ML23129A270

From kanterella
Jump to navigation Jump to search
1 to Updated Safety Analysis Report,Section VII, Control and Instrumentation
ML23129A270
Person / Time
Site: Cooper Entergy icon.png
Issue date: 04/20/2023
From:
Nebraska Public Power District (NPPD)
To:
Office of Nuclear Reactor Regulation
Shared Package
ML23129A261 List: ... further results
References
NLS2023022
Download: ML23129A270 (1)
v  d  e


Text

USAR VII - CONTROL AND INSTRUMENTATION PAGE 1.0

SUMMARY

DESCRIPTION VII-1-1 1.1 Safety Systems VII-1-1 1.2 Power Generatio n Systems VII-1-1 1.3 Safety Functions VII-1-2 1.4 Station Operation al Control VII-1-3 1.5 Definitio ns VII-1-4 1.6 System Suppliers and Design Basis VII-1-4 1.7 Design Criteria VII-1-5 1.7.1 Single Failure Criteria VII-1-5 1.7.2 Equipment Qualifica tion VII-1-6 1.7.3 Channel Independe nce VII-1-7 1.7.3.1 Criteria for Preservin g the Independe nce of Redundant Channels VII-1-7 1.7.3.2 Cable Derating VII-1-12 1.7.3.3 Fire Detection and Protectio n VII-1-13 1.7.3.4 Administ rative Responsi bility VII-1-17 1.7.3.5 Spacing of Wiring and Component s in Control Boards, Panels, and Relay Racks VII-1-17 1.7.3.6 Annunciat or Circuits VII-1-17

1. 7. 4 Tests and Calibrati on VII-1-18
1. 7. 5 Indicatio n of Protectiv e Action Bypasses VII-1-18
1. 7. 6 Informatio n Readout - Reactor Core and Primary Containme nt VII-1-20
1. 7. 7 Identific ation of Class IE Equipment VII-1-23
1. 7. 8 Seismic Criteria VII-1-24 2.0 REACTOR PROTECTION SYSTEM VII-2-1 2.1 Safety Objective VII-2-1 2.2 Safety Design Basis VII-2-1 2.3 Descripti on VII-2-3 2.3.1 Identific ation VII-2-3 2.3.2 Power Supply VII-2-3 2.3.3 Physical Arrangeme nt VII-2-3
2. 3. 4 Logic VII-2-4 2.3.5 Operation VII-2-4 2.3.5.1 Alternate Rod Insertion (ARI) VII-2-6 2.3.6 Scram Functions and Bases for Trip Settings VII-2-6 2.3.6.1 Neutron Monitorin g System Trip VII-2-6 2.3.6.2 Reactor Vessel Steam Dome High Pressure VII-2-6 2.3.6.3 Reactor Vessel Water Level Low-Level 3 VII-2-7 2.3.6.4 Turbine Stop Valve Closure VII-2-7 2.3.6.5 Turbine Control Valve Fast Closure VII-2-8 2.3.6.6 Main Steam Line Isolation VII-2-8 2.3.6.7 Scram Discharge Volume High Water Level VII-2-9 2.3.6.8 Drywell High Pressure VII-2-9 2.3.6.9 Manual Scram VII-2-9 2.3.6.10 Reactor Mode Selector Switch in Shutdown VII-2-9 2.3.7 Reactor Mode Selector Switch VII-2-10 2.3.7.1 Shutdown Mode VII-2-10 2.3.7.2 Refuel Mode VII-2-10 2.3.7.3 Startup/H ot Standby Mode VII-2-10 2.3.7.4 Run Mode VII-2-10 2.3.8 Scram Bypasses VII-2-10 2.3.9 Instrumen tation VII-2-11 2.3.9.1 Neutron Monitorin g System VII-2-11 2.3.9.2 Reactor Vessel-Ste am Dome Pressure VII-2-11 2.3.9.3 Reactor Vessel Water Level Low-Level 3 VII-2-12 vii-1-1 01/23/01

USAR VII - CONTROL AND INSTRUMENTATION (Cont'd.)

PAGE

2. 3. 9. 4 Main Turbine Stop Valve Closure VII-2-12 2.3.9.5 Main Turbine Control Valve Fast Closure VII-2-12
2. 3. 9. 6 Main Steam Line Isolation VII-2-12 2.3.9.7 Scram Discharge Volume High Water Level VII-2-13
2. 3. 9. 8 Drywell Pressure VII-2-13
2. 3. 9. 9 Main Turbine Supply Pressure Switches VII-2-13 2.3.9.10 Channel and Logic Relays VII-2-13 2.3.10 Wiring VII-2-14 2.4 Safety Evaluation VII-2-14 2.5 Inspection and Testing VII-2-19 3.0 PRIMARY CONTAINMENT ISOLATION CONTROL AND INSTRUMENTATION SYSTEM VII-3-1 3.1 Safety Objective VII-3-1 3.2 Safety Design Basis VII-3-1 3.3 Description VII-3-3 3.3.1 Identification VII-3-3 3.3.2 Definitions VII-3-3
3. 3. 3 Power Supply VII-3-4 3.3.4 Physical Arrangement VII-3-4 3.3.5 Logic VII-3-5
3. 3. 6 Operation VII-3-5 3.3.7 Isolation Valve Closing Devices and Circuits VII-3-6 3.3.7.1 Main Steam Isolation Valves VII-3-7 3.3.8 Isolation Functions and Settings VII-3-7 3.3.8.1 Reactor Vessel Low Water Level (Level 3) VII-3-8 3.3.8.2 Reactor Vessel Low Low Water Level (Level 2) VII-3-8 3.3.8.3 Reactor Vessel Low Low Low Water Level (Level 1) VII-3-9 3.3.8.4 Main Steam Line High Radiation VII-3-9 3.3.8.5 Main Steam Line Space High Temperature VII-3-9
3. 3. 8. 6 Main Steam Line High Flow VII-3-9
3. 3. 8. 7 Low Main Steam Line Pressure VII-3-11 3.3.8.8 Primary Containment (Drywell)

High Pressure VII-3-11

3. 3. 8. 9 RCIC Equipment Space High Temperature VII-3-11 3.3.8.10 RCIC Turbine High Steam Flow VII-3-12 3.3.8.11 RCIC Turbine Steam Line Low Pressure VII-3-12 3.3.8.12 HPCI Equipment Space High Temperature VII-3-12 3.3.8.13 HPCI Turbine High Steam Flow VII-3-12 3.3.8.14 HPCI Turbine Steam Line Low Pressure VII-3-12 3.3.8.15 Condenser Low Vacuum VII-3-13 3.3.8.16 Reactor Building Ventilation Exhaust High Radiation VII-3-13 3.3.8.17 RWCU System High Flow VII-3-13 3.3.8.18 RWCU System Space High Temperature VII-3-13 3.3.8.19 Torus Area NW RHR Steam Line High Temperature VII-3-13 3.3.9 Instrumentation VII-3-14 3.3.10 Environmental Capabilities VII-3-16 3.4 Safety Evaluation VII-3-17 3.5 Inspection and Testing VII-3-20 4.0 EMERGENCY CORE COOLING SYSTEMS CONTROL AND INSTRUMENTATION VII-4-1 4.1 Safety Objective VII-4-1 4.2 Safety Design Basis VII-4-1 4.3 Power Generation Objective VII-4-2 vii-1-2 03/28/19

USAR VII - CONTROL AND INSTRUMENTATION (Cont'd.)

4.4 Power Generation Design Basis VII-4-2 4.5 Description VII-4-3 4.5.1 Identificati on VII-4-3 4.5.2 High Pressure Coolant Injection System (HPCI)

Control and Instrumenta tion VII-4-3 4.5.2.1 Identificati on and Physical Arrangement VII-4-3 4.5.2.2 HPCI Actuation Signals and Logic VII-4-4 4.5.2.3 HPCI Initiating Instrumenta tion VII-4-4 4.5.2.4 HPCI Turbine and Turbine Auxiliaries Control VII-4-6 4.5.2.5 HPCI Valve Control VII-4-7 4.5.2.6 HPCI Environment al Consideratio ns VII-4-10 4.5.3 Automatic Depressuriz ation System Control and Instrumenta tion VII-4-10 4.5.3.1 Identificati on and Physical Arrangement VII-4-10 4.5.3.2 Automatic Depressuriz ation System Initiating Signals and Logic VII-4-10 4.5.3.3 Automatic Depressuriz ation System Initiating Instrumenta tion VII-4-13 4.5.3.4 Automatic Depressuriz ation System Alarms VII-4-13 4.5.3.5 Automatic Depressuriz ation System Environment al Consideratio ns VII-4-13

4. 5. 4 Core Spray Systems Control and Instrumenta tion VII-4-13 4.5.4.1 Identificati on and Physical Arrangement VII-4-13 4.5.4.2 Core Spray System Initiating Signals and Logic VII-4-14
4. 5. 4. 3 Core Spray System Pump Control VII-4-15
4. 5. 4. 4 Core Spray System Valve Control VII-4-15
4. 5. 4. 5 Core Spray System Alarms and Indications VII-4-17
4. 5. 4. 6 Core Spray System Environment al Consideratio ns VII-4-17 4.5.4.7 Reference Leg Injection VII-4-17 4.5.5 Low Pressure Coolant Injection Control and Instrumenta tion VII-4-18 4.5.5.1 Identificati on and Physical Arrangement VII-4-18 4.5.5.2 LPCI Initiating Signals and Logic VII-4-19 4.5.5.3 LPCI Mode Pump Control VII-4-21 4.5.5.4 LPCI Valve Control VII-4-21 4.5.5.5 LPCI Environment al Consideratio ns VII-4-23 4.6 Safety Evaluation VII-4-23 4.7 Inspection and Testing VII-4-25 5.0 NEUTRON MONITORING SYSTEM VII-5-1 5.1 Safety Objective VII-5-1 5.2 Safety Design Basis VII-5-1 5.3 Power Generation Objective VII-5-1 5.4 Power Generation Design Basis VII-5-1 5.5 Identificat ion VII-5-1 5.6 Source Range Monitor Subsystem VII-5-1 5.6.1 Power Generation Design Basis VII-5-1 5.6.2 Description VII-5-2 5.6.2.1 Identificati on VII-5-2 5.6.2.2 Power Supply VII-5-2 5.6.2.3 Physical Arrangement VII-5-2 5.6.2.4 Signal Conditionin g VII-5-3 5.6.2.5 Trip Functions VII-5-4 vii-1-3 08/14/00

USAR VII - CONTROL AND INSTRUMENTATION (Cont'd.)

PAGE 5.6.3 Power Generation Evaluation VII-5-4 5.6.4 Inspection and Testing VII-5-6 5.7 Intermediate Range Monitor Subsystem VII-5-6 5.7.1 Safety Design Basis VII-5-6 5.7.2 Power Generation Design Basis VII-5-6 5.7.3 Description VII-5-6 5.7.3.1 Identification VII-5-6 5.7.3.2 Power Supply VII-5-6 5.7.3.3 Physical Arrangement VII-5-7 5.7.3.4 Signal Conditioning VII-5-7 5.7.3.5 Trip Functions VII-5-8 5.7.4 Safety Evaluation VII-5-8 5.7.5 Power Generation Evaluation VII-5-9 5.7.6 Inspection and Testing VII-5-9 5.8 Local Power Range Monitor Subsystem VII-5-9 5.8.1 Power Generation Design Basis VII-5-9 5.8.2 Description VII-5-11 5.8.2.1 Identification VII-5-11 5.8.2.2 Power Supply VII-5-11 5.8.2.3 Physical Arrangement VII-5-11 5.8.2.4 Signal Conditioning VII-5-12 5.8.2.5 Trip Functions VII-5-12 5.8.3 Power Generation Evaluation VII-5-14 5.8.4 Inspection and Testing VII-5-14 5.9 Average Power Range Monitor Subsystem VII-5-14 5.9.1 Safety Design Basis VII-5-14 5.9.2 Power Generation Design Basis VII-5-14 5.9.3 Description VII-5-14 5.9.3.1 Identification VII-5-14 5.9.3.2 Power Supply VII-5-15 5.9.3.3 Signal Conditioning VII-5-15 5.9.3.4 Trip Function VII-5-15 5.9.4 Safety Evaluation VII-5-16 5.9.5 Power Generation Evaluation VII-5-16 5.9.6 Inspection and Testing VII-5-16 5.10 Rod Block Monitor Subsystem VII-5-18 5.10.1 Power Generation Design Basis VII-5-18 5 .10. 2 Description VII-5-18 5.10.2.1 Identification VII-5-18 5.10.2.2 Power Supply VII-5-18 5.10.2.3 Signal Conditioning VII-5-18 5.10.2.4 Trip Function VII-5-18 5 .10. 3 Power Generation Evaluation VII-5-19 5.10.4 Inspection and Testing VII-5-19 5 .11 Traversing In-Core Probe Subsystem VII-5-19 5.11.1 Power Generation Design Basis VII-5-19

5. 11. 2 Description VII-5-19 5.11.2.1 Identification VII-5-19 5.11.2.2 Physical Arrangement VII-5-20 5.11.2.3 Signal Conditioning VII-5-21
5. 11. 3 Power Generation Evaluation VII-5-22 5.11.4 Inspection and Testing VII-5-22 6.0 REFUELING INTERLOCKS VII-6-1 6.1 Safety Objective VII-6-1 6.2 Safety Design Basis VII-6-1 6.3 Description VII-6-1 6.4 Safety Evaluation VII-6-4 6.5 Inspection and Testing VII-6-5 vii-1-4 01/23/01

USAR VII - CONTROL AND INSTRUMENTATION (Cont'd.)

PAGE 7.0 REACTOR MANUAL CONTROL SYSTEM VII-7-1 7.1 Safety Objective VII-7-1 7.2 Safety Design Basis VII-7-1 7.3 Power Generation Objective VII-7-1 7.4 Power Generation Design Basis VII-7-1 7.5 Description VII-7-1 7.5.1 Identification VII-7-1 7.5.2 Operation VII-7-2 7.5.2.1 General VII-7-2 7.5.2.2 Insert Mode VII-7-3 7.5.2.3 Withdraw Mode VII-7-3 7.5.2.4 Control Rod Drive Hydraulic System Control VII-7-4 7.5.3 Rod Block Interlocks VII-7-4 7.5.3.1 General VII-7-4 7.5.3.2 Rod Block Functions VII-7-5 7.5.3.3 Rod Block Bypasses VII-7-7 7.5.3.4 Arrangement of Rod Block Trip Channels VII-7-8 7.5.4 Instrumentation VII-7-8 7.5.5 Rod Sequence Control System VII-7-10 7.6 Safety Evaluation VII-7-10 7.7 Inspection and Testing VII-7-10 8.0 REACTOR VESSEL INSTRUMENTATION VII-8-1 8.1 Safety Objective VII-8-1 8.2 Safety Design Bases VII-8-1 8.3 Power Generation Objective VII-8-1 8.4 Power Generation Design Basis VII-8-1 8.5 Description VII-8-1 8.5.1 Reactor Vessel Surface Temperature VII-8-2 8.5.2 Reactor Vessel Water Level VII-8-2 8.5.3 Reactor Vessel Coolant Flow Rates and Differential Pressures VII-8-6 8.5.4 Reactor Vessel Internal Pressure VII-8-6 8.5.5 Reactor Vessel Top Head Flange Leak Detection VII-8-7 8.6 Safety Evaluation VII-8-7 8.7 Inspection and Testing VII-8-8 9.0 RECIRCULATION FLOW CONTROL SYSTEM VII-9-1 9.1 Safety Objective VII-9-1 9.2 Safety Design Basis VII-9-1 9.3 Power Generation Objective VII-9-1 9.4 Power Generation Design Bases VII-9-1 9.5 Description VII-9-1

9. 5. 1 General VII-9-1 9.5.2 Motor-Generator Set VII-9-2 9.5.3 Speed Control Components VII-9-3 9.5.4 System Operation VII-9-4 9.5.4.1 Recirculation Loop Starting Sequence VII-9-4 9.5.4.2 Recirculation Pump Trip (RPT) VII-9-5 9.6 Safety Evaluation VII-9-6 9.7 Inspection and Testing VII-9-6 10.0 FEEDWATER CONTROL SYSTEM VII-10-1 10.1 Power Generation Objective VII-10-1 10.2 Power Generation Design Bases VII-10-1 10.3 Description VII-10-1 10.3.1 Reactor Vessel Water Level Measurement VII-10-1
10. 3. 2 Steam Flow Measurement VII-10-2 vii-1-5 04/22/02

USAR VII - CONTROL AND INSTRUMENTATION (Cont'd.)

PAGE

10. 3. 3 Feedwater Flow Measurement VII-10-2
10. 3. 4 Feedwater Control Signal VII-10-2 10.3.4.1 Automatic Operation VII-10-3 10.3.4.2 Optional Operating Modes VII-10-3
10. 3. 5 Reactor Feed Pump Control VII-10-4 10.3.6 Reactor Overfill Protection VII-10-4 10.4 Inspection and Testing VII-10-4 11.0 PRESSURE REGULATOR AND TURBINE-GENERATOR CONTROL VII-11-1 11.1 Power Generation Objective VII-11-1 11.2 Power Generation Design Basis VII-11-1 11.3 Description VII-11-1 11.3.1 Normal Control Operations VII-11-1
11. 3. 2 Turbine Protective Devices VII-11-2
11. 3. 3 Overspeed Protection VII-11-3 11.3.3.1 Valve Operations VII-11-3 11.4 Power Generation Evaluation VII-11-4 11.5 Inspection and Testing VII-11-4 11.5.1 Turbine-Generator Supervisory Instruments VII-11-4
11. 5. 2 Testing Provisions VII-11-5 11.5.3 Inspection Provisions VII-11-5 12.0 PROCESS RADIATION MONITORING VII-12-1 12.1 Main Steam Line Radiation Monitoring System VII-12-1
12. 1. 1 Safety Objective VII-12-1
12. 1. 2 Safety Design Basis VII-12-1
12. 1. 3 Description VII-12-1 12.1.4 Safety Evaluation VII-12-2 12.1.5 Inspection and Testing VII-12-2 12.2 Air Ejector (Off-Gas) Radiation Monitoring System VII-12-4
12. 2. 1 Safety Objective VII-12-4

. 12. 2. 2 Safety Design Basis VII-12-4

12. 2. 3 Description VII-12-4 12.2.4 Safety Evaluation VII-12-5 12.2.5 Inspection and Testing VII-12-5 12.3 Process Liquid Radiation Monitors VII-12-5
12. 3. 1 Safety Objective VII-12-5
12. 3. 2 Safety Design Bases VII-12-5
12. 3. 3 Power Generation Objective VII-12-5 12.3.4 Power Generation Design Basis VII-12-5
12. 3. 5 Description VII-12-5 12.3.5.1 Service Water (SW) and the Reactor Equipment Cooling (REC) System Process Liquid Radiation Monitors VII-12-5 12.3.5.2 Radwaste Process Liquid Radiation Monitor VII-12-7 12.3.6 Safety Evaluation VII-12-7 12.3.7 Inspection and Testing VII-12-8 12.4 Reactor Building Isolation Ventilation Radiation Monitoring System VII-12-8
12. 4. 1 Safety Objective VII-12-8 12.4.2 Safety Design Basis VII-12-8
12. 4. 3 Description VII-12-8 12.4.4 Safety Evaluation VII-12-9 12.4.5 Inspection and Testing VII-12-9 12.5 Elevated Release Point Radiation Monitoring System VII-12-9
12. 5. 1 Safety Objective VII-12-9
12. 5. 2 Safety Design Basis VII-12-9 vii-1-6 09/02/08

USAR VII - CONTROL AND INSTRUMENTATION (Cont'd.)

PAGE

12. 5. 3 Description VII-12-9 12.5.4 Safety Evaluation VII-12-10 12.5.5 Inspection and Testing VII-12-10 12.6 Radwaste/Augmented Radwaste Building Ventilation Radiation Monitoring System VII-12-10
12. 6. 1 Safety Objective VII-12-10
12. 6. 2 Safety Design Basis VII-12-11
12. 6. 3 Description VII-12-11 12.6.4 Safety Evaluation VII-12-11 12.6.5 Inspection and Testing VII-12-12 12.7 Turbine Building Ventilation Radiation Monitoring System VII-12-12
12. 7. 1 Safety Objective VII-12-12
12. 7. 2 Safety Design Basis VII-12-12
12. 7. 3 Description VII-12-12 12.7.4 Safety Evaluation VII-12-13 12.7.5 Inspection and Testing VII-12-13 12.8 Multi-Purpose Facility Building Ventilation Monitoring System VII-12-13
12. 8. 1 Safety Objective VII-12-13 12.8.2 Safety Design Basis VII-12-13
12. 8. 3 Description VII-12-13 12.8.4 Safety Evaluation VII-12-14 12.8.5 Inspection and Testing VII-12-14 12.9 Reactor Building Ventilation Radiation Monitoring System VII-12-14
12. 9. 1 Safety Objective VII-12-14 12.9.2 Safety Design Basis VII-12-14
12. 9. 3 Description VII-12-14
12. 9. 4 Safety Evaluation VII-12-15 12.9.5 Inspection and Testing VII-12-15 13.0 PLANT AND AUGMENTED RADWASTE (DRUM HANDLING) AREA RADIATION MONITORING SYSTEM VII-13-1 13.1 Power Generation Objective VII-13-1 13.2 Power Generation Design Bases VII-13-1 13.3 Description VII-13-1 13.3.1 Monitors VII-13-1
13. 3. 2 Locations VII-13-3 13.4 Inspection and Testing VII-13-3 14.0 ENVIRONMENTAL RADIATION MONITORING INSTRUMENTS VII-14-1 14.1 General VII-14-1 14.2 Description VII-14-1 14.2.1 External Radiation Background VII-14-1 14.2.1.1 Initial G.M. Instrument Measurements VII-14-1 14.2.1.2 Thermoluminescent Dosimeters (TLD) VII-14-1
14. 2. 2 Air Sampling VII-14-1 14.2.3 Inspection and Testing VII-14-2 15.0 RADIOLOGICAL PROTECTION AND RADIOCHEMISTRY INSTRUMENTS VII-15-1 15.1 Portable Radiation Survey Instruments VII-15-1 15.2 Personnel Radiation Monitoring Devices VII-15-1 15.3 Personnel Contamination Monitoring Devices VII-15-1 15.4 Constant Air Monitors VII-15-1 15.5 Counting Room Instruments VII-15-1 15.6 Radiochemistry Instruments VII-15-1 15.7 Inspection and Testing VII-15-1 16.0 PROCESS COMPUTER SYSTEM VII-16-1 16.1 Power Generation Objective VII-16-1 vii-1-7 01/17/14

USAR VII - CONTROL AND INSTRUMENTATION (Cont'd.)

PAGE 16.2 Power Generation Design Basis VII-16-1 16.3 Description VII-16-1 16.3.1 Computer System Components VII-16-1 16.3.1.1 Central Processors VII-16-1 16.3.1.2 Bulk Memory Subsystem VII-16-2 16.3.1.3 Peripheral Input/Output Subsystem VII-16-2 16.3.1.4 Process Input/Output Subsystems VII-16-2 16.3.1.5 Operator Console VII-16-2 16.3.1.6 Programming and Maintenance Consoles VII-16-2 16.3.2 Reactor Core Performance Function VII-16-2 16.3.2.1 Power Distribution Evaluation VII-16-2 16.3.2.2 LPRM Calibration VII-16-9 16.3.2.3 Fuel Exposure VII-16-9 16.3.2.4 Control Rod Exposure VII-16-9 16.3.2.5 LPRM Exposure VII-16-9 16.3.2.6 Isotopic Composition of Exposed Fuel VII-16-9 16.3.3 Rod Worth Minimizer Function VII-16-9 16.3.3.1 RWM Inputs VII-16-10 16.3.3.2 RWM Outputs VII-16-11 16.3.3.3 RWM Indications VII-16-11 16.3.4 Monitor Alarm and Logging Functions VII-16-12 16.3.4.1 Analog Monitor and Alarm VII-16-12 16.3.4.2 Digital Monitor and Alarm VII-16-13 16.3.4.3 Alarm Logging and Displaying VII-16-13 16.4 Power Generation Evaluations VII-16-13 16.5 Inspection and Testing VII-16-13 17.0 STANDBY GAS TREATMENT SYSTEM VII-17-1 17.1 Safety Objective VII-17-1 17.2 Safety Design Basis VII-17-1 17.3 Description VII-17-1 17.4 Safety Evaluation VII-17-3 17.5 Inspection and Testing VII-1 7-3 18.0 ALTERNATE SHUTDOWN CAPABILITY VII-18-1 18.1 Safety Objective VII-18-1 18.2 Safety Design Basis VII-18-1 18.3 Description VII-18-1

18. 3. 1 Location VII-18-2 18.4 System Operation VII-18-2 18.5 Safety Evaluation VII-18-2 18.6 Inspection and Testing VII-18-2

19.0 REFERENCES

FOR CHAPTER VII VII-19-1 vii-1-8 04/08/15

USAR LIST OF FIGURES (At End of Section VII)

Figure No. Title VII-1-1 Use of Protective System Control and Instrumenta tion Definitions VII-1-2 Single-Cycle -BWR Control System (Flow Control Section)

Functional Block Diagram VII-1-3 Reactor Protection System Scram Trip Circuits VII-1-4 ESF Separation Concept VII-1-5 Cable Separation Scheme - ESF VII-1-6 Primary Containment Isolation System Separation Concept VII-2-3 Schematic Diagram of Logics in One Trip System VII-2-4 Schematic Diagram of Actuators and Actuator Logics VII-2-5 Reactor Protection System, Scram Functions VII-2-7 Relationshi p Between Neutron Monitoring System and Reactor Protection System VII-2-8 Functional Control Diagram for Neutron Monitoring System Logics VII-2-9 Typical Arrangement of Channels and Logics VII-2-11 Typical Configuratio n for Main Steamline Isolation Scram VII-3-3 Reactor Building Plan, Elevation 859 ft. 0 in.

VII-3-4 Reactor Building - Plan, Elevation 903 ft. 6 in.

VII-3-5 Main Steam Power Supply and Logic VII-4-9 LPCI Component Arrangement VII-4-10 Typical Emergency Core Cooling System (ECCS) Instrumenta tion VII-5-2a Detector Drive System VII-5-3 Functional Block Diagram of SRM Channel VII-5-5 Source Range Monitoring System Core Locations VII-5-6 Functional Block Diagram of IRM Channel VII-5-7 IRM Locations VII-5-8 Control Rod Withdrawal Error VII-5-9 Normalized Flux Distributio n for Rod Withdrawal Error vii-2-1 01/23/01

USAR LIST OF FIGURES (CONT'D.)

(At End of Section VII)

Figure No. Title VII-5-11 LPRM Locations VII-5-13a LPRM to APRM Assignment Scheme (System A)

VII-5-13b LPRM to APRM Assignment Scheme (System B)

VII-5-14 Envelope of Maximum APRM Deviation, Reduction in Power by Flow Control VII-5-15 APRM Tracking With On-Limits Control Rod Withdrawal VII-5-16 Assignment of LPRM Assemblies to RBM's VII-5-18 Assignment of LPRM Strings to TIP Machines VII-5-19 Traversing In-Core Probe Subsystem Block Diagram VII-5-23 Ranges of Neutron Monitoring System VII-5-24 Typical IRM Circuit Arrangement for Reactor Protection System Input VII-5-25 Typical APRM Circuit Arrangement for Reactor Protection System Input VII-6-1 Refueling Interlocks VII-7-2 RBM Flow Variance Circuit, Schematic VII-7-4 Typical Process Computer Printout VII-9-1 Recirculatio n Flow Control, Illustration VII-9-4 Recirculatio n Pump Trip (RPT) Logic Configuratio n VII-12-2 Effluent Radiation Monitoring System VII-13-2 Area Radiation Monitoring System vii-2-2 01/23/01

USAR LIST OF TABLES Table No. Title VII-1-1 System and Subsystem Separation VII-1-9 VII-1-2 Reactor Protection System and Primary Containment Isolation Inputs Sensor Suffix Letters and Division Allocation VII-1-25 VII-1-3 Reactor Protection System Four Division Grouping for a Six Channel Neutron Monitoring System VII-1-26 VII-1-4 Engineered Safety Feature (ESF) Sensor Suffix Letters and Division Allocation VII-1-27 VII-1-5 System and Subsystem Separation VII-1-28 VII-1-6 Documentation of Seismic Compliance with IEE-344 VII-1-31 or GIP-3 VII-1-7 Reactor Water Level Instrumentation VII-1-32 VII-2-1 Reactor Protection System Instrumentation Environmental Conditions VII-2-15 VII-2-2 Reactor Protection System/ATWS Scram Trip Functions and Analytical Limits VII-2-22 VII-3-2 Primary Containment Isolation System Instrument Specifications VII-3-10 VII-3-6 Primary Containment Isolation System (PCIS) Signals and Isolations VII-3-21 VII-4-1 High Pressure Coolant Injection System Instrument Specifications VII-4-5 VII-4-2 Automatic Depressurization System Instrument Specifications VII-4-12 VII-4-3 Core Spray System Instrument Specifications VII-4-16 VII-4-4 Low Pressure Coolant Injection Instrument Specifications VII-4-20 VII-5-1 SRM Trips VII-5-5 VII-5-2 IRM Trips VII-5-10 VII-5-3 LPRM Trips VII-5-13 VII-5-4 APRM Trips VII-5-17 VII-6-1 Refueling Interlock Effectiveness VII-6-6 VII-7-1 Reactor Manual Control System Instrument Specifications VII-7-11 VII-8-1 Reactor Vessel Instrumentation Instrument Specifications VII-8-3 VII-8-2 Reactor Vessel Level and Pressure Instrument Cross Reference VII-8-4 vii-3-1 04/06/05

USAR LIST OF TABLES (CONT'D.)

Table No. Title VII-12-1 Process Radiation Monitoring Systems Characteris tics VII-12-3 VII-12-2 Process Radiation Monitoring System Environment al and Power Supply Design Conditions VII-12-6 VII-13-1 Plant and Augmented Radwaste (Drum Handling)

Area Radiation Monitoring System Environment al and Power Supply Design Conditions VII-13-2 VII-13-2 Plant and Augmented Radwaste (Drum Handling) Area Radiation Monitoring System Channels, Ranges, Locations VII-13-4 VII-16-1 Typical Nuclear Process Monitoring Instrumenta tion Input Summary VII-16-3 VII-16-2 Typical PMIS Instrumenta tion Output Summary Signal Output Description VII-16-8 vii-3-2 01/23/01

USAR 1.0

SUMMARY

DESCRIPTION The control and instrumentation section presents the details of the more complex control and instrumentation systems in the station. Some of these systems are safety systems; others are power generation systems.

1.1 Safety System The safety systems described in the control and instrumentation section are the following:

1. Nuclear safety systems and Engineered Safety Features (required for accidents and abnormal operational transients)

Reactor Protection System (USAR Section VII-2.0)

Primary Containment Isolation System (PCIS) (USAR Section VII-3. 0)

Emergency Core Cooling System (ECCS) Control and Instrumentation (USAR Section VII-4.0)

Neutron Monitoring System ( specific portions) ( USAR Section VII-5.0)

Main Stearn Line Radiation Monitoring System (USAR Section VII-12.1)

Reactor Building Isolation Ventilation Radiation Monitoring System (USAR Section VII-12.4)

Standby Gas Treatment System (USAR Section VII-17.0)

2. Process safety systems (required for planned operation)

Neutron Monitoring System (specific portions) (USAR Section VII-5.0)

Refueling Interlocks (USAR Section VII-6.0)

Reactor Vessel Instrumentation (USAR Section VII-8.0)

Process Radiation Monitors (except Main Steam Line Radiation Monitoring System and Reactor Building Isolation Ventilation Radiation Monitoring System) (USAR Section VII-12.0)

1. 2 Power Generation Systems The power generation systems described in this chapter are as follows:

Reactor Manual Control System (USAR Section VII-7.0)

Recirculation Flow Control System (USAR Section VII-9.0)

Feedwater System Control and Instrumentation (USAR Section VII-10.0)

Pressure Regulator and Turbine-Generator Control (USAR Section VII-11.0)

Area Radiation Monitors (USAR Section VII-13.0)

Site Environmental Radiation Monitors (USAR Section VII-14.0)

Radiological Protection and Laboratory Analysis Radiation Monitors (USAR Section VII-15.0)

Process Computer System (USAR Section VII-16.0)

VII-1-1 01/23/01

USAR

1. 3 Safety Functions The major functions of the safety systems are summarized as follows:
1. Reactor Protection System The Reactor Protection System initiates an automatic reactor shutdown (scram) if monitored nuclear system variables exceed pre-established limits. This action prevents fuel damage and limits system pressure and thus restricts the release of radioactive material.
2. Primary Containment Isolation System (PCIS)

This system initiates closure of various automatic isolation valves in response to off-limit nuclear system variables. The action provided limits the loss-of-coolant from the reactor vessel and contains radioactive materials either inside the reactor vessel or inside the primary containment.

The system responds to various indications of pipe breaks or radioactive material release.

3. Emergency Core Cooling System (ECCS) Control and Instrumentation This subsection describes the arrangement of control devices for High Pressure Coolant Injection, Automatic Depressurization, Core Spray, and Low Pressure Coolant Injection.
4. Neutron Monitoring System The Neutron Monitoring System uses in-core neutron detectors to monitor core neutron flux. The safety function of the Neutron Monitoring System is to provide a signal to shut down the reactor when an overpower condition is detected. High average neutron flux is used as the overpower indicator. In addition, the neutron monitoring system provides the required power level indication during planned operation.
5. Main Steam Line Radiation Monitoring System Gamma sensitive radiation monitors are installed in the vicinity of the main steam lines just outside the primary containment. These monitors can detect a gross release of fission products from the fuel by measuring the gamma radiation coming from the steam lines. A high radiation trip signal is sent to the Primary Containment Isolation System ( PCIS) to initiate closure of the reactor water sample valves. The trip signal also turns off the mechanical vacuum pump, if running, and closes the mechanical vacuum pump inlet and outlet valves.
6. Reactor Building Isolation Ventilation Radiation Monitoring System This subsection describes the monitoring system used to indicate high radiation in the exhaust plenum of the reactor building heating and ventilating system, initiate a Group 6 isolation of the reactor building, start the standby gas treatment system and initiates the control room emergency filtration system.
7. Refueling Interlocks The Refueling Interlocks serve as a backup to procedural core reactivity control during refueling operation.

VII-1-2 04/08/02

USAR

8. Reactor Vessel Instrumentation The Reactor Vessel Instrumentation monitors and transmits information concerning key reactor vessel operating parameters during planned operations to insure that sufficient control of these parameters is possible.
9. Process Radiation Monitors (except Main Steam Line Radiation Monitoring Systems and Reactor Building Isolation Ventilation Radiation Monitoring System)

A large number of radiation monitoring systems are provided on process liquid and gas lines to provide sufficient control of radioactive material release from the site.

10. Standby Gas Treatment System This system processes effluent from the reactor building (secondary containment), limiting the discharge of radioactive material to the environs. The controls and instrumentation assure that the radioactivity released to the environs is kept as low as practical and within the guideline values of 10 CFR 20, 10 CFR 50.67 and 10 CFR 100.
1. 4 Station Operational Control The major systems used to control the station during planned operations are listed below and are illustrated by Figure VII-1-2.
1. Reactor Manual Control System This system allows the operator to manipulate control rods and determine their positions. Various interlocks are provided in the control circuitry to avoid unnecessary safety system action resulting from operator error.
2. Recirculation Flow Control System This system controls the speed of the two reactor recirculation pumps by varying the electrical frequency of the power supply for the pump motors. By varying the coolant flow rate through the core, power level may be changed. The system is arranged to allow for manual control (operator action).
3. Feedwater System Control and Instrumentation This system regulates the feedwater system flow rate so that proper reactor vessel water level is maintained. The feedwater system controller uses reactor vessel water level, main steam flow, and feedwater flow signals to regulate feedwater flow. The system is arranged to permit single element (level only), three element (level, steam flow, feed flow), or manual operation.
4. Pressure Regulator and Turbine-Generator Controls Normally, the pressure regulator controls steam admission valve position to maintain constant reactor pressure. The ability of the station to follow system load is accomplished by adjusting the reactor power level, either by regulating the reactor coolant recirculation flow or by moving control rods. However, the turbine speed governor can override the VII-1-3 02/05/10

USAR pressure regulator, and the steam admission valves will close when an increase in system frequency or a loss of generator load causes the speed of the turbine to increase.

A single pressure regulator, with a backup regulator, is used to control both the turbine admission valves and the turbine bypass system valves.

The backup pressure regulator is provided to take over control of pressure in the event the operating regulator should fail. The set point of the backup regulator is normally a few psig above the set point of the normal operating pressure regulator.

1.5 Definitions See USAR Section I-2 and Technical Specifications Section 1.1 for Definitions.

1. 6 System Suppliers and Design Basis [ll The safety related systems which actuate reactor trip and engineered safety feature action and which were designed and supplied by General Electric Company are:
1. Reactor Protection System
2. Nuclear steam supply isolation valves control
3. Core Standby Cooling Systems control and instrumentation
4. Neutron Monitoring System (specific portions)
5. Main Steam Line Radiation Monitoring System Suppliers other than General Electric for the protection system have not been utilized.

Burns & Roe designed the engineered safeguards systems listed below:

1. Engineered Safeguards Heating and Ventilation System
2. Reactor Building Ventilation System Radiation Monitoring System
3. Emergency Service Water System
4. RHR Service Water System
5. Standby a-c Power Supply
6. 125/250V d-c Power Supply
7. 24V d-c Power Supply The following operational control systems were supplied by General Electric Company: [21
1. Neutron Monitoring System (specific portions)
2. Refueling interlocks VII-1-4 01/23/01

USAR

3. Reactor Manual Control System
4. Reactor vessel instrumentation
5. Recirculation Flow Control System
6. Feedwater system control and instrumentation
7. Area radiation monitors The following operational monitoring system was supplied by Science Application International Corporation during 1985 and 1986.
1. Process Computer System
1. 7 Design Criteria The design of protection systems conforms to the "Proposed Criteria for Protection Systems for Nuclear Power Generating Stations (IEEE-279)," as described in NEDO-10139, "Compliance of Protection Systems to Industry Criteria: General Electric BWR Nuclear Steam Supply System."

Category I instrumentation and Class IE electrical equipment conform to IEEE-344-1971, "IEEE Guide for Seismic Qualification of Class IE Electrical Equipment for Nuclear Power Generating Stations," or to Revision 3 of the Generic Implementation Procedure (GIP-3) as modified and supplemented by the U.S. Nuclear Regulatory Commission Supplemental Safety Evaluation Report (SSER) No. 2 and SSER No. 3. Criteria for conformance to these standards are described herein.

The safety systems are designed so that, once initiated, automatic actions go to completion. Resetting the signal will not result in the automatic return to previous state. Return to normal operation after isolation action requires deliberate operator action.

1. 7. 1 Single Failure Criteria A compliance comparison of the RPS and ECCS design with each design requirement of the proposed IEEE-279 is given in Atomic Power Equipment Division (APED) Topical Report NEDO 10139 dated June, 1970. This report is applicable to the Cooper Plant. DC 76-2 removed the LPCI Loop Select function.

Therefore the discussion about Loop Select in NEDO 10139 is historical information and does not reflect the current plant configuration. The exception from single failure criterion (proposed IEEE-279 Par. 4.2) that was taken for LPCI controls and instrumentation by NEDO 10139 is no longer applicable.

The conclusion of this Topical Report is that RPS and ECCS compliance with the proposed IEEE-279 is achieved.

In particular, satisfaction of the Single Failure Criterion and the Channel Independence requirements are given in the following tables of NEDO 10139:

System Table Pages RPS 2-2 2-22 and 2-23 LPCI 3-6 3-54 cs 3-2 3-7 HPCI 3-8 3-86 VII-1-5 08/08/01

USAR System Table Pages ADS 3-10 3-107 Cont. Isolation 4-3 4-12 As a result of additional ACRS concerns expressed in Vermont Yankee and Pilgrim hearings increased separation of the following switches and cables have been added.

1. Main Steam Line Isolation Valve Logic Reset Switches
2. HPCI High Flow Instrument Locations on Racks
3. RCIC High Flow Instrument Locations on Racks
4. HPCI Isolation Valves Logic Reset Switch
5. RCIC Isolation Valves Logic Reset Switch
6. HPCI Inboard Isolation Valve Switch
7. RCIC Inboard Isolation Valve Switch With these additions CNS satisfies the safety design bases and the requirements of the proposed IEEE-279, as described in NEDO 10139.

As the result of additional questions raised by the DRL staff during their review of CNS during construction, the following information is submitted concerning low reactor pressure, permissive signals. The diversity of signal is provided by utilizing S-O-R (diaphragm) and a Barton (bellows) type of sensors. Channel separation is provided by locating the S-O-R sensors Al, A2 on rack 25-5 and Cl, C2 on rack 25-51 with the Barton sensor B on rack 25-6 and D on rack 25-52. [3 l

1. 7. 2 Equipment Qualification The CNS Environmental Qualification (EQ) program meets the requirements of 10CFR50.49 for electrical equipment important to safety. This equipment consists of: (1) Electric equipment relied upon to remain functional during and following design basis events to ensure the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, and the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the 10CFRl00 or 10CFR50.67 guidelines. (2) Non safety-related electric equipment whose failure under postulated environmental conditions could prevent satisfactory accomplishment of safety functions.

( 3) Certain post-accident monitoring equipment as determined per the guidelines of Regulatory Guide 1.97.

In accordance with the requirements of 10CFR50.49, a Master Equipment List (MEL) of all electrical equipment covered by the regulation is maintained. The equipment items have been catalogued by location in the plant, as a basis for identification of normal service and accident environments under which the equipment must function. [9 0J The MEL provides summary information identifying each EQ item and its characteristics and environmental requirements.

Original CNS electrical equipment that falls under the scope of the EQ Rule has been environmentally qualified using the methodology described VII-1-6 04/17/18

USAR in the "Division of Operating Reactors Guidelines for Evaluating Environmental Qualifications of Class lE Electrical Equipment in Operating Reactors" (DOR Guidelines), in accordance with 10CFR50.49(k). Replacement components and new EQ equipment are qualified in accordance with Regulatory Guide 1.89, Revision 1, in accordance with 10CFR50.49(1).

1. 7. 3 Channel Independence [7 l 1.7.3.1 Criteria for Preserving the Independence of Redundant Channels A. Reactor Protection System (RPS) and Primary Containment Isolation System (PCIS) - General Rules
1. Wiring for the RPS outside of the main protection system cabinet is run in rigid conduits used for no other wiring and is conspicuously identified at all junction or pull boxes. Under-vessel neutron monitoring cables are exempted from the requirement of rigid conduit installation because of space limitations and need for flexibility on SRM and IRM cables.
2. Wiring to redundant sensors on a common process tap are run in separate conduits to their separate destinations in order to meet the single failure criteria.
3. Wiring for sensors of more than one variable in the same trip channel may be run in the same conduit.
4. Wires from both RPS trip system trip actuators to a single group of scram solenoids may be run in a single conduit. However, a single conduit does not contain wires to more than one group of scram solenoids. Wiring for two solenoids on the same control rod may be run in the same conduit.
5. Cables through the primary containment penetrations are so grouped as to insure that failure of all cabling in a single penetration cannot prevent a scram and isolation. ( This applies specifically to the neutron monitoring cables and MSIV position switches.)
6. In accordance with the contract specifications, the cables are generally continuous in length between terminations with minimum splicing permitted.
7. RPS Special Considerations: The APRM of the RPS has six (A, B, C, D, E, F) independent input instrument channels for each measured parameter (see Figure VII-1-3). The six separate conduits for the six sensors for a specific parameter are kept segregated. In no case could the total disabling of equipment within a single di vision be capable of preventing a required scram action under permitted bypass conditions.

B. Engineered Safety Feature (ESF) and Other Class IE Equipment The following general rules are used to determine the allocation of the electrical wiring between the segregated divisions.

1. Basic Criteria: Separation is such that no single failure can prevent operation of an engineered safety function (i.e., core cooling) Redundant (even dissimilar) systems may be required to perform the required function to satisfy the single failure criteria.

Table VII-1-1 illustrates the separation of subsystems of the ESF and the PCIS Valves.

VII-1-7 01/23/01

USAR Figures VII-1-4 and Figure VII-1-5 illustrate the ESF equipment separation into two basic di visions and the allowable interaction s through isolating devices. Interconnec ting conduits are assigned to the same division as the power for the contained circuits and separation between divisions is maintained except at the immediate area of entrance to the cabinet of the other division.

2. The inboard primary containment isolation valve wiring between the control panel and the valve proper is separated from the outboard isolation valve wiring. See Figure VII-1-6 which illustrates this requirement .

C. Vital Auxiliary Systems [Bl The Service Water and Reactor Equipment Cooling systems have been designed in accordance with the proposed criteria for nuclear power plant protection systems (IEEE-279) for Engineered Safety Features. Electrical power for control and instrumenta tion is provided from separate critical buses designated for Division I and Division II service. Initiating and control instrumenta tion is redundant per Division I and Division II requirement s.

Electrical wire and cable is run in separate Division I and Division II raceways rated for Seismic Class IS support service, with separation criteria maintained throughout.

The fire protection system is not an Engineered Safety Feature as such. Redundancy has, however, been provided by the use of electrical motor driven and diesel engine driven fire pumps. In addition, all plant cable run in tray networks is fire-resista nt and not subject to fire-propag ation.

Instrument air is not required for safe shutdown of the plant and has therefore not been classified as an Engineered Safety Feature.

Safety related equipment circuits have been reviewed to insure that the disabling of one component does not render other components inoperable. l 9 l CNS reviewed all interlocks on 4160 volt and 480 volt breakers as well as motor starter interlocks on all motor control centers to determine whether there would be inadvertent disabling of one component by racking out circuit breakers or starters in any of the following safety related systems:

Automatic Depressuriz ation System Reactor Protection System Residual Heat Removal System Standby Liquid Control System Reactor Water Cleanup System Core Spray System Primary Containment System LPCI, HPCI, RCIC System Emergency Equipment Cooling Water Systems Service Water System RHR Service Water Booster System Reactor Equipment Cooling System Standby Gas Treatment System Drywell Fan Coil Units VII-1-8 01/23/01

USAR TABLE VII-1-1 [7 l SYSTEM AND SUBSYSTEM SEPARATION DIVISION I DIVISION II Core Spray A Core Spray B Automatic Depressurization HPCI Inboard Nuclear Steam Supply Outboard Nuclear Steam Supply Shutoff Valves Shutoff Valves Emergency Equipment Cooling Emergency Equipment Cooling Water A Water B

-Service Water A&C -Service Water B&D

-RHR Service Water Booster A&C -RHR Service Water Booster B&D

-Reactor Equip. Cooling Water A&B -Reactor Equip. Cooling Water C&D RCIC - Reactor Core Isolation Cooling (Not an Engineered Safety Feature).

VII-1-9 01/23/01

USAR In the case of the standby liquid control system the motor starter contacts were found to interlock such that the redundant motor would be disabled. Interposing relays have been installed such that withdrawal of motor starters will not defeat the interlocks in the redundant motor.

Review of secondary containment isolation has revealed no violation, inasmuch as all isolating valves are directly actuated by two separate channels from the isolation signal and are not dependent on motor control devices. Isolation of controls is also maintained in the standby gas treatment system.

No other interlockin g contacts were found on safety related systems to disable other components of related systems.

D. Criteria for Physical Separation Requirement s Separation of equipment and wiring for the RPS, ESF and PCIS is effected into separate di visions designated as Di vision IA, IIA, IB, and IIB as indicated on Figures VII-1-3 to VII-1-6. Separation requirement s also apply to control power and motive power for all systems concerned. The separation criteria, as indicated on the above figures, develops from the consideratio n of the following hazardous areas:

1. Mechanical Damage (Missile) Zone: Adjacent pipes and other equipment have been fully secured to prevent falling on emergency equipment. Arrangement and/or protective barriers as indicated on the above figures have been designed according to the following criteria:
a. Tray Separation: In rooms or compartment s, which are missile prone zones, having rotating heavy machinery such as the main turbine generator, the reactor recirculatin g pump MG sets and the reactor feed pumps or in rooms containing high pressure steam lines such as exist between the reactor and the turbine, a minimum separation of 20 feet or a 6-inch thick reinforced concrete wall is required between trays containing cables of different divisions.

In any area containing an operating crane such as the turbine building main floor and the region above the reactor pressure vessel, there is a minimum horizontal separation of 20 feet or a six-inch thick reinforced concrete wall between trays of different divisions.

b. Switchgear units and motor control centers which are associated with two redundant safety systems and located in a missile prone zone such as discussed above have a minimum horizontal separation of 20 feet or are separated by a protective wall equivalent to a 6-inch thick reinforced concrete wall. The RPS motor-gener ator sets oriented for minimum missile damage are in separate rooms where there are not cable trays.
2. Fire Hazard Zone: All potential for fire damage to cables pertaining to the RPS, ESF, or PCIS is avoided as much as possible.

Separation is required such that fire in one division will not propagate to another division.

a. Routing of Cables through room or spaces where there is a potential for accumulatio n of large quantities (gallons) of oil or other combustible fluids through leakage or rupture of lube oil or cooling systems is avoided. Where such routing is practically unavoidable , only one division of RPS, PCIS, or ESF cables are allowed in any such space.
b. Cable Trays: The horizontal separation of cable trays of different divisions is three feet as a minimum. Where a horizontal VII-1-10 01/23/01

USAR separation of three feet is unattainable, a fire resistant barrier is provided, extending at least one foot above (or to the ceiling) and one foot below (or to the floor) line-of-sight communication between the two trays, all as indicated on the drawings.

Vertical separation of cable trays is a minimum of five feet al though vertical stacking of horizontal trays, one above the other, is avoided as much as possible for trays of different divisions. The lower tray must have a solid metal cover and the upper tray must have a solid metal bottom.

In the case of one tray crossing over another (or over a panel), there is a minimum vertical separation of 18 inches (tray bottom to tray bottom) with the bottom tray covered with a metal cover and the top tray provided with a metal bottom for a distance of five feet on each side of the tray.

The one known exception to these cable tray separation criteria occurs in the drywell. Cable trays C-8 4 and C-8 5 are Di vision I and Di vision II cable trays that completely circle the inside of the drywell. The major portion of the trays run parallel about 18 inches apart just below the second level of the drywell. This horizontal run has a metal fire barrier installed on the top of the bottom tray. The trays drop vertically on either side of the Northeast equipment hatch.

There is a single fire barrier between the two trays on their vertical runs. This provides a single fire barrier between the two trays throughout their entire length in the drywell. The installation of the vertical fire barriers provides adequate fire protection to the C-84 and C-85 cable trays. A review of the functions of the cables in these trays determined that a complete loss of these trays does not prevent the safe shutdown of the reactor or the ability to maintain it in that condition. [lOJ The cables in the trays provide control and instrumentation functions. There are no power cables in either tray. The cables are rated at 600 volts AC but supply circuits which do not exceed 120 vol ts. The current derating factors are O. 1 or less. In addition, the cable installed in these trays successfully complied with fire test specifications more stringent than those of IEEE Standard 383-1974 and the cables will not sustain or propagate a fire.

c. Conduits where stacked vertically are separated by a distance of five feet, for conduits of different divisions.
d. Floor and Wall Openings for runs of NSSS and ESF cables in cable trays are sealed with fire resistant material.
3. Cable Spreading Room (Control Building)
a. Trays: The same requirements given in Paragraph D. 2 regulating physical separation of cables and trays in fire hazard zones apply here with one added alternative applying to vertical stacking of trays, where in this case a fire-resistant barrier between trays is provided if the five-foot separation requirement cannot be met.
b. When approaching the same or adjacent control panels, cables of different di visions are run in metal ( rigid or flexible) conduit, or a fire barrier is installed, whenever the separation is less than three feet.

VII-1-11 01/23/01

USAR

c. No 4160 volt switchgear and no 480 volt switchgear or motor control centers are permitted in the Cable Spreading Room.
4. Main Control Room
a. Panels and Racks: No single control panel or instrument rack includes wiring required for the protective function of two systems which are backups for each other (Division I and Division II) without fire barrier separation or compartmentation to provide protection. Manual control switches for separate systems may be located on the same panel in those cases where it is considered unduly restrictive to install them on separate panels provided no single event can defeat the automatic operation of the equipment.
b. No power equipment other than air conditioning is permitted in the control room. Specifically, the following equipment is located in the control room:
1. Main control bench boards
2. Vertical control boards
3. Fire control panel There is an access area located behind the vertical control boards which is physically separated from the main control room requiring access through a door opening located at either end of the vertical control boards. The following equipment is located in this area:
1. Lighting transformers
2. Panel exhaust fans
3. Distribution panel boards
4. Light dimmer equipment
5. Future Cable Installation Future cable installation resulting from additional equipment installation or system upgrading will be installed in accordance with the current CNS separation criteria in effect at the time of modification.

1.7.3.2 Cable Derating A. Criteria for Rating of Cables Inside Primary Containment

1. Normal Operation Cables used in primary containment are rated 90°C continuous, 100% humidity, and lxl0 7 rads. All power cables are installed in conduit and derated by a factor of 0.67.
2. Emergency Conditions Under emergency conditions for one time operation only, the cables are rated to withstand, within six seconds, a change from VII-1-12 01/23/01

USAR normal environment as described above to 171°C and 62 psig and held to those values for two (2) hours followed by 71°C for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, under full capacity of the cable as derated for 66°C ambient temperature.

3. Testing The cables were tested in an autoclave under steam atmosphere conditions at the temperature and pressure conditions given above.

B. Criteria for Derating Cables Installed in Trays Power cables are rated 90°C and are installed in cable trays using only one vertical layer with cables separated by approximately one diameter.

They are derated by a factor of 0.9 for 40°C ambient with further derating for the number of cables as follows:

Number of Cables - 3 or less 4 5 6 Over 6 Derating Factor 0.85 0.84 0.83 0.82 0.80 The above derating factors were obtained from the 1968 Edition of the National Electric Code, Table 318-6.

Fill for trays containing control and instrument cable is subject to the following:

1. Tray fill of 50% or less is acceptable
2. Tray fill of greater than 50% and less than or equal to 70% is acceptable if the maximum hotspot temperature of the cable mass does not exceed the rating of the cables in the tray.
3. Tray fill of greater than 70% and less than or equal to 80% is acceptable if the maximum hotspot temperature of the cable mass does not exceed the rating of the cables in the tray and the cable tray support is designed for the loading level.

All trays are supported every six feet unless analyzed/evaluated by approved calculation.

C. Criteria for Derating Cables Through Penetrations Cables routed through penetrations in the primary containment wall are sized on the basis of a maximum value of heat release below fifteen ( 15) watts per linear foot. The heat release calculations are made on the basis of a 60°C ambient temperature.

1.7.3.3 Fire Detection and Protection Cables related to the Reactor Protection Systems, Engineered Safety Features, and other Class IE electric equipment are, in general, installed in conduits.

Those cables installed in the Cable Spreading Room, underneath the Control Room, are not all run in conduits due to problems of space limitation.

Some cables may run in trays. Trays are installed in accordance with the separation requirements to maintain independence of redundant channels of instrumentation. Cables are of fire-resistant construction.

VII-1-13 03/02/11

USAR Special design features are incorporate d in the fire protection and detection of the Cable Spreading Areas in order to provide protection for those cables run in trays.

A general description of the fire protection system is given in USAR Section X-9. The District's Fire Protection Program based on NFPA 8 05 provides additional information regarding separation criteria and protection of redundant divisions of safety-rela ted circuits and equipment.

Pertinent detailed specificatio ns of special features are as follows:

A. Cable Spreading Room One pre-action sprinkler system is installed in the Cable Spreading Room in the Control Building on Elevation 918' 0".

This system was designed and installed using the National Fire Protection Association Standard 13 as a guideline. Sprinkler coverage does not exceed 100 square feet for each sprinkler nozzle. The features of the system are as follows:

1. Heat sensitive detectors are located per NFPA requirement s. Heat detection by any one element sounds an alarm in the Main Control Room and releases the pre-action valve to the room.
2. Automatic fusible link sprinkler heads discharge at any location where a local elevated temperature causes discharge. Sprinklers are rated for 286°F, unless otherwise indicated.
3. The system is normally "dry" with air under a slight pressure downstream of the pre-action valve for piping supervision .
4. The system has an OS&Y gate valve, a pre-action valve, and a check valve at the supply source.
5. Provision for pushbutton start of the system from the Control Room is included in the design, in the event that the detection system does not open the pre-action valve.
6. The sprinkler system is supplied from a six-inch ( 6")

flanged branch connection from the Control Building sprinkler riser.

7. Area smoke detection is provided by ionization-t ype smoke detectors which alarm to the Control Room.

B. Cable Expansion Room One wet pipe automatic sprinkler system is installed in the Cable Expansion Room in the Controlled Corridor on Elevation 918'-0".

This system was designed using NFPA Standard 13 as a guideline. Sprinkler heads have a temperature rating of 175°F for this area.

The sprinkler system is supplied from a four-inch (4") branch connection from the Controlled Corridor fire main header.

Area smoke detection is provided by ionization- type smoke detectors which alarm to the Control Room.

VII-1-14 04/28/16

USAR C. Reactor Building Reactor Recirc. Motor Generator (RRMG) Sets One pre-action system is installed on the Reactor Building Elevation 976'-0" level for the area bounded by Columns 8.2 to 11.7 and N to Q. This system is for the RRMG Sets. Coverage does not exceed 100 square feet per sprinkler nozzle and was installed using NFPA Standard 13 as a guideline.

This system is designed and performs in accordance with the same requirements specified for the pre-action sprinkler system in the Cable Spreading Room.

The sprinkler system is supplied from a three-inch (3")

flanged branch connection from the Reactor Building sprinkler riser.

Area smoke detection is provided by ionization-type smoke detectors which alarm to the Control Room.

D. Reactor Building - RRMG Set Oil Pumps and Motors One wet pipe automatic sprinkler system is installed on the Reactor Building Elevation 958'-0" level for the area bounded by Columns P and Q and 10.5 and 12.7 excluding the stair wells. This system is for the Motor Generator Set oil pumps and motor consoles. Coverage does not exceed 90 square feet per sprinkler nozzle. At the riser connection, the system has an OS&Y gate valve and an alarm check valve which alarms to the Control Room.

Sprinkler heads have a temperature rating of 212°F for this area. The sprinkler system is supplied from a two and one half inch (2-1/2")

flanged branch connection from the Reactor Building sprinkler riser.

Area smoke detection is provided by ionization-type smoke detectors which alarm to the Control Room.

E. Reactor Building - Motor Generator Set Heat Exchangers One wet pipe automatic sprinkler system is installed on the Reactor Building Elevator 931'-6" level for the area bounded by Columns P and Q and 10.5 and 12.7 excluding the stairwells. This system is for the Motor Generator Set Heat Exchangers. Coverage does not exceed 90 square feet per sprinkler nozzle. At the riser connection, the system has an OS&Y gate valve and a flow switch which alarms to the Control Room.

Sprinkler heads have a temperature rating of 212°F for this area. The sprinkler system is supplied from a branch connection from the Reactor Building sprinkler riser.

Area smoke detection is provided by ionization-type smoke detectors which alarm to the Control Room.

F. Reactor Building - Northeast Corner Elevation 903'-6" One wet pipe automatic sprinkler system is installed on the Reactor Building Elevation 903'-6" level for the area bounded by Columns J and N and 10.5 and 12.7 excluding the stairwells. This system is for the Northeast Corner Elevation 903' -6" of the Reactor Building. Coverage does not exceed 90 square feet per sprinkler nozzle. At the riser connection, the system has an OS&Y gate valve and a flow switch which alarms to the Control Room.

VII-1-15 01/23/01

USAR Sprinkler heads have a temperature rating of 286°F for this area. The sprinkler system is supplied from a three-inch (3") branch connection from the Reactor Building Northeast fire main riser.

Area smoke detection is provided by ionization-type smoke detectors which alarm to the Control Room.

G. Intake Structure - Service Water Pump Room An automatic Halon 1301 suppression system is installed in the service water pump room. The Halon system is activated by heat and smoke-detection devices.

Area fire detection is provided by the ionization-type smoke detectors and the flame detectors in the service water pump area which alarm to the control room.

H. General for All Indoor Sprinkler Systems Sprinkler assemblies are suspended from ceilings and/or walls as required for coverage, and supports are completely independent of the equipment being protected.

Feeder lines to each sprinkler are routed through protected area and pitched to drain to valved drains.

I. Diesel Generator Rooms Independent, fully automatic CO2 protection systems are provided for each one of the two Stand-By Diesel Generator Rooms. The two systems also provide coverage for the associated Diesel Fuel Oil Day Tank Rooms. The systems are installed using NFPA Standard 12 as a guideline.

The carbon dioxide systems are interconnected such that the primary charge of each is available to the other as a reserve charge.

Each system is arranged for total flooding of each Diesel Generator Room. Upon system actuation alarms are received in the Control Room.

Provisions are made for remote and local manual activation of the systems.

The systems are actuated automatically by heat and smoke-detection devices.

Area fire detection is provided by heat detectors which I alarm to the Control Room.

J. Additional Smoke Detection Sensitive smoke detection is provided, in addition to the areas described, for the following critical areas:

1. Computer Room
2. Auxiliary Relay Board Room
3. DC Switchgear Room
4. Battery Room VII-1-16 01/08/04

USAR

5. Reactor Protection System M-G Set Room
6. Control Room
7. Control Building Basement 1.7.3.4 Administrative Responsibili ty[ 7 l During initial plant construction the administrative responsibility and control provided to assure compliance with design and installation criterion of all Class IE Electrical Systems rested on Burns and Roe, Inc., the Architect Engineer and Stearns-Roger, Quality Assurance. A detailed summary of responsibilities of these two organizations is included in Appendix "D(l)", Section 2.

1.7.3.5 Spacing of Wiring and Components in Control Boards, Panels, and Relay Racks Components and wiring in panels, control boards, and relay racks are spaced to preserve the independence of redundant channels as described under "Criteria for Physical Separation Requirements" ( see USAR Section VII-1.7.3.1).

For those isolated cases where complete separation in different panels for each channel is not possible, the cabinet where two redundant elements are installed is designed with special precautions to comply with the single failure criteria such that barriers are provided or a minimum of six inch air space is provided. Redundant cables are not connected to single switches.

Internal wiring is performed such that destruction of one wiring bundle by shorting, opening, or grounding or a combination of same will not disable the protective function.

1.7.3.6 Annunciator Circuits Annunciator circuits are not Class IE systems. The following discusses the design features of the annunciator system:

Several features have been included in the design of circuitry for annunciators to minimize common mode failures. First, the station DC battery systems are connected to all DC annunciators through DC to DC converters using transformer circuits to isolate the supply systems from the annunciator systems. Each annunciator cabinet utilizes a separate and redundant set of converters powered from separate battery systems. With this method of power distribution and isolation, a ground on any annunciator circuit does not appear on any DC battery supply system and vice versa. Furthermore, a ground on any annunciator circuit powered by one converter will not interrupt the annunciator circuits because the other DC power train will continue to power the other annunciator circuits. Second, the power distribution circuit design allows for no single failure to reduce the integrity of any part of the annunciator ground alarm. Undervoltage conditions will be detected by an over/under voltage relay connected to the annunciator circuit. Finally, with this circuit arrangement, failure or grounds on any portion of the annunciator system cannot cascade down through the DC battery systems because of the fusing, division of circuits, and isolation of power sources.

In the event of loss of annunciator circuits, the process computer system is used as backup for all major plant parameters.

VII-1-17 03/02/11

USAR

1. 7. 4 Tests and Calibration The capability for test and calibration of each protection system channel is discussed in detail in Topical Report NEDO 10139, "Compliance of Protection Systems to Industry Criteria: General Electric BWR Nuclear Steam Supply System", dated June, 1970.

Each RPS sensor is discussed in NEDO 10139 Section 2. No exceptions are taken for sensor channels or their bypasses through the final channel output signals.

Emergency Core Cooling System (ECCS) Channel Testability is discussed in a similar manner in NEDO 10139 Section 3.

Nuclear Steam Supply Isolation System Channel Testability is discussed in a similar manner in NEDO 10139 Section 4.

The entire set of BWR protection system channels is designed to comply with the proposed IEEE-279 requirement 4.10 during plant operation as illustrated in each specific instance in the NEDO 10139 Topical Report.ll1J

1. 7. 5 Indication of Protective Action Bypasses Annunciators and position indicating devices give an accurate indication when an Engineered Safety Feature has been bypassed using installed circuits and switches in fulfillment of Section 4.13 of the proposed IEEE-279, as described in NEDO 10139.

In addition, a safety system status panel is located in the main control room to provide indications when an Engineered Safety Feature has been made inoperable.

The objective of this panel is to provide a clear, concise, and centrally located indication of the status of all the safety systems to the plant operators. The appropriate lights are manually energized whenever a required component is determined to be out of service for tests, maintenance, or any other reason.

The status panel consists of a 5 x 5 array of indicating lights similar to MSC series 800 Tellite to indicate the status of the following reactor safety systems:

LPCI "A" Diesel "A" and Distribution Systems LPCI "B" Diesel "B" Core Spray "A" 250V Battery "A" Core Spray "B" 250V Battery "B" RCIC (Not an Engineered Safety Standby Gas Treatment "A" Feature)

HPCI Standby Gas Treatment "B" ADS 125V Battery "A" and Distribution Systems SLC (Not an Engineered Safety 125V Battery "B" and Distribution Feature) Systems VII-1-18 01/23/01

USAR Nine modules are used to indicate a "test" status and sixteen modules are used to indicate "operable/inoperable" status. Each indicating module has two or more lamps to provide redundancy.

The status panel is powered from 24 VDC Panel DC-A and contains a lamp to indicate when power is available. Location of the status panel is in a conspicuous but out of the way area to minimize the possibility of inadvertently canceling or energizing an indicator. Equipment tagging procedures require use of the status panel. Operating procedures require use of the status panel whenever an Engineered Safety Feature is bypassed or otherwise declared out of service. r121 There are few operator bypasses in the Emergency Core Cooling System ( ECCS) which have any effect on plant safety. For all core cooling systems the opening of fuses to relay logic panels will be annunciated in the control room. This would occur whether the fuses were pulled manually or opened from overcurrent. Each core cooling system has its own alarm independent of the other systems.

All protection system motor operated valves have position lights.

Should a pump or valve breaker be opened for maintenance, these lights can be extinguished on the control room benchboard. The valve position lights are located near the control switch and would indicate which valve has been taken out of service.

Core Spray System This system incorporates a manual override which provides the initiation signal to the inboard injection valve CS-MO12A(B). This provides the operator with a throttling capability for system flow. The valve may also be fully closed to shut off the individual system in the event that the spray sparger or injection line is not intact. This can be done only when an accident signal is present. An amber light on the benchboard indicator shows when this valve is in manual override. A subsequent accident signal initiates core spray protective action.

The core spray pumps have a similar manual override feature. With an accident signal present, and a need to manually stop the pump, the stop position of the control switch will trip the pump. Again a light on the benchboard will go on indicating manual override. Also this action would be annunciated in the control room as the respective pump is tripped.

Relays on 4160 volt motors provide protection against short circuits and locked rotor for which conditions the relays cause motor circuit breaker trip. In addition, the relays will sound an annunciator alarm when the motors exceed 15% overload, but no motor trip occurs. [l 3 J HPCI and RCIC Systems Both HPCI and RCIC (not an Engineered Safety Feature) have provision for manually tripping the turbine under any running condition. This signal is not sealed in and thus the operator must maintain the push button in the trip position. This action could be considered as an operational bypass.

An alarm in the control room (one for each turbine) is provided to indicate a turbine trip. Neither turbine is likely to be accidentally placed out of service by tripping in the control room during normal plant operation. r13 J Any accidental trip will be corrected promptly by operator notification of the trip by the alarm.

The HPCI system requires an auxiliary oil pump for the control valve. This pump starts on the accident signal. ll 3 J A pull to lock in stop VII-1-19 01/23/01

USAR feature is incorporated in the control room switch for the purpose of personnel safety during maintenance. The pull to lock feature could also be used to secure the turbine in the event of unsafe turbine failure or to prevent HPCI injection flow when it is not required to assure adequate core cooling. Should the switch be in the pull to lock position, an alarm in the control room will annunciate.

RHR System The RHR pumps have a manual override feature similar to that of the Core Spray System. This allows the opera tor to stop the pump when an accident signal occurs. An amber light will go on indicating that the pump is on manual override. The RHR pumps can only be sealed out in stop when an accident signal occurs. Thus, this feature can not override the pump during normal operation. A subsequent accident signal initiates RHR protective action. fl 3 J Reactor Water Level Instrumentation The Reactor Water Level Instrumentation provides automatic system actuation for various system and protective functions such as RPS, ECCS, PCIS, and specific plant system controls. It also provides indication and recorder logging to the plant operators as described below.

The primary means of monitoring reactor coolant inventory is via differential pressure sensing instruments that measure the pressure difference between a constant head "reference leg" and variable head "variable leg" which changes as the water level in the reactor changes. Both legs are subject to the same static pressure of the reactor, allowing the instruments to operate over the full range of reactor pressures.

The Reactor Water Level Instrumentation uses di verse instrumentation types and redundant sensing line connections to the reactor vessel.r.1.

In order to assure that the differential pressure head corrections for the sensing legs remain valid and reference leg "degassing" or boil-off does not occur, "reference leg backfill" provisions are made to inject cool water into the cold reference legs. During normal operation this is done via the CRD system as described in USAR Section III-5.5.2. During accident conditions, Suppression Chamber water is injected into the reference legs from the Core Spray System, as described in USAR Section VI-4. 3. 3. r1231

1. 7. 6 Information Readout - Reactor Core and Primary Containment ll 4 J The following process instrumentation provides information to the operator in the control room for monitoring conditions in the reactor:
1. Reactor Water Level The reactor vessel water level instrumentation described below will be operable during normal operation. NPPD Drawing CNS-NBI-10 provides a graphical correlation of the range of indication of these instruments. The following primary instruments that transmit the signal to the control room are located on various local racks in the reactor building:
a. Two narrow range reactor water level indicators located in the control room operating from separate differential pressure transmitter systems have a range from Oto 60 inches. The zero of the system is 158 inches above Fuel Zone Zero, a reference level called Instrument Zero.

These two systems are selectively connected to a control room recorder and VII-1-20 01/23/01

USAR provide the level signal for the feedwater control system. A third indicator from a separate transmitter is provided to assist in resolving indication ambiguities due to electronic failure of either of the two redundant channels.

b. Two wide range reactor water level indicators located in the control room operating from separate level columns and transmitter systems have a range from -155 to +60 inches. The zero of the system is referenced to Instrument Zero. These two systems also provide signals to redundant control room recorders to display direct and immediate trend or transient information. A third indicator from a separate transmitter is provided to resolve any indication ambiguity due to electronic failure of either of the two redundant channels. These channels have been qualified to ensure their operability during and following a LOCA or high-energy-line-break .
c. Two fuel zone level indicators located in the control room operating from separate differential pressure transmitter systems have a range from -320 to +60 inches. The zero of the system is referenced to Instrument Zero. These two systems also provide signals to redundant control room recorders to display direct and immediate trend or transient information.

A third indicator from a separate transmitter is provided to resolve any indication ambiguity due to electronic failure of either of the two redundant channels. These channels have been qualified to ensure their operability during and following a LOCA or high-energy-line-break .

d. One steam nozzle range level indicator located in the control room provides indication from +0 to +180 inches referenced to Instrument Zero. This indicator provides the operator with an indication of whether the reactor coolant has reached, and spilled into, the main steam lines. This channel has been qualified to ensure its operability during and following a LOCA or high-energy-line-break .
e. A shutdown range reactor water level indicator located in the control room provides level indication from Oto 400 inches referenced to Instrument Zero. This indication is used when filling the reactor pressure vessel in preparations for refueling. [l0 4 J The various Reactor Water Levels of interest are identified in Table VII-1-7.
2. Reactor Pressure The reactor vessel pressure instrumentation described below will be operable during normal operation as well as during and after a LOCA.

The following primary instruments that transmit the signal to the control room are located on various local racks in the reactor building:

a. Two pressure indicators located in the control room operating from separate pressure transmitter systems have a range from Oto 1200 psig. These two systems are selectively connected to a control room recorder. A third indicator from a separate transmitter is provided to resolve any indication ambiguity due to electronic failure of either of the two redundant channels. In addition, reactor vessel pressure is redundantly monitored by 0-1500 psig pressure transmitters in each RPS division.

VII-1-21 08/18/08

USAR

b. A mechanical pressure gauge is located on Instrument Rack 25-51 in the Reactor Building on the 903 foot level. The pressure gauge is a Perma-Cal 0-1500 psig. The pressure monitored is that immediately above the core plate. The gauge has been seismically qualified to 2. 5 g. [B 9 J The systems discussed above are adequate in design to perform their respective control and safety functions.
3. Containment Pressure Normal containment pressure is monitored continuously by means of a local pressure gauge and a remote recorder in the control room.

Range of measurement is from O - 2 psig.

Pressure is redundantly monitored by narrow and wide range pressure transmitters in each RPS di vision. The narrow range monitors the range of -5 to +5 psig and the wide range monitors the range 0-250 psig.

4. Containment Temperature Containment temperature is monitored continuously by indicators and recorders in the main control room. Specific points of measurement are listed in USAR Section V-2.3.9.
5. Suppression Chamber Temperatures Suppression chamber air temperatures are indicated and recorded in the main control room from two separate temperature sensing systems. Range of indicating measurement is from 0-400°F. Range of recording is 0-400°F.
6. Suppression Chamber Water Level Suppression chamber water level is indicated and recorded in the main control room from two separate level transmitters. Range of indication is from -4 feet to +6 feet of vessel centerline. Range of recording is from -4 feet to +6 feet. [lOSJ
7. Containment Water Level Containment water level is redundantly monitored by narrow and wide range instruments in each RPS division. The narrow range instruments are used to monitor water level in the suppression pool. The narrow range instruments provide water level measurements in the suppression pool with a range of 0-30 feet. The wide range instruments are used to monitor water level in both the suppression pool and the drywell. The wide range instruments provide water level measurements in the suppression pool and the drywell with a range of 0-100 feet.
8. Containment Moisture Containment moisture level is monitored by four (4) dew point sensors located in the inlet ducts to the four drywell fan coil units.

Readout is on four ( 4) recorders in the main control room. The range of indication is Oto 100°F.

VII-1-22 03/09/07

USAR

9. Containment Radiation For monitoring radiation inside the primary containment, a three-channel monitor with filter particulate collector, iodine collector, and gaseous activity monitor is provided.

Two redundant Victoreen Model 877 area radiation detectors are located 180 degrees from each other within containment above elevation 901 '-6". The detector's range is from 1 R/hr to 10 7 R/hr. Detector readouts are located in the Control Room.

10. Suppression Pool Water Temperature Suppression pool water temperature is indicated and recorded in the main control room from two separate sensing devices. Range of indicating measurements is 0-250°F. Recording range is 0-250°F.
11. Containment Oxygen Containment oxygen is monitored sequentially at three locations inside the primary containment and one location in the suppression chamber. Redundant systems are provided for measuring containment oxygen. The range of monitoring is 0-30% for normal operation with provision for switching range to 0-10% on the redundant system (Division I). Recording is maintained in the control room using a digital meter or two (2) recorders. High Oxygen and High-High Oxygen is annunciated in the control room. [1361
12. Containment Hydrogen Containment hydrogen is monitored sequentially at three locations inside the primary containment and one location in the suppression chamber. Redundant systems are provided for measuring containment hydrogen.

Ranges of operation are 0-30% for each system. Recording and annunciation of High Hydrogen and High-High Hydrogen are on separate local panels and in the control room. [1361

1. 7. 7 Identification of Class IE Equipment [161 A. General. Equipment associated with the RPS, PCIS, and ESF is identified so that two facts are physically apparent to the operating and maintenance personnel: first, that the equipment is part of the RPS, PCIS, or the ESF equipment; and second, the grouping (or division) of enforced segregation with which the equipment is associated.

B. Panels and Racks. Panels and Racks associated with RPS, PCIS, and ESF are labeled with marker plates which are conspicuously different from those for other similar panels by means of yellow color and distinctive shape. The marker plates include identification of the proper division (I or II, etc., per Tables VII-1-2 through VII-1-5) of the equipment included and as indicated on the drawings.

C. Junction or Pull Boxes. Junction and/or pull boxes enclosing wiring for the RPS, PCIS, and ESF have identification similar to and compatible with the panels and racks considered in Paragraph B above.

D. Cables and Conduits. Tags for the cables and conduits external to cabinets and/or panels for the RPS, PCIS, and ESF are conspicuously different from other similar tags; they are of yellow color, and the identification includes the division numeral (I or II as applicable) and as shown on drawings. Non-safety cables are tagged white (I or II).

VII-1-23 01/23/01

USAR E. Trays. Those trays or conduits which carry RPS, PCIS, and ESF wiring are identified at entrance points of each room they pass through (and exit points unless room is small enough to facilitate convenient following of cable) with a conspicuous tag bearing the initials ESS-1 for Division I ESS-II for Division II, and as indicated on the drawings.

F. Sensory Equipment Grouping and Designation Letters.

Redundant sensory equipment is identified by suffix letters in accordance with Table VII-1-2 for the RPS and PCIS, Table VII-1-3 for the RPS and Table VII-1-4 for the ESF. These tables also show the allocation of sensors to separated divisions.

1. 7. 8 Seismic Criteria ri 7J A. Reactor Protection and Engineered Safety Features A test and analyses program was performed to evaluate the seismic performance of typical GE-BWR Nuclear Steam Supply Instrumentation.

The Class IE instruments for the following essential systems were designed, analyzed, and tested to ensure performance of their primary functions without spurious response during and after an earthquake:

Reactor Protection System Nuclear Boiler System CRD Hydraulic System Neutron Monitoring System Emergency Core Cooling System (ECCS)

Process Radiation Monitoring Systems

1. Criteria Control and instrumentation is used on many nuclear power plants with differing seismic requirements. Such products are designed and qualified for seismic loading which may be in excess of the particular requirements for any given site. This is true for CNS in that the equipment was previously qualified to perform its required function during and after a design basis earthquake as defined in IEEE 344-1971, paragraph 2.2 with the acceleration values chosen to be:

Horizontal 1. 5g Vertical .5g Frequency 5 - 33 Hz Experience has justified the lower frequency limit of 5 Hz. Testing many components and assemblies has shown that due to their physical size and weight, the lowest resonances occurred above 10 Hz. Also, there were no indications that these were anything but fundamental resonances since no subharmonics were discerned in the 5 Hz to 10 Hz range. So long as resonances do not exist, the equipment is in no way sensitive to the frequency of vibration and a test to determine the acceleration at which malfunction occurs can be run at any frequency. Tests were run at 30 Hz in order to reach the highest accelerations which the vibration equipment could provide since the needed linear displacement for a given acceleration decreases with frequency and this was often found to be the limiting variable.

VII-1-24 01/23/01

USAR TABLE VI I-1-2 * [l 6 J REACTOR PROTECTION SYSTEM AND PRIMARY CONTAINMENT ISOLATION INPUTS SENSOR SUFFIX LETTERS AND DIVISION ALLOCATION**

Total No.

Sensors DIV. IA DIV. IB DIV. IIA DIV. IIB Tri£ Sy_s. Al Tri£ Sy_s. Bl Tri£ Sy:s. A2 Tri£ Sy:s. B2 4 A B C D 8 AE BF CG DH 16 AEJN BFKP CGLR DHMS (Trip Sys. (Trip Sys. (Trip Sys. (Trip Sys.

sub-chan. Al) sub-chan. Bl) sub-chan. A2) sub-chan. B2)

  • See Figures VII-1-3 and VII-1-6.
    • This Division does not apply to the six channel APRM System which must have a special four group arrangement to allow for maintenance bypassing of a single channel in each protection system without violating the single failure criteria (see Table VII-1-3).

VII-1-25 01/23/01

USAR TABLE VII-1-3* [lGJ REACTOR PROTECTION SYSTEM FOUR DIVISION GROUPING FOR A SIX CHANNEL NEUTRON MONITORING SYSTEM DIVISION IA IIA IB IIB Channel Designation Letter A C E F D B Trip System Sub Channel Al A2 Al Bl B2 B2 A2 Bl

  • See Figure VII-1-3.

VII-1-2 6 01/23/01

USAR TABLE VII-1-4*l 16 l ENGINEERED SAFETY FEATURE (ESF)

SENSOR SUFFIX LETTERS AND DIVISION ALLOCATION Total No. DIVISION I DIVISION II Sensor for Each Sensor Suffix Sensor Suffix Parameter Letters Letters 4 A / C B I D Operate System A Operate System B directly, and directly, and System B through System A through isolation devices isolation devices

  • See Figure VII-1-5.

VII-1-27 01/23/01

USAR TABLE VII-1-5[ 161 SYSTEM AND SUBSYSTEM SEPARATION DIVISION I DIVISION II Core Spray A Core Spray B Residual Heat Removal A Residual Heat Removal B Low Pressure Coolant Injection Low Pressure Coolant Injection Automatic Depressurization High Pressure Coolant Injection Inboard Nuclear Steam Supply Shutoff Outboard Nuclear Steam Supply Valves Shutoff Valves Reactor Protection System Div. IA - Al, Reactor Protection System A Div. IB - Bl Div. IIA - A2, Div. IIB - B2 Standby Gas Treatment A Standby Gas Treatment B Emergency Equipment Cooling Water: Emergency Equipment Cooling Water:

Service Water A&C Service Water B&D RHR Service Water Booster A&C RHR Service Water Booster B&D Reactor Equipment Cooling A&B Reactor Equipment Cooling C&D Reactor Core Isolation Cooling (Not an Engineered Safety Feature)

Diesel Generator DGl Diesel Generator DG2 4160 Volt Switchgear lF, EGl 4160 Volt Switchgear lG, EG2 480 Volt Unit Substation lF 480 Volt Unit Substation lG Critical Motor Control Centers K, L, Q, Critical Motor Control Centers S, R, RA, DGl, CA, LX T, Y, RB, DG2, CB, TX Critical Distribution Panel A Critical Distribution Panel B Critical Control Panel CCPlA Critical Control Panel CCPlB Reactor Prot. System Power Panel A Reactor Prot. System Power Panel B Station Batteries & Chargers A Station Batteries & Chargers B DC Switchgear A DC Switchgear B VII-1-28 01/23/01

USAR Revision 3 of the Generic Implementation Procedure (GIP-3), as modified and supplemented by the U.S. Nuclear Regulatory Commission Supplemental Safety Evaluation Report (SSER) No. 2 and SSER No. 3, may be used as an alternative to other authorized methods for the seismic design and verification of existing, modified, new and replacement equipment classified as Class I and which are in the scope of equipment in GIP-3.

2. Qualification Tests, analyses and GIP-3 experience-based methods were performed to prove the capability of the equipment to withstand seismic vibrations. The equipment was divided into three main classes: (1) instruments and instrumentation and control devices, ( 2) enclosures, panels, and racks, and ( 3) primary pressure boundary devices. Tests and GIP evaluations were performed for categories 1 and 2 above and analyses were performed for category 3.

The justification for not testing the devices of category 3 is based on the fact that their primary function is the preservation of primary pressure integrity and, as such, are all subject to the requirements of the ASME Code. The Code requires that these devices undergo rigorous and conservative stress analyses with seismic loading being but one of many conditions considered.

The tests were run in conformance with IEEE 344 - 1971 in that each type device was made operational and was tested for resonances and then tested at successively higher accelerations either at the resonant frequency or, if none, at 30 Hz until malfunction occurred. The enclosures, panels, and racks were tested in an inoperative condition but with accelerometers located at critical spots to allow determination of resonances and of the amount of amplification. Knowing the acceleration malfunction level of each device, and the amount of amplification provided by the enclosure, it was then possible to determine whether the assembly would perform properly during and after a design basis earthquake of the acceleration levels given above in (1). Due to the standard designs used, the enclosures, panels, and racks were able to be subdivided into generic types and the testing performed on a representative sample of each type.

In addition, the General Electric Company has issued a generic topical report entitled "Seismic Qualification of Class I Electric Equipment" NEDO 10 67 8, November, 197 2. This report provides further detailed discussion of the above areas. Analytical procedures and testing methods for electrical equipment are discussed further in USAR Section XII-2.3.5.2.4.

The GIP method for seismic qualification was performed on certain equipment on the CNS safe shutdown equipment list ( SSEL) . This method may be used on existing, modified, new and replacement equipment and parts for this equipment and other equipment as long as the rules of GIP-3 are followed. This method is discussed further in Appendix C-3.

3. Acceptance The product being evaluated, whether reactor protection system or engineered safety feature, performed its prescribed functions without failure or unacceptable response during and after the application of the seismic accelerations described in (1) .{AG0135}

VII-1-2 9 08/08/01

USAR B. Emergency Power System

1. The equipment and accessories comprising the emergency power system are as follows:
a. 4160 volt switchgear lF, lG, EGl, and EG2.
b. 480 volt switchgear lF and lG.
c. 480 volt motor control centers K, L, Q, S, T, Y, R, RA, RB, DGl, and DG2, CA, CB, LX, and TX.
d. Control and relay boards in main control room and diesel generator room.
e. Batteries, battery racks, and chargers.
f. DC switchgear.
g. Diesel-generators and auxiliaries.
h. Cable, conduit, and cable tray.
i. Distribution panelboards.
2. The seismic design criteria applicable to the emergency power system are as follows:

The equipment and accessories must be capable of withstanding the specified seismic conditions without any failure and without false tripping or closing of circuit breakers or relays. The equipment and accessories must be capable of operation during and following the occurrence of an earthquake having seismic forces at the equipment of magnitude up to and including those listed in the specification. This may be demonstrated by testing or by use of the GIP-3 method for relay evaluation, if the relay is within the scope of the GIP-3 program.

VII-1-30 08/08/01

USAR TABLE VI I 6 [1 7 l DOCUMENTATION OF SEISMIC COMPLIANCE WITH IEEE - 344 OR GIP-3*

Equipment IEEE - 344**

4160 Volt Switchgea r Analysis and Vendor Certifica tion 480 Volt Switchgea r Analysis and Vendor Tests on Similar Equipment 480 Volt Motor Control Centers Vendor Tests on Similar Equipment Control and Relay Boards Analysis on Control Room Boards Vendor to Submit Tests on DG Boards Battery Equipment Vendor Certifica tion of Complianc e for Batteries and Racks, and for Tests on Chargers and Inverters DC Switchgea r Vendor Tests on Similar Equipment Diesel-Ge nerator Vendor has submitted Seismic Tests on Similar Equipment Conduit and Cable Tray Criteria has been Prepared for Conduit and Cable Tray Seismic Supports Distribut ion Panelboar d Vendor Certifica tion of Complianc e and Tests on Similar Panelboar ds

  • Note: When using GIP-3 method, use appropria te Screening Evaluatio n Work Sheet (SEWS) form and NARE Guideline s checklist .
    • Note: Table lists the documenta tion of the listed equipment original qualifica tion to IEEE 344-1971. Subsequen t qualifica tion for equipment was performed using the Generic Implemen tation Procedure (GIP) for equipment identifie d on the safe shutdown equipment list (SSEL) under the USI A-46 program.

VII-1-31 08/14/18

USAR TABLE VII-1-7 Reactor Water Level Instrumentation Level 8: High Level Main Turbine Stop Valve Closure RCIC Turbine Trip HPCI Turbine Trip Reactor Feedwater Pump Turbine Trip Level 7: High Level Alarm Level 6: Programmed Level Control Range 10% Load Level 5: Programmed Level Control Range 100% Load Level 4: Low Level Alarm Level 3: Low Level Scram Group 2 Isolation (except Main Steam Lines)

ADS Level 3 confirmatory Low Level signal Level 2: Low Level Initiate Recirculation Pump Trip Initiate RCIC Initiate HPCI Group 3 & 6 Isolation Level 1: Low Level Initiate LPCI Pumps Initiate Core Spray System Contribute to Auto-Depressur ization Start Diesel Generator Group 1 & 7 Isolation Level 0: Low Level Containment Spray Permissive Interlock VII-1-32 08/18/08

USAR 2.0 REACTOR PROTECTION SYSTEM 2.1 Safety Objective The Reactor Protection System (RPS) provides timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier (uranium dioxide sealed in cladding) and the reactor coolant pressure boundary. Excessive temperature threatens to perforate the cladding or melt the uranium dioxide. Excessive pressure threatens to rupture the reactor coolant pressure boundary. The RPS limits the uncontrolled release of radioactive material from the fuel and reactor coolant pressure boundary by terminating excessive temperature and pressure increases through the initiation of an automatic scram.

2.2 Safety Design Basis

1. The RPS shall initiate with precision and reliability a reactor scram in time to limit fuel damage following abnormal operational transients.
2. The RPS shall initiate with precision and reliability a scram in time to prevent damage to the reactor coolant pressure boundary as a result of internal pressure. Specifically, the RPS shall initiate a reactor scram in time to prevent reactor coolant pressure from exceeding the reactor coolant pressure allowed by applicable industry codes.
3. The RPS shall initiate with precision and reliability a reactor scram upon gross failure of the reactor coolant pressure boundary, to limit the uncontrolled release of radioactive material.
4. To provide assurance that conditions which threaten the fuel or reactor coolant pressure boundaries are detected with sufficient timeliness and precision to fulfill safety design bases 1, 2, and 3; RPS inputs shall be derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.
5. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design bases 1, 2, and 3; the RPS shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.
6. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design bases 1, 2, and 3; an adequate number of sensors shall be provided for monitoring essential variables that have spatial dependence.
7. The following bases provide assurance that the RPS is designed with sufficient reliability to fulfill safety design bases 1, 2, and 3:
a. No single failure within the RPS shall prevent proper RPS action when required to satisfy safety design bases 1, 2, or 3.
b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not impair the ability of the RPS to respond correctly. During such operation the requirements of basis 7a., shall continue to be met.
c. The system shall be designed for a high probability that when any monitored variable exceeds the scram setpoint, the event shall VII-2-1 01/23/01

USAR result in an automatic scram and shall not impair the ability of the system to scram as other monitored variables exceed their scram trip points.

d. Where a plant condition that requires a reactor scram can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more RPS channels designed to provide protection against the unsafe condition, the remaining portions of the RPS shall meet the requirements of safety design bases 1, 2, 3, and 7a.
e. The power supply for the RPS shall be arranged so that loss of one supply neither causes nor prevents a reactor scram.
f. The system shall be designed so that, once initiated, a RPS action goes to completion. Return to normal operation after protection system action shall require deliberate operator action.
g. There shall be sufficient electrical and physical separation between channels and between logics monitoring the same variable to prevent environmental factors, electrical transients, and physical events from impairing the ability of the system to respond correctly.
h. Earthquake ground motions shall not impair the ability of the RPS to initiate a reactor scram.
8. The following bases are specified to reduce the probability that RPS operational reliability and precision will be degraded by operator error:
a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with important monitored variables shall be under the physical control of station operations personnel.
b. The means for manually bypassing logics, channels, or system components shall be under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously annunciated in the main control room.
9. To provide the operator with means independent of the automatic scram functions to counteract conditions that threaten the fuel or reactor coolant pressure boundary, it shall be possible for the control room operator to manually initiate a reactor scram.
10. The following bases are specified to provide the operator with the means to assess the condition of the RPS and to identify conditions that threaten the integrity of the fuel or reactor coolant pressure boundary:
a. The RPS shall be designed to provide the operator with information pertinent to the operational status of the protection system.
b. Means shall be provided for prompt identification of channel and trip system responses.
11. It shall be possible to check the operational availability of each channel and logic.

VII-2-2 01/23/01

USAR 2.3 Description 2.3.1 Identification The RPS includes the motor generator (MG) power supplies with associated control and indicating equipment, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes output to the process computer system and annunciators. The RPS is designed to meet the intent of the IEEE proposed criteria for nuclear power plant protection systems (IEEE-279). A comprehensive comparison of the RPS with the design requirements of the proposed IEEE-279 has been assembled into a topical report entitled, "Compliance of Protection Systems* to Industry Criteria and General Electric BWR Nuclear Stearn Supply System," NEDO 10139, June, 1970. The results of this analysis indicate that the RPS meets the design requirements of the proposed IEEE-27 9. [lBJ The Process Computer System and annunciators are not part of the RPS. Although scram signals are received from the Neutron Monitoring System, this system is treated as a separate nuclear safety system in USAR Section VII-5.

Two Electrical Protection Assemblies ( EPAs) were added to each RPS feeder to monitor overvoltage, undervoltage, and underfrequency. Each EPA trips after a time delay (design maximum 4 seconds) when voltage or frequency exceeds the predetermined value.

2.3.2 Power Supply Power to each of the two reactor protection trip systems is supplied, via a separate bus, by its own high inertia AC MG set (see General Electric Drawing 729E222BB, Sheet 1). Each generator has a voltage regulator which is designed to respond to a step load change of 50% of rated load with an output voltage change of not greater than 15%. High inertia is provided by a flywheel. The inertia is sufficient to maintain voltage within 5% of rated value and frequency not less than 55 hertz for at least 1.0 second following a total loss of power to the drive motor.

Alternate power is available to either RPS bus from separate standby power buses. The system also prevents paralleling a MG set with the alternate supply. 125 volt DC power is supplied to the backup scram valve solenoids from the plant batteries.

2.3.3 Physical Arrangement Instrument piping that taps into the reactor vessel is routed through the drywell wall and terminates inside the secondary containment

( reactor building) . Reactor vessel pressure and water level information is sensed from this piping by instruments mounted on instrument racks in the reactor building. Valve position switches are mounted on valves from which position information is required. The sensors for RPS signals from equipment in the turbine building are mounted locally in the turbine building. The two MG sets that supply power for the RPS are located in an area where they can be serviced during reactor operation. Cables from sensors and power cables are routed to two RPS cabinets in the control room, where the logic circuitry of the system is formed. One cabinet is used for each of the two trip systems.

The logics of each trip system are isolated in separate bays in each cabinet.

The RPS is designed as Class I equipment to assure a safe reactor shutdown during and after seismic disturbances. The detailed requirements for Class I equipment are described in USAR Appendix C.

VII-2-3 01/23/01

USAR 2.3.4 The basic logic arrangement of the system is illustrated in General Electric Drawing 729E222BB, Sheet 2. The RPS is arranged as two separately powered trip systems. Each trip system has three logics, as shown in Figure VII-2-3. Two of the logics are used to produce automatic trip signals. The remaining logic is used for a manual trip signal. Each of the two logics used for automatic trip signals receives input signals from at least one channel for each monitored variable. Thus, two channels are required for each monitored variable to provide independent inputs to the logics of one trip system. At least four channels for each monitored variable are required for the logics of both trip systems.

As shown in General Electric Drawing 729E222BB, Sheet 1, each actuator logic is a 1-out-of-2 arrangement. To produce a scram, the actuator logics of both trip systems must be tripped. The overall logic of the RPS could be termed 1-out-of-2 taken twice, as shown in Figure VII-2-4.

2.3.5 Operation To facilitate the description of the RPS, the two trip systems are called trip system A and trip system B. The automatic logics of Trip Systems A and B are logics Al, A2, Bl and B2. The manual logics are A3 and B3. The actuators associated with any particular logic are identified by the logic identity (such as actuators B2) and a letter (see Figure VII-2-3). Channels are identified by the name of the monitored variable and the logic identity with which the channel is associated ( such as reactor vessel high pressure channel Bl).

During normal operation all sensor and trip contacts essential to safety are closed; channels, and actuators are energized. In contrast, however, trip bypass channels consist of normally open contact networks.

There is one dual solenoid-operated scram pilot valve for each control rod, arranged functionally as shown in General Electric Drawing 729E222BB, Sheet 1. The solenoids for each scram pilot valve are normally energized. The scram pilot valve controls the air supply to both scram valves for each rod. With either solenoid on the scram pilot valve energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive water. One of the solenoids for the scram pilot valve for each control rod is controlled by actuator logics A, the other solenoid by actuator logics B. There are two DC solenoid-operated backup scram valves which provide a second means of controlling the air supply to the scram valves for all control rods. The DC solenoid for each backup scram valve is normally deenergized. The backup scram valves are energized (initiate scram) when both trip system A and trip system Bare tripped.

The functional arrangement of sensors and channels that constitute a single logic is shown in General Electric Drawing 729E222BB, Sheet 2. A schematic is given in Figure VII-2-3.

Whenever a channel sensor contact opens, its sensor relay deenergizes, causing contacts in the logic to open. The opening of contacts in the logic deenergizes its actuators. When deenergized, the actuators open contacts in all the actuator logics for that trip system. This action results in deenergizing the scram pilot valve solenoids associated with that trip system (one scram pilot valve solenoid for each control rod). Unless the other scram pilot valve solenoid for each rod is deenergized, the rods are not scrammed. If a trip then occurs in any of the logics of the other trip system, the remaining scram pilot valve solenoid for each rod is deenergized, venting the air pressure from the scram valves and allowing control rod drive water to VII-2-4 06/08/04

USAR act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into the scram discharge volumes ( SDVs) . General Electric Drawing 7 2 9E222BB, Sheet 1 shows that when the solenoid for each backup scram valve is energized, the backup scram valves vent the air supply from the scram valves; this action initiates insertion of every control rod regardless of the action of the scram pilot valves.

A scram can be manually initiated. There are two scram buttons, one for logic A3 and one for logic B3. Depressing the scram button on logic A3 deenergizes actuator A3 and opens corresponding contacts in actuator logics A.

A single trip system is actuated as a result, but no scram occurs. To effect a manual scram, the buttons for both logic A3 and logic B3 must be depressed. By operating the manual scram button for one manual logic at a time, followed by reset of that logic, each trip system can be tested for manual scram capability. It is also possible for the control room operator to scram the reactor by interrupting power to the RPS. This can be done by operating power supply breakers. The manual scram capability provided in the control room meets safety design basis 9.

To restore the RPS to normal operation following any single trip system trip or scram, the actuators must be manually reset. Reset is possible only if the conditions that caused the trip or scram have been cleared and is accomplished by operating switches in the control room. General Electric Drawing 729E222BB, Sheet 2 shows the functional arrangement of reset contacts for trip system A. This meets safety basis 7f.

Whenever a RPS sensor trips, it lights a printed red window, common to all the channels for that variable, on the reactor control panel in the control room to indicate the out-of-limit variable. Each trip system lights a red window indicating the trip system which has tripped. A RPS channel trip also sounds an audible alarm, which can be silenced by the operator. The annunciator window lights latch in until manually reset; reset is not possible until the condition causing the trip has been cleared. A computer printout identifies each tripped channel; however, the physical positions of RPS relays may be used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. The location of alarm windows provides the operator with the means to quickly identify the cause of RPS trips and to evaluate the threat to the fuel or reactor coolant pressure boundary.

To provide the operator with the ability to analyze an abnormal transient during which events occur too rapidly for direct operator comprehension, all RPS trips are recorded by an alarm typewriter controlled by the Process Computer System. All trip events are recorded. The first 40 are recorded in chronological sequence except that events occurring within 4 milliseconds of each other are treated as having occurred simultaneously.

Use of the alarm typewriter and computer is not required for plant safety, and information provided is in addition to that immediately available from other annunciators and data displays. The printout of trips is of particular usefulness in routinely verifying the proper operation of pressure, level, and valve position switches as trip points are passed during startups, shutdowns, and maintenance operations.

RPS inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the RPS. Signals directly from the RPS sensors are not used as inputs to annunciating or data logging equipment.

Relay contact isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the RPS satisfies safety design bases 10a and 10b.

VII-2-5 01/23/01

USAR 2.3.5.1 Alternate Rod Insertion (ARI) [1061 An Alternate Rod Insertion (ARI) system is installed as a diverse and independent backup to the RPS. ARI operates by opening (energizing) vent valves that rapidly depressurize the scram air header in a manner similar to the backup scram valves.

The ARI is initiated when sensors, which are independent of the RPS, detect abnormally high reactor pressure (higher than the RPS actuation point) or low reactor water level (Level-2, which is lower than the RPS actuation point at Level-3). Detection of such reactor conditions could be indication of an abnormal operational transient and failure of RPS to achieve shutdown. ARI can also be initiated by manual push buttons in the main Control Room. The ARI vent valves have direct position indication in the Auxiliary Relay Room.

The electrical equipment used in the ARI system energizes to initiate the ARI function, and is independent of the RPS. Certain mechanical equipment such as the scram valves are shared in accomplishing the RPS initiated scram and the ARI function.

The ARI logic and actuation devices ( solenoid valves) are DC powered to ensure availability during loss of offsite power, and to provide independence and diversity from the RPS. This equipment is not required to meet the IEEE-279 requirements for safety related equipment, nor to be powered from a safety related power source. All ARI equipment is environmentally qualified to conditions that occur with an Anticipated Transient Without Scram (ATWS) up to the time the ARI function is complete. ARI is not required to be qualified for LOCA scenarios or High Energy Line Breaks.

The ARI system equipment is discussed further in USAR Section III-5, "Control Rod Drive Mechanical Design," and the instrumentation which initiates the ARI function, which also results in a trip of the Reactor Recirculation Pumps, is discussed in USAR Section VII-9, "Recirculation Flow Control System."

2.3.6 Scram Functions and Bases for Trip Settings The following discussion covers the functional considerations for the variables or conditions monitored by the RPS. Table VII-2-2 provides the Analytical Limits for the RPS Scram Functions. [1261 The Technical Specifications list the specifications for instruments providing signals for the system. Figure VII-2-5 shows the scram functions in block form.

2.3.6.1 Neutron Monitoring System Trip To provide protection for the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The neutron monitoring system trip functions and their bases are discussed in USAR Section VII-5, "Neutron Monitoring System."

2.3.6.2 Reactor Vessel Steam Dome High Pressure High pressure within the reactor poses a direct threat of rupture to the reactor coolant pressure boundary. A reactor vessel pressure increase while the reactor is operating compresses the steam voids and results in a positive reactivity insertion causing increased core heat generation that could lead to fuel failure and system over pressurization. A scram counteracts a pressure increase by quickly reducing the core fission heat generation. The reactor vessel high pressure scram setting is chosen slightly above the VII-2-6 01/23/01

USAR reactor vessel maximum normal operating pressure to permit normal operation without spurious scram yet provide a wide margin to the maximum allowable reactor vessel pressure. The location of the pressure measurement, as compared to the location of highest reactor vessel pressure during transients, was also considered in the selection of the high pressure scram setting. The reactor vessel high pressure scram works in conj unction with the pressure relief system in preventing reactor vessel pressure from exceeding the maximum allowable pressure. This same reactor vessel high pressure scram setting also protects the core from exceeding thermal hydraulic limits as a result of pressure increases for some events that occur when the reactor is operating at less than rated power and flow.

2.3.6.3 Reactor Vessel Water Low Level - Level-3 A low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. The effect of a decreasing water level while the reactor is operating at power is to decrease the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core.

The reactor vessel low water level scram setting at Level-3 was selected to prevent fuel damage following those abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. Specifically, the scram setting is chosen far enough below normal operational levels to avoid spurious scrams but high enough above the Top of Active Fuel to assure that enough water is available to account for evaporation losses and displacements of coolant following the most severe abnormal operational transient involving a level decrease. The specific low water level scram setting at the Level-3 setpoint ensures that during normal power operation the bottom of the separator skirt is not uncovered. This protects the reactor recirculation pump from excessive carryunder of steam into the downcomer region of the reactor vessel, which would reduce the available NPSH for the reactor recirculation pump. The selected scram setting was used in the development of thermal-hydraulic limits, which set operational limits on the thermal power level for various coolant flow rates.

2. 3. 6. 4 Turbine Stop Valve Closure Closure of the main turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise collapses steam voids. The turbine stop valve closure scram, which initiates a scram earlier than either the neutron monitoring system or reactor vessel high pressure, is required to provide a satisfactory margin below core thermal hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the reactor vessel, the turbine stop valve closure scram provides additional margin to the reactor vessel pressure limit.

The turbine stop valve closure scram setting is selected to provide the earliest positive indication of valve closure. The trip logic was chosen both to identify those situations in which a reactor scram is required for fuel protection and to allow functional testing of this scram function.

The Cooper turbine has been supplied by Westinghouse while the RPS is designed around a General Electric (GE) turbine, the difference being there VII-2-7 01/23/01

are two stop valves on the Westinghouse turbine versus tour stop valves on a GE turbine. Using the Westinghouse turbine, CNS is limited to testing one out of two valves at or be Lm0 70 pmver. The G. E. c is satisfied by using tv-lO RPS limit switches on each stop valve. l\ scram signal is generated \.vhen both stop vaJves are not fully open such that each valve actuates at least one of their associated limit switches. The switches on each vaJ.ve are mechanically and electrical separated and satisfy IEEE-279. Channel Functional Testing is performed by manipulation of each stop valve during periods of low (or no) power or manual actuation of the limit switches at any power level. f 19 J Direct scram of the reactor is not provided on low main condenser vacuum. Loss of condenser vacuum results in a turbine tr ( closu:re of tJ-1e turbine stop valves), Adequate reactor protection for the loss of condenser s assured th the turbine trip result ng in a turbine stop valve closure scram. rn1 2.3.6.5 Turbine Control Valve Fast Closure i\litNh tt1e react()r and turl)ir1e ger1erato.r Elt povve.r-, fa.sl closure c)f 1.~he turbine control valves can resuJ.t :i.n a significant addition of posj live reactivity to the core as reactor ve.sse oressure rises. The turbine control val\re fast closure scram, which initiates a scrarn earlier than either the neutron monitoring system or reactor vesseJ h.1gh pressure 1 is required to provide a satisfactory margin to core thermal-hydraulic l irtL1 t. s for t }1 is category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure inserting negative reactivity tvith the control rods. Although the reactor vessel pressure scram, n unction with the pressure relief system, is adequate to prec1..ude ove1---presslJ1~J z the reactor vessel I the turbine control vaJ ve East closure s c_~r* arn PI"()\7 ides additional margin to the reactor vessel pressure limit.

The turbjne control valve fast closure scram setting is selected

~o provide timely indication of control valve fast cJosure. The trip logic was chosen to identify those situations in which a reactor scram is required for fuel protection. Four separate channels have been provided, each mechanically and electrically separated from each other, ncluding source taps. Wiring and separation criteria is .in accordance with the proposed IEEE-279.

The tl\Jestinghouse turbine does not use an acceleration signal to give RPS tr i P

  • An e qui v a 1 en t s i g n a .L i s g i v en by t u r bin e cont r o 1 v a 1 v e o i 1 pressure, which normally operates between 1750 to 2150 psig. When the turbine contro.L valves are ft111y open with the maximum control oil pressure in the hydraulic accumulators, the control valve trip system oil pressure must decrease to 1000 psig (analytical limit) before the trip oil header dump valve will open to cause the control valve to start fast closure. [.t 9 J 2.3.6.6 Main Steam Line Isolation The main steam line isolation valve (MSIV) closure scram is provided to .Limit the release of fissj on products from the reactor vessel.

Automatic closure of the MSIVs is initiated upon conditions indicative of a stearn line break. Immc~diate shutdown of the :ceactor is appropriate in such a situation. The sc'.ram initiated by MSIV closure anticipates a reactor vessel low water level scram. The MSIV scram setting is selected to give the earliest positive indication of isolation valve closure. The trip logj.c aJ lows functional testing of main steam line isolation trip channels with one steam Line isolated.

MSI 11 closure, with ceactor scram, also provides protection aqainst an overpressure condition in the main condenser in the event of a loss of condenser vacuum. [~c1 VTT-2-8 02/?.4/20

USAR 2.3.6.7 Scram Discharge Volume High Water Level Each SDV receives the water displaced by the motion of the control rod drive pistons during a scram. The SDVs are comprised of header piping, which is slightly sloped to promote draining of the SDVs to the Scram Discharge Instrument Volumes (SDIVs). The SDIVs provide a means of measuring the water level in the SDVs. Should the SDVs fill up with water to the point where not enough space remains for the water displaced during a scram, control rod movement would be hindered in the event a scram were required. To prevent this situation the reactor is scrammed when the water level in the SDIVs attains a value high enough to verify that the SDVs are filling up yet low enough to ensure that the remaining capacity in the SDVs can accommodate a scram. Prior to this level being reached, alarms and a control rod withdrawal block are generated to prevent further rod withdrawal which would necessitate more SDV capacity should a scram be required.

Per IEB 80-14 commitments, to ensure the SDV does not fill with water, the vent and drain valves are verified open at least once every 31 days. This is to preclude establishing a water inventory, which if sufficiently large, could result in slow scram times or only a partial control rod insertion.

The vent and drain valves shut on a scram signal thus providing a contained volume (SDV) capable of receiving the full volume of water discharged by the control rod drives at any reactor vessel pressure. Following a scram, the SDV is discharged into the reactor building drain system.

2. 3. 6. 8 Drywell High Pressure A high pressure inside the drywell could indicate a break in the reactor coolant pressure boundary. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce the addition of energy from the core to the coolant. The reactor vessel low water level scram also acts to scram the reactor for LOCAs. The drywell high pressure scram setting is selected to be as low as possible without inducing spurious scrams.
2. 3. 6. 9 Manual Scram The operator is provided with a means to shut down with RPS manual scram push buttons located in the control room.

2.3.6.10 Reactor Mode Selector Switch in Shutdown The reactor mode selector switch provides appropriate protective functions for the condition in which the reactor is to be operated. The reactor is to be shut down with all control rods inserted when the mode selector switch is in SHUTDOWN. To enforce the condition defined for the SHUTDOWN position, placing the reactor mode selector switch in the SHUTDOWN position initiates a reactor scram. This scram is not considered a protective function because it is not required to protect the fuel or reactor coolant pressure boundary, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short time delay, which permits a scram reset. This reset allows normal valve lineup restoration in the control rod drive hydraulic system. Normal valve lineup restoration opens the SDV drain and vent valves to allow the SDV to be drained.

VII-2-9 01/23/01

USAR

2. 3. 7 Reactor Mode Selector Switch A conveniently located, multi-position, keylock r_eactor mode selector switch is provided to select the necessary scram functions for various station conditions. In addition to selecting scram functions from the proper sensors, the mode selector switch provides appropriate bypasses. The mode switch also provides interlocks for such functions as isolation on low main steam line pressure (see USAR Section VII-3, "Primary Containment Isolation System), control rod blocks (see USAR Section VII-6, "Refueling Interlocks"), and refueling equipment restrictions (see USAR Section VII-7, "Reactor Manual Control System"), which are not considered here as part of the RPS. The switch itself is designed to provide separation between the two trip systems. The reactor mode selector switch positions and their related scram functions are as follows:
2. 3. 7 .1 Shutdown Mode The Shutdown Mode initiates a reactor scram and bypasses the MSIV closure scram.
2. 3. 7. 2 Refuel Mode The Refuel Mode selects the Neutron Monitoring System scram for low neutron flux level operation (see USAR Section VII-5, "Neutron Monitoring System") and bypasses the MSIV closure scram.

2.3.7.3 Startup/Hot Standby Mode The Startup/Hot Standby Mode selects the Neutron Monitoring System scram for low neutron flux level operation (see USAR Section VII-5, "Neutron Monitoring System") and bypasses the MSIV closure scram.

2.3.7.4 Run Mode The Run Mode selects the Neutron Monitoring System scram for power range operation (see USAR Section VII-5, "Neutron Monitoring System").

2.3.8 Scram Bypasses A number of scram bypasses are provided to account for the varying protection requirements depending on reactor conditions and to allow for instrument service during reactor operations. Some bypasses are automatic, others are manual. All manual bypass switches are in the control room, under the direct control of the control room operator. If the ability to trip some part of the system has been bypassed, this condition is continuously indicated in the control room.

Automatic bypass of the scram trips from MSIV closure is provided when the Reactor Mode Selector Switch is not in RUN. The bypass allows reactor operations at low power with the main steam lines isolated. This condition may exist during startups and certain reactivity tests during refueling.

A reactor scram is initiated by placing the Reactor Mode Selector Switch in SHUTDOWN. There is an automatic bypass after a time delay when the switch is placed in SHUTDOWN. The bypass is provided to allow manual reset of the scram and subsequent restoration of the Control Rod Drive Hydraulic System valve lineup to normal. An annunciator in the control room indicates the bypassed condition.

Below 30 percent of reactor rated power, the scram signal due to turbine control valve fast closure and turbine stop valve closure is bypassed VII-2-10 01/23/01

USAR because the Neutron Monitoring System high flux scram and high pressure scram are adequate to protect the reactor pressure vessel. Closure of these valves from such a low initial power level does not constitute a threat to the integrity of any barrier to the release of radioactive material. Thirty percent of reactor rated thermal power is approximately equivalent to 30 percent of rated supply pressure during normal system operation (turbine bypass valves closed). During turbine bypass valve testing (or other activities that divert steam from the supply), steam is diverted through the bypass valves. This results in a supply pressure that indicates a lower power level than is actually occurring in the reactor. To compensate for possible turbine trips during bypass valves testing (or other activities which divert steam from the main turbine supply), the actual scram bypass setpoint is implemented at less than or equal to 25 percent [l0 7 l 1127 l of rated turbine supply pressure.

Bypasses for the Neutron Monitoring System channels are described in USAR Section VII-5, "Neutron Monitoring System."

A manual keylock switch located in the control room permits the operator to bypass the SDV high level scram trip if the Reactor Mode Selector Switch is in SHUTDOWN or REFUEL. This bypass allows the operator to reset the RPS, so that the system is restored to operation while the operator drains the SDV. In addition to allowing the scram relays to be reset, actuating the bypass initiates a control rod withdrawal block (see USAR Section VII-7, "Reactor Manual Control System") . Resetting the trip actuators opens the SDV vent and drain valves. An annunciator in the control room indicates the bypass condition.

The arrangement of bypasses meets safety design basis 8b.

2.3.9 Instrumentation Instrument Channels providing inputs to the RPS are not used for automatic control of process systems, thus the operations of protection and process systems are separated. The RPS instrumentation, shown in General Electric Drawing 729E222BB, Sheet 3, is discussed as follows:

2. 3. 9 .1 Neutron Monitoring System The Neutron Monitoring System instrumentation is described in USAR Section VII-5, "Neutron Monitoring System." Figure VII-2-7 clarifies the relationship between Neutron Monitoring System channels, Neutron Monitoring System logics, and the RPS logics. The Neutron Monitoring System channels are considered part of the Neutron Monitoring System. The Neutron Monitoring System logics are considered part of the RPS. As shown in Figure VII-2-8, there are four Neutron Monitoring System logics associated with each trip system of the RPS. Each RPS logic receives inputs from two Neutron Monitoring System logics.

Each Neutron Monitoring System logic receives signals from one IRM channel and one APRM channel. The position of the mode switch determines which input signals will affect the output signal from the logic. The arrangement of Neutron Monitoring System logics is such that the failure of any one logic cannot prevent the initiation of a high neutron flux scram.

2.3.9.2 Reactor Vessel-Steam Dome Pressure The Reactor Vessel-Steam Dome Pressure is tapped from the reactor vessel at two separate locations. A pipe from each tap is led outside the primary containment and terminates in the reactor building. Two locally mounted, non-indicating pressure switches monitor the pressure in each pipe.

VII-2-11 11/29/16

USAR Cables from these switches are routed to the control room. The two pairs of switches are physically separated. Each switch provides a high pressure signal to one channel. The switches are arranged so that each pair provides an input to trip system A and trip system B, as shown in Figure VII-2-9. The physical separation and the signal arrangement assure that no single physical event can prevent a scram due to reactor vessel high pressure.

2.3.9.3 Reactor Vessel Water Level Low - Level-3 The Reactor Vessel Water Level Low signals are initiated from indicating type differential pressure switches which sense the difference between the pressure due to a reference column of water and the pressure due to the actual water level in the vessel. The switches are arranged in pairs in the same way as the reactor vessel high pressure switches (Figure VII-2-9).

Two instrument pipelines attached to taps, one above and one below the water level, on the reactor vessel are required for the differential pressure measurement for each pair of switches. The two pairs of pipe lines terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The RPS pressure switches, as well as instruments for other systems sense pressure and level from these same pipes. The physical separation and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level. Temperature compensating columns are used to increase the accuracy of the level measurements.

2. 3. 9. 4 Main Turbine Stop Valve Closure The Main Turbine Stop Valve Closure inputs to the RPS are from valve stem position switches mounted on the two turbine stop valves. Each of the switches is arranged to actuate before the valve is 90% open (10% closed) to provide the earliest positive indication of closure. Either of the two channels associated with one stop valve can signal valve closure. The logic is arranged so that closure of both initiates a scram.

2.3.9.5 Main Turbine Control Valve Fast Closure The Main Turbine Control Valve Fast Closure inputs to the RPS are from four pressure switches sensing discharge oil pressure from the control oil dump line. The dump system is that part of the turbine control system used to effect fast closure of the turbine control valves. These pressure switches provide signals to both RPS trip systems, as shown in Figure VI I-2-9. The logic is one-out-of-two taken twice. The switches are open when the control valves are fully open, but close within 30 milliseconds after the control valve starts to close.

2.3.9.6 Main Steam Line Isolation There are eight main steam line isolation channels, two for each main steam line. Each channel senses isolation of the associated main steam line via a valve stem position switch on each MSIV. The switch on each MSIV is arranged to open before the valve is 90% open (10% closed) to provide the earliest indication of isolation. The closure of either valve in a main steam line causes both channels associated with that steam line to signal isolation.

Figure VII-2-11 shows the arrangement of main steam line isolation channels.

The MSIV closure scram function is effective only when the reactor mode selector switch is in RUN.

The outputs from the channels are combined in RPS logic in such a way that the isolation of three of four main steam lines (closure of one valve in each main steam line) causes a scram. Figure VII-2-11 shows the logic VII-2-12 01/23/01

USAR arrangement. Wiring of the isolation channels from any one main steam line is physically separated in the same way that wiring to duplicate sensor on a common process tap is separated. The effects of the logic arrangement and separation provided for the main steam line isolation valve closure scram are as follows:

a. Closure of one valve for test purposes with one steam line already isolated without causing a scram due to valve closure.
b. Automatic scram upon isolation of all steam lines.
c. No single failure can prevent an automatic scram required for fuel protection due to main steam line isolation.

2.3.9.7 Scram Discharge Volume High Water Level The SDV High Water Level inputs to the RPS are from four float type level switches (two per SDV) and four transmitters (two per SDV) located in the reactor building. Each switch or transmitter provides an input into one channel (Figure VII-2-9). The switches and transmitters are arranged in pairs so that no single event will prevent a reactor scram due to SDV high water level. With the scram setting as addressed in the Technical Specifications, a scram is initiated while sufficient capacity remains in the SDVs to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting. For further information, see USAR Section III-5.5.2.7 "Scram Discharge Volumes" and III-5.5.2.8 "Scram Discharge Instrument Volumes."

2. 3. 9. 8 Drywell Pressure The Drywell Pressure is monitored by four non-indicating pressure switches which are mounted on instrument racks outside the drywell in the reactor building. Cables are routed from the switch to the control room. Each switch provides an input to one channel. (Figure VII-2-9). Pipes that terminate in the secondary containment (reactor building) connect the switches with the drywell interior. The switches are grouped in pairs, physically separated, and electrically connected to the RPS so that no single event will prevent a scram due to drywell high pressure.

2.3.9.9 Main Turbine Supply Pressure Switches Four Main Turbine Supply Pressure Switches are provided to initiate the automatic bypass of the turbine control valve fast closure and turbine stop valve closure scrams when the supply pressure is below some preset fraction of rated pressure. The switches are arranged so that no single failure can prevent a turbine stop valve closure scram or turbine control valve fast closure scram.

2.3.9.10 Channel and Logic Relays Instrument Channel and Logic Relays are fast response, high reliability relays. Power relays for interrupting the scram pilot valve solenoids are type CR magnetic contactors, made by the General Electric Company. All RPS relays are selected so that the continuous load will not exceed 50% of the continuous duty rating. Component electrical characteristics are selected so that the system response time, from the opening of a sensor contact up to and including the opening of all 16 of the trip actuator contacts is less than 50 milliseconds. The time requirements for control rod movement are discussed in USAR Section III-5, "Reactivity Control Mechanical Design."

VII-2-13 11/29/16

USAR Sensing elements are equipped with enclosures so that they can withstand conditions that may result from a steam or water line break long enough to perform satisfactorily. Normal environmental conditions for the instruments of the RPS are given in Table VII-2-1. Abnormal environmental conditions are described in the Environmental Qualification Program (see Subsection VII-1.7.2).

To gain access to those calibration and trip setting controls that are located outside the control room, a cover plate, access plug, or sealing device must be removed by qualified station personnel before any adjustment in trip settings can be effected.

2.3.10 Wiring Wiring and cables for RPS instrumentation are selected to avoid excessive deterioration due to temperature and humidity during the design life of the plant. Cables and connectors used inside the primary containment are designed for continuous operation at an ambient temperature of 150°F and a humidity of saturated steam at 2 psig with condensation.

Wiring for the RPS outside of the main protection system cabinet in the control room is run in rigid metallic conduits used for no other wiring. [211 The wires from duplicate sensors on a common process tap are run in separate conduits. Low level signal and power circuits are each run in separate rigid metallic conduits. Wires for sensors of different variables in the same RPS logic run in the same conduit.

The scram pilot valve solenoids are powered from eight actuator logic circuits - four circuits from trip system A and four from trip system B.

The four circuits associated with any one trip system are run in separate conduits. One actuator logic circuit from each trip system run in the same conduit; wiring for the two solenoids associated with any one control rod run in the same conduit.

Electrical panels and components of the RPS are prominently identified by nameplate. Each cable is uniquely marked at each termination as part of the RPS.

2.4 Safety Evaluation The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary. It is the objective of USAR Chapter XIV, "Station Safety Analysis" to identify and evaluate events that challenge the fuel barrier and reactor coolant pressure boundary. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that section.

Design procedure has been to select tentative scram trip settings that are far enough above or below normal operating levels that spurious scrams and operating inconvenience are avoided; it is then verified by analysis that the reactor fuel and reactor coolant pressure boundary are protected as is required by the basic objective. In all cases, the specific scram trip point selected is not the only value of the trip point which results in acceptable results relative to the fuel or reactor coolant pressure boundary; trip setting selection is based on operating experience and constrained by the safety design basis. The scrams initiated by Neutron Monitoring System variables, reactor vessel high pressure, turbine stop valve closure, turbine control valve fast closure, and reactor vessel low water level are sufficient to prevent excessive fuel damage following abnormal operational transients.

VII-2-14 01/23/01

USAR TABLE VII-2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION ENVIRONMENTAL CONDITIONS PRESSURE, TEMPERATURE, RELATIVE HUMIDITY ENVIRONMENTAL CONDITIONS Normal Conditions - Plant Operating Pressure Temperature Relative Humidity Area as Noted OF  %

I. Primary Containment (-) 0.5 to 2.0 psig 135° Average 40-55% Normal (Not otherwise noted) ( 1) -- Minimum 90% Maximum 150° Maximum -- Minimum Vicinity Recirculation Same as above 125° Average Same as above Pump Motors - -- Minimum Zone 4 135° Maximum Area Beneath RPV - Same as above 135° Average Same as above Zone 3 (7) 100° Minimum 165° Maximum

( 4)

II. Reactor Building Range from (-) 0 .10" to 70° Normal 40% Normal (Not otherwise noted) (-) 1.0" Water gage, static 90% Maximum 104° Maximum pressure 20% Minimum 40° Minimum Reactor Building Standby Same as above 104° Maximum Same as above Liquid Control Area 70° Minimum RCIC Equipment Area Same as above 70° Normal Same as above 104° Maximum ( 8)

( 2) ( 8) 60° Minimum Core Spray and RHR Same as above 70° Normal Same as above Equipment Area ( 8) 104° Maximum

( 2) ( 8) 40° Minimum Steam Tunnel Range from (-) 0, 10 II to 70° Normal 40 - 50% Normal

(-) 1.0" Water gage, static 90 - 98% Maximum 130° Maximum pressure 20% Minimum 40° Minimum HPCI Room Same as above 135° Maximum 40% Normal 90% Maximum 20% Minimum VII-2-15 01/23/01

USAR TABLE VII-2-1 (CONT'D)

REACTOR PROTECTION SYSTEM INSTRUMENTATION ENVIRONMENTAL CONDITIONS PRESSURE, TEMPERATURE, RELATIVE HUMIDITY ENVIRONMENTAL CONDITIONS Normal Conditions - Plant Operating Pressure Temperature Relative Humidity Area as Noted °F  %

III. Turbine Building Range 0.0" to(-) 0.25" 70° Normal 40% Normal water gage, static pressure 140° Maximum 90% Maximum 40° Minimum 20% Minimum IV. Control Room Range 0.10" to 1.0" water 60°-90° Normal 40-50% Normal gage, static pressure 120° Maximum 60% Maximum 40° Minimum 10% Minimum Notes: (1) Primary containment atmosphere during normal operation may be inerted with 96 percent nitrogen, 4 percent oxygen.

(2) Whenever RHR and Core Spray motors and ECCS are running, during test periods or during abnormal conditions, area space coolers may be required to maintain the ambient temperatures listed; maximum abnormal cycle of 6 months continuous operation.

(3) Components located in turbine building required to operate under abnormal conditions, if any, should be designed for equivalent conditions as shown for reactor building.

(4) During loss of offsite power, and other emergencies, except DBA, temperature of area underneath RPV will be maintained at 165°F or lower for up to 30 minutes.

(5) During periodic leak testing of primary containment, the equipment will be subjected to 62 psig and 135° for a maximum of 3 days.

(6) 56 psig is 90% of maximum containment internal pressure of 62 psig, as allowed by ASME Code.

(7) The same minimum temperature (100°F) shall apply inside base of the shield wall. Air velocity over vessel insulation and exposed vessel parts shall be approximately 6 fps.

(8) The maximum temperature and maximum humidity will occur simultaneously in these spaces less than 1% of the time.

VII-2-16 04/08/04

USAR USAR Chapter XIV, "Station Safety Analysis" identifies and evaluates the thre~ts to fuel integrity posed by abnormal operational events.

The effects of a postulated failure to scram under anticipated transients was studied. r 22 , 113 ' 114 J In no case does excessive fuel damage result from abnormal operational transients. The RPS meets the timeliness and precision requirements of safety design basis 1.

The evaluation of the scram function provided by the Neutron Monitoring System is presented in the section describing that system as well as in USAR Chapter XIV, "Station Safety Analysis."

The scram initiated by reactor vessel high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the reactor coolant pressure boundary as a result of internal pressure. For turbine generator trips, the turbine stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the maximum allowed reactor vessel pressure than would the high pressure scram alone. USAR Chapter XIV, "Station Safety Analysis" identifies and evaluates accidents and abnormal operational events that result in reactor vessel pressure increases; in no case does pressure exceed the maximum allowed reactor vessel pressure.

The RPS meets the timeliness and precision requirements of safety design basis 2.

The scrams initiated by the Neutron Monitoring System, MSIV closure, and reactor vessel low water level satisfactorily limit the radiological consequences of gross failure of the reactor coolant pressure boundary. USAR Chapter XIV, "Station Safety Analysis" evaluates gross failures of the fuel and reactor coolant pressure boundary; in no case does the release of radioactive material to the environs exceed the values of published regulations. The RPS meets the precision requirements of safety design basis 3.

Because the RPS meets the timeliness and precision requirements of safety design bases 1, 2, and 3 monitoring variables that are true, direct measures of operational conditions, it is concluded that safety design basis 4 is met.

Because the RPS meets the precision requirements of safety design bases 1, 2, and 3 using instruments with the characteristics described in Table VII-2-1 and the Environmental Qualification Program, it is concluded that safety design basis 5 is met.

Neutron flux (the Neutron Monitoring System variable) is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations of neutron flux detectors is discussed in USAR Section VII-5, "Neutron Monitoring System." Because the precision requirements of safety design bases 1, 2, and 3 are met using the Neutron Monitoring System as described, it is concluded that the number of sensors for spatially dependent variables satisfies safety design basis 6.

The items of safety design basis 7 specify the requirements that must be fulfilled for the RPS to meet the reliability requirements of safety design bases 1, 2, and 3. It has already been shown in the description of the RPS that safety design basis 7 f has been met. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities. The following discussion evaluates these subjects.

In terms of protection system nomenclature, the RPS is a 1-out-of-2 system used twice (1 of 2 x 2). Theoretically, its reliability is slightly higher than a 2-out-of-3 system and slightly lower than a 1-out-of-2 VII-2-17 01/23/01

USAR system. However, since the differences are slight, they can, in a practical sense, be neglected. The advantage of the dual trip system arrangement is that it can be tested thoroughly during reactor operation without causing a scram.

This capability for a thorough testing program, which contributes significantly to increased reliability, is not possible for a 1-out-of-2 system.

The use of independent channels allows the system to sustain any channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or channel failure will cause a single trip system trip and actuate alarms that identify the trip. The failure of two or more sensors or channels would cause either a single trip system trip, if the failures were confined to one trip system, or a reactor scram, if the failures occurred in different trip systems. An individual SDIV transmitter failure will not cause a trip function or alarm to inform control room personnel of the loss of that RPS channel. However, this failure will not prevent the other redundant and di verse SDIV sensors, monitoring the same variables, from initiating a scram. [B 2 J Any intentional bypass, maintenance operations, calibration operation, or test, all of which result in a single trip system trip, leaves at least two channels per monitored variable capable of initiating a scram by causing a trip of the remaining trip system. The resistance to spurious scrams contributes to station safety, because unnecessary cycling of the reactor through its operating modes would increase the probability of error or actual failure. It is concluded from the preceding paragraphs evaluating the logic, redundancy, and failure characteristics of the RPS that the system satisfies the reliability requirement stated in safety design bases 7a and 7b.

Any actual condition in which an essential monitored variable exceeds its scram trip point is sensed by at least two independent channels in each trip system. Because only one channel must trip in each trip system to initiate a scram, the arrangement of two channels per monitored variable per trip system provides assurance that a scram will occur as any monitored variable exceeds its scram setting.

Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot valve solenoid for any control rod fails to deenergize when a scram is required. It is concluded from the evaluations in the above paragraphs that the RPS meets safety design basis 7c.

Sensors, channels, and logics of the RPS are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system. This meets safety design basis 7d.

Failure of either RPS MG set would result, at worst, in a single trip system trip. Alternate power is available to the RPS buses. A complete, sustained loss of electrical power to both MG sets would result in a scram, delayed by the MG set flywheel inertia and the EPA trip time delay, in about three seconds. This meets safety design basis 7e.

The environmental conditions in which the instruments and equipment of the RPS must operate were considered in setting the environmental specification given in Table VII-2-1 and the Environmental Qualification Program. For the instruments located in the reactor or turbine buildings, the specifications are based on the worst expected ambient conditions in which the instruments must operate. The RPS components which are located inside the primary containment and which must function in the environment resulting from a break of the reactor coolant pressure boundary inside the primary VII-2-18 01/23/01

USAR containment are the reactor water level temperature equalizing columns and condensing chambers. Special precautions are taken to ensure satisfactory operability after the accident (see USAR Section VII-S, "Reactor Vessel Instrumentation"). The temperature equalizing columns and condensing chambers are similar to those that have successfully undergone qualification testing in connection with other BWRs.

The environmental capabilities of the RPS components, combined with the previously described physical and electrical isolation of sensors and channels, satisfy safety design basis 7g.

Safe shutdown of the reactor during earthquake ground motion is assured by the design of the system as a Class I system (see Appendix C) and the failsafe characteristics of the system. The system only fails in a direction that causes a reactor scram when subjected to extremes of vibration and shock. This meets safety design basis 7h.

Because the RPS meets Safety Design Bases 7 a through 7h, it is concluded that Safety Design Basis 7 is met.

Calibration and test controls for the Neutron Monitoring System are located in the control room and are, because of their physical location, under the direct physical control of the control room operator. Calibration and test controls for pressure switches, level switches, and valve position switches are located on the switches themselves. These switches are located in the turbine building, reactor building, and primary containment. To gain access to the setting controls on each switch, a cover plate or sealing device must be removed. Control room personnel are responsible for granting access to the setting controls to properly qualified station personnel for the purpose of testing or calibration adjustment. This meets safety design basis Sa.

It has been shown in the description of the RPS that safety design bases Sb, 9, 10a, and 10b are satisfied.

2. 5 Inspection and Testingr 23 J The RPS can be tested during normal reactor operation by five separate tests. The first test is the manual trip actuator test. By depressing the manual scram button for one trip system, the manual scram logic actuators are deenergized, opening contacts in the actuator logics. After resetting the first trip system, the second trip system is tripped with the other manual scram button. The total test verifies the ability to deenergize all eight groups of scram pilot valve solenoids by using the manual scram push button switches. Scram group indicator lights verify that the actuator contacts have opened. This test can be performed from the main control room. In addition all components covered in this test are accessible either in the control room or in the CRD hydraulic module area of the reactor building. Both areas are accessible during normal plant operation.

The second test is the automatic actuator test which is accomplished by operating, one at a time, the keylocked test switches for each automatic logic. The switch deenergizes the actuators for that logic, causing the associated actuator contacts to open. This test verifies the ability of each logic to deenergize the actuator logics associated with the parent trip system. The actuator and contact action can be verified by observing the physical position of these devices. This test can be performed from the control room.

The third test includes calibration of the Neutron Monitoring System by means of simulated inputs from calibration test equipment. These simulated signals can be applied to all neutron monitoring equipment including VII-2-19 01/23/01

USAR SRM' s, IRM' s, LPRM' s, and the LPRM' s making up the APRM' s and RBM' s. These neutron monitoring systems are designed so that any one channel of the SRM, IRM, APRM, and RBM can be bypassed for calibration without affecting the ability of the Protection System to function properly. Calibration signals can be applied to the inputs of the SRM and IRM pre-amp units which are located on local racks in the Reactor Building, while signals for the LPRM, APRM, and RBM are applied to the uni ts through input jacks on the back of the neutron monitoring panels located in the control room. In all of the above neutron monitoring equipment, there is also the ability to test the equipment using the internal test features of the equipment. This allows on-the-spot functional testing without the need of auxiliary test equipment. These tests provide complete testing of amplifiers and other signal conditioning equipment in addition to complete functional testing of all trip circuits associated with the neutron monitoring system. USAR Section VII-5 further describes calibration and testing of the neutron monitoring subsystems.

The fourth test is the single rod scram test which verifies capability of each rod to scram. It is accomplished by operation of toggle switches on the protection system operation panel which is located in the control room. Timing traces can be made for each rod scrammed. This test can be performed from the control room and the action of the indi victual CRD hydraulic units can be observed in a safe area of the Reactor Building.

The fifth test involves the application of a test signal to each RPS channel in turn and observing that a logic trip results. Between these logic system tests, more frequent channel functional tests can also be performed using test equipment allowing observation of a RPS channel actuation without causing a logic trip. These tests also verify the electrical independence of the channel circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps. These calibration taps are located on local panels located in the reactor building. These panels, MPL 25-5 and MPL 25-6 contain instrumentation for reactor pressure and water level. By putting calibration signals into the various instruments, remote readings and actions can be checked in the control room.

The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps. The test is conducted as follows:

1. An instrument technician following approval to conduct the test, verifies the proper instrument is being tested and shuts off the instrument line.
2. The instrument is isolated using the instrument valve ( or instrument manifold valve) and a calibration set is attached to the instrument calibration taps which are arranged to avoid spilling of water (if the instruments are normally filled).
3. A calibration signal sufficient to actuate the sensor contacts is applied while reading the value of applied pressure on a calibrated test gage.
4. The trip points and reset point are compared to the required set point and the value is recorded.
5. Adjustments are made to the trip setting if necessary; adjustments are recorded.
6. Communication with the control room is maintained during the test to verify the trip point as registered on control room instruments. The trip value is recorded.

VII-2-20 06/19/17

USAR

7. Proper protective relay operation is also verified by observation.
8. The calibration signal is then reduced to zero, the test is removed, the calibration taps plugged and the sensors valved into service.
9. The final state of the system valving and indication is verified, and the test is logged as complete.

RPS logic response times were first verified during preoperational testing and are verified thereafter by similar tests in accordance with Technical Specifications. The elapsed time from the individual RPS sensor contacts actuation until the time the scram solenoid valves deenergize is measured.

The alarm typewriter provided with the process computer verifies the proper operation of many sensors during plant startups and shutdowns. Main steam line isolation valve position switches and turbine stop valve position switches can be checked in this manner. The verification provided by the alarm typewriter is not considered in the selection of test and calibration frequencies and is not required for plant safety.

The provisions for functionally testing and calibrating the RPS meet the requirements of safety design basis 11.

VII-2-21 01/23/01

USAR TABLE VII-2-2 REACTOR PROTECTION SYSTEM/ATWS SCRAM TRIP FUNCTIONS & ANALYTICAL LIMITS RPS SCRAM TRIP FUNCTION ANALYTICAL LIMIT NOTES APRM Fixed Neutron Flux - High 123%

APRM Fixed Neutron Flux - High (Setdown) 17.4% of rated thermal power APRM Flow Biased - High 0.75W + 65.6%

IRM - High 125/125 Scale indication Reactor Steam Dome Pressure - High 1060 psig Reactor Vessel Water Level Low - Level-3 +0.5 inches above 1 instrument zero Turbine Stop Valve Closure Valve position 10%

closed Turbine Control Valve Fast Closure 1000 psig decreasing MSIV Closure Valve position 10%

closed Scram Discharge Volume (SDV) Level - 92" 2 High Drywell Pressure - High 2 psig ATWS TRIP FUNCTION Reactor Steam Dome Pressure - High RPT 1095 psig Reactor Vessel Low Low Water Level - -49 inches below 3 Level-2 RPT instrument zero NOTES:

1. Equivalent to 517.25 inches above reactor vessel bottom head invert.
2. The SDV analytical limit is referenced to 92 inches above the centerline of the lower SDIV instrument tap.
3. Equivalent to 467.75 inches above reactor vessel bottom head invert.

VII-2-22 08/07/08

USAR 3.0 PRIMARY CONTAINMENT ISOLATION SYSTEM CONTROL AND INSTRUMENTATION 3.1 Safety Objective To initiate isolation of the reactor or the primary containment so as to limit the release of radioactive materials during analyzed accidents or transients to within the limits of 10CFRl00, 10CFR50.67, or 10CFR20 as applicable. The Primary Containment Isolation System ( PCIS) initiates automatic isolations to limit the loss of reactor coolant inventory during analyzed plant accidents or transients to within the results of the plant safety analysis.

3.2 Safety Design Basis

1. To limit the uncontrolled release of radioactive material to the environs, the Primary Containment Isolation System shall with precision and reliability initiate timely isolation of penetrations through the primary containment structure which could otherwise allow the uncontrolled release of radioactive materials whenever the values of monitored variables exceed preselected operational limits.
2. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, the Primary Containment Isolation System shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.
3. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, an adequate number of sensors shall be provided for monitoring important variables that have spatial dependence.
4. To provide assurance that conditions indicative of a gross failure of the reactor coolant pressure boundary are detected with sufficient timeliness and precision to fulfill safety design basis 1, Primary Containment Isolation System inputs shall be derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.
5. The time required for closure of the main steam line isolation valves shall be short, so that the release of radioactive material and the loss of coolant as a result of a breach of a steam line outside the primary containment are within analyzed limits.
6. The time required for closure of the main steam isolation valves shall not be so short that inadvertent isolation of steam lines causes excessive fuel damage or excessive nuclear system pressure. This basis ensures that the main steam isolation valve closure speed is compatible with the ability of the Reactor Protection System and Pressure Relief System to protect the fuel and reactor coolant pressure boundary.
7. To provide assurance that closure of Class A and Class B automatic isolation valves is initiated, when required, with sufficient reliability to fulfill safety design basis 1, the following safety design bases are specified for the systems controlling Class A and Class B automatic isolation valves:
a. No single failure within the isolation control system shall prevent isolation action when required to satisfy safety design basis 1.
b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not VII-3-1 02/05/10

USAR impair the functional ability of the isolation control system to respond correctly to important monitored variables.

c. The system shall be designed for a high probability that when any important monitored variable exceeds the isolation setpoint, the event shall either result in automatic isolation or shall not impair the ability of the system to respond correctly as other monitored variables exceed their trip points.
d. Where a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system shall meet the requirements of safety design bases 1, 2, 3, and 7a.
e. The power supplies for the Primary Containment Isolation System shall be arranged so that loss of one supply, as a credited single failure, cannot prevent automatic isolation when required.
f. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Resetting the isolation signal will not result in the automatic reopening of containment isolation valves.

Return to normal operation after isolation action shall require deliberate operator action. [251 [ll 7 l [ 1211

g. There shall be sufficient electrical and physical separation between trip channels monitoring the same important variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.
h. Earthquake ground motions shall not impair the ability of the Primary Containment Isolation System to initiate automatic isolation.
8. The following safety design bases are specified to assure that the timely isolation of main steam lines is accomplished, when required, with extra-ordinary reliability:
a. The motive force for achieving valve closure for one of the two tandem-mounted isolation valves in an individual steam line shall be derived from a different energy source than that for the other valve.
b. At least one of the isolation valves in each of the steam lines shall not rely on continuity of any variety of electrical power for the motive force to achieve closure.
9. To reduce the probability that the operational reliability and precision of the Primary Containment Isolation System will be degraded by operator error, the following safety design bases are specified for Class A and Class B automatic isolation valves:
a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with important monitored variables shall be under the control of the control room operator or other supervisory personnel.
b. The means for bypassing channels, logics, or system components shall be under the control of the control room operator. If the ability to trip some important part of the system has been bypassed, this fact shall be continuously indicated in the control room.

VII-3-2 01/23/01

USAR

10. To provide the operator with means independent of the automatic isolation functions to take action in the event of a failure of the reactor coolant pressure boundary, it shall be possible for the control room operator to manually initiate isolation of the primary containment and reactor vessel.
11. The following bases are specified to provide the operator with the means to assess the condition of the Primary Containment Isolation System and to identify conditions indicative of a gross failure of the reactor coolant pressure boundary.
a. The Primary Containment Isolation System shall be designed to provide the operator with information pertinent to the status of the system.
b. Means shall be provided for prompt identification of channel and trip system responses.
12. It shall be possible to check the operational availability of each important channel, logic, and trip system during reactor operation.

3.3 Description 3.3.1 Identification The Primary Containment Isolation System Controls and Instrumentation include the sensors, channels, switches, and remotely activated valve closing mechanisms associated with the valves which, when closed, effect isolation of the primary containment or reactor vessel, or both. It should be noted that the control systems for those Class A and B isolation valves which close by automatic action pursuant to the safety design bases are the main subject of this section. However, Class C remotely operated isolation valves are included because they add to the operator's ability to effect manual isolation. Injection check valves are also included because they provide the operator with an ability to check that the valve disk can respond to reverse flow. The Primary Containment Isolation System is designed to meet the intent of the IEEE proposed criteria for nuclear power plant protection systems (IEEE-279) as described in NEDO 10139.

3.3.2 Definitions Class A isolation valves are in pipelines that communicate directly with the reactor vessel and penetrate the primary containment. These lines generally have two isolation valves in series--one inside the primary containment and one outside the primary containment.

Class B isolation valves are in pipelines that do not communicate directly with the reactor vessel, but penetrate the primary containment and communicate with the primary containment free space. These pipelines generally have two isolation valves in series, both of them outside the primary containment, except that on water-sealed lines one isolation valve in addition to the water seal is adequate to meet isolation requirements.

Class C isolation valves are in pipelines that penetrate the primary containment, but do not communicate directly with the reactor vessel, the primary containment free space, or the environs. These lines require one isolation valve located outside the primary containment.

Variations to the basic isolation valve definitions are used in certain circumstances. These valves are referenced by their class designations followed by an "X" suffix; for example, A-X. These valves are generally VII-3-3 01/23/01

USAR located in instrument lines or in the ECCS lines which may be required to be operational when primary containment is required. For additional mechanical features of containment isolation valves, see USAR Section V-1.

3.3.3 Power Supply The power for the channels and logics of the isolation control system is supplied from the Reactor Protection System motor-generator sets and the unit preferred power system. Isolation valves receive power from standby power sources. Power for the operation of two valves in a pipeline is fed from different sources. In most cases one valve is powered from an AC bus of appropriate voltage, and the other valve is powered by DC from the station batteries. The main steam isolation valves (MS IVs), which are described in detail later, use AC, DC, and pneumatic pressure in the control scheme. This is illustrated by Figure VII-3-5. USAR Table V-2-2 lists the type of power supply for each power operated isolation valve.

3.3.4 Physical Arrangement USAR Table V-2-2 lists the automatic containment isolation valves, which include power operated valves and check valves, for pipelines that penetrate the primary containment and indicates the types and locations of the automatic isolation valves installed in each pipeline. Pipelines that penetrate the primary containment and are in direct communication with the reactor vessel generally have two Class A isolation valves, one inside the primary containment and one outside the primary containment. Pipelines which penetrate the primary containment and which communicate with the primary containment free space, but which do not communicate directly with the reactor vessel, generally have two Class B isolation valves located outside the primary containment. Class A and Class B automatic isolation valves are considered important for protection against the gross release of radioactive material in the event of a breach in the reactor coolant pressure boundary.

Process 'pipelines that penetrate the primary containment but do not communicate directly with the reactor vessel, the primary containment free space, or the environs, have at least one Class C isolation valve located outside the primary containment which may close either by process action

( reverse flow) or by remote manual operation. Only the controls for the automatic isolation valves are discussed in this part of the safety analysis report. The valves which are the subject of this text are specifically identified in the detailed descriptions which follow.

Power cables are run in conduits or trays from appropriate electrical sources to the motor or solenoid involved in the operation of each isolation valve. The control arrangement for the main steam line isolation valves includes pneumatic piping and an accumulator for those valves for which air is considered the emergency source of motive power for closing. Pressure and water level sensors are mounted on instrument racks in either the reactor building or the turbine building. Valve position switches are mounted on the valve for which position is to be indicated. Switches are enclosed in cases to protect them from environmental conditions. Cables from each sensor are routed in conduits and cable trays to the control room. All signals transmitted to the control room are electrical; no pipe from the nuclear system or the primary containment penetrates the control room. Sensing lines used to transmit level information from the reactor vessel to sensing instruments terminate inside the secondary containment ( reactor building) . The sensor cables and power supply cables are routed to cabinets in the control room where the logic arrangements of the system are formed.

To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control systems required for the automatic closure of Class A and Class B valves are VII-3-4 01/23/01

USAR designed as Class I equipment as described in USAR Section XII and Appendix C.

This meets safety design basis 7h.

3.3.5 The basic logic arrangement for important trip functions is one in which an automatic isolation valve is controlled by two trip systems. Where many isolation valves close on the same signal, two trip systems control the entire group. Where just one or two valves must close in response to a special signal, two trip systems may be formed from the instruments provided to sense the special condition. Valves that respond to the signals from common trip systems are identified in the detailed descriptions of isolation functions.

Each trip system has a pair of logics. Each logic receives input signals from at least one channel for each monitored variable. Thus, two channels are required for each important monitored variable to provide independent inputs to the logic of one trip system. A total of four channels for each important monitored variable are required for the logics of both trip systems.

The actuators associated with a logic pair provide inputs into each of the actuator logics for that trip system. Thus, either of the two logics associated with one trip system can produce a trip system trip. The logic is a 1-out-of-n arrangement, where n may be two or more.

To initiate valve closure the actuator logics of both trip systems must be tripped. The overall logic of the system could be termed one-out-of-two taken twice.

The basic logic arrangement just described does not apply to Class C isolation valves and injection check valves. Exceptions to the basic logic arrangement are made in several instances for certain Class A and Class B isolation valves as described below.

3.3.6 Operation During normal operation of the Station, when isolation is not required, sensor and trip contacts essential to safety are closed; channels, and trip logics are normally energized. Whenever a channel sensor contact opens, its auxiliary relay deenergizes, causing contacts in the trip logic to open. The opening of contacts in the logic deenergizes its actuator. When deenergized, the actuator trip relay opens a contact in the actuator logic. If a trip then occurs in either of the logic pairs of the other trip system, another actuator logic is deenergized. With both trip systems tripped, appropriate contacts open or close in valve control circuitry to actuate the valve closing mechanism. Automatic isolation valves that are normally closed receive the isolation signal as well as those valves that are open. The control system for each Class A isolation valve is designed to provide closure of the valve in time to prevent uncovering the fuel as a result of a break in the pipeline which the valve isolates. The control systems for Class A and Class B isolation valves are designed to provide closure of the valves with sufficient rapidity to restrict the release of radioactive material to the environs below the guideline values of applicable regulations.

All automatic Class A and Class B valves and remotely operable Class C valves (except in the case of check valves) can be closed by manipulating switches in the control room, thus providing the operator with means independent of the automatic isolation functions to take action in the event of a failure of the reactor coolant pressure boundary. This meets safety design basis 10.

VII-3-5 01/23/01

USAR Once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. Resetting the isolation signal will not result in the automatic reopening of containment isolation valves. [281 [ll 7J [ 1211 The operator must manually operate switches in the control room to reopen a valve which has been automatically closed. Unless manual override features are provided in the manual control circuitry, the operator cannot reopen the valve until the conditions that initiated isolation have cleared. This is the equivalent of a manual reset and meets safety design basis 7 f.

A trip of an isolation trip system channel is indicated in the control room so that the operator is immediately informed of the condition.

The response of isolation valves is indicated by "open-closed" lights. All motor-operated Class A and Class B isolation valves whose primary function is to isolate have two sets of "open-closed" lights. One set is located near the manual control switches for controlling each valve from the control room panel. A second set is located in a separate central isolation valve position display in the control room.

The positions of air-operated isolation valves are displayed in the same manner as motor operated valves with the exception of recirculation loop A sample line isolation valves RR-AOV-741AV and RR-AOV-740AV. Position indication for these valves is only provided on a control panel in the control room.

Inputs to annunciators, indicators, and the computer are arranged so that no malfunction of the annunciating, indicating, or computing requirement can functionally disable the system. Signals directly from the isolation control system sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the Primary Containment Isolation System satisfies safety design bases lla and llb.

3.3.7 Isolation Valve Closing Devices and Circuits USAR Table V-2-2 itemizes the type of closing device provided for each isolation valve intended for use in automatic or remote manual isolation of the primary containment or reactor vessel. To meet the requirement that automatic Class A valves be fully closed in time to prevent the reactor vessel water level from falling below the Top of Active Fuel as a result of a break of the pipeline which the valve isolates, the valve closing mechanisms are designed to give the closing rates specified in USAR Table V-2-2. In many cases a "standard" closing rate is adequate to meet isolation requirements.

Because of the relatively long time required for fission products to reach the containment atmosphere following a break in the reactor coolant pressure boundary inside the primary containment, a "standard" closure rate is adequate for the automatic closing devices on Class B isolation valves.

Motor operators for Class A and Class B isolation valves are selected with capabilities suitable to the physical and environmental requirements of service. The required valve closing rates were considered in designing motor operators. Appropriate torque and limit switches are used to ensure proper valve seating. Handwheels, which are automatically disengaged from the motor operator when the motor is energized, are provided for local-manual operation.

Direct solenoid operated isolation valves and solenoid air pilot valves are chosen with electrical and mechanical characteristics which make them suitable for the service for which they are intended. Appropriate watertight or weathertight housings are used to ensure proper operation under accident conditions.

VII-3-6 01/23/01

USAR

3. 3. 7 .1 Main Steam Isolation Valves The Main Steam Isolation Valves (MSIVs) are spring-closing, pneumatic, piston-operated valves designed to close upon loss of pneumatic pressure to the valve operator. This is fail safe design. Closure time for the valves is adjustable between 3 and 10 seconds. Although the closure time for the valves is adjustable, the closing rate is set to meet Technical Specification requirements and not normally adjusted. Each valve is piloted by two, three-way, packless, direct-acting, solenoid-operated pilot val ves--one powered by AC, the other by DC. An accumulator is located close to each isolation valve to provide pneumatic pressure for valve closing in the event of failure of the nitrogen (inboard MSIVs) or normal air (outboard MSIVs) supply systems.

The valve pilot system and the pneumatic pipe lines are arranged so that when one or both solenoid operated pilot valves are energized either nitrogen or normal air supply provides pressure to the pneumatically operated pilot valve to direct pressure to the main valve pneumatic operator. This overcomes the closing force exerted by the springs to keep the main valve open. When both solenoid operated pilots are deenergized, as would be the result of both trip systems tripping or placing the manual switch in the closed position, the path through which pressure acts is switched so that the opposite side of the valve operator is pressurized, thus assisting the springs in closing the valve. In the event of nitrogen or air supply failure, the loss of pressure will cause the pneumatically operated pilot valve to move by spring force to the position resulting in main valve closure. Main valve closure is then effected by means of the nitrogen or air stored in the accumulator and by the springs.

Pneumatic pressure, acting alone, and the force exerted by the springs, acting alone, are each capable of independently closing the valve except during a LOCA when the MSIVs inside the primary containment (inboard) may require both pneumatic pressure and spring force with the vented side of the piston operator at the containment peak accident pressure. (The outboard valve is exactly the same design, al though it will be subjected only to atmospheric pressures.) The accumulator volume was chosen to provide enough pressure to close the valve when the pneumatic supply to the accumulator has failed. The supply line to the accumulator is large enough to make up pressure to the accumulator at a rate faster than the valve operation bleeds pressure from the accumulator during valve opening or closing.

A separate, single, solenoid-operated pilot valve with an independent test switch is included to allow manual testing of each MSIV from the control room. The testing arrangement is designed to give a slow closure of the isolation valve being tested to avoid rapid changes in steam flow and nuclear system pressure. Slow closure of a valve during testing requires 50 to 60 seconds. The valve mechanical design is discussed further in USAR Section IV-6, "Main Steam Line Isolation Valves".

3.3.8 Isolation Functions and Settings The isolation trip sensors for the Primary Containment Isolation System are listed in USAR Table VII-3-2. The functions that initiate automatic isolation are itemized in USAR Table V-2-2 in terms of the pipelines that penetrate the primary containment. Although this section (3.3.8) is concerned with the electrical control systems that initiate isolation to prevent direct release of radioactive material from the primary containment or reactor coolant pressure boundary, the additional information given in USAR Table V-2-2 can be used to assess the overall ( electrical and mechanical) isolation effectiveness of each system having automatic isolation functions for pipelines which penetrate the primary containment. Isolation functions and VII-3-7 01/23/01

USAR trip settings used for the electrical control of isolation valves in fulfillment of the previously stated safety design bases are discussed in the following paragraphs. The role each isolation function plays in initiating isolation of barrier valves or groups of valves is illustrated in the nuclear boiler functional control diagrams on General Electric Drawing 730E149BB, Sheets 1 and 2. USAR Table VII-3-6, "Primary Containment Isolation System (PCIS) Signals and Isolations" lists the Isolation Group, the Isolation Signal and the Isolation Signal Analytical Limit values r1261 , and the Isolations. The Improved Technical Specification (ITS), Section 3, Table 3.3.6.1 contains the Allowable Values (AV) for the listed Isolation Signals. As shown in USAR Figure VII-3-3, the HPCI and RCIC steam lines are isolated from each other such that no simple break in either line will cause isolation of both the HPCI and RCIC systems. r 29 J 3.3.8.1 Reactor Vessel Low Water Level (Level 3)

A low water level in the reactor vessel (USAR Table V-2-2, Isolation Signal A) could indicate that either reactor coolant is being lost through a breach in the reactor coolant pressure boundary or that the normal supply of reactor feedwater has been lost and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Reactor vessel low water level (Level 3) initiates closure of various Class A valves and Class B valves. The closure of Class A valves is intended to either isolate a breach in any of the pipelines in which valves are closed or conserve reactor coolant by closing off process lines. The closure of Class B valves is intended to prevent the escape of radioactive materials from the primary containment through process lines which are in communication with the primary containment free space.

Three reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel. The first reactor vessel low water level ( Level 3) isolation trip setting, which occurs at a higher water level than the second and third settings, initiates closure of all Class A and Class B valves in major process pipelines except the main steam lines, reactor water clean-up, and the reactor building isolation and control system. The reactor water clean-up and reactor building isolation and control systems remain functional to prevent thermal stratification of the reactor vessel from complicating the scram recovery and vessel level control following reactor scram from greater than 50% power. The main steam lines are left open to allow the removal of heat from the reactor core. The second and third settings are discussed below.

The first low water level setting at reactor water Level 3, which is coincidentally the same as the reactor vessel low water level (Level 3) scram settings, was selected to initiate isolation at the earliest indication of a possible breach in the reactor coolant pressure boundary yet far enough below normal operational levels to avoid spurious isolation.

3.3.8.2 Reactor Vessel Low Low Water Level (Level 2)

The second reactor vessel low water level (Level 2) isolation trip setting (USAR Table V-2-2, Isolation Signal H) contributes to the isolation of the primary containment and reactor vessel by initiating isolation of normal reactor building ventilation, standby gas treatment, control room emergency filter system, and closure of the reactor water clean-up (RWCU) isolation valves. The reactor vessel low low water level (Level 2) isolation setting was selected low enough to minimize the likelihood of post-scram recovery difficulties at reactor power greater than 50% that could result from void collapse ( shrink) and high enough to complete isolation in time for the operation of the ECCS in the event of a large break in the reactor coolant pressure boundary. This second low water level setting is low enough that shrink resulting from reactor scram at greater than 50% power will not result VII-3-8 04/06/05

USAR in isolation of RWCU and the Reactor Recirculation Motor Generator (RRMG) set cooling air supply. Retaining the function of RWCU provides the ability to remove water from the vessel immediately after a scram. Retaining the cooling air supply to the RRMG set prevents RRMG set trip due to high air temperature.

By maintaining the function of the reactor recirculation pumps and the RWCU system following reactor scram at greater than 50% reactor power, the setting at Level 2 will minimize the likelihood of thermal stratification of the reactor vessel from complicating the scram recovery and vessel level control.

3.3.8.3 Reactor Vessel Low Low Low Water Level (Level 1)

The third and lower reactor vessel low water level (Level 1) isolation trip setting ( USAR Table V-2-2, Isolation Signal B) completes the isolation of the primary containment and reactor vessel by initiating closure of the main steam isolation valves and any other Class A or Class B valves that must be shut to isolate minor process lines. The reactor vessel low low low water level (Level 1) isolation setting was selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram and high enough to complete isolation in time for the operation of the ECCS in the event of a large break in the reactor coolant pressure boundary.

This third low water level setting is low enough that partial losses of feedwater supply would not unnecessarily initiate full isolation of the reactor, thereby disrupting normal shutdown or recovery procedures. By maintaining the main condenser available for a longer time and allowing more energy to be released to it, the setting at Level 1 will result a slower reactor vessel repressurization rate, fewer main steam line isolations, and fewer SRV actuations and challenges. [lOOJ 3.3.8.4 Main Stearn Line High Radiation High radiation in the vicinity of the main steam lines (USAR Table V-2-2, Isolation Signal C) could indicate a gross release of fission products from the fuel. High radiation near the main steam lines initiates isolation of the reactor water sample line.

The high radiation trip setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to promptly detect a gross release of fission products from the fuel.

3. 3. 8. 5 Main Stearn Line Space High Temperature High temperature in the space in which the main steam lines are located outside of the primary containment (USAR Table V-2-2, isolation signal D) could indicate a breach in a main steam line. The automatic closure of various Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the reactor coolant pressure boundary. However, per USAR Section XIV-6. 5, the maximum DBA dose is mitigated by the Main Stearn Line High Flow instrumentation.

The main steam line space high temperature trip is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

3. 3. 8. 6 Main Stearn Line High Flow Main steam line high flow (USAR Table V-2-2, isolation signal D) could indicate a break in a main steam line. The automatic closure of various Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the reactor coolant pressure boundary.

VII-3-9 04/06/05

USAR TABLE VII-3-2 PRIMARY CONTAINMENT ISOLATION SYSTEM INSTRUMENT SPECIFICATIONS (Allowable Values are in the Technical Specifications)

Isolation Signal Sensor Reactor vessel low water level (Level 3) Level indicating switch Reactor vessel low low water level (Level 2) Level indicating switch Reactor vessel low low low water level (Level 1) Level indicating switch Main steam line high radiation Radiation monitor Main steam line space high temperature Temperature switch Main steam line high flow Differential pressure switch Low Main steam line pressure Pressure switch Primary containment (drywell) high pressure Pressure switch RCIC equipment space high temperature Temperature switch RCIC turbine high steam flow Differential pressure switch RCIC turbine steam line low pressure Pressure switch HPCI equipment space high temperature Temperature switch HPCI turbine high steam flow Differential pressure switch HPCI turbine steam line low pressure Pressure switch Condenser low vacuum Pressure switch Reactor building ventilation exhaust high radiation Radiation monitor RHR heat exchanger steam line space high temperature Temperature switch RWCU system space high temperature Temperature switch RWCU system high flow Differential pressure switch VII-3-10 04/06/05

USAR The main steam line high flow trip setting was selected high enough to permit the isolation of one main steam line for test at rated power without causing an automatic isolation of the rest of the steam lines yet low enough to permit early detection of a steam line break. The trip setting basis is discussed further in USAR Section XIV-6.5.

3. 3. 8. 7 Low Main Steam Line Pressure Low main steam line pressure at the turbine inlet while the reactor is operating ( USAR Table V-2-2, isolation signal P) could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves open fully. This action could cause rapid depressurization of the nuclear system. From part-load operating conditions, the rate of decrease of nuclear system saturation temperature could exceed the design rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventative action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid the time consuming requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored and upon falling below a preselected value with the reactor in the RUN mode initiates isolation of the pipelines.

The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation yet high enough to provide timely detection of a pressure regulator malfunction.

Although this isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.

3. 3. 8. 8 Primary Containment (Drywell) High Pressure High pressure in the drywell (USAR Table V-2-2, isolation signal F) could indicate a breach of the reactor coolant pressure boundary inside the drywell. The automatic closure of various Class B valves prevents the release of significant amounts of radioactive material from the primary containment.

The primary containment high pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips.

3.3.8.9 RCIC Equipment Space High Temperature High temperature in the vicinity of the RCIC equipment could indicate a break in the RCIC steam line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the reactor coolant pressure boundary. When high temperature occurs near the RCIC equipment, the RCIC turbine steam line is isolated (USAR Table V-2-2, signal K). The high temperature isolation setting was selected far enough above anticipated normal RCIC system operational levels to avoid spurious operation but low enough to provide timely detection of an RCIC turbine steam line break.

Steam releases into the steam tunnel are detected by temperature sensors shown in Burns and Roe Drawing ILE70-3, Sheet 107B. When these sensors detect a high temperature condition in the steam tunnel, they initiate main steamline isolation but not RCIC isolation. If the break is in the RCIC steam piping traversing this area, the RCIC high flow sensors are the only automatic sensors providing protection for RCIC breaks in the tunnel. ( There are no RCIC temperature sensors located in the tunnel.) r3 oi VII-3-11 09/09/16

USAR 3.3.8.10 RCIC Turbine High Stearn Flow RCIC turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the reactor coolant pressure boundary.

Contacts which close on RCIC turbine high steam flow are in series with a time relay set at approximately three seconds. RCIC isolation ( USAR Table V-2-2, signal K) is initiated by the time delay relay, thus minimizing the chance of inadvertent isolation due to pressure transients during system start-up. [3 ll The logic arrangement used for this function is shown on General Electric Drawing 7 2 9E51 7BC, Sheet 1, and is an exception to the usual logic requirement because high steam flow is the second method of detecting an RCIC turbine steam line break.

3.3.8.11 RCIC Turbine Stearn Line Low Pressure RCIC turbine steam line low pressure is used to automatically close the two isolation valves ( USAR Table V-2-2, signal K) in the RCIC turbine steam line so that steam and radioactive gases will not escape from the RCIC turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that at which the RCIC turbine can operate effectively.

3.3.8.12 HPCI Equipment Space High Temperature High temperature in the vicinity of the HPCI equipment could indicate a break in the HPCI turbine steam line. The automatic closure of certain Class A valves prevents the excessive loss of.reactor coolant and the release of significant amounts of radioactive material from the reactor coolant pressure boundary. When high temperature occurs near the HPCI equipment, the HPCI turbine steam supply line is isolated ( USAR Table V-2-2, signal L). The high temperature isolation setting was selected far enough above anticipated normal HPCI system operational levels to avoid spurious isolation, but low enough to provide timely detection of an HPCI turbine steam line break.

3.3.8.13 HPCI Turbine High Stearn Flow HPCI turbine high steam flow could indicate a break in the HPCI turbine steam line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the reactor coolant pressure boundary.

Contacts which close on HPCI turbine high steam flow are in series with a time delay relay set at approximately three seconds. HPCI isolation (USAR Table V-2-2, signal L) is initiated by the time delay relay, thus minimizing inadvertent isolation due to pressure transients during system startup. [3 lJ The logic arrangement used for this function is shown on General Electric Drawing 729E589BB, Sheet 1, and is an exception to the usual logic requirement, because high steam flow is the second method of detecting an HPCI turbine steam line break.

3.3.8.14 HPCI Turbine Stearn Line Low Pressure HPCI turbine steam line low pressure is used to automatically close the two isolation valves in the HPCI turbine steam line (USAR Table V-2-2, signal L) so that steam and radioactive gases will not escape from the HPCI turbine shaft seals into the reactor building after steam VII-3-12 04/06/05

USAR pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that where the HPCI turbine can operate efficiently.

3.3.8.15 Condenser Low Vacuum Scram of the reactor is not provided on low condenser vacuum but will be accomplished indirectly by closure of the turbine main stop valves (see USAR Sections VII-2.3.6.4 and VII-11.3.2). To prevent overpressurization of the main condenser, the MSIVs and steam line drain lines (USAR Table V-2-2, signal Q) will isolate when the condenser vacuum decreases to within the Technical Specifications limit. Four pressure switches are provided in a one-out-of-two taken twice logic for actuation of the isolation system. l 33 l 3.3.8.16 Reactor Building Ventilation Exhaust High Radiation High radiation levels in the reactor building ventilation exhaust could indicate a possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a leak in the reactor coolant pressure boundary. When high radiation levels are detected, isolation of the primary containment purge and vent valves (USAR Table V-2-2, signal Z),

which communicate with the primary containment atmosphere, is initiated to limit the release of fission products and the Standby Gas Treatment System (SBGTS) is started. Additionally, the Control Room Emergency Filtration System (CREFS) is initiated to provide operator protection.

This function is also used to mi ti gate the effects of a Fuel Handling Accident ( FHA) by initiating the Control Room Emergency Filtration System. With Secondary Containment Integrity not established, operation of a Reactor Building exhaust fan or SGT fan is necessary during the movement of lately irradiated fuel (fuel that has been in a critical core within 7 days) to ensure the credited Group 6 actuation occurs after an FHA. For further details, see USAR Section VII-12. 4, Reactor Building Isolation Ventilation Radiation Monitoring System.

Four sensors are provided in a one-out-of-two taken twice logic for actuation of the isolation system.

3.3.8.17 RWCU System High Flow High flow rate in the RWCU system could indicate a break in the system piping. The automatic closure of the RWCU supply valves (USAR Table V-2-2, signal J) prevents loss of coolant and the release of significant amounts of radioactive material outside of the primary containment. Actuation of this isolation is discussed further in USAR Section IV-9, "Reactor Water Cleanup System. "[l0 3 l 3.3.8.18 RWCU System Space High Temperature High temperature in the vicinity of the RWCU system equipment could indicate a break in the RWCU system equipment or could indicate a break in the RWCU system piping. The automatic closure of the RWCU supply valves

( USAR Table V-2-2, Signal J) prevents loss of coolant and the release of significant amounts of radioactive material outside of the primary containment. Actuation of this isolation is discussed further in USAR Section IV-9, "Reactor Water Cleanup System." [l0 3 J 3.3.8.19 Torus Area NW RHR Steam Line High Temperature High temperature in the vicinity of the RHR steam lines located in the torus area NW could indicate a break in these lines. The automatic closure of the HPCI system isolation valves also isolates this steam line (USAR Table V-2-2, signal M) and prevents loss of coolant and the release of significant amounts of radioactive material outside the primary containment.

VII-3-13 03/09/07

USAR The logic for this isolation signal is combined with the HPCI system equipment space high temperature logic (USAR Table V-2-2, signal L).

3.3.9 Instrumentation Sensors providing inputs to the Primary Containment Isolation System are not used for the automatic control of process systems, thus separating the functional control of protection systems and process systems.

Channels are physically and electrically separated to assure that a single physical event cannot prevent isolation. Channels for one monitored variable that are grouped near to each other provide inputs to different isolation trip systems. General Electric Drawing 730El49BB, Sheets 1 and 2, illustrate the functional arrangement of channels used to initiate isolation of various groups of valves. USAR Table VII-3-2 lists the isolation signal and the type of sensor that monitors the process (RWL level, radiation, etc.).

1. The reactor vessel low water level (Level 3) signal is initiated from four indicating type differential pressure switches which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel.

One contact on each of the four switches is used to indicate that water level has decreased to the Level 3 isolation setting. The four switches are arranged in pairs; each switch in a pair provides a signal to a different trip system.

Two sensing lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of switches. The two pairs of sensing lines terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. This arrangement assures that no single physical event can prevent isolation, if required. Cables from the level sensors are routed to the control room.

The instruments that initiate the Level 1 and Level 2 signals are arranged identically to the instruments that provide the Level 3 signals.

However, these instruments use different pressure sensing lines which are connected to the temperature equalizing columns.

2. Main steam line radiation is monitored by four radiation monitors, which are described in USAR Section VII-12, "Process Radiation Monitoring System."
3. High temperature in the vicinity of the main steam lines is detected by bimetallic temperature switches located along the main steam lines between the drywell wall and the turbine building. The detectors are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment. An additional temperature sensor is located near each set of four detectors for remote temperature readout and alarm. The temperature sensors activate an alarm at high temperature and upon loss of power. The main steam line space temperature detection system is designed to detect leaks of from 1 % to 10% of rated steam flow. A total of four main steam line space high temperature Trip Channels (Al, A2, Bl and B2) are provided. Each main steam line trip system receives an input signal from one main steam line space high temperature channel (temperature switch) to trip. The main steam line leak detection system is shown in Burns and Roe Drawing ILE70-3, Sheet 107B.
4. High flow in each main steam line is sensed by four indicating type differential pressure switches which sense the pressure difference across the flow restrictor in that line. Each main steam line isolation logic receives an input signal from one main steam line high flow channel.

VII-3-14 09/09/16

USAR

5. Main steam line low pressure is sensed by four bourdon tube operated pressure switches which sense pressure downstream of the outboard MSIVs. The sensing point is located at the header that connects the four steam lines upstream to the turbine stop valves. Each switch is part of an independent channel. Each channel provides a signal to one isolation logic.
6. Primary containment pressure is monitored by four non-indicating pressure switches which are mounted on instrument racks outside the drywell. Sensing lines that terminate in the reactor building connect the switches with the drywell interior. Cables are routed from the switch to the control room. The switches are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event will prevent isolation due to primary containment high pressure.
7. High temperature in the vicinity of the RCIC equipment is sensed by four sets of four (16 total) bimetallic temperature switches. Each set is arranged as two trip systems. Each trip system receives input signals from two temperature trip channels. Both trip systems must trip to initiate isolation. The location of the temperature switches is shown in Burns and Roe Drawing ILE70-3, Sheet 107F.
8. High flow in the RCIC turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the RCIC turbine steam supply pipeline. [34 l The locations of the elbow flow devices are inside the drywell immediately upstream of the inboard isolation valves (see USAR Figure VII-3-4). These devices have been located such that they will not experience any adverse effects or false indications from flow in the main steam line. The tripping of either trip channel initiates isolation of the RCIC turbine steam line. This is an exception to the usual channel arrangement. The reason for the exception was given in the discussion of the RCIC turbine high steam flow isolation function.
9. Low pressure in the RCIC turbine steam line is sensed by four pressure switches from the RCIC turbine steam line upstream of the isolation valves. The switches are arranged as two trip systems both of which must trip to initiate isolation of the RCIC turbine steam line. Each trip system receives inputs from two pressure switches either one of which can trip the trip system.
10. High temperature in the vicinity of the HPCI equipment and RHR steam lines located in the torus area NW is sensed by ten sets of four bimetallic temperature switches. Each set is arranged as one trip system with two trip subsystems. Each trip subsystem receives input signals from two temperature trip channels. Both trip subsystems must trip to initiate isolation. The location of switches is shown in Burns and Roe Drawing ILE70-3, Sheets 107C and 107E.
11. High flow in the HPCI turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across a mechanical flow element installed in the HPCI turbine steam pipeline.

The locations of the elbow flow devices are inside the drywell immediately upstream of the inboard isolation valves ( see USAR Figure VII-3-4) . These devices have been located such that they will not experience any adverse effects or false indications from flow in the main steam line. [34 l The tripping of either switch initiates isolation of the HPCI turbine steam line. This is an exception to the usual sensor arrangement. The reason for the exception was given in the discussion of the HPCI turbine high steam flow isolation function. Separation of the HPCI steam line ~P sensors is not required as the HPCI area temperature monitors are installed to provide complete line coverage.

VII-3-15 09/09/16

USAR High steam flow isolation protection for the runs of steam piping to the RHR heat exchangers is provided by the HPCI flow sensor and by temperature switches.

12. Low pressure in the HPCI turbine steam line is sensed by four pressure switches from the HPCI turbine steam line upstream of the isolation valves. The switches are arranged as two trip systems both of which must trip to initiate isolation of the HPCI turbine steam line. Each trip system receives inputs from two pressure switches either one of which can trip the trip system.
13. High temperature in the vicinity of the RWCU system lines is sensed by sets of bimetallic temperature switches. Each set is arranged as two trip systems receiving inputs from two temperature trip channels. Both trip systems must trip to initiate isolation. ll0 3 l
14. High RWCU system flow rate is sensed by two differential pressure instruments downstream of the supply isolation valves. This is discussed further in USAR Section IV-9, "Reactor Water Cleanup System," and USAR Figure IV-9-4. ll0 3 l Channel and logic relays are high reliability relays equal to type HFA relays made by the General Electric Company. The relays are selected so that the continuous load will not exceed 50% of the continuous duty rating.

3.3.10 Environmental Capabilities The physical and electrical arrangement of the Primary Containment Isolation System was selected so that no single physical event will prevent isolation. The location of Class A and Class B valves inside and outside the primary containment provides assurance that the control system for at least one valve on any pipeline penetrating the primary containment will remain capable of automatic isolation. Electrical cables for isolation valves in the same pipelines are routed separately. Motor operators for valves inside the primary containment are of the totally enclosed type; those outside the primary containment are also totally enclosed. Solenoid valves, whether used for direct valve isolation or as an air pilot, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from electro-magnetic fields.

Special consideration has been given to isolation requirements during a LOCA inside the drywell. Components of the Primary Containment Isolation System that are located inside the primary containment and that must operate during a LOCA are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a LOCA environment.

Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the isolation control system only after completion of environmental testing under LOCA conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

Verification that the isolation equipment has been designed, built, and installed in conformance to the specified criteria is accomplished through quality control and performance tests in the vendor's shop or after VII-3-16 o4/o6;os I

USAR installation at the station before startup, during startup, and thereafter during the service life of the equipment.

In addition to the EQ Program, control is also exercised through review of equipment design, during bid review, and by approval of vendor's drawings during the fabrication stage. Purchase specifications require extensive control of materials and of the fabrication procedure.

3.4 Safety Evaluation The Primary Containment Isolation System, in conjunction with other protection systems such as the Reactor Protection System, provides for the measurement of system processes and actuation of specified isolation for pathways that could result in the release of radioactive materials, so that the limits of 10CFRlOO, 10CFR50. 67, and 10CFR20 are met as required. The PCIS system also adequately limits the loss of reactor coolant inventory for specific events.

The specific consequences of analyzed accident events is presented in detail in the applicable system's chapters in the USAR, such as Chapter III and VI, and the detailed accident and release analyses of Chapter XIV.

The surveillance test and calibration frequencies for the instrumentation of the Primary Containment Isolation System are selected on the same basis as for the RPS (see USAR Section VII-2. 6). Except for the various radiation monitors, the channels are of the bistable type. The radiation monitoring systems are described in USAR Section VII-12, "Process Radiation Monitoring".

The surveillance test frequencies for the automatic isolation valves of the Primary Containment Isolation System have been selected in consideration of the need to prevent uncovering the core following pipe breaks outside the primary containment, the need to contain released fission products following pipe breaks inside the primary containment, the reliability of the valves, and the potential service experience of the valves. The valves of the system are highly reliable and have low service requirements; many of the valves are normally closed. Successful passing of the surveillance tests for the valves that are required for reactor vessel isolation shall meet the required closure times.

Design procedure has been to select tentative isolation trip settings that are far enough above or below operating levels that spurious isolation and operating inconvenience are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and reactor coolant pressure boundary is kept within acceptable bounds. Trip setting selection is based on operating experience and constrained by the safety design basis and the safety analyses.

USAR Chapter XIV, "Station Safety Analysis," shows that the actions initiated by the Primary Containment Isolation System, in conjunction with other safety systems, are sufficient to prevent releases of radioactive material from exceeding the guide values of published regulations. Because the actions of the system are effective in restricting the uncontrolled release of radioactive materials under accident situations, the Primary Containment Isolation System meets the precision and timeliness requirements of safety design basis 5.

Because the Primary Containment Isolation System meets the precision and timeliness requirements of safety design basis 1 using instruments with the characteristics described in USAR Table VI I-3-2, it is concluded that safety design basis 2 is met.

VII-3-1 7 02/05/10

USAR Temperatures in the spaces occupied by various steam lines outside the primary containment are the only important variables of significant spatial dependence that provide inputs to the Primary Containment Isolation System. High space temperature provides trip signals to PCIS Groups 1, 3, 4, and 5. A Group 1 Isolation can be caused by the Main Steam Line Leak Detection system that is composed of 16 temperature switches. Sixteen temperature switches are dispersed near the steam lines in the Main Steam Tunnel providing assurance that a significant break will be detected rapidly and accurately.

These sixteen switches are arranged in four Trip Channels (Al, A2, Bl and B2) which consist of four channels ( temperature switches) each located in the steam tunnel, between the drywell and the secondary containment barrier and will cause MSIV closure for High Energy Line Breaks in the Main Steam Tunnel.

The Group 3, Group 4, and Group 5 isolation signals for HPCI, RCIC, and RWCU are configured in an analogous manner along these high energy piping runs.

This assures that abnormal air temperature increases are detected regardless of leak location in that space. It is concluded that the number of sensors that are provided for steam line break detection satisfies safety design basis 3.

Because the Primary Containment Isolation System meets the timeliness and precision requirements of safety design basis 1 by monitoring variables that are true, direct measures of operational conditions, it is concluded that safety design basis 4 is satisfied.

Section XIV, "Station Safety Analysis," evaluates a gross breach in a main steam line outside the primary containment during operation at full power. The evaluation shows that the main steam lines are automatically isolated in time to prevent a release of radioactive material in excess of 10CFRl00 limits and to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed. The time required for automatic closure of the MSIVs meets the requirements of safety design basis 5.

The shortest closure time of which the MSIVs are capable is three seconds. The transient resulting from a simultaneous closure of all MSIVs in three seconds during reactor operation at full power is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in a small fraction of one second) coincident with failure of the turbine bypass system.

The RPS is capable of accommodating the transient resulting from the inadvertent closure of the MS IVs. This conclusion is substantiated by USAR Chapter XIV, "Station Safety Analysis." This meets safety design basis 6.

The items of safety design bases 7, 8, and 9 must be fulfilled for the Primary Containment Isolation System to meet the design reliability requirements of safety design basis 1. It has already been shown that safety design bases 7f and 7h have been met. The remainder of the reliability requirement is met by a combination of logic arrangement, sensor redundancy, wiring scheme, physical isolation, power supply arrangement, and environmental capabilities. These subjects are discussed in the following paragraphs.

Because important variables are monitored by four channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from achieving isolation. An analysis of the isolation control system shows that the system does not fail to respond to important variables as a result of single electrical failures such as short circuits, ground, and open circuits. A single trip system trip is the result of these VII-3-18 06/06/13

USAR failures. Isolation is initiated upon a trip of the remaining trip system. For some of the exceptions to the usual logic arrangement a single failure could result in inadvertent isolation of a pipeline. With respect to the release of radioactive material from the reactor coolant pressure boundary, such inadvertent valve closures are in the safe direction and do not pose any safety problems. This meets safety design bases 7a and 7b.

The redundancy of channels provided for all important variables provides a high probability that whenever an important variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all channels for one important variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings. This meets safety design basis 7c.

The sensors, circuitry, and logics used in the Primary Containment I sol a tion System are not used in the control of any process system. Thus, malfunction and failures in the controls of process systems have no direct effect on the isolation control system. This meets safety design basis 7d.

The various power supplies used for the isolation system logic circuitry and for valve operation provide assurance that the required isolation can be effected in spite of power failures. If AC for valves inside the primary containment is lost, DC is available for operation of valves outside the primary containment. The main steam isolation valve control arrangement is resistant to both AC and DC power failures. Because both solenoid operated pilot valves must be deenergized, loss of a single power supply will neither cause inadvertent isolation nor prevent isolation if required.

The logic circuitry for each channel is powered from the separate sources available from the reactor protection system busses (Critical Instrument and Control Panel, 125 VDC busses (Division I/II) or 250 VDC (Division I/II)). A loss of power here results in a single trip system trip.

In no case does a loss of a single power supply prevent isolation when required. This meets safety design basis 7e.

All instruments, valve closing mechanisms, and cables of the isolation control system can operate under the most unfavorable environmental conditions associated with normal operation. The discussion of the effects of rapid nuclear system depressurization on level measurement given in USAR Section VII-2, "Reactor Protection System", is equally applicable to the reactor vessel low water level switches used in the Primary Containment Isolation System. The temperature, pressure differential pressure, and level switches, cables and valve closing mechanisms used were selected with ratings that make them suitable for use in the environment in which they must operate.

The special considerations, discussed in USAR Section VII-3.3.10, made for the environmental conditions resulting from a loss-of-coolant accident inside the drywell are adequate to ensure operability of essential isolation components located inside the drywell.

The wall of the primary containment effectively separates adverse environmental conditions, which might otherwise affect both isolation valves in a pipeline. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given pipeline. The previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part. Electrical transients have no significant effect on the functioning of the isolation control system. It is that safety design basis 7g is satisfied.

VII-3-19 04;06;05 I

DSAR The design of the MSIVs meets the requirement of safety design basis Ba in that the motive force for closing each MSIV is derived from both a source of pneumatic pressure and the energy stored in the springs. Either energy source is capable, alone, of closing the valve. None of the valves reJ jes on continuity of any sort of electrical power to achieve closure in response to essential safety signals. Total loss of the power used to control the valves would result i.n closure. This meets safety design basis Bb.

Calibration and test controls for pressure and level switches are located on the switches themselves. These switches arc located in the turbine building and reactor building. To gain access to the setting controJ.s, deliberate manual action is required. The 1ocat.i on of calibration and test controls in areas under the control of t:.he contro.1 room operator or other supervisory personnel reduces the probabi ity that operational reliability will be degraded by operator error. This meets safety design basis 9a.

Switches are installed in the controJ circuit for various containment isolation valves to enable their opening if necessary (for purging, venting, inerting or sampling) without contjnuous indication of the bypass condition in the Control Room. Per guidance provided in Regulatory Guide 1. 47 r continuous indication of the bypass condition for those valves is not required since the condition is not expected to occur more frequently than once per year and then only when the system is not required to be operable. The aforementioned bypass switches are a 7 located in the control room and are under the control of the control room operator. This meets safety des basis 9b.

Because safety design bases 7 1 8 1 and 9 have been met, it can be concluded that the Primary Containment IsoJation System satisfies the reliability requirement of safety design base::s 10 1 1 la I and 1 lb was shown in the description of the system. The following section describing inspection and test or the system demonstrates that safety design basis 12 is satisfied.

Tt is concluded that all safety design bases are met.

3.5 Inspection and Testing Primary Containment Isolation valves within the scope of the Inservice Testing Program are tested in accordance with the Inservice Testing Program requirements. Isolation valves can be tested to assure that they are capable of clos ng by operating manual switches in the control room and observing the position lights and any associated process effects. The channel and trip system responses can be functionally tested by applying test signals to each channel and observing the trip system response. Testing of the MSIVs is discussed in USAR Section IV-6, "Main Steam Line Isolation Valves".

The containment spray valve, and low pressure ECCS injection valve control circuits include interlocks which prevent the simultaneous manual opening of the (series) valves to allow testing during reactor operation. l?-,J All temperature sensors for the RCIC, HPCI 1 RWCU, and main steam line leak detection systems will be tested during normal plan operation by the use of permanently instaJled heat wires for inaccessib e areas. l\ll systems are designed in accordance with the provisions o If~EE-279i. t 34 J VIT-3-20 04/17/20

USAR TABLE VII-3-6 PRIMARY CONTAINMENT ISOLATION SYSTEM (PCIS)

SIGNALS AND ISOLATIONS (Allowable Values are listed in Technical Specifications)

Group 1 Isolation Signals:

1. Reactor Low Low Low Water Level (Level 1) (AL -158.19")
2. Main Steam Line Low Pressure (AL= 825 psig)
3. Main Steam Line Leak Detection (AL= 200°F)
4. Condenser Low Vacuum (AL= 7" Hg vacuum)
5. Main Steam Line High Flow (150% steam flow)

Isolations:

1. MSIV's
2. Main Steam Line Drains Group 2 Isolation Signals:
1. Reactor Low Water Level (Level 3) (AL +0. 5")
2. High Drywell Pressure (AL= +2 psig)

Isolations:

1. RHR Shutdown Cooling mode of the RHR System
2. Drywell floor and equipment drain sump discharge lines
3. TIP ball valves
4. RHR to Radwaste Isolation Valves Group 3 Isolation Signals:
1. Reactor Low Low Water Level (Level 2) (AL = -4 9")
2. Reactor Water Cleanup System High Flow (AL= 200% flow)
3. Reactor Water Cleanup System High Area Temperature (AL= 200°F)

Isolations:

1. Reactor Water Cleanup System Group 4 Isolation Signals:
1. HPCI Steam High Flow (AL= 300% flow; AL, Time Delay 7 seconds)
2. HPCI High Area Temperature (AL= 200°F)
3. HPCI Steam Low Pressure (AL= 100 psig)

VII-3-21 04/06/05

USAR TABLE VII-3-6 (CONT'D)

PRIMARY CONTAINMENT ISOLATION SYSTEM (PCIS)

SIGNALS AND ISOLATIONS (Allowable Values are listed in Technical Specificatio ns)

Isolations:

Isolates the HPCI steam line Group 5 Isolation Signals:

1. RCIC Steam High Flow (AL= 300% flow; AL, Time Delay 7 seconds)
2. RCIC High Area Temperature (AL= 200°F)
3. RCIC Steam Low Pressure (AL= 50 psig)

Isolations:

Isolates the RCIC steam line Group 6 Isolation Signals:

1. Reactor Low Low Water Level (Level 2) (AL = -4 9")
2. High Drywell Pressure (AL= +2 psig)
3. Reactor Building H&V Exhaust Plenum High Radiation (AL 100 mr/hr above background)

Isolations:

1. Secondary Containment Isolation
2. Primary Containment (Drywell and Suppression Chamber) Atmospheric Control Isolation Valves
3. Primary Containment Atmospheric Monitor Isolation Valves
4. Start Standby Gas Treatment System
5. Initiate Control Room Emergency Filtration System Group 7 Isolation Signals:
1. Reactor Low Low Low Water Level (Level 1) (AL = -158. 19")
2. Main Steam Line High Radiation (Tech Spec Allowable Value ~3 times full power background)

Isolations:

Reactor Water Sample Valves VII-3-22 04/06/05

USAR 4.0 EMERGENCY CORE COOLING SYSTEMS CONTROL AND INSTRUMENTATION 4 .1 Safety Objective The safety objective of the Emergency Core Cooling System (ECCS) control and instrumentation is to initiate appropriate responses from the various cooling systems so that the fuel is adequately cooled under abnormal or accident conditions. The cooling provided by the systems limits the release of radioactive materials from the fuel by limiting the extent of fuel damage following situations in which reactor coolant is lost from the nuclear system.

Even after the reactor is shutdown from power operation by the full insertion of all control rods, heat continues to be generated in the fuel as radioactive fission products deca.y. An excessive loss of reactor coolant would allow the fuel temperature to rise, cladding to melt, and fission products in the fuel to be released. If the temperatures in the reactor rose to a sufficiently high value, a metal-(zirconiu m)-water reaction could occur, which would release energy. Such a reaction would increase the pressure inside the nuclear system and the primary containment. This could threaten the integrity of the barriers which are relied upon to prevent the uncontrolled release of radioactive materials. The controls and instrumentation for the ECCS prevent such a sequence of events by actuating core cooling systems in time to limit fuel temperatures to acceptable levels.

4.2 Safety Design Basis

1. Controls and instrumentation shall, with precision and reliability, automatically initiate and control the ECCS to allow removal of heat from the reactor core in time to prevent fuel clad temperatures in excess of 2200°Fr 351 so that fuel and core deformation do not limit effective cooling of the core.
2. Controls and instrumentation shall with precision and reliability initiate and control the ECCS with sufficient timeliness to prevent more than a small fraction of the reactor core from heating to a temperature at which a gross release of fission products could occur.
3. To meet the precision requirements of safety design bases 1 and 2, the controls and instrumentation for the ECCS shall respond to conditions that indicate the potential inadequacy of core cooling, regardless of the physical location of the defect causing the inadequacy,
4. To place limits on the degree to which safety is dependent on operator judgement in time of stress, the following safety design bases are specified:
a. Appropriate responses of the ECCS shall be initiated automatically by control systems when positive precise action is immediately required so that no decision or manipulation of controls beyond the capacity of operations personnel is demanded.
b. Readout of the responses of the ECCS shall be provided to the operator by Main Control Room instrumentation so that faults in the actuation of safety equipment can be diagnosed.

VII-4-1 08/14/00

USAR

c. Facilities for manual actuation of the ECCS shall be provided in the Main Control Room so that operator action is possible, yet reserved for the remedy of a deficiency in the automatic actuation of the safety equipment or for control over the long term effects of an abnormal or accident condition.
5. To meet the reliability requirements of safety design bases 1 and 2, the following safety design bases are specified:
a. No single failure, maintenance, calibration, or test operation shall prevent the integrated operations of the ECCS from providing adequate core cooling.
b. No equipment protective device which causes interruption of performance or availability of the ECCS shall be automatic, unless there is a high probability that continued use would make complete failure imminent. Instead, such protective devices shall indicate off-standard conditions for operator decision and action.
c. The power supplies for the controls and instrumentation for the ECCS shall be chosen so that core cooling can be accomplished concurrently with a loss of offsite AC power.
d. The physical events that accompany a loss-of-coolant accident (LOCA) shall not interfere with the ability of the ECCS controls and instrumentation to function properly.
e. Earthquake loading shall not impair the ability of required ECCS controls and instrumentation to function properly.
6. To provide the operator with the means to verify the availability of the ECCS, it shall be possible to test the responses of the controls and instrumentation to conditions representative of transient or accident situations.

Some components in ECCS are also used in support of the Alternate Shutdown System (ASD). The safe shutdown systems that are used to ensure post fire shutdown capability need not be designed to meet seismic Category I criteria, single failure criteria, or other design basis accident criteria, except where required because of interface with existing safety systems, e.g.

isolation switches (NFPA 805-2001, Section 2.3).

The pressure switches that monitor the LPCI, CS, and HPCI system lines shall be functionally tested and calibrated every three months.

4.3 Power Generation Objective The power generation objective of the ECCS is to provide a means of alternate shutdown in the special event of a fire.

4. 4 Power Generation Design Basis Alternate Controls for the HPCI, ADS, and RHR Systems independent of the Control Room, Computer Room, Cable Spreading Room, Cable Expansion Room, Auxiliary Relay Room, and Reactor Building 903' El Northeast Corner shall be provided to achieve safe shutdown during a fire related special VII-4-2 04/28/16

USAR event. See USAR Section VII-18, "Alternate Shutdown Capability," for further information.

4.5 Description 4.5.1 Identification The controls and instrumentation for the ECCS are identified as that equipment required for the initiation and control of the following:

High Pressure Coolant Injection System (HPCI)

Automatic Depressurizatio n System (ADS)

Core Spray System Low Pressure Coolant Injection ( LPCI an operating mode of the Residual Heat Removal System)

The equipment involved in the control of these systems includes automatic injection valves, turbine driven pump controls, electric motor driven pump controls, relief valve controls, and the switches, contacts, and relays that make up sensory logic channels. Injection check valves and certain automatic isolation valves are not included in this description because they are described in USAR Section VII-3, "Primary Containment Isolation System Controls and Instrumentation ".

A comprehensive comparison of the ECCS with the design requirements of proposed IEEE 27 9 has been assembled into a topical report entitled, "Compliance of Protection Systems to Industry Criteria and General Electric BWR Nuclear Steam Supply System," NEDO 10139, June, 1970. The results of this analysis indicate that the ECCS meets the design requirements of proposed IEEE 2 7 9. l 36 l The ECCS actuation and control instrumentation s can be conveniently divided into two parts, the detection circuitry and the control instrumentation . The detection circuitry includes those channels which detect a need for ECCS operation and the corresponding logic circuits which initiate the proper response of ECCS. The control instrumentation includes the balance of ECCS instrumentation which is utilized in control and testing.

4.5.2 High Pressure Coolant Injection System (HPCI) Control and Instrumentation

4. 5. 2 .1 Identification and Physical Arrangement When actuated the HPCI system pumps water from either the emergency condensate storage tanks or the suppression chamber to the reactor vessel via the feedwater pipeline. HPCI includes one turbine, one turbine-driven pump (main pump and booster pump in tandem) , one DC motor driven auxiliary oil pump, one gland seal condenser, one DC condensate pump, one gland seal condenser DC blower, automatic valves, control devices for this equipment, sensors, and logic circuitry. The arrangement of equipment and control devices is shown in Burns and Roe Drawing 2044.

Pressure and level switches used in HPCI are located on racks in the Reactor Building and Control Building. The only operating component for HPCI that is located inside primary containment is one of the two HPCI turbine steam supply pipeline isolation valves. The rest of the HPCI control and instrumentation components are located outside primary containment.

VII-4-3 08/14/00

USAR Al though the system is arranged to allow a full flow functional test of the system during power operation, the system logic will automatically re-align HPCI for injection if an initiation signal is received. Al though the logic re-aligns HPCI from the design flow functional test mode to the operating mode, the HPCI design function is not fulfilled due to the time required for realignment. To meet its safety design function, HPCI must be initially in an alignment where the system is capable of responding to and performing its mitigating function within analyzed limits.

No automatic actuation signals are utilized or required when operation or testing is from the ASD Room. See USAR Section VII-18.0 for ASD capability.

Cables connect the sensors to control circuitry in the Main Control Room as well as in the Alternate Shutdown (ASD) Room. Control is transferred from the Main Control Room to the ASD Room via manually operated transfer switches located on the HPCI ASD panel and annunciation will occur in the Main Control Room upon transfer.

4. 5. 2. 2 HPCI Actuation Signals and Logic Either reactor vessel low water level (Level 2) or primary containment ( drywell) high pressure will automatically start HPCI as indicated in General Electric Drawing 729E589BB, Sheets 1, 2, and 3. Reactor vessel low water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.

The logic scheme used for initiating the HPCI system is a single initiation system containing two decision making logic circuits as shown in USAR Figure VII-4-10. Each decision making logic is made up of two parallel paths. One decision making logic actuates upon receipt of a low water level (Level 2) signal. The other actuates upon receipt of a high drywell pressure signal. Either decision making logic can start HPCI. The HPCI trip system is DC powered.

Instrument characteristics for HPCI controls and instrumentation are listed in USAR Table VII-4-1. The reactor vessel low water level (Level 2) setting for HPCI actuation is conservatively selected above the Top of Active Fuel to start HPCI in time to prevent fuel damage during abnormal operational transients. The water level setting is far enough below normal levels that spurious HPCI startups are avoided. The primary containment high pressure setting is selected to be as low as possible without inducing spurious HPCI startup. No automatic actuation signals are utilized or required when operation or testing is from the Alternate Shutdown Panel. See USAR Section VII-18.0 for ASD capability.

4.5.2.3 HPCI Initiating Instrumentation Reactor vessel low water level ( Level 2) is monitored by four indicating type multi-circuit level switches that sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual height of water in the vessel. Two pipelines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of switches.

The two pairs of pipelines terminate outside the primary containment and inside the Reactor Building: they are physically separated from each other and tap off the reactor vessel at separate points. These same pipelines are also used for pressure and water level instruments for other systems. The level switches for HPCI are arranged in pairs, each pair sensing level from one pair of pipelines. Either pair sensing low water level can initiate the HPCI system. This arrangement assures that no single event can prevent HPCI actuation from reactor vessel low water level. Temperature compensating columns are used to increase the accuracy of level measurements.

VII-4-4 12/29/03

USAR TABLE VII-4-1 HIGH PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS [127 l (See Technical Specifications for Allowable Values)

HPCI Function Instrument Range Reactor vessel Level switch High water level Turbine trip Turbine exhaust Pressure switch 25-240 psig High pressure HPCI pump low Pressure switch 30 in. Hg VAC -0.5 Suction pressure psig

  • Reactor vessel Level switch low water level (Level 2)
  • Primary containment Pressure switch 0.5-6 psig (drywell) high pressure HPCI steam supply Pressure switch 25-240 psig low pressure HPCI system flow Flow switch 0-1000 gpm (for discharge bypass)

Suppression pool high Level switch -10 to +10 in. H2 0 Water level Emergency condensate Level switch Storage tank water Level Turbine overspeed Centrifugal device N/A

  • Incident detection circuitry instrumentation .

VII-4-5 07/28/17

USAR Primary containment pressure is monitored by four non-indicating pressure switches which are mounted on instrument racks outside the drywell but inside the Reactor Building. Pipes that terminate in the Reactor Building allow the switches to communicate with the drywell interior. The switches are grouped in pairs similar to the level sensors and electrically connected so that no single event can prevent the actuation of HPCI due to primary containment high pressure.

4. 5. 2. 4 HPCI Turbine and Turbine Auxiliaries Control The HPCI controls automatically start HPCI upon receipt of an actuation signal and bring the system to its design flow rate within 55 seconds as required by the LOCA Analysis ( See USAR Section VI-4. 1) . The controls then function to provide design make up water flow to the reactor vessel until vessel water level is restored to normal or until steam supply pressure falls below the 100 psig Analytical Limit, at which time HPCI automatically shuts down. HPCI will automatically restart if reactor vessel level decreases to the Level 2 setpoint again with a steam pressure above the preset pressure. The HPCI controls are arranged to allow remote-operator startup, operation, and shutdown from the Main Control Room or Alternate Shutdown Panel.

The HPCI turbine is functionally controlled as shown in General Electric Drawing 729E589BB, Sheet 3. A control governor receives a HPCI flow signal and adjusts the turbine steam control valve so that HPCI design pump discharge flow rate is obtained. Manual control of the governor is possible in the test mode, but the governor automatically returns to automatic control upon receipt of a HPCI actuation signal. General Electric Drawing 729E589BB, Sheet 3, shows the various modes of turbine control. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the HPCI pump discharge pipeline. The governor controls the pressure applied to the hydraulic operator of the turbine control valve which, in turn, controls the steam flow to the turbine.

Hydraulic pressure is supplied for both the turbine control valve and the turbine stop valve by the DC powered oil pump during startup and then by the shaft-driven hydraulic oil pump when the turbine speed is adequate.

Upon receipt of an actuation signal, the auxiliary oil pump starts, providing hydraulic pressure for the turbine stop valve and turbine control valve hydraulic operator. When the control switch for the auxiliary oil pump is in the pull to lock position, it locks out the auxiliary oil pump and thus blocks the automatic start of HPCI. An annunciator circuit will alarm when the switch is in the "pull to lock" position reminding the operator that the HPCI automatic start has been blocked. [37 l The flow signal will ramp the control governor until rated flow is achieved. Turbine speed is limited to the maximum output of the flow controller and is equivalent to the maximum turbine speed required to maintain design flow. As hydraulic oil pressure is developed, the turbine stop valve and the turbine control valve open simultaneously, and the turbine accelerates toward the speed setting of the control governor. As HPCI flow increases, the flow signal adjusts the control governor setting so that design flow is maintained.

The turbine is automatically shut down by tripping the turbine stop valve closed if any of the following conditions are detected; Turbine overspeed High turbine exhaust pressure VII-4-6 08/14/00

USAR Low pump suction pressure Reactor vessel high water level HPCI automatic isolation signal Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust pipeline. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service. A turbine trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected to minimize a spurious turbine trip but sufficient to prevent damage before the turbine is shut down. Turbine over speed is detected by a standard turbine overspeed mechanical- hydraulic device. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown. One pressure switch is used to detect low HPCI pump suction pressure.

High water level in the reactor vessel indicates that the HPCI has performed satisfactor ily in providing makeup water to the reactor vessel.

The reactor vessel high water level setting (Level 8) which trips the turbine is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Two level switches that sense differentia l pressure are arranged to require that both switches trip to initiate a turbine shutdown. The HPCI auto isolation signals are described in USAR Section VII-3, "Primary Containment Isolation System Controls and Instrumenta tion."

The control scheme for the turbine auxiliary oil pump is shown in General Electric Drawing 72 9E58 9BB, Sheet 2. The controls are arranged for automatic or manual control. Upon receipt of a HPCI actuation signal the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft driven oil pump begins to supply hydraulic pressure. After about 1/2 minute during an automatic turbine startup, the pressure supplied by the shaft driven oil pump is sufficient, and the auxiliary oil pump automatical ly stops upon receipt of a high oil pressure signal. Should the shaft driven oil pump malfunction , causing oil pressure to drop, the auxiliary oil pump restarts. The auxiliary oil pump will also restart following a turbine trip or isolation when the pressure supplied by the shaft driven oil pump drops as the turbine loses speed.

Operation of the gland seal condenser components- -gland seal condenser condensate pump, gland seal condenser blower, and gland seal condenser water level instrumenta tion--preven ts out leakage from the turbine shaft seals. Startup of this equipment is automatic, as shown in General Electric Drawing 729E589BB, Sheets 2 and 3; failure of this equipment will not prevent HPCI from providing water to the reactor vessel.

4. 5. 2. 5 HPCI Valve Control Automatic valves in HPCI are equipped with remote-oper ator test capability, so that the entire system can be operated from the Main Control Room. Selected valves can be operated from the Alternate Shutdown Panel.

Motor operated valves are provided with appropriate limit or torque switches to turn off the motors when the full open or full closed positions are VII-4-7 08/14/00

USAR reached. Some HPCI valves are closed due to receipt of an automatic HPCI isolation signal generated by HPCI turbine steam line high flow, HPCI turbine steam supply low pressure, or high steam line space temperature.

Either signal indicates a steam line break and the valves that receive the signal are the two HPCI injection valves, the HPCI suction valve from the suppression pool, and the two HPCI turbine exhaust line drain valves. The signal also trips the HPCI turbine. The automatic HPCI isolation signal latches to prevent the valves from being re-opened; the signal must be remotely reset by operator action with the push-button switches located in the Main Control Room. All essential components of HPCI controls operate from DC power sources.

To assure that the HPCI can be brought to design flow rate within 55 seconds from the receipt of the actuation signal, the following maximum operating times against full reactor pressure for essential HPCI valves are provided by the valve operation mechanisms:

HPCI Turbine steam supply valve 40 seconds HPCI injection valve 19 seconds HPCI pump minimum flow bypass valve 10 seconds The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa. Because the two HPCI steam supply line containment isolation valves are normally open and because they are intended to isolate the HPCI steam line in the event of a break in that line, the operating time requirements for them are based on isolation specifications. These are described in USAR Section V-2, "Primary Containment."

A normally closed DC motor-operated steam supply to turbine block valve, HPCI-MO14, is located in the turbine steam supply pipeline just upstream of the turbine stop valve. The control scheme for this valve is shown in General Electric Drawing 729E589BB, Sheet 2. Upon receipt of a HPCI actuation signal this valve opens and remains open until closed by operator action or a vessel high water level signal.

Two normally open containment isolation valves are provided in the main steam supply line to the turbine. The valve inside the drywell, HPCI-MO15, is controlled by an AC motor. The valve outside the drywell, HPCI-MO16, is controlled by a DC motor. The control diagram is shown in General Electric Drawing 729E589BB, Sheet 1. These isolation valves automatically close upon receipt of a HPCI turbine steam line high flow signal, or a HPCI turbine steam supply low pressure signal, or high steam line space temperature. The instrumentation for isolation is described in USAR Section VII-3, "Primary Containment Isolation System Controls and Instrumentation ."

Two pump suction valves are provided in HPCI. Pump suction from the emergency condensate storage tank is through valve HPCI-MO17. Pump suction from the suppression pool is through valve HPCI-MO58. The emergency condensate storage tank is the initial source. These valves are operated by DC motors. The control arrangement is shown in General Electric Drawing 729E589BB, Sheet 1. Although HPCI-MO17 is normally open, a HPCI actuation signal to open will be initiated if the suppression pool suction valve is not fully open. If the water level in the emergency condensate storage tank falls below the minimum level, HPCI-MO58 automatically opens. When HPCI-MO58 is fully open, HPCI-MOl 7 automatically VII-4-8 11/05/14

USAR closes. Four level switches are used to detect the emergency condensate storage tank low water level condition. Any switch can cause the suppression pool suction valve to open. HPCI-MO58 also automatical ly opens and HPCI-MO17 closes if a high water level is detected in the suppression pool. Two level switches monitor the suppression pool water level. Either switch can initiate opening of the suppression pool suction valve. If open, HPCI-MO58 automatical ly closes upon receipt of the signals that initiate HPCI steam line isolation.

Two DC motor-opera ted valves (MOVs) in the HPCI pump discharge pipeline are provided. The control schemes for these two valves are shown in General Electric Drawing 729E589BB, Sheet 1. Both valves are arranged to open upon receipt of a HPCI actuation signal. The valves remain open upon receipt of a turbine trip signal until closed by operator action in the Main Control Room.

To prevent the turbine pump from being damaged by overheating at reduced HPCI pump discharge flow, a pump discharge minimum flow bypass is provided to route the water discharged from the pump back to the suppression pool. The bypass is controlled by an automatic, DC MOV whose control scheme is shown in General Electric Drawing 729E589BB, Sheet 1. At HPCI high flow, the valve is closed; at low flow, the valve is opened. Flow switches that measure the pressure difference across a flow element in the HPCI pump discharge pipeline provide the signals used for flow indication. There is also an interlock provided to shut the minimum flow bypass whenever the turbine is tripped. This prevents draining the emergency condensate storage tanks into the suppression pool.

To prevent the HPCI steam supply pipeline from filling up with water and cooling, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The control scheme is shown in General Electric Drawing 729E589BB, Sheet 2. The controls position valves so that during standby operation, steam line drainage is routed to the main condenser. Upon receipt of a HPCI actuation signal, the drainage path is isolated. The water level in the steam line drain condensate pot is controlled by a level switch and an air operated valve which opens to allow condensate to flow out of the pot.

During test operation, the HPCI pump discharge is routed to the emergency condensate storage tank. Two DC MOVs are installed in the pump discharge to the emergency condensate storage tank. The piping arrangement is shown in Burns and Roe Drawing 2044. The control scheme for the two valves is shown in General Electric Drawing 729E589BB, Sheet 1. Upon receipt of a HPCI actuation signal or the suppression pool suction valve opens, the valves close and remain closed. Numerous indications pertinent to the operation and condition of HPCI are available to the Main Control Room operator. Burns and Roe Drawing 2044 and General Electric Drawing 729E589BB, Sheet 2 show the various indications provided.

The HPCI discharge lines are maintained full of water. The design is similar to the fill systems for the RHR and Core Spray Systems (see USAR Section VII-4.5.4.4 ). An alarm annunciates in the Main Control Room indicating possible loss of water fill in the lines. [3 BJ VII-4-9 08/14/00

USAR 4.5.2.6 HPCI Environment al Consideratio ns The only HPCI control component located inside the primary containment that must remain functional in the environment resulting from a LOCA is the control mechanism for the inboard isolation valve on the HPCI turbine steam line. The environment al capabilitie s of this valve are discussed in USAR Section VII-3, "Primary Containment and Reactor Vessel Isolation Control System". The HPCI control and instrumenta tion equipment located outside the primary containment is selected in consideratio n of the normal and accident environment s in which it must operate.

4.5.3 Automatic Depressuriz ation System Control and Instrumenta tion

4. 5. 3 .1 Identificati on and Physical Arrangement The eight relief valves installed on the main steam lines inside the primary containment are automatical ly controlled (See USAR Sections IV-4. 5. 1 and IV-4. 5. 2) . Six of the valves are associated with the ADS and the other two are controlled by the Low-low set (LLS) relief logic.

The relief by mechanical action is initiated inherently by an overpressur e condition in the nuclear system. The depressuriz ation by automatic action of the control system is employed to reduce nuclear system pressure so that the Core Spray system and LPCI mode of the RHR system can inject water into the reactor vessel during a LOCA when HPCI is inoperable. The automatic control and instrumenta tion equipment for the automatic depressuriz ation mode of relief valve operation is described in this subsection.

The control system, which is functionally illustrated in General Electric Drawing 730E149BB, Sheet 1, consists physically of water level sensors arranged in trip systems that control a solenoid-op erated pilot air valve. The solenoid-op erated pilot valve controls the pneumatic pressure applied to a diaphragm actuator which controls the relief valve directly. An accumulator is included with the control equipment for each relief valve to store pneumatic energy for relief valve operation. The accumulator s are sized to provide sufficient nitrogen for a minimum of five ( 5) pilot actuations following failure of the normal nitrogen supply to the accumulator . Cables from the sensors lead to the Main Control Room where the logic arrangement s are formed. In the event of fire damage to the Main Control Room control capability, three (3) relief valves can be controlled from the Alternate Shutdown Room following the transfer of control capability via a transfer switch located on the ADS Alternate Shutdown Panel. Each ADS control logic is normally powered from its respective division of 125 volt DC power. On loss of the normal divisional power, transfer to the other di vision of 125 volt DC power occurs. l 39 l The (three) relief valves when controlled from the ASD panel are powered from the ASD panel.

4.5.3.2 Automatic Depressuriz ation System Initiating Signals and Logic The ADS logic sequence begins by activation of reactor vessel low water level (Level 3). If the reactor vessel water level continues to decline, reactor vessel low water level (Level 1) will be activated. Once these signals are present, there is a time delay of sufficient duration (see USAR Table VI-5-4) to allow HPCI to restore water level before the relief valves are actuated. If both halves of a channel logic are complete, Core Spray or RHR pump discharge pressure is above a given setpoint, and the time VII-4-10 08/14/00

USAR delay has been satisfied, ADS will activate automatically. This low water level condition would normally not be sustained unless HPCI failed.

There are two inhibit switches on the main control panel which allow the operator to prevent actuation of the ADS when RPV depressurizatio n by ADS actuation is not required to ensure adequate core cooling. [Bll After receipt of one initiation signal, and after the time delay provided by timer relays, the solenoid-operat ed pilot valve is energized provided that at least one LPCI (RHR) or Core Spray pump is running.

Energization of the solenoid operated pilot valves allows pneumatic pressure from the accumulator to act on the diaphragm actuator. The diaphragm actuator is an integral part of the relief valve and expands to hold the relief valve open. Lights in the Main Control Room inform the Main Control Room operator whenever the solenoid-operat ed pilot valve is energized, indicating that the relief valve is open or being opened.

A two-position switch is provided in the Main Control Room for the remote control of each relief valve. The two positions are "open" and "auto". In the "open" position the switch energizes the solenoid-operat ed pilot valve, which allows pneumatic pressure to be applied to the diaphragm actuator of the relief valve. This allows the Main Control Room operator to take manual action independent of the automatic system. Appropriate numbers of relief valves can be opened in this manner to provide a controlled nuclear system cooldown under conditions where the normal heat sink is not available.

In "auto" position, the valve is controlled by the ADS logic. Manual reset circuits are provided for the reactor vessel low water level initiating signals. By resetting these signals the delay timers are recycled. The operator can use the reset switches or the inhibit switches to delay or prevent automatic opening of the relief valves if such delay or prevention is prudent. Manual actuation on one ADS "Reset" button recycles the timer for one of the two trip systems. The second "Reset" button resets the second timer. Both timers must be reset to prevent automatic depressurizatio n.

The logic scheme used for initiating the ADS system is a single trip system containing two parallel trip system branches as shown in USAR Figure VII-4-10. Each trip system branch can initiate automatic depressurizatio ns when the logic in that branch is satisfied. Each trip system branch includes a timer that delays the opening of the relief valves.

This allows time for the operator to decide whether it is prudent to prevent or further postpone automatic depressurizatio n. The ADS trip system is DC powered.

Instrument specifications are listed in USAR Table VII-4-2. The wiring for the logic systems is routed in separate conduits to reduce the probability that a single event will prevent automatic opening of a relief valve. Pump discharge pressure switches are used to sense that the Core Spray and RHR pumps are running.

The reactor vessel low water level initiation setting (Level 1) for the ADS is selected to open the relief valves to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the Core Spray system and LPCI mode of the RHR system following a LOCA in which the other makeup systems (FW, RCIC, HPCI) fail to maintain vessel water level.

VII-4-11 08/14/00

USAR TABLE VII-4-2 AUTOMATIC DEPRESSURIZATION SYSTEM INSTRUMENT SPECIFICATIONS r 1271 (See Technical Specifications for Allowable Values)

System Function Instrument Type Range Reactor vessel low water Level switch 0-60 in. H20 level (Level 3)

  • Reactor vessel low water Level switch -150 to +60 in.

level (Level 1) H20

  • Automatic depressurization Timer 0-180 sec.

time delay Relief valve leakage Temperature switch -100 to +600°F Relief valve II open/ close II r 4 oJ Pressure switch 0-30 psig

  • Incident detection circuitry instrumentation.

VII-4-12 07/28/17

USAR 4.5.3.3 Automatic Depressurization System Initiating Instrumentation The level switches used to initiate the ADS are common to each relief valve control circuitry. Reactor vessel low water level (Level 1) is detected by four switches that measure differential pressure. The switches used for the initiating functions are the same ones used by the Core Spray system and LPCI mode of the RHR system.

Two timers are used in the control circuitry for each relief valve. The delay time setting for the ADS actuation allows HPCI sufficient time to start, and the Core Spray system and LPCI mode of the RHR system sufficient time to adequately provide a cooling medium to the fuel if HPCI fails to start. An alarm in the Main Control Room is annunciated every time either of the timers is timing. Resetting the ADS initiating trip

( reactor vessel low water level - Level 1) resets the timers. [BlJ

4. 5. 3. 4 Automatic Depressurization System Alarms Indication of relief valve open or closed position is provided by a pressure switch on each valve discharge pipe. Actuation of the relief valve pressurizes the discharge line, thus tripping the pressure switch. When the valve closes, the pressure in the line drops rapidly to zero, releasing the pressure switch to give a valve closed signal. The switch actuates an alarm in the Main Control Room and a readout on the plant process computer. [4 0J A thermocouple is installed on the relief valve discharge piping approximately one foot from the valve body. The thermocouple is connected to a recorder in the Main Control Room to provide a means of detecting relief valve leakage during station operation. When the external temperature in any relief valve discharge pipeline exceeds a preset value, an alarm is sounded in the Main Control Room. The alarm setting is selected sufficiently above normal rated power temperatures to avoid spurious alarms and reasonable enough to give early indication of relief valve leakage.

4.5.3.5 Automatic Depressurization System Environmental Considerations The signal cables, solenoid valves, and relief valve operators are the only i terns of the control and instrumentation equipment of the ADS that are located inside the primary containment and must remain functional in the environment resulting from a LOCA. These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of these items. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate.

4. 5. 4 Core Spray Systems Control and Instrumentation 4.5.4.1 Identification and Physical Arrangement The Core Spray system consists of two independent Core Spray divisions as illustrated in Burns and Roe Drawing 2045, Sheet 1. Either is capable of supplying sufficient cooling water to the reactor vessel to cool the core adequately following a design basis LOCA. The two di visions are physically and electrically separated so that no single physical event makes VII-4-13 03/09/07

USAR both di visions inoperabl e. Each di vision includes one AC motor driven pump, appropria te valves, and the piping to route water from the suppressi on pool to the reactor vessel. The controls and instrumen tation for the Core Spray system include the sensors, relays, wiring, and valve operating mechanism s used to start, operate, and test each division. Except for the check valve in each injection line, which is inside the primary containme nt, the sensors and valve closing mechanism s for both Core Spray di visions are located in the Reactor Building. Check valves are described in USAR Chapter VI, "Emergenc y Core Cooling Systems." Cables from the sensors are routed to the Main Control Room where the control circuitry is assembled in electrica l panels. Each Core Spray pump is powered from a different AC bus which is capable of receiving standby power. The power supply for automatic valves in each division is from the same source as that used for the Core Spray pump in that di vision.

Control power for each of the Core Spray divisions comes from separate DC buses. The electrica l equipment in the Main Control Room for one Core Spray di vision is located in a separate cabinet from that used for the electrica l equipment for the other division.

4. 5. 4. 2 Core Spray System Initiatin g Signals and Logic The control scheme for the Core Spray system is illustrate d in General Electric Drawing 7 2 9E4 02BB. Instrumen t specifica tions are given in USAR Table VII-4-3.

The overall operation of the Core Spray system following the receipt of an initiatin g signal is as follows (note - time delays are listed in USAR Table VIII-5-2)

1. Test bypass valves are closed and interlock ed to prevent opening.
2. If the offsite AC source is available , the Core Spray pumps in both divisions start after a sufficien t time delay.
3. If the off site AC source is not available , the Core Spray pump in both divisions starts after a set time duration after standby power becomes available to the pump.
4. When reactor vessel pressure drops to a preselect ed value, valves open in the pump discharge lines allowing water to be sprayed over the core.
5. When pump discharge flow is indicated , the pump low flow bypass valves shut (after a time delay) directing full flow into the reactor vessel.

Two initiatin g functions are used for the Core Spray system:

reactor vessel low water level (Level 1) and primary containme nt (drywell) high pres sure. Either initiatio n signal will start the system. [42 J Reactor vessel low water level (Level 1) indicates that the core is in danger of being overheate d due to the loss of coolant. Drywell high pressure indicates that a breach of the nuclear system process barrier has occurred inside the drywell. The reactor vessel low water level (Level 1) and primary containme nt high pressure settings and the instrumen ts that provide the initiatin g signals are selected and arranged so as to assure proper system operation without inducing spurious system startups.

VII-4-14 08/14/00

USAR The scheme used for initiating each Core Spray division contains decision making logic circuits. One Core Spray division logic circuit is shown in USAR Figure VII-4-10. The decision making logic can initiate Core Spray equipment in one Core Spray division. The logic circuits are powered by reliable independent DC buses.

4.5.4.3 Core Spray System Pump Control The control arrangements for the Core Spray pumps are shown in General Electric Drawing 729E402BB. Each pump can be manually controlled by a Main Control Room switch or the automatic control system. A pressure transmitter on the discharge pipeline from each Core Spray pump provides a signal in the Main Control Room to indicate the successful startup of a pump.

If a Core Spray initiation signal is received when the offsite AC source is not available, the Core Spray pumps start after a time delay when the bus is energized from the standby AC power source. The Core Spray pump motors are provided with overcurrent protection. Overcurrent relays are applied so as to maintain power as long as possible without immediate damage to the motors or critical switchgear.

Undervoltage trips, for the Core Spray pump motors, are provided with time delays sufficient to permit automatic transfer to an alternate source ( See USAR Section VI II-4. 6) without tripping the pump power supply breaker open.

Flow measuring instrumentation is provided in each of the Core Spray pump discharge lines. The instrumentation provides flow indication in the Main Control Room.

4. 5. 4. 4 Core Spray System Valve Control Except where specified otherwise, the remainder of the description of the Core Spray refers to one division. The second Core Spray division is similar. The control arrangements for the various automatic valves in the Core Spray system are indicated in General Electric Drawing 7 2 9E4 02BB. All MOVs are equipped with limit and torque switches to turn off the valve motor when the valve reaches the limits of movement. Each automatic valve can be operated from the Main Control Room.

Upon receipt of an initiation signal the test bypass valve is interlocked to close. The Core Spray pump discharge valves are automatically opened when nuclear system pressure drops to a preselected value; a sufficiently low setting is selected so that the low pressure portions of the Core Spray system do not overpressuri ze from the reactor, yet adequate to open the valves in time to provide cooling for the fuel. Four pressure switches are used to monitor nuclear system pressure, and are connected in a one-out-of-two-twice logic to provide an open permissive signal to the discharge valves at the preselected pressure. The full stroke operating time of the pump discharge valves is selected to be rapid enough to assure proper delivery of water to the reactor vessel in a design basis accident (OBA). A flow indicating switch on the discharge of each pump provides a signal to operate the minimum flow bypass line valve for each pump. When the flow reaches the minimum value to prevent pump overheating, the valves close (after a time delay), directing all flow into the reactor vessel.

VII-4-15 08/06/03

USAR TABLE VII-4-3 CORE SPRAY SYSTEM INSTRUMENT SPECIFICATIO NS [4 ll l 127 1 [ 129 1 (See Technical Specificatio ns for Allowable Values)

Core Spray Function Instrument Type Range

  • Reactor vessel low Level switch -150 to +60 in.

water level (Pump start H20 signal) (Level 1)

  • Primary containment Pressure switch 0.5-6 psig (drywell) high pressure (Pump start signal)

Core spray sparger high Differentia l -10 to +15 psid differentia l pressure pressure switch Pump suction pressure Pressure indicator 30 in. Hg - 30 psig Core spray flow Flow 0-6000 gpm Transmitter Pump discharge pressure Pressure indicator 0-500 psig Discharge header Pressure switch 25-240 psig pressure Reactor vessel low Pressure switch 100-500 psig pressure (Valve opening permissive)

  • Incident detection circuitry instrumenta tion.

VII-4-16 07/28/17

USAR Burns and Roe Drawing 2049, Sheet 3, shows the line filling equipment for the RHR and Core Spray Systems. The lines are normally kept full by the pressure maintenance subsystem of the condensate system. The Reactor Building Auxiliary Condensate Booster Pump is a backup source to the normal pressure maintenance system. A pressure switch on the pump discharge line starts the pump automatically on low pressure signal. Alarm indication of low condensate supply pressure for each Core Spray injection line is provided in the Main Control Room to indicate a possible loss of water fill in the lines. r 98 l The logic pressure switches which are part of the low pressure core cooling interlock are located between the ECCS pump and the first discharge valve. In this way, the pressure switches are independent of any downstream line pressure, and are only affected by the ECCS pump discharge head. r 43 l

4. 5. 4. 5 Core Spray System Alarms and Indications Core Spray system pressure between the two pump discharge valves is monitored by a pressure switch to permit detection of leakage from the nuclear system into the Core Spray system outside the primary containment. A detection system is also provided to continuously con£ irm the integrity of the Core Spray piping between the inside of the reactor vessel and the core shroud. A differential pressure switch measures pressure difference between the top of the core support plate and the inside of the Core Spray sparger pipe just outside the reactor vessel. If the Core Spray sparger piping is sound, this pressure difference will be the small drop across the core resulting from interchannel leakage. If integrity is lost, this pressure drop will also include the steam separator pressure drop. An increase in the normal pressure drop initiates an alarm in the Main Control Room. Pressure in each Core Spray pump suction and discharge is monitored by a pressure indicator which is locally mounted to permit determination of suction head and pump performance. An alarm annunciates in the Main Control Room indicating possible loss of fill water in the Core Spray fill system. r38 l Core Spray Header ~P instrumentation is checked daily and calibrated once every 3 months.
4. 5. 4. 6 Core Spray System Environmental Considerations There are no control and instrumentation components for the Core Spray system that are located inside the primary containment that must operate in the environment resulting from a LOCA. All components of the Core Spray system that are required for system operation are outside the drywell and are selected in consideration of the normal and accident environments in which they must operate.

4.5.4.7 Reference Leg Injection Reference leg injection, described in USAR Sections VI-4. 3 and VII-8. 5, is a manually actuated system. If the Core Spray pumps are not operating when injection is required, they are started by plant operations personnel and discharge into the suppression pool through the full flow test line. Only 0.5 gpm per loop will be flowing to the reference legs.

If the Core Spray pumps are operating when injection is required, injection is controlled under the direction of plant operations personnel.

VII-4-17 10/09/01

USAR Solenoid valve power is supplied by critical control panel CCPlA (Loop A),

and critical control panel CCPlB (Loop B).

Reference leg injection piping and valves are shown in Burns and Roe Drawing 2045, Sheet 1, and 2026, Sheet 1.

4.5.5 Low Pressure Coolant Injection Control and Instrumentation

4. 5. 5 .1 Identification and Physical Arrangement LPCI is an operating mode of the RHR system. Because the LPCI mode of operation is designed to provide cooling water to the reactor vessel following the design basis LOCA, the controls and instrumentation for it are discussed here. USAR Section IV-8, "Residual Heat Removal System",

describes RHR in detail.

Burns and Roe Drawing 2040, Sheets 1 and 2, show the RHR System including the equipment used for LPCI mode of operation. The following list of equipment itemizes essential components for which control or instrumentation is required to operate in the LPCI mode of operation:

Four RHR pumps Pump suction valves (from suppression pool)

LPCI-to-recircu lation loop injection valves Reactor Recirculation loop valves The instrumentation for LPCI mode of operation provides inputs to the control circuitry for other valves in RHR. This is necessary to ensure that the water pumped from the suppression pool by the pumps is routed directly to a Reactor Recirculation loop. These interlocking features are described in this section. The actions of the Reactor Recirculation loop valves are described in this section because these actions are accomplished to facilitate the LPCI mode of operation.

LPCI mode of operation uses two identical di visions, each division with two pumps in parallel. The two divisions are arranged to discharge water into different Reactor Recirculation loops. A cross connection exists between the pump discharge lines of each di vision. Burns and Roe Drawing 2040, Sheets 1 and 2, show the locations of instruments, control equipment, and LPCI components relative to the primary containment.

Except for the LPCI check valves and the Reactor Recirculation loop pumps and valves, the components pertinent to LPCI mode of operation are located outside the primary containment.

The power for the RHR pump motors is supplied from two Critical buses. Each bus receives backup power from its own emergency diesel generator. Two RHR pumps, denominated lA and lC, discharge into one injection loop and two other pumps, denominated lB and lD, discharge into a second injection loop. Motors for pumps lA and lB receive power from Di vision I Critical Bus and motors for pumps lC and lD receive power from Di vision I I Critical Bus.

Motor operators for the LPCI injection valve and Recirculation discharge valve in one di vision receive power from the Di vision I, 250 VDC bus and the corresponding motor operators in the second division receive power from the Division II, 250 VDC bus.r 45 l VII-4-18 08/14/00

USAR One AC Motor Control Center (MCC) provides control and motive power to remaining motor operators in the first division while a separate MCC provides power to the corresponding valve motor operators in the second division.

Control power for the LPCI divisional components comes from the corresponding divisional 125 VDC buses. Redundant trip systems are powered from different 125 voe buses.

LPCI is arranged for both automatic operation and remote-operator control from the Main Control Room. The equipment provided for remote operation of the system allows the operator to take action independent of the automatic controls in the event of a LOCA.

4.5.5.2 LPCI Initiating Signals and Logic The overall operating sequence for the LPCI mode of operation following the receipt of an actuation signal is as follows: [4 GJ

1. If the offsite AC power is available, one pump in each di vision starts with a short time delay and the second pump starts after a longer time delay, both taking suction from the suppression pool. The valves in the suction paths to the suppression pool are maintained open so that no automatic action is required to line up suction.
2. If the offsite source of AC power is not available, one pump in each di vision starts with a short time delay after the standby power source is operating. The second pump in each division starts after a longer time delay.
3. Upon detection of accident conditions and after reactor pressure decreases to an appropriate setting, both LPCI injection valves are signalled to open.
4. The Reactor Recirculation loop discharge valves are signalled to close when reactor pressure decreases to an appropriate setting following detection of accident conditions. Each LPCI division then delivers water to the reactor vessel via the associated Reactor Recirculation loops to restore water level and provide core cooling.

Burns and Roe Drawing 2040, Sheets 1 and 2, show the locations of sensors. General Electric Drawings 730El40BB, Sheets 1, 2, and 3, show the functional use of each sensor in the control circuitry for the various LPCI divisional components. Instrument characteristics are given in USAR Table VII-4-4.

Two automatic initiation functions are provided for the LPCI mode of operation: reactor vessel low water level (Level 1) and primary containment (drywell) high pressure. Reactor vessel low water level indicates that the fuel is in danger of being overheated because of an insufficient coolant inventory. Primary containment high pressure is indicative of a break of the nuclear system process barrier inside the drywell.

The instruments used to detect reactor vessel low water level and primary containment high pressure are the same ones used to initiate the other ECCS. Once an initiation signal is received by the LPCI control circuitry, the signal is latched until reset by operator action. The latching feature is shown in General Electric Drawing 7 30E14 0BB, Sheet 1. [4 BJ VII-4-19 08/14/00

USAR TABLE VII-4-4 LOW PRESSURE COOLANT INJECTION INSTRUMENT SPECIFICATIONS[ 4 ll [ 127 1 f 128 l [ 129 l [l3DJ (See Technical Specifications for Allowable Values)

LPCI Function Instrument Type Range

  • Reactor vessel low water Level switch -150 to +60 level (LPCI pump start in. H20 signal) (Level 1)
  • Primary containment Pressure switch 0.5-6 psig (drywell) high pressure (LPCI initiation)

Reactor vessel low water Level switch -260 - +40in.

level (inside shroud) H20 LPCI sequence delay Timer NA (pump B)

LPCI sequence delay Timer NA (pump C)

Reactor vessel low Pressure switch 100-500 psig pressure (valve opening permissive)

LPCI injection valve Timer NA initiation signal cancellation Containment spray valve Pressure switch 0.2-6 psig manual control interlock-high drywell pressure LPCI pump low flow Flow switch 0-3600 gpm Reactor vessel pressure Pressure switch 100-500 psig permissive

  • Incident detection circuitry instrumentation .

VII-4-20 07/28/17

USAR 4.5.5.3 LPCI Mode Pump Control The functional control arrangement for the pumps is shown in General Electric Drawing 730E140BB, Sheet 1. The reaction of the pumps to an initiation signal depends on the availability of power. If the offsite AC power source is not available, the two RHR pumps in each division automatically start in a timed sequence when the standby AC power source energizes the Critical Bus. [lOlJ If the offsi te AC power source is available, the two RHR pumps in each division automatically start in a timed sequence.

Pressure indicators installed in the pump discharge pipelines upstream of the pump discharge check valves, provide indication of proper pump operation following an initiation signal. A low pressure in a pump discharge pipeline indicates pump failure. The locations of the pressure indicators relative to the discharge check valves prevent the discharge pressure of an operating pump from concealing a pump failure.

To prevent RHR pump damage due to overheating at no flow, limit switches on suction valves provide indications that a suction lineup is in effect. If suction valves change from their fully open position, the limit switches trip the pump power supply breaker open.

The RHR pump motors are provided with overcurrent and undervoltage protection. The overcurrent relays are applied so as to maintain power on the motor as long as possible without harm to the motor or immediate damage to the AC power system. Undervol tage trips are provided with time delays sufficient to permit automatic transfer to an alternate source (See USAR Section VIII-4-6) without tripping the pump power supply breaker open.

4. 5. 5. 4 LPCI Valve Control The automatic valves controlled by the LPCI control circuitry are equipped with limit and torque switches which stop the valves operating mechanisms whenever the valves reach the limits of travel. Valve motors are protected by overload alarms. Seal-in and interlock features are provided to prevent improper valve positioning during automatic LPCI operation. The operating mechanisms for the valves are selected to meet times required by the LPCI operational objectives. The times required for the valves pertinent to LPCI operation to fully stroke are listed in USAR Table VI-5-4.

With the RHR system lined up with the LPCI mode of operation in a standby status, the RHR pump suction valves from the suppression pool are normally open. To prevent inadvertent closure, these valves are operated from the Main Control Room using a key-locked switch.

Upon receipt of a LPCI actuation signal, the LPCI injection valves open, the containment spray valves and containment cooling return

( also known as the system test line) valves automatically close if open.

Closure of the containment spray valves and containment cooling return valves assists the Main Control Room operator in maximizing injection into the reactor vessel from the LPCI mode of operation, if required to supplement the other ECCS in reflooding the core.

The LPCI mode of operation is designed to provide for sufficient cooling of the reactor core under various postulated LOCA conditions along with the Core Spray, ADS, and HPCI systems. These systems together provide the diversity and redundancy of cooling mechanisms such that the core geometry remains defined. General Electric LOCA analysis (SAFER/GESTR-LOCA) demonstrates conformance with the ECCS acceptance criteria of 10CFR50.46 VII-4-21 10/24/01

USAR Appendix K. A sufficient number of plant specific break sizes were evaluated to establish the behavior of both the nominal and Appendix K peak cladding temperatures as a function of break size, and single failure. See USAR Section VI-5 for details of LOCA Analysis.

Upon receipt of either a reactor low water level (Level 1) or a high drywell pressure signal, the LPCI logic starts all four RHR pumps. After reactor pressure decays to less than the injection permissive value, the injection valves in both loops open. The discharge valves of the Reactor Recirculation loops will begin closing upon receipt of a permissive signal from low reactor pressure sensors. The valves are capable of closing against a differential pressure of 200 psid. To assure the Reactor Recirculation system discharge valve is not required to close with a differential pressure greater than 200 psid, valve closures are delayed until reactor vessel pressure has decreased to less than 185 psig. [49 l Flow in the broken loop will not reach its expected value until the Reactor Recirculation discharge valve has fully closed. The RHR pumps go nearly to full runout flow, limited by piping and orifice resistance because each pair of pumps is delivering flow to its own bank of jet pump nozzles (see USAR Figure VII-4-9). The pump discharge lines have sufficient resistance to assure adequate NPSH exists for the pumps injecting into the reactor vessel or through the break.

A timer cancels the LPCI signals to the injection throttle valves after a time delay sufficient to permit satisfactory operation of the LPCI mode of operation. The cancellation of the signals allows the operator to divert the water for other post-accident purposes. Cancellation of the signals does not cause the injection valves to move.

The manual controls in the Main Control Room allow the operator to open a LPCI injection valve only if either the nuclear system pressure is low or the other injection valve in the same pipeline is closed. These restrictions prevent overpressurizat ion of the RHR piping. The same pressure switch used for the automatic opening of the valves is used in the manual circuit. Limit switches on both injection valves in each side provide valve position signals.

To protect the pumps from overheating at low flow rates a minimum flow bypass pipeline routes water from the pump discharge to the suppression pool for each pair of pumps. A single MOV controls the condition of each bypass pipeline. The minimum flow bypass valve is normally open and automatically closes upon sensing adequate flow (for pump protection) in the discharge lines from both pumps of the associated pump pair. The valve automatically opens whenever the flow from either of the associated RHR pumps is below the low flow setting. Flow indications are derived from flow switches. Burns and Roe Drawing 2040, Sheets 1 and 2, show the location of the flow switches. One switch is used for each pair of pumps. The reduced LPCI flow associated with a failed open minimum flow bypass valve has been evaluated. [l1SJ General Electric Drawing 729E727BB, Sheets 1, 2, and 3, show the control arrangement for the Reactor Recirculation loop valves.

After the LPCI mode of operation startup sequence is complete, flow commences in both loops. If a Reactor Recirculation loop has been damaged, flow in the damaged loop will not reach its expected value until the recirculation discharge valve has fully closed. [4 GJ The manual control VII-4-22 08/14/00

USAR circuitry for the Reactor Recirculation loop valves is interlocked to prevent valve opening whenever an LPCI initiation signal is present.

The valves that allow the di version of water for containment spray cooling are automatically closed upon receipt of a LPCI initiation signal. The manual controls for these valves are interlocked so that opening the valves by manual action is not possible unless both primary containment

( drywell) pressure is high, which indicates the need for containment spray cooling, and reactor vessel water level inside the core shroud is above the level equivalent to two-thirds the core height. Four switches are used to monitor drywell pressure for the set of valves in each di vision. The trip setting is selected to be as low as possible yet provide indication of abnormally high drywell pressure. The drywell pressure switches are arranged in a one-out-of-two- twice logic arrangement. A single level switch is used to monitor water level inside the core shroud for the set of valves in each division. A keylock switch in the Main Control Room allows an operator override of the 2/3 core height permissive contact for the containment cooling valves.

Sufficient temperature, flow, pressure, and valve position indications are available in the Main Control Room for the operator to accurately assess the LPCI mode of operation. Valves have indications of full open and full closed positions.

Pumps have indications for pump running and pump stopped. Alarm and indication devices are shown in Burns and Roe Drawing 2040, Sheets 1 and I, and General Electric Drawing 730E140BB, Sheet 3.

The RHR system is kept full automatically as described in USAR Section VII-4.5.4.4. An alarm annunciates in the Main Control Room indicating possible loss of fill water in the RHR fill system. [3 BJ

4. 5. 5. 5 LPCI Environmental Considerations The only control components pertinent to LPCI operation that are located inside the primary containment and that must remain functional in the environment resulting from a LOCA are the cables and valve closing mechanisms for the recirculation loop valves. The cables and valve operators are selected with environmental capabilities that assure valve closure under the environmental conditions resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of this equipment.

Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate.

4.6 Safety Evaluation In USAR Chapter XIV, "Station Safety Analysis" and USAR Chapter VI, "Emergency Core Cooling Systems", the individual and combined capabilities of the ECCS are evaluated. Relaxed values for the control equipment characteristics and trip settings described in this subsection were considered in the analysis of ECCS performance. For the entire range of nuclear process system break sizes the cooling systems are effective both in preventing fuel clad melting and in preventing more than a small fraction of the reactor core from reaching the temperature at which a gross release of fission products can occur. This conclusion is valid even with significant failures in individual cooling systems because of the overlapping capabilities of the ECCS. The controls and instrumentation for the ECCS VII-4-23 08/14/00

USAR satisfy the precision and timeliness requirement s of safety design basis 1 and 2.

Safety design basis 3 requires that instrumenta tion for the ECCS responds to the potential inadequacy of core cooling regardless of the location of a breach in the nuclear system process barrier. The reactor vessel low water level (LCPI and Core Spray - Level 1, and HPCI - Level 2) initiating function, which can actuate HPCI, the LPCI mode of operation, and Core Spray meets this safety design because a breach in the nuclear system process barrier inside or outside the primary containment is sensed by the low water level detectors. ADS provides additional means to reduce pressure and thereby temperature should a low water level condition remain for an excessive time interval.

Because of the isolation responses of the Primary Containment Isolation Control System to a breach of the nuclear system outside the primary containment , the use of the reactor vessel low water level signal as the only ECCS initiating function that is completely independent of breach location is satisfactory . The other major initiating function, primary containment high pressure, is provided because the primary containment and reactor vessel isolation control system may not be able to isolate all nuclear system breaches inside the primary containment . The primary containment high pressure initiating signal for the ECCS provides a second reliable method for sensing losses of coolant that cannot necessarily be stopped by isolation valve action. This second initiating function is independent of the physical location of the breach within the drywell. Thus, safety design basis 3 is satisfied.

An evaluation of ECCS controls show that no operator action beyond the reasonable capability of the operator is required to initiate the correct responses of the ECCS. The alarms and indications provided to the operator in the Main Control Room allow interpretati on of any situation requiring ECCS operations and verify the response of each system. Remote operator controls are illustrated on functional control diagrams. The Main Control Room operator can remotely initiate every essential operation of the ECCS. The degree to which safety is dependent on operator judgement and response has been appropriate ly limited by the design of ECCS control equipment and safety design bases 4a, 4b, and 4c are therefore satisfied.

The redundancy provided in the design of the control equipment for the ECCS is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the ECCS is similar to that provided by the dual trip system arrangement of the Reactor Protection System. No failure of a single initiating sensor can prevent the start of the cooling systems. The numbers of control components provided in the design for individual cooling system components is consistent with the need for the controlled equipment. An evaluation of the control schemes for each ECCS component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation the redundancy of components and ECCS was considered. The functional control diagrams provided with the description s of ECCS controls were used in assessing the functional effects of instrumenta tion failures. In the course of the evaluation, protection devices which can interrupt the planned operation of ECCS components were investigate d. The effects of their normal protective action as well as their malfunction on core cooling effectivene ss was evaluated. The only protection devices that can act to interrupt planned ECCS operation are those that must VII-4-24 08/14/00

USJ\R act to prevent complete failure of the component or system. Examples of sch devices are the HPCI turbi.ne overspeed trip, HPCI steam line break isolat on trip, pump trJps on low suction pressure, and automatically contra] ed minimum flow bypass valves for pumps. In every case the actJ.on of a protective device cannot prevent other redundant ECCS from providing adequate cooling to the core.

The locations of controls where operation of ECCS components can be adjusted or interrupted have been surveyed. Controls are located in areas under the surveillance of operations personnel. With the excepc.ion of the Alternate Shutdown Panels, local control switches are of the keylock type and Main Control Room override of local switches is provided. The isolation s1-vi tches on the l\l t.ernate SYmtdovm Panel are annunciated in the Main Control Room. Other controls are located in the Main Control Room and are under the supervision of Main Control Room personnel ..

The environmental capabilities of instrumentation and controls for the ECCS are discussed in the descriptions of the individual systems in this section. Components which are located inside the primary containment and which are required for ECCS performance are designed to operate in the environment resulting from a LOCA.

Special consideration has been given to the performance of reactor vessel water level and pressure sensors, temperature equalizing columns, and condensing chambers during rapid depressurization of the nuclear syst.em. The discussion of this consideration is included in USAR Sections VII-2. 4, 11 Safety Evaluation 11 and VII-1. 7, "Design Criteria,,., and is equally applicable to the instrumentation for the ECCS.

It is concluded from the previous paragraphs and the description of control equipment that safety design bases ~a through 5d are satisfied.

To assure the functional capabilities of the ECCS during and after earthquake loading, the controls and instrumentation for each of Lhe systems are designed as Class I design equipment as described in Appendix C.

This satisfies safety design basis 5e.

4.7 -~~~pection and Testing Components required for HPCI, the LPCl rnode of operation, and Core Spray are designed to allow functional testing during normal power operation. Overall testing of these systems is described in USAR Chapter VI, "Emergency Core Cooling Systems". Pumps and va1ves that meet the scope of the Inservice Testing Program are tested in accordance with the Inservice Testing Program requirements. During overall functional tests the operability of the valves, pumps, turbines, and their cont roJ instrumentation can be checked.

The ADS relief valves are exercised during startup after a refueling outage.

Logic circuitry used in the controls for the ECCS can be individually checked by applying test or calibration signals to the sensors and observing trip system responses. Valve and purnp operation from manual svvitches verifies the ability of breakers and valve closing mechanisms to operate. The automatic control circuitry for the ECCS is arranged to restore each of the cooling systems to normal operation if a LOCA occurs during a test operation. Certain testing requi.res electrically isolating valves which could prevent the auto return from the test mode to the operating mode. Due to the short duration of these tests, there is considered no effect on system reliability or degradation of plant safety. Although the logic of each ECCS VII-4 2~-S 04/11/2()

USAR re-aligns that system from the design flow functional test mode to the operating mode, the individual systems (HPCI, the LPCI mode of operation, and Core Spray) safety design functions are not fulfilled due to the time required for realignment. To meet the safety design basis functions, the system must be initially in an alignment where the system is capable of responding to and performing its mitigating function within analyzed limits.

No automatic actuation signals are utilized or required when operation or testing of RHR valves from the Alternate Shutdown Panel. (See USAR Section VII-18, Alternate Shutdown Capability.)

The testing capabilities of the ECCS discussed above satisfy design basis 6.

VII-4-26 12/29/03

USAR 5.0 NEUTRON MONITORING SYSTEM 5.1 Safety Objective The safety objective of the Neutron Monitoring System is to detect conditions in the core that threaten the overall integrity of the fuel barrier due to excessive power generation and provide signals to the reactor protection system, so that the release of radioactive material from the fuel barrier is limited.

5.2 Safety Design Basis The safety design basis for the Intermediate Range Monitor (IRM) and the Average Power Range Monitor (APRM) subsystems is described in USAR Sections VII-5.7.1 and VII-5.9.1. The Source Range Monitor (SRM), Local Power Range Monitor (LPRM), Traversing In-core Probe (TIP), and Rod Block Monitor (RBM) subsystems have no safety design basis.

5.3 Power Generation Objective The power generation objective of the Neutron Monitoring System is to provide information for the efficient, expedient operation and control of the reactor. Two specific power generation objectives of the Neutron Monitoring System are to detect conditions that could lead to local fuel damage and to provide signals that can be used to prevent such damage, so that station availability is not reduced.

5.4 Power Generation Design Basis The power generation design basis for all Neutron Monitoring System subsystems is provided in the following sections.

5.5 Identification The Neutron Monitoring System consists of six major subsystems as follows:

Source Range Monitor Subsystem (SRMS)

Intermediate Range Monitor Subsystem (IRMS)

Local Power Range Monitor Subsystem (LPRMS)

Average Power Range Monitor Subsystem (APRMS)

Rod Block Monitor Subsystem (RBMS)

Traversing In-Core Probe Subsystem (TIPS) 5.6 Source Range Monitor Subsystem This USAR section contains historical information, as indicated by italicized text. USAR Section I-3. 4 provides a more detailed discussion of historical information. The information presented in this section has* been preserved as it was originally submitted to the NRC in the CNS FSAR.

5.6.1 Power Generation Design Basis

1. Neutron sources and neutron detectors shall be provided which together result in a signal count-to-noise count ratio of no less than 2:1 and a count rate of no less than three counts per second with all control rods fully inserted prior to initial power operation. During subsequent operations, these requirements are met before the reactivity of the core exceeds the reactivity which existed with all control rods fully inserted prior to initial power operation.

VII-5-1 08/14/00

USAR The count rate of the SRMS may drop below three counts per second during spiral loading or offloading of the reactor core. When loading with all fresh fuel, lumped neutron sources and dunking chambers are to be used to meet the three cycles per second minimum count rate, however. rsoi

2. The SRMS shall be designed to indicate a measurable increase in output signal from at least one detecting channel before the reactor period is less than 20 seconds during the worst possible startup rod withdrawal conditions.
3. The SRMS shall be designed to indicate substantial increases in output signals with the maximum permitted number of SRM channels out of service during normal reactor startup operations.
4. The SRMS shall be designed so that SRM channels are on scale when the IRMS first indicates neutron flux during a reactor startup.
5. The SRMS shall provide a measure of the time rate of change of the neutron flux (reactor period) for operational convenience.
6. The SRMS shall be capable of generating a trip signal to block control rod withdrawal if the count rate exceeds a preset value or falls below a preset limit (if the IRM' s are not above the second range) or if certain electronic failures occur.

5.6.2 Description

5. 6. 2 .1 Identification The SRMS provides neutron flux information during reactor startup and low flux level operations. There are four SRM channels, each of which includes one detector that can be remotely positioned in the core from the control room. The detectors are inserted into the core for a reactor startup and may be withdrawn if the indicated count rate is between preset limits or if the IRMS are on the third range or above.

5.6.2.2 Power Supply The power for the monitors is supplied from the two separate 24 volt DC buses, two monitors on one bus and two monitors on the other (see USAR Section VIII-7, "24 Volt DC Power System").

5.6.2.3 Physical Arrangement Each detector assembly consists of a miniature fission chamber operated in the pulse counting mode and attached to a low-loss mineral insulated transmission cable. (See General Electric Drawing 730E923.) The sensitivity of the detector is 1.2 x 10- 3 cps/nv nominal, 5.0 x 10- 4 cps/nv minimum and 2.5 x 10- 3 cps/nv maximum. The detector cable is connected underneath the reactor vessel to a shielded coaxial cable. This shielded cable carries the pulses formed to a pulse current preamplifier located outside the primary containment. rsoi The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote controlled detector drive system can move the detector along the length of the dry tube allowing vertical positioning of the chamber at any point from 1-11/2 feet above the reactor (fuel) centerline to two feet below the reactor fuel region

( USAR Figure VI I-5-2a) . The detector can be stopped at any location between the limits of travel, but only the end points of travel are indicated. When a detector arrives at a travel end point, the detector motion is automatically VII-5-2 07/29/16

USAR stopped. A slip clutch is used to prevent overloads from damaging the flexible shaft portion of the drive system. SRM/IRM drive control logic is presented in General Electric Drawing 730E805BA, Sheet 6. The source range monitor trip and bypass are all located in one cabinet.

Source range signal conditioning equipment is designed so that it may be used for open-core experiments.

5. 6. 2. 4 Signal Conditioning A current pulse preamplifier provides amplification and impedance matching to allow signal transmission to the signal conditioning electronics (USAR Figure VII-5-3).

The signal conditioning equipment is designed to receive a series of input current pulses, convert the current pulse series to analog DC currents corresponding to the logarithm of the count rate (LCR), to derive the period, to display the outputs on front panel meters, and to provide outputs for remote meters and recorders. The LCR meter displays the rate of the occurrence of the input current pulses, and the period meter displays the time in seconds for the count rate to change by a factor of 2.72. In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits.

A high voltage power supply supplies a polarizing potential for the fission counter detectors. The potential is introduced to the detector through a filter network to minimize noise coupling.

The pulses from the pulse preamplifier are of various heights. In general, the pulses produced by neutrons are larger than pulses due to gamma and noise. To count only neutrons, the pulse height discriminator (PHD) is set to reject the small pulses and to accept only the large pulses, the threshold being adjustable. One output of the PHD has two stable states represented by full voltage and zero voltage. Each time an input pulse exceeds the threshold, the output of the PHD reverses state and holds that state until the next pulse causes another reversal. The PHD provides the pulse train input required by the log integrator. The PHD also has a scaler output which produces an output pulse for each input pulse crossing the threshold. The various signals are shown in the block diagram in USAR Figure VII-5-3 outlined by circles. At (A) the current pulses are shown as four different amplitudes to illustrate the output of the fission chamber. At (B) the absolute amplitudes are increased, but the relative amplitudes remain proportional. A dashed line representing the threshold level is indicated. At (C) there is an output pulse for every input pulse exceeding the threshold. This illustrates the action of the discriminator. This pulse is shaped to be compatible with the scaler input requirements. At (D) the PHD cuts off the second pulse because it did not attain the threshold level.

The log integrator is a network arranged to synthesize an output response which is a logarithmic function of the input counting rate. The log integrator has a time constant which varies with the counting rate. Thus, at low counting rates, the time constant is large to provide an adequate smoothing effect on the reading. At high counting rates, the time constant is small to provide for a faster overall response time.

The output of the log integrator is a current output requiring amplification. Operational Amplifier No. 1 is used to convert the current output from the log integrator to the standard signal used to drive the indicator recorders, trip circuits, and Operational Amplifier No. 2.

Operational Amplifier No. 2 is a differentiator with a resistor feedback and a VII-5-3 08/14/00

USAR capacitor input which drives the period indicator. The gain of the amplifier is scaled to produce a full scale period reading of +10 seconds.

Calibration features are included to enable the accuracy of all measuring circuits to be verified and the trip level of the trip circuits to be set and checked. A signal generator provides two discrete frequencies for use in verifying the calibration of the log integrator and provides an operational check on the PHD.

5.6.2.5 Trip Functions The trip outputs of the SRMS are all designed to operate in the fail safe mode; the loss of power to trip auxiliaries causes the associated trips to function. (See General Electric Drawing 729E223BB, Sheet 1.)

The SRMS provides SRM upscale, downscale, detector improper position, and inoperative signals to the reactor manual control system to block rod withdrawal under certain conditions. Any one SRM channel can initiate a rod block. The rod blocking functions are discussed in USAR Section VII-7, "Reactor Manual Control System". Appropriate lights and annunciators are actuated to indicate the existence of these same conditions (USAR Table VII-5-1). The trip actions are bypassed when reactor mode switch is in the "RUN" position. Any one of the four SRM channels can be bypassed by the operation of a switch on the operator's console. The switch contains a pushbutton lock mechanism to insure that the function cannot be bypassed accidentally. [SlJ ( See General Electric Drawing 7 30E805BA, Sheet 1.)

5.6.3 Power Generation Evaluation The locations and intensities of the antimony-beryllium neutron emitting sources and the locations and sensitivities of the source range monitor detectors are designed to provide a count rate of three counts per second when the reactor is first assembled. Sources are pre-irradiated at a suitable time prior to startup to allow for decay before appreciable flux becomes available in the core to sustain minimum count rate. Operation at power maintains the radioactivity of antimony (neutron, gamma interaction) to a level above the original design activation. The design activation is specified using experimental data provided by measurement of the neutron strengths of test sources, observation of design sources in operating reactors,!50] and calculational techniques. The arrangement of the sources and SRM detectors in the reactor is shown in USAR Figure VIl-5-5. This arrangement produces at least three counts per second in the SRMS using the sensitivity noted in USAR Section VIJ-5.6.2.3 and the design source strength at initial reactor startup.

The count rate in the SRMS would be below 3 cps during the unloading and reloading of the entire core when only a few fuel assemblies are present in the core. If the discriminator setting is adjusted to produce the specified sensitivity, the signal-to-noise count ratio is well above the 2:1 design basis for cold startup.

Design calculations show that if the multiplication of one section of the core is increased to the extent necessary to put that section of the reactor on a 20 second period, the nearest SRM chamber shows an increase in count rate; in general, at least one detector indicates the change in multiplication. These calculations use the design source intensity and neutron diffusion through the surrounding subcritical core.

Normal startup procedures require specific rod withdrawal patterns that ensure that the withdrawn control rods are distributed about the core so that the multiplication in no one section of the core exceeds the average by a large amount; hence, each SRM chamber can respond to some degree as the initial rod withdrawal is accomplished.

VII-5-4 08/14/00

USAR TABLE VII-5-1 SRM TRIPS Trip Function Trip Action SRM Upscale Annunciator , Panel 9-5 Red (High-High) Light, Local Red Light SRM Upscale Rod Block, Annunciator ,

(High) Panel 9-5 Amber Light, Local Amber Light SRM Inoperative Rod Block, Annunciator ,

Panel 9-5 Amber Light, Local White Light Detector Retract Not Permissive Rod Block Annunciator , Local (SRM downscale) White Light (bypass detector limit switch)

SRM Downscale Rod Block, Annunciator ,

Panel 9-5 White Light 1 Local White Light SRM Period Annunciator , Panel 9-5 Amber Light, Local Amber Light SRM Retract Permissive Display, Panel 9-5 Green Light SRM Bypassed Display, Panel 9-5 White Light, Local White Light VII-5-5 08/14/00

USAR Current design indicates that a scattered rod withdrawal of approximately 1/4 of all control rods required to reach criticality. During the initial startup withdrawal one of the four control rods adjacent to each SRM chamber and one control rod adjacent to each neutron source is withdrawn before the reactor is critical.

( The initial startup neutron sources have since been removed, see USAR Section III-3. 4. 11.) This procedure reduces source and detector shadowing and assures increases in the detector signals as the core average neutron multiplication increases.

Examination of the sensi ti vi ty of the SRM detectors (USAR Section VII-5.6.2.3 ) and their operating ranges of up to 10 6 cps indicates that the IRM is on scale before the SRM reaches full scale. ( See USAR Figure VII-5-23) Further overlap is provided by retraction of the SRM chambers to any position between full in and full out. SRM detector retraction is permitted without rod block only if the indicated SRM count rate remains above the rod block trip level (nominally 10 2 cps), or if the IRM has been ranged to the third or any less sensitive (higher) IRM range.

5.6.4 Inspection and Testing Each SRM channel is tested and calibrated using the surveillanc e procedures. Inspection and testing is performed as required on the SRM detector drive mechanism; the mechanism can be checked for full insertion and retraction capability. The various combination of SRM trips can be introduced to ensure the operability of the control rod blocking functions.

5.7 Intermediat e Range Monitor Subsystem 5.7.1 Safety Design Basis

1. The IRMS shall be capable of generating a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediat e power range.
2. The independenc e and redundancy incorporate d in the design of the IRMS shall be consistent with the safety design basis of the Reactor Protection System.

5.7.2 Power Generation Design Basis

1. The IRMS shall be capable of generating a trip signal to block rod withdrawal if the IRMS reading exceeds a preset value or if the IRMS is not operating properly.
2. The IRMS shall be designed so that overlapping neutron flux indications exist with the SRMS and Power Range Monitoring Subsystems.

5.7.3 Description 5.7.3.1 Identificat ion The IRMS monitors neutron flux from the upper portion of the SRM range to the lower portion of the Power Range Monitoring Subsystems. The IRM subsystem has 8 IRM channels, each of which includes one detector that can be physically positioned in the core by remote control. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is turned to "RUN".

5.7.3.2 Power Supply Power is supplied separately from two 24 volt DC sources (see USAR Section VIII-7, "24 Volt DC Power System"). The supplies are split VII-5-6 08/14/00

USAR according to their use so that loss of a power supply will result in loss of power to channels associated with only one trip system of the Reactor Protection System.

5.7.3.3 Physical Arrangement Each detector assembly consists of a miniature fission chamber attached to a low-loss, mineral-ins ulated transmission cable. When coupled to the signal conditionin g equipment the detector produces approximate ly a 30% reading on the most sensitive range with a neutron flux of 10 8 nv. The detector cable is connected underneath the reactor vessel to a shielded coaxial cable which carries the pulses generated in the fission chamber through the primary containment to the preamplifie r. The detector and cables are located in the drywell, are moveable in the same manner as the SRM detectors, and use the same type of mechanioal arrangement . [5 0J IRM drive control logic is presented in General Electric Drawing 730E805BA, Sheet 6.

5.7.3.4 Signal Conditionin g A voltage preamplifie r unit located outside the primary containment serves as a preamplifie r. This unit is designed to accept superimpose d current pulses from the fission chamber, remove the DC component, convert the current pulses to voltage pulses, amplify the voltage pulses, establish the bandpass characteris tics for the system, and provide a low impedance output suitable for driving a terminated cable. The gain of the low range of the preamplifie r is fixed but the gain of the high range is variable over a limited range to permit tracking between low and high ranges. A cable from the preamplifie r to the IRM signal conditionin g electronics (USAR Figure VII-5-6) couples the preamplifie r output signal.

The signal conditioning equipment for each IRM channel contains an input signal attenuator, additional stages of amplificatio n, an inverter, a mean square analog unit, a calibration and diode logic unit, a range switch, power supplies, trip circuits, and integral test and calibration circuits.

Each IRM channel receives its input signal from the preamplifie r and operates upon it with various combination s of preamplific ation gain and amplifier attenuation ratios. The amplificatio n and attenuation ratios of the IRM and preamplifie r are selected by a remote range switch which. provides nine ranges of increasing attenuation (the first six called low range and the last three called high range) acting upon the signal from the fission chamber. [52 l As the neutron flux of the reactor core increases from 1 x 10 8 nv to 1. 5 x 10 13 nv, the signal from the fission chamber becomes larger. The signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range. The output current is proportiona l to the power contained in the pulses received from the fission chamber. This output signal, which is proportiona l to neutron flux at the detector, is amplified and supplied to a locally mounted meter and an indicator/re corder on the main control board. The meter and indicator /recorder have two linear scales on a single face. The appropriate range being used is indicated by the range switch position. There is in the amplifier a potentiomet er with a gain effect of 1 to 1. 8 5, which provides an adjustment greater than one range position (approximat ely a factor of 3 in flux) in the output signal. The calibration and diode logic unit includes a circuit to develop a triangular wave shape of adjustable amplitude to provide a means of full scale calibration of the power meter. Calibration settings of 40% and 125% on a 125% scale are possible.

The high voltage supply associated with IRM supplies the polarizing potential for the fission chamber detector through a filter network to minimize noise coupling.

VII-5-7 08/14/00

USAR 5.7.3.5 Trip Functions The IRMS is divided into two groups of IRM channels arranged in the core as shown in USAR Figure VII-5-7. IRM channels A, C, E, and G are associated with Trip System A of the Reactor Protection System.

IRM channels B, D, F, and Hare associated with Trip System B of the Reactor Protection System. See General Electric Drawing 729E223BB, Sheet 1.

Two IRM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining channels are installed in a separate bay of the cabinet. Full length side covers on the cabinet bays isolate the two bays. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring capability. The switch contains a pushbutton lock mechanism to insure that the function cannot be bypassed accidentally. [SlJ See General Electric Drawing 730E805BA, Sheet 1.

Each IRM channel includes four trip circuits. One trip circuit is used as an instrument trouble trip. It operates whenever the high voltage drops below a preset level, whenever either positive or negative supply voltage is lost, whenever one of the modules is not plugged in, or whenever the "Operate-Calib rate" switch is not in the "Operate" position. Each of the other trip circuits can be chosen to operate whenever preset downscale or upscale levels are reached. A simplified circuit arrangement of the IRM trips is shown in USAR Figure VII-5-24.

The trip functions actuated by the IRM trips are indicated in USAR Table VII-5-2. The reactor mode switch determines whether IRM trips are effective in initiating a rod block and a reactor scram. USAR Section VII-7, "Reactor Manual Control System", describes the IRM rod block trips.

5. 7. 4 Safety Evaluation The safety evaluation in USAR Section VII-2, "Reactor Protection System" evaluates the arrangement of redundant input signals to the Reactor Protection System. The Neutron Monitoring System trip input to the Reactor Protection System and the trip channels used in actuating a Neutron Monitoring System trip are of equivalent independence and redundancy to other Reactor Protection System inputs.

The number and locations of the IRM detectors have been analytically and experimentally determined to provide sufficient intermediate range flux level information under the worst permitted bypass or detector failure conditions. For verification of this, a range of rod withdrawal accidents has been analyzed. The most severe case assumes that the reactor is just subcritical with one fourth of the control rods plus one more rod removed in the normal operating sequence. This configuration is illustrated in USAR Figure VII-5-8. The error or malfunction is the removal of the control rod adjacent to the last rod withdrawal. The location of this rod has been chosen to maximize the distance to the second nearest IRM detector assigned to each Reactor Protection System trip system. It is assumed that the nearest detector in each Reactor Protection System trip system is bypassed. A scram signal is initiated when one IRM detector in each Reactor Protection System trip system reaches its scram trip level. The neutron flux versus distance resulting from this withdrawal is shown in USAR Figure VII-5-9. 1 Note that the second nearest detector in trip System B is farther away than the second nearest detector in trip System A. The ratio of the neutron flux at this point to the peak flux is 1/4100. This detector reaches 120/125 full scale at a local flux approximately 3.3 x 10 8 nv. The Technical Specifications allowable value for the IRM neutron flux high scram is 121/125 divisions of full scale.

At 120/125 full scale the peak flux in the core is 1.35 x 10 12 nv or

2. 7 % rated average flux. For the scram point to be valid the IRM must be on VII-5-8 08/14/00

USAR the correct range. To assure that each IRM is on the correct range a rod block trip is initiated any time the IRM is both downscale and not on the most sensitive (lowest) scale. A rod block is initiated if the IRM detectors are not fully inserted in the core and the reactor mode switch is not in the RUN position. The IRM scram trips are automatically bypassed when the reactor mode switch is in the RUN position and the ARPM's are on scale. The IRM rod block trips are automatically bypassed when the reactor mode switch is in the RUN position.

The IRM detectors and electronics have been tested under operating conditions and verified to have the operational characteristics given in the description and as such provide the level of precision and reliability required by the Reactor Protection System safety design basis.

5.7.5 Power Generation Evaluation The Intermediate Range Monitor Subsystem is the primary source of information on the approach of the reactor to the power range. Its linear, approximate half decade steps with the rod blocking features on both high flux level and low flux levels require that the operator keep all the IRM's on the correct range to increase core reactivity by rod motion. The SRM overlaps the IRM as shown in USAR Figure VII-5-23. The sensitivity of the IRM is such that the IRMS is on scale on the least sensitive (highest) range with the reactor power above 15%.

5. 7. 6 Inspection and Testing Each IRM channel is tested and calibrated using the surveillance procedures. The IRM detector drive mechanisms and the IRM rod blocking functions are checked in the same manner as for the SRM channels. Each of the various IRM channels can be checked to ensure that the IRM high flux scram function is operable.

5.8 Local Power Range Monitor Subsystem 5.8.1 Power Generation Design Basis

1. The LPRMS shall provide signals proportional to the local neutron flux at various locations within the reactor core to the Average Power Range Monitor Subsystem (APRMS), so that accurate measurements of average reactor power can be made.
2. The LPRMS shall supply signals to the Rod Block Monitor Subsystem, so that measurement of changes in local relative neutron flux can be made during the movement of control rods.
3. The LPRMS shall be capable of alarming under conditions of high or low local neutron flux indication.
4. The LPRMS shall supply signals proportional to the local neutron flux to the process computer to be used in power distribution calculations, local heat flux calculations, and minimum critical power ratio (MCPR) calculations.
5. The LPRMS shall supply signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of the power distribution, local heat flux, and minimum critical power ratio (MCPR).

VII-5-9 06/11/13

USAR TABLE VII-5-2 IRM TRIPS Trip Function Trip Action IRM Upscale (High-High) or Scram, Annunciator , Red Inoperative Light IRM Upscale (High) Rod block, Annunciator ,

Amber Light IRM Downscale Rod block (exception on most sensitive scale),

Annunciator , White Light IRM Bypassed White Light VII-5-10 08/14/00

USAR 5.8.2 Description 5.8.2.1 Identification The LPRMS consists of the fission chamber detectors, the signal conditioning equipment, and trip functions. The LPRM signals are also used in the APRMS, RBMS, and Process Computer (see General Electric Drawing 729E223BB, Sheet 2) 5.8.2.2 Power Supply Power for the LPRMS is supplied by the two 120 V AC reactor protection system buses; approximately one half of the LPRM' s are supplied from each bus (see USAR Section VIII-8, "120/240 Volt Vital AC Power Systems") . Associated with each LPR amplifier is a separate power supply in the control room which furnishes the detector polarizing potential.

This power supply is adjustable from 50 to 200 V DC with a maximum current output of three milliamps, which ensures that the chambers can be operated in the saturated region at the maximum specified neutron fluxes. For maximum variation in the input voltage or line frequency, and over extended ranges of temperature and humidity the output voltage varies no more than two volts. Each "page" of amplifiers is supplied an operating voltage from a separate low voltage power supply.

5.8.2.3 Physical Arrangement The LPRMS includes LPRM detectors located throughout the core at different axial heights. USAR Figure VII-5-11 illustrates the LPRM detector radial layout scheme which provides a power range detector assembly at every fourth intersection of the narrower of the water channels around the fuel bundles (narrow-narrow water gap). Thus, every narrow-narrow water gap has either an actual detector assembly or a symmetrically equivalent assembly in some other quadrant.

The 31 power range detector assemblies, each containing four LPRM detectors, are distributed to monitor four horizontal planes throughout the core. The detector assemblies ( see General Electric Drawing 7 2 9E98 9) are inserted into the core in spaces between the fuel assemblies through thimbles which are mounted permanently at the bottom of the core lattice and which penetrate the bottom of the reactor vessel. These thimbles are welded to the reactor vessel at the penetration point. They extend down into the access area below the reactor vessel where they terminate in a flange which mates to the mounting flange on the power range detector assembly.

The detector assemblies are locked at the top end to the top fuel guide by means of a spring-loaded plunger. This type of assembly is referred to as top entry-bottom connect, since the assembly is inserted through the top of the core and penetrates the bottom of the reactor vessel. Special water sealing caps are placed over the connection end of the assembly and over the penetration at the bottom of the vessel during installation or removal of an assembly. This prevents the loss of reactor c~olant water upon removal of an assembly and also prevents the connection end of the assembly from being immersed in the water during installation or removal.

The local power range detector assembly contains four miniature fission chambers with an associated solid sheath cable. Each fission chamber produces a current which when coupled with the LPRM signal conditioning equipment provides the desired scale deflection throughout the design lifetime of the chamber. Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit. Each assembly also contains a calibration tube for a Traversing In-Core Probe (TIP). The enclosing tube around the entire assembly VII-5-11 12/21/04

USAR contains holes evenly spaced along its length. These holes allow circulation of the reactor coolant water to cool the fission chambers. Numerous tests have been performed on the chamber assemblies including tests of linearity, lifetime, gamma sensi ti vi ty, and cable effects. [soi These tests and experience in operating reactors provide confidence in the ability of the LPRM subsystem to monitor neutron flux to the design accuracy throughout the design lifetime.

The four miniature fission chambers used on each assembly are designed to operate up to a temperature of 599°F and a pressure of 1250 psig.

The LPRM chambers are vertically spaced in the power range detector assemblies in such a manner as to give adequate axial coverage of the core, complementi ng the radial coverage given by the horizontal arrangement of the LPRM detector assemblies. Each miniature chamber consists of two concentric cylinders, which act as electrodes. The inner cylinder, the collector, is mounted on insulators and is separated from the outer cylinder by a small air gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium coated outer electrode. The chamber has at the beginning of operation a sensitivity of approximate ly 2.25 x 10- 17 A/nv and is operated at a polarizing potential of approximate ly 100 V. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage.

5. 8. 2. 4 Signal Conditionin g The current signals from the LPRM detectors are transmitted to the LPRM amplifiers in the control room. Each amplifier is a modular plug-in element which is mounted in a hinged vertical assembly designated a "page".

The current signal from a chamber is transmitted directly to its amplifier through coaxial cable. The amplifier is a linear current amplifier whose voltage output is proportiona l to the current input and therefore is proportiona l to the magnitude of the neutron flux. The output of the amplifier ranges from Oto 10 VDC for Oto 125% indication. Additional low level output signals are provided which are suitable as an input to the computer, recorders, etc. The outputs of each LPRM amplifier are isolated to prevent interferenc e of the signal by inadvertent grounding or application of a stray voltage at the signal terminal point.

The LPRM amplifier signals can be read by the operator on the reactor console. When a central control rod is selected for movement, the output signals from the amplifiers associated with the nearest sixteen LPRM detectors are displayed on console meters. The four LPRM detector signals from each of the four LPRM assemblies are displayed on a stacked set of 16 meters. The operator can readily obtain the readings of all the LPRM amplifiers by selecting the control rods in the proper order.

USAR Section VII-7, "Reactor Manual Control System" describes in greater detail the indications on the reactor console.

5.8.2.5 Trip Functions The trip circuits for the LPRMS provide trip signals to activate lights, instrument inoperative signals, and annunciator s. These trip circuits use the DC power supply and are set to trip on loss of power; they also trip when power is not available for the LPRM amplifiers. USAR Table VII-5-3 indicates the trips.

The trip levels can be adjusted to within +/- 0. 5% of full scale deflection and are accurate to +/- 1% of full scale deflection in the normal operating environment .

VII-5-12 08/14/00

USAR TABLE VII-5-3 LPRM TRIPS Trip Function Trip Action LPRM Downscale White Light and Annunciator LPRM Upscale Amber Light and Annunciator LPRM Bypass White Light, Annunciator, and APRM averaging compensation VII-5-13 08/14/00

USAR 5.8.3 Power Generation Evaluation The Local Power Range Monitor Subsystem, as calibrated by the Traversing In-Core Probe Subsystem, provides detailed information about the neutron flux throughout the reactor core. The total of thirty-one LPRM assemblies and their distribution is determined by extensive calculational and experimental procedures. The di vision of the LPRMS into various groups for DC power supply allows operation with one DC power supply failed or being serviced without limiting reactor operation. Individual failed chambers can be bypassed, and neutron flux information for a failed chamber location can be interpolated from nearby chambers. A substitute reading for a failed chamber can be derived from an octant-symmetric chamber, or an actual flux indication can be obtained by insertion of a TIP to the failed chamber position. If a TIP cannot be run in the failed chamber location or the octant-symmetric location, the predicted value for the chamber reading can be used.

The LPRM outputs provide for the functions required in the LPRM power generation design basis. Each output is electrically isolated so that an event ( grounding the signal or applying a stray voltage) on the reception end does not destroy the validity of the LPRM signal. Tests and experience [SOJ attest to the ability of the detector to respond proportionally to the local neutron flux changes.

5.8.4 Inspection and Testing LPRM channels are calibrated using data from previous full power runs and TIP data and are tested by procedures in the applicable instruction manual.

5.9 Average Power Range Monitor Subsystem 5.9.1 Safety Design Basis

1. The design of the APRMS shall be such that for the worst permitted input LPRM bypass conditions, the APRMS shall be capable of generating a scram trip signal in response to average neutron flux increases resulting from abnormal operational transients in time to prevent fuel damage.
2. The design of the APRMS shall be consistent with the requirements of the safety design basis of the Reactor Protection System.

5.9.2 Power Generation Design Basis

1. The APRMS shall provide a continuous indication of average reactor power from a few percent to 125% of rated reactor power.
2. The APRMS shall be capable of providing trip signals for blocking rod withdrawal when the average reactor power exceeds pre-established limits set to prevent scram actuation.
3. The APRMS shall provide a reference power level for use in the Rod Block Monitor Subsystem.

5.9.3 Description 5.9.3.1 Identification The APRMS has six APRM channels each of which uses input signals from a number of LPRM channels. Three APRM channels are associated with each of the trip systems of the Reactor Protection System.

VII-5-14 05/05/06

USAR 5.9.3.2 Power Supply The APRM channels receive power from the 120 volt AC supplies used for the Reactor Protection System power (see USAR Section VIII-8, "120/240 Volt Vital AC Power Systems").

Power for each APRM trip unit is supplied from the same power supply as the APRM which it services.

5.9.3.3 Signal Conditionin g The APRMS uses electronic equipment which averages the output signals from a selected set of LPRM' s, trip uni ts which actuate automatic devices, and signal readout equipment. Each APRM channel can average the output signals from up to twenty-four LPRM's. Assignment of LPRM's to an APRM is made using the pattern illustrated in USAR Figure VII-5-13a. The letters at the detector locations in USAR Figure VII-5-13a refer to the axial positions of the detectors in the LPRM detector assembly. Position A is the bottom position, position Band Care above position A, and position Dis the topmost LPRM detector position. APRM channels A, C, and E are powered from the same AC bus used for trip system A of the Reactor Protection System; APRM channels B, D, and Fare powered from the AC bus used for trip system B.

The 120 volt AC bus used for a given APRM channel is the same as that used for the LPRM's providing inputs to that APRM. The pattern in USAR Figure VII-5-13a is for the APRM' s associated with trip system A of the Reactor Protection System. Assignments of LPRM's to APRM's associated with trip system B of the Reactor Protection System are given in USAR Figure VII-5-13b. APRM channels A, C, and E average the output signals from 17 LPRM' s. Channels B, D, and F average the output from 14 LPRM's.

The APRM amplifier gain can be adjusted to allow calibration to power as determined by a heat balance. The averaging circuit automatical ly corrects for the number of unbypassed LPRM amplifiers providing inputs to the APRM.

Each APRM channel receives a flow signal representat ive of total core flow. This flow signal is used with the three APRM's in one trip system.

Each signal is provided by summing the flow signals from the two recirculatio n loops. These redundant flow signals are sensed from two flow elements, one in each recirculatio n loop. Each flow element has one set of taps. The differentia l pressure from these taps is routed separately to four differentia l pressure transducers . The transducers and other signal conditionin g equipment are separated in a way which provides two independent flow signals. No single failure can cause more than one of these two redundant signals to read incorrectly . [53 J

5. 9. 3. 4 Trip Function The trip units for the APRM's supply trip signals to the Reactor Protection System and the Reactor Manual Control System. USAR Table VII-5-4 itemizes the APRM trip functions. Any one APRM can initiate a rod block, depending upon the position of the reactor mode switch. USAR Section VII-7, "Reactor Manual Control System" describes in detail the APRM rod block functions. The APRM upscale rod block trip setpoint is varied as a function of reactor recirculatio n flow. The slope of the upscale rod block trip response curve with recirculatio n flow is adjustable to allow tracking of the required trip setpoint with recirculatio n flow changes. This provides an effective rod block if core average power is increased above the power versus flow specificatio n at any flow rate. An APRM upscale or inoperative trip actuates one trip system in the Reactor Protection System. Since only the trip system associated with that APRM is affected, at least one APRM channel in each trip VII-5-15 08/14/00

USAR system of the Reactor Protection System must be actuated to cause a scram.

(See General Electric Drawing 730E805BA, Sheet 1.)

Because each trip is actuated by removing voltage to a relay coil, loss of power results in actuating the trips. The trips from one APRM in each trip system of the Reactor Protection System can be bypassed by operator action in the main control room. The bypass switch contains a pushbutton lock mechanism to insure that the function cannot be bypassed accidentally. [Sll A simplified APRM circuit arrangement is shown in USAR Figure VII-5-25.

Thermal-hydrau lic instability analysis and methodology is discussed in USAR Section III-10. [l 3 si [l 39 J 5.9.4 Safety Evaluation Each APRM derives its signal from information obtained from the LPRMS. The assignment, power separation, cabinet separation, and LPRM signal isolation are in accord with the safety design basis of Reactor Protection System. There are six APRM channels, three for each Reactor Protection System trip system, to allow one bypass and one undetected failure in each trip system and still satisfy the Reactor Protection System safety design basis.

USAR Figure VII-5-14 illustrates the ability of the APRMS to track core power versus coolant flow starting at 100% power and 100% flow to below the 65% flow point. USAR Figure VII-5-15 illustrates the ability of the APRM to respond to control rod motion. The conditions for this are selected from the most restrictive case. The figure illustrates a full withdrawal of a control rod from limiting conditions at rated power. Normal control rod manipulation results in good agreement (less than 5% deviation on the worst APRM) through a wide range of power levels.

The adequacy of the APRM scram setpoint is demonstrated to be adequate in preventing fuel damage as a result of abnormal operational transients by the analyses in USAR Chapter XIV, "Station Safety Analysis."

5.9.5 Power Generation Evaluation The APRMS provides the operator with six continuous recordings of the average reactor power. The rod blocking function prevents operation above the region defined by the design power response to recirculation flow control.

The flow signal used to vary the rod block level is supplied from the recirculation system flow instrumentation . Two flow comparators monitor the two flow signals and initiate a rod block if the two flow signals are not in agreement within predetermined limits. Because any one of the APRM' s can initiate a rod block, this function has a high level of redundancy and satisfies the power generation design basis. One APRM channel in each Reactor Protection System trip system may be bypassed. In addition a minimum of 11 LPRM inputs is required for each APRM channel to be operative. If the number is less than this, an automatic APRM inoperative trip is generated. An APRM channel is considered administrativel y inoperable if there are less than two LPRM inputs per level.

5.9.6 Inspection and Testing APRM channels are calibrated using data from previous full power runs and are tested by surveillance procedures. Each APRM channel can be individually tested for the operability of the APRM scram and rod blocking functions by introducing test signals.

VII-5-16 08/14/00

USAR TABLE VII-5-4 APRM TRIPS (See Technical Specificatio ns for Selected Set Points)

Trip Function Action APRM Downscale Rod Block, Annunciator ,

Panel 9-5 White Light, Local White Light, IRM scram interlock APRM Upscale Rod Block, Annunciator ,

(High) Panel 9-5 Amber Light, Local Amber Light APRM Upscale Scram, Annunciator ,

(High-High) Panel 9-5 Red Light, Local Red Light APRM Inoperative Scram, Annunciator ,

Panel 9-5 Red Light, Local White Light APRM Bypass Panel 9-5 White Light, Local White Light VII-5-1 7 08/14/00

USAR 5.10 Rod Block Monitor Subsystem 5.10.1 Power Generation Design Basis

1. The RBMS shall be designed to assist the operator in preventing local fuel damage as a result of a single rod withdrawal error under the worst permitted condition of RBM bypass.
2. The RBMS shall provide a signal to permit operator evaluation of the change in the local relative power level during control rod movement.

5.10.2 Description 5.10.2.1 Identificati on The RBMS has two RBM channels each of which uses input signals from a number of LPRM channels. A trip signal from either RBM channel can initiate a rod block. One RBM channel may be bypassed without loss of subsystem function. The minimum number of LPRM inputs required to each RBM channel to prevent an instrument inoperative alarm is four when using eight LPRM assemblies, three when using six LPRM assemblies, and two when using four LPRM assemblies. The assignment of LPRM assemblies to RBM' s is shown in USAR Figure VII-5-16.

5.10.2.2 Power Supply The RBMS power is received from the 120 volt AC supplies used for the Reactor Protection System (see USAR Section VIII-8, "120/240 Volt Vital AC Power Systems").

5.10.2.3 Signal Conditionin g The RBM signal is generated by averaging a set of LPRM signals.

Upon selection of a certain rod for withdrawal or insertion, the conditioned LPRM signals around that rod will be automatical ly fed into the two RBM channels. Each channel averages two B-position, two D-position and same four C-position LPRM inputs. The RBM Channel A is powered by the RPS power bus "A" and the RBM Channel B is powered by the RPS power bus "B".

A-position LPRM inputs are not included in the RBM averaging but will remain in the display and LPRM alarm logic. Assignment of power range detector assemblies to be used in RBM averaging is controlled by the selection of control rods. Note that the RBM is automatical ly bypassed and the output set to zero if a peripheral control rod is selected since the RBM function is not required. If any LPRM detector assigned to a RBM is bypassed, the computed average signal is adjusted automatical ly to compensate for the number of LPRM input signals to average.

Upon selection of a certain rod, the signal conditioner gain is automatical ly adjusted so that the output level of the signal conditioner always corresponds to a constant level. This gain set will be held constant during the movement of that rod thus providing an indication of the change in the relative, local power level. Whenever the reactor power level is below the lowest RBM operating range which is around 27 percent power, the RBM is zeroed and RBM outputs are bypassed.

5.10.2.4 Trip Function Each RBM will be furnished with a reference APRM signal. This reference signal will be used to automatical ly select the correspondin g RBM upscale trip. These are three RBM upscale trip settings, each of which VII-5-18 08/14/00

USAR corresponds to a certain RBM operating power range. One of the APRM channels from each RPS bus will supply this reference APRM signal for the RBM channel on the same bus. In the event of an APRM channel bypass, another APRM channel on the same RPS bus will be automatical ly substituted . An APRM filter (a time delay) is also implemented on the input to the reference APRM trip logic to eliminate the impact of APRM signal noise. One of the two RBM' s can be bypassed at any time by operator action. The bypass switch contains pushbutton lock mechanism to insure that the function cannot be bypassed accidentall y. [SlJ Either RBM can inhibit control rod withdrawal. (See General Electric Drawing 730E805BA, Sheet 1.)

5.10.3 Power Generation Evaluation Motion of a control rod causes the LPRM's adjacent to the control rod to respond strongly to the change in power in the region of the rod in motion. However, potential rod withdrawal error analyses [l0 2 J have been made to assure that the RBM will adequately protect the fuel, and to maintain adequate margin in the operating MCPR.

The highest rod block setpoint is selected such that the CPR safety limit is not exceeded for a rod withdrawal error. This rod error is identified in Reference 131, and for reactor cycle 14, the rod block point corresponds to a rod movement of 4.5 feet. This value assumes the LPRM's in the adjacent and nearest power range detector assemblies have failed.

5.10.4 Inspection and Testing The rod block monitor channels are tested and calibrated by surveillanc e procedures. The RBM's are functionally tested by introducing test signals into the RBM channels.

5 .11 Traversing In-Core Probe Subsystem 5.11.1 Power Generation Design Basis

1. The TIPS shall be capable of providing a signal proportiona l to the axial gamma flux distribution at selected small axial intervals over the regions of the core where power range detector assemblies are located.

This signal shall be of high precision to allow reliable calibration of LPRM gains.

2. The TIPS shall provide accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial gamma flux distributio n.

5.11.2 Description 5.11.2.1 Identificat ion The TIPS includes four traversing in-core probe (TIP) channels each of which has the following components:

1 traversing in-core probe (TIP) 1 drive mechanism 1 indexing mechanism Up to 10 in-core guide tubes 1 chamber shield The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided VII-5-19 08/14/00

USAR into groups. Each group has its own associated TIP channel. The assignment of LPRM strings to the four TIP channel is shown in USAR Figure VII-5-18.

5.11.2.2 Physical Arrangement A TIP drive mechanism uses an ionization chamber attached to a flexible drive cable, which is driven from outside the primary containment by a gear box assembly. The flexible cable is contained by guide tubes that continue into the reactor core. The guide tubes are a part of the power range detector assembly and are specially prepared to provide a durable ow friction surface. The indexing mechanism allows the use of a single detector in any one of ten different tube paths. The tenth tube is used for TIP cross calibration with the other TIP channels. The control system provides both manual and semi-automatic operation. The TIP signal is amplified and displayed on a meter. A block diagram of the drive system is shown in USAR Figure VII-5-19.

The heart of each TIP channel is the TIP probe consisting of a detector and the associated signal drive cable. The detector is an uncoated ionization chamber (less than 1. 8 x 10- 8 grams of Uranium-235 contamination),

0.211 inches in diameter (+0.000 - 0.002) and 1.0 inch in active length. The body of the chamber is made of a stainless steel cathode with a 42 al anode and argon fill gas. Sensitivity of the chamber is approximately 3 x 10- 14 amps/R/Hr. The chamber can operate in a neutron flux level of greater than 10 14 nv and gamma flux level of greater than 10 9 R/Hr. The saturation voltage is approximately 50 vdc.

The signal current from the detector is transmitted from the TIP to amplifiers and readout equipment by means of a triaxial signal cable, which is an integral part of the mechanical drive cable. The outer sheath of the drive cable is constructed of carbon steel in a helix array. The cable drive mechanism engages this helix to effect movement in and out of the guide tubes.

The inner surface of the guide tubing between the reactor vessel and the drive mechanism is coated with a ceramic bonded lubricant to reduce friction. Within the reactor vessel the guide tubing inner surface is nitrided.

The cable drive mechanism contains the drive motor, the cable take-up reel, and a mechanical counter to provide digital pulses to the control unit for positioning the TIP at specific locations along the guide tube.

The drive mechanism inserts and withdraws the TIP and its cable from the reactor and provides detector position indication signals. The drive mechanism consists of a motor and drive gear box which drives the cable in the manner of a rack and pinion. A two-speed motor is used providing a high speed for insertion and withdrawal (60 feet per minute) and a low speed for scanning the reactor core (15 feet per minute). See General Electric Drawing 730E100, Sheets 1 and 2.

A take-up reel is included in the cable drive mechanism to coil the drive cable as it is withdrawn from the reactor. This reel makes it possible to connect the TIP and its cable to the amplifier through a connector rather than slip rings which reduces possible noise and maintenance problems.

The mechanical counter (digital) is driven directly from the output shaft of the cable drive motor. The TIP position signal is also available to the process computer. The digital counter is used to position the TIP in the guide tube through the control logic with a linear position accuracy of plus or VII-5-20 09/01/21

USAR minus one inch. The digital counter can control TIP positions at the top of the core for initiation of scan, and at the bottom of the core for changing to fast withdrawal speed.

An in-shield limit switch prevents the TIP from accidentally being withdrawn into the TIP drive. This prevents high airborne radiation levels around the drive unit and in the reactor building. l 54 l A position limit switch provides an electrical interlock release when the probe is in the nominal zero position to allow the indexing mechanism to index the TIP to the next guide tube location. The limit switch is actuated when the end of the TIP passes a switch in the guide tube in use. The cable drive motor includes an AC voltage-operate d brake to prevent coasting of the TIP after a desired in-core position is reached. When the system is not in use, the detector probe can be completely withdrawn to a position in the center of the chamber shield.

A circular transfer machine with ten indexing points functions as an indexing mechanism. Nine of these locations are for the guide tubes associated only with that particular TIP machine. The tenth location is for the guide tube common to all the TIP machines. Indexing to a particular tube location is accomplished manually at the control panel by means of a position selector switch which energizes the electrically actuated rotating mechanism.

Electrical interlocks prevent the indexing mechanism from changing positions until the probe cable has been completely retracted beyond the transfer point.

Additional electrical interlocks prevent the cable drive motor from moving the cable until the transfer mechanism has indexed to the pre-selected guide tube

'location (see General Electric Drawing 730E805BA, Sheet 7)

A valve system is provided with a valve on each guide tube entering the primary containment. These valves are closed except when the TIP subsystem is in operation. A ball valve and a cable shearing valve are mounted in the guide tubing just outside of the primary containment. They prevent the loss of reactor coolant in the event a guide tube ruptures inside the reactor vessel. A valve is also provided for a gas purge line to the indexing mechanisms. A guide tube ball valve opens only when the TIP is being inserted. The shear valve is used only if a leak occurs when the TIP is beyond the ball valve and power to the TIPS fails. The shear valve, which is controlled by a manually operated protection switch, can cut the cable and close off the guide tube. The shear valves are actuated by detonation squibs.

The continuity of the squib circuits is monitored by panel indicator lights in the control room on panel 9-13 plus a trouble alarm on panel 9-5.

A guide tube ball valve is normally de-energized and in the closed position. When the TIP starts forward the valve is energized and opens. As it opens it actuates a set of contacts which gives a signal light indication at the TIPS control panel and bypasses an inhibit limit switch which automatically stops TIP motion if the ball valve does not open on command.

(See General Electric Drawing 730E805BA, Sheet 7.)

Operation of the guide tube ball valve and shear valve upon a PCIS Group 2 isolation signal is discussed in USAR Section V-2, "Primary Containment System."

5.11.2.3 Signal Conditioning The readout instruments and electrical controls for the TIP machines are mounted in a cabinet in the control room. Since there are several groups of guide tubes, each with an associated TIP machine, there are also several groups of readout equipment controls mounted in the cabinet. Each set of readout equipment consists of a DC amplifier and a DC power supply for VII-5-21 09/01/21

USAR the TIP polarizing voltage. An X-Y output is provided for use by the process computer. The TIP output is linear to within 1% of full scale from a neutron flux of 2. 8 x 10 13 to 2. 8 x 10 14 nv. The probe and cable leakages contribute less than 1% of indicated reading. For normal operating conditions the flux amplifier is linear to within+/- 0.1% of full scale.

5.11.3 Power Generation Evaluation An adequate number of TIP channels are supplied to assure that each LPRM assembly can be probed by a TIP and one LPRM assembly (the central one) can be probed by every TIP to allow intercalibratio n. Typical TIP's have been tested to prove linearity. The system has been field tested in an opera ting reactor to assure reproducibility for repetitive measurement, and the mechanical equipment has undergone life testing under simulated operating conditions to assure that all specifications can be met. The system design allows semi-automatic operation for LPRM calibration and process computer use.

The TIP machines can be operated manually to allow pointwise flux mapping.

5.11.4 Inspection and Testing The TIPS equipment is tested and calibrated using heat balance data and surveillance procedures.

VII-5-22 09/01/21

6.0 REFUELING INTERLOCKS 6.1 Safety Objective The refueling interlocks are designed to back up procedural core reactivity controls during refueling operations; specifically, the interlocks prevent an inadvertent criticality during refueling operations.

6.2 Safety Design Basis

1. During fuel movements in or over the reactor core, all control rods shall be in their fully-inserted positions.
2. No more than one control rod shall be withdrawn from its fully inserted position at any time when the reactor is in the refuel mode.

6.3 Description During a refueling operation, the reactor vessel head is removed, allowing direct access to the core. Refueling operations include the removal of reactor vessel upper internals and the movement of spent and fresh fuel assemblies between the core and the fuel storage pool. The service platform, refueling platform, and the equipment handling hoists on the platforms are used to accomplish the refueling task. The refueling interlocks reinforce operational procedures that prohibit taking the reactor critical under certain situations encountered during refueling operations by restricting the movement of control rods and the operation of refueling equipment.

The refueling interlocks include circuitry which sense the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated which prevent the movement of the refueling equipment or withdrawal of control rods (rod block).

Circuitry is provided which senses the following conditions:

1. All rods inserted
2. Refueling platform positioned near or over the core
3. Refueling platform hoists are fuel-loaded (fuel grapple, frame mounted hoist, monorail mounted hoist)
4. Fuel grapple not full up
5. Service platform hoist fuel-loaded
6. One rod withdrawn A two channel DC circuit indicates that all rods are in. The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe. The rod-in switch must be closed for each rod before the "all rods in" signal is generated; two channels carry the signal. Both channels must register the "all rods in" signals in order for the refueling interlock circuitry to indicate the "all rods in" condition.

The refueling platform is provided with two mechanical switches attached to the platform which are tripped open by a long, stationary ramp mounted adjacent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel, thereby providing indication of the approach of the platform toward the core or its position over the core.

Load cell readout is provided for the monorail hoist by a display giving hoist load directly to the operator. Load is sensed by a strain gauge load cell which produces a current signal to the control circuitry. Associated VII-6-1 08/14/00

interlock and load functions are provided by the control circuitry which receive the current signal generated by the load cell. Load cell readout for the other hoist on the refueling platform is provided by force gauges.

Associated interlock and load functions are performed by pressure micro-switches receiving signals from the force gauge. [55 l The three hoists on the refueling platform and the hoist on the service platform are provided with switches which open when the hoists are fuel-loaded. The switches are set up to open at a load weight which is lighter than the weight of a single fuel assembly, thus providing positive indication whenever fuel is loaded on any hoist.

For the refueling interlocks:

The fuel grapple hoist load switch shall be set at:::; 650 lbs.

If the frame-mounted auxiliary hoist, the monorail-mounted auxiliary hoist, or the service platform hoist is to be used for handling fuel with the head off the reactor vessel, the load limit switch on the hoist to be used shall be set at:::; 400 lbs.

By design the fuel handling bridge fuel hoist has a load-limit cell set at no more than 1,230 pounds.

The telescoping fuel grapple hoist is provided with a limit switch, which is open any time the grapple has descended more than about four inches from its full up position. This switch is placed in series with the grapple load switch to ensure interlock operation in the event that the weight of the bottom section of the telescope plus the fuel is less than the preset load.

The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operation and control rod movement, as described in USAR Figure VII-6-1 and General Electric Drawing 729E471BB, Sheet 6 and in the following:

1. Refueling platform travel toward the core is stopped when the following three conditions exist concurrently:
a. Any refueling platform hoist is loaded or the fuel grapple is not in its full up position.
b. Not all rods in
c. Refueling platform position is such that the position switch is open (platform near or over the core)
2. With the Reactor Mode Selector Switch in "Startup",

refueling platform travel toward the core is prevented when the refueling platform position switch is open (platform near or over the core).

3. With the Reactor Mode Selector Switch in "Refuel", refueling platform travel towards the core is prevented when the following two conditions exist concurrently:
a. More than one rod withdrawn
b. The refueling platform position switch is open (platform near or over the core)

VII-6-2 12/21/04

4. The refueling platform frame mounted hoist "LIFT" electrical circuit is open when the following three conditions exist concurrently:
a. Frame mounted hoist fuel loaded
b. Not all rods in
c. Refueling platform near or over the core
5. The refueling platform monorail mounted hoist "LIFT" electrical circuit is open when the following three conditions exist concurrently:
a. Monorail mounted hoist fuel loaded
b. Not all rods in
c. Refueling platform near or over the core
6. Operation of the telescoping fuel grapple is prevented when the following two conditions exist concurrently:
a. Not all rods in
b. Refueling platform near or over the core
7. Operation of the service platform hoist is prevented when the following two conditions exist concurrently:
a. Not all rods in
b. Service platform hoist fuel loaded
8. With the Reactor Mode Selector Switch in "Refuel", any one of the following three conditions prevents a control rod withdrawal:
a. Refueling platform over the core with a load on any refueling platform hoist or the fuel grapple not fully up
b. Service platform hoist fuel loaded
c. Selection of a second rod for movement with any other rod withdrawn from the fully inserted position
9. With the Reactor Mode Selector Switch in "Startup", any one of the following conditions prevents a control rod withdrawal:
a. Refueling platform over the core
b. Service platform hoist fuel-loaded The prevention of a control rod withdrawal is accomplished by opening contacts at two different points in the rod block circuitry; prevention of refueling equipment operation is accomplished by interrupting the power supply to the equipment.

During refueling operations no more than one control rod may be withdrawn (unless the spiral offload/reload technique is used); this is enforced by a redundant logic circuit which uses the "all rods in" signal and a rod selection signal to prevent the selection of a second rod for movement with any other rod not fully inserted. The simultaneous selection of VII-6-3 07/29/16

two control rods is prevented by the interconnection arrangement of the select push buttons. With the Reactor Mode Selector Switch in "Refuel", the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.

Spiral offloading encompasses offloading a cell on the edge of a continuous fueled region (the cell can be offloaded in any sequence). Spiral offloading and reloading will preclude the creation of flux traps (moderator filled cavities surrounded on all sides by fuel).

During spiral offloading, the SRM's shall have an initial count rate of >3 cps with all rods fully inserted. The count rate will diminish during fuel removal. After all the fuel is removed from a cell, the control rod may be withdrawn in that cell. After the control rod is withdrawn, the refueling interlock will be bypassed on that control rod. Following the withdrawal and bypassing of the control rod, two licensed operators will verify that the interlock bypassed is on the correct control rod. Once the control rod is withdrawn, it will be valved out of service. The refueling interlocks will prevent the withdrawal of another control rod unless the control rod just withdrawn from the unloaded cell is bypassed.

A bypass for the service platform hoist load interlock is provided. When the service platform is no longer needed, its power plug is removed, deenergizing the power supply to the hoist; the platform can then be moved to a location away from the core. Deenergizing the hoist power supply opens the hoist load switches, giving a false indication that the hoist is loaded; this indication prevents control rod withdrawal with the Reactor Mode Selector Switch in "Startup" or "Refuel". A bypass plug is provided to allow control rod movement in this situation. The bypass plug is physically arranged to prevent the connection of the service platform power plug unless the bypass plug is removed.

6.4 Safety Evaluation The refueling interlocks, in combination with core nuclear design and refueling procedures, limit the probability of an inadvertent criticality.

The nuclear characteristics of the core assure that the reactor is subcritical even when the highest worth control rod is fully withdrawn. Refueling procedures are written to avoid situations in which inadvertent criticality is possible. The combination of refueling interlocks for control rods and the refueling platform provide redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality.

USAR Table VII-6-1 illustrates the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform movement and position, and Reactor Mode Selector Switch manipulation. The initial conditions in situations 4 and 5 appear to be in contradiction to the action of refueling interlocks, because the initial conditions indicate that more than one control rod is withdrawn, yet the Reactor Mode Selector Switch is in REFUEL. Such initial conditions are possible if the rods are withdrawn when the Reactor Mode Selector Switch is in STARTUP, and then the Reactor Mode Selector Switch is turned to REFUEL. The scram indicated in situation 17 of USAR Table VII-6-1 is not a result of the refueling interlocks; it is the response of the reactor protection system to downscale neutron monitoring system channels when the Reactor Mode Selector Switch is shifted to RUN. In all cases, proper operation of the refueling interlocks is successful in preventing either the operation VII-6-4 07/29/16

of loaded refueling equipment over the core whenever any control rod is withdrawn or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the Reactor Mode Selector Switch is in REFUEL, only one rod can be withdrawn; selection of a second rod initiates a rod block. Thus, safety design bases 1 and 2 are satisfied.

6.5 Inspection and Testing Complete functional testing of all refueling interlocks before any refueling outage will provide positive indication that the interlocks operate in the situations for which they were designed. By loading each hoist with a weight equal to a fuel assembly, positioning the refueling platform, and withdrawing control rods or simulating their withdrawal, the interlocks can be subjected to valid operational tests. Where redundancy is provided in the logic circuitry, tests can be performed to assure that each redundant logic element can independently perform its function.

VII-6-5 11/17 /01

USAR TABLE VII-6-1 REFUELING INTERLOCK EFFECTIVENESS Refueling Service Platform Refueling Platform Hoists Platform Mode Situation Position MMH* FMH* FG* Hoist Control Rods Switch Attempt Result

1. Not near core UL* UL* UL* UL* All rods in Refuel Move refueling No restrictions platform over core
2. Not near core UL UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod
3. Not near core UL UL UL UL One rod withdrawn Refuel Move refueling No restrictions platform over core
4. Not near core Any hoist loaded or FG UL One or more rods Refuel Move refueling Platform stopped not fully up withdrawn platform over core before over core
5. Not near core UL UL UL UL More than one rod Refuel Move refueling Platform stopped Withdrawn platform over core before over core
6. Over core UL UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod
7. Over core Any hoist loaded or FG UL All rods in Refuel Withdraw rods Rod block not fully up
8. Not near core UL UL UL L* All rods in Refuel Withdraw rods Rod block
9. Not near core UL UL UL L All rods in Refuel Operate service platform No restrictions hoist
10. Not near core UL UL UL L One rod withdrawn Refuel Operate service platform Hoist operation hoist prevented
11. Not near core UL UL UL UL All rods in Startup Move refueling Platform stopped platform over core before over core
12. Not near core UL UL UL L All rods in Startup Operate service No restrictions platform hoist
13. Not near core UL UL UL L One rod withdrawn Startup Operate service Hoist operation platform hoist prevented
14. Not near core UL UL UL L All rods in Startup Withdraw rods Rod block
15. Not near core UL UL UL UL All rods in Startup Withdraw rods No restrictions
16. Over Core UL UL UL UL All rods in Startup Withdraw rods Rod block
17. Any Any condition Any Any condition, Startup Turn mode switch to run Scram condition reactor not at power
  • LEGEND MMH - Monorail Mounted Hoist FMH - Frame Mounted Hoist FG - Fuel Grapple UL - Unloaded L-Fuel-loaded VII-6-6 08/14/00

USAR 7.0 REACTOR MANUAL CONTROL SYSTEM 7.1 Safety Objective The Reactor Manual Control System ( RMCS) has no safety design basis of its own. However, its design and operation shall not affect or prevent the Reactor Protection System from performing its safety objective.

7.2 Safety Design Basis

1. The circuitry provided for the manipulation of control rods shall be designed so that no single failure can negate the effectiveness of a reactor scram.
2. Repair, replacement, or adjustment of any failed or malfunctioning component shall not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.

7.3 Power Generation Objective The objective of the RMCS is to provide the operator with the means to make changes in nuclear reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods.

7.4 Power Generation Design Basis

1. The RMCS shall be designed to inhibit control rod withdrawal following erroneous control rod manipulations so that reactor protection system action (scram) is not required.
2. The RMCS shall be designed to inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulation.
3. The RMCS shall be designed to inhibit rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation (due to failure) is incapable of monitoring the core response to rod movement.
4. To limit the potential for inadvertent rod withdrawals leading to Reactor Protection System (RPS) action, the RMCS shall be designed in such a way that deliberate operator action is required to effect a continuous rod withdrawal.
5. To provide the operator with the means to achieve prescribed control rod patterns, information pertinent to the position and motion of the control rods shall be available in the control room.

7.5 Description 7.5.1 Identification The RMCS consists of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The RMCS does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in USAR Section VII-2, "Reactor Protection System". The mechanical devices of the control rod drives and the control rod drive hydraulic system are not included VII-7-1 08/14/00

USAR in the RMCS. These mechanical components are described in USAR Section III-4, "Reactivity Control Mechanical Design".

7.5.2 Operation 7.5.2.1 General General Electric Drawing 7 2 9E4 7 lBB, Sheets 1 through 5 show the functional arrangement of devices for the control of components in the control rod drive hydraulic system. Although the drawings also show the arrangement of scram devices, these devices are not part of the RMCS.

Control rod movement is accomplished by admitting water under pressure from a control rod drive water pump into the appropriate end of the double-acting control rod drive cylinder. The pressurized water forces the piston, which is attached by a connecting rod to the control rod, to move.

Three modes of control rod operation are used: insert, withdraw, and settle.

Four solenoid operated valves are associated with each control rod to accomplish the actions required for the various operational modes. The valves control the path that the control rod drive water takes to the cylinder. The RMCS controls the valves.

Two of the four solenoid operated valves for a control rod are electrically connected to the insert bus. When the insert bus is energized and when a control rod has been selected for movement, the two insert valves for the selected rod open, allowing the control rod drive water to take the path that results in control rod insertion. Of the two remaining solenoid operated valves for a control rod, one is electrically connected to the withdraw bus, and the other is electrically connected to the settle bus. The withdraw valve that connects the insert drive water supply line to the exhaust water header is the one that is connected to the settle bus. The remaining withdraw valve is connected to the withdraw bus. When both the withdraw bus and the settle bus are energized and when a control rod has been selected for movement, both withdraw valves for the selected rod open, allowing control rod drive water to take the path that results in control rod withdrawal.

The settle mode is provided to insure that the control rod drive index tube is engaged promptly by the collet fingers after the completion of either an insert or withdraw cycle. During the settle mode, the withdraw valve connected to the settle bus is opened or remains open while the other three solenoid operated valves are closed. During an insert cycle, the settle action vents the pressure from the bottom of the drive piston to the exhaust header, thus gradually reducing the differential pressure across the drive piston of the selected rod. During a withdraw cycle, the settle action again vents the bottom of the drive piston to the exhaust header while the withdraw drive water supply is shut off. This also allows a gradual reduction in the differential pressure across the control rod drive piston. After the control rod has slowed down, the collet fingers engage the index tube and lock the rod in position. See General Electric Drawing 729E471BB, Sheet 1 for valve sequence and timing.

The arrangement of control rod selection pushbuttons and circuitry permits the selection of only one control rod at a time for movement. A rod is selected for movement by depressing a button for the desired rod on the reactor control bench board in the control room. The direction in which the selected rod moves is determined by the position of a switch, called the "rod movement" switch, which is also located on the reactor control bench board.

This switch has "rod-in" and "rod-out-notch" positions and returns by spring action to the "off" position. The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod-selected VII-7-2 08/14/00

USAR condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed.

Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.

A movement cycle is described in terms of the insert, withdraw and settle modes of control rod operation.

7.5.2.2 Insert Mode The following is a description of the detailed operation of the RMCS during an insert mode. The response of a selected rod when the various busses are energized has been explained previously. General Electric Drawing 7 2 9E4 7 lBB, Sheets 3 and 4, can be used to follow the sequence of an insert cycle.

A three position rod movement switch is provided on the reactor control bench board. The switch has a "rod-in" position, a "rod-out-notch" position, and an "off" position. The switch returns by spring action to the "off" position. With a control rod selected for movement, placing the rod movement switch in the "rod-in" position and then releasing the switch energizes the insert bus for a limited amount of time. Just before the insert bus is deenergized, the settle bus is automatically energized and remains energized for a limited period of time after the insert bus is deenergized.

The insert bus timer setting and the rate of drive water flow provided by the control rod drive hydraulic system determine the distance traveled by a rod.

The timer setting results in a 1-notch (six inches) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement switch. Continuous insertion of a selected control rod is possible by holding the rod movement switch in the "rod-in" position.

A second switch called the "rod-out-notch override" (RONOR) is available to initiate insertion of a selected control rod. The RONOR switch has three positions: "emergency in, " "notch override, " and "off." By holding the RONOR switch in the "emergency in" position, the insert bus is continuously energized, causing a continuous insertion of the selected control rod. The switch returns to the "off" position by spring action.

7.5.2.3 Withdraw Mode The following is a description of the detailed operation of the RMCS during a withdraw mode of operation. The response of a selected rod when the various busses are energized has been explained previously. General Electric Drawing 729E471BB, Sheets 3 and 4, can be used to follow the sequence of a withdraw mode.

With a control rod selected for movement, placing the rod movement switch in the "rod-out-notch" position energizes the insert bus for a short period of time. Energizing the insert bus at the beginning of the withdrawal mode is necessary to allow the coll et fingers to disengage the index tube.

When the insert bus is deenergized, the withdraw and settle busses are energized for a controlled period of time. The withdraw bus is deenergized prior to the settle bus, which, when deenergized completes the withdraw cycle.

This withdraw cycle is the same whether the rod movement switch is held continuously in the "rod-out-notch" position or released. The timers that control the withdraw cycle are set so that the rod travels one notch (six inches) per cycle. An interlock is provided in the withdraw circuitry to deenergize the control circuit and prevent rod withdrawal if the withdraw bus timer fails to deenergize the withdraw bus after the specified time period. A selected control rod can be continuously withdrawn if the rod movement switch is held in the "rod-out-notch" position at the same time that the RONOR switch is held in the "notch-override " position. With both switches held in these VII-7-3 08/14/00

USAR positions, the withdraw bus is continuously energized. Both switches return to the "off" position by spring action.

7.5.2.4 Control Rod Drive Hydraulic System Control One motor operated pressure control valve, two air operated flow control valves, and four solenoid operated stabilizing valves are included in the control rod drive hydraulic system to maintain smooth and regulated system operation ( see USAR Section III-4, "Reactivity Control Mechanical Design") .

The motor operated pressure control valve is positioned by manipulating a switch in the control room. The switch for this valve is located close to the pressure indicators that respond to the pressure changes caused by the movement of the valve. The air operated flow control valves are automatically positioned in response to signals from an upstream flow measuring device. The stabilizing valves are automatically controlled by the action of the energized insert and withdraw buses. The control scheme is shown in General Electric Drawing 729E471BB, Sheets 2, 3, and 4. The two drive water pumps are controlled by switches in the control room. Each pump automatically stops upon indication of low suction pressure (General Electric Drawing 729E471BB, Sheet 2) .

7.5.3 Rod Block Interlocks 7.5.3.1 General General Electric Drawing 7 2 9E4 7 lBB, Sheets 3, 4, and 5 show the rod block interlocks* used in the RMCS. Sheets 3 and 4 show the general functional arrangement of the interlocks, and Sheet 5 shows the rod blocking functions that originate in the neutron monitoring system in greater detail.

To achieve an operationally desirable performance objective where most failures of individual components would be easily detectable or do not disable the rod movement inhibiting functions, the rod block logic circuitry is arranged as two similar logic circuits. Most common connection points that would, after failure, allow rod withdrawal under rod block conditions are eliminated. The two circuits are energized when control rod movement is allowed. Rod block contacts are normally closed, and rod block relays are normally eriergized. Each of the two similar circuits receive input trip signals from a number of trip channels. There are a total of three rod withdrawal block signals associated with the two rod block circuits. Either of the two circuits can provide a separate rod block signal to the rod control circuitry. The individual signal from each circuit is called an "annunciating rod block control" because when tripped, an alarm is sounded in the control room to indicate the block signal. The third rod block signal is obtained by combining the outputs of the two similar logic circuits, the rod worth minimizer output (see USAR Section VII-16, "Process Computer System"), and the rod block monitor outputs. This third signal is called the "non-annunciating rod block control" because when tripped, the rod block condition is indicated in the control room by light indicator only. The two "annunciating rod block controls" are always placed in pairs in the rod control circuitry, while the "non-annunciating rod block control" is used independently. Both the two "annunciating rod block controls" and the "non-annunciating rod block control" must be in the permissive state for control rod withdrawal to be possible. A failure of any one of the three rod block controls cannot prevent the remaining parts of the rod block circuitry from initiating a rod block.

When in the tripped state, the "non-annunciating rod block control" prevents the withdraw movement of the selected rod by opening the rod control circuit that is used to energize the withdraw bus. The "annunciating rod block controls" prevent the withdraw movement of a selected rod in a similar manner, but the rod control circuit is opened at a location different from that affected by the "non-annunciating rod block control". The rod block circuitry VII-7-4 08/14/00

USAR is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous withdrawal. If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even if a continuous rod withdrawal is in progress.

The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod blocks are described in USAR Section VII-6, "Refueling Interlocks".

7.5.3.2 Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed later. General Electric Drawing 7 2 9E4 7 lBB, Sheet 5, shows all the rod block functions; the rod block functions provided specifically for refueling situations are described in USAR Section VII-6, "Refueling Interlocks".

a. With the Reactor Mode Selector Switch in SHUTDOWN, no control rod can be withdrawn. This enforces compliance with the intent of the SHUTDOWN mode.
b. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions (RBM bypassed less than about 27% power):
1. Any average power range monitor (APRM) upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require RPS action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.
2. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the APRM channels are either in service or properly bypassed.
3. Either rod block monitor ( RBM) upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.
4. Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or properly bypassed.
5. Either Reactor Recirculation Flow Controller (RRFC) flow converter upscale or inoperative alarm. This assures that no control rod is withdrawn unless the recirculation flow converters are operable.
6. RRFC flow converter comparator alarm is inoperative.

This assures that no control rod is withdrawn unless the difference between the outputs of the flow converters is within limits and the comparator is in service.

7. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volumes to accommodate a scram. The setting is selected to VII-7-5 08/14/00

USAR initiate a rod block well in advance of that level which produces a scram (see USAR Section VI I-2, "Reactor Protection System") .

8. Scram discharge volume high water level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service (see USAR Section VII-2, "Reactor Protection System") .
9. The rod worth minimizer (RWM) function of the process computer system can initiate a rod insert block, a rod withdrawal block, and a rod select block. The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under low power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident. Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed. Additional information on the RWM function is available in USAR Section VII-16, "Process Computer."
10. Rod Position Information System (RPIS) malfunction.

Depending on the severity of the malfunction, a rod drift alarm, inoperative select block, or RWM block may occur. An RPIS rod block assures that no control rod can be withdrawn unless RPIS is in service.

11. Rod movement timer switch malfunction during withdrawal. This assures that no control rod can be withdrawn unless the timer is in service.
c. With the Reactor Mode Selector Switch in RUN, the following conditions initiate a rod block:
1. Any APRM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the APRM channels are operating properly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN mode.
2. Either RBM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the RBM channels are operating properly or are correctly bypassed. RBMs automatically bypass for reactor power less than about 27 percent power.
d. With the Reactor Mode Selector Switch in STARTUP or REFUEL the following conditions initiate a rod block:
1. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and the associated IRM range switches are on either of the two lowest ranges. This assures that no control rod is withdrawn unless all SRM detectors are properly inserted when they must be relied upon to provide the operator with neutron flux level information.
2. Any SRM upscale level alarm. This assures that no control rod is withdrawn unless the SRM detectors are properly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.
3. Any SRM downscale alarm and any IRM range switch on either of the two lowest ranges. This assures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring.

VII-7-6 08/14/00

USAR

4. Any SRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all SRM channels are in service or properly bypassed.
5. Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM detectors are properly located.
6. Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is properly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring RPS action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.
7. Any IRM downscale alarm except when range switch is on the lowest range. This assures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being properly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level; thus, the rod block ensures that the IRM is on scale if control rods are to be withdrawn.
8. Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM channels are in service or properly bypassed.

7.5.3.3 Rod Block Bypasses To permit continued power operation during the repair or calibration of equipment for selected functions which provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

1 SRM channel 2 IRM channels 2 APRM channels 1 RBM channel The Control Rod Withdrawal Block Instrumentation trip system is a one out of "n" trip system, and as such requires that only one APRM or IRM must exceed the trip level setting to cause a rod block. By utilizing the RPS bypass logic for the Control Rod Withdrawal Block Instrumentation , a sufficient number of instrument channels will always be operable to provide redundant rod withdrawal block protection. By design, only one each of the SRM's and RBM's may be bypassed.

These bypasses are effected by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM instrumentation . The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued.

An automatic bypass of the RBM rod block occurs whenever the power level is below a preselected level or whenever a peripheral control rod is selected. Either of these two conditions indicates that local fuel damage is not threatened and that RBM action is not required.

VII-7-7 08/14/00

USAR The RWM rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. It may be manually bypassed for maintenance at any time.

7. 5. 3. 4 Arrangement of Rod Block Trip Channels One half of the total numbers of APRM's, IRM's, SRM's, and RBM's provides inputs to one of the rod block logic circuits, and the remaining half provides inputs to the other logic circuit. One RRFC flow converter provides a rod block signal to one logic circuit; the remaining converter provides an input to the other logic circuit. The RRFC flow converter comparator provides trip signals to each flow converter trip circuit. In addition to the arrangement just described, both RBM trip channels provide input signals into a separate circuit for the "non-annunciati ng rod block control." Scram discharge volume high water level signals are provided as inputs into one of the two rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed. The rod withdrawal block from the RWM trip affects a separate circuit that trips the "non-annunciati ng rod block control." The rod insert block from the RWM function prevents energizing the insert bus for both notch insertion and continuous insertion.

The APRM rod block settings are varied as a function of recirculation flow, as shown in USAR Figure VII-7-2. RBM rod block settings are verified as a function of power provided by APRM.

Analyses show that the settings selected are sufficient to avoid both RPS action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. Additional detail on all the neutron monitoring system trip channels is available in USAR Section VII-5, "Neutron Monitoring System." The rod block from scram discharge volume high water level utilizes two non-indicating float switches, one installed in each scram discharge instrument volume. [B 2 l 7.5.4 Instrumentation USAR Table VII-7-1 gives instrument information for the RMCS. The RPIS information display is presented on the vertical portion of the reactor control bench board. This large display is patterned after a top view of the reactor core and is designed to allow the operator to acquire information rapidly by scanning. The use of colored windows provides an overall indication of rod pattern and allows the operator to quickly identify an abnormal indication. The following information for each control rod is presented in this large display:

Rod fully inserted (green)

Rod fully withdrawn (red)

Rod identification (coordinate position, white)

Accumulator trouble (amber)

Rod scram (blue)

Rod drift (red)

Also dispersed throughout the display in locations representative of the physical location of LPRM strings in the core are LPRM lights as follows:

LPRM low flux level (white)

LPRM high flux level (amber)

VII-7-8 08/14/00

USAR A separate, smaller display is located just below the large display on the vertical part of the bench board. This display presents the positions of the control rod selected for movement and the other rods in the rod group. For display purposes the control rods are considered in groups of four adjacent rods centered around a common core volume monitored by four LPRM strings. Rod groups at the periphery of the core may have less than four rods. The small rod display shows the positions in digital form of the rods in the group to which the selected rod belongs. A white light indicates which of the four rods is the one selected for movement. On either side of the four-rod position display are indicated the readings of the 16 LPRM channels (four LPRM strings) surrounding the core volume common to the four rods of the group.

The four-rod display allows the operator to easily focus attention on the core volume of concern during rod movements. This arrangement eliminates the problems inherent in larger, full core displays where the operator must concentrate attention on a small portion of a large display. The four-rod display also allows the operator to quickly investigate any volume of the core by simply selecting a control rod located in that volume.

The position signals of selected control rods together with a rod identification signal are provided as inputs to the on-line process computer.

The acquisition of the rod position signal does not interrupt the rod position indication signal in the control room. The computer can, on demand, provide a full core printout of control rod positions (USAR Figure VII-7-4).

Control rod position information (RPIS) is obtained from reed switches in the control rod drive that open or close as a magnet attached to the rod drive piston passes during rod movement. Reed switches are provided at each 3-inch increment of piston travel. Since a notch is 6 inches, indication is available for each half-notch of rod travel. The reed switches located at the half-notch positions for each rod are used to indicate rod drift. Both a rod selected for movement and the rods not selected for movement are monitored for drift. A drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer.

Reed switches are also provided at locations that are beyond the limits of normal rod movement. If the rod drive piston moves to these overtravel positions, an alarm is sounded in the control room. The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact, because with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position.

The following control room lights are provided to allow the operator to know the conditions of the Control Rod Drive Hydraulic (CRDH) system and the control circuitry: (General Electric Drawing 729E471BB, Sheets 1, 2, 4, and 7)

Stabilizer valve selector switch position Insert bus energized Withdraw bus energized Settle bus energized Withdrawal not permissive Notch override Pressure control valve position Flow control valve position Drive water pump low suction pressure (alarm only)

Drive water filter high differential pressure (alarm only)

VII-7-9 08/14/00

USAR Charging water (to accumulator) low/high pressure (alarm only)

Control rod drive temperature Scram discharge volume not drained (alarm only)

Scram valve pilot air header low/high pressure (alarm only)

Additional instrumentation provided for the RMCS is presented in USAR Table VII-7-1. Many of these RMCS indications are displayed on the reactor control bench board.

7.5.5 Rod Sequence Control System The group notch Rod Sequence Control System ( RSCS) was removed during the reload 15, cycle 16 refueling outage in the spring of 1993. The NRC approved the removal of the Technical Specifications associated with the RSCS with Amendment No. 156 to the CNS Operating License, [l10J which effectively approved the removal of the RSCS. NRC approval of the RSCS removal was based, in part, on a Boiling Water Reactor's Owner's Group (BWROG) effort which produced an amendment to the General Electric Standard Application for Reactor Fuel (GESTAR), demonstrating acceptability of RSCS removal. [ll1J The NRC, by letter dated December 27, 1987, documented acceptance for referencing of Licensing Topical Report NEDE-24011-P-A, "GE Standard Application for Reactor Fuel. "( 1121 7.6 Safety Evaluation The circuitry described for the RMCS is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry. The scram circuitry is discussed in USAR Section VII-2, "Reactor Protection System." Because each control rod is controlled as an individual unit, a failure that results in energizing of any of the insert or withdraw solenoid valves can affect only one control rod.

The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod. It can be concluded that no single failure in the RMCS can result in the prevention of a reactor scram and that repair, adjustment, or maintenance of RMCS components does not affect the scram circuitry. This meets safety design bases 1 and 2. The RMCS including instrumentation is designed as Class I seismic design equipment in accordance with Appendix C.

7.7 Inspection and Testing The RMCS can be routinely checked for proper operation by manipulating control rods using the various methods~ of control. Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

VII-7-10 08/14/00

USAR TABLE VII-7-1 REACTOR MANUAL CONTROL SYSTEM INSTRUMENT SPECIFICATIONS (See Technical Specifications for Select Alarm Settings)

Measured Variable Instrument Type Range Pump Suction Pressure Pressure Indicator 30 in. Hg VAC to +250 psig Pump Suction Pressure Alarm Pressure Switch 0 to 30 in. Hg Abs.

Pump Discharge Pressure Pressure Indicator 0-2000 psig Filter Pressure Drop AP Indicator 0-30 psid System Flow Indicator and Flow Indicator 0-80 gpm Controller Accum. Charge HDR Pressure Pressure Indicator 0-2000 psig Alarm Drive HDR Flow Flow Indicator 0-8 gpm Drive HDR Pressure Pressure Indicator 0-2000 psig Drive HDR Pressure Drop AP Indicator 0 to 350 psid Cooling HDR Flow Flow Indicator 0-60 gpm Cooling HDR Pressure Pressure Indicator 0-2000 psig Cooling HDR Pressure Drop AP Indicator 10-60 psid Stabilizing Flow Flow Indicator 0-8 gpm Exhaust Pressure Pressure Indicator 0-1800 psig Scram Discharge Level Level Switch 2 inches Drive Temperature PMIS Computer 0-500°F Instrument Air Supply Pressure Pressure Indicator 0-160 psig F.C. Station Air Pressure Pressure Indicator 0-160 psig Scram Pilot Air HDR Pressure Pressure Indicator 0-150 psig Scram Pilot Air HDR Pressure Pressure Switch 1.5-150 psig Accum. N2 Charge Pressure Pressure Indicator 0-2500 psig Accum. Pressure Pressure Switch 160-3200 psig Accum. Leak Leak Detector FCV Electro/Pneumatic Converter Pressure/Current 3 to 15 psig/10 to 50 ma Reactor Pressure Pressure Indicator 0 to 1000 psig Control Rod Drive Overtravel Reed Switches 2 in. beyond full (withdraw direction) withdrawal position Control Rod Drive Overtravel Reed Switches 1-9/16 in. beyond full (insert direction) insert position Control Rod Position (normal Reed Switches full in to full out, range) every 3 inches Rod Block-neutron monitoring SEE "NEUTRON MONITORING system trip channels SYSTEM" (USAR Section VII-5)

Rod Block-rod worth minimizer SEE "PROCESS COMPUTER SYSTEM" (USAR Section VII-16)

Rod Block-flow converter and SEE "NEUTRON MONITORING comparator trip channels SYSTEM" (USAR Section VII-5)

VII-7-11 07/28/2017

USAR 8.0 REACTOR VESSEL INSTRUMENTATION 8.1 Safety Objective The safety design objective of the reactor vessel instrumentation is to monitor and transmit information concerning key reactor vessel operating parameters during normal operations and abnormal and accident conditions to ensure that sufficient indication of these parameters is possible.

8.2 Safety Design Bases Reactor vessel instrumentation shall be designed to:

1. Provide the operator with sufficient indication of reactor core flow rate during normal operations to avoid operating conditions not considered by plant safety analyses.
2. Provide the operator with sufficient indication of reactor vessel water level during normal operations to determine that the core is adequately covered by the coolant inventory inside the reactor vessel to avoid the release of radioactive materials to the environs that would cause the limits of 10CFR20 to be exceeded, and to avoid operating conditions not considered by plant safety analyses.
3. Provide the operator with sufficient indication of reactor vessel pressure during normal operations to avoid nuclear system stresses in excess of those allowed by applicable industry codes.
4. Provide the operator with sufficient indication of reactor vessel top head flange leakage during normal operations to avoid nuclear system stress in excess of that allowed by applicable industry codes and to avoid the release of radioactive materials to the environs that would cause the limits of 10CFR20 to be exceeded.
5. Provide the operator with sufficient indication of reactor vessel parameters for use during abnormal and accident conditions to avoid the release of radioactive materials to the environs that would cause the limits of 10CFR20, 10CFR50.67, and 10CFRl00 to be exceeded.

8.3 Power Generation Objective The power generation objective of the reactor vessel instrumentation is to monitor and transmit reactor vessel parameter information such that the convenient, efficient, and economical operation of the plant is facilitated during normal operations.

8. 4 Power Generation Design Basis Reactor vessel instrumentation shall be designed to:
1. Monitor and transmit sufficient reactor vessel parameter information to the operator to operate the plant conveniently, efficiently, and economically.
2. Provide the operator with sufficient indication of reactor vessel parameters which are essential to perform a safe shutdown from the Alternate Shutdown Room in the special event of a fire.

8.5 Description General Electric Drawing 719E415BB and Burns and Roe Drawing 2026, Sheet 1, show the numbers, location, and arrangements of the sensors, switches, and sensing equipment used to monitor reactor vessel conditions. The reactor vessel VII-8-1 02/05/10

USAR sensors used for safety systems and enginee red safegua rds have been describ ed and evaluat ed in other USAR section s (refer to USAR Table VII-8-2

).

8.5.1 Reacto r Vessel Surface Temper ature Reacto r vessel temper ature is determ ined on the basis of reactor temper ature. Temper atures which are needed for operati on and coolan t for complia nce with the technic al specifi cation operati ng limits are obtaine d from one of several sources depend ing upon the operati ng conditi on. During normal operati on, either reactor pressur e and/or the inlet temper ature of the coolan t in the recircu lation loops may be used to determi ne the vessel temper ature. Below the operati ng span of the resista nce temper ature detecto rs in the recircu lation loop the vessel pressur e is used for determ ining the temper ature. Below 212°F the vessel coolan t, and thus the vessel temper ature, is reasona bly well shown by the reactor water cleanup inlet temper ature indicat or. These three sources of input are most conven iently availab le from the process comput er. Refer to USAR Section VII-16 for details of call-up methods for this inform ation. During normal operati on, vessel therma l transie nts are limited via operati onal constr aints on parame ters other than temper ature. (See USAR Section VII-2, "Reacto r Protec tion System ".) Genera l Electri c Drawing 919D690 BC, Sheet 5, shows the locatio n of the thermo couples .

Reacto r vessel thermo couples are provide d as a means of observi metal surface temper ature behavi or in respons e to vessel coolan ng vessel t temper ature changes during startup and power operati on testing . Indicat ions based upon these thermo couples are used along with the reading s of the reactor recircu lation temper ature in contro lling the rate of heating or cooling or limitin g the vessel therma l stresse s. Selecte d temper atures are recorde d on a recorde

r. Thermo couple and temper ature recorde r specifi cation s are listed in USAR Table VII-8-1 .

Resista nce temper ature detecto rs (RTDs) are install ed on the nozzles . feedwa ter 8.5.2 Reacto r Vessel Water Level Reacto r vessel water level indicat ion is detecte d by compar pressur e exerted by the actual height of water inside the ing the vessel to the pressur e exerted by a constan t referen ce column of water. Instrum ent sensing lines which are connec ted to widely separat ed nozzles in the reactor vessel lead from the vessel to locatio ns outside the primary contain ment where they termina te at instrum ent racks in the reacto r buildin g. Level measur ing instrum ents are attache d to the approp riate sensing lines so that the proper differe ntial pressu re is applied to the level instrum ents. A conden sing chambe r is install ed in each of the instrum ent sensing lines used to provide a referen ce column of water for level measure ments. Two of the referen ce columns are fitted with a temper ature compen sating column which improve s the accurac y of level measure ment and an auxilia ry head chambe r which preven ts flashin g of the referen ce column on depres surizat ion. The reactor vessel instrum entatio n used for safety systems is describ ed in USAR Section VII-1.7 .6 and evaluat ed in USAR Section VII-2. Each of the instrum ent sensing lines is fitted with one manual isolati on valve and one excess flow check valve both of which are located directl y outside the drywel l in the reactor buildin g. The instrum ent sensing lines slope down a minimum of 1/2 inch per foot in the directi on of the instrum ents so that no air traps are formed. Pressur e and differe ntial pressur e measur ing instrum ents also use these same instrum ent lines, as indicat ed in Burns and Roe Drawing 2026, Sheet 1.

There are numerou s indicat ions of reactor vessel water level reactor buildin g. Almost all of the level measur ing instrum ents in the indicat e locally , as shown in Burns and Roe Drawing 2026, Sheet 1. Some of the instrum level measure ments from the instrum ent sensing lines in ents derive their which the temper ature compen sating columns are install ed. Thus, temper ature compen sated, as well as uncomp ensated , level indicat ions are availab le in the reactor buildin g.

VII-8-2 01/21/0 9

USAR TABLE VII-8-1 REACTOR VESSEL INSTRUMENTATION INSTRUMENT SPECIFICATIONS*

Measured Variable Instrument Type Reactor vessel surface Thermocouple 0-600°F temperature Reactor vessel top head surface Thermocouple 0-600°F temperature Reactor vessel top head flange Thermocouple 0-600°F surface temperature Reactor vessel surface Temperature recorder 0-600°F temperature Reactor vessel water level Level indicator See Burns and Roe (temperature compensated) Drawing 2026, Sheet 1 Reactor vessel water level Level indicator See Burns and Roe Drawing 2026, Sheet 1 Calibrated jet pump flow rate Flow transmitter 0-30.61 psid Jet pump flow rate Flow transmitter 0-30.61 psid Calibrated jet pump flow rate Flow indicator 0-5. 5x10 6 lb/hr Jet pump flow rate Flow indicator 0-5. 5x10 6 lb/hr Calibrated jet pump flow rate Square root Recirculation loop flow rate Flow summer Recirculation loop flow rate Flow indicator 0-50,000 gpm Core total flow Flow summer Differential pressure across the Differential pressure 0-30 psid core support assembly transmitter Reactor vessel pressure Pressure indicators 0-1200 psig[ 63 l Pressure indicators 50-1200 psig Reactor vessel flange leak Pressure switch 0-1500 psig detection piping internal pressure Reactor vessel flange leak Pressure indicator 0-1500 psig detection piping internal pressure

  • Other instruments measuring reactor vessel variables are discussed in other USAR sections.

VII-8-3 11/29/22

USAR TABLE VII-8-2 REACTOR VESSEL LEVEL AND PRESSURE INSTRUMENT CROSS REFERENCE Level Instrumentation USAR Section in Which Discussed Level switches for initiating scram Reactor Protection System (VII-2)

Level switches for initiating primary Primary Containment Isolation containment or reactor vessel isolation System (VII-3)

Level switches used for HPCI, LPCI, core Emergency Core Cooling System spray, Automatic Depressurization Controls and Instrumentation (VII-4)

System, recirculation pump trip, or recirculation loop valve closure Level switches, transmitters and Emergency Core Cooling System recorder used to measure water level Controls and Instrumentation (VII-4) inside core shroud Level transmitters and recorders used Feedwater Control System (VII-10) for feedwater control, main turbine and feedwater pump turbine trips Level switches used to trip RCIC Emergency Core Cooling System turbine, and HPCI turbine Controls and Instrumentation (VII-4)

Level switches used to initiate RCIC Reactor Core Isolation Cooling System (IV-7)

Pressure Instrumentation USAR Section in Which Discussed Pressure switches used to initiate a Reactor Protection System (VII-2) scram Pressure switches used to bypass main Reactor Protection System (VII-2) steam line isolation valve closure scram Pressure switches used for Core Spray Emergency Core Cooling System System and LPCI Controls and Instrumentation (VII-4)

Pressure transmitters and recorders used Feedwater Control System (VII-10) for feedwater control Differential pressure switches measuring Emergency Core Cooling System differential pressure between inside of Controls and Instrumentation (VII-4) core spray sparger pipes and core inlet above the core support assembly.

Pressure Switches used to initiate the Nuclear Pressure Relief System (IV-4)

Low-Low Set logic VII-8-4 03/28/01

USAR There are twelve separate reactor vessel water level indications continuously displayed in the control room. Three of the control room level indications come from instruments used to measure the wide range reactor level, four come from the level transmitters provided for the Feedwater Control System, three come from the instruments used to measure fuel zone range, and two use a separate reference column of water located so that water level indication is possible all the way to the top of the vessel. A recorder receives a level input signal calculated by the vessel level control programmable logic controller (PLC) that is derived from the level transmitters in the Feedwater Control System and provides a continuous record of reactor vessel water level. This same recorder provides high and low level alarms. Two of the wide range and two of the fuel zone range indications are also displayed on control room recorders to provide a continuous record of reactor vessel water level. USAR Table VII-8-1 lists the specifications for level instruments not previously described with other systems. Information readouts to the control room from the above level indicators are discussed in more detail in USAR Section VII-1.7.6.

NPPD Drawing CNS-NBI-10 is a chart showing the water levels at which various automatic alarms and safety actions are initiated. Each of the actions listed is described and evaluated in the section of the USAR where the system involved is described. USAR Table VII-8-2 identifies where various level measuring components and their setpoints are discussed.

The large number of reactor vessel water level indications provide the operator with sufficient information to determine the adequacy of the coolant inventory to cool the fuel. In addition, by verifying that reactor vessel water level is not rising to an abnormally high level, the operator is assured that turbines are not endangered by the possibility of water carried into the steam lines. The approach of abnormal conditions is brought to the operator's attention by audible and visual alarms (Burns and Roe Drawing 2026, Sheet 1). It should be noted that operator action is not required for safety system response; all required protection system responses are automatic.

The Core Spray System ensures injection capabilities to preclude reference leg flashing/boiloff. Reference leg injection is necessary when a small steam line break or the loss of containment coolers during reactor depressurization causes the cold reference legs inside the drywell to flash or boiloff, which in turn results in inaccurate reactor water level indication.

Reference leg injection results in an indicated water level approximately seven ( 7) inches less than the actual level, which is in the conservative direction. Reference leg injection is described further in USAR Section VI-4.3.

Continuous backfill of water from the Control Rod Drive Hydraulic system (CRDH) is provided to the two divisional RPV water level instrumentation cold leg condensing chambers, 3A and 3B, in the Nuclear Boiler Instrumentation System. [123 J [ 124 J This backfill system ensures both correct Reactor Water level indication and operability of the safety trip functions of instrumentation which originate from these sensing lines. A continuous backfill of these condensing chambers eliminates the potential for noncondensable gases to be drawn into solution in the condensing chambers.

These noncondensables could then come out of solution during reactor depressurization ( termed degassing) and cause non-conservative water level errors in associated instruments. These errors are caused by the noncondensable gases displacing water from the reference leg, thus reducing differential pressure which corresponds to higher indicated water level.

Noncondensable buildup in the condensing chambers is prevented by having continuous flow from the CRDH system up through the cold reference legs and overflowing out of the condensing chambers into the vessel. See NRC Bulletin 93-03 and "Response to NRC Bulletin 93-03" dated July 29, 1993, for further information.

VII-8-5 09/02/08

USAR

8. 5. 3 Reactor Vessel Coolant Flow Rates and Differential Pressures Burns and Roe Drawing 2026, Sheet 1 shows the flow instruments, differential pressure instruments, and recorders provided so that the core coolant flow rates and the hydraulic performance of reactor vessel internals can be determined. Core flow instrumentation includes the following:
1. Control room readout of the total core flow rate and the total discharge flow from each group of jet pumps, which is driven by an individual drive loop. Measurement of diffuser-entrance-to-co re-supply-plenum pressure differentials is indicated in the control room for each jet pump unit.
2. Control room readout of fluid temperature in the recirculation pump suction and feedwater lines.
3. Control room readout of the total feedwater flow rate and RWCU flow rate.
4. Control room readout of flow in each jet pump drive loop (recirculation loop) using the flow nozzles provided.
5. Control room readout of the discharge flow from four specially calibrated jet pumps. The diffusers on these jet pump units contain special pressure taps for calibration using prototype test performance maps.
6. Locally accessible transducers and pressure sensing taps for making detailed performance measurements and calibrations during reactor operation for the preceding control room readout equipment.

This arrangement of flow measuring instrumentation accomplishes the following: Total core flow rate can be determined by three methods from the control room. The first method is direct readout of Item 1. The second method involves computer calculation of core flow rate using Items 2 and 3 and applying an energy and mass balance to the reactor downcomer region.

The third method is to establish a correlation (during startup tests) between drive loop flow rate and core flow rate with reactor power as a parameter. The correlation is then used to convert the readout of Item 4 to core flow rate.

The correlation should be updated periodically. During operation, results of the three methods can be cross-checked to ensure validity.

Calibration of the flow summers defined in Item 1 is dependent upon deriving the relationship between the two differential pressure readouts (Items 1 and 5) on the specially instrumented jet pumps as a function of jet pump flow. This relationship is obtained under reactor environmental conditions using jet pump prototype performance maps as the calibration basis.

Extreme accuracy of control room readout equipment is not required since precise measurements are possible at a location which is accessible during reactor operation. It is sufficient to demonstrate periodically that reactor recirculation flow is at least design flow during full power reactor operation.

8.5.4 Reactor Vessel Internal Pressure Reactor vessel internal pressure is detected by pressure switches, indicators, and transmitters from the same instrument sensing lines used for reactor vessel water level measurements. An additional pressure gauge is attached to the RHR/Core Spray low pressure initiation line to PS-52C. The VII-8-6 01/23/01

USAR gauge is located in Rack 25-51 on the 903 level in the Reactor Building. It should only be read when the reactor recirculation pumps are shut down.

Two pressure indicators that sense pressure from different, separated instrument sensing lines, provide pressure indications in the Reactor Building on the 931 ft level. Two reactor vessel pressure indications are provided in the Main Control Room. These emanate from the two pressure transmitters used in the Feedwater Control System. Reactor vessel pressure is continuously recorded in the Main Control Room on two recorders. In addition, reactor vessel pressure is monitored by 0-1500 psig pressure transmitters in each RPS di vis ion. [89J USAR Table VII-8-2 shows where reactor vessel pressure measuring instruments used for the automatic control of equipment or systems are discussed.

8.5.5 Reactor Vessel Top Head Flange Leak Detection A connection on the reactor vessel flange is provided into the annulus between the two metallic seal rings used to seal the reactor vessel and top head flanges. This connection permits detection of leakage from the inside of the reactor vessel past the inner seal ring. The connection is piped to a collection chamber installed between two AC solenoid-operated valves. The arrangement is shown in General Electric Drawing 719E415BB. The upstream valve is normally open, the downstream valve normally closed. A pressure switch is also provided to actuate the alarm in the main control room as pressure in the leakage collection piping becomes abnormally high. A pressure indicator is provided to indicate the pressure inside the piping arrangement. The collection chamber is located inside the primary containment, and the pressure instruments are located outside the drywell but inside the reactor building.

The instrument pipeline for the pressure instruments is provided with one manual isolation valve and one excess flow check valve. The specifications for the pressure instruments are given in USAR Table VII 8-1. The two solenoid valves are controlled by a switch in the main control room. The positions of the valves are indicated by lights. If leakage past the inner seal ring is indicated, the upstream valve can be closed and the downstream valve can be opened by remote-manual operation from the main control room. This action routes the accumulated leakage to the drywell equipment drain sump. After the collection chamber is drained, the solenoid-operated valves can be returned to their normal positions.

A connection is provided on the reactor vessel beyond the outer metallic head seal. This connection is piped to a point in the drywell accessible during reactor shutdown and is capped. (Note: In the event that difficulty is encountered in obtaining a pressure tight seal on the inner metallic seal, it may be desirable to operate on the outer metallic seal only.

It shall be possible to install a low pressure seal beyond the outer metallic seal and monitor the space between for outer metallic seal leakage by use of this piped connection.)

8.6 Safety Evaluation The reactor vessel instrumentation is designed to provide sufficient continuous indication of key reactor vessel operating parameters during normal operations such that the operator can efficiently monitor these parameters and anticipate any approach to operating conditions which could lead to any of the unacceptable safety results discussed in the Safety Design Bases (USAR Section VII-8.2). The redundancy of all indicators provided VII-8-7 11/29/22

USAR assures that the possibility that all instrumentation could be lost simultaneously is so remote as to be negligible. In addition, sensors providing safety signals to the reactor protection system and engineered safeguards systems for scram and isolation functions are separate from these indicator sensors such that loss of indication does not directly obviate protection against accidents and transients. It is therefore concluded that the safety design bases are satisfied.

8.7 Inspection and Testing The large number of spare thermocouples provided on the reactor vessel and its attachments permit cross checking to verify proper thermocouple response. Pressure, differential pressure, water level, and flow instruments are located in the reactor building and are piped such t~at the instruments can be calibrated/tested during reactor operation.

The water level in the reactor vessel will be perturbed and the corresponding level indicator changes will be monitored (NBI-LIS-101 A, B, C,

& D). This perturbation test will be performed after completion of the functional test program.

The reactor vessel instrumentation is in scope for License Renewal per 10 CFR 54.4 (a) (1), (a) (2), and (a) (3) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity (see USAR Section K-2.1.2), and Water Chemistry Control - BWR ( see USAR Section K-2. 1. 39) . The following Time-Limited Aging Analyses are applicable: Metal Fatigue (see USAR Section K-2.2.2.2).

VII-8-8 01/17/14

USAR 9.0 RECIRCULATION FLOW CONTROL SYSTEM 9.1 Safety Objective The recirculation flow control system shall be designed to avoid unacceptable safety results during abnormal operational transients and special events.

9.2 Safety Design Basis

1. The recirculation flow control system shall function so that no abnormal operational transient resulting from a malfunction, in the recirculation flow control system, can result in damaging the fuel or exceeding the nuclear system pressure limits.
2. The Recirculation Pump Trip (RPT) feature shall automatically trip the recirculation pumps under conditions indicative of an Anticipated Transient Without Scram (ATWS) special event and shall perform this function in a reliable manner.

9.3 Power Generation Objective The objective of the recirculation flow control system is to control reactor power level, over a limited range, by controlling the flow rate of the reactor recirculation water during planned operation.

9.4 Power Generation Design Basis

1. The recirculation flow control system shall be designed to allow variation of the recirculation flow rate.
2. The recirculation flow control system shall be designed to allow manual recirculation flow adjustment, so that control of reactor power level is possible.

9.5 Description 9.5.1 General Reactor recirculation flow is changed by adjusting the speed of the two reactor recirculation pumps. The recirculation flow control system controls the power supplies to the recirculation pump motors. By adjusting the frequency of the electrical power supplied to the recirculation pump motors, the recirculation flow control system can affect changes in reactor power level from approximately 75% to 100% of rated power.

An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core.

The additional neutron moderation increases the reactivity of the core, which causes the reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner.

VII-9-1 04/22/02

USAR USAR Figure VII-9-1 illustrates how the recirculation flow control system operates in manual mode.

Each recirculation pump motor has its own motor-generator (M-G) set for a power supply. A variable speed converter is provided between the M-G set motor and generator. To change the speed of the reactor recirculation pump, the variable speed converter varies the generator speed which changes the frequency and magnitude of the voltage supplied to the pump motor to give the desired pump speed. The recirculation flow control system uses a demand signal set by the operator. A signal from each recirculation flow controller adjusts the speed setting of each M-G set converter. General Electric Drawing 729E727BB, Sheets 1, 2, and 3, show the recirculation loop valve functional control logic.

The recirculation flow controller signal adjusts each M-G set variable speed converter. The recirculation flow controller signal causes adjustment of the speed converter, resulting in change of the generator speed.

The reactor power change resulting from the change in recirculation flow causes the initial pressure regulator to reposition the turbine control valves.

9.5.2 Motor-Generator Set Each M-G set supplies power to its associated reactor recirculation pump motor. Each of the two M-G sets and its controls are identical; therefore, only one description is given of the M-G set. General Electric Drawing 729E174BB, Sheet 1, shows the general arrangement and rating of the M-G set. The M-G set can continuously supply power to the pump motor at any speed between approximately 19% and 96% of drive motor speed. The M-G set is capable of starting the pump and accelerating it from a standstill to the desired operating speed when the pump motor thrust bearing is fully loaded by reactor pressure acting on the pump shaft.

The M-G set is located in the reactor building. Its main components are a driven motor, a generator, and a variable speed converter with an actuation device to adjust the converter speed.

Drive Motor The drive motor is an AC induction motor which drives the input shaft of the variable speed converter. The motor can operate under electrical supply variations of+/- 5% of rated frequency and+/- 10% of rated voltage. The AC power for each drive motor is supplied from a different bus.

Generator The variable frequency generator is driven by the output shaft of the variable speed converter. During normal operation, the generator exciter is powered by the drive motor. The excitation of the generator is provided from an auxiliary source during pump startup.

Variable Speed Converter and Actuation Device The variable speed converter transfers power from the drive motor to the generator. The variable speed converter actuator automatically adjusts VII-9-2 04/22/02

USAR the slip between the converter input shaft and output shaft as a function of the signal from the speed controller. If the speed controller signal is lost, the actuator causes the speed converter slip to remain "as is". Manual reset of the actuation device is required to return the speed converter to normal operation.

9.5.3 Speed Control Components The speed control system (General Electric Drawing 730E197BB, Sheet 6B) controls the variable speed converters of both M-G sets. The M-G sets can be manually controlled individually. The control system components for each M-G set consist of a manual control station, which includes; controller, signal characterizer, signal failure function, startup signal function, and speed demand runback control functions.

Manual Control Station (one for each M-G set)

The manual control station is a digital controller that provides the speed demand signal which adjusts the M-G set variable speed converter.

Each manual control station is configured to provide manual control, output signal characterization, controller failure alarm with scoop tube lockout/reset logic, output rate of change limit and M-G set runback logic.

During pump startup the manual control station also provides the startup signal, and during low feedwater flow limits the speed demand.

To prevent erratic pump rpm display due to electrical noise, a high pass to ground filter has been added in the speed control system. [641 Characterizer (one for each M-G set)

The characterizer compensates for any inherent non-linearity in the signal to the M-G set variable speed converter. The characterizer block within the manual controller provides the characterized output signal.

Signal Failure Alarm (one for each M-G set)

If the signal to the M-G set variable speed converter drops below 10% normal control signal, the signal failure alarm actuates an alarm in the control room and acts to prevent any change of slip within the variable speed converter.

Startup Signal Function (one for each M-G set)

The startup signal function block supplies the signal to the speed controller during M-G set startup. This sets the M-G set variable speed converter for approximately 40% recirculation pump speed (as the M-G set is unloaded since its field breaker is open, the actual M-G set speed will be approximately 80%).

Speed Limiter (one for each M-G set)

The speed controller setpoint is automatically switched to the speed limiter if the recirculation pump main discharge valve is not fully open or the feedwater flow is less than 20% of rated flow. The speed controller signal will set the M-G set generator speed to approximately 22% rated speed. If the recirculation pump discharge valve is partly closed, the recirculation pump may overheat. If the feedwater flow is less than 20%

VII-9-3 04/22/02

USAR of rated flow, sufficient steam voids may be present in the recirculation water to cause cavitation in the recirculation pump or the jet pumps.

The Reactor Vessel Level Control System (RVLCS) provides a logic output to the speed controller to runback reactor recirculation pump speed when reactor power is greater than the capacity of the operating pumps in the Condensate and Feedwater system and certain other conditions are present. The limiter logic will operate to runback reactor recirculation pump speed until within the capacity of the operating pumps or the limit of 45% speed demand is reached. Once the runback signal clears, the limiter logic is automatically removed from the circuit; no operator action is required to manually reset the runback function. The RVLCS logic will block the runback when an RRMG scoop tube is locked out or the plant is operating in single loop mode. This logic enhances the system capability to avoid the "stability exclusion regionu of the "Power-to-Flow mapn.

9.5.4 System Operation

9. 5. 4 .1 Recirculation Loop Starting Sequence Each recirculation loop is independently put into operation by operating the controls of each recirculation loop as follows:
1. The starting sequence is manually initiated by placing the drive motor control switch for one M-G set in the start position. The drive motor breaker closes provided that:
a. The drive motor bus is near rated voltage (as verified by the operator).
b. The recirculation loop suction valve is fully open.
c. The recirculation loop discharge valve is fully closed.
d. The generator field breaker is open.
e. The fluid drive lube oil pressure has been established.
f. The reactor recirculation generator lockout relay and the generator auxiliary lockout relay are reset.
g. The reactor recirculation motor lockout relay is reset.
h. The reactor recirculation MG set ventilation is in operation.
i. The recirculation loop discharge valve jog select indicating lights (amber) are on if the other RR pump is running. [BSJ
2. The manual control station output signal is adjusted to give the desired generator speed ( typically 20% of rated speed) after the pump has started.
3. When the drive motor breaker is closed, the following event occurs automatically to position the variable speed converter for startup:
a. The signal from the manual control station is interrupted and replaced with the startup signal output.

VII-9-4 09/02/08

USAR

4. Once the variable speed converter has achieved its startup position the following events occur:
a. The auxiliary source of field excitation is engaged.
b. The generator field breaker is closed after a time delay.
5. Field breaker closure reverses condition 3.a and reverts control to the manual control station's full range of adjustment capability (see 2.).
6. After recirculation pump start is sensed, the generator is automatically transferred to self-excitation .
7. Recirculation flow is increased during startup by manually increasing recirculation pump speed.
9. 5. 4. 2 Recirculation Pump Trip (RPT) f 65 lr 1061 The function of the RPT system is to reduce the severity of the consequences of the unlikely occurrence of a failure to scram during an anticipated transient (ATWS event) . The RPT system trips the Reactor Recirculation pump early in the event on either high pressure or low water level (Level 2) in the reactor vessel.
1. The RPT system trip actuates on high pressure ( see Table VII-2-2 for Analytical Limit value), without delay, and causes a rapid core flow reduction, increasing void content, and thereby reduces reactivity.
2. The RPT system trip actuates on low water level (see Table VII-2-2 for Analytical Limit value) and is delayed for 9 seconds (delay required by the CNS ATWS event analysis to preserve ECCS analysis assumptions). The analyses of a LOCA and Main Steam Line break assume that the reactor recirculation pumps continue to add pumping energy to the water in the external recirculation loop during the pump coast down period which in turn increases the pumping action through the core ( USAR Section VI-5. 3 and USAR Section XIV-6.5). This inhibits void retention in the core and so promotes power production, which must be minimized. The Reactor Recirculation pump trip must be delayed so that the LOCA analysis credit for full inertia coast down is not impaired.

Pressure switches (NBI-PS-102A-D) are set to close on high reactor pressure, which is set higher than the reactor high pressure scram setting, and serve RPT and ARI. Switch #2 of the water level switches (NBI-LIS-57A, 57B, 58A, and 58B) is set to close on low reactor water level (level 2), which is lower than the low reactor water level scram settings and is used to initiate RPT and ARI. Switch #1 of the level switches is used to initiate MSIV closure (PCIS Group 1 Isolation).

There are two trip di visions, each with two separate channels.

Each di vision is powered by a separate critical DC bus. A signal from both switches in any one channel (i.e., NBI-LIS-57A and 58A, or 57B and 58B, or NBI-PS-102A and 102C, or 102B and 102D) will trip both Reactor Recirculation pumps (see Figure VII-9-4). All cable involved is separated from the RPS cables since RPS cables are routed through rigid galvanized steel conduit (Reference USAR Section VII.2.3.10).

VII-9-5 03/16/05

USAR The racks holding the components are located on opposite sides of the reactor containment. All components are of protection system quality.

This equipment is designed to perform its function in a reliable manner.

Separation criteria meets IEEE 384-1974.

RPT is discussed further in USAR Sections IV-3 and XIV-5.5.2, ARI I in USAR Section III-5.5, and both ARI and RPT in USAR Section XIV-5.9.3.

9.6 Safety Evaluation The recirculation flow control system is designed so that coupling is maintained between an M-G set drive motor and its generator even if the AC power or a speed controller signal fails. This assures that the drive motor inertia contributes to power supplied to the Reactor Recirculation pump during the coastdown of the M-G set after loss of AC power and that the generator continues to be driven if the speed controller signal is lost.

As described in USAR Chapter XIV, transient analyses show that no malfunction in the recirculation flow control system can cause a transient sufficient to damage the fuel barrier or exceed the nuclear system pressure limits, as required by the safety design basis.

9.7 Inspection and Testing The M-G set, and manual speed controller with characterizer are functioning during normal operation. Any abnormal operation of these components can be detected during operation. The components which do not continually function during normal operation can be tested and inspected for calibration and operability during scheduled plant shutdowns. Also, system surveillances are performed in accordance with the Technical Specifications.

VII-9-6 08/06/03

10.0 FEEDWATER CONTROL SYSTEM 10.1 Power Generation Objective The objective of the feedwater control system is to maintain a pre-established water level in the reactor vessel during planned operation.

10.2 Power Generation Design Bases The feedwater control system shall regulate the feedwater flow so that the proper water level in the reactor vessel is maintained according to the requirements of the steam separators over the entire operating range of the reactor.

The feedwater control system shall protect the Main Turbine and steam piping from a reactor vessel overfill event.

The feedwater flow shall also provide sufficient subcooled water to the reactor vessel during power operation to maintain normal operating temperatures.

10.3 Description The feedwater control system, during planned operation, automatically regulates feedwater flow into the reactor vessel. The system is capable of being manually operated.

The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel. During automatic operation, these three measurements are used for controlling feedwater flow (see General Electric Drawing 791E257, Sheets 3 and 4).

The optimum reactor vessel water level range is determined by the requirements of the steam separators, which limit the water carryover with the steam going to the turbines and limit the steam carryunder with the water returning to the core. The water level in the reactor vessel is maintained within +/-2 inches of the optimum level during normal power operation. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow regulation is achieved by adjusting the reactor feed pump turbine control valves or, when in service, adjusting the feedwater startup bypass control valves to deliver the required feedwater flow to the reactor vessel.

During a reactor vessel overfill event, the feedwater control system causes the Main Turbine and the feedwater pump turbines to trip on high RPV water level (Level 8).

10.3.1 Reactor Vessel Water Level Measurement [661 The f eedwa ter level controller receives input from three narrow range reactor water level sensing channels (A, B, and C), as well as one wide range channel (D). Each channel has a differential pressure transmitter which is installed on differential pressure taps that serve other systems (see USAR Section VII-8). The level control system uses these four inputs to calculate average and median water level from all valid inputs. The average and median levels are used as part of the input validation process, which checks for signal failure, maintenance bypass, and instrument drift.

The reactor vessel overfill protection instrumentation receives input from three narrow range level sensing channels described above.

VII-10-1 09/02/08

The three narrow range differential pressure transmitters provide level signals for indication in the main control room. The controlling water level signal is recorded in the main control room.

10.3.2 Steam Flow Measurement [66 l The steam flow is measured across each main steam line flow restrictor by a differential pressure transmitter. The steam flow transmitters linearize the measured differential pressure to produce a mass flow rate signal.

The steam flow rate from each main steam line is indicated in the main control room. The steam flow signals are density compensated and used to produce a total steam flow signal for indication and feedwater flow control.

The total steam flow is recorded in the main control room.

10.3.3 Feedwater Flow Measurement [67 l A flow element in each feedwater line is provided for flow measurement. The pressure difference across the flow element is sensed by a differential pressure transmitter. The feedwater transmitters then linearize the measured differential pressure to produce a mass flow rate signal.

The feedwater control system density compensates the feedwater mass flow signals using feedwater temperature inputs, and produces a total feedwater flow signal for indication and feedwater flow control. The total feedwater flow is recorded in the main control room.

An additional highly accurate ultrasonic flow instrumentation system has been installed to allow operation at an increased rated thermal power (2419 MWt). [l 4 ll 10.3.4 Feedwater Control Signal The feedwater control signal adjusts the RFP turbine control system. The components which are manually operated or automatically function to produce the feedwater control signal are the following:

Three-Element Level Control During automatic operation of the feedwater control system, the three-element controller output is the feedwater pump speed demand signal.

During manual operation the level controller output signal tracks the speed of the inservice feedwater pumps to allow bumpless transfer.

The three-element controller receives the calculated reactor vessel water level described in Section 10. 3 .1, the calculated steam flow described in Section 10. 3. 2, and the calculated feedwater flow described in Section 10.3.3. The output from the level control block resulting from comparison of the setpoint to the signal representing reactor vessel water level, is passed to the flow control block. There it is added to the steam flow signal and supplied to the flow control block as setpoint, where the difference between setpoint and feedwater flow drives the feedwater control signal so that the reactor vessel water level meets the setpoint requirement.

Single-Element Level Control During periods when steam or feedwater flow values are not available, or at low power where three-element control is not required, the system may be operated in single-element mode. Single-element control block operation is identical to the level control section of the three-element VII-10-2 09/02/08

controller, except the output is scaled to directly generate a feedwater control signal.

Operator Control Stations The Operator Control Stations are digital human-machine interface (HMI) and display units. Each HMI is a panel-mount computer running WonderWare graphical interface software. These HMI provide other devices in the feedwater system. Using these HMI, the Operator can initiate changes in system and input operating modes, review system alarms, and monitor overall system status.

10.3.4.1 Automatic Operation The ability of the feedwater control system to maintain reactor vessel water level within a small margin of optimum water level during plant load changes is accomplished by the three-element control signal.

The three-element feedwater control signal provides anticipatory action during load changes by using steam and feedwater flow signals to determine if level is increasing or decreasing. If steam flow is greater than feedwater flow, the flow control block output is increased from its normal value when steam and feedwater flows are equal. The reverse is also true. This flow control block input is fed by the level control block, which receives the reactor vessel water level signal. The addition of the reactor vessel water level control block output to the feedwater flow block setpoint results in the three-element control. Both the level control and feedwater flow control blocks use proportional and integral control, with tuning parameters derived from adaptive gain logic to optimize response based on plant power level, feed pump turbine motive steam pressure, and the number of feed pumps in operation.

If the system detects conditions are not met to support three-element control, it will automatically transfer to single-element control. The single-element control block also uses proportional and integral control, with adaptive tuning parameters.

The single and three-element control blocks are configured to track the feedwater control signal and back-calculate values when out of service so that transfer is bumpless when placed in service.

10.3.4.2 Optional Operating Modes Optional methods of feedwater control system operation are available, but are not normally used during high power operation of the reactor. A single-element signal (reactor vessel water level) can be used to replace the three-element control signal to the feed pump turbines. At high power level when steam flow and feedwater flow signals are large, anticipatory action is effective. At low loads (0-10%), single-element control is recommended since steam flow measurement signal-to-noise ratio is prohibitive and it has no useful anticipatory action. Feed pump turbine speed setpoint can be manually adjusted to obtain full range speed control of each of the RFP turbines for startup and overspeed trip testing.

The startup bypass valves can be automatically or remote manually controlled from the HMI, and are used during low flow demand conditions such as startup and shutdown. Feed pump turbine speed setpoint can be automatically or manually controlled to maintain the startup bypass valves in their control range.

VII-10-3 09/02/08

10.3.5 Reactor Feed Pump Control During normal power operation feedwater is delivered to the reactor vessel through two reactor feed pumps in parallel. However, for sustained operation below 600 megawatts, only one feed pump may be operated. [691 The feedwater pumps are powered by steam driven turbines.

The f eedwater control signal is fed to the RFP turbine speed controllers. Both RFP turbines are normally operated in parallel in response to the feedwater control signal. Control of the reactor feed pump turbine speed is provided by a Triconex speed control system. Demand for a turbine speed change comes from the three-element feedwater control system furnished by Triconex. For periods of minimal or no feedwater demand, the feed pumps are operated in a minimum flow condition by bypassing feedwater via modulating minimum flow control valves to the condenser. Normal flow control is from a digital speed demand signal from the feedwater control system via redundant network connections. A Turbine Driven Reactor Feedwater Pump (TDRFP) systems loss of control signal results in diagnostic transfer of the RFP turbine speed control to manual mode at the existing speed setpoint (manual demand tracks auto demand) .

Redundant current operated trip relays, connected to each narrow range reactor level channel, are provided for tripping of the main and RFP turbines in the event of high reactor water level. Runout protection is not required because the decaying reactor pressure results in loss of motive power for the steam turbine drive reactor feedwater pumps. USAR Section XI-8.0 discusses the reactor feedwater turbine and pump in more detail.

The switches and controllers that provide for normal manual or automatic control are located in the control room. The HMI are also located in the control room.

10.3.6 Reactor Overfill Protection In Generic Letter 89-19, the NRC stated that BWR plants should provide automatic reactor vessel overfill protection due to feedwater control system failures at power. The CNS design provides for a non-essential overfill protection system initiated on a high reactor water level signal (Level 8) .

Three separate reactor water level channels are arranged in a 2-out-of-3 logic which trip the feedwater pump turbines and the Main Turbine. While some of the components in the overfill protection channels share a common power supply with the feedwater control system, no single power supply failure will cause the loss of both the feedwater control system and the reactor overfill protection function. The 2-out-of-3 initiating logic provides inherent protection against inadvertent or spurious actuations. The actuation setpoint is low enough to prevent gross moisture carryover to the Main Turbine, while providing sufficient margin above normal reactor water level to prevent spurious turbine trips. Accordingly, adequate protection is provided against a reactor vessel overfill event, as described in Generic Letter 89-19. See also USAR Section XIV-5.8.1 and Appendix G, Section G-5.3, Event 32).

10.4 Inspection and Testing All feedwater flow control system components can be tested and inspected according to manufacturers' recommendations. This can be done prior to or during plant operation and during scheduled shutdowns. Reactor vessel water level indications can be compared during normal operation to detect instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect inconsistencies in their signals. The level control system can be tested while reactor level is being VII-10-4 09/02/08

controlled by adjusting feed pump turbine speed setpoints in manual from the HMI.

The Triconex programmable logic controllers used for Vessel Level and Feed Pump Turbine Control employ Triple Modular Redundant ( TMR) architecture with two full capacity power supplies. Because of this design, system failures will generally affect only a single leg of a TMR card, or one of two power sources, and will have no effect on the associated system operation. System logic was designed to validate signal inputs and remove failed inputs from control.

The CNS Technical Specifications provide the testing requirements of the reactor vessel overfill protection feature (i.e., the feedwater pump turbine and Main Turbine high RPV water level trip function).

VII-10-5 09/02/08

USAR

11. 0 PRESSURE REGULATOR AND TURBINE-GENERATOR CONTROL 11.1 Power Generation Objective The power generation objectives are: (a) to maintain the nuclear steam at an essentially constant pressure, so that pressure induced core reactivity changes are controlled, (b) to provide turbine-gen erator speed-load controls for startup and operation of turbine-gen erator unit, and (c) to limit turbine overspeed.
11. 2 Power Generation Design Basis The power generation design basis of the compound control mechanism shall be to generate coordinated positioning signals for the control, intercept, and bypass valves in order to control reactor pressure and turbine load (or speed during startup, shutdown, and emergency conditions) .
11. 3 Description
11. 3 .1 Normal Control Operations The reactor steam is admitted to the high pressure turbine section through two main stop valve and governor valve assemblies. After expansion through the high-pressu re turbine section, steam flows to moisture separators and returns to the low-pressur e turbine section by passing through four sets of combined intermediat e valves ( interceptor valves and reheat stop valves combined into one assembly). After expansion through the low-pressur e turbine section, the steam is discharged into the condenser.

A bypass system is provided to allow reactor steam to be bypassed to the condenser whenever the turbine cannot absorb all the generated steam.

The normal input signals to the Digital Electro-Hyd raulic (DEH)

Control System are:

Throttle header pressure setpoint (operator selected)

Throttle header pressure Load or speed setpoint (operator selected)

Turbine speed Governor valves position Bypass valves position Generator load The normal output signals shall be:

Governor valve position signal Bypass valve position signal ( allowing up to 25% of rated main steam flow to be bypassed)

Normal operation of the DEH Control System is accomplishe d by the integrated electro-hyd raulic operation of the following functional units:

Speed-load control unit Pressure control unit VII-11-1 12/15/11

USAR These combined functional units modulate the position of the governor and bypass valves. The descriptions of these units are as follows:

1. Speed-Load Control Unit During turbine startup, the turbine is under control of the electro-hydraulic (EH) speed control loop until the main generator breaker is closed. Upon closing of the main generator breaker the turbine control is indexed from a load demand signal from the DEH Control System. Steam flow is gradually transferred from the bypass system to the turbines. The load indexing process continues until the pressure control system causes the bypass valves to be fully closed. Operation in the above mode is limited to the range of the bypass capacity unless the reactor is manually adjusted to a new load.
2. Pressure Control Unit The pressure control system consists of three processors to form the control pressure control loop. Control is provided from O psig to 1050 psig at a preselected rate by the operator. During startup, reactor pressure is controlled by modulation of the bypass valves from the pressure controller. The main turbine governor and the bypass valves can be operated in automatic or manual control.

11.3.2 Turbine Protective Devices The protective devices will trip the turbine control system in order to protect the turbine and the plant under abnormal conditions. The devices used are:

1. The electrical overspeed trip which trips the main stop, reheat stop, governor and interceptor valves. The electrical trip is performed by two independent systems, Main Turbine Trip Tr icon System and DEH Control System. (See USAR Section 11. 3. 3 for further discussion).
2. The turbine master trip which trips the main stop, reheat stop, governor and interceptor valves on an operator's signal or as a result of protective circuitry action.
3. The first vacuum trip which trips the main stop, reheat stop, governor and interceptor valves on 18-22 inches Hg vacuum.
4. The second vacuum trip which trips the bypass valves on about 7 inches Hg vacuum.
5. The motoring protection circuit which trips the generator circuit breakers following a time delay if the differential pressure between the inlet and exhaust of the high pressure turbine decreases to a I predetermined level.
6. The hydraulic thrust bearing wear detector which upon excessive wear of either one of the thrust plates will trip the main stop, reheat stop, governor and interceptor valves (three pressure transmitters for two out of three logic).
7. The nuclear boiler high water level trip and swi tchyard malfunction trip will also trip the main stop, reheat stop, governor and interceptor valves (see USAR Section VII-10).
8. The main turbine will trip on low Emergency Stop Valve Trip Header Pressure which will trip the main stop, reheat stop, governor and interceptor valves (three pressure transmitters for two out of three logic).

VII-11-2 11/29/16

USAR

9. The main turbine will trip on low bearing oil pressure which will trip the main stop, reheat stop, governor and interceptor valves (three pressure transmitters for two out of three logic).

11.3.3 Overspeed Protection The following is a summary of the equipment and devices inherent in the overspeed protection system operation: [7 0J

1. Separate stop and governor valves. This provides complete redundancy in the main steam inlet lines.
2. Separate reheat stop and interceptor valves. This provides complete redundancy between the moisture separator and the low pressure turbine inlets.
3. The DEH control system includes three (3) separate speed sensors mounted on the turbine stub shaft located in the turbine front pedestal to perform the following:
a. Electro-magnetic pickup for main speed governor control.
b. Electro-magnetic pickup for over speed protective controller. This pickup uses the same toothed wheel as item 3.a above.
4. The Main Turbine Trip System includes three ( 3) separate speed sensors mounted on the turbine stub shaft located in the turbine front pedestal to provide overspeed protective trip function.

11.3.3.1 Valve Operations The signals which act upon each of the main steam valves should the turbine speed exceed 1800 RPM are as follows: [7 0J

1. Stop valves and reheat stop valves To prevent the turbine from exceeding approximately 111% of rated speed, these valves will be tripped closed by both (a) DEH Control System electrical overspeed protection actuating at approximately 106% of rated speed, and (b) the Main Turbine Trip Tricon System electrical trip set at approximately 106% of rated speed.
2. Main governor valves When the circuit breaker opens, the main speed channel calls for rated speed. Thus, when the unit exceeds rated speed with the circuit breaker open, the DEH speed control logic calls for closing of the governor valves.

The over speed protective controller ( OPC) calls for fully closed governor valves at 103% of rated speed.

To prevent the turbine from exceeding approximately 111% of rated speed, the governor valves are tripped closed by both (a) the Control Tricon system overspeed protection and (b) the Main Turbine Trip Tricon electrical overspeed trip.

VII-11-3 12/15/11

USAR

3. Interceptor valves The over speed protective controller ( OPC) calls for fully closed interceptor valves at 103% of rated speed.

To prevent the turbine from exceeding approximately 111% of rated speed, the interceptor valves are tripped closed by both (a) the Control Tricon system overspeed protection and (b) the Main Turbine Trip Tricon electrical overspeed trip.

The overspeed protection system is not considered to be an engineered safety type, therefore it is not required to meet the requirements of IEEE-279.

11. 4 Power Generation Evaluation The throttle header pressure regulator and turbine-generator control system design is such that it provides a stable control response to normal load fluctuations.

The main turbine bypass valves are capable of responding to the maximum closure rate of the turbine admission valves such that reactor steam flow is not significantly affected until the magnitude of the load rejection exceeds the capacity of the bypass valves (25% of full load flow). Load rejections in excess of bypass valve capacity can cause the reactor to scram due to high pressure. Any condition causing the turbine stop valves to close will directly initiate a scram before reactor pressure or neutron flux has risen to the trip level. For a discussion of the turbine stop valve closure and control valve fast closure scram signals, see USAR Section VII-2, Reactor Protection System.

The throttle header pressure regulator and turbine-generator control system can fail in such a manner as to cause the control and bypass valves to fail either open or closed. Refer to USAR Chapter XIV, Station Safety Analysis, for the transient analysis.

11. 5 Inspection and Testing 11.5.1 Turbine-Generator Supervisory Instruments Although the turbine is not readily accessible during operation, the turbine supervisory instrumentation is sufficient to detect any potential mal-operation. The turbine supervisory instrumentation includes monitoring of the following variables:

Vibration and Eccentricity Thrust Bearing Wear Exhaust Hood Temperature and Spray Pressure Oil System Pressures, Levels, and Temperatures Bearing Metal and Drain Temperatures Shell Temperatures Valve Positions Shell and Rotor Differential Expansion Shaft Speed, Electrical Load, and Control Valve Inlet Pressure Indication Hydrogen Temperature, Pressure, and Purity Stator Winding Temperature Alternator Air Coolant Temperature Steam Seal Pressure Steam Chest Pressure Seal Oil Pressure VII-11-4 12/15/11

USAR

11. 5. 2 Testing Provisions The following is a summary of the tests which can be performed to verify the operation of the overspeed protection system: [7 0J
1. Test performed while unit is on turning gear
a. Stop, interceptor and reheat stop valves closing capabilities can be checked from the trip solenoid.
2. Test performed while unit is on speed control
a. Stop, interceptor and reheat stop valves closing capabilities can be checked from the trip solenoid.
b. Check of the overspeed trip protection can be tested from the DEH panel.
3. Test that could be performed while unit is on line
a. Stop, governor, interceptor, and reheat stop valves can be tested.

11.5.3 Inspection Provisions Operational test of the overspeed trip protection is performed during refueling outage once per cycle (testing is performed at operating speed) .

VII-11-5 12/15/11

USAR 12.0 PROCESS RADIATION MONITORING A number of radiation monitors and monitoring systems are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials. The monitors include the following:

Main Steam Line Radiation Monitoring System Air Ejector Off-Gas Radiation Monitoring System Process Liquid Radiation Monitors Reactor Building Isolation Ventilation Radiation Monitoring System Elevated Release Point Radiation Monitoring System Radwaste/Augmented Radwaste Building Ventilation Radiation Monitoring System Multi-Purpose Facility Building Ventilation Monitoring System Turbine Building Ventilation Radiation Monitoring System Reactor Building Ventilation Radiation Monitoring System These systems are described individually in this Section.

The Drywell Ventilation Monitoring System is discussed in USAR Section X-10.

12.1 Main Steam Line Radiation Monitoring System

12. 1. 1 Safety Objective The objective of the Main Steam Line Radiation Monitoring System (MSLRM) is to monitor for the gross release of fission products from the fuel and, upon indication of such failure, to initiate appropriate action to limit fuel damage and contain the released fission products.
12. 1. 2 Safety Design Basis
1. The MSLRM System shall be designed to give prompt indication of a gross release of fission products from the fuel.
2. The MSLRM System shall be capable of detecting a gross release of fission products from the fuel under any anticipated operating combination of main steam lines.
3. Upon detection of a gross release of fission products from the fuel, the MSLRM System shall initiate action to minimize unfiltered release of the fission products to the environment.
12. 1. 3 Description The MSLRM System consists of four gamma detectors mounted in the steam tunnel immediately downstream of the outboard isolation valves such that each detector views all of the steam lines with approximately the same response. The monitors indicate instantaneous radiation level on the front panel displays located in the Main Control Room on panel 9-10 and share a multi-channel recorder in the Main Control Room on panel 9-2. The range of the instrument is 1 to 10E6 mR/hr. [7ll When a significant increase in the main steam line radiation level is detected, trip signals are transmitted to the Primary Containment Isolation System ( PCIS) and to the Off-Gas System. Upon receipt of the high radiation trip signals, the PCIS initiates closure of the reactor water sample valves the mechanical vacuum pump is turned off, if running, and the mechanical vacuum pump inlet and outlet valves are shut. The closure of the sample VII-12-1 02/22/07

USAR valves, stopping the mechanical vacuum pump and closing the mechanical vacuum pump inlet and outlet valves effects containment of radioactive materials.

This meets safety design basis No. 3.

The radiation trip setting is selected so that a high radiation trip results from the fission products released in the design basis rod drop accident. The setting is selected high enough above the background radiation level in the vicinity of the main steam lines that spurious trips are avoided at rated power. The setting is low enough that the monitors can respond to the fission products released during the design basis rod drop accident, which occurs at a low steam flow condition. [lOB, 109 J The ratio of the true dose rate to the indicated dose rate over the design range of environmental conditions listed in USAR Table VII-12-2 will be within 0.5 to 2.0.

Four instrumentation channels are used to provide a resistance to inadvertent reactor water sample line isolation and mechanical vacuum pump trips as a result of instrumentation malfunctions. The output trip signals of each monitoring channel are combined in such a way that at least two channels must signal high radiation to initiate an isolation. Thus, failure of any one monitoring channel does not result in inadvertent action.

Each monitoring channel consists of a gamma sensitive ion chamber and a log radiation monitor, as shown in General Electric Drawing 719E479BB.

Capabilities of the monitoring channel are listed in USAR Table VII-12-1. Each log radiation monitor has four trip circuits. One trip circuit comprises the upscale trip setting that is used to initiate an isolation, while the other upscale trip setting is lower and is used to generate an alarm in the Main Control Room before an isolation is affected. If the monitor becomes disabled, whether by operator action or a failure of a monitor subcomponent, an 'inop' trip is generated which can also initiate an isolation. The fourth trip circuit is a downscale trip that actuates an instrument trouble alarm in the Main Control Room. The output from each log radiation monitor is indicated on a six decade display in the Main Control Room.

A multi-channel four monitoring channels.

recorder is used to record the outputs of the I The trip circuits for each monitoring channel operate normally energized, so that failures in which power to monitoring components is interrupted result in a trip signal. The environmental capabilities of the components of each monitoring channel are selected in consideration of the locations in which the components are to be placed.

12. 1. 4 Safety Evaluation The system is capable of initiating safety action at the level of fuel damage resulting from the design basis rod drop accident. In USAR Chapter XIV, "Station Safety Analysis," it is shown that the amount of fuel damage and fission product release involved in this accident are relatively small. It can be concluded that for any situation involving gross fission product release, the MSLRM is capable of providing prompt safety action.
12. 1. 5 Inspection and Testing A built-in, adjustable current source is provided for test purposes with each log radiation monitor. Routine verification of the operability of each monitoring channel can be made by comparing the outputs of the channels during power operation.

VII-12-2 07/01/04

USAR TABLE VII-12-1 PROCESS RADIATION MONITORING SYSTEMS CHARACTERISTICS Instrument Instrument Upscale Downscale Instrument Instrument Trips per Trips per Monitoring System Range* Scale Channel*** Channel***

Main Stearn Line 1-10E6 rnR/hr 6 Decade log 2 1 Air Ejector 1-10E6 rnR/hr 6 Decade log 2 1 Off-Gas Liquid Process SW lE-7 to lE-2 Digital 1 1

µCi/cc Readout Liquid Process l0E-1 to 10E6 7 Decade log 1 1 REC counts/second**

Liquid Process RW l0E-6 to 5 Decade log 1 1 l0E-1 µCi/ml Reactor Building 0.1 rnR/hr to 4 Decade log 1 1 Isolation 10E3 rnR/hr Ventilation Radiation Monitoring System Elevated Release Noble Gas l0E-7 Digital 2 1 Point to 10E5 µCi/ml Readout Radwaste/Augrnented Noble Gas l0E-7 Digital 2 1 Radwaste Building to 10E5 µCi/ml Readout Ventilation Radiation Monitoring System Multi-Purpose N/A N/A N/A N/A Facility Building Ventilation Monitoring System****

Turbine Building Noble Gas l0E-7 Digital 2 1 Ventilation to 10E5 µCi/ml Readout Radiation Monitoring System Reactor Building Noble Gas l0E-7 Digital 2 1 Ventilation to l0E-1 µCi/ml Readout Radiation Monitoring System

  • Range of measurements is dependent on items such as the source geometry, background radiation, shielding, energy levels, and method of sampling.
    • Readout is dependent upon the pulse height discriminator setting.
      • Instrument Channel trips may provide alarm and/or protective action.
        • Monitoring consists of sample filter capture for particulates and iodines.

VII-12-3 02/22/07

USAR 12.2 Air Ejector Off-Gas Radiation Monitoring System 12.2.1 Safety Objective The objectives of the Air Ejector Off-Gas Radiation Monitoring System are to indicate when limits for the release of radioactive material to the environs are approached and to effect appropriate control of the offgas so that the limits are not exceeded.

12.2.2 Safety Design Basis

1. The Air Ejector Off-Gas Radiation Monitoring System shall provide an alarm to operations personnel whenever the radioactivity level of the Air Ejector Off-Gas reaches short-term limits.
2. The Air Ejector Off-Gas Radiation Monitoring System shall provide a continuous record of the radioactivity released via the Air Ejector Off-Gas line.
3. The Air Ejector Off-Gas Radiation Monitoring System shall initiate appropriate action in time to prevent exceeding short-term limits on the release of radioactive materials to the environs as a result of releasing the radioactivity contained in the Air Ejector Off-Gas.

12.2.3 Description The Air Ejector Off-Gas Radiation Monitoring System is shown in General Electric Drawing 719E4 7 9BB, and system specifications are given in USAR Table VII-12-1. The system has two instrumentation channels, each with a gamma-sensitive detector, a logarithmic radiation monitor that includes a power supply and a panel display, and a multi-channel recorder point. The range of each detector is 1 to 10E6 mR/h. [7 ll The monitors and the recorder are located in the Main Control Room. Each logarithmic radiation monitor is powered from a different bus of the Reactor Protection System (RPS).

Each monitor has upscale high, upscale high-high, downscale, and inop trips. A high-high or downscale or inop trip occurring in one of the two channels and a high-high or downscale or inop trip occurring in the other channel, will initiate the Off-Gas timer and a Main Control Room annunciator will activate. The timer will initiate an Off-Gas Isolation. Any one high, downscale or inop trip will give an alarm in the Main Control Room. The time delay switch is adjustable from Oto 15 minutes and resets automatically when the activity level drops below the setpoint.

The time delay is permitted because of the length of time the gas takes to travel from the sample point to the shutoff valve. The time delay allows the reactor operator to reduce power or to correct for a spurious trip condition before the shutoff valve is closed.

The two gamma-sensitive ion chambers are positioned adjacent to a vertical sample chamber which is internally polished to minimize plateout. A sample is drawn from the Off-Gas line through the sample chamber by the main condenser suction. The sample system is arranged to give a two minute time delay before the sample is monitored.

The time delay allows nitrogen-16 and oxygen-19 activity to decay.

This reduces the background radiation that the detector would otherwise measure.

VII-12-4 07/01/04

USAR The Air Ejector Off Gas Radiation Monitor is capable of detecting small fuel cladding failures by monitoring the Air Ejector Off-Gas radiation level. l 79 l The environmental and power supply design conditions are given in USAR Table VII-12-2.

12.2.4 Safety Evaluation The Air Ejector Off-Gas Radiation Monitors have been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity in the Air Ejector Off-Gas. The system provides the operator with enough information to easily control the activity release rate. Because the system is not essential to any transients or accidents, no redundancy is required, al though sufficient redundancy is provided to allow maintenance on one channel without losing the indications provided by the system.

12.2.5 Inspection and Testing Each channel can be calibrated using the off-gas sampling system.

The Air Ejector Off-Gas Radiation Monitoring System is in scope for License Renewal per 10 CFR 54.4(a) (2) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity (see USAR Section K-2.1.2) and Periodic Surveillance and Preventive Maintenance (see USAR Section K-2.1.31). There are no Time-Limited Aging Analyses that are applicable.

12.3 Process Liquid Radiation Monitors 12.3.1 Safety Objective On process liquid streams that normally discharge to the environs, Process Liquid Radiation Monitors are provided to indicate when operational limits for the normal release of radioactive material to the environs are exceeded.

12.3.2 Safety Design Basis Process Liquid Radiation Monitors located in streams that normally discharge to the environs shall provide a clear indication to operations personnel whenever the radioactivity level in the stream reaches or exceeds pre-established operational limits for the discharge with appropriate dilution of radioactive material to the environs.

12.3.3 Power Generation Objective On certain process streams that do not discharge to the environs, process liquid radiation monitors are provided to indicate process system malfunctions by detecting the accumulation of radioactive material in a normally uncontaminated system.

12.3.4 Power Generation Design Basis Process Liquid Radiation Monitors located in streams that do not discharge to the environs shall provide a clear indication to operations personnel whenever the radioactivity level in the stream reaches or exceeds a pre-established limit above the normal radiation level of the stream.

12.3.5 Description 12.3.5.1 Service Water (SW) and the Reactor Equipment Cooling (REC) System Process Liquid Radiation Monitors The SW and the REC System Process Liquid Radiation Monitors are shown in General Electric Drawing 719E4 7 9BB, and system specifications are given in USAR Table VII-12-1. Three individual channels are provided to monitor the radiation level of the SW effluent (2 channels) and the REC System effluent (1 channel).

VII-12-5 01/17/14

USAR TABLE VII-12-2 PROCESS RADIATION MONITORING SYSTEM ENVIRONMENTAL AND POWER SUPPLY DESIGN CONDITIONS Sensor Location Control Room Design Design Parameter Center Range Center Range Temperature 25°C 0°C to +60°C 25°C 50 to +50°C Relative 50% 20 to 98% 50% 20 to 90%

Humidity Power, AC 115 VAC +/- 10% 115 VAC +/- 10%

60 Hz 60 Hz

+/- 5% +/- 5%

Power, DC +24 VDC +22 to +29 VDC +24 VDC +22 to +29

-24 VDC -22 to -29 VDC -24 VDC VDC

-22 to -29 VDC VII-12-6 01/23/01

USAR The REC effluent channel consists of a scintillation detector, a process radiation monitor, a point on a common recorder and a shared trip auxiliary unit. The detector is located in a shielded sampler that is positioned on a section of the process liquid piping. The REC monitor and the recorder are located in the Main Control Room.

The REC effluent channel has an upscale alarm to indicate high radiation level and a downscale alarm to indicate instrument trouble. The SW effluent channels have an upscale alarm to indicate high radiation level and an inoperable alarm to indicate instrument trouble. Neither the SW or REC effluent channels perform a control function.

The SW channels consist of two scintillation detectors, two local processing units, two remote display units, and two points on a common multi-channel recorder. The SW detectors are located in a monitoring well/casing that is positioned on a section of the process piping. The remote display uni ts and the shared recorder are all located in the Main Control Room.

Service Water is used to cool the REC System via heat exchangers.

An increase in the radiation level of the Service Water discharge may indicate that a leak into the system from a contaminated stream has occurred. The Service Water System also serves as the heat sink for the RHR in the shutdown cooling mode and the containment cooling mode. The water circulated through the heat exchangers by the RHR will be primary water or suppression pool water both of which have a significant activity level. Changes in the normal radiation level in the Service Water discharge could indicate leakage in the RHR heat exchangers.

The REC System is utilized to provide cooling for potentially contaminated areas such as the drywell atmosphere cooling coils, nonregenerati ve heat exchanger, recirculation pumps, Fuel Pool cooling heat exchangers, and various sample coolers. Changes in the normal radiation level could indicate leaks of radioactive water into the system.

The REC channel is connected to a 24 VDC power bus. ( See USAR Section VIII-7.) The SW channels are powered from both CCPlA and NBPP.

The environmental and power supply design conditions are given in USAR Table VII-12-2.

12.3.5.2 Radwaste Process Liquid Radiation Monitor The Radwaste Process Liquid Radiation Monitor system specifications are given in USAR Table VII-12-1. One channel is provided to monitor the Radwaste effluents during discharge to the environment via the Service Water effluent piping.

The Radwaste effluent channel consists of a scintillation detector, a liquid radiation monitor, and a recorder. The Radwaste effluent is monitored prior to discharge into the Service Water effluent piping. The monitor and the recorder are located in the Main Control Room.

The Radwaste effluent channel has an upscale trip for high radiation and an inop trip to indicate instrument trouble. The monitor is set to alarm in the Main Control Room and to automatically close the waste discharge valves prior to exceeding any 10CFR20 Appendix B limits. Another control action of this monitor is to open a recirculation valve to protect the floor drain sample pump.

The Radwaste channel is supplied from 120VAC power.

12.3.6 Safety Evaluation The Process Liquid Radiation Monitors for process liquid streams that normally discharge to the environs, possess radiation detection and monitoring characteristics sufficient to inform plant operations personnel whenever radiation levels in the discharges rise above preset limits.

VII-12-7 06/02/04

USAR 12.3.7 Inspection and Testing Alarm trip circuits are tested using test signals or portable gamma sources.

The Process Liquid Radiation Monitoring System is in scope for License Renewal per 10 CFR 54. 4 (a) (2) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity (see USAR Section K-2.1.2), External Surfaces Monitoring ( see USAR Section K-2. 1. 14), and Periodic Surveillance and Preventive Maintenance (see USAR Section K-2.1.31). There are no Time-Limited Aging Analyses that are applicable.

12.4 Reactor Building Isolation Ventilation Radiation Monitoring System 12.4.1 Safety Objective The objectives of the Reactor Building Isolation Ventilation Radiation Monitoring System are to indicate whenever abnormal amounts of radioactive material exist in the reactor building, and to effect appropriate action so that the release of radioactive material to the environs is controlled.

12.4.2 Safety Design Basis

1. The Reactor Building Isolation Ventilation Radiation Monitoring System shall provide a clear indication to operations personnel whenever abnormal amounts of radioactivity exist in the reactor building.
2. The Reactor Building Isolation Ventilation Radiation Monitoring System shall initiate appropriate action to control the release of radioactive material to the environs when abnormal amounts of radioactive material exist in the reactor building.

12.4.3 Description The Reactor Building Isolation Ventilation Radiation Monitoring System is shown in General Electric Drawing 719E479BB and system specifications are given in USAR Table VII-12-1. The system consists of four gamma detectors that are mounted such that they can monitor the radiation levels in the flow of gas through the reactor building plenum. While the Reactor Building Isolation Ventilation Radiation Monitoring System primary purpose is to isolate the reactor building and initiate the Standby Gas Treatment system on high radiation levels and initiate the Control Room Emergency Filtration System, each channel has an indicator in the Main Control Room. [7 ll A multi-channel recorder with a range of l0E-1 to 10E3 mR/hr, is used to record the outputs from the four monitoring channels.

Each channel has two trips. The upscale trip indicates high radiation, and the downscale trip indicates instrument trouble. In each division, if there is one upscale trip or two downscale trips, that division is tripped. If both divisions are tripped, a PCIS Group 6 isolation occurs (See USAR Table VII-3-6).

Power for this system is from the 115 VAC Reactor Protection System busses. Two 24 VDC power supplies are provided, one for each division, which supply both channels in that di vision. The environmental and power supply design conditions are given in USAR Table VII-12-2.

VII-12-8 01/17/14

USAR 12.4.4 Safety Evaluation The physical location and monitoring characteristics of the Reactor Building Isolation Ventilation Radiation Monitoring Channels are adequate to provide detection capability for abnormal amounts of radioactivity in the reactor building and initiate isolation. The redundancy and arrangement of channels is sufficient to ensure that no single active component failure can prevent isolation when required. During fuel handling operations (including criticality tests with the head off), the system acts as an engineered safeguard against the consequences of the Fuel Handling Accident.

The response of the Reactor Building Isolation Ventilation Radiation Monitoring System to the Fuel Handling Accident is presented in USAR Section XIV-6.4.

During planned operation other than refueling, the radiation monitoring system acts as a process safety system in monitoring the reactor building atmosphere for abnormal radioactivity resulting from nuclear system leakage.

12.4.5 Inspection and Testing The trip circuits are tested by using test signals or portable gamma sources.

12.5 Elevated Release Point Radiation Monitoring System 12.5.1 Safety Objective The objectives of the Elevated Release Point (ERP) Radiation Monitoring System are to indicate whenever limits on the release of radioactive material to the environs are reached or exceeded, and to indicate the rate of radioactive material release during planned operation.

12.5.2 Safety Design Basis

1. The ERP Radiation Monitoring System shall provide a clear indication to operations personnel whenever limits on the release of radioactive material to the environs are reached or exceeded.
2. The ERP Radiation Monitoring System shall indicate the rate of release of radioactive material from values above release rate limits down to the release rates normally encountered during high power operation.
3. The ERP Radiation Monitoring System shall record the rate of release of radioactive material to the environs, so that determination of the total amounts of activity released is possible.

12.5.3 Description The ERP Radiation Monitoring System specifications are shown in USAR Table VII-12-1. The system monitors the radiation level of the air discharged at a sample point located approximately one third of the way up the ERP stack. The system consists of a normal and a high range detector, a particulate and iodine collection assembly, a local and a remote (located in the Main Control Room) control and display unit, and a recorder. The system has the capability to monitor and record a range of l0E-7 to 10E5 µCi/ml (Xe-133 reference). Under normal operating conditions the normal range monitor is operating, and the high range monitor is in a standby mode. The high range monitor will automatically start when the normal range alarms or when the signal from the normal range monitor is lost.

VII-12-9 01/17/14

USAR The system has two upscale alarms and one equipment failure alarm in the Main Control Room, but performs no control function. The upscale alarms indicate high and high-high radiation, and the equipment failure alarm indicates instrument trouble. To monitor the ERP gas stream, the sample is drawn through the anisokinetic probe to assure representative sampling. The sample passes through a shielded chamber, where the radiation level is measured by detectors. The normal range monitor uses a gaseous monitoring chamber with a beta scintillation detector. The high range monitor uses a mid-range gas detector, a high range gas detector, and three particulate-iodine detectors.

To ensure that a representative sample is obtained for the ERP monitor, the sampling line between the ERP and the Off-Gas Filter Building is heat traced to minimize sample plate-out.

The particulate and iodine collection assembly uses filters in the sample stream, which are routinely analyzed to measure particulate and halogen radiation levels of up to 10E2 µCi/ml (I-131 reference).

The ERP Radiation Monitoring System is designed to meet the requirements of NUREG 0737 and Reg. Guide 1.97 regarding the measurements of Noble gas monitoring and the collection of particulates and halogens. The referenced ranges are l0E-7 to 10E5 µCi/ml for Xenon-133 equivalent and up to 10E2 µCi/cc for particulates and halogens.

12.5.4 Safety Evaluation The ERP Radiation Monitoring System has been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity being released to the environs via the Off-Gas vent. The system thus provides continuous surveillance of the activity released. Because the system is not required for any transients or accidents, no redundancy is required, although a backup means to take representative samples exists in the event of maintenance on the primary system.

12.5.5 Inspection and Testing Release rate indicators are calibrated using a portable radiation source, and calibration and testing is performed to verify monitor operability.

Each individual channel includes a purge line to purge the vent gas from the sampling chamber. The purge valve is operated from the Main Control Room.

The Elevated Release Point Radiation Monitoring System is in scope for License Renewal per 10 CFR 54 .4 (a) (2) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity (see USAR Section K-2.1.2), External Surfaces Monitoring (see USAR Section K-2.1.14), and Periodic Surveillance and Preventive Maintenance (see USAR Section K-2.1.31). There are no Time-Limited Aging Analyses that are applicable.

12.6 Radwaste/Augmented Radwaste Building Ventilation Radiation Monitoring System 12.6.1 Safety Objective The objective of the Radwaste/Augmented Radwaste Building Ventilation Radiation Monitoring System is to monitor gases exhausted from the Radwaste/Augmented Radwaste Buildings which share a common ventilation exhaust duct.

VII-12-10 12/09/19

USAR 12.6.2 Safety Design Basis

1. The Radwaste/Au gmented Radwaste Building Ventilation Radiation Monitoring System shall provide a continuous record of exhaust air flow and air activity.
2. The Radwaste/Au gmented Radwaste Building Ventilation Radiation Monitoring System shall alert operations personnel to abnormal air activity.

12.6.3 Description The Radwaste/Au gmented Radwaste Building Ventilation Radiation Monitoring System specificatio ns are shown in USAR Table VII-12-1. The system measures radioactivi ty level of the gases at a sample point located in the Radwaste/Au gmented Radwaste Building ventilation exhaust vent. The system consists of a normal and a high range detector, a particulate and iodine collection assembly, a local and a remote (located in the Main Control Room) control and display unit, and a recorder. The system has the capability to monitor and record a range of l0E-7 to 10E5 µCi/ml (Xe-133 reference). Under normal operating conditions the normal range monitor is operating, and the high range monitor is in a standby mode. The high range monitor will automatical ly start when the normal range alarms or when the signal from the normal range monitor is lost.

The system has two upscale alarms and one equipment failure alarm in the Main Control Room, but performs no control function. The upscale alarms indicate high and high-high radiation, and the equipment failure alarm indicates instrument trouble. To monitor the exhaust stream, the sample is drawn through the anisokineti c probe to assure representat ive sampling. The sample passes through a shielded chamber, where the radiation level is measured by detectors. The normal range monitor uses a gaseous monitoring chamber with a beta scintillatio n detector. The high range monitor uses a mid-range gas detector, a high range gas detector, and three particulate -iodine detectors.

The particulate and iodine collection assembly uses filters in the sample stream, which are routinely analyzed to measure particulate d and halogen radiation of up to 10E2 µCi/ml (I-131 reference).

The Radwaste/Au gmented Radwaste Building Ventilation Radiation Monitoring System is designed to meet the requirement s of NUREG 0737 and Reg.

Guide 1.97 regarding the measurement s of Noble gas monitoring and the collection of particulate s and halogens. The referenced ranges are l0E-7 to 10E5 µCi/ml for Xenon-133 equivalent and up to 10E2 µCi/ml for particulate s and halogens.

12.6.4 Safety Evaluation The Radwaste/Au gmented Radwaste Building Ventilation Radiation Monitoring System has been selected with monitoring characteris tics sufficient to provide plant operations personnel with accurate indication of abnormal air activity. The system thus provides continuous surveillanc e of the activity released. Because the system is not essential to any transients or accidents, no redundancy is required, al though a backup means to take representat ive samples exists in the event of maintenance on the primary system.

VII-12-11 01/17/14

USAR 12.6.5 Inspection and Testing Release rate indicators are calibrated using a portable radiation source, and calibration and testing is performed to verify operability.

The Radwaste/Augmented Radwaste Ventilation Radiation Monitoring System is in scope for License Renewal per 10 CFR 54. 4 (a) ( 2) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity ( see USAR Section K-2. 1. 2) , External Surfaces Monitoring (see USAR Section K-2.1.14), and Periodic Surveillance and Preventive Maintenance (see USAR Section K-2.1.31). There are no Time-Limited Aging Analyses that are applicable.

12.7 Turbine Building Ventilation Radiation Monitoring System 12.7.1 Safety Objective The objective of the Turbine Building Ventilation Radiation Monitoring System is to monitor gases exhausted from the Turbine Building.

12.7.2 Safety Design Basis

1. The Turbine Building Ventilation Radiation Monitoring System shall provide a continuous record to exhaust air flow and air activity.
2. The Turbine Building Ventilation Radiation Monitoring System shall alert operations personnel to abnormal air activity.

12.7.3 Description The Turbine Building Ventilation Radiation Monitoring System specifications are shown in USAR Table VII-12-1. The system measures radioactivity level of the gases sampled at four sample points located in the Turbine Building ventilation exhaust vents. The system consists of a normal and a high range detector, a particulate and iodine collection assembly, a local and a remote (located in the Main Control Room) control and display unit, and a recorder. The system has the capability to monitor and record a range of l0E-7 to 10E5 µCi/ml (Xe-133 reference). Under normal operating conditions the normal range monitor is operating, and the high range monitor is in a standby mode. The high range monitor will automatically start when the normal range alarms or when the signal from the normal range monitor is lost.

The system has two upscale alarms and one equipment failure alarm in the Main Control Room, but performs no control function. The upscale alarms indicate high and high-high radiation, and the equipment failure alarm indicates instrument trouble. To monitor the exhaust stream, the sample is drawn through an isokinetic probe to assure representative sampling. An isokinetic probe is located in each of the four Turbine Building exhaust vents. Each of the probe sample lines are provided with a root valve which is interlocked with the respective duct exhaust fan, so that monitoring of all of the exhaust path ( s) which may be in service is assured ( see Burns and Roe Drawing 2018). The sample passes through a shielded chamber, where the radiation level is measured by detectors. The normal range monitor uses a gaseous monitoring chamber with a beta scintillation detector. The high range monitor uses a mid-range gas detector, a high range gas detector, and three particulate-iodine detectors.

The particulate and iodine collection assembly uses filters in the sample stream, which are routinely analyzed to measure particulate and halogen radiation levels of up to l0E-2 µCi/ml (I-131 reference).

VII-12-12 12/09/19

USAR The Turbine Building Ventilation Radiation Monitoring System is designed to meet the requirements of NUREG 0737 and Reg. Guide 1.97 regarding the measurement of Noble gas monitoring and the collection of particulates and halogens. The referenced ranges are l0E-7 to 10E5 µCi/ml for Xenon-133 equivalent and up to l0E-2 µCi/cc for particulates and halogens.

12.7.4 Safety Evaluation The Turbine Building Ventilation Radiation Monitoring System has been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of abnormal air activity. The system thus provides continuous surveillance of the activity released. Because the system is not essential to any transients or accidents, no redundancy is required, although a backup means to take representative samples exists in the event of maintenance on the primary system.

12.7.5 Inspection and Testing Release rate indicators are calibrated using a portable radiation source, and calibration and testing is performed to verify monitor operability.

The Turbine Building Ventilation Radiation Monitoring System is in scope for License Renewal per 10 CFR 54. 4 (a) (2) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity (see USAR Section K-2.1.2), External Surfaces Monitoring ( see USAR Section K-2 .1.14), and Periodic Surveillance and Preventive Maintenance (see USAR Section K-2.1.31). There are no Time-Limited Aging Analyses that are applicable.

12.8 Multi-Purpose Facility Building Ventilation Monitoring Systeml 83 l 12.8.1 Safety Objective The objective of the Multi-Purpose Facility (MPF) Ventilation Monitoring System (VMS) is to monitor, via particulate and iodine sample, effluent air released from the MPF to atmosphere.

12.8.2 Safety Design Basis

1. The MPF VMS shall provide representative particulate and iodine samples of effluent released from the MPF to atmosphere.
2. The MPF VMS shall provide a continuous record of exhaust air flow.
3. The MPF VMS shall alert Operations personnel to abnormal sample air flow.

12.8.3 Description The MPF VMS is shown on Figure VII-12-2 and system specifications are given on USAR Table VII-12-1. The system provides representative samples of the particulate and iodine activity present in the effluent stream at a point just prior to release to the atmosphere. The sample is drawn through a anisokinetic probe to assure representative sampling.

With the exception of the anisokinetic sample probe, the system is completely redundant. Each train consists of an air sample pump, a particulate/iod ine combination sample collection assembly, a sample flow VII-12-13 12/09/19

USAR transmitter and local sample flow indicator. The system provides a trouble/low flow alarm in the control room and a sample flow signal to the PMIS computer.

12.8.4 Safety Evaluation The physical location and characteristics of the MPF VMS are adequate to provide representative sampling for particulate and iodine activity.

12.8.5 Inspection and Testing Alarm circuits are tested locally. Sample flow rate meters are checked against a portable venturi flow meter.

The Multi-Purpose Facility Ventilation Radiation Monitoring System is in scope for License Renewal per 10 CFR 54.4(a) (2) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity (see USAR Section K-2.1.2), External Surfaces Monitoring (see USAR Section K-2.1.14), and Periodic Surveillance and Preventive Maintenance (see USAR Section K-2.1.31). There are no Time-Limited Aging Analyses that are applicable.

12.9 Reactor Building Ventilation Radiation Monitoring System 12.9.1 Safety Objective The objective of the Reactor Building Ventilation Radiation Monitoring System is to monitor gases exhausted from the Reactor Building.

12.9.2 Safety Design Basis

1. The Reactor Building Ventilation Radiation Monitoring System shall provide a continuous record of exhaust air flow and air activity.
2. The Reactor Building Ventilation Radiation Monitoring System shall alert operations personnel to abnormal air activity.

12.9.3 Description The Reactor Building Ventilation Radiation Monitoring System specifications are shown in USAR Table VII-12-1. The system measures the radiation level at a sample point located in the Reactor Building ventilation exhaust vent just prior to the release point. The system consists of a normal range detector, a particulate and iodine collection assembly, a local and a remote (located in the Main Control Room) control and display unit, and a recorder. The system has the capability to monitor and record a range of l0E-7 to l0E-1 µCi/ml (Xe-133 reference).

The system has two upscale alarms and one equipment failure alarm in the Main Control Room, but performs no control function. The upscale alarms indicate high and high-high radiation, and the equipment failure alarm indicates instrument trouble. To monitor the exhaust stream, the sample is drawn through the anisokinetic probe to assure representative sampling. The sample passes through a shielded chamber, where the radiation level is measured by a detector. The monitor has a gaseous monitoring chamber with a beta scintillation detector.

The particulate and iodine collection assembly uses filters in the sample stream, which are routinely analyzed to measure particulate and halogen radiation levels of up to l0E-5 µCi/ml (I-131 reference).

VII-12-14 01/17/14

USAR The Reactor Building Ventilation Radiation Monitoring System is designed to meet the requirement s of NUREG 0737 and Reg. Guide 1.97 regarding the measurement s of Noble gas monitoring and the collection of particulate s and halogens. The referenced ranges are l0E-7 to l0E-1 µCi/ml for Xenon-133 equivalent and up to l0E-5 µCi/ml for particulate s and halogens.

12.9.4 Safety Evaluation The Reactor Building Ventilation Radiation Monitoring System has been selected with monitoring characteris tics sufficient to provide plant operations personnel with accurate indication of abnormal air activity. The system thus provides continuous surveillanc e of the activity released. Because the system is not essential to any transients or accidents, no redundancy is required, although a backup means to take representat ive samples exists in the event of maintenance on the primary system.

12.9.5 Inspection and Testing Alarm circuits are provided with a built-in check source. Release rate indicators are calibrated using a portable radiation source, and calibration and testing is performed to verify monitor operability .

The Reactor Building Ventilation Radiation Monitoring System is in scope for License Renewal per 10 CFR 54. 4 (a) (1) and (a) (2) and was subject to aging management review. Aging effects are managed by the following Aging Management Programs: Bolting Integrity ( see USAR Section K-2. 1. 2), External Surfaces Monitoring (see USAR Section K-2.1.14), and Periodic Surveillanc e and Preventive Maintenance (see USAR Section K-2.1.31). There are no Time-Limite d Aging Analyses that are applicable.

VII-12-15 01/17/14

USAR

13. 0 PLANT AND AUGMENTED RADWASTE (DRUM HANDLING) AREA RADIATION MONITORING SYSTEM 13.1 Power Generation Objective The objective of the Area Radiation Monitoring Systems is to warn of abnormal gamma radiation levels in areas where radioactive material may be handled or inadvertently introduced.
13. 2 Power Generation Design Bases
1. The Plant Area Radiation Monitoring System shall provide operating personnel with a record and an indication in the Main Control Room of gamma radiation levels at selected locations within the various station buildings.
2. The Plant and Augmented Radwaste (ARW) Drum Handling Area Radiation Monitoring System shall provide local alarms where it is necessary to warn personnel of substantial immediate changes in gamma radiation levels.
13. 3 Description
13. 3 .1 Monitors The Plant Area Radiation Monitoring System is shown as a functional block diagram in General Electric Drawing 921D796. A typical channel consists of a local sensor and converter unit, a Main Control Room indicator and trip unit, a shared power supply, and a shared recorder. [71 l Some channels have, in addition, a local audio alarm auxiliary unit. The system trip is powered from the 120 VAC instrument bus. The trip circuits are set so that loss of power causes an alarm.

The Augmented Radwaste Area Radiation Monitoring System is shown as a functionally block diagram in USAR Figure VII-13-2. Five channels, each with local alarm and meter also have remote alarm and meter at the Augmented Radwaste Drum Handling Area Control Room.

All radiation monitors have an upscale trip that indicates high radiation and a downscale trip that may indicate instrument trouble. These trips have alarms, but perform no control function. The environmental and power supply design conditions are given in USAR Table VII-13-1 for plant and radwaste monitors.

VII-13-1 03/04/22

USAR TABLE VII-13-1 PLANT AND AUGMENTED RADWASTE (DRUM HANDLING)

AREA RADIATION MONITORING SYSTEM ENVIRONMENTAL AND POWER SUPPLY DESIGN CONDITIONS Sensor Location Control Room Design Design Parameter Center Range Center Range Temperature 25°F oo to 60°C 25°C 50 to +50°C Relative Humidity 50% 20 to 100% 50% 20 to 90%

Power 120 VAC +/- 10% 120 VAC +/- 10%

60 Hz +/- 5% 60 Hz +/- 5%

VII-13-2 01/23/01

USAR

13. 3. 2 Locations [7 ll Work areas where monitors are located are listed in USAR Table VII-13-2. Annunciation and indication are provided in the Main Control Room for Plant Area and Radwaste monitors and in the Drum Handling Control Room for the drum handling and Augmented Radwaste (ARW) Area monitors. In addition, there is a recorder located in the Main Control Room that makes a permanent record of the units.
13. 4 Inspection and Testing An internal trip test circuit, adjustable over the full range of the trip circuit, is provided. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a real trip. All trip circuits are of the latching type and must be manually reset at the front panel.

A portable calibration unit is also provided. This is a test unit designed for use in the adjustment procedure for the area radiation monitor sensor and converter unit. It provides five gamma radiation levels between 1 mr/hr and 125 mr/hr. The source is CO 60 of approximately 80µc strength. A cavity in the sensor and converter unit is designed to receive the calibration unit. Located on the back wall of the cylindrical lower half of the cavity is a window through which radiation from the source emanates. A chart on each unit indicates the radiation levels available from the unit for the various control settings.

VII-13-3 03/09/07

USAR TABLE VII-13-2 PLANT AND AUGMENTED RADWASTE (DRUM HANDLING)

AREA RADIATION MONITORING SYSTEM CHANNELS, RANGES, LOCATIONS[ 71 l CHANNEL RANGE (mR/hr) LOCATION 12 0.01-100 RHR PUMP ROOM (NORTHWEST) 13 0.01-100 RCIC/CORE SPRAY PUMP ROOM (NORTHEAST) 11 0.01-100 RHR PUMP ROOM (SOUTHWEST) 14 0.01-100 CORE SPRAY PUMP ROOM (SOUTHEAST) 10 0.01-100 HPCI PUMP ROOM 9 0.01-100 CONTROL ROD DRIVE HYDRAULIC EQUIP AREA (NORTH) 8 0.01-100 CONTROL ROD DRIVE HYDRAULIC EQUIP AREA (SOUTH) 6 0.1-1000 NEUTRON MONITOR SYSTEM INDEX AREA 7 0.01-100 NEUTRON MONITOR SYSTEM DRIVE MECH AREA 18 1-10E4 TURBINE BLDG REACTOR FEED PUMP AREA 4 0.1-1000 RWCU PRECOAT AREA 3 0.01-100 NEW FUEL AREA 1 100-10E6 FUEL POOL AREA 2 0.01-100 FUEL POOL AREA 22 0.01-100 RADWASTE CONTROL ROOM 23 0.01-100 RADWASTE PUMP ROOM 24 0.01-100 RADWASTE BASEMENT EQUIPMENT AREA 25 0.1-1000 RADWASTE DEMINERALIZER VALVE ROOM 26 0.1-1000 RADWASTE CONVEYOR AISLE OPERATING AREA 27 1-10E4 RX BLDG SUPPRESSION CHAMBER AREA 859' (SOUTHWEST) 28 0.01-100 RADWASTE LABORATORY 20 0.01-100 MAIN CONTROL ROOM 19 0.01-100 TURBINE BLDG CONDENSATE PUMP AREA 17 0.01-100 TURBINE BLDG BASEMENT CONTROL CORRIDER 16 0.01-100 TURBINE BLDG MEZZANINE CONTROL CORRIDER 15 0.1-1000 TURBINE FRONT STANDARD 21 0.01-100 GRADE LEVEL CONTROL CORRIDER 29 0.01-10 RADWASTE BIO-ANALYSIS LAB 5 0.1-1000 RWCU SLUDGE & DECANT PUMP AREA 30 0.01-10 RADWASTE IC HOT SHOP I 1-10E5 ARW DRUM HANDLING AREA SOUTH END OF EAST SHIELD WALL II 0.1-1000 ARW DRUM HANDLING AREA SOUTH END OF EAST SHIELD WALL III 0.1-1000 ARW DRUM HANDLING CONTROL ROOM (NORTH)

IV 0.1-1000 ARW DRUM HANDLING AREA UPPER LEVEL STORAGE LEVEL V 0.1-1000 ARW DRUM HANDLING AREA WEST WALL 40A 1-10E7 R/hr DRYWELL (Containment High Range Monitor) 40B 1-10E7 R/hr DRYWELL (Containment High Range Monitor) 45A 0.1-10E7 PASS PANEL 45B 0.1-10E7 PASS PANEL VII-13-4 03/04/22

USAR 14.0 ENVIRONMENTAL RADIATION MONITORING INSTRUMENTS ll 35 l This USAR section contains historical information, as indicated by italicized text. USAR Section I-3.4 provides a more detailed discussion of historical information. The information being presented in this section as historical has been preserved as it was originally submitted to the NRC in the CNS FSAR.

14.1 General As described in Section II-6, "Environmental Radiation Surveillance Program", the District has been measuring radiation levels in the environment at the plant site and in adj a cent areas since October 197 0. Following are descriptions of the monitoring equipment being used in the program.

14.2 Description 14.2.1 External Radiation Background 14.2.1.1 Initial G.M. Instrument Measurements Initial measurements were pe1formed at 31 selected locations on-site and off-site, using Nuclear-Chicago 1612 Geiger-Mueller type radiation survey meters. Measurements pe,fonned at each of these locations consisted of the average of at least three one-minute readings obtained with the detector probe at an elevation of 30 inches above ground level, and the beta window open and directed downward. The radiation survey instruments were calibrated with CO60 and s/0 calibration sources and were cross referenced to insure accuracy of measurements and consistency of instrument operation.

14.2.1.2 Thermoluminescent Dosimeters (TLD)

Gamma radiation levels are being determined at locations both on-site and off-site through the use of thermoluminescent dosimeters (TLD).

A TLD is a single phosphore. Two or more phosphores in one package are considered to be two or more dosimeters. The TLD's are enclosed in a light opaque black polyethylene envelope. The filled envelope is placed in a plastic rectangular holder which contains copper shielding to filter out beta radiation, thus measuring gamma radiation only.

14.2.2 Air Sampling Air sampling is performed through the use of continuous, constant flow air samplers equipped with elapsed time meters which indicate actual operating time. Flow rates are calibrated periodically to insure consistent sampling rates of 1.0 cfm.

Particulates are collected on 2-inch diameter Millipore type SS membrane filters or other suitable filter media.

Iodine 131 is collected in activated charcoal cartridges which are impregnated with tetraethylenediamine (TEDA) and are in direct line connection with the air particulate filters.

Each air sampler is housed in a louvered aluminum shelter designed to protect the filter from the weather and, at the same time, allow the ambient air to flow unencumbered through the shelter and across the filter location.

VII-14-1 01/23/01

USAR The filter is located above ground level at an elevation that lessens the buildup of ground dust on the filter and to minimize the influence on sample activity of radon and daughters emanating from the soil.

14.2.3 Inspection and Testing The TLD maintained at each station is changed and read quarterly.

A record of each TLD reading is provided by the contracting laboratory and is maintained on a permanent basis.

VII-14-2 09/18/18

USAR 15.0 RADIOLOGICAL PROTECTION AND RADIOCHEMISTRY INSTRUMENTS 15.1 Portable Radiation Survey Instruments Portable radiation survey instruments are provided on site in suitable quantities and of appropriate ranges of detection for measurement of alpha, beta, gamma, and neutron radiation expected during normal operation and in emergencies.

15.2 Personnel Radiation Monitoring Devices Personnel monitoring devices are provided to and worn by personnel in those areas required by 10CFR20.

15.3 Personnel Contamination Monitoring Devices Personnel contamination monitoring is provided to detect radioactive contamination upon exit from contaminated or potentially contaminated areas.

15.4 Constant Air Monitors Constant air monitoring units are placed at designated locations to continuously monitor levels of airborne activity and to alarm in the event setpoint values are exceeded.

15.5 Counting Room Instruments Counting room instruments are provided for precise measuring and radio-assay of alpha, beta, and gamma radiation and for the analysis of radioactive gaseous, liquid and solid samples. Instruments are also provided for counting of smear samples used for contamination control.

15.6 Radiochemistry Instruments In addition to conventional chemical laboratory equipment, instruments are provided for precise measuring and radiochemical analysis of alpha, beta, and gamma radiation in all types of process system samples including gaseous, liquid, and solid materials.

15.7 Inspection and Testing Proper operation of radiation monitoring instrumentation is checked with built-in testing circuits and/or radiation sources. Measuring instruments are periodically calibrated with radioactive or electronic calibration sources.

VII-15-1 01/23/01

USAR 16.0 PLANT PROCESS COMPUTER 16.1 Power Generation Objective The objectives of the Plant Process Computer (PPC), which includes the Plant Management Information System (PMIS) r961 , GARDEL, and Meteorological (MET) computers, are to provide a quick and accurate determination of core thermal performance; to provide data reduction, accounting, trending, plotting and logging functions; and to supplement procedural requirements for control rod manipulation during reactor startup and shutdown. PMIS shall provide the Safety Parameter Display System (SPDS) in conformance with NPPD commitments to NUREG-0737 Item I.D.2 and other emergency response data analysis capabilities. [%ml [%nJ r 122 1 r132 1 r133 1 [ 134 1 16.2 Power Generation Design Basis

1. The ( PPC) shall be designed to periodically determine the three dimensional power density distribution for the reactor core and provide printed logs which permit accurate assessment of core thermal performance.
2. The (PPC) shall provide continuous monitoring of the core operating level and appropriate alarms based on established core operating limits to aid the operator in assuring that the core is operating within acceptable limits at all times, including periods of maneuvering.
3. The PPC shall provide inputs to the rod block circuitry to supplement and aid in the enforcement of procedural restrictions on control rod manipulation, so that rod worth is limited to the values assumed in plant safety analyses.
4. The PPC shall provide the SPDS to give the Main Control Room operators an overview of important plant operational parameters. The SPDS is an operational aid which supplements the information available via the Control Room panels.

16.3 Description 16.3.1 Computer System Components 16.3.1.1 Central Processors The central processors of the PMIS consist of dual redundant digital processors. One processor functions as the primary processor and monitors the plant processes in real-time. The other processor, if online, is in a hot backup mode ready to assume the primary role in case of a failover from the current primary machine. Failover will occur automatically in case of software and/or hardware errors on the primary machine or can be initiated manually.

The computer operating system permits assigning different priority levels to various software tasks thus providing the capability to respond rapidly to important process functions that must respond more closely to real-time.

The computer system has automatic error detection and correction thus permitting it to discontinue usage of bad areas of memory and to also alert the system operator of this via the system operators console. The entire computer complex is supplied power from an uninterrupted power system (UPS) that has battery backup and can provide power for a half hour in the event of a loss of power. After power is restored to the critical bus by the Diesel-Generator, the UPS system will automatically be connected to the VII-16-1 06/15/16

USAR critical bus after a time delay but prior to exceeding battery backup capabilit y.

16.3.1.2 Bulk Memory Subsystem Bulk memory consists of disk drives allocated on each computer.

These drives are used for storage of the operating system, applicatio n software and data. The operating system stores programs and data in a file arrangeme nt.

16.3.1.3 Periphera l Input/Out put Subsystem The PMIS periphera l I/O equipment consists of programme r terminals , color graphic display terminals with keyboard operator input capabilit y, and hardcopy devices. The color graphic displays are located in the Control Room, Technical Support Center (TSC) and Emergency Operation s Facility (EOF). A switching scheme automatic ally switches the color graphic display terminals to the correct computer upon a failover from one computer to the other.

16.3.1.4 Process Input/Out put Subsystem s The process computer I/O hardware consists of two data networks with one connected to each PMIS computer that collect analog and digital data at various scan frequenci es from remote multiplex ers located throughou t the plant. This equipment also permits analog and digital outputs to support systems such as the Traversin g In-Core Probe (TIP) system. The remote multiplex ers communica te with both data networks for redundanc y.

USAR Table VII-16-1 provides a typical instrumen tation input summary of the nuclear system variables monitored by the PPC.

USAR Table VII-16-2 provides a typical instrumen tation output summary of the signal requireme nts from the PPC to plant instrumen tation.

16.3.1.5 Operator Console During routine operation the operator uses the color graphic display terminals located in the Main Control Room to enter informatio n into the computer and for requestin g various special functions from it. Menu driven displays, keyboard input and dedicated function keys permit the operator to adequatel y communica te with the PMIS computer.

16.3.1.6 Programmi ng and Maintenan ce Consoles Various programmi ng and maintenan ce consoles are used by programme rs and maintenan ce personnel for access to the system for trouble shooting and maintenan ce functions . These consoles are located throughou t CNS.

16.3.2 Reactor Core Performan ce Function 16.3.2.1 Power Distribut ion Evaluatio n The local power density for a specified axial segment of every fuel assembly is calculate d, using plant inputs of pressure, temperatu re, flow, LPRM levels, control rod positions , and the calculate d fuel exposure.

Total core thermal power is calculate d from a reactor heat balance. Iterative computati onal methods are used to establish a compatibl e relationsh ip between the core coolant flow and core power distributi on. The results are subsequen tly interprete d as local power at specified axial segments for each fuel bundle in the core.

VII-16-2 02/23/23

USAR TABLE VII-16-1 TYPICAL NUCLEAR PROCESS MONITORING INSTRUMENTATION INPUT

SUMMARY

Primary Type of Engr Data Variable Input Units Utilization NEUTRON MONTIORING SYSTEM LPRM Level (Flux) Analog W/cm 2 Core Performance APRM Level (Flux) Analog  % PWR Core Performance (Channel A,C) Event Recall Log APRM Level (Flux) Analog  % PWR Core Performance (Channel B,D,E,F)

APRM Channel Bypass Digital Status Status Alarm Log APRM Trip on Level Digital Status Sequence Annunciator (Flux Chnl A,B,C,D,E,F) Log APRM Upscale Digital Status* Status Alarm Log Alarm on Level (Any Channel)

APRM Downscale Digital Status* Status Alarm Log Alarm on Level (Any Channel)

APRM Alarm on Digital Status* Status Alarm Log Instrument Inoperative (Any Channel)

Flow Converter Upscale Digital Status Status Alarm Log Trip/Alarm on Level/

Instrument Inoperative Alarm on Flow Converter Digital Status Status Alarm Log Comparator TIP Level (Flux) Analog  % PWR Core Performance (System A,B,C,D)

TIP Guide Tube Address Digital Code Selected Core Performance (4 inputs per machine) Group Tube (Machine A,B,C,D) Location TIP Probe at Top of Core Digital Status Core Performance TIP Probe Position Pulses Pulse/inch Core Performance TIP Machine Ready Digital Status Core Performance (System A,B,C,D)

Reactor Neutron Digital Status Sequence Annunciator Monitor System Trip (A,B,C,D)

SRM Detector Not in Digital Status* Status Alarm Log 11 St art - Up Position 11 (Any Channel)

    • Table is not inclusive of all points. Refer to PMIS Point-I/O Summary Database for complete list.

VII-16-3 01/23/01

USAR TABLE VII-16-1 (CONT'D)

TYPICAL NUCLEAR PROCESS MONITORING INSTRUMENTATION INPUT

SUMMARY

Primary Type of Engr Data Variable Input Units Utilization NEUTRON MONTIORING SYSTEM (Cont'd)

SRM Upscale Digital Status* Status Alarm Log Alarm on Level (Any Channel)

SRM Alarm on Digital Status* Status Alarm Log Instrument Inoperative (Any Channel)

SRM Bypassed Digital Status Status Alarm Log (Any Channel)

IRM Upscale Trip on Level Digital Status* Sequence Annunciator (Chnl A,B,C,D,E,F,G,H) Log IRM Detector Not in Digital Status* Status Alarm Log "Full In Position" (Any Channel)

IRM Upscale Digital Status* Status Alarm Log Alarm on Level (Any Channel)

IRM Downscale Digital Status Status Alarm Log Alarm on Level (Any Channel)

IRM Alarm on Digital Status* Status Alarm Log Instrument Inoperative (Any Channel)

IRM Bypassed Digital Status Status Alarm Log (Any Channel)

RBM Level (Flux) Analog  % PWR Variable Alarm Log (Channel A,B)

RBM Trip on Level Digital Status Status Alarm Log (Either Channel)

RBM Downscale Digital Status Status Alarm Log Alarm on Level (Either Channel)

RBM Alarm on Digital Status Status Alarm Log Instrument Inoperative (Either Channel)

RBM Bypass Digital Status Status Alarm Log (Either or Both Channels)

REACTOR MANUAL CONTROL SYSTEM Control Rod Drive System Analog 10 6 lb/hr Core Performance Flow Control Rod Selected; Digital Rod Number, Core Performance and Control Rod Pos., Tens; Code Group Notch Pos. Rod Worth Minimizer Control Rod Pos.

Units; Rod Drift Alarm; Rod Selected and Driving

    • Table is not inclusive of all points. Refer to PMIS Point-I/O Summary Database for complete list.

VII-16-4 01/23/01

USAR TABLE VII-16-1 (CONT'D)

TYPICAL NUCLEAR PROCESS MONITORING INSTRUMENTATION INPUT

SUMMARY

Primary Type of Engr Data Variable Input Units Utilization REACTOR MANUAL CONTROL SYSTEM (CONT'D)

Control Rod Withdraw Digital Status Core Performance Discharge Vol. High Water Digital Status Sequence Annunciator Level Scram Trip (A,B,C,D) Log Refuel Interlock Digital Status Status Alarm Log Control Rod Timer Malfunction Digital Status Status Alarm Log Shutdown Margin Select Digital Status Rod Worth Minimizer Status Alarm Log RWM Rod Insert Digital Status Rod Worth Minimizer Permissive Echo Status Alarm Log RWM Rod Select Digital Status Rod Worth Minimizer Permissive Echo Status Alarm Log RWM Block Digital Status Status Alarm Log Rod Out Block Digital Status Status Alarm Log Discharge Volume Digital Status Status Alarm Log High Water Level Rod Block RWM Rod Withdraw Digital Status Rod Worth Minimizer Permissive Echo Status Alarm Log RPIS Offline Digital Status Status Alarm Log FEEDWATER CONTROL SYSTEM Reactor Feedwater Analog 10 6 lb/hr Core Performance Inlet Flow (A,B) Event Recall Log Reactor Pressure Analog psig Core Performance Event Recall Log Reactor Water Level Analog Inches of Core Performance Water Event Recall Log Total Steam Flow Analog 10 6 lb/hr Event Recall Log Low Power Level Alarm Digital Status Rod Worth Minimizer Low Power Level Interlock Digital Status Rod Worth Minimizer Reactor Feedwater Analog OF Core Performance Inl'et Temperature Event Recall Log (Al,A2,Bl,B2)

    • Table is not inclusive of all points. Refer to PMIS Point-I/O Summary Database for complete list.

VII-16-5 01/23/01

USAR TABLE VII-16-1 (CONT'D)

TYPICAL NUCLEAR PROCESS MONITORING INSTRUMENTATION INPUT

SUMMARY

Primary Type of Engr Data Variable Input Units Utilization REACTOR VESSEL INSTRUMENTATION Reactor Core Analog psi Core Performance Pressure Drop Event Recall Log Total Reactor Analog 10 6 lb/hr Core Performance Jet-Pump Flow Event Recall Log (Core Flow)

Total Recirculation Analog 10 6 lb/hr Core Performance Drive Flow (Al,A2,Bl,B2)

Recirculation Pump Analog 10 6 Watts Core Performance Motor Power (A,B)

Reactor Water Level Digital Status Sequence Annunciator (Channel A,B,C,D) Log Main Steam Line Digital Status Sequence Annunciator Isolation Valve Log Closure (A,B,C,D)

Main Steam Line Digital Status Status Alarm Leak Detection (A,B,C,D)

Reactor High Pressure Digital Status Sequence Annunciator (A,B,C,D) Log Main Steam Line Digital Status Status Alarm Log High Flow (A,B,C,D)

Recirculation Loop Analog OF Core Performance Inlet Temperature (Al,A2,Bl,B2)

REACTOR PROTECTION SYSTEM Primary Containment Digital Status Sequence Annunciator High Pressure (A,B,C,D) Log Manual Scram Digital Status Sequence Annunciator (Channel A,B) Log Reactor Scram Digital Status Sequence Annunciator (Channel A,B) Log Turbine Control Valve Digital Status Sequence Annunciator Fast Closure Log (A,B,C,D)

Turbine Stop Valve Digital Status Sequence Annunciator Closure (A,B,C,D) Log

    • Table is not inclusive of all points. Refer to PMIS Point-I/O Summary Database for complete list.

VII-16-6 01/23/01

USAR TABLE VII-16-1 (CONT'D)

TYPICAL NUCLEAR PROCESS MONITORING INSTRUMENTATION INPUT

SUMMARY

Primary Type of Engr Data Variable Input Units Utilization PROCESS RADIATION MONITORING SYSTEMS Main Steamline Digital Status Sequence Annunciator High Radiation Log (A,B,C,D)

REACTOR WATER CLEAN-UP SYSTEM Clean-Up System Analog OF Core Performance Inlet Temperature Clean-Up System Analog OF Core Performance Outlet Temperature Clean-Up System Analog 10 6 lb/hr Core Performance Flow (Channel A,B)

OTHER SYSTEMS Gross Generator Power Analog 10 6 Watts Core Performance Gross Generator Energy Pulse KWH/Pulse Core Performance

  • Assume that no respective channel bypass is applied.

NOTE: TIP Traversing In-Core Probe APRM Average Power Range Monitor LPRM Local Power Range Monitor SRM Source Range Monitor IRM Itermediate Range Monitor RBM Rod Block Monitor

    • Table is not inclusive of all points. Refer to PMIS Point-I/O Summary Database for complete list.

VII-16-7 01/23/01

USAR TABLE VII-16-2 TYPICAL PMIS INSTRUMENTATION OUTPUT

SUMMARY

SIGNAL OUTPUT DESCRIPTION[ 96 l**

Latching TIP Scan TIP Position Enable TIP Core top Enable RPIS Scan Mode RPIS Next Rod RWM Insert Block (A,B,C)

RWM Withdraw Block (A,B,C)

RWM Program Operating Nonlatching

    • Table is not inclusive of all points. Refer to PMIS Point-I/O Summary Database for complete list.

VII-16-8 01/23/01

USAR After calculating the power distribution within the core, the computer compares the values to appropriate reactor operating limit criteria.

These comparisons assist the operator in maintaining core operation within permissible thermal limits established by prescribed maximum fuel rod power density and minimum critical heat flux ratio criteria. The core evaluation analytical sequence is completed periodically and on demand, requiring less than 5 minutes to execute. Subsequent to executing the program the computer prints a periodic log.

16.3.2.2 LPRM Calibration Flux level and position data from the flux mapping and calibration equipment are read into the computer. The computer evaluates the data and determines gain adjustment factors by which the Local Power Range Monitor (LPRM) amplifier gains can be altered except immediately prior to whole core calibration using this method. The gain adjustment factor computations help to indicate to the operator when such a calibration procedure is necessary.

16.3.2.3 Fuel Exposure Using the power distribution data, a distribution of fuel exposure increments from the time of a previous power distribution calculation is determined and is used to update the distribution of cumulative fuel exposure.

Each fuel bundle is identified by batch and location, and its exposure is stored for each of the axial segments used in the power distribution calculation. These data are printed out on demand.

16.3.2.4 Control Rod Exposure Exposure increments are determined periodically for each one-quarter length section of each control rod. The corresponding cumulative exposure totals are periodically updated and printed out on demand.

16.3.2.5 LPRM Exposure The exposure increment of each local power range monitor is determined periodically and is used to update both the cumulative ion chamber exposures and the correction factors for exposure-dependent LPRM sensitivity loss. These data are printed out on demand.

16.3.2.6 Isotopic Composition of Exposed Fuel The computer provides on-line capability to determine monthly and on-demand the isotopic composition of each fuel bundle in the core. This evaluation consists of computing the weight of three uranium and five plutonium isotopes as well as the total uranium and total plutonium content. The isotopic composition is calculated for each one-quarter length of each fuel bundle and summed accordingly by bundles and batches. The method of analysis consists of relating the computed fuel exposure and the exposure weighted void fraction for the given fuel segments to computer stored isotopic characteristic applicable to the specific fuel type.

16.3.3 Rod Worth Minimizer _Function The rod worth minimizer (RWM) function assists and supplements the operator with an effective backup control rod monitoring routine that enforces adherence to established start-up, shutdown, and low power level control rod procedures. The RWM computer alerts the operator when control rod patterns are established that are not consistent with Banked Position Withdrawal Sequence (BPWS) and initiates appropriate rod withdrawal block or rod insert VII-16-9 02/05/07

USAR block interlock signals to the reactor manual control systems rod block circuitry when the actual sequence deviates beyond allowances from the stored sequence (General Electric Drawing 729E471BB, Sheet 7). The RWM sequences stored in the computer memory are based on control rod BPWS designed to limit

( and thereby minimize) individual control rod worths to acceptable levels as determined by the design basis Control Rod Drop Accident. [74 l [ 75 l [l 4 0J The RWM function does not interfere with normal reactor operation, and in the event of a failure does not its elf cause rod patterns to be established which would violate the above objective. The RWM function may be bypassed and its rod block function disabled as provided for in Technical Specification 3.3.2.1.

16.3.3.1 RWM Inputs The following operator and sensor inputs are utilized by the RWM:

1. Group In/Out Service The operator can remove or insert a notch control group if there are no notch errors in that group.
2. Rod Test Select By selecting this input option, the operator is permitted to withdraw and re-insert any one control rod in the core while all other control rods are maintained in the fully inserted position.
3. Normal/Bypass Mode A key lock switch is provided to permit the operator to apply permissives to RWM rod block functions at any time during plant operation.
4. System Initialize This input is initiated by the operator to start or restart the RWM programs and system at any time during plant operation.
5. Control Rod Selected The RWM recognizes the binary coded identification of the control rod selected by the operator.
6. Control Rod Position The RWM recognizes the binary coded identification of the control rod position.
7. Control Rod Drive Selected and Driving The RWM utilizes this input as a logic diagnostic verification of the integrity of the rod select input data.
8. Control Rod Drift The RWM recognizes a position change of any control rod using the control rod drift indication. This information is used to evaluate permissible withdrawal or insertion of subsequently selected rods.
9. Reactor Power Level [74 , 75 l Feedwater flow and steam flow signals are used to implement two digital inputs to permit program control of the RWM function. These two inputs, the low power setpoint and the low power alarm setpoint, are used to disable the RWM blocking function at power levels above the intended service range of the RWM function. The low power setpoint limit is 10 percent rated power. The low power alarm setpoint is initially set at 35 percent rated power. [lllJ VII-16-10 02/05/07

USAR

10. Permissive Echoes Rod withdraw, and rod insert permissive echo inputs are utilized by the RWM as a verification "echo" feedback to the system hardware to assure proper response of an RWM output.

16.3.3.2 RWM Outputs The RWM provides isolated contact outputs to plant instrumentation as follows:

1. Blocks The RWM is interlocked with the reactor manual control system to permit or inhibit withdrawal or insertion of a control rod. These actions do not affect any normal instrumentation displays associated with the selection of a control rod (General Electric Drawing 729E471BB, Sheet 7).
2. Scan Mode and Next Rod These RWM outputs are used to synchronize acquisition of control rod position data during the scan mode.

16.3.3.3 RWM Indications The RWM color graphic display available at any of the display terminals in the Main Control Room provides the following indications:

1. Insert Error Control rod coordinate identification for up to two insert errors.
2. Withdrawal Error Control rod coordinate identification for one withdrawal error.
3. Latched Group Identification of the RWM sequence group number currently enforced by the computer.
4. Group Out of Service Indication of an operator removed group.
5. RWM Bypass Indication that the RWM is manually bypassed.
6. Select Error Indication of a control rod selection error.
7. Blocks Indication that a withdrawal block or insertion block is in effect for all control rods. r74 , 75 l
8. Out of Sequence Indication that the actual control rod pattern is out of sequence with the RWM sequence currently being monitored while the reactor is operating above the low power setpoint but below the low power alarm setpoint.
9. RWM Off-Line Indication that the RWM is unable to operate properly.

VII-16-11 0211s1os I

USAR 16.3.4 Monitor Alarm and Logging Functions 16.3.4.1 Analog Monitor and Alarm

1. General For each analog point in the system, the capability exists for four warning and alarm limits (i.e. High Alarm, High Warning, Low Warning, Low Alarm) for each of the four plant modes. For instance, when the plant is in SHUTDOWN mode, a set of predefined warning/alar m values may be in effect for each point. When the plant changes to STARTUP mode, a different set of warning/alar m values may be used to determine point quality. These values may or may not be different for each point.

The alarming sequence consists of a message for the variables exceeding process alarm limits on the alarm display. A variable that is returning to normal is signified by a message on the alarm display.

2. Events and Event Logging An event is any condition or occurrence that requires generation of post-trip and event recall data.

Whenever an event is declared the Post-Trip and Event Recall Logs are started. These logs are described in the following paragraphs.

The Post-Trip Log contains values for Balance of Plant inputs. This log is automatical ly initiated upon occurrence of predefined plant trips. In addition, this log may be activated on demand from the color graphic display consoles. Data is collected based on operator specified frequency for an operator-sp ecified period of time. This period may be split between pre- and post-trip. The log is printed on the operator specified hardcopy device. For each Post-Trip transaction the following information will be printed:

o Date and time of trip or demand occurrence o Date and time change of state occurred o Point ID name o Current value as defined by the set or reset message.

The Event Recall Log contains selected nuclear system inputs. This log is automatical ly initiated upon occurrence of predefined plant trips. In addition, this log may be activated on demand from the color graphic display consoles. Data is collected based on operator specified frequency for a period of twenty (20) minutes. This period may be split between pre- and post-trip. The log is printed on the operator specified hardcopy device. For each Event Recall transaction the following information will be printed:

o Date and time of event or demand occurrence o Date and time change of state occurred o Point ID name o Current value as defined by the set or reset message.

VII-16-12 02/23/23

USAR 16.3.4.2 Digital Monitor and Alarm

1. Sequence Annunciator Recording Selected digital inputs are implemented to provide for logging the sequence of contact closure or opening on the alarm output device.

Input alarms received 2 millisecond s or more apart are sequentially differentiat ed and printed. The printout includes point description and time of occurrence to the nearest hundredth of a second.

2. Status Alarm The status alarm function scans digital inputs at least once each second and provides a printed record of selected system alarms. The record includes point description and time of occurrence.

16.3.4.3 Alarm Logging and Displaying The alarm logs required by the associated process programs are shown on an alarm display located on the operator's console in the Main Control Room. Alarm display messages are used to inform the operator of computer system malfunction s, system operation exceeding acceptable limits, and off-normal or failed input sensors.

16.4 Power Generation Evaluation As described in the Station Safety Analysis, USAR Section XIV-6, treatment of the control rod drop accident, the maximum rod worth below 10% power assumed was 0.025 ~k. The rod worth minimizer operates to maintain the maximum rod worth below 0.01 ~k. At power levels above 10% of rated the maximum rod worth possible was assumed in the control rod drop accident cases; thus no rod worth control is required above 10% of rated power. Should the rod worth minimizer program be inoperative for any reason, the reactor operator can maintain acceptable rod worth by simply adhering to prescribed control rod patterns and sequences when below 10% of rated power.

16.5 Inspection and Testing The PPC is self-checkin g. It performs diagnostic checks to determine the operability of certain portions of the system hardware, and it performs internal programming checks to verify that input signals and selected program computation s are either within specific limits or within reasonable bounds.

VII-16-13 02/23/23

USAR 17.0 STANDBY GAS TREATMENT SYSTEM[ 761 17.1 Safety Objective The objective of the Standby Gas Treatment System (SGT) is to process effluent from the reactor building (secondary containment) when required, therefore limiting the discharge of radioactive material to the environs.

17.2 Safety Design Basis

1. Both SGT subsystems are to start simultaneously and automatically in the event of a secondary containment isolation signal.
2. After both SGT subsystems have started simultaneously in the event of a secondary containment isolation signal, one subsystem may be placed in standby mode to restart automatically if the first operating subsystem indicates "Low Flow."
3. Either SGT subsystem may be controlled manually from the Main Control Room.
4. In the event one SGT subsystem is being operated for test purposes, a secondary containment isolation signal will automatically select and start the other subsystem. The signal will also provide the proper alignment of dampers in both subsystems.
5. Manual alignment will provide for decay heat removal from fission products deposited on either filter bank.
6. Gas temperatures, moisture indication (heater functionality),

and overall filter bank pressure differential will be indicated and high values will be annunciated in the Main Control Room.

7. Low flow in the selected SGT subsystem, automatic transfer upon low flow in the selected subsystem, or low flow in the standby subsystem after automatic transfer due to failure of the selected subsystem will be annunciated in the Main Control Room.
17. 3 Description The above design was incorporated in a controls and instrumentation scheme that is reflected in the control diagram. Separate controls and instrumentation are associated with the two independent SGT subsystems consisting of filter banks, blowers, dampers and ducts. The logic allows placing one subsystem in the auto mode and the other subsystem in the standby mode.

A PCIS Group 6 isolation signal starts both SGT subsystems in the automatic mode. After the required Reactor Building negative pressure is reached, the operator selects one subsystem to run while the other is placed in the standby mode. ( See USAR Sections V-3. 4 and VII-3.) The standby subsystem restarts by timer action if the PCIS Group 6 isolation signal continues and low flow is indicated by failure of the operating subsystem.

In the event the standby SGT subsystem is being operated for test purposes, accident signals will terminate the testing by de-energizing the VII-17-1 09/19/06

USAR relative humidity heat, aligning the dampers to the nonoperating position and stopping the blowers.

Each SGT subsystem is furnished with a flow detector which provides permissive information to generate a signal to start the standby subsystem upon low flow in the active subsystem providing a PCIS Group 6 isolation signal is present or sealed-in. A time delay is provided to block a transfer to the standby subsystem for the duration of a normal startup transient in the selected subsystem. The time is bypassed in the selected subsystem so that there is no delay in initiating action in this subsystem.

Low point drains on the SGT effluent lines remove condensation to Sump Z below the ERP. Level switches start the pumps on high water level to transfer to the radwaste system.

Gas temperatures upstream of the relative humidity heater and downstream of the charcoal bed are measured and indicated both locally and in the Main Control Room. High temperature in the outlet of each SGT subsystem and high flow is annunciated in the Main Control Room. The overall filter train pressure differential is measured and indicated in the Main Control Room. High pressure differential is annunciated.

Each SGT subsystem with its associated controls and instruments is supplied with critical power. This power is taken from separate divisions of the Standby AC Power Source to guarantee that one subsystem is always available in case of loss of off-site power. The system is also arranged so that power failures that interrupt flow in the operating subsystem will transfer the processing of the effluent to the standby subsystem.

Separation criteria require that the power supplies be completely separate. Fuses are provided to protect the connecting leads of the low voltage annunciator circuit from short circuits in the subsystem selector switches.

Main Control Room annunciators alert the operators of malfunctions in the SGT system such as low flow, high filter differential pressure, high moisture levels and high temperatures. Primary controls for the operation of both subsystems are located in the Main Control Room. In the event of malfunction of both SGT subsystems, the SGT system can be manually aligned and controlled from the Main Control Room. This type of operation requires power along with the pertinent controls and instrumentation to some parts of both subsystems and is therefore not available for the complete loss of power to either subsystem.

The design of the controls and instrumentation makes it possible for removal of decay heat from fission products deposited on the filter bank in either subsystem. If one filter bank is in operation with flow from the secondary containment, the decay heat in the shutdown filter bank is removed by opening the inlet damper upstream of the shutdown filter bank, allowing cooling flow from the secondary containment through the shutdown filter bank, through the throttled open manual cross-tie valve and out the running blower.

Following an accident, when the PCIS Group 6 isolation signal is reset and it is desired to shutdown the running SGT subsystem, decay heat removal from the SGT system may be required. In this case, the standby SGT subsystem is started, the running SGT subsystem is shutdown, and its Dilution Air valve is opened, allowing room air to be drawn through the VII-17-2 05/28/02

USAR subsystem being cooled via the manual cross-connect valve and out the second SGT fan.

Additional information regarding SGT system operation and components can be found in USAR Section V-3, "Secondary Containment System."

17.4 Safety Evaluation The SGT system accomplishes its safety objective by maintaining the Reactor Building at a slightly negative pressure relative to the atmosphere and filtering all the exhaust. The SGT system control and instrumentation provide the logic and signals to cause the equipment or redundant components to operate as required to cope with any radioactivity releases. Thus, the controls and instrumentation assure that the performance of the SGT system is such that the radioactivity released to the environs is kept within the limits of 10CFRlOO (offsite dose) and GDC 19 (Control Room occupant dose) or within the limits of 10CFR50.67 in the event of a postulated Loss of Coolant Accident.

17.5 Inspection and Testing Testing and inspections of the SGT system controls and instrumentation are made periodically. The dampers are tested by operation of manual switches in the Main Control Room and observing the position indicating lights in the Main Control Room. The auto start signals, transfer signals, and alarms are functionally tested by applying test signals which simulate a malfunction. Instruments are tested and calibrated periodically.

Surveillance testing of the SGT system controls and instrumentation is specified in the CNS Technical Specifications.

VII-17-3 02/05/10

USAR 18.0 ALTERNATE SHUTDOWN CAPABILITY 18.1 Safety Objective Alternate Shutdown (ASD) capability is provided to maintain the station in a safe condition in the Special Event that the Main Control Room is evacuated, and is designed to not degrade the operation of existing essential systems.

18.2 Safety Design Basis In the event that the Main Control Room becomes inaccessib le, it shall be possible to bring the reactor from power range operation to a hot shutdown condition by manipulati on of the local controls and equipment which are available outside of the Main Control Room.

Station design shall not preclude the ability to bring the reactor to a cold shutdown condition from the hot shutdown condition from outside of the Main Control Room.

The operationa l interface between the alternate shutdown capability and existing essential systems shall be designed to the requiremen ts of the essential system.

18.3 Descriptio n The Alternate Shutdown capability augments safe shutdown system capabiliti es by providing for local control of selected components . The system is comprised of circuit isolation devices, local controls, and indication s for the components necessary to safely shutdown the plant in the event that the Main Control Room is evacuated. The alternate shutdown capability is made up of the following:

. ((

] ]

The operation of components which have not been provided with alternate controls are accomplish ed by local manual operation. Selected valves and circuit breakers will be manually operated as part of the alternate shutdown capability .

Controls for select valves with AC power are ((

)) . Controls for select valves with DC power are [ [

)) . In both cases, the control is similar to valve controls in the ASD room. The system is comprised of circuit isolation devices, local controls, and indication s.

VII-18-1 04/08/15

USAR 18.3.1 Location The Alternate Shutdown control panels are located in the

(( )) . This particular location was chosen so as to be independent of those fire areas which disable control circuits and instrumentation to the extent that safe shutdown from the Control Room can no longer be accomplished.

The alternate shutdown controls for ((

)) .

18.4 System Operation The alternate shutdown capability is designed to be operable during a Special Event of Station Shutdown from Outside the Control Room. Ref er to Section XIV-5.9.1 for a description of this Special Event.

18.5 Safety Evaluation The alternate shutdown capability is used to mitigate a Special Event and is not a safety-related function. However, certain components which interface with systems which are important to safety are qualified to the respective interfacing systems specifications. Section XIV-5.9.1 describes the Station Shutdown from Outside the Control Room Special Event and demonstrates that both hot and cold shutdown can be achieved. The use of alternate shutdown capability installed at CNS has been designed to not degrade existing essential systems. The use of alternate shutdown capability in the event of a fire that either disables control of safe shutdown equipment from the Main Control Room, or renders the Main Control Room inaccessible is addressed in the Fire Safety Analysis. It is concluded that the Safety Design Bases are met.

18.6 Inspection and Testing Periodic functional testing of the controls and indications which comprise the ASD capability is accomplished to demonstrate the reliability of the ASD capability for use during an emergency condition. See Technical Specification 3.3.3.2 for additional information.

VII-18-2 04/08/15

USAR

19.0 REFERENCES

FOR CHAPTER VII

1. Q/A 7.1, Amend. 13.
2. Q/A 7.2, Amend. 14.
3. Q/A 7.10, Amend. 14.
4. Deleted.
5. Deleted.
6. Deleted.
7. Q/A 7.4, Amend. 35.
8. Q/A 7.13, Amend. 9.
9. Q/A 5.22, Amend. 26.
10. MDC 75-68.
11. Q/A 7. 6, Amend. 15.
12. Q/A 7.21, Amend. 15.
13. Q/A 7.12, Amend. 14.
14. Q/A 7. 7, Amend. 15.
15. Deleted.
16. Q/A 7.5, Amend. 13.
17. Q/A 7.17, Amend. 15.
18. Q/A 7 .1, Amend. 13.
19. Q/A 7.23, Amend. 17.
20. Q/A 7. 8, Amend. 13.
21. Q/A 7. 4, Amend. 35.
22. General Electric MDE-270-1285, "Evaluation of ATWS Performance at Cooper Nuclear Station," December 1985.
23. Q/A 7.6, Amend. 15.
24. Deleted.

25 . MDC 7 9- 51.

26. Deleted.
27. Q/A 7.8, Amend. 13.
28. MDC 79-51.

VII-19-1 01/23/01

USAR

29. Q/A 6.1, Amend. 9.
30. Q/A 6.14, Amend. 15.
31. MDC 81-006 and G.E. Concept and Design.
32. Deleted.
33. Q/A 7.8, Amend. 13.
34. Q/A 6.14, Amend. 15.
35. DC 76-2; 10CFR50.46.
36. Q/A 7.1, Amend. 13.
37. MDC 80-05.
38. Q/A 6.12, Amend. 14.
39. Q/A 8.9, Amend. 14.
40. MDC 80-10.
41. Some items deleted as per Q/A 7.16, Amend. 11.
42. Q/A 7.16, Amend. 11.
43. Q/A 6.7, Amend. 9.

4 4. Deleted.

45. DC 7 6-2.

4 6. DC 7 6-2.

47 . Deleted.

48. Q/A 7.16, Amend. 11.

4 9. DC 7 6-2.

50. APED-5706, "In-Core Neutron Monitoring System for G. E. Boiling Water Reactors," W. R. Morgan, November, 1968 (Rev. April, 1969).
51. MDC 77-94.
52. DC 7 6-1.
53. Q/A 7.15, Amend. 15.

54 . MDC 7 8 - 4 0 .

55. MDC 77-69.

5 6. Deleted.

5 7. Deleted.

5 8. Deleted.

VII-19-2 10/09/01

USAR 5 9. Deleted.

60. Deleted.
61. Deleted.
62. Deleted.
63. Q/A 7.7, Amend. 15.
64. MDC 78-06.
65. Letter from J. Pilant to V. Stello, Director of Nuclear Reactor Reg., October, 1976.

66 . MDC 7 8 6 2 .

67. Letter from C.R. Noyes to Director of Licensing - Quality Assurance, January, 1979.
68. Deleted.
69. Q/A 11.3, Amend. 11.
70. Q/A 11.1, Amend. 14.
71. Q/A 13 .10, Amend. 24.

7 2. Deleted.

7 3. Deleted.

74 . MDC 7 6-101 .

75. Letter from L. C. Lessor to J. Pilant, December, 1977.
76. Q/A 7.9, Amend. 14.
77. Deleted.
78. Deleted.
79. Letter from J.M. Pilant to G. E. Lear, dated March 21, 1978.
80. NRC SER to License Amendment 61 dated February 29, 1980.

81 . DC 8 4 - 0 1 .

82. MDC 81-010-1.

83 . MDC 8 4 - 0 6 0 .

8 4. Deleted.

85. MDC 84-162.
86. Deleted.
87. Deleted.

VII-19-3 09/02/08

USAR 8 8. Deleted.

8 9. MDC 8 5-0 4 4 .

90. Letter from J.M. Pilant to D. G. Eisenhut, dated April 24, 1984, "Resolutions of Safety Evaluation Report for Environmental Qualification of Safety-Related Electrical Equipment."
91. Deleted.
92. Deleted.
93. Deleted.
94. Deleted.
95. Deleted .

. 96. The following is a complete list of all the related design changes that accomplished the actual installation of the PMIS and SPDS:

a. MDC 84-37, PMIS Installation Overview
b. MDC 83-75, Computer Room Raised Floor Modification
c. MDC 84-37B, Installation of Dual DEC VAX 11/780 Cluster Configuration
d. MDC 84-37C, Installation of RWM/RPIS Subsystem
e. MDC 84-37D, Installation of Data Acquisition Equipment and Computer Peripherals Outside of the Control Room, Cable Spreading Room, and Computer Room.
f. MDC 84-37E, Installation of Data Acquisition Equipment and Computer Peripherals in the Control Room and Cable Spreading Room.
g. MDC 84-37F, Installation of Data Acquisition Equipment in the Computer Room.
h. MDC 84-37G, Installation of PMIS UPS Power Supply
i. MDC 84-37H, Installation of Computer Room HVAC
j. MDC 84-371, Installation of Halon Fire Suppression System in the Computer Room
k. MDC 84-37J, GE/PAC 4020 Decommissioning
1. MDC 85-79, TSC/SPDS Power Supply Circuit
m. SDC 84-01, Implementation of the Safety Parameter Display System (SPDS) software on the PMIS.
n. SDC 84-02, Integration of the MONICORE Reactor Core Monitoring Software Package on the PMIS.

VII-19-4 04/08/15

USAR

o. SDC 84-03, Implementation of a Control Rod Scram Timing (CRST) Software Package on the PMIS.
p. SDC 84-04, Conversion and Implementation of the GE/PAC 4020 Balance of Plant (BOP) Software Package on the PMIS.
97. Deleted.
98. MDC 73-2.
99. Deleted.

100. NRC, Safety Evaluation Report (SER) for CNS Technical Specification Amendment No. 83, dated May 4, 1983.

101. Evaluation of Diesel Generator Startup Requirements for Cooper Nuclear Station, EAS-133-187, Revision 1, February 1988.

102. G.E. Report NEDC 31892P May 1991, "Extended Load Line Limit and ARTS Improvement Program Analysis for Cooper Nuclear Station, Cycle 14."

103. Q/A 4.34 FSAR Amendment 15.

104. NRC, Safety Evaluation Report (SER) for CNS Technical Specifications Amendment 150, dated November 22, 1991.

105. NRC, Safety Evaluation Report (SER) for CNS Technical Specifications Amendment 7, dated February 7, 1975.

106. NEDE-31113-P, Cooper ATWS Compliance: Alternate Rod Insertion System and Recirculation Pump Trip Modifications.

107. NRC, Safety Evaluation Report ( SER) for CNS Technical Specification Amendment No. 100, dated May 20, 1986.

108. NEDO-31400, Safety Evaluation for Eliminating the Boiling Water Reactor Main Steam Line Isolation Valve Closure Function and Scram Function of the Main Steam Line Radiation Monitor, May 1987, General Electric Company.

109. Design Change DC 91-088, MAIN STEAM LINE RADIATION MONITOR SCRAM AND GROUP 1 FUNCTION REMOVAL.

110. Letter from Harry Rood (NRC) to G. R. Horn, dated December 22, 1992, "Amendment No. 156 to Cooper Nuclear Station."

111. Letter from T. Pickens (BWROG) to G. C. Lainas (NRC), dated August 15, 1986, "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A ."

112. Letter from A. L. Thadani (NRC) to J. S. Chamley (GE), dated December 27, 1987, "Acceptance for Referencing of Licensing Topical Report NEDE-24011-P-A, 'General Electric Standard Application for Reactor Fuel,' Revision 8, Amendment 17."

VII-19-5 01/23/01

USAR 113. GENE-673-02 0-0993, General Electric Report "Evaluation of RHR Heat Exchanger Tube Plugging Margin for the Cooper Nuclear Station," October 1993.

114. Letter from S. K. Rhow (GE) to J. R. Hotovy ( NPPD) , dated February 14, 1993, "Suppressio n Pool Response to an ATWS Event with 4,000 gpm Service Water Flow per RHR Loop at the Cooper Nuclear Station."

115. DC 94-332.

116. Deleted.

117. DC 95-037, PC and TIP Valve Isolation Reset Mod.

118. Deleted.

119. Deleted.

120. NEDC 10-041, "Recovery Action Feasibility Assessment Report Review EPM Report R1906-004-0 05, Latest Revision."

I 121. NRC Generic Letter, GL 80-37, "Five Additional TMI-2 Related Requirement s for Operating Reactors."

122. NRC Generic Letter, GL 89-06, "Task Action Plan Item I.D.2 -

Safety Parameter Display System - 10CFR50.54( f) ."

123. NRC Generic Letter, GL 92-04, "Resolution of the Issues Related to Reactor Vessel Water Instrumenta tion in Boiling Water Reactors," (TAC No. M84275) ."

124. NRC Bulletin 93-03, "Resolution of Issues Related to Reactor Vessel Water Instrumenta tion in BWRs," (TAC No. M86888).

125. NRC Generic Letter, GL 84-23, "Reactor Vessel Water Level Instrumenta tion in BWRs."

12 6. NEDC-32 67 6P, "Analytical Uni ts for Cooper Nuclear Station, "January 1997, General Electric Company."

127. NEDO 10139, "Core Standby Cooling System," dated 6/70.

128. UCR 97-023, "RHR Minimum Flow Valves."

129. DC 87-043 Am. 1, "NBI Pressure Switch Upgrade."

130. DC 76-2, "LPCI Modificatio n."

131. DC 90-152, "CNS Cycle 14, Reload 13, Design & Safety Analysis."

132. NUREG 0737, "Post-TMI Requiremen ts."

133. NUREG 0737 Supplement 1, *"Requireme nts for Emergency Response Capability. "

134. NUREG 1342, "A Status Report Regarding Industry Implementat ion of Safety Parameter Display System."

135. Q&A 2.21; Amend. 9.

VII-19-6 02/18/16

USAR 136. DC 87-036, Installation of Containment Hydrogen/Oxygen Monitoring Systems.

137. NEDC 92-050AJ, Setpoint Calculation Main Turbine Supply I Pressure.

138. GL 94-02, NRC Generic Letter "Long-Term Solutions and Upgrade of Interim Operating Recommendations for Thermal-Hydraulic Instabilities in Boiling Water Reactors."

139. NLS940039, NPPD Letter from Guy Horn to NRC RE: Response to GL 94-02, dated 9/9/94.

140. NEDO-21231, "Banked Position Withdrawal Sequence,"

January 1977.

141. Cooper Nuclear Station License Amendment 231, dated June 30, 2008, Issuance of Amendment Re: Measurement Uncertainty Recapture Power Uprate.

VII-19-7 03/28/19

Retrieved from "https://kanterella.com/w/index.php?title=ML23129A270&oldid=3620903"