ML23291A420

1 to Updated Final Safety Analysis Report, Chapter 7, Section 7.3, Engineered Safety Feature Systems
Site: Susquehanna
Issue date: 10/12/2023
From: Susquehanna
To: Office of Nuclear Reactor Regulation
Shared Package: ML23291A105
References: PLA-8081


Text

SSES-FSAR Text Rev. 75

7.3 ENGINEERED SAFETY FEATURE SYSTEMS

Safety-related instrumentation and controls for engineered safety feature (ESF) systems, i.e., the actuation system (AS) from sensor to actuation device and controls for the ESF system, which are engineered safety feature actuation systems (ESFAS), are described in this section.

Instrumentation and controls for systems which support ESF systems are also described.

This section is divided by responsibility as to supply, with NSSS and non-NSSS in Subsections A and B respectively.

7.3.1 DESCRIPTION

A) ESF Actuation Systems Supplied with the NSSS

1) Emergency Core Cooling Systems (ECCS)
2) Primary Containment and Reactor Vessel Isolation Control Systems (PCRVICS)
3) RHRS/Containment Spray Cooling System
4) RHRS Suppression Pool Cooling

B) ESF Actuation Systems and ESF Aux Support Systems Not Supplied with the NSSS

1) Containment Isolation (AS)
2) Combustible Gas Control Systems (AS)
3) Primary Containment Vacuum Relief (AS)
4) Standby Gas Treatment System (AS)
5) Reactor Building Recirculation (AS)
6) Reactor Building Isolation (AS) and HVAC Support
7) Habitability Systems (AS), Control Room Isolation and Supporting HVAC Systems
8) ESF Auxiliary Support Systems:

a) Emergency Service Water
b) RHR Service Water
c) Containment Instrument Gas
d) Standby Power

FSAR Rev. 71 7.3-1

9) Heating, Ventilating and Air Conditioning for ESF Areas:

a) Standby Gas Treatment Equipment Room
b) Diesel Generator Buildings
c) ESSW Pumphouse
d) ESF Switchgear Room
e) ECCS Unit Coolers
f) Drywell Unit Coolers
g) Control Structure Chilled Water System

7.3.1.1a System Description (NSSS)

7.3.1.1a.1 Emergency Core Cooling Systems (ECCS) Instrumentation and Control

7.3.1.1a.1.1 Network Identification

The ECCS is a network of the following subsystems:

(1) High Pressure Coolant Injection (HPCI) System
(2) Automatic Depressurization (ADS) System
(3) Core Spray (CS) Systems
(4) Low Pressure Coolant Injection (LPCI) Mode of the Residual Heat Removal System (RHR)

The purpose of ECCS instrumentation and controls is to initiate appropriate responses from the system to ensure that the fuel is adequately cooled in the event of a design basis accident. The cooling provided by the system restricts the release of radioactive materials from the fuel by preventing or limiting the extent of fuel damage following situations in which coolant is lost from the reactor coolant pressure boundary (RCPB).

The ECCS instrumentation detects a need for core cooling systems operation, and the trip systems initiate the appropriate response.

Successful core cooling for a specified line break accident is discussed in Chapter 15.

7.3.1.1a.1.2 Network Power Sources

The instrumentation and controls of the ECCS network system are powered by the 125 VDC and 120 VAC systems. The redundancy and separation of these systems are consistent with the redundancy and separation of the ECCS functional requirements. These power sources are described in detail in Chapter 8.0.

7.3.1.1a.1.3 High Pressure Coolant Injection (HPCI) System - Instrumentation and Controls

7.3.1.1a.1.3.1 System Identification

When actuated, the HPCI system pumps water from either the condensate storage tank, the primary source, or the suppression chamber to the reactor vessel via the feedwater lines. The HPCI system includes one turbine-driven pump, one DC motor-driven auxiliary oil pump, one gland seal condenser and associated condensate pump, one gland seal condenser blower, automatic valves, control devices for this equipment, sensors, and logic circuitry. The arrangement of equipment and control devices is shown in Dwgs. M-155, Sh. 1 and M-156, Sh. 1.

7.3.1.1a.1.3.2 Equipment Design

Pressure and level switches used in the HPCI system are located on racks in the reactor building and at the condensate storage tank. The only active component for the HPCI system that is located inside the primary containment is one of the two HPCI system turbine steam supply line isolation valves and its associated warm-up valve. The rest of the HPCI system control and instrumentation components are located outside the primary containment. Cables connect the sensors to control circuitry in the control structure. The system is arranged to allow a full flow functional test of the system during normal reactor power operation. The test controls are arranged so that the system can operate automatically to fulfill its safety function regardless of the test being conducted except for the conditions discussed in Section 6.3.4.2.1.

7.3.1.1a.1.3.3 Initiating Circuits

Reactor vessel low water level is monitored by four indicating type level switches that sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual height of water in the vessel. Two lines (one attached to a tap above and one to a tap below the water level on the reactor vessel) are required for the differential pressure measurement for each switch. The two pairs of lines terminate outside the primary containment and inside the reactor building. The pairs are physically separated from each other and tap off the reactor vessel at widely separated points. These same lines are also used for pressure and water level instruments for other systems. A one-out-of-two twice logic arrangement of the switches sensing low water level can initiate the HPCI system. This arrangement assures that no single event can prevent the initiation of the HPCI system due to reactor vessel low water level.

Primary containment pressure is monitored by four non-indicating pressure switches which are mounted on instrument racks outside the drywell, but inside the reactor building. Each instrument is connected to the drywell atmosphere by a redundant sensing line. The switches are grouped in pairs in a manner similar to the level sensors and are electrically connected so that no single event can prevent the initiation of the HPCI system due to primary containment high pressure.
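The one-out-of-two twice arrangement described above for the level and pressure switches can be checked exhaustively. The following is an added example, not part of the FSAR: the channel names A to D and their grouping into the pairs (A, B) and (C, D) are assumptions. It enumerates stuck-tripped and stuck-untripped channel faults to show that no single fault blocks or causes initiation, and which double faults do.

```python
from itertools import combinations, product

# Assumed channel names and pairing (not taken from the FSAR): four switches,
# two per group, initiation requires at least one trip in EACH group.
CHANNELS = ("A", "B", "C", "D")
GROUPS = (("A", "B"), ("C", "D"))


def one_out_of_two_twice(trips):
    """(A or B) and (C or D): one-out-of-two, taken twice."""
    return all(any(trips[ch] for ch in group) for group in GROUPS)


def apply_faults(trips, faults):
    """Overlay stuck channel states on the true process-driven states."""
    observed = dict(trips)
    observed.update(faults)
    return observed


def fault_sets(n):
    """Every way n distinct channels can be stuck tripped (True) or untripped (False)."""
    for chans in combinations(CHANNELS, n):
        for states in product((False, True), repeat=n):
            yield dict(zip(chans, states))


def analyse(n):
    """Return (blocked, spurious) fault sets of size n.

    blocked:  a real demand is present on all channels but initiation fails.
    spurious: no demand is present but initiation occurs anyway.
    """
    demand = dict.fromkeys(CHANNELS, True)
    normal = dict.fromkeys(CHANNELS, False)
    blocked, spurious = [], []
    for faults in fault_sets(n):
        if not one_out_of_two_twice(apply_faults(demand, faults)):
            blocked.append(faults)
        if one_out_of_two_twice(apply_faults(normal, faults)):
            spurious.append(faults)
    return blocked, spurious


if __name__ == "__main__":
    for n in (1, 2):
        blocked, spurious = analyse(n)
        print(f"{n} simultaneous channel fault(s):")
        print(f"  fault sets that block a real initiation: {blocked}")
        print(f"  fault sets that cause a spurious one:    {spurious}")
```

With this grouping, the only double faults that defeat initiation are both channels of one group failing untripped, which is why the physical separation of the sensing-line pairs matters as much as the logic itself.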

The HPCI system controls automatically start the HPCI system from the receipt of a reactor vessel low water level signal or primary containment high pressure signal and bring the system to its design flow rate in approximately 30 seconds. The controls then function to provide design makeup water flow to the reactor vessel until the amount of water delivered to the reactor vessel is adequate, at which time the HPCI system automatically shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown.

The HPCI turbine is functionally controlled as shown in Dwgs. M1-E41-65, Sh. 1, M1-E41-65, Sh. 2, M1-E41-65, Sh. 3, M1-E41-65, Sh. 4, and M1-E41-65, Sh. 5. A turbine governor control system controls turbine speed during normal operation. A control governor receives a HPCI system flow signal and adjusts the turbine steam control valve so that design HPCI system pump discharge flow rate is obtained. Manual control of the governor is possible. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the HPCI system pump discharge line. The governor controls the pressure applied to the hydraulic operator of the turbine control valve which, in turn, controls the steam flow to the turbine. Hydraulic pressure is supplied for both the turbine control valve and the turbine stop valve by the DC powered oil pump during startup and then by the shaft driven hydraulic oil pump when the turbine reaches operating speed.

Upon receipt of an initiation signal, the auxiliary oil pump starts, providing hydraulic pressure for the turbine stop valve and turbine control valve hydraulic operator. As hydraulic oil pressure is developed, the turbine stop valve and the turbine control valve open and the turbine accelerates toward the speed setting of the control governor. As HPCI system flow increases, the flow signal adjusts the control governor setting so that design flow is maintained. The turbine is automatically shut down by tripping the turbine stop valve closed if any of the following conditions are detected:

(1) Turbine overspeed
(2) High turbine exhaust pressure
(3) Low pump suction pressure
(4) Reactor vessel high water level
(5) HPCI isolation signal from logic "A" or "B"

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service. A turbine trip is initiated for those conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be restored to service. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so close that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical-hydraulic device. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown. One pressure switch is used to detect low HPCI system pump suction pressure.

High water level in the reactor vessel indicates that the HPCI system has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in HPCI system turbine damage caused by gross carryover of moisture. The reactor vessel high water level setting which trips the turbine is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Two level switches that sense differential pressure are arranged to require that both switches trip to initiate a turbine shutdown.

For both a manual and automatic initiation, the HPCI system logic provides for automatic cycling of HPCI operation from a high water level tripped condition to a restart upon again reaching low water level. This action is afforded through the absence of a latch (seal-in) in the turbine trip logic, and a conditional (on low water level) latch in the high water level trip logic. Upon (again) returning to low water level, the latch high water level trip is cleared, thereby defeating the turbine tripped condition and re-establishing turbine operation.

The control scheme for the turbine auxiliary oil pump is shown in Dwg. M1-E41-65, Sh. 5. The controls are arranged for automatic or manual control. Upon receipt of an HPCI system initiation signal, the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft-driven oil pump begins to supply hydraulic pressure. After about 1/2 minute during an automatic turbine startup, the pressure supplied by the shaft driven oil pump is sufficient, and the auxiliary oil pump automatically stops upon receipt of a high oil pressure signal. Should the shaft-driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts automatically.

Operation of the gland seal condenser components (gland seal condenser condensate pump (DC), gland seal condenser blower (DC), and gland seal condenser water level instrumentation) prevents out-leakage from the turbine shaft seals. Startup of this equipment is automatic, as shown in Dwg. M1-E41-65, Sh. 5. Failure of this equipment will not prevent the HPCI system from providing water to the reactor vessel.

7.3.1.1a.1.3.4 Logic and Sequencing

Either reactor vessel low water level or primary containment (drywell) high pressure can automatically start the HPCI system as indicated in Dwg. M1-E41-65, Sh. 1. A 3 second time delay in each logic division prevents inadvertent system isolations due to pressure spikes. Reactor vessel low water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.

The scheme used for initiating the HPCI system is shown on Figure 7.3-6. One trip system logic actuates the trip system upon receipt of a low water level signal. The other actuates upon receipt of a high drywell pressure signal. Either trip system logic can start the HPCI system. The HPCI system is powered by DC buses.

Instrument functions, type, range and number of channels provided for the HPCI system controls and instrumentation are listed in Table 7.3-1. The reactor vessel low water level setting for HPCI system initiation is selected high enough above the active fuel to start the HPCI system in time both to prevent excessive fuel cladding temperatures and to prevent more than a small fraction of the core from reaching the temperature at which gross fuel failure occurs. The water level setting is sufficiently below normal levels such that spurious HPCI system startups are avoided. The primary containment high pressure setting is selected to be as low as possible without inducing spurious HPCI system startup.

7.3.1.1a.1.3.5 Bypasses and Interlocks

To prevent the turbine pump from being damaged by overheating at reduced HPCI pump discharge flow, a pump discharge bypass is provided to route the water being discharged from the pump to the suppression pool. The bypass is controlled by an automatic, DC motor operated valve whose control scheme is shown in Dwg. M1-E41-65, Sh. 4. At high HPCI flow, the valve is closed and at low flow, the valve is opened. Flow switches that measure the pressure difference across a flow element in the HPCI pump discharge pipeline provide the signals used for flow indication.

To prevent the HPCI steam supply pipeline from filling up with water and cooling, a drain pot, steamline drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The control scheme is shown in Dwg. M1-E41-65, Sh. 2. The controls position valves so that during normal operation steamline drainage is routed to the main condenser. Upon receipt of a HPCI initiation signal, the drainage path is isolated. The water level in the steamline drain pot is controlled by a level switch and air operated valve.

During test operation, the HPCI pump discharge is routed to the condensate storage tank. Two DC motor-operated valves are installed in the pump discharge to the condensate storage tank pipeline. The piping arrangement is shown in Dwgs. M-155, Sh. 1 and M-156, Sh. 1. The control scheme for the two valves is shown in Dwg. M1-E41-65, Sh. 4. Upon receipt of an HPCI system initiation signal, the two valves close and remain closed except for the conditions discussed in Section 6.3.4.2.1. The valves are interlocked closed if the suppression pool suction valve is not fully closed. Indications pertinent to the operation and condition of the HPCI system are available to the main control room operator as shown in Dwgs. M-155, Sh. 1, M-156, Sh. 1 and M1-E41-65, Sh. 4.

7.3.1.1a.1.3.6 Redundancy and Diversity

The HPCI system is actuated either by reactor vessel low water level or by primary containment high pressure. Both of these conditions could result from a LOCA. The redundancy of the HPCI system initiating circuits is consistent with the design of the HPCI system.

7.3.1.1a.1.3.7 Actuated Devices

The HPCI actuated devices are automatically controlled by logic or manually by switches in the main control room. Motor-operated valves are provided with appropriate limit or torque switches to turn off the motors when the full open or full closed positions are reached. Valves that are automatically closed on isolation or turbine trip signals are equipped with remote manual reset devices, so that they cannot be reopened without operator action. All essential HPCI system controls operate independent of AC power.

To assure that the HPCI system can be brought to design flow rate within 30 seconds from the receipt of the initiation signal, the following maximum operating times for essential HPCI system valves are provided by the valve operation mechanisms:

(1) HPCI system turbine steam supply valve: 20 seconds
(2) HPCI system pump discharge valves: 20 seconds
(3) HPCI system pump minimum flow bypass valve: 10 seconds

The operating time is the time required for the valve to travel from the fully closed to the fully open position or vice versa. Because the two HPCI system steam supply line isolation valves are normally open and because they are intended to isolate the HPCI system steamline in the event of a break in that line, the operating time requirements for them are based on isolation specifications. These are described in Subsection 7.3.1.1a.2.

A normally closed DC motor-operated isolation valve is located in the turbine steam supply line just upstream of the turbine stop valve. The control scheme for this valve is shown in Dwg. M1-E41-65, Sh. 5. Upon receipt of an HPCI system initiation signal, this valve opens and remains open until closed by operator action from the main control room.

Two normally open isolation valves are provided in the steam supply line to the turbine. The valve inside the drywell is controlled by an AC motor. The valve outside the drywell is controlled by a DC motor. The control diagram is shown in Dwg. M1-E41-65, Sh. 2. The valves close automatically upon receipt of an HPCI signal. An isolation signal results from HPCI steam line high differential pressure (flow), HPCI turbine exhaust diaphragm high pressure, low reactor vessel pressure (low steam supply to turbine), or high temperature around the steamline. The isolation signal resulting from steam line high differential pressure incorporates a time delay to prevent inadvertent isolation due to transient events. The instrumentation for isolation is described in Subsection 7.3.1.1a.2.

Two pump suction valves are provided in the HPCI system. One valve provides pump suction from the condensate storage tank; the other one provides suction from the suppression chamber. The condensate storage tank is the preferred source. Both valves are operated by DC motors. The control arrangement is shown in Dwgs. M1-E41-65, Sh. 4 and M1-E41-65, Sh. 2. Although the condensate storage tank suction valve is normally open, an HPCI system initiation signal opens it if it is closed, and the suppression pool suction valve is not full open. If the water level in the condensate storage tank falls below a preselected level during HPCI operation, an automatic suction transfer is initiated. The suppression chamber suction valve receives a signal to open and, in parallel, the condensate storage tank suction valve receives a signal to close to complete the transfer. Two level switches are used to detect the condensate storage tank low water level condition. Either switch can initiate the automatic suction transfer from the condensate storage tank to the suppression chamber. If open, the suppression chamber suction valve automatically closes upon receipt of the signals that initiate HPCI system steamline isolation.

Two level switches monitor the suppression chamber water level and provide high level alarms.

Two DC motor-operated HPCI system pump discharge valves in the pump discharge line are provided. The control schemes for these two valves are shown in Dwg. M1-E41-65, Sh. 4. Both valves are arranged to open upon receipt of HPCI system initiation signals. The outboard valve remains open upon receipt of a turbine trip signal until closed by operator action in the main control room.

To prevent damage by overheating at reduced HPCI system pump flow, a pump discharge minimum flow bypass is provided. The bypass is controlled by an automatic, DC motor-operated valve whose control scheme is shown in Dwg. M1-E41-65, Sh. 2. At HPCI system high flow, the valve is closed; at low flow, the valve is opened. Flow switches that measure the pressure difference across a flow element in the HPCI system pump discharge line provide the signals used for flow indication. There is also an interlock provided to shut the minimum flow bypass whenever the turbine is tripped. This is necessary to prevent drainage of the condensate storage tank into the suppression pool.

To prevent the HPCI system steam supply line from filling up with water and cooling, a drain pot, steamline drain, and appropriate valves are provided in a drain line arrangement just upstream of the turbine supply valve. The control scheme is shown in Dwgs. M1-E41-65, Sh. 2 and M1-E41-65, Sh. 3. The controls position valves so that during normal operation steamline drainage is routed to the main condenser. Upon receipt of an HPCI system initiation signal, the drainage path is isolated. The water level in the steamline drain pot is controlled by a level switch and air operated valve.

During test operation, the HPCI system pump discharge is routed to the condensate storage tank. The DC motor-operated valves are installed in the pump discharge test lines. The piping arrangement is shown in Dwgs. M-155, Sh. 1 and M-156, Sh. 1. The control scheme for the valves is shown in Dwg. M1-E41-65, Sh. 4. Upon receipt of an HPCI system initiation signal, the valves close and remain closed except for the conditions discussed in Section 6.3.4.2.1. The valves are interlocked closed if the suppression chamber suction valve is not fully closed. Indications pertinent to the operation and condition of the HPCI system are available to the plant operator as shown on Dwgs. M-155, Sh. 1, M-156, Sh. 1, M1-E41-65, Sh. 1, M1-E41-65, Sh. 2, M1-E41-65, Sh. 3, M1-E41-65, Sh. 4, and M1-E41-65, Sh. 5.

7.3.1.1a.1.3.8 Separation

The HPCI system is a Division II system. The system equipment is part of Division II except that the initiation sensors are from Division I and Division II in order to develop the one-out-of-two twice logic. Additionally the system has Division I and Division II isolation logic and controls. Relay coil to contact isolation is used to assure separation between the divisions. The HPCI system is functionally redundant to the ADS and the low pressure core cooling system (ADS and low pressure ECCS systems have redundant functions in Division I and II).

7.3.1.1a.1.3.9 Testability

The HPCI system is designed to be completely testable during reactor operation. Systems providing core cooling water are arranged with bypass valves so that pumps may be operated at design flow. Control design is such that the system automatically returns from the test to the operating mode if system initiation is required except for the conditions discussed in Section 6.3.4.2.1. Controls and instrumentation are designed to establish that the following functions are met:

(1) Each instrument channel functions independently of all others.

(2) Sensing devices will respond to process variables and provide channel trips at correct values.

(3) Sensors and associated instrument channels will respond to both steady-state and transient changes in the process variable within specified accuracy and time limitations, and will provide channel trips at correct values even when affected by process variations that may extend grossly beyond the expected trip setpoint.

(4) Paralleled circuit elements can perform their intended function independently.

(5) Series circuit elements are free from shorts that can abrogate their function.

(6) Redundant instrument or logic channels are free from interconnecting shorts that could violate independence if a single malfunction should occur.

(7) No element of the system is omitted from the test if it can impair system operability in any way. If the test is done in parts, then the parts must overlap sufficiently to ensure operability of the entire system.

(8) Each monitoring alarm or indication function is operable.

The HPCI system is provided with a test jack so that the reactor low water level or drywell high pressure one-out-of-two twice circuits can be tested. Completeness of tests can be assured if all instrument channels are tested, actuating one instrument channel at a time. Insertion of the test plug at the logic relay panel is indicated in the control room.

7.3.1.1a.1.3.10 Environmental Considerations

The only HPCI system control component located inside the primary containment that must remain functional in the environment resulting from a LOCA is the control mechanism for the inboard isolation valve on the HPCI system turbine steamline. The environmental capabilities of this valve are discussed in Subsection 7.3.1.1a.2. The HPCI system control and instrumentation equipment located outside the primary containment is selected in consideration of the normal and accident environments in which it must operate. These conditions are discussed in Section 3.11.

7.3.1.1a.1.3.11 Operational Considerations

7.3.1.1a.1.3.11.1 General Information

The HPCI system is not required for normal operations. Under the abnormal or accident conditions when it is required, initiation and control are provided automatically for at least 10 minutes. After that time, operator action may be required to sustain core cooling. The HPCI system may also be used for reactor pressure control when the MSIVs are closed. This mode of operation may only be used when it has been determined that HPCI is not required for core cooling.

7.3.1.1a.1.3.11.2 Reactor Operator Information

Indications pertinent to the operation and condition of the HPCI system are available to the main control room operator, as shown in Dwgs. M-155, Sh. 1, M-156, Sh. 1, M1-E41-65, Sh. 1, M1-E41-65, Sh. 2, M1-E41-65, Sh. 3, M1-E41-65, Sh. 4, and M1-E41-65, Sh. 5.

7.3.1.1a.1.3.11.3 Setpoints

Refer to the Technical Requirements Manual for safety trip setpoints, and the plant Technical Specifications for the Allowable Values.

7.3.1.1a.1.4 Automatic Depressurization System (ADS) - Instrumentation and Controls

7.3.1.1a.1.4.1 System Identification

The automatic depressurization system (ADS) has six automatically controlled safety/relief valves that are installed on the main steamlines inside the primary containment. These six valves perform both the ADS and the SRV function. The valves are dual purpose in that they will relieve pressure by normal mechanical action or by automatic action of an electric-pneumatic control system. The relief by normal mechanical action is intended to prevent overpressurization of the reactor vessel.

The depressurization by automatic action of the control system is intended to reduce reactor vessel pressure during a LOCA in which the HPCI system is not available so that the CS system or LPCI system can inject water into the reactor vessel. The instrumentation and controls for one of these safety/relief valves are discussed. The remaining five safety/relief valves equipped for automatic depressurization are identical. Ten additional safety/relief valves providing only the SRV function are discussed in Subsection 7.7.1.12.

7.3.1.1a.1.4.2 Equipment Design

The control system consists of drywell pressure and reactor water level sensors arranged in trip systems that control two solenoid-operated pilot air valves (one for each ADS system) for each safety relief valve. Each of these two air valves controls pneumatic pressure for safety relief valve actuation. A third solenoid-operated pilot air valve with each safety relief valve is used for the Relief Valve function (see Subsection 7.7.1.12 for details of Relief Valve control). An accumulator is included with the control equipment to store pneumatic energy for actuation of the ADS piston type pneumatic actuator via the solenoid valves following failure of the pneumatic supply. The accumulator is sized to provide one ADS safety/relief valve actuation at peak calculated drywell pressure or two ADS actuations at 70% of peak calculated drywell pressure. Additional design information is provided in Section 5.2.2.4. Cables from the sensors lead to the control structure where the logic arrangements are formed in cabinets. The electrical control circuitry is powered by DC from the plant batteries. The power supplies for the redundant control circuits are selected and arranged to maintain tripping ability in the event of an electrical power circuit failure. Electrical elements in the control system are energized to cause opening of the safety/relief valve.

7.3.1.1a.1.4.3 Initiating Circuits

The pressure and level switches used to initiate one ADS logic are separated from those used to initiate the other logic on the same ADS valve. Reactor vessel low water level is detected by six switches that measure differential pressure. Primary containment high pressure is detected by four pressure switches, which are located outside the primary containment and inside the reactor building. The level instruments are piped individually so that an instrument pipeline break will not inadvertently initiate auto blowdown. The primary containment high pressure signals are arranged to seal into the control circuitry; they must be manually reset to clear.

Two separate time delays are used in each ADS logic. The ADS Logic delay is long enough that the HPCI system has time to operate, yet not so long that the LPCI and CS systems are unable to adequately cool the fuel if the HPCI system fails to start. An alarm in the main control room is annunciated when either of the ADS Logic timers is timing. Resetting the ADS initiating signals recycles the timers. A 400 second time delay is provided in each trip system so that the ADS trip logic will initiate on RPV Low Low Low Level 1 (Drywell Pressure Bypass Timer) after the 400 second time delay even if high drywell pressure is not present. The remaining trip logic must be satisfied in order to actuate either division of ADS. In addition, a manual inhibit switch is installed to permit overriding ADS actuation in the event that the actuation signals are due to an ATWS rather than a LOCA.

7.3.1.1a.1.4.4 Logic and Sequencing

Three initiation signals are used for the ADS; namely, reactor vessel low water level, drywell high pressure, and RHR and/or CS pumps running. All signals must be present to cause the safety/relief valves to open, as shown in Figure 7.3-5-2. Reactor vessel low water level indicates that the fuel is in danger of becoming uncovered. The second (lower) low water level initiates the ADS. Primary containment high pressure indicates a breach in the RCPB inside the drywell. A permissive signal indicating LPCI or CS pump discharge pressure is also required. Discharge pressure on any one of the RHR pumps or either pair of the CS pumps (A&C) or (B&D) is sufficient to give the permissive signal, which permits automatic depressurization when the LPCI and CS systems are operable.

After receipt of the initiation signals and after a delay provided by timers, each of the pilot gas solenoid valves is energized. This allows pneumatic pressure from the accumulator to act on the gas cylinder operator. The gas cylinder operator holds the relief valve open. Lights in the main control room indicate when the solenoid-operated pilot valves are energized to open a safety/relief valve.

Manual reset circuits are provided for the ADS initiation signals. By manually resetting the initiation signal the delay timers are recycled. The operator can use the reset pushbuttons to delay or prevent automatic opening of the relief valves if such delay or prevention is prudent.

Control switches are available in the main control room for each safety/relief valve associated with the ADS. The OPEN position is for manual safety/relief valve operation.

Two ADS logic trains are provided as shown in Dwg. M1-B21-92, Sh. 4. Division I sensors for low reactor water level and high drywell pressure initiate ADS A (logics A & C), and Division II sensors initiate ADS B (logics B & D). One of the two solenoid-operated pilot air valves associated with each safety/relief valve is controlled by ADS A and the other is controlled by ADS B. The reactor vessel low water level initiation setting for the ADS is selected to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the LPCI system or CS system following a LOCA in which the HPCI system fails to perform its function adequately. The primary containment high pressure setting is selected as low as possible without inducing spurious initiation of the automatic depressurization system. This provides timely depressurization of the reactor vessel if the HPCI system fails to start or fails after it successfully starts following a LOCA.

Each LPCI and CS pump discharge line is monitored by pressure switches with setpoints selected to indicate that the pumps are running and capable of delivering water to the reactor vessel. The switches are arranged to provide a permissive to the initiation of ADS Division 1, logic A, when either the RHR A or C pump is running or when the CS pump A is running. Initiation of the Division 1, logic C, occurs when either the RHR A or C pump is running or when the CS pump C is running. Division 2 ADS initiation is similar to the above except that RHR pump B and D, respectively. The setting is high enough to ensure that the pump will be delivering at near rated flow, yet not be so low as to provide an erroneous signal that the pump is running when it actually is not.

As discussed in Subsection 18.1.24.3, each of the 16 safety/relief valves is provided with an acoustic monitoring system to detect flow through the valve.

7.3.1.1a.1.4.5 Bypasses and Interlocks

It is possible for the operator to manually delay the depressurizing action by the trip system reset switches. This would reset the timers to zero seconds and prevent depressurization for another timer delay period. The operator would make this decision based on an assessment of other plant conditions. ADS is interlocked with the CS and RHR by means of pressure switches located on the discharge of these pumps. These are the "AC interlock." Although the "AC interlocks" are common to automatic and manual ADS initiation circuits, the independence of manual and automatic initiation is not compromised because each of the logics is duplicated (ADS A and ADS B) and for a failure of the ADS to occur both the AC interlocks would have to fail. At least one of the RHR pumps or one pair of the CS pumps must be capable of delivering water into the vessel. In addition, a manual inhibit switch is installed to permit overriding ADS actuation in the event that actuation signals are due to an ATWS rather than a LOCA.

7.3.1.1a.1.4.6 Redundancy and Diversity

The ADS, when CS or LPCI permissive signals are present, is initiated by high drywell pressure and low reactor vessel water level. The initiating circuits for each of these parameters are redundant, as verified by the circuit description of this section.

Instrument types, functions, ranges and number of channels provided are listed in Table 7.3-2 according to system functions.

7.3.1.1a.1.4.7 Actuated Devices

All safety/relief valves in the ADS are equipped with remote manual switches so that the entire system can be operated manually as well as automatically. The valves will also relieve pressure by built-in mechanical action.

7.3.1.1a.1.4.8 Separation

ADS is a Division 1 (ADS A) and Division 2 (ADS B) system except that only one set of relief valves is supplied. Each relief valve can be actuated by either of two pilot solenoid valves supplying gas to the relief valve piston operators. One of the pilot solenoid valves is operated by trip system A and the other by trip system B. Logic relays, manual controls, and instrumentation are mounted so that Division 1 and Division 2 separation is maintained.

7.3.1.1a.1.4.9 Testability

The ADS has two trip systems and either one can initiate automatic depressurization. Each trip system has two trip logics, both of which must trip to initiate ADS. Four test jacks are provided, one in each trip logic. To prevent spurious actuation of the ADS during testing, only one trip logic should be actuated at a time. An alarm is provided if a test plug is inserted in both trip logics.

Operation of the test plug switch along with actuation of the ADS reactor level interlock and with the RHR or CS pump running, will close one of the two series relay contacts in the valve solenoid circuit. This will cause a panel light to come on indicating proper trip logic operation and also continuity of the solenoid electrical circuit. Testing of the other trip logic and trip system is similar.

Annunciation is provided in the main control room whenever a test plug is inserted in a jack to indicate to the reactor operator that the ADS is in a test status. Testing of one division does not interfere with automatic operation of the redundant division if required by an initiation signal.
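
The ADS arrangement described in Subsections 7.3.1.1a.1.4.3 through 7.3.1.1a.1.4.9 (two trip systems of two trip logics each, pump discharge pressure permissives, the 400 second bypass timer, manual reset and manual inhibit) can be exercised with the following Python model. It is an added illustration, not plant logic or licensee code; its names, the 100 second ADS logic timer value, the one-second step, the timer start conditions, and the Division 2 permissive wiring (mirrored from Division 1) are assumptions.

```python
"""Added illustrative model of the ADS trip logic in 7.3.1.1a.1.4 (not plant code)."""
from itertools import combinations

BYPASS_DELAY_S = 400   # drywell pressure bypass timer (value stated in the text)
LOGIC_DELAY_S = 100    # constructed placeholder: the text gives no ADS logic timer value

# Pump discharge-pressure permissive per trip logic: (RHR pumps, CS pump).
# Logics A and C are as stated in the text; B and D are assumed to mirror them.
PERMISSIVE = {
    "A": ({"RHR_A", "RHR_C"}, "CS_A"),
    "C": ({"RHR_A", "RHR_C"}, "CS_C"),
    "B": ({"RHR_B", "RHR_D"}, "CS_B"),
    "D": ({"RHR_B", "RHR_D"}, "CS_D"),
}
TRIP_SYSTEMS = {"ADS A": ("A", "C"), "ADS B": ("B", "D")}
ALL_PUMPS = sorted({p for rhr, cs in PERMISSIVE.values() for p in rhr | {cs}})


def permissive_ok(logic, pumps_running):
    """True if the running pumps satisfy this trip logic's pump permissive."""
    rhr, cs = PERMISSIVE[logic]
    return bool(rhr & set(pumps_running)) or cs in pumps_running


class TripLogic:
    def __init__(self, name):
        self.name = name
        self.reset()

    def reset(self):
        """Manual reset of the initiation signal: both timers are recycled."""
        self.bypass_t = 0
        self.logic_t = 0

    def step(self, low_level, high_drywell, pumps_running, inhibit=False):
        """Advance one second; return True if this trip logic is tripped."""
        # Assumed timer behaviour: the bypass timer runs while low level is
        # present; the logic timer runs while low level and (high drywell or an
        # elapsed bypass timer) are present; losing the condition recycles it.
        drywell_ok = high_drywell or self.bypass_t >= BYPASS_DELAY_S
        self.logic_t = self.logic_t + 1 if (low_level and drywell_ok) else 0
        self.bypass_t = self.bypass_t + 1 if low_level else 0
        return (self.logic_t >= LOGIC_DELAY_S
                and permissive_ok(self.name, pumps_running)
                and not inhibit)


def seconds_to_open(sensors, pumps_running, inhibit=False, reset_at=None, limit=1000):
    """Simulate in 1 s steps; return the second at which the valves open, or None.

    sensors maps trip logic name -> (low_level, high_drywell), held constant.
    A trip logic missing from sensors sees no initiation signals.
    """
    logics = {n: TripLogic(n) for n in PERMISSIVE}
    for t in range(1, limit + 1):
        tripped = {n: lg.step(*sensors.get(n, (False, False)), pumps_running, inhibit)
                   for n, lg in logics.items()}
        # Either trip system opens the valves, but both of its logics must trip.
        if any(all(tripped[n] for n in pair) for pair in TRIP_SYSTEMS.values()):
            return t
        if t == reset_at:
            for lg in logics.values():
                lg.reset()
    return None


def minimal_permissive_sets():
    """Smallest pump combinations that give a full permissive to some trip system."""
    def permits(pumps):
        return any(all(permissive_ok(n, pumps) for n in pair)
                   for pair in TRIP_SYSTEMS.values())

    found = []
    for size in range(1, len(ALL_PUMPS) + 1):
        for combo in combinations(ALL_PUMPS, size):
            if permits(combo) and not any(set(f) <= set(combo) for f in found):
                found.append(combo)
    return found


if __name__ == "__main__":
    loca = {n: (True, True) for n in PERMISSIVE}   # constructed scenario
    print("minimal permissive sets:", minimal_permissive_sets())
    print("LOCA, RHR A running:", seconds_to_open(loca, {"RHR_A"}), "s")
    print("one trip logic only:", seconds_to_open({"A": (True, True)}, set(ALL_PUMPS)))
```

Under these assumptions, enumerating the pump combinations reproduces the statement in Subsection 7.3.1.1a.1.4.4 that any one RHR pump, or either CS pump pair (A&C) or (B&D), gives the permissive, and a single actuated trip logic never opens the valves.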

7.3.1.1a.1.4.10 Environmental Considerations

The signal cables, solenoid valves, and safety/relief valve operators are the only control and instrumentation equipment for the ADS located inside the primary containment. These items will operate in the most severe environment resulting from a LOCA. Gamma and neutron radiation have been considered in the selection of these items. Equipment located outside the primary containment will also operate in its normal and accident environments (See Section 3.11).

7.3.1.1a.1.4.11 Operational Considerations

7.3.1.1a.1.4.11.1 General Information

The instrumentation and controls of the ADS are not required for normal plant operations. When automatic depressurization is required, it will be initiated automatically by the circuits described in this section.

7.3.1.1a.1.4.11.2 Reactor Operator Information

A temperature element is installed on the safety/relief valve discharge piping several feet from the valve body. The temperature element is connected to a multi-point recorder in the back row panels of the main control room to provide a means of detecting safety/relief valve leakage during plant operation. When the temperature in any safety/relief valve discharge pipeline exceeds a preset value, an alarm is sounded in the main control room. This alarm setting is high enough above normal rated power temperatures to avoid spurious alarms, yet low enough to give early indication of safety/relief valve leakage.

As discussed in Subsection 18.1.24.3, each of the 16 safety/relief valves is provided with an acoustic monitoring system to detect flow through the valve.

7.3.1.1a.1.4.11.3 Setpoints

Refer to the Technical Requirements Manual for safety trip setpoints; and the plant Technical Specifications for the Allowable Values.

7.3.1.1a.1.5 Core Spray (CS) System - Instrumentation and Controls

7.3.1.1a.1.5.1 System Identification

The CS system consists of two independent spray loops as illustrated in Dwg. M-152, Sh. 1. Each loop is capable of supplying cooling water to the reactor vessel to cool the core following a LOCA.

7.3.1.1a.1.5.2 Equipment Design

The two CS loops are physically and electrically separated so that no single physical event makes both loops inoperable. Each loop includes two AC motor-driven pumps, appropriate valves, and the piping to route water from the suppression pool to the reactor vessel. The controls and instrumentation for the CS system include the sensors, relays, wiring, and valve operating mechanisms used to start, operate, and test the system. Except for the testable check valve in each spray loop, which is inside the primary containment, the sensors and valve closing mechanisms for the CS system are located in the reactor building. Testable check valves are described in Chapter 6. Cables from the sensors are routed to the control structure where the control circuitry is assembled in electrical panels. Each CS loop is powered from a different AC bus which is capable of receiving standby power. The power supply for automatic valves in each loop is the same as that used for the CS pumps in that loop. Control power for each of the CS loops comes from separate DC buses. The electrical equipment in the control structure for one core spray loop is isolated from that used for the other loop.

7.3.1.1a.1.5.3 Initiating Circuits

Primary containment pressure is monitored by four non-indicating pressure switches mounted on instrument racks outside the primary containment, but inside the reactor building. Cables are routed from the switches to the relay logic cabinets. Figure 7.3-5-1 shows the initiating logic typical for each CS loop. Each drywell high pressure trip channel provides an input into the appropriate trip logic shown in Figure 7.3-5-1. Pipes that terminate in the reactor building allow the switches to communicate with the drywell interior. Two diverse automatic initiations are provided for each CS loop: 1) Reactor Vessel Low Water Level; or, 2) Drywell High Pressure coincident with Low Reactor Vessel Pressure. Each low reactor vessel pressure switch is electrically connected in series with a high drywell pressure switch so that high drywell pressure alone cannot initiate the CS automatic functions in a one-out-of-two-twice circuit arrangement as shown by Figure 7.3-5-1.

Contacts from the primary containment high pressure signal relays are also used in the HPCI system. Reactor vessel low water level initiation signal uses low level switches as described for the HPCI system. A manual system initiation is also included.

7.3.1.1a.1.5.4 Logic and Sequencing

The control scheme for the CS system is illustrated in Dwgs. M1-E21-3, Sh. 1, M1-E21-3, Sh. 2, and M1-E21-3, Sh. 3. The overall operation of the system following the receipt of an initiating signal and required permissive signal is as follows:

(1) Test bypass valves are closed and interlocked to prevent opening.

(2) If normal AC power is available, the CS pumps in both spray loops start after a 15 second delay.

(3) If normal AC power is not available, the CS pumps in both spray loops start 10.5 seconds after standby power becomes available for loading.

(4) When reactor vessel pressure drops to a preselected value, valves open in the pump discharge lines allowing water to be sprayed over the core.

(5) When sufficient pump discharge flow is indicated, the pump low flow bypass valves shut directing full flow into the reactor vessel.

The initiation logic for one CS loop is depicted in Figure 7.3-5-1 in a one-out-of-two-twice network using level and pressure sensors. The initiation signal will be generated when:

(1) both level sensors are tripped, or

(2) two high drywell pressure sensors and two low reactor vessel pressure sensors are tripped, or

(3) two of the four possible combinations of one level sensor and one high drywell pressure sensor together with its associated low reactor vessel pressure sensor.

Once an initiation signal is received by the CS control circuitry, the signal is sealed in until manually reset. The seal-in feature is shown in Dwg. M1-E21-3, Sh. 1.

Reactor vessel low water level indicates that the core is in danger of being overheated due to the loss of coolant. Drywell high pressure indicates that a breach of the RCPB has occurred inside the drywell. The reactor vessel low water level and primary containment high pressure settings and the instruments that provide the initiating signals are selected and arranged so as to assure adequate cooling for the LOCA without inducing spurious system startups.

7.3.1.1a.1.5.5 Bypasses and Interlocks

SSES is designed to withstand a LOCA simultaneous with a loss of offsite power assuming the most severe active single failure. This means the plant must withstand a LOCA on one unit combined with a false or spurious LOCA signal on the non-accident unit. Interlocks between the Unit 1 and Unit 2 Core Spray Systems prevent electrical system overloads by limiting the number of CS pumps that can start because of a LOCA/False LOCA signal.

Any time a LOCA signal (low reactor water level or high drywell pressure combined with low reactor pressure) is generated in Unit 1, a trip signal is sent to Unit 2 CS pumps A and C. Similarly, if a LOCA signal is generated in Unit 2, Unit 1 CS pumps B and D receive a trip signal. The pumps receiving a trip signal are also prevented from starting. Therefore, a LOCA in one unit and a false LOCA signal in the non-accident unit will start the A and C CS pumps on Unit 1 and the B and D CS pumps on Unit 2. A single LOCA signal on either unit will start all four CS pumps of the affected unit and will trip and prevent operation of two CS pumps of the unaffected unit.

To prevent pump overheating at reduced CS pump flow, a pump discharge minimum flow bypass is provided from each loop. The bypass routes the discharge from the pump in a loop back to the suppression pool. The bypass is controlled by an automatic motor-operated valve whose control scheme is shown in Dwg. M1-E21-3, Sh. 2. At CS flow above setpoint, the bypass valve is closed. At low flow, and with at least one pump in the loop running, the bypass valve is opened. A flow switch measures the flow in each of the two loops. During test operation, each CS loop discharge can be routed to the suppression pool. Motor-operated valves are installed in the test lines. The piping arrangement is shown in Dwg. M1-152, Sh. 1. The control scheme for the two valves is shown in Dwg. M1-E21-3, Sh. 2. On receipt of a CS initiation signal, the bypass valve closes and remains closed.

To permit opening of the CS inboard injection valves in the event of a loss of the CS logics or failure of the low reactor pressure signals, a capability has been provided in the injection valve control circuit to bypass the low reactor pressure permissive. Operation of this bypass switch in conjunction with placing the injection valve control switch in the OPEN position will permit CS injection if reactor pressure is below the CS pump discharge design pressure. Operation of the bypass switch provides an input to the CS bypass indication system (BIS) display panel.

7.3.1.1a.1.5.6 Redundancy and Diversity

The CS is actuated by either reactor vessel low water level and/or drywell high pressure coincident with reactor low pressure permissive. The redundancy and diversity inherent in the CS one-out-of-two-twice initiation logic are described in Subsection 7.3.1.1a.1.5.4. Each pair of CS pumps is backed up by RHR (LPCI Mode) within ECCS Division 1.

7.3.1.1a.1.5.7 Actuated Devices

The control arrangements for the CS pumps are shown in Dwg. M1-E21-3, Sh. 1. The circuitry provides for detection of normal power available, so that all pumps are automatically started in sequence. Each pump can be manually controlled by a main control room remote switch, or the automatic control system. A pressure transducer on the discharge line from each set of CS pumps provides a signal in the main control room to indicate the successful startup of the pumps. If a CS initiation signal is received when normal AC power is not available, the CS pumps start 10.5 seconds after AC power is available for loading. The CS pump motors are provided with overload and undervoltage protection. Overload relays are applied so as to maintain power as long as possible without immediate damage to the motors or standby power system. Undervoltage trips are provided with time delays to permit power transfer from one startup transformer to the other.

Flow-measuring instrumentation is provided in the discharge line of each set of core spray pumps. The instrumentation provides flow indication in the main control room.

Except where specified otherwise, the remainder of the description of the CS system refers to one CS loop. The second CS loop is identical. The control arrangements for the various automatic valves in the CS system are indicated in Dwgs. M1-E21-3, Sh. 1, M1-E21-3, Sh. 2, and M1-E21-3, Sh. 3. All motor-operated valves are equipped with limit and torque switches to turn off the valve motor when the valve reaches the limits of movement and provide control room indication for valve position. Each automatic valve can be operated from the main control room. Valve motors are protected by overload devices during test only.

Upon receipt of an initiation signal, the test bypass valve is interlocked shut. The core spray pump discharge valves are automatically opened when reactor vessel pressure drops to a preselected value; the setting is selected low enough so that the CS system is not over-pressurized, yet high enough to open the valves in time to provide adequate cooling for the fuel. Four pressure switches in each loop are used to monitor reactor vessel pressure. Contacts from the four switches are wired in a one-out-of-two-twice configuration and permit valve opening any time reactor pressure is below the switch setpoint. The full stroke operating times of the motor-operated valves are selected to be rapid enough to assure proper delivery of water to the reactor vessel in a DBA.

A flow switch on the discharge of each set of pumps provides a signal to operate the minimum flow bypass line valve for each pump set. When the flow reaches the value required to prevent pump overheating, the valves close and all flow is directed into the sparger.

7.3.1.1a.1.5.8 Separation

The CS System consists of four CS Pumps powered from four independent 4.16 kV buses. Each CS Pump (A through D) is powered from its respective 4.16 kV bus (A through D). Class 1E 125 VDC Bus A (Channel A) provides logic control power to the Division I relay logic. The Division I relay logic provides a start signal to CS Pumps A and C. Class 1E 125 VDC Bus B (Channel B) provides logic control power to the Division II relay logic. Division II relay logic provides a start signal to CS Pumps B and D. The two divisionalized logics are located in separate panels. Each CS Pump (A through D) obtains its breaker control power from its respective Class 1E 125 VDC Bus (A through D).

7.3.1.1a.1.5.9 Testability

The CS system is provided with a test jack in both logics A and B. The reactor low water level or high drywell pressure one-out-of-two-twice circuit can be completely tested by actuating one instrument channel at a time. Completeness of tests can be assured if all instrument channels are tested. Insertion of the test plug at either logic relay panel is indicated in the control room.

7.3.1.1a.1.5.10 Environmental Considerations

There are no control and instrumentation components for the CS system that are located inside the primary containment that must operate in the environment resulting from a LOCA. All components of the CS system that are required for system operation are outside the drywell and are selected in consideration of the normal and accident environments in which they must operate.

7.3.1.1a.1.5.11 Operational Considerations

7.3.1.1a.1.5.11.1 General Information

The CS system is not required for normal plant operation. When it is required for accident conditions, it will be initiated automatically by the circuitry described in this section. No operator action will be required for at least 20 minutes following initiation.

7.3.1.1a.1.5.11.2 Reactor Operator Information

Core Spray System pressure between the two pump discharge valves is monitored by a pressure switch to permit detection of leakage from the RCPB into the CS system outside the primary containment. A detection system is also provided to continuously confirm the integrity of the core spray piping between the inside of the reactor vessel and the core shroud. A differential pressure switch measures the pressure difference between the top of the core support plate and the inside of the CS sparger pipe just outside the reactor vessel. If the CS sparger piping is sound, this pressure difference will be the pressure drop across the core resulting from interchannel leakage. If integrity is lost, this pressure drop will include the steam separator pressure drop. An increase in the normal pressure drop initiates an alarm in the main control room. Pressure in each core spray pump suction line is monitored by a local pressure indicator to determine suction head and pump performance. Pressure in the discharge line of the pair of pumps is monitored by a pressure indicator in the control room to determine pump performance.

7.3.1.1a.1.5.11.3 Setpoints

Refer to the Technical Requirements Manual for safety trip setpoints; and the plant Technical Specifications for the Allowable Values.

7.3.1.1a.1.6 Low Pressure Coolant Injection (LPCI) System - Instrumentation and Controls

7.3.1.1a.1.6.1 System Identification

Low pressure coolant injection (LPCI) is an operating mode of the residual heat removal system (RHR). The RHR system and its operating modes are discussed in Chapters 5 and 6. Because the LPCI system is designed to provide water to the reactor vessel following the LOCA, the controls and instrumentation for it are discussed here.

7.3.1.1a.1.6.2 Equipment Design

Dwgs. M-151, Sh. 1, M-151, Sh. 2, and M-151, Sh. 3 show the entire RHR system, including the equipment used for LPCI operation. Control and instrumentation for the following equipment is essential:

(1) Four RHR main system pumps

(2) Pump suction valves

(3) LPCI injection valves

(4) Vessel level switches

(5) Drywell pressure switches

(6) Vessel pressure switches

The instrumentation for LPCI operation controls other valves in the RHR. This ensures that the water pumped from the suppression pool by the main system pumps is routed directly to the reactor. These interlocking features are described in this subsection. LPCI operation uses two identical pump loops, each loop with two pumps in parallel. The two loops are arranged to discharge water into different reactor recirculation loops. A cross-connection containing two keylocked normally closed valves in series exists between the pump discharge lines of each loop.

Dwgs. M-151, Sh. 1, M-151, Sh. 2, and M-151, Sh. 3 show the locations of instruments, control equipment, and LPCI components. Except for the RHR testable check valves and the reactor recirculation loop valves, the components pertinent to LPCI operation are located outside the primary containment.

Power for the main system pumps is supplied from AC buses that can receive standby AC power. Motive power for the injection valves (one in each loop) used during LPCI operation comes from a bus which can be automatically connected to alternate standby power sources. Refer to Subsection 8.3.1.3.5 for discussion of this bus. Control power for the LPCI components, except valves, comes from the DC buses. Redundant trip systems are powered from different DC buses.

LPCI is arranged for automatic operation and for remote manual operation from the main control room. The equipment provided for manual operation of the system allows the operator to take action independent of the automatic controls in the event of a LOCA.

7.3.1.1a.1.6.3 Initiating Circuits

Two diverse automatic initiation signals are provided for the RHR (LPCI) pumps; namely, reactor vessel low water level (Level 1) or drywell high pressure coincident with low reactor pressure. The low reactor pressure permissive is provided to prevent a high drywell pressure condition which is not accompanied by low reactor pressure, i.e., a false LOCA signal, from disabling two RHR pumps on the other unit. (This would otherwise occur due to the interlocks between the Unit 1 and Unit 2 RHR pumps as discussed in Subsection 7.3.1.1a.1.6.5.) After system initiation, the LPCI injection valve is opened when the low reactor pressure permissive is present.

The RHR (LPCI) pump initiation logic is cross connected between divisions; i.e., a start signal from either division will start all four pumps. This feature is essential to ensuring that the ECCS equipment specified in Table 6.3-5 will be available in the event of a discharge side break and the single failure of a DC power source. The cross-connection logic ensures that the RHR pump assumed to remain is available, and this pump is necessary to meet minimum ECCS criteria (see Subsection 6.3.3.2).

The low water level or high drywell pressure initiation signal for the LPCI system is a one-out-of-two-twice circuit arrangement as described in Subsection 7.3.1.1a.1.5.3 for the CS system. A manual system initiation is provided by armed pushbutton switches shown as Item (6) RHR A/RHR C and Item (7) RHR B/RHR D of Subsection 7.3.2a.1.2.1.9.

Dwgs. M-151, Sh. 1, M-151, Sh. 2, and M-151, Sh. 3 can be used to determine the locations of sensors and Dwgs. M1-E11-51, Sh. 1, M1-E11-51, Sh. 2, M1-E11-51, Sh. 3, M1-E11-51, Sh. 4, and M1-E11-51, Sh. 5 can be used to determine the functional use of each sensor in the control circuitry for LPCI components. Instrument function, type, ranges and number of channels provided are given in Table 7.3-4.

7.3.1.1a.1.6.4 Logic and Sequencing

The overall LPCI operating sequence following the receipt of an initiation signal is as follows:

(1) The valves in the suction paths from the suppression pool are kept open and require no automatic action to line up suction.

(2) If normal AC power is available, the A and B RHR pumps start immediately, taking suction from the suppression pool. The other two pumps start after a 7.5-second delay to limit the loading of the power sources. In the event the normal AC power is lost, standby power sources become available and all pumps start after a 3-second time delay.

(3) Valves used in other RHR modes are automatically positioned so the water pumped from the suppression pool is routed correctly.

(4) The LPCI injection valves automatically open when reactor pressure decreases to the setpoint.

(5) When reactor vessel pressure has dropped to a value at which the main system pumps are capable of injecting water into the recirculation loops, water is delivered to the reactor vessel via the recirculation loop until the vessel water level is adequate to provide core cooling and the RHR pumps are manually shut off.

When the RHR system is operating in the shutdown cooling mode below the pressure where LPCI is not required, receipt of an initiation signal will not automatically open the LPCI injection valves. The low water level signal, however, will isolate the shutdown cooling valves to prevent further loss of water; the CS system will operate to provide cooling makeup water.

7.3.1.1a.1.6.5 Bypasses and Interlocks

To protect the pumps from overheating at low flow rates, a minimum flow bypass pipeline is provided which routes water from the pump discharge to the suppression chamber, for each pair of pumps. A single motor-operated valve controls the conditions of each bypass line. The minimum flow bypass valve automatically opens upon sensing low flow in the discharge lines from both pumps of the associated pump pair. The valve automatically closes whenever the flow from the main system pumps is above the low flow setting. Flow indications are derived from flow switches that sense the pressure differential across a length of the pump discharge lines. Dwgs. M-151, Sh. 1, M-151, Sh. 2, and M-151, Sh. 3 show the location of the flow switches. One switch is used for each pair of pumps.

The valves that allow the diversion of water for containment cooling are automatically closed upon receipt of a low water level and/or high drywell pressure (LOCA) signal, or a system level manual initiation of the LPCI mode. The manual controls for these valves are interlocked so that opening the valves is possible only if there is no LOCA or manual initiation signal present. A keylock switch in the main control room allows a manual override of the LOCA interlock for containment cooling valve operation.

Interlocks are provided between Susquehanna Units 1 and 2 within the LPCI systems. The Unit 1 and Unit 2 RHR pumps are interlocked such that a Unit 1 and corresponding Unit 2 pump cannot operate at the same time. The interlock assures that the shared Emergency Power Supplies are not overloaded.

Additional interlocks are provided for the following conditions:

1. LOCA/false-LOCA - The interlocks stop and prevent the manual or automatic starting of one pump in each RHR Loop as follows: Unit 1 LOCA initiation logic stops RHR pumps A and B in Unit 2; similarly, Unit 2 LOCA initiation logic stops RHR pumps C and D in Unit 1.

The purpose of these interlocks is to assure that adequate core cooling pump capacity exists in the Unit with the actual LOCA.

2. LOCA in one Unit, Non-LOCA in the other Unit - The interlocks stop and prevent the manual or automatic starting of all four of the non-LOCA Unit's RHR pumps, thus assuring that all four RHR pumps on the LOCA unit will operate, providing adequate core cooling pump capacity in the unit with the LOCA. Analyses were performed on the non-LOCA Unit, assuming the following initial conditions one at a time:
a. Normal power generation with or without suppression pool cooling
b. High Pressure, hot standby
c. Low pressure, hot standby
d. Cold shutdown with RPV head on
e. Cold shutdown with RPV head off

In addition, the analysis assumed the RHR system was inoperable on the non-LOCA Unit for a period of twenty minutes. The non-LOCA unit response has been determined to be bounded by existing Chapter 15 events.

7.3.1.1a.1.6.6 Redundancy and Diversity

The LPCI system is redundant in that two separate loops are provided, with pumps A and C feeding into recirculation loop A, and pumps B and D feeding into recirculation loop B. Loops A and B are connected together by means of a cross header containing two series mounted valves which are keylocked closed and have their power removed except during cold shutdown. Failure of A or B logic would still allow two pumps to supply water to the reactor.

7.3.1.1a.1.6.7 Actuated Devices

The functional control arrangement for the RHR pumps is shown in Dwg. M1-E11-51, Sh. 1. When AC power is available, two of the RHR pumps start immediately, while the remaining two pumps start after a 7.5 second delay. The operator can manually control the pumps from the main control room, thus permitting the operator to use the pumps for other purposes, such as containment cooling. Two pressure switches are installed in each pump discharge pipeline to verify that the pumps are operating following an initiation signal. The pressure signal is used in the ADS to verify availability of low pressure core cooling. The pressure instruments are located upstream of the pump discharge check valves to prevent the operating pump discharge pressure from concealing a pump failure. The main system pump motors are provided with overload protection. The overload relays maintain power on the motors as long as possible without harming the motors or jeopardizing the emergency power system.

All automatic valves used in the LPCI function are equipped with remote manual test capability.

The entire system can be operated from the main control room. Motor operated valves have limit switches to turn off the motors when the full open positions are reached and are torque seated in the closing direction. Valves that have vessel and containment isolation requirements are described in Subsection 7.3.1.1a.2.

The RHR pump suction valves from the suppression pool are normally open. To reposition the valves, a key lock switch must be turned in the main control room. On receipt of an LPCI system initiation signal, other RHR system valves are signaled to close, even though they may normally be closed, to ensure that the RHR pump discharge is correctly routed. The normally closed valves that provide suction from the recirculation loop during RHR shutdown cooling mode are signaled closed by the low water level signal.

A 'LOCA OVERRIDE' switch, when manually operated, cancels the LPCI open signal to the heat exchanger bypass valves. The signal override allows the operator to control the flow through the heat exchangers for other post-accident or ATWS conditions. Overriding the open signal does not cause the bypass valve to close.

7.3.1.1a.1.6.8 Separation

The LPCI System consists of four RHR Pumps powered from four independent 4.16 kV buses. Each RHR Pump (A through D) is powered from its respective 4.16 kV bus (A through D). Class 1E 125 VDC Bus A (Channel A) provides logic control power to the Division I relay logic. The Division I relay logic provides a start signal to all four RHR Pumps. Class 1E 125 VDC Bus B (Channel B) provides logic control power to the Division II relay logic. Division II relay logic also provides a start signal to all four RHR Pumps. The two divisionalized logics are located in separate panels. Each RHR Pump (A through D) obtains its breaker control power from its respective Class 1E 125 VDC Bus (A through D).

7.3.1.1a.1.6.9 Testability

The LPCI system is provided with test jacks in each logic. The reactor vessel low water level or high drywell pressure one-out-of-two-twice circuit can be tested by actuating one instrument channel at a time. Completeness of tests can be assured if all instrument channels are tested.

The other test jacks are used in the logic to facilitate testing as required. Insertion of the test plug in any jack actuates an alarm in the main control room to indicate that the LPCI system is in test status and the system is inoperative.

7.3.1.1a.1.6.10 Environmental Considerations

The only control components pertinent to LPCI operation that are located inside the drywell are those controlling the gas-operated check valves on the injection lines. Other equipment, located outside the primary containment, is selected in consideration of the normal and accident environments in which it must operate (see Section 3.11).

7.3.1.1a.1.6.11 Operational Considerations

7.3.1.1a.1.6.11.1 General Information

The LPCI mode is not required for normal operation.

7.3.1.1a.1.6.11.2 Reactor Operator Information

Initiation of this mode is automatic, and no operator action is required for at least 20 minutes following initiation. Under certain conditions, automatic opening of LPCI injection valves on low RW level is blocked. These conditions include: reactor pressure 135 psig and the RHR system is aligned for the shutdown cooling mode, RHR Reactor Pump suction from RPV valves HV-1F008 and HV-1F009 not fully closed, and an isolation signal exists. The operator may control the RHR system manually after initiation to use its capabilities in the other modes of the RHR system, if the core is being cooled by other ECCS. Temperature, flow, pressure, and valve position indications are available in the main control room for the operator to assess the LPCI system operation accurately. Valves have indications of full open, intermediate, and full closed positions. Pumps have indications for pump running and pump stopped. Alarm and indication devices are shown in Dwgs. M-151, Sh. 1, M-151, Sh. 2, M-151, Sh. 3, M1-E11-51, Sh. 1, M1-E11-51, Sh. 2, M1-E11-51, Sh. 3, M1-E11-51, Sh. 4, and M1-E11-51, Sh. 5.

7.3.1.1a.1.6.11.3 Setpoints

Refer to the Technical Requirements Manual for safety trip setpoints, and to the plant Technical Specifications for the Allowable Values.

7.3.1.1a.2 Primary Containment and Reactor Vessel Isolation Control System - for NSSS Instrumentation and Controls

7.3.1.1a.2.1 System Identification

The PCRVICS includes the instrument channels, logics and actuation circuits that activate valve closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment or reactor vessel or both.

The PCRVICS include the following instrumentation and control subsystems:

(1) Reactor Vessel - Low Water Level

(2) Main Steamline - High Radiation

(3) RB Main Steamline Tunnel - High Temperature and Differential Temperature (high differential temperature isolation and isolation alarm function have been removed but equipment still remains in the field.)

(4) Main Steamline - High Flow

(5) Main Turbine Inlet - Low Steam Pressure

(6) Drywell - High Pressure

(7) Reactor Water Cleanup System - High Differential Flow

(8) Reactor Water Cleanup System - Area - High Temperature and Differential Temperature (high differential temperature isolation and isolation alarm function has been removed but equipment still remains in the field.)

(9) Intentionally left blank

(10) Main Condenser - Vacuum Trip

(11) Reactor Water Cleanup System - High Flow

This system provides initiation to non-NSSS systems as follows:

(1) Containment Isolation (see Subsection 7.3.1.1b.1)

(2) Standby Gas Treatment System (see Subsection 7.3.1.1b.4)

(3) Reactor Building Isolation and HVAC Support System (see Subsection 7.3.1.1b.6)

The purpose of the system is to prevent the gross release of radioactive material in the event of a breach in the RCPB by automatically isolating the appropriate pipelines that penetrate the primary containment. The power generation objective of this system is to avoid spurious closure of particular isolation valves as a result of single failure. Identification of NSSS and non-NSSS valves closed by the PCRVICS is provided in Table 6.2-12.

7.3.1.1a.2.2 System Power Sources

Power for the system channels and logics of the isolation control system and main steamline isolation valves is supplied from the two electrical buses that supply the reactor protection system trip systems. Each bus has its own motor-generator set and can receive alternate power from the preferred power source. Each bus can be supplied from only one of its power sources at any given time. Motor-operated isolation valves receive power from emergency buses. Power for the operation of any two valves mounted in series is supplied from separate or different sources. Inboard isolation valves are powered from the Division I AC power source. Outboard isolation valves use a Division II DC power source.

7.3.1.1a.2.3 System Equipment Design

Pipelines that penetrate the primary containment and drywell and directly communicate with the reactor vessel generally have two isolation valves, one inside the primary containment and one outside the primary containment. These automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the RCPB.

Power cables run in raceways from the electrical source to each motor-operated isolation valve. Solenoid valve power goes from its source to the control devices for the valve. The main steamline isolation valve controls include pneumatic piping, and an accumulator for the gas operated valves as the emergency motive power source in addition to the springs. Pressure, temperature, and water level sensors are mounted on instrument racks or locally in either the secondary containment or the turbine building. The location of these sensors is shown on FSAR Dwgs:

J-2-4, Sh. 1; J-6-3, Sh. 1; J-6-4, Sh. 1; J-10-3, Sh. 1; J-11-4, Sh. 1; J-25-1, Sh. 1; J-25-3, Sh. 1; J-25-4, Sh. 1; J-26-2, Sh. 1; J-26-3, Sh. 1; J-26-4, Sh. 1; J-26-6, Sh. 1; J-26-12, Sh. 1; J-27-1, Sh. 1; J-27-2, Sh. 1; J-27-3, Sh. 1; J-27-4, Sh. 1; J-27-5, Sh. 1; J-27-6, Sh. 1; J-28-1, Sh. 1; J-28-2, Sh. 1; J-28-3, Sh. 1; J-28-4, Sh. 1; J-28-5, Sh. 1; J-28-6, Sh. 1; J-29-1, Sh. 1; J-29-3, Sh. 1; J-29-4, Sh. 1; and J-29-5, Sh. 1

Valve position switches are mounted on motor and gas-operated valves. Switches are encased to protect them from environmental conditions. Cables from each sensor are routed in raceways to the control structure. All signals transmitted to the main control room are electrical; no piping from the reactor coolant pressure boundary penetrates the main control room. The sensor cables and power supply cables are routed to cabinets in the control or electrical equipment rooms, where the sensor signals and supplied power are arranged according to system logic requirements.

7.3.1.1a.2.4 System Initiating Circuits

During normal plant operation, the isolation control system sensors and trip controls that are essential to safety are energized. When abnormal conditions are sensed, contacts in the trip logic initiate isolation. Loss of both power supplies also initiates isolation.

Each main steamline isolation valve is fitted with two control solenoids. For any valve to close automatically, both of its solenoids must be deenergized. Each solenoid receives inputs from two logics; a signal from either can deenergize the solenoid.

For the main steamline isolation valve control, four instrument channels are provided for each measured variable. The four channels (A, B, C, and D) are independent and separate. One output of the Channels A and C logic actuators controls one solenoid in both the inboard and outboard valves of all four main steamlines. One output of the Channels B and D logic actuators controls the other solenoid in both inboard and outboard valves for all four main steamlines.

The main steamline drain valves and inboard valves close if two of the main steamline isolation logics are tripped, and the outboard valves close if the other two logics are tripped.

The reactor water cleanup system and RHR system isolation valves are each controlled by two logic circuits; one for the inboard valve and a second for the outboard valve.

7.3.1.1a.2.4.1 Isolation Functions and Settings

The isolation function, instrument type, range and number of channels provided for the PCRVICS are listed in Table 7.3-5. The functional control diagrams, Dwgs. M1-B21-92, Sh. 1, M1-B21-92, Sh. 2, M1-B21-92, Sh. 3, M1-B21-92, Sh. 4, M1-B21-92, Sh. 5, and M1-B21-92, Sh. 6, illustrate how these signals initiate closure of isolation valves.

7.3.1.1a.2.4.1.1 Reactor Vessel Low Water Level

7.3.1.1a.2.4.1.1.1 Subsystem Identification

A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the RCPB and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.

Reactor vessel low water level initiates closure of various valves. The closure of these valves is intended to isolate a breach in any of the pipelines in which the valves are contained, conserve reactor coolant by closing off process lines, or prevent the escape of radioactive materials from the primary containment through process lines that communicate with the primary containment interior.

Three reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel.

The first low water level setting (which is the RPS low water level scram setting, Low Level 3) is selected to initiate isolation at the earliest indication of a possible breach in the reactor coolant pressure boundary, yet far enough below normal operational levels to avoid spurious isolation.

Isolation of the following pipelines is initiated when reactor vessel low water level falls to Level 3:

(1) RHR-Reactor Vessel head spray

(2) RHR shutdown cooling suction

(3) TIP guide tube

(4) Non-NSSS system isolation as described in Subsection 7.3.1.1b

The second (and lower) reactor vessel low water level isolation setting (the same water level setting at which the RCIC system is placed in operation, Low, Low Level 2) is selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram and high enough to complete isolation in time for ECCS operation in the event of a large break in the RCPB.

Isolation of the following pipelines is initiated when the reactor vessel water level falls to Level 2:

(1) Reactor water sample line

(2) RWCU system suction

(3) Non-NSSS system isolation as described in Subsection 7.3.1.1b

The third (and lowest) reactor vessel low water level isolation setting (Low Low Low Level 1) is selected low enough to allow operation of those systems which may alleviate the effects of a LOCA inside of containment, yet high enough to allow isolation of those systems when an uncovered core may be imminent. Isolation of the following pipelines is initiated when the reactor vessel water level falls to Level 1:

(1) Main steamlines

(2) Main steamline drain

(3) RHR - Drywell Spray

(4) RHR - Suppression Pool Spray/Suppression Pool Cooling

(5) Core Spray Test Line

(6) Non-NSSS System isolation as described in Section 7.3.1.1b

Reactor vessel low water level signals are initiated from indicating type differential pressure switches. One contact on each of four redundant switches per trip system is used to indicate that water level has decreased to Low Level 3; one contact on each of four other redundant switches per trip system is used to indicate that water level has decreased to Low, Low Level 2 or Low, Low, Low Level 1 as required.

Three instrument lines, one common line above water level and one from each differential pressure switch to the below water level taps, are provided for each redundant pair of level switches. Each switch pair provides signals into one trip logic. There is a different trip logic for each switch pair.

The three lines of each pair terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The reactor vessel low water level switches sense level from these pipes. This arrangement assures that no single physical event can prevent isolation, if required. Cables from the level sensors are routed to the control structure. Temperature equalization is used to increase the accuracy of the level measurements.

7.3.1.1a.2.4.1.1.2 Subsystem Power Supplies

For the power supplies for main steamline isolation valves and other isolation valves, see Figures 7.3-2 and 7.3-3, respectively.

7.3.1.1a.2.4.1.1.3 Subsystem Initiating Circuits

Four level sensing circuits monitor the reactor vessel water level. One level circuit is associated with each of four logic channels. Four level switches at two separate locations on the reactor vessel allow the earliest possible detection of reactor vessel low water level.

7.3.1.1a.2.4.1.1.4 Subsystem Logic and Sequencing

When a significant decrease in reactor water level is detected, trip signals are transmitted to the PCRVICS, which initiates closure of the main steamline isolation valves, main steamline drain valves, RHR process sampling valve, RHR discharge valve to radwaste, reactor water sample valve, and TIP system valves.

Four instrumentation channels are provided to assure that protective action occurs when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a logic channel trip. Logic channel trips are combined as shown in Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.1.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation for each reactor vessel low water level setpoint is provided by four level switches installed at separate locations in secondary containment. Each trip system is powered from diverse and redundant power supplies.

Diversity to reactor vessel low water level (Level 3) for pipe breaks inside the primary containment is provided by drywell high pressure. RHR leak detection instrumentation provides diversity to reactor vessel low water level for pipe breaks outside of primary containment. No diversity is provided for pipe breaks outside the primary containment for TIP guide tube isolation.

Diversity to reactor vessel low low water (Level 2) which results in isolation as indicated in Subsection 7.3.1.1a.2.4.1.1.1, for pipe breaks outside the primary containment, is provided by main steamline and RWCS leak detection instrumentation. No diversity is provided for breaks inside the primary containment.

7.3.1.1a.2.4.1.1.6 Subsystem Bypasses and Interlocks

The low water level (Level 1) initiation of the MSIVs (Div. 1) Control Logic "A" and Control Logic "C" can be manually bypassed from the Control Room following an ATWS event, or during beyond design basis conditions (e.g., Rapid Depressurization or Primary Containment Flooding).

Bypassing of the low water level isolation signal interlock will not prevent MSIV closure since other diverse isolation signal interlocks are available.

Reactor vessel low water level trip has provisions to initiate the standby gas treatment system.

7.3.1.1a.2.4.1.1.7 Subsystem Testability

Testability is discussed in Subsections 7.3.2a.2.2.3.1.9 and 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.2 Main Steamline High Radiation

7.3.1.1a.2.4.1.2.1 Subsystem Identification

High radiation in the vicinity of the main steamlines could indicate a gross release of fission products from the fuel. High radiation near the main steamlines initiates isolation of the following pipelines:

(1) Reactor water sample line

The high radiation trip setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to promptly detect a gross release of fission products from the fuel.

Refer to Section 11.5 for subsystem description.

The objective of the main steamline radiation monitoring subsystem is to monitor for the gross release of fission products from the fuel and, upon indication of such release, the control room operators manually initiate appropriate action to limit fuel damage and contain the released fission products.

This subsystem classification is provided in Table 3.2-1.

7.3.1.1a.2.4.1.2.2 Subsystem Power Sources

The 120 VAC RPS Buses A and B are the power sources for the main steamline radiation monitoring subsystem. Two channels are powered from one RPS bus and the other two channels are powered from the other RPS bus.

7.3.1.1a.2.4.1.2.3 Subsystem Initiating Circuits

Four gamma-sensitive instrumentation channels monitor the gross gamma radiation from the main steamlines. The detectors are physically located near the main steamlines just downstream of the outboard main steamline isolation valves. The detectors are geometrically arranged to detect significant increases in radiation level with any number of main steamlines in operation. Their location along the main steamlines allows the earliest practical detection of a gross fuel failure.

Each monitoring channel consists of a gamma-sensitive ion chamber and a log radiation monitor, as shown in Dwgs. M1-D12-1, Sh. 1, M1-D12-1, Sh. 2, M1-D12-1, Sh. 3, M1-D12-1, Sh. 4, and M1-D12-1, Sh. 5. Capabilities of the monitoring channel are listed in Table 11.5-1. Each log radiation monitor has three trip circuits. One upscale trip circuit is used to initiate isolation and an alarm. The second circuit is used for an alarm and is set at a level below that of the upscale trip circuit used for isolation. The third circuit is a downscale trip that actuates an alarm in the main control room and produces an isolation trip signal. The output from each log radiation monitor is displayed on a six-decade meter on a back row panel in the main control room.

7.3.1.1a.2.4.1.2.4 Subsystem Logic and Sequencing

When a significant increase in the main steamline radiation level is detected, trip signals are transmitted to the reactor protection system, the PCRVICS, and to condenser air removal systems.

Upon receipt of the high radiation trip signals, the PCRVICS initiate closure of the reactor coolant sample valves.

Four instrumentation channels are provided to assure protective action when needed and to prevent inadvertent scram and isolation resulting from instrumentation malfunctions. The output trip signals of each monitoring channel are combined as shown in Figures 7.3-2 and 7.3-3. Failure of any one monitoring channel does not result in inadvertent action.

7.3.1.1a.2.4.1.2.5 Subsystem Bypasses and Interlocks

No operational bypasses are provided with this subsystem. However, the individual log radiation monitors may be bypassed for maintenance or calibration by the use of test switches on each monitor. Bypassing one log radiation monitor will not cause an isolation but will cause a single trip system trip to occur.

The main steamline radiation monitor isolation signals provide interlocks to prevent operation of the condenser mechanical vacuum pump.

7.3.1.1a.2.4.1.2.6 Subsystem Redundancy and Diversity

The number of monitoring channels in this subsystem provides the required redundancy and is verified in the circuit description.

The single failure criterion has been met in the design by providing redundant sensors, channels, division logics and trip systems, which are seismically and environmentally qualified. The failure of a single component will not prevent the system from functioning in the event protective action is required. In addition, a single failure will not initiate an isolation function, due to the use of two independent trip systems.

7.3.1.1a.2.4.1.2.7 Testability

A built-in source of adjustable current is provided with each log radiation monitor for test purposes.

The operability of each monitoring channel can be routinely verified by comparing the outputs of the channels during power operation.

7.3.1.1a.2.4.1.2.8 Environmental Considerations

This subsystem is designed and has been qualified to meet the environmental conditions indicated in Section 3.11. In addition, this subsystem has been seismically qualified as described in Section 3.10a.

7.3.1.1a.2.4.1.2.9 Operational Considerations

In the event of a high or low radiation level trip within any of the channels, the subsystem will automatically activate the appropriate alarm annunciator and provide a meter indication in the main control room. Similarly, the occurrence of a high-high or an inoperable trip within any of the channels of the system will result in a signal being sent to the PCRVICS.

The panels in the main control room, associated with the PCRVICS, are identified by colored nameplates which indicate the panel function and identification of the contained logic channels.

The only direct support required for the PCRVICS is the electrical power system, which is provided from 120 VAC RPS Buses A and B as described in Subsection 7.3.1.1a.2.4.1.2.2 and Chapter 8.0.

7.3.1.1a.2.4.1.3 Main Steamline Tunnel High Temperature and Differential Temperature

7.3.1.1a.2.4.1.3.1 Subsystem Identification

High temperature in the tunnel in which the main steamlines are located outside of the primary containment could indicate a breach in a main steamline. Also, such a breach may be indicated by high differential temperature between the outlet and inlet ventilation air for this steamline tunnel (note the high differential temperature isolation and isolation alarm function has been removed but a pre-isolation alarm will still be initiated for high differential temperature). The automatic closure of various valves prevents the excessive loss of reactor coolant and the release of a significant amount of radioactive material from the RCPB. Main steamline tunnel temperatures are monitored in the Reactor Building and Turbine Building portions of the steam tunnel; steam tunnel differential temperature is monitored only in the Reactor Building portion of the steam tunnel and the differential temperature does not provide an isolation or isolation alarm function. When high temperatures occur in the Reactor Building main steamline tunnel, the following pipelines are isolated (Turbine Building main steamline tunnel high temperature is alarm only):

(1) Main steamlines

(2) Main steamline drain

The Reactor Building main steamline tunnel high temperature trip is set far enough above the temperature expected during operation at rated power to avoid spurious isolation, yet low enough to detect a pipe crack well below the size that would become unstable and rupture (critical crack size).

High temperature in the vicinity of the main steamlines is detected by four dual element thermocouples in each portion of the steam tunnel with remote readout in the control room. These thermocouples are located along the main steamlines between the drywell wall and the Reactor Building wall, and between the Turbine Building wall and the turbine. The detectors are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment.

The temperature sensors activate an alarm at high temperature. The main steamline tunnel temperature detection system is designed to detect leak rates well below the flow corresponding to critical crack size in a main steam line. A total of four main steamline space high temperature channels are provided in each portion of the steam tunnel. Main steamline isolation logic receives an input signal from the main steamline Reactor Building tunnel high temperature.

7.3.1.1a.2.4.1.3.2 Subsystem Power Supplies

For the power supplies for the main steamline isolation valves and other isolation valves, see Figures 7.3-2 and 7.3-3, respectively.

7.3.1.1a.2.4.1.3.3 Subsystem Initiating Circuits

Four space and four differential temperature sensing circuits monitor the Reactor Building main steamline area temperatures. Four space temperature sensing circuits monitor the Turbine Building main steamline area temperatures, which is for alarm only. One space temperature circuit from each portion of the steam tunnel and one Reactor Building differential temperature circuit are connected to each of four instrumentation channels. Both sets of space temperature elements are physically located near the main steamlines in the main steamline tunnel. The eight temperature elements for differential temperature monitoring are located in the ventilation supply and exhaust ducts for the Reactor Building portion of the main steamline tunnel. The locations of the temperature elements provide the earliest practical detection of main steamline breaks. Note that the high differential temperature isolation and isolation alarm function have been removed but the above equipment is still located in the field. A pre-isolation alarm will still be initiated for high differential temperature.

7.3.1.1a.2.4.1.3.4 Subsystem Logic and Sequencing

When a significant increase in Reactor Building main steamline tunnel temperature is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiate closure of all main steamline isolation and drain valves.

Four instrumentation channels are provided to assure protective action when needed and to prevent inadvertent isolation resulting from instrumentation malfunctions.

The output trip signal of each instrumentation channel initiates a logic trip. The output trip signals of the logic are combined as shown in Figures 7.3-2 and 7.3-3. Failure of any one logic does not result in inadvertent action.

7.3.1.1a.2.4.1.3.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation signals for high space temperature is provided by four temperature elements installed at different locations within the Reactor Building main steamline tunnel. Each device is associated with one of four logic divisions. Temperature elements A and B are supplied from one power source, and C and D are supplied from a different power source.

Redundancy of trip initiation signals for high differential temperature is provided by four temperature element pairs installed at different locations within the ventilation supply and exhaust areas of the Reactor Building portion of the main steamline tunnel. Each pair of temperature elements is associated with one of four logic divisions. Note that the high differential temperature isolation and isolation alarm function have been removed but the above equipment is still located in the field. A pre-isolation alarm will still be initiated for high differential temperature.

Diversity of trip initiation signals for main steamline break is provided by main steamline tunnel temperature, main steamline high flow, low pressure instrumentation and reactor vessel low low water level, Level 1. An increase in tunnel temperature, main steamline flow, or a decrease in pressure will initiate main steamline and main steamline drain valve isolation.

7.3.1.1a.2.4.1.3.6 Subsystem Bypasses and Interlocks

No operational bypasses are provided with this subsystem. However, the temperature switches may be bypassed by the use of bypass switches provided for surveillance and calibration purposes. Bypassing of a temperature switch will neither cause nor prevent a logic channel trip.

Interlocks to other systems are not provided.

7.3.1.1a.2.4.1.3.7 Subsystem Testability

Testability is discussed in Subsections 7.3.2a.2.2.3.1.9 and 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.4 Main Steamline High Flow

7.3.1.1a.2.4.1.4.1 Subsystem Identification

Main steamline high flow could indicate a break in a main steamline. Automatic closure of various valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the RCPB. On detection of main steamline high flow, the following pipelines are isolated:

(1) Main steamlines

(2) Main steamline drain

The main steamline high flow trip setting was selected high enough to permit isolation of one main steamline for test at rated power without causing an automatic isolation of the other steamlines, yet low enough to permit early detection of a steamline break.

High flow in each main steamline is sensed by four indicating type differential pressure switches that sense the pressure difference across the flow element in that line.

7.3.1.1a.2.4.1.4.2 Subsystem Power Supplies

For power supplies, refer to Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.4.3 Subsystem Initiating Circuits

Sixteen differential pressure sensing circuits, four for each main steamline, monitor the main steamline flow. One differential pressure circuit for each main steamline is associated with each of four logics. Four differential pressure indicating switches are installed on each main steamline and provide the earliest practical detection of a main steam line break.

7.3.1.1a.2.4.1.4.4 Subsystem Logic and Sequencing

When a significant increase in main steamline flow is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiate closure of all main steamline isolation and drain valves.

Four instrumentation logics are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a logic trip. The output trip signals of the logics are combined, as shown in Figures 7.3-2 and 7.3-3, in one-out-of-two-twice and two-out-of-two logics. Logic A or C and B or D are required to initiate main steamline isolation. Logics A and B or C and D are required to initiate main steamline drain isolation. Failure of any one logic does not result in inadvertent action.
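Added example (not part of the FSAR): a Python model of the trip-logic voting stated above, with the main steamline isolation valve vote built from the two-solenoid arrangement described in Subsection 7.3.1.1a.2.4, that exhaustively checks the single-failure criterion in both directions and lists the minimal combinations of tripped logics that actuate each function. It assumes each logic is a boolean (True = tripped) and leaves out power loss, bypass switches and timing; all function names are hypothetical.

```python
from itertools import product

LOGICS = ("A", "B", "C", "D")  # the four trip logics named in the text


def state(tripped_names):
    """Map each logic to True (tripped) or False (not tripped)."""
    return {name: name in tripped_names for name in LOGICS}


def solenoid_deenergized(tripped, feeding_logics):
    """Either of the two logics feeding a solenoid can deenergize it."""
    return any(tripped[name] for name in feeding_logics)


def msiv_closes(tripped):
    """An MSIV closes only when both of its solenoids are deenergized.

    One solenoid is fed by logics A and C, the other by B and D, which
    gives the one-out-of-two-twice vote (A or C) and (B or D).
    """
    return (solenoid_deenergized(tripped, ("A", "C"))
            and solenoid_deenergized(tripped, ("B", "D")))


def drain_isolates(tripped):
    """Two-out-of-two vote for the drain valves: (A and B) or (C and D)."""
    return (tripped["A"] and tripped["B"]) or (tripped["C"] and tripped["D"])


def minimal_trip_sets(vote):
    """Smallest combinations of tripped logics that actuate `vote`."""
    actuating = []
    for bits in product((False, True), repeat=len(LOGICS)):
        tripped = dict(zip(LOGICS, bits))
        if vote(tripped):
            actuating.append(frozenset(n for n in LOGICS if tripped[n]))
    # A set is minimal if no other actuating set is a proper subset of it.
    minimal = [s for s in actuating if not any(o < s for o in actuating)]
    return sorted(sorted(s) for s in minimal)


def single_failure_check(vote):
    """Check both directions of the single-failure criterion.

    spurious: logics whose lone trip (no real demand) would actuate.
    blocking: logics whose failure to trip on a real demand (the other
              three trip) would prevent actuation.
    Both lists are empty when the vote tolerates any single failure.
    """
    spurious = [n for n in LOGICS if vote(state({n}))]
    blocking = [n for n in LOGICS if not vote(state(set(LOGICS) - {n}))]
    return {"spurious": spurious, "blocking": blocking}


if __name__ == "__main__":
    for label, vote in (("Main steamline isolation", msiv_closes),
                        ("Main steamline drain isolation", drain_isolates)):
        print(label)
        print("  minimal trip sets:", minimal_trip_sets(vote))
        print("  single-failure check:", single_failure_check(vote))
```

Both votes pass the single-failure check, but they differ in which pairs of logics actuate: A with C (or B with D) does not close the isolation valves, and A with D (or B with C) does not isolate the drains.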

7.3.1.1a.2.4.1.4.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation signals for high flow is provided by four differential pressure switches for each main steamline. Each differential pressure switch for each main steamline is associated with one of four logics. Two differential pressure switches for each main steamline are supplied from one power source and two are supplied from a different power source.

Diversity of trip initiation signals is described in Subsection 7.3.1.1a.2.4.1.3.5.

7.3.1.1a.2.4.1.4.6 Subsystem Bypasses and Interlocks

There are no bypasses associated with this Subsystem or interlocks to other systems from main steamline high flow trip signals.

7.3.1.1a.2.4.1.4.7 Subsystem Testability

Testability is discussed in Subsections 7.3.2a.2.2.3.1.9 and 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.5 Main Turbine Inlet - Low Steam Pressure

7.3.1.1a.2.4.1.5.1 Subsystem Identification

Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the steam pressure regulator in which the turbine control valves or turbine bypass valves become fully open and cause rapid depressurization of the reactor vessel. From part-load operating conditions, the rate of decrease of saturation temperature could exceed the allowable rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventive action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid these requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored. Pressure falling below a pre-selected value with the reactor in the RUN mode initiates isolation of the following pipelines:

(1) Main steamlines
(2) Main steamline drain

The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure regulator malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, the discussion is included to complete the listing of isolation functions.

Main steamline low pressure is sensed by four bourdon-tube-operated pressure switches that sense pressure downstream of the outboard main steamline isolation valves. The sensing point is located at the header that connects the four steamlines upstream of the turbine stop valves. Each switch is part of an independent channel. Each channel provides a signal to one isolation logic.

7.3.1.1a.2.4.1.5.2 Subsystem Power Supplies

For power supplies, refer to Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.5.3 Subsystem Initiating Circuits

Four pressure sensitive circuits, one for each main steamline, monitor main steamline pressure. One pressure circuit is associated with each of four logics. The locations of the pressure switches provide the earliest practical detection of low main steamline pressure.

7.3.1.1a.2.4.1.5.4 Subsystem Logic and Sequencing

When a significant decrease in main steamline pressure is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiate closure of all main steamline isolation and drain valves.

Four instrumentation channels are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a logic division trip. The output trip signals of the logics are combined as shown in Figures 7.3-2 and 7.3-3. Failure of any one channel does not result in inadvertent action.

7.3.1.1a.2.4.1.5.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation signals for low pressure is provided by four pressure switches, one for each main steamline. Each pressure switch is associated with one of four logics. Two pressure transmitters are supplied from one power source and the other two are supplied from a different power source.

Diversity of trip initiation signals is described in Subsection 7.3.1.1a.2.4.1.3.5.

7.3.1.1a.2.4.1.5.6 Subsystem Bypasses and Interlocks

The main steamline low pressure trip is bypassed by the reactor mode switch in the Shutdown, Refuel, and Startup modes of reactor operation. In the RUN mode, the low pressure trip function is operative.

There are no interlocks to other systems for main steamline low pressure trip signals.

7.3.1.1a.2.4.1.5.7 Subsystem Testability

Testability is discussed in Subsections 7.3.2a.2.2.3.1.9 and 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.6 Containment Drywell-High Pressure

7.3.1.1a.2.4.1.6.1 Subsystem Identification

High pressure in the drywell could indicate a breach of the RCPB inside the drywell. The automatic closure of various valves prevents the release of significant amounts of radioactive material from the primary containment. On detection of high drywell pressure, the following pipelines are isolated:

(1) HPCI, RCIC Vacuum Relief Valves
(2) RHR-Reactor Vessel Head Spray Valves
(3) Traversing in-core probe guide tubes
(4) RHR-Drywell, Suppression Pool Sprays, Suppression Pool Cooling
(5) Core Spray Test Line Valve
(6) Non-NSSS System isolation valves as described in Subsection 7.3.1.1b

The drywell high pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips.

7.3.1.1a.2.4.1.6.2 Subsystem Power Supplies

For power supplies, refer to Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.6.3 Subsystem Initiating Circuits

Drywell pressure is monitored by locally mounted pressure switches which are located outside of containment. Three separate sets of pressure switches, consisting of four switches each, monitor Drywell pressure for various isolation valves. Instrument sensing lines connect the switches with the Drywell interior. All Drywell pressure sensing lines are wholly contained within the Reactor Building/secondary containment. The switches are divisionally separate such that no single failure will prevent isolation trip system initiation on high Drywell pressure.

7.3.1.1a.2.4.1.6.4 Subsystem Logic and Sequencing

When a significant increase in drywell pressure is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiate closure of those system isolation valves identified in Subsection 7.3.1.1a.2.4.1.6.1.

Four instrumentation channels are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signals of the instrumentation channels are combined as shown in Figures 7.3-2 and 7.3-3. Failure of any one channel does not result in inadvertent action.

7.3.1.1a.2.4.1.6.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation signals for drywell high pressure is described in Subsections 7.3.1.1a.2.4.1.6.3 and 7.3.1.1a.2.4.1.6.4.

Diversity of trip initiation signals for line breaks inside of the primary containment is provided by drywell high pressure and reactor low water level. An increase in drywell pressure or a decrease in reactor water level will initiate isolation, except for HPCI and RCIC vacuum relief isolation valves which isolate on Drywell Pressure-high or Reactor Vessel/System Steam Supply low pressure. In these cases, Reactor Vessel low pressure provides the diverse isolation signal.

7.3.1.1a.2.4.1.6.6 Subsystem Bypasses and Interlocks

There are no bypasses for drywell high pressure trip signals.

7.3.1.1a.2.4.1.6.7 Subsystem Testability

Testability is discussed in Subsections 7.3.2a.2.2.3.1.9 and 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.7 and 7.3.1.1a.2.4.1.8 These Subsection numbers were not used.

7.3.1.1a.2.4.1.9 Reactor Water Cleanup (RWCU) System - High Differential Flow and High Flow

7.3.1.1a.2.4.1.9.1 Subsystem Identification

High differential flow or high flow in the reactor water cleanup system could indicate a breach of the RCPB in the cleanup system. The RWCU system flow at the inlet to the heat exchanger is compared with the flow at the outlet of the filter/demineralizer; high flow in the RWCU suction line is also monitored. High differential flow or high flow initiates isolation of the cleanup system.

7.3.1.1a.2.4.1.9.2 Subsystem Power Supplies

For power supply arrangements, see Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.9.3 Subsystem Initiating Circuits

Two differential flow actuation devices (FDSH-G33-1N603A, FDSH-G33-1N603B) provide an isolation signal A or isolation signal B, respectively, to isolate the reactor water cleanup system on high differential flow. High RWCU system differential flow is measured between the system inlet flow to the heat exchanger (FT-G33-1N036) and combined outlet of the filter/demineralizer (FT-G33-1N041) flow and drain flow (FT-G33-1N012) to either the condenser or radwaste.

The two differential flow actuation devices (FDSH-G33-1N603A, FDSH-G33-1N603B) receive an input signal from a common summer (FY-G33-1K604). The summer receives its inputs from FT-G33-1N036, FT-G33-1N041 and FT-G33-1N012. The locations of the flow transmitters provide the earliest practical detection of a RWCU system line break.

Two high flow sensors (differential pressure switches PDIS-G33-1N044A and PDIS-G33-1N044B) monitor the suction line to detect a line break.

The single failure criterion applies at the system or function level and not at the signal input or channel level (see response to FSAR Question 032.74). If a breach occurs in the RWCU system reactor coolant pressure boundary and the flow summer (FY-G33-1K604) were to fail, the RWCU isolation valves will receive a system isolation signal from the space temperature trip channels or from the high flow signal, where PDIS-G33-N044A or N044B provide a RWCU system isolation signal on high flow in the RWCU suction line. Thus, single failure of the summer, any of the three flow transmitters or the common power supply for the two isolation actuation devices (PDIS-G33-1N044A, PDIS-G33-1N044B) will not preclude RWCU system isolation.

7.3.1.1a.2.4.1.9.4 Subsystem Logic and Sequencing

When a significant increase in reactor water cleanup system differential flow or high flow is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiate closure of all RWCU system isolation valves.

Two instrumentation channels are provided to assure protective action when required. The output trip signal of each instrumentation channel initiates a division logic trip and closure of either the inboard or outboard RWCU system isolation valve.

7.3.1.1a.2.4.1.9.5 Subsystem Redundancy and Diversity

Diversity of trip initiation signals for RWCU system line break is provided by high differential flow, high flow, ambient temperature, and Reactor Vessel low, low water level, Level 2. An increase in differential flow, space temperature, or low Reactor vessel water level will initiate RWCU system isolation.

As described in Subsection 7.3.1.1a.2.4.1.9.3, the single failure criterion applies at the system or function level and not at the channel level.

7.3.1.1a.2.4.1.9.6 Subsystem Bypasses and Interlocks

A time delay is provided for the RWCU Differential Flow - High and RWCU Flow - High Functions to prevent spurious trips during RWCU transients. Bypass switches for the RWCU Differential Flow - High and RWCU Flow - High Functions with a status annunciator are located in the control room. The bypass switches are designed to permit testing during normal operation and the annunciator is used to supplement administrative procedures by providing system status in accordance with Regulatory Guide 1.47 requirements.

There are no interlocks to other systems from reactor water cleanup system high differential flow, or high flow trip signals.
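The differential flow summation, the time delay and the high-flow backup described in Subsections 7.3.1.1a.2.4.1.9.3 and 7.3.1.1a.2.4.1.9.6 can be traced with a short simulation. This is an added example, not part of the FSAR; the setpoints, the delay, the sample traces, the stuck-at-zero summer failure mode and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed values for illustration; the page gives no setpoints or delay.
DIFF_FLOW_SETPOINT = 60.0    # assumed, arbitrary flow units
HIGH_FLOW_SETPOINT = 450.0   # assumed, same units
TIME_DELAY_S = 45.0          # assumed


@dataclass
class Sample:
    t: float        # seconds
    inlet: float    # FT-G33-1N036, inlet to heat exchanger
    outlet: float   # FT-G33-1N041, filter/demineralizer outlet
    drain: float    # FT-G33-1N012, drain to condenser or radwaste
    suction: float  # suction-line flow seen by PDIS-G33-1N044A/B


def summer_output(s, failed=False):
    """FY-G33-1K604: inlet minus (outlet plus drain).

    Assumption: a failed summer is stuck at zero output.
    """
    return 0.0 if failed else s.inlet - (s.outlet + s.drain)


def delayed_trip_time(samples, signal, setpoint, delay=TIME_DELAY_S):
    """Time at which signal has stayed above setpoint for delay seconds."""
    start = None
    for s in samples:
        if signal(s) > setpoint:
            if start is None:
                start = s.t
            if s.t - start >= delay:
                return s.t
        else:
            start = None  # condition cleared, timer resets
    return None


def rwcu_isolation(samples, summer_failed=False, bypassed=False):
    """Evaluate both flow functions; isolated_at is the earlier trip."""
    if bypassed:
        # Test bypass: trips blocked, status annunciated in the control room.
        return {"diff_flow_trip": None, "high_flow_trip": None,
                "isolated_at": None, "bypass_annunciated": True}
    diff = delayed_trip_time(
        samples, lambda s: summer_output(s, summer_failed), DIFF_FLOW_SETPOINT)
    flow = delayed_trip_time(samples, lambda s: s.suction, HIGH_FLOW_SETPOINT)
    times = [x for x in (diff, flow) if x is not None]
    return {"diff_flow_trip": diff, "high_flow_trip": flow,
            "isolated_at": min(times) if times else None,
            "bypass_annunciated": False}


def trace(event_start=None, event_end=None, leak=0.0, step=5, end=120):
    """Constructed trace: steady 300 in, 295 out, 5 to drain. During the
    event window, 'leak' extra units enter but never reach the outlet."""
    out = []
    for t in range(0, end + 1, step):
        last = end if event_end is None else event_end
        active = event_start is not None and event_start <= t <= last
        extra = leak if active else 0.0
        out.append(Sample(t, 300.0 + extra, 295.0, 5.0, 300.0 + extra))
    return out


if __name__ == "__main__":
    print("20 s transient:", rwcu_isolation(trace(30, 50, leak=100.0)))
    print("sustained break:", rwcu_isolation(trace(30, leak=200.0)))
    print("break, summer failed:",
          rwcu_isolation(trace(30, leak=200.0), summer_failed=True))
    print("break, bypassed:", rwcu_isolation(trace(30, leak=200.0), bypassed=True))
```

Space temperature and reactor vessel low water level, the other diverse signals named in the text, are not modelled here.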

7.3.1.1a.2.4.1.9.7 Subsystem Testability

Testability is discussed in Subsection 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.10 Reactor Water Cleanup (RWCU) System-Area High Temperature and Differential Temperature

7.3.1.1a.2.4.1.10.1 Subsystem Identification

High temperature in the area of the RWCU system could indicate a breach in the RCPB in the cleanup system. High area temperature initiates isolation of the RWCU system. Note that the high differential temperature isolation and isolation alarm function have been removed but the above equipment is still located in the field. A pre-isolation alarm will still be initiated for high differential temperature.

7.3.1.1a.2.4.1.10.2 Power Supplies

For the power supply arrangements, see Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.10.3 Subsystem Initiating Circuits

Six space temperature and six differential temperature sensing circuits monitor the RWCU system area temperatures. Three space and three differential temperature circuits are associated with each of two instrumentation channels. Redundant space temperature measurements and inlet and outlet differential temperatures of the Reactor Water Cleanup pump room, heat exchanger room and penetration room are used to detect system line breaks. Note that the high differential temperature isolation and isolation alarm function have been removed but the above equipment is still located in the field. A pre-isolation alarm will still be initiated for high differential temperature.

7.3.1.1a.2.4.1.10.4 Subsystem Logic and Sequencing

When a significant increase in RWCU system area space temperature is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiate closure of all reactor water cleanup system isolation valves.

Two instrumentation channels are provided to assure protective action when required. The output trip signal of each instrumentation channel initiates a division logic trip and closure of either the inboard or outboard RWCU system isolation valve. In order to close both the inboard and outboard isolation valves, both division logics must trip. Protection against inadvertent isolation due to instrumentation malfunction is not provided.

7.3.1.1a.2.4.1.10.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation signals from high space temperature is provided by two space temperature elements installed in each RWCU system area, and which are associated with one of two division logics.

Redundancy of trip initiation signals for high differential temperature is provided by four temperature elements in each RWCU system area. Each pair of sensors is associated with one of two division logics. Note that the high differential temperature isolation and isolation alarm function have been removed but the above equipment is still located in the field. A pre-isolation alarm will still be initiated for high differential temperature.

Diversity is discussed in Subsection 7.3.1.1a.2.4.1.9.5.

7.3.1.1a.2.4.1.10.6 Subsystem Bypasses and Interlocks

The RWCU system high space temperature trips have no automatic bypasses associated with them.

There are no interlocks to other systems from the RWCU system high space temperature trip signals.

7.3.1.1a.2.4.1.10.7 Subsystem Testability

Testability is discussed in Subsection 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.11 This Subsection has been deleted

7.3.1.1a.2.4.1.12 Main Steamline-Leak Detection

7.3.1.1a.2.4.1.12.1 Subsystem Identification

The main steamlines are constantly monitored for leaks by the leak detection system (Dwgs. M-141, Sh. 1, M-141, Sh. 2, and M-142, Sh. 1). Steamline leaks will cause changes in at least one of the following monitored operating parameters: Reactor Building steam tunnel ambient temperature, flow rate, low turbine inlet pressure, or low water level in the reactor vessel. If a leak is detected, the detection system responds by triggering an annunciator and initiating a steamline isolation trip logic signal.

The main steamline break leak detection subsystem consists of three types of monitoring circuits:

a) ambient temperature monitors, which cause an alarm (Turbine and Reactor Building) and main steamline isolation (Reactor Building only) to be initiated when an observed temperature rises above a preset maximum,
b) steamline mass flow rate monitors, which initiate an alarm and closure of isolation valves when the observed flow rate exceeds a preset maximum, and
c) reactor vessel water level detectors which send a trip signal to the isolation valve logic when level decreases below a pre-selected setpoint.

The area temperature monitoring feature is discussed in Subsection 7.3.1.1a.2.4.1.3.

The main steamline flow monitoring feature is discussed in Subsection 7.3.1.1a.2.4.1.4.

The reactor vessel level monitoring feature is discussed in Subsection 7.3.1.1a.2.4.1.1.

The main steamline pressure monitoring feature is discussed in Subsection 7.3.1.1a.2.4.1.5.

7.3.1.1a.2.4.1.13 Main Condenser Vacuum Trip

7.3.1.1a.2.4.1.13.1 Subsystem Identification

In addition to the present turbine stop valve trip resulting from low condenser vacuum, which is a standard component of turbine system instrumentation, a main steamline isolation valve trip from a low condenser vacuum instrumentation system is provided, and meets the safety design basis of the PCRVICS.

The main turbine condenser low vacuum signal would indicate a leak in the condenser. Initiation of automatic closure of various Class A valves will prevent excessive loss of reactor coolant and the release of significant amounts of radioactive material from the RCPB. Upon detection of turbine condenser low vacuum, the following lines will be isolated:

(1) Main steamline
(2) Main steamline drain

The turbine condenser low vacuum trip setting was selected far enough above the normal operating vacuum to avoid spurious isolation, yet low enough to provide an isolation signal prior to the rupture of the condenser and subsequent loss of reactor coolant and release of radioactive material.

7.3.1.1a.2.4.1.13.2 Subsystem Power Supplies

For power supply arrangements, see Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.13.3 Subsystem Initiating Circuits

Four pressure sensing circuits monitor the main condenser vacuum. One pressure circuit is associated with each of four instrumentation channels. Four pressure switches are installed to provide the earliest practical detection of main condenser leak.

7.3.1.1a.2.4.1.13.4 Subsystem Logic and Sequencing

When a significant decrease in main condenser vacuum is detected, trip signals are transmitted to the PCRVICS. The PCRVICS initiate closure of all main steamline isolation and drain valves.

Four instrumentation channels are provided to assure protective action when required, and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a logic trip. The output trip signals of the logics are combined as shown in Figures 7.3-2 and 7.3-3. Failure of any one channel does not result in inadvertent isolation action.

7.3.1.1a.2.4.1.13.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation signals for low condenser vacuum is provided by four pressure switches. Each pressure signal is associated with one of four logics. Two pressure switches are supplied by one power source and the other two are supplied from a different power source.

Diversity of trip initiation signals is not provided.

7.3.1.1a.2.4.1.13.6 Subsystem Bypasses and Interlocks

Each main condenser low vacuum trip system isolation signal can be bypassed manually when the appropriate turbine stop valve is not full open, the reactor pressure is below the high pressure scram initiation setpoint, and the reactor mode switch is not in run.

There are no interlocks to other systems from the main condenser low vacuum trip signals.

7.3.1.1a.2.4.1.13.7 Subsystem Testability

Testability is discussed in Subsection 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.1.14 RHR System High Flow

7.3.1.1a.2.4.1.14.1 Subsystem Identification

High flow in the RHR system suction line could indicate a breach in the RCPB in the RHR system. High flow initiates closure of either the inboard or outboard RHR-Shutdown Cooling system isolation valve.

7.3.1.1a.2.4.1.14.2 Subsystem Power Supplies

For power supply arrangements, see Figures 7.3-2 and 7.3-3.

7.3.1.1a.2.4.1.14.3 Subsystem Initiating Circuits

Two redundant differential pressure switches monitor the RHR shutdown cooling mode suction line. The output trip signal of each sensor initiates closure of either the inboard or outboard RHR system isolation valve.

7.3.1.1a.2.4.1.14.4 Subsystem Logic and Sequencing

When RHR system high flow is detected, trip signals are transmitted to the RHR system suction line isolation valves. Two instrumentation channels are provided to assure protective action when required. The output trip signal of each instrumentation channel initiates a division logic trip and closure of either the inboard or outboard RHR system suction line isolation valve.

7.3.1.1a.2.4.1.14.5 Subsystem Redundancy and Diversity

Each of two instrumentation channels is supplied from a different power source. One channel is supplied to inboard logic and the other to outboard logic.

Diverse signals for isolation of the RHR system suction line isolation valves are provided by vessel low level (level 3) in addition to excess flow.

7.3.1.1a.2.4.1.14.6 Subsystem Bypasses and Interlocks

There are no interlocks or bypasses associated with RHR system high flow trip signals.

7.3.1.1a.2.4.1.14.7 Subsystem Testability

Testability is discussed in Subsection 7.3.2a.2.2.3.1.10.

7.3.1.1a.2.4.2 System Instrumentation

Sensors providing inputs to the PCRVICS are not used for the automatic control of the process system, thereby achieving separation of the protection and process systems. Channels are physically and electrically separated to reduce the probability that a single physical event will prevent isolation. Redundant channels for one monitored variable provide inputs to different isolation trip systems. The functions of the sensors in the isolation control system are shown in Figures 7.3-2 and 7.3-3. Table 7.3-5 lists instrument characteristics.

7.3.1.1a.2.5 System Logic

The variables and logic arrangements that initiate automatic actuation of all subsystems associated with the PCRVICS are provided in Subsection 7.3.1.1a.2.4.

7.3.1.1a.2.6 System Sequencing

A discussion of all sequencing of all subsystems of the PCRVICS is provided in Subsection 7.3.1.1a.2.4.

7.3.1.1a.2.7 System Bypasses and Interlocks

Bypasses and interlocks for all subsystems associated with the PCRVICS are detailed in Subsection 7.3.1.1a.2.4.1.

7.3.1.1a.2.8 System Redundancy and Diversity

The variables which initiate isolation are listed in the circuit description, Subsection 7.3.1.1a.2.4.1. Also listed there are the number of initiating sensors and channels for the isolation valves.

7.3.1.1a.2.9 System Actuated Devices

To prevent the reactor vessel water level from falling below the top of the active fuel as a result of a pipeline break, the valve closing mechanisms are designed to meet the closure times specified in Table 6.2-12.

The main steamline isolation valves are spring-closing, pneumatic, piston-operated valves. They close on loss of pneumatic pressure to the valve operator. This is a fail-safe design. The control arrangement is shown in Figure 7.3-4. Closure time for the valves is adjustable between 3 and 10 seconds. Each valve is piloted by two three-way, packless, direct-acting, solenoid-operated pilots. An accumulator located close to each isolation valve provides pneumatic pressure for valve closing in the event of failure of the normal gas supply system.

The sensor trip channel and trip logic relays for the instrumentation used in the systems described are high reliability relays. The relays are selected so that the continuous load will not exceed 50% of the continuous duty numbers of trip channels needed to ensure that the isolation control system retains its functional capabilities.

7.3.1.1a.2.10 System Separation

Sensor devices are separated physically such that no single failure (open, closure, or short) can prevent the safety action. By the use of separated raceways, the single failure criterion is met from the sensors to the logic cabinets in the relay control rooms. The logic cabinets are so arranged that redundant equipment and wiring are not present in the same bay of a cabinet except as noted in Section 3.12. A bay is a cabinet section separated from other cabinet sections by a fire barrier. Normally the barrier is of full cabinet height and depth. Redundant equipment and wiring may be present in control room bench boards, where separation is achieved by surrounding redundant wire and equipment in metal encasements. From the logic cabinets to the isolation valves, separated raceways are employed to complete adherence to the single failure criterion.

7.3.1.1a.2.11 System Testability

The main steamline isolation valve instrumentation is capable of complete testing during power operation. The isolation signals include low reactor water level, high main steamline flow, Reactor Building high main steamline tunnel temperature, low condenser vacuum, and low turbine pressure. The water level, turbine pressure, and steamline flow sensors are pressure or differential pressure type sensors which may be valved out of service one at a time and functionally tested using a test pressure source. The radiation measuring amplifier is provided with a test switch and internal test source by which operability may be verified.

Functional operability of the temperature switches may be verified by applying a heat source to the locally mounted temperature sensing elements. Control room indications include annunciation and panel lights. The condition of each sensor is indicated by at least one of these methods in addition to annunciators common to sensors of one variable. In addition, the functional availability of each isolation valve may be confirmed by completely or partially closing each valve individually at reduced power using test switches located in the control structure.

The RWCU system isolation signals include low reactor water level, equipment area high ambient temperature, high flow, high differential flow, high temperature downstream of the non-regenerative heat exchanger, and standby liquid control system actuation. The water level sensor is of the differential pressure type and can be periodically tested by valving each sensor out of service and applying a test pressure. The temperature switches may be functionally tested by removing from service and applying a heat source to the temperature sensing elements. The differential flow switches may be tested by applying a test input. The various trip actuations are annunciated in the main control room. Also, valve indicator lights in the main control room provide indication of RWCU isolation valve position.

7.3.1.1a.2.12 System Environmental Considerations

The physical and electrical arrangement of the PCRVICS was selected so that no single physical event will prevent achievement of isolation functions. Motor operators for valves inside the drywell are of the totally enclosed type; those outside the containment have weatherproof-type enclosures. Solenoid valves, whether used for direct valve isolation or as a gas pilot, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration has been given to isolation requirements during a LOCA inside the drywell.

Components of the PCRVICS that are located inside the drywell and that must operate during a LOCA are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a LOCA environment (see Section 3.11). Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the PCRVICS only after completion of environmental testing under LOCA conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

7.3.1.1a.2.13 System Operational Considerations

7.3.1.1a.2.13.1 General Information

The PCRVICS are not required for normal operation. The system is initiated automatically when one of the monitored variables exceeds preset limits. No operator action is required for at least 10 minutes following initiation.

All automatic isolation valves can be closed by manipulating switches in the main control room, thus providing the reactor operator with control which is independent of the automatic isolation functions.

7.3.1.1a.2.13.2 Reactor Operator Information

In general, once isolation is initiated, the valve continues to close even if the condition that caused isolation is restored to normal. The reactor operator must manually operate switches in the main control room to reopen a valve that has been automatically closed. Except where manual override features are provided in the manual control circuitry, the operator cannot reopen the valve until the conditions that initiated isolation have cleared.

A trip of an isolation control system channel is annunciated in the main control room so that the reactor operator is immediately informed of the condition. The response of isolation valves is indicated by OPEN-CLOSED status lights in the main control room. All motor-operated and gas-operated isolation valves have OPEN-CLOSED status lights in the main control room.

Inputs to annunciators and indicators are arranged so that no malfunction of the annunciating or indicating equipment can functionally disable the system. Direct signals from the isolation control system sensors are not used as inputs to annunciating or indicating equipment. Relay isolation is provided between the primary signal and the information output (Refer to Section 7.7 for further discussion of information available for the reactor operator).

7.3.1.1a.2.13.3 Setpoints

Refer to the Technical Requirements Manual for safety trip setpoints; and the plant Technical Specifications for the Allowable Values.

7.3.1.1a.3 This Subsection Is Not Used

7.3.1.1a.4 RHRS/Containment Spray Cooling System - Instrumentation and Controls

7.3.1.1a.4.1 System Identification

The containment spray cooling system is an operating mode of the Residual Heat Removal System. It is designed to provide the capability of condensing steam in the suppression pool air volume and/or the drywell atmosphere and removing heat from the suppression pool water volume. The system is manually initiated when necessary.

The RHR system is shown in Dwgs. M-151, Sh. 1, M-151, Sh. 2, M-151, Sh. 3, and M-151, Sh. 4.

7.3.1.1a.4.2 Power Sources

The power supplies for the RHR system are described in Subsection 7.3.1.1a.1.6.

7.3.1.1a.4.3 Equipment Design

Control and instrumentation for the following equipment is required for this mode of operation:

(1) Two RHR main system pumps
(2) Pump suction valves
(3) Containment spray discharge valves

Sensors needed for operation of the equipment are drywell pressure switches, reactor water level indicating switches, and valve limit switches.

The instrumentation for containment spray cooling operation allows the operator to assure that water will be routed from the suppression pool to the containment spray system for use in the drywell and/or suppression pool air volumes.

Containment spray operation uses two pump loops, each loop with its own separate discharge valve. All components pertinent to containment spray cooling operation are located outside of the drywell. The system can be operated such that the spray can be directed to the drywell and/or suppression pool air volume.

7.3.1.1a.4.4 Initiating Circuits Loop A containment spray cooling mode of the RHR System may be initiated by the operator when the LOCA interlock (reactor vessel low water level and/or drywell high pressure in a one-out-of-two-twice logic configuration) has been satisfied.

This interlock may be bypassed by a manual override switch. The Loop B containment spray cooling mode of the RHR System initiation is identical to that of Loop A.
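The one-out-of-two-twice permissive and its manual override can be checked exhaustively for single-failure behavior. The following is an added illustration, not part of the FSAR or of any plant logic; the channel names (two trip systems of two channels each), the function names, and the assumption that each channel trips on either sensed condition are hypothetical.

```python
from itertools import combinations

# Hypothetical channel names: two trip systems ("1", "2"), two channels each.
CHANNELS = ("1a", "1b", "2a", "2b")


def channel_trip(level_low: bool, drywell_high: bool) -> bool:
    """Assumed: a channel trips on low vessel level and/or high drywell pressure."""
    return level_low or drywell_high


def one_out_of_two_twice(trips: dict) -> bool:
    """Satisfied when at least one channel has tripped in EACH trip system."""
    return (trips["1a"] or trips["1b"]) and (trips["2a"] or trips["2b"])


def spray_permissive(trips: dict, manual_override: bool = False) -> bool:
    """Containment spray may be initiated on the LOCA interlock or the override switch."""
    return manual_override or one_out_of_two_twice(trips)


def single_failure_effects():
    """Return (channels whose lone spurious trip satisfies the logic,
    channels whose lone failure to trip blocks the logic during a real demand)."""
    idle = dict.fromkeys(CHANNELS, False)
    demand = dict.fromkeys(CHANNELS, True)
    spurious = [c for c in CHANNELS if one_out_of_two_twice({**idle, c: True})]
    blocked = [c for c in CHANNELS if not one_out_of_two_twice({**demand, c: False})]
    return spurious, blocked


def two_channel_outcomes():
    """Logic output for every pair of tripped channels, all others untripped."""
    idle = dict.fromkeys(CHANNELS, False)
    return {
        pair: one_out_of_two_twice({**idle, **dict.fromkeys(pair, True)})
        for pair in combinations(CHANNELS, 2)
    }


if __name__ == "__main__":
    print("single-failure effects:", single_failure_effects())
    for pair, satisfied in two_channel_outcomes().items():
        print(pair, "->", satisfied)
```

No single channel can satisfy or block the permissive on its own; two tripped channels satisfy it only when they sit in different trip systems.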

7.3.1.1a.4.5 Logic and Sequencing The operating sequence of containment spray following receipt of the necessary initiating signals is as follows:

(1) The RHR system pumps continue to operate.

(2) Valves in other RHR modes are manually positioned or remain as positioned during LPCI.

(3) The RHR service water pumps are started.

(4) RHR service water discharge valves to the RHR heat exchanger are opened.

The containment spray system will continue to operate until the operator closes the containment spray injection valves. The operator can then initiate another mode of RHR if appropriate permissives are satisfied.

7.3.1.1a.4.6 Bypasses and Interlocks No bypasses are provided for the containment spray system.

7.3.1.1a.4.7 Redundancy and Diversity Redundancy is provided for the containment spray function by two separated logics, one for each divisional loop. Redundancy and diversity of initiation permissive sensors is described in Subsection 7.3.2a.4.

7.3.1.1a.4.8 Actuated Devices Dwg. M1-E11-51, Sh. 4 shows functional control arrangement of the containment spray system.

The RHR A and RHR B loops are utilized for containment spray. Therefore, the pump and valves are the same for LPCI and containment spray function except that each has its own discharge valve. See Subsection 7.3.1.1a.1.6.7 for specific information.

7.3.1.1a.4.9 Separation For separation, refer to Subsection 7.3.1.1a.1.6.8.

7.3.1.1a.4.10 Testability Containment spray cooling system is capable of being tested up to the last discharge valve during normal operation.

Testing for functional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in conjunction with single sensor tests. Other control equipment is functionally tested during manual testing of each loop. Adequate indication in the form of panel lamps and annunciators is provided in the main control room.

7.3.1.1a.4.11 Environmental Considerations See Section 3.11 for environmental qualifications of the containment spray system components.

7.3.1.1a.4.12 Operational Considerations 7.3.1.1a.4.12.1 General Information Containment spray is a mode of the RHR and is not required during normal operation.

7.3.1.1a.4.12.2 Reactor Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess containment spray operation. Alarms and indications are shown in Dwgs. M-151, Sh. 1, M-151, Sh. 2, M-151, Sh. 3, M-151, Sh. 4, M1-E11-51, Sh. 1, M1-E11-51, Sh. 2, M1-E11-51, Sh. 3, M1-E11-51, Sh. 4, and M1-E11-51, Sh. 5.

7.3.1.1a.4.12.3 Setpoints Setpoints for the containment spray permissives (drywell pressure and reactor vessel water level) are shown in the Technical Requirements Manual. Refer to the plant Technical Specifications for the Allowable Values.

7.3.1.1a.5 RHRS/Suppression Pool Cooling Mode - Instrumentation and Controls 7.3.1.1a.5.1 System Identification Suppression pool cooling is an operating mode of the Residual Heat Removal System. It is designed to provide the capability of removing heat from the suppression pool water volume. The system is manually initiated when necessary.

7.3.1.1a.5.2 Power Sources Power for the RHR system pumps is supplied from four AC buses that can receive standby AC power. Motive and control power for the two loops of suppression pool cooling are the same as that used for the two LPCI loops; see Subsection 7.3.1.1a.1.6. Power for suppression pool cooling instrumentation is from the Class 1E 125 VDC and 120 VAC systems, described in Chapter 8.

7.3.1.1a.5.3 Equipment Design Control and instrumentation for the following equipment is required for this mode of operation:

(1) RHR pumps,
(2) Pump suction valves, and
(3) Suppression pool return valves.

Suppression pool cooling uses two pump loops, each loop containing two pumps. All components pertinent to suppression pool cooling operation are located outside the drywell.

The suppression pool cooling mode is manually initiated from the control room. This mode is put into operation to maintain the water temperature in the suppression pool within specified limits.

7.3.1.1a.5.4 Initiating Circuits Initiation of either suppression pool cooling loop is performed manually by the control room operator.

7.3.1.1a.5.5 Logic and Sequencing The operating sequence of suppression pool cooling mode is as follows:

(1) Valves are manually positioned.

(2) The RHR pumps operate.

(3) The RHR heat exchanger service water system is placed into service.

The suppression pool cooling mode will continue to operate until terminated by manual operator action.

7.3.1.1a.5.6 Bypasses and Interlocks No bypasses are provided for the suppression pool cooling mode. The suppression pool cooling mode is interlocked with reactor water level and drywell pressure functions by the repositioning of valves associated with the initiation of the LPCI mode on LOCA signal. See Subsection 7.3.1.1a.1.6.4.

7.3.1.1a.5.7 Redundancy and Diversity Redundancy is provided for the suppression pool cooling mode by separate logics, one for each loop.

7.3.1.1a.5.8 Actuated Devices Dwgs. M1-E11-51, Sh. 1, M1-E11-51, Sh. 2, M1-E11-51, Sh. 3, M1-E11-51, Sh. 4, and M1-E11-51, Sh. 5 show functional control arrangement of the pumps and valves used during the suppression pool cooling mode.

7.3.1.1a.5.9 Separation Suppression pool cooling is a two-divisional system. Manual control, logic circuits, cabling, and instrumentation for suppression pool cooling are mounted so that divisional separation is maintained.

7.3.1.1a.5.10 Testability Suppression pool cooling is capable of being tested during normal operation.

Testing for functional operability can be accomplished during manual testing of each loop. Panel lamps and annunciators provide control room indications.

7.3.1.1a.5.11 Environmental Considerations Refer to Section 3.11 and the Susquehanna SES Environmental Equipment Qualification Program for environmental qualifications of the system components.

7.3.1.1a.5.12 Operational Considerations 7.3.1.1a.5.12.1 General Information Suppression pool cooling is used to limit suppression pool temperature.

7.3.1.1a.5.12.2 Reactor Operator Information Temperature, flow, pressure, and valve position indications are available in the control room for the operator to assess suppression pool cooling operation. Annunciator identification and system logic are shown in Dwgs. M1-E11-51, Sh. 1, M1-E11-51, Sh. 2, M1-E11-51, Sh. 3, M1-E11-51, Sh. 4, and M1-E11-51, Sh. 5.

7.3.1.1a.5.12.3 Setpoints There are no setpoints. The system is only manually initiated.

7.3.1.1b System Description (Non-NSSS) 7.3.1.1b.1 Primary Containment Isolation Control System for Non-NSSS-Instrumentation and Control The isolation described in this subsection as non-NSSS and that described in Subsection 7.3.1.1a.2 as NSSS provide the complete containment isolation ESF.

7.3.1.1b.1.1 System Description The primary containment isolation for non-NSSS is designed to ensure the containment integrity in the event of a LOCA. The system includes divisionalized logic and actuation circuits that initiate the closing of non-NSSS containment isolation valves.

The initiating contact for each division is provided by the NSSS initiating logic for the primary containment isolation control system and is a combination of the following:

(1) Reactor vessel - low water level
(2) Drywell - high pressure

In addition, containment purge supply and exhaust lines isolate on high radiation measured at the SGTS exhaust stack.

Sensors and initiating circuits are provided in the NSSS-PCRVICS. Refer to 7.3.2a.2.2.3.1.9 and 7.3.2a.2.2.3.1.10 for discussion of calibration and testing. For discussion of test provisions of the non-NSSS circuits refer to Subsection 7.3.2b.2-4.10. For description of the SGTS exhaust radiation monitors, refer to Subsection 11.5.2.1.4.

The objective of the system is to provide automatic isolation of all non-NSSS pipeline penetrations of the primary containment upon a LOCA.

A specific identification of containment isolation valves is provided in Table 6.2-12.

Isolation of the following pipelines is initiated by this system:

(1) Reactor Building Closed Cooling Water Supply and Return
(2) Drywell & Suppression Chamber Purge Supply and Exhaust Lines
(3) Drywell & Suppression Chamber Gas Sampling and Return Lines
(4) Instrument Gas Supply and Return Lines
(5) Drywell Floor Drain to Radwaste
(6) Equipment Drain to Radwaste
(7) Chilled Water Supply and Return Lines
(8) Suppression Pool Cleanup

7.3.1.1b.1.2 Initiating Circuits and Logic The non-NSSS isolation logics are derived from inputs from the PCRVICS and Core Spray System. Refer to Subsection 7.3.1.1a.2 for description of initiating circuits, logic, bypasses, interlocks, redundancy and diversity of the NSSS portion of this system.

Eight sets of contacts on six relays, four sets of contacts and three relays per division, represent the interface from NSSS to non-NSSS containment isolation. These relays will be de-energized and initiate isolation on any of the following conditions:

(1) Manual Isolation
(2) Low low Reactor Water Level 2
(3) Low low low Reactor Water Level 1
(4) High Drywell Pressure

For Containment Purge lines, these signals are combined with trip signals from the SGTS Exhaust Radiation - high sensors.

Normally energized relays are used to multiply these signals. The assignment of electrical divisions to containment isolation valves is as shown in Table 6.2-12.

7.3.1.1b.1.3 Bypasses, Interlocks, and Sequencing No sequencing is required for this system.

A timing circuit is implemented to allow manual opening of isolation valves after the isolation signal is received and the timer times out. These timing circuits reset when the isolation signal is manually reset to ensure closure upon receiving the next isolation signal. The time varies to meet post-LOCA monitoring of the containment. Refer to Subsection 6.2.4.3.3.1 and Table 6.2-12, Remarks column, for identification of valves, times, and bypasses.
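The normally energized interface relays of Subsection 7.3.1.1b.1.2 and the timer-gated manual reopening described above can be modeled as a small state machine for one division. This is an added illustration, not part of the FSAR or of the plant logic; the class, method and input names, the 600-second delay, the seal-in of the isolation signal, and the rule that a manual reset is accepted only after the trip conditions have cleared are assumptions.

```python
from dataclasses import dataclass

# Trip conditions listed in Subsection 7.3.1.1b.1.2 (input names are hypothetical).
TRIP_INPUTS = (
    "manual_isolation",
    "reactor_level_2_low_low",
    "reactor_level_1_low_low_low",
    "drywell_pressure_high",
)
# Combined with the above for containment purge lines only.
PURGE_ONLY_INPUT = "sgts_exhaust_radiation_high"


@dataclass
class IsolationDivision:
    reopen_delay_s: float          # constructed value; plant times are in Table 6.2-12
    purge_line: bool = False
    relay_energized: bool = True   # normally energized: de-energizing initiates isolation
    sealed_in: bool = False        # assumed: isolation signal latches until manual reset
    valve_open: bool = True
    elapsed_s: float = 0.0

    def scan(self, dt_s, inputs=None, logic_power=True):
        """Advance the model by dt_s seconds; return True if the valve is open."""
        inputs = inputs or {}
        names = TRIP_INPUTS + ((PURGE_ONLY_INPUT,) if self.purge_line else ())
        tripped = any(inputs.get(n, False) for n in names)
        # Any trip input, or loss of logic power, drops out the relay.
        self.relay_energized = logic_power and not tripped
        if not self.relay_energized and not self.sealed_in:
            # New isolation signal: close the valve and start the timing circuit.
            self.sealed_in = True
            self.valve_open = False
            self.elapsed_s = 0.0
        elif self.sealed_in:
            self.elapsed_s += dt_s
        return self.valve_open

    def request_open(self):
        """Operator open command; honored if no isolation signal is latched
        or the timing circuit has timed out. Returns True if the valve is open."""
        if not self.sealed_in or self.elapsed_s >= self.reopen_delay_s:
            self.valve_open = True
        return self.valve_open

    def reset(self):
        """Manual reset of the isolation signal; also resets the timer so the
        next isolation signal closes the valve again. Returns True if cleared."""
        if self.relay_energized:
            self.sealed_in = False
            self.elapsed_s = 0.0
        return not self.sealed_in
```

In this model a valve reopened through the timer stays open while the original signal is still latched, which is why the reset must re-arm the timing circuit before the next isolation signal.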

The Low Reactor Water Level/High Drywell Pressure isolation signal initiation of CIG valves HV-12603, HV-22603, SV-12651, SV-22651, SV-12605 and SV-22605 control logics can be manually bypassed from the Control Room following an ATWS event, or during beyond design basis conditions (e.g., Rapid Depressurization or Primary Containment Flooding). Bypassing of these isolation signal interlocks will ensure the MSIVs can be maintained open during an ATWS event, or will allow the MSIVs to be reopened, to preserve containment integrity and to keep the main condenser available as a heat sink or to reestablish it as a heat sink during other beyond design basis conditions. Bypassing these isolation signal interlocks will also enable the SRVs to be individually controlled for pressurization and pressure control of the RPV during a Loss of All Decay Heat Removal beyond design basis event. Individual control of SRVs enables decay heat removal via RWCU to be maximized until another method of decay heat removal is available.

7.3.1.1b.1.4 Redundancy and Diversity The Division I initiation circuit is independent and redundant to the Division II circuit.

Diversity of measurements is discussed in Subsection 7.3.1.1a.

7.3.1.1b.1.5 Actuated Devices Table 6.2-12 lists all valves actuated by the containment isolation control system.

7.3.1.1b.1.6 Supporting Systems The power sources for the isolation logic are supplied from two divisionalized and redundant 120 VAC buses. Refer to Chapter 8.0 for division.

Two additional divisionalized and redundant 125 VDC power sources are supplied to auxiliary isolation timing logics for drywell and suppression chamber purge supply and exhaust lines, drywell, and suppression chamber sampling and return lines, and drywell burp and purge lines.

7.3.1.1b.1.7 Instrument Sensing Lines All instrument line penetrations of the primary containment are equipped with excess flow check valves which isolate upon a high flow and differential pressure across the valve. This would be caused by a downstream line break on a high pressure system. When isolation of any excess flow check valve occurs, a control room alarm alerts the operator. Two position-indicating lights on a backrow panel in the main control room panel provide the status of each valve. A test pushbutton allows a circuit test for the indicating lights as well as the annunciating logic for all excess flow check valves. Annunciation is provided on the unit operating benchboard to indicate excess flow check valve operation.

7.3.1.1b.2 Combustible Gas Control System The concentration of the combustible gas inside the primary containment may increase after a LOCA as described in Subsection 6.2.5.

7.3.1.1b.2.1 Supporting Systems The primary containment atmospheric monitoring system (hydrogen and oxygen analyzers) indicates the containment gas concentration during startup, during normal plant operation and after a LOCA. Refer to Subsection 6.2.5.2 for system description and to Section 7.5 for safety-related display instrumentation.

7.3.1.1b.3 Primary Containment Vacuum Relief - Instrumentation and Control 7.3.1.1b.3.1 System Description The system is designed to allow periodic testing of all five pairs of primary containment vacuum relief valves to ensure their functional capability. This is accomplished by opening each valve by remote actuation of the solenoid valve. Status-indicating lights of the relief valve position verify the operation.

7.3.1.1b.3.2 Initiating Circuits, Logic, Bypasses, Interlocks, and Sequencing One test selector switch per division permits the testing of each relief valve in that group. A momentary test pushbutton will cause a selective opening of each valve. All valves will close again when the selector switch is returned into normal position.

No system bypasses, interlocks, or sequencing are provided.

7.3.1.1b.3.3 Redundancy and Diversity Redundancy is given by the divisionalized system design. Diversity is not required for this manually-operated system.

7.3.1.1b.3.4 Actuated Devices The vacuum relief valves are the only actuated devices.

7.3.1.1b.4 Standby Gas Treatment System (SGTS)

For the description and operation of the SGTS, refer to Subsections 6.5.1.1 and 9.4.2.

7.3.1.1b.4.1 Initiating Circuits Each train of the SGTS may be initiated or stopped in a protective function mode as follows:

a) High radiation sensed by any of the five gamma sensors located as follows (see Section 11.5 and Table 11.5-1):

1) Unit 1 - Refueling floor high exhaust duct
2) Unit 2 - Refueling floor high exhaust duct
3) Unit 1 - Refueling floor wall exhaust duct
4) Unit 2 - Refueling floor wall exhaust duct
5) Railroad access shaft exhaust duct

b) LOCA signals provided by NSSS to non-NSSS output initiating contacts (see Subsection 7.3.1.1b.1.1).

c) Primary containment vent and purge operation will be stopped by high radiation detected at the SGTS exhaust vent.

d) An operating train will be stopped by low air flow and the standby train initiated. This occurs only when SGTS is not responding to a reactor building isolation signal. The low flow trip is automatically bypassed when SGTS is to perform its ESF function.

e) Secondary protection is provided by sensors monitoring an operating filter train for a malfunction condition that will trip an operating train and cause the standby train to start.

That malfunction condition is a high-high charcoal filter temperature (also controls fire protection deluge water valves and drain valves).

f) High inlet header static pressure of the SGTS will initiate a SGTS train.

g) System protection (not safety-related) is provided to initiate the filter train fan in a cooling mode on high charcoal temperature (pre-ignition temperature).

Each channel provides:

1) Continuous monitoring of radiation
2) Alarms in the control room for downscale/inoperative, high, and high-high radiation
3) Analog signals for the radiation indicator and recorder and trip circuit for initiating isolation and stop signals

Capability for sensor checks and capability for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.4.2 Logic and Sequencing The two SGTS redundant filter trains are set up in a lead-lead mode. When an emergency start signal exists in this mode, both trains will start.

The flow control of the operating SGTS uses inlet header pressure to outside air pressure differential as a setpoint to ensure the inlet header pressure is less than atmospheric. This prevents reactor building air exhaust to the atmosphere, through the outside air intake plenum.

The SGTS is provided with redundant control loops to control the following variables:

a) Total airflow of the system
b) Relative humidity of air entering the charcoal absorber
c) Pressure in the SGTS inlet header
d) Air pressure in the reactor building
e) Rate of flow of cooling air through the charcoal absorbers

Operation of the above loops is described in Subsection 6.5.1.1.

7.3.1.1b.4.3 Interlocks No outputs of reactor building zone pressure differential controllers (PDIC-07554A&B) are present under the following conditions:

a) No reactor building isolation signal
b) Respective SGTS fan is not running

As a result, though both of the reactor building negative pressure control loops are operable at all times, dampers PDD-07554A&B will not operate when the above two conditions exist.

7.3.1.1b.4.4 Bypasses The manual control switches of the fans in the SGTS when in OFF position provide automatic input to the Bypass Indication System (BIS). See Section 7.5 for complete discussion of BIS.

7.3.1.1b.4.5 Redundancy Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment, so that the controls and instrumentation preserve the redundancy of the mechanical equipment.

Equipment, controls, and instrumentation of filter train A belong to Division I and filter train B to Division II.

7.3.1.1b.4.6 Diversity The diversity of the NSSS-furnished LOCA signal from the PCRVICS is used.

7.3.1.1b.4.7 Actuated Devices The list of actuated equipment is shown in Table 7.3-13.

7.3.1.1b.4.8 Separation The instrumentation, controls, and power supply of the SGTS system are redundant, and are physically and electrically separate in accordance with IEEE Std. 384-1974.

Redundant local control panels of the SGTS system are physically separate.

7.3.1.1b.4.9 Supporting Systems The instrumentation and controls of the SGTS are powered from the Class 1E 125 VDC and 120 VAC systems. These electrical systems are discussed in Chapter 8.

The SGTS equipment room heating and ventilating system supports the SGTS and is discussed in Subsection 9.4.1.

7.3.1.1b.4.10 System Parts Not Required for Safety The parts of the SGTS not required for safety are as follows:

a) Charcoal filter fire protection. The fire protection system is discussed in Subsection 9.5.1.

b) Instrumentation loops for monitoring air flow from the reactor building recirculation system and outside makeup air intake.

7.3.1.1b.5 Reactor Building Recirculation System For the description and operation of the recirculation system, refer to Subsections 6.5.3 and 9.4.2.

7.3.1.1b.5.1 Initiating Circuits Each fan of the recirculation system may be initiated or stopped in a protective function by the following:

a) High radiation sensed by any of the five gamma sensors located as follows (see Section 11.5 and Table 11.5-1):

1) Unit 1 - Refueling floor high exhaust duct
2) Unit 2 - Refueling floor high exhaust duct
3) Unit 1 - Refueling floor wall exhaust duct
4) Unit 2 - Refueling floor wall exhaust duct
5) Railroad access shaft exhaust duct

b) LOCA signals provided by NSSS to non-NSSS output initiating contacts.

c) Low system airflow will initiate the standby fan. The low flow is detected by a pressure differential switch sensing low differential pressure between supply and exhaust plenums of the recirculation system.

The initiation signals described in a or b above may open at least one of two, arranged in parallel, isolation-type dampers provided on ducts connecting the supply and return plenums of the recirculation system with appropriate normal ventilation ductwork.

Each channel provides:

1) Continuous monitoring of radiation
2) Alarms in the control room for downscale/inoperative, high, and high-high radiation
3) Analog signals for the radiation indicator/recorder, and digital output initiating signal

7.3.1.1b.5.2 Logic and Sequencing Capability for sensor checks and test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

Two redundant recirculation fans are normally set up in a "lead-lag" fashion. When an initiation signal exists, the lead fan automatically starts and the other fan remains on standby. The standby fan pressure differential switch (flow switch) monitors the operation of the lead fan by sensing pressure differential developed by the running lead fan between common supply and exhaust plenums. If the lead fan fails and the system loses airflow, the standby fan will start.

Except for the differential pressure switches, no other instruments or instrument loops are provided for the recirculation system.

The initiation signals except for low system air flow will also initiate closure of isolation dampers for the affected portions of the secondary containment, and open dampers linking the recirculation system with the respective supply and exhaust air duct systems.

7.3.1.1b.5.3 Interlocks See Table 7.3-14 for interlocks between control systems and mechanical equipment and components. This table includes the reactor building isolation dampers and the reactor building plant normal operation ventilation fans interlocked with ESFAS.

7.3.1.1b.5.4 Bypasses The hand control switch of each recirculation fan, when in OFF position, provides automatic input to the Bypass Indication System (BIS). See Section 7.5 for complete discussion of BIS.

7.3.1.1b.5.5 Redundancy Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment, so that the controls and instrumentation preserve the redundancy of the mechanical equipment.

Equipment, controls, and instrumentation of fan A belong to Division I and fan B to Division II.

7.3.1.1b.5.6 Diversity The diversity of the NSSS-furnished LOCA signal from the PCRVICS is used.

7.3.1.1b.5.7 Actuated Devices The list of actuated equipment, including the reactor building isolation dampers, and non-safety-related normal plant operation ventilation fans, is shown in Table 7.3-14.

7.3.1.1b.5.8 Separation The instruments, controls, and power supply of the recirculation system are redundant and are physically and electrically separated.

7.3.1.1b.5.9 Supporting Systems The instrumentation and controls of the recirculation system are powered from the Class 1E 125 VDC and 120 VAC systems. These electrical systems are discussed in Chapter 8.

7.3.1.1b.5.10 System Parts Not Required for Safety All instrumentation and controls of the recirculation system are safety-related and required for safety.

7.3.1.1b.6 Reactor Building Isolation and HVAC Support Isolation of the reactor building (secondary containment) is a function of the reactor building ventilation system discussed in Subsection 9.4.2.1.

7.3.1.1b.6.1 Initiation Circuits Refer to Subsection 9.4.2.1.3, for discussion of isolation signals which are the same as those used for the standby gas treatment and reactor building recirculation systems. See Subsection 7.3.1.1b.4 and 7.3.1.1b.5.

Capability for sensor checks and test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.6.2 Logic and Sequencing Refer to Subsection 9.4.2.1.3.

7.3.1.1b.6.3 Interlocks The isolation function is not interlocked with other systems.

7.3.1.1b.6.4 Bypasses Zone I and II HVAC isolation bypass switches are provided to isolate the appropriate zone from the recirculation system and remove it from the secondary containment boundary.

7.3.1.1b.6.5 Redundancy Controls and instrumentation are provided on a one-to-one basis with mechanical equipment, i.e., the redundant dampers have separate actuation systems.

7.3.1.1b.6.6 Diversity The diversity of the NSSS-furnished LOCA signal from the PCRVICS is used.

7.3.1.1b.6.7 Actuated Devices Refer to Table 7.3-14.

7.3.1.1b.6.8 Separation Physical and electrical separation of actuation systems is provided.

7.3.1.1b.6.9 Supporting Systems Instrumentation and controls are powered from Class 1E 125 VDC and 120 VAC systems.

7.3.1.1b.6.10 System Parts Not Required for Safety Refer to Subsection 9.4.2 for non-safety-related parts.

7.3.1.1b.7 Habitability, Control Room Isolation Instrumentation and controls function in the following systems to provide control room isolation:

1) Emergency outside air system
2) Control structure HVAC system

Refer to Subsection 9.4.1 for descriptions.

Capability for sensor checks and for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.7.1 Initiation Control Structure Isolation is initiated by:

a) Outside Air High-High Radiation (see Section 11.5)
b) Reactor Building Isolation Signal (SGTS Isolation)

7.3.1.1b.7.2 Logic and Sequencing One mode of isolation is provided: Diverting the outside air through the Emergency Outside Air Intake filter in the event of high radiation detection and reactor building isolation. Refer to Subsection 9.4.1 and Tables 7.3-15 and 7.3-16 for details.

7.3.1.1b.7.3 Interlocks The systems listed are interlocked to provide the appropriate isolation mode and initiate proper equipment. Control Room Floor, Computer Room Floor and Control Structure H&V systems are interlocked with the Control Structure Chilled Water System. Refer to Subsection 7.3.1.1b.8.5.

7.3.1.1b.7.4 Bypasses The OFF position of the hand control switches in the Habitability and Control Structure Isolation Systems is automatically input to the Bypass Indication System (see Section 7.5).

7.3.1.1b.7.5 Redundancy Controls and instrumentation are provided on a one-to-one basis with the redundant mechanical equipment they control.

7.3.1.1b.7.6 Diversity The diversity provided in the NSSS LOCA signals is used. No diversity is provided in radiation detection.

7.3.1.1b.7.7 Actuated Devices Actuated equipment is listed in Tables 7.3-15.

7.3.1.1b.7.8 Separation Physical and electrical separation of all actuation systems is provided.

7.3.1.1b.7.9 Supporting Systems Instrumentation and controls are powered from Class 1E 125 VDC and 120 VAC systems. The control structure chilled water system and emergency service water provide support when the systems are operated as a safety function.

7.3.1.1b.7.10 System Parts Not Required for Safety Refer to Subsection 9.4.1, description of individual systems.

7.3.1.1b.8 Auxiliary Support Systems Auxiliary support systems are required for proper operation of ESF systems as listed in Subsection 7.3.1.

7.3.1.1b.8.1 Emergency Service Water System - Instrumentation and Control The emergency service water system is discussed in Subsection 9.2.5. The instrumentation for the two redundant emergency service water loops is designed with necessary logic and actuation circuits, controls, and instrumentation for process monitoring by the control room operator.

Capability for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

In addition, a temperature control valve and associated logic and instrumentation to accomplish control of the diesel generator intake air temperature is discussed in Sections 8.3.1.4.3, 9.5.5.2, and 9.5.5.5.

7.3.1.1b.8.1.1 Initiating Circuits A signal from each aligned diesel generator start logic initiates the automatic start of the associated emergency service water pump. For diesel generator logic, see Subsection 8.3.1.4. Diesel generator A (C) starts ESW pump A (C), which supplies cooling water for loop A (Division I) of the system. Signals from the start logic of diesel generator B (D) start the ESW pump B (D) for loop B (Division 2) of the system.

Diesel Generator E serves as a replacement for any of the four normally-aligned diesel generators, A, B, C, or D. In the event that Diesel Generator A, B, C, or D is removed from service for repair or maintenance, the replacement Diesel Generator E is aligned to the respective ESS Bus and will initiate the automatic start of the associated Emergency Service Water Pump.

Manual control for all four pumps is available to the operator in the control room and on the remote shutdown panel. Manual control of the diesel generator cooler main inlet/outlet valves for the diesel generators is available only in the local engine control panels.

7.3.1.1b.8.1.2 Logic, Bypasses, Interlocks, and Sequencing The logic of the ESW system uses electromechanical relays and switch contacts that actuate the equipment.

7.3.1.1b.8.1.2.1 Logic Power Source The power supply for the auxiliary supporting system divisionalized logic is from the divisionalized 125 VDC Class 1E bus. Refer to Section 8.3.

7.3.1.1b.8.1.2.2 Pump Logic Refer to the electrical schematic diagram E-146 which was submitted under separate cover.

Automatic and/or manual start of each pump is initiated if the following conditions exist:

a) Power supply bus voltage available
b) Automatic pump start signal from the aligned diesel generator logic or manual control from the control room (or remote shutdown panel)

If automatic start fails because of power supply bus trouble, one annunciator for each system loop alerts the operator in the control room.

Indicating lights for pump status are provided on the control room panel.

Once a pump is started, it remains in operation until any one of the following conditions trip the circuit breaker:

a) Manual stop by operator in control room or at remote shutdown panel
b) Feeder overcurrent
c) Power bus lockout
d) Power bus undervoltage

Long-time phase B overcurrent is alarmed for each pump motor in the main control room, but does not trip the pump.

7.3.1.1b.8.1.2.3 Bypasses A manual bypass of the pump control logic is possible by switching the transfer switch in the remote shutdown panels.

The physical removal of the pump motor circuit breaker for functional testing of the control logic represents a bypass of the system.

For bypass indication system description, refer to Section 7.5.

7.3.1.1b.8.1.2.4 Interlocks

The diesel cooler main inlet/outlet valves are normally open on both loops of ESW for the diesel generators which are aligned to the ESS buses.

If Diesel Generator 'E' is being operated in the test mode while it is not aligned to an ESS bus, an auto-start on the aligned diesel generators will trip Diesel Generator 'E' and isolate the ESW inlet/outlet valves to the diesel generator.

During maintenance on either loop of the ESW system, local switches in each diesel bay will permit the respective loop of ESW to be isolated at each diesel generator.

7.3.1.1b.8.1.2.5 Sequencing

Refer to Subsection 9.2.5.1.

7.3.1.1b.8.1.3 Redundancy

Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment to maintain the redundancy of the mechanical equipment.

ESW loop A is in Division I with pumps A and C providing the necessary system flow. System loop B is in Division II using pumps B and D.

The instrumentation of one process loop is redundant to the other.

7.3.1.1b.8.1.4 Actuated Devices

Each pump running condition generates a signal to permit the start of its associated HVAC air cooling fan and also permits the control structure chilled water system safety function to be tested.

For description of the HVAC system, refer to Subsection 9.4.8.

An actuation signal is provided from the pump A or C running condition to start the chart drive of the emergency service water flow and RHR service water flow recorder for loop A in the control room. Pump running condition of pump B or D initiates the chart drive for the system loop B recorder.

7.3.1.1b.8.1.5 Supporting Systems

The ESSW pumphouse HVAC system described in Subsection 9.4.8 is a supporting system to the emergency service water system.

7.3.1.1b.8.1.6 ESW Instrumentation Not Required for Safety

Non-safety related instrumentation in the control room includes:

a) Diesel generator A cooler outlet temperature
b) Diesel generator B cooler outlet temperature
c) Diesel generator C cooler outlet temperature
d) Diesel generator D cooler outlet temperature
e) ESW loop A (B) flow (recording)

Diesel Generator 'E' serves as replacement for any of the four normally aligned Diesel Generators A, B, C, or D. In the event that Diesel Generator A, B, C, or D is removed from service for repair or maintenance, the replacement Diesel Generator 'E' will be aligned to the respective ESS Bus. Diesel Generator 'E' cooler outlet temperature will be indicated on the diesel generator cooler outlet temperature instrumentation in the control room for the diesel generator it is replacing.

Refer to Section 7.5 for instrument ranges, accuracy, and panel location for the above-mentioned instruments.

Control room annunciators are not required for safety but alert the operator of abnormal process conditions. The following alarms are in the main control room:

a) Spray pond low level
b) ESSW structure flooded
c) ESW loop low flow
d) Diesel generator coolers high outlet temperature
e) Diesel generator rooms flooded

7.3.1.1b.8.2 RHR Service Water System - Instrumentation and Controls

The description, the design basis, and the safety evaluation of the RHR service water system are in Subsection 9.2.6.

The controls and instrumentation for the RHR service water system are designed to provide adequate information to the control room operator for control and monitoring of the system operating modes. Capability for test and calibration is provided as described in Subsection 7.3.2b-2.4-10.

7.3.1.1b.8.2.1 Initiation Circuits

The RHR service water system can be manually initiated from either the main control room or the remote shutdown panel.

7.3.1.1b.8.2.2 Logic, Bypasses, Interlocks, and Sequencing

The RHR water system control logics are designed using electromechanical relays and control switch signals to actuate the equipment.

7.3.1.1b.8.2.2.1 Logic Power Source

The RHR service water system logics are powered from two independent divisionalized 125 VDC Class 1E power sources. Refer to Section 8.3 for description.

7.3.1.1b.8.2.2.2 Pump Control Logic

For documentation of the logic, refer to electrical schematic diagram E-150, which was submitted under separate cover.

Each RHRSW pump can be started from the main control room, or one can be started from the unit remote shutdown panel (1B/2A) and the other (1A/2B) from the unit switchgear. In order to start any RHRSW pump, the following conditions must be satisfied:

a) Power supply bus voltage is available.

b) Control switch is turned to pump run position.

Any of the following conditions trip the circuit breaker to the pump motor:

1) Manual stop by operator in main control room or at the remote shutdown panel (or local circuit breaker control switch at the switchgear)
2) Motor feeder overcurrent
3) Power bus lockout
4) Power bus undervoltage

Long-time phase B overcurrent is alarmed in the main control room but does not trip the circuit breaker.

7.3.1.1b.8.2.2.3 Bypasses

A manual bypass of the main control room pump control is possible by transferring control of pump 1B or 2A at the unit remote shutdown panel or by controlling pump 1A or 2B at the unit switchgear.

The physical removal of the circuit breaker from its operating position for functional testing of the pump control logic inhibits the operation of the pump.

The above bypasses are automatically indicated on the bypass indication panel in the control room. For the Bypass Indication System (BIS) description, refer to Section 7.5.

7.3.1.1b.8.2.2.4 Valve Control Logic

In general, motor-operated valves are controlled by momentary switches with seal-in logic or by switches with maintained contacts to ensure a fully opened or closed position. The exceptions are (1) the RHR service water heat exchanger inlet valves, which are designed to modulate the RHR service water flow by manual jogging of the valve in either an opening or closing direction and (2) the spray pond bypass valves, which are part of the UHS. These valves are used to throttle ESW flow in support of ESW pump in-service testing. This function is in addition to their normal spray pond bypass function.

7.3.1.1b.8.2.2.5 Interlocks

If a LOCA occurs during a routine test of the RHR service water system, the function for "LOCA trip enable," initiated by the operator before start of testing procedure, will cause the LOCA signal to open the circuit breaker of the pump in test. This logic design prevents overloading the diesel generator in its initial operation. Under these conditions, manual initiation requires resetting the "LOCA trip enable" switch.

7.3.1.1b.8.2.3 Actuated Devices

Refer to sequencing for description of equipment actuated. The running condition for each pump closes a contact for the start of its associated HVAC air cooling fan. For description of the HVAC system, refer to Subsection 9.4.8.

The flow recorder for RHR service water and ESW flow receives the initiating signal for the chart drive from the running condition of the RHR service water pump.

7.3.1.1b.8.2.4 Redundancy and Diversity

Redundancy of the mechanical equipment is maintained on a one-to-one basis with controls and instrumentation.

Pump A and the associated process loop A are in Division I. Pump B and the associated process loop B are in Division II.

The display instrumentation in the main control room provides diversity for the process monitoring by allowing the operator to evaluate the system function from system flow, pump discharge pressure, and water temperature.

7.3.1.1b.8.2.5 Supporting Systems

The HVAC system for the ESSW pumphouse is described in Subsection 9.4.8.

7.3.1.1b.8.2.6 RHR Service Water Instrumentation Not Required for Safety

The following variables provide system monitoring to the operator but are not required for safety:

a) RHR service water pump discharge pressure
b) RHR service water flow and ESW flow recording
c) Heat exchanger inlet temperature
d) RHR service water heat exchanger inlet valve percent open position
e) RHR service water radiation monitoring (refer to Section 11.5)
f) Spray pond temperature
g) Computer inputs for process monitoring
h) Annunciator system
i) Spray Pond Riser Level

All instrument data and ranges for the RHR service water system are listed in Section 7.5.

7.3.1.1b.8.3 Containment Instrument Gas System - Instrumentation and Control

The containment instrument gas system is described in Subsection 9.3.1.5, which gives the design basis, system operation, and safety evaluation.

The two redundant sets of high pressure nitrogen storage bottles are designed as an ESF auxiliary supporting system to provide the necessary compressed gas for the operation of the main steam relief valves for auto depressurization (ADS).

Containment isolation of the instrument gas system is described in Subsection 7.3.1.1b.1.

Capability for testing is provided when testing containment isolation and further described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.8.3.1 Initiating Logic and Interlocks

A pressure sensing transmitter is located in piping headers A&B leading to the ADS relief valves.

A signal from an electronic switch automatically opens the isolation valve of the nitrogen storage bottles if the normal supply pressure is not available from the gas compressors. A signal from containment isolation also initiates the automatic opening of the nitrogen storage isolation valve.

The manual control of the outboard isolation valves allows the operator, after determining that adequate supply pressure is available from the compressors, to open the normal supply line to the ADS relief valves. This operation will isolate the instrument gas storage bottles. However, low instrument gas header pressure will automatically override this interlock to ensure the necessary gas supply.

Refer to electrical schematic diagram E-172 which was submitted under separate cover.

The logic power supply for containment isolation valves is divisionalized from a 125 VDC Class 1E bus.

The instrument panel supply is provided by a 120 VAC Class 1E source to 120 VAC/24 VDC power supply.

7.3.1.1b.8.3.2 Bypasses, Interlocks, and Sequencing

Refer to Subsection 7.3.1.1b.1.3 for Bypasses associated with CIG Valves HV-12603, HV-22603, SV-12651, SV-22651, SV-12605 and SV-22605.

The system is not designed with bypass capability. Sequencing is not applicable for this system.

This system is not interlocked with other systems.

7.3.1.1b.8.3.3 Redundancy

Instrumentation and controls are provided on a one-to-one basis with the mechanical equipment.

7.3.1.1b.8.3.4 Containment Instrument Gas - Instrumentation Not Required for Safety

The instrumentation application discussed in Subsection 9.3.1.5.5 describes the monitoring instruments and controls for the gas compressors and their controls.

The monitoring instruments in the auxiliary support system are not safety-related. Each train of gas bottles has a low header pressure alarm in the main control room. The isolation valve position is indicated by status lights on the main control room panel. Refer to Table 7.5-7 for listing of instrumentation for the containment instrument gas system.

7.3.1.1b.8.3.5 Containment Instrument Gas - Safety-Related Instrumentation

The high pressure header for each train of containment instrument gas system bottles is monitored by a safety-grade pressure indication loop which reads out on a single dual-gauge indicator located on a main control room panel. This pressure instrumentation also provides a signal to the plant computer.

This system complies with the criteria of Regulatory Guide 1.97 for post-accident indication.

7.3.1.1b.8.4 Standby Power System

Descriptions of the standby power system and supporting system can be found in the following:

a) Refer to Subsection 8.3.1 for description of the diesel generators. Refer to Section 7.6.1b.3 for NSSS to non-NSSS diesel initiation signal.

b) Refer to Subsection 9.5.4 for Diesel Fuel Oil Storage and Transfer.

c) Refer to Subsection 9.5.5 for Diesel Generator Cooling Water System.

d) Refer to Subsection 9.5.6 for Diesel Generator Starting System.

e) Refer to Subsection 9.5.7 for Diesel Generator Lubrication System.

7.3.1.1b.8.5 Heating, Ventilating, and Air Conditioning Systems for ESF Areas

All H&V systems for ESF areas are actuated by the system they support.

7.3.1.1b.8.5.1 SGTS Equipment Room H&V System

For the description and operation of this system, refer to Subsection 9.4.1.

7.3.1.1b.8.5.1.1 Initiating Circuits

Each fan of the SGTS Equipment Room H&V System may be initiated or stopped in a protective mode as follows:

a) High room temperature (lower of two high temperature setpoints) as detected by room thermostat will initiate the lead fan in "automatic" mode. The standby fan is also placed into service when the higher temperature setpoint is reached.

b) Low airflow at the common exhaust duct as detected by a flow sensor will trip the turning fan.

Capability for sensor checks and for test and calibration is provided as described in Subsection 7.3.2b-2-4.10.

7.3.1.1b.8.5.1.2 Logic and Sequencing

The ESFAS of the SGTS Equipment Room H&V System is a one-out-of-one logic.

7.3.1.1b.8.5.1.3 Interlocks

This system has no interlocks.

7.3.1.1b.8.5.1.4 Bypasses

The manual control switches for the fans in the SGTS Equipment Room H&V System, when in the OFF position, provide automatic input to the Bypass Indication System (BIS). See Section 7.5 for discussion of BIS.

The manual/automatic control of the 'A' SGTS Equipment Room Fan can be bypassed by manual operation at the Alternate Control Structure HVAC Control Panel. Operation of the fan from this panel provides input to the BIS.

7.3.1.1b.8.5.1.5 Redundancy

Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment, so that the controls and instrumentation preserve the redundancy of the mechanical equipment.

Equipment, controls, and instrumentation for the A fans belong to Division I and B fans to Division II.

7.3.1.1b.8.5.1.6 Diversity

Not applicable.

7.3.1.1b.8.5.1.7 Actuated Devices

The fan motors for this system are the only actuated devices.

7.3.1.1b.8.5.1.8 Separation

The instrumentation, controls, and power supply of the SGTS Equipment Room H&V system are redundant, and are physically and electrically separate in accordance with IEEE Std. 384-1974.

Redundant instrument sensors on the common duct are located on opposite sides of the duct to achieve separation in accordance with IEEE Std. 384-1974.

7.3.1.1b.8.5.1.9 Supporting Systems

The instrumentation and controls of the SGTS are powered from the Class 1E 125 VDC and 120 VAC systems. These electrical systems are discussed in Chapter 8.

7.3.1.1b.8.5.1.10 System Parts Not Required for Safety

The system parts not required for safety are the outputs to the control room annunciator systems and the local pressure differential indicators across the filters of the heating system.

7.3.1.1b.8.5.2 Diesel Generator Buildings' H&V Systems

For the description and operation of the Diesel Generator Buildings H&V Systems, refer to Subsection 9.4.7.

7.3.1.1b.8.5.2.1 Initiating Circuits

a) Diesel Generators A, B, C, D - Cooling Mode

Each of the four diesel generators has its own corresponding ventilation system and may be initiated or stopped as follows:

1) The starting of an associated diesel.
2) The initiation by the room thermostat.
3) Manual starting by a handswitch located in the back row panel of the main control room.
4) Tripping of the start-stop thermostat, once the diesel has been shut down and the room ambient temperature drops below the fan cut-out setting.
5) Manual stopping by a handswitch located in the main control room.
6) Manual starting by a handswitch located at a diesel generator's associated transfer panel (0C512A, B, C, D) when the diesel generator is replaced by a Diesel Generator 'E'.
7) Manual stopping by a handswitch located at a diesel generator's associated transfer panel (0C512A, B, C, D) when the diesel generator is replaced by Diesel Generator 'E'.
8) An additional temperature switch is provided in each diesel generator room to detect high-high room temperature resulting from fan control failure due to a fire in the control room. Detection of high-high temperature will actuate the switch causing transfer of controls from the control room circuit to this temperature actuated control circuit and automatically start the associated fan. This occurrence will also result in fan trouble annunciation in the control room. A low temperature setpoint is also provided to stop the fan after adequate cooling has occurred.

b) Diesel Generators A, B, C, D - Heating Mode

Each diesel generator room is maintained at a minimum of 72°F which is controlled by four thermostats that initiate the cycling of electric resistance heaters.

c) Diesel Generator 'E' - Cooling Mode

Diesel Generator 'E' has its own corresponding ventilation system and may be started or stopped as follows:

(1) Automatic starting initiated by the room thermostats.

(2) Manual starting by handswitches located on Panel 0C577E when Diesel Generator 'E' is not aligned to replace Diesel Generator A, B, C, or D.

(3) Manual stopping by handswitches located on Panel 0C577E when Diesel Generator 'E' is not aligned to replace Diesel Generator A, B, C, or D.

(4) Automatic stopping (trip) by the start-stop room thermostats, once the room ambient temperature drops below the fan cut-out setting.

(5) Manual starting by a handswitch located in the back row panel of the main control room when Diesel Generator 'E' is aligned to replace Diesel Generator A, B, C, or D.

(6) Manual stopping by a handswitch located in the back row panel of the main control room when Diesel Generator 'E' is aligned to replace Diesel Generator A, B, C, or D.

(7) Automatic stopping (trip) by the Smoke and Temperature Detection System if Diesel Generator 'E' is not aligned to an ESS Bus and in the Auto-Start mode of operation.

d) Diesel Generator 'E' Basement and Battery Room Ventilation System - Cooling Mode

Diesel Generator 'E' has a basement and battery room ventilation system that may be initiated or stopped as follows:

(1) Manual starting by a handswitch located on Panel 0C-577E.

(2) Manual stopping by a handswitch located on panel 0C-577E.

(3) Automatic stopping (trip) by the Smoke and Temperature Detection System if Diesel Generator 'E' is not aligned to an ESS Bus and in the Auto-Start mode of operation.

e) Diesel Generator 'E' - Heating Mode

Diesel Generator 'E' is maintained at a minimum temperature of 72°F at elevation 708'-0" by six thermostats that initiate the cycling of six electric unit heaters.

Elevation 675'-6" is maintained at a minimum temperature of 72°F by eight thermostats that initiate the cycling of eight electric unit heaters and by two thermostats that initiate the cycling of two electric baseboard heaters.

f) Diesel Generator 'E' Basement and Battery Room H&V System - Heating Mode

Diesel Generator 'E' Basement at elevation 656'-6" is maintained at a minimum of 60°F by five thermostats that initiate the cycling of five electric unit heaters and by four thermostats that initiate the cycling of four electric baseboard heaters. Diesel Generator 'E' also has a battery room located in the basement that is maintained at a minimum of 65°F by one thermostat located on the basement/battery room ventilation fan duct. The thermostat controls an electric baseboard heater for the battery room.

Capability for sensor checks and capability for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.8.5.2.2 Logic and Sequencing

(a) Diesel Generators A, B, C, D

Once the diesel start signal is initiated, the associated ventilation fan also starts after a time delay and continues to run until the diesel stops and the ambient room temperature drops below the thermostat cut-out setting. The intake, exhaust, and recirculation dampers are continually energized and will modulate to control the discharge air temperature.

If the room temperature exceeds 95°F while the diesel generator is not operating, the fan will automatically start. These start signals will initiate the system, provided the selector switch is positioned in the auto-mode. If the diesel generator is aligned, its associated ventilation fan can be manually stopped or started from a handswitch located on a back row panel in the main control room.

(b) Diesel Generator 'E'

The heating and ventilating system for the Diesel Generator 'E' Building is designed to maintain a suitable environment for the diesel generator and its accessories during all modes of operation. Two (2) 50 percent capacity supply fans and two (2) 50 percent capacity exhaust fans are installed to ventilate the Diesel Generator 'E' Building. One supply fan and one exhaust fan operate in a pair with three modulating dampers (one supply, one exhaust, and one recirculation damper). A second pair of ventilating fans consists of one supply, one exhaust, and no modulating dampers.

The first pair of fans is started by a thermostat located on elevation 675'-6" and another on elevation 656'-6". The thermostats will start the first pair of fans when room temperature at either elevation exceeds 100°F and will stop the fans when ambient room temperatures drop below the thermostat's cut-out setting. The supply, exhaust, and recirculation dampers are continually energized and will modulate to control the supply fan discharge air temperature at 95°F.

If the ambient room temperature on elevation 675'-6" (operating floor) increases to 110°F, the second pair of supply and exhaust fans will start to provide additional cooling. The second pair of fans will stop on decreasing temperature of 100°F. The fans can be manually started and stopped in pairs by selector switches located on Panel 0C577E in the Diesel Generator 'E' Building if Diesel Generator 'E' is not aligned to replace Diesel Generator A, B, C, or D. If Diesel Generator 'E' is aligned to replace Diesel Generator A, B, C, or D, then all four ventilation fans can manually be stopped or started only from a selector switch located on a back row panel (0C681) in the main control room.
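The staged thermostat behavior described above for the Diesel Generator 'E' Building fans, modeled as an added example that is not part of the FSAR or of any plant documentation. The first pair's cut-out setting is not stated on this page, so it is a required parameter; the 90°F value, the temperature readings, and all class and function names are constructed for illustration.

```python
"""Added example: two-stage thermostat logic for the DG 'E' Building ventilation fans."""
from dataclasses import dataclass

# Setpoints stated in the text, in degrees F.
FIRST_PAIR_START_F = 100.0   # first pair starts when either elevation exceeds this
SECOND_PAIR_START_F = 110.0  # second pair starts when elevation 675'-6" rises to this
SECOND_PAIR_STOP_F = 100.0   # second pair stops on decreasing temperature of this value


@dataclass
class DgEVentilation:
    """Automatic control only; manual selector switches are not modeled."""

    # ASSUMPTION: the page gives no value for the first pair's cut-out setting,
    # so the caller must supply one.
    first_pair_cutout_f: float
    first_pair_running: bool = False
    second_pair_running: bool = False

    def __post_init__(self):
        # A cut-out at or above the start setpoint would leave no hold band
        # and the fans would chatter around a single temperature.
        if self.first_pair_cutout_f >= FIRST_PAIR_START_F:
            raise ValueError("cut-out setting must be below the start setpoint")

    def step(self, temp_675_f, temp_656_f):
        """Apply one pair of thermostat readings; return (first_pair, second_pair)."""
        # First pair: one thermostat per elevation. Either one above 100 F starts
        # the pair; the pair stops only when both rooms are below the cut-out.
        hottest = max(temp_675_f, temp_656_f)
        if hottest > FIRST_PAIR_START_F:
            self.first_pair_running = True
        elif hottest < self.first_pair_cutout_f:
            self.first_pair_running = False
        # Between the two settings the previous state is held.

        # Second pair: driven by the operating floor (elevation 675'-6") only.
        # ASSUMPTION: "increases to 110" is read as >= and
        # "decreasing temperature of 100" as <=.
        if temp_675_f >= SECOND_PAIR_START_F:
            self.second_pair_running = True
        elif temp_675_f <= SECOND_PAIR_STOP_F:
            self.second_pair_running = False

        return self.first_pair_running, self.second_pair_running


def run_profile(cutout_f, readings):
    """Feed a sequence of (temp_675_f, temp_656_f) readings through a fresh controller."""
    controller = DgEVentilation(first_pair_cutout_f=cutout_f)
    return [controller.step(t675, t656) for t675, t656 in readings]


# Constructed temperature profile (degrees F): a heat-up followed by a cooldown.
CONSTRUCTED_PROFILE = [
    (85.0, 80.0),   # both rooms cool: nothing running
    (90.0, 101.0),  # basement alone exceeds 100: first pair starts
    (105.0, 95.0),  # operating floor between 100 and 110: second pair stays off
    (110.0, 96.0),  # operating floor reaches 110: second pair starts
    (104.0, 96.0),  # cooling, but still above 100: second pair holds
    (100.0, 95.0),  # decreasing to 100: second pair stops, first pair holds
    (91.0, 89.0),   # one room still above the cut-out: first pair holds
    (89.0, 88.0),   # both rooms below the cut-out: first pair stops
]

if __name__ == "__main__":
    for reading, state in zip(CONSTRUCTED_PROFILE, run_profile(90.0, CONSTRUCTED_PROFILE)):
        print(reading, "-> first pair:", state[0], "second pair:", state[1])
```

The hold bands are what keep either pair from cycling on and off around a single temperature, which is why the model rejects a cut-out at or above the 100°F start setpoint.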

The Diesel Generator 'E' Basement and Battery Room ventilation fan is designed to run continuously to prevent hydrogen gas from accumulating in the battery room. The fan is not capable of being started automatically. A two-position switch on local Panel 0C577E is used to start or stop the fan. An alarm on 0C577E will annunciate whenever the Diesel Generator 'E' Basement and Battery Room Fan is not running.

7.3.1.1b.8.5.2.3 Interlocks

The building ventilation fans for Diesel Generators A, B, C, and D are interlocked with the respective diesel start. The Diesel Generator 'E' Building ventilation fans are not interlocked with the diesel start. They are, however, interlocked in pairs such that a supply and an exhaust fan will start and stop together.

7.3.1.1b.8.5.2.4 Bypasses

The manual control switches of the diesel generator buildings' ventilation systems, when in the OFF position, provide automatic input to the Bypass Indication System (BIS). See Section 7.5 for discussion of BIS.

7.3.1.1b.8.5.2.5 Redundancy

Individual redundancy is not required in the diesel generator buildings' ventilation systems since each diesel generator has its own ventilating system.

7.3.1.1b.8.5.2.6 Diversity

Not applicable.

7.3.1.1b.8.5.2.7 Actuated Devices

Refer to Subsection 9.4.7.

7.3.1.1b.8.5.2.8 Separation

The instrumentation, controls, and power supply of the Diesel Generator Buildings' Ventilation Systems are physically and electrically separate. Each system is located in a separate room with missile barrier designed walls between them, or in separate buildings.

7.3.1.1b.8.5.2.9 Supporting Systems

The instrumentation and controls of the Diesel Generator Buildings' Ventilation Systems are powered from Class 1E 125 VDC and 120 VAC systems. These electrical systems are discussed in Chapter 8.0.

The diesel generator buildings' unit heaters and the basement ventilation fans that support the main ventilation system are discussed in Subsection 9.4.7.

7.3.1.1b.8.5.2.10 System Parts Not Required for Safety

The parts of the Diesel Generator Buildings' Ventilation Systems that are not required for safety are as follows:

(a) All electric heaters, see Subsection 9.4.7
(b) Instrumentation for monitoring airflow from the Diesel Generator Buildings' Ventilation Systems
(c) Instrumentation for alarming on the back row panel in the main control room of high, low, and high-high temperatures in the diesel generator room
(d) The Diesel Generator A-D Building basement ventilation fans and controls

7.3.1.1b.8.5.3 Engineered Safeguard Service Water Pumphouse Ventilation System

For the description and operation of the Engineered Safeguard Service Water (ESSW) Pumphouse H&V System, refer to Subsection 9.4.8.

7.3.1.1b.8.5.3.1 Initiating Circuits

(a) Cooling Mode

Each of the RHR and RHR emergency service water pumps has a corresponding ventilation system which may be initiated or stopped as follows:

(1) The starting of an associated service water pump.

(2) The initiation by thermostat.

(3) Manual starting.

(4) Tripping of the start stop thermostat, once the associated service water pump has been shut down and the surrounding ambient temperature drops below the fan cut-out setting.

(5) Manual stopping

Capability for sensor checks and for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

(6) An additional temperature switch initiates autostart of the ventilation fan should pump room temperature rise above high temperature setting in the event of loss of control from the control room due to a control room fire, and shuts off when the room temperature falls below the cutout setting.

7.3.1.1b.8.5.3.2 Logic and Sequencing

The pump start signal also initiates the vent fan and damper control. Fan and damper control are energized until the pump stops or until ambient temperature drops below the thermostat setting.

7.3.1.1b.8.5.3.3 Interlocks

The ESSW pumphouse ventilation systems are interlocked with the respective pump start signal.

7.3.1.1b.8.5.3.4 Bypasses

The manual control switches of the ESSW pumphouse ventilation system, when in the OFF position, provide automatic input to the Bypass Indication System (BIS). See Section 7.5 for a discussion of BIS.

7.3.1.1b.8.5.3.5 Redundancy

Instrumentation and controls are provided on a one-to-one basis with the mechanical equipment they control.

7.3.1.1b.8.5.3.6 Diversity

Not applicable.

7.3.1.1b.8.5.3.7 Actuated Devices

Refer to Subsection 9.4.8.

7.3.1.1b.8.5.3.8 Separation

The instrumentation, controls, and power supply of the ESSW pumphouse are divisionally separated. Two bays provide physical and electrical separation between Division I and Division II.

7.3.1.1b.8.5.3.9 Supporting Systems

The instrumentation and controls of the ESSW pumphouse ventilation system are powered from a Class 1E 120 VAC system. This electrical system is discussed in Chapter 8.

The ESSW pumphouse unit heaters support the ventilation system as discussed in Subsection 9.4.8.

7.3.1.1b.8.5.3.10 System Parts Not Required for Safety

The parts of the ESSW pumphouse ventilation system not required for safety are as follows:

(a) All electric unit heaters, see Subsection 9.4.8
(b) Instrumentation for monitoring airflow from the ESSW pumphouse ventilation system
(c) Instrumentation for alarming in the main control room of high-high and low-low temperatures in the ESSW pumphouse

7.3.1.1b.8.5.4 ESF Switchgear (SWGR) Rooms Cooling System

For the description of operation of the above system, refer to Subsection 9.4.2.2.

7.3.1.1b.8.5.4.1 Initiating Circuits

Each cooling unit of the Emergency SWGR Rooms Cooling System may be initiated or stopped as follows:

(a) Low airflow in the common cooling air duct, as detected by a flow sensing switch in the redundant (standby) cooling system, will initiate the standby unit.

(b) High air temperature in the common cooling air duct, as detected by a temperature sensing switch in the standby cooling system, will initiate the standby unit.

(c) On Unit 1, a separate temperature switch will isolate control circuits of Emergency Switchgear And Load Center Room Cooling Equipment from the Control Room and initiate an autostart of the A(B) Emergency Switchgear And Load Center Room Cooling Equipment upon a high room temperature provided the respective Division Control Structure Chilled Water Circulation Pump is running. It will shut off when room temperature falls below the cutout setting. This will provide cooling in the event that the existing control circuits for the Emergency Switchgear Room and Load Center Cooling System are disabled during a Control Room fire.

(d) On Unit 2, a separate temperature switch will isolate control circuits of Emergency Switchgear Room Cooling Equipment from the Control Room and initiate an autostart of the A Emergency Switchgear Room Cooling Equipment upon a high room temperature. It will shut off when room temperature falls below the cutout setting. Interlocks are provided in the fan control circuit to prevent it from starting until the compressor is running. This will provide cooling in the event that the existing control circuits for the Emergency Switchgear room cooling system are disabled during a Control Room fire.

When the standby unit is initiated, the running unit is tripped.

Capability for sensor checks and for test and calibration is provided as described in Subsection 7.3.2b.2.2-4.10.

7.3.1.1b.8.5.4.2 Logic and Sequencing

The two redundant cooling units are normally set up in a "lead-lag" fashion. The lead unit is started manually, while the other unit is on standby. The system is used for both normal and emergency operation. The lead unit continues to run after an emergency condition unless stopped as described above.

In that event, the standby unit will automatically start. During the system's safety-related operation, the emergency power supply (see Chapter 8.0) is used. In both Unit 1 and Unit 2, the SWGR room cooler's cooling coils for normal operation are cooled by the Reactor Building Chilled Water System. In Unit 1, the cooler's emergency cooling coils are cooled by the Control Structure Chilled Water System. In Unit 2, the cooler's emergency cooling coils are cooled by direct expansion refrigeration units which are in turn cooled by the Emergency Service Water System.

7.3.1.1b.8.5.4.3 Interlocks

The flow switches and temperature switches, located in the system common discharge duct, are interlocked with the respective fan.

7.3.1.1b.8.5.4.4 Bypasses

The manual control switches of each cooler fan, when in the OFF position, provide automatic input to the Bypass Indication System (BIS). See Section 7.5 for complete discussion of BIS.

7.3.1.1b.8.5.4.5 Redundancy

Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment, so that the controls and instrumentation preserve the redundancy of the mechanical equipment.

Equipment, controls, and instrumentation of unit cooler A belong to Division I, and unit cooler B to Division II.

7.3.1.1b.8.5.4.6 Diversity

Not applicable.

7.3.1.1b.8.5.4.7 Actuated Devices

None of the Emergency SWGR Rooms Cooling System equipment is actuated by any of the ESFAS control signals. The system's operation is described in Subsection 9.4.2.2.

7.3.1.1b.8.5.4.8 Separation

The instrumentation, controls, and power supply are redundant and physically and electrically separate.

Redundant instrument sensors on the common duct are located on opposite sides of the duct to achieve separation in accordance with IEEE Std. 384-1974.

7.3.1.1b.8.5.4.9 Supporting Systems

The instrumentation and controls are powered from the Class 1E 125 VDC and 120 VAC systems.

These electrical systems are discussed in Chapter 8.0.

7.3.1.1b.8.5.4.10 System Parts Not Required for Safety

The system discharge air temperature control loop, including the chilled water control valve and chilled water cooling coils, comprises the only parts of the system not required for safety.

7.3.1.1b.8.5.5 Emergency Core Cooling Systems (ECCS) Unit Coolers

For the description and operation of the ECCS unit coolers, see Subsection 9.4.2.2.

7.3.1.1b.8.5.5.1 Initiating Circuits

The unit coolers may be initiated or stopped as follows:

(a) RHR and Core Spray Pump Rooms Unit Coolers

(1) Respective pump start or stop signal.

(2) Each unit cooler is also provided with a hand switch in the control room for manual operation.

(3) An additional temperature switch is provided in the RHR pump room to detect high room temperature resulting from fan control failure due to a fire in the control room.

Detection of high temperature results in the automatic start of the B unit cooler in the RHR pump room (A unit cooler for the Unit 2 RHR pump room) while simultaneously isolating the control room controls from the fan starter circuits. A low temperature setpoint is also provided to stop the fans after adequate cooling has occurred.

(b) HPCI and RCIC Pump Rooms Unit Coolers

(1) High lead cooler discharge air temperature will initiate the standby cooler.

(2) A signal to open the RCIC pump turbine steam stop valve will initiate the lead RCIC unit cooler.

(3) A position signal on HPCI pump turbine stop valve will initiate the lead HPCI unit cooler when the valve is opened.

(4) Each unit cooler is also provided with a hand switch in the control room for manual operation.

(5) An additional temperature switch is provided in the RCIC pump room to detect high room temperature resulting from fan control failure due to a fire in the control room.

Detection of high temperature results in the automatic start of the B fan in the RCIC pump room while simultaneously isolating the control room controls from the fan starter circuits. A low temperature setpoint is also provided to stop the fans after adequate cooling has occurred.

Capability for sensor checks and for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.8.5.5.2 Logic and Sequencing

a) RHR and Core Spray Pump Rooms Unit Coolers

Each cooler is assigned on a one-to-one basis to a pump. When the pump start signal exists, the fan automatically starts.

A flow switch monitors the fan's operation. If the fan fails and the unit cooler loses the flow, an alarm will be annunciated in the main control room.

b) HPCI and RCIC Pump Rooms Unit Coolers

Two redundant unit coolers are set up in a lead-lag fashion. When an ECCS pump start signal exists, the lead fan of the respective pair of unit coolers automatically starts and the other fan remains on standby. The standby fan temperature switch monitors the operation of the lead cooler. If the lead cooler fails to deliver cooling air at a temperature below the setting of the temperature switch, the standby cooler will start.

Except for the flow switches and temperature switches, no other instruments or instrument loops are provided for the unit cooler.

7.3.1.1b.8.5.5.3 Interlocks

Each RHR and core spray pump rooms unit cooler is interlocked with a respective pump on a one-to-one basis.

7.3.1.1b.8.5.5.4 Bypass

Based on maintenance practices, indication in the Bypass Indication System (BIS) is not required per Regulatory Guide 1.47. See Section 7.5 for discussion of BIS.

7.3.1.1b.8.5.5.5 Redundancy

Instruments are provided on a one-to-one basis with the mechanical equipment they serve.

With RHR and core spray unit coolers, instrumentation and coolers A and C belong to Division I, and instrumentation and coolers B and D to Division II.

RCIC pump room unit coolers and their instrumentation belong to Division I, and HPCI coolers and their instrumentation to Division II.

7.3.1.1b.8.5.5.6 Diversity

Not applicable.

7.3.1.1b.8.5.5.7 Actuated Devices

Only fans of the unit coolers are actuated.

7.3.1.1b.8.5.5.8 Separation

Instrumentation and power supply belong to and are separated into the same divisions as the pumps the unit coolers serve.

7.3.1.1b.8.5.5.9 Supporting Systems

The instruments are powered from the Class 1E 120 VAC systems. These systems are discussed in Chapter 8.

7.3.1.1b.8.5.5.10 System Parts Not Required for Safety

The flow switches for RHR and core spray pump room unit coolers are the only parts of the system not required for safety. Their function is to alarm loss of air flow in the main control room.

7.3.1.1b.8.5.6 Drywell Unit Coolers and CRD Area Recirculating Fans

For the description and operation of the drywell unit coolers and CRD area recirculation fans, see Subsection 9.4.5.

7.3.1.1b.8.5.6.1 Initiating Circuits

All drywell unit coolers and CRD area recirculation fans are stopped by a LOCA signal. Low airflow in the lead unit or high temperature will initiate the standby unit cooler and CRD area recirculation fan, only during the non-safety-related, high-speed mode of operation. Capability for sensor checks and for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.8.5.6.2 Logic and Sequencing

Each pair of unit coolers and CRD area recirculation fans is set up in a "lead-lag" fashion. When high drywell pressure exists, all the running coolers and CRD area recirculation fans are automatically stopped. Then, the safety-related unit coolers and fan can be manually started, at low speed, from the back row panel in the main control room to provide mixing of the containment atmosphere. During normal plant operation, the standby cooler and CRD area recirculation fan pressure flow switch monitors fan operation. If the lead fan loses airflow, the standby fan will start.

The flow switch is non-safety-related. Any cooler or CRD area recirculation fan, once manually started in the safety-related mode, can only be manually stopped. The flow switch no-flow signal will not affect the operation of the cooler or CRD area recirculation fan.

7.3.1.1b.8.5.6.3 Interlocks

See logic and sequencing.

7.3.1.1b.8.5.6.4 Bypass

The hand control switches of each cooler and CRD area recirculation fan, when in the OFF position, provide automatic input to the Bypass Indication System (BIS). See Section 7.5 for discussion of BIS.

7.3.1.1b.8.5.6.5 Redundancy

Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve.

7.3.1.1b.8.5.6.6 Diversity

Not applicable.

7.3.1.1b.8.5.6.7 Actuated Devices

Refer to Subsection 9.4.5.

7.3.1.1b.8.5.6.8 Separation

The instrumentation, controls, and power supply are physically and electrically separate.

7.3.1.1b.8.5.6.9 Supporting Systems

Except for flow switches, the control system is powered from the Class 1E 120 VAC system.

7.3.1.1b.8.5.6.10 System Parts Not Required for Safety

Flow switches and the cooler inlet and outlet temperature monitoring subsystem are the only parts of the system not required for safety.

7.3.1.1b.8.5.7 Control Structure Chilled Water System (CSCWS)

For description and operation of the CSCWS, refer to Subsection 9.2.12.

7.3.1.1b.8.5.7.1 Initiating Circuits

Each CSCWS loop may be initiated or stopped as follows:

a) Manual starting and stopping
b) Low flow in the chilled water operating loop initiates the standby loop
c) High return air temperatures, in any of the following H&V systems, will trip the operating chilled water loop and initiate the standby loop:
1) Main control room
2) Computer room
3) Control structure
d) Failure of the emergency condenser water circulating pump will trip the associated chilled water circulating loop
e) Failure of a chiller will trip the entire associated loop
f) Fan failure of any of the following H&V systems will trip the associated chiller loop:
1) Main control room
2) Computer room
3) Control structure
4) Emergency switchgear and load center room - Unit 1 (Emergency operations only)

Capability for test and calibration is provided as described in Subsection 7.3.2b.2-4.10.

7.3.1.1b.8.5.7.2 Logic and Sequencing

The chilled water circulating pump loops are the controlling components for the control structure chilled water system.

Once a chilled water circulating pump is running and flow is detected, the condenser water circulating pump is initiated along with a solenoid valve, which allows air pressure to control the condensing water temperature mixing valve. Initiating signals from indication of flow in both the chilled water and condensing water loops will start the associated chiller, providing that the chiller's internal permissives such as low oil pressure are not present. Once the system is in operation, the chiller's capacity control system will modulate the compressor's inlet vane, controlling the amount of refrigerant flow to maintain a constant chilled water temperature.

In the event of any of the following input signals, the emergency condenser water circulating pump (ECWCP) associated with the operating chilled water loop will start:

a) LOCA, Unit 1
b) LOCA, Unit 2
c) Loss of offsite power

Upon initiation of the ECWCP, the following functions will occur:

a) Energize the emergency condenser water temperature control valve
b) Energize (open) the emergency service water return valve
c) Trip the condenser water circulating pump

Upon low flow of emergency condenser water, the main control room alarm is actuated, and the chilled water circulation pump is tripped, which in turn sequences off the entire operating loop and initiates the standby loop.

A manual switch located on a back row panel in the main control room can start the emergency condenser water circulating pumps for testing purposes whenever the corresponding emergency service water loop is operating.

7.3.1.1b.8.5.7.3 Interlocks

The CSCWS is interlocked with the following airflow systems:

a) Main control room
b) Computer room
c) Control structure
d) Emergency switchgear and load center room - Unit 1 (Emergency operations only)

7.3.1.1b.8.5.7.4 Bypasses

The manual control switches for the chilled water circulating pumps, when in the OFF position, provide automatic input to the Bypass Indication System (BIS). See Section 7.5 for discussion of BIS.

The manual/automatic control of the 'A' Train (loop) of CSCWS can be bypassed by manual operation at the Alternate Control Structure HVAC Control Panel. Operation from this panel would provide input to BIS.

7.3.1.1b.8.5.7.5 Redundancy

Controls and instrumentation are provided on a one-to-one basis with the mechanical equipment they serve. Equipment, controls, and instrumentation of chilled water loop A belong to Division I and chilled water loop B to Division II.

7.3.1.1b.8.5.7.6 Diversity

Not applicable.

7.3.1.1b.8.5.7.7 Actuated Devices

Refer to Subsection 9.2.12.

7.3.1.1b.8.5.7.8 Separation

The instrumentation, controls, and power supply of the CSCWS are physically and electrically separate. Redundant local control panels of the CSCWS are physically separate.

7.3.1.1b.8.5.7.9 Supporting Systems

The instrumentation and controls of the CSCWS are powered from the Class 1E 125 VDC and 120 VAC systems. These electrical systems are discussed in Chapter 8.

7.3.1.1b.8.5.7.10 System Parts Not Required for Safety

The parts of the CSCW not required for safety are as follows:

a) The service water piping and associated condenser water circulating system (pump, valves, piping, and instrumentation)
b) Pipe mounted temperature and pressure indicators

7.3.1.1b.9 Containment Atmosphere Control

The valves within these systems are a subset of those listed in Table 6.2-12 (Containment Penetration Data) and are identified by XV-157YY. Many of these valves have timers as described in Section 7.3.1.1b.1.3.

The LOCA isolation signal to four of these valves (two per division) may be bypassed by keylocked hand switches for the purpose of venting either the Drywell or the Suppression Chamber to the SGTS in the event of a false LOCA during startup.

Fifteen of these valves are independently isolated by High High Radiation signals (one per division) from detectors located in the SGTS exhaust. Four of these valves are provided with High High Radiation isolation signal overrides by means of keylocked hand switches.

7.3.1.2 IEEE 279-1971 Design Basis Information

Design basis information as required by Section 3 of IEEE 279-1971 is provided below for NSSS and non-NSSS as required for the protection systems listed and described in the preceding sections.

7.3.1.2.1 Conditions

a. NSSS The plant conditions which require protective action involving the systems of this section and other sections are examined and presented in Chapter 15 and Appendix 15A.
b. Non-NSSS Non-NSSS ESF systems as listed in Subsection 7.3.1 provide protective action in response to the following plant conditions:

Reactor Water Level
Primary Containment Pressure
Radiation (at outside air intake)
Radiation (plant gaseous effluents)

7.3.1.2.2 Variables

a. NSSS The plant variables which require monitoring to provide protective actions are identified in Tables 7.3-1, 7.3-2, 7.3-3, and 7.3-4 for ECCS and Table 7.3-5 for the containment isolation function. For other ESF described, refer to the individual system discussions or to Chapter 15 where safety analysis parameters for each event are cited.
b. Non-NSSS Variables required to be monitored in order to provide non-NSSS ESF action are as follows:

NSSS reactor water level and primary containment pressure variables constitute a LOCA signal used for Primary Containment Isolation (refer to Table 6.2-12), Secondary Containment Isolation, and Secondary Containment Recirculation and Standby Gas Treatment System initiation. Also refer to 7.3.1.1a.

Radiation (outside air intake) is used for control room isolation and initiation of the Emergency Outside Air Supply System (EOASS). Refer to Table 11.5-1.

Radiation (SGTS exhaust) is used for Primary Containment Purge Vent valve isolation.

Refer to Section 11.5.

Radiation (plant gaseous effluents) is used for Secondary Containment Isolation. Refer to Table 11.5-1.

7.3.1.2.3 Numbers of Sensors and Location

a. NSSS Minimum number of sensors required to monitor safety-related variables are provided in Technical Specifications. There are no sensors in the PCRVICS or ECCS which have a spatial dependence. Therefore, location information is not relevant.
b. Non-NSSS Minimum sensors required are noted in sections and tables describing the systems as follows:

Reactor water level and primary containment pressure are provided with NSSS and are described in 7.3.1.1a and Table 7.3-5.

Radiation (outside air intake) is provided by the NSSS supplier and is described in Table 11.5-1. Number and locations are defined under non-NSSS responsibility.

Radiation (plant gaseous effluents) is provided by the NSSS supplier and is described in Table 11.5-1. Number and locations are defined under non-NSSS responsibility.

7.3.1.2.4 Operational Limits

a. NSSS Prudent operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels so that a spurious isolation or ECCS initiation is avoided. It is then verified by analysis that the release of radioactive materials following postulated gross failures of the fuel or the RCPB is kept within acceptable bounds. Design basis operational limits (Allowable Values), as listed in the plant Technical Specifications for the PCRVICS and the ECCS, are based on operating experience and constrained by the safety design basis and the safety analyses.
b. Non-NSSS Non-NSSS systems use the operational limits for the variables as follows:

Reactor water level and primary containment pressure - refer to Subsection 7.3.1.2.3 and the plant Technical Specifications.

Radiation (intake) - refer to the plant Technical Specifications.

Radiation (Reactor Building Isolation) - refer to the plant Technical Specifications.

7.3.1.2.5 Margin Between Operational Limits

a. NSSS The margin between operational limits (i.e., trip setpoints) and the limiting conditions of operation (i.e., Allowable Values) for the PCRVICS parameters as listed in Table 7.3-5 and those listed in Tables 7.3-1 through 7.3-4 for the ECCS includes consideration of the setpoint drift. The margin between the Allowable Value and the Analytical Limit includes consideration of the accuracy (see Tables 7.3-29 and 7.3-30 for response times).

Annunciators are actuated at the setpoints to alert the reactor operator of the onset of unsafe conditions.

b. Non-NSSS Reactor water level and containment pressure - refer to Subsection 7.3.1.2.5(a).

Radiation trip levels will be below Allowable Values established in the Technical Specifications.

7.3.1.2.6 Levels Requiring Protective Action

a. NSSS Tables 7.3-5 (PCRVICS) and 7.3-1 through 7.3-4 (ECCS) provide information on the instrument functions, instrument/sensor type, instrument range, and number of channels provided. Refer to the Technical Requirements Manual for the trip setpoints, and to the plant Technical Specifications for the Allowable Values.

b. Non-NSSS Refer to the Technical Requirements Manual.

7.3.1.2.7 Range of Energy Supply and Environmental Conditions of Safety Systems

See Section 3.11 and the Susquehanna SES Environmental Qualification Program for Class 1E Equipment for environmental conditions, and Chapter 8 for the range of energy supply. PCRVICS channel, logic and main steamline isolation valve 120 VAC power is provided by the reactor protection system high inertia MG sets. Voltage regulation is designed to respond to a step load change of 50% of rated load with an output voltage change of not more than 15%. The flywheel on each MG set provides stored energy to maintain voltage and frequency within 5% of rated value for 1 second, preventing momentary switchyard transients from causing a scram. PCRVICS relays will operate without failure within the range of +10% of rated voltage. An alternate source of 120 volt power is provided to each RPS bus. This unregulated alternate power is provided for the RPS bus when maintenance is required for an MG set.

125 VDC power is provided by the Class 1E station batteries. 120 VAC power is provided by the Class 1E instrument AC system. Motive power is provided by Class 1E power systems.

7.3.1.2.8 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety System

Chapter 15 describes the following credible accidents and events: LOCA, pipe break outside containment, and feedwater line break. The remaining accidents and events are described in the FSAR as indicated.

Floods

The buildings containing ESF components have been designed to meet the PMF (Probable Maximum Flood) at the Susquehanna SES site. This ensures that the buildings will remain watertight under PMF including wind generated wave action and wave runup.

Refer to Subsection 3.4.1.

Storms and Tornadoes

The buildings containing ESF components have been designed to withstand the meteorological events described in Subsection 3.3.2.

Earthquakes

The structures containing ESF components have been seismically qualified as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE).

Fires

To protect the ESF in the event of a postulated fire, the redundant portions of the systems are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the PCRVICS and ECCS functions would not be prevented by the fire. The use of separation and fire barriers ensures that even though some portion of the systems may be affected, the PCRVICS and ECCS will continue to provide the required protective action. A fire detection system using heat detectors and product of combustion detectors is provided in PGCC floor sections and in panels containing ESF systems mounted on these floor sections. A Halon fire suppression system is provided in the same areas.

Refer to Subsection 9.5.1.1 for further fire protection discussion.

LOCA

The following PCRVICS and ECCS system components which are located inside the drywell are functionally required during and following a loss-of-coolant accident (LOCA):

1) Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines, which terminate outside the drywell
2) The MSIV safety/relief valves and recirculation discharge valve actuators, actuated equipment and cables

These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11.

Pipe Break Outside Secondary Containment

This condition will not prevent the ESF from performing their safety functions.

Feedwater Break

This condition will not prevent the ESF from performing their safety functions.

7.3.1.2.9 Minimum Performance Requirements

a. NSSS (See Table 7.3-5 for PCRVICS, which provides information on the instrument functions, instrument/sensor type, instrument range, and number of channels provided.)

Within ECCS, performance requirements refer only to a system as a whole and not specifically to individual components except in the area of accuracy (see Tables 7.3-1 through 7.3-4, which provide information on the instrument functions, instrument/sensor type, instrument range, and number of channels provided).

b. Non-NSSS Reactor water level and containment pressure are discussed in Subsection 7.3.1.2.9(a).

Radiation detection response times are not applicable; ranges are provided in Table 11.5-1.

Instrument accuracy is maintained by calibration as required by the Technical Specifications.

7.3.1.3 Final System Drawings

The final system drawings, including:

a. Piping and Instrumentation Diagrams (P&ID)
b. Functional Control Diagrams (FCD)

have been provided for the ESF in this section.

Logic, schematic, and electrical interconnection drawings will be supplied under separate cover. Table 1.7-1 lists the drawings to be supplied.

7.3.2 ANALYSIS

7.3.2a Analysis of ESFAS Supplied with the NSSS

7.3.2a.1 Emergency Core Cooling Systems - Instrumentation and Controls

7.3.2a.1.1 General Functional Requirement Conformance

Chapters 15.0 and 6.0 evaluate the individual and combined capabilities of the ECCS. For the entire range of RCPB break sizes, the cooling systems prevent excessive fuel cladding temperatures.

Instrumentation for the ECCS must respond to the potential inadequacy of core cooling regardless of the location of a breach in the RCPB. Such a breach inside or outside the containment is sensed by reactor low water level. The reactor vessel low water level signal is the only ECCS initiating function that is completely independent of breach location. Consequently, it can actuate HPCI. It can also initiate CS and LPCI with a low reactor pressure permissive present.

The other major initiating function, drywell high pressure, is provided because pressurization of the drywell will result from any significant RCPB breach anywhere inside the drywell.

Initiation of the ADS, which employs both reactor vessel low water level and drywell high pressure in coincidence, requires that the RCPB breach be inside the drywell. This control arrangement is satisfactory in view of the automatic isolation of the reactor vessel for breaches outside the drywell and because the automatic depressurization system is required only if the HPCI fails.

An evaluation of ECCS controls shows that no operator action is required to initiate the correct responses of the ECCS. However, the control room operator can manually initiate every essential operation of the ECCS. Alarms and indications in the control room allow the operator to assess situations that require the ECCS and verify the responses of each system. This arrangement limits safety dependence on operator judgment, and design of the ECCS control equipment has appropriately limited response.

The redundancy of the control equipment for the ECCS is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the ECCS, as shown in Figures 7.3-5-1, 7.3-5-2 and 7.3-6, is also consistent with the arrangement of the systems themselves.

No failure of a single initiating trip channel can prevent the start of the cooling systems when required or inadvertently initiate these same systems.

An evaluation of the control schemes for each ECCS component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling.

In performing this evaluation the redundancy of components and cooling systems was considered.

The control arrangement used for the ADS is designed to avoid spurious actuation. The ADS relief valves are controlled by two trip systems. The conditions indicated by the table result in both trip systems always remaining capable of initiating automatic depressurization. If an inoperable sensor is in the tripped state or if a synthetic trip signal is inserted in the control circuitry, automatic depressurization can be initiated when the other initiating signals are received.

The only equipment protective devices that can interrupt planned ECCS operation are those that must act to prevent complete failure of the component or system. In no case can the action of a protective device prevent other redundant cooling systems from providing adequate cooling to the core.

The controls that adjust or interrupt operation of ECCS and subsystems are located in the control structure and are under administrative control of the operators.

The components located inside the drywell and essential to ECCS performance are designed to operate in the drywell environment resulting from a LOCA. Essential instruments located outside the drywell are also qualified for the environment in which they must perform their essential function.

Capability for emergency core cooling following a postulated accident may be verified by observing the following indications:

(1) annunciators for HPCI, CS, LPCI and ADS sensor initiation logic trips
(2) flow and pressure indications for each emergency core cooling system
(3) isolation valve position lights indicating open valves
(4) injection valve position lights indicating either open or closed valves
(5) relief valve initiation circuit status by open-closed indicator lamps
(6) relief valve position may be inferred from reactor pressure indications
(7) relief valve discharge pipe temperature monitors and alarm

7.3.2a.1.2 Specific Regulatory Requirements Conformance

7.3.2a.1.2.1 Regulatory Guides

7.3.2a.1.2.1.1 Regulatory Guide 1.6 (1971)

See Subsection 8.1.6.1, paragraph a.

7.3.2a.1.2.1.2 Regulatory Guide 1.11 (1971)

Instrument lines have automatic or remote-manual isolation.

7.3.2a.1.2.1.3 Regulatory Guide 1.22 (1972)

Conformance to this regulatory guide is achieved by providing system level indication when the system is rendered inoperable for test or maintenance except for position D.3.b of the guide which is clarified and amplified in the compliance analysis for Regulatory Guide 1.47-1973. Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when called upon. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.

7.3.2a.1.2.1.4 Regulatory Guide 1.29 (1976)

Instrumentation is classified as Seismic Category I as discussed in Section 3.10.

7.3.2a.1.2.1.5 Regulatory Guide 1.30 (1972)

Refer to Section 3.13.

7.3.2a.1.2.1.6 Regulatory Guide 1.32 (1972)

Conformance is described in the conformance to General Design Criterion 17 and Industry Standard IEEE 308-1971.

7.3.2a.1.2.1.7 Regulatory Guide 1.47 (1973)

Regulatory Position C.1, C.2 and C.3

Indication is provided in the main control room to inform the operator that a system is inoperable.

Annunciation is provided to indicate that either a system or a part of a system is not operable. For example, the ECCS systems have annunciator alarms whenever one or more channels of an input variable are bypassed. Instruments which form part of a one-out-of-two-twice logic can be removed from service for calibration. Removal of the instrument from service will be indicated in the control room as a single instrument channel trip. Each subsystem within the ECCS Network is provided with an automatically or operator initiated system level bypass and inoperability annunciator located in the control room.

Regulatory Position C.4

Capability for manual initiation of the ECCS system level bypass and inoperability indication is provided by activation of a control switch located in the main control room. This may be used to provide administrative control of the bypass indication for those bypasses or inoperabilities which cannot be automatically indicated. A control switch is provided for each system level bypass indicator.

The importance of providing accurate information for the reactor operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system are discussed in the following paragraphs:

(1) Individual indicators are arranged together on the control room panel to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators, both at a system level and component level, will be grouped only with those items that will prevent a system from operating if needed.

(2) As a result of design, preop testing and startup testing, no erroneous bypass indication is anticipated.

(3) These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions.

This indication has no safety-related functions.

(4) All circuits will be electrically independent of the plant safety systems to prevent the possibility of adverse effects. The annunciator initiation signals cannot prevent required protective actions.

(5) Each indicator can be individually tested.

7.3.2a.1.2.1.8 Regulatory Guide 1.53 (1973)

Compliance with NRC Regulatory Guide 1.53-1973 is achieved by specifying, designing, and constructing the ECCS so that they meet the single failure criterion described in Paragraph 4.2 of IEEE 279-1971 and IEEE 379-1972. Redundant sensors are used, and the logic is arranged to ensure that a failure in a sensing element or the decision logic or an actuator will neither prevent nor spuriously initiate protective action. Separated channels are employed, so that a fault affecting one channel will not prevent the other channels from operating properly. Specifications are provided to define channel separation for wiring not included with NSSS supplier-supplied equipment.
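The single-failure property stated above can be checked by injecting one channel fault at a time into a model of the trip logic. The following is an added example, not part of the FSAR: the channel names A through D and the (A or B) and (C or D) arrangement assumed for the one-out-of-two-twice logic named under Regulatory Guide 1.47 are assumptions, and the two simpler logics are included only for contrast.

```python
"""Single-failure check of sensor trip logic (added example, not from the FSAR)."""

CHANNELS_4 = ("A", "B", "C", "D")  # assumed channel names
CHANNELS_2 = ("A", "B")


def one_out_of_two_twice(t):
    # Assumed arrangement: either channel of pair 1 AND either channel of pair 2.
    return (t["A"] or t["B"]) and (t["C"] or t["D"])


def one_out_of_two(t):
    # Contrast case: any single tripped channel actuates.
    return t["A"] or t["B"]


def two_out_of_two(t):
    # Contrast case: both channels must trip to actuate.
    return t["A"] and t["B"]


def output(logic, channels, demand, forced):
    """Evaluate the logic. Healthy channels follow the real plant condition
    (`demand`); channels listed in `forced` are stuck at the given state."""
    trips = {ch: forced.get(ch, demand) for ch in channels}
    return logic(trips)


def single_failure_report(logic, channels, in_trip=()):
    """Inject one channel fault at a time and record which faults defeat the logic.

    in_trip: channels already placed in the tripped state, for example an
    instrument removed from service for calibration.
    """
    base = {ch: True for ch in in_trip}
    candidates = [ch for ch in channels if ch not in in_trip]
    # Fault mode 1: channel fails to trip while the plant condition demands action.
    prevents = [ch for ch in candidates
                if not output(logic, channels, True, {**base, ch: False})]
    # Fault mode 2: channel trips although no plant condition demands action.
    spurious = [ch for ch in candidates
                if output(logic, channels, False, {**base, ch: True})]
    return {"prevents_actuation": prevents, "spurious_actuation": spurious}


def main():
    cases = [
        ("one-out-of-two-twice", one_out_of_two_twice, CHANNELS_4, ()),
        ("one-out-of-two", one_out_of_two, CHANNELS_2, ()),
        ("two-out-of-two", two_out_of_two, CHANNELS_2, ()),
        ("one-out-of-two-twice, A in trip", one_out_of_two_twice, CHANNELS_4, ("A",)),
    ]
    for name, logic, channels, in_trip in cases:
        print(name, single_failure_report(logic, channels, in_trip))


if __name__ == "__main__":
    main()
```

In this model, holding channel A in the tripped state leaves no single failure that blocks actuation, but a spurious trip of C or D alone then actuates the logic, so the margin against inadvertent initiation is reduced for as long as the channel stays in trip.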

7.3.2a.1.2.1.9 Regulatory Guide 1.62 (1973)

Means are provided for manual initiation of ECCS at the system level through the following armed pushbutton switches:

(1) HPCI: one switch in Division 2
(2) ADS A: two switches in Division 1
(3) ADS B: two switches in Division 2
(4) CS A/CS C: one switch in Division 1
(5) CS B/CS D: one switch in Division 2
(6) RHR A/RHR C: one switch in Division 1
(7) RHR B/RHR D: one switch in Division 2

These switches are located on a main control room panel in the designated ECCS division portions of that panel.

The amount of equipment common to initiation of both manual and automatic emergency core cooling is kept to a minimum through implementation of manual initiation (operation of armed pushbutton) of emergency core cooling at the final devices (relays) of the protection system. No single failure in the manual, automatic or common portions of the protection system will prevent initiation of a sufficient amount of emergency core cooling equipment by manual or automatic means.

In order to prevent manual initiation of vessel depressurization when low pressure core cooling capability is absent, the ADS manual initiation has an interlock to assure proper conditions for depressurization (AC Interlock). One interlock is provided for Division 1 ADS and a second independent interlock is provided for Division 2 ADS.

Manual initiation of emergency core cooling, once initiated, goes to completion as required by IEEE 279-1971 paragraph 4.16.

7.3.2a.1.2.1.10 Regulatory Guide 1.75 (1974)

Refer to Subsection 7.1.2.5.8.

7.3.2a.1.2.2 10 CFR 50, Appendix A

(1) Criterion No. 5

Emergency power supplies are shared between Susquehanna Units 1 and 2. Interlocks are provided so that required safety functions are adequately performed in the event of an accident in one Unit, and so that orderly, safe shutdown and cooldown functions are adequately performed in the other Unit.

(2) Criterion No. 13

Conformance to this requirement is achieved by monitoring appropriate variables over the range expected and providing containment isolation, emergency core cooling, and other functions to maintain the variables within the prescribed ranges.

(3) Criteria 17 and 18

See Subsections 8.3.1.11.1 and 8.3.2.2.1.

(4) Criteria 19 through 24, 29, 35, and 37

Conformances to these criteria are shown in Subsections 7.3.1.1a.1.3, 7.3.1.1a.1.4, 7.3.1.1a.1.5 and 7.3.1.1a.1.6. See also Section 3.1.

7.3.2a.1.2.3 Industry Standards

7.3.2a.1.2.3.1 IEEE 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations

Compliance of the ECCS with IEEE 279-1971 is detailed below.

7.3.2a.1.2.3.1.1 General Functional Requirement (IEEE 279-1971, Paragraph 4.1)

Automatic initiation of the ECCS is provided from sensors measuring reactor vessel low water level and drywell high pressure. The following systems are individually initiated by automatic means:

(1) HPCI
(2) ADS
(3) CS
(4) LPCI mode of the RHR system

This automatic initiation is accomplished with precision and reliability commensurate with the overall ECCS objective and is effective over the full range of environmental conditions depicted below:

(1) Power supply voltages HPCI: Tolerance is provided to complete loss of station AC power, but not loss of the DC source of power for the HPCI system.

ADS: Tolerance is provided to complete loss of station AC power, but not to loss of both DC sources for ADS.

CS: Tolerance is provided to complete loss of AC or DC power within one division, but not loss of power to both divisions.

LPCI: Tolerance is provided to AC power supply failure such that failures cannot negate PCI Divisions.

(2) Power supply frequency HPCI: No AC controls are used.

ADS: No AC controls are used.

CS: Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.

LPCI: Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.

(3) Temperature HPCI, ADS, CS, and LPCI:

Operable at all temperatures that can result from LOCA. See Section 3.11.

(4) Humidity HPCI, ADS, CS, and LPCI:

Operable at humidities, including steam, that can result from a LOCA. See Section 3.11.

(5) Pressure HPCI, ADS, CS, and LPCI:

Operable at all pressures resulting from a LOCA as required. See Section 3.11.

(6) Vibration HPCI, ADS, CS, and LPCI:

Tolerance to conditions stated in Section 3.10.

(7) Malfunctions Overall ECCS:

Network tolerance to any single component failure to operate on command.

(8) Accidents HPCI, ADS, CS, and LPCI:

Network tolerance to all design basis accidents without malfunction.

(9) Fire HPCI:

Tolerance to single raceway fire or mechanical damage of the initiation sensors but not the control cabinet outputs.

Overall ECCS:

Network tolerance to single raceway fires or mechanical damage.

(10) Explosion HPCI, ADS, CS, and LPCI:

Explosions are not defined in design bases.

(11) Missiles HPCI: Tolerance to any single missile destroying no more than one pipe or raceway to the initiation sensors.

ADS: Separate routing of the ADS conduits within the drywell reduces to a very low probability the potential for missile damage to more than one conduit to ADS or damage to the pilot solenoid assemblies of ADS valves.

Overall ECCS:

Network tolerance to any single missile destroying no more than one pipe, raceway, equipment or cabinet.

(12) Lightning HPCI and ADS:

Ungrounded DC system not subject to lightning strikes.

CS and LPCI:

Tolerance to lightning damage limited to one auxiliary bus system. See comments under (1) and (2).

(13) Flood HPCI, ADS, CS, and LPCI:

All control equipment is located above level by design.

(14) Earthquake HPCI, ADS, CS, and LPCI:

Tolerance to conditions stated in Section 3.10.

(15) Wind and Tornado HPCI, ADS, CS, and LPCI:

Class I structure houses all control equipment.

(16) System Response Time HPCI, ADS, CS, and LPCI:

Response times are within the requirements of need to start ECCS (see Chapter 15).

(17) System Accuracies HPCI, ADS, CS, and LPCI:

Accuracies are within that needed for correct timely action.

(18) Abnormal Ranges of Sensed Variables HPCI, ADS, CS, and LPCI:

Sensors are not subject to saturation when overranged.

7.3.2a.1.2.3.1.2 Single Failure Criterion (IEEE 279-1971, Paragraph 4.2)

HPCI: The HPCI system, by itself, is not required to meet the single failure criterion. The control logic circuits for the HPCI system initiation and control are housed in a single relay cabinet and the power supply for the control logic and other HPCI system equipment is from a single DC power source.

The HPCI system initiation sensors and wiring up to the HPCI system relay logic cabinet do, however, meet the single failure criterion. In addition, two divisionally separated HPCI isolation logics are provided in compliance with IEEE-279-1971 for the leak detection system isolation function. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line, or pipe, failure can prevent HPCI initiation. Wiring separation between divisions also provides tolerance to single raceway destruction, including shorts, opens, and grounds, in the accident detection portion of the control logic. The single failure criterion is not applied to the logic relay cabinet or to other equipment required to function for HPCI system operation.

ADS: The ADS system, comprised of two independent sets of controls for the two pilot solenoids, meets all credible aspects of the single failure criterion. At least two failures would have to occur to cause actuation. Tolerance to the following single failures or events has been incorporated into the control system design and installation:

(1) Single open circuit
(2) Single short circuit
(3) Single relay failure to pickup
(4) Single relay failure to drop out
(5) Single module failure
(6) Single control cabinet destruction
(7) Single instrument rack destruction
(8) Single raceway destruction
(9) Single control power supply failure (any mode)
(10) Single motive power supply failure (any mode)
(11) Single control circuit failure
(12) Single sensing line (pipe) failure
(13) Single electrical component failure

CS: The CS system, comprising two independent sets of controls for the two physically separated pumping systems, meets the single failure criterion. Tolerance to the following single failures or events has been incorporated into the control system design and installation:

(1) Single open circuit
(2) Single short circuit
(3) Single relay failure to pickup
(4) Single relay failure to drop out
(5) Single module failure (including multiple shorts, opens and grounds)
(6) Single control cabinet destruction (including multiple shorts, opens and grounds)
(7) Single instrument rack destruction (including multiple shorts, opens and grounds)
(8) Single raceway destruction (including multiple shorts, opens and grounds)
(9) Single control power supply failure (any mode)
(10) Single motive power supply failure (any mode)
(11) Single control circuit failure
(12) Single sensing line (pipe) failure
(13) Single electrical component failure

When considering the consequences of destruction of a single control cabinet, instrument rack or raceway, attention is focused on the wiring that must run between the two CS system control cabinets for purposes of mutual backup. Destruction of wiring in one cabinet can be assumed to short and ground the wires going between the two cabinets. It can be shown that the worst combination of shorts and grounds in a single cabinet cannot disable the automatic control for both CS system loops. False starts could be initiated and a ground may be imposed on one side of the second subsystem and redundancy may be impaired, leaving a single subsystem operating on a limiting two-out-of-two logic for the injection valve opening permissive. However, such gross destruction of an entire cabinet is extremely unlikely. Moreover, these consequences are no worse than losing a single fuse on the low pressure permissive relay circuit or failing to operate a single injection valve. Gross faulting within a single raceway can reduce redundancy but does not disable redundant systems, even though redundant DC power supplies may be involved and sensors are shared by different systems.

LPCI: Redundancy in equipment and control logic circuitry is provided so that it is highly unlikely that the complete LPCI subsystem can be rendered inoperative.

Two control logic circuits are provided. Control logic "A" initiates loop A pumps and valves.

Control logic "B" initiates loop B pumps and valves.

Tolerance to the following single failures or events is provided in the control logic initiation circuitry so that these failures would disable only one LPCI loop (no more than two of four pumps available):

(1) Single open circuit
(2) Single short circuit
(3) Single relay failure to pickup
(4) Single relay failure to drop out
(5) Single module failure (including shorts, opens, and grounds)
(6) Single control cabinet destruction (including shorts, opens, and grounds)
(7) Single local instrument rack destruction (including shorts, opens, and grounds)
(8) Single raceway destruction (including shorts, opens, and grounds)
(9) Single control power supply failure
(10) Single motive power supply failure
(11) Single control circuit failure
(12) Single sensing line (pipe) failure
(13) Single electrical component failure

7.3.2a.1.2.3.1.3 Quality of Components (IEEE 279-1971, Paragraph 4.3)

HPCI: See Section 3.11.

ADS: Components used in the ADS control system have been carefully selected for the specific application. Ratings have sufficient conservatism to ensure against significant deterioration over the lifetime of the plant as described below:

(1) Switch and relay contacts carry no more than 50% of their continuous current rating.

(2) Controls are energized to operate and have brief and infrequent duty cycles.

(3) Instrumentation and controls are heavy duty industrial types of standard designs well proven by service in industry or in nuclear power plant applications.

(4) These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the ADS.

Furthermore, a quality control and assurance program is required, to be implemented and documented by equipment vendors, with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

CS: Components used in the CS control system have been carefully selected on the basis of suitability for the specific application. All of the sensors and logic relays are of the same types used in the RPS discussed in Section 7.2. Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

(1) Switch and relay contacts carry no more than 50 percent of their continuous current rating.

(2) CS controls are energized to operate and have brief and infrequent duty cycles.

(3) Motor starters and breakers are effectively derated for motor starting applications since their nameplate ratings are based on short circuit interruption capabilities as well as on continuous current carrying capabilities. Short circuit current interrupting capabilities are many times the starting current for the motors being started, so that normal duty does not begin to approach maximum equipment capability.

(4) Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application will demand, even including testing.

(5) Instrumentation and controls are heavy duty industrial types of standard designs well proven by service in industry or in nuclear power plant applications.

(6) These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components that have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the CS control system.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B. "Minimum" maintenance has been assumed to have been achieved if components can be reasonably expected to last 40 years or more without wearing out or failing under their maximum anticipated duty cycle, including testing.

LPCI: The discussion in this section regarding CS system equipment applies equally to the LPCI system.

7.3.2a.1.2.3.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4)

HPCI: The HPCI system steamline isolation valve located inside the drywell is a normally open valve and is, therefore, not required to operate except under special or test conditions.

Also, this valve is considered to be part of the piping system for HPCI system operation rather than part of the control system and is outside the scope of this section. See the discussion in Section 5.5 for further information on this valve control.

Other process sensor equipment for HPCI system initiation is located in the reactor building and is capable of accurate operation in ambient temperature conditions that result from abnormal (i.e., loss-of-ventilation and LOCA) conditions. Panels and relay cabinets are located in the control structure, so environmental testing of components mounted in these enclosures is not warranted. There are no components in the HPCI control system that have not demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use. See Sections 3.10 and 3.11 also.

ADS: The solenoid valves, their cables, and the relief valve mechanical operators of the ADS are located inside the drywell and must remain operable in the LOCA environment. These items are selected with capabilities that permit proper operation in the most severe environment resulting from a LOCA and have been environmentally tested to verify the selection. Gamma and neutron radiation is also considered in the selection of these items and only materials which are expected to tolerate the integrated dosage superimposed on other environmental factors for at least a 40-year period of normal plant operation without excessive deterioration are used (i.e., no need for a replacement is anticipated). The SSES EQ Program manages aging of equipment in the program to ensure it continues to perform its intended function during the period of extended operation.

Other components of the ADS control system which are required to operate in the drywell environment are the condensate pots for the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (i.e., loss-of-ventilation and LOCA) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type as used for the RPS and meet the same standards. Control panels and relay logic cabinets are located in the control structure which presents no new or unusual operating considerations.

All components used in the ADS control system have demonstrated reliable operation in similar nuclear power plant protection system or industrial applications. See Sections 3.10 and 3.11 also.

CS: All sensory equipment is located in the reactor building outside the drywell and is capable of accurate operation with wider swings in ambient temperature than would result from the normal or abnormal (i.e., loss-of-ventilation and LOCA) conditions. Reactor vessel water level sensors, drywell high pressure sensors, and reactor vessel low pressure permissive switches are of the same type as those discussed in Section 7.2. The testable check valves located inside the drywell are considered to be part of the piping system rather than part of the control system. Control panels and relay logic cabinets are located in the control structure which presents no new or unusual operating considerations. All components used in the CS control system have demonstrated reliable operation in similar nuclear power plant protection systems or industrial applications.

LPCI: No components of the LPCI System are required to operate in the drywell environment except for the condensate pots used with the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider changes in ambient temperature than results from normal or abnormal (i.e., loss-of-ventilation and LOCA) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type as used for the RPS and meet the same standards. Reactor vessel low pressure permissive sensors are of the same type as those discussed in the RPS. The testable check valves which are located inside the drywell are considered to be part of the piping system rather than part of the control system. Control panels and relay logic cabinets are located in the control structure which presents no new or unusual operating considerations.

All components used in the LPCI system have demonstrated reliable operation in similar nuclear power plant protection system or industrial applications.

7.3.2a.1.2.3.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5)

HPCI: The HPCI system instrument initiation sensors and isolation logic meet the single failure criterion as discussed in Subsection 7.3.2a.1.2.3.1.2 and thus satisfy the channel integrity objective of this paragraph.

By definition, from IEEE 279-1971, paragraph 2, a channel loses its identity where single action signals are combined. Therefore, since instrument channels are combined into a single initiation trip system this paragraph of IEEE 279-1971 does not strictly apply for the HPCI control system.

ADS: The ADS system initiation channels (low water level or high drywell pressure) satisfy the channel integrity objective of the paragraph.

CS: The CS control system is designed to tolerate the spectrum of failures listed under the general requirements, the single failure criterion, and thus satisfies the channel integrity objective of this paragraph.

LPCI: The LPCI system initiation channels (low water level or high drywell pressure) satisfy the channel integrity objective of this paragraph.

7.3.2a.1.2.3.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6)

HPCI: Channel independence for initiation sensors monitoring each variable is provided by electrical and mechanical separation. For instance, the A and C sensors for reactor vessel water level are located on one local instrument panel identified as Division 1 equipment, and the B and D sensors are located on a second instrument rack widely separated from the first and identified as Division 2 equipment. The A and C sensors have a common pair of process taps which are widely separated from the corresponding taps for sensors B and D. Disabling of one or both sensors in one location does not disable the control for HPCI initiation. Channel independence does not strictly apply to the HPCI system since the one-out-of-two taken twice logic is combined in a single logic trip system.

ADS: Channel independence for sensors exposed to each variable is provided by electrical and mechanical separation. For instance, the A and C sensors for reactor vessel level are located on one local instrument rack identified as Division 1 equipment and the B and D sensors are located on a second instrument rack widely separated from the first and identified as Division 2 equipment. The A and C sensors have a common pair of process taps which are widely separated from the corresponding taps for sensors B and D.

Disabling of one or both sensors in one location does not disable the control for both of the auto depressurization control channels.

Logic relays for the ADS are separated into Division 1 and Division 2 located in separate cabinets. ADS controls are separated on the control panels.

CS: Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. For instance, the A and C sensors for reactor vessel water level are located on one local instrument panel that is identified as Division 1 equipment, and the B and D sensors are located on a second instrument panel, widely separated from the first and identified as Division 2 equipment. The A and C sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and D.

Disabling of one or all sensors in one location does not disable the control for either of the two core spray loops.

Relay cabinets for CS subsystem A are in a separate physical division from that for CS subsystem B, and each division is complete in itself, with its own station battery control and instrument power bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final control element, and includes both control and motive power supplies. Although there are only two sensors for each variable in each division, the drywell pressure and reactor water level sensors back up each other so that the logic for each division is one-out-of-two taken twice, energize to operate.

LPCI: Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. For instance, the A and C sensors for reactor vessel low water level are located on one local instrument rack that is identified as Division 1 equipment, and the B and D sensors are located on a second instrument rack, widely separated from the first and identified as Division 2 equipment. The A and C sensors have a common process tap which is widely separated from the corresponding tap for sensors B and D. Disabling of one or all sensors in one location does not disable the control for the other Division.

Relay cabinets for Division 1 are in a separate location from that of Division 2, and each division is complete in itself, with its own station battery control and instrument power bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final control element, and includes both control and motive power supplies.

Although there are only two sensors for each variable in each division, these sensors back up each other as described in the preceding paragraph.
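As an added illustration (not part of the FSAR), the following Python sketch injects stuck sensor states into a one-out-of-two-taken-twice voter and compares it with plain one-out-of-two and two-out-of-two logic against the single failure criterion. The grouping of channels into OR pairs is an assumption, chosen to be consistent with the statement above that disabling both sensors in one location does not disable initiation; all function names are hypothetical.

```python
from itertools import combinations, product

SENSORS = ("A", "B", "C", "D")
# From the text: A and C share one rack and process taps, B and D the other.
LOCATIONS = {"Division 1": ("A", "C"), "Division 2": ("B", "D")}
# Assumed pairing (not stated on the page): each OR pair spans both locations.
CROSS_PAIRS = (("A", "B"), ("C", "D"))
# Counter-example pairing: each OR pair sits entirely on one rack.
SAME_RACK_PAIRS = (("A", "C"), ("B", "D"))


def one_of_two_twice(trips, pairs=CROSS_PAIRS):
    """Actuate only when at least one channel in EVERY pair is tripped."""
    return all(any(trips[s] for s in pair) for pair in pairs)


def one_of_two(trips):
    """Reference logic: either of two channels actuates."""
    return trips["A"] or trips["B"]


def two_of_two(trips):
    """Reference logic: both of two channels must trip."""
    return trips["A"] and trips["B"]


def sensor_states(demand, faults):
    """Healthy sensors follow the real plant condition; faulted ones are stuck."""
    return {s: faults.get(s, demand) for s in SENSORS}


def failure_findings(logic, n_faults=1):
    """Try every combination of n stuck sensors, with and without a real demand.

    Returns the sorted list of (faulted sensors, effect) where the logic output
    disagrees with the real demand.
    """
    findings = set()
    for group in combinations(SENSORS, n_faults):
        for stuck in product((False, True), repeat=n_faults):
            faults = dict(zip(group, stuck))
            for demand in (False, True):
                if logic(sensor_states(demand, faults)) != demand:
                    kind = "fails to actuate" if demand else "spurious actuation"
                    findings.add((group, kind))
    return sorted(findings)


def survives_location_loss(pairs):
    """True if losing every sensor at one location still allows initiation."""
    for sensors in LOCATIONS.values():
        faults = {s: False for s in sensors}  # whole rack or tap disabled
        if not one_of_two_twice(sensor_states(True, faults), pairs):
            return False
    return True


if __name__ == "__main__":
    for name, logic in (("1oo2", one_of_two), ("2oo2", two_of_two),
                        ("1oo2 taken twice", one_of_two_twice)):
        print(name, "single-failure findings:", failure_findings(logic))
    print("double-failure findings:", failure_findings(one_of_two_twice, 2))
    print("cross pairing survives rack loss:", survives_location_loss(CROSS_PAIRS))
    print("same-rack pairing survives rack loss:",
          survives_location_loss(SAME_RACK_PAIRS))
```

The single-failure sweep returns no findings for the taken-twice voter, while every pair of coincident failures that defeats it is listed by the two-fault sweep.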

7.3.2a.1.2.3.1.7 Control and Protection Interaction (IEEE 279-1972, Paragraph 4.7)

The HPCI, ADS, CS and LPCI systems are designated as safety systems and are designed to be independent of plant control systems. Annunciator circuits are electrically isolated and cannot impair the operability of these systems.

7.3.2a.1.2.3.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8)

HPCI: Inputs that start the HPCI system are direct measures of the variables that indicate need for high pressure core cooling; viz., reactor vessel low water level or high drywell pressure.

Reactor vessel water level and drywell pressure sensors are described in this section for the CS system and apply equally to the HPCI system.

ADS: Inputs that start the ADS are direct measures of the variables that indicate both the need and acceptable conditions for rapid depressurization of the reactor vessel; viz., reactor vessel low water verified by high drywell pressure and at least one low pressure core cooling subsystem developing adequate discharge pressure plus adequate time delay to allow HPCI to operate if available.

CS: Inputs that start the CS system are direct measures of the variables that indicate the need for low pressure core cooling; viz., reactor vessel low water level, high drywell pressure, and reactor low pressure. Reactor vessel water level is sensed by level indicating switches. Drywell high pressure is sensed by non-indicating pressure switches on two separate sensing lines connected to two separate penetrations. Each sensing line has its own root valve and each pressure switch has its own instrument valve. Four reactor vessel pressure switches for the low pressure injection valve opening permissive are on four separate instrument lines going through the drywell at two different locations. The A and C lines are in one location and the B and D lines in another location. These switches operate relays whose contacts are connected in A or B logic for the CS system valve opening permissives. The vessel water level indicator switches are operated by the differential pressure between a reference leg and a vessel static head tap.

LPCI: Inputs that start the LPCI system are direct measures of the variables that indicate the need for LPCI; viz., reactor vessel low water, high drywell pressure, and reactor low pressure.

Reactor vessel level is sensed by vessel water level indicator switches. Drywell high pressure is sensed by pressure switches. Reactor low pressure is sensed by pressure switches.

7.3.2a.1.2.3.1.9 Capability of Sensor Checks (IEEE 279-1971, Paragraph 4.9)

All HPCI, ADS, CS and LPCI sensors are of the pressure sensing type, and are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown.

The reactor low pressure switches can be checked for operability during plant operation by closing the instrument valve and bleeding off pressure to the low pressure actuation point while observing channel trip.

The reactor vessel level switches can be similarly checked for operability by closing the low side instrument valve and bleeding off a small amount of water through the low side bleed plugs (which are provided for venting the instruments), while observing the scale reading and channel trip indication in the control structure, and then reopening the instrument valve.

The drywell high pressure switches can be checked only by application of gas pressure from a low pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve.

7.3.2a.1.2.3.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10)

HPCI: The discussion in this section regarding CS system test and calibration applies equally to the HPCI system except that the turbine (rather than pump) is started by opening the steam inlet valve. The injection valve is kept closed during the test. The operability of the injection valve can be verified during reactor operation by opening it when the HPCI turbine is not operating.

ADS: The ADS is not tested in its entirety during actual plant operation but provisions are incorporated so that operability of all elements of the system can be verified at periodic intervals. The operability of individual valves may be verified by means of the individual control switches on the main control room panels. Testing of control circuitry is accomplished at the control relay cabinets by means of test jacks, switches, and indicator lights while exercising sensors one at a time. The test method is generally as follows:

Action, followed by the expected Observation(s):

(1) Exercise a sensor
    a. Sensor relay pickup
    b. Alarm is given

(2) Start a CS or RHR (LPCI mode) pump
    a. Off-normal alarm
    b. Low pressure cooling system available relay pickup

(3) Exercise logic channel by means of plug-in test switch
    a. Logic channel relay pickup
    b. Continuity lights on each valve circuit are energized

(4) Reset logic channel
    a. Annunciators clear

(5) Repeat above steps for other sensors, other low pressure ECCS pumps, other logic channels
    a. Same as for associated steps above

CS: The CS control system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests. Pumps can be started by the appropriate breakers to pump water against system check valves or return it to the suppression pool through test valves while the reactor is at pressure. Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested. Check valves are testable by a remotely operable pneumatic piston. Core spray water is not actually introduced into the vessel during CS system testing unless operator action is taken to cause the injection. The only time the core spray pattern was tested was prior to initial fuel load.

LPCI: The discussion in this section regarding CS system test and calibration applies equally to the LPCI system.

7.3.2a.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11)

HPCI: Calibration of a sensor that introduces a single instrument channel trip will not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses as such in the HPCI system. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. Removal of an instrument channel from service during calibration will be brief.

ADS: Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective action without the coincident trip of three other channels. Removal of an instrument channel from service during calibration will be brief and will not significantly increase the probability of failure to operate. There are no channel bypasses in the ADS.

Removal of a sensor from operation during calibration does not prevent the redundant trip circuit from functioning if accident conditions occur. The manual reset buttons can interrupt the auto depressurization for a limited time. However, releasing either one of the two reset buttons will allow automatic timing and action to resume.

CS: The discussion in this section regarding HPCI channel bypass is equally applicable to the CS system.

LPCI: The discussion in this section regarding HPCI channel bypass is equally applicable to the LPCI subsystem.

7.3.2a.1.2.3.1.12 Operating Bypasses (IEEE 279-1971, Paragraph 4.12)

There are no operating bypasses in the HPCI, CS, and LPCI systems.

ADS: The manual reset of the ADS timer may be considered to be an operating bypass. The bypass is automatically removed when the preset time interval expires.

7.3.2a.1.2.3.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13)

Automatic indication, accompanied by an audible alarm, is provided in the main control room to inform the operator that a protection system, of which the ECCS is one, and the systems actuated or controlled by the protection system, is inoperable. Manual capability also exists in the main control room and may be used to activate each system level indicator provided for the protection system.

7.3.2a.1.2.3.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14)

Access to switchgear, motor control centers and valves may be procedurally controlled by the following administrative means or other suitable alternative:

(1) Seals (or locks) on valves

(2) Lockable doors on the emergency switchgear rooms

(3) Lockable breaker control switch handles in the motor control centers

The logic test plugs are under the administrative control of the operators.

The HPCI turbine cannot be automatically bypassed but can be disabled for test purposes. Such disabling is possible only in the control room and is under the administrative control of plant supervisory personnel.

7.3.2a.1.2.3.1.15 Multiple Setpoints (IEEE 279-1971, Paragraph 4.15)

This section is not applicable to the HPCI, ADS, CS or LPCI systems because all trip setpoints are fixed.

7.3.2a.1.2.3.1.16 Completion of Protective Action Once It Is Initiated (IEEE 279-1971, Paragraph 4.16)

HPCI: The final control elements for the HPCI system are essentially bi-stable, i.e., motor operated valves stay open or closed once they have reached their desired position even though their starter may drop out (which they do when the limit switch is reached). In the case of the turbine, the auto initiation signal is electrically sealed in. Thus, protection action once initiated (i.e., flow is established) must go to completion or continue until terminated by deliberate operator action or automatically stopped on vessel high water level or system malfunction trip signals.

ADS: Each of the redundant ADS seals in electrically and remains energized until manually reset by one of the two reset pushbuttons.

CS: The final control elements for the CS system are essentially bi-stable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out, which will occur when the valve open limit switch is reached. In the event of an interruption in AC power, the timer will recycle, causing a 10 second delay. The AC motor-operated valves will then continue to completion of their direction of motion. Thus, protective action once initiated will go to completion or continue until terminated by deliberate operator action.

LPCI: The discussion provided in this section for the CS system is equally applicable to the LPCI system.

7.3.2a.1.2.3.1.17 Manual Initiation (IEEE 279-1971, Paragraph 4.17)

HPCI: The HPCI has a manual initiation armed pushbutton in parallel with the automatic initiation logic. Each piece of HPCI system actuation equipment required to operate the pumps and valves is capable of manual initiation electrically from the control panel in the main control room. Failure of logic circuitry to initiate the HPCI system will not affect the manual control of equipment. However, failures of active components, or control circuit failure which produce a turbine trip, may disable the manual actuation of the HPCI subsystem. Failures of this type are continuously monitored by alarms as discussed in previous sections and as such cannot realistically be expected to occur when HPCI subsystem operation is required.

In no event can failure of the automatic control circuit for the HPCI subsystem disable the automatic depressurization system which provides backup to the HPCI subsystem.

ADS: The ADS has four manual initiation switches. Two switches are in each of the two ADS systems (A&B). Both switches for one system have to be closed to manually initiate ADS.

To further preclude inadvertent actuation, each switch is equipped with a collar which must be turned before electrical contacts of the pushbutton are effective. Thus, to initiate ADS manually, the operator must turn two collars and depress two pushbuttons. Whenever a collar is turned, an annunciator is actuated. The two switches have, as a permissive, the RHR/core spray pump run interlocks.

The ADS automatic initiation delay timer is provided to give HPCI ample time to automatically restore vessel level so that ADS actuation will not be needed. This delay timer is not provided for manual initiation since the operator will not initiate ADS until he determines it necessary.

CS: The CS system can be manually initiated at the system level in the main control room.

Each piece of CS system actuation equipment, such as a pump, valve, breaker, or starter, is capable of individual manual initiation, electrically from the control panel in the main control room and locally, if desired, by use of physical mechanisms. The valves have handwheels overriding the motor operators, and the switchgear is capable of having closing springs charged manually and the breaker closed by mechanical linkages on the switchgear.

Failures within the logic circuitry of a single CS logic may cause a single manual control failure because of commonality of circuitry at the control power fuse, the low pressure permissive relay and at the utilization point, e.g., the breaker control relay or valve motor starter coil. However, failure of any active control component exclusive of the breaker will not affect the manual control of the CS system pumps. In no event can failure of an automatic control circuit for one CS loop disable the manual electrical control circuit for the other CS loop. Single electrical failures cannot disable manual initiation of the core spray function.

LPCI: The discussion provided in this section for the CS system is equally applicable to the LPCI system.

7.3.2a.1.2.3.1.18 Access to Setpoint Adjustments (IEEE 279-1971, Paragraph 4.18)

Setpoint adjustments for the HPCI, ADS, CS, and LPCI sensors are integral with the sensors and cannot be changed without the use of tools to remove covers over these adjustments. Test points are incorporated into the control relay cabinets which are lockable to prevent unauthorized actuation.

The range or span of the drywell and reactor vessel pressure switches is not adjustable. Because of these restrictions, compliance with this paragraph of IEEE-279-1971 is considered complete.

The only adjustable setpoints in the HPCI system are those provided on the flow controller on the main control room panel and are administratively controlled.

7.3.2a.1.2.3.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19)

HPCI, ADS, CS, and LPCI:

Protective actions are directly indicated and identified by annunciator operation, sensor relay indicator lights, or action of the sensor relay, which has an identification tag and a clear glass front window permitting convenient, visible verification of the relay position. Any one of these indications should be adequate, so this combination of annunciation and visible verification of relay actuation fulfills the requirements of this criterion.

In addition, the following indications are provided for the ADS:

(1) ADS-timers initiated (either one of two)

(2) ADS control power failure (any normal supply de-energized)

(3) ADS auxiliary relays energized (either one of two)

(4) High drywell pressure sealed in (any one of four)

(5) Relief valves discharge pipe high temperature (any one)

7.3.2a.1.2.3.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20)

HPCI: The HPCI control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. Periodic testing is the means provided for verifying the operability of the components and, by proper selection of test periods to be compatible with the historically established reliability of the components tested, complete and timely indications are made available. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the HPCI function is available and/or operating properly.

Annunciators are provided as shown on the functional control diagram, Dwgs. M1-E41-65, Sh. 1, M1-E41-65, Sh. 2, M1-E41-65, Sh. 3, M1-E41-65, Sh. 4, and M1-E41-65, Sh. 5. In addition to these annunciators, there are other indications for the HPCI system in the main control room. These indications include:

(1) Valve position lights

(2) Pump suction pressure indicator

(3) Pump discharge pressure indicator

(4) Pump flow indicator

(5) Turbine exhaust line pressure indicator

(6) Turbine steam supply pressure indicator

(7) Turbine speed indicator

(8) Shaft vibration indication

(9) Temperature recorder for:

a. Oil cooler discharge temperature
b. High pressure bearing oil temperature
c. Low pressure bearing oil temperature
d. Thrust bearing temperature
e. Pump oil temperature

(10) Control power indicator lights

ADS: The information provided to the operator pertinent to ADS status is as follows:

(1) Annunciators listed in Subsection 7.3.2a.1.2.3.1.19

(2) Valve position lights for each valve

(3) Reactor vessel level indication

a. All four channels are indicated locally.
b. Reactor vessel level is indicated in the control room.

Change of state of any active component from its normal condition is indicated in the main control room; therefore, the indication is considered to be complete and timely. The condition of the ADS pertinent to plant safety is also considered to be adequately covered by the indications and alarms delineated above.

CS: The CS control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications. There are many passive as well as active elements of this energize-to-operate system that are not continuously monitored for operability.

Examples are circuits that are normally open and are not monitored for continuity on a continuous basis, and pressure and level sensors, that, although continuously active, are not continuously exercised and verified as operable. Verifying the operability of these components is accomplished by periodic testing and by proper selection of test period to be compatible with the historically established reliability of the components tested. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the CS function is available and operating properly. Annunciation is provided for the following conditions:

(1) CS pump trip for each pump

(2) Core spray injection valve hi leakage pressure

(3) CS pump motor overload for each pump

(4) CS system out of service

(5) CS system actuated (system 1 and 2)

(6) CS system manual initiation switch armed

In addition to the annunciation listed above, other indications are included on the main control panel as follows:

(7) Valve position lights for each motor-operated valve

(8) Pump breaker position lights for each pump

(9) Position lights for the locked open valves in the drywell

(10) Position lights for the testable check valves

(11) Flow indication of loop flow in each loop

(12) CS pump discharge pressure for each pump

(13) CS pump current meter for each pump

LPCI: Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the LPCI function is available and/or operating properly.

7.3.2a.1.2.3.1.21 System Repair (IEEE 279-1971, Paragraph 4.21)

The HPCI, ADS, CS and LPCI control systems are designed to permit repair or replacement of components.

Recognition and location of a failed component will be accomplished during periodic testing. The logic will make the detection and location of a failed component relatively easy, and components are mounted in such a way that they can be conveniently replaced. For example, estimated replacement time for the type relays used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings and could be changed in less than 1 hour, including electrical connection replacement.

7.3.2a.1.2.3.1.22 Identification (IEEE 279-1971, Paragraph 4.22)

The ECCS panels are identified by yellow colored nameplates. Rear of panel nameplates for controls, instrumentation, and relays are distinctively colored according to their power supply color.

7.3.2a.1.2.3.2 IEEE 308-1974

Class 1E AC and DC power supply system ECCS loads are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised.

7.3.2a.1.2.3.3 IEEE 323-1971

See Subsection 7.1.2.5.3(a).

7.3.2a.1.2.3.4 IEEE 338-1971

The only paragraphs of IEEE-338 that apply to the design of the ECCS are as follows:

(1) 2.1 - Capability of Sensor Checks

(2) 2.2 - Capability for Test and Calibration (See Subsections 7.3.1.1a.1.3, 7.3.1.1a.1.4, 7.3.1.1a.1.5, and 7.3.1.1a.1.6.)

7.3.2a.1.2.3.5 IEEE 344-1971

See Section 3.10a.

7.3.2a.1.2.3.6 IEEE 379-1972

The Single Failure Criterion of IEEE 279-1971, Paragraph 4.2, as further defined in IEEE 379-1972, is met as described in Subsection 7.3.2a.1.2.3.1.2.

7.3.2a.2 Primary Containment and Reactor Vessel Isolation Control System for NSS Systems - Instrumentation and Controls

7.3.2a.2.1 General Functional Requirement Conformance

The PCRVICS instrumentation and control system is analyzed in this subsection. This system is described in Subsection 7.3.1.1a.2, and that description is used as the basis for this analysis. The safety design bases and specific regulatory requirements of this system are stated in Subsection 7.1.2a.1.2. This analysis shows conformance to the requirements given in that subsection.

The PCRVICS instrumentation and control system, in conjunction with other safety systems, is designed to provide timely protection against the onset and consequences of the gross release of radioactive materials from fuel and reactor coolant pressure boundaries. Chapter 15.0 identifies and evaluates postulated events that can result in gross failure of fuel and reactor coolant pressure boundaries. The consequences of such gross failures are described and evaluated. Chapter 15.0 also evaluates a gross breach in a main steamline outside the containment during operation at rated power. The evaluation shows that the main steamlines are automatically isolated in time to prevent the loss-of-coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed.

The shortest possible main steamline valve closure time is 3 seconds. The transient resulting from a simultaneous closure of all main steamline isolation valves in 3 seconds during reactor operation at rated power is discussed in Chapter 15.0.

7.3.2a.2.2 Specific Regulatory Requirements Conformance

7.3.2a.2.2.1 NRC Regulatory Guides

7.3.2a.2.2.1.1 Regulatory Guide 1.11 (1971)

Instrument lines penetrating the primary reactor containment have excess flow check valves to isolate the lines in the event of line rupture.

7.3.2a.2.2.1.2 Regulatory Guide 1.22 (1972)

MSIV:

The main steamline isolation valves, associated logic, and sensor devices may be tested from the sensor device to one of the two solenoids required for valve closure. The valve may be exercised closed with a slow acting test solenoid to verify that there are no obstructions to the valve stem at full power. A reduction in power is necessary to avoid reactor scram before performing a valve closure using two, fast acting, main solenoids.

Other Isolation Valves:

Except for the MSIV, all isolation valves may be tested from sensor to actuator during plant operation. The test may cause isolation of the process lines involved but this is tolerable.

MSL High Radiation Monitoring Subsystems:

This subsystem conforms to Regulatory Guide 1.22 in that provisions which allow periodic testing of individual channels have been built into the monitoring instruments and the trip systems.

7.3.2a.2.2.1.3 Regulatory Guide 1.29 (1972)

All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as Seismic Category I.

7.3.2a.2.2.1.4 Regulatory Guide 1.30 (1972)

See Section 3.13.

7.3.2a.2.2.1.5 Regulatory Guide 1.47 (1973)

MSIV and Other Isolation Valves:

Regulatory Position C.1, C.2, and C.3

Automatic indication will be provided in the main control room to inform the reactor operator that a system is inoperable. Annunciation will be provided to indicate a system or part of a system is not operable. For example, the RPS (trip) system and the PCRVICS activate annunciators whenever one or more channels of an input variable are bypassed.

Bypassing is not allowed in the trip logic or actuator logic. An example of indication of operability follows:

Instruments which form part of a one-out-of-two twice logic can be removed from service for calibration. Removal of the instrument from service will be indicated in the main control room as a single instrument channel trip.

Regulatory Position C.4

Capability for manual initiation of the ECCS system level bypass and inoperability indication is provided by activation of a control switch located in the main control room. This may be used to provide administrative control of the bypass indication for those bypasses or inoperabilities which cannot be automatically indicated. A control switch is provided for each system level bypass indicator.

The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system:

(1) Individual indicators are arranged together on the control room panel to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed.

(2) As a result of design, preop testing and startup testing, no erroneous bypass indication is anticipated.

(3) These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not perform safety functions.

(4) All circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects.

(5) Each indicator can be tested and is provided with dual lamps.

MSL High Radiation Monitoring Subsystem:

This subsystem meets the requirements of this guide as discussed in this section for MSIV.

7.3.2a.2.2.1.6 Regulatory Guide 1.53-1973

MSIV, Other Isolation Valves, and MSL High Radiation Monitoring:

Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the engineered safeguard systems to meet the single failure criterion (Section 4.2 of IEEE 279-1971 and IEEE 379-1972). Redundant sensors are used and the logic is arranged to ensure that a failure in a sensing element or the decision logic of an actuator will not prevent or initiate protective action. Separated channels are employed so that a fault affecting one channel will not prevent the other channels from operating properly. Specifications are provided to define channel separation for wiring not included with NSSS supplied equipment.

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when required. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.
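The one-out-of-two-twice arrangement mentioned under Regulatory Guide 1.47 and the single-failure claim made here (a single failure will neither prevent nor initiate protective action) can be checked exhaustively in a small model. The following Python model is an added example and is not part of the FSAR; the channel names A1, A2, B1, B2, the state names, and the grouping of two channels into each of two trip systems are assumptions used for illustration.

```python
"""One-out-of-two-twice trip logic with a single-failure survey (illustrative model)."""
from enum import Enum
from itertools import product


class State(Enum):
    NORMAL = "normal"                    # output follows the process condition
    OUT_OF_SERVICE = "out_of_service"    # removed for calibration: shows as a channel trip
    STUCK_UNTRIPPED = "stuck_untripped"  # failed so that it can never trip
    STUCK_TRIPPED = "stuck_tripped"      # failed so that it is always tripped


# Assumed naming: trip systems A and B, two instrument channels in each.
CHANNELS = ("A1", "A2", "B1", "B2")


def channel_tripped(state, demand):
    """Trip output of one channel given its state and whether the process demands a trip."""
    if state is State.NORMAL:
        return demand
    return state in (State.OUT_OF_SERVICE, State.STUCK_TRIPPED)


def evaluate(states, demand):
    """Evaluate the logic; channels missing from `states` are treated as NORMAL."""
    trips = {ch: channel_tripped(states.get(ch, State.NORMAL), demand) for ch in CHANNELS}
    system_a = trips["A1"] or trips["A2"]   # one-out-of-two within trip system A
    system_b = trips["B1"] or trips["B2"]   # one-out-of-two within trip system B
    return {"channels": trips, "A": system_a, "B": system_b,
            "actuate": system_a and system_b}  # "twice": both trip systems required


def single_failure_survey():
    """Apply every single channel failure; report any that prevents or initiates actuation."""
    violations = []
    for ch, mode in product(CHANNELS, (State.STUCK_UNTRIPPED, State.STUCK_TRIPPED)):
        if not evaluate({ch: mode}, demand=True)["actuate"]:
            violations.append((ch, mode.value, "prevented actuation"))
        if evaluate({ch: mode}, demand=False)["actuate"]:
            violations.append((ch, mode.value, "initiated actuation"))
    return violations


def calibration_exposure(channel_in_calibration):
    """Channels whose single spurious trip would actuate while one channel is out of service."""
    exposed = []
    for ch in CHANNELS:
        if ch == channel_in_calibration:
            continue
        states = {channel_in_calibration: State.OUT_OF_SERVICE, ch: State.STUCK_TRIPPED}
        if evaluate(states, demand=False)["actuate"]:
            exposed.append(ch)
    return exposed


if __name__ == "__main__":
    print("single-failure violations:", single_failure_survey())
    half_trip = evaluate({"A1": State.OUT_OF_SERVICE}, demand=False)
    print("A1 in calibration, no demand:", half_trip)
    print("spurious trips that would now actuate:", calibration_exposure("A1"))
    both_stuck = {"A1": State.STUCK_UNTRIPPED, "A2": State.STUCK_UNTRIPPED}
    print("two failures in one trip system, demand present:",
          evaluate(both_stuck, demand=True)["actuate"])
```

In this model a channel in calibration leaves its own trip system tripped, so the remaining protection against spurious actuation rests on the other trip system alone, which is one reason a short calibration window matters.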

7.3.2a.2.2.1.7 Regulatory Guide 1.62 (1973)

MSIV and Other Isolation Valves:

Means are provided for manual initiation of reactor isolation at the system level through the use of four armed pushbutton switches.

Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry.

The amount of equipment common to initiation of both manual reactor isolation and automatic isolation is kept to a minimum through implementation of manual reactor isolation at the final devices (relays) of the protection system. No failure in the manual, automatic or common portions of the protection system will prevent initiation of reactor isolation by manual or automatic means.

Manual initiation of reactor isolation, once initiated, goes to completion as required by IEEE 279-1971, paragraph 4.16.

7.3.2a.2.2.1.8 Regulatory Guide 1.63 (1973)

See Subsection 7.1.2.6.13.

7.3.2a.2.2.1.9 Regulatory Guide 1.75 (1975)

Physical independence of electric systems of the PCRVICS is provided by channel independence for sensors exposed to each process variable using electrical and mechanical separation. Physical separation is maintained between redundant elements of the redundant control systems which add to reliability of operation.

7.3.2a.2.2.1.10 Regulatory Guide 1.89 (1974)

See the Susquehanna SES Environmental Qualification Program for Class 1E Equipment.

7.3.2a.2.2.2 Conformance to 10CFR50, Appendix A

(1) Criterion 13

MSIV and Other Isolation Valves:

The integrity of the reactor core and the reactor coolant pressure boundary is assured by monitoring the appropriate plant variables and closing various isolation valves.

(2) Criterion 19

MSIV and Other Isolation Valves:

Controls and instrumentation are provided in the control room.

(3) Criterion 20

MSIV and Other Isolation Valves:

The PCRVICS automatically isolates the appropriate process lines. No operator action is required to effect an isolation.

(4) Criterion 21

MSIV, Other Isolation Valves, MSL High Radiation Monitoring Subsystems:

The high reliability relay and switch devices are arranged in two redundant divisions and maintained separately. Testing is covered in the discussion on conformance to Regulatory Guide 1.22 (Subsection 7.3.2a.2.2.1.2).

(5) Criterion 22

MSIV and Other Isolation Valves:

Two redundant divisions are physically arranged so that no single failure can prevent an isolation. Functional diversity of sensed variables is utilized.

MSL High Radiation Monitoring Subsystem:

This subsystem conforms to criterion 22 in that the effects of natural phenomena and normal operation (including testing) will not result in the loss of protection.

(6) Criterion 23

MSIV and Other Isolation Valves:

The system logic and actuator signals are failsafe. The motor operated valves will fail "as-is" on loss of power, steam leak subsystem temperature switches excluded.

Temperature switches fail open (non fail-safe), to negate spurious closure of isolation valves. Reliance is placed on other leak detection instruments.

MSL High Radiation Monitoring Subsystem:

This subsystem conforms to criterion 23 in that the trip circuits associated with each channel have been designed to specifically "fail-safe" in the event of loss of power.

(7) Criterion 24

MSIV, Other Isolation Valves, and MSL High Radiation Monitoring Subsystems:

The system has no control functions. The equipment is physically separated from the control system equipment to the extent that no single failure in the control system can prevent isolation.

(8) Criterion 29

MSIV, Other Isolation Valves, and MSL High Radiation Monitoring Subsystems:

No anticipated operational occurrence will prevent this equipment from performing its safety function. No anticipated operational occurrence will prevent an isolation.

(9) Criterion 34

MSIV and Other Isolation Valves:

Isolation Signals are provided for the Shutdown Cooling Subsystem of the RHR System.

7.3.2a.2.2.3 Industry Codes and Standards

7.3.2a.2.2.3.1 IEEE 279-1971

7.3.2a.2.2.3.1.1 General Functional Requirement (IEEE 279-1971, Paragraph 4.1)

PCRVICS: The PCRVICS initiates automatic closure of specific isolation valves from trip signals generated by specified process variables and maintains the valves in a closed position without further application of power until such time as a manual reset is permissible.

The control system is capable of initiating action in a time commensurate with the need for valve closure. The speeds of the sensors and valve actuators are chosen to be compatible with the isolation function considered.

The accuracy of each of the sensing elements is sufficient to accomplish the isolation initiation within required limits without interfering with normal plant operation. Accuracies of each of the types of sensing instruments used for isolation are considered when establishing a trip setpoint. The safety trip setpoints are specified in the Technical Requirements Manual, and the Allowable Values of the trip setpoints are specified in the plant Technical Specifications.

The reliability of the isolation control system is compatible with the reliability of the actuated equipment (valves).

The PCRVICS equipment is designed for the full range of environmental conditions enumerated as follows:

(1) Power Supply Voltage: Tolerance exists to any degree of power supply failure in one motive power system or one control power system.

(2) Power Supply Frequency: Tolerance exists to any degree of power supply failure in one power system or one control power system.

(3) Temperature: System operates within required time limit at all temperatures that can result from an accident.

(4) Humidity: System operates within required time limit at humidities (steam) that can result from a loss-of-coolant accident.

(5) Pressure: System operates at all pressures resulting from LOCA as required.

(6) Vibration: Tolerance to conditions stated in Section 3.10.

(7) Malfunctions: System is tolerant to any single component malfunction in any mode.

(8) Accidents: Tolerance exists for any design basis accident without malfunction of either Subsystem.

(9) Fire: System is tolerant to any single raceway fire, or fire within a single enclosure.

(10) Explosion: Explosions are not defined in design bases.

(11) Missiles: System has tolerances to any single missile destroying no more than one pipe, raceway, or cabinet.

(12) Lightning: Tolerance to lightning damage is limited to one auxiliary bus system.

(13) Flood: All control equipment is located above flood level by design.

(14) Earthquake: Tolerance to conditions stated in Section 3.10.

(15) Wind and Tornado: Seismic Class I buildings house all control equipment.

(16) System Response Time: Responses are within the requirements of need to start ECCS.

(17) System Accuracies: Accuracies are within that needed for correct timely action.

(18) Abnormal Ranges of Sensed Variables: Sensors are not subject to saturation when overranged.

Valves and wiring which must function in the drywell environment in the event of a LOCA will have fulfilled their function within a short time after such an event has occurred, probably before the environment has attained the design basis values.

Main Steamline Radiation Monitoring Subsystem:

The Main Steamline Radiation Monitoring Subsystem will detect and promptly indicate a gross release of fission products from the fuel under any operation for any combination of main steamlines.

On detection of a gross release of fission products from the fuel, the subsystem will initiate appropriate alarm annunciators and provide the PCRVICS with a "trip-occurred" signal. The high-high radiation trip setting is selected so that a trip will result from the fission products released at low steam flow condition in the design basis rod drop accident. The setting is sufficiently above the background radiation level in the vicinity of the main steamlines that spurious trips are unlikely at rated power. Yet the setting is low enough to trip on the fission products calculated to be released during the design basis rod drop accident. The amount of fuel damage and fission product release involved in this accident is relatively small. Therefore, for any situation involving gross fission product release, the main steamline radiation monitoring subsystem can provide prompt safety action.

Reactor Building Radiation Monitoring Subsystem:

The subsystem will detect and promptly indicate excessive radiation in the reactor building. On detection, an isolation will be effected. For further discussion, see Section 11.5.

7.3.2a.2.2.3.1.2 Single Failure Criterion (IEEE 279-1971, Paragraph 4.2)

PCRVICS:

Tolerance to the following single failures has been incorporated into the control system design and installation:

(1) Single open circuit

(2) Single short circuit

(3) Single relay failure to pickup

(4) Single relay failure to drop out

(5) Single module failure (including multiple shorts, opens and grounds)

(6) Single control cabinet destruction (including multiple shorts, opens and grounds)

(7) Single instrument panel destruction (including multiple shorts, opens and grounds)

(8) Single raceway destruction (including multiple shorts, opens and grounds)

(9) Single control power supply failure (any mode)

(10) Single motive power supply failure (any mode)

(11) Single control circuit failure

(12) Single sensing line (pipe) failure

(13) Single electrical component failure

7.3.2a.2.2.3.1.3 Quality of Components and Modules (IEEE 279-1971, Paragraph 4.3)

PCRVICS:

Components used in the isolation system have been carefully selected on the basis of suitability for the specific application. All of the sensors and logic relays are of the same types used in the RPS.

Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

(1) Switch and relay contacts carry no more than 50% of their continuous current rating.

(2) Isolation control is deenergized to trip, instead of energized to trip, and is thus made to call attention to the failures that may occur in coil circuits, connections, or contacts.

(3) Instrumentation and controls are heavy duty industrial type of standard designs well proven by service in industry or in nuclear power plant applications.

(4) These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications are selected for use in the isolation system.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors to comply with the requirements set forth in 10 CFR 50, Appendix B. "Minimum" maintenance has been assumed to have been achieved if components can be reasonably expected to last 40 years or more without wearing out or failing under their maximum anticipated duty cycle (including testing).

7.3.2a.2.2.3.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4)

PCRVICS:

No sensory components of the isolation system are required to operate in the drywell environment with the exception of the condensing chambers. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than result from normal or abnormal (loss-of-ventilation and LOCA) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type used for the RPS and meet the same standards. Control panels and relay logic cabinets are located in the control structure which presents no new or unusual operating considerations.

All components used in the isolation system have demonstrated reliable operation in similar nuclear power plant protection system or industrial applications.

On the component and module level, the NSSS supplier conducted qualification tests to qualify the items for this application.

In situ operational testing of the detectors, monitors and channels will be performed at the site during the preoperational test phase.

7.3.2a.2.2.3.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5)

PCRVICS:

The isolation system is designed to tolerate the spectrum of failures listed under the general requirements and the single failure criterion, and so it satisfies the channel integrity objective of this paragraph.

7.3.2a.2.2.3.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6)

The four trip channels of this protective function are electrically isolated and physically separated in order to meet this design requirement.

Channel independence for sensors exposed to each process variable is provided by electrical and mechanical separation. Physical separation is maintained between redundant elements of the redundant control systems which will add to reliability of operation.

7.3.2a.2.2.3.1.7 Control and Protection Interaction (IEEE 279-1971, Paragraph 4.7)

PCRVICS:

(1) Classifications of Equipment. There is no control function in the system. It is strictly a protection system.

(2) Isolation Devices. No isolation devices are required.

(3) Single Random Failure. No single random failure of a control system can prevent proper action of the isolation channel designed to protect against the condition.

(4) Multiple Failures Resulting from a Credible Single Event. Analysis of (3) above applies directly.

7.3.2a.2.2.3.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8)

PCRVICS:

The inputs which initiate isolation valve closure are direct measures of variables that indicate a need for isolation; viz., reactor vessel low level, drywell high pressure, and pipe break detection.

Pipe break detection utilizes methods of recognition of the presence of a material that has escaped from the pipe, rather than detecting actual physical changes in the pipe itself.

7.3.2a.2.2.3.1.9 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9)

PCRVICS:

The reactor vessel instruments can be checked one at a time by application of simulated signals. These include level, pressure, radiation and flow. Temperature sensors used for leak detection are checked periodically against a known heat source and also are calibrated, which requires removal from the circuit during calibration and replacement by calibrated units.

7.3.2a.2.2.3.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10)

PCRVICS:

All active components of the PCRVICS can be tested and calibrated during plant operation. The radiation sensors can be cross-checked against their companions for verification of operability and since they are used with reference to background, they do not require actual sensitivity verification on a frequent basis. The contact action on an HFA type relay during a channel trip condition can be verified by observation of actual drop-out when deenergized. The auxiliary relay circuits can be tested individually by pulling the individual valve circuit fuses and observing relay drop-out. The log radiation monitor can be tested by placing the monitor switch out of the "operate" position.

Thus, complete testability of every element of the system can be demonstrated without shutting down the plant.

7.3.2a.2.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11)

PCRVICS:

Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective function without the coincident trip of at least one other instrument channel.

7.3.2a.2.2.3.1.12 Operating Bypasses (IEEE 279-1971, Paragraph 4.12)

PCRVICS:

The isolation valve control system has two bypasses. One is the main steamline low pressure bypass which is imposed by means of the mode switch in the other-than-run mode. The mode switch cannot be left in this position with neutron flux measuring power above 10% of rated power without initiating a scram. Therefore, the bypass is removed in accordance with IEEE 279-1971, although it is a manual action that removes it rather than an automatic one.

The second, low condenser vacuum bypass is imposed by means of a manual bypass switch in conjunction with closure of the turbine stop valves. Bypass removal is accomplished automatically by the opening of the turbine stop valves and manually by placing the bypass switch in normal position. Hence, the bypass is considered to be removed in accordance with IEEE 279-1971.

In the case of the motor-operated valves, automatic or manual closure can be prevented by shutting off electric power to the motor starters. This action will be indicated by annunciator in the main control room.

As in other ESF, many of the sensors for process variables operate from instrument lines hooked up with root valves and instrument valves. Shutting off these valves in certain selected combinations can disable redundant sensors and thus prevent operation of the system.

Precautions are taken to preclude such a possibility by requiring that the specific manipulation of all instrument valves be either procedurally controlled, or controlled via a work authorizing document in such a manner as to assure equipment restoration is accurately performed and documented.

The low water level (Level 1) initiation of the MSIVs (Div. 1) Control Logic "A" and Control Logic "C" can be manually bypassed from the Control Room following an ATWS event, or during beyond design basis conditions (e.g., Rapid Depressurization or Primary Containment Flooding).

7.3.2a.2.2.3.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13)

PCRVICS:

The bypass of the main steamline low pressure isolation signal is not indicated directly in the main control room except by the position of the mode switch handle. The bypass of the low condenser vacuum is directly indicated in the main control room by an annunciator.

As with other ESF, there are means of deliberately rendering the system inoperative without giving indication of such conditions in the main control room. For instance, wires can be disconnected in an energize-to-operate system without giving indication. Nor is the de-energize-to-operate system immune from the equally disabling action of jumpering of normally closed contacts so their action will not be seen by the system. Instrument valve shutoff is another disabling mechanism which is not directly indicated in the main control room, but such action cannot be taken without defeating established administrative procedural controls.

The position of the Bypass Switches used to defeat the low water level (Level 1) initiation of the MSIVs following an ATWS event, or during beyond design conditions, is indicated in the Main Control Room by indicating lights and by an annunciator.

7.3.2a.2.2.3.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14)

PCRVICS:

The mode switch and condenser vacuum bypass switch are the only bypass switches affecting the PCRVICS; they are located in the control structure and are keylocked.

As discussed in the paragraphs above, the instrument valves are under administrative control.

The Bypass Switches for the low water level (Level 1) initiation of the MSIVs following an ATWS event, or during beyond design basis conditions, are keylocked and located in the Main Control Room.

7.3.2a.2.2.3.1.15 Multiple Setpoints (IEEE 279-1971, Paragraph 4.15)

Paragraph 4.15 of IEEE 279-1971 is not applicable because all setpoints are fixed.

7.3.2a.2.2.3.1.16 Completion of Protection Action Once Initiated (IEEE 279-1971, Paragraph 4.16)

PCRVICS:

All isolation actions are sealed-in downstream of the logic, so valves go to the close position completing the protective action. Manual reset action is provided by two reset switches, so that inboard valves will be reset independent of outboard valves. This feature is incorporated only to augment the electrical separation of the inboard and outboard valves and not for any need to reset them separately.

7.3.2a.2.2.3.1.17 Manual Action (IEEE 279-1971, Paragraph 4.17)

PCRVICS:

The PCRVICS has four divisionally separated manual initiation switches which will separately activate each of the four MSIV logics and isolation system initiation at the system level.

The logic for manual initiation is one-out-of-two-twice for the main steamline isolation valves and one-out-of-two for the other isolation valves. The manual initiation switches require two distinct operator actions (armed pushbuttons) to initiate the safety action. The manual initiation circuits are at the system level, redundant, separated, testable during power operation and will meet the single failure criterion.

Manual controls are separated so that a single failure will not inhibit an isolation. The separation of devices is maintained in both the manual and automatic portion of the system so that no single failure in either the manual or automatic portions can prevent an isolation by either manual or automatic means.

7.3.2a.2.2.3.1.18 Access to Setpoint Adjustments (IEEE 279-1971, Paragraph 4.18)

PCRVICS:

Setpoint adjustments for the isolation system sensors are integral with the sensors on the local instruments and cannot be changed without the use of tools to remove covers over these adjustments. Test points are incorporated into the control relay cabinets which are lockable to prevent unauthorized actuation. The range (or span) of the drywell and reactor vessel pressure switches is not adjustable.

7.3.2a.2.2.3.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19)

PCRVICS:

Protective actions (here, interpreted to mean pickup of a single sensor relay) are directly indicated and identified by action of the sensor relay, which has an identification tag and a clear glass front window permitting convenient, visible verification of the relay position. Any one of the sensor relays also actuates an annunciator, so that no single channel "trip" (relay pickup) will go unnoticed. Either of these indications is adequate, so this combination of annunciation and visible verification of relay actuation fulfills the requirements of this criterion. In addition, indicator lights are provided to show pickup of sensor relays.

7.3.2a.2.2.3.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20)

PCRVICS:

The information presented to the reactor operator by the isolation control system is as follows:

(1) Annunciation of each process variable which has reached a trip point

(2) Computer readout of trips on Reactor Building main steamline tunnel temperature or main steamline high flow

(3) Annunciation of steam leaks in each of the systems monitored, viz., main steam, cleanup, and RHR

(4) Open and closed position lights for each isolation valve

7.3.2a.2.2.3.1.21 System Repair (IEEE 279-1971, Paragraph 4.21)

PCRVICS:

Those components which are expected to have a moderate need for replacement are designed for convenient removal. This includes the temperature signal amplifier units and temperature sensors.

The amplifier units are of the circuit card or replaceable module construction and the temperature sensors are replaceable units with disconnectable heads. Pressure sensors and vessel level sensors can be replaced in a reasonable length of time, but these devices are considered to be permanently installed although they have non-welded connections at the instrument, which will allow replacement. All devices in the system can be reasonably expected to last forty years without failure, with the duty cycle expected to be imposed, including testing. However, failures can be detected during periodic testing and replacement time will be nominal.

The main steam tunnel temperature sensors are not accessible during normal plant operation because of radiation from the main steamlines. Since there are four sensors per division, a failed sensor will be replaced during a shutdown.

Similarly, the main steamline low pressure sensors are not readily accessible during operation because of radiation from steamlines.

7.3.2a.2.2.3.1.22 Identification of Protection Systems (IEEE 279-1971, Paragraph 4.22)

PCRVICS:

Panels and racks which house isolation system equipment are identified by a distinctive color marker plate listing the system name and designation of the particular redundant portion of the system. Cables and raceways are color coded displaying the appropriate redundant portion of the system.

7.3.2a.2.2.3.2 Conformance to IEEE 308-1974

Class 1E AC power supply systems are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised.

7.3.2a.2.2.3.3 Conformance to IEEE 323-1971

The components of the PCRVICS are covered by Subsection 7.1.2.5.3.

7.3.2a.2.2.3.4 Conformance to IEEE 338-1971

The system is testable during reactor operation. The tests will test the sensors through to the final actuators, demonstrate independence of channels, and expose failures while not negating the isolation function.

7.3.2a.2.2.3.5 Conformance to IEEE 344-1971

The seismic qualification of components of PCRVICS is covered by Section 3.10a.

7.3.2a.2.2.3.6 Conformance to IEEE 379-1972

The single failure criterion of IEEE 279, as defined by IEEE 379-1972, is fully complied with in the design of the PCRVICS.

The Main Steamline High Radiation Trip meets the single failure criterion by use of two redundant gamma sensors in each of two different locations (four sensors total). The outputs from the sensors are connected and routed separately to two independent logic trip systems. A single failure would not inhibit the required isolation function. The equipment has been seismically and environmentally qualified to ensure operation.

Power is provided from two independent sources. A failure of one source would neither cause nor inhibit the isolation function. A complete loss of power would cause an isolation to occur.
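The single-failure and power-loss statements above can be checked by enumeration. The following Python model is an added example, not part of the FSAR or of any plant design document; it applies the one-out-of-two-twice, de-energize-to-trip arrangement named in the text to four channels. The channel names (A1, A2, B1, B2), their grouping into two trip systems, and the assignment of one power source per trip system are assumptions made for illustration.

```python
from itertools import product

# Assumed grouping (not taken from the FSAR): channels A1 and A2 feed trip
# system A, channels B1 and B2 feed trip system B, one power source each.
TRIP_SYSTEMS = {"A": ("A1", "A2"), "B": ("B1", "B2")}
CHANNELS = [ch for pair in TRIP_SYSTEMS.values() for ch in pair]

# Two relay failure directions from the single-failure list in the text.
STUCK_ENERGIZED = "relay fails to drop out"  # channel can no longer trip
FORCED_DEENERGIZED = "open circuit"          # channel reads as tripped


def relay_energized(channel, demand, failure=None, power=None):
    """Return True if the channel relay is picked up (the untripped state).

    The logic is de-energize-to-trip: a sensor demand, an open circuit or a
    loss of the trip system's power source all drop the relay out.
    """
    power = power or {system: True for system in TRIP_SYSTEMS}
    system = next(s for s, chans in TRIP_SYSTEMS.items() if channel in chans)
    if failure == (channel, STUCK_ENERGIZED):
        return True
    if not power[system] or failure == (channel, FORCED_DEENERGIZED):
        return False
    return not demand[channel]


def isolation(demand, failure=None, power=None):
    """One-out-of-two-twice vote: either channel trips its own trip system,
    and both trip systems must be tripped for the isolation to occur."""
    tripped = {
        system: any(not relay_energized(ch, demand, failure, power) for ch in chans)
        for system, chans in TRIP_SYSTEMS.items()
    }
    return all(tripped.values())


def single_failure_report():
    """Apply each single relay failure in turn and record whether a real
    demand still isolates and whether the failure alone isolates."""
    all_demand = dict.fromkeys(CHANNELS, True)
    no_demand = dict.fromkeys(CHANNELS, False)
    report = {}
    for ch, mode in product(CHANNELS, (STUCK_ENERGIZED, FORCED_DEENERGIZED)):
        report[(ch, mode)] = {
            "isolates_on_demand": isolation(all_demand, failure=(ch, mode)),
            "spurious_isolation": isolation(no_demand, failure=(ch, mode)),
        }
    return report


def calibration_case(channel_in_test, other_channel=None):
    """One channel is tripped for calibration; optionally one more channel trips."""
    demand = dict.fromkeys(CHANNELS, False)
    demand[channel_in_test] = True
    if other_channel is not None:
        demand[other_channel] = True
    return isolation(demand)


def power_loss_case(lost_sources):
    """Isolation state with no process demand and the named power sources lost."""
    power = {system: system not in lost_sources for system in TRIP_SYSTEMS}
    return isolation(dict.fromkeys(CHANNELS, False), power=power)


if __name__ == "__main__":
    for (ch, mode), result in single_failure_report().items():
        print(f"{ch:3} {mode:24} {result}")
    print("calibration of A1 alone isolates:", calibration_case("A1"))
    print("calibration of A1 plus trip of B2 isolates:", calibration_case("A1", "B2"))
    print("loss of source A isolates:", power_loss_case(("A",)))
    print("loss of both sources isolates:", power_loss_case(("A", "B")))
```

In this model a second tripped channel completes the isolation only when it sits in the other trip system, which is the property that lets one channel be held tripped for calibration.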

7.3.2a.3 This Subsection Is Not Used

7.3.2a.4 Containment Spray Cooling System-Instrumentation and Controls

7.3.2a.4.1 General Functional Requirement Conformance

The RHR system is in the containment spray cooling mode when the pumps take suction from the suppression pool, pass it through the RHR heat exchangers, and inject it through spray spargers located in the upper drywell.

In the event that the hydrogen mixing system is required to limit the hydrogen concentration in the drywell, the RHR system flow will be diverted to containment spray headers (Containment Spray Mode of RHR). The flow of the RHR pump will pass through the containment spray nozzles quenching any bypassed steam resulting from operation of the hydrogen mixing system. The system is initiated as described in Subsection 7.3.1.1a.4.

7.3.2a.4.2 Specific Regulatory Requirements Conformance

The containment spray system meets the specific Regulatory Requirements as described in Subsection 7.3.2a.1.2.

7.3.2a.4.3 Conformance to Industry Codes and Standards

7.3.2a.4.3.1 IEEE 279-1971

7.3.2a.4.3.1.1 General Functional Requirement (IEEE 279-1971, Paragraph 4.1)

IEEE 279-1971 Requirement: Containment Spray Design Provision

AUTO-INITIATION: Containment spray is not automatically initiated; however, its safety function is adequately assured by manual initiation.

(1) Appropriate Action: Appropriate action for the containment spray control system is defined as activating equipment for introducing water into the containment spray discharge valves.

(2) Precision: Precision is a term that does not apply strictly to the containment spray system control because of the wide range of setpoint values that could give the appropriate signal to allow manual initiation.

(3) With Reliability: Reliability of the control system is compatible with the controlled equipment.

(4) Over Full Range of Environmental Conditions:

a. Power Supply Voltage: Tolerance is provided to any degree of AC power supply voltage fluctuation within one division such that voltage regulation failures in one division cannot negate successful low pressure core cooling. DC power supply failure will likewise affect only one of the two containment spray divisions.
b. Power Supply Frequency: Same as (4)a. above. Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.
c. Temperature: Operable at all temperatures that can result from LOCA.
d. Humidity: Operable at humidities (steam) that can result from LOCA.
e. Pressure: Operable at all pressures resulting from a LOCA as required.
f. Vibration: Tolerance to conditions stated in Section 3.10.
g. Malfunctions: Tolerance to any single component failure to operate on command.
h. Accidents: Tolerance to all design basis accidents without malfunction.
i. Fire: Tolerance to a single raceway or enclosure fire or mechanical damage.
j. Explosion: Explosions not defined in design basis.
k. Missiles: Tolerance to any single missile destroying no more than one pipe, raceway, or electrical enclosure.
l. Lightning: Tolerance to lightning damage limited to one auxiliary bus system. See comments under (4)a.
m. Flood: All control equipment is located above flood level by design.
n. Earthquake: Tolerance to conditions stated in Section 3.10.
o. Wind: Seismic Class I building houses all control equipment.
p. System Response: Responses are within the time requirements of need to start containment spray.
q. System Accuracies: Accuracies are within that needed for correct timely action.
r. Abnormal Ranges of Sensed Variables: Sensors do not saturate when over ranged.

7.3.2a.4.3.1.2 Single-Failure Criterion (IEEE 279-1971, Paragraph 4.2)

Redundancy in equipment and control logic circuitry is provided so that it is not possible that the complete containment spray system can be rendered inoperative using single failure criteria.

Two division logics are provided. Division 1 logic is provided to initiate loop A equipment and Division 2 logic is provided to initiate loop B equipment.

Tolerance to the following single failures or events is provided in the sensing channels, trip logic, actuator logic, and actuated equipment so that these failures will be limited to the possible disabling of the initiation of only one loop:

(1) Single open circuit

(2) Single short circuit

(3) Single component failure open

(4) Single component failure shorted or grounded

(5) Single module failure (including shorts, opens, and grounds)

(6) Single electrical enclosure involvement (including shorts, opens, and grounds)

(7) Single local instrument cabinet destruction (including shorts, opens, and grounds)

(8) Single raceway destruction (including shorts, opens, and grounds)

(9) Single control power supply failure

(10) Single motive power supply failure

(11) Single control circuit failure

(12) Single sensing line (pipe) failure

(13) Single electrical component failure

7.3.2a.4.3.1.3 Quality Components (IEEE 279-1971, Paragraph 4.3)

Components used in the containment spray control system have been carefully selected for the specific application. Ratings have sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

(1) Switch and relay contacts carry no more than 50% of their continuous current rating.

(2) Controls are energized to operate and have brief and infrequent duty cycles.

(3) Motor starters and circuit breakers are effectively derated for motor starting applications since their nameplate ratings are based on short circuit interruption capabilities, as well as on continuous current carrying capabilities. Short-circuit current-interrupting capabilities are many times the starting current for the motors being started.

(4) Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application will demand, including testing.

(5) Instrumentation and controls are rated for application in the normal, abnormal, and accident environments in which they are located.

(6) These components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use.

Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2a.4.3.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4)

No components of the containment spray system are required to operate in the drywell environment. Sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than result from normal or abnormal (loss-of-ventilation and LOCA) conditions. All components used in the containment spray system have demonstrated reliable operation in similar nuclear power plant protection systems or industrial operation. All of the equipment located outside the drywell is qualified for, and will operate in, the worst-case environments shown in the 3.11 tables.

7.3.2a.4.3.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5)

The containment spray system instrument channels (low water level or high drywell pressure) are designed to satisfy the channel integrity objective.

7.3.2a.4.3.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6)

Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. For instance, the A and C sensors for reactor vessel low water levels are located on one local instrument panel that is identified as Division 1 equipment; the B and D sensors are located on a second instrument panel, widely separated from the first and identified as Division 2 equipment. The A and C sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and D. Disabling of one or all sensors in one location does not disable the control for the other division.

Relay cabinets for Division 1 are in a separate physical location from that of Division 2. Each division is complete in itself with its own station battery control and instrument power bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final activated equipment, and includes both control and motive power supplies.

Although there are only two sensors for each variable in each division, these sensors back up each other as described in the preceding paragraph.

7.3.2a.4.3.1.7 Control and Protection Interaction (IEEE 279-1971, Paragraph 4.7)

The containment spray system is a safety system designed to be independent of plant control systems.

7.3.2a.4.3.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8)

The inputs which are permissive for the containment spray system are direct measures of the variables that indicate need for containment cooling. Containment high pressure is sensed by pressure sensors. Reactor vessel water level is sensed by vessel water level sensors.

7.3.2a.4.3.1.9 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9)

All sensors are of the pressure sensing type and are installed with calibration taps and instrument valves, to permit testing during normal plant operation or during shutdown. The drywell high pressure sensors can be checked only by application of gas pressure from a low pressure source (instrument air or inert gas bottle) after closing the instrument valve and opening the calibration valve.

The reactor water indicating switches can be calibrated during normal plant operation or during shutdown. The switches are valved out of service and a test source, using operational process fluid (demineralized water in this case), applies a differential pressure across the switches.

Pressures are analogous to those corresponding to reactor water levels over the instrument's range. The same procedure is used for both setpoint and indication calibration.

7.3.2a.4.3.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10)

The containment spray system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Motor-operated valves can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed as the system is tested.

The pump can be started by appropriate breakers. Sensors can be exercised by applying test pressures. Logic relays can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests.

7.3.2a.4.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11)

Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective function without coincident operation of a second channel.

Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. Removal of an instrument channel from service during calibration will be brief.

7.3.2a.4.3.1.12 Operating Bypasses (IEEE 279-1971, Paragraph 4.12)

Containment spray has no operating bypasses.

7.3.2a.4.3.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13)

There are no automatic bypasses of any part of the containment spray control system. Deliberate opening of the valve motor breaker will give annunciation in the main control room.

7.3.2a.4.3.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14)

Access to switchgear, motor control centers, and instrument valves may be procedurally controlled by the following administrative means or other suitable alternative:

(1) Seals (or locks) on instrument valves

(2) Lockable doors on emergency switchgear rooms

(3) Lockable breaker control switch handles in the motor control centers

7.3.2a.4.3.1.15 Multiple Trip Settings (IEEE 279-1971, Paragraph 4.15)

Paragraph 4.15 of IEEE 279 is not applicable because all setpoints are fixed.

7.3.2a.4.3.1.16 Completion of Protection Action Once It Is Initiated (IEEE 279-1971, Paragraph 4.16)

The final control elements for the containment spray system are essentially bi-stable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reached). In the event of an interruption in AC power the control system will reset itself and recycle on restoration of power.

Thus, protective action once initiated must go to completion or continue until terminated by deliberate operator action.

7.3.2a.4.3.1.17 Manual Actuation (IEEE 279-1971, Paragraph 4.17)

Containment spray is a manually initiated system.

7.3.2a.4.3.1.18 Access to Setpoint Adjustment (IEEE 279-1971, Paragraph 4.18)

Setpoint adjustments for the containment spray system sensors are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Test points are incorporated into the control relay cabinets which are capable of being locked to prevent unauthorized actuation. The range (or span) of the drywell and reactor vessel pressure transducers is not adjustable. Because of these restrictions, compliance with this requirement of IEEE 279 is considered complete.

7.3.2a.4.3.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19)

Protective actions are directly indicated and identified by annunciator operation and sensor relay indicator lights. Either of these indications should be adequate, so this combination of annunciation and visible verification fulfills the requirements of this criterion.

7.3.2a.4.3.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20)

Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the containment spray function is available and/or operating properly.

7.3.2a.4.3.1.21 System Repair (IEEE 279-1971, Paragraph 4.21)

The containment spray control system is designed to permit repair or replacement of components.

Recognition and location of a failed component will be accomplished during periodic testing. The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. Sensors which are connected to the instrument piping are connected with separate screwed or bolted fittings and could be changed in approximately 1 hour, including electrical connection replacement.

7.3.2a.4.3.1.22 Identification (IEEE 279-1971, Paragraph 4.22)

A colored nameplate identifies each logic cabinet and instrument panel that are part of the containment spray system. The nameplate shows the division to which each panel or cabinet is assigned, and also identifies the function in the system of each item on the control panel.

Identification of cables and raceways is provided.

Panels in the control structure are identified by tags which indicate the system and logic contained in each panel.

7.3.2a.5 Suppression Pool Cooling Mode (RHR) - Instrumentation and Controls

7.3.2a.5.1 General Functional Requirements Conformance

The suppression pool cooling mode of the RHR is designed to limit the water temperature in the suppression pool such that the temperature immediately after a blowdown does not exceed the established limit when reactor pressure is above the limit for cold shutdown. During this mode of operation, water is pumped from the suppression pool, through the RHR system heat exchangers, and back to the suppression pool. The SPC mode thus maintains the suppression pool as a heat sink for reactor and containment.

7.3.2a.5.2 Regulatory Requirements Conformance

7.3.2a.5.2.1 Regulatory Guide 1.22 (1972)

Conformance to this guide is discussed in Section 7.3.2a.1.2.1.3.

7.3.2a.5.2.2 Regulatory Guide 1.29 (1973)

Conformance to this guide is discussed in Section 7.3.2a.1.2.1.4.

7.3.2a.5.2.3 Regulatory Guide 1.30 (1972)

Conformance to this guide is discussed in Section 3.13.

7.3.2a.5.2.4 Regulatory Guide 1.32 (1972)

See Subsection 7.3.2a.1.2.3.2.

7.3.2a.5.2.5 Regulatory Guide 1.47 (1973)

Indication and annunciation are provided in the control room to inform the operator that a system or part of a system is inoperable. See Section 7.1.2.6.10 for a discussion of the bypass indication capability provided.

7.3.2a.5.2.6 Regulatory Guide 1.53 (1973)

The system is designed with two independent and redundant portions to assure that no single failure can prevent the safety function.

7.3.2a.5.2.7 Regulatory Guide 1.62 (1973)

System initiation is manual from the control room. The manual controls are easily accessible to the operator so that required actions can be performed quickly. Once initiated, system initiation goes to completion unless overridden by a higher priority function or interlock.

7.3.2a.5.2.8 Regulatory Guide 1.63 (1973)

See Subsection 7.1.2.6.13.

7.3.2a.5.2.9 Regulatory Guide 1.75 (1975)

Conformance to this guide is discussed in Section 7.1.2.6.17.

7.3.2a.5.3 Conformance to 10CFR50 Appendix A

Conformance to GDC 5, 13, 19 through 24, 29, 35, and 37 is described in Section 7.3.2a.1.2.2.

7.3.2a.5.4 Conformance to Industry Codes and Standards

7.3.2a.5.4.1 IEEE Standard 279 (1971)

7.3.2a.5.4.1.1 General Functional Requirements (Paragraph 4.1)

A. Auto Initiation - The suppression pool cooling mode has no auto-initiation feature, but is manually initiated from the control room. Proper and timely system operation is assured with manual initiation, because sufficient time and information is available to the operator.

The monitored parameters which would indicate satisfactory system performance or operator error include fluid temperature, flow, pressure, and valve positions.

B. Appropriate Protective Action - The suppression pool cooling instrumentation and controls allow manual initiation of cooling flow to control suppression pool temperature.

C. Precision - Since suppression pool cooling is manually initiated based on one or more parameters, precision does not strictly apply to this system's control circuitry.

D. Reliability - Reliability of the control system is compatible with controlled equipment.

E. Performance Under Adverse Conditions

1. Power supply voltage and frequency - An electrical fault in one division cannot impair proper suppression pool cooling mode operation due to the redundant control circuits, each being supplied by different power sources.
2. Temperature - The suppression pool cooling mode is designed to function properly in the high temperature environment expected during the design basis accidents.
3. Humidity - The system is designed to function properly in the high humidity (steam) environment expected during the design basis accidents.
4. Pressure - The system is designed to function properly in the full range of pressures expected during the design basis accidents.
5. Vibration - Tolerance to environmentally-induced vibration (earthquake, wind) is discussed in Section 3.10.
6. Accidents - The system is tolerant to any design basis accident.
7. Fire - The system is tolerant to a fire in a single division raceway or enclosure.
8. Explosions - Explosions are not defined in the design basis.
9. Missiles - The system is tolerant to any single missile destroying no more than one pipe, raceway, or electrical enclosure.
10. Lightning - The system is tolerant to lightning damage to one auxiliary AC bus.
11. Flood - All instrumentation and controls are located above flood level or are protected from flood damage.
12. Earthquake - All control equipment is housed in a seismic Class I structure. Tolerance to earthquake damage is discussed in Section 3.10.

13. Wind and Tornado - The structures containing ESF components have been designed to withstand meteorological events described in Section 3.3.2. Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair ESF capabilities.
14. System Response Time - Manual initiation has been shown to provide adequate response time for initiation of this RHR mode.
15. System Accuracies - Instrumentation accuracy is considered when establishing a safety trip setpoint. System accuracies are within that needed for correct timely action.

16. Ranges of Monitored Parameters - Instrument sensors and processing equipment are capable of displaying the full ranges of parameters expected during the design basis accidents.

7.3.2a.5.4.1.2 Single Failure Criterion (Paragraph 4.2)

Two independent fluid systems are provided, each with the capacity for removing the total design heat load. Two division logic networks are provided: Division 1 logic initiates loop A equipment and Division 2 logic initiates loop B equipment.

Redundancy in equipment and control logic circuitry is provided so that a single failure will not interfere with proper operation of the redundant portions of the system.

Tolerance to specific single failures or events is discussed in Section 7.3.2a.4.3.1.2.

7.3.2a.5.4.1.3 Quality of Components (Paragraph 4.3)

Components used in the suppression pool cooling mode have been carefully selected for their specific applications. Ratings have sufficient conservatism to prevent significant deterioration during expected duty over the lifetime of the plant, as illustrated below:

(1) Controls are "energized to operate" and have infrequent, brief duty cycles.

(2) Switch and relay contacts carry no more than 50% of their continuous duty rating.

(3) Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the application will demand, including testing.

(4) Instrumentation and controls are rated for application in the normal, abnormal, and accident environments in which they are located.

(5) These components are subjected to the manufacturer's normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel assembly. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or which have been qualified by testing, are selected for use.

Additionally, equipment vendors are required to implement and document a quality control and assurance program in accordance with the requirements of 10 CFR 50, Appendix B.

7.3.2a.5.4.1.4 Equipment Qualification (Paragraph 4.4)

Components of the suppression pool cooling mode instrumentation have undergone qualification testing to evaluate their suitability for reliable service in their installed locations, or have demonstrated reliable operation in similar nuclear power plant installations and industrial applications.

No component of the control system is required to operate in the drywell environment. Sensory equipment is located outside the drywell and is capable of accurate operation in wide variations of environmental conditions.

7.3.2a.5.4.1.5 Channel Integrity (Paragraph 4.5)

The suppression pool cooling mode instrumentation and controls are designed to remain operable under extreme environmental conditions as detailed in Subsection 7.3.2a.5.4.1.3 (5).

7.3.2a.5.4.1.6 Channel Independence (Paragraph 4.6)

Channel independence is maintained for all suppression pool cooling control circuitry. Channel sensor instrumentation is physically and electrically separated and identified as belonging to the respective divisions. Relay cabinets are physically and electrically separated. Each division has its own battery, control and instrumentation bus, power distribution buses, and motor control centers.

7.3.2a.5.4.1.7 Control and Protection System Interaction (Paragraph 4.7)

The suppression pool cooling mode is a safety function and is independent of plant control systems.

7.3.2a.5.4.1.8 Derivation of System Inputs (Paragraph 4.8)

The inputs to the interlock circuit for suppression pool cooling flow control are the same as those used for low pressure coolant injection (See Section 7.3.1.1a.1.6.5).

7.3.2a.5.4.1.9 Capability for Sensor Checks (Paragraph 4.9)

Checks on sensors used in the interlock circuit are discussed in Subsection 7.3.2a.4.3.1.9.

7.3.2a.5.4.1.10 Capability for Test and Calibration (Paragraph 4.10)

The suppression pool cooling mode can be tested completely during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Motor-operated valves can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed during the test.

7.3.2a.5.4.1.11 Channel Bypass or Removal from Operation (Paragraph 4.11), Operating Bypasses (Paragraph 4.12), Indication of Bypasses (Paragraph 4.13)

The suppression pool cooling controls have no operating bypasses.

7.3.2a.5.4.1.12 Access to Means for Bypassing (Paragraph 4.14)

Since there are no bypasses, this criterion is not strictly applicable. Means of disabling instrumentation and controls is administratively controlled, including control of access to instrument valves and emergency switchgear.

7.3.2a.5.4.1.13 Multiple Setpoint (Paragraph 4.15)

There are no multiple trip settings.

7.3.2a.5.4.1.14 Completion of Protective Action Once Initiated (Paragraph 4.16)

The final control elements for the suppression pool cooling mode are essentially bi-stable: for example, motor-operated valves stay open once they have reached their open position even after the motor starter drops out. Thus, once manually initiated an action will go to completion and will continue unless deliberately terminated by the operator, or overridden by a higher priority function or interlock.

7.3.2a.5.4.1.15 Manual Initiation (Paragraph 4.17)

Suppression pool cooling is manually-initiated. Each separated loop is independently controlled by the operator.

7.3.2a.5.4.1.16 Access to Setpoint Adjustments (Paragraph 4.18)

The suppression pool cooling mode does not require setpoints.

7.3.2a.5.4.1.17 Identification of Protective Actions (Paragraph 4.19)

Suppression pool cooling flow initiation is indicated by status lights on the control panel.

7.3.2a.5.4.1.18 Information Read-Out (Paragraph 4.20)

Continuous-reading indications are provided to enable the operator to verify proper system operation. The design minimizes the possibility of confusion due to inconsistent indications.

7.3.2a.5.4.1.19 System Repair (Paragraph 4.21)

The suppression pool cooling mode is designed for efficient maintainability. Easy recognition of malfunctioning equipment is provided through proper test procedures. Accessibility is provided for the sensors and controls to facilitate repair or adjustment.

Sensors connected to instrument piping have threaded fittings or bolted fasteners and can be easily replaced.

7.3.2a.5.4.1.20 Identification (Paragraph 4.22)

Nameplates identify each logic cabinet and instrument panel that is part of the RHR system. The nameplates also indicate the division to which each panel or cabinet is assigned. Identification of cables and raceways is provided.

7.3.2a.5.4.2 IEEE Standard 308 (1974)

Class 1E electrical loads in the suppression pool cooling instrumentation and control system are physically separated and electrically isolated into independent load groups. A failure in one group will not interfere with proper operation of the redundant portions of the system in Section 8.1.

7.3.2a.5.4.3 IEEE Standard 338 (1971)

The capability for testing the suppression pool cooling instrumentation and control system is discussed in Subsection 7.3.1.1a.5.10.

7.3.2a.5.4.4 IEEE Standard 379 (1972)

The single failure criterion of IEEE 279 (1971), paragraph 4.2 as further defined in IEEE 379 (1972), "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection System," is met as described in Subsection 7.3.2a.5.4.1.2.

7.3.2a.5.4.5 IEEE Standard 384 (1974)

Independence of suppression pool cooling equipment is demonstrated in the Section on Conformance to IEEE 279 (1971) paragraph 4.6 and IEEE 308 (1974). See Subsections 7.3.2a.5.4.1.6 and 7.3.2a.5.4.2.

7.3.2a.6 Additional Design Considerations Analyses

7.3.2a.6.1 General Plant Safety Analysis

The examination of the subject ESF system at the plant safety analyses level is presented in Chapter 15 and Appendix 15A.

7.3.2a.6.2 Loss of Plant Instrument Air System

Loss of plant instrument air will not negate the subject ESF system safety functions. Refer to Appendix 15A.

7.3.2a.6.3 Loss of Cooling Water to Vital Equipment

Loss of cooling water to ECCS, containment and reactor vessel isolation systems and other systems described in this section, when subject to single active component failure or single operator error, will not result in the loss of sufficient ESF system to negate their safety function.

Refer to Appendix 15A.

7.3.2b ANALYSIS FOR NON-NSSS SYSTEMS

Analysis of ESF Actuation Systems (ESFAS) not supplied with the NSSS. Generally, the requirements of the General Design Criteria, Appendix A of 10 CFR 50, are satisfied for ESFAS as described in Section 3.1. This section describes the applicability of General Design Criteria to non-NSSS ESFAS, describes how the requirements of IEEE 279-1971 (Section 4) are applicable, and how they are met.

7.3.2b.1 General Design Criteria

Criterion 1: Quality Standards and Records

The equipment for non-NSSS ESFAS, ESF, and supporting systems is included in an established quality assurance program as described in Subsection 3.1.2 and Chapter 17.

Regulatory Guides 1.28, 1.30, and 1.38 have been satisfied with exceptions noted in Section 3.13.

Criterion 2: Design Basis for Protection Against Natural Phenomena

The design basis for protection against natural phenomena is described in Subsection 3.1.2 and is applicable to non-NSSS ESFAS.

Criterion 3: Fire Protection

The design basis for the fire protection system is described in Subsection 9.5.1 and in the Fire Protection Review Report.

Criterion 4: Environmental and Missile Design Basis

Environmental design is described in Section 3.11. Missile design basis requirements are documented in Section 3.5, and see Subsection 3.1.2 for response to these GDC.

Criterion 5: Sharing of Structures, Systems, and Components

Refer to Section 3.1.2 for general discussion.

Refer to Subsection 9.4.2 for sharing of H&V, reactor building isolation and recirculation and standby gas treatment systems.

Criterion 10: Reactor Design

The criterion is applicable to non-NSSS ESFAS insofar as containment isolation, standby gas treatment, reactor building isolation and recirculation, and control room isolation (habitability) are initiated by NSSS sensors monitoring reactor and containment conditions.

Refer to Subsection 7.2.2.1.2.2.6.

Criterion 13: Instrumentation and Controls

The instrumentation and controls for ESF systems are selected to monitor variables required for safety over the expected range of operation for normal, transient, and accident conditions.

Variables affecting plant design limits are monitored to initiate protective action.

Safety related display instrumentation is documented in Table 7.5-1.

Criterion 19: Control Room

The control room layout is presented in Section 7.5.

Control room isolation and habitability are described in Section 6.4 and Subsections 7.3.1.1b.7 and 9.4.1.

Remote shutdown design is described in Subsection 7.4.1.4.

Criterion 20: Protection System Function

The criterion is applicable to non-NSSS ESFAS insofar as containment isolation, standby gas treatment, reactor building isolation and recirculation, and control room isolation (habitability) are initiated by NSSS sensors monitoring reactor and containment conditions. Refer to Subsection 7.2.1.1.4.2, which describes variables affecting plant safety which are monitored by RPS and ESF systems, with automatic initiation through ESFAS. Refer to Tables 7.3-1 through 7.3-5 for information on the instrument functions, instrument/sensor type, instrument range and number of channels provided. Refer to the Technical Requirements Manual for the trip setpoints, and the plant Technical Specifications for the Allowable Values.

Criterion 21: Protection System Reliability and Testability

Refer to Subsections 7.2.2.1.2.2.12 and 7.3.2a.2.2.3.10.

Criterion 22: Protection System Independence

Refer to Subsection 7.2.2.1.2.2.13 and 3.1.2.

Criteria 23, 24, 25, 26, 27, 28

These criteria are not directly applicable to non-NSSS ESF. Refer to Subsection 3.1.2 for general discussion.

Criterion 29: Protection Against Anticipated Operational Occurrences

Non-NSSS is affected insofar as NSSS sensors and logic are provided, selected, and installed to accomplish their function.

Criteria 30, 31, 32, 33

Not applicable to non-NSSS ESF.

Criterion 34: Residual Heat Removal

Non-NSSS RHR Service Water is an auxiliary support system to provide coolant to RHR. The system is described in Subsection 9.2.6. ESFAS is described in Subsection 7.3.1.1b.8.2.

Criterion 35: Emergency Core Cooling

Non-NSSS provides support to ECCS in that ECCS Unit Coolers (Subsection 7.3.1.1b.8.5.5) support ECCS equipment. Actuation is described in the above reference. These coolers are actuated directly by interlocks to the equipment they serve.

Criteria 36 and 37

These criteria are not applicable to non-NSSS ESF.

Criterion 38: Containment Heat Removal

Non-NSSS Drywell Unit Coolers provide the normal operating function of containment heat removal. Actuation of these coolers is described in Subsection 7.3.1.1b.8.5.6. The system is described in Subsection 9.4.5.

Criteria 39 and 40: Inspection and Testing of Containment Heat Removal

These criteria are not applicable to non-NSSS ESFAS.

Criterion 41: Containment Atmosphere Cleanup

SGTS, Recirculation and Containment Atmosphere monitoring provide functions to which these criteria apply.

These systems' ESFAS are described and analyzed in the following sections:

Standby Gas: Subsections 6.5.1.1, 9.4.2, 7.3.1.1b.4, and Table 7.3-18

Recirculation: Subsections 6.5.3, 9.4.2, 7.3.1.1b.5, and Table 3-19

Containment Atmosphere Monitoring: Subsection 6.2.5, and Sections 7.5 and 7.6

Criteria 42 and 43

Not applicable to non-NSSS ESFAS.

Criterion 44: Cooling Water

Emergency Service Water provides support of heat transfer for standby power and reactor building and Containment Cooling under emergency conditions. RHR Service Water serves RHR. Both systems work from the ultimate heat sink. Descriptions are in Subsections 9.2.5 and 9.2.6; ESFAS are in Subsections 7.3.1.1b.8.1 and 7.3.1.1b.8.2.

Criterion 45

Not applicable to non-NSSS ESF.

Criterion 46: Testing of Cooling Water Systems

Testing of EBSW and RHRSW ESFAS is described under IEEE requirements (Paragraph 4.10) below.

Criteria 50-54: Piping Systems Penetrating Containment

These criteria are not applicable to non-NSSS ESF.

Criteria 55, 56, and 57: Primary Containment Isolation

Refer to Subsections 6.2.4, 7.3.1.1a.2, 7.3.1.1b.1, 7.3.2a and 7.3.2b and Table 6.2-12.

Criteria 60-64

Not applicable to non-NSSS ESFAS.

7.3.2b.2 Equipment Design Criteria

The requirements for safety related functional performance and reliability of ESF and auxiliary support systems are established in IEEE 279-1971, criteria for protection systems for nuclear power generating stations.

This section describes how the requirements listed in Section 4 of IEEE 279 are satisfied.

4. Requirements

4.1 General Functional Requirement

The ESFAS is designed to manually or automatically actuate non-NSSS ESF systems and auxiliary support systems whenever a plant condition is detected to exceed a preset safe value.

Instrument performance and characteristics, such as response time, accuracies, and ranges are considered in the design to ensure adequate protection during anticipated normal, abnormal, or accident conditions.

Technical specifications are presented in Chapter 16.

4.2 Single Failure Criteria

In all cases for non-NSSS ESFAS described, single failure criteria are met by use of redundant protection systems. In terms of single failure analysis (IEEE 379-1972) for any required protective action, channels, system logic, and actuator circuits are redundant and independent trains.

Therefore, any single failure in any subdivision of one train cannot prevent the other train from operating. Non-NSSS ESFAS and auxiliary support systems use the above design.

4.3 Quality of Components and Modules

NSSS furnished equipment serving non-NSSS ESFAS is described in Subsections 7.3.2a.2.2.3.1.3 and 7.3.2a.1.2.3.1.3.

4.4 Equipment Qualifications

Equipment qualifications for the performance requirement of instrumentation for ESF systems, and auxiliary support systems are described in Sections 3.10 and 3.11.

4.5 Channel Integrity

Integrity within each redundant system is provided as described in the statements of compliance above and below.

4.6 Channel Independence

Each redundant safety related system and its instrumentation is designed as an independent system physically separated from each other.

Physical independence of electrical systems follows the recommendations of Regulatory Guide 1.75 for all non-NSSS ESF systems, and auxiliary supporting systems. Also refer to Section 3.12.

4.7 Control and Protection System Interaction

No portion of non-NSSS ESFAS is used for control functions.

4.8 Derivation of Signal Inputs

Safety related signals are measured directly from the desired process variable, if the input is provided to the ESFAS. Signals originate as described in Subsections 7.3.2a.2.2.3.1.8 and 7.3.2a.2.1.3.1.8.

4.9 Capability of Sensor Checks

Non-NSSS ESFAS use NSSS sensors. Capability for checks is covered typically in Subsection 7.3.2a.2.2.1.9. Radiation detector checks are described in Section 11.5.

4.10 Capability for Test and Calibration

Provisions have been incorporated to periodically test the non-NSSS ESFAS functions to affirm operability from the initiation signal to the final actuators. Implementation is described below for each system. Test frequency is as noted in the Technical Specification or in accordance with the preventative maintenance program as appropriate.

(1) Primary Containment Isolation Control (see Subsection 7.3.1.1b.1) is initiated by relays B21H-K84, E21A-K100A, E21A-K101A, PSHX-15120C and LISX-14221C for Division I circuits and by relays B21H-K83, E21A-K100B, E21A-K101B, PSHX-15120D and LISX-14221D for Division II circuits (refer to E-184, sheets 1, 5 and 7). The system then isolates containment.

(2) Combustible Gas Control System - Instrumentation and Control (Subsection 7.3.1.1b.2.1), test requirements are given in 6.2.5.4.

(3) Primary Containment Vacuum Relief Instrumentation and Control is a test system (see Subsection 7.3.1.1b.3).

(4) Emergency Service Water System Instrumentation and Control (Subsection 7.3.1.1b.8.1) is initiated by the diesel start signal from diesel generators aligned to ESS Buses. All features of the system can be tested by altering the start sequence and the number of diesels being operated.

(5) RHR Service Water System Instrumentation and Control (Subsection 7.3.1.1b.8.2) is a manually initiated system and may be tested by manual initiation.

(6) Containment Instrument Gas System Instrumentation and Control (Subsection 7.3.1.1b.8.3) is initiated by the relays as described in (1) above. The system then completes its transfer function to the standby gas bottles, which is verified by indicator lights and local pressure indication.

(7) Standby Gas Treatment System (SGTS) (Subsection 7.3.1.1b.4). Sensors of the SGTS initiating circuits can be checked for the operational availability, and the initiating circuits can be actuated or calibrated by either perturbing the monitored variable or by use of substitution input to the sensors.

The LOCA signal for the SGTS is initiated by relay XY07553A for Div. I and by relay XY07553B for Div. II.

(8) Reactor Building Recirculation System (7.3.1.1b.5). Sensors of the recirculating system initiating circuits can be checked for operational availability, and the initiation of circuits can be actuated or calibrated by use of substitution input to the sensors.

The LOCA signal for the fans is directly initiated by relays XY07553A and B; Zone I recirculation dampers are initiated by relays XY07551A and B; dampers connecting SGTS to the recirculation plenum are initiated by relays XY07553A and B; Zone II dampers are initiated by relays XY07552A and B.

(9) Reactor Building Isolation and HVAC Support (Subsection 7.3.1.1b.6).

Checking of sensors and initiation circuits for the reactor building isolation is the same as for the Reactor Building Recirculation System, see Subsection 7.3.2b.2-4.10(8).

(10) Habitability, Control Room Isolation (Subsection 7.3.1.1b.7). Sensors of the control room isolation initiating circuit can be checked for the operational availability, and the initiating circuits can be initiated or calibrated by use of substitution input to the sensors.

The LOCA signal for the control room isolation is initiated by any one of relays XY07551A, XY07552A or XY07553A for Div. I, and any one of relays XY07551B, XY07552B or XY07553B for Div. II.

(11) SGTS Equipment Room H&V System (Subsection 7.3.1.1b.8.5.1). Sensors of the SGTS equipment room H&V system initiating circuits can be checked for the availability, and the initiating circuits can be actuated or calibrated by perturbing the monitored variable at the sensors.

(12) Diesel Generator Buildings' H&V Systems (Subsection 7.3.1.1b.8.5.2). Sensors of the diesel generator buildings H&V system initiating circuits can be checked for the availability, and the initiating circuits can be actuated or calibrated by perturbing the monitored variable at the sensors.

Also the Diesel Generator A-D Building H&V system is initiated by the start of the same channel diesel generator, and by manual initiation from the main control room.

Diesel Generator 'E' Building H&V System is automatically initiated by room thermostats and manually initiated from a local control panel. If Diesel Generator 'E' is aligned to replace Diesel Generator A, B, C or D, then the Diesel Generator 'E' Building H&V System can be manually started from the main control room.

(13) Engineered Safeguard Service Water Pumphouse Ventilation System (Subsection 7.3.1.1b.8.5.3). Sensors of the system initiating circuits can be checked for the availability, and the initiating circuits can be actuated or calibrated by perturbing the monitored variable at the sensors.

Also, the ventilation system can be initiated by a start signal of associated service water pump or by manual initiation from the control room.

(14) ESF Switchgear (SWGR) Rooms Cooling Systems (Subsection 7.3.1.1b.8.5.4). The ESF SWGR rooms cooling system initiating circuits can be checked for operational availability, and the initiating circuits can be actuated or calibrated by either the use of substitution input to the sensors, or perturbing the monitored variable.

(15) Emergency Core Cooling Systems (ECCS) Unit Coolers (Subsection 7.3.1.1b.8.5.5). RHR and core spray pump unit coolers can be initiated by a start signal of an associated pump, or by manual initiation from the control room.

HPCI and RCIC pump room unit cooler high discharge air temperature switch initiating circuits can be checked for operational availability, and the initiating circuits can be actuated or calibrated by use of substitution input to the sensors.

Other HPCI and RCIC initiating circuits can be tested by manual tripping of steam stop valve position switches (valve open) to the respective turbines.

(16) Drywell Unit Coolers (Subsection 7.3.1.1b.8.5.6) are tripped by high drywell pressure signal relays HSX117701A through HSX517701A for Div. I, and HSX117701B through HSX517701B for Div. II. Once tripped, they can be manually initiated from the control room for low speed operation. CRD area ventilation fans 1V418A (Div. I) and 1V418B (Div. II) are tripped by high drywell signal relays HSX217701A and HSX217701B, respectively.

Once tripped, they can be manually initiated from the control room for low speed operation.

(17) Control Structure Chilled Water System (Subsection 7.3.1.1b.8.5.7). The control structure chilled water initiating circuits can be checked for operational availability, and the initiating circuits can be actuated or calibrated by use of substitution input to the sensors, or by perturbing the monitored variable at the sensors.

(18) Primary Containment Isolation of containment purge and vent valves on high radiation signal (SGTS Exhaust Hi Hi Radiation). See Subsection 7.3.1.1b.9. The initiating circuits can be actuated or calibrated by perturbing the monitored variable at the sensor.

4.11 Channel Bypass or Removal for Operation

Non-NSSS protection systems are tested, one system at a time, which allows one of the two redundant divisions to perform full protective function. This is described typically in Subsection 7.3.2a.2.2.3.1.11.

If a division is bypassed, the single failure criteria are violated. However, the redundant division is available and is designed to fail safe, i.e., to initiate a protective action.

4.12 Operating Bypass

Non-NSSS systems are not provided with operating bypasses.

4.13 Indication of Bypasses

Bypasses of protective systems are indicated and alarmed in the control room or are covered by administrative procedure.

Refer to Bypass Indication System (BIS) description in Subsection 7.5.1b.7.

4.14 Access to Means for Bypassing

Administrative procedure is required to allow for manual system bypass. Divisionalized circuits are located in key locked panels.

4.15 Multiple Setpoints

Non-NSSS systems do not require multiple setpoints.

4.16 Completion of Protective Action Once it is Initiated

The logic circuit design ensures completion of protective action once it is initiated.

4.17 Manual Initiation

Each ESF system can be manually initiated by the operator in the main control room.

4.18 Access to Setpoint Adjustments, Calibration, and Test Points

Refer to Subsection 7.3.2a.2.2.3.1.18 and the response to requirement 4.14.

4.19 Identification of Protective Action

NSSS equipment is described in Subsection 7.3.2a.2.2.3.1.19 which applies to containment isolation, reactor building and containment atmosphere decontamination. High radiation initiated ESFAS is discussed in Section 11.5.

4.20 Information Read-Out

Each ESF system is designed with display instrumentation necessary for monitoring the protection function from the main control room. Refer to Subsections 7.3.2a.2.2.3.1.20 and 11.5.

Safety related display instrumentation is described in Section 7.5.

4.21 System Repair

Defective systems can be detected by observation of alarms, indicating lights, or during periodic testing. Replacement or repair of components is possible after the affected system has been bypassed.

4.22 Identification

All equipment, panels, modules, components, and cables of ESF and support systems are identified by tag numbers. Interconnecting cables are color coded on a division basis.

7.3.2b.3 Failure Modes and Effect Analysis (FMEA)

7.3.2b.3.1 Non-NSSS Containment Isolation Systems

FMEA's are provided in Table 7.3-20.

7.3.2b.3.2 Combustible Gas Control

This system is manually initiated. Therefore, no FMEA is provided.

Refer to the system description in Section 6.5 for details.

7.3.2b.3.3 Primary Containment Vacuum Relief

This system is a mechanically actuated system. Actuation is provided only for a test function which determines that the valves do open.

7.3.2b.3.4 Standby Gas Treatment System

FMEA is provided in Table 7.3-18.

7.3.2b.3.5 Reactor Building Recirculation

System's FMEA is provided in Table 7.3-19.

7.3.2b.3.6 Reactor Building Isolation

The discussion is provided in Subsection 9.4.2.

7.3.2b.3.7 Control Room Isolation

The system is described as Emergency Outside Air Supply. The FMEA is in Tables 7.3-21 through 7.3-26.

7.3.2b.4 Consideration of Plant Contingencies

7.3.2b.4.1 Loss of Instrument Air Systems

a) No instrument air is required to perform any protective action. Equipment using instrument air is designed to fail in a safe condition.

b) Containment Instrument Gas is provided for certain protective functions inside the containment. Refer to Subsection 7.3.1.1b.8.3 for discussion of its function.

c) Complete loss of instrument air will cause a reactor scram as described in Chapter 15.

7.3.2b.4.2 Loss of Cooling Water to Vital Equipment

Vital equipment, the emergency diesels, containment cooling, reactor building cooling, control structure coolers and ECCS unit coolers are all switched to emergency service water when the equipment is required to provide its protective function. Refer to Subsections 9.2.5 and 7.3.1.1b.8.1.

7.3.2b.5 Testing Methods and Effects on System Integrity During Testing

Chapter 14 discusses preoperational and startup test programs. See the Technical Specifications for surveillance during normal operation.

TABLE 7.3-1 HIGH PRESSURE COOLANT INJECTION SYSTEM - INSTRUMENT SPECIFICATIONS AND CHANNELS

| HPCI Function | Instrument | Instrument Range(1) | Number of Channels Provided(2) |
|---|---|---|---|
| Reactor vessel high water level turbine trip | Level switch | 0 - 60 | 2 |
| Turbine exhaust high pressure | Pressure switch | 10 - 240 psig | 2 |
| HPCI system pump high/low suction pressure | Pressure switch | High(5) | 1 |
| | | Low 30 Hg/10 psig | 1 |
| Reactor vessel low water level | Level switch | -150/0/+60 | 4 |
| Primary containment (drywell) high pressure | Pressure switch | 0.2 - 6 psig | 4 |
| HPCI pump minimum flow | Flow switch | 0 - 1370 gpm (4) | 1 |
| HPCI system steam supply low pressure | Pressure switch | 6 - 340 psig | 4 |
| HPCI pump discharge flow | Flow indicator controller | 0 - 6000 gpm | 1 |
| Condensate storage tank low level | Level switch | + 1 | 2 |
| Suppression pool high water level | Level switch | + 1 | 2(6) |
| Turbine overspeed | Centrifugal device(3) | 0 - 6000 rpm | 1 |
| HPCI system pump high discharge pressure | Pressure switch | 6-340 psig | 1 |

(1) See the Technical Requirements Manual for the trip setpoints; and the plant Technical Specifications for the Allowable Values, where applicable.

(2) See the Technical Specifications for the minimum number of channels required.

(3) See Section 6.3, ECCS, for description of the turbine; this purely mechanical device forms an integral part of the turbine.

(4) Equivalent dp range 0-20 H2O.

(5) Unit 1: 3-85 psig; Unit 2: 10-275 psig

(6) Control Room Alarm Only

Table Rev. 56; FSAR Rev. 71

TABLE 7.3-2 AUTOMATIC DEPRESSURIZATION SYSTEM - INSTRUMENT SPECIFICATIONS AND CHANNELS

| ADS Function | Instrument | Instrument Range (1) | Number of Channels Provided (2) |
|---|---|---|---|
| Reactor Vessel Low Level (ADS Initiation) | Level Switch | 0-60" | 1 per Trip System |
| Reactor Vessel Low Water Level (ADS Initiation) | Level Switch | -150/0/+60" | 2 per Trip System |
| Primary Containment (Drywell) High Pressure | Pressure Switch | 0.2-6 psig | 2 per Trip System |
| Automatic Depressurization Time Delay | Timer | 0-150 sec | 1 per Trip System |
| LPCI Pump Discharge Pressure | Pressure Switch | 10-240 psig | 4 per Trip System |
| Core Spray Pump Discharge Pressure | Pressure Switch | 6-330 psig | 2 per Trip System |
| High Drywell Pressure Bypass Time Delay | Timer | 1-30 min. | 2 per Trip System |

(1) See the Technical Requirements Manual for the trip setpoints, and the plant Technical Specifications for the Allowable Values, where applicable.

(2) See the Technical Specifications, for minimum number of channels required.

Rev. 54, 10/99

TABLE 7.3-3 CORE SPRAY SYSTEM - INSTRUMENT SPECIFICATIONS AND CHANNELS

| Function | Instrument | Instrument Range (1) | Number of Channels Provided (2) |
|---|---|---|---|
| Reactor Vessel Low Water | Level Switch | -150/0/+60" | 2 per Trip System |
| Reactor Containment High Pressure | Pressure Switch | 0.2-6 psig | 2 per Trip System |
| Reactor Vessel Low Pressure | Pressure Switch | 0-500 psig | 2 per Trip System |
| Core Spray High Differential Pressure (alarm only) | Differential Pressure Switch | -10/0/+15 psid | 1 per Sparger |
| Pump Discharge Minimum Flow | Flow Switch | 0-1782 gpm (3) | 4 per Loop |
| Pump Suction Pressure (indicator only) | Pressure Indicator | -30" Hg/0/60 psig | 2 per Pump |
| Pump Discharge Pressure (ADS Permissive) | Pressure Indicator | 6-330 psig | 2 per Trip System |

(1) See the Technical Requirements Manual for the trip setpoints, and the plant Technical Specifications for the Allowable Values, where applicable.

(2) See the Technical Specifications, for minimum number of channels required.

(3) Equivalent dp range 0-30" H2O.

NIMS Rev. 56; Rev. 55

TABLE 7.3-4 LOW PRESSURE COOLANT INJECTION - INSTRUMENT SPECIFICATION AND CHANNELS

| LPCI Function | Instrument | Range (1) | Channels Provided (2) |
|---|---|---|---|
| Reactor vessel low water level (LPCI initiation) | Level switch | -150/0/+60" | 2 per trip System |
| Drywell high pressure (LPCI initiation) | Pressure switch | 0.2-6 psig | 2 per trip System |
| Drywell high pressure (ADS initiation) | Pressure switch | 0.2-6 psig | 2 per trip System |
| Reactor low pressure (LPCI valves) | Pressure switch | 0-500 psig | 2 per trip System |
| Pump minimum flow bypass | Flow switch | 0-4270 gpm (3) | 1 per trip System |
| Pump discharge pressure (signal to auto. depressurization system) | Pressure switch | 10-240 psig | 4 per trip System |
| Reactor low pressure (recirc. valves) | Pressure switch | 100-1200 psig; 0-500 psig | 2 per trip System |

(1) See the Technical Requirements Manual for the trip setpoints, and the plant Technical Specifications for the Allowable Values, where applicable.

(2) See the Technical Specifications for minimum number of channels required.

(3) Equivalent dp range 0-20" H2O.

NIMS Rev. 55; Rev. 55

TABLE 7.3-5 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENTATION SPECIFICATIONS

| Isolation Function | Instrument / Or Sensor | Range (1) | Number Of Channels Provided (1) (2) |
|---|---|---|---|
| Reactor Vessel Low Water Level (Isolation of Primary System Valves Except MSI Valves) Signal A(4) | Differential Level Switch | 0-60 | 4 |
| Reactor Vessel Low Water Level (Isolation MSI Valves) Signal G(4) | Differential Level Switch | -150 / 0 / +60 | 4 |
| Main Steamline High Radiation | Radiation Monitor | 1-106 MR/HR | 4 |
| Main Steamline High Flow | Differential Pressure Switch | 0-200 psid | 16 |
| Main Steamline Low Pressure | Pressure Switch | 100 - 1200 | 4 |
| Primary Containment High Pressure | Pressure Switch | 0.2-6 psig | 14 |
| Condenser Vacuum | Vacuum Switch | .8 Hg VAC-29.2 Hg VAC; 30 HgV to 0.5 psi | 4 |
| Reactor Building Ventilation Exhaust High Radiation | Radiation Monitor | 0.01 - 100 MR/HR | 2 |

| Isolation Function | Instrument / Or Sensor | Range (1) | Number Of Channels Provided (2) (3) |
|---|---|---|---|
| Reactor Vessel High Pressure | Pressure Switch | 0-225 psig | 2 |
| Reactor Water Cleanup System Space High Temperature (System Isolation) | Temperature Switch | 50 - 350°F | 6 |
| Main Steamline Space High Temperature | Temperature Switch | 50 - 350°F | 4 |
| RWCU High Flow | Flow Switch | 0 - 24 H2O | 2 |
| Reactor Water Cleanup High Differential Flow | Differential Flow Switch | 0 - 100% | 2 |
| RHR Water Line High Flow | Differential Pressure Indicating Switch | -300-+300 H2O | 2 |

(1) See the Technical Requirements Manual for the trip setpoints, and the plant Technical Specifications for the Allowable Values, where applicable.

(2) See the Technical Specifications for minimum number of channels required.

(3) Normal number of trip channels per trip system.

(4) Refer to FSAR Table 6.2-12 for a description of Isolation signal codes.

Table Rev. 59; FSAR Rev. 71

SSES-FSAR TABLE 7.3-13 ESFAS ACTUATED EQUIPMENT STANDBY GAS TREATMENT SYSTEM

OV-109A VC-175 SGTS 'A' fan A Start Start Start Start Trip

Sh. 3 OV-1098 VC-175 SGTS 'B' fan -B Start Start Start Start Trip Sh. 3 TV-07550A VC-175 SGTS backup A - -- -- -- -- Open I

Sh. 3 deluge valve 'A' TV-07550B VC-175 SGTS backup I B I -- I -- I - -- I -- I Open IOpen Sh . 3 deluge valve 'B' HV-07551A1 I VC-175 SGTS drain valves I A I -- I -- I - I -- I --

I I Open through A4

  • Sh. 3 'A 1' through 'A4' HV-0755181 through 84 VC-175 Sh. 3 SGTS drain valves

'B1' through 'B4' I B I -- I -- I - I -- --

TD-07560A VC-175 Sh. 3 SGTS crossover duct 'A' dmpr A -- - - -- Open --

TD-07560B VC-175 Sh. 3 SGTS crossover duct 'B' dmpr B -- - -- -- Open --

Remarks: Control signal 'E' will open valve 'A' only when SGTS train 'B' is in operation and vice versa; otherwise, they will stay closed.

Rev . 54, 10/99 Page 1 of 1

TABLE 7.3-14 ESFAS ACTUATED EQUIPMENT RECIRCULATION SYSTEM, REACTOR BUILDING ISOLATION DAMPERS, AND REACTOR BUILDING NONSAFETY RELATED EQUIPMENT

Control signal functions A and B are defined in Table 7.3-17.

| Equipment No. | Figure No. | Description | ESF Train | Control Signal A | Control Signal B | Remarks |
|---|---|---|---|---|---|---|
| 0V201A | VC-175 Sh. 1 | Recirculation A fan | A | Start | Start | |
| 0V201B | VC-175 Sh. 1 | Recirculation B fan | B | Start | Start | |
| HD07543A | VC-175 Sh. 1 | Recirculation A dmpr | A | Open | Open | |
| HD07543B | VC-175 | Recirculation B dmpr | B | Open | Open | |
| HD17601A | VC-176 | Recirculation A dmpr | A | Open | - | |
| HD17601B | VC-176 | Recirculation B dmpr | B | Open | - | |
| HD17602A | VC-176 | Recirculation A dmpr | A | Open | - | |
| HD17602B | VC-176 | Recirculation B dmpr | B | Open | - | |
| HD17657A | VC-176 | Recirculation A dmpr | A | Open | - | |
| HD17657B | VC-176 | Recirculation B dmpr | B | Open | - | |
| Reactor Building Isolation Dmprs | | | | | | |
| HD17524A | VC-175 Sh. 2 | Zone I eq comp exh sys | A | Close | - | |
| HD17524B | VC-175 Sh. 2 | Zone I eq comp exh sys | B | Close | - | |
| HD17576A | VC-175 Sh. 1 | Zone I exhaust sys | A | Close | - | |
| HD17576B | VC-175 Sh. 1 | Zone I exhaust sys | B | Close | - | |
| HD17586A | VC-175 Sh. 1 | Zone I supply sys | A | Close | - | |
| HD17586B | VC-175 Sh. 1 | Zone I supply sys | B | Close | - | |
| HD17514A | VC-175 Sh. 2 | Zone III filtd exh sys | A | Close | Close | |
| HD17514B | VC-175 | Zone III filtd exh sys | B | Close | Close | |
| HD17502A | VC-175 Sh. 2 | Zone III exhaust sys | A | Close | Close | |
| HD17502B | VC-175 Sh. 2 | Zone III exhaust sys | B | Close | Close | |
| HD17564A | VC-175 Sh. 1 | Zone III supply sys | A | Close | Close | |
| HD17564B | VC-175 Sh. 1 | Zone III supply sys | B | Close | Close | |
| HD17534A | VC-175 Sh. 1 | Zone air lock I-606 | A | Close | Close | |
| HD17534B | VC-175 Sh. 1 | Zone air lock I-611 | A | Close | Close | |
| HD17534D | VC-175 Sh. 1 | Zone air lock I-803 | A | Close | Close | |
| HD17534E | VC-175 Sh. 1 | Zone air lock I-805 | A | Close | Close | |
| HD17534F | VC-175 Sh. 1 | Zone air lock I-617 | A | Close | Close | |
| HD17534H | VC-175 Sh. 1 | Zone air lock I-618 | A | Close | Close | |
| HD17508A | VC-175 Sh. 3 | Unit 1 drywell & wetwell purge & burp | A | Close | Close | |
| HD17508B | VC-175 Sh. 3 | Unit 1 drywell & wetwell purge & burp | B | Close | Close | |
| Reactor Building Non-Safety-Related Equipment | | | | | | |
| 1V217A | VC-175 Sh. 2 | Zone III filtd exh sys | - | Trip | Trip | |
| 1V217B | VC-175 Sh. 2 | Zone III filtd exh sys | - | Trip | Trip | |
| 1V206A | VC-175 Sh. 2 | Zone I eq comp exh sys | - | Trip | - | |
| 1V206B | VC-175 Sh. 2 | Zone I eq comp exh sys | - | Trip | - | |

Table Rev. 55; FSAR Rev. 66

TABLE 7.3-15 ESFAS ACTUATED EQUIPMENT CONTROL STRUCTURE EMERGENCY OUTSIDE AIR SUPPLY SYSTEM

Control signal functions are identified by the column letters; see Table 7.3-17.

| Equipment No. | Figure No. | Description | ESF Train | A | B | F | I | J | G | Remarks |
|---|---|---|---|---|---|---|---|---|---|---|
| OV101A | VC-178 Sh. 1 | Emerg O/A supp A fan | A | Start | Start | Trip | - | Start | Trip | |
| OV101B | VC-178 Sh. 1 | Emerg O/A supp B fan | B | Start | Start | Start | - | Start | Start | |
| HD07812A | VC-178 Sh. 1 | Emerg O/A supp cont A dmpr | A | Open | Open | Close | Close | Open | Close | |
| HD07812B | VC-178 Sh. 1 | Emerg O/A supp cont B dmpr | B | Open | Open | Open | Close | Open | Open | |
| HD07802A | VC-178 Sh. 1 | Normal O/A supp isol A dmpr | A | Close | Close | - | Close | Close | - | |
| HD07802B | VC-178 Sh. 1 | Normal O/A supp isol B dmpr | B | Close | Close | - | Close | Close | - | |
| HD07814A | VC-178 Sh. 1 | Emerg O/A supp isol A dmpr | A | Open | Open | Close | Close | Open | Close | |
| HD07814B | VC-178 Sh. 1 | Emerg O/A supp isol B dmpr | B | Open | Open | Open | Close | Open | Open | |
| HD07813A | VC-178 Sh. 1 | Emerg O/A recirc isol A dmpr | A | - | - | - | Open | - | - | |
| HD07813B | VC-178 Sh. 1 | Emerg O/A recirc isol B dmpr | B | - | - | - | Open | - | - | |
| HD07833A | VC-178 Sh. 1 | Cont rm relief air A dmpr | A | - | - | - | Close | - | - | |
| HD07833B | VC-178 Sh. 1 | Cont rm relief air B dmpr | B | - | - | - | Close | - | - | |
| HD07824A1 | VC-178 Sh. 3 | Cont struct exh isol A1 dmpr | A | Close | Close | - | Close | Close | - | |
| HD07824B1 | VC-178 Sh. 3 | Cont struct exh isol A2 dmpr | B | Close | Close | - | Close | Close | - | |
| HD07873A | VC-178 Sh. 2 | Cont rm kitchen A dmpr | A | Close | Close | - | Close | Close | - | |
| HD07873B | VC-178 Sh. 3 | Cont rm kitchen B dmpr | B | Close | Close | - | Close | Close | - | |
| OV105 | VC-178 Sh. 4 | Access cont & lab area supp fan | A/B | Trip | Trip | - | - | Trip | - | |

Rev. 54, 10/99

SSES-FSAR Table Rev. 44 TABLE 7.3-16 ESFAS ACTUATED EQUIPMENT BATTERY ROOMS EXHAUST SYSTEM THIS TABLE HAS BEEN DELETED FSAR Rev. 56 Page 1 of 1

TABLE 7.3-17 GENERAL NOTES FOR TABLES 7.3-13 THROUGH 7.3-16

1. The Engineered Safety Feature Actuation Systems (ESFAS) control signals are as follows:

A Loss of coolant accident (LOCA)

B High radiation in reactor building zone III nonfiltered exhaust system

C High radiation in SGTS exhaust vent

D High pressure in SGTS inlet header

E Charcoal filter high temperature (pre-ignition temperature)

F Charcoal filter high-high temperature (ignition temperature)

G High radiation in emergency outside air intake for the control structure

H High temperature differential across the emergency outside air supply charcoal unit.

I High drywell pressure

Rev. 54, 10/99

TABLE 7.3-18 STANDBY GAS TREATMENT SYSTEM (SGTS) FAILURE MODE AND EFFECTS ANALYSIS

| Failure Mode | Effect On System | Detection | Remarks |
|---|---|---|---|
| Loss of offsite power | Momentary loss of the system. The system will automatically start as required when emergency power is on line. | Alarm in the control room | Instrumentation and controls are powered from separate Class IE diesel generators. |
| Failure of LOCA signal: | No loss of safety function | | |
| a) Contact open or open wiring | If the system is operated in the lead-lead mode, the train affected by the failure will not start but the other train will. | | |
| b) Contact closed or shorted | If the system is operated in the lead-lead mode, the train in the same division as the failed contact will start. | | |
| Failure of any high-high radiation signal from the refueling pool, refueling floor, and railroad access shaft radiation monitors: | No loss of safety function | | |
| a) Contact open or open wiring | Effect on system is the same as failure of LOCA signal. | Radiation monitor inoperative is alarmed in the control room. | Any other failures such as open circuit, which may not be alarmed, can be detected by periodic testing. |
| b) Contact closed or shorted | Effect on system is the same as failure of LOCA signal. | High-high radiation contact closure is alarmed in the control room. | |
| Failure of the common exhaust duct airflow signal: | No loss of safety function | | |
| a) Contact open or open wiring | The system is operated in the lead-lead mode; both trains will continue to operate. | | |
| b) Contact closed or shorted | The system is operated in the lead-lead mode; both trains will continue to operate. | | |
| Failure of high-high charcoal adsorber temperature (ignition temperature) trip signal: | No loss of safety function | | |
| a) Contact closed or shorted | The system is operated in the lead-lead mode; both trains will continue to operate. | High and high-high temperature alarm. High-high radiation alarm. All alarms are in the control room. | The charcoal pre-ignition temperature is alarmed in the control room to forewarn the operator. |
| b) Contact open or open wiring | The system is operated in the lead-lead mode and the affected train will be tripped and the other train will continue to operate. | Periodic testing. Emergency operating procedure. | |
| Failure of high inlet header static pressure initiating signal: | | | |
| a) Contact closed or shorted | The affected train will automatically start. | Status indicating lights in the control room. | |
| b) Contact open or open wiring | One train will start if required. | Periodic testing. Alarm in the control room if high pressure exists. | |
| Failure of the charcoal adsorber high temperature (pre-ignition) initiating signal: | No loss of the safety function | | |
| a) Contact closed or shorted | The affected train will automatically start in its cooling mode (non-safety-related function). | Status indicating lights in the control room. Alarm in the control room if high temperature exists. | |
| b) Contact open or open wiring | No effect if the affected train is operating. | Periodic testing | |
| | If the affected train is not operating, the heat could eventually reach ignition. At ignition temperature the train will not be able to start and the deluge water valve is opened. | Periodic testing. Pre-ignition and ignition temperature alarms in the control room. | |

Rev. 54, 10/99

TABLE 7.3-19 REACTOR BUILDING RECIRCULATION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS

| Failure Mode | Effect on System | Detection | Remarks |
|---|---|---|---|
| Loss of offsite power | No loss of the safety function by the system. Momentary loss of the system. The system will automatically restart when emergency power supply is established. | Alarm in the control room | Instrumentation and controls are powered from separate Class IE diesel generators. |
| Failure of initiating signal from any of reactor building radiation monitors: | No loss of safety function of the system. | | |
| a) Contact closed or shorted | This is equivalent to existence of any of the reactor building high radiation initiating signals. See Table 7.3-14 for the list of the actuated equipment. | Various alarms in the control room associated with the reactor building isolation. | |
| b) Contact open or open wiring | Failure to initiate operation of the lead recirculation fan. Also failure to open or close associated isolation dampers. However, the redundant high radiation signal will initiate the standby recirculation fan and actuate the redundant isolation dampers. | Periodic testing | |
| Failure of one LOCA signal | No loss of safety function of the system. The effect on system is identical to the effect of loss of one of the reactor building high radiation signals. See description above. | | |
| Failure of system air flow switch: | No loss of safety function of the system | | |
| a) Contact closed or shorted | If the signal is for the operating fan, the fan will trip and the standby fan will automatically start. | Fan failure alarm in the control room, or periodic testing if the fan is not in operation when the flow switch fails. | |
| | If failed signal is for the standby fan, the fan will not start when required. | Periodic testing | |
| b) Contact open or open wiring | If failed signal is for the operating fan, the fan will continue to run. When failed signal is for the standby fan, the fan can start and run when required, and once the standby fan, when used, loses its flow the lead fan flow switch will detect it and will start the lead fan. | Periodic testing | |

Rev. 35, 07/84

TABLE 7.3-20 FAILURE MODE AND EFFECTS ANALYSIS PRIMARY CONTAINMENT ISOLATION CONTROL SYSTEM FAN NON-NSS SYSTEMS

| Failure Mode | Effect On System | Detection | Remarks |
|---|---|---|---|
| Nuclear Steam Supply Shutoff System interface/actuation relays: | | | |
| Open | Components in one division isolate | Immediate annunciator | Spurious trip and isolation of part of one division |
| Close | Loss of actuation system for components in one division | Periodic testing | Redundant division available for isolation control |
| Loss of one division AC power (control circuit) | Automatic isolation of portions of one division | Immediate annunciator | Spurious trip and isolation of part of one division |
| Output wiring fails (equipment level): | | | |
| Short | Loss of isolation function for this device | Periodic testing | Redundant division available for isolation |
| Open | Spurious isolation of the process line | Periodic testing/indicating lights | |
| Core Spray System interface/actuation relays | | | |
| Open | 1 channel of 2 in division trips, no components re-position | Indicating lamps in control room. | Isolation logic for division is placed to 1 of 1 once logic. Redundant division available for isolation. |
| Close | 1 channel of 2 in division will not trip, therefore isolation on that function inhibited in that division | Periodic testing | Redundant division available for isolation. |
| Loss of one division DC power (control circuit) | 1 channel of 2 in division trips, no components re-position | Indicating lamps in control room. | Isolation logic for division is placed to 1 of 1 once logic. Redundant division available for isolation. |
| Output wiring fails (equipment level): | | | |
| Open | The fault will not cause the isolation nor inhibit the proper operation of the other division | Periodic testing | Redundant division available for isolation |
| Short | The fault will not cause the isolation nor inhibit the proper operation of the other division | Periodic testing | Redundant division available for isolation. |

Rev. 54, 10/99

TABLE 7.3-21 EMERGENCY OUTSIDE AIR SUPPLY SYSTEM (EOASS) FAILURE MODE AND EFFECTS ANALYSIS

| Failure Mode | Effect On System | Detection | Remarks |
|---|---|---|---|
| Loss of offsite power | Momentary loss of the system. The system will automatically start as required when emergency power is on line. | Alarm in the control room | Instrumentation and controls are powered from separate Class IE diesel generators. |
| Failure of the control structure radiation isolation signal. | No loss of safety function | | |
| a) Contact closed or shorted | The affected train will start automatically. | Status indicating lights in the control room. | All isolation dampers except those required by the EOASS are tripped (closed) on control structure radiation isolation. |
| b) Contact open or open wiring | The affected train will not be able to start automatically when required. | Periodic testing | |
| Failure of the common exhaust duct air flow signal: | | | |
| a) Contact open or open wiring | If failed signal is for the lead operating train, it has no effect. | Periodic testing | |
| | If failed signal is for the standby train, the standby train will not start on failure of the lead train. | Periodic testing | |
| b) Contact closed or shorted | If failed signal is for the lead operating train, the lead train will trip itself out and the standby will start automatically. | Fan failure alarm in the control room. | |
| | If failed signal is for the standby train, the standby train is disabled. | Periodic testing. | |
| Failure of high-high charcoal adsorber temperature (ignition temperature) trip signal: | No loss of safety function | | |
| a) Contact closed or shorted | If failed signal is for the operating filter train, the operating train will not trip and air supply to the control room may be contaminated. The area radiation monitors in the control room will detect contamination and will alarm. The operating train of the EOASS could then be manually stopped and the standby manually started. | High area radiation alarm, high and high-high charcoal temperature alarms | All alarms are in the control room. |
| | If failed signal is for the standby filter train, the standby train will no longer be effective to perform its function. The standby train can be put in OFF position. | High and high-high charcoal temperature alarms in the control room. Periodic testing. | |
| b) Contact open or open wiring | Affected train will not be able to start or operate. | Periodic testing. Status indicating lights, high and/or high-high charcoal temperature alarms in the control room | |
| Failure of the low temperature differential across the electric heater (heater failure) trip signal | No loss to the safety function. Effect on the system is the same as failure of the high-high charcoal adsorber temperature. | High area radiation alarm. Heater failure alarm. Periodic testing | Alarms are in the control room. |

Rev. 54, 10/99

TABLE 7.3-22 COMPUTER ROOM COOLING SYSTEM (CRCS) FAILURE MODE AND EFFECTS ANALYSIS

| Failure Mode | Effect on System | Detection | Remarks |
|---|---|---|---|
| Loss of offsite power | Momentary loss of the system. System will automatically restart when emergency power is ON and the chilled water system starts. | Alarm in the control room | Instrumentation and controls are powered from separate Class IE diesel generators. |
| Failure of initiating signal from the chilled water system: | No loss of safety function | | |
| a) Contact closed or shorted | If failed signal is from operating lead chiller, the associated fan of the CRCS will continue to operate even if the lead chiller has tripped and the standby chiller has started. | Periodic testing | |
| | If failed signal is from the standby chiller which is not in operation, the two redundant units of the CRCS will operate. | Unit status indicating lights in the control room | |
| b) Contact open or open wiring | If the failed signal is from the operating lead chiller, the associated fan of the CRCS will trip. The standby unit will start only when the redundant temperature detection loops at the common return air duct detect high temperature. The operating chiller is then tripped and the standby chiller is started. | High temperature alarm together with status indicating lights of the units. | Alarms, hand switches, and indicating lights are located in the control room. |
| Failure of the common exhaust duct airflow signal: | No loss of safety function of the system. | | |
| a) Contact closed or shorted | If failed signal is for the operating fan, the operating fan and its associated chiller will trip. The standby unit of the CRCS will automatically start as soon as the standby chiller starts. | Fan failure alarm in the control room. | |
| | If failed signal is for the standby fan, the fan cannot operate when required. | Periodic testing. | |
| b) Contact open or open wiring | No effect on the lead fan. If the failed signal is for the standby unit, the standby unit cannot operate when required. However, the redundant temperature detection loops at the common return air duct will detect return air high temperature and will trip the operating chiller and start the standby chiller. When the standby chiller starts, the standby fan of the CRCS automatically starts. | Periodic testing. Return air high temperature alarm in the control room | |

Rev. 35, 07/84

TAs 4 7.J~

CONTROL STRUCTURE H&V SYSTE" (CSHTS)

FAILURE ftOOE ANO 8PPECTS ANALYSIS P'allure "ode !ffect on Syste Detection ae arts Loss of of.fsite power ~o entary loss of tbe srste

  • Alar in the control roo Instru entation and con~rol~

svste will automatically are povered fro separate restart vhen emerqency Class IE diesel generators.

power is ON and the chilled vater syste starts.

Pailure of initiatinq Mo loss of safety function siqnal fro the chilled of th~ syste

  • water s,stea:

a) Contact closed or If failed siqnal is fro Periodic testinq shotted operatinq lead chiller, the associated fan of the CSHVS vi11 continue to operate even if the lead chiller has tripped and tbe standby chiller bas started.

If tailed siqnal is fros Unit status indicating the ~tandby chiller which liqbts in the control is not in operation, the roo tvo redundant units of the CSHVS will operate.

b) contact open or If the failed siqnal is fro Riqh teaperature alar Alac s, hand switches. aad ooen wiirinq the oper~tinq lead chiller. together with status indicating lights are loca~ed the associated fan of tbe indicating 1ights of in the control roo

  • CSHVS vill trip. The standby the units.

unit will stdrt only when the redundant t~ perature detection loops at the co on return air duct detect biqb teaperature. The operatinq chiller is then tripped and the standby chiller is started.

Rev. 35, 07/84

Failure mode: Failure of the common exhaust duct airflow signal:
Effect on system: No loss of safety function of the system.

Failure mode: a) Contact closed or shorted
Effect on system: If failed signal is for the operating fan, the operating fan and its associated chiller will trip. The standby unit of the CSHVS will automatically start as soon as the standby chiller starts.
Detection: Fan failure alarm in the control room.

Effect on system: If failed signal is for the standby fan, the fan cannot operate when required.
Detection: Periodic testing

Failure mode: b) Contact open or open wiring
Effect on system: No effect on the lead fan. If the failed signal is for the standby unit, the standby unit cannot operate when required. However, the redundant temperature detection loops at the common return air duct will detect return air high temperature and will trip the operating chiller and start the standby chiller. When the standby chiller starts, the standby fan of the CSHVS automatically starts.
Detection: Periodic testing. Return air high temperature alarm in the control room

Rev. 35, 07/84

TAB~.L 7. J-2~

CONTROL STRUCTURE CHILLED WATER SYSTEM (CSCWS)

FAILURE MODE AND EFFECTS ANALYSIS

Failure mode: Failure of the chilled water low flow initiating signal:
Effect on system: No loss of safety function

Failure mode: a) Contact closed or shorted
Effect on system: If the failed signal is for the standby loop, the standby loop will start and both loops will run.
Detection: Status indicating lights in the control room

Effect on system: If the failed signal is for the operating loop, the operating loop will continue to run.
Detection: Periodic testing

Failure mode: b) Contact open or open wiring
Effect on system: If the signal failure is for the operating loop, the loop will continue to run.
Detection: Periodic testing

Effect on system: If the failed signal is for standby loop, the standby loop will not start when required.
Detection: Periodic testing

Failure mode: Failure of any of the air handling units return air high temperature signal:
Effect on system: No loss of safety function

Failure mode: a) Contact closed or shorted
Effect on system: If the signal failure occurs on the standby loop, the standby loop will start.
Detection: Status indicating light in the control room

Effect on system: If the signal failure occurs on the operating loop, both loops will operate.
Detection: Handswitch and status indicating lights in the control room

Failure mode: b) Contact open or open wiring
Effect on system: If failure of the operating loop signal accompanied with high temperature occurs, the standby loop will be initiated.
Detection: Periodic testing. High air temperature alarm. Handswitch and status indicating lights.

Effect on system: If failure of the standby loop signal accompanied with high temperature occurs, the operating loop will trip and the standby loop will be initiated through loss of water flow in the operating loop.
Detection: Periodic testing. High air temperature alarm. Handswitch and status indicating lights.

Rev. 35, 07/84

Failure mode: Failure of any of the air handling units failure trip signal:
Effect on system: No loss of safety function

Failure mode: a) Contact open or open wiring
Effect on system: If failed signal is for the operating loop, the operating loop will trip and the standby loop will start.
Detection: Handswitch and status indicating lights in the control room

Effect on system: If failed signal is for the standby loop, the operating loop will continue to run but the standby loop will not be able to start when required.
Detection: Periodic testing

Failure mode: b) Contact closed or shorted
Effect on system: No effect on the running loop unless there is actual failure of the associated air handling unit, in which case the return air high temperature signal will trip the operating loop and standby loop starts.
Detection: Periodic testing. Return air high temperature alarm and status indicating lights in the control room

Effect on system: No effect on the standby loop.
Detection: Periodic testing

Failure mode: Failure of emergency condenser water circulating pump failure trip signal:
Effect on system: No loss of safety function

Failure mode: a) Contact closed or shorted
Effect on system: Failure of the running emergency condenser water circulating loop signal will allow the loop to run unless a flow failure actually occurs.

Effect on system: Failure of the standby emergency condenser water circulating loop trip signal will not affect the starting of the standby loop.
Detection: Periodic testing

Effect on system: If this is the case, the chiller will trip out on high condensing pressure, which will then trip the chilled water pump and start the standby loop.
Detection: Periodic testing, chiller failure alarm, handswitch and status indicating lights

Rev. 35, 07/84

Failure mode: b) Contact open or open wiring
Effect on system: Failure of the running emergency condenser water circulating loop signal will trip the associated chiller and chilled water pump, which in turn will initiate the standby loop.
Detection: Periodic testing. Emergency condenser circulating water loop failure alarm. Handswitch and status indicating lights

Effect on system: Failure of the standby emergency condenser water circulating loop signal will prevent the standby loop from starting.
Detection: Periodic testing

Failure mode: Failure of chiller trip signal:
Effect on system: No loss of safety function

Failure mode: a) Contact open or open wiring
Effect on system: If failed signal is for the operating loop, the operating loop is tripped and the standby loop starts automatically.
Detection: Status indicating lights in the control room and at the local chiller control panel

Effect on system: If failed signal is for the standby loop, the standby loop will not be able to start when required.
Detection: Periodic testing

Failure mode: b) Contact closed or shorted
Effect on system: If failed signal is for the operating loop and there is actual failure of the chiller, the chilled water pump will continue to operate until tripped by the high temperature switch of any of the associated air handling units. The standby loop will start automatically.
Detection: Periodic testing. Air handling units high temperature alarm in the control room

Effect on system: No effect on the standby loop
Detection: Periodic testing

Rev. 35, 07/84

Failure mode: Failure of the condenser water circulating pump trip signal (non-safety-related):
Effect on system: No loss of safety function. This control signal is cancelled out automatically during emergency conditions.

Failure mode: a) Contact open or open wiring
Effect on system: If failed signal is for the operating loop, the loop is tripped and the standby loop starts automatically.
Detection: Status indicating lights in the control room

Effect on system: If failed signal is for the standby loop, the standby loop will not start when required.
Detection: Periodic testing

Failure mode: b) Contact closed or shorted
Effect on system: No effect on the operating loop unless flow failure actually occurs. Low condenser water flow will trip the operating loop and the standby loop will start automatically.
Detection: Periodic testing

Effect on system: No effect on the standby loop unless the standby loop is operating and failure actually occurs.
Detection: Periodic testing

Failure mode: Failure of any of the following emergency signals: LOCA (Unit 1), LOCA (Unit 2), Loss of offsite power
Effect on system: No loss of safety function. These signals are used to trip out the non-safety-related condenser water circulating pump and initiate the emergency condenser water circulating pump.

Failure mode: a) Contact closed or shorted
Effect on system: The failed signal has no effect on the operating loop if the emergency service water system is not operating.
Detection: Periodic testing

Effect on system: If the failed signal is for the standby loop, the standby loop will not operate when required if its associated emergency service water loop is not in operation.
Detection: Periodic testing

Rev. 35, 07/84

Failure mode: b) Contact open or open wiring
Effect on system: The operating loop may trip out and the standby loop will start automatically.
Detection: Emergency operating procedure

Effect on system: If the failed signal is for the standby loop, the standby loop will not operate when required.
Detection: Periodic testing

Rev. 35, 07 /84

SSES-FSAR
TABLE 7.3-25 BATTERY ROOMS EXHAUST SYSTEM

FAILURE MODE AND EFFECTS ANALYSIS

Failure mode: Loss of offsite power
Effect on system: Momentary loss of the system. System will automatically restart when emergency power is ON.
Detection: Alarm in the control room.
Remarks: Instrumentation and controls are powered from separate Class IE diesel generators.

Failure mode: Failure of control structure H&V system low airflow trip signal:
Effect on system: No loss of safety function

Failure mode: a) Contact closed or shorted
Effect on system: No effect on the system
Detection: Periodic testing

Failure mode: b) Contact open or open wiring
Effect on system: The control structure H&V system common discharge airflow detection loops are redundant. If the operating fan of the battery rooms exhaust system is tripped, the standby fan will automatically start
Detection: Periodic testing. Position of hand control switches and fan status indicating lights
Remarks: Hand control switches and status indicating lights are located in the control room.

Failure mode: Failure of the common exhaust duct airflow signal:
Effect on system: No loss of safety function of the system

Failure mode: a) Contact closed or shorted
Effect on system: If failed signal is for operating (lead) fan, the fan trips and alarms. The standby unit automatically starts after a time delay.
Detection: Alarm in the control room

Effect on system: If failed signal is for the standby unit, the standby unit will start after a time delay, operate a few seconds and then trip itself out and alarm.
Detection: Alarm in the control room

Failure mode: b) Contact open or open wiring
Effect on system: If failed signal is for operating fan, the fan will not alarm when it fails.
Detection: Periodic testing

Effect on system: If failed signal is for the standby unit, the standby unit will not start on failure of the operating fan.

Rev. 54, 10/99

lHI.t.f:_l.1.1=1§ CONTROL HOO~ PLOOH COOLIRG SYS?!" (CHPCS)


FAILURE MODE AND EFFECTS ANALYSIS

Failure mode: Loss of offsite power
Effect on system: Momentary loss of the system. System will automatically restart when emergency power is ON and the chilled water system starts.
Detection: Alarm in the control room
Remarks: Instrumentation and controls are powered from separate Class 1E diesel generators

Failure mode: Failure of initiating signal from the chilled water system:
Effect on system: No loss of safety function

Failure mode: a) Contact closed or shorted
Effect on system: If failed signal is from operating lead chiller, the associated fan of the CRFCS will continue to operate even if the lead chiller has tripped and the standby chiller has started.
Detection: Periodic testing

Effect on system: If failed signal is from the standby chiller which is not in operation, the two redundant units of the CRFCS will operate.
Detection: Unit status indicating lights in the control room

Failure mode: b) Contact open or open wiring
Effect on system: If the failed signal is from the operating lead chiller, the associated fan of the CRFCS will trip. The standby unit will start only when the redundant temperature detection loops at the common return air duct detect high temperature. The operating chiller is then tripped and the standby chiller is started.
Detection: High temperature alarm together with status indicating lights of the units.
Remarks: Alarms, hand switches, and status indicating lights are located in the control room

Rev. 35, 07/84

Failure mode: Failure of the common exhaust duct airflow signal:
Effect on system: No loss of safety function

Failure mode: a) Contact closed or shorted
Effect on system: If failed signal is for the operating fan, the operating fan and its associated chiller will trip. The standby unit of the CRFCS will automatically start as soon as the standby chiller starts.
Detection: Fan failure alarm in the control room

Effect on system: If failed signal is for the standby fan, the fan cannot operate when required.
Detection: Periodic testing

Failure mode: b) Contact open or open wiring
Effect on system: No effect on the lead fan. If the failed signal is for the standby unit, the standby unit cannot operate when required. However, the redundant temperature detection loops at the common return air duct will detect return air high temperature and will trip the operating chiller and start the standby chiller. When the standby chiller starts, the standby fan of the CRFCS automatically starts.
Detection: Periodic testing. Return air high temperature alarm in the control room

Rev. 35, 07/84

SSES-FSAR Table Rev. 52
Table 7.3-28 REACTOR PROTECTION SYSTEM RESPONSE TIMES
FUNCTIONAL UNIT / RESPONSE TIME (Seconds)

1. Intermediate Range Monitors
a. Neutron Flux - High NA
b. Inoperative NA
2. Avg. Power Range Monitor*
a. Neutron Flux - High (Setdown) N/A
b. Simulated Thermal Power - High** 0.09***
c. Neutron Flux - High 0.09***
d. Inoperative NA
e. 2-out of-4 Voter 0.05****
f. OPRM Trip 0.40***
3. Reactor Vessel Steam Dome Pressure - High 0.55***
4. Reactor Vessel Water Level - Low, Level 3 1.05***
5. Main Steam Line Isolation Valve - Closure 0.06
6. Main Steam Line Radiation - High NA
7. Drywell Pressure - High NA
8. Scram Discharge Volume Water Level - High
a. Level Transmitter NA
b. Float Switch NA
9. Turbine Stop Valve - Closure 0.06
10. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low 0.08#
11. Reactor Mode Switch Shutdown Position NA
12. Manual Scram NA
(*) Neutron detectors are exempt from response time testing. Response time shall be measured from the detector output or from the input of the first electronic component in the channel.
(**) Not including simulated thermal power time constant.
(#) Measured from actuation of fast-acting solenoid.
(***) Response time testing is not required.
(****) Measured from activation of the 2-out-of-4 Voter output.

FSAR Rev. 63 Page 1 of 1

SSES-FSAR Table Rev. 54
TABLE 7.3-29 ISOLATION SYSTEM INSTRUMENTATION RESPONSE TIME
TRIP FUNCTION / RESPONSE TIME (Seconds)#

1. Primary Containment Isolation
a. Reactor Vessel Water Level
1) Low, Level 3 NA
2) Low Low, Level 2 NA
3) Low Low Low, Level 1 NA
b. Drywell Pressure - High NA
c. Manual initiation NA
d. SGTS Exhaust Radiation - High(b) NA
e. Main Steam Line Radiation - High(b) 10(a)#####
2. Secondary Containment Isolation
a. Reactor Vessel Water Level - Low Low, Level 2 NA
b. Drywell Pressure - High NA
c. Refuel Floor High Exhaust Duct Radiation - High(b) NA
d. Railroad Access Shaft Exhaust Duct Radiation - High(b) NA
e. Refuel Floor Wall Exhaust Duct Radiation - High(b) NA
f. Manual Initiation NA
3. Main Steam Line Isolation
a. Reactor Vessel Water Level - Low Low Low, Level 1 1.0*
b. Main Steam Line Pressure - Low 1.0*###
c. Main Steam Line Flow - High 0.5*
d. Condenser Vacuum - Low NA
e. Reactor Building Main Steam Line Tunnel Temperature - High NA
f. Manual Initiation NA
4. Reactor Water Cleanup System Isolation
a. RWCU Flow - High 10(a)##
b. RWCU Area Temperature - High NA
c. SLCS Initiation NA
d. Reactor Vessel Water Level - Low Low, Level 2 NA
e. RWCU Flow - High NA
f. Manual Initiation NA
5. Reactor Core Isolation Cooling System Isolation
a. RCIC Steam Line Pressure - High NA
b. RCIC Steam Supply Pressure - Low NA
c. RCIC Turbine Exhaust Diaphragm Pressure - High NA
d. RCIC Equipment Room Temperature - High NA
e. RCIC Pipe Routing Area Temperature - High NA
f. RCIC Emergency Area Cooler Temperature - High NA
g. Manual Initiation NA
h. Drywell Pressure - High NA

6. High Pressure Coolant Injection System Isolation
a. HPCI Steam Flow - High NA
b. HPCI Steam Supply Pressure - Low NA
c. HPCI Turbine Exhaust Diaphragm Pressure - High NA
d. HPCI Equipment Room Temperature - High NA
e. HPCI Emergency Area Cooler Temperature - High NA
f. HPCI Pipe Routing Area Temperature - High NA
g. Manual Initiation NA
h. Drywell Pressure - High NA
7. RHR System Shutdown Cooling/Head Spray Mode Isolation
a. Reactor Vessel Water Level - Low, Level 3 NA
b. Reactor Vessel (RHR Cut-In Permissive) Pressure - High NA
c. RHR Flow - High NA
d. Manual Initiation NA
e. Drywell Pressure - High NA

(a) The isolation system instrumentation response time shall be measured and recorded as a part of the ISOLATION SYSTEM RESPONSE TIME. Isolation system instrumentation response time specified includes the delay for diesel generator starting assumed in the accident analysis.

(b) Radiation detectors are exempt from response time testing. Response time shall be measured from detector output or the input of the first electronic component in the channel.

(*) Isolation system instrumentation response time for MSIVs only. No diesel generator delays assumed for MSIV Valves.
(**) Isolation system instrumentation response time for associated valves except MSIVs.

Response time testing not required.

(#) Isolation system instrumentation response time specified for the Trip Function actuating each valve group shall be added to isolation time shown in Table 3.6.3-1 and 3.6.5.2-1 for valves in each valve group to obtain ISOLATION SYSTEM RESPONSE TIME for each valve.
(##) With time delay of 45 seconds. Response time testing of isolating relay is not required.
(###) Response time testing of sensors is not required.
(####) With time delay of 3 seconds.
(#####) Response time testing of relays for function 1e (10 second requirement) is not required. The sensor response time testing requirement for functions 1e (10 second requirement) is met by testing the sensor to the 1 second requirement.

FSAR Rev. 71 Page 2 of 2

SSES-FSAR
TABLE 7.3-30 EMERGENCY CORE COOLING SYSTEM RESPONSE TIMES
TRIP FUNCTION / RESPONSE TIME (Seconds)

1. Core Spray System
a. Reactor Vessel Water Level - Low Low Low, Level 1 ≤ 34*
b. Drywell Pressure - High ≤ 34*
c. Reactor Vessel Steam Dome Pressure - Low ≤ 34*
d. Manual Initiation NA
2. Low Pressure Coolant Injection Mode of RHR System
a. Reactor Vessel Water Level - Low Low Low, Level 1 ≤ 40*
b. Drywell Pressure - High ≤ 40*
c. Reactor Vessel Steam Dome Pressure - Low
1) System Initiation ≤ 40*
2) Recirculation Discharge Valve Closure ≤ 40*
d. Manual Initiation NA
3. High Pressure Coolant Injection System
a. Reactor Vessel Water Level - Low Low, Level 2 ≤ 30*
b. Drywell Pressure - High ≤ 30*
c. Condensate Storage Tank Level - Low NA
d. Reactor Vessel Water Level - High, Level 8 NA
e. Suppression Pool Water Level - High NA
f. Manual Initiation NA
4. Automatic Depressurization System
a. Reactor Vessel Water Level - Low Low Low, Level 1 NA
b. Drywell Pressure - High NA
c. ADS Timer NA
d. Core Spray Pump Discharge Pressure - High NA
e. RHR LPCI Mode Pump Discharge Pressure - High NA
f. Reactor Vessel Water Level - Low, Level 3 NA
g. ADS Drywell Pressure Bypass Timer NA
h. Manual Inhibit NA
i. Manual Initiation NA
5. Loss of Power
a. 4.16 kV ESS Bus Undervoltage (Loss of Voltage < 20%) NA
b. 4.16 kV ESS Bus Undervoltage (Degraded Voltage < 65%) NA
c. 4.16 kV ESS Bus Undervoltage (Degraded Voltage < 93%) NA
d. 480V ESS Bus 0B565 (Degraded Voltage < 65%) NA
e. 480V ESS Bus 0B565 (Degraded Voltage < 92%) NA

(*) Response time testing of sensors and relays is not required.

Rev. 49, 04/96

FIGURE 7.3-2, Rev 49 (FSAR REV. 65): ISOLATION CONTROL SYSTEM FOR MAIN STEAM LINE ISOLATION VALVES. SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2, FINAL SAFETY ANALYSIS REPORT. Diagram labels: Isolation Trip System A and Isolation Trip System B; Channels A, B, C and D (A-C power, reactor protection system M-G set A or B); inputs from other trip channels; isolation logics A, B, C and D; isolation actuators (from A-C power RPS M-G set A and B, from DC power bus A and B); trip actuator logics; inboard valves; outboard valves.

FIGURE 7.3-3, Rev 49 (FSAR REV. 65): ISOLATION CONTROL SYSTEM USING MOTOR-OPERATED VALVES. SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2, FINAL SAFETY ANALYSIS REPORT. Diagram labels: Isolation Trip System A and Isolation Trip System B; channels (A-C power, reactor protection system M-G set A or B); inputs from other trip channels; isolation logics A1, A2, B1 and B2; isolation actuators; isolation actuator logics; inboard valves and outboard valves; valve control power; motor controllers (Div I and Div II); valve closing power.

FIGURE 7.3-4, Rev 49 (FSAR REV. 65): MAIN STEAM LINE ISOLATION VALVE (SCHEMATIC), SHOWN WITH SOLENOIDS DE-ENERGIZED. SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2, FINAL SAFETY ANALYSIS REPORT. Legend and labels: MSIV cylinder; multi-way valves (items 1, 2a, 2b, 4, 5, 6); 3 - storage tank; 7 - speed control valve; 8 - hydraulic cylinder; 9 - swing check valve; exhaust restrictor; pressure relief valve; air supply; check valve; accumulator.

FIGURE 7.3-5-1, FIG. REV. 49 (FSAR REV. 71): INITIATION LOGIC - CS, RHR. SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2, FINAL SAFETY ANALYSIS REPORT. Diagram labels: Level 1; START CS; START RHR (LPCI MODE). Legend: time delay; low reactor water level; high drywell pressure; RPP - reactor pressure permissive. NOTE: For detailed logic see Figure 7.3-9 & 7.3-10.

FIGURE 7.3-5-2, FIG. REV. 49 (FSAR REV. 71): ADS INITIATION LOGIC. SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2, FINAL SAFETY ANALYSIS REPORT. Division 1 shown, Division 2 similar except RHR pumps B or D & CS pumps B & D. Legend: time delay; low reactor water level; high drywell pressure; reactor pressure permissive; pump pressure permissive; manual inhibit.

FIGURE 7.3-6, Rev 49 (FSAR REV. 65): INITIATION LOGIC - HPCI, RCIC. SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2, FINAL SAFETY ANALYSIS REPORT. Diagram labels: START HPCI; START RCIC; RCIC BATTERY. Legend: reactor vessel water level; high drywell pressure.

FIGURE 7.3-7-1, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-E41-65, SH. 1
FIGURE 7.3-7-2, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-E41-65, SH. 2
FIGURE 7.3-7-3, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-E41-65, SH. 3
FIGURE 7.3-7-4, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-E41-65, SH. 4
FIGURE 7.3-7-5, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-E41-65, SH. 5
FIGURE 7.3-8-1, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-B21-92, SH. 1
FIGURE 7.3-8-2, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-B21-92, SH. 2
FIGURE 7.3-8-3, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-B21-92, SH. 3
FIGURE 7.3-8-4, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-B21-92, SH. 4
FIGURE 7.3-8-5, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-B21-92, SH. 5
FIGURE 7.3-8-6, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-B21-92, SH. 6
FIGURE 7.3-9-1, Rev. 50 (FSAR REV. 65): REPLACED BY DWG. M1-E21-3, SH. 1
FIGURE 7.3-9-2, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-E21-3, SH. 2
FIGURE 7.3-9-3, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-E21-3, SH. 3
FIGURE 7.3-10-1, Rev. 56 (FSAR REV. 65): REPLACED BY DWG. M1-E11-51, SH. 1
FIGURE 7.3-10-2, Rev. 56 (FSAR REV. 65): REPLACED BY DWG. M1-E11-51, SH. 2
FIGURE 7.3-10-3, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-E11-51, SH. 3
FIGURE 7.3-10-4, Rev. 55 (FSAR REV. 65): REPLACED BY DWG. M1-E11-51, SH. 4
FIGURE 7.3-10-5, Rev. 56 (FSAR REV. 65): REPLACED BY DWG. M1-E11-51, SH. 5
FIGURE 7.3-11-1, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-D12-1, SH. 1
FIGURE 7.3-11-2, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-D12-1, SH. 2
FIGURE 7.3-11-3, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-D12-1, SH. 3
FIGURE 7.3-11-4, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-D12-1, SH. 4
FIGURE 7.3-11-5, Rev. 49 (FSAR REV. 65): REPLACED BY DWG. M1-D12-1, SH. 5