ML23062A427

From kanterella
Jump to navigation Jump to search
8 to Updated Final Safety Analysis Report, Chapter 7, Sections 1 Through 9 (Redacted)
ML23062A427
Person / Time
Site: Peach Bottom  Constellation icon.png
Issue date: 03/03/2023
From:
Exelon Generation Co
To:
Office of Nuclear Reactor Regulation
References
Download: ML23062A427 (1)
v  d  e


Text

PBAPS UFSAR SECTION 7.0 - CONTROL AND INSTRUMENTATION 7.1

SUMMARY

DESCRIPTION The control and instrumentation section presents the details of the more complex control and instrumentation system in the station. Some of these systems are safety systems, while others are power generation systems.

7.1.1 Safety Systems The safety systems described in the control and instrumentation section are the following:

1. Nuclear safety systems and engineered safeguards (required for accidents and abnormal operational transients)
a. RPS
b. Primary containment and reactor vessel isolation control system
c. CSCS's control and instrumentation
d. Neutron monitoring system (specific portions)
e. Process radiation monitoring system (specific portions)
f. Containment atmosphere control.
2. Safety-related display instrumentation
a. Accident monitoring.
3. Process safety systems (required for planned operation)
a. Neutron monitoring system (specific portions)
b. Refueling interlocks
c. Reactor vessel instrumentation
d. Process radiation monitors (specific portions).

CHAPTER 07 7.1-1 REV. 27, APRIL 2019

PBAPS UFSAR 7.1.2 Power Generation Systems The power generation systems described in this section are as follows:

1. Reactor manual control system.
2. Recirculation flow control system.
3. Feedwater system control and instrumentation.
4. Pressure regulator and turbine-generator control.
5. Process computer system. (PMS)
6. Area radiation monitors.
7. Site environs radiation monitors.
8. Health physics and laboratory analysis radiation monitors.

7.1.3 Safety Functions The major functions of the safety systems are summarized as follows:

1. Reactor Protection System - The RPS initiates an automatic reactor shutdown (scram) if monitored nuclear system variables exceed established limits. This action limits fuel damage and system pressure and thus restricts the release of radioactive material.
2. Primary Containment and Reactor Vessel Isolation Control System - This system initiates closure of various automatic isolation valves in response to out of limit nuclear system variables. The action provided limits the loss of coolant from the reactor vessel and contains radioactive materials either inside the reactor vessel or inside the primary containment. The system responds to various indications of pipe breaks or radioactive material release.
3. Core Standby Cooling Systems Control and Instrumentation

- This subsection describes the arrangement of control CHAPTER 07 7.1-2 REV. 27, APRIL 2019

PBAPS UFSAR devices for HPCI, automatic depressurization, core spray, and LPCI.

4. Neutron Monitoring System - The neutron monitoring system uses in-core neutron detectors to monitor core neutron flux. The safety function of the neutron monitoring system is to provide a signal to shut down the reactor when an overpower or instability condition is detected. High average neutron flux is used as the overpower indicator. Oscillations in the neutron flux are used as the thermal-hydraulic instability indicator.

In addition, the neutron monitoring system provides the required power level indication during planned operation.

5. Main Steam Radiation Monitoring System - Gamma sensitive radiation monitors are installed in the vicinity of the main lines just outside the primary containment. These monitors can detect a gross release of fission products from the fuel by measuring the gamma radiation coming from the steam lines. A high radiation trip signal is sent to the RPS and the primary containment and reactor vessel isolation control system. The high radiation condition results in reactor scram and isolation.
6. Refueling Interlocks - The refueling interlocks serve as a backup to procedural core reactivity control during refueling operation.
7. Reactor Vessel Instrumentation - The reactor vessel instrumentation monitors and transmits information concerning key reactor vessel operating parameters during planned operation to ensure that sufficient control of these parameters is possible.
8. Process Radiation Monitors (except Main Steam Line Radiation Monitoring System) - A number of radiation monitoring systems are provided on process liquid and gas lines to provide sufficient information for control of radioactive material release from the site.
9. Containment Atmosphere Control System - The containment atmosphere control system provides the capability to monitor and control the concentration of oxygen in the primary containment during normal operations.

CHAPTER 07 7.1-3 REV. 27, APRIL 2019

PBAPS UFSAR

10. Containment Atmospheric Dilution System - The CADS provides the capability to monitor and control the concentration of hydrogen in the primary containment following an accident.
11. Seismic Monitoring System - The seismic monitoring system provides the capability to record and play back the time-history of seismic vibration and the resulting safety structure response.
12. Accident Monitoring Equipment - The accident monitoring equipment provides the capability to monitor the plant conditions to assess the progress of an accident to allow appropriate remedial action to be taken.

7.1.4 Plant Operational Control The major systems used to control the plant during planned power generation operations are the following:

1. Reactor Manual Control System - This system allows the operator to manipulate control rods and determine their positions. Various interlocks are provided in the control circuitry to avoid unnecessary protection system action resulting from operator error.
2. Recirculation Flow Control System - This system controls the speed of the two reactor recirculation pumps by varying the frequency of the power supply for the pumps.

By varying the coolant flow rate through the core, power level may be changed. The system is arranged to allow for manual control (operator action).

3. Feedwater System Control and Instrumentation - This system regulates the feedwater flow rate so that proper reactor vessel water level is maintained. The feedwater system controller uses reactor vessel water level, main steam flow, and feedwater flow signals to regulate feedwater flow. The system is arranged to permit single element (level only), three element (level, steam flow, and feed flow), or manual operation.
4. Pressure Regulator and Turbine-Generator Controls -The pressure regulator and turbine-generator controls work together to allow proper generator and reactor response to load demand changes. The pressure regulator acts to maintain nuclear system pressure essentially constant, CHAPTER 07 7.1-4 REV. 27, APRIL 2019

PBAPS UFSAR so that pressure-induced core reactivity changes are controlled. To maintain constant pressure, the pressure regulator adjusts the turbine control valves or turbine bypass valves. The turbine-generator speed-load controls can initiate rapid closure of the turbine control valves (coincident with fast opening of the bypass valves) to prevent excessive turbine overspeed in case of loss of generator electrical load.

5. Process Computer System (PMS) - The process computer provides alarm and data logging facilities and supplemental information for the more efficient operation of the core.
6. Area Radiation Monitoring System - The area radiation monitoring system provides a record and an indication in the control room of gamma radiation levels at selected locations within various plant buildings during normal operation and post-accident containment radiation levels. It also provides local alarms to warn personnel of significant increases in radiation levels.
7. Site Environs Radiation Monitoring System - The function of the site environmental monitoring program is to measure trends in the levels of environmental radioactivity. The monitoring station continuously records gamma radiation levels and collects airborne radioactive particulates for analysis.
8. Health Physics and Laboratory Analysis Radiation Monitoring Program - Portable radiation survey instruments and laboratory instruments are available to measure alpha, beta, gamma, and neutron radiation to protect the health and safety of plant personnel.

7.1.5 Definitions The complexity of the control and instrumentation systems requires the use of certain terminology for clarification in the description of the protection systems. See additional definitions in subsection 1.2, "Definitions."

1. Channel - A channel is an arrangement of one or more sensors and associated components used to monitor plant variables and produce discrete outputs used in logic. A channel terminates and loses its identity where CHAPTER 07 7.1-5 REV. 27, APRIL 2019

PBAPS UFSAR individual channel outputs are combined in logic. See Figure 7.1.1.

2. Sensor - A sensor is that part of a channel used to detect variations in the measured power plant variable.

See Figure 7.1.1.

3. Logic - Logic is that array of components which combines individual bistable output signals to produce decision outputs. See Figure 7.1.1.
4. Trip System - A trip system is that portion of a system encompassing one or more channels, logic, and bistable devices used to produce output signals to the actuation logic. A trip system terminates and loses its identity where outputs are combined in logic. See Figure 7.1.1.
5. Actuation Device - An actuation device is an electrical or electromechanical module controlled by an electrical decision output used to produce mechanical operation of one or more activated devices to accomplish the necessary action. See Figure 7.1.1.
6. Activated Device - An activated device is a mechanical module in a system used to accomplish an action. An activated device is controlled by an actuation device.

See Figure 7.1.1.

7. Trip - A trip is the change of state of a bistable device which represents the change from a normal condition. A trip signal, which results from a trip, is generated in the channels of a trip system and produces subsequent trips and trip signals throughout the system as directed by the logic.
8. Set Point - A set point is that value of a monitored plant variable which is maintained by control action or at which a trip occurs.
9. Component - Items from which the system is assembled (e.g., resistors, capacitors, wires, connectors, transistors, switches, springs, pumps, valves, piping, heat exchangers, vessels, etc).
10. Module - Any assembly of interconnected components which constitutes an identifiable device, instrument, or piece of equipment.

CHAPTER 07 7.1-6 REV. 27, APRIL 2019

PBAPS UFSAR

11. Incident Detection Circuitry - Incident detection circuitry includes those trip systems which are used to sense the occurrence of an incident. Such circuitry is described and evaluated separately where the incident detection circuitry is common to several systems.

CHAPTER 07 7.1-7 REV. 27, APRIL 2019

PBAPS UFSAR 7.1.6 Redundant System Wiring Independence, Protection, and Marking 7.1.6.1 Cable Routing and Separation Cable routing and separation maintains the ability to safely shutdown the plant in the event of a fire. Cable routing and separation for fire protection is described in the Fire Protection Program, Peach Bottom Atomic Power Station, Units 2 and 3.

Cables serving engineered safety feature systems and Class 1E electrical systems are routed separately when duplicate or backup equipment is affected. Separation for these safety systems is achieved by routing through separate rooms or corridors where possible. When wiring for two or more redundant safety systems passes through the same compartment having rotating heavy machinery or containing high-pressure steam lines, a horizontal separation of 20 ft is maintained between raceways groups. Where spacing less than 20 ft is provided in zones of potential mechanical damage, protective walls or barriers equal to a 6-in thick reinforced concrete wall are provided between groups.

Cables identified as required for Safe Shutdown in accordance with Appendix R to 10CFR, Part 50 are routed in accordance with the separation criteria identified in Section III.G of Appendix R.

Any switchgear or electrical panel associated with redundant systems has a minimum horizontal separation of 20 ft or is separated by a protective wall, ceiling, or floor equivalent to a 6-in thick reinforced concrete wall. This applies only in zones of potential missile damage.

To protect against the potential hazard of an electrical fire, where practical, cable trays of redundant systems have a minimum horizontal separation of 3 ft and a minimum vertical separation of 5 ft, or a crossover separation of 18 in. Where these separations cannot be maintained, fire resistant barriers are installed between the trays, or cables are run in rigid steel conduit, steel intermediate metal conduit (IMC) or steel electrical metallic tubing (EMT), until this separation exists.

In the Cable Spreading Room, where cables of redundant systems approach the same or adjacent control panels with a spacing less than 3 feet horizontally or 5 feet vertically, both cables run in rigid steel conduit, steel IMC, steel EMT or separation is established by an analysis of the installation. Flexible steel CHAPTER 07 7.1-8 REV. 27, APRIL 2019

PBAPS UFSAR conduit is used only for final bend to the tray or through floor sleeves when conduit is required to panels. A barrier exists between the cable spreading room and the main control room.

In other areas where cables of redundant systems approach the same or adjacent control panels or components with a spacing less than 3 feet horizontally or 5 feet vertically, both cables run in rigid steel conduit, steel IMC or steel EMT or, for control and instrument cables, separation is established by an analysis of the installation. Flexible steel conduit is used only for final bend to the tray, component, or through floor sleeves when conduit is required to panels.

The RPS and primary containment isolation system are designed to meet the following requirements:

1. Wiring to duplicate sensors on a common process is run in separate conduits. The neutron monitoring system cables beneath the reactor vessel are an exception to the general rule. They are not routed in conduit because of space limitations and the need for flexibility of the cables. However, these cables are grouped and separated to obtain effective channel independence.
2. Cables through drywell penetrations are so grouped that loss of all cabling in a single penetration cannot prevent a scram.
3. Wiring for sensors of more than one variable in the same trip channel may be run in the same conduit.
4. For the primary containment isolation system, the inboard primary containment isolation valve wiring between the control panel and the valve proper is separate from the outboard isolation valve wiring.

Safety system cables are not installed in nonsafety system trays or conduits. Nonsafety-related cables may be installed in a safety system tray or conduit, but those of a nonsafety system are not installed in trays or conduits of more than one independent channel of a safety system.

No single control panel includes wiring essential to the function of two redundant systems unless there is a minimum of 6 inches of separation between cables and components of the two systems, except where the presence of wiring of two redundant systems is CHAPTER 07 7.1-9 REV. 27, APRIL 2019

PBAPS UFSAR permitted by project specifications. If less than 6 inches separation between systems exists, a fire resistant barrier is provided or wiring for one of the two systems is run in conduit or fire resistant sleeving to separate the two systems. Penetration of separation barriers within a panel is not permitted, unless the penetration is so designed that fire cannot propagate through the penetration, or conduit is used. Devices or components of redundant systems on the same panel less than 6 in apart are considered adequately separated if one of the devices is totally enclosed in fire resistant material, or if their failure in any mode will not negate automatic system operation if required.

If two panels containing circuits of redundant systems are less than 3 ft apart, there is a steel barrier between the two panels.

Panel ends closed by steel end plates are acceptable barriers provided that terminal boards and wireways are mounted at least 1 in from the end plates.

7.1.6.2 Fire Protection Part of the fire protection system, as described in subsection 10.12, is used to detect fire and protect safety-related cables in trays in the following areas:

1. Smoke detectors are installed in the cable spreading room and computer room to initiate alarm in the control room. A manually operated carbon dioxide system in the computer room and cable spreading room are used for fire protection in these areas.
2. Heat detectors are installed in the HPCI rooms to initiate alarms in the control room and for automatic initiation of the carbon dioxide system.

7.1.6.3 Cable and Tray Marking The permanent cable markers for engineered safeguard cables include a color dot to identify a particular wiring channel.

Cable trays and conduits used for engineered safeguard cables are marked at intervals not exceeding 50 ft with the raceway number and color code.

Identification of engineered safeguard cables and raceways is as follows:

Cable and Raceway Color Channel Prefix Code CHAPTER 07 7.1-10 REV. 27, APRIL 2019

PBAPS UFSAR A ZA Blue B ZB Green C ZC Red D ZD Orange RPS cables are installed in conduits having a unique identification number.

7.1.6.4 Cable Derating Cables serving engineered safety feature and Class 1E electrical systems are thermally sized and derated in accordance with methods outlined in Insulated Power Cable Engineers Association (IPCEA) standards. Power Cables installed in conduit are derated in accordance with IPCEA standard P-46-426, Power Cable Ampacities, Volume I or Volume II. Power cables installed in open-top cable tray are derated in accordance with ICEA standard P-54-440, Ampacities Cables in Open-top Cable Trays. For special cases where the use of these standards is restrictive, cables are derated using a heat transfer model which considers load diversity among cables (actual loading of cables) installed in the raceway.

7.1.7 Reactor Protection System and Engineered Safeguard Equipment Marking RPS and engineered safeguard equipment is physically identified as safety related by use of distinctive markings or labels designating the name of apparatus and the applicable channel or safeguard division.

7.1.8 Periodic Testing of Instrumentation and Control Equipment The use of lifted leads and jumpers for on-line testing of engineered safety feature equipment is permitted but will be minimized. All lifted leads and jumpers shall be clearly identified and controlled by specific instructions in the procedure including signoff and verification. All periodic testing of engineering safety features is consistent with IEEE 279 with regard to on-line testability.

The following test methods will be considered:

CHAPTER 07 7.1-11 REV. 27, APRIL 2019

PBAPS UFSAR

1. Provisions should be made for functional testing without requiring shutdown or unscheduled power change as a condition of the test.
2. Testing should be accomplished without disturbing the existing wiring (i.e., lifting of wires from terminals is not the best method of testing). Pulling of fuses is an acceptable practice.
3. The use of clip-leads should be minimized except for the attachment of meter leads.
4. Test jacks permanently wired to existing circuitry are considered acceptable provided the connection points are so chosen that no portion of the installed protective wiring is untestable and that external equipment connected to the text jacks is procedurally controlled.
5. Permanently wired test lights are acceptable provided the installation is not capable of producing an unsafe failure through any malfunction of the lamp.
6. Booting of contacts should be done only when necessary. All alternate methods should be considered first.

CHAPTER 07 7.1-12 REV. 27, APRIL 2019

PBAPS UFSAR 7.2 REACTOR PROTECTION SYSTEM 7.2.1 Safety Objective The safety objective of the RPS is to provide timely protection against the onset and consequences of conditions that threaten the integrities of the fuel barrier (uranium dioxide sealed in cladding) and the nuclear system process barrier. Excessive temperature threatens to perforate the cladding or melt the uranium dioxide. Excessive pressure threatens to rupture the nuclear system process barrier. The RPS limits the uncontrolled release of radioactive material from the fuel and nuclear system process barrier by terminating excessive temperature and pressure increases through the initiation of an automatic scram.

7.2.2 Safety Design Basis

1. The RPS initiates, with precision and reliability, a reactor scram in time to limit fuel damage following abnormal operational transients to such an extent that, if the freed fission products were released to the environs via the normal discharge path for radioactive material, the limits of applicable regulations would not be exceeded.
2. The RPS initiates, with precision and reliability, a reactor scram in time to prevent damage to the nuclear system process barrier as a result of internal pressure.

Specifically, the RPS initiates a reactor scram in time to prevent nuclear system pressure from exceeding the nuclear system pressure allowed by applicable industry codes.

3. The RPS initiates, with precision and reliability, a reactor scram to limit the uncontrolled release of radioactive materials from the fuel or nuclear system process barrier upon gross failure of either of these barriers.
4. RPS inputs are derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions to provide assurance that conditions which threaten the fuel or nuclear system process barriers are detected with sufficient timeliness and precision to fulfill safety design bases 1, 2, and 3.

CHAPTER 07 7.2-1 REV. 28, APRIL 2021

PBAPS UFSAR

5. The RPS responds correctly to the sensed variables over the expected range of magnitudes and rates of change to provide assurance that important variables are monitored with a precision sufficient to fulfill safety design bases 1, 2, and 3.
6. An adequate number of sensors are provided for monitoring essential variables having spatial dependence to provide assurance that important variables are monitored with a precision sufficient to fulfill safety design bases 1, 2, and 3.
7. The following bases provide assurance that the RPS is designed with sufficient reliability to fulfill safety design bases 1, 2, and 3:
a. No single failure within the RPS prevents proper RPS action when required to satisfy safety design bases 1, 2, or 3.
b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the ability of the RPS to respond correctly.
c. The system is designed for a high probability that, when any monitored variable exceeds the scram set point, the event results in an automatic scram, and does not impair the ability of the system to scram, as other monitored variables exceed their scram trip points.
d. Where a plant condition that requires a reactor scram can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more RPS channels designed to provide protection against the unsafe condition, the remaining portions of the RPS meet the requirements of safety design bases 1, 2, 3, and 7a.
e. The power supply for the RPS is arranged so that loss of one supply neither causes nor prevents a reactor scram.

CHAPTER 07 7.2-2 REV. 28, APRIL 2021

PBAPS UFSAR

f. The system is designed so that, once initiated, an RPS action goes to completion.

Return to normal operation after protection system action requires deliberate operator action.

g. There is sufficient electrical and physical separation between channels, and between logics monitoring the same variable, to prevent environmental factors, electrical transients, and physical events from impairing the ability of the system to respond correctly.
h. Earthquake ground motions do not impair the ability of the RPS to initiate a reactor scram.
i. Sufficient diversity in measurement principle or manufacture of the devices used to monitor water level in the scram discharge volume is provided to ensure that a common mode failure of the devices of one design will not prevent a scram on high scram discharge volume water level.
8. The following bases are specified to reduce the probability that RPS operational reliability and precision is degraded by operator error:
a. Access to trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables are under the control of station operations personnel.
b. The means for manually bypassing logics, channels, or system components are under the control of the control room operator. If a channel logic is bypassed, this fact is continuously annunciated in the control room.
9. To provide the operator with means, independent of the automatic scram functions, to counteract conditions that threaten the fuel or nuclear system process barrier, it CHAPTER 07 7.2-3 REV. 28, APRIL 2021

PBAPS UFSAR is possible for the control room operator to manually initiate a reactor scram.

10. The following bases are specified to provide the operator with the means to assess the condition of the RPS and to identify conditions that threaten the integrities of the fuel or nuclear system process barriers:
a. The RPS is designed to provide the operator with information pertinent to the operational status of the protection system.
b. Means are provided for prompt identification of channel and trip system responses.
11. It is possible to check the operational availability of each logic.

7.2.3 Description 7.2.3.1 General The RPS is designed to meet the intent of the Institute of Electrical and Electronic Engineers (IEEE) "Proposed Criteria for Nuclear Power Plant Protection Systems," (IEEE-279 of August, 1968). The RPS is functionally identical to the design as presented in Topical Report NEDO-10139, "Compliance of Protection Systems to Industry Criteria: GE BWR Nuclear Steam Supply System" (June 1970). Details of the RPS compliance with IEEE-279-1968 are presented on pages 2-21 through 2-24 of the topical report. In addition to the subsystems listed in the topical report, a condenser low vacuum scram is included in the PBAPS design. This scram complies with IEEE-279-1968. Appendix H contains an evaluation of the facility with respect to the 70 General Design Criteria for Nuclear Power Plant Construction Permit (July 1967).

The RPS includes the motor-generator (M-G) power supplies with associated control and indicating equipment, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the process computer system (PMS) and annunciators.

The process computer system (PMS) and annunciators are not part of the RPS. Although scram signals are received from the neutron monitoring system, this system is treated as a separate nuclear safety system elsewhere in the report (subsection 7.5, "Neutron Monitoring System").

CHAPTER 07 7.2-4 REV. 28, APRIL 2021

PBAPS UFSAR 7.2.3.2 Power Supply Power to each of the two reactor protection trip systems is supplied, via a separate bus, by its own high inertia AC M-G set (Drawing M-1-T-49, Sheets 1 and 4). Each generator has a voltage regulator which is designed to respond to a step load change of 50 percent of rated load with an output voltage change of not greater than 15 percent. High inertia is provided by a flywheel. The inertia is sufficient to maintain voltage and frequency within 5 percent of rated values for at least 1.0 sec following a total loss of power to the drive motor. The output of each RPS M-G set is protected by a protection panel containing two channels of Class 1E protection. Each channel contains relays for overvoltage, undervoltage, and underfrequency protection which trip an associated circuit breaker. The protection panels will protect RPS components from an overvoltage, undervoltage, and underfrequency condition as defined in the Technical Specification Bases.

Each M-G Set is designed to allow a momentary loss of power to the drive motor during 4 kV transients. A time delay relay maintains a restart signal to the motor if power is restored within a specified time. This delay is based on the ability of the flywheel to provide sufficient inertia to maintain generator output during a 4 kV fast transfer. The time delay also provides assurance that on a total loss of 4 kV, the RPS M-G set output trips on undervoltage after flywheel inertia is lost to trip the unit and is removed from the emergency diesel generators as a system load.

Deenergization of one of the RPS power supplies causes the associated RPS to actuate causing a half scram.

Alternate power is available to either RPS bus from an inverter supplied by DC power, or an electrical bus that can receive standby electrical power. The output of the alternate power source is protected by a protection panel which provides similar RPS component protection as installed on the M-G sets. The alternate power switch prevents simultaneously feeding both buses from the same source. The switch also prevents paralleling an M-G set with the alternate supply. Dc power is supplied to the backup scram valve solenoids from the station batteries. The protection panels will protect the RPS components from an overvoltage, undervoltage, and underfrequency condition as defined in the Technical Specification Bases.

CHAPTER 07 7.2-5 REV. 28, APRIL 2021

PBAPS UFSAR 7.2.3.3 Physical Arrangement Instrument piping that taps into the reactor vessel is routed through the drywell wall and terminates inside the secondary containment (reactor building). Reactor vessel pressure and water level information is sensed from this piping by instruments mounted on instrument racks in the reactor building. Valve position switches are mounted on valves from which position information is required. The sensors for RPS signals from equipment in the turbine building are mounted locally. The two M-G sets that supply power for the RPS are located in the 4 kV switchgear complex in an area where they can be serviced during reactor operation. Cables from sensors and power cables are routed to two RPS cabinets in the control room, where the logic circuitry of the system is formed. One cabinet is used for each of the two trip systems. The logics of each trip system are isolated in separate bays in each cabinet. The RPS is designed as seismic Class I equipment to assure a safe reactor shutdown during and after seismic disturbances. However, certain input signals to RPS such as:

  • Turbine stop valve pressure sensors
  • First stage turbine pressure sensors
  • Condenser vacuum pressure sensors
  • Main steam line pressure sensors are located in the Turbine Building which is a Seismic Class II structure. All of these instruments are qualified and mounted per Seismic Class I requirements.

7.2.3.4 Logic The basic logic arrangement of the system is illustrated in Drawing M-1-T-49, Sheets 2 and 5. The RPS is arranged as two separately powered trip systems. Each trip system has three logics, as shown in Figure 7.2.4. Two of the logics are used to produce automatic trip signals. The remaining logic is used for a manual trip signal. Each of the two logics used for automatic trip signals receives input signals from at least one channel for each monitored variable. Thus, two channels are required for each monitored variable to provide independent inputs to the logics of one trip system. At least four channels for each monitored variable are required for the logics of both trip systems.

As shown in Figure 7.2.5, the actuators associated with any one logic provide inputs into each of the actuator logics for the CHAPTER 07 7.2-6 REV. 28, APRIL 2021

PBAPS UFSAR associated trip system. Thus, either of the two automatic logics associated with one trip system can produce a trip system trip.

The logic is a one-out-of-two arrangement. To produce a scram, the actuator logics of both trip systems must be tripped. The overall logic of the RPS could be termed one-out-of-two taken twice.

7.2.3.5 Operation To facilitate the description of the RPS, the two trip systems are called trip system A and trip system B. The automatic logics of trip system A are logics A1 and A2; the manual logic of trip system A is logic A3. Similarly, the logics for trip system B are logics B1, B2, and B3. The actuators associated with any particular logic are identified by the logic identity (such as actuators B2) and a letter (Figure 7.2.4). The actuator logics associated with a trip system are identified with the trip system identity (such as actuator logics A). Channels are identified by the name of the monitored variable and the logic identity with which the channel is associated (such as reactor vessel high-pressure channel B1).

During normal operation all sensor and trip contacts essential to safety are closed; channels, logics, and actuators are energized.

There are two scram pilot valve solenoids and two scram valves for each control rod, arranged functionally as shown in Drawing M-1-T-49, Sheet 1 and 4. Each scram pilot valve is solenoid operated.

The solenoids are normally energized. The scram pilot valves associated with a control rod control the air supply to both scram valves for that rod. With either scram pilot valve solenoid energized, air pressure holds the scram valves closed. The scram insert valve supplies water to the CRD from the scram accumulator and the scram exhaust valves exhaust water from the CRD to the scram discharge volume. One of the scram pilot valve solenoids for each control rod is controlled by actuator logics A, the other solenoid by actuator logics B. There are two DC solenoid-operated backup scram valves which provide a second means of controlling the air supply to the scram valves for all control rods. The DC solenoid for each backup scram valve is normally deenergized. The backup scram valves are energized (initiate scram) when both trip system A and trip system B are tripped.

The functional arrangement of sensors and channels that constitute a single logic is shown in Drawing M-1-T-49, Sheet 2 and 5. A schematic is given in Figure 7.2.4.

CHAPTER 07 7.2-7 REV. 28, APRIL 2021

PBAPS UFSAR Whenever a channel sensor contact opens, its sensor relay deenergizes, causing contacts in the logic to open. The opening of contacts in the logic deenergizes its actuators. When deenergized, the actuators open contacts in all the actuator logics for that trip system. This action results in deenergizing the scram pilot valve solenoids associated with that trip system (one scram pilot valve solenoid for each control rod). Unless the other scram pilot valve solenoid for each rod is deenergized, the rods are not scrammed. If a trip then occurs in any of the logics of the other trip system, the remaining scram pilot valve solenoid for each rod is deenergized, venting the air pressure from the scram valves, and allowing CRD water to act on the CRD piston.

Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume which is isolated due to the RPS scram signal. Drawing M-1-T-49, Sheets 1 and 4 shows that when the solenoid for each backup scram valve is energized, the backup scram valves vent the air supply for the scram valves; this action initiates insertion of every control rod regardless of the action of the scram pilot valves.

A scram can be manually initiated. There are two scram buttons, one for logic A3 and one for logic B3. Depressing the scram button on the logic A3 deenergizes actuators A3 and opens corresponding contacts in actuator logics A. A single trip system trip is the result. To effect a manual scram, the buttons for both logic A3 and logic B3 must be depressed. By operating the manual scram button for one manual logic at a time, followed by reset of that logic, each trip system can be tested for manual scram capability. It is also possible to scram the reactor by interrupting power to the RPS. This can be done by opening power supply breakers. The manual scram capability provided in the control room meets safety design basis 9.

As an alternate means, Operations can initiate an automatic scram using the test switches. There is one test push-button for logic A1, A2, B1, and B2. Depressing test switches on the logic A1, deenergizes actuators A1 and opens corresponding contacts in actuator logics A. A single trip system trip is the result. To cause a scram, the buttons for both logic (A1 or A2) and logic (B1 or B2) must be depressed. By operating the test switches for one auto logic at a time, followed by reset of that logic, each trip system can be tested for automatic scram capability.

To restore the RPS to normal operation following any single trip system trip or scram, the actuators must be manually reset. Reset is possible only if the conditions that caused the trip or scram CHAPTER 07 7.2-8 REV. 28, APRIL 2021

PBAPS UFSAR have been cleared and is accomplished by operating switches in the control room. Drawing M-1-T-49, Sheets 2 and 5 shows the functional arrangement of reset contacts for trip system A. This meets safety design basis 7f.

Whenever an RPS sensor trips, it lights a printed red window, common to all the channels for that variable, on the reactor annunciator panel in the control room to indicate the out-of-limit variable. Each trip system lights a red window indicating the trip system which has tripped. An RPS channel trip also sounds a buzzer or horn, which can be silenced by the operator. The annunciator window lights latch in until manually reset; reset is not possible until the condition causing the trip has been cleared. The physical positions of RPS relays are used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. The location of alarm windows provides the operator with the means to quickly identify the cause of RPS trips and to evaluate the threat to the fuel or nuclear system process barrier.

To provide the operator with the ability to analyze an abnormal transient during which events occur too rapidly for direct operator comprehension, all RPS trips are recorded by the plant monitoring system (PMS) computer system. All trip events are recorded. Use of the computer is not required for plant safety, and information provided is in addition to that immediately available from other annunciators and data displays. The display of trips is of particular usefulness in routinely verifying the proper operation of pressure, level, and valve position sensors as trip points are passed during startups, shutdowns, and maintenance operations.

RPS inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the RPS. Signals directly from the RPS sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the RPS satisfies safety design bases 10a and 10b.

7.2.3.6 Scram Functions and Bases for Trip Settings The following discussion covers the functional considerations for the variables or conditions monitored by the RPS. Table 7.2.1 lists the specifications for instruments providing signals for the system. Figure 7.2.6 shows the scram functions in block form.

CHAPTER 07 7.2-9 REV. 28, APRIL 2021

PBAPS UFSAR

a. Neutron monitoring system trip. To provide protection for the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram.

The neutron monitoring system set points and their bases are discussed in subsection 7.5, "Neutron Monitoring System."

b. Nuclear system high pressure. High pressure within the nuclear system poses a direct threat of rupture to the nuclear system process barrier. A nuclear system pressure increase while the reactor is operating compresses the steam voids and results in a positive reactivity insertion causing increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing the core fission heat generation.

The nuclear system high-pressure scram setting is chosen slightly above the reactor vessel maximum normal operating pressure to permit normal operation without spurious scram yet provide a wide margin to the maximum allowable nuclear system pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high-pressure scram setting. The nuclear system high-pressure scram works in conjunction with the pressure relief system in preventing nuclear system pressure from exceeding the maximum allowable pressure. This same nuclear system high-pressure scram setting also protects the core from exceeding thermal hydraulic limits as a result of pressure increases for some events that occur when the reactor is operating at less than rated power and flow.

c. Reactor vessel low water level. A low water level in the reactor vessel indicates that the core is in danger of being inadequately cooled. The effect of a decreasing water level while the reactor is operating at power is to decrease the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core.

CHAPTER 07 7.2-10 REV. 28, APRIL 2021

PBAPS UFSAR The reactor vessel low water level scram setting was selected to prevent fuel damage following those abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. Specifically, the scram setting is chosen far enough below normal operational levels to avoid spurious scrams but high enough above the top of the active fuel to assure that enough water is available to account for evaporation losses and displacements of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting was used in the development of thermal-hydraulic limits, which set operational limits on the thermal power level for various coolant flow rates.

d. Turbine stop valve closure. Closure of the turbine stop valves with the reactor at power can result in a significant addition of positive reactivity to the core as the nuclear system pressure rise collapses steam voids. The turbine stop valve closure scram, which initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure, is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods.

Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the nuclear system pressure limit.

The turbine stop valve closure scram setting is selected to provide the earliest positive indication of valve closure. The trip logic was chosen both to identify those situations in which a reactor scram is required for fuel protection and to allow functional testing of this scram function.

e. Turbine control valve fast closure. With the reactor and turbine-generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram, which initiates a scram earlier than CHAPTER 07 7.2-11 REV. 28, APRIL 2021

PBAPS UFSAR either the neutron monitoring system or nuclear system high pressure, is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit.

The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure. The trip logic was chosen to identify those situations in which a reactor scram is required for fuel protection.

f. Main steam line isolation. The main steam line isolation scram is provided to limit the release of fission products from the nuclear system. Automatic closure of the main steam line isolation valves is initiated upon conditions indicative of a steam line break. Immediate shutdown of the reactor is appropriate in such a situation. The scram initiated by main steam line isolation valve closure anticipates a reactor vessel low water level scram. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The trip logic allows functional testing of main steam line isolation trip channels with one steam line isolated.
g. Scram discharge volume high water level. The scram discharge volume receives the water displaced by the motion of the CRD pistons during a scram. Should the scram discharge volume fill up with water to the point where not enough space remains for the water displaced during a scram, control rod movement would be hindered in the event a scram were required. To prevent this situation the reactor is scrammed when the water level in the discharge volume attains a value high enough to verify that the volume is filling up yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.

CHAPTER 07 7.2-12 REV. 28, APRIL 2021

PBAPS UFSAR

h. Primary containment high pressure. A high pressure inside the primary containment could indicate a break in the nuclear system process barrier. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce the addition of energy from the core to the coolant. The reactor vessel low water level scram also acts to scram the reactor for LOCA's. The primary containment high-pressure scram setting is selected to be as low as possible without inducing spurious scrams.
i. Main steam line high radiation. High radiation in the vicinity of the main steam lines could indicate a gross fuel failure in the core. When high radiation is detected near the steam lines an alarm is initiated to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiation levels within limits. Initiation of a high-high radiation alarm alerts the Operators to close any open reactor coolant sample lines and trips the mechanical vacuum pump, if running. The high radiation alarm setting is selected high enough above background radiation levels to avoid spurious alarms, yet low enough to promptly detect a gross release of fission products from the fuel. More information on the alarm setting is available in subsection 7.12, "Process Radiation Monitoring."
j. Main condenser low vacuum scram. The purpose of the low condenser vacuum turbine trip is to protect the main condenser against overpressure on loss of condenser vacuum. A low condenser vacuum condition provides a signal to trip the main turbine by providing automatic closure to the turbine stop valves. To anticipate the transient and automatic scram which results from the closure of the turbine stop valves, a low condenser vacuum condition initiates a reactor scram. The low condenser vacuum scram trip setting is selected to initiate a reactor scram prior to initiation of closure of the turbine stop valves.
k. Manual scram. To provide the operator with means to shut down the reactor, push buttons located on the reactor operator's console in the control room initiate a scram when actuated by the operator.

CHAPTER 07 7.2-13 REV. 28, APRIL 2021

PBAPS UFSAR As an alternate means, Operations can initiate an automatic scram using the test switches. There is one test switch for each logic: A1, A2, B1, and B2.

Actuating test switches on the logic A1 deenergizes actuators A1 and opens corresponding contacts in actuator logic A. A single trip system trip is the result. To cause a scram, the switches for both logic (A1 or A2) and logic (B1 or B2) must be actuated. By operating the test switches for one auto logic at a time, followed by reset of that logic, each trip system can be tested for automatic scram capability.

l. Mode switch in SHUTDOWN. The mode switch provides appropriate protective functions for the condition in which the reactor is to be operated. Placing the mode switch in the SHUTDOWN position initiates a reactor scram. This scram is not considered a protective function because it is not required to protect the fuel or nuclear system process barrier, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short time delay, permitting a scram reset which restores the normal valve lineup in the CRD hydraulic system.

When performing a plant shutdown by insertion of all control rods (soft shutdown), the scram function generated from the mode switch being placed in the SHUTDOWN position may be temporarily bypassed under administrative controls that assure all control rods are fully inserted, associated Technical Specification Required Actions are entered, and time duration of bypass is managed.

7.2.3.7 Mode Switch A multi-position keylock mode switch located on the reactor operator's console is provided to select the necessary scram functions for various plant conditions. In addition to selecting scram functions from the proper sensors, the mode switch provides appropriate bypasses. The mode switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the RPS.

The switch itself is designed to provide separation between the two trip systems. The mode switch positions and their related scram functions are as follows:

CHAPTER 07 7.2-14 REV. 28, APRIL 2021

PBAPS UFSAR

1. SHUTDOWN - Initiates a reactor scram; bypasses main steam line isolation scram and main condenser low vacuum scram.
2. REFUEL - Selects neutron monitoring system scram for low neutron flux level operation (subsection 7.5, "Neutron Monitoring System"); bypasses main steam line isolation scram and main condenser low vacuum scram.
3. STARTUP - Selects neutron monitoring system scram for low neutron flux level operation (subsection 7.5, "Neutron Monitoring System"); bypasses main steam line isolation scram and main condenser low vacuum scram.
4. RUN - Selects neutron monitoring system scram for power range operation (subsection 7.5, "Neutron Monitoring System").

The relationship between the actions caused by the position of the mode switch and the various BWR operating states is represented in Table 7.2.2.

7.2.3.8 Scram Bypasses A number of scram bypasses are provided to account for the varying protection requirements depending on reactor conditions and to allow for instrument service during reactor operations. Some bypasses are automatic; others are manual. All manual bypass switches are in the control room, under the direct control of the reactor operator. If the ability to trip some part of the system has been bypassed, this part is continuously indicated in the control room.

Automatic bypass of the scram trips from main steam line isolation and main condenser low vacuum is provided when the mode switch is not in RUN.

The bypass allows reactor operations at low power with the main steam lines isolated and the main condenser not in operation.

These conditions exist during startups and certain reactivity tests during refueling.

The scram signal initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a time delay of 2 seconds. The bypass is provided to permit resetting the trip logic while the CHAPTER 07 7.2-15 REV. 28, APRIL 2021

PBAPS UFSAR reactor mode switch is in the shutdown position. Resetting of any scram signal requires a 10-second time delay to insure that, once initiated, the RPS action goes to completion. This meets safety design basis 7f. An annunciator in the control room indicates the bypassed condition.

An automatic bypass of the turbine control valve fast closure scram and turbine stop valve closure scram is effected whenever the reactor thermal power is less than 26.3 (as indicated by turbine first stage pressure with no 3rd, 4th, or 5th feedwater heaters in service). Closure of these valves from such a low initial power level does not constitute a threat to the integrity of any barrier to the release of radioactive material. Bypasses for the neutron monitoring system channels are described in subsection 7.5, "Neutron Monitoring System." A manual keylock switch located in the control room permits the operator to bypass the scram discharge volume high level scram trip if the mode switch is in SHUTDOWN or REFUEL. This bypass allows the operator to reset the RPS, so that the system is restored to operation while the operator drains the scram discharge volume. In addition to allowing the scram relays to be reset, actuating the bypass initiates a control rod block. An annunciator in the control room indicates the bypass condition. The arrangement of bypasses meets safety design basis 8b.

When performing a plant shutdown by inserting all control rods (soft shutdown), the scram function generated from the mode switch being placed in SHUTDOWN may be temporarily bypassed under administrative controls. Administrative procedures during this evolution ensure licensed operator cognizance of RPS condition and therefore, the intent of safety design basis 8b is satisfied.

7.2.3.9 Instrumentation Channels providing inputs to the RPS are not used for automatic control of process systems; thus, the operations of protection and process systems are separated. The RPS instrumentation, shown in Drawing M-1-T-49, Sheets 3 and 6, is discussed as follows:

1. Neutron monitoring system instrumentation is described in subsection 7.5, "Neutron Monitoring System." Figure 7.2.8 clarifies the relationship between neutron monitoring system channels, neutron monitoring system logics, and the RPS logics. The neutron monitoring system channels are considered part of the neutron monitoring system.

CHAPTER 07 7.2-16 REV. 28, APRIL 2021

PBAPS UFSAR The neutron monitoring system logics are considered part of the RPS. As shown in Figure 7.2.9, there are four neutron monitoring system logics associated with each trip system of the RPS. Each RPS logic receives inputs from two neutron monitoring system logics. Each neutron monitoring system logic receives signals from one WRNM channel and one APRM voter channel. The position of the mode switch determines which input signals will affect the output signal from the logic. The arrangement of neutron monitoring system logics is such that the failure of any one logic cannot prevent the initiation of a high neutron flux scram.

2. Reactor pressure is measured at two separate locations.

A pipe from each location is routed through the primary containment and terminates in the reactor building. Two locally mounted, analog pressure transmitters monitor the pressure in each pipe. The pressure transmitters are connected to indicating electronic trip units located in one of two separate trip unit panels in the reactor building. The two pairs of pressure transmitters and trip units are physically separated.

Each trip unit provides a high-pressure signal to one channel. The trip units are arranged so that each pair provides an input to trip system A and trip system B, as shown in Figure 7.2.10. The physical separation and the signal arrangement assure that no single physical event can prevent a scram due to nuclear system high pressure.

3. Reactor vessel low water level signals are initiated from level transmitters which sense level from the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The level transmitters drive indicating electronic trip units. The level transmitters and trip units are arranged in pairs in the same way as the nuclear system high-pressure transmitters and trip units (Figure 7.2.10). Two instrument lines attached to taps, one above and one below the water level, on the reactor vessel are required for the differential pressure measurement for each pair of level transmitters. The two pairs of lines terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The RPS pressure sensors, as well as instruments for other systems, sense pressure and level CHAPTER 07 7.2-17 REV. 28, APRIL 2021

PBAPS UFSAR from these same lines. The physical separation and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level.

4. Turbine stop valve closure inputs to the RPS are from valve stem position switches mounted on the four turbine stop valves. Each of the double pole, single throw switches is arranged to open before the valve is more than 15 percent closed to provide the earliest positive indication of closure. Either of the two channels associated with one stop valve can signal valve closure, as shown in Figure 7.2.11. The logic is arranged so that closure of three or more valves initiates a scram.
5. Turbine control valve fast closure inputs to the RPS are from pressure switches in the hydraulic control system.

The loss of hydraulic fluid pressure is used to effect fast closure of the turbine control valves. These pressure switches on the hydraulic control system provide signals to the RPS trip systems, as shown in Figure 7.2.10.

6. There are eight main steam line isolation channels, two for each main steam line. Each channel senses isolation of the associated main steam line via a valve stem position switch on each isolation valve in the main steam line. The double pole, single throw switch on each main steam line isolation valve is arranged to open before the valve is more than 15 percent closed to provide the earliest indication of isolation. The closure of either valve in a main steam line causes both channels associated with that steam line to signal isolation. Figure 7.2.2 shows the arrangement of main steam line isolation channels. The main steam line isolation valve closure scram function is effective only when the reactor mode switch is in RUN.

The outputs from the channels are combined in RPS logic in such a way that the isolation of three or four main steam lines (closure of one valve in each main steam line) causes a scram. Figure 7.2.2 shows the logic arrangement. Wiring of the isolation channels from any one main steam line is physically separated in the same way that wiring to duplicate sensors on a common process tap is separated. The effects of the logic arrangement CHAPTER 07 7.2-18 REV. 28, APRIL 2021

PBAPS UFSAR and separation provided for the main steam line isolation valve closure scram are as follows:

a. Closure of one valve for test purposes with one steam line already isolated without causing a scram due to valve closure.
b. Automatic scram upon isolation of all steam lines.
c. No single failure can prevent an automatic scram required for fuel protection due to main steam line isolation.
7. Scram discharge volume high water level inputs to the RPS are from four switches located in the reactor building. Each switch provides an input into one channel (Figure 7.2.10). The switches are arranged in pairs so that no single event prevents a reactor scram due to scram discharge volume high water level. One pair of switches uses non-indicating float switches. The other pair of switches uses a thermal dispersion principle for level measurement. With the scram setting as listed in Table 7.2.1, a scram is initiated when sufficient capacity remains in the tank to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting.
8. Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell in the reactor building. The pressure transmitters drive indicating electronic trip units which are located in one of two separate panels in the reactor building. Each trip unit provides an input to one channel (Figure 7.2.10). Pipes that terminate in the secondary containment (reactor building) connect the pressure transmitters with the drywell interior. The pressure transmitters and trip units are grouped in pairs, physically separated, and electrically connected to the RPS so that no single event will prevent a scram due to primary containment high pressure.
9. Main steam line radiation is monitored by four radiation monitors, which are discussed and evaluated in paragraph 7.12.1 "Main Steam Line Radiation Monitoring System."

Each monitor provides a trip signal to one channel when CHAPTER 07 7.2-19 REV. 28, APRIL 2021

PBAPS UFSAR high gamma radiation is detected in the vicinity of the main steam lines (Figure 7.2.10).

10. Main condenser low vacuum is sensed by four vacuum pressure transmitters that provide inputs to associated trip units. The vacuum pressure transmitters and associated trip units are arranged as shown in Figure 7.2.12.
11. Deleted
12. Two turbine first stage pressure switches are provided for each trip system to initiate the automatic bypass of the turbine control valve fast closure and turbine stop valve closure scrams when reactor thermal power is below 26.3 percent (as indicated by turbine first stage pressure with no 3rd, 4th, or 5th feedwater heaters in service). The switches are arranged so that no single failure can prevent a turbine stop valve closure scram or turbine control valve fast closure scram.

Channel and logic relays are fast response, high reliability relays. Power relays for interrupting the scram pilot valve solenoids are type CR105 or equivalent magnetic contactors, made by the General Electric Company. All RPS relays are selected so that the continuous load will not exceed 50 percent of the continuous duty rating. Component electrical characteristics are selected so that the system response time, from the opening of a sensor contact up to and including the opening of the trip actuator contacts, is less than 50 milliseconds. The time requirements for control rod movement are discussed in subsection 3.4, "Reactivity Control Mechanical Design."

Environmental qualification of RPS equipment is provided in subsection 7.19.

To gain access to those calibration and trip setting controls that are located outside the control room, a cover plate, access plug, or sealing device must be removed by authorized personnel before any adjustment in trip settings can be effected.

7.2.3.10 Wiring Wiring and cables for RPS instrumentation are selected to avoid excessive deterioration due to temperature and humidity during the design life of the plant. Cables and connectors used inside the primary containment are designed for continuous operation at an CHAPTER 07 7.2-20 REV. 28, APRIL 2021

PBAPS UFSAR ambient temperature of 150F and a relative humidity of 99 percent.

Cables required to carry low level signals (currents of less than 1 milliampere or voltages of less than 100 millivolts) are designed and installed to minimize electrostatic and electromagnetic pickup from power cables and other AC or DC fields; ferromagnetic conduits are used. Low level signal cables are routed separately from all power cables.

Wiring for the RPS outside of the enclosures in the control room is run in rigid metallic conduits used for no other wiring (note exceptions described in Sec. 8.4.5). The wires from duplicate sensors on a common process tap are run in separate conduits.

Wires for sensors of different variables in the same RPS logic may be run in the same conduit.

The scram pilot valve solenoids are powered from eight actuator logic circuits: four circuits from trip system A and four from trip system B. The four circuits associated with any one trip system are run in separate conduits. One actuator logic circuit from each trip system may be run in the same conduit; wiring for the two solenoids associated with any one control rod may be run in the same conduit.

Electrical panels, junction boxes, and components of the RPS are prominently identified by nameplate. Circuits entering junction boxes are conspicuously marked inside the boxes. Wiring and cabling outside cabinets and panels are identified by color, tag, or other conspicuous means.

7.2.4 Safety Evaluation The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrities of the fuel barrier and the nuclear system process barrier. It is the objective of Section 14.0, "Plant Safety Analysis," to identify and evaluate events that challenge the fuel barrier and nuclear system process barrier. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that section.

Design procedure has been to select tentative scram trip settings that are far enough above or below normal operating levels that spurious scrams and operating inconvenience are avoided; it is then verified by analysis that the reactor fuel and nuclear system CHAPTER 07 7.2-21 REV. 28, APRIL 2021

PBAPS UFSAR process barrier are protected as is required by the basic objective. In all cases, the specific scram trip point selected is not the only value of the trip point which results in acceptable results relative to the fuel or nuclear system process barrier; trip setting selection is based on operating experience and constrained by the safety design basis. The scrams initiated by neutron monitoring system variables, nuclear system high pressure, turbine stop valve closure, turbine control valve fast closure, and reactor vessel low water level are sufficient to prevent excessive fuel damage following abnormal operational transients.

Section 14.0, "Plant Safety Analysis," identifies and evaluates the threats to fuel integrity posed by abnormal operational events. In no case does excessive fuel damage result from abnormal operational transients. The RPS meets the timeliness and precision requirements of safety design basis 1.

The evaluation of the scram function provided by the neutron monitoring system is presented in the section describing that system as well as in Section 14.0, "Plant Safety Analysis."

The scram initiated by nuclear system high pressure, in conjunction with the pressure relief system is sufficient to prevent damage to the nuclear system process barrier as a result of internal pressure. For turbine-generator trips, the turbine stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the maximum allowed nuclear system pressure than would the high pressure scram alone. Section 14.0, "Plant Safety Analysis," identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases; in no case does pressure exceed the maximum allowed nuclear system pressure. The RPS meets the timeliness and precision requirements of safety design basis 2.

The scrams initiated by the neutron monitoring system, main steam isolation valve closure, and reactor vessel low water level satisfactorily limit the radiological consequences of gross failure of the fuel or nuclear system process barriers. Section 14.0, "Plant Safety Analysis," evaluates gross failures of the fuel and nuclear system process barriers; in no case does the release of radioactive material to the environs exceed the guideline values of published regulations. The RPS meets the precision requirements of safety design basis 3.

Because the RPS meets the timeliness and precision requirements of safety design bases 1, 2, and 3, monitoring variables that are CHAPTER 07 7.2-22 REV. 28, APRIL 2021

PBAPS UFSAR true, direct measures of operational conditions, it is concluded that safety design basis 4 is met.

Because the RPS meets the precision requirements of safety design bases 1, 2, and 3, using instruments with the characteristics described in Table 7.2.1, it is concluded that safety design basis 5 is met.

Neutron flux (the neutron monitoring system variable) is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations of neutron flux detectors is discussed in subsection 7.5, "Neutron Monitoring System." Because the precision requirements of safety design basis 1, 2, and 3 are met using the neutron monitoring system as described, it is concluded that the number of sensors for spatially dependent variables satisfies safety design basis 6.

The items of safety design basis 7 specify the requirements that must be fulfilled for the RPS to meet the reliability requirements of safety design bases 1, 2, and 3. It has already been shown in the description of the RPS that safety design basis 7f has been met. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities. The following discussion evaluates these subjects.

In terms of protection system nomenclature, the RPS is a one-out-of-two system used twice (1 of 2 x 2). Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system. However, since the differences are slight, they can, in a practical sense, be neglected. The advantage of the dual trip system arrangement is that it can be tested during reactor operation without causing a scram. This capability for a testing program, which contributes significantly to increased reliability, is not possible for a one-out-of-two system.

The use of independent channels allows the system to sustain any channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or channel failure will cause a single trip system trip and actuate alarms that identify the trip. The failure of two or more sensors or channels would cause either a single trip system trip, if the failures were confined to one trip system, or a reactor scram, if the failures occurred in different trip systems. Any intentional bypass, maintenance operation, calibration operation, or test leaves sufficient channels per monitored variable capable of CHAPTER 07 7.2-23 REV. 28, APRIL 2021

PBAPS UFSAR initiating a scram. The resistance to spurious scrams contributes to plant safety, because unnecessary cycling of the reactor through its operating modes would increase the probability of error or actual failure. It is concluded from the preceding paragraphs evaluating the logic, redundancy, and failure characteristics of the RPS that the system satisfies the reliability requirement stated in safety design bases 7a and 7b.

Any actual condition in which an essential monitored variable exceeds its scram trip point is sensed by at least two independent channels in each trip system. Because only one channel must trip in each trip system to initiate a scram, the arrangement of two channels per monitored variable per trip system provides assurance that a scram will occur as any monitored variable exceeds its scram setting.

Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot valve solenoid for any control rod fails to deenergize when a scram is required. It is concluded from the evaluations in the above paragraphs that the RPS meets safety design basis 7c.

Electronic sensors, channels, and logics of the RPS are not used in the process control systems. Therefore, failure in the controls and instrumentation logic systems of process systems cannot induce failure of any portion of the protection system.

This meets safety design basis 7d.

Failure of either RPS M-G set would result in a single trip system trip. Alternate power is available to the RPS buses. A complete, sustained loss of electrical power to both M-G sets would result in a scram, delayed by the M-G set flywheel inertia, in about 8 sec. This meets safety design basis 7e.

The environmental conditions in which the instruments and equipment of the RPS must operate are given in subsection 7.19.

RPS components located inside the primary containment must function in the environment resulting from a break of the nuclear system process barrier. Components located inside the primary containment are the condensing chambers. The condensing chambers are similar to those that have successfully undergone qualification testing in connection with other projects.

CHAPTER 07 7.2-24 REV. 28, APRIL 2021

PBAPS UFSAR The environmental capabilities of the RPS components, combined with the previously described physical and electrical isolation of sensors and channels, satisfy safety design basis 7g.

Safe shutdown of the reactor during earthquake ground motion is assured by the design of the system as a seismic Class I system and by the fail-safe characteristics of the system. The system only fails in a direction that causes a reactor scram when subjected to extremes of vibration and shock. This meets safety design basis 7h.

The scram discharge volume level switches are arranged in pairs.

Each pair of switches uses a different principle of water level measurement. This ensures that a common mode failure of the switches of one design will not prevent a scram on high scram discharge volume water level. This meets safety design basis 7i.

Calibration and test controls for the neutron monitoring system are located in the control room and are, because of their physical location, under the direct control of the control room operators.

Calibration and test controls for pressure switches, level switches, pressure transmitters, trip units, and valve position switches are located on the switches, transmitters, and trip units themselves. These devices are located in the turbine building, reactor building, and primary containment, and are equipped with cover plates and/or sealing mechanisms to prevent unauthorized adjustment. The control room operator is responsible for granting access to the setting controls to properly qualified plant personnel for the purpose of testing or calibration adjustments.

This meets safety design basis 8a.

It has been shown in the description of the RPS that safety design bases 8b, 9, 10a, and 10b are satisfied.

The following section covering inspection and testing of the RPS demonstrates that safety design basis 11 is satisfied.

7.2.5 Inspection and Testing The RPS can be tested during reactor operation by five separate tests. The first of these is the manual trip actuator test. By depressing the manual scram button for one trip system, the manual logic actuators are deenergized, opening contacts in the actuator logics. After resetting the first trip system, the second trip system is tripped with the other manual scram button. The total test verifies the ability to deenergize all eight groups of scram pilot valve solenoids by using the manual scram push button CHAPTER 07 7.2-25 REV. 28, APRIL 2021

PBAPS UFSAR switches. Scram group indicator lights verify that the actuator contacts have opened.

The second test is the automatic actuator test which is accomplished by operating, one at a time, the keylocked test switches for each automatic logic. The switch deenergizes the actuators for that logic, causing the associated actuator contacts to open. The test verifies the ability of each logic to deenergize the actuator logics associated with the parent trip system. The actuator and contact action can be verified by observing the alarming of a tripped condition of these devices.

The third test includes calibration of the neutron monitoring system by means of simulated inputs from calibration signal units.

Subsection 7.5, "Neutron Monitoring System," describes the calibration procedure.

The fourth test is the single rod scram test which verifies capability of each rod to scram. It is accomplished by operation of toggle switches on the protection system operations panel.

Scram time data can be gathered for each rod scrammed. Prior to the test, a physics review must be conducted to assure that the rod pattern during scram testing does not create a rod of excessive reactivity worth.

The fifth test involves the application of a test signal to each RPS channel in turn and observing that a logic trip results. This test also verifies the electrical independence of the channel circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps.

Reactor Protection System channels are tested to verify sensor-to-actuation response times are maintained below the 50 ms requirement. The RPS can be tested during reactor operation by an overlapping series of tests.

The PMS process computer verifies the condition of many sensors during plant startups and shutdowns. Main steam line isolation valve position switches and turbine stop valve position switches can be checked in this manner. The verification provided by the alarm computer is not considered in the selection of test and calibration frequencies and is not required for plant safety.

The provisions for functionally testing and calibrating the RPS meet the requirements of safety design basis 11. The methods of calibrating RPS instruments are provided in Table 7.2.3.

CHAPTER 07 7.2-26 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.2.1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS Scram Function Instrument Accuracy(1) Trip Setting(2)

Neutron monitoring See subsection 7.5, "Neutron Monitoring System" system scram Nuclear system Pressure transmitter and +/-1% 1,101 psig high pressure indicating trip unit Reactor vessel low Level transmitter and +/-3.5 529 in above water level indicating trip unit vessel zero Turbine stop Position switch --- Before 1% valve valve closure closure Turbine control Pressure switch --- 400 psig valve fast closure Main steam line iso- Position switch --- Before 15% valve lation valve closure closure Scram discharge volume Level switch Repeatable within 50.36 gal high water level trip setting tolerance Primary containment Pressure transmitter and +/-0.05 psi 2.5 psig high pressure indicating trip unit Main steam line See subsection 7.12, "Main Steam Line Radiation Monitoring System" high radiation Condenser low vacuum Pressure transmitter and +/-0.3 in Hg Vacuum 20.5 in Hg Vacuum indicating trip unit (1)Instruments for this service have accuracy within the range over the actually purchased full scale.

(2)The values given here have been used in the setpoint analysis; however, the allowable values are listed in the plant's Technical Specifications.

CHAPTER 07 7.2-27 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.2.2 REACTOR PROTECTION SYSTEM ACTIONS (Various Positions of the Mode Switch)

Mode Turbine Reactor Power Switch Operating Inlet Position State(1) Pressure 0% (Shutdown) >0% - <15% 15 - 30% >30%

RUN B,D <850 psig Plant scram occurs due to MSIV closure from Group I isolation signal at <850 psig in run mode.

RUN D 850 psig Not a possible All RPS inputs active except All RPS inputs condition for WRNMs, APRM Neutron Flux-High (Setdown), active except WRNMs Operating State D OPRM upscale, turbine control vlv fast closure, and APRM Neutron and turbine stop vlv not full open Flux-High (Setdown)

RUN A,C Any Not a possible condition for Operating States A and C STARTUP A,B,C,D Any All RPS inputs active except APRM Not a possible condition. Plant Simulated Thermal Power-High, APRM scram occurs on APRM Neutron Neutron Flux High, OPRM upscale, MSIV closure, Flux-High (Setdown) when not in condenser low vacuum, turbine RUN mode control vlv fast closure, and turbine stop vlv not full open REFUEL B,D 0 Not a possible Not a possible condition, only one control rod may be condition for not-full-in at a time (refuel mode one rod permissive)

State B and D therefore criticality not possible REFUEL A,C 0 (See startup for Not a possible condition for Operating States A and C 0 - <25% power)

SHUTDOWN A,B,C,D 0 Not a possible condition, plant scram occurs with mode switch in shutdown (1)See Appendix G (2)All numbers shown are analytical limits CHAPTER 07 7.2-28 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.2.3 REACTOR PROTECTION SYSTEM INSTRUMENT CALIBRATION METHODS Instrument Channel Calibration Method WRNM Period Trip Comparison to Standard Frequency Source APRM High Flux Heat Balance and Comparison to Standard Simulated Thermal Power Frequency, Voltage and Resistance Source OPRM Upscale (all), Standard Pressure Source (Flow Flow Bias Signal Bias only)

LPRM Signal TIP System Traverse High Reactor Pressure Standard Pressure Source High Drywell Pressure Standard Pressure Source Reactor Low Water Level Pressure Standard High Water Level in Scram Water Column Discharge Instrument Volume Turbine Condenser Low Vacuum Standard Vacuum Source Main Steam Line Isolation Valve Physical Inspection and Actuation of these Closure Position Switches will be Performed During the Refueling Outages Main Steam Line High Radiation Standard Current Source Turbine First State Pressure Standard Pressure Source Permissive CHAPTER 07 7.2-29 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.2.3 (continued)

REACTOR PROTECTION SYSTEM INSTRUMENT CALIBRATION METHODS Instrument Channel Calibration Method Turbine Control Valve Fast Standard Pressure Source Closure Oil Pressure Trip Turbine Stop Valve Closure Physical Inspection and Actuation of these Position Switches will be Performed During the Refueling Outages CHAPTER 07 7.2-30 REV. 21, APRIL 2007

PBAPS UFSAR 7.3 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM 7.3.1 Safety Objective To provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barrier, the primary containment and reactor vessel isolation control system initiates automatic isolation of appropriate lines which penetrate the primary containment whenever monitored variables exceed preselected operational limits.

A gross failure of the fuel barrier would allow the escape of fission products from the fuel. A gross failure of the nuclear system process barrier could allow the escape of gross amounts of reactor coolant. The loss of coolant could lead to overheating and failure of the fuel. For a gross failure of the fuel, the primary containment and reactor vessel isolation control system initiates isolation of the reactor vessel to contain released fission products. For a gross breach in the nuclear system process barrier outside the primary containment, the isolation control system acts to interpose additional barriers between the reactor and the breach, thus stopping the release of radioactive materials and conserving reactor coolant. For gross breaches in the nuclear system process barrier inside the primary containment, the primary containment and reactor vessel isolation control system acts to close off release routes through the primary containment barrier, thus trapping the radioactive material coming through the breach inside the primary containment.

7.3.2 Definitions Group A isolation valves are in lines that communicate directly with the reactor vessel and penetrate the primary containment.

These lines have two isolation valves in series, generally one inside the primary containment and one outside the primary containment.

Group B isolation valves are in lines that do not communicate directly with the reactor vessel, but penetrate the primary containment and communicate with the primary containment free space. These lines generally have two isolation valves in series, usually both of them outside the primary containment.

Group C isolation valves are in lines that penetrate the primary containment but do not communicate directly with the reactor CHAPTER 07 7.3-1 REV. 27, APRIL 2019

PBAPS UFSAR vessel, nor do they open into the primary containment. These lines are provided with at least one valve located outside the primary containment.

7.3.3 Safety Design Basis

1. To limit the uncontrolled release of radioactive materials to the environs, the primary containment and reactor vessel isolation control system, with precision and reliability, initiates timely isolation of penetrations through the primary containment structure which could otherwise allow the uncontrolled release of radioactive materials whenever the values of monitored variables exceed preselected operational limits.
2. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, the primary containment and reactor vessel isolation control system responds correctly to the sensed variables over the expected range of magnitudes and rates of change.
3. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, an adequate number of sensors are provided for monitoring essential variables that have spatial dependence.
4. To provide assurance that conditions indicative of a gross failure of the nuclear system process barrier are detected with sufficient timeliness and precision to fulfill safety design basis 1, primary containment and reactor vessel isolation control system inputs are derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.
5. The time required for closure of the main steam line isolation valves is short, so that the release of radioactive material and the loss of coolant as a result of a breach of a steam line outside the primary containment are minimal.
6. The time required for closure of the main steam isolation valves is not so short that inadvertent isolation of steam lines causes excessive fuel damage or excessive nuclear system pressure. This basis ensures that the main steam isolation valve closure speed is compatible with the ability of the RPS and pressure relief system to protect the fuel and nuclear system process barrier.

CHAPTER 07 7.3-2 REV. 27, APRIL 2019

PBAPS UFSAR

7. To provide assurance that closure of Group A and Group B automatic isolation valves is initiated, when required, with sufficient reliability to fulfill safety design basis 1, the following safety design bases are specified for the systems controlling Group A and Group B automatic isolation valves:
a. No single failure within the isolation control system prevents isolation action when required to satisfy safety design basis 1.
b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the functional ability of the isolation control system to respond correctly to essential monitored variables.
c. The system is designed for a high probability that when any essential monitored variable exceeds the isolation set point, the event either results in automatic isolation or does not impair the ability of the system to respond correctly as other monitored variables exceed their trip points.
d. Where a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system meet the requirements of safety design bases 1, 2, 3, and 7a.
e. The power supplies for the primary containment and reactor vessel isolation control system are arranged so that loss of one supply cannot prevent automatic isolation when required.
f. The system is designed so that, once initiated, automatic isolation action goes to completion. Return to normal operation after isolation action requires deliberate operator action.
g. There is sufficient electrical and physical separation between trip channels monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.

CHAPTER 07 7.3-3 REV. 27, APRIL 2019

PBAPS UFSAR

h. Earthquake ground motions due to the maximum credible earthquake do not impair the ability of the primary containment and reactor vessel isolation control system to initiate automatic isolation.
8. The following safety design bases are specified to assure that the timely isolation of main steam lines is accomplished, when required, with extraordinary reliability:
a. The motive force for achieving valve closure for one of the two tandem-mounted isolation valves in an individual steam line is derived from a different energy source than that for the other valve.
b. At least one of the isolation valves in each of the steam lines does not rely on continuity of any variety of electrical power for the motive force to achieve closure.
9. To reduce the probability that the operational reliability and precision of the primary containment and reactor vessel isolation control system are degraded by operator error, the following safety design bases are specified for Group A and Group B automatic isolation valves:
a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables is under the control of the control room operator or other administrative personnel.
b. The means for bypassing channels, logics, or system components are under the administrative control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact is continuously indicated in the control room.
10. To provide the operator with means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier, it is possible for the control room operator to manually initiate isolation of the primary containment and reactor vessel.
11. The following bases are specified to provide the operator with the means to assess the condition of the primary containment and reactor vessel isolation control system and CHAPTER 07 7.3-4 REV. 27, APRIL 2019

PBAPS UFSAR to identify conditions indicative of a gross failure of the nuclear system process barrier:

a. The primary containment and reactor vessel isolation control system is designed to provide the operator with information pertinent to the status of the system.
b. Means are provided for prompt identification of channel and trip system responses.
12. It is possible to check the operational availability of each essential channel and logic during the reactor operation.

7.3.4 Description 7.3.4.1 Identification The primary containment and reactor vessel isolation control system includes sensors, trip units, channels, pressure compensation instruments, relays, relay contact output cards, switches, and remotely activated valve closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment or reactor vessel, or both. The control systems for those Group A and B isolation valves which close by automatic action pursuant to the safety design bases are the main subjects of this section. Group A and B check valves are also included even though no control system is involved. Testable check valves are also included because they provide the operator with an ability to verify that the check valve disc can respond to reverse flow.

The primary containment and reactor vessel isolation control system is designed to meet the intent of the IEEE proposed criteria for nuclear power plant protection systems (IEEE-279 of August, 1968). GE Topical Report NEDO-10139, "Compliance of Protection Systems to Industry Criteria: GE Boiling Water Reactor Nuclear Steam Supply System," details compliance of primary containment and reactor vessel isolation with IEEE-279-1968.

Appendix H contains an evaluation of the facility with respect to the 70 General Design Criteria for Nuclear Power Plant Construction Permit (July, 1967).

7.3.4.2 Power Supply The power for the channels and logics of the isolation control system is supplied from the RPS M-G sets. Isolation valves receive power from standby power sources. Power for the operation CHAPTER 07 7.3-5 REV. 27, APRIL 2019

PBAPS UFSAR of two valves in a line is fed from different sources. In most cases, one valve is powered from an AC bus of appropriate voltage, and the other is powered by DC from the station batteries. The main steam isolation valves, which are described in detail later, use ac, dc, and pneumatic pressure and valve actuator springs in the control scheme. Table 7.3.1 lists the power supply for each isolation valve.

7.3.4.3 Physical Arrangement Table 7.3.1 lists all piping penetrations of the primary containment and the valves associated with these penetrations.

Lines which penetrate the primary containment and are in direct communication with the reactor vessel generally have two Group A isolation valves, one inside the primary containment and one outside the primary containment. Lines which penetrate the primary containment and which communicate with the primary containment free space, but which do not communicate directly with the reactor vessel, generally have two Group B isolation valves located outside the primary containment. Valves in lines that have core standby cooling as their primary function (Group C valves) are described with their own system; however, they have been included in Table 7.3.1. Figures 7.3.11a through 7.3.11tt show the containment isolation valve arrangements for the primary containment penetrations listed in Table 7.3.1.

Power cables are run in conduits or trays from appropriate electrical sources to the motor or solenoid involved in the operation of each isolation valve. The control arrangement for the main steam line isolation valves includes pneumatic piping and an accumulator for those valves for which air is considered the emergency source of motive power for closing. Pressure and water level sensors are mounted on instrument racks in either the reactor building or the turbine building. Valve position switches are enclosed in cases to protect them from environmental conditions. All signals transmitted to the control room are electrical; no pressure lines from the nuclear system or the primary containment penetrate the control room. Lines used to transmit level information from the reactor vessel to sensing instruments terminate inside the secondary containment (reactor building). The sensor cables and power supply cables are routed to cabinets in the control room or cable spreading room where the logic arrangements of the system are formed.

To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control systems required for the automatic closure of Group A CHAPTER 07 7.3-6 REV. 27, APRIL 2019

PBAPS UFSAR and Group B valves are designed as seismic Class I equipment as described in Appendix C. This meets safety design basis 7h.

7.3.4.4 Logic The basic logic arrangement is one in which an automatic isolation valve is controlled by two trip systems. Where many isolation valves close on the same signal, two trip systems control the entire group. Where just one or two valves must close in response to a special signal, two trip systems may be formed from the instruments provided to sense the special condition. Valves that respond to the signals from common trip systems are identified in the detailed descriptions of isolation functions (paragraph 7.3.4.7).

Each trip system is made up of two independent logic channels, each logic channel having inputs from essential monitored variables. A total of four channels are required for the actuator logics of both trip systems. Figures 7.3.2 and 7.3.3 illustrate typical isolation control arrangements for motor-operated valves and for the main steam line isolation valves. The two logic channels of one trip system are connected to form a one-out-of-two logic arrangement and are in turn connected with the logic channels of the other trip system to form a one-out-of-two taken twice logic for the trip system actuator logic. To initiate a motor-operated valve closure, one actuator logic must be tripped.

To initiate a main steam line isolation valve closure, both actuator logics must be tripped.

The basic logic arrangement just described does not apply to testable check valves. Exceptions to the basic logic arrangement are made for the HPCI and RCIC isolation valves as described below and for the main steam line drain valves, the logic for which is shown in Drawing M-1-CC-13, Sheets 4 and 16.

7.3.4.5 Operation During normal operation of the isolation control system, when isolation is not required, sensor and trip contacts essential to safety are closed: channels, logics, and actuators are normally energized (fail safe logic). Whenever a channel sensor contact opens, its auxiliary relay deenergizes, causing a contact in the logic to open. The opening of the contact in the logic deenergizes its actuator. When deenergized, the actuator opens contacts in the actuator logics. If a trip then occurs in either of the logic channels of the other trip system, both actuator logics are deenergized. With both trip systems tripped, CHAPTER 07 7.3-7 REV. 27, APRIL 2019

PBAPS UFSAR appropriate contacts open or close in valve control circuitry to actuate valve closing mechanisms. Automatic isolation valves that are normally closed receive the isolation signal as well as those valves that are open. The control system for each Group A isolation valve is designed to provide closure of the valve in time to prevent uncovering the fuel as a result of a break in the line which the valve isolates. The control systems for Group A and Group B isolation valves are designed to provide closure of the valves with sufficient rapidity to restrict the release of radioactive material to the environs below the guideline values of applicable regulations.

The HPCI and RCIC isolation valves, due to their service, are exceptions to the above description and use nonfail-safe logic.

When isolation is not required, sensor and trip contacts are open; channels, logics, and actuators are normally deenergized.

Operation is opposite to that described above.

All automatic isolation valves can be closed by manipulating switches in the control room, thus providing the operator with means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier. This meets safety design basis 10.

Once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The isolation logic prevents resetting of the primary containment isolation signals unless the conditions which initiated the isolation have cleared and all of the associated isolation control valve manual switches have been placed in the "close" position.

After resetting of the isolation signals, the operator can reopen the isolation valves as needed during the post-isolation period.

The requirement to return all valve manual switches to the "close" position prevents the valves from moving from the closed position upon reset of the isolation signal. Unless manual override features have been provided in the manual control circuitry, the operator cannot open an isolation valve with an isolation signal present. This is the equivalent of a manual reset and meets safety design basis 7f.

A trip of an isolation control system channel is annunciated in the control room so that the operator is immediately informed of the condition. The response of isolation valves is indicated by "open-closed" lights. All motor-operated isolation valves without an essential post-accident function have two sets of "open-closed" lights. One set is located near the manual control switches for controlling each valve from the control room panel. A second set CHAPTER 07 7.3-8 REV. 27, APRIL 2019

PBAPS UFSAR is located in a separate central isolation valve position display in the control room. The positions of pneumatically operated isolation valves are displayed in the same manner as motor-operated valves, with the exception of AO-23C-4807 (Unit 2 only) which has only one "open-closed" lights in the control room near its manual control switch.

In addition, the inflatable seal pressures of various isolation valves are monitored by pressure switches, that are set at predetermined low pressure values to activate control room annunciator alarms and the associated isolation valve red indicating lights.

Inputs to annunciators, indicators, and the computer (PMS) are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system.

Signals directly from the isolation control system sensors are not used as inputs to annunciating or data logging equipment.

Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the primary containment and reactor vessel isolation control system satisfies safety design bases 11a and 11b.

7.3.4.6 Isolation Valve Closing Devices and Circuits Table 7.3.1 itemizes the type of closing device provided for each isolation valve intended for use in automatic or remote manual isolation of the primary containment or reactor vessel. To meet the requirement that automatic Group A valves be fully closed in time to prevent the reactor vessel water level from falling below the top of the active fuel as a result of a break of the line which the valve isolates, the valve closing mechanisms are designed to give the minimum closing rates specified in Table 7.3.1. In many cases, a standard closing rate of 12 ipm for a gate valve is adequate to meet isolation requirements. Because of the relatively long time required for fission products to reach the containment atmosphere following a break in the nuclear system process barrier inside the primary containment, a standard closure rate is adequate for the automatic closing devices on Group B isolation valves. The design closure times for the various automatic isolation valves essential to reactor vessel isolation and those essential to primary containment isolation are given in Table 7.3.1.

Motor operators for isolation valves are selected with capabilities suitable to the physical and environmental CHAPTER 07 7.3-9 REV. 27, APRIL 2019

PBAPS UFSAR requirements of service. The required valve closing rates were considered in designing motor operators. Appropriate torque and limit switches are used to ensure proper valve seating.

Handwheels, which are automatically disengaged from the motor operator when the motor is energized, are provided for local-manual operation.

The control circuits of motor operators for automatically operated isolation valves are arranged so that motor thermal overload protection is provided for manual operation of the valves, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload. During automatic operation, the thermal overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received.

The operator can override the thermal overload circuit by continuously holding the spring return control switch in the "operate" position during manual operation.

Direct solenoid-operated isolation valves and solenoid air pilot valves are chosen with electrical and mechanical characteristics which make them suitable for the service for which they are intended. Appropriate watertight or weathertight housings are used to ensure proper operation under accident conditions.

The pneumatic actuator used for testable check valves is designed to allow opening the valve at near 0 psi differential pressure across the valve. The actuator cannot close the valve against forward flow or prevent the closing of the valve against reverse flow. Thus, the check valve neither hinders forward fluid flow nor fails to stop reverse flow regardless of the condition of the actuator.

The main steam isolation valves are spring-closing, pneumatic, piston-operated valves designed to close upon loss of power to both solenoid operated pilot valves. The control arrangement is shown in Figure 7.3.4 and Drawing M-1-CC-13, Sheets 3 and 15.

Closure time for the valves is adjustable between 3 and 10 sec.

Each valve is piloted by two, three-way, packless, direct-acting, solenoid-operated pilot valves: one powered by ac, the other by dc. An accumulator(s) is located close to each isolation valve to provide pneumatic pressure to assist valve closing in the event of failure of the normal air supply system.

The valve pilot system and the pneumatic lines, as shown in Figure 7.3.4, are arranged so that when one or both solenoid-operated pilot valves are energized, normal pneumatic supply provides CHAPTER 07 7.3-10 REV. 27, APRIL 2019

PBAPS UFSAR pneumatic pressure to the air-operated pilot valve to direct air pressure to the main valve pneumatic operator to open the valve.

This overcomes the closing force exerted by the spring to keep the main valve open. When both pilots are deenergized, as would be the result of both trip systems tripping or placing the manual switch in the closed position, the path through which the pressure acts is switched so that the opposite side of the valve operator is pressurized, thus assisting the spring in closing the valve.

In the event of the normal pneumatic supply failure for an outboard MSIV, the loss of pneumatic pressure causes the pneumatically operated pilot valve to move by spring force to the position resulting in the underside of the actuator cylinder to be vented to the atmosphere. In the event of normal and safety related pneumatic (i.e., local accumulator system) supply failure for an inboard MSIV, the loss of pneumatic pressure causes the pneumatically operated pilot valve to move by spring force to the position resulting in the underside of the actuator cylinder to be vented to containment. Main valve closure is then effected by means of the pneumatic supply stored in the accumulator(s) and assisted by the spring.

Pneumatic pressure, acting alone, and the force exerted by the spring, acting alone, are each capable of independently closing the valve under all postulated design basis accident conditions except the most severe cases involving high ambient pressure.

Accumulator capacity is provided for the isolation valves inside the primary containment (inboard) to assure closure by pneumatic pressure and spring force with the vented side of the piston operator at the primary containment peak accident pressure. The outboard isolation valve is subjected to peak steam tunnel accent pressure. The accumulator volumes for inboard and outboard isolation valves are designed to provide enough pressure to close the valve in combination with the springs when the pneumatic supply to the accumulator has failed. The supply line to the accumulator is large enough to make up pressure to the accumulator at a rate faster than the valve operation bleeds pressure from the accumulator during valve opening or closing.

A separate, single, solenoid-operated pilot valve with an independent switch is included to allow manual testing of each isolation valve from the control room. The testing arrangement is designed to give a slow closure of the isolation valve being tested to avoid rapid changes in steam flow and nuclear system pressure. Two different tests are performed: partial slow closure and full slow closure. Although the MSIVs were designed to be able to be partially stroked during plant on-line operations, the frequency of testing MSIVs is governed by the TS CHAPTER 07 7.3-11 REV. 27, APRIL 2019

PBAPS UFSAR surveillance frequency and IST programs. The full slow closure time test (from 0 to 100% closed) for the valve is only performed during outages. Full slow closure of a valve during testing requires 45 to 60 seconds. The valve mechanical design is discussed further in subsection 4.6, "Main Steam Line Isolation Valves."

7.3.4.7 Isolation Functions and Settings The isolation trip settings of the primary containment and reactor vessel isolation control system are listed in Table 7.3.2. The functions that initiate automatic isolation are itemized in Table 7.3.1.

Although this section is concerned with the electrical control systems that initiate isolation to prevent direct release of radioactive material from the primary containment or nuclear system process barrier, the additional information given in Table 7.3.1 can be used to assess the overall (electrical and mechanical) isolation effectiveness of each system.

Isolation functions and trip settings used for the electrical control of isolation valves in fulfillment of the previously stated safety design bases are discussed in the following paragraphs. The role each isolation function plays in initiating isolation of barrier valves or groups of valves is illustrated in the functional control diagrams in Drawing M-1-CC-13, Sheets 3 through 12A, and 15 through 24. For the RCIC isolation valves see Drawing M-1-CC-38, Sheets 1, 2, 7 and 8, for the HPCI isolation valves see Drawing M-1-CC-39, Sheets 1 through 12, for the core spray isolation valves see Drawing M-1-CC-41, Sheets 1 through 8, for the reactor water cleanup isolation valves see Drawing M-1-CC-35, Sheets 1 through 4, and for the RHR isolation valves see Drawing M-1-CC-40, Sheets 1 through 14.

CHAPTER 07 7.3-12 REV. 27, APRIL 2019

PBAPS UFSAR

1. Reactor vessel low water level (Table 7.3.1, signals I(A), II(A), III(A), IV(E), VI, VII).

A low water level in the reactor vessel could indicate that either reactor coolant is being lost through a breach in the nuclear system process barrier or that the normal supply of reactor feedwater has been lost and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Reactor vessel low water level initiates closure of various Group A and Group B valves.

The closure of Group A valves is intended to either isolate a breach in any of the lines in which valves are closed or conserve reactor coolant by closing off process lines. The closure of Group B valves is intended to prevent the escape of radioactive materials from the primary containment through process lines which are in communication with the primary containment free space.

Three reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel. The first reactor vessel low water level isolation trip setting, which occurs at a higher water level than the second setting, initiates closure of all Group A and Group B valves in major process lines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core. The second and lower reactor vessel low water level isolation trip setting initiates closure of HPCI Test Line Valve MO-23-31. The third and lowest reactor vessel low water level isolation trip setting, completes the isolation of the primary containment and reactor vessel by initiating closure of the main steam isolation valves and any other Group A or Group B valves that must be shut to isolate minor process lines.

The first low water level setting, which is, coincidentally, the same as the reactor vessel low water level scram setting, was selected to initiate isolation at the earliest indication of a possible breach in the nuclear system process barrier, yet far enough below normal operational levels to avoid spurious isolation. Isolation of the following lines is initiated when reactor vessel low water level falls to this first setting (Table 7.3.1, signals II(A), III(A)):

a. RHR reactor shutdown cooling supply.
b. REMOVED.
c. RHR injection (if in shutdown cooling mode).
d. Reactor water cleanup.

CHAPTER 07 7.3-13 REV. 27, APRIL 2019

PBAPS UFSAR

e. Feedwater long path recirculation.
f. Suppression chamber water cleanup.
g. Drywell and suppression chamber nitrogen makeup supply.
h. Drywell equipment drain discharge.
i. Drywell floor drain discharge.
j. Drywell purge inlet.
k. Drywell instrument nitrogen supply.
l. Drywell main exhaust.
m. Suppression chamber instrument nitrogen supply.
n. Suppression chamber exhaust valve bypass.
o. Suppression chamber purge inlet.
p. Suppression chamber main exhaust.
q. Primary containment oxygen analyzer.
r. Drywell exhaust valve bypass.
s. Instrument nitrogen compressor suction.
t. TIP.

The second and lower reactor vessel low water level isolation setting is used to initiate reconfiguration of the portion of the HPCI system, which affects penetration isolation valves in this system (Table 7.3.1 signal IV(E)):

a. HPCI Test Line.

The third and lowest of the reactor vessel low water level isolation settings was selected low enough to allow the removal of heat from the reactor for a predetermined time following scram and high enough to complete isolation in time for the operation of CSCS's in the event of a large break in the nuclear system process barrier. This third low water level setting is low enough that partial losses of feedwater supply would not unnecessarily initiate full isolation of the reactor, thereby disrupting normal plant shutdown or recovery procedures. Isolation of the following lines is initiated when the reactor vessel water level falls to this third setting (Table 7.3.1, signals I(A)):

a. All four main steam lines.
b. Main steam line drain.
c. Reactor water sample line.
d. Main steam sample line.

CHAPTER 07 7.3-14 REV. 27, APRIL 2019

PBAPS UFSAR This third low water level signal is also used to initiate reconfiguration of portions of the RHRS and core spray system, which affects penetration isolation valves in these systems (Table 7.3.1, signals VI and VII).

a. RHR test and suppression pool cooling return line.
b. RHR drywell and torus spray lines.
c. Core spray test lines.
2. Main steam line high radiation High radiation in the vicinity of the main steam lines could indicate a gross release of fission products from the fuel.

High radiation near the main steam lines initiates an alarm to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiation levels within limits. Initiation of a high-high radiation alarm alerts the Operators to close any open reactor coolant sample lines and trips the mechanical vacuum pump, if running.

The high radiation alarm setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to promptly detect a gross release of fission products from the fuel. Further information regarding the high radiation set point is available in subsection 7.12, "Process Radiation Monitoring."

3. Main steam line space high temperature (Table 7.3.1, signal I(C)).

High temperature in the space in which the main steam lines are located outside the primary containment could indicate a breach in a main steam line. The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperatures occur in the main steam line space, the following lines are isolated:

a. All four main steam lines.
b. Main steam line drain.

CHAPTER 07 7.3-15 REV. 27, APRIL 2019

PBAPS UFSAR

c. Reactor water sample line.
d. Main steam sample line.

The main steam line space high temperature trip is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

4. Main steam line high flow (Table 7.3.1, signal I(B)).

Main steam line high flow could indicate a break in a main steam line. The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of main steam line high flow, the following lines are isolated:

a. All four main steam lines.
b. Main steam line drain.
c. Reactor water sample line.
d. Main steam sample line.

The main steam line high flow trip setting was selected high enough to permit the isolation of one main steam line for test at rated power without causing an automatic isolation of the rest of the steam lines, yet low enough to permit early detection of a steam line break.

5. Low steam pressure at turbine inlet (Table 7.3.1, signal I(D)).

Low steam pressure at the turbine inlet could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves open fully. This action could cause rapid depressurization of the nuclear system. The rate of decrease of nuclear system saturation temperature could exceed the design rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such CHAPTER 07 7.3-16 REV. 27, APRIL 2019

PBAPS UFSAR depressurizations, without adequate preventive action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid the time-consuming requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored in the RUN mode. The signal initiates isolation of the following lines:

a. All four main steam lines.
b. Main steam drain line.
c. Reactor water sample line.
d. Main steam sample line.

The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure regulator malfunction. Although the isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.

6. Primary containment (drywell) high pressure (Table 7.3.1, signals II(B), III(B), IV(D), V(D), VI, VII).

High pressure in the drywell could indicate a breach of the nuclear system process barrier inside the drywell. The automatic closure of various Group B valves prevents the release of significant amounts of radioactive material from the primary containment. Upon detection of a high drywell pressure, the following lines are isolated:

a. RHRS shutdown cooling supply.
b. REMOVED.
c. RHRS injection (if in shutdown cooling mode).
d. Feedwater long path recirculation.
e. Drywell equipment drain discharge.
f. Drywell and suppression chamber nitrogen makeup supply.

CHAPTER 07 7.3-17 REV. 27, APRIL 2019

PBAPS UFSAR

g. Drywell floor drain discharge.
h. Drywell instrument nitrogen supply.
i. TIP tubes.
j. Drywell purge inlet.
k. Drywell main exhaust.
l. Suppression chamber water cleanup.
m. Suppression chamber exhaust valve bypass.
n. Suppression chamber instrument nitrogen supply.
o. Suppression chamber purge inlet.
p. Suppression chamber main exhaust.
q. Primary containment oxygen analyzer.
r. Drywell exhaust valve bypass.
s. Instrument nitrogen compressor suction.

The primary containment high-pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips.

7. RCICS equipment space high temperature (Table 7.3.1, signal V(B)).

High temperature in the vicinity of the RCICS equipment could indicate a break in the RCIC steam line. The automatic closure of certain Group A valves listed in Table 7.3.1 prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier (Drawing M-1-CC-38, Sheets 1, 2, 7 and 8). When high temperature occurs near the RCICS equipment, except in the Outboard MSIV Room, the RCIC turbine steam line is isolated. The high temperature isolation setting was selected far enough above anticipated normal RCICS operational levels to avoid spurious operation, but low enough to provide timely detection of an RCIC turbine steam line break. This signal has nonfail-safe logic to be CHAPTER 07 7.3-18 REV. 27, APRIL 2019

PBAPS UFSAR compatible with the core cooling primary function of the RCICS.

8. RCIC turbine high steam flow (Table 7.3.1, signal V(A)).

RCIC turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RCICS turbine high steam flow, the RCICS turbine steam line is isolated. The high steam flow trip setting was selected high enough to avoid spurious isolation, yet low enough to provide timely detection of an RCIC turbine steam line break. A time delay is provided to prevent isolation due to high flow transients upon RCICS startup. The nominal 3-second time delay is determined by station setpoint control processes.

The logic arrangement used for this function is shown in Drawing M-1-CC-38, Sheets 1, 2, 7 and 8 for valves listed in Table 7.3.1 and is an exception to the usual logic requirement because the high steam flow logic uses a one-out-of-two configuration. This signal has nonfail-safe logic to be compatible with the core cooling primary function of the RCICS.

9. RCIC turbine steam line low pressure (Table 7.3.1, signal V(C)).

RCIC turbine steam line low pressure is used to automatically close the two isolation valves in the RCIC turbine steam line so that steam and radioactive gases do not escape from the RCIC turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated (Drawing M-1-CC-38, Sheets 1, 2, 7 and 8). The isolation set point is chosen at a pressure below that at which the RCIC turbine can operate effectively.

This signal has nonfail-safe logic to be compatible with the core cooling primary function of the RCICS.

10. HPCIS equipment space high temperature (Table 7.3.1, signal IV(B)).

High temperature in the vicinity of the HPCIS equipment could indicate a break in the HPCIS turbine steam line. The automatic closure of certain Group A valves (listed in Table CHAPTER 07 7.3-19 REV. 27, APRIL 2019

PBAPS UFSAR 7.3.1) prevents the excessive loss of coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs near the HPCIS equipment, the HPCIS turbine steam supply line is isolated. The high temperature isolation setting was selected far enough above anticipated normal HPCIS operational levels to avoid spurious isolation, but low enough to provide timely detection of an HPCI turbine steam line break. This signal has nonfail-safe logic (Drawing M CC-38, Sheets 1, 2, 7 and 8) to be compatible with the core cooling primary function of the HPCIS.

11. HPCI turbine high steam flow (Table 7.3.1, (signal IV(A)).

HPCI turbine high steam flow could indicate a break in the HPCI turbine steam line. The automatic closure of certain Group A valves (listed in Table 7.3.1) prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of HPCI turbine high steam flow, the HPCI turbine steam line is isolated (Drawing M CC-38, Sheets 1, 2, 7 and 8). The high steam flow trip setting was selected high enough to avoid spurious isolation, yet low enough to provide timely detection of an HPCI turbine steam line break. A time delay is provided to prevent isolation due to high flow transients upon HPCIS startup.

The nominal 3-second time delay is determined by station setpoint control processes.

The logic arrangement used for this function is shown in Drawing M-1-CC-38, Sheets 1, 2, 7 and 8 and is an exception to the usual logic requirement because high steam flow logic uses a one-out-of-two configuration. This signal has nonfail-safe logic to be compatible with the core cooling primary function of the HPCIS.

12. HPCI turbine steam line low pressure (Table 7.3.1, signal IV(C)).

HPCI turbine steam line low pressure is used to automatically close the two isolation valves in the HPCI turbine steam line so that steam and radioactive gases do not escape from the HPCI turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated (Drawing M-1-CC-38, Sheets 1, 2, 7 and 8 for valves listed in Table 7.3.1). The isolation set CHAPTER 07 7.3-20 REV. 27, APRIL 2019

PBAPS UFSAR point is chosen at a pressure below that at which the HPCI turbine can operate efficiently. This signal has nonfail-safe logic to be compatible with the core cooling primary function of the HPCIS.

13. Reactor building ventilation exhaust high radiation (Table 7.3.1, signal III(C)).

High radiation in the reactor building ventilation exhaust could indicate a breach of the nuclear system process barrier inside the primary containment which would result in increased airborne radioactivity levels in the primary containment exhaust to the secondary containment. The automatic closure of certain Group B valves acts to close off release routes for radioactive material from the primary containment into the secondary containment (reactor building). Reactor building ventilation exhaust high radiation initiates isolation of the following lines:

a. Drywell purge inlet.
b. Drywell main exhaust.
c. Drywell and suppression chamber nitrogen makeup inlet.
d. Suppression chamber exhaust valve bypass.
e. Suppression chamber purge inlet.
f. Suppression chamber main exhaust.
g. Primary containment oxygen analyzer.
h. Drywell exhaust valve bypass.
i. Instrument nitrogen compressor suction.

The high radiation trip setting selected is far enough above background radiation levels to avoid spurious isolation, but low enough to provide timely detection of nuclear system process barrier leaks inside the primary containment.

Because the primary containment high-pressure isolation function and the reactor vessel low water level isolation function are adequate in effecting appropriate isolation of the above lines for gross breaks, the reactor building ventilation exhaust high radiation isolation function is CHAPTER 07 7.3-21 REV. 27, APRIL 2019

PBAPS UFSAR provided as a third redundant method of detecting breaks in the nuclear system process barrier significant enough to require automatic isolation.

14. Cleanup system high flow and manual isolation (Table 7.3.1, signals II(C), II(D)).

High flow in the reactor water cleanup system or high temperature in the reactor water cleanup system equipment rooms would be indicative of a rupture in the system. The high flow signal automatically isolates the cleanup system and high room temperature initiates an alarm with one exception. There is no temperature monitoring in the RWCU pump rooms. When a high temperature alarm occurs, the cleanup system is manually isolated. Upon detection of abnormal leakage in the RWCU pump rooms, the system is manually isolated. The high flow and temperature settings were selected far enough above the anticipated normal values to avoid spurious isolation or alarm, but low enough to provide timely detection of a reactor water cleanup system line break (high flow isolation) or abnormal system leakage which could lead to catastrophic piping failure (manual isolation).

15. ADS safety-grade pneumatic supply pressure low differential with respect to drywell pressure and supply line high flow (Table 7.3.1, signals VIII(A) and VIII(B)).

ADS safety-grade pneumatic supply pressure low differential with respect to drywell pressure indicates a breach of the nuclear system process barrier inside the drywell. High supply line flow indicates a line break downstream of the flow transmitter either inside or outside of containment.

Either condition automatically isolates the ADS safety-grade pneumatic supply line. The high flow isolation setting was selected far enough above anticipated operational levels to avoid spurious isolation, but low enough to provide timely detection of a line break. A time delay is provided in the high flow isolation logic to prevent spurious closing of the valve due to the initial inrush of nitrogen gas.

7.3.4.8 Instrumentation Sensors providing inputs to the primary containment and reactor vessel isolation control system are not used for the automatic control of process systems, thus separating the functional control of protection systems and process systems. Channels are CHAPTER 07 7.3-22 REV. 27, APRIL 2019

PBAPS UFSAR physically and electrically separated to assure that a single physical event cannot prevent isolation. Channels for one monitored variable that are grouped near each other provide inputs to different isolation trip systems. Figures 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.8, 7.3.9, and 7.3.10 illustrate arrangements of channels, logics, and valve closing mechanism circuitry for isolation control systems. Drawings M-1-CC-13, Sheets 3 through 12, Sheets 15 through 24, M-1-CC-38, Sheets 1, 2, 7, 8, and M-1-CC-39, Sheets 1 through 12 illustrate in detail the functional arrangement of channels used to initiate isolation of various groups of valves as detailed in Table 7.3.1. Table 7.3.2 lists instrument characteristics.

1. Reactor vessel low water level signals are initiated from differential pressure transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. These transmitters with trip units are used to sense that water level has decreased to the first (highest) or the third (lowest) low water level setting for RPS or PCIS. Other transmitters with pressure compensation instruments are used to sense that water has decreased to the second (middle) low water level setting for ECCS and RCIC.

The differential pressure transmitters for each level setting are arranged in pairs; each transmitter in a pair provides a signal to a different trip system. Two lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The two pairs of lines terminate outside the primary containment and inside the secondary containment. They are physically separated from each other and tap off the reactor vessel at widely separated points.

This arrangement assures that no single physical event can prevent isolation, if required. Pressure compensation instruments are used to increase the accuracy of the level measurements.

2. Main steam line radiation is monitored by four radiation monitors, which are described in subsection 7.12, "Process Radiation Monitoring."
3. High temperature in the vicinity of the main steam lines is detected by 16 resistance temperature detectors located along the main steam lines between the drywell wall and the turbine. The detectors are located or shielded so that they CHAPTER 07 7.3-23 REV. 27, APRIL 2019

PBAPS UFSAR are sensitive to air temperature and not radiated heat from hot equipment. An additional temperature sensor is located near each set of four detectors for remote temperature readout and alarm. The temperature sensors activate an alarm at high temperature and, upon loss of power, operate to give the alarm condition. The main steam line space temperature detection system is designed to detect leaks of from 1 percent to 10 percent of rated steam flow. Figure 7.3.6 illustrates in general terms the instruments used to detect high temperatures in the main steam line space. A total of four main steam line space high temperature channels are provided. Each main steam line isolation logic receives an input signal from one main steam line space high temperature channel.

4. High flow in each main steam line is sensed by four differential pressure transmitters which sense the pressure difference across the flow restrictor in that line. The differential pressure transmitters drive indicating electronic trip units. Figure 7.3.8 illustrates the general arrangement of instruments used to sense the flow in a single main steam line. Figure 7.3.9 illustrates how the 16 differential pressure transmitters and trip units are combined to form four channels. Each main steam line isolation logic receives an input signal from one main steam line high flow channel.
5. Main steam line low pressure is monitored by four pressure switches which sense pressure just upstream of the turbine stop valves. Each switch is part of an independent channel.

Each channel provides a signal to one isolation logic.

6. Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell. The pressure transmitters drive indicating electronic trip units which are located in one of two separate panels in the reactor building. The transmitters and trip units are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event prevents isolation due to primary containment high pressure.
7. High temperature in the vicinity of the RCIC equipment is sensed by four sets of four resistance temperature detectors.

Figure 7.3.6 illustrates the arrangement. Each set is arranged as two trip systems. Each trip system receives CHAPTER 07 7.3-24 REV. 27, APRIL 2019

PBAPS UFSAR input signals from two temperature trip channels. Both trip systems must trip to initiate isolation.

8. High flow in the RCIC turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the RCIC turbine steam supply line. The arrangement is illustrated in Figure 7.3.10. The tripping of either trip channel initiates isolation of the RCIC turbine steam line. This is an exception to the usual channel arrangement. The reason for the exception was given in the discussion of the RCIC turbine high steam flow isolation function.
9. Low pressure in the RCIC turbine steam line is sensed by four pressure switches from the RCIC turbine steam line upstream of the isolation valves. The switches are arranged as two trip systems, both of which must trip to initiate isolation of the RCIC turbine steam line. Each trip system receives inputs from two pressure switches either one of which can initiate isolation. The arrangement is shown in Drawings M-1-CC-38, Sheets 1, 2, 7, and 8.
10. High temperature in the vicinity of the HPCI equipment is sensed by four sets of four resistance temperature detectors.

Figure 7.3.6 illustrates the arrangement. Each set is arranged as two trip systems. Each trip system receives input signals from two temperature trip channels. Both trip channels must trip to initiate isolation.

11. High flow in the HPCI turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the HPCI turbine steam line. The arrangement is illustrated in Figure 7.3.10. The tripping of either switch initiates isolation of the HPCI turbine steam line. This is an exception to the usual sensor arrangement. The reason for the exception was given in the discussion of the HPCI turbine high steam flow isolation function.
12. Low pressure in the HPCI turbine steam line is sensed by four pressure switches from HPCI turbine steam line upstream of the isolation valves. The switches are arranged as two trip systems, both of which must trip to initiate isolation of the HPCI turbine steam line. Each trip system receives inputs from two pressure switches, either one of which can initiate isolation. The arrangement is shown in Drawing M-1-CC-39, Sheets 1 through 12.

CHAPTER 07 7.3-25 REV. 27, APRIL 2019

PBAPS UFSAR

13. Reactor building ventilation exhaust radiation is monitored by four reactor building ventilation exhaust monitors which are described in paragraph 7.12.5, "Ventilation Radiation Monitoring." Each monitoring trip channel provides one input to each applicable isolation trip system. The channels are arranged in a one-out-of-two-twice isolation logic.
14. High temperature in the spaces occupied by the RHRS (shutdown cooling) and the reactor water cleanup system piping outside the primary containment is sensed by temperature sensors.

These sensors input to a control room recorder which provides an alarm output on high temperature to indicate possible line breaks. A typical arrangement is shown in Figure 7.3.6 for the RHRS which alarms only. Automatic isolation on high temperature is not required since the reactor vessel low water level isolation function is adequate in preventing the release of significant amounts of radioactive material in the event that this system suffers a breach.

15. ADS safety-grade pneumatic supply pressure is monitored by a pressure transmitter in each line. The output of this transmitter is compared with the output from a drywell pressure transmitter to generate a trip signal whenever a low differential exists between the supply line pressure and the drywell pressure. Flow in each supply line is monitored by a differential pressure transmitter which senses the pressure difference across a flow surface. The differential pressure signal is transmitted to an electronic trip unit that produces a trip signal whenever flow exceeds a predetermined setpoint. A time delay relay provides the necessary time delay of the high flow trip signal to prevent spurious closing of the solenoid valves. Figure 7.3.12 illustrates the arrangement of instruments used to generate these trip signals. Two trip systems are used, one for each supply line. The transmitters and trip units for each trip system are physically and electrically independent to ensure that a single active failure will not isolate both supply lines.

Channel and logic relays are high reliability relays equal to type HFA relays made by the General Electric Company. The relays are selected so that the continuous load does not exceed 50 percent of the continuous duty rating.

7.3.4.9 Environmental Capabilities CHAPTER 07 7.3-26 REV. 27, APRIL 2019

PBAPS UFSAR The physical and electrical arrangement of the primary containment and the reactor vessel isolation control system was selected so that no single physical event prevents isolation. The location of Group A and Group B valves inside and outside the primary containment provides assurance that the control system for at least one valve on any line penetrating the primary containment remains capable of automatic isolation. Electrical cables for isolation valves in the same line are routed separately. Motor operators for valves inside the primary containment are of the totally enclosed type; those outside the primary containment have weatherproof type enclosures. Solenoid valves, whether used for direct valve isolation or as an air pilot, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration has been given to isolation requirements during a LOCA inside the drywell. Components of the primary containment and reactor vessel isolation control system that are located inside the primary containment and that must operate during a LOCA are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a LOCA environment.

Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the isolation control system only after completion of environmental testing under LOCA conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

Verification that the isolation equipment has been designed, built, and installed in conformance to the specified criteria is accomplished through quality control and performance tests in the vendor's shop or after installation at the plant before startup, during startup, and thereafter during the service life of the equipment.

Control is also exercised through review of equipment design during bid review and by approval of vendor's drawings during the fabrication stage. Purchase specifications require extensive control of materials and of the fabrication procedure.

CHAPTER 07 7.3-27 REV. 27, APRIL 2019

PBAPS UFSAR Further information on the environmental qualification of Class 1E equipment is contained in subsection 7.19.

7.3.5 Safety Evaluation The primary containment and reactor vessel isolation control system, in conjunction with other protection systems, is designed to provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barriers. It is the objective of Section 14.0, "Plant Safety Analysis," to identify and evaluate postulated events resulting in gross failure of the fuel barrier and the nuclear system process barrier. The consequences of such gross failures are described and evaluated in that section.

Design procedure has been to select tentative isolation trip settings that are far enough above or below normal operating levels that spurious isolation and operating inconveniences are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within acceptable bounds. Trip setting selection is based on operating experience and constrained by the safety design basis, the safety analyses and/or design analysis.

Section 14.0, "Plant Safety Analysis," shows that the actions initiated by the primary containment and reactor vessel isolation control system, in conjunction with other safety systems, are sufficient to prevent releases of radioactive materials from exceeding the guideline values of published regulations. Because the actions of the system are effective in restricting the uncontrolled release of radioactive materials under accident situations, the primary containment and reactor vessel isolation control system meets the precision, reliability, and timeliness requirements of safety design basis 1.

Because the primary containment and reactor vessel isolation control system meets the precision and timeliness requirements of safety design basis 1 using instruments with the characteristics described in Table 7.3.2, safety design basis 2 is met.

Temperatures in the spaces occupied by various steam lines outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to the primary containment and reactor vessel isolation control system. The large number of temperature sensors and their dispersed CHAPTER 07 7.3-28 REV. 27, APRIL 2019

PBAPS UFSAR arrangement near the steam lines requiring this type of break protection provide assurance that a significant break is detected rapidly and accurately. One of the four groups of temperature switches is located in the ventilation exhaust from the steam line space between the drywell wall and the secondary containment wall.

This assures that abnormal air temperature increases are detected regardless of leak location in that space. The number of sensors provided for steam line break detection satisfies safety design basis 3.

Because the primary containment and reactor vessel isolation control system meets the timeliness and precision requirements of safety design basis 1 by monitoring variables that are true, direct measures of operational conditions, safety design basis 4 is satisfied.

Section 14.0, "Plant Safety Analysis," evaluates a gross break in a main steam line outside the primary containment during operation at design power. The evaluation shows that the main steam lines are automatically isolated in time to prevent a release of radioactive material in excess of the guideline values of published regulations and to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed.

The time required for automatic closure of the main steam isolation valves meets the requirements of safety design basis 5.

The shortest closure time of which the main steam valves are capable is 3 sec. The transient resulting from a simultaneous closure of all main steam isolation valves in 3 sec during reactor operation at design power is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in a small fraction of 1 sec) coincident with failure of the turbine bypass system. The RPS is capable of accommodating the transient resulting from the inadvertent closure of the main steam line isolation valves. This conclusion is substantiated by Section 14.0, "Plant Safety Analysis." This meets safety design basis 6.

The items of safety design bases 7, 8, and 9 must be fulfilled for the primary containment and reactor vessel isolation control system to meet the design reliability requirements of safety design basis 1. It has already been shown that safety design bases 7f and 7h have been met. The remainder of the reliability requirement is met by a combination of logic arrangement, sensor redundancy, wiring scheme, physical isolation, power supply CHAPTER 07 7.3-29 REV. 27, APRIL 2019

PBAPS UFSAR arrangement, and environmental capabilities. These subjects are discussed in the following paragraphs.

Because essential variables are monitored by four channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from achieving isolation. An analysis of the isolation control system shows that the system does not fail to respond to essential variables as a result of single electrical failures such as short circuits, ground, and open circuits. A single trip system trip is the result of these failures. Isolation is initiated upon a trip of the remaining trip system. For some of the exceptions to the usual logic arrangement, a single failure could result in inadvertent isolation of a line. With respect to the release of radioactive material from the nuclear system process barrier, such inadvertent valve closures are in the safe direction and do not pose any safety problems. This meets safety design bases 7a and 7b.

The redundancy of channels provided for all essential variables provides a high probability that whenever an essential variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all channels for one essential variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings. This meets safety design basis 7c.

The sensors, circuitry, and logics used in the primary containment and reactor vessel isolation control system are not used in the control of any process system. Thus malfunctions and failures in the controls of process systems have no direct effect on the isolation control system. This meets safety design basis 7d.

The various power supplies used for the isolation system logic circuitry and for valve operation provide assurance that the required isolation can be effected in spite of a single power failure. If AC for valves inside the primary containment is lost, DC is available for operation of valves outside the primary containment. The main steam isolation valve control arrangement is resistant to both AC and DC power failures. Because both solenoid-operated pilot valves must be deenergized, loss of a single power supply neither causes inadvertent isolation nor prevents isolation if required. The logic circuitry for each channel is powered from separate sources available from the RPS CHAPTER 07 7.3-30 REV. 27, APRIL 2019

PBAPS UFSAR buses. A loss of power here results in a single trip system trip.

In no case does a loss of a single power supply prevent isolation when required. This meets safety design bases 7c and 7e.

All instruments, valve closing mechanisms, and cables of the isolation control system can operate under the most unfavorable containment environmental conditions associated with normal operation. The discussion of the effects of rapid nuclear system depressurization on level measurement given in subsection 7.2, "Reactor Protection System," is equally applicable to the reactor vessel low water level switches used in the primary containment and reactor vessel isolation control system. The temperature, pressure, differential pressure, and level switches, transmitters and trip units, cables and valve closing mechanisms used were selected with ratings that make them suitable for use in the environment in which they must operate.

The special considerations (treated in the description portion of this subsection) made for the containment environmental conditions resulting from a LOCA are adequate to ensure operability of essential isolation components located inside the drywell.

The wall of the primary containment effectively separates adverse environmental conditions which might otherwise affect both isolation valves in a line. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given line.

The previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part. Electrical transients have no significant effect on the functioning of the isolation control system, and safety design basis 7g is satisfied.

The design of the main steam isolation valves meets the requirement of safety design basis 8a in that the motive forces for closing the inboard and outboard main steam line isolation valves are derived from separate sources, i.e., instrument nitrogen and instrument air system accumulators, respectively, and the energy stored in the springs of each valve operator.

None of the valves relies on continuity of any sort of electrical power to achieve closure in response to essential safety signals.

Total loss of the power used to control the valves would result in closure. This meets safety design basis 8b.

Access is provided for calibration and testing of pressure and level switches, and transmitters and trip units which are located CHAPTER 07 7.3-31 REV. 27, APRIL 2019

PBAPS UFSAR in the turbine building and reactor building. To gain access to the setting controls on each switch, transmitter, or trip unit, a cover plate, access plug, or sealing device must be removed by operations personnel before any adjustment in trip settings can be effected. The location of calibration and test controls in areas under the control of the control room operator or other supervisory personnel reduces the probability that operational reliability will be degraded by operator error. This meets safety design basis 9a.

The ability to bypass certain containment isolation lines (e.g.,

instrument nitrogen, RHR sample lines) is under the administrative control of the control room operator, via emergency response procedures, through the use of key interlock switches. In addition to administrative control, continuous alarm indication of the bypassed line is provided in the control room. This meets safety design basis 9b.

Because safety design bases 7, 8, and 9 have been met, it can be concluded that the primary containment and reactor vessel isolation control system satisfies the reliability requirement of safety design basis 1. That the system satisfies safety design bases 10, 11a, and 11b was shown in the description of the system.

The following section describing inspection and testing of the system demonstrates that safety design basis 12 is satisfied.

7.3.6 Inspection and Testing Essential parts of the primary containment and reactor vessel isolation control system are testable during reactor operation.

Isolation valves can be tested to assure that they are capable of closing by operating manual switches in the control room and observing the position lights and any associated process effects.

Testable check valves are arranged to verify that the valve disc is free to open and close. The channel and trip system responses can be functionally tested by applying test signals to each channel and observing the trip system response. Testing of the main steam line isolation valves is discussed in subsection 4.6, "Main Steam Line Isolation Valves."

CHAPTER 07 7.3-32 REV. 27, APRIL 2019

PBAPS UFSAR TABLE 7.3.1 PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALVES Penetration Valve Position (22)

Figure Mode of Actuation P

TAINMENT r ti IS Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-7 A to D Main Steam Steam 26 A Yes No AO-2-01A-80 AtoD Inside GB b Inst. Nitrogen Spring O C C C(15) I(A,B,C,D,E) Yes Yes 3< to <5 19) A and E D I Yes No AO-2-01A-86 AtoD Outside GB Inst. Air Spring O C C C(15) I(A,B,C,D,E) Yes Yes 3< to <5 19) B and F D N-8 Main Steam Drain Steam/ 3 A No No MO-2-01A-74 Inside GT b AC Motor Manual C O/C C as is I(A,B,C,D,E) Yes Yes 30 A D I Water No No MO-2-01A-077 Outside GT DC Motor Manual C O/C C as is I(A,B,C,D,E) Yes Yes 30 F D N-9A Feedwater - feedwater Water 24 A Yes Yes CHK-2-06-28A Inside CK c Flow - O C O/C - - - - - - N I

- feedwater No No CHK-2-06-96A Outside CK Flow - O C C - - - - - - N

- startup recirc. No No MO-2-06-038A Outside GT AC Motor Manual C C C as is IIC(A,B,F) Yes Yes 60 D D

- HPCI Yes Yes MO-2-23-019 Outside GT DC Motor Manual C C O as is RM** n.a. n.a. - F D

- instrument (9 lines) No No - Outside GB Manual - O O O - - - - - - -

- startup bypass No No - Outside CK Flow - C C C - - - - - - -

N-9B Feedwater - feedwater Water 24 A Yes Yes CHK-2-06-28B Inside CK c Flow - O C O/C - - - - - - N I

- feedwater No No CHK-2-06-96B Outside CK Flow - O C C - - - - - - N

- RCIC Yes Yes MO-2-13-021 Outside GT DC Motor Manual C C O as is RM** n.a. n.a. - E D

- RWCU No No MO-2-12-068 Outside GB AC Motor Manual O O C as is IIA(A,C,D,G) Yes Yes 30 B D

- startup recirc. No No MO-2-06-038B Outside GT AC Motor Manual C C C as is IIC(A,B,F) Yes Yes 60 B D N-10 Steam to RCIC Turbine Steam 3 A Yes Yes MO-2-13-015 Inside GT d AC Motor Manual O C O as is V(A,B,C)** n.a. 2 25 B D I Yes Yes MO-2-13-016 Outside GT DC Motor Manual O C O as is V(A,B,C)** n.a. 2 25 E D N-11 Steam to HPCI Turbine Steam 10 A Yes Yes MO-2-23-015 Inside GT d AC Motor Manual O C O as is IV(A,B,C)** n.a. 2 25 A D I Yes Yes MO-2-23-016 Outside GT DC Motor Manual O C O as is IV(A,B,C)** n.a. 2 25 F D Yes No AO-2-23C-4807 (Unit 2 Only) Outside GT Inst. Air Spring C C C C IV(A,B,C) Yes Yes {5} F D N-12 RHR Shutdown Cooling Suction Water 20 A No No MO-2-10-017 Outside GT e DC Motor Manual C O C as is IIB(A,B,E) Yes Yes 40 F D I No No MO-2-10-018 Inside GT AC Motor Manual C O C as is IIB(A,B,E) Yes Yes 40 A D N-13 A,B RHR Shutdown Cooling Return Water 24 A YI YI MO-2-10-025 B,A Outside GT f AC Motor Manual C O O/C as is IIB(A,B)(10)** Yes Yes 34 1 D I

& LPCI Injection YI YI AO-2-10-046 B,A Inside CK Flow - C O O/C - - - - - 2 D YI No AO-2-10-163 B,A (Unit 2 only) Inside DCV Inst. Nitrogen Spring C C C C RMP n.a. n.a. {5} B,A D YI No HV-3-10-33451 B,A Inside GB Manual - C C C C LC - - - - N N-14 RWCU Pump Suction Water 6 A No No MO-2-12-015 Inside GT g AC Motor Manual O O C as is IIA(A,C,D,G) Yes Yes 30 A D I No No MO-2-12-018 Outside GT DC Motor Manual O O C as is IIA(A,C,D,G) Yes Yes 30 F D N-16 A,B Core Spray Pump Discharge Water 12 A Yes Yes MO-2-14-012 B,A Outside GT f AC Motor Manual C C O as is RM** n.a. n.a. {18} D,A D I (Unit 2)

B,C (Unit 3)

Yes Yes AO-2-14-013 B,A Inside CK Flow - C C O - - - - - 2 D Yes No AO-2-14-015 B,A (Unit 2 only) Inside DCV Inst. Nitrogen Spring C C C C RMP n.a. n.a. {5} B,A D Yes No HV-3-14-39046 B,A Inside GB Manual - C C C C LC - - - - N N-18 Drywell Fl. Dr. Pump Disch. Water 3 B No No AO-2-20-082 Outside DCV i Inst. Air Spring O C C C IIB(A,B) Yes Yes 5 A D III No No AO-2-20-083 Outside DCV Inst. Air Spring O C C C IIB(A,B) Yes Yes 5 B D N-19 Drywell Equip. Dr.Pump Disc. Water 3 B No No AO-2-20-094 Outside DCV i Inst. Air Spring O C C C IID(A,B) Yes Yes 5 A D III No No AO-2-20-095 Outside DCV Inst. Air Spring O C C C IID(A,B) Yes Yes 5 B D N-21 Service Air Supply Air 1 B No No HV-2-36A-20165 Inside GB j Manual - C C C - LC - - - - N III No No HV-2-36A-20163 Outside GB Manual - C C C - LC - - - - N N-22 Inst. Nitrogen Supply Air/ 1 B No No CHK-2-16-23202A Outside CK k Flow - O O C - - - - - - N III Nitrogen AO-2-16-2969A Outside DCV Inst. Air Spring O O C C IID(A,B) Yes Yes {5} A D N-23 RBCW to Recirc. Pumps Water 4 C No No MO-2-35-2373 Outside GT l AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. - B D III N-24 RBCW from Recirc. Pumps Water 4 C No No MO-2-35-2374 Outside GT l AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. - B D III N-25 Drywell and Torus - purge Air/ 18 & B No No AO-2-07B-2505(17) Outside B m Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 B D II

& 205B Purge Supply - purge Nitrogen 20 B No No AO-2-07B-2519(17) Outside B Inst. Air(18) Spring C C C C III(A,B,C,D,E) Yes Yes 15 B D

- purge No No AO-2-07B-2520(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 A D

- purge No No AO-2-07B-2521A(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 B D

- purge No No AO-2-07B-2521B(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 A D

- N2 Supply No No AO-2-07B-2523 Outside DCV Inst. Air Spring C C C C III(A,B,C,D) Yes Yes 5 A D

- vac. relief Yes Yes AO-2-07B-2502A Outside B Inst. Air(18) Spring C C C O RM n.a. n.a. {10} H D

- vac. relief Yes Yes VBV-2-07B-026A Outside VB Flow - C C C - - - - - - N

- inst. (press) Yes Yes DPIS-2503A Outside Inst - - - - - - - - - - - N

- N2 Supply No No CHK-2-07B-40095 A,B Outside CK Flow - C C C - - - - - - N CHAPTER 07 7.3-33 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALVES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-26 Drywell Purge - CAD Air/ 18 B Yes Yes AO-2-07B-2509 Outside DCV n Inst. Air(18) Spring O O C/O C III(A,B,C,D) Yes Yes 5 B D I Exhaust - CAD Nitrogen Yes Yes AO-2-07B-2510 Outside DCV Inst. Air(18) Spring C C C/O C III(A,B,C,D) Yes Yes 5 B D

- purge No No AO-2-07B-2506(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 A D II

- purge No No AO-2-07B-2507(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 B D

- inst. gas No No AO-2-16-4235 Outside DCV Inst. Air Spring O O C C III(A,B,C,D) Yes Yes 5 B D

- inst. gas No No SV-2-16-8100 Outside SV AC Coil - O O C C III(A,B,C,D) Yes Yes 5 A D

- Spare (25)

- CAD sample Yes Yes SV-2-07E-4960B Outside SV AC Coil Manual C C O C RM n.a. n.a. - B I

- CAD sample Yes Yes SV-2-07E-4961B Outside SV AC Coil Manual C C O C RM n.a. n.a. - D I

- rad. gas sample No No SV-2-63G-4966B Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- rad. gas sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D II

- inst. (press) Yes Yes PT-2508A,B Outside INST - - - - - - - - - - - N N-26A Inst. Line-RPV Level & Pressure Water/ 1 A Yes Yes RO-80338A Inside RO q - - - - - - - - - - - N I Steam Yes Yes XFC-2-02-37A Outside XFCV Flow - 0 0 0 - - - - - - N N-26B Inst. Line-RPV Level & Pressure Water/ 1 A Yes Yes RO-80338C Insdie RO q - - - - - - - - - - - N I Steam Yes Yes XFC-2-02-37B Outside XFCV Flow - 0 0 0 - - - - - - N N-27A,C Inst. Line - Bottom Head Water 1 A No No RO-80476A,B Inside RO q - - - - - - - - - - - N I (Unit 2) Drain Line Flow (Unit 2) No No XFC-2-12-80457L,H Outside XFCV Flow - 0 0 0 - - - - - - N N-27 E,F Inst. Lines-Core Plate Press. Water 1 A No No RO-80341A,B Inside RO q - - - - - - - - - - - N I No No XFC-2-02-25 Outside XFCV Flow - 0 0 0 - - - - - - N XFC-2-02-27 N-28 A,B Inst. Lines-RPV Level & Pressure Water/Steam 1 A Yes,C-No Yes,C-No RO-80339A, RO(MK-1) Inside RO q - - - - - - - - - - - N I C,F Steam RO-80337, RO-80338B 0 0 0 - - - - - - N Yes,C-No Yes,C-No XFC-2-02-17A, XFC-2-02-19A, Outside XFCV Flow -

XFC-2-02-11, XFC-2-02-15A

- - - - - - - - - N I N-28 D Inst. Line - RPV Head Pressure Steam 1 A No No RO-80335 Inside RO q - - 0 0 0 - - -

No No XFC-2-02-23 Outside XFCV Flow -

N-29 A,D,E Inst. Lines - RPV Level and Water/ 1 A Yes Yes RO-80339B, RO(MK-1) Inside RO q - - 0 0 0 - - - - - - N I (Unit 2) Pressure Steam RO-80338D, RO-90338D Yes Yes XFC-2-02-17B, XFC-2-02-19B, Outside XFCV Flow -

N-29F XFC-2-02-15B, XFC-3-02-15B (Unit 3)

- - - - - - - - - N I 0 0 0 - - - - - - N N-30 A, Inst. Lines - Main Stm. Pressure Steam 1 A Yes Yes RO-80336B, RO-80336D Inside RO q - -

B,C,D RO-90336C, RO-80338D, RO-80336H - - - - - - - - - N I Yes Yes XFC-2-02-73A,C,E,G Outside XFCV Flow - 0 0 0 - - - - - - N N-30 E,F Inst. Lines - Recirc. Loop B Flow Water 1 A No No RO-80483D,C Inside RO q - - - - - - - - - - - N I XFC-2-02-64D,C Outside XFCV Flow - 0 0 0 - - - - - - N N-31 A to D Inst. Lines - Recirc. Pump Water 1 A No No RO-80129A,B, RO-80128A,B Inside RO q - -

Seal Press. XFC-2-02-7A,B Outside XFCV Flow - - - - - - - - - - N I XFC-2-02-8A,B 0 0 0 - - - - - - N N-32 A,B Inst. Lines - Recirc. Loop A Flow Water 1 A No No RO-80483A,B Inside RO q - - C C C - LC - - - - N III No No XFC-2-02-64A,B Outside XFCV Flow - C C C - LC - - - - N III N-32 C,D ILRT Connections Air 1 B No No HV-2-07A-29871,29873 Outside GB s Manual - - - - - - - - - - N I No No HV-2-07A-29872,29874 Outside GB Manual - 0 0 0 - - - - - - N N-32 E,F Inst. Lines - CS Water 1 A Yes No RO-80330B,A Inside RO q - - - - - - - - - - - N I Line Break Detect. No No XFC-2-14-31B,A Outside XFCV Flow -

0 0 0 - - - - - - N N-33 A, Inst. Lines - Recirc. Pump Water 1 A No No RO-80481A, RO-80482A Inside RO q - -

B,C,D RO-80481B, RO-80482B - - - - - - - - - N I No No XFC-2-02-62A,B,C,D Outside XFCV Flow -

N-33 F Inst. Line - Drywell Pressure Air/ 1 B Yes Yes PT-4805, DPT-8143 Outside INST t - - - - - - - - - - - N I Nitrogen 0 0 0 - - - - - - N N-34 A to D Inst. Lines - Main Stm. Pressure Steam 1 A Yes Yes RO-80336A, RO-80336C Inside RO q - -

RO-90336D, RO-80336E, RO-80336G - - - - - - - - - N I Yes Yes XFC-2-02-73B,D,F,H Outside XFCV Flow - 0 0 0 - - - - - - N N-34 E,F Inst. Lines - HPCI Stm. Pressure Steam 1 A Yes Yes RO-80328, RO-80327 Inside RO q - -

XFC-2-23-37A,B Outside XFCV Flow -

CHAPTER 07 7.3-34 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALVES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-35B-G TIP Drives Air 3/8 B No No SV-2-07-104 AtoE (24) Outside BL p AC Coil Spring C C C C IID(A,B) Yes Yes - 3 D III (See Figure for Unit Specific Letters) XV-2-07-102 AtoE (24) Outside XV DC Squib - O O O C RM n.a. n.a. - 3 D N-35C,D TIP Purge Air/ 3/8 B No No CHK-2-07F-41504 Outside CK o Flow - O C C - - - - - - N III (See Figure for Unit Specific Letters) Nitrogen SV-2-07-109 Outside SV AC Coil - O C C C IID(A,B) Yes Yes - 3 I N-37 A to D CRD Insert Water 1 A Yes Yes - Inside BCK v Flow - C C C - - - - - - N I Yes Yes - Outside HCU AC Coils/Inst. Air Spring C C C/O C/O - n.a. n.a. - N I N-38 A to D CRD Withdrawal Water 1 A Yes Yes - Outside HCU v AC Coils/Inst. Air Spring C C C/O C/O - - - - N I I No No AO-2-03-032A,B Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSA D No No AO-2-03-033 Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSA D No No AO-2-03-035A,B Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSB D No No AO-2-03-036 Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSB D N-39 A,B RHR Containment Spray - RHR Water/ 14 B Yes Yes MO-2-10-031B,A Outside GT w AC Motor Manual C C C/O as is VII(A,B,c) Yes Yes {20} D,C D II

- RHR Air/ Yes Yes MO-2-10-026B,A Outside GT AC Motor Manual C C C/O as is VII(A,B,C) Yes Yes {20} D,C D

- CAD Nitrogen No Yes SV-2-07C-4949B,A (U2) Outside SV AC Coil - C C O C RM n.a. n.a. - D,C(U2) I SV-3-07C-5949A,B (U3) C,D(U3)

- CAD No Yes CHK-2-07C-40143/ Outside CK Flow - C C O - - - - - - N CHK-3-07C-50142, CHK-2-07C-40142/

CHK-3-07C-50143 N-40 AtoD Inst. Lines - Jet Pumps Water 1 A No No RO-80340 A to Z Inside RO q - - - - - - - - - - - N I No No XFC-2-02-21A to D Outside XFCV Flow - 0 0 0 - - - - - - N (except N-40B-D XFC-2-02-23A to D N-40D-B) XFC-2-02-31B to W N-41 Recirc. Loop Sample Water 3/4 A No No AO-2-02-039 Inside DCV x Inst. Nitrogen Spring C C C C I(A,B,C,D,E) Yes Yes 5 A D I AO-2-02-040 Outside DCV Inst. Air Spring C C C C I(A,B,C,D,E) Yes Yes 5 B D N-42 Standby Liquid Control Sodium 1 1/2 A No Yes CHK-2(3)-11-16 Outside CK y Flow - C C C - - - - - - N I Pentaborate Solution XV-2(3)-11-14A,B Outside XV AC Squib - C C C As is - - - - A,B I N-46 A,B Inst. Lines - Unit 3, Drywell Air/ 1 B Yes Yes PT-9102A/PT-100A/PT-3-05-12A/ Outside INST t - - - - - - - - - - - N I Pressure Nitrogen PS-3-05-16, PT-9102C/PT-100C/PT-3-05-12B N-47 ADS Safety Grade Pneumatic Supply Gas 1 B Yes Yes SV-2-16A-8130B Outside SV k AC Coil - C C C/O C VIII(A,B) n.a. Yes - D D II Yes Yes CHK-2-16A-23299B Outside CK Flow - C C C/O - - - - - - N Gas 1/2 B Yes Yes HV-3-16A-33468B Outside BL k Manual - C C C/O - LC - - - - N II N-49 B,C Inst. Lines - Unit 3, Drywell Pres. Air/ 1 B Yes Yes PT-3-05-124/PT-100B/PT-9102B, Outside INST t - - - - - - - - - - - N II Nitrogen PT-9458/PT-9102D/PT-3-05-12D/

PT-100D N-49 E,F Inst. Lines. - Unit 2, Drywell Pres. Air/ 1 B Yes Yes PT-2-05-16/PT-2-05-12A/PT-8102A Outside INST t - - - - - - - - - - - N II Nitrogen PT-100A,PT-2-05-12B/PT-8102C/

PT-100C N-50A Inst. Lines. - Recirc. Suction Pres. Water 1 A No No RO-80484A/RO-80485A Inside RO q - - - - - - - - - - - N II No No XFC-2-02-305A Outside XFCV Flow - 0 0 0 - - - - - - N N-50 B,C Inst. Lines - RCIC Stm. Pressure Steam 1 A Yes Yes RO-80308/RO-90307, Inside RO q - - - - - - - - - - - N I RO-80307/RO-90308 Yes Yes XFC-2-13-55B/XFC-3-13-55A, Outside XFC Flow - 0 0 0 - - - - - - N XFC-2-13-55A/XFC-3-13-55B N-50 D,E Inst. Lines - RWCU Pump Suct. Press. Water 1 A No Yes RO-125A,B Inside RO q - - - - - - - - - - - N I No No XFC-2-12-66A,B Outside XFCV Flow - 0 0 0 - - - - - - N N-51 A,B CACS Sample Lines Air/ 1 B No No SV-2-07D-2671E,D Outside SV z AC Coil - O O C C III(A,B,C,D) Yes Yes - A,A I II Nitrogen No No SV-2-07D-2978E,D Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F,F I N-51C CACS Sample Lines Spare (25) II

- CAD Sample Yes Yes SV-2-07E-4960C Outside SV AC Coil Manual C C O C RM n.a. n.a. - A I

- CAD Sample Yes Yes SV-2-07E-4961C Outside SV AC Coil Manual C C O C RM n.a. n.a. - C I

- Rad. Gas Sample No No SV-2-63G-4966C Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- Rad. Gas Sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D N-51D CACS Sample Return Air/ 1 B No No CHK-2-07D-40140 Outside CK bb Flow - O O C - - - - - - N II Nitrogen SV-2-07D-2980 Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I N-51E Inst. Line - Recirc. Suction Water 1 A No No RO-80485A/RO-90484A Inside RO q - - - - - - - - - - - N I Pressure No No XFC-2-02-305B Outside XFCV Flow - 0 0 0 - - - - - - N N-52E Inst. Line - Core Plate Pressure Water 1 A No No RO-80342 Inside RO q - - - - - - - - - - - N I No No XFC-2-02-33 Outside XFCV Flow - 0 0 0 - - - - - - N CHAPTER 07 7.3-35 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALUES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-52F Inst. Nitrogen Supply Gas 1 B No No CHK-2-16-23335 (U2 only) Outside CK k Flow - C C C - - - - - - N III Air/ CHK-3-16-33312 (U3 only)

Nitrogen AO-2-16-2969B Outside DCV Inst. Air Spring O O C C IID(A,B) Yes Yes {5} B D HV-2-16-23333 (U2 only); Outside GB Manual - C C C - 2C - - - - N HV-2-16-33310 (U3 only)

CHK-2-16-23202B Outside CK Flow - O O C - - - - - - N N-53 Chilled Wtr. From Drywell Coolers, Water 8 C No No MO-2-44A-2201B Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} B D III Loop A N-54 Chilled Wtr. From Drywell Coolers, Water 8 C No No MO-2-44A-2200B Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} B D III Loop B N-55 Chilled Wtr. To Drywell Coolers, Water 8 C No No MO-2-44A-2200A Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} A D III Loop B N-56 Chilled Wtr. To Drywell Coolers, Water 8 C No No MO-2-44A-2201A Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} A D III Loop A N-57 Main Stm. Line 'D' Sample Steam 3/4 A No No AO-2-02-316 Inside DCV x Inst. Nitrogen Spring C C C C I(A,B,C,D,E) Yes Yes 5 A D I No No AO-2-02-317 Outside DCV Inst. Air Spring C C C C I(A,B,C,D,E) Yes Yes 5 B D N-100BA Inst. Line - RPV Level & Pressure Water/ 1 A Yes Yes RO-90339B, RO(MK-1) Inside RO q - - - - - - - - - - - N I N-100BD (Unit 3) Steam Yes Yes XFC-3-02-17B, Outside XFCV Flow - O O O - - - - - - N XFC-3-02-19B N-102BA, Inst. Line - Unit 2, Drywell Press Air/ 1 B Yes Yes PT-2-05-12C, PT-8102B, PT-100B, Outside INST t - - - - - - - - - - - N I BB Nitrogen PT-2-05-12D, PT-8102D, PT-100D, PT-8458 N-102BC ADS Safety Grade Pneumatic Supply Gas 1 B Yes Yes SV-2-16A-8130A Outside SV k AC Coil Spring C C C/O C VIII(A,B) n.a. Yes - C D II Yes Yes CHK-2-16A-23299A Outside CK Flow - C C C/O - - - - - - N N-102BD Breathing Air-Unit 3 Air 3 B No No HV-3-36E-50078 Outside GT j Manual - C C C - LC - - - - N III No No HV-3-36E-54762 Inside GT Manual - C C C - LC - - - - N N-203 CACS & CAD Sample Line - CACS Sample Air/ 1 B No No SV-2-07D-2671B Outside SV aa AC Coil - O O C C III(A,B,C,D) Yes Yes - A I II

- CACS Sample Nitrogen No No SV-2-07D-2978B Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I

- CAD Sample Yes Yes SV-2-07E-4960D Outside SV AC Coil Manual C C O C RM n.a. n.a. - B I

- CAD Sample Yes Yes SV-2-07E-4961D Outside SV AC Coil Manual C C O C RM n.a. n.a. - D I

- rad. gas Sample No No SV-2-63G-4966D Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- rad. gas sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D

- inst. Yes Yes PT-4953 Outside INST - - - - - - - - - - - N N-205A Torus Vacuum Breaker Air/ 20 B Yes Yes AO-2-07B-2502B Outside B dd Inst. Air(18) Spring C C C O RM n.a. n.a. {10} G D III Nitrogen Yes Yes VBV-2-07B-26B Outside VB Vaccum - C C C - - - - - - N Yes Yes DPIS-2503B Outside INST - - - - - - - - - - - N N-206A,B Inst. Lines - Torus Level Air/Nitrogen 2 B Yes Yes LS-2-23-091A, LS-2-23-091B, Outside INST ee - - - - - - - - - - - N II Water LT-8123A, LT-8027A, LT-8027B N-210A,B RHR Test & Pool Cooling Return Water 18 B Yes Yes MO-2-10-034B,A Outside GB ff AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes - D,C D II Yes Yes CHK-2-10-19B,D,A,C Outside CK Flow - C C O/C - - - - - - N N-211A,B RHR Torus Spray - RHR Water 6 B Yes Yes MO-2-10-038B,A Outside GB ff AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes {30} D,C D III

- RHR Yes Yes MO-2-10-039B,A Outside GT AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes {112} D,C D

- RHR Yes Yes MO-2-10-034B,A Outside GB AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes - D,C D

- CAD Air/ No Yes SV-2-07C-4951B, SV-2-07C-4951A Outside SV AC Coil - C C O C RM n.a. n.a. - D,C/C,D I

- CAD Nitrogen No Yes SV-3-07C-5951A, SV-3-07C-5951B Outside CK Flow - C C O - - - - - N N No Yes CHK-2-07C-40145, CHK-2-07C-40144 No Yes CHK-3-07C-50144, CHK-3-07C-50145 N-212, HPCI & RCIC Turbine - RCIC Steam (N-212) 12 (N-212) B Yes Yes HV-2-13C-9 (21) Outside SCK gg Flow - C C O/C - - - - - - N II 214, Exhaust - RCIC Yes Yes CHK-2-13C-50 Outside CK Flow - C C O/C - - - - - - N 217B - RCIC Yes No AO-2-13-137 Outside DCV Inst. Air Spring O O O/C C TT,V(A,B,C) Yes Yes {5} E D

- RCIC Yes No AO-2-13-138 Outside DCV Inst. Air Spring O O O/C C V(A,B,C) Yes Yes {5} F D

- HPCI Steam (N-214) 24 (N-214) B Yes Yes HV-2-23C-12 (21) Outside SCK Flow - C C O/C - - - - - - N

- HPCI Yes Yes CHK-2-23C-65 Outside CK Flow - C C O/C - - - - - - N

- HPCI Yes No AO-2-23-137 Outside DCV Inst. Air Spring O O O C IV(A,B) Yes Yes {5} E D

- HPCI Yes No AO-2-23-138 Outside DCV Inst. Air Spring O O O/C C TT,IV(A,B,C) Yes Yes {5} F D

- vac. relief Air/Nitrogen 2 (N-217B) B Yes Yes MO-2-13C-4244 Outside GT DC Motor Manual O O O/C as is VB(C&D) n.a. Yes 20 E D

- vac. relief (N-217B) Yes Yes MO-2-23C-4245 Outside GT DC Motor Manual O O O/C as is IVB(C&D) n.a. Yes - F D N-213A Torus Drain (with level inst.) Water 1 B Yes Yes LT-8123B, LT8456 Outside INST ee - - - - - - - - - - - N II N-215 Inst. Line - Unit 2, Torus Level Air/Nitrogen 1 B Yes Yes LT-8123B, LT-8456 Outside INST ee - - - - - - - - - - - N II N-216 HPCI Min. Flow Water 4 B Yes Yes CHK-2-23B-62 Outside CK hh Flow - C C O/C - - - - - - N II N-218A Inst. Nitrogen Supply Air/ 1 B No No CHK-2-16-23261 Outside CK k Flow - O O C - - - - - - N III Nitrogen No No AO-2-16-2968 Outside DCV Inst. Air Spring O O C C IID(A,B) Yes Yes {5} B D CHAPTER 07 7.3-36 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALVES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-218B Spare (25) Air/ 1 B II Nitrogen N-218C ILRT Connection Air 1 B No No HV-2-07A-29875 Outside GB s Manual - C C C - LC - - - - N III No No HV-2-07A-29876 Outside GB Manual - C C C - LC - - - - N III N-219 Torus Purge - CACS Air/ 18 B No No AO-2-07B-2511(17) Outside B ii Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 E D II Exhaust - CACS Nitrogen No No AO-2-07B-2512(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 15 B D

- CAD Yes Yes AO-2-07B-2513 Outside DCV Inst. Air(18) Spring C C C/O C III(A,B,C,D) n.a. Yes 5 A D

- CAD Yes Yes AO-2-07B-2514 Outside DCV Inst. Air(18) Spring C C C/O C III(A,B,C,D) n.a. Yes 5 A D

- CACS Sample No No %SV-2-070-2671F Outside SV AC Coil - O O C C III(A,B,C,D) Yes Yes - A I

- CACS anal. Sample No No SV-2-07D-2978F Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I

- CAD anal. Sample Yes Yes SV-2-07E-4960A Outside SV AC Coil Manual C C O C RM n.a. n.a. - A I

- CAD anal. Sample Yes Yes SV-2-07E-4961A Outside SV AC Coil Manual C C C C RM n.a. n.a. - C I

- rad. gas Sample No No SV-2-63G-4966A Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- rad. gas Sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D

- inst. (pressure) Yes Yes PT-4952 Outside INST - - - - - C - - - - - N

- Torus Hardened Vent No No AO-2-07B-80290 Outside B Inst. Air - C C C - RM n.a. n.a. - E* D N-221 RCIC Vacuum Pump Disch. Air 2 B* Yes No Yes No CHK-2-13C-38 Outside CK jj Flow - C C O/C - - - - - - - II N-223 HPCI Turbine Drain Water 2 B* Yes No Yes No CHK-2-23C-56 Outside CK jj Flow - C C O/C - - - - - - - II N-224 Core Spray Test Line - Unit 2 Water 10 B* Yes No MO-2-14-026A Outside GB kk AC Motor Manual C C C as is VI(A,B) Yes Yes - C D II Yes No CHK-2-10-21541 Outside CK Flow - C C C - - - - - - N Yes No CHK-2-14-29051A Outside CK Flow - C C C - - - - - - N Yes No CHK-2-10-21577A Outside CK Flow - C C C - - - - - - N Yes Yes CHK-2-14-66A,C Outside CK Flow - C C O/C - - - - - - N N-225 RCIC & Torus Water Cleanup Suct. Water 6 B* Yes Yes MO-2(3)-13-041 Outside GT ll DC Motor Manual C C C/O as is V(A,B,C) n.a. Yes - E D II Yes Yes MO-2(3)-13-039 (23) Outside GT DC Motor Manual C C C/O as is V(A,B,C) n.a. Yes - E D No No MO-2-14-070 Outside GT AC Motor Manual C C C as is IID(A,B) Yes Yes - A D No No MO-2-14-071 Outside GT DC Motor Manual C C C as is IID(A,B) Yes Yes - E D N-226A RHR Pump Suction Water 24 B* Yes Yes MO-2-10-013B,D,A,C Outside GT mm AC Motor Manual O O O as is RM n.a. n.a. - B,D,A,C D II to D Yes No RV-2-10-072B,D,A,C Outside RV Pressure - C C C - - - - - - N N-227 HPCI Pump Suction Water 16 B* Yes Yes MO-2(3)-23-058 Outside GT nn DC Motor Manual C C C/O as is IV(A,B,C) n.a. Yes - F D II Yes Yes MO-2(3)-23-057 (23) Outside GT DC Motor Manual C C C/O as is IV(A,B,C) n.a. Yes - F D N-228A Core Spray Pump Suction Water 16 B* Yes Yes MO-2-14-007C,A,B,D(U2) Outside GT oo AC Motor Manual O O O as is RM n.a. n.a. {80} C,A,B,D(U2) D II to D MO-3-14-007D,B,C,A(U3) D,B,C,A(U3)

N-229 Core Spray Pump Min Flow - Unit 2 Water 4 B* Yes Yes CHK-2-14-66B,D Outside CK pp Flow - C C O/C - - - - - - N II No No CHK-2-14A-29036A,B Outside CK Flow - C C C - - - - - - N N-230 RCIC Pump Min. Flow Water 2 B* Yes Yes CHK-2-13B-29 Outside CK qq Flow - C C O/C - - - - - - N II N-233 HPCI Test Line - Unit 2 Water 4 B* Yes No MO-2-23-031 Outside GT rr DC Motor Manual C C C as is IVA(D,E) Yes Yes - F D II N-234 Core Spray Test Line - Unit 2 Water 10 B* Yes No MO-2-14-026B Outside GB ss AC Motor Manual C C C as is VI(A,B) Yes Yes - D D II Yes No CHK-2-10-21577B Outside CK Flow - C C C - - - - - - N Yes No CHK-2-14-29051B Outside CK Flow - C C C - - - - - - N No No CHK-2-21-40252 Outside CK Flow - C C C - - - - - - N N-234A Core Spray Test Line - Unit 3 Water 10 B* Yes No MO-3-14-026B Outside GB ss AC Motor Manual C C C as is VI(A,B) Yes Yes - D D II Yes No CHK-3-10-31541 Outside CK Flow - C C C - - - - - - N Yes No CHK-3-14-39051B Outside CK Flow - C C C - - - - - - N Yes No CHK-3-10-31577B Outside CK Flow - C C C - - - - - - N N-234B Core Spray Test Line - Unit 3 Water 10 B* Yes No MO-3-14-026A Outside GB ss AC Motor Manual C C C as is VI(A,B) Yes Yes - C D II Yes No CHK-3-10-31577A Outside CK Flow - C C C - - - - - - N Yes No CHK-3-14-39051A Outside CK Flow - C C C - - - - - - N No No CHK-3-21-50252 Outside CK Flow - C C C - - - - - - N N-235 HPCI Test Line - Unit 3 Water 4 B* Yes No MO-3-23-031 Outside GT rr DC Motor Manual C C C as is IVA(D,E) Yes Yes - F D II N-236A Core Spray Pump Min. Flow - Unit 3 Water 4 B* Yes Yes CHK-3-14-66B,D Outside CK tt Flow - C C O/C - - - - - - N II N-236B Core Spray Pump Min. Flow - Unit 3 Water 4 B* Yes Yes CHK-3-14-66A,C Outside CK pp Flow - C C O/C - - - - - - N II No No CHK-3-14A-39036A,B Outside CK Flow - C C C - - - - - - N N-250 Inst. Line - Unit 3, Torus Level Air/Nitrogen 1 B Yes Yes LT-9456, LT-9123B Outside INST ee - - - - - - - - - - - N I

  • Fuses removed during normal operation. Control room indication maintained.

CHAPTER 07 7.3-37 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (Continued)

NOTES:

1. Valve Numbering: Unless otherwise noted all Unit 2 valves also apply to Unit 3 with the numbering changes specified below.
a. All valves: the unit changes from 2 to 3
b. Valves with 4 or 5 digit suffixes: Unit 2 valve suffixes beginning with 2, 4, or 8 change to 3, 5 or 9 for Unit 3.
2. Valve Types:

GB - Globe DCV - Diaphragm Control Valve GT - Gate VB - Vacuum Breaker CK - Check XV - Explosive Valve BL - Ball RO - Restricting Orifice B - Butterfly BCK - Ball Check SV - Solenoid HCU - Hydraulic Control Unit RV - Relief XFCV - Excess Flow Check Valve SCK - Stop Check INST - Instrument, used when the instrument is the actual isolation device.

3. Isolation Signals:

The setpoints given here are analytical limits used in analyses; however the actual setpoints must be as given in Appendix B, plant Technical Specifications.

Group Signal (set point) Instrument I

A. Reactor Low-Low-Low LT/LIS-2-3-99 A thru D Water Level (Level 1)(-171.7 in)

B. High Steam Line Flow DPT/DPIS-2-116, 117, 118, (137.4%) 119, A thru D C. High Steam Tunnel Temp. TE-4931, 4932, 4933, (220F - Turbine Building) 4934, A thru D TIS-80547 (240oF - Unit 2 Reactor Building) A thru D (220oF - Unit 3 Reactor Building)

D. Low Steam Line Press. PS-2-134, A thru D (850 psi in Run Mode)

CHAPTER 07 7.3-38 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (Continued)

IIA, IIB, IIC, IID A. Reactor Low Water Level LT/LIS-2-3-101 A thru D (Level 3)(-9 in)

B. High Drywell Press PT/PIS-5-12 A thru D (2.5 psig)

C. RWCU High Flow (300%) DPIS-12-124 A & B D. RWCU Non-Regen. Hx Hi- TT/TS-12-99 Temp (200F)*

E. High Reactor Press. (shut- PT/PS-2-128 A & B down cooling-75 psig)

F. High Reactor Press. PT/PSL-2-3-55 A thru D (Feedwater flush system interlock - 600 psig)

G. SLC System Operation* Switch 11A-S1 III A. Reactor Low Water Level LT/LIS-2-3-101 A thru D (Level 3)(-9 in)

B. High Drywell Press. PT/PIS-5-12 A thru D (2.5 psig)

C. Reactor Bldg.High Rad. RE-17-430 A thru D (16 Mr/hr) RIS-17-452 A thru D D. Refueling Floor High Rad. RE-17-458 A thru D (16 Mr/hr) RIS-17-458 A thru D E. Main Stack Radiation High RE-17-50AG and -50BL

(<1.0 x 10-1 Ci/cc) RI-17-50A and -50B IV, IVA, IVB A. HPCI Steam Line High DPIS-23-76 and 77 Flow (300%)

B. HPCI Steam Tunnel High TE-4941, 4942, 4943, Temp. (220F) 4944, A thru D TIS-80547 A thru D C. HPCI Steam Line Low PS-23-68 A thru D Press. (50 psig)*

D. High Drywell Press. PT/PISHH-10-100 A thru D (2.5 psig)

E. Reactor Low-Low LT-2-3-72 A thru D/

Water Level XS-2-3-116 A thru D (Level 2)(-66 in)

V, VB A. RCIC Steam Line High Flow DPIS-13-83 and 84 (300%)

B. RCIC Steam Tunnel High TE-4936, 4937, 4938, Temp. (220F) 4939, A thru D TIS-80547 A thru D C. RCIC Steam Line Low PS-13-87 A thru D press. (50 psig)*

D. High Drywell Press. PT/PISHH-10-100 A thru D (2.5 psig)

CHAPTER 07 7.3-39 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (Continued)

VI A. Reactor Low-Low-Low LT-2-3-72 A thru D/

Water Level XS-2-3-116 A thru D (Level 1)(-171.7 in)

B. High Drywell Press. PT/PSHH-10-100 A thru D (2.5 psig)

VII LPCI Initiation:

A. Reactor Low-Low-Low LT-2-3-72 A thru D/

Water Level XS-2-3-116 A thru D (Level 1)(-171.7 in)

B. High Drywell Pressure PT/PISHH-10-100 A thru D (2.5 psig)

C. Reactor Low Pressure PT-2-3-404 C/D/

(400 psig) XS-2-3-121 A thru D VIII A. ADS Safety Grade PT/IE 8102 A,B Pneumatic Supply PT/IE/DPS 8142 A,B Pressure low differential with respect to Drywell pressure B. ADS Safety Grade FT/IE/FS 8130 A,B Pneumatic Supply high flow (10 scfm)

Scram- Reactor Protection System Trip RM - Remote Manual (operation from main Control Room)

M - Manual (local only)

LC - Locked Closed TT - Turbine Trip*

RMP - Push Button, momentary contact opens valve for test

  • Process Signals - Process Signals are signals used to support operation or to protect system related equipment. Process Signals do not support the isolation of the containment during accident conditions.
    • Valve opens on system initiation.
4. Diverse actuation signal provided per SRP 6.2.4. Only nonessential systems require diverse signals for automatic isolation.

Therefore, this column is not applicable, (n.a.), for essential containment isolation valves and remote manual valves. Non power operated components such as check valves, hand valves and instruments have a dash (-) designation. See note 11 for a definition of essential lines.

CHAPTER 07 7.3-40 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (Continued)

5. Is the control circuit designed such that resetting the isolation will not cause the valve to automatically return to its previous position?

The following special notes apply:

a. Valve automatically reopens upon reset of isolation signal if the system initiation signal is present.
6. Closure time is the maximum valve stroke time in the closed direction required to comply with Technical Specification SR 3.6.1.3.8.

A maximum valve stroke time in the closed direction is not applicable to the valves with closure times contained in brackets { }. The closure time is provided as design information only.

"S" indicates standard closing time. The standard minimum closing rate for automatic isolation valves is based on a nominal line size of 12 inches. Using the standard closing rate, a 12-inch line is isolated in 60 seconds. Conversion to closing time can be made on this basis using the actual size of the line in which the valve is installed.

7. The power supplies for the valves are identified as one of the following:

A - safeguard AC channel A (on-site emergency diesel buses)

B - safeguard AC channel B (on-site emergency diesel buses)

C - safeguard AC channel C (on-site emergency diesel buses)

D - safeguard AC channel D (on-site emergency diesel buses)

E - safeguard DC channel A (on-site emergency diesel buses)

F - safeguard DC channel B (on-site emergency diesel buses)

G - safeguard DC channel C (on-site emergency diesel buses)

H - safeguard DC channel D (on-site emergency diesel buses)

N - non-safeguard RPSA - reactor protection system Bus A RPSB - reactor protection system Bus B 1 - The power for valve MO-2(3)-10-025A automatically transfers between A and C depending upon availability. The power for valve MO-2(3)-10-025B automatically transfers between B and D depending upon availability.

2 - Testable check valve, power and controls do not affect isolation function.

3 - Controls for the TIP ball, shear, and purge valves are not separated and are not assigned to safeguard channels.

CHAPTER 07 7.3-41 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (Continued)

For cable routing purposes, channels A&C - AC and A&C-DC are assigned to Division I and channels B&D - AC and B&D-DC are assigned to Division II.

Non power operated components such as; check valves, hand valves, and instruments have a dash (-) designation.

8. Position indication, in the control room, for the valves is identified as follows:

D - direct indication from position switches at the valve.

I - indirect indication, usually light is electrically parallel to solenoid. Valves XV-2(3)-11-14A, B have firing readiness light based on circuit continuity.

N - no indication as to/component position.

9. Deleted
10. Isolates only if in shutdown cooling mode.
11. Essential lines are defined as those essential to emergency reactor shutdown, reactor core cooling, and containment heat removal. The classification of each isolation valve is indicated in UFSAR Table 7.3.1.

Y1 - Indicates the line is essential and ESF unless in shutdown cooling mode.

12. Piping Classification Group per Updated FSAR, App. A.
13. Engineering Safety Feature (ESF) is a system which is required to mitigate the consequences of a postulated accidents and abnormal transients. This classification is normally on a system level with the following exceptions. The portions of the Feedwater System which provide injection paths for the HPCI and RCIC Systems are considered part of the HPCI System and RCIC System and therefore, classified as an ESF. MSIV Isolation function is also considered an ESF.

Y1 - Indicates the line is essential and ESF unless in shutdown cooling mode.

14. Penetration Type Group -

Group A - Line communicates directly with reactor coolant.

Group B - Line communicates with containment free space. Line terminates inside the containment. Lines identified with an astrick (*) terminate below the torus minimum water level and are provided with a water seal.

Group C - Closed loop inside of containment.

CHAPTER 07 7.3-42 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (Continued)

15. Main steam isolation valves required both solenoid pilots to be deenergized to close valve. Accumulator pressure plus spring act together when both pilots are deenergized. Voltage failure at only one pilot does not cause valve to close.
16. The isolation valves on the Reactor Building Closed Cooling Water System and The Drywell Chilled Water System do not receive automatic isolation signals, since the continued use of these systems will tend to mitigate the consequences of an accident. In addition, 10CFR50, Appendix A, GDC57 allows the use of a remote-manual valve on lines such as these that are neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere. Plant operating procedures ensure appropriate closure of these valves following the onset of an accident.
17. Eighteen (18) Containment Atmospheric Control System valves (on Units 2 and 3) were modified to establish a new maximum allowable opening angle to improve their ability to close. The opening angles are listed below:

Value No. Opening Angle (max.)

A0-2(3)505 55 degrees A0-2(3)506 65 degrees A0-2(3)507 65 degrees A0-2(3)511 65 degrees A0-2(3)512 55 degrees A0-2(3)519 70 degrees A0-2(3)520 65 degrees A0-2(3)521A 65 degrees A0-2(3)521B 65 degrees

18. The Safety Grade Instrument Gas (SGIG) system supplies hard-piped pressurized nitrogen gas as backup to the normal instrument air supply to these valves.
19. A maximum closure time of 10 seconds has been used for AO-2(3)-01A-080A-D and AO-2(3)-01A-086A-D in some analyzes where the loss of reactor coolant inventory is the controlling variable. Using the extended closure time yields conservative results.
20. Note Deleted.
21. These stop check valves serve as block valves to allow testing of the outboard check valve. The check function of these valves is not leak tested. Valve positions representing system alignments for testing, maintenance, and transition between plant conditions are not provided.
22. Valve position information provided represents the expected position of the valve under the specified plant conditions. This information is provided for general guidance. Valve positions representing system alignments for testing, maintenance, and transition between plant conditions are not provided.

CHAPTER 07 7.3-43 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.1 (Continued)

Plant conditions are specified as follows:

Normal - Plant operation at rated power.

Shutdown - Normal system alignments during hot shutdown, cold shutdown and refueling conditions.

Post-Accident - Plant system alignments during an accident or abnormal transient event (short term and long term).

Power Failure - Loss of power to component.

23. This valve is not a PCIV.
24. This penetration only requires on PCIV. The shear valve (XV) and ball valve (SV) work in tandem to fulfill the PCIV function.
25. Specified Unit 2 and Unit 3 CACS Sample Lines are capped.

capped.

CHAPTER 07 7.3-44 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.2 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Isolation Signal* Isolation Function Sensor Accuracy(1) Trip Setting(2)

II(A), III(A) Reactor vessel Differential +/-3.5% -9 in low water level pressure transmitter (163 in above TAF) and indicating trip unit IV(E) Reactor vessel Differential +/-3.5% -66 in above low water level pressure transmitter instrument zero and pressure com- (106 in above TAF) pensation instruments I(A) Reactor vessel Differential +/-3.5% -171.7 in above low water level pressure transmitter instrument zero and indicating trip unit (0.3 in above TAF)

I(E) Main steam line Radiation high radiation monitor Paragraph 7.12.1 I(C) Main steam line Temperature indicating +/-2% 220F (Turbine Building) space high switch 240F (Unit 2 Reactor Building) temperature 220F (Unit 3 Reactor Building)

I(B) Main steam line Differential +/-2% 137.4% rated flow high flow pressure transmitter and indicating trip unit I(D) Main steam line Pressure switch +/-1% 850 psig low pressure II(B), III(B) Primary containment Pressure transmitter +/-0.5% psig 2.5 psig high pressure and indicating trip unit V(B) RCIC turbine steam Temperature indicating +/-2% 220F line space high switch temperature V(A) RCIC turbine steam Differential +/-5% 894 in WC line high flow pressure switch

  • See Isolation Signal Codes for Table 7.3.1.

CHAPTER 07 7.3-45 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.3.2 (cont'd)

PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Isolation Signal Isolation Function Sensor Accuracy(1) Trip Setting(2)

V(C) RCIC turbine steam Pressure switch +/-2% 50 psig line low pressure IV(B) HPCI turbine steam Temperature +/-2% 220F line space high indicating temperature switch IV(A) HPCI turbine steam Differential +/-5% 278 in WC line high flow pressure switch IV(C) HPCI turbine steam Pressure switch +/-2% 50 psig line low pressure III(C) Reactor building ventilation exhaust Radiation monitor Paragraph 7.12.5 high radiation RHRS (shutdown Temperature recorder +/-2% 160F cooling space high alarm switch temperature) alarm only II(C) Reactor water cleanup Differential +/-1% 132.48 in WC system high flow pressure switch VIII(A) ADS safety-grade Pressure transmitters +/-2.5% Gas Supply pneumatic supply and trip unit pressure pressure low less than differential with drywell pressure respect to drywell pressure VIII(B) ADS Safety Guide Flow transmitter +/-2.5% 10 scfm Pneumatic Supply high and trip unit flow 1 Instruments for this service have accuracy within this range over the actually purchased full scale.

2 The values given here have been used in the setpoint analysis; however, the allowable values are listed in Technical Specifications.

CHAPTER 07 7.3-46 REV. 28, APRIL 2021

PBAPS UFSAR 7.4 CORE STANDBY COOLING SYSTEMS CONTROL AND INSTRUMENTATION 7.4.1 Safety Objective The safety objective of the controls and instrumentation for the CSCS's is to initiate appropriate responses from the various cooling systems so that the fuel is adequately cooled under abnormal or accident conditions. The cooling provided by the systems restricts the release of radioactive materials from the fuel by limiting the extent of fuel damage following situations in which reactor coolant is lost from the nuclear system.

Even after the reactor is shut down from power operation by the full insertion of all control rods, heat continues to be generated in the fuel as radioactive fission products decay. An excessive loss of reactor coolant allows the fuel temperature to rise, cladding to melt, and fission products in the fuel to be released.

If the temperatures in the reactor rise to a sufficiently high value, a metal (zirconium)-water reaction occurs which releases energy. Such a reaction increases the pressure inside the nuclear system and the primary containment. This threatens the integrity of the barriers which are relied upon to prevent the uncontrolled release of radioactive materials. The controls and instrumentation for CSCS's prevent such a sequence of events by actuating CSCS's in time to limit fuel cladding temperatures to acceptable levels (less than 2,200F).

7.4.2 Safety Design Basis

1. Controls and instrumentation automatically initiate and control the CSCS's with precision and reliability to ensure removal of heat from the reactor core in time to prevent cladding temperature from exceeding 2,200F so that fuel and core deformation do not limit effective cooling of the core.
2. Controls and instrumentation initiate and control the CSCS's with sufficient timeliness, precision, and reliability to prevent more than a small fraction of the core from heating to a temperature at which a gross release of fission products occurs.
3. To meet the precision requirements of safety design bases 1 and 2, the controls and instrumentation for the CSCS's respond to conditions that indicate the potential inadequacy of core cooling, regardless of the physical location of the defect causing the inadequacy.

CHAPTER 07 7.4-1 REV. 26, APRIL 2017

PBAPS UFSAR

4. To place limits on the degree to which safety is dependent on operator judgment in time of stress, the following safety design bases are specified:
a. Appropriate responses of the CSCS's are initiated automatically by control systems when positive precise action is immediately required so that no decision or manipulation of controls beyond the capacity of plant operations personnel is demanded.
b. Intelligence of the responses of the CSCS's is provided to the operator by control room instrumentation so that faults in the actuation of safety equipment can be diagnosed.
c. Facilities for manual actuation of the CSCS's are provided in the control room so that operator action is possible, yet reserved for the remedy of a deficiency in the automatic actuation of the safety equipment or for control over the long term effects of an abnormal or accident condition.
5. To meet the reliability requirements of safety design bases 1 and 2, the following safety design bases are specified:
a. No single failure, maintenance, calibration, or test operation prevents the integrated operations of the CSCS's from providing adequate core cooling.
b. No protective device which causes interruption of performance or availability of the CSCS's is automatic, unless there is a high probability that continued use would make complete failure imminent.

Instead, such protective devices indicate off-standard conditions for operator decision and action.

c. The power supplies for the controls and instrumentation for the CSCS's are chosen so that core cooling can be accomplished concurrently with a loss of normal auxiliary AC power.
d. The physical events that accompany a LOCA do not interfere with the ability of the CSCS's controls and instrumentation to function properly.

CHAPTER 07 7.4-2 REV. 26, APRIL 2017

PBAPS UFSAR

e. Earthquake ground motion does not impair the ability of essential CSCS's controls and instrumentation to function properly.
6. To verify the availability of the CSCS's, it is possible to test the controls and instrumentation.

7.4.3 Description 7.4.3.1 Identification The controls and instrumentation for the CSCS's are identified as the equipment required for the initiation and control of the following:

1. HPCIS
2. ADS
3. Core spray system
4. LPCI (an operating mode of the RHRS).

The equipment involved in the control of these systems includes automatic injection valves, turbine pump controls, electric pump controls, relief valve controls, and the switches, contacts, and relays that make up sensory logic channels. Testable check valves and certain automatic isolation valves are not included in this description; they are described in subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System."

The CSCS's initiation and control instrumentation can be conveniently broken into two parts, the incident detection circuitry and the control instrumentation. The incident detection circuitry, which is designed to meet the intent of IEEE-279-1968, includes those channels which detect a need for core cooling systems operation and the corresponding trip systems which initiate the proper response of the CSCS's. GE Topical Report NEDO-10139 details the compliance of CSCS's with IEEE-279-1968 on pages 3-7, 3-54, 3-86, 3-107, and 3-108 (paragraph 7.2.3.1).

Appendix H contains an evaluation of the facility with respect to the 70 General Design Criteria for Nuclear Power Plant Construction Permit (July 1967).

To assure the functional capabilities of the CSCS's during and after earthquake ground motions, the controls and instrumentation CHAPTER 07 7.4-3 REV. 26, APRIL 2017

PBAPS UFSAR for each of the systems are designed as seismic Class I equipment.

This meets safety design basis 5e.

7.4.3.2 High Pressure Coolant Injection System Control and Instrumentation 7.4.3.2.1 Identification and Physical Arrangement When actuated, the HPCIS pumps water from either the condensate storage tank or the suppression chamber to the reactor vessel via the feedwater lines. The HPCIS includes one turbine driven pump set and auxiliary equipment as shown in Drawings M-365, Sheets 1 and 2 and M-366, Sheets 1 through 4.

Pressure and level sensors and trip units used in the HPCIS are located on racks in the reactor building. The pressure compensation instruments used in the HPCIS are mounted in panels in the cable spreading and computer rooms. The only operating component for the HPCIS that is located inside the primary containment is one of the two HPCIS turbine steam supply line isolation valves. The rest of the HPCIS control and instrumentation components are located outside the primary containment. Cables connect the sensors to control circuitry in the computer room, cable spreading room, and control room.

Although the system is arranged to allow a full flow functional test of the system during normal reactor power operation, the test controls are arranged so that the system will operate automatically to fulfill its safety function if required during a full flow functional test. If testing does prohibit the automatic initiation of the system, the system must be in Technical Specification Action Statement. The logic for the HPCIS is shown in Drawing M-1-CC-39, Sheets 1 through 12.

7.4.3.2.2 High Pressure Coolant Injection System Initiation Signals and Logic Either reactor vessel low water level (level 2) or primary containment (drywell) high pressure automatically start the HPCIS.

Reactor vessel low water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.

The logic scheme used for initiating the HPCIS is shown in Figure 7.4.9 and is a single trip system containing two trip system CHAPTER 07 7.4-4 REV. 26, APRIL 2017

PBAPS UFSAR logics. One trip system logic actuates upon receipt of a low water level signal. The other actuates upon receipt of a high drywell pressure signal. Either trip system logic can start the HPCIS. The HPCI trip system is powered by reliable DC buses.

Instrument settings for the HPCIS control and instrumentation are listed in Table 7.4.1. The reactor vessel low water level setting for HPCIS initiation is selected high enough above the active fuel to start the HPCIS in time both to prevent excessive fuel clad temperatures and to prevent more than a small fraction of the core from reaching the temperature at which gross fuel failure occurs.

The water level setting is far enough below normal levels that spurious HPCIS startups are avoided. The primary containment pressure setting is selected to be as low as possible without inducing spurious HPCIS startup.

A manual initiation switch, shown on Drawing M-1-CC-39, Sheets 1, 2A and 7, allows the operator to manually start the system quickly.

7.4.3.2.3 High Pressure Coolant Injection System Initiating Instrumentation Reactor vessel low water level is monitored by four level transmitters that sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual height of water in the vessel. The transmitters drive pressure compensation instruments. Two lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The two pairs of lines terminate outside the primary containment and inside the reactor building. They are physically separated from each other and tap off the reactor vessel at widely separated points. These same lines are also used for pressure and water level instruments for other systems. The level transmitters and pressure compensation instruments for the HPCIS are arranged in pairs, each pair sensing level from one pair of lines. The transmitter and pressure compensation instruments on each pair of lines provide an input to trip system A, the other to trip system B. This arrangement assures that no single transmitter or trip unit failure can prevent HPCIS initiation from reactor vessel low water level. These pressure compensation instruments are used to increase the accuracy of level measurements.

Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the CHAPTER 07 7.4-5 REV. 26, APRIL 2017

PBAPS UFSAR drywell, but inside the reactor building. The transmitters drive indicating electronic trip units which are located in panels in the reactor building. Pipes that terminate in the reactor building allow the transmitters to communicate with the drywell interior. The transmitters and trip unit combinations are grouped in pairs and are electrically connected so that no single failure of a transmitter or trip unit can prevent the initiation of the HPCIS due to primary containment high pressure.

7.4.3.2.4 High Pressure Coolant Injection System Turbine and Turbine Auxiliary Control The HPCIS controls automatically start the HPCIS from the receipt of a reactor vessel low water level signal or primary containment high pressure signal and bring the system to its design flow rate within 55 seconds. The controls then function to provide design makeup water flow to the reactor vessel until the amount of water delivered to the reactor vessel is adequate, at which time the HPCIS automatically shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown.

The HPCI turbine is functionally controlled as shown in Drawing M-1-CC-39, Sheets 5 and 11. A speed governor limits the turbine speed to its maximum operating level. A control governor receives an HPCIS flow signal and adjusts the turbine steam control valve so that design HPCIS pump discharge flow rate is obtained. Manual control of the governor is possible in the test mode, but control of the governor automatically returns to the flow controller upon receipt of an HPCIS initiation signal. The flow signal used for automatic control of the turbine is derived from a flow element in the HPCIS pump discharge line. The governor controls the pressure applied to the hydraulic operator of the turbine control valve which, in turn, controls the steam flow to the turbine. Hydraulic pressure is supplied for both the turbine control valve and the turbine stop valve by the DC powered oil pump during startup and then by the shaft-driven hydraulic oil pump when the turbine reaches operating speed.

Upon receipt of an initiation signal, the auxiliary oil pump starts, providing hydraulic pressure for the turbine stop valve and turbine control valve hydraulic operator. During turbine startup, the lower of the signals from the startup ramp generator and the flow controller positions the control valve. The control valve hydraulic operator is biased to start the control valve open as hydraulic pressure is developed. Once sufficient hydraulic pressure is developed to reposition the control valve operator, CHAPTER 07 7.4-6 REV. 26, APRIL 2017

PBAPS UFSAR the control valve starts to reclose, controlled by the idle ramp generator signal. The stop valve opens completely as hydraulic pressure is developed. When the stop valve starts open, a limit switch on the stop valve initiates the ramp generator to provide an increasing opening signal to the control valve to ramp the turbine up to rated flow within 55 seconds of the initiating signal. When the turbine reaches rated flow, the flow controller adjusts the control governor setting so that design flow is maintained.

The turbine is automatically shut down by tripping the turbine stop valve closed if any of the following conditions are detected:

1. Turbine overspeed.
2. High turbine exhaust pressure.
3. Low pump suction pressure.
4. Reactor vessel high water level.
5. Auto-isolation signal (subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System").

A probabilistic missile evaluation has been performed on the HPCIS pump turbine and is described in subsection 11.2.

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service.

A turbine trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so close that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical-hydraulic device. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown. One pressure switch is used to detect low HPCIS pump suction pressure.

High water level in the reactor vessel indicates that the HPCIS has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in HPCIS CHAPTER 07 7.4-7 REV. 26, APRIL 2017

PBAPS UFSAR turbine damage caused by gross carryover of moisture. The reactor vessel high water level setting which trips the turbine is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Two level transmitters with pressure compensation instruments are arranged to require that both pressure compensation instruments must operate (coincidence) to initiate a turbine shutdown.

The controls for the turbine auxiliary oil pump are arranged for automatic or manual control. Upon receipt of an HPCIS initiation signal the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft-driven oil pump begins to supply hydraulic pressure. After about 30 sec during an automatic turbine startup, the pressure supplied by the shaft-driven oil pump is sufficient, and the auxiliary oil pump automatically stops upon receipt of a high oil pressure signal.

Should the shaft-driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts.

Operation of the gland seal condenser components - gland seal condenser condensate pump (DC), gland seal condenser blower (DC),

and gland seal condenser water level instrumentation - prevents out leakage from the turbine shaft seals. Startup of this equipment is automatic. Failure of this equipment will not prevent the HPCIS from providing water to the reactor vessel.

7.4.3.2.5 High Pressure Coolant Injection System Valve Control All automatic valves in the HPCIS are equipped with remote-manual test capability, so that the entire system can be operated from the control room. Motor operated valves are provided with appropriate limit switches to turn off the motors when the full open or full closed positions are reached. Valves that are automatically closed on isolation signals are equipped with remote-manual reset devices, so that they cannot be reopened without operator action. All essential components of the HPCIS control operate independent of normal AC power. The HPCI steam supply inboard isolation valve is AC powered, but is normally maintained open.

To assure that the HPCIS can be brought to design flow rate within 55 seconds from the receipt of the initiation signal, the following maximum operating times for essential HPCIS valves are provided by the valve operation mechanisms:

CHAPTER 07 7.4-8 REV. 26, APRIL 2017

PBAPS UFSAR HPCIS turbine steam supply valve 40 seconds HPCIS pump discharge valves 20 seconds HPCIS pump minimum flow bypass valve 12 seconds The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa.

Because the two HPCIS steam supply line isolation valves are normally open and because they are intended to isolate the HPCIS steam line in the event of a break in that line, the operating time requirements for them are based on isolation specifications.

These are described in subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System." A normally closed DC motor operated isolation valve is located in the turbine steam supply line just upstream of the turbine stop valve. Upon receipt of an HPCIS initiation signal, this valve opens and remains open until closed by operator action from the control room.

An inside of the drywell and an outside of the drywell isolation valve has been provided in the steam supply to the turbine. These valves are normally open. On Unit 2, a normally closed isolation valve has been provided in the 1-inch line that bypasses the isolation valve that is outside the drywell. The valve in the bypass line is used to control warm-up of the HPCI steam line before the HPCIS is returned to service with the reactor at power.

On Unit 3, the HPCI steam supply isolation valve is used to permit controlled steam line heatup. The steam supply line isolation valve inside the drywell is controlled by an AC motor. The valve outside the drywell is controlled by a DC motor. The bypass valve is a solenoid actuated, air operated valve that fails closed on loss of power or air. Although the main isolation valves are normally open, an HPCIS initiating signal opens them if they are closed. All three valves automatically close upon receipt of an HPCIS turbine steam line high flow signal, or an HPCIS turbine steam supply low pressure signal, or high steam line space temperature. The closure by the HPCIS turbine steam line high flow signal is delayed to prevent isolation of the HPCIS on transient high flow conditions experienced during system startup.

The nominal 3-second time delay is determined by station setpoint control processes. This meets the intent of NUREG-0737, Item II.K.3.15. The instrumentation for isolation is described in subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System."

The HPCI turbine exhaust line is equipped with vacuum breakers to prevent suppression pool water from being sucked into the line.

CHAPTER 07 7.4-9 REV. 26, APRIL 2017

PBAPS UFSAR The line to the vacuum breakers is equipped with an automatic isolation valve. The isolation signal for the valve consists of a high drywell pressure signal and a low reactor pressure signal combined in "AND" logic. The high drywell pressure indicates a need for containment isolation. The low reactor pressure signal is a permissive that allows automatic isolation only after reactor pressure has dropped to a value that renders the HPCIS inoperable.

Three pump suction valves are provided in the HPCIS. One valve provides pump suction from the condensate storage tank and the other two in series provide suction from the suppression chamber.

The condensate storage tank is the initial source. All three valves are operated by DC motors. The control arrangement is shown in Drawing M-1-CC-39, Sheets 1, 2A and 7. Although the condensate storage tank suction valve is normally open, an HPCIS initiation signal opens it if it is closed. If the water level in the condensate storage tank falls below a preselected level, the suppression chamber suction valves automatically open. When the suppression chamber valves are both fully open, the condensate storage tank suction valve automatically closes. Two level switches are used to detect the condensate storage tank low water level condition. Either switch can cause the suppression chamber suction valves to open. The suppression chamber suction valves also automatically open and the condensate storage tank suction valve closes if a high water level is detected in the suppression chamber. Two level switches monitor the water level. Either switch can initiate opening of the suppression chamber suction valves. If open, the suppression chamber suction valves automatically close upon receipt of the signals that initiate HPCIS steam line isolation.

Two DC motor operated HPCIS pump discharge valves in the pump discharge line are provided. Both valves are arranged to open upon receipt of either one of the HPCIS initiation signals. The valves remain open after receipt of a turbine trip signal until closed by operator action in the control room.

To prevent damage by overheating at reduced HPCIS pump flow, a pump discharge minimum flow bypass is provided back to the suppression chamber. The bypass is controlled by an automatic, DC motor-operated valve. At HPCIS high flow, the valve is closed; at low flow, the valve is opened. A flow switch in the HPCIS pump discharge line provides the necessary signals. There is also an interlock provided to shut the minimum flow bypass whenever the turbine is tripped. This is necessary to prevent drainage of the condensate storage tank into the suppression pool which is at a lower elevation.

CHAPTER 07 7.4-10 REV. 26, APRIL 2017

PBAPS UFSAR To prevent the HPCIS steam supply line from filling up with water and cooling, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain line arrangement just upstream of the turbine supply valve. The controls position valves so that during normal operation steam line drainage is routed to the main condenser. Upon receipt of an HPCIS initiation signal, the drainage path is isolated. The water level in the steam line drain condensate pot is controlled by a level switch and a direct-acting solenoid valve which energizes to allow condensate to flow out of the pot.

During test operation, the HPCIS pump discharge can be routed to the condensate storage tank or the suppression pool. DC motor operated valves are installed in the pump discharge test lines.

Upon receipt of an HPCIS initiation signal, the valves close and remain closed. In order to prevent injection of contaminated water into the condensate storage tank during testing, the valve that directs flow to the condensate storage tank is interlocked closed if any HPCIS or RCICS suppression chamber suction valve is fully open. Numerous indications pertinent to the operation and condition of the HPCIS are available to the control room operator.

Drawing M-1-CC-39, Sheets 6 and 12 shows the various indications provided.

The control circuits of motor operators for all automatically operated HPCI valves required to perform the HPCIS safety function, primary containment isolation or reactor vessel isolation, are arranged such that motor thermal overload protection is provided for manual operation of the valve, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload. During automatic operation, the thermal overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received.

The operator can override the thermal overload circuit by continuously holding the spring-return control switch in the operate position during manual operation.

7.4.3.2.6 High Pressure Coolant Injection System Environmental Considerations The only HPCIS control component located inside the primary containment that must remain functional in the environment resulting from a LOCA is the control mechanism for the inboard isolation valve on the HPCIS turbine steam line. The HPCIS control and instrumentation equipment located outside the primary CHAPTER 07 7.4-11 REV. 26, APRIL 2017

PBAPS UFSAR containment is selected in consideration of the normal and accident environments in which it must operate. The environmental capabilities of the HPCIS equipment is discussed in subsection 7.19, "Class 1E Equipment Environmental Qualification."

7.4.3.3 Automatic Depressurization System Control and Instrumentation 7.4.3.3.1 Identification and Physical Arrangement Automatically controlled relief valves are installed on the main steam lines inside the primary containment. The valves are dual purpose in that they will open due to overpressure or by action of an electric-pneumatic control system (subsection 4.4, "Nuclear System Pressure Relief System"). Depressurization by automatic action of the control system is intended to reduce nuclear system pressure during a LOCA in which the HPCIS flow is not adequate so that the core spray system and LPCIS can inject water into the reactor vessel. The automatic control and instrumentation equipment for the relief valves is described in this section. The controls and instrumentation for one of the relief valves are discussed. Other relief valves equipped for automatic depressurization are identical.

The control system, which is functionally illustrated in Drawing M-1-CC-13, Sheets 1, 2, 13 and 14, consists physically of pressure and water level sensors arranged in trip systems that control a solenoid operated pilot air valve. The solenoid operated pilot valve controls the pneumatic pressure applied to a diaphragm actuator which controls the relief valve directly. An accumulator is included with the control equipment to store pneumatic energy for relief valve operation. The accumulator is sized to hold a volume equivalent to five valve operations following failure of the pneumatic supply to the accumulator. The accumulator is supplied from either the plant instrument nitrogen (primary source) or the plant instrument air system (secondary source) and also from the long-term, safety-grade pneumatic supply. The electrical control circuitry is powered by DC from the station batteries. The power supplies for the control channels are separated to limit the effects of electrical failures. Electrical elements in the control system energize to cause opening of the relief valve.

7.4.3.3.2 Automatic Depressurization System Initiating Signals and Logic Two initiation signals are used for the ADS:

CHAPTER 07 7.4-12 REV. 26, APRIL 2017

PBAPS UFSAR

1. Reactor vessel low water level.
2. Primary containment (drywell) high pressure.

Reactor vessel low water level indicates that the fuel is in danger of becoming overheated. This low water level would normally not occur unless the HPCIS failed. Primary containment high pressure indicates that a breach in the nuclear system process barrier has occurred inside the drywell.

The presence of both initiation signals concurrently will cause the relief valves to open after a maximum two-minute time delay provided that at least one LPCI or two core spray pumps are running. Any combination of CS pumps running except A and B or C and D will satisfy the requirement. Additionally, the primary containment high pressure signal is bypassed after an extended time delay following receipt of a reactor vessel low water level signal. This causes the relief valves to open in response to a reactor vessel low water level signal alone, provided that at least one LPCI or two core spray pumps are running.

After receipt of the initiation signals, the solenoid operated pilot air valve is energized, allowing pneumatic pressure from the accumulator to act on the actuator. The diaphragm actuator is an integral part of the relief valve and mechanically displaces the second-stage piston to a position to permit the relief valve to remain open. Lights in the control room inform the control room operator of relief valve position.

A two-position switch is provided in the control room for the control of each relief valve. The two positions are OPEN and AUTO. In the open position the switch energizes the solenoid operated pilot valve, which allows pneumatic pressure to be applied to the diaphragm actuator of the relief valve.

This allows the control room operator to take action independent of the automatic system. The relief valves can be manually opened to provide a controlled nuclear system cooldown under conditions where the normal heat sink is not available. Manual reset circuits are provided for the initiating signals and for the logic circuits. Manually resetting the logic before the delay timers time out causes the timers to be recycled. The operator can use the logic reset switch to delay or prevent automatic opening of the relief valves if such delay or prevention is prudent.

CHAPTER 07 7.4-13 REV. 26, APRIL 2017

PBAPS UFSAR A manual inhibit switch is provided in the control room for each of the two logics. A keylocked switch is used to limit the potential for inadvertent actuation of the manual inhibit. The operator can use the inhibit switch to prevent automatic opening of the relief valves if such prevention is prudent. Alarms alert the operator of activation of the manual inhibit.

The logic scheme used for initiating the system is shown in Figure 7.4.9 and is a single trip system containing two trip system logics. Each trip system logic can initiate automatic depressurization. The trip system is powered by reliable DC buses.

Instrument specifications and settings are listed in Table 7.4.2.

The wiring from the trip systems to each relief valve is routed in separate conduits to reduce the probability that a single event will prevent automatic opening of the relief valves. Pump discharge pressure switches are used to sense that the core spray and LPCI pumps are running.

The reactor vessel low water level initiation setting for the ADS is selected to open the relief valves to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the core spray system and LPCIS following a LOCA in which the other makeup systems (feedwater, RCICS, HPCIS) fail to maintain vessel water level. The primary containment high pressure setting is selected to be as low as possible without inducing spurious initiation of the ADS.

7.4.3.3.3 Automatic Depressurization System Initiation Instrumentation The pressure and level switches used to initiate the ADS are common to each relief valve control circuitry. Reactor vessel low water level is detected by four level transmitters and pressure compensation instruments that measure differential pressure.

Primary containment high pressure is detected by four pressure transmitters and trip units. The transmitters, trip units, and pressure compensation instruments combinations used for these two initiating functions are the same ones used for the LPCIS and core spray system. Two additional uncompensated level transmitters are used to confirm reactor low water level as part of the interlocks.

The primary containment high pressure signals are arranged to seal into the control circuitry; they must be manually reset to clear.

Timers are used in the control circuitry for each of the two logics. The delay time setting before the ADS is actuated on low reactor vessel level and high drywell pressure is chosen to be CHAPTER 07 7.4-14 REV. 26, APRIL 2017

PBAPS UFSAR long enough so that the HPCIS has time to start, yet not so long that the core spray system and LPCIS are unable to adequately cool the fuel if the HPCIS fails to start. The delay time setting before the ADS is activated on low reactor vessel level alone is chosen to be long enough to allow the operator time to correctly diagnose plant conditions and inhibit the ADS in the case of an ATWS event, yet not so long that the core spray and LPCIS are unable to adequately cool the fuel if the HPCIS fails to start.

An alarm in the control room is annunciated every time any of the timers is running.

The requirement that at least one LPCI pump or two core spray pumps be running before automatic depressurization starts ensures that cooling will be available to the core after the system pressure is lowered.

7.4.3.3.4 Automatic Depressurization System Alarms A temperature element is installed in the thermowell in the relief valve discharge piping several feet from the valve body. The temperature element is connected to a multipoint recorder in the control room to provide a means of detecting relief valve leakage during plant operation. When the temperature in any relief valve discharge line exceeds a preset value, an alarm is sounded in the control room. The alarm setting is selected far enough above normal rated power temperatures to avoid spurious alarms yet low enough to give early indication of relief valve leakage.

7.4.3.3.5 Automatic Depressurization System Environmental Considerations Control and instrumentation equipment of the ADS such as signal cables, solenoid valves, and relief valve operators are the only items that are located inside the primary containment and that must remain functional in the environment resulting from a LOCA.

These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of these items. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate. Refer to subsection 7.19, "Class 1E Equipment Environmental Qualification."

7.4.3.4 Core Spray System Control and Instrumentation 7.4.3.4.1 Identification and Physical Arrangement CHAPTER 07 7.4-15 REV. 26, APRIL 2017

PBAPS UFSAR The core spray system consists of two independent spray loops as illustrated in M-362, Sheets 1 and 2. Each loop is capable of supplying sufficient cooling water to the reactor vessel to adequately cool the core following a design basis LOCA. The two spray loops are physically and electrically separated so that no single physical event makes both loops inoperable. Each loop includes two AC motor driven pumps, appropriate valves, and the piping to route water from the suppression pool to the reactor vessel. The controls and instrumentation for the core spray system includes either trip units and relays or pressure compensation instruments and relay contact output cards, and the sensors, wiring, and valve operating mechanisms used to start, operate, and test the system. Except for the testable check bypass valve in each spray loop, which is inside the primary containment, the sensors and valve closing mechanisms for the core spray system are located in the reactor building. Testable check valves are described in subsection 6.6, "Inspection and Testing."

Each core spray pump is powered from a separate AC bus which is capable of receiving standby power. The power supplies for automatic valves in each loop are from the same sources as these used for the core spray pumps in that loop. Control power for each of the core spray loops comes from separate DC buses. The electrical equipment in the control room for one core spray loop is isolated from that used for the other loop.

7.4.3.4.2 Core Spray System Initiating Signals and Logic The control scheme for the core spray system is illustrated in Drawing M-1-CC-41, Sheets 1 through 8. Trip settings are given in Table 7.4.3. The overall operation of the system following the receipt of an initiating signal is as follows:

1. Test bypass valves are closed and interlocked to prevent opening.
2. If normal AC power is available, the A & C pumps start after a 13-second time delay. The B & D pumps will start after a 23 second time delay. The valves in the suction paths from the suppression chamber are maintained open so that no automatic action is required to line up suction.
3. If normal power is not available, the four pumps start simultaneously 6 seconds after the standby power source is available.

CHAPTER 07 7.4-16 REV. 26, APRIL 2017

PBAPS UFSAR

4. When reactor vessel pressure drops to a preselected value, valves open in the pump discharge lines, allowing water to be sprayed over the core.
5. When pump differential pressure indicates that sufficient discharge flow is present, the pump low flow bypass valves shut, directing full flow into the reactor vessel.

Two automatic initiating functions are used for the core spray system: (1) primary containment (drywell) high pressure plus low reactor pressure and (2) reactor vessel low water level. Either initiation signal can start the system.

The logic scheme used for initiating the core spray system is comprised of two trip systems, each containing two trip system logics. One trip system logic actuates upon receipt of a low water signal. The other actuates upon receipt of a high drywell pressure signal if the reactor pressure is low. Each trip system logic is made up of two parallel logic pairs. Each trip system logic, in a trip system, can initiate the respective loop of the core spray system. The trip systems are powered by reliable independent DC buses.

A manual initiation switch in each of the two systems, shown on Drawing M-1-CC-41, Sheets 1 and 5, allows the operator to manually start the system quickly.

Reactor vessel low water level indicates that the core is in danger of being overheated due to the loss of coolant. Concurrent drywell high pressure and low reactor pressure indicates that a breach of the nuclear system process barrier has occurred inside the drywell. The reactor vessel low water level setting and primary containment high pressure and low reactor vessel pressure settings and the instruments that provide the initiating signals are selected and arranged so as to assure adequate cooling for the design basis LOCA without inducing spurious system startups.

7.4.3.4.3 Core Spray System Pump Control The control arrangements for the core spray pumps are shown in Drawing M-1-CC-41, Sheets 1 and 5. The circuitry provides for detection of normal power available, so that all pumps are automatically started in sequence. Each pump can be manually controlled by a control room remote switch, or the automatic control system. Pressure and flow instrumentation on the discharge line from each set of core spray pumps provide signals CHAPTER 07 7.4-17 REV. 26, APRIL 2017

PBAPS UFSAR in the control room to indicate the successful startup of the pumps.

The core spray pump motors are provided with overload and undervoltage protection. Overload relays are applied so as to maintain power as long as possible without immediate damage to the motors or emergency power system.

7.4.3.4.4 Core Spray System Valve Control Except where specified otherwise, the remainder of the description of the core spray system refers to one spray loop. The second core spray loop is identical. The control arrangements for the various automatic valves in the core spray system are indicated in Drawing M-1-CC-41, Sheets 1, 2, 3, 5, 6, and 7. All motor operated valves are equipped with switches to turn off the valve motor when the valve reaches the limits of movement and provide control room indication of valve position. Each automatic valve can be manually operated from the control room.

The control circuits of motor operators for automatically operated core spray system valves are arranged such that motor thermal overload protection is provided during manual operation, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload. During automatic operation, the overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received. The operator can override the thermal overload circuit by continuously holding the spring-return control switch in the operate position during manual operation.

Upon receipt of an initiation signal the test bypass valve is interlocked shut. The core spray pump discharge valves are automatically opened when nuclear system pressure drops to a pre-selected value; the setting is selected low enough so that the low pressure portions of the core spray system are not overpressurized, yet high enough to open the valves in time to provide adequate cooling for the fuel. Four sets of pressure transmitters and trip units are used to monitor nuclear system pressure. These are connected in a one-out-of-two-twice logic to initiate opening of the discharge valves. The full stroke operating time of the motor operated discharge valves is selected to be rapid enough to assure proper delivery of water to the reactor vessel in a design basis accident.

CHAPTER 07 7.4-18 REV. 26, APRIL 2017

PBAPS UFSAR A differential pressure indicating switch across each core spray pump provides a signal to operate the minimum flow bypass line valve for each pump. When the flow reaches the value required to prevent pump overheating, the valves close, directing all flow into the sparger.

7.4.3.4.5 Core Spray Alarms and Indications Core spray system pressure between the two pump discharge valves is monitored by a pressure switch to permit detection of leakage from the nuclear system into the core spray system outside the primary containment.

A detection system is also provided to continuously confirm the integrity of the core spray piping between the inside of the reactor vessel and the core shroud. A differential pressure switch measures the pressure difference between the bottom of the core and the inside of the core spray sparger pipe just outside the reactor vessel. If the core spray sparger piping is intact, this pressure difference will be the pressure drop across the core. If the core spray piping outside the shroud fails, this pressure drop will include the core pressure drop and the steam separator pressure drop. An increase in the normal pressure drop initiates an alarm in the control room. Pressure in each core spray pump suction and discharge line is monitored by a pressure indicator which is locally mounted to permit determination of suction head and pump performance.

7.4.3.4.6 Core Spray System Environmental Considerations There are no control and instrumentation components for the core spray system that are located inside the primary containment that must operate in the environment resulting from a LOCA. All components of the core spray system that are required for system operation are outside the drywell and are selected in consideration of the normal and accident environments in which they must operate. Refer to subsection 7.19, "Class 1E Equipment Environmental Qualification."

7.4.3.5 Low Pressure Coolant Injection Control and Instrumentation 7.4.3.5.1 Identification and Physical Arrangement LPCI is an operating mode of the RHRS that uses pumps and piping that are parts of the RHRS. Because the LPCIS is designed to provide cooling water to the reactor vessel following the design CHAPTER 07 7.4-19 REV. 26, APRIL 2017

PBAPS UFSAR basis LOCA, the controls and instrumentation for it are discussed here. Subsection 4.8, "Residual Heat Removal System," describes the RHRS in detail.

Drawing M-361 Sheets 1 through 4 shows the entire RHRS, including the equipment used for LPCI operation. The following list of equipment itemizes essential components for which control or instrumentation is required:

1. Four RHRS pumps.
2. Pump suction valves.
3. LPCI-to-recirculation loop injection valves.

The instrumentation for LPCI operation provides inputs to the control circuitry for other valves in the RHRS. This is necessary to ensure that the water pumped from the suppression chamber by the pumps is routed directly to a reactor recirculation loop.

These interlocking features are described in this section. The actions of the reactor recirculation loop valves are also described in this section because these actions are accomplished to facilitate LPCI operation.

LPCI operation uses two identical loops, each loop with two pumps in parallel. The two loops are arranged to discharge water into different reactor recirculation loops. Drawing M-361, Sheets 1 through 4, shows the locations of instruments, control equipment, and LPCI components relative to the primary containment. Except for the LPCI testable check valves and the reactor recirculation loop valves, the components pertinent to LPCI operation are located outside the primary containment.

The power for the RHRS pumps is supplied from AC buses that can receive standby AC power. Each of the four pumps derives its power from a different bus. The primary source of power for the LPCI inboard injection valves and recirculation pump discharge valves is from one of two redundant buses, with the capability to automatically transfer to the redundant and independent power supply upon loss of the primary power source. Control power for the LPCI components comes from the DC buses. Redundant trip systems are powered from different DC buses. Each pump is provided with a redundant start signal in one-out-of-two logic.

LPCI is arranged for automatic operation and for remote-manual operation from the control room. The equipment provided for manual operation of the system allows the operator to take action independent of the automatic controls in the event of a LOCA.

CHAPTER 07 7.4-20 REV. 26, APRIL 2017

PBAPS UFSAR 7.4.3.5.2 Low Pressure Coolant Injection Initiating Signals and Logic The overall operating sequence for LPCI following the receipt of an initiation signal is as follows:

1. If normal AC power is available, the A & B pumps start after a 2-second time delay and the C & D pumps start after an 8-second time delay. The valves in the suction paths from the suppression chamber are maintained open so that no automatic action is required to line up suction.
2. If normal AC power is not available, the four pumps start simultaneously with no delay as soon as the standby power source is available.
3. The discharge valves in the reactor recirculation loops automatically close when the reactor pressure decreases below the low pressure setpoint.
4. Selected valves automatically realign so that the water pumped from the suppression chamber is routed properly.
5. The high pressure service water pumps automatically stop (if running) because they are not needed for LPCI operation.
6. When nuclear system pressure has dropped to a value at which the RHR System pumps are capable of injecting water into the recirculating loops, the LPCIS injection valves to the recirculation loops automatically open.
7. The LPCIS then delivers water to the reactor vessel via the recirculation loops to provide core cooling.

In the descriptions of LPCI controls and instrumentation that follow, Drawing M-361, Sheets 1 through 4, can be used to determine the physical locations of sensors. Drawing M-1-CC-40, Sheets 1 through 14 can be used to determine the functional use of each sensor in the control circuitry for the various LPCI components. Instrument characteristics and settings are given in Table 7.4.4.

Two automatic initiation functions are provided for the LPCI: (1) primary containment (drywell) high pressure plus low reactor CHAPTER 07 7.4-21 REV. 26, APRIL 2017

PBAPS UFSAR pressure and (2) reactor vessel low water level. Either initiation signal can start the system.

The logic scheme used for initiating the LPCIS is shown in Figure 7.4.9 and is comprised of two trip systems each containing two-trip system logics. Each of the two initiation trip system logics can initiate its trip system. Each LPCI pump receives a start signal from the two trip systems either of which starts the pump. Each of these pump start circuits contains its own emergency bus voltage sensing relay and appropriate timing relays to assure complete redundancy of the starting signals. The trip systems are powered by reliable independent DC buses. The instruments used to detect reactor vessel low water level, primary containment high pressure and low reactor pressure are the same ones used to initiate the other CSCS.

A manual initiation switch, shown on Drawing M-1-CC-40, Sheets 1 and 8, allows the operator to manually start the system quickly.

7.4.3.5.3 Low Pressure Coolant Injection Pump Mode Control The functional control arrangement for the pumps is shown in Drawing M-1-CC-40, Sheets 1 and 8.

The time delays are provided by timers which are set as shown Table 7.4.4 to prevent overloading the power source.

Pressure switches installed in the pump discharge lines upstream of the pump discharge check valves provide indication of proper pump operation following an initiation signal. Low pressure in a pump discharge line indicates pump failure. The locations of the pressure switches relative to the discharge check valves prevent the discharge pressure from an operating pump from concealing a pump failure.

To prevent RHRS pump damage due to overheating at no flow, the control circuitry prevents a pump from starting unless a suction path is lined up. Limit switches on suction valves provide indications that a suction lineup is in effect. If suction valves change from their fully open position during RHRS pump operation, the limit switches trip the pump power supply breaker open.

The RHRS pump motors are provided with overload and undervoltage protection. The overload relays are applied so as to maintain power on the motor as long as possible without harm to the motor or immediate damage to the emergency power system.

CHAPTER 07 7.4-22 REV. 26, APRIL 2017

PBAPS UFSAR 7.4.3.5.4 Low Pressure Coolant Injection Valve Control The automatic valves controlled by the LPCI control circuitry are equipped with appropriate switches which turn off the valve operating mechanisms whenever the valves reach the limits of travel. Seal-in and interlock features are provided to prevent improper valve positioning during automatic LPCI operation. The operating mechanisms for the valves are selected so that the LPCI operation is in time for the system to fulfill its objective of providing adequate core cooling following a design basis LOCA.

The time required for the valves pertinent to LPCI operation to travel from the fully closed to the fully opened positions, or vice versa, is as follows:

LPCI injection valves 34 sec Reactor recirculation discharge valves 29 sec Containment(drywell spray) cooling valves 20 sec RHRS test line isolation valves 112 sec The pump suction valves to the suppression pool are normally open.

Upon receipt of an LPCI initiation signal certain reactor shutdown cooling system valves and the RHRS test line and containment spray valves automatically close to automatically return the system to the LPCI lineup. By closing these valves the pump discharge is properly routed. Also included in this set of valves are the valves which, if not closed, would permit the pumps to take a suction from the reactor recirculation loop, a lineup that is used during normal shutdown cooling system operation.

The control circuits of motor operators for automatically operated LPCIS valves are arranged such that motor thermal overload protection is provided during manual operation, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload.

During automatic operation, the overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received. The operator can override the thermal overload circuit by continuously holding the spring return control switch in the operate position during manual operation.

A motor operated valve is located in the RHR cross-tie line between pump discharge headers within each division. The RHR cross-tie valve is manually operated from the control room to CHAPTER 07 7.4-23 REV. 26, APRIL 2017

PBAPS UFSAR enter the RHR cross-tie mode of operation. With the valve open, a single RHR pump can be aligned to both RHR heat exchangers within a division, increasing cooling capacity of the RHR system.

A throttling valve is located in the discharge of each RHR pump before the associated heat exchanger. In the shutdown cooling mode, they are used to throttle RHR flow as the cooling requirement diminishes. During LPCI operation, they provide resistance to flow to prevent RHR pump runout in the event of pump output flowing into a broken recirculation line. The valves are positioned for LPCI operation during RHR surveillance testing, to ensure LPCI flow is above the minimum required to satisfy Technical Specifications, but limited to the maximum calculated flow to ensure that adequate NPSH remains available for the RHR pump, and also to prevent pump runout. To alert operators that the valves have been moved from their proper LPCI alignment during any period when LPCI could be needed, an alarm appears in the control room when the valves are moved from their proper position.

During the RHR cross-tie mode, the valves can be throttled to balance the flow rate between heat exchangers within the operating RHRS division.

The LPCIS is designed for automatic operation following a recirculation line break. The LPCI logic opens the LPCI valve and closes the recirculation pump discharge valves in both recirculation loops providing cooling for the reactor core. The LPCI logic is configured such that the recirculation pump discharge valves do not close until the reactor pressure has decayed below the low pressure setpoint. The functional control diagrams for the recirculation loop valves are provided in subsection 7.9. The manual control for the recirculation loop valves is interlocked to prevent valve opening whenever the LPCI initiation signal is present. The LPCI valves do not open until reactor pressure decreases to a value below the discharge head of the LPCIS. LPCI flow then enters the reactor vessel when the check valves open due to LPCI pressure being higher than reactor pressure.

A timer cancels the LPCI signals to the outboard LPCI injection valves and to the RHR throttling valves after a delay time long enough to permit satisfactory operation of the LPCIS. The cancellation of the signals allows the operator to divert the water for other post-accident purposes. Cancellation of the CHAPTER 07 7.4-24 REV. 26, APRIL 2017

PBAPS UFSAR signals does not cause the injection valves or the throttling valves to move.

The manual controls in the control room allow the operator to open an LPCI valve only if either nuclear system pressure is low or the other injection valve in the same line is closed. These restrictions prevent overpressurization of low pressure piping.

The same pressure transmitter and trip unit used for the automatic opening of the valves are used in the manual circuit. Limit switches on both injection valves for each LPCI loop provide the valve position signals required for injection valve manual operation at high nuclear system pressure.

To protect the pumps from overheating at low flow rates a minimum flow bypass line, which routes water from the pump discharge to the suppression chamber, is provided for each pump. A single motor-operated valve controls the condition of each bypass line.

The minimum flow bypass valve automatically opens upon low flow in the discharge line from the associated pump. The valve automatically closes whenever the flow from the associated pump is above the low flow setting. The RHR minimum flow bypass valves are controlled by differential pressure switches across each RHR pump. Drawing M-361Figure 7.4.6 shows the location of the differential pressure switches. One switch is used for each pump.

The valves that allow the diversion of water for containment cooling are automatically closed upon receipt of an LPCI initiation signal. The manual controls for the drywell valves are interlocked so that opening the valves by manual action is not possible unless both primary containment (drywell) pressure is high, which indicates the need for containment cooling, and reactor vessel water level inside the core shroud is above the level equivalent to two-thirds the core height. Four transmitters and trip units are used to monitor drywell pressure. The trip setting is selected to be as low as possible yet provide indication of abnormally high drywell pressure. The trip units which are in one-out-of-two-twice logic must register the drywell high-pressure condition to allow opening of containment cooling valves by manual action. A level transmitter and pressure compensation instrument is used to monitor water level inside the core shroud for each loop's set of valves. A keylock switch in the control room allows a manual override of the two-thirds core height permissive contact for the containment cooling valves.

Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess the LPCI operation. Valves have indications of CHAPTER 07 7.4-25 REV. 26, APRIL 2017

PBAPS UFSAR full open and full closed positions. Pumps have indications for pump running and pump stopped. Alarm and indication devices are shown in Drawing M-361, Sheets 1 through 4 and Drawing M-1-CC-40, Sheets 7 and 14.

7.4.3.5.5 Low Pressure Coolant Injection Environmental Considerations The only control components pertinent to LPCI operation that are located inside the primary containment that must remain functional in the environment resulting from a LOCA are the cables and valve closing mechanisms for the recirculation loop discharge valves.

The cables and valve operators are selected with environmental capabilities that assure valve closure under the environmental conditions resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of this equipment.

Other equipment located outside the drywell is selected in consideration of the normal and accident environments in which it must operate. Refer to subsection 7.19, "Class 1E Equipment Environmental Qualification."

7.4.3.5.6 Low Pressure Coolant Injection Load Shed In order to ensure that sufficient power is available to start the RHR pumps during LOCA event, the affected unit's backup air compressor is tripped if running or prevented from being started for the first 60 seconds of the LOCA event. The compressor load shed is initiated by a Division I or Division II LPCI initiation signal.

7.4.4 Safety Evaluation In Sections 14.0, "Plant Safety Analysis," and 6.0, "Core Standby Cooling Systems," the individual and combined capabilities of the CSCS's are evaluated. The control equipment characteristics and trip settings described in this section were considered in the analysis of CSCS's performance. For the entire range of nuclear process system break sizes the cooling systems are effective both in preventing excessive fuel clad temperature and in preventing more than a small fraction of the reactor core from reaching the temperature at which a gross release of fission products can occur. This conclusion is valid even with significant failures in individual cooling systems because of the overlapping capabilities of the CSCS's. The controls and instrumentation for the CSCS's satisfy the precision and timeliness requirements of safety design bases 1 and 2.

CHAPTER 07 7.4-26 REV. 26, APRIL 2017

PBAPS UFSAR Safety design basis 3 requires that instrumentation for the CSCS's responds to the potential inadequacy of core cooling regardless of the location of a breach in the nuclear system process barrier.

The reactor vessel low water level initiating function, which can actuate HPCI, ADS, LPCI, and core spray without coincident high drywell pressure, meets this safety design basis because a breach in the nuclear system process barrier inside or outside the primary containment is sensed by the low water level detectors.

The use of the reactor vessel low water level signal as the only CSCS initiating function completely independent of breach location is adequate. This is based on the isolation responses of the primary containment and reactor vessel isolation control system to a breach of the nuclear system outside the primary containment.

The other major initiating function, primary containment high pressure, is provided because the primary containment and reactor vessel isolation control system may not be able to isolate all nuclear system breaches inside the primary containment. The primary containment high pressure initiating signal for the CSCS's provides a second reliable method for sensing losses of coolant that cannot necessarily be stopped by isolation valve action.

This second initiating function is independent of the physical location of the breach within the drywell. The method used to initiate the ADS in the short term, which employs reactor vessel low water level and primary containment high pressure in coincidence, requires that the nuclear system breach be inside the drywell because of the required primary containment high pressure signal. This control arrangement is adequate in view of the automatic isolation of the reactor vessel by the primary containment and reactor vessel isolation control system for breaches outside the primary containment and because the ADS is required only if the HPCIS fails. Coincident failure of the primary containment and reactor vessel isolation control system would be needed for nuclear system breaks outside the primary containment. However, if these situations do occur, the existence of a low water level signal for an extended time period will cause initiation of the ADS without the presence of high drywell pressure. Thus safety design basis 3 is satisfied.

An evaluation of CSCS controls shows that no operator action beyond the capacity of the operator is required to initiate the correct responses of the CSCS's.

The alarms and indications provided to the operator in the control room allow interpretation of any situation requiring CSCS operations and verify the response of each system. Manual controls are illustrated on functional control diagrams. The CHAPTER 07 7.4-27 REV. 26, APRIL 2017

PBAPS UFSAR control room operator can manually initiate every essential operation of the CSCSs.

Because the degree to which safety is dependent on operator judgment and response has been appropriately limited by the design of CSCS control equipment, safety design bases 4a, 4b, and 4c are satisfied.

The redundancy provided in the design of the control equipment for the CSCSs is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the CSCSs is similar to that provided by the dual trip system arrangement of the RPS. No failure of a single initiating sensor channel can prevent the start of the cooling systems. The number of control components provided in the design for individual cooling system components are consistent with the need for the controlled equipment. An evaluation of the control schemes for each CSCS component shows that no single control failure can prevent the combined cooling systems from providing adequate core cooling. In performing this evaluation the redundancy of components and cooling systems was considered. The functional control diagrams provided with the descriptions of cooling systems were used in assessing the functional effects of instrumentation failures. In the course of the evaluation, protection devices which can interrupt the planned operation of cooling system components were investigated for the results of their normal protective action as well as maloperation on core cooling effectiveness.

The only protection devices that can act to interrupt planned CSCS operation are those that must act to prevent complete failure of the component or system. Examples of such devices are the HPCIS turbine overspeed trip, HPCIS steam line break isolation trip, pump trips on low suction pressure, and minimum flow bypass valves for pumps. In every case the action of a protective device cannot prevent other redundant cooling systems from providing adequate cooling to the core.

The locations of controls where operation of CSCSs components can be adjusted or interrupted are in areas under the surveillance of operations personnel.

The environmental capabilities of instrumentation for the CSCSs are discussed in the descriptions of the individual systems.

Components which are located inside the primary containment and which are essential to CSCS performance are designed to operate in the environment resulting from a LOCA.

CHAPTER 07 7.4-28 REV. 26, APRIL 2017

PBAPS UFSAR Special consideration has been given to the performance of reactor vessel water level and pressure sensors, pressure compensation instruments, and condensing chambers during rapid depressurization of the nuclear system. The discussion of this consideration is included in subsection 7.2, "Reactor Protection System," and is equally applicable to the instrumentation for the CSCS's.

It is concluded from the previous paragraphs and the description of control equipment that safety design basis 5 is satisfied. The testing capabilities of the CSCSs, which are discussed in the following section, satisfy safety design basis 6.

7.4.5 Inspection and Testing Components required for HPCI, LPCI, and core spray are designed to allow functional testing during normal power operation. Overall testing of these systems is described in Section 6.0, "Core Standby Cooling Systems." During overall functional tests the operability of the valves, pumps, turbines, and their control instrumentation can be checked. The ADS relief valves are subjected to tests during shutdown periods.

Logic circuitry used in the controls for the CSCS's can be individually checked by applying test or calibration signals to the sensors and observing trip system responses. Valve and pump operation from manual switches verifies the ability of breakers and valve closing mechanisms to operate. Normal lineup of the CSCS's is restored following a LOCA if the testing was a pump, valve and flow test. If a LOCA occurred while conducting a logic test, the division of the system under test would remain disabled, the other division of the system would operate normally.

CHAPTER 07 7.4-29 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.4.1 HIGH PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS HPCI Function Instrument Type Range(required) Accuracy(a) Trip Setting(b)

Reactor vessel high water level Level transmitter 0-225 in H20 +/-3.5% 593 in turbine trip and pressure com- above vessel zero pensation instrument Turbine exhaust high pressure Pressure switch 0-200 psig +/-1% 150 psig HPCIS pump high suction pressure Pressure switch 10-75 psig +/-2% 70 psig HPCIS pump low suction pressure Pressure switch 0-30 in HG vac +/-2% 15 in HG vac Reactor vessel low water level Level transmitter 0-215 in H20 +/-3.5% 472 in and pressure com- above vessel zero pensation instrument Primary containment (drywell) Pressure transmitter 0-25 psig +/-1% 2.5 psig high pressure and indicating trip unit HPCIS steam supply low pressure Pressure switch 0-1500 psig +/-2% 50 psig Condensate storage tank low level Level switch -2 in to 0 5% 60 in above to 2 in H2O bottom of tank HPCIS flow (for discharge bypass) Flow switch N/A +/-5% High - 1,290 gpm Low - 500 gpm Suppression pool high water level Level switch N/A for these +/-1/4" 16'-6.5" above devices torus invert Turbine overspeed Centrifugal device N/A +/-100 rpm 5,000 rpm Steam line high differential Pressure switch -300 in to +/-5% 278 in WC pressure +300 in H20 Steam leak detection high temperature RTD and Trip Unit 50 - 350 F +/-2% 220 F (a) Instruments for this service have accuracy within this range over the actually purchased full scale.

(b) The values given here have been used in the setpoint analysis; however, the allowable values are listed in the Technical Specifications.

CHAPTER 07 7.4-30 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.4.2 AUTOMATIC DEPRESSURIZATION SYSTEM INSTRUMENT SPECIFICATIONS System Function Instrument Type Normal Range(required) Accuracy(1) Trip Setting(2)

Reactor vessel low water level(3) Level transmitter 0-225 in H20 +/-3.5% 366.3 in above and pressure com- vessel zero pensation instrument Primary containment (drywell) Pressure transmitter 0-5 psig +/-1% 2.5 psig high pressure(3) and indicating trip unit ADS actuation timer(3) Timer 0-180 sec --- 120 sec ADS bypass timer(3) Timer 1-30 min +/-5% 12 min Relief valve leakage Temperature switch 0-600 F +/-1% 200 F LPCI pump discharge pressure(3) Pressure switch 0-450 psig +/-2% 66.55 psig Core spray pump discharge Pressure switch 0-500 psig +/-1% 201.55 psig pressure(3)

Confirmatory low reactor vessel(3) Level transmitter 0-60 in H20 +/-3.5% 529 in above water level and indicating trip vessel zero unit (1) Instruments for this service have accuracy within this range over the actually purchased full scale.

(2) The values given here have been used in the setpoint analysis; however, these are not the instrument setpoints. The setpoints are in the Improved Instrument Setpoint Control Program (IISCP), and the allowable values except relief valve leakage are listed in the Technical Specifications.

(3) Incident detection circuitry instrumentation.

CHAPTER 07 7.4-31 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.4.3 CORE SPRAY SYSTEM INSTRUMENT SPECIFICATIONS Core Spray Function Instrument Type Range(required) Accuracy(1) Trip Setting(2)

Reactor vessel low water Level transmitter 0-225 in H2O +/-3.5% 366.3 in level (3) and pressure com- above vessel zero pensation instrument Primary containment high Pressure transmitter 0-5 psig +/-1% 2.5 psig pressure(3) and indicating trip unit Reactor vessel low pressure Pressure transmitter 0-1,200 psig +/-1% 400 psig and pressure com-pensation instrument Core spray sparger high Differential -10 to +10 psid +/-1.0% 0.5 psid differential pressure pressure switch Pump discharge flow Flow indicator 0-8,000 gpm +/-10% ---

Pump suction pressure Pressure indicator 0-10 psig +/-1% ---

Pump discharge pressure Pressure indicator 0-500 psig +/-2% ---

Pump discharge flow Flow switch 450-900 ft w.c. 846/864 ft w.c.

CS sequence delay (Pump A)* Timer --- +/-7% 13 seconds CS sequence delay (Pump B)* Timer --- +/-7% 23 seconds CS sequence delay (Pump C)* Timer --- +/-7% 13 seconds CS sequence delay (Pump D)* Timer --- +/-7% 23 seconds (1) Instruments for this service have accuracy within this range over the actually purchased full scale (2) The values given here have been used in the setpoint analysis; however, the allowable values are listed in the Technical Specifications.

(3) Incident detection circuitry instrumentation.

  • Offsite power available CHAPTER 07 7.4-32 REV. 22, APRIL 2009

PBAPS UFSAR TABLE 7.4.4 LOW-PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS LPCI Function Instrument Type Range (required) Accuracy(1) Trip Setting(2)

Reactor vessel low water level(3) Level transmitter 0-225 in H2O +/-3.5% 366.3 in above (LPCI pump start signal) and pressure com- vessel zero pensation instrument Primary containment (drywell) Pressure transmitter 0-5 psig +/-1% 2.5 psig high pressure (LPCI initiation)(3) and indicating trip unit Reactor vessel low water level Level transmitter 0-400 in H2O +/-5% 309 in above vessel (inside shroud) and pressure com- zero (2/3 core height) pensation instrument LPCI sequence delay (pump A)* Timer --- +/-7% 2 sec LPCI sequence delay (pump B)* Timer --- +/-7% 2 sec LPCI sequence delay (pump C)* Timer --- +/-7% 8 sec LPCI sequence delay (pump D)* Timer --- +/-7% 8 sec LPCI reactor vessel low pressure Pressure transmitter 50-1,200 psig +/-1% 400 psig and pressure com-pensation instrument LPCI reactor vessel low-pressure Pressure transmitter 0-1,200 psig +/-1% 200 psig permissive (recirculation pump and pressure com-discharge valve closing) pensation instrument LPCI valve initiation Timer 0-15 min --- 10 min signal cancellation CHAPTER 07 7.4-33 REV. 22, APRIL 2009

PBAPS UFSAR

  • Offsite power available 1 of 2 CHAPTER 07 7.4-34 REV. 22, APRIL 2009

PBAPS UFSAR PBAPS TABLE 7.4.4 (continued)

LOW-PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS LPCI Function Instrument Type Range (required) Accuracy(1) Trip Setting(2)

Containment spray valve manual Pressure transmitter 0-10 psig +/-1% 1 psig control interlock - high and indicating trip drywell pressure unit LPCI pump low flow Differential pressure 0-1,000 gpm +/-2% 336.7 psid switch (1) Instruments for this service have accuracy within this range over the actually purchased full scale.

(2) The values given here have been used in the setpoint analysis; however, the allowable values are listed in the Techinical Specifications.

(3) Incident detection circuitry instrumentation.

CHAPTER 07 7.4-35 REV. 22, APRIL 2009

PBAPS UFSAR 2 of 2 CHAPTER 07 7.4-36 REV. 22, APRIL 2009

PBAPS UFSAR 7.5 NEUTRON MONITORING SYSTEM 7.5.1 Safety Objective The safety objective of the neutron monitoring system is to detect conditions in the core that threaten the overall integrity of the fuel barrier due to excessive power generation and provide signals to the RPS, so that the release of radioactive material from the fuel barrier is limited.

7.5.2 Power Generation Objective The power generation objective of the neutron monitoring system is to provide information for the efficient, expedient operation and control of the reactor. Specifically, the neutron monitoring system detects conditions that could lead to local fuel damage and provides signals that can be used to prevent such damage, so that plant availability is not reduced.

7.5.3 Identification The neutron monitoring system consists of five major subsystems as follows:

1. Wide range neutron monitor subsystem (WRNMS).
2. Local power range monitor subsystem (LPRMS).
3. Average power range monitor subsystem (APRMS).
4. Rod block monitor subsystem (RBMS).
5. Traversing in-core probe subsystem (TIPS).

7.5.4 Wide Range Neutron Monitor Subsystem 7.5.4.1 Power Generation Design Basis

1. With all control rods fully inserted, the present irradiated fuel and neutron detectors will maintain a minimum WRNM count rate based on a graph plotting WRNM count rate versus signal-to-noise ratio contained in the Technical Specifications. In cases where the core is fully unloaded, reloading can be accomplished by using procedures which, at a minimum, will maintain this signal count to noise count and counts per second.

CHAPTER 07 7.5-1 REV. 26, APRIL 2017

PBAPS UFSAR If this cannot be achieved, new startup sources will be provided in new source holders in the reactor pressure vessel.

2. The WRNMS is designed to indicate a measurable increase in output signal from at least one detecting channel before the reactor period is less than 20 sec during the worst possible startup rod withdrawal conditions.
3. The WRNMS is designed to indicate substantial increases in output signals with the maximum permitted number of WRNM channels out of service during normal reactor startup operations.
4. The WRNMS provides a measure of the time rate of change of the neutron flux (reactor period) for operational convenience and reactor protection.
5. The WRNMS is capable of generating a trip signal to block rod withdrawal if the WRNMS reading exceeds a preset value or if the WRNMS is not operating properly.
6. The WRNMS is designed so that overlapping neutron flux indications exist with the power range monitoring subsystems.

7.5.4.2 Safety Design Basis

1. The WRNMS is capable of generating a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate range.
2. The independence and redundancy incorporated in the design of the WRNMS is consistent with the safety design basis of the RPS.

7.5.4. Description 7.5.4.3.1 Identification The WRNMS provides neutron flux information during reactor startup and low flux level operations to the lower portion of the power range monitoring subsystems. There are eight WRNM channels each of which includes one detector that is positioned in the core.

7.5.4.3.2 Power Supply CHAPTER 07 7.5-2 REV. 26, APRIL 2017

PBAPS UFSAR Power is supplied separately from two 24 VDC sources. The supplies are split according to their use so that loss of a power supply results in loss of only one trip system of the RPS.

Conduits and physical separation isolate the power buses external to the WRNM cabinet.

7.5.4.3.3 Physical Arrangement Each detector assembly consists of a miniature fission chamber operated in the pulse counting mode and attached to a low-loss mineral insulated triaxial transmission cable (Figure 7.5.2). The sensitivity of a new WRNM detector is 2x10-3 cps/nv nominal at rated reactor temperature. The detector cable is connected underneath the reactor vessel to a triple-shielded coaxial cable.

This shielded cable carries the pulses formed to a detector preamplifier located outside the primary containment.(1)

The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. The detectors are fixed in-core and vertically positioned 1.5 ft above the reactor fuel center line (Figure 7.5.3). Wide range signal conditioning equipment is designed so that it may be used for open-core experiments.

7.5.4.3.4 Signal Conditioning The signal input from the WRNM detector via the detector preamplifier is a train whose count rate is indicative of the counting flux in the counting range and whose Mean Square Voltage is indicative of neutron flux in the MSV range.

The high voltage power supply supplies a polarizing potential for the fission counter detector.

The discriminator module removes undesired (noise) pulses from the signal received from the Detector Preamplifier. Each negative pulse received represents the detector gas ionization that results from fission product generation (desired signal pulses), alpha and beta particles, and gamma ray generation (noise pulses). Noise pulses also result from EMI effects (non-ionization events).

After passing through a bandpass filter, and upon further amplification, high and low height discrimination is applied to the signal in order to remove the noise pulses (EMI, alpha particles, beta particles, and gamma rays).

CHAPTER 07 7.5-3 REV. 26, APRIL 2017

PBAPS UFSAR Pulses which pass through the discriminator window are counted by hardware counters on the discriminator module. These counters are read to calculate an observed count rate in counts per second (CPS). The raw count rate is then filtered with a time constant which varies.

MSV Flux The neutron flux may be determined from the AC component of the voltage input from the detector. This signal is amplified by the preamplifier with a gain and is then passed into the MSV card where one of the three separate RMS converters further amplify the signal and determines the signals RMS value. Only the 150-450 KHz frequency band of the signal is considered. The RMS value is read from the output of the present on-scale RMS converter.

This voltage is then gain corrected and linearized (each RMS converter introduces some non-linearities which are determined during calibration and corrected for). The resulting RMS voltage corresponds to the RMS of the voltage output of the detector.

This RMS voltage is range limited and filtered. The neutron flux is based on the square of this RMS voltage (MSV).

The WRNM flux is calculated from the counting based flux and the MSV based flux. At low flux levels the counting based flux is more accurate than the MSV based flux, and at high flux levels the MSV flux is more accurate. An intermediate flux region exists through which both flux measurement methods are accurate. This transition region is defined based on the measured MSV flux.

Below the transition region the WRNM flux is equal to the counting based flux. Above the transition region the WRNM flux is equal to the MSV flux. Within the transition region the WRNM flux is linear interpolation of the log flux values. The percent power is proportional to WRNM flux.

Calibration and pulse discriminator features are included to enable the accuracy of internal power and all measuring circuits to be verified and the trip level of the trip circuits to be set and checked. Period generators provide a means for verifying the calibration of the system.

7.5.4.3.5 Trip Functions The WRNMS performs trip functions during shutdown and startup conditions (i.e., Reactor Mode Switch not in RUN) using fail-safe logic. The trips are shown in Table 7.5-2.

CHAPTER 07 7.5-4 REV. 26, APRIL 2017

PBAPS UFSAR The WRNMS is divided into two groups of WRNM channels arranged in the core as shown in Figure 7.5.6. Each group of WRNM channels is associated with one of the two trip systems of the RPS. Two WRNM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining channels are installed in separate bays of the cabinet. Full-length side covers on the cabinet bays isolate the WRNM groups. The arrangement of WRNM channels allows one WRNM channel in each group to be bypassed without compromising neutron monitoring startup operation.

Each WRNM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates whenever the high voltage drops below a preset level, whenever one of the modules is not plugged in, when a self test system declares a fault, or whenever the "Operate" switch is not in the OPERATE position. Each of the other trip circuits can be chosen to operate whenever present downscale or upscale levels are reached. A simplified WRNM circuit arrangement is shown in Figure 7.5.22.

The trip functions actuated by the WRNM trips are indicated in Table 7.5.2. The reactor mode switch determines whether WRNM trips are effective in initiating a rod block and a reactor scram.

Subsection 7.7, "Reactor Manual Control System," describes the WRNM rod block trips. With the reactor mode switch in REFUEL or STARTUP, an WRNM upscale period or inoperative trip signal actuates a neutron monitoring system trip of the RPS. Only one WRNM channel must trip to initiate a neutron monitoring system trip of the associated trip system of the RPS (Figure 7.2.9).

7.5.4.4 Power Generation Evaluation The locations and sensitivities of the WRNM detectors are designed to provide a count rate of at least three counts per second when all control rods are fully inserted in the reactor or a signal-to-noise ratio equal to or exceeding the curve in the Technical Specifications if the count rate is below 3 cps.

Design calculations show that if the multiplication of neutron sources in one section of the core is increased to the extent necessary to put that section of the reactor on a 20-sec period, the nearest WRNM chamber shows an increase in count rate; in general, at least one detector indicates the change in multiplication.

Normal startup procedures require specific rod withdrawal patterns that ensure that the withdrawn control rods are distributed about CHAPTER 07 7.5-5 REV. 26, APRIL 2017

PBAPS UFSAR the core so that the multiplication in no one section of the core exceeds the average by a large amount; hence, each WRNM chamber can respond to some degree as the initial rod withdrawal is accomplished. Current design indicates that a scattered rod withdrawal of approximately one-fourth of all control rods is required to reach criticality.

The WRNMS is the primary source of information on the approach of the reactor to the power range. Its period trips with the rod blocking features require that the operator corrects an increase in core reactivity by rod motion. The sensitivity of the WRNM is such that the WRNM is on scale over the entire range to a reactor power up to 100 percent.

CHAPTER 07 7.5-6 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.4.5 Safety Evaluation The safety evaluation in subsection 7.2, "Reactor Protection System," evaluates the arrangement of the redundant input signals to the RPS. The neutron monitoring system trip input to the RPS and the trip channels used in actuating a neutron monitoring system trip are of equivalent independence and redundancy to other RPS inputs.

The number and locations of the WRNM detectors have been analytically and experimentally determined to provide sufficient startup (wide) range flux level information under the worst permitted bypass and detector failure conditions. For verification of this, a range of rod withdrawal accidents has been analyzed. The most severe case assumes the reactor is critical and operating in the startup range, a single out of sequence rod is inadvertently selected and withdrawn at maximum drive speed and RWM Rod Block fails. A scram signal is initiated when one WRNM detector in each RPS trip system reaches its scram trip level.

The WRNM scram trips are automatically bypassed when the reactor mode switch is in the RUN position and the APRM's are on scale.

The WRNM rod block trips are automatically bypassed when the reactor mode switch is in the RUN position.

The WRNM detectors and electronics have been tested under operating conditions and verified to have the stated operational characteristics and as such provide the level of precision and reliability required by the RPS safety design bases.

Further analysis is presented in GE documents NEDE-24011-P, "Generic Reload Fuel Application Licensing Topical Report,"

Appendix A of NEDE-24011 and NEDE-24000. The WRNMS performs all the functions previously performed by the IRMS.

7.5.4.6 Inspection and Testing Each WRNM channel is tested and calibrated using the procedures in the WRNM instruction manual. All calibration functions are semi-automatic or automatic with manual verification. Each of the various WRNM channels can be checked to ensure that the WRNM short period scram and rod block functions are operable.

7.5.5 DELETED CHAPTER 07 7.5-7 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.6 Local Power Range Monitor Subsystem 7.5.6.1 Power Generation Design Basis

1. The LPRMS provides signals proportional to the local neutron flux at various locations within the reactor core to the APRMS, so that accurate measurements of average reactor power can be made.
2. The LPRMS supplies signals to the RBMS, so that measurement of changes in local relative neutron flux can be made during the movement of control rods.
3. The LPRMS is capable of alarming under conditions of high or low local neutron flux indication.
4. The LPRMS supplies signals proportional to the local neutron flux to the process computer (PMS) to be used in power distribution calculations, local heat flux calculations, minimum critical heat flux calculations, and fuel burnup calculations.
5. The LPRMS supplies signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of the power distribution, local heat flux, minimum critical heat flux, and fuel burnup.

7.5.6.2 Description 7.5.6.2.1 Identification The LPRMS consists of the fission chamber detectors, the signal conditioning equipment, and trip functions (Drawing M-1-T-20, Sheets 3 and 4). The LPRM signals are also used in the APRMS, RBMS, and process computer (PMS).

7.5.6.2.2 Power Supply Detector polarizing voltage for the LPRMs is supplied by eight pairs of redundant DC power supplies, adjustable from 75 to 200 VDC. Each DC power supply pair powers approximately one-eighth of the LPRMs. Power for the DC power supplies comes redundantly from the two 120 VAC Reactor Protection System buses via intermediate DC power supplies. These intermediate DC supplies also provide power for the LPRM amplifier cards. The redundant power supply in the power supply pair allows for on-line detector current-voltage CHAPTER 07 7.5-8 REV. 26, APRIL 2017

PBAPS UFSAR testing without interrupting the polarizing voltage to the remaining detectors not undergoing testing. In the event that the primary power supply fails, the redundant supply will take over normal detection polarizing functions.

The 75-200 VDC power supplies can supply up to 3 milliamperes for each LPRM detector which ensures that the chambers can be operated in the saturated region at the maximum specified neutron flux.

The voltage applied to the detectors varies no more than 2 VDC over the maximum variation of electrical input and environmental parameters.

7.5.6.2.3 Physical Arrangement The LPRMS includes LPRM detectors located throughout the core at different axial heights. Figure 7.5.6 illustrates the LPRM detector radial layout scheme which provides a detector assembly at every fourth intersection of the narrower of the water channels around the fuel bundles (narrow-narrow water gap). Thus, every narrow-narrow water gap has either an actual detector assembly or a symmetrically equivalent assembly in some other quadrant.

The 43 LPRM detector assemblies, each containing four fission chambers, are distributed to monitor four horizontal planes throughout the core. The detector assemblies (Figure 7.5.9) are inserted into the core in spaces between the fuel assemblies through thimbles which are mounted permanently at the bottom of the core lattice and which penetrate the bottom of the reactor vessel. These thimbles are welded to the reactor vessel at the penetration point. They extend down into the access area below the reactor vessel where they terminate in a flange which mates to the mounting flange on the incore detector assembly. The detector assemblies are locked at the top end to the top fuel guide by means of a spring-loaded plunger. This type of assembly is referred to as top entry-bottom connect, since the assembly is inserted through the top of the core and penetrates the bottom of the reactor vessel. Special water sealing caps are placed over the connection end of the assembly and over the penetration at the bottom of the vessel during installation or removal of an assembly. This prevents the loss of reactor coolant water upon removal of an assembly and also prevents the connection end of the assembly from being immersed in the water during installation or removal.

Each LPRM detector assembly contains four miniature fission chambers with an associated solid sheath cable. Each fission chamber produces a current which when coupled with the LPRM signal CHAPTER 07 7.5-9 REV. 26, APRIL 2017

PBAPS UFSAR conditioning equipment provides the desired scale deflection throughout the design lifetime of the chamber. Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit.

Each assembly also contains a calibration tube for a TIP. The enclosing tube around the entire assembly contains holes evenly spaced along its length. These holes allow circulation of the reactor coolant water to cool the fission chambers. Numerous tests have been performed on the chamber assemblies including tests of linearity, lifetime, gamma sensitivity, and cable effects.(1) These tests and experience in operating reactors provide confidence in the ability of the LPRMS to monitor neutron flux to the design accuracy throughout the design lifetime.

The four miniature fission chambers used on each assembly are designed to operate up to a temperature of 599F and a pressure of 1,250 psig. The chambers are vertically spaced in the LPRM detector assemblies in such a manner as to give adequate axial coverage of the core, complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies. Each miniature chamber consists of two concentric cylinders, which act as electrodes. The inner cylinder, the collector, is mounted on insulators and is separated from the outer cylinder by a small air gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium coated outer electrode. The chamber has at the beginning of operation, a sensitivity of approximately 2.15 x 10-17 amps/nv and is operated at a polarizing potential of approximately 100 V.

The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all ions produced in the ion chamber can be collected if the polarizing voltage is high enough.

When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage and has a linearity of approximately 1 percent over the design operating range.

7.5.6.2.4 Signal Conditioning The current signals from the LPRM detectors are transmitted to the LPRM amplifier modules within the control room electronics drawers. Amplifiers are arranged with up to five on an LPRM Input Module mounted in the APRM/LPRM chassis assembly. The current signal from a chamber is transmitted directly to its amplifier through coaxial cable. The amplifier is a linear current to voltage amplifier whose voltage output is proportional to the current input and therefore is proportional to the magnitude of the neutron flux. The amplifier output is digitized CHAPTER 07 7.5-10 REV. 26, APRIL 2017

PBAPS UFSAR and sent to the digital processing electronics. The digital electronics apply hardware gain corrections, perform filtering, and apply the LPRM gain factors. The digital electronics provide suitable output signals for the computer, recorders, annunciators, etc. The LPRM amplifiers also isolate the detector signals from the rest of the processing so that individual faults in one LPRM signal path will not affect other LPRM signal.

The LPRM signals can be read by the operator on the reactor console on either the APRM Operator Display Assemblies (ODAs) or the RBM ODAs. LPRM readings can be read on the APRM ODAs by selecting summary LPRM displays. When the control rod is selected for movement, LPRM readings can be read on the RBM ODAs for the 16 LPRM detectors nearest to the selected rod (see Figure 7.5.13).

Subsection 7.7, "Reactor Manual Control System," describes in greater detail the indications on the reactor console associated with the selected control rod.

7.5.6.2.5 Trip Functions The trip functions for the LPRMs provide trip signals to activate displays and annunciators. Table 7.5.3 indicates the trips.

The trip levels can be adjusted to within +/-0.1 percent of full-scale deflection and are accurate to +/-1 percent of full-scale deflection in the normal operating environment.

7.5.6.3 Power Generation Evaluation The LPRMS, as calibrated by the TIPS, provides detailed information about the neutron flux throughout the reactor core.

The total of 43 LPRM assemblies and their distribution is determined by extensive calculational and experimental procedures.

Individual failed chambers can be bypassed, and neutron flux information for a failed chamber location can be interpolated from nearby chambers. A substitute reading for a failed chamber can be derived from an octant-symmetric chamber, or an actual flux indication can be obtained by insertion of a TIP to the failed chamber position. The LPRM outputs provide for the functions required in the LPRM power generation design basis. Each output is electrically isolated so that an event (grounding the signal or applying a stray voltage) on the reception end does not destroy the validity of any other LPRM signal. Test and experience(1) attest to the ability of the detector to respond proportionally to the local neutron flux changes.

7.5.6.4 Inspection and Testing CHAPTER 07 7.5-11 REV. 26, APRIL 2017

PBAPS UFSAR LPRM channels are calibrated using data from previous full power runs and TIP data and are tested by procedures in the applicable instruction manual. The uncertainty value for the LPRM update uncertainty will be twice the value specified in the methodology contained in General Electric Licensing Topical Report NEDC-32694P-A, dated August 1999.

7.5.7 Average Power Range Monitor Subsystem 7.5.7.1 Safety Design Basis

1. The design of the APRMS is such that for the worst permitted input LPRM bypass conditions, the APRMS is capable of generating a scram trip signal in response to average neutron flux increases resulting from abnormal operational transients in time to prevent fuel damage.

The APRMS design also includes an OPRM upscale function that generates a trip signal upon detection of thermal-hydraulic instabilities.

2. The design of the APRMS is consistent with the requirements of the safety design basis of the RPS.

7.5.7.2 Power Generation Design Basis

1. The APRMS provides a continuous indication of average reactor power from a few percent to 125 percent of rated reactor power.
2. The APRMS is capable of providing trip signals for blocking rod withdrawal when the average reactor power exceeds pre-established limits.
3. The APRMS provides a reference power level for use in the RBMS.

7.5.7.3 Description 7.5.7.3.1 Identification The APRM System has four APRM channels, each of which uses input signals from 43 LPRM detectors. Each of the four APRM channels provides input to four two-out-of-four voter channels. Each voter channel is assigned to a specific RPS trip channel (i.e., A1, A2, B1, B2). Therefore, each APRM channel contributes to all four RPS channels.

CHAPTER 07 7.5-12 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.7.3.2 Power Supply The APRM channels receive power redundantly from the 120-V AC supplies used for the RPS power.

Each APRM two-out-of-four voter channel receives power from the same 120 V AC power as the Reactor Protection System trip system with which it is associated.

7.5.7.3.3 Signal Conditioning The APRM channel uses digital electronic equipment which averages the output signal from a selected set of LPRMs, generates trip outputs via the two-out-of-four voter channels (see Section 7.5.7.3.4), and provides signals to readout equipment. Each APRM channel can average the output signals from up to 43 LPRM channels. Assignment of LPRM channels to an APRM is shown in Table 1A and 1B on Drawing M-1-T-20, Sheets 3 and 4 with the distribution through the core shown in Figure 7.5.10. The letters at the detector locations in Drawing M-1-T-20, Sheets 3 and 4 refer to the axial positions of the detectors in the LPRM detector assembly. Position A is the bottom position, positions B and C are above position A, and position D is the topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions throughout the core. Some LPRM detectors may be bypassed, but the averaging logic automatically corrects for these by removing them from the average. The APRM value calculated from the LPRM inputs is adjusted by a digitally entered gain factor to allow calibration of the APRM to a heat balance.

Each APRM channel calculates a flow signal which is used to determine the APRMs flow-biased STP rod block and scram setpoints (see Drawing M-1-T-20, Sheets 3 and 4). The flow signal is also used to determine the trip-arming region associated with the Oscillation Power Range Monitor function. Each signal is determined by summing the flow signals from the two-recirculation loops. These signals are sensed from two flow elements, one in each recirculation loop (see Drawing M-352). The differential pressure from each flow element is routed to four different pressure transducers (eight total). The signals from two differential pressure transducers, one from each flow element, are routed to two inputs to each APRM digital electronics. Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale Function that monitors small groups of LPRM signals to detect thermal-hydraulic instabilities. The OPRM Upscale Function CHAPTER 07 7.5-13 REV. 26, APRIL 2017

PBAPS UFSAR receives input signals from small groups of LPRMs within the reactor core. The groups of LPRMs are combined into cells for evaluation by the OPRM algorithms.

All APRM channels are powered redundantly, via interpost low voltage DC power supplies, from both the A and B Reactor Protection System 120 Vac power buses. The LPRM signal processing equipment is powered by the same sources as their associated APRM channels.

7.5.7.3.4 Trip Function The digital electronics for each APRM channel provide trip signals to the Reactor Protection System (RPS) via the APRM two-out-of-four voter channels and directly to the Reactor Manual Control System via APRM interface hardware. Any two unbypassed APRM channels, via the APRM two-out-of-four voter channels, can initiate an RPS trip in both RPS trip systems. Any one unbypassed APRM can initiate a rod block. Table 7.5.4 lists the APRM trip functions. Subsection 7.7, Reactor Manual Control System, describes in more detail the APRM rod block functions.

In the run mode of operation the APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slope of the upscale rod block and scram trip response curves is set to track the required trip setpoint with recirculation flow changes.

An OPRM Upscale trip is issued from an OPRM channel when the Confirmation Density Algorithm (CDA) in that channel detects oscillatory changes in the neutron flux as indicated by periodic confirmations and amplitude exceeding the specified setpoints for a specified number of OPRM cells in the channel. The CDA is credited in the Licensing Analysis for OPRM. An OPRM Upscale trip is also issued from the channel if any of the DIDA (PBDA, ABA, GRA) exceed their trip condition for one or more cells in that channel. The PBDA, GRA and ABA are not credited in the Licensing Analysis for the OPRM and are provided for defense-in-depth only. The OPRM upscale trip output is automatically enabled (not-bypassed) when its associated APRM STP is above the OPRM auto-enable power setpoint and its associated recirculation flow is below the OPRM autoenable setpoint. The OPRM upscale trip output is automatically bypassed when the STP and recirculation flow are not within the OPRM trip enable region.

If OPRM is not operable, Backup Stability Protection (BSP) is required. The BSP consists of three options, which include the CHAPTER 07 7.5-14 REV. 26, APRIL 2017

PBAPS UFSAR BSP Boundary, BSP Manual Regions, and an Automatic BSP Scram.

The BSP Boundary defines the operating domain where potential instability events can be effectively addressed by the specified BSP manual operator actions. The Manual BSP Regions are procedurally controlled and require specified operator actions if predefined operational conditions occur. The Automated BSP Scram Region is designed to avoid reactor instability by automatically preventing entry into the region of the power and flow operating map that is susceptible to reactor instability.

Backup Stability Protection is a temporary means to protect against thermal-hydraulic instability if the OPRM is not operable.

At least two unbypassed APRM channels must be in the APRM upscale or inoperative trip state to cause an ARRM/INOP UPSCALE RPS trip output from the APRM two-out-of-four voter channels. Similarly, at least two unbypassed APRM channels must be in the OPRM upscale state to cause an OPRM RPS trip output from the APRM two-out-of-four voter channels. In either of these conditions, all four voter channels will provide an RPS trip output, two to each RPS trip system. If only one unbypassed APRM channel is providing a trip output, each of the four APRM two-out-of-four voter channels will have a half-trip, but no trip signals will be sent to the RPS (see Figure 7.2.8). The APRM/INOP and OPRM trips are voted independently. The Trips from one APRM can be bypassed by operator action in the control room, which bypasses both the APRM/INOP and OPRM trips from that APRM channel. Trip outputs to the RPS are transmitted by removing voltage to the associated RPS relay coil, so loss of power results in actuating the RPS trips.

A simplified APRM/RPS interface circuit arrangement is shown in Figure 7.2.8.

In the startup mode of operation, the APRM fixed upscale trip setpoint is set down to a low level. This trip function is provided in addition to the existing WRNM period upscale trip in the startup mode. The trip settings are listed in Table 7.5.4.

The trip functions are performed by digital comparisons in APRM electronics. The APRM flux value is developed by averaging the LPRM signals and then adjusting the average to develop an APRM power value. The APRM power is processed through a first order filter with a six second time constant to calculate a simulated thermal power that reflects the heat transfer characteristics in the core. These calculations are all performed by the digital processor and result in a digital representation of APRM and simulated thermal power. For each RPS trip and rod block alarm, the APRM power or simulated thermal power, as applicable, is CHAPTER 07 7.5-15 REV. 26, APRIL 2017

PBAPS UFSAR digitally compared to the setpoint (which was previously entered and stored). If the power value exceeds the setpoint, the applicable trip is issued.

7.5.7.4 Safety Evaluation Each APRM derives its signal from information obtained from the LPRMS. The assignment, power separation, cabinet separation, and the LPRM signal isolation are in accord with the safety design basis of the RPS. There are four APRM/OPRM channels with the Reactor Protection System trip outputs from each routed to each of four APRM two-out-of-four voter channels. Two voter channels are associated with each Reactor Protection System trip system. This configuration allows one APRM/OPRM channel to be bypassed plus one APRM/OPRM channel failure while still meeting the Reactor Protection System safety design basis.

Above a plant power level defined by Technical Specifications, the ARPM power (and simulated thermal power) are adjusted periodically based on heat balance to match true reactor power. This adjustment is made regularly at a rate sufficient to compensate for LPRM burnup and the related change in APRM values. However, coolant flow changes, control rod movements, and failed or bypassed LPRM inputs can also affect the relationship between APRM measured flux and true reactor power. These predictable APRM variations are included in the analysis performed to determine the minimum number of LPRM inputs required to be operable in order for the APRM channel to be operable. The analysis is performed, considering worst case combinations of failed LPRM inputs, at rated conditions by assuming both continuous withdrawal of the maximum worth control rod and reduction of recirculation flow to 40% of rated Flow. The minimum number of LPRM inputs for an APRM is determined such that the average of the remaining operable LPRM inputs still allows the APRM to track power excursions within the acceptance criteria assumed in plant safety analyses. If the number of operable LPRMs is less than the required minimum, the APRM channel is declared inoperable.

There is also a minimum cells requirement applied to the OPRM upscale function. The minimum number of OPRM cells per APRM channel is established to ensure that thermal-hydraulic instabilities are detected within the limits of the OPRM licensing methodology. If the number of cells is less than the required minimum, the OPRM channel is declared inoperable.

The adequacy of the flow reference and APRM scram set point is demonstrated to be adequate in preventing fuel damage as a result CHAPTER 07 7.5-16 REV. 26, APRIL 2017

PBAPS UFSAR of abnormal operational transients by the analyses in Section 14.0, "Plant Safety Analysis."

7.5.7.5 Power Generation Evaluation The APRMS provides the operator with four continuous recordings of the APRM average flux. The rod blocking function prevents operation above the region defined by the design power response to recirculation flow control. The flow signal used to vary the rod block level is supplied from the recirculation system flow function within the APRM instrumentation. Two flow signal comparators within the RBM instrumentation monitor the four total flow signals and initiate an alarm if the four total flow signals are not in agreement. Because any one of the APRM's can initiate a rod block, this function has a high level of redundancy and satisfies the power generation design basis. Any one APRM channel may be bypassed. In addition, a minimum number of LPRM inputs -

20 total and 3 per each axial level - are required for each APRM channel to be operative. If the number is less than this, an automatic Trouble alarm and rod block are generated. Each OPRM channel processes up to 33 cells of LPRMs with each cell comprised of 3 or 4 LPRMs. A minimum of 25 OPRM cells must be operative with at least 2 LPRMs per cell. If the number of cells is less than this, an automatic Trouble alarm is generated.

7.5.7.6 Inspection and Testing APRM channels are calibrated using a heat balance calculated by the plant process computer and are tested by procedures in the applicable instruction manual. Each APRM channel and APRM voter channel can be individually tested for the operability of the APRM scram and rod blocking functions by introducing test signals.

7.5.8 Rod Block Monitor Subsystem 7.5.8.1 Power Generation Design Basis

1. The RBMS is designed to prevent local fuel damage as a result of a single rod withdrawal error under the worst permitted condition of RBM bypass.
2. The RBMS provides a signal to permit operator evaluation of the change in the local relative power level during control rod movement.

7.5.8.2 Description CHAPTER 07 7.5-17 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.8.2.1 Identification The RBMS has two RBM channels, each of which uses input signals from a number of LPRM channels. A trip signal from either RBM channel can initiate a rod block. One RBM channel may be bypassed without loss of subsystem function. The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is 4 when using 4 LPRM assemblies, 3 when using 3 LPRM assemblies and 2 when using 2 LPRM assemblies (Figure 7.5.13).

7.5.8.2.2 Power Supply The RBMS power is received redundantly from the 120-V AC supplies used for the RPS.

7.5.8.2.3 Signal Conditioning The RBM signal is generated by averaging a set of LPRM signals.

The LPRM signals used depend on the control rod selected. Upon selection of a rod for withdrawal or insertion, the conditioned signals from the LPRMs around that rod will be automatically selected by the two RBM channels (Figure 7.5.13 shows examples of the four possible LPRM/selected rod assignment combinations). For a typical non-edge rod, each RBM channel averages LPRM inputs from two of the four B-level and D-level detectors, and all four of the C-level detectors (see Figure 7.5.13). A-level LPRM detectors are not included in the RBM averages, but are displayed to the operator. When a rod near, but not at, the edge of the core is selected, where there are fewer than four but at least two LPRM strings around the rod, the number of detectors used by the RBM channels is either six or four depending on how many LPRM strings are available. If a detector has been bypassed in the LPRM system, that detector is automatically deleted from the RBM processing and the averaging logic is adjusted to average only the remaining detectors.

After selection of a control rod, each RBM channel calculates the average of the related LPRM detectors and calculates a gain factor that will adjust the average to 100. Thereafter, until another rod is selected, the gain factor is applied to the LPRM average to obtain the RBM signal value. The RBM signal value is compared to RBM trip setpoints (see 7.5.8.2.4).

When a peripheral rod is selected, or if the APRM STP value from the RBMs associated APRM is below the automatic bypass level (approximately 30% power), the RBM function is automatically CHAPTER 07 7.5-18 REV. 26, APRIL 2017

PBAPS UFSAR bypassed, the rod block outputs are set to permissive, and the RBM average is set to zero.

7.5.8.2.4 Trip Function The RBM supplies a trip signal to the Reactor Manual Control System to inhibit control rod withdrawal. The trip is set whenever the RBM signal value exceeds the RBM setpoint. There are three different setpoints, each a percentage above the RBM initial value of 100. The particular setpoint that is applied is selected based on the simulated thermal power value from the RBMs associated APRM channel (an alternate APRM channel is assigned and is automatically used for inputs if the primary APRM channel is bypassed or inoperative). Higher APRM simulated thermal power values select a lower setpoint. That is, at higher power levels, the percentage increase in the RBM value allowed is less than at lower power levels.

Either RBM channel can prevent rod movement. One of the two RBMs can be bypassed by the operator.

7.5.8.3 Power Generation Evaluation Motion of a control rod causes the LPRMs adjacent to the control rod to respond strongly to the change in power in the region the rod is in motion. However, the RBM trip setpoints have been determined in NEDC-32162P to assure that the RBM will adequately protect the reactor fuel and maintain adequate margin in the operating MCPR during the Rod Withdrawal Error transients by blocking control rod withdrawal, but not over-restricting the RBM system performance. The RBM setpoints are also valid for peripheral cells with less than four LPRM strings. The RBM cells near the core peripheral may have one, two, or three LPRM strings.

In some peripheral cases, the responses are actually improved because the missing strings are the weaker signal inputs in a standard RBM cell.

7.5.8.4 Inspection and Testing The RBM channels are tested and calibrated by procedures given in the applicable instruction manuals. The RBM's are functionally tested by introducing test signals into the RBM channels.

7.5.9 Traversing In-Core Probe Subsystem 7.5.9.1 Power Generation Design Basis CHAPTER 07 7.5-19 REV. 26, APRIL 2017

PBAPS UFSAR

1. The TIPS is capable of providing a signal proportional to the axial neutron flux distribution at selected small axial intervals over the regions of the core where LPRM detector assemblies are located. This signal is of high precision to allow reliable calibration of LPRM gains.
2. The TIPS provides accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial neutron flux distribution.

7.5.9.2 Description 7.5.9.2.1 Identification The TIPS includes three TIP machines, each of which has the following components:

1. One TIP detector.
2. One Drive mechanism.
3. Two Indexing mechanisms.
4. Up to 15 in-core guide tubes.
5. One chamber shield.

The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated fifteen-path indexer.

7.5.9.2.2 Physical Arrangement A TIP drive mechanism uses a gamma sensitive detector attached to a flexible drive cable, which is driven from outside the primary containment by a gearbox assembly. The flexible cable is contained by guide tubes that continue into the reactor core. The guide tubes are a part of the LPRM detector assembly and are specially prepared to provide a durable low friction surface. The 6-path indexing mechanism allows the use of a single detector in any of the different tube paths. The fifteenth tube of the fifteen path indexer is used for TIP cross calibration with the other TIP machines. The control system provides both manual and automatic operation. The TIP signal is amplified and displayed.

CHAPTER 07 7.5-20 REV. 26, APRIL 2017

PBAPS UFSAR Core position versus neutron flux is recorded in the main control room.

The heart of each TIP machine is the probe (Figure 7.5.18),

consisting of a detector and the associated signal drive cable.

The gamma sensitive detector is .211 in. in diameter and 1.0 in.

in active length. The body of the detector is made of stainless steel and its inner electrodes are made of titanium. Sensitivity of the detector is approximately 3 x 10-14 amp/R/hr. The gamma TIP detector operates in an order of magnitude of the gamma flux level value 2.8 x 109 R/hr. The TIP system is scaled depending upon various factors within the core. The detector saturation voltage is approximately 150 V dc(1).

The signal current from the detector is transmitted from the TIP-to-TIP control system by means of a triaxial signal cable, which is an integral part of the mechanical drive cable. The outer sheath of the drive cable is constructed of carbon steel in a helix array. The cable drive mechanism engages this helix to effect movement in and out of the guide tubes. The inner surface of the guide tubing between the reactor vessel and the drive mechanism is coated with a ceramic bonded lubricant to reduce friction. Within the reactor vessel the guide tubing inner surface is nitrided.

The cable drive mechanism contains the drive motor, the cable takeup reel, and a resolver position transducer to provide the control unit with positioning data for the TIP at all locations along the guide tube.

The drive mechanism inserts and withdraws the TIP and its cable from the reactor and provides detector position indication signals. The drive mechanism consists of a motor and drive gear box which drives the cable in the manner of a rack and pinion. A two-speed motor is used providing a high speed for insertion and withdrawal (108 fpm) and a low speed for scanning the reactor core (18 fpm).

A takeup reel is included in the cable drive mechanism to coil the drive cable as it is withdrawn from the reactor. The drive unit takeup reel uses slip rings to connect the TIP detector and its cable to the signal cable from the amplifier.

The resolver is attached to the same drift shaft as the drive wheel. For each degree of rotation of the drive wheel the detector moves a known distance. The TIP console sends a reference AC sine wave to the resolver. The feedback signals from CHAPTER 07 7.5-21 REV. 26, APRIL 2017

PBAPS UFSAR the resolver's stator windings are used to determine detector speed, detector direction of travel, and distance the detector has travelled. The TIPS console circuitry converts the signals to position signal.

The Withdraw Limit Switch (WLS) is a position limit switch that provides an electrical interlock permissive to allow the 6-path indexing mechanism to rotate when the detector is behind the WLS.

The Transfer Insertion Switch (TIS) is a position limit switch that provides an electrical interlock permissive to allow the 15-path indexing mechanism to rotate to the next guide tube when the detector is behind the TIS. The cable drive motor includes an AC voltage-operated brake to prevent coasting of the TIP after a desired in-core position is reached. When the system is not in use, the detector probe is completely withdrawn to a position in the center of the chamber shield.

The TIP system uses the resolver signals to determine detector position. The detector stops on withdraw when the detector position signal equals the software position stored in the TIP system for the shield location. In the event the system fails or is used in the MANUAL Withdraw mode, a position limit switch named "Safety Limit Switch" (SLS) prevents farther withdraw. The SLS interlocks with the power to the drive mechanism. This position limit switch is used to prevent overtravel and resulting high radiation outside the TIP room.

The indexing mechanism is actuated by a motor-operated rotating drive. Electrical interlocks prevent the indexing mechanism from changing positions until the probe cable has been completely retracted beyond the transfer point. Additional electrical interlocks prevent the cable drive motor from moving the cable until the transfer mechanism has indexed to the pre-selected guide tube location (Drawing M-1-CC-23, Sheet 14).

A valve system is provided with a valve on each guide tube entering the primary containment. These valves are closed except when the TIPS is in operation. A ball valve and a cable shearing valve are mounted in the guide tubing just outside the primary containment. They prevent the loss of reactor coolant in the event a guide tube ruptures inside the reactor vessel. A valve is also provided for a nitrogen gas purge line to the indexing mechanisms. A guide tube ball valve opens only when the TIP is being inserted. The shear valve is used only if a leak occurs when the TIP is beyond the ball valve and power to the TIPS fails.

The shear valve, which is controlled by a manually operated keylock switch, can cut the cable and close off the guide tube.

CHAPTER 07 7.5-22 REV. 26, APRIL 2017

PBAPS UFSAR The shear valves are actuated by detonation squibs. The continuity of the squib circuits is monitored by indicator lights in the control room.

A guide tube ball valve is normally deenergized and in the closed position. When the TIP starts forward, the valve is energized and opens. As it opens, it actuates a set of contacts which give a signal light indication at the TIPS control panel. The TIP return automatically stops TIP motion if the ball valve does not open on command (Drawing M-1-CC-23, Sheet 14).

When a containment isolation signal is received by the TIP system while in a computerized traverse, the TIP detectors will automatically withdraw and the ball valves close. If the containment isolation signal is received during a MANUAL mode operation, only the ball valve closes. In "MANUAL" mode the TIP probe can be withdrawn and the penetration isolated via the ball valve upon indication of a PCIS isolation. If the probe cannot be withdrawn, the manually operated shear valves are available to isolate the penetration. The system design complies with Reg Guide 1.11, and thus GDS 56. The "MANUAL" mode of operation is used infrequently, and can only be implemented through use of a keylock switch.

7.5.9.2.3 Signal Conditioning An output is provided for use by the process computer (PMS). The TIP output is linear to within 1.0 percent full scale for an indicated flux range of 2.8 x 1012 to 2.8 x 1014 nv. The probe and cable leakages contribute less than 1 percent of indicated reading.

7.5.9.3 Power Generation Evaluation An adequate number of TIP machines is supplied to assure that each LPRM assembly can be probed by a TIP and one LPRM assembly (the central one) can be probed by every TIP to allow intercalibration.

An LPRM calibration can be performed properly, even if the data is unavailable from some of TIP locations (up to 1/3 of the total).

The system has been field tested in an operating reactor to assure reproductivity for repetitive measurements, and the mechanical equipment has undergone life testing under simulated operating conditions to assure that all specifications can be met. The system design allows semi-automatic operation for LPRM calibration CHAPTER 07 7.5-23 REV. 26, APRIL 2017

PBAPS UFSAR and process computer (PMS) use. The TIP machines can be operated manually to allow pointwise flux mapping.

7.5.9.4 Inspection and Testing The TIPS equipment is tested and calibrated using heat balance data and procedure as described in the instruction manual.

CHAPTER 07 7.5-24 REV. 26, APRIL 2017

PBAPS UFSAR 7.5 NEUTRON MONITORING SYSTEM REFERENCE

1. Morgan, W. R., "In-Core Neutron Monitoring System for GE Boiling Water Reactors," General Electric Company, APED-5706, November 1968.
2. "Maximum Expanded Load Limit (MELLL) and ARTS Improvement Program, Peach Bottom Atomic Power Station, Units 2 and 3,"

NEDC-32162P, Revision 1, February 1993.

3. NEDC-32410P-A, Nuclear Measurements Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.
4. NEDC-32410P-A Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Supplement 1, November 1997.
5. NEDO-31960-A, BWR Owners Group Long-Term Stability Solutions Licensing Methodology, November 1995.
6. NEDO-31960-A, Supplement 1, BWR Owners Group Long-Term Stability Solutions Licensing Methodology, November 1995.
7. NEDO-32465-A, BWR Owners Group Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications, August 1996.
8. NEDO-32694P-A, Power Distribution Uncertainties for Safety Limit MCPR Evaluations, August 1999.
9. NEDC-33075P-A, GE Hitachi Boiling Water Reactor Detect and Suppress Solution - Confirmation Density," November 2013.

CHAPTER 07 7.5-25 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.5.1 has been DELETED CHAPTER 07 7.5-26 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.5.2 WIDE RANGE NEUTRON MONITOR TRIPS AND ALARMS Function Action WRNM count rate low Trip indication, annunciator, rod block WRNM inoperative Scram, INOP indication, annunciator (FATAL) rod block WRNM bypassed White light WRNM period upscale Scram, trip indication, annunciator (High-high)

WRNM period upscale Trip indication, annunciator, rod (High) block Count rate (High) Trip indication, annunciator, rod

[Non-coincident mode only] block Count rate (High-high) Scram, trip indication, annunciator

[Non-coincident mode only]

WRNM inoperative Trip indication, annunciator (Non-fatal)

CHAPTER 07 7.5-27 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.5.3 LOCAL POWER RANGE MONITOR TRIPS Trip Set Point Trip Function Trip Range (%) Trip Action LPRM downscale 0% to full 3 Light and annun-scale ciator LPRM upscale 0% to full 100 Light and annun-scale ciator LPRM bypass Manual - Light, annunciator, Selection and APRM averaging compensation CHAPTER 07 7.5-28 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.5.4 AVERAGE POWER RANGE MONITOR TRIPS Trip Point Design (Analytical)

Trip Function Range Limits* Action APRM downscale 0% to full 0.5% Rod block scale APRM Simulated Varied with Rod block Thermal Power flow, inter-

- High cept and slope adjust- 0.60 W + 58.7% (TLO) able 0.54 W + 54.9% (SLO)

(Clamped - 110.4%)

APRM Simulated Varied with Scram Thermal Power flow, inter-

- High-High cept and slope adjust- 0.60 W + 68.1% (TLO) able 0.54 W + 64.3% (SLO)

(Clamped - 120%)

APRM Neutron 10% to full 125.0% Scram Flux - High scale APRM inoper- N/A Not in operate Scram and ative mode or critical rod block self-test fault APRM Simulated 7% to 27% 14% Rod block Thermal Power

- High (Setdown)

APRM Neutron 10% to 30% 21.0% Scram Flux - High (Setdown)

OPRM Upscale *** PBDA: Not Applicable **** Scram Confirmation Counts: 2-25 Amplitude:

1:00-1:30 ABA: 1.05-1.50 Not Applicable **** Scram GRA: 1.00-1.50 Not Applicable **** Scram CDA:

User-adjustable CDA confirmation count setpoint See COLR Jumpered out BSP:

Varies with flow, constant power and constant slope lines See COLR Disabled

  • The values given here have been used for the setpoint analysis; however, the actual Allowable Values must be as given in the Technical Specifications or the Technical Requirements Manual.

The percent (%) values given are in percent of rated thermal power (4016 MWt).

    • W = Recirculation loop flow rate in percent of design.

TLO = Two Loop Operation.

CHAPTER 07 7.5-29 REV. 27, APRIL 2019

PBAPS UFSAR SLO = Single Loop Operation.

CHAPTER 07 7.5-30 REV. 27, APRIL 2019

PBAPS UFSAR TABLE 7.5.4 (cont'd)

AVERAGE POWER RANGE MONITOR TRIPS W = Difference between two loop and single loop effective recirculation drive flow at the same core flow. During single loop operation, the reduction in trip setting (-0.55 W) is accomplished by selecting single loop operation mode in the APRM channel. The slope/offset settings must also be adjusted in each APRM channel when transitioning between Two Loop Operation (TLO) and Single Loop Operation (SLO). This action preserves the original (two loop) relationship between APRM rod block and scram setpoints and recirculation drive flow. W = 0 for two loop operation.

      • PBDA = period based detection algorithm ABA = amplitude based algorithm GRA = growth rate algorithm CDA = Confirmation Density Algorithm BSP = Automatic Backup Stability Protection
        • The PBDA, ABA, and GRA are not credited in the safety analysis for the OPRM.

CHAPTER 07 7.5-31 REV. 27, APRIL 2019

PBAPS UFSAR 7.6 REFUELING INTERLOCKS 7.6.1 Safety Objective The safety objective of the refueling interlocks in combination with refueling procedures is to prevent an inadvertent criticality during refueling operations.

During a refueling operation, the reactor vessel head is removed, allowing direct access to the core. Refueling operations include the removal of reactor vessel upper internals and the movement of spent and fresh fuel assemblies between the core and the fuel storage pool. The refueling platform, and the equipment handling hoists on the platform are used to accomplish the refueling task.

The refueling interlocks reinforce operational procedures that prohibit taking the reactor critical under certain situations encountered during refueling operations by restricting the movement of control rods and the operation of refueling equipment.

7.6.2 Safety Design Basis

1. During fuel movements in or over the reactor core, all control rods are in their fully inserted positions.
2. No more than one control rod adjacent to fueled cells is withdrawn from its fully inserted position at any time when the reactor is in the refuel mode.

7.6.3 Description The refueling interlocks include circuitry which senses the condition of the refueling equipment and the control rods.

Depending on the sensed condition, interlocks are actuated which prevent the movement of the refueling equipment or withdrawal of control rods (rod block). Circuitry is provided which senses the following conditions:

1. All rods inserted.
2. Refueling platform positioned near or over the core.
3. Refueling platform hoists are fuel-loaded (fuel grapple, frame-mounted hoist, monorail hoist).
4. Fuel grapple is closed.

CHAPTER 07 7.6-1 REV. 28, APRIL 2021

PBAPS UFSAR A two-channel DC circuit indicates that all rods are in. The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe. The rod-in switch must be closed for each rod before the "all rods in" signal is generated; two channels carry the signal.

Both channels must register the "all rods in" signal in order for the refueling interlock circuitry to provide the "all rods in" condition.

The refueling platform is provided with two mechanical switches attached to the platform which are tripped open by a long, stationary ramp mounted adjacent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel, thereby providing indication of the approach of the platform toward the core or its position over the core.

The three hoists on the refueling platform are provided with switches which open when the hoists are fuel loaded. The switches are set to open at a load weight which is lighter than the weight of a single fuel assembly, thus providing positive indication whenever fuel is loaded on any hoist.

The fuel grapple head has two limit switches that open whenever the grapple is open. These limit switches close to give a grapple engaged indication and a grapple engaged interlock.

The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operation as described in Drawing M-1-CC-42 and in the following:

1. Refueling platform travel toward the core is stopped when the following three conditions exist concurrently:
a. Any refueling platform hoist is loaded
b. Not all rods in
c. Refueling platform position is such that the position switch is open (platform near or over the core).
2. With the mode switch in STARTUP, refueling platform travel toward the core is prevented when the refueling platform position switch is open (platform near or over the core).

CHAPTER 07 7.6-2 REV. 28, APRIL 2021

PBAPS UFSAR

3. Raising or lowering the refueling platform grapple is prevented when the following conditions exist concurrently:
a. One or more rod withdrawn
b. The refueling platform position switch open (platform near or over the core).
c. Fuel grapple fuel - loaded
4. The refueling platform frame-mounted hoist LIFT electrical circuit is open when the following three conditions exist concurrently:
a. Frame-mounted hoist loaded
b. Not all rods in
c. Refueling platform near or over the core.
5. The refueling platform monorail hoist LIFT electrical circuit is open when the following three conditions exist concurrently:
a. monorail hoist loaded
b. Not all rods in
c. Refueling platform near or over the core.
6. Fuel grapple release is prevented when the following two conditions exist concurrently:
a. Grapple is not within one foot of the core.
b. Refueling platform near or over the core.

The indicated conditions are combined in logic circuits to satisfy restrictions on control rod movement as shown in Drawing M-1-CC-42, Sheets 5 and 14.

7. With the mode switch in REFUEL, any one of the following two conditions prevents a control rod withdrawal:

CHAPTER 07 7.6-3 REV. 28, APRIL 2021

PBAPS UFSAR

a. Refueling platform over the core with a load on any refueling platform hoist
b. During normal operations, selection of a second rod for movement with any other rod withdrawn from the fully inserted position.
c. Bypassing any number of "Fill-in" position indicators to allow multiple control rod withdrawal is permitted while in the REFUEL mode, provided the following requirements are met:
1. The four fuel assemblies are removed from the core cells associated with each control rod or CRD to be removed,
2. All other control rods in core cells containing one or more fuel assemblies are fully inserted, and,
3. Fuel assemblies shall only be loaded in compliance with an approved spiral reload sequence.
8. With the mode switch in STARTUP, the following condition prevents a control rod withdrawal:
a. Refueling platform over the core The prevention of a control rod withdrawal is accomplished by opening contacts at two different points in the rod block circuitry; prevention of refueling equipment operation is accomplished by interrupting the power supply to the equipment.

Except as noted in 7.c above, during refueling operations no more than one control rod may be withdrawn; this is enforced by a redundant logic circuit which uses the "all rods in" signal and a rod selection signal to prevent the selection of a second rod for movement with any other rod not fully inserted. The simultaneous selection of two control rods is prevented by the interconnection arrangement of the select pushbuttons. With the mode switch in REFUEL, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.

Interlocks are provided on the refueling platform to prevent the fuel from being raised to a point where there would be less than CHAPTER 07 7.6-4 REV. 28, APRIL 2021

PBAPS UFSAR adequate water shielding above active fuel. These interlocks include two separate modes of operation:

1. Normal Fuel Move Mode
2. Cask Loading Mode Selection of the cask loading mode including fuel handled in this mode is procedurally controlled. The cask loading mode is used for preselected spent fuel bundles that have been cooled for at least 7 years and are intended to be stored in an approved spent fuel storage cask. The shielding provided by the water coverage in both modes, assuming the Technical Specification low water level, has been evaluated. In both cases, the water coverage ensures that there is adequate water shielding above the active fuel.

The water coverage from top of active fuel is reduced locally when the Reactor Cavity Work Platform is installed in the reactor cavity. The platform personnel baskets are submerged into the reactor cavity water Security Related Information Withheld under 10 CFR 2.390 , which limits the water coverage when a perimeter fuel bundle is raised to its full up position. This reduced coverage was evaluated and concluded to have no adverse impact on the refueling interlocks, the inadvertent criticality prevention, the offsite dose exposure or safety related equipment qualification.

7.6.4 Safety Evaluation The refueling interlocks, in combination with core nuclear design, and refueling procedures, limit the probability of inadvertent criticality. The nuclear characteristics of the core assure that the reactor is subcritical even when the highest worth control rod is fully withdrawn. Refueling procedures are written to avoid situations in which inadvertent criticality is possible. The combination of refueling interlocks for control rods and the refueling platform interlocks provide redundant methods of preventing inadvertent criticality. The interlocks on hoists provide yet another method of avoiding inadvertent criticality.

Table 7.6.1 illustrates the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform and fuel grapple movement and position, and mode switch manipulation. The scram indicated in situation 11 of Table 7.6.1 is not a result of the refueling interlocks; it is the response of the RPS to downscale neutron monitoring system channels when the CHAPTER 07 7.6-5 REV. 28, APRIL 2021

PBAPS UFSAR mode switch is shifted to RUN. In all cases, proper operation of the refueling interlocks is successful in preventing either the operation of loaded refueling equipment over the core whenever any control rod is withdrawn or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the mode switch is in REFUEL, only one rod can be withdrawn from fueled cells; selection of a second rod is prohibited.

7.6.5 Inspection and Testing Complete functional testing of all refueling interlocks on equipment used during refueling activities shall be performed before any refueling activities. This will provide positive indication that the interlocks operate in the situations for which they were designed. By loading each hoist with a dummy fuel assembly, positioning the refueling platform, and withdrawing control rods, or by simulating these inputs, the interlocks can be subjected to valid operational tests. Where redundancy is provided in the logic circuitry, tests can be performed to assure that each redundant logic element can independently perform its function.

CHAPTER 07 7.6-6 REV. 28, APRIL 2021

PBAPS UFSAR TABLE 7.6.1 REFUELING INTERLOCK EFFECTIVENESS Refueling Refueling Platform Hoists Platform Mode Situation Position MH FMH FG Control Rods Switch Attempt Result 1 Not near core UL UL UL All rods in Refuel Move refueling No restrictions platform over core 2 Not near core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod 3 Not near core UL UL UL One or more Refuel Move refueling No restrictions rod withdrawn platform over core 4 Not near core Any hoist loaded One or more Refuel Move refueling Platform stopped rods withdrawn platform over core before over core 5 Near core Loaded Loaded Loaded One or more Refuel Raise or lower Cannot raise or rods withdrawn loaded hoist/grapple lower loaded hoist/grapple 6 Over core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod 7 Over core Any hoist loaded All rods in Refuel Withdraw rods Rod block 8 Not near core UL UL UL All rods in Startup Move refueling Platform stopped platform over core before over core CHAPTER 07 7.6-7 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.6.1 (Continued)

Refueling Refueling Platform Hoists Platform Mode Situation Position MH FMH FG Control Rods Switch Attempt Result 9 Not near core UL UL UL All rods in Startup Withdraw rods No restrictions 10 Over core UL UL UL All rods in Startup Withdraw rods Rod block 11 Any Any condition Any condition, Startup Turn mode switch Scram reactor not to run at power 12 Over core Any condition Any condition Any Release grapple Grapple will Grapple not within not release one foot of core KEY: MH = Monorail hoist FMH = Frame-mounted hoist FG = Fuel grapple UL = Unloaded CHAPTER 07 7.6-8 REV. 21, APRIL 2007

PBAPS UFSAR 7.7 REACTOR MANUAL CONTROL SYSTEM 7.7.1 Power Generation Objective The power generation objective of the reactor manual control system is to provide the operator with the means to make changes in nuclear reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods.

7.7.2 Safety Design Basis

1. The circuitry provided for the manipulation of control rods is designed so that no single failure can negate the effectiveness of a reactor scram.
2. Repair, replacement, or adjustment of any failed or malfunctioning component does not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.

7.7.3 Power Generation Design Basis

1. The reactor manual control system is designed to inhibit control rod withdrawal following erroneous control rod manipulations so that RPS action (scram) is not required.
2. The reactor manual control system is designed to inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulation.
3. The reactor manual control system is designed to inhibit rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation is incapable (due to failure) of monitoring the core response to rod movement.
4. To limit the potential for inadvertent rod withdrawals leading to RPS action, the reactor manual control system is designed in such a way that deliberate operator action is required to effect a continuous rod withdrawal.
5. To provide the operator with the means to achieve prescribed control rod patterns, information pertinent to the position and motion of the control rods is available in the control room.

7.7.4 Description CHAPTER 07 7.7-1 REV. 23, APRIL 2011

PBAPS UFSAR 7.7.4.1 Identification The reactor manual control system consists of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The reactor manual control system does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in subsection 7.2, "Reactor Protection System." Neither are the mechanical devices of the CRD's and the CRD hydraulic system included in the reactor manual control system. These mechanical components are described in subsection 3.4, "Reactivity Control Mechanical Design."

7.7.4.2 Operation 7.7.4.2.1 General Drawing M-1-CC-42, Sheets 1 through 7, 9 through 16, and 18 show the functional arrangement of devices for the control of components in the CRD hydraulic system. Although the figures also show the arrangement of scram devices, these devices are not part of the reactor manual control system.

Control rod movement is accomplished by admitting water under pressure from a CRD water pump into the appropriate end of the CRD cylinder. The pressurized water forces the piston, which is attached by a connecting rod to the control rod, to move. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish the actions required for the various operational modes. The valves control the path that the CRD water takes to the cylinder. The reactor manual control system controls the valves.

Two of the four solenoid-operated valves for a control rod are electrically connected to the insert bus. When the insert bus is energized and when a control rod has been selected for movement, the two insert valves for the selected rod open, allowing the CRD water to take the path that results in control rod insertion. Of the two remaining solenoid-operated valves for a control rod, one is electrically connected to the withdraw bus, and the other is connected to the settle bus. The withdraw valve that connects the insert drive water supply line to the exhaust water header is the one that is connected to the settle bus. The remaining withdraw CHAPTER 07 7.7-2 REV. 23, APRIL 2011

PBAPS UFSAR valve is connected to the withdraw bus. When both the withdraw bus and the settle bus are energized and when a control rod has been selected for movement, both withdraw valves for the selected rod open, allowing CRD water to take the path that results in control rod withdrawal.

The settle mode is provided to ensure that the CRD index tube is engaged promptly by the collet fingers after the completion of either an insert or withdraw cycle. During the settle mode, the withdraw valve connected to the settle bus is opened or remains open while the other three solenoid-operated valves are closed.

During an insert cycle, the settle action vents the pressure from the bottom of the CRD piston to the exhaust header, thus gradually reducing the differential pressure across the drive piston of the selected rod. During a withdraw cycle, the settle action again vents the bottom of the CRD piston to the exhaust header while the withdraw drive water supply is shut off. This also allows a gradual reduction in the differential pressure across the CRD piston. After the control rod has slowed down, the collet fingers engage the index tube and lock the rod in position. See Drawing M-1-CC-42, Sheets 1 and 10 for valve sequence and timing.

The arrangement of control rod selection push buttons and circuitry permits the selection of only one control rod at a time for movement. A rod is selected for movement by depressing a button for the desired rod on the reactor control bench board in the control room. This bench board is shown in Figure 7.7.3. The direction in which the selected rod moves is determined by the position of a switch, called the ROD CONTROL switch, which is also located on the reactor control bench board. This switch has ROD-IN and ROD-OUT-NOTCH positions and returns by spring action to the OFF position. The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod-selected condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.

7.7.4.2.2 Insert Cycle The following is a description of the detailed operation of the reactor manual control system during an insert cycle. The cycle is described in terms of the insert, withdraw, and settle buses.

CHAPTER 07 7.7-3 REV. 23, APRIL 2011

PBAPS UFSAR The response of a selected rod when the various buses are energized has been explained previously.

Drawing M-1-CC-42, Sheets 3, 4, 12, and 13 can be used to follow the sequence of an insert cycle.

A three-position rod control switch is provided on the reactor control bench board. The switch has a ROD-IN position, a ROD-OUT-NOTCH position, and an OFF position. The switch returns by spring action to the OFF position. With a control rod selected for movement, placing the rod control switch in the ROD-IN position and then releasing the switch energizes the insert bus for a limited amount of time. Just before the insert bus is deenergized, the settle bus is automatically energized and remains energized for a limited period of time after the insert bus is deenergized. The insert bus timer setting and the rate of drive water flow provided by the CRD hydraulic system determine the distance traveled by a rod. The timer setting results in a one notch (6 in) insertion of the selected rod for each momentary application of a ROD-IN signal from the rod control switch.

Continuous insertion of a selected control rod is possible by holding the rod control switch in the ROD-IN position.

A second switch can be used to initiate insertion of a selected control rod. This switch is the EMERGENCY IN/NOTCH OVERRIDE switch. The EMERGENCY IN/NOTCH OVERRIDE switch has three positions: EMERGENCY IN, NOTCH OVERRIDE, and OFF. The switch returns to the OFF position by spring action. By holding the EMERGENCY IN/NOTCH OVERRIDE switch in the EMERGENCY IN position, the insert bus is continuously energized, causing a continuous insertion of the selected control rod.

7.7.4.2.3 Withdraw Cycle The following is a description of the detailed operation of the reactor manual control system during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle buses.

The response of a selected rod when the various buses are energized has been explained previously. Drawing M-1-CC-42, Sheets 3, 4, 12, and 13 can be used to follow the sequence of a withdraw cycle.

With a control rod selected for movement, placing the rod control switch in the ROD-OUT-NOTCH position energizes the insert bus for a short period of time. Energizing the insert bus at the beginning of the withdrawal cycle is necessary to allow the collet fingers to disengage the index tube. When the CHAPTER 07 7.7-4 REV. 23, APRIL 2011

PBAPS UFSAR insert bus is deenergized, the withdrawal and settle buses are energized for a controlled period of time. The withdraw bus is deenergized prior to the settle bus, which, when deenergized, completes the withdraw cycle. This withdraw cycle is the same whether the rod control switch is held continuously in the ROD-OUT-NOTCH position or released. The timers that control the withdraw cycle are set so that the rod travels one notch (6 in) per cycle. An interlock is provided in the withdraw circuitry to deenergize the control circuit and prevent rod withdrawal if the withdraw bus timer fails to deenergize the withdraw bus after the specified time period.

A selected control rod can be continuously withdrawn if the rod control switch is held in the ROD-OUT-NOTCH position at the same time that the EMERGENCY IN/NOTCH OVERRIDE switch is held in the NOTCH-OVERRIDE position. With both switches held in these positions, the withdraw bus is continuously energized.

7.7.4.2.4 Control Rod Drive Hydraulic System Control Two motor-operated pressure control valves, two air-operated flow control valves, and two dual solenoid-operated stabilizing valves are included in the CRD hydraulic system to maintain smooth and regulated system operation (subsection 3.4, "Reactivity Control Mechanical Design"). The motor-operated pressure control valves are positioned by manipulating switches in the control room. The switches for these valves are located close to the pressure indicators that respond to the pressure changes caused by the movements of the valves. The air-operated flow control valves are automatically positioned in response to signals from an upstream flow measuring device. The stabilizing valves are automatically controlled in the same manner as the insert and withdraw buses.

The control scheme is shown in Drawing M-1-CC-42, Sheets 2, 3, 4, 11, 12, and 13. The two drive water pumps are controlled by switches in the control room. Each pump automatically stops upon indication of low suction pressure (Drawing M-1-CC-42, Sheets 2 and 11).

7.7.4.3 Rod Block Interlocks 7.7.4.3.1 General Drawing M-1-CC-42, Sheets 3, 4, 5, 12, 13, and 14 show the rod block interlocks used in the reactor manual control system.

Drawing M-1-CC-42, Sheets 3, 4, 12, and 13 show the general functional arrangement of the interlocks, and Drawing M-1-CC-42, CHAPTER 07 7.7-5 REV. 23, APRIL 2011

PBAPS UFSAR Sheets 5 and 14 shows the rod blocking functions originating in the neutron monitoring system in greater detail.

To achieve an operationally desirable performance objective where most failures of individual components would be easily detectable or do not disable the rod movement inhibiting functions, the rod block logic circuitry is arranged as two similar logic circuits.

The two circuits are energized when control rod movement is allowed. Rod block contacts are normally closed, and rod block relays are normally energized. Each of the two similar circuits receive input trip signals from a number of trip channels. Either of the two circuits can provide a separate rod block signal to the rod control circuitry. The individual signal from each circuit is called an "annunciating rod block control" because when tripped, a horn or buzzer is sounded in the control room to indicate the block signal. A third rod block signal is obtained by combining the outputs of the two similar logic circuits, the rod worth minimizer (RWM) output (subsection 7.16, "Process Computer System"), and the rod block monitor outputs. This third signal is called the non-annunciating rod block control because when tripped, the rod block condition is indicated in the control room by a light indicator only. The two annunciating rod block controls are always placed in pairs in the rod control circuitry, while the non-annunciating rod block control is used independently. The two annunciating rod block controls and the non-annunciating rod block control must be in the permissive state for control rod withdrawal to be possible. A failure of any one of the three-rod block controls cannot prevent the remaining parts of the rod block circuitry from initiating a rod block.

When in the tripped state, the non-annunciating rod block control prevents the withdraw movement of the selected rod by opening the rod control circuit that is used to energize the withdraw bus.

The annunciating rod block controls prevent the withdraw movement of a selected rod in a similar manner, but the rod control circuit is opened at a location different from that affected by the non-annunciating rod block control. The rod block circuitry is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous withdrawal. If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even if a continuous rod withdrawal is in progress.

The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod blocks are described in subsection 7.6, "Refueling Interlocks."

CHAPTER 07 7.7-6 REV. 23, APRIL 2011

PBAPS UFSAR 7.7.4.3.2 Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed later. Drawing M-1-CC-23, Sheets 1 and 8, M-1-CC-42, Sheets 5 and 14, and Figure 7.7.6 show the rod block initiation functions.

Drawing M-1-CC-23, Sheets 1 and 8 shows the rod block functions initiated in the neutron monitoring system. The channel A and B annunciating rod block control and non-annunciating rod block control shown on Drawing M-1-CC-42, Sheets 5 and 14 initiate rod blocks on the reactor manual control system as indicated in Drawing M-1-CC-42, Sheets 3, 4, 12 and 13.

a. With the mode switch in SHUTDOWN, no control rod can be withdrawn. This enforces compliance with the intent of the SHUTDOWN mode.
b. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:
1. Any APRM upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require RPS action if allowed to proceed.

The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM neutron flux high or flow-biased STP high scram settings are reached.

2. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or properly bypassed.
3. Either RBM upscale alarm. This function is provided to stop the erroneous withdrawal of a single worst-case control rod so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the alarm setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.

CHAPTER 07 7.7-7 REV. 23, APRIL 2011

PBAPS UFSAR

4. Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or properly bypassed.
5. Any recirculation flow signal upscale. This assures that no control rod is withdrawn unless the recirculation flow functions, which are necessary for the proper operation of the APRM Flow-Biased STP Rod Block, are operable.
6. Any APRM LPRM Low Count alarm. This assures that no rod is withdrawn unless the APRM channels are either monitoring the required minimum number of LPRM inputs to meet APRM channel operability requirements or the channel is properly bypassed.
7. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block well in advance of that level which produces a scram.
8. Deleted
9. The RWM function of the process computer system (PMS) can initiate a rod insert block and a rod withdrawal block. The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under low power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident.

Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed. Additional information on the RWM function is available in subsection 7.16, "Process Computer System."

10. The rod position information system (RPIS) initiates a rod select block for loss of power to the RPIS, loss of output signal from the master clock, or a missing printed circuit board in the RPIS.
11. Deleted CHAPTER 07 7.7-8 REV. 23, APRIL 2011

PBAPS UFSAR

12. Deleted
c. With the mode switch in RUN, the following conditions initiate a rod block:
1. Any APRM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the average power range neutron monitoring channels are operating properly or are correctly bypassed. All unbypassed APRM's must be onscale during reactor operations in the RUN mode.
2. Any RBM downscale alarm. This alarm indicates a gross failure of the RBM signal processing since normal RBM signal levels are much higher than the RBM downscale alarm setting. This assures that no rod is withdrawn unless the RBM channels are at least reading onscale or bypassed. Unbypassed RBMs must be onscale during reactor operations in the RUN mode.
d. With the mode switch in STARTUP or REFUEL the following conditions initiate a rod block:
1. Any WRNM downscale alarm. This assures that no control rod is withdrawn unless the WRNM count rate is above the minimum prescribed for low neutron flux level monitoring.
2. Any WRNM period short alarm. This assures that no control rod is withdrawn unless the wide range neutron monitoring equipment is properly monitoring the core during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring RPS action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.
3. Any WRNM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all WRNM channels are in service or properly bypassed.
4. The rod block functions provided specifically for refueling situation are described in subsection 7.6, "Refueling Interlocks."

CHAPTER 07 7.7-9 REV. 23, APRIL 2011

PBAPS UFSAR

e. With the mode switch in SHUTDOWN or REFUEL a rod block is initiated by scram discharge volume high level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high level scram function is out of service.

7.7.4.3.3 Rod Block Bypasses To permit continued power operation during the repair or calibration of equipment for selected functions which provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

1. Two WRNM channels.
2. One APRM channel.
3. One RBM channel.

The WRNM's are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. There are four APRM channels, each monitoring LPRM detectors covering the entire core.

The channels are arranged such that adequate monitoring of the core is maintained with one channel bypassed.

These bypasses are effected by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the RBM rod block occurs whenever the power level is below a preselected level or whenever a peripheral control rod is selected. Either of these two conditions indicates that local fuel damage is not threatened and that RBM action is not required.

The RWM rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. The automatic bypass may itself be disabled to allow control rod sequence enforcement up to 100% reactor power. The RWM may be manually bypassed for maintenance at any time.

7.7.4.4 Control Rod Information Displays The operator has three different displays of control rod position:

CHAPTER 07 7.7-10 REV. 23, APRIL 2011

PBAPS UFSAR

1. Rod status display.
2. Four rod display.
3. Process computer (PMS).

These displays serve the following purposes:

1. Provide the operator with a continuously available, easily understood presentation of each control rod's status.
2. Provide continuously available, easily discernible warning of an abnormal condition.
3. Present numerical rod position for each rod.
4. Log all control rod positions on a routine basis.

The rod status display (Figure 7.7.3) is located on a vertical panel behind the reactor control console in the control room. It provides the following continuously available information for each individual rod.

1. Rod position, digital and fully inserted (green).
2. Rod position, digital and fully withdrawn (red).
3. Rod identification, coordinate position of selected rod (white).
4. Accumulator trouble (amber).
5. Rod scram (blue).
6. Rod drift (red).

Also dispersed throughout the display in locations representative of the physical location of LPRM strings in the core are LPRM lights as follows:

1. LPRM low flux level (white).
2. LPRM high flux level (amber).

A separate four rod display consisting of four rod position modules is located on the reactor control console (Figure 7.7.3).

CHAPTER 07 7.7-11 REV. 23, APRIL 2011

PBAPS UFSAR These four modules display rod position in two digits and rod selected status (white light, off or on) for the selected rod and three adjacent rods (Figure 7.7.4). The rod position digital range is from 00 to 48, where 00 and 48 represent the fully inserted and fully withdrawn positions, respectively. Each even increment (e.g., 00-02) represents six physical inches of rod movement. Near the four rod display are two RBM Operator Display Assemblies (ODAs) which display RBM status information including the LPRM values for each of the detector strings surrounding the selected rod (Figure 7.7.4). Since each LPRM detector string contains 4 detectors, these ODAs display up to 16 LPRM detector values both in bargraph and digital display format. The RBM ODAs allow the operator to easily focus attention on the core volume of primary concern during rod movements.

Control rod position information is obtained from reed switches in the CRD that open or close during rod movement. Reed switches are provided at each 3-in increment of piston travel. Since a notch is 6 in, indication is available for each half-notch of rod travel. The reed switches located at the half-notch positions for each rod are used to indicate rod drift. Both a rod selected for movement and the rods not selected for movement are monitored for drift. A drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer (PMS).

Reed switches are also provided at locations that are beyond the limits of normal rod movement. If the rod drive piston moves to these overtravel positions, an alarm sounds in the control room.

The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact, because with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position.

The process computer (PMS) receives position indication from each rod and prints out all rod positions in a pre-arranged sequence.

The operator may order a computer printout at any time. The printout depicts the rod positions in an array corresponding to the other displays and actual core location (Figure 7.7.5). The printout is always in the same order; if there is an incorrect input, the printout will signify it by showing a blank or printing 99.

All displays are essentially independent of one another. Signals for the rod status display are hard wired from the rod position information system cabinet (RPISC) buffer outputs, so that a CHAPTER 07 7.7-12 REV. 23, APRIL 2011

PBAPS UFSAR signal failure of other parts of the RPISC will not affect this display. Likewise, the computer (PMS) could conceivably fail but the rod status and rod position displays will continue to function normally.

The condition of the CRD hydraulic system and control circuitry can be monitored from the main control room by use of the following devices:

1. Indicating Lamps Flow control valve position Drive water pressure control valve position Cooling water pressure control valve position Stabilizer valve selector switch position Drive water pump motor circuit breaker Scram valve position Discharge volume vent and drain valves position Withdraw bus energized Insert bus energized Settle bus energized Notch override Withdraw not permissive
2. Annunciators Scram valve pilot air header low pressure Accumulator low pressure or leakage Scram discharge volume not drained Drive water filter high differential pressure Charging water high pressure Drive water pump "A" suction low pressure Drive water pump "B" suction low pressure CRD temperature CHAPTER 07 7.7-13 REV. 23, APRIL 2011

PBAPS UFSAR

3. Instruments Drive water flow Cooling water flow Cooling water - reactor differential pressure Drive water - reactor differential pressure Charging water pressure CRD system flow Drive water pump ammeters Instrumentation provided for the reactor manual control system is presented in Table 7.7.1.

7.7.4.5 This subsection deleted 7.7.5 Safety Evaluation The circuitry described for the reactor manual control system is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry. The scram circuitry is discussed in subsection 7.2, "Reactor Protection System."

Because each control rod is controlled as an individual unit, a failure that results in energizing of any of the insert or withdraw solenoid valves can affect only one control rod. The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod. It can be concluded that no single failure in the reactor manual control system can result in the prevention of a reactor scram and that repair, adjustment, or maintenance of reactor manual control system components does not affect the scram circuitry. This meets safety design bases 1 and 2.

7.7.6 Inspection and Testing The reactor manual control system can be routinely checked for proper operation by manipulating control rods using the various methods of control. Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

CHAPTER 07 7.7-14 REV. 23, APRIL 2011

PBAPS UFSAR TABLE 7.7.1 REACTOR MANUAL CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Measured Variable Instrument Type Normal Range Accuracy Trip Setting Pump suction pressure Pressure indicator -15 to +250 psig +/-2% full scale ---

Pump suction pressure Pressure switch 0 to 30 in Hg +/-5% full scale 18 in Hg (decreasing)

Pump discharge pressure Pressure indicator 1,400 to 1,650 psig +/-2% full scale ---

Filter pressure drop P indicator 5 to 25 psid +/-2% full scale 17 to 22 psid (increasing)

System flow indication and controller Flow indicator 0 to 100 gpm +/-5% set point Accum. HDR. Chg. PRESS alarm Pressure switch 1,400 to 1,510 psig +/-2% full scale 1,510 psig (decreasing)

Accum. HDR. Chg. PRESS Pressure indicator ---

Drive HDR. flow Flow indicator 0, 2, 4 gpm +/-2% full scale ---

Drive HDR. pressure Pressure indicator 250 to 1,285 psig +/-1% full scale ---

Drive HDR. pressure drop P indicator 0 to 350 psid +/-2% full scale ---

Cooling HDR. flow Flow indicator 46 to 63 gpm +/-2% full scale ---

Cooling HDR. pressure Pressure indicator 20 to 1,075 psig +/-1% full scale ---

Cooling HDR. reactor P P indicator 20 to 40 psid +/-2% full scale ---

Stabilizing flow Flow indicator 5 to 7 gpm +/-5% full scale ---

Exhaust pressure Pressure indicator 0 to 1,045 psig +/-1/2% full scale ---

Scram discharge level Level switch 2 in +/-1/2 in ---

Drive temperature Monitor 50 to 500 F --- 300 F Instrument air supply pressure Pressure indicator 0 to 50 psig +/-2% full scale ---

CHAPTER 07 7.7-15 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.7.1 (Continued)

Measured Variable Instrument Type Normal Range Accuracy Trip Setting Flow control station air pressure Pressure indicator 0 to 15 psig +/-2% full scale ---

Scram pilot air HDR. pressure Pressure indicator 0 to 150 psig +/-2% full scale Scram pilot air HDR. pressure Pressure switch 70 to 100 psig +/-2% full scale ---

Accum. Nd Chg. pressure Pressure indicator 0 to 1,000 psig +/-2% full scale ---

Accum. Nd Chg. pressure alarm Pressure switch 0 to 1,000 psig ---

FCV electro/pneumatic Pressure/current 3 to 15 psig/ --- ---

converter 10 to 50 ma Control rod drive overtravel Reed switches 2 in beyond full +/-1 1/2 in 2 in beyond full (withdraw direction) withdrawal position withdrawal position Control rod drive overtravel Reed switches 1 1/2 in beyond +/-1 1/2 in 1 1/2 in beyond (insert direction) last notch full insert position Control rod position Reed switches full-in to full-out, +/-1 1/2 in ---

(normal range) every 3 in Rod block - neutron monitoring See Section 7.5, "Neutron Monitoring System" system trip channels Rod block - rod worth minimizer See Section 7.16, "Process Computer System" CHAPTER 07 7.7-16 REV. 21, APRIL 2007

PBAPS UFSAR 7.8 REACTOR VESSEL INSTRUMENTATION 7.8.1 Safety Objective The safety objective of the reactor vessel instrumentation is to monitor and transmit information concerning key reactor vessel operating parameters during planned operations to ensure that sufficient control of these parameters is possible in order to avoid (1) release of radioactive material to the environs such that the limits of 10CFR20 are exceeded, (2) nuclear system stress in excess of that allowed by applicable industry codes, and (3) the existence of any operating conditions not considered by plant safety analyses.

7.8.2 Safety Design Basis Reactor vessel instrumentation is designed to:

1. Provide the operator with sufficient indication of reactor core flow rate during planned operations to avoid operating conditions not considered by plant safety analyses.
2. Provide the operator with sufficient indication of reactor vessel water level during planned operations to determine that the core is adequately covered by the coolant inventory inside the reactor vessel to avoid the release of radioactive materials to the environs such that the limits of 10CFR20 are exceeded, and to avoid operating conditions not considered by plant safety analyses.
3. Provide the operator with sufficient indication of reactor vessel pressure and temperature during planned operations to avoid operating conditions not considered by plant safety analyses.
4. Provide the operator with sufficient indication of reactor vessel flange leakage during planned operations to avoid nuclear system stress in excess of that allowed by applicable industry codes and the release of radioactive material to the environs such that the limits of 10CFR20 are exceeded.

7.8.3 Power Generation Objective CHAPTER 07 7.8-1 REV. 26, APRIL 2017

PBAPS UFSAR The power generation objective of the reactor vessel instrumentation is to monitor and transmit reactor vessel parameter information for the convenient, efficient, and economical operation of the plant.

7.8.4 Power Generation Design Basis Reactor vessel instrumentation is designed to monitor and transmit sufficient reactor vessel parameter information to the operator such that he is continually able to operate the plant conveniently, efficiently, and economically.

7.8.5 Description Drawings M-351, Sheets 1 through 4 and M-352 show the numbers, location, and arrangements of the sensors, switches, and sensing equipment used to monitor reactor vessel conditions. Because the reactor vessel sensors used for safety systems and engineered safeguards have been described and evaluated in other portions of this Updated FSAR, only those sensors that are not required for safety systems are described in this subsection.

7.8.5.1 Reactor Vessel Surface Temperature Thermocouples are attached to the reactor vessel, the vessel top head, the vessel head studs, and the bottom vessel drain as a means of observing vessel metal temperature behavior in response to vessel coolant temperature changes during startup and power operation. Drawings M-351, M-352 and Figure 7.8.2 show the locations of the thermocouples. Probe type thermocouples are used to measure the temperature inside the reactor vessel head studs.

Magnetically attached thermocouples are used to measure the surface temperature of the vessel top head and top head flange.

Thermocouples are clamped to the vessel at various locations (see Figure 7.8.2) to measure the vessel surface temperature. The thermocouples are made of copper constantan insulated with braided glass, and clad with stainless steel. Thermocouple and temperature recorder specifications are listed in Table 7.8.1.

The collection of thermocouples provides temperature data representative of thick, thin, and transitional sections of the vessel and its attachments. Selected temperatures are recorded on a multi-point recorder in the control room. The temperature difference between the reactor vessel flange and the vessel wall adjacent to the flange is recorded on a temperature recorder.

7.8.5.2 Reactor Vessel Water Level CHAPTER 07 7.8-2 REV. 26, APRIL 2017

PBAPS UFSAR Reactor vessel water level indication is detected by comparing the pressure exerted by the actual height of water inside the vessel to the pressure exerted by a constant reference column of water.

Lines which are connected to widely separated nozzles in the reactor vessel lead from the vessel to locations outside the primary containment where they terminate at instrument racks in the reactor building. Level measuring instruments are attached to the appropriate sensor lines so that the proper differential pressure is applied to the level instruments. A condensing chamber is installed in each of the lines used to provide a reference column of water for level measurements. Pressure compensation instruments are used in the ECCS and Feedwater Control Systems to improve the accuracy of the level measurement.

The reactor vessel instrumentation used for safety systems is described and evaluated in subsections 7.2, 7.3, and 7.4. Each of the instrument lines is fitted with one manual isolation valve and one excess flow check valve, both of which are located directly outside the drywell in the reactor building. The instrument pipelines slope down in the direction of the instruments so that no air traps are formed. Pressure and differential pressure measuring instruments also use these same instrument lines, as indicated in Drawing M-352.

A continuous backfill system is connected to each reference column line at the instrument side of the excess flow check valve. The backfill system provides a continuous flow of water from the Control Rod Drive (CRD) System, through the reference column and condensing chamber, and into the Reactor Vessel. This flow of water will continuously purge the reference column and will prevent the migration of dissolved noncondensable gases down the columns. The backfill system connects to the CRD System and is common to all of the reference column lines up to a location outside primary containment where the backfill system line separates and is connected to each of the individual reference column lines. The backfill system line connecting to each reference column line is fitted with two manual isolation valves and two spring-loaded check valves. Backfill system flow to each reference column line is manually controlled via a double pattern needle valve, and both total backfill system flow and flow to each reference column line is indicated locally.

There are numerous indications of reactor vessel water level in the reactor building. Almost all of the level measuring instruments indicate locally, as shown in Drawing M-352.

CHAPTER 07 7.8-3 REV. 26, APRIL 2017

PBAPS UFSAR There are several reactor vessel water level indications continuously displayed on various boards in the control room and one indication that can be selectively connected to a control room recorder. Eleven of the control room level indications are derived from the pressure compensation instruments, four come from the level transmitters provided for the feedwater control system, five come from the instruments used to measure the water level inside the core shroud, and one uses a separate reference column of water located so that water level indication is possible all the way to the top of the vessel. There are five level recorders in the control room. The first recorder receives level signals from level transmitters in the feedwater control system and provides a continuous record of narrow range reactor vessel water level (0 to

+60 in). The second recorder can be selectively connected to a level transmitter to indicate in the range from instrument zero to 500 inches above instrument zero, during refueling operations.

This input is also provided to the plant monitoring computer. Two other recorders indicate reactor water level over the range from normal water level to the bottom of the fuel. Each of these recorders has two channels: one for wide range reactor level (-

165 to +60 in) and one for fuel zone level (-325 to +60 in). The inputs for these two recorders are from safety-related level transmitters, each recorder receiving signals from a separate set of transmitters. The power inputs for the dual channel recorders are from separate divisions and the design is such that no single failure will disable both recorders. The fifth recorder indicates reactor water level over the fuel zone range (-25 to +60 in).

This recorder receives its level signal from the pressure compensation instruments. Table 7.8.1 lists the specifications for level instruments not previously described with other systems.

Drawing M-352 gives a chart showing the water levels at which various automatic alarms and safety actions are initiated. Each of the actions listed is described and evaluated in the subsection of this report where the system involved is described. The following list tells where various level measuring components and their set points are discussed:

Level Instrumentation Subsection in Which Discussed Level transmitters and "Reactor Protection System" (7.2) trip units for initiating scram Level transmitters and "Primary Containment and Reactor pressure instruments Vessel Isolation Control System" or trip units for (7.3)

CHAPTER 07 7.8-4 REV. 26, APRIL 2017

PBAPS UFSAR initiating primary containment or reactor vessel isolation Level switches, "Core Standby Cooling Systems transmitters, and pres- Controls and Instrumentation" sure compensation instru- (7.4) ments used for HPCIS, LPCI, core spray, ADS, or recirculation loop valve closure CHAPTER 07 7.8-5 REV. 26, APRIL 2017

PBAPS UFSAR Level Instrumentation Subsection in Which Discussed Level transmitters, pres- "Core Standby Cooling Systems sure compensation instru- Controls and Instrumentation" ments, and recorder used (7.4) to measure water level inside core shroud Level transmitters and "Feedwater Control System" (7.10) recorders used for feedwater control Level transmitters and "Core Standby Cooling Systems pressure compensation Controls and Instrumentation" instruments used to trip (7.4)

RCICS turbine and HPCIS turbine Level transmitters and "Reactor Core Isolation pressure compensation Cooling System" (4.7) instruments used to initiate the RCICS Level transmitters and "Anticipated Transient pressure compensation without Scram Recirculation instruments used for Pump Trip" (7.9.4.4.2) automatically tripping recirculation pumps Level transmitters and "Alternate Rod Insertion" pressure compensation (1.6.3.4) instruments used for alternate rod insertion The large number of reactor vessel water level indications is sufficient in providing the operator with information with which the adequacy of the coolant inventory to cool the fuel can be determined. In addition, by verifying that reactor vessel water level is not rising to an abnormally high level, the operator is assured that turbines are not endangered by the possibility of water carried into the steam lines. The approach of abnormal conditions is brought to the operator's attention by audible and visual alarms (Drawing M-352). It should be noted that in no case requiring safety system response is operator action required; all essential protection system responses are completely automatic.

CHAPTER 07 7.8-6 REV. 26, APRIL 2017

PBAPS UFSAR 7.8.5.3 Reactor Vessel Coolant Flow Rates and Differential Pressures Drawing M-352 shows the flow instruments, differential pressure instruments, and recorders provided so that the core coolant flow rates and the hydraulic performance of reactor vessel internals can be determined.

The flow rate through each of the jet pumps is summed and indicated in the main control room. Four jet pumps, two associated with each recirculation loop, are specially calibrated.

They are provided with special pressure taps in the diffuser sections. The differential pressure measured between the special taps allows precise flow calibration using jet pump prototype test performance data. The flow rates through the remaining jet pumps are derived from the measured pressure differences between the jet pump diffuser near the throat end and the core inlet plenum. The flow rates through the jet pumps associated with each recirculation loop are again summed to provide a recorded control room indication of the total flow through the core. A smoothed average of the digital core flow values is available for the purpose of monitoring compliance with the 110% maximum core flow limit.

The control room flow rate readouts of the specially calibrated jet pumps can be used to cross-check the readouts of all the other jet pumps. A discrepancy in the cross-checks is reason enough to check local flow indications.

Flow in each recirculation loop is measured by a flow element as shown in Drawing M-353. Indicated recirculation loop flow rates can be checked by using recirculation pump performance curves and the differential pressure between the reactor vessel annulus and the core inlet plenum. Extreme accuracy of the flow rate operational readouts in the control room is not necessary because precise measurements can be obtained during reactor operation if they are desired. It is sufficient to periodically demonstrate that the reactor recirculation system flow rate is at least the design flow rate during operation at rated power.

A differential pressure transmitter is provided to indicate core pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly. The line used to determine the pressure in the core inlet plenum is the same line provided for the standby liquid control system. A separate line is provided for the pressure CHAPTER 07 7.8-7 REV. 26, APRIL 2017

PBAPS UFSAR measurement above the core support assembly. Core Plate Flow in M lbs./hr is indicated and recorded in the main control room.

Instrument lines leading from the reactor vessel to locations outside the drywell are each provided with one manual isolation valve and one excess flow check valve. All of the flow and differential pressure instruments are located outside the primary containment.

In addition to these measurements, core flow is calculated by the heat balance core flow measurement (HBCFM). This system uses the process computer (PMS) to calculate core flow by performing a heat balance around the reactor downcomer.

7.8.5.4 Reactor Vessel Internal Pressure Reactor vessel internal pressure is detected by pressure switches, indicators, and transmitters from the same instrument lines used for reactor vessel water level measurements. Several pressure indicators that sense pressure from different, separated instrument lines provide pressure indications in the reactor building. Reactor vessel pressure indications are provided in the main control room. These come from the pressure transmitters used in the feedwater control system. Reactor vessel pressure is continuously recorded in the main control room on four recorders.

Two of these recorders receive a signal from pressure transmitters associated with the feedwater control system. The remaining two recorders and their associated instrumentation are used for accident monitoring purposes. See subsection 7.20.4.2 for additional information on the reactor pressure accident monitoring instruments.

The following list shows where reactor vessel pressure measuring instruments used for the automatic control of equipment or systems are discussed:

Pressure Instrumentation Subsection in Which Discussed Pressure transmitters and "Reactor Protection System" trip units used to (7.2) initiate a scram Pressure transmitters and "Core Standby Cooling Systems pressure compensation Controls and Instrumentation" instruments used for core (7.4) spray system and LPCI CHAPTER 07 7.8-8 REV. 26, APRIL 2017

PBAPS UFSAR Pressure Instrumentation Subsection in Which Discussed Pressure instrumentation "System Operation" (7.9.4.4) used for automatically tripping the reactor recirculation pumps Pressure instrumentation "Alternate Rod Insertion" use for alternate rod (1.6.3.4)"

insertion Pressure transmitters and "Feedwater Control System" (7.10) recorders used for feedwater control Pressure instrumentation "Primary Containment and Reactor used for RHR shutdown Vessel Isolation Control System" cooling line isolation (7.3)

Differential pressure "Core Standby Cooling Systems switches measuring Controls and Instrumentation" differential pressure (7.4) between inside of core spray sparger pipes and core inlet above the core support assembly 7.8.5.5 Reactor Vessel Top Head Flange Leak Detection A connection on the reactor vessel flange is provided into the annulus between the two metallic seal rings used to seal the reactor vessel and top head flanges. This connection permits detection of leakage from the inside of the reactor vessel past the inner seal ring. The connection is piped to a collection chamber installed between two remotely operated valves. The arrangement is shown in Drawing M-351. The upstream valve is normally open, the downstream valve normally closed. A pressure switch is provided to actuate the alarm in the control room as pressure in the leakage collection piping becomes abnormally high.

A local pressure indicator is provided to indicate the pressure inside the piping arrangement. The pressure instruments are located outside the drywell but inside the reactor building. The instrument line for the pressure instruments is provided with one manual isolation valve and one excess flow check valve. The specifications for the pressure instruments are given in Table CHAPTER 07 7.8-9 REV. 26, APRIL 2017

PBAPS UFSAR 7.8.1. The two valves are controlled by a switch in the control room. The positions of the valves are indicated by lights. If leakage past the inner seal ring is indicated, the upstream valve can be closed and the downstream valve can be opened by remote-manual operation from the control room. This action routes the accumulated leakage to the drywell equipment drain sump. After the collection chamber is drained, the remotely operated valves can be returned to their normal positions. The leakage rate can be determined by timing the period until the alarm is reactivated (subsection 4.10, "Nuclear System Leakage Detection and Leakage Rate Limits").

A connection is provided on the reactor vessel beyond the outer metallic head seal. This connection is piped to a point in the drywell accessible during reactor shutdown and is capped. (Note:

In the event that difficulty is encountered in obtaining a pressure tight seal on the inner metallic seal, it is desirable to operate on the outer metallic seal only. It is possible to install a low pressure seal beyond the outer metallic seal and monitor the space between for outer metallic seal leakage by use of this piped connection.)

7.8.6 Safety Evaluation The reactor vessel instrumentation is designed to provide sufficient continuous indication of key reactor vessel operating parameters during planned operations such that the operator can efficiently monitor these parameters and anticipate any approach to operating conditions which could lead to any of the unacceptable safety results discussed in the safety design bases (paragraph 7.8.2). The redundancy of all indicators provided assures that the possibility that all instrumentation could be lost simultaneously is so remote as to be negligible. It is therefore concluded that the safety design bases are satisfied.

7.8.7 Inspection and Testing The large number of spare thermocouples provided on the reactor vessel and its attachments permit cross-checking to verify proper thermocouple response. Pressure, differential pressure, water level, and flow instruments are located in the reactor building and are piped so that calibration and test signals can be applied during reactor operation, if desired.

CHAPTER 07 7.8-10 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.8.1 REACTOR VESSEL INSTRUMENTATION INSTRUMENT SPECIFICATIONS*

Measured Variable Instrument Type Normal Range Accuracy Trip Setting Reactor vessel surface Thermocouple 0-600 F ASA C96.1 ---

temperature Reactor vessel top head Thermocouple 0-600 F ASA C96.1 ---

surface temperature Reactor vessel top head Thermocouple 0-600 F ASA C96.1 ---

flange surface temperature Reactor vessel surface Temperature 0-600 F +/-1% ---

temperature recorder Top head flange to reactor Differential tem- +/-300 F +/-1% ---

vessel wall differential perature recorder temperature Reactor vessel water level Level indicator See Fig. 7.3.1 +/-2% See Fig. 7.3.1 (pressure compensated)

Reactor vessel water level Level indicator See Fig. 7.3.1 5% See Fig. 7.3.1 Specially calibrated jet Flow transmitter 0-30 psi +/-1/2% ---

pump flow rate Jet pump flow rate Flow transmitter 0-30 psi +/-1/2% ---

Specially calibrated jet Flow indicator 0-6x106 lb/hr +/-2% ---

pump flow rate Jet pump flow rate Flow indicator 0-60x106 lb/hr +/-2% ---

Specially calibrated jet Square root --- +/-2% ---

pump flow rate extractor Jet pump flow rate --- +/-1/2% ---

Recirculation loop flow Flow summer --- +/-1/2% ---

rate

  • Other instruments measuring reactor vessel variables are discussed in sections where the systems using the instruments are described.

CHAPTER 07 7.8-11 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.8.1 (Continued)

Measured Variable Instrument Type Normal Range Accuracy Trip Setting Recirculation loop flow Flow indicator 0-70,000 gpm +/-2% ---

rate Core total flow Controller --- +/-1/2% ---

Pressure difference across Flow recorder 0-120x106 lb/hr +/-2%

core support assembly Reactor vessel annulus to Differential pres- 0-50 psid +/-1%

core inlet plenum differ- sure transmitter ential pressure Reactor vessel annulus to Differential pres- 0-50 psid +/-2%

core inlet plenum sure indicator differential pressure Differential pressure across Differential pres- 0-50 psid +/-1%

the core support assembly sure transmitter Reactor vessel pressure Pressure indicators 0-1,500 psig +/-2%

Reactor vessel flange leak Pressure switch 0-1,500 psig +/-2% 600 psig detection piping internal pressure Reactor vessel flange leak Pressure indicator 0-1,500 psig +/-2%

detection piping internal pressure CHAPTER 07 7.8-12 REV. 21, APRIL 2007

PBAPS UFSAR 7.9 RECIRCULATION FLOW CONTROL SYSTEM 7.9.1 Power Generation Objective The power generation objective of the recirculation flow control system is to control reactor power level over a limited range by controlling the flow rate of the reactor recirculating water.

7.9.2 Power Generation Design Basis The recirculation flow control system is designed to allow manual recirculation flow adjustment to control reactor power level.

7.9.3 Safety Design Basis The recirculation flow control system functions so that no abnormal operational transient caused by a malfunction in the recirculation flow control system can result in fuel damage or excessive nuclear system pressure.

7.9.4 Description 7.9.4.1 General Reactor recirculation flow is controlled by regulating the speed of the two reactor recirculating pumps. By adjusting the frequency of the electrical power supplied to the recirculation pump motors, the recirculation flow control system affects changes in reactor power level.

Control of pump speed, and thus core flow, is such that at various control rod patterns, different power level changes can be manually accommodated. For a rod pattern (called the rated pattern) where rated power accompanies 100 percent flow, power change control down to approximately 65 percent of full power is possible over a range of approximately 35 percent of the maximum operating power level for that rod pattern. Thus, the manual power control range is approximately a constant fraction of operating power but a variable absolute power range.

An increase in recirculation flow temporarily reduces the void content of the moderator through the core. The additional neutron moderation increases the reactivity of the core, which causes the reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady-state power level is CHAPTER 07 7.9-1 REV. 27, APRIL 2019

PBAPS UFSAR established. When recirculation flow is reduced, the power level is reduced in the reverse manner.

Figure 7.9.1 illustrates how the recirculation flow control system operates.

Each recirculation pump motor has its own ASD for a power supply.

Four Remote Input/Output cabinets (two for each ASD) are provided to process signals between the ASD sub-compartments and the MCR.

To change the speed of the reactor recirculation pump, both operator and system initiated speed commands to the ASD changes the frequency and magnitude of the voltage supplied to the pump motor to give the desired pump speed. The recirculation flow control system uses a demand signal from pushbuttons and switches provided by the operator.

7.9.4.2 Adjustable Speed Drive The ASD provides variable speed operation to the recirculation pump motors by converting utility power at fixed frequency and voltage to variable frequency and voltage power. This conversion is done electronically, without moving parts. The ASD can continuously supply power to the pump motor at any speed between 20 percent and 100 percent of pump motor speed once the minimum startup speed of 29.7 percent is reached. The ASD is capable of starting the pump and accelerating it from standstill to the desired operating speed under any pump loading conditions.

Security Related Information Withheld under 10 CFR 2.390 ASD Cabinet Description The 13.8kV input power is provided to the ASD through the Input cabinet and is then stepped down to 750V secondary winding outputs that supply voltage power cell input rectifiers. The FPC cabinet accommodates the cell input fuses that protect the cells from failure as well as providing input primary power interruption by monitoring the input voltages and currents so that the transformer secondary-side faults are identified quickly to variable frequency CHAPTER 07 7.9-2 REV. 27, APRIL 2019

PBAPS UFSAR and voltage AC power to drive the recirculation pump motor, via the Output panel and RPT breakers. The Relay cabinet monitors the output characteristics of the ASD. The CSC maintains the operating temperature. Remote communication is made with the ASD through the use of the RIO panels.

7.9.4.3 Speed Control for the Adjustable Speed Drive Low Flow Runback The automatic low flow runback is generated from the ASD RIO Cabinet and automatically limits recirculation pump speed to 30 percent if the recirculation pump main discharge valve is not fully open, the total feedwater flow is less than 20 percent rated flow after time delay, or upon detection of a reactor scram signal (Ref. Section 7.10.3.4.9). Without the low flow runback, the recirculation pump could overheat if the recirculation pump discharge valve is partly closed. The low flow runback also reduces the recirculation flow if the feedwater flow drops below 20 percent after time delay, to prevent cavitation in the recirculation or jet pumps. The low flow runback reduces the recirculation flow to minimize this reactor level drop to shrink effects following a reactor scram. Reducing recirculation flow slows this rate of void collapse giving the feedwater system time to respond. The low flow runback must be manually reset by the Operator to increase recirculation pump speed above 30 percent during the reactor start-up sequence or whenever the low flow runback is activated as long as the recirculation pump main discharge valve is fully open, total feedwater flow is above 20 percent, and a reactor scram is not present.

High Flow Runback The automatic high flow runback is generated from the ASD RIO Cabinet and automatically limits recirculation pump speed to 45 percent if reactor water level is less than 17" and individual feed pump flows less than 20 percent or total feed flow is greater than 85 percent (Ref. Section 7.10.3.4.9) and all three condensate pump breakers are not closed. The high flow runback must be manually reset by the to increase recirculation pump speed above 45 percent during the reactor start-up sequence or whenever the high flow runback is activated as long as the above plant logic is satisfied.

The raise/speed functions provided by the ASD are enabled after the startup speed of the recirculation pumps have, been obtained (minimum speed of 29.7 percent has been reached), then speed can CHAPTER 07 7.9-3 REV. 27, APRIL 2019

PBAPS UFSAR be lowered to 20 percent and/or any speed changes via remote raise/lower or local raise/lower functions can be made above the minimum speed of 20 percent (333 RPM). The following is a list of functions that are available to change the recirculation pump's motor speed using ASD:

a) Raise Low: By depressing the Raise Low pushbutton speed will increase 0.06 percent (1 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) b) Raise Medium: By depressing the Raise Medium pushbutton speed will increase 0.3 percent (5 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) c) Raise High: By depressing the Raise High pushbutton speed will increase 0.6 percent (10 RPM) per push at 2.0 percent/ sec (33.3 RPM/sec) d) Lower Low: By depressing the Lower Low pushbutton speed will decrease 0.06 percent (1 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) e) Lower Medium: By depressing the Lower Medium pushbutton speed will decrease 0.3 percent (5 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) f) Lower High: By depressing the Lower High pushbutton speed will decrease 1.8 percent (30 RPM) per push at 2.0 percent/sec (33.3 RPM/sec)

The motor speed cannot be lowered below 20 percent or raised above 100 percent. As soon as the ASD detects the "Remote Stop" or the "Local Stop" signal, it initiates a coast stop by disabling the drive output and concurrently tripping the drive Input Circuit Breaker (ICB) by de-energizing the Trip Input Medium Voltage Relay (TIMV) relays. The Medium Voltage (MV) ICB will open (de-energizes the TIMV relay) if the speed goes below 18 percent (300 RPM) after a startup complete (minimum speed of 29.7 percent has been obtained). This will preclude an inadvertent breaker closure/motor restart.

7.9.4.4 System Operation 7.9.4.4.1 Recirculation Loop Starting Sequence Each recirculation loop is independently put into operation by operating the controls of each recirculation loop as follows:

1. The recirculation loop suction valve is fully open.
2. The recirculation loop discharge valve is fully closed.

CHAPTER 07 7.9-4 REV. 27, APRIL 2019

PBAPS UFSAR

3. A "Ready to Pre-charge" signal is sent out if Control voltage is available, Low voltage is available, flow is above minimum value, the pre-charge circuit breaker is closed with voltage present for pre-charge, and the pre-charge permissive signal (used for remote control) is present.
4. The ASD internally controls the resonant pre-charge sequencing. The "Pre-Charge in Progress" signal is sent out and when pre-charging is complete and a close Medium Voltage signal is issued to the user. The MV breaker will close within 3 seconds from issuing the close request.
5. Once medium voltage is sensed by the ASD, the "Pre-Charge Complete" and "Ready to Run" signals are issued.
6. The ASD can now process a "Remote Start" sequence from the user ramping to minimum pre-defined speed.
7. Upon reaching this speed the "Drive Running" signal goes high and the ASD continues running the motor to demanded speed.
8. If there is a fault in the sequence and / or a failed start the "Pre-Charge Fault" signal is issued.
9. Recirculation flow is increased during startup by manually increasing recirculation pump speed and by opening the recirculation loop discharge valve.

7.9.4.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT)

A recirculation pump trip (ATWS-RPT) on reactor high pressure or reactor low water level has been provided to limit the consequences of a failure to scram during a transient.

General Electric Company Topical Report NEDO-10349, March 1971 evaluates the effects of an anticipated transient without scram event.

The report is applicable to Peach Bottom Units 2 and 3 with the exception that high neutron flux and the time delay discussed in the report are not used. The Peach Bottom Units 2 and 3 response to the event and the system design performance are within the envelope of the report's studied events. The reactor CHAPTER 07 7.9-5 REV. 27, APRIL 2019

PBAPS UFSAR recirculation pump ASDs are automatically tripped when redundant coincident logics of reactor high pressure or reactor low water level are tripped.

An automatic alternate rod insertion (ARI) takes place simultaneously with ATWS-RPT. ARI is discussed in subsection 1.6.3.4.

If automatic or manual insertion of rods fails, the operator injects boron into the reactor using the standby liquid control system (subsection 3.8).

ATWS-RPT and ARI uses four reactor pressure and four reactor level outputs from the compensated reactor water level instruments (subsection 7.8). These instrument channels are the same ones used by the Core and Containment Cooling Systems.

The ATWS recirculation pump trip circuit is shown functionally in Drawings M-1-CC-4, Sheets 1 through 12, and M-1-CC-46, Sheets 1 and 2.

For Peach Bottom Unit 2 and 3, a recirculation pump trip (ATWS-RPT) on reactor high pressure or reactor low water level has been provided to limit the consequences of a failure to SCRAM during a transient. General Electric-Hitachi Task Report, PEAM-EPU-0902 (Task T0902), analyzed the ATWS event under rated conditions at 4016 MWt. The 13.8 kV feeder breaker to the reactor recirculation ASDs are automatically tripped when redundant coincident logics of reactor high pressure or reactor low water level are tripped.

7.9.4.4.3 End-of-Cycle Recirculation Pump Trip (EOC-RPT)

The End-of-Cycle Recirculation Pump Trip (EOC-RPT) improves the response to plant pressurization transients (e.g. turbine trip, generator load rejection) by disconnecting the recirculation pumps from the ASDs s immediately upon receipt of a turbine stop valve (TSV) or control valve (TCV) trip signal to reduce system inertia and effect a quicker pump coastdown.

The EOC-RPT is composed of two 4.16 kV circuit breakers connected in series between each recirculation ASD and recirculation pump motor. These breakers provide a redundant means of tripping each pump. TSV closure and TCV fast closure from Reactor Protection System (RPS) logic channels A1 and B1 form one trip system and trip one EOC-RPT breaker for each recirc. pump. TSV closure and TCV fast closure signals from RPS logic channels A2 and B2 form the second trip system and trip the second EOC-RPT breaker for CHAPTER 07 7.9-6 REV. 27, APRIL 2019

PBAPS UFSAR each recirc. motor. Each EOC-RPT trip channel utilizes two TSV closure and two TCV fast closure signals from RPS (subsection 7.2). The reactor recirculation pumps are automatically tripped when both TSV or TCV inputs are actuated in either logic channel.

An automatic bypass of the EOC-RPT is applied whenever the reactor thermal power is less than 26.3% RTP (as indicated by turbine first stage pressure). Test switches are provided to allow EOC-RPT logic channel testing without tripping the recirc. pumps. An annunciation is also provided in the control room which indicates when a switch is in the TEST position. An annunciation is also provided which indicates the loss of EOC-RPT logic circuit control power. The EOC-RPT trip circuit is shown functionally in Drawing M-1-CC-46, Sheets 1 and 2.

The EOC-RPT related equipment are designed to withstand an Operating Basis Earthquake (OBE) (NRC Letter of March 15, 1995 to PECO Energy).

7.9.5 Safety Evaluation There is no inherent inertia driven coastdown power or braking force applied to the recirculation pump motor upon ASD stop or trip. As a result, the GNF2 ECCS-LOCA analysis demonstrated compliance with the 10 CFR 50.46 acceptance criteria, and concluded that the coastdown rate of the Recirculation pumps with the ASD is acceptable.

Transient analyses described in Section 14.0, "Plant Safety Analysis," show that no malfunction in the recirculation flow control system, including ATWS-RPT and EOC-RPT, can cause a transient sufficient to damage the fuel barrier or exceed the nuclear system pressure limits, as required by the safety design basis.

The original safety evaluation for the Anticipated Transient Without Scram Trip of the recirculation pump is contained in General Electric Company Topical Report NEDO-10349, March 1971.

Under MUR conditions (4016 MWt) for both Units 2 and 3, the safety evaluation for the Anticipated Transient Without Scram Trip of the recirculation pump is contained in General Electric Hitachi Safety Analysis Report NEDC-33873P, dated February 2017.

The effects of EOC-RPT on the transient analysis are described in subsection 14.5.

CHAPTER 07 7.9-7 REV. 27, APRIL 2019

PBAPS UFSAR 7.9.6 Inspection and Testing ASDs and associated controls are functioning during normal power operation. Any abnormal operation of these components can be detected during operation. The components which do not continually function during normal operation can be tested and inspected during scheduled plant shutdowns.

CHAPTER 07 7.9-8 REV. 27, APRIL 2019

Retrieved from "https://kanterella.com/w/index.php?title=ML23062A427&oldid=3528589"