ML23291A422

1 to Updated Final Safety Analysis Report, Chapter 7, Section 7.7, Controls Systems Not Required for Safety
Site: Susquehanna
Issue date: 10/12/2023
From: Susquehanna
To: Office of Nuclear Reactor Regulation
Shared Package: ML23291A105
References: PLA-8081

SSES-FSAR Text Rev. 77

7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY

7.7.1 DESCRIPTION

This subsection discusses instrumentation controls of systems whose functions are not essential for the safety of the plant and permits an understanding of the way the reactor and important subsystems are controlled. The systems include:

(1) Reactor vessel - instrumentation NSSS

(2) Reactor manual control system - instrumentation and controls, NSSS

(3) Recirculation flow control system - instrumentation and controls NSSS

(4) Reactor feedwater system - instrumentation and controls NSSS

(5) Pressure regulator and turbine-generator system - instrumentation and controls non-NSSS

(6) Neutron monitoring system - TIP

(7a) Process computer system - instrumentation NSSS

(7b) Reactor Data Analysis System - instrumentation NSSS

(8) Reactor water cleanup system - instrumentation and controls NSSS

(9) Transient Monitoring System

(10) Refueling interlocks system

(11) Neutron Monitoring System - rod block monitor system

(12) Nuclear Pressure Relief System - instrumentation and controls

(13) Neutron Monitoring System - source range monitor subsystem

(14) Loose parts monitoring system

7.7.1.1 Reactor Vessel - Instrumentation

Dwg. M-141, Sh. 1, Dwg. M-141, Sh. 2 and Dwg. M-142, Sh. 1 show the instrument numbers, arrangements of the sensors, and sensing equipment used to monitor the reactor vessel conditions. Because the reactor vessel sensors used for safety systems, engineered safeguards, and control systems are described and evaluated in other portions of this document, only the sensors that are not required for those systems are described in this subsection.

7.7.1.1.1 System Identification

7.7.1.1.1.1 General

The purpose of the reactor vessel instrumentation is to monitor the key reactor vessel operating variables during plant operation.

These instruments and systems are used to provide the operator with information during normal plant operation, startup and shutdown. They are monitoring devices and provide no active power control or safety functions.

7.7.1.1.1.2 Classification

The systems and instruments discussed in this subsection are designed to operate under normal and peak operating conditions of system pressures and ambient pressures and temperatures and are classified as not related to safety.

FSAR Rev. 71 7.7-1

START HISTORICAL

7.7.1.1.1.3 Reference Design

Table 7.1-2 lists the reference design information. The reactor vessel instrumentation is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities. This system is functionally identical to the referenced system.

END HISTORICAL

7.7.1.1.2 Power Sources

The systems and instruments discussed in this subsection are powered from the instrument bus.

7.7.1.1.3 Equipment Design

The instrument sensing lines that the various pressure and level sensors are connected to slope downward from the vessel to the instrument rack (including allowance for piping sag), so that air traps are not formed. The instrument lines are self-venting back to either the reactor vessel or the condensation chamber.

7.7.1.1.3.1 Circuit Description

7.7.1.1.3.1.1 Reactor Vessel Temperature

The temperature of the coolant in the reactor pressure vessel during normal operation can be determined from either the reactor pressure or the temperature of the water in the inlet side of the recirculation loop. When the recirculation loop flow is low, vessel coolant temperature at saturation conditions can be determined from coolant pressure.

7.7.1.1.3.1.2 Reactor Vessel Water Level

Figure 7.7-1 shows the water level range and the vessel penetration for each water level range.

The instruments that sense the water level are strictly differential pressure devices calibrated to be accurate at a specific vessel pressure and liquid temperature condition. The following is a description of each water level range shown on Figure 7.7-1.

(1) Shutdown water level range: This range is used to monitor the reactor water level and the water level in the reactor cavity during refueling activities. The water level measurement design for periods when the vessel head is on uses the condensate reference chamber leg type that is not compensated for changes in density. The vessel temperature and pressure condition that is used for this calibration when the vessel head is on uses 0 psig and 120°F water in the vessel. When the vessel head is off and the condensate pot leg is disconnected, the instrument reference leg is vented to the atmosphere at the loop transmitter. This allows for the measuring of the reactor vessel and the reactor cavity water level, referenced to instrument zero, to the top lip of the cavity. The two reactor vessel instrument penetration elevations used for the water level measurement when the vessel head is on are located at the top of the RPV head and the instrument tap just below the bottom of the dryer skirt. The zero of the instrument is at the bottom of the steam dryer skirt.

(2) Upset water level range: This range is used to monitor the reactor water when the level of the water goes off the narrow range scale on the high side. The design and vessel taps are the same as outlined above. The vessel pressure and temperature condition for accurate indication is at the normal operating point. The upset water level is continuously indicated by a recorder in the control room. The upset range and narrow range recorders are located in close proximity to each other. The upset range upper limit is higher than the narrow range upper limit. Therefore, when the indication goes off scale in the upscale direction on the narrow range recorder, water level indication may be read immediately from the upset range recorder. Further information as to the range and main control room indication is discussed in Subsection 7.7.1.4. The zero of the instrument is the bottom of the dryer skirt.

(3) Narrow water level range: This range uses RPV taps at the elevation near the top of the dryer skirt and taps at an elevation near the bottom of the dryer skirt. The zero of the instrument is the bottom of the dryer skirt and the instruments are calibrated to be accurate at the normal operating point. The water level measurement design is the condensate reference chamber type, is not density compensated, and uses differential pressure devices as its primary elements. The feedwater control system uses this range for its water level control and indication inputs. For more information as to the range, trip points, number of channels, and control room indication, see the discussion on the feedwater control system, Subsection 7.7.1.4.

(4) Wide water level range: This range uses RPV taps at the elevation near the top of the dryer skirt and the taps at an elevation near the top of the active fuel. The zero of the instrument is the bottom of the dryer skirt and the instruments are calibrated to be accurate at the normal power operating point. The water level measurement design is the condensate reference type, is not density compensated, and uses differential pressure devices as its primary elements. Wide range water level is displayed on two redundant recorders located in the main control room.

(5) Fuel zone water level range: This range uses RPV taps at the elevation near the top of the dryer skirt and the taps at the jet pump diffuser skirt. The zero of the instrument is the bottom of the dryer skirt and the instruments are calibrated to be accurate at 0 psig and saturated condition. The water level design is the condensate reference type, is not density compensated, and uses differential pressure devices as its primary element. These instruments provide input for water level indication.

The condensate reference chamber for the Narrow range, Wide Range, and Fuel Zone water level range is common as discussed in Section 7.3.

In order to decouple the change in measured water level with changes in drywell temperature, the volume from RPV penetration to the drywell penetration will remain uniform for the narrow range and wide range water level instrument lines.

Reactor water level instrumentation that initiates safety systems and engineered safeguards systems is discussed in Sections 7.2 and 7.3. Reactor water level instrumentation that is used as part of the feedwater control system is discussed in Subsection 7.7.1.4.

The Reactor Pressure Vessel level instrumentation system condensing chamber vent lines are discussed in Section 7.5.1a.4.2.1.

7.7.1.1.3.1.3 Reactor Core Hydraulics

A differential pressure transmitter indicates core plate pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly.

The instrument sensing line used to determine the pressure below the core support assembly attaches to the same reactor vessel tap that is used for the injection of the liquid from the standby liquid control system. An instrument sensing line is provided for measuring pressure above the core support assembly. The differential pressure of the core plate is recorded in the main control room.

Another differential pressure device indicates the jet pump developed head by measuring the pressure difference between the pressure above the core and the pressure below the core plate.

This indication is indicated in the main control room.

7.7.1.1.3.1.4 Reactor Vessel Pressure

Pressure switches/transducers, indicators, and transmitters detect reactor vessel internal pressure from the same instrument lines used for measuring reactor vessel water level.

The following list shows the subsection in which the reactor vessel pressure measuring instruments are discussed:

(1) Pressure switches/transducers for initiating scram, and pressure switches/transducers for bypassing the main steamline isolation valve closure are discussed in Subsection 7.2.1.1.

(2) Pressure switches/transducers used for HPCI, CS, LPCI, and ADS are discussed in Subsection 7.3.1.1a.1.

(3) Pressure transmitters/transducers and recorders used for feedwater control are discussed in Subsection 7.7.1.4.

(4) Pressure transmitters/transducers that are used for pressure recording are discussed in Subsection 7.5.1a.4.2.2.

7.7.1.1.3.1.5 Reactor Vessel Head Seal Leak Detection

Pressure between the inner and outer reactor vessel head seal ring will be detected by a pressure indicator. If the inner seal fails, the pressure at the pressure indicator is the vessel pressure and can be read on the panel outside of primary containment. The plant will continue to operate with the outer seal as a backup, and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak will be detected by an increase in drywell temperature and pressure.

7.7.1.1.3.1.6 Safety/Relief Valve Seal Leak Detection

Thermocouples are located near the discharge of the safety/relief valve seat. The temperature signal goes to a multipoint recorder with an alarm. The alarm will be activated by any temperature in excess of a set temperature signaling that one of the safety/relief valve seats has started to leak.

Each of the sixteen safety relief valves is provided with a safety grade acoustical monitoring system to detect flow through the valve, reference Subsection 18.1.24.3.

7.7.1.1.3.1.7 Other Instruments

(1) The steam temperature is measured and is transmitted to a backrow panel in the main control room.

(2) The feedwater temperature is measured and transmitted to a backrow panel in the main control room.

(3) The feedwater corrosion products are monitored and the information is available at the Water Chemistry Data Acquisition System.

7.7.1.1.3.2 Testability

Pressure, differential pressure, water level, and flow instruments are located outside the drywell and are piped so that calibration and test signals can be applied during reactor operation, if desired.

7.7.1.1.4 Environmental Considerations

There are no special environmental considerations for the instruments described in this subsection.

7.7.1.1.5 Operational Considerations

7.7.1.1.5.1 General Information

The reactor vessel instrumentation discussed in this subsection is designed to augment the existing information from the engineered safeguards and safety system such that the operator can start up, operate at power, shut down, and service the reactor vessel in an efficient manner. None of this instrumentation is required to initiate any engineered safeguard or safety system.

7.7.1.1.5.2 Reactor Operator Information

The information that the operator has at his disposal from the instrumentation discussed in this subsection is discussed below:

(1) The shutdown flooding water level is indicated in the main control room.

(2) The core plate differential pressure is recorded on one pen of a two pen recorder. The second pen is used for total core flow.

(3) The jet pump developed head is indicated at a local instrument panel.

(4) Reactor vessel pressure is displayed on two redundant recorders located in the main control room.

(5) The reactor head inter-seal space pressure detector detects reactor pressure when the inner reactor head seal fails.

(6) The discharge temperatures of all the safety/relief valves are shown on a multipoint recorder on a backrow panel in the control room. Any temperature point that has exceeded the trip setting will turn on an annunciator indicating that a safety/relief valve seat has started to leak. (Also see Subsection 18.1.24.3 for a discussion of the acoustical monitoring system.)

(7) The feedwater corrosion products are monitored and the information is available at the Water Chemistry Data Acquisition System.

7.7.1.1.5.3 Setpoints

The annunciator alarm setpoint for the safety/relief valve seat leak detection is set so the sensitivity to the variable being measured will provide adequate information.

Figure 7.7-1 includes a chart showing the relative indicated water levels at which various automatic alarms and safety actions are initiated. Specific level values are shown in Tables 7.3-1, 7.3-2, 7.3-3, 7.3-4 and 7.3-5. Each of the listed actions is described and evaluated in the subsection of this report where the system involved is described. The following list tells where various level measuring components and their setpoints are discussed.

(1) Level switches/transducers for initiating scram are discussed in Subsection 7.2.1.

(2) Level switches/transducers for initiating containment or vessel isolation are discussed in Subsection 7.3.1.1a.2.

(3) Level switches used for initiating HPCI, LPCI, CS and ADS and the level switches used to shut down the HPCI pump are discussed in Subsection 7.3.1.1a.

(4) Level switches to initiate RCIC and the level switches to shut down the RCIC pump drive turbine are discussed in Subsection 7.4.1.1.

(5) Level trips to initiate various alarms and trip the main turbine and the feed pumps are discussed in Subsection 7.7.1.4.

7.7.1.2 Reactor Manual Control System - Instrumentation and Controls

7.7.1.2.1 System Identification

7.7.1.2.1.1 General

The objective of the reactor manual control system is to provide the operator with the means to make changes in nuclear reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods.

The reactor manual control system instrumentation and controls consist of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions.

The reactor manual control system does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in Section 7.2. In addition, the mechanical devices of the control rod drives and the control rod drive hydraulic system are not included in the reactor manual control system. The latter mechanical components are described in Subsection 4.1.3.

7.7.1.2.1.2 Classification

This system is a power generation system, and is classified as not related to safety.

START HISTORICAL

7.7.1.2.1.3 Reference Design

Table 7.1-2 lists reference design information. The reactor manual control system is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities. This system is functionally identical to the referenced system.

END HISTORICAL

7.7.1.2.2 Power Sources

Normal

The reactor manual control system receives its power from the 120 VAC instrumentation buses. Each of these buses receives its normal power supply from the appropriate 460 VAC standby power system. (See Subsection 8.3.1.)

Alternate

On loss of normal auxiliary power, the station diesel generators provide backup power to the 480 volt standby AC power systems.

7.7.1.2.3 Equipment Design

7.7.1.2.3.1 General

The following discussions will examine the control rod movement - instrumentation and control aspects of the subject system and the control rod position information system aspects. The "control" descriptions include:

(1) Control Rod Drive - Control System

(2) Control Rod Drive - Hydraulic System

(3) Rod Block Interlocks

The "position" descriptions include:

(1) Rod Position Probes

(2) Display Electronics

Dwgs. M-146, Sh. 1 and M-147, Sh. 1 show the layout of the control rod drive hydraulic system.

Figure 7.7-2 shows the functional arrangement of devices for the control of components in the control rod drive hydraulic system. The block diagram for the overall reactor manual control system is shown in Dwgs. M1-C12-90, Sh. 4 and M1-C12-110, Sh. 8. Although Figures 7.7-2-1 to 7.7-2-7 also show the functional arrangement of scram devices, these devices are not part of the reactor manual control system. Control rods are moved by admitting water, under pressure from a control rod drive water pump, into the appropriate end of the control rod drive cylinder. The pressurized water forces the piston, which is attached by a connecting rod, to move. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish the actions required for the operational modes.

The valves control the path that the control rod drive water takes to the cylinder.

7.7.1.2.3.2 Rod Movement Controls

7.7.1.2.3.2.1 Control Rod Drive Control System

7.7.1.2.3.2.1.1 Introduction

When the operator selects a control rod for motion and operates the rod insertion control switch, messages are formulated in the A and B portions of the rod drive control system (see Figure 7.7-4).

A comparison test is made of these two messages, and identical results confirmed; then a serial message in the form of electrical pulses is transmitted to all hydraulic control units (HCU). The message contains two portions, (1) the identity or "address" of the selected HCU, and (2) operation data on the action to be executed. Only the addressed HCU responds to this transmission; it proceeds to execute the rod motion commands.

On receipt of the transmitted signal as shown in Figure 7.7-4, the responding HCU transmits a message back to the control structure for comparison with the original message. This returning message contains:

(1) its own hard-wire identity "address,"

(2) its own operations currently being executed, and

(3) status indications of valve positions, accumulator conditions, and test switch positions.

In a similar manner, rod withdrawal is accomplished by formulating a message containing a different operation code. The responding HCU decodes the message and proceeds to execute the withdrawal command by operation of HCU valves shown in Dwgs. M-146, Sh. 1 and M-147, Sh. 1.

In either rod motion direction, the A and B messages are formulated and compared bit by bit (basic word length = 100 microseconds). If they agree, a message is transmitted to the HCU selected by the operator. Continued rod motion depends on receipt of a train of sequential messages because the HCU insert, withdraw, and settle valve control circuits are AC coupled. The system must operate in a dynamic manner to effect rod motion. Postulated failures within the reactor manual control system generally will result in a static condition within the system, which will prevent further rod motion.

As discussed above, any disagreement between the A and B formulated messages will prevent further rod motion. Electrical noise disruptions will have only a momentary effect on the system unless the duration of the noise source is sufficiently long to disrupt the comparison of the stored "B" message and the "C" acknowledgement a predetermined number of times. In guaranteeing that rod motion is indeed terminated, operator action is necessary to reset the system to restore normal operation.

In Figure 7.7-5, three action loops of the solid-state reactor manual control system are depicted:

Loop A The high-speed loop (duration = 200 sec.) alternately:

a) Commands the selected control rod, and

b) Either scans a rod for status information or directs a portion of a single HCU self-test.

Loop B The medium speed loop = (143 msec. duration) alternately:

a) Monitors the status of all rods, and

b) Completes two seven-step self-checks on one HCU unit.

Loop C The low speed loop (=40 sec. to 240 sec. duration) self-tests all HCU's one at a time to ensure correct execution of actions commanded. These tests are of such short duration that the valves do not move.
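The A/B comparison, addressed transmission and acknowledgement check described above can be modelled as follows. This is an added example, not code from the FSAR or the plant; the word layout, the operation codes, the mismatch limit of 3 (the page says only "a predetermined number of times"), counting mismatches consecutively, and latching on an A/B disagreement are all assumptions.

```python
"""Toy model of the A/B compare and acknowledgement check (added example)."""

OPS = {"insert": 0b001, "withdraw": 0b010, "settle": 0b100}  # hypothetical op codes
MISMATCH_LIMIT = 3  # hypothetical; the page gives no number


def formulate(address, op):
    """Build one channel's message word: HCU address, then operation data.

    The 8-bit address / 3-bit operation layout is an assumption of this sketch.
    """
    return ((address & 0xFF) << 3) | OPS[op]


class HCU:
    """Hydraulic control unit with a hard-wired address."""

    def __init__(self, address):
        self.address = address
        self.executing = None  # operation bits currently being executed

    def receive(self, word):
        """Every HCU sees every word; only the addressed one acts and answers."""
        if word >> 3 != self.address:
            return None
        self.executing = word & 0b111
        # Acknowledgement "C": own address plus the operation being executed.
        # Valve, accumulator and test-switch status bits are left out here.
        return (self.address << 3) | self.executing


class RodDriveControl:
    """Formulates A and B, transmits on agreement, checks "C" against stored B."""

    def __init__(self, hcus, channel_b=formulate):
        self.hcus = hcus
        self.channel_b = channel_b      # replaceable to model a channel fault
        self.noise = lambda word: word  # replaceable to model line noise
        self.mismatches = 0
        self.latched = False

    def command(self, address, op):
        """Send one message word; return 'MOTION', 'NO_MOTION' or 'BLOCKED'."""
        if self.latched:
            return "BLOCKED"
        a = formulate(address, op)
        b = self.channel_b(address, op)
        if a != b:                      # comparison of the A and B messages
            self.latched = True         # modelled as a latch (assumption)
            return "BLOCKED"            # nothing is transmitted
        ack = None
        for hcu in self.hcus:
            reply = hcu.receive(a)
            if reply is not None:
                ack = self.noise(reply)
        if ack == b:                    # "C" agrees with the stored "B"
            self.mismatches = 0
            return "MOTION"
        self.mismatches += 1            # momentary effect only, until the limit
        if self.mismatches >= MISMATCH_LIMIT:
            self.latched = True
            return "BLOCKED"
        return "NO_MOTION"

    def operator_reset(self):
        """Operator action that restores normal operation after a latch."""
        self.mismatches = 0
        self.latched = False


if __name__ == "__main__":
    ctl = RodDriveControl([HCU(0x12), HCU(0x34)])  # constructed addresses
    print(ctl.command(0x12, "insert"))
    ctl.noise = lambda word: word ^ 0b1            # sustained noise on the reply
    print([ctl.command(0x12, "insert") for _ in range(MISMATCH_LIMIT)])
    ctl.noise = lambda word: word
    print(ctl.command(0x12, "insert"))             # still blocked until reset
    ctl.operator_reset()
    print(ctl.command(0x12, "insert"))
```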

The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a non-rod-selection condition.

Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.

Two of the valves on the HCU, labeled "withdraw," permit rod withdrawal. The withdrawal valve that connects the insert drive water supply line to the exhaust water header is the one that is associated with the settle operation. The remaining withdraw valve is associated only with the withdraw operation. The settle mode of control rod operation is provided to decelerate the control rod at the end of either an insert cycle or a withdraw cycle. The settle action smoothes out the control rod movement and prolongs the life of control rod drive hydraulic system components.

During the settle mode, the withdraw valve associated with the settle operation is opened or remains open while the other three solenoid-operated valves are closed.

During an insert cycle, the settle action vents the pressure from the insert drive water supply line to the exhaust header and thus gradually reduces the differential pressure across the drive piston of the selected rod. During a withdraw cycle, the settle action holds open the discharge path for withdraw water while the withdraw drive water supply is shut off. This also allows a gradual reduction in the differential pressure across the control rod drive piston. After the control rod has slowed down, the collet fingers engage the index tube and lock the rod in position.

The direction in which the selected rod moves is determined by the position of four switches located on the reactor control panel. These four switches, "insert," "withdraw," "continuous insert" and "continuous withdraw," are pushbuttons which return by spring action to an off position.

7.7.1.2.3.2.1.2 Insert Cycle

Following is a description of the detailed operation of the reactor manual control system during an insert cycle. The cycle is described in terms of the insert, withdraw, and settle commands emanating from the reactor manual control system. The response of a selected rod when the various commands are transmitted has been explained previously. Figure 7.7-2 can be used to follow the sequence of an insert cycle.

With a control rod selected for movement, depressing the "insert" switch and then releasing the switch energizes the insert command for a limited time. Just as the insert command is removed, the settle command is automatically energized and remains energized for a limited time. The insert command time setting and the rate of drive water flow provided by the control rod drive hydraulic system determine the distance traveled by a rod. The time setting results in a one-notch (6-inch) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement switch. Continuous insertion of a selected control rod is possible by holding the "insert" switch.

A second switch can be used to effect insertion of a selected control rod. This switch is the "continuous insert" switch. By holding this switch "in," the unit maintains the insert command in a continuous, energized state to cause continuous insertion of the selected control rod. When released, the timers are no longer bypassed and normal insert and settle cycles are initiated to stop the drive.

7.7.1.2.3.2.1.3 Withdraw Cycle

Following is a description of the detailed operation of the reactor manual control system during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle commands. The response of a selected rod when the various commands are transmitted has been explained previously. Figure 7.7-2 can be used to follow the sequence of a withdraw cycle.

With a control rod selected for movement, depressing the "withdrawal" switch energizes the insert valves for a short time. Energizing the insert valves at the beginning of the withdrawal cycle is necessary to allow the collet fingers to disengage the index tube. When the insert valves are deenergized, the withdraw and settle valves are energized for a controlled period of time. The withdraw valve is deenergized before the settle valve; this tends to decelerate the selected rod.

When the settle valve is deenergized, the withdraw cycle is complete. This withdraw cycle is the same whether the withdraw switch is held continuously or is momentarily depressed. The timers that control the withdraw cycle are set so that the rod travels one notch (6-inch) per cycle.

Provisions are included to prevent further control rod motion in the event of timer failure.

A selected control rod can be continuously withdrawn if the "withdraw" switch is held in the depressed position at the same time that the "continuous withdraw" switch is held in the depressed position. With both switches held in these positions, the withdraw and settle commands are continuously energized.

7.7.1.2.3.2.2 Control Rod Drive-Hydraulic System Control

One motor-operated pressure control valve, two air-operated flow control valves, and two sets of solenoid-operated stabilizer valves are included in the control rod drive hydraulic system to maintain smooth and regulated system operation. These devices are shown in Dwgs. M-146, Sh. 1 and M-147, Sh. 1. The motor-operated pressure control valve is positioned by manipulating a switch in the main control room. The switch for this valve is located close to the pressure indicators that respond to the pressure changes caused by the movements of the valves. The air-operated flow control valves are automatically positioned in response to signals from an upstream flow measuring device. The stabilizer valves are automatically controlled by the energization of the insert and withdraw commands. The control scheme is shown in Figure 7.7-2. There are two drive water pumps which are controlled by switches in the main control room. Each pump automatically stops on indication of low suction pressure.

7.7.1.2.3.2.3 Rod Block Interlocks

The rod block functions are discussed in Subsection 7.7.1.2.6.

7.7.1.2.3.2.4 Testability

In addition to the periodic self-test mode of system operation, the reactor manual control circuitry can be routinely checked for correct operation by manipulating control rods using the various methods of control. Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

7.7.1.2.3.3 Rod Position Information

This subsystem includes the rod position probes and the electronic hardware that processes the probe signals and provides the data described above.

7.7.1.2.3.3.1 Position Probes

The position probe is a long, cylindrical assembly that fits inside the control rod drive index tube. It includes 53 magnetically operated reed switches, located along the length of the probe and operated by a permanent magnet fixed to the moving part of the hydraulic drive mechanism. As the drive, and with it the control rod blade, moves along its length, the magnet causes reed switches to close as it passes over the switch locations. The particular switch closed then indicates where the control rod drive, and hence the rod itself, is positioned.

The switches are located as follows: one at each of 25 notch (even) positions; one at each of 24 mid-notch (odd) positions; 2 at the fully inserted position (approximately the same location as the "00" notch); one at the fully withdrawn position (approximately the same location as the "48" notch position); and one at the "overtravel" or decoupled position.

All of the mid-notch or "odd" switches are wired in parallel and treated as one switch (for purposes of external connections), and the two fully-in switches are wired in parallel and treated as one switch. These and the remaining switches are wired in a 5 x 6 array (the switches short the intersections) and routed out in 11-wire cable to the processing electronics (the probe also includes a thermocouple which is wired out separately from the 5 x 6 array). See Figure 7.7-6.

7.7.1.2.3.3.2 Position Indication Electronics

The electronics consists of a set of "probe multiplexer cards" (one per 4-rod group where the 4-rod group is the same as the display grouping described above), a set of "file control cards" (one per 11 multiplexer cards), and one set of master control and processing cards serving the whole system. All probe multiplexer cards are the same except that each has a pair of plug-in "daughter cards" containing the identity code of one 4-rod group (the probes for the corresponding 4 rods are connected to the probe multiplexer card).

7.7.1.2.3.3.3 System Operation

The system operates on a continuous scanning basis with a complete cycle every 40 msec. The operation is as follows: The control logic generates the identity code of one rod in the set, and transmits it using time multiplexing to all of the file control cards. These in turn transmit the identity with timing signals to all of the probe multiplexer cards. The one multiplexer card with the matching rod identity will respond and transmit its identity (locally generated) plus the "raw" probe data for that rod back through the file control card to the master control and processing logic. The processing logic does several checks on the returning data. First, a check is made to verify that an answer was received. Next, the identity of the answering data is checked against that which was sent. Finally, the format of the data is checked for "legitimacy." Only a single even position, or full-in plus position "00," or full-out plus position "48," or odd, or overtravel, or blank (no switch closed) are legitimate. Any other combination of switches is flagged as a fault.

If the data passes all of these tests, it is (a) decoded and transmitted in multiplexed form to the displays on the Unit Operating Benchboard, and (b) loaded into a memory to be read by the computer as required.

As soon as one rod's data is processed, the next rod's identity is generated and processed and so on for all of the rods. When data for all rods has been gathered, the cycle repeats.
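The three checks described in this subsection (answer received, identity match, legitimate switch combination), written out as an added Python sketch; it is not plant or vendor code. The switch labels, rod coordinates and the `Reply` structure are assumptions, and the sample replies are constructed.

```python
from dataclasses import dataclass

# Assumed labels for the switch groups a probe presents to the electronics.
EVEN_POSITIONS = {f"{n:02d}" for n in range(0, 49, 2)}   # "00" .. "48"
FULL_IN, FULL_OUT, ODD, OVERTRAVEL = "FULL_IN", "FULL_OUT", "ODD", "OVERTRAVEL"


@dataclass(frozen=True)
class Reply:
    rod_id: str          # identity generated locally by the answering card
    closed: frozenset    # labels of the switches reported closed ("raw" data)


def decode(closed):
    """Return the decoded indication, or None if the combination is not legitimate."""
    closed = frozenset(closed)
    if not closed:
        return "BLANK"
    if closed == {ODD}:
        return "ODD"
    if closed == {OVERTRAVEL}:
        return "OVERTRAVEL"
    if closed == {FULL_IN, "00"}:
        return "00 FULL-IN"
    if closed == {FULL_OUT, "48"}:
        return "48 FULL-OUT"
    if len(closed) == 1 and closed <= EVEN_POSITIONS:
        return next(iter(closed))
    return None


def process_reply(sent_id, reply):
    """Apply the three checks in the order the text gives them."""
    if reply is None:                      # 1. was an answer received?
        return ("NO_ANSWER", None)
    if reply.rod_id != sent_id:            # 2. does the identity match what was sent?
        return ("IDENTITY_MISMATCH", None)
    decoded = decode(reply.closed)         # 3. is the switch combination legitimate?
    if decoded is None:
        return ("FORMAT_FAULT", None)
    return ("OK", decoded)


def scan_cycle(rod_ids, poll):
    """One pass over all rods; poll(rod_id) returns a Reply or None."""
    memory, faults = {}, {}
    for rod_id in rod_ids:
        status, decoded = process_reply(rod_id, poll(rod_id))
        if status == "OK":
            memory[rod_id] = decoded       # data that would go to display and computer
        else:
            faults[rod_id] = status
    return memory, faults


# Constructed sample replies, keyed by the identity that was sent.
SAMPLE_REPLIES = {
    "02-19": Reply("02-19", frozenset({"12"})),
    "06-19": Reply("06-19", frozenset({FULL_IN, "00"})),
    "10-19": Reply("10-19", frozenset({"12", "14"})),   # two even switches closed
    "14-19": Reply("18-19", frozenset({"24"})),         # wrong identity came back
    "18-19": None,                                      # no answer
    "22-19": Reply("22-19", frozenset()),               # no switch closed
}


def run_sample():
    return scan_cycle(SAMPLE_REPLIES.keys(), SAMPLE_REPLIES.get)
```
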

7.7.1.2.4 Environmental Considerations

The reactor manual control system (control and position indication circuitry) is not required for any plant safety function, nor is it required to operate in any associated design basis accident or transient occurrence. The reactor manual control circuitry is required to operate only in the normal plant environment during normal power generation operations.

The control rod drives are located in the containment. The hydraulic control units for the control rod drives are located outside containment in the reactor building.

The logic and readout instrumentation are located in the control structure.

The control rod position detectors are located beneath the reactor vessel in the drywell. The normal design environments encountered in these areas are described in Section 3.11.


7.7.1.2.5 Operational Considerations

7.7.1.2.5.1 General Information

The reactor manual control system is totally operable from the main control room. Manual operation of individual control rods is possible to effect control rod insertion, withdrawal, or settle.

Rod position indicators, described below, provide the necessary information to ascertain the operating state and position of all control rods. Conditions which prohibit control rod withdrawal are alarmed with the rod block annunciator.

7.7.1.2.5.2 Reactor Operator Information

Table 7.7-1 gives information on instruments for the reactor manual control system. A large rod information display on the Unit Operating Benchboard is patterned after a top view of the reactor.

The display allows the operator to acquire information rapidly by scanning.

Colored windows provide an overall indication of rod pattern and allow the operator to quickly identify an abnormal indication. The following information for each control rod is presented in the display:

Rod fully inserted (green)

Rod fully withdrawn (red)

Selected rod identification (coordinate position, white)

Accumulator trouble (flashing red)

Rod drift (red)

The Unit Operating Benchboard contains a display on which the operator can display the positions of the control rods selected for movement and the other rods in the rod group. A separate, hardwired display is located on the standby information panel. In either display the control rods are considered in groups of four adjacent rods (a "four-rod group") centered around a common core volume monitored by four LPRM strings. Rod groups at the periphery of the core may have fewer than four rods. The four-rod display shows the positions, in digital form, of the rods in the group to which the selected rod belongs. A backlighting on the digital display indicates which of the four rods is selected for movement. For Unit 2 only, on either side of the four-rod position display are indicated the readings of the 16 LPRM channels (four LPRM strings) surrounding the core volume common to the four rods of the group.

The four-rod display allows the operator to better focus his attention on the portion of the core where rod motion is occurring. A full core rod position display would tend to be confusing and difficult to read. In addition, on demand by the operator, the process computer will provide a print-out of all rod positions.

In addition to the full core display, a drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer.

An indication is also provided for rod trend beyond the limits of normal rod movement. If the rod drive piston moves to the "overtravel" position, an alarm is sounded in the control room. The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact because, with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position.

Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position.


Accumulator trouble and 4 rod display inop indicators are provided to the displays by the rod drive control system. The remaining information to the displays and the position information for the process computer are provided by the rod position subsystem.

The following main control room lights are provided to allow the operator to know the conditions of the control rod drive hydraulic system and the control circuitry:

Stabilizer valve selector switch position

Insert command energized

Withdraw command energized

Settle command energized

Withdrawal not permissive

Continuous withdrawal

Pressure control valve position

Flow control valve position

Drive water pump low suction pressure (alarm and pump trip)

Drive water filter high differential pressure (alarm only)

Unit 1: Charging water (to accumulator) high pressure (alarm only)

Unit 2: Charging water (to accumulator) low pressure (alarm only)

Control rod drive temperature (alarm only)

Scram discharge volume not drained (alarm only)

Scram valve pilot air header low pressure (alarm only)

Scram valve pilot air header high pressure (alarm only)

7.7.1.2.5.3 Setpoints

The subject system has no safety setpoints.

7.7.1.2.6 Rod Block Sub-Trip System of RMCS

A portion of the reactor manual control system, upon receipt of input signals from other systems and subsystems, inhibits movement or selection of control rods.

7.7.1.2.6.1 Grouping of Channels

The same grouping of neutron monitoring equipment (SRM, IRM, APRM, and RBM) that is used in the reactor protection system is also used in the rod block circuitry.

Half of the total monitors (SRM, IRM, APRM, and RBM) provide inputs to one of the RMCS rod block logic circuits and the remaining half provide inputs to the other RMCS rod block logic circuit.

Two APRM channels provide recirculation flow upscale rod blocks to one logic circuit; the other two APRM channels provide recirculation flow upscale rod block signals to the other logic circuit.

Flow comparison is performed within the RBM but is processed as an alarm only since the RBM rod block cautions are power and not flow dependent.

Scram discharge volume high water level signals are provided as inputs into both of the two rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed.


The rod insert block from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion.

The RBM rod block settings are varied as a function of Reactor Thermal Power. Analyses show that the selected settings are sufficient to avoid both reactor protection system action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. Additional detail on all the neutron monitoring system trip channels is available in Subsection 7.6.1a.5. The rod block from Scram Discharge Volume high water level comes from one of two float type level switches installed in each of two scram discharge instrument volumes.

The second float switch in each instrument volume provides a control room annunciation of increasing level below the level at which a rod block occurs.

7.7.1.2.6.2 Rod Block Function

The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed later. Figure 7.7-4 shows all the rod block functions on a logic diagram. The rod block functions provided specifically for refueling situations are described in Subsection 7.7.1.10.

Rod block signals from safety-related systems are brought into the RMCS through optical isolators.

Rod motion permissive for each rod block function is signaled by an illuminated LED. The light from this LED affects the conductive state of a transistor across a separation zone. Opening of the rod block relay contact, failure of the LED, or failure of the power supply will extinguish the LED and remove the rod motion permissive.

(1) With the mode switch in the SHUTDOWN position, no control rod can be withdrawn. This enforces compliance with the intent of the shutdown mode.

(2) The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:

a. Any average power range monitor (APRM) Simulated Thermal Power Upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require reactor protection system action if allowed to proceed. The APRM Simulated Thermal Power Upscale rod block alarm setting is selected to initiate a rod block before the APRM Neutron Flux - High or Simulated Thermal Power-High scram setting is reached.
b. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or correctly bypassed.
c. Any APRM LPRM low count alarm. This ensures that no control rod is withdrawn unless the average power range neutron monitoring channels have the required number of LPRM inputs to be considered operable.
d. Either recirculation flow upscale or APRM inoperative alarm. This assures that no control rod is withdrawn unless the recirculation flow transmitters are operable.


e. Recirculation flow comparator alarm or RBM inoperable. This assures that no control rod is withdrawn unless the difference between the outputs of the flow transmitters is within limits.
f. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level.
g. Scram discharge volume high water level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service. The scram discharge volume high water level scram is only bypassed in shutdown and refuel.
h. The rod worth minimizer (RWM) function of the process computer can initiate a rod insert block, a rod withdrawal block, and a rod select block. The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under lower power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident.

Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed. Additional information on the rod worth minimizer function is available in Subsection 7.7.1.2.8.

i. Rod position information system malfunction. This assures that no control rod can be withdrawn unless the rod position information system is in service.
j. Rod movement timer malfunction during withdrawal. This assures no control rod can be withdrawn unless the timer is in service.
k. Either rod block monitor (RBM) upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result.

Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.

l. Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or correctly bypassed.

(3) With the mode switch in the RUN position, any of the following conditions initiates a rod block.

a. Any APRM downscale alarm. This assures that no control rod will be withdrawn during power range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN mode.
b. Either RBM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the RBM channels are operating correctly or are correctly bypassed. Unbypassed RBMs must be on scale during reactor operations in the RUN mode.


c. Any APRM recirculation flow upscale alarm [or any recirculation flow comparison alarm]. This ensures that no control rod is withdrawn unless the APRM recirculation flow signals are operable and the flow rate is not unusually high.

(4) With the mode switch in the STARTUP or REFUEL position, any of the following conditions initiates a rod block:

a. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges. This assures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information.
b. Any SRM upscale level alarm. This assures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.
c. Any SRM downscale alarm. This assures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring. This rod block is bypassed automatically when all unbypassed IRM channels are above Range 2.
d. Any SRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available in that all SRM channels are in service or correctly bypassed.
e. Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM detectors are correctly located.
f. Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring reactor protection system action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.
g. Any IRM downscale alarm except when range switch is on the lowest range. This assures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level. Thus, the rod block ensures that the intermediate range monitor is on scale if control rods are to be withdrawn.
h. Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available in that all IRM channels are in service or are correctly bypassed.


7.7.1.2.6.3 Rod Block Bypasses

To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

1 SRM Channel

2 IRM Channels (1 on Bus A and 1 on Bus B)

1 APRM Channel

1 RBM Channel

The permissible IRM bypasses are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The arrangement allows the bypassing of one IRM in each rod block logic circuit. One of the four APRM channels can be bypassed at any time. The assignment of LPRMs to APRM channels is chosen so that adequate monitoring of the core is maintained with an APRM channel bypassed.

These bypasses are effected by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM instrumentation. The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued.

An automatic bypass of the RBM rod block occurs when the power level is below a preselected level or when a peripheral control rod is selected. Either condition indicates that local fuel damage is not threatened and that RBM action is not required.

The rod worth minimizer and rod sequence control rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. It can be manually bypassed for maintenance at any time.
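An added Python model, not plant or vendor logic, of how the SRM rod blocks in item (4), their automatic bypasses, the one-channel manual bypass limit and the fail-safe LED permissive combine. Setpoint values, channel names, IRM range numbering from 1, and the requirement for a permissive from both logic circuits are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    SHUTDOWN = 1
    REFUEL = 2
    STARTUP = 3
    RUN = 4


@dataclass(frozen=True)
class Setpoints:
    """Constructed values in counts/s; the page gives no numbers."""
    downscale: float = 3.0
    retract_permit: float = 100.0
    upscale: float = 1.0e5


@dataclass
class SRM:
    name: str                    # constructed channel name
    circuit: str                 # "A" or "B": half the monitors feed each circuit
    count_rate: float
    fully_inserted: bool = True
    inoperative: bool = False
    bypassed: bool = False


def srm_block_reasons(srms, irm_ranges, sp=Setpoints()):
    """Conditions (4)a to (4)d for the SRM channels wired to one logic circuit.

    irm_ranges maps each unbypassed IRM channel to its range switch position,
    numbered from 1 (assumed). With no IRM data the bypasses are not credited.
    """
    irm_low = not irm_ranges or any(r <= 2 for r in irm_ranges.values())
    reasons = []
    for ch in srms:
        if ch.bypassed:
            continue
        if ch.inoperative:
            reasons.append((ch.name, "INOPERATIVE"))
            continue
        # (4)a: the position block applies only below the retract permit level
        # while an IRM is still on one of its two lowest ranges.
        if not ch.fully_inserted and ch.count_rate < sp.retract_permit and irm_low:
            reasons.append((ch.name, "DETECTOR_NOT_FULL_IN"))
        if ch.count_rate >= sp.upscale:
            reasons.append((ch.name, "UPSCALE"))
        # (4)c: bypassed automatically once all unbypassed IRMs are above Range 2.
        if ch.count_rate < sp.downscale and irm_low:
            reasons.append((ch.name, "DOWNSCALE"))
    return reasons


def withdrawal_permitted(mode, srms, irm_ranges, leds_ok=("A", "B"), power_ok=True):
    """Return (permitted, report); report maps a circuit to why it blocks."""
    if sum(ch.bypassed for ch in srms) > 1:
        raise ValueError("only one SRM channel may be manually bypassed")
    if mode is Mode.SHUTDOWN:
        return False, {"MODE": ["SHUTDOWN"]}
    report = {}
    for circuit in ("A", "B"):
        reasons = []
        if mode in (Mode.STARTUP, Mode.REFUEL):
            mine = [ch for ch in srms if ch.circuit == circuit]
            reasons = srm_block_reasons(mine, irm_ranges)
        # The permissive exists only while the relay contact is closed and the
        # LED and its power supply are healthy; any loss reads as a rod block.
        contact_closed = not reasons
        if not (contact_closed and circuit in leds_ok and power_ok):
            report[circuit] = reasons or ["PERMISSIVE_LOST"]
    return not report, report


def sample_srms():
    """Constructed plant state: four SRM channels, all on scale and inserted."""
    return [SRM("SRM-A", "A", 50.0), SRM("SRM-B", "B", 50.0),
            SRM("SRM-C", "A", 50.0), SRM("SRM-D", "B", 50.0)]
```

The model covers only the SRM conditions; the APRM, IRM, RBM, scram discharge volume and RWM inputs would enter each circuit's `reasons` list in the same way.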

7.7.1.2.6.4 Rod Block Interlocks

Figure 7.7-2 and Dwgs. M1-C51-2, Sh. 1, M1-C51-2, Sh. 2, M1-C51-2, Sh. 3, M1-C51-2, Sh. 4, M1-C51-2, Sh. 5, M1-C51-2, Sh. 6, and M1-C51-2, Sh. 7, show the rod block interlocks used in the reactor manual control system. Figure 7.7-2 shows the general functional arrangement of the interlocks. Dwgs. M1-C51-2, Sh. 1, M1-C51-2, Sh. 2, M1-C51-2, Sh. 3, M1-C51-2, Sh. 4, M1-C51-2, Sh. 5, M1-C51-2, Sh. 6, and M1-C51-2, Sh. 7 show in greater detail the rod blocking functions that originate in the neutron monitoring system.

7.7.1.2.6.5 Redundancy

The same grouping of neutron monitoring equipment, SRM, IRM, APRM, and RBM, that is used in the reactor protection system is also used in the rod block circuitry. Half of the total monitors, SRM, IRM, APRM, and RBM, provide inputs to one of the rod block logic circuits with the remaining half providing inputs to the redundant logic circuit.

Two APRM channels provide recirculation flow upscale inputs to one rod block logic circuit with the remaining two providing inputs to the redundant logic circuit.


Scram discharge volume high water level signals are provided as inputs into both of the two rod block logic circuits. Both the redundant rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed. The rod withdrawal block from the rod worth minimizer trip affects both rod block logic circuits. The rod insert block from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion. The APRM rod block settings are varied as a function of recirculation flow. Analyses show that the selected settings are sufficient to avoid both reactor protection system action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. The rod block from scram discharge volume high water level utilizes one non-indicating float switch installed on the scram discharge volume. A second float switch provides a main control room annunciation of increasing level.

The rod block circuitry is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous withdrawal. If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even during a continuous rod withdrawal. It is designed so that no single failure can prevent a rod block.

The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod blocks are described in Subsection 7.7.1.10.

7.7.1.2.6.6 Testability

On-line testability of the systems and indication of bypassed or inoperable status of the system is provided.

7.7.1.2.6.7 Environmental Considerations

The equipment is mounted in the control room and will not see design basis accidents or anticipated operational occurrence environments.

7.7.1.2.6.8 Operational Considerations

The rod block trips prevent an operator from withdrawing rods if the associated equipment is not capable of monitoring core response or if, unchecked, the withdrawals might require a protective system action (scram). There are no special operational considerations.

7.7.1.2.7 Rod Sequence Control System (RSCS) - Subsystem of RMCS - Instrumentation Controls

The NRC original requirement for the RSCS was based on the perceived inability of the RWM to prevent the consequences of a CRDA. The NRC SE for NEDE-24011, General Electric Standard Application for Reactor Fuel, revision 8, Amendment 17, dated 12/27/87 addressed this issue and determined that operation without the RSCS was acceptable. When SSES implemented the Improved Tech Specs (ITS), NRC approval was granted to remove the RSCS from the TS. The RSCS has been removed from Unit 1 per EC 964987 and Unit 2 per EC 935947.


7.7.1.2.8 Rod Worth Minimizer (RWM) - Instrumentation and Controls

7.7.1.2.8.1 System Identification

The RWM uses the process computer described in Subsection 7.7.1.7. Only the RWM portion will be discussed here.

7.7.1.2.8.2 Power Sources

The power for the RWM is supplied from the 120 VAC instrument bus.

7.7.1.2.8.3 Equipment Design

The rod worth minimizer (RWM) function assists and supplements the operator with an effective backup control rod monitoring routine that enforces adherence to established startup, shutdown, and low power level control rod procedures. The rod worth minimizer portion of the computer prevents the operator from establishing control rod patterns that are not consistent with prestored RWM sequences by initiating appropriate rod select block, rod withdrawal block, and rod insert block interlock signals to the reactor manual control system rod block circuitry (see Figure 7.7-2).

The RWM sequences stored in the computer memory are based on control rod withdrawal procedures designed to limit (and thereby minimize) individual control rod worths to acceptable levels as determined by the design basis rod drop accident.

The RWM function does not interfere with normal reactor operation, and in the event of a failure does not itself cause rod patterns to be established. The RWM need not function upon loss of offsite power. The RWM function can be bypassed and its block function can be disabled only by specific procedural control initiated by the operator.

The following operator and sensor inputs are utilized by the RWM:

(1) Rod Test Sequence: By selecting this input option, the operator is permitted to withdraw and reinsert any one control rod in the core while all other control rods are maintained in the fully inserted position.

(2) Normal/Bypass Mode: A keylock switch permits the operator to apply permissives to RWM rod block functions at any time during plant operation.

(3) System Initialize: This input is initiated by the operator to start or restart the RWM programs and system at any time during plant operation.

(4) Control Rod Selected: Binary coded identification of the control rod selected by the operator.


(5) Control Rod Position: Binary coded identification of the selected control rod position.

(6) Control Rod Drive Selected and Driving: The RWM program utilizes this input as a logic diagnostic verification of the integrity of the rod select input data.

(7) Control Rod Drift: The RWM program recognizes a position change of any control rod using the control rod drift signal input.

(8) Reactor Power Level: Core average power is used to implement two digital inputs to permit program control of the RWM function. These two inputs, the low power setpoint and the low power alarm setpoint, are used to disable the RWM function at power levels above the intended service range of the RWM function.

(9) Permissive Echoes: Rod withdraw and rod insert permissive echo inputs are utilized by the RWM as a verification "echo" feedback to the system hardware to assure proper response of an RWM output.

(10) Diagnostic Inputs: The RWM utilizes selected diagnostic inputs to verify the integrity and performance of the processor.

7.7.1.2.8.4 System Interface Relationship

Isolated contact outputs to plant instrumentation provide RWM block functions to the reactor manual control system to permit or inhibit selection, withdrawal, or insertion of a control rod. These actions do not affect any normal instrumentation displays associated with the selection of a control rod (see Dwgs. M1-C12-90, Sh. 4 and M1-C12-110, Sh. 8).

7.7.1.2.8.5 Operational Considerations

The RWM control panel provides the following indication:

(1) Insert Error: Control rod coordinate identification for as many as two insert errors.

(2) Withdrawal Error: Control rod coordinate identification for one withdrawal error.


(3) Latched Group: Identification of the RWM sequence group number currently enforced by the computer.

(4) Rod Test Select: Indications that the rod test function test selected by the operator was honored by the RWM Program.

(5) RWM Bypass: Indication that the RWM is manually bypassed.

(6) Select Error: Indication of a control rod selection error.

(7) Blocks: Indication that a selection block, withdrawal block, or insertion block is in effect for all control rods.

(8) Out of Sequence: Indication that the actual control rod pattern is out of sequence with the RWM sequence currently being monitored while the reactor is operating above the low power setpoint but below the low power alarm setpoint.

7.7.1.3 Recirculation Flow Control System - Instrumentation and Controls

7.7.1.3.1 System Identification

7.7.1.3.1.1 General

The objective of the recirculation flow control system is to control reactor power level, over a limited range, by controlling the flow rate of the reactor recirculating water.

See Figures 7.7-7 and 7.7-8. The control involves varying the speed of the recirculation pumps by changing the voltage and frequency of the AC supply to each pump motor. The AC supply is provided by a motor-generator (M-G) set for each pump. Each M-G set consists of a squirrel cage induction motor driving a variable frequency generator through a variable speed converter. The generator output is modulated by varying the slip within the converter. Since flow rate is directly proportional to pump speed, which is proportional to generator speed, generator speed is considered the controlled variable of the system. The recirculation flow control is provided by means of reactor recirculation pump speed control. This pump speed control is performed as part of a digital Integrated Control System combining the aspects of recirculation pump speed control, reactor feedwater level control, and reactor feedpump turbine speed control. The reactor recirculation pump speed control is designed to be operated either manually or automatically given Operator input. The Integrated Control System is designed to limit the range and rate of pump speed and to otherwise ensure proper operational and equipment protection.


7.7.1.3.1.2 Classification

This system is a power generation system and is classified as not related to safety.

7.7.1.3.1.3 Reference Design

The recirculation flow control system is an operational system and has no safety function; therefore, there are no safety differences between this system and those of the above referenced facilities. This system is functionally identical to the referenced system.

7.7.1.3.2 Power Sources

The digital Integrated Control System power is provided by separate redundant 120 VAC field power sources. These power inputs supply the digital Integrated Control System primary and secondary power sources which in turn provide inputs to the data transfer switches and internal panel power sources required for the digital integrated control instrumentation. Each field primary power source receives its normal power supply from the appropriate ESS 480VAC power system. The internal panel power secondary source is always on demand so that upon loss of the primary source, a seamless transfer occurs which allows for the Integrated Control System continued operation.

7.7.1.3.3 Equipment Design

7.7.1.3.3.1 General

Reactor recirculation flow is changed by adjusting the speed of the two reactor recirculating pumps.

This is accomplished by adjusting the frequency and voltage of the electrical power supplied to the recirculation pump motor (see Figure 7.7-8). Control of pump speed, and thus core flow, is such that at various control rod patterns, different power level changes can be accommodated. For a 100% rod pattern, power change control down to approximately 65 percent of full power is possible by use of flow variation. At other rod patterns, power control is possible down to approximately 65 percent of the maximum operating power level for that rod pattern. Thus, the power control range is approximately a constant fraction of operating power but a variable absolute power range.

A lower limit exists on flow control capability, below which automatic control by flow is not permitted. An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core. The additional neutron moderation increases the reactivity of the core, which causes the reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady-state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner.

7.7.1.3.3.2 Pump Drive Motor Control

For operation, each recirculation pump motor has its own motor-generator set for a power supply. A variable speed converter is provided between the M-G set motor and generator. To change the speed of the reactor recirculation pump, the variable speed converter varies the generator speed by changing the position of a scoop tube positioner which changes the frequency and magnitude of the voltage supplied to the pump motor to give the desired pump speed.


A digital Integrated Control System provides demand input to the M-G set scoop tube positioner for proper positioning of the scoop tube, thus controlling generator output and reactor recirculation pump speed. The reactor recirculation pump speed control is designed to allow manual and automatic speed control. Given certain plant conditions, automatic speed control is at the discretion of the operator after confirmation of plant thermal margins and limits.

Automatic control is designed to allow small incremental power changes over a prescribed period of time. This automatic feature relieves operator burden during times where the plant electrical output is dictated by rated main turbine generator output limitations versus rated reactor core thermal power. Manual operation of the reactor recirculation pump speed control portion of the digital Integrated Control System is always the default operation and can be used to override the automatic operation at any time.

7.7.1.3.3.2.1 ATWS Trip

The RPT breakers, which are between the variable frequency generator and the recirculation pump motor, will trip when reactor low water level or high vessel pressure is sensed. There are two trip logic systems, each capable of tripping both pump motors. Each logic system is divisionalized and consists of two dedicated level sensors and two dedicated pressure sensors arranged in a two-out-of-two taken once logic arrangement as shown in Dwgs. M1-B31-189, Sh. 1, M1-B31-189, Sh. 2, and Figure 7.7-7-6. Relays actuated by the level sensors have 8 to 10 second time delays.

The two MG set drive motors are tripped consecutively after the RPT breakers are tripped. The ATWS trip is in addition to the normal motor protective trips. See Subsection 7.6.1a.8 for a discussion of RPT system instrumentation and controls.

7.7.1.3.3.3 High Frequency Motor - Generator (HFMG) Set Each of the two M-G sets and its controls are identical. The M-G set can continuously supply power to the pump motor at any frequency between approximately 19% and 96% of the drive motor supply bus frequency. The M-G set is capable of starting the pump and accelerating it from standstill to the desired operating speed when the pump motor thrust bearing is fully loaded by reactor pressure acting on the pump shaft. The main components of the M-G set are a drive motor, a generator, and a variable speed converter, with an actuation device to adjust the converter output speed.

(1) Drive Motor The drive motor is an AC induction motor which drives the input shaft of the variable speed converter. The motor can operate under electrical supply variations of 5 percent of rated frequency or 10 percent of rated voltage.

(2) Generator The variable frequency generator is driven by the output shaft of the variable speed converter. During normal operation, the generator exciter is powered by the drive motor.

The excitation of the generator is provided from an auxiliary source during pump startup.

(3) Variable Speed Converter and Actuation Device The variable speed converter transfers power from the drive motor to the generator. The variable speed converter actuator automatically adjusts the slip between the converter input shaft and output shaft as a function of the signal from the speed controller. If the speed controller signal is lost, the actuator causes the speed converter slip to remain "as is."

Manual reset of the actuation device is required to return the speed converter to normal operation.

7.7.1.3.3.4 Speed Control An Integrated Control System, Figure 7.7-8, controls the variable speed converters of both motor-generator sets. The M-G sets can be individually controlled by manual or automatic operation at the discretion of the operator. Manual mode is always the default control. (See 7.7.1.3.3.4.2 Modes of Speed Control Operation.)

7.7.1.3.3.4.1 Digital Integrated Control System - Reactor Recirculation Pump Speed The digital Integrated Control System, Reactor Recirculation Pump Speed Control, provides the capability to modulate a speed demand signal to the Recirculation Pump M-G Set Scoop Tube Positioner for proper positioning of the scoop tube. Modulation of the scoop tube positioner is the primary means of controlling M-G set speed and thus, generator output and recirculation pump speed.

The Integrated Control System (ICS) is an Intelligent Automation (I/A) distributed control system including redundant fault tolerant digital control processors (CP), required input/output (I/O) modules, a new redundant high speed fiber-optic mesh Plant Data Network (PDN) with Operator and Engineering workstations, power supplies, flat panel displays, and redundant soft control Human Machine Interface (HMI) panels. Configurable software is developed in the form of compounds, blocks, and parameters, interconnected to execute the desired control logic.

The recirculation pump speed control function provides A & B recirculation MG Set speed control (multiple modes), runbacks, rundowns, channel bypasses (runback limiter initiation parameters), system operating limits and alarms, and functional control capabilities to position the scoop tubes. Process inputs are both discrete from the field and via peer-to-peer communication within the ICS distributed architecture. The ICS also interfaces with the Plant Process Computer (PICSY).

Operator interaction with the digital Integrated Control System is via Human Machine Interface (HMI) soft-touch screen monitors.

Failure of the Integrated Control System results in main control room alarm and acts to prevent any change of slip within the variable speed converter by initiating a scoop tube lockout.

The Reactor Recirculation Pump Speed control provides several modes of plant operation to be performed at the discretion of the Control Room Operator. These modes of operation are both manual and automatic as outlined in section 7.7.1.3.3.4.2.

Startup signal generator logic within the control systems supplies the setpoint signal for speed control during M-G startup. This adjusts the M-G set variable speed converter for approximately 50 percent recirculation pump speed.

7.7.1.3.3.4.2 Modes of Speed Control Operation The Reactor Recirculation Pump Speed Control provides the Control Room Operator with the capability of choosing manual speed control or a selection of power dependent "automatic" speed control modes. The speed control logic consists of four (4) modes of control available to the Operator at his/her discretion: Manual, Power Maneuvering, Fine Speed, and Monitor Mode.

Restrictions and limits are employed for combinations of control modes for each loop of RRP speed control. Manual mode is always the default mode regardless of the selected mode.

(1) Manual Under Manual Mode, the Operator has the capability to select the A or B Reactor Recirculation Pump and request an increase or decrease in speed. This is accomplished by depressing an increase or decrease pushbutton on the HMI control panel. Manual Mode is always the default and priority mode of operation.

(2) Power Maneuvering Upon confirming Thermal Power Limits, the Operator chooses Power Maneuvering Mode of operation. When in Power Maneuvering mode the Reactor Recirculation Pump Speed control will increase or decrease pump speed which corresponds to increase or decrease in percentages of thermal power in prescribed steps.

(3) Fine Speed Control Fine Speed Control is normally used by the Operator when plant operation is being dictated by Main Generator rating or at high percentages of power. Fine Speed Control is used over Power Maneuvering Mode when a smaller percentage increase in power is desired.

(4) Monitor Mode Monitor Mode is normally selected by the Operator when it is desired to closely maintain the plant within the Main Generator Capability Curve. The control system Monitor Mode decreases the reactor recirculation pump speed in successive step changes as necessary to maintain the unit within the defined Main Generator Capability Curve.

Decrease in speed will occur on the A or B reactor recirculation pump as necessary.

Prior to selecting any power dependent operating mode and magnitude & direction of change, the Operator assesses the plant status and makes the determination that the Recirculation system power changes are acceptable. For all power dependent operating modes, "System Limits" are employed to inhibit the selection of any control mode other than Manual or force the control mode to Manual in the event Total Core Flow, Loop A & B Differential Core Flow, or Core Thermal Power exceeds pre-determined administrative limits.

Each Reactor Recirculation Pump will be independently Mode Selectable by the Operator and each loop (A or B) can have a different mode (within established limits).

7.7.1.3.3.4.3-1 Speed Limiters and Rundown There are two adjustable speed limiter functions in the Reactor Recirculation Pump Speed control for each M-G set. The speed limiter functions automatically limit the setpoint signal for the scoop tube position demand.

For the #1 Limiter, the signal is automatically limited if the Recirculation Pump Main Discharge Valve is not fully open, Reactor Low Water Level-3 signal is present (sensed via the Feedwater System) or the Feedwater Flow is less than 16.4% of Rated Flow. The M-G Set Generator Speed will be limited to 30% rated speed. The Basis for the discharge valve partial closure is to prevent excessive axial thrust on the Motor Thrust Bearing. The basis for Low Rx Water Level 3 is to assure sufficient NPSH. The basis for the Low Feedwater Flow requirement is also to assure sufficient NPSH. This is accomplished by actuating the circuitry on Low Feedwater Flow (less than 16.4%) with a companion 15 sec. time delay. The time delay precludes the effects of spurious flow oscillations around the setpoint. With a minimum of 16.4% Feedwater Flow or Reactor Water Level greater than Level 3, enough subcooling is provided for adequate NPSH during normal operation.

For the #2 Limiter, the signal is automatically limited if:

1. 1 of 4 operating Circulating Water Pumps trips and high Main Condenser pressure, or
2. 1 of 4 operating Condensate Pumps trips or
3. 1 of 3 operating Reactor Feed Pumps experience Low Flow Signals or
4. 1 of 6 Feedwater Heaters experience High-High Water Level Signals with a Reactor Low Water Level-4 present (sensed via the Feedwater System).

The M-G Set Generator Speed will be limited to 48% Rated Speed. The #2 Limiter functions to assure that for a Feedwater Transient or a loss of vacuum, the plant will remain on line but at a lower power level.

7.7.1.3.3.4.3-2 Runback of the reactor recirculation pumps can occur either manually by the operator or automatically. Automatic or manually initiated Runbacks will occur regardless of the MG Set speed control mode selected.

The #1 Limiter and #2 Limiter individual inputs can be manually bypassed by the Control Room Operator. A pushbutton on the HMI control panel is provided allowing the Operator to bypass the individual input for maintenance activities. An additional 120 second time delay bypass for Condensate Pump trip logic input is provided to the Reactor Recirculation Pump Speed control.

This time delay allows for successful Condensate Pump start following maintenance activities.

The Reactor Recirculation Pump Speed Control provides a "Rundown" feature. This feature initiates automatic reduction in the A & B loop MG Set Speed Demand Signal (limited to 15% overall decrease) if Condenser vacuum degrades below acceptable levels or if Feedwater Demand exceeds predetermined limits (e.g. available FW Margin degraded). This feature is provided to protect the main generator and to assist the Operator in response to abnormal conditions. Should the condenser vacuum degrade to a pre-determined value, a bias signal will be initiated to rundown the reactor recirculation pumps by 5%. Should the Feedwater Demand signal exceed a pre-determined value, a signal will be initiated to rundown the reactor recirculation pumps by 10%. Both conditions occurring would result in a combined 15% rundown. The rundown will occur regardless of the MG set speed control mode selected. This new Rundown feature is bounded under the existing Limiter runbacks and mimics operator manual action in response to degrading plant conditions.
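The limiter and rundown rules above, written out as a small reference model that can be replayed over recorded inputs to check that a speed demand is consistent with them. This is an added example, not code from the FSAR or the plant's Integrated Control System; the field names are hypothetical, and treating the rundown as a subtraction of percentage points from the demand is an assumption. The 120 second condensate pump bypass delay is not modelled.

```python
from dataclasses import dataclass

# Values stated in the text above.
LIMITER_1_PCT = 30.0          # #1 Limiter ceiling, % rated M-G set generator speed
LIMITER_2_PCT = 48.0          # #2 Limiter ceiling, % rated speed
LOW_FW_FLOW_PCT = 16.4        # low feedwater flow threshold, % rated flow
LOW_FW_DELAY_S = 15.0         # companion time delay on low feedwater flow
RUNDOWN_VACUUM_PCT = 5.0      # rundown on degraded condenser vacuum
RUNDOWN_FW_DEMAND_PCT = 10.0  # rundown on high feedwater demand


@dataclass
class PlantInputs:
    """One scan of the limiter inputs. Field names are hypothetical."""
    t: float                               # scan time, seconds
    discharge_valve_full_open: bool = True
    low_level_3: bool = False
    feedwater_flow_pct: float = 100.0
    circ_water_pump_trip: bool = False
    condenser_pressure_high: bool = False
    condensate_pump_trip: bool = False
    feed_pump_low_flow: bool = False
    heater_level_high_high: bool = False
    low_level_4: bool = False
    vacuum_degraded: bool = False
    fw_demand_high: bool = False


class OnDelay:
    """Output goes true once the input has been continuously true for delay_s."""

    def __init__(self, delay_s):
        self.delay_s = delay_s
        self.since = None

    def update(self, active, t):
        if not active:
            self.since = None          # any dropout restarts the delay
            return False
        if self.since is None:
            self.since = t
        return (t - self.since) >= self.delay_s


class SpeedLimiter:
    """Limiter and rundown logic for one M-G set."""

    def __init__(self, bypassed=()):
        self.bypassed = set(bypassed)  # names of manually bypassed inputs
        self.low_fw_timer = OnDelay(LOW_FW_DELAY_S)

    def step(self, requested_pct, inp):
        """Return (speed demand in % rated, sorted list of active causes)."""
        low_fw = self.low_fw_timer.update(
            inp.feedwater_flow_pct < LOW_FW_FLOW_PCT, inp.t)
        limiter_1 = {
            "discharge_valve_not_open": not inp.discharge_valve_full_open,
            "low_level_3": inp.low_level_3,
            "low_feedwater_flow": low_fw,
        }
        limiter_2 = {
            "circ_water_pump_trip":
                inp.circ_water_pump_trip and inp.condenser_pressure_high,
            "condensate_pump_trip": inp.condensate_pump_trip,
            "feed_pump_low_flow": inp.feed_pump_low_flow,
            "heater_high_high_level":
                inp.heater_level_high_high and inp.low_level_4,
        }
        causes = []
        # Rundown (assumption: subtracts percentage points from the demand).
        demand = requested_pct
        if inp.vacuum_degraded:
            demand -= RUNDOWN_VACUUM_PCT
            causes.append("rundown_vacuum")
        if inp.fw_demand_high:
            demand -= RUNDOWN_FW_DEMAND_PCT
            causes.append("rundown_fw_demand")
        # Limiters: each active, non-bypassed input caps the demand.
        for ceiling, inputs in ((LIMITER_1_PCT, limiter_1),
                                (LIMITER_2_PCT, limiter_2)):
            for name, active in inputs.items():
                if active and name not in self.bypassed:
                    demand = min(demand, ceiling)
                    causes.append(name)
        return demand, sorted(causes)


def replay(scans, requested_pct=80.0, bypassed=()):
    """Run constructed scans through one limiter; return the demand per scan."""
    limiter = SpeedLimiter(bypassed)
    return [limiter.step(requested_pct, scan)[0] for scan in scans]
```

Because the low feedwater flow input passes through the on-delay, a dip shorter than 15 seconds leaves the demand untouched, which is the spurious-oscillation case the text describes.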

7.7.1.3.3.4.4 Recirculation Loop Starting Sequence Each recirculation loop is started by:

(1) Opening the generator field circuit breaker.

(2) Placing the Reactor Recirculation Pump Speed Control in the manual position. The setpoint should be adjusted to give the generator speed that will be desired after the pump has started.

(3) Closing the M-G set drive motor circuit breaker.

(4) Initiating the automatic start sequence.

7.7.1.3.3.5 Testability The M-G set, and Reactor Recirculation Pump Speed Control are functioning during normal power operation. Any abnormal operation of these components can be detected during operation. The components that do not continually function during normal operation can be tested and inspected for calibration and operability during scheduled plant shutdowns. All the recirculation flow control system components are tested and inspected according to the component manufacturers' recommendations. This can be done during scheduled shutdowns.

7.7.1.3.4 Environmental Considerations The recirculation flow control system is not required for safety purposes, nor required to operate after the design basis accident. The system is required to operate in the normal plant environment for power generation purposes only.

The only part of the recirculation flow control equipment in the drywell is the pump motor and it is subject to the design conditions environment shown on Dwgs. C1815, Sh. 1 and C-1815, Sh. 2.

The digital Integrated Control System logic control units and instrumentation are located in the main control room, upper relay room, and computer room and are subject to that environment.

Refer to Table 3.11-1.

7.7.1.3.5 Operational Considerations

7.7.1.3.5.1 General Information Indicators and alarms are provided to keep the operator informed of the status of system and equipment and to permit him to quickly determine the location of malfunctioning equipment.

Temperature monitoring of the equipment is recorded and alarmed if safe levels are exceeded.

Indicators are provided to show pump power requirements, M-G set speed, recirculation loop flow, valve positions, and analog control signals, all of which determine system status. Alarms are provided to alert the operator to malfunctioning control signals, excessive cooling water temperatures, inability to change pump speed, and status of M-G circulating lube oil supply.

7.7.1.3.5.2 Reactor Operator Information Visual display consists of loop flow, valve position, MG set speed indication, and speed demand indication. In most cases, alarms are supplemented by light indicators to more closely define the problem area.

7.7.1.3.5.3 Setpoints The subject system has no safety setpoints.

7.7.1.4 Feedwater Control System-Instrumentation and Controls

7.7.1.4.1 System Identification

7.7.1.4.1.1 General The Feedwater Control System, as part of an Integrated Control System, controls the flow of feedwater into the reactor pressure vessel to maintain the water in the vessel within predetermined levels during all normal plant operating modes. The range of water level is based upon the requirements of the steam separators (this includes limiting carryover and carryunder, which affects turbine performance), and recirculation pump operation and the need to prevent exposure of the reactor core. The Feedwater Control System employs water level, steam flow, and feedwater flow as a three-element control.

Single-element control is also available based on water level only and is controlled separately from three-element control. Normally, the signal from the feedwater flow is equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will result from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow which causes the level of the water in the reactor vessel to rise or fall accordingly.

7.7.1.4.1.2 Classification This system is a power generation system and is classified as not related to safety.

START HISTORICAL

7.7.1.4.1.3 Reference Design Table 7.1-2 lists reference design information. The feedwater control system is an operational system and has no safety function. Therefore, there are no safety differences between this system and those of the above referenced facilities. The subject system is functionally identical to the referenced system.

END HISTORICAL

7.7.1.4.2 Power Sources The digital Integrated Control System power is provided by separate redundant 120 VAC field power sources. These power inputs supply the digital Integrated Control System primary and secondary power sources which in turn provide inputs to the data transfer switches and internal panel power sources required for the digital integrated control instrumentation. Each field primary power source receives its normal power supply from the appropriate ESS 480VAC power system. The internal panel power secondary source is always on demand so that upon loss of the primary source, a seamless transfer occurs which allows for the Integrated Control System continued operation.

7.7.1.4.3 Equipment Design

7.7.1.4.3.1 General During normal plant operation, the feedwater control system automatically regulates feedwater flow into the reactor vessel. The system can be manually operated (see Dwg. M1-C32-3, Sh. 1).

The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel. During automatic operation, these three measurements are used for controlling feedwater flow.

The optimum reactor vessel water level is determined by the requirements of the steam separators.

The separators limit water carry-over in the steam going to the turbines and limit steam carry-under in water returning to the core. For optimum limitation of carry-over and carry-under, the steam separators require that the reactor vessel water level decrease functionally as reactor power level increases. The water level in the reactor vessel is maintained within +/- 2.0 inches of the setpoint value during normal operation. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow is regulated by controlling the speed of the turbine-driven feedwater pumps to deliver the required flow to the reactor vessel.

7.7.1.4.3.2 Reactor Vessel Water Level Measurement Reactor vessel level signal data is processed in the digital Integrated Control System. Reactor vessel level measurement is used for varying aspects of feedwater control functions including trip functions, control functions, alarm, and indication. This measurement includes input from the reactor narrow range water level instruments and upset level range instrument.

Reactor narrow range water level is monitored by three independent differential pressure transmitters. The transmitters are connected to water reference condensing chambers within the drywell. Each of the three transmitters produces an output signal (A, B, C) which represents the water level (0 to 60 inches at normal operating pressure). Only the narrow range water level provides trip inputs to the Main Turbine and Reactor Feedpump Turbines.

Additional reactor vessel level inputs are provided by upset level range instrument (0 to 180 inches at normal operating pressure) biased to compensate for effects of reactor recirculation flow and narrow range water level B biased to compensate for effects of reactor recirculation flow.

The Operator can select from two modes of reactor vessel water level measurement, 1) Auto and 2) Manual. When in Auto, predetermined inputs are averaged or selected to produce a reactor vessel level used for feedwater control. When in Manual, the Operator selects the desired level channel that will represent reactor vessel water level used for feedwater control.

7.7.1.4.3.3 Steam Flow Measurement Steam flow is sensed at each main steamline flow restrictor by a differential pressure transmitter. The steam flow measurement is processed in the digital Integrated Control System.

The main steam line flow inputs will be linearized (square rooted) and input to a total steam flow calculation, control room recorders, meters, alarms, and plant computer points. If any one of the main steam flow inputs is determined to be a bad or bypassed digital input, the input will be substituted with a value equal to the average of the three remaining main steam line flow inputs.

The resultant total steam flow signal is validated against turbine 1st stage pressure which has been converted to a total steam flow. When required minimum main steam line flow signals are not available, turbine 1st stage pressure is substituted for total steam flow.
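The steam flow processing described above (square-root linearization, substitution for one bad or bypassed line, cross-check against first stage pressure, and fallback) can be followed in this added example, which is not code from the FSAR or the plant's control system. Four steam lines are inferred from "the three remaining" inputs; the minimum number of good lines, the validation tolerance, and the per-line scaling are assumptions.

```python
import math

N_STEAM_LINES = 4          # inferred from "the three remaining" inputs in the text
MIN_GOOD_LINES = 3         # assumption: one bad or bypassed line is tolerated
VALIDATION_TOL_PCT = 5.0   # assumption: allowed disagreement, % rated total flow


def linearize(dp_fraction, rated_flow):
    """Square-root extraction: flow is proportional to sqrt(differential pressure).

    dp_fraction is the transmitter output as a fraction of its value at
    rated flow; negative noise around zero is clamped before the root.
    """
    return rated_flow * math.sqrt(max(dp_fraction, 0.0))


def total_steam_flow(dp_inputs, first_stage_flow, line_rated_flow=25.0):
    """Combine the per-line signals into a total steam flow in % rated.

    dp_inputs: one entry per steam line, a dp fraction, or None when the
               input is bad or bypassed.
    first_stage_flow: total steam flow derived from turbine 1st stage
                      pressure, % rated.
    Returns a dict with the selected total, its source, the number of
    substituted lines, and the result of the cross-check.
    """
    if len(dp_inputs) != N_STEAM_LINES:
        raise ValueError("expected one input per main steam line")
    good = [linearize(dp, line_rated_flow) for dp in dp_inputs if dp is not None]
    substituted = N_STEAM_LINES - len(good)

    if len(good) < MIN_GOOD_LINES:
        # Too few line signals: the first stage pressure value is used instead.
        return {"total": first_stage_flow, "source": "first_stage_pressure",
                "substituted_lines": substituted, "validated": False}

    # A bad or bypassed line takes the average of the remaining lines.
    average = sum(good) / len(good)
    flows = [linearize(dp, line_rated_flow) if dp is not None else average
             for dp in dp_inputs]
    total = sum(flows)
    # Cross-check only; the text does not say what follows a failed check.
    validated = abs(total - first_stage_flow) <= VALIDATION_TOL_PCT
    return {"total": total, "source": "steam_lines",
            "substituted_lines": substituted, "validated": validated}
```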

7.7.1.4.3.4 Feedwater Flow Measurement Feedwater flow is sensed at a flow element in each feedwater line by differential transmitters.

The output from the differential transmitters is processed by the digital Integrated Control System. Differential pressure transmitter inputs from the feedwater loop and reactor feedpump discharge lines are summed, averaged, and linearized (square-rooted) for a representative loop feedwater flow. Total feedwater flow is used in digital calculation, control room recorders, meters, alarms, and plant computer points. Total as well as individual feedwater flow is also used as an input to the reactor recirculation pumps (A, B) #1 speed limiter discussed in section 7.7.1.3.3.4.3.

7.7.1.4.3.5 Feedwater/Level Control The digital Integrated Control System accepts systems analog/digital inputs, processes inputs, calculates and compares the system inputs against system requirements, and then outputs digital control signals resulting in reactor vessel feedwater level control. System functions can be controlled either manually or automatically.

During initial startup, reactor vessel level is controlled by the Feedwater Startup Bypass Valve, with pressure supplied by the condensate pump. The Startup Bypass Valve is a manually operated valve that is operated through the Integrated Control System (ICS) HMI screens.

Once a main turbine bypass valve is able to be maintained open, the Low Load Valve is used for Startup Level Control. The Low Load Valve can be operated in automatic or manual through the ICS. The Low Load Valve is used to maintain the desired reactor vessel level while placing the first reactor feed pump in discharge pressure mode. The Startup Bypass Valve can be used to adjust reactor vessel level as well.

When plant conditions warrant, the digital Integrated Control system or an Operator can select single-element feedwater level control. Using selected narrow range reactor level, the control system will send a speed demand signal to the reactor feedpump turbine. Reactor feedpump turbines can be operated in manual or automatic control mode.

The reactor vessel feedwater level control system uses the three-element control to maintain reactor vessel water level within a small margin of optimum water level during plant load changes. The three-element control includes steam flow, feedwater flow, and reactor water level parameters. When plant conditions are such that main steam flow and feedwater flow are stable, the digital Integrated Control System or an Operator can select three-element feedwater level control. Reactor vessel level is compared to the level setpoint resulting in an error signal.

The level error is summed with steam flow; the sum then acts as a remote setpoint and is compared with the feedwater flow. The resulting process variable becomes the reactor feedpump turbine speed control demand. When the level error is zero, steam flow equals feedwater flow. The three element level controller is tuned to respond to level errors and trims the steam flow signal demand to the flow controller to restore level setpoint.
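The difference between single-element and three-element control described above can be seen in a small simulation of a 10% drop in steam flow. This is an added example, not code from the FSAR or the plant's control system; the plant model (a simple mass balance with a pump lag, no shrink or swell), the PI tuning, and the 35 inch setpoint are constructed assumptions.

```python
def simulate(three_element, duration_s=600.0, dt=0.05):
    """Step steam flow from 100% to 90% at t = 10 s.

    Returns (peak level deviation, final level deviation) in inches.
    All constants below are constructed values, not plant data.
    """
    k_level = 0.05               # inches of level per (% flow mismatch * s)
    tau_pump = 2.0               # s, lag from speed demand to feedwater flow
    kp_l, ki_l = 2.0, 2.0 / 60   # level controller (PI), % per inch
    kp_f, ki_f = 1.0, 1.0        # flow controller (PI), three-element only
    setpoint = 35.0              # inches, constructed

    level, feed_flow = setpoint, 100.0
    # Integrators start at the values that hold 100% flow in steady state.
    level_int = 0.0 if three_element else 100.0 / ki_l
    flow_int = 100.0 / ki_f
    peak = 0.0

    for i in range(int(duration_s / dt)):
        t = i * dt
        steam_flow = 100.0 if t < 10.0 else 90.0

        # Level is compared with the setpoint, giving the level error.
        level_error = setpoint - level
        level_int += level_error * dt
        level_out = kp_l * level_error + ki_l * level_int

        if three_element:
            # Level error trims steam flow; the sum is the remote setpoint
            # that the flow controller compares with feedwater flow.
            flow_setpoint = steam_flow + level_out
            flow_error = flow_setpoint - feed_flow
            flow_int += flow_error * dt
            speed_demand = kp_f * flow_error + ki_f * flow_int
        else:
            # Single element: the level controller output is the demand.
            speed_demand = level_out

        # Feed pump turbine follows the speed demand with a first-order lag;
        # delivered flow is taken as proportional to speed.
        feed_flow += (speed_demand - feed_flow) / tau_pump * dt
        # Vessel inventory: level moves with the feed/steam mismatch.
        level += k_level * (feed_flow - steam_flow) * dt
        peak = max(peak, abs(level - setpoint))

    return peak, abs(level - setpoint)


def compare():
    """Peak level deviation for each control mode, in inches."""
    return {"three_element": simulate(True)[0],
            "single_element": simulate(False)[0]}
```

With these constructed values the three-element loop holds the excursion under an inch because the steam flow term moves feedwater demand before level has changed, while the single-element loop lets level drift several inches before the level controller recovers it.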

7.7.1.4.3.5.1 Interlocks The level control system also provides interlocks and control functions to other systems. When one of the reactor feed pumps is lost, recirculation flow is reduced to within the power capabilities of the remaining reactor feed pumps. This reduction aids in avoiding a low level scram by reducing the steaming rate. Reactor recirculation flow is also reduced on sustained low feedwater flow to ensure that adequate NPSH will be provided for the recirculation system.

Interlocks from steam flow and feedwater flow are used to initiate insertion of the rod worth minimizer block. An alarm on low steam flow indicates that the above rod worth minimizer insertion interlock setpoint is being approached. Alarms are also provided for (1) high and low water level and (2) reactor high pressure. Interlocks will trip the plant turbine and feedwater pumps in event of reactor high water level.

7.7.1.4.3.6 Turbine-Driven Feedwater Pump Control Feedwater is delivered to the reactor vessel through turbine-driven feedwater pumps, which are arranged in parallel. The turbines are driven by steam from the reactor vessel. During planned operation, the feedwater control signal from the level controller is fed to the turbine speed control systems, which adjust the speed of their associated turbines so that feedwater flow is proportional to the feedwater demand signal.

Each turbine is controlled by the digital Integrated Control System, Reactor Feedwater Pump Turbine (RFPT) Speed Control. Each RFPT is controlled by redundant control processors to maximize reliability and limit the plant to a loss of a single reactor feedpump turbine upon the loss of any one of the control processors. The reactor feedwater pump turbine speed control, in conjunction with Operator human machine interface, controls the mode of operation of each reactor feedpump turbine. If Operator initiated automatic control is not available, the turbine speed can be controlled manually. In the automatic mode, upon the loss of Feedwater Level Control required input, the reactor feedwater pump turbine speed controller will default to Manual with its output at the last known good value.

The RFPT Speed Control system is equipped with redundant primary and back-up turbine speed control processors to position the Governor Control valve. Upon failure of the primary speed control processor, the backup processor will automatically assume control and maintain the control signal to the RFPT. Failure of both speed control processors will result in a RFPT trip.

Separate independent manual trip features for the reactor feedpumps are provided. These features consist of a local manual trip switch located on elevation 676 of the turbine building, and a remote manual trip switch for each RFPT located in the Main Control Room.

7.7.1.4.3.7 Testability All feedwater flow control system components can be tested and inspected according to manufacturers' recommendations. This can be done prior to plant operation and during scheduled shutdowns. Reactor vessel water level indications from the three water level sensing systems can be compared during normal operation to detect instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect inconsistencies in their signals. Access to the digital Integrated Control System constants, adjustable alarming features, scaling data & settings, and function blocks is available during operation. Certain analog process inputs to the digital Integrated Control System have maintenance bypass capability to maintain component testability. When in maintenance bypass, an alarm is provided on the digital Integrated Control System human machine interface panel.

7.7.1.4.4 Environmental Considerations The feedwater control system is not required for safety purposes, nor is it required to operate after the design basis accident. This system is required to operate in the normal plant environment for power generation purposes only. The reactor feed pumps in the turbine building experience the normal design environments listed in Table 3.11-1.

7.7.1.4.5 Operational Considerations

7.7.1.4.5.1 General Information The digital Integrated Control System including reactor vessel feedwater level control and reactor feedpump turbine speed control is operated through human machine interface (HMI) workstations located in the main control room. At the operator's discretion, the system can be operated either manually or automatically via the push keys indicated on the soft touch panel.

Manual or automatic operation can also be performed at the workstation located in the control structure computer room.

External to the HMI, a Reactor Feedpump Turbine manual trip switch is provided for each reactor feedpump turbine control; the switches are located in the main control room and the turbine building elevation 676.

In event of loss of feedwater, the reactor will automatically scram as a result of low water level (trip level 3). Reactor water level will continue to decrease until low water level (trip level 2) is reached.

The Loss-of-Feedwater analysis in Section 15.2.7 conservatively assumes that main steam isolation valve closure initiates at Level 2; however, MSIVs would not actually close until reactor vessel water level reaches Level 1. MSIV closure is not expected for the Loss-of-Feedwater transient because water level would not reach Level 1 with HPCI and RCIC operable. HPCI and RCIC systems automatically start and water level will be maintained.

7.7.1.4.5.2 Reactor Operator Information Indicators and alarms, provided to keep the operator informed of the status of the system, are as noted in previous subsections.

7.7.1.4.5.3 Setpoints The subject system has no safety setpoints.

7.7.1.5 Pressure Regulator and Turbine-Generator Control System

7.7.1.5.1 Power Generation Design Bases The pressure regulator and turbine-generator control system must maintain a constant turbine inlet pressure (within the range of the regulator controller proportional load setting). In conjunction with the reactor recirculation flow control system, the reactor pressure is controlled from startup, through normal operation, and to shutdown.

The control system must control the speed and the acceleration of the turbine from zero to 100 percent of rated speed.

The control system must match the nuclear steam supply to the steam requirements as determined by the load requirement.

A block diagram of the turbine controls is shown in Figure 7.7-15.

7.7.1.5.2 Power Sources Power for the pressure regulator and turbine-generator control system is supplied by a 120 VAC, 60 Hz, single phase, uninterruptible power supply and a 125 VDC station battery. See Subsections 8.3.1.8 and 8.3.2.1.1.8.

A permanent magnet generator (PMG) on the turbine shaft supplies 115 VAC, 3 phase, 420 Hz for speeds above 1800 RPM.

7.7.1.5.3 Equipment Design

7.7.1.5.3.1 System Description The turbine-generator control system is a GE Mark I Electrohydraulic Control (EHC) system. Solid state control circuitry in combination with high pressure hydraulic systems provide schemes for turbine steam pressure regulation, steam bypassing to condenser, turbine speed controlling, and load following capability.

7.7.1.5.3.2 Steam Pressure Control The steam pressure control unit compares the actual main steam pressure with the desired reference pressure, determined by the load requirement, and generates a total steam flow demand.

The pressure reference signal is produced by a motor-operated device that can be operated by local pushbuttons or remote control signals.

The modified pressure error signal is produced twice by redundant devices. The two pressure error signals are fed into a gating circuit that accepts the lower pressure as a control signal with the higher becoming the backup.

The steam pressure control unit provides the control valve flow signal and bypass control unit and automatic load following signals.

7.7.1.5.3.3 Steam Bypass System The steam bypass control unit compares the desired control valve flow signal with the total steam flow signal. The resulting error signal which is biased from 5 to 15% to prevent continuous opening and closing of the bypass valves provides the desired bypass valve flow signal.

The bypass valve jack is a motor-operated device used for setting a bypass valve position reference during startup and shutdown of the reactor. This motor-operated device can be operated by local pushbuttons or remote control signals.

Limit signals are also produced by the maximum combined flow limit and the condenser vacuum pressure switches.

7.7.1.5.3.4 Turbine Speed System/Load Control System

The speed control unit compares the actual turbine speed with the desired speed reference, and the actual acceleration with the desired acceleration reference to provide an error signal to the load control unit.

When the speed reference signal changes by a step, the acceleration control takes over to accelerate the turbine, at the selected rate, to the new speed reference. Upon a decrease of the speed reference, the turbine will coast down with the valves closed. The valves will reopen when the new desired speed is reached.

Because of the extreme importance in safeguarding against overspeed, the speed control unit has two redundant channels. Loss of both speed signals will shut down the turbine.

The load control unit provides flow control signals to the control valves and intercept valves, and modified speed error and load reference signals to the automatic load following circuit.

The load reference signal is produced by a motor-operated device that can be operated by local pushbuttons or remote control signals.

The load reference device can be calibrated for rated speed and steam conditions independent of speed regulation. When the generator is not on the line, the load reference signal is a speed adjustment and is used for synchronizing the turbine.

When the generator loses the electrical load, the load control unit initiates the action to rapidly close the control valves and the intercept valves to essentially stop the steam flow to the turbine.

7.7.1.5.3.5 Turbine Generator to Reactor Protection System Interface

Two conditions, turbine stop valve closure and turbine control valve fast closure, initiate reactor scram when reactor power is above 26 percent of rated.

The turbine stop valve closure signal is generated before the turbine stop valves have closed more than 10 percent. This signal originates from position switches that sense stop-valve motion away from fully open. Four limit switches are provided equally among the turbine stop valves. The switches are closed when the stop valves are fully open and open within 10 milliseconds after the setpoint is reached. The switches are electrically isolated from each other and from other turbine plant equipment.

The control valve fast closure signal is generated by four turbine oil line pressure switches which sense hydraulic oil pressure decay. This signal is developed utilizing one-out-of-two taken twice relay logic. The switches are closed when the valves are open and open within 30 milliseconds after the control valves start to close in a fast closure mode.

Four turbine first-stage pressure switches, which measure equivalent steam flow, are provided for bypassing the stop valve closure and control valve fast closure inputs at reactor power levels below 26 percent.
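The failure tolerance of the one-out-of-two taken twice arrangement described above can be checked by enumerating stuck switches. This is an added example, not part of the FSAR; the switch labels A1, A2, B1 and B2, their pairing into two trip systems, and the stuck-open/stuck-closed fault model are assumptions made for illustration.

```python
from itertools import combinations

# Assumed labels and grouping (not given on the page): switches A1 and A2 feed
# trip system A, switches B1 and B2 feed trip system B.
SWITCHES = ("A1", "A2", "B1", "B2")
HEALTHY, STUCK_CLOSED, STUCK_OPEN = "healthy", "stuck_closed", "stuck_open"


def contact_open(fault, fast_closure):
    """Return True if a switch contact is open (the tripped state).

    Per the text, contacts are closed while the valves are open and open when
    fast closure starts. A stuck contact ignores the process condition.
    """
    if fault == STUCK_CLOSED:
        return False
    if fault == STUCK_OPEN:
        return True
    return fast_closure


def trip_systems(faults, fast_closure):
    """One-out-of-two within each trip system: either switch trips its system."""
    is_open = {s: contact_open(faults[s], fast_closure) for s in SWITCHES}
    return (is_open["A1"] or is_open["A2"], is_open["B1"] or is_open["B2"])


def scram_signal(faults, fast_closure, bypassed=False):
    """Taken twice: both trip systems must trip; the low-power bypass blocks it."""
    sys_a, sys_b = trip_systems(faults, fast_closure)
    return sys_a and sys_b and not bypassed


def minimal_fault_sets(fault_kind, fast_closure, wrong_output):
    """Smallest sets of switches that, all failing as fault_kind, force wrong_output."""
    found = []
    for size in range(len(SWITCHES) + 1):
        for combo in combinations(SWITCHES, size):
            if any(set(prev) <= set(combo) for prev in found):
                continue  # a smaller set inside this one already does it
            faults = {s: fault_kind if s in combo else HEALTHY for s in SWITCHES}
            if scram_signal(faults, fast_closure) == wrong_output:
                found.append(combo)
    return found


def single_switch_test(switch):
    """Open one contact while the valves are open, one switch at a time."""
    faults = {s: STUCK_OPEN if s == switch else HEALTHY for s in SWITCHES}
    return trip_systems(faults, False), scram_signal(faults, False)


ALL_HEALTHY = {s: HEALTHY for s in SWITCHES}

if __name__ == "__main__":
    # Switch failures needed to miss a real fast closure.
    print("missed trip needs:", minimal_fault_sets(STUCK_CLOSED, True, False))
    # Switch failures needed to produce a signal with the valves open.
    print("spurious trip needs:", minimal_fault_sets(STUCK_OPEN, False, True))
    for s in SWITCHES:
        print(s, single_switch_test(s))
    print("bypassed:", scram_signal(ALL_HEALTHY, True, bypassed=True))
```

Under these assumptions no single switch failure either blocks the signal or produces it spuriously, and opening one contact alone trips only its own trip system.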

7.7.1.5.3.6 Turbine-Generator to Main Steam Isolation System Interface

The turbine-generator interfaces with the main steam isolation system through the condenser vacuum switches. Four independent main condenser vacuum switches provide isolating signals to the main steam isolation valves. Each vacuum switch has its own isolation (root valve) and pressurizing source connection for testing. Pressure switch contacts open on low vacuum.

Condenser vacuum switches are also discussed in Subsection 7.3.1.1a.2.4.1.13.

7.7.1.5.3.7 Inspection and Testing

Testing controls are provided for testing the turbine valve reactor protection system interface signal switches.

Each stop valve is individually stroked to full closure.

One control valve fast closure hydraulic oil pressure switch is actuated at a time by actuating test valves in the pressure switch sensing line.

Each main condenser low vacuum switch is individually tested.

7.7.1.5.4 Environmental Considerations

The turbine-generator control system is required to operate in the normal plant environment for power generation purposes only.

Instruments and controls on the turbine experience the turbine building normal design environment as listed in Table 3.11-1.

The logic, remote control units, and instrument terminals located in the control structure experience the environment as listed in Table 3.11-1.

7.7.1.5.5 Operational Considerations

Process variables which are controlled by the pressure regulator and speed/load control systems are displayed on the turbine-generator section of the main control board. Manual and automatic control modes for the various turbine-generator operational modes (such as startup, normal operation, and shutdown) are available to the operator from the main control board. Auto display lights are provided to inform the operator of the operating mode of the turbine-generator unit.

In the event of control malfunction during an automatic control mode, control is transferred to the manual mode, with an alarm to alert the operator of the condition.

7.7.1.6 Neutron Monitoring System - Traversing In-core Probe (TIP) Subsystem - Instrumentation and Controls

7.7.1.6.1 System Identification

7.7.1.6.1.1 General

Flux readings along the axial length of the core are obtained by fully inserting the traversing ion chamber into one of the calibration guide tubes, then taking data as the chamber is withdrawn.

The data goes directly to the computer. One traversing chamber and its associated drive mechanism is provided for each group of up to nine fixed in-core assemblies.

The control of the subject system is discussed in this section.

7.7.1.6.1.2 Classification

This system is a power generation system, and is classified as not related to safety.

START HISTORICAL

7.7.1.6.1.3 Reference Design

Table 7.1-2 lists reference design information. The subject instrumentation and control system is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities. This system is functionally identical to the referenced system.

END HISTORICAL

7.7.1.6.2 Power Sources

The power for the subject system is supplied from the instrument AC power source.

7.7.1.6.3 Equipment Design

7.7.1.6.3.1 General

The number of TIP machines is indicated in Dwgs. M1-C51-35, Sh. 1 and M1-C51-35, Sh. 2. The TIP machines have the following components:

(1) One Traversing in-core probe (TIP),

(2) One drive mechanism,

(3) One indexing mechanism, and

(4) Up to 10 in-core guide tubes.

The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated TIP machine.

7.7.1.6.3.2 Equipment Arrangement

A TIP drive mechanism uses a fission chamber attached to a flexible drive cable (Figure 7.7-14). The cable is driven from outside the drywell by a gearbox assembly. The flexible cable is contained by guide tubes that penetrate the reactor core. The guide tubes are a part of the LPRM detector assembly. The indexing mechanism allows the use of a single detector in any one of ten different tube paths. The 10th tube is used for TIP cross calibration with the other TIP machines.

The control system provides for both manual and semi-automatic operation. Electronics of the TIP panel amplify and display the TIP signal. Core position versus neutron flux is recorded on an X-Y recorder on a backrow panel in the main control room and is provided to the computer. Actual operating experience has shown the system to reproduce within 1.0% of full scale in a sequence of tests (Reference 7.7-1).

Because the TIP system equipment is placed outside but must penetrate an area where containment integrity is needed, the following TIP isolation system is provided. A valve system is provided with a valve on each guide tube entering the drywell. These valves are closed except when the TIP is in operation. A ball valve and a cable shearing valve are mounted in the guide tubing just outside the drywell. They maintain the leak tightness integrity of the drywell. A valve is also provided for a nitrogen gas purge line to the indexing mechanisms. A guide tube ball valve opens only when the TIP is being inserted. The shear valve is used only if a leak occurs when the TIP is beyond the ball valve and power to the TIP fails. The shear valve, which is controlled by a manually operated keylock switch, can cut the cable and close off the guide tube. The shear valves are actuated by detonation squibs.

The continuity of the squib circuits is monitored by indicator lights in the main control room. Upon receipt of containment isolation command from the NSSS, all machines are put in automatic full speed withdraw condition, removing the TIP detector from the containment and allowing the ball valves to close. The purge valve is also closed at this time. Manual reset is required to reopen the ball valves after an isolation signal has been cleared.

7.7.1.6.3.3 Testability

The TIP equipment is tested and calibrated using heat balance data and procedures described in the instruction manual.

7.7.1.6.4 Environmental Considerations

The equipment and cabling located in the drywell are designed for the environments described in Section 3.11.

7.7.1.6.5 Operational Considerations

The TIP can be operated during reactor operation to calibrate the APRMs. The subject system has no safety setpoints.

7.7.1.7 Plant Integrated Computer System and Reactor Data Analysis System (RDAS) Instrumentation

The plant computer and RDAS systems are identified below. For initial cores, the NSS plant computer will perform the periodic core performance evaluations. For reload cores the RDAS will perform the periodic core performance evaluations.

7.7.1.7.1 System Identification

The Plant Integrated Computer System consists of the following:

1. Generation and Updates of displays
2. NSSS Calculations
3. Balance of Plant Calculations
4. Historical Recording

The following computer system provides additional NSS information:

5. Reactor Data Analysis System (RDAS)

7.7.1.7.1.1 General Objectives

The objectives of the Plant Integrated Computer System are to monitor unit operation, generate graphic displays for operator use and optimize operator surveillance, perform BOP calculations, log data, make historical records, generate graphic displays and alarm status summary display, and provide off line capabilities. The objectives of the Plant Integrated Computer System and the RDAS computer system are to provide a quick and accurate determination of core thermal performance; to improve data reduction, accounting, and logging functions; and to supplement procedural requirements for control rod manipulation during reactor startup and shutdown.

7.7.1.7.1.2 Classification

The Plant Integrated Computer System and RDAS are classified as non-safety related.

7.7.1.7.1.3 Reference Design

Table 7.1-2 lists similarities of reference design information for Susquehanna SES compared to other plants.

7.7.1.7.2 Power Sources

The power for the Plant Integrated Computer System and RDAS is supplied from a designated uninterruptible power supply backed up by an engineered safeguard supply (standby power).

See Subsection 8.3.1.8.

7.7.1.7.3.1 System Description

The Plant Integrated Computer System is a multi-processor computer system linked together via network technology.

The RDAS consists of two fully redundant processors (see Subsection 7.7.1.7.3.1.1).

7.7.1.7.3.1.1 Reactor Data Analysis System (RDAS)

RDAS consists of the following units:

Two redundant computers (CPUs)

Third external computer to support Remote Engineering Access

One CPU typically will monitor data from both the Unit 1 and Unit 2 Plant Integrated Computer Systems and perform NSS calculations using the Powerplex software. The second CPU serves as a backup to the other computer and typically will handle user requests for off line calculations.

Both CPUs are connected to the Level 4 Plant network by Ethernet cable.

The third external CPU receives data from the primary internal CPU and performs the same calculations using the Powerplex software. The third external CPU is connected to the Level 2 Plant network to support remote engineering monitoring functions.

7.7.1.7.3.2 Testability

The NSS computer system has some self-checking provisions. It performs diagnostic checks to determine the operability of certain portions of the system hardware and performs internal programming checks to verify that input signals and selected program computations are either within specific limits or within reasonable bounds.

7.7.1.7.4 Environmental Considerations

All the computer equipment is designed for continuous duty up to 95°F, 80% relative humidity ambient. This equipment is installed in an air-conditioned room.

7.7.1.7.5 Operational Considerations

7.7.1.7.5.1 General Information

The local power density of every 6-inch segment for every fuel assembly is calculated by the RDAS computer system using plant inputs of pressure, temperature, flow, LPRM levels, control rod positions, and the calculated fuel exposure. Total core thermal power is calculated from a reactor heat balance. Iterative computational methods are used to establish a compatible relationship between the core coolant flow and core power distribution. The calculated results yield local power at specified axial segments for each fuel bundle in the core.

After the power distribution is calculated, the RDAS system computes the appropriate reactor core thermal margins. These most recently calculated thermal margins are compared to the Thermal Limits Surveillance Alarm (TLSA) setpoints and an alarm is annunciated when the TLSA setpoints are exceeded. The TLSA thereby assists the operator to maintain core operation within permissible thermal limits established by prescribed maximum fuel rod power density, maximum average planar linear heat generation rate, and minimum critical power ratio criteria.

The core power distribution calculation sequence is completed periodically and on demand.

Subsequent to executing the program the computer prints a periodic log for record purposes.

Each minute as data is transferred from the NSS computer to the RDAS system, an analysis is performed which compares the current values of core thermal power, core flow, control rod positions, reactor pressure, and APRMs with the values from the most recently performed power distribution calculation. If the percent deviation of a selected data point exceeds a trigger limit, a new power distribution calculation is performed automatically. This trigger logic combined with TLSA setpoints provides nearly continuous core monitoring during reactor power level changes with the assurance that warning is provided when thermal operating limits are being approached.

Flux level and position data from the traversing in-core probe (TIP) equipment are read into the computer. The computer evaluates the data and determines gain adjustment factors by which the LPRM amplifier gains can be altered to compensate for exposure-induced sensitivity loss. The LPRM amplifier gains are not to be physically altered except immediately prior to a whole core calibration using the TIP system. The gain adjustment factor computations help to indicate to the operator when such a calibration procedure is necessary.

Using the power distribution data, a distribution of fuel exposure increments from the time of previous power distribution calculation is determined and is used to update the distribution of cumulative fuel exposure. Each fuel bundle is identified by batch and location, and its exposure is stored for each of the axial segments used in the power distribution calculation. These data are printed out on operator demand.

Exposure increments are determined periodically for each quarter-length section of each control rod and also for each 6" segment by RDAS. The corresponding cumulative exposure totals are periodically updated and printed out on operator demand.

The exposure increment of each local power range monitor is determined periodically and is used to update both the cumulative ion chamber exposures and the correction factors for exposure-dependent LPRM sensitivity loss. These data are printed out on operator demand.

The RDAS computer system provides on-line capability to determine monthly and on-demand isotopic composition for each fuel bundle in the core. This evaluation consists of computing the weight of one neptunium, three uranium, and five plutonium isotopes as well as the total uranium and total plutonium content. The isotopic composition is calculated for each fuel bundle and summed accordingly by bundles and batches. The method of analysis consists of relating the computed fuel exposure and average void fraction for the fuel to computer stored isotopic characteristics applicable to the specific fuel type.

7.7.1.7.5.2 Reactor Operator Information

Major components are arranged as shown in Figure 6.4-1c. Functional description and operational arrangement is as follows:

Unit Operating Benchboard (H12-P680) (Panel C651) - houses controls, annunciators and displays, including the control rod position display. The primary process displays are computer generated formats from the Plant computers. All variables in the DCS displays that are required for unit operation, startup and shutdown are displayed on hardwired indicators on either the Unit Operating Benchboard or the Standby Information Panel. These variables in both the primary process displays and hardwired indicators generally originate from the same source.

Standby Information Panel (H12-P678) (C652) - houses hardwired indicators and recorders required to startup, run, and shutdown the plant without the use of the Plant Integrated Computer System. It is a hardwired backup to the Plant Integrated Computer System.

Reactor Core Cooling System BB (H12-P601) (C601) - houses hardwired indicators, recorders, annunciators and controls for unit BOP system's functions which do not require the operator's immediate attention during normal operation of the power plant. Functions on this panel have been determined to be long time response functions.

Common Plant Benchboard (H12-P853) (C653) - houses hardwired indicators, recorders, annunciators and controls for systems which are common to Units 1 and 2. It also houses two displays connected to the Plant Integrated Computer System.

Unit Monitoring Console (C92-P628) (C684) - provides the unit operator sit down surveillance of the Unit Operating Benchboard and access to Plant Integrated Computer displays.

Safety Parameter Display System/Plant Monitoring Console (C667) - provides sit down surveillance of both units and access to Plant Integrated Computer System displays and Plant Integrated Computer System Functions as well as SPDS displays.

The annunciator system is a hardwired system which provides the operator with the alarm information required for unit operation, startup, and shutdown. Although this system is independent of the Plant Integrated Computer System, the computer system does provide redundant and auxiliary alarm information as AID's and the alarm status summary display.

The Plant Integrated Computer System collects unit process information and presents it on nine of the ten video displays on the Unit Operating Benchboard. One of these nine displays tabulates all actuated alarms. This display may be manually switched to other displays if operating conditions should require. The tenth display is used for operator I/O functions.

Approximately 60 display formats are available to the operator to present process information according to operating mode of the plant.

Plant Integrated Computer System displays are arranged by system. Each system has a set of formats. Each format is appropriate to an operating mode of the plant. The operator's designation of the plant operating mode by depressing a pushbutton will automatically cause a format appropriate to that mode to be displayed on each system display. However, the format on any display may be manually selected by the operator.

Each system format uses the bottom lines for Alarm Initiated Displays (AID). When certain variables reach a predetermined limit, (generally the limit is prior to an actual alarm or trip limit) the variable appears in the bottom lines along with other preselected variables. This display provides the operator with specific pre-trip information which is designed to allow him to take action to prevent the trip or alleviate its effects.

7.7.1.8 Reactor Water Cleanup (RWCU) System - Instrumentation and Controls

7.7.1.8.1 System Identification

7.7.1.8.1.1 General

The purpose of the reactor cleanup system instrumentation and control is to provide protection for the system equipment from overheating and overpressurization and to provide operator information concerning the effectiveness of operation of the system.

7.7.1.8.1.2 Classification

This is a power generation system and is classified as not related to safety.

START HISTORICAL

7.7.1.8.1.3 Reference Design

Table 7.1-2 lists reference design information. The subject control system is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities. This system is functionally identical to the referenced system.

END HISTORICAL

7.7.1.8.2 Power Sources

The RWCU system instrumentation and controls are fed from the plant instrumentation bus. No backup power source is necessary since the RWCU system is not a safety-related system.

Adequate fuse protection is provided so that a short circuit within the system will have only a local effect which can be easily corrected without interrupting the reactor operation.

7.7.1.8.3 Equipment Design

7.7.1.8.3.1 General

The reactor water cleanup system is described in Subsection 5.4.8. This subsection describes the systems used to protect the resin and the filter-demineralizer. These circuits are shown in Dwgs. M-144, Sh. 1 and M-144, Sh. 2 and the operating logic is shown in Dwg. M1-G33-143, Sh. 1.

7.7.1.8.3.2 Circuit Description

To prevent resins from entering the reactor recirculation system in the event of a filter-demineralizer resin support failure, a strainer is installed on the outlet of each filter-demineralizer unit. Each strainer is provided with a control room alarm, which is energized by high differential pressure. A bypass line is provided around the filter-demineralizer units for bypassing the units when necessary. Dwg. M-145, Sh. 1 describes the filter-demineralizer instrumentation and control.

Relief valves and instrumentation are provided to protect the equipment against over-pressurization and the resins against overheating. The system is automatically isolated and the pumps tripped for the reasons indicated when signaled by any of the following occurrences:

(1) High temperature downstream of the nonregenerative heat exchanger - to protect the ion exchange resins from deterioration due to high temperature,

(2) Reactor vessel low water level - to protect the core in case of a possible break in the reactor water cleanup system piping and equipment (see Subsection 7.3.1.1a.2.4.1.1).

(3) Standby Liquid Control System actuation - to prevent removal of the boron by the cleanup system filter-demineralizers,

(4) High cleanup system ambient room temperature - (part of the plant leak detection system),

(5) High change in system inlet flow in comparison to the system outlet flow - (part of the plant leak detection system).

(6) High differential pressure (flow) sensed in the pump suction line - (part of the plant leak detection system).

In the event of low flow or loss of flow in the system, flow is maintained through each filter-demineralizer by its own holding pump. Sample points are provided upstream and downstream of each filter-demineralizer unit for continuous indication and recording of system conductivity. High/low conductivity is annunciated in the main control room. The influent sample point is also used as the normal source of reactor coolant samples. Sample analysis also indicates the effectiveness of the filter-demineralizer units.

7.7.1.8.3.3 Testability

Because the reactor water cleanup system is usually in service during plant operation, satisfactory performance is demonstrated without the need for any special inspection or testing beyond that specified in the manufacturer's instructions.

7.7.1.8.4 Environmental Considerations

The reactor water cleanup system is not required for safety purposes, nor required to operate after the design basis accident. The reactor water cleanup system is required to operate in the normal plant environment for power generation purposes only.

RWCU instrumentation and controls located in the RWCU equipment area are subject to the environment shown on Dwg. C-1815, Sh. 9.

7.7.1.8.5 Operational Considerations

7.7.1.8.5.1 General Information

The reactor water cleanup system-instrumentation and control is not required for safe operation of the plant. It provides a means of monitoring parameters of the system and protecting the system.

7.7.1.8.5.2 Reactor Operator Information

Refer to the RWCU system instrumentation and control Dwgs. M-144, Sh. 1, M-144, Sh. 2 and Dwg. M1-G33-143, Sh. 1.

7.7.1.8.5.3 Setpoints

Setpoints related to RWCU isolation are discussed in Subsection 7.3.1.1a.2.4.1.9.

There are no safety-related setpoints in the RWCU.

START HISTORICAL

7.7.1.9 Transient Monitoring System for Startup Testing

A General Electric Co. (GE) Transient Recording System is used as a part of Startup Testing (Low Power and Power Ascension Testing) for purposes of measurement and recording of process transients. The system is a computer-based data acquisition and analysis system called GETARS.

This system will provide a permanent record (in digital format) of test results in the form of output plots from the system.

GETARS will be located within sight of the plant-operator interface area of the control room.

Communications will be provided between GETARS and the operator interface area.

7.7.1.9.1 Transient Monitoring System (TMS) Description

The equipment for providing and conditioning of transient signals for GETARS is called the Transient Monitoring System (TMS). The scope of this system includes permanent mounting of devices in NSSS and non-NSSS panels and permanent installation of signal cables from the systems panels to a permanent control room panel. This panel collects and conditions the TMS signals and is called the Transient Monitoring Panel (TMP).

7.7.1.9.2 Piping Thermal Expansion and Vibration Measurement

Measurements of piping thermal expansion and vibration during startup testing are handled by the use of multiplexing signals directly to GETARS. Signal conditioning and multiplexers are provided as packages and use cable from each multiplexer (one inside containment and one outside) to a master receiver that interfaces with GETARS. Instrumentation and multiplexers are temporarily installed and will be removed at the conclusion of the testing. Neither the equipment nor the cable used for these measurements is safety related.

END HISTORICAL

7.7.1.10 Refueling Interlocks System - Instrumentation and Controls

7.7.1.10.1 System Identification

The purpose of the refueling interlocks system is to restrict the movement of control rods and the operation of refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations.

This equipment is not required to operate during a seismic event. The operability of the equipment can be verified after a seismic event without jeopardizing safety.

7.7.1.10.2 Power Sources

There is only one source of power for both channels of the logic circuits (see Subsection 7.7.1.10.3.2). However, this power source supplies the Control Rod Drive System as well. A failure of this power supply will prevent any rod motion.

7.7.1.10.3 Equipment Design

7.7.1.10.3.1 Circuit Description

The refueling interlocks circuitry senses the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated to prevent the movement of the refueling equipment or withdrawal of control rods (rod block). Circuitry is provided to sense the following conditions:

(1) All rods inserted (see Subsection 7.7.1.10.3.2)

(2) Refueling platform positioned near or over the core

(3) Refueling platform hoists loaded (fuel grapple, frame-mounted hoist, trolley-mounted hoist)

(4) Service platform hoist bypass plug plugged in, and

(5) Reactor Mode Switch in "Refuel" position

7.7.1.10.3.2 Logic and Sequencing

The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement (Figure 7.7-2). A two-channel circuit indicates that all rods are in. The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe. The rod-in switch must be closed for each rod before the all-rods-in signal is generated. This is not the same switch that provides rod position information to the process computer and four rod position display. Both channels of RMCS activity control must register the all-rods-in signal in order for the refueling interlock circuitry to indicate the all-rods-in condition.

During refueling operations, no more than one control rod is permitted to be withdrawn; this is enforced by a redundant logic circuit that uses the all-rods-in signal and a rod selection signal to prevent the selection of a second rod for movement with any other rod not fully inserted. Control rod withdrawal is prevented by comparison checking between the A and B portions of the reactor manual control system and subsequent message transmission to the affected control rod. The simultaneous selection of two control rods is prevented by the multiplexing action of the rod select circuitry and by feedback which latches the selected rod's identity in a holding register. With the mode switch in REFUEL, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.

Operation of refueling equipment is prevented by interrupting the power supply to the equipment.

The refueling platform is provided with two mechanical switches attached to the platform, adjacent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel to indicate the approach of the platform toward its position over the core.

Load cell read-out for the operator is provided for all hoists. The main hoist, frame-mounted auxiliary hoist and monorail auxiliary hoist load sensing is by a strain-gauge load cell with associated electronic setpoint modules and indicators.

The three hoists on the refueling platform are provided with switches that open when the hoists are fuel-loaded. The switches open at a load weight that is lighter than that of a single fuel assembly. This indicates when fuel is loaded on any hoist.

7.7.1.10.3.3 Bypasses and Interlocks

The service platform is not used and has been eliminated. The bypass plug is installed in the service platform power connection box on the refuel floor. This plug bypasses the service platform hoist loaded interlock allowing control rod withdrawal with the mode switch in the STARTUP or REFUEL positions.

The rod block interlocks and refueling platform interlocks provide two independent levels of interlock action. The interlocks which restrict operation of the platform hoist and grapple provide a third level of interlock action since they would be required only after a failure of a rod block and refueling platform interlock. The strict procedural control exercised during refueling operations may be considered a fourth level of backup.

When using the opposite unit's refueling platform on the refuel unit for fuel handling activities (U1 platform refueling U2 reactor and vice versa), the refuel unit's idle platform may be powered from an alternate source which does not have the RMCS refuel interlock interface. When powered from the alternate source, the refuel unit's platform becomes an auxiliary work platform over the dryer-separator storage pool or reactor vessel. In this configuration, the Main Hoist on this work platform will be in a stowed position and therefore physically disabled from handling fuel. The Auxiliary Hoists (i.e., Frame and Monorail Hoists) on the work platform will be administratively controlled from operation in the vessel if the Steam Separator is removed. In addition to the RMCS refueling interlocks, any boundary zone or travel interlocks may also be defeated for the platform functioning as an auxiliary work platform.

7.7.1.10.3.4 Redundancy and Diversity

The refueling interlocks are not designed nor required to meet the IEEE 279-1971 criteria for Nuclear Power Plant Protection Systems. Failure of the refueling interlocks will neither cause an accident nor prevent safety-related systems from performing their protective actions. They are provided for use during planned refueling operations. Criticality is prevented during the insertion of fuel, provided control rods in the vicinity of the vacant fuel space are fully inserted during the fuel insertion. The interlock systems accomplish this by:

(1) Preventing operation of the loaded refueling equipment over the core whenever any control rod is withdrawn.

(2) Preventing control rod withdrawal whenever fuel loading equipment is over the core.

(3) Preventing withdrawal of more than one control rod when the mode switch is in the refuel position.

The refueling interlocks have been carefully designed utilizing redundancy of sensors and circuitry to provide a high level of reliability and assurance that the stated design bases will be met. Each of the individual refueling interlocks discussed above need not meet the single failure criterion because, for any of the "situations" listed in Table 7.7-2, a single interlock failure will not cause an accident or result in potential physical damage to fuel or result in radiation exposure to personnel during fuel handling operations.

7.7.1.10.3.5 Actuated Devices

The refueling interlocks from the Reactor Manual Control System to the refueling equipment trip a relay in the refueling equipment controls which interrupts power to the equipment and prevents it from moving over the core.

The interlocks from the refueling equipment to the Reactor Manual Control System actuate circuitry that provides a control rod block. The rod block prevents the operator from withdrawing any control rods.

7.7.1.10.3.6 Separation

The refueling interlocks are not designed nor required to meet the IEEE 279-1971 criteria for Nuclear Power Plant Protection Systems. However, a single interlock failure will not cause an accident. Refueling interlocks are used in conjunction with administrative controls during planned refueling operations.

7.7.1.10.3.7 Testability

Complete functional testing of all refueling interlocks before any refueling outage will positively indicate that the interlocks operate in the situations for which they were designed. The interlocks can be subjected to valid operational tests by loading each hoist with a dummy fuel assembly, positioning the refueling platform, and withdrawing control rods. Where redundancy is provided in the logic circuitry, tests are performed automatically, on a periodic basis, to assure that each redundant logic element can independently perform its function.

7.7.1.10.4 Environmental Considerations

Equipment (refueling) will be subjected to the conditions shown on Dwg. C-1815, Sh. 12 during normal operation. The refueling interlocks are not required to operate under harsh ("accident") conditions.

Refueling components are capable of surviving design basis events such as earthquakes, accidents, and anticipated operational occurrences without consequential damage, but are not required to be functional during or after the event without repair.

7.7.1.10.5 Operational Considerations

7.7.1.10.5.1 General Information

The refueling interlocks system is required only during refueling operations.

7.7.1.10.5.2 Reactor Operator Information

In the refueling mode, the control room operator has an indicator light for "Select Permissive" whenever all control rods are fully inserted. He can compare this indication with control rod position data from the computer as well as control rod in-out status on the full core status display.

Furthermore, whenever a control rod withdrawal block situation occurs, the operator receives annunciation. He can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree that permissive conditions exist in order to move control rods; otherwise, a control rod withdrawal block is placed into effect. Failure of one channel may initiate a rod withdrawal block, and will not prevent application of a valid control rod withdrawal block from the remaining operable channel.
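The two-channel agreement rule above and the three interlock functions listed in 7.7.1.10.3.4 can be checked by exhaustive fault injection. The following Python model is an added example, not part of the FSAR or of any plant software; the input names, the `FAILED_SAFE` and `STUCK_PERMISSIVE` fault states, and the assumption that both channels see the same inputs with the mode switch in REFUEL are hypothetical.

```python
"""Fault-injection model of the two-channel rod withdrawal interlock (added example)."""
from itertools import product
from typing import NamedTuple


class Inputs(NamedTuple):
    all_rods_in: bool         # all-rods-in signal
    platform_over_core: bool  # platform position switches have opened
    hoist_loaded: bool        # a hoist load switch has opened


# Hypothetical channel states used only for this model.
HEALTHY = "healthy"
FAILED_SAFE = "failed_safe"            # failed channel outputs a block
STUCK_PERMISSIVE = "stuck_permissive"  # failed channel always outputs a permissive
FAULTS = (HEALTHY, FAILED_SAFE, STUCK_PERMISSIVE)


def withdrawal_permissive(inputs):
    """Correct answer with the mode switch in REFUEL: no rod may be withdrawn
    while equipment is over the core or while another rod is not fully in."""
    return inputs.all_rods_in and not inputs.platform_over_core


def platform_power_permitted(inputs):
    """Loaded equipment may not operate over the core with any rod withdrawn."""
    return not (inputs.hoist_loaded and inputs.platform_over_core
                and not inputs.all_rods_in)


def channel_output(inputs, fault):
    """Permissive signal produced by one channel in the given fault state."""
    if fault == FAILED_SAFE:
        return False
    if fault == STUCK_PERMISSIVE:
        return True
    return withdrawal_permissive(inputs)


def rod_withdrawal_allowed(inputs, fault_a=HEALTHY, fault_b=HEALTHY):
    """Both channels must agree that permissive conditions exist."""
    return channel_output(inputs, fault_a) and channel_output(inputs, fault_b)


def fault_injection():
    """Count unsafe permissives and spurious blocks by number of failed channels."""
    tally = {n: {"unsafe": 0, "spurious": 0} for n in range(3)}
    for bits in product([False, True], repeat=3):
        inputs = Inputs(*bits)
        required = withdrawal_permissive(inputs)
        for fault_a, fault_b in product(FAULTS, repeat=2):
            n_faults = (fault_a != HEALTHY) + (fault_b != HEALTHY)
            allowed = rod_withdrawal_allowed(inputs, fault_a, fault_b)
            if allowed and not required:
                tally[n_faults]["unsafe"] += 1    # block was defeated
            elif required and not allowed:
                tally[n_faults]["spurious"] += 1  # block without a valid cause
    return tally


if __name__ == "__main__":
    for n_faults, counts in fault_injection().items():
        print(n_faults, "failed channel(s):", counts)
```

With one failed channel the model yields spurious blocks but no defeated block; only two channels stuck permissive at once defeat the interlock, which is the case the remaining interlock levels and procedural controls address.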

Core flux activity monitoring is provided during refueling by the SRMs and/or dunking chambers which are specified and controlled in Technical Specification 3/4.9.

On the Unit 1 refueling platform, displays indicate the hoist load and hoist elevation to the operator. In addition, these displays provide bridge position, trolley position, and fault indication to the operator. An Operator Interface Console Assembly provides a touch screen and camera control unit. Should an interlock condition occur, a message is displayed to inform the operator of the condition and what action is required to correct the situation. Manual control of all three axes, bridge, trolley and hoist, is performed using joysticks that provide infinitely variable speed commands to the motor drives.

On the Unit 2 refueling platform, the platform operator has readout indicators for the platform x-y position relative to the reactor core in addition to a z coordinate indicator for the vertical main hoist position.

Both Unit 1 and Unit 2 refueling platforms have load cell indications of hoist loads for each of the three hoists on these platforms. Individual push button and rotary control switches are provided for local control of the platform and its hoists. The platform operator can immediately detect whether the platform and hoists are responding to his local instructions, and can, in conjunction with the control room operator, verify proper operation of each of the three levels of interlocks listed previously.

7.7.1.10.5.3 Setpoints

There are no safety setpoints associated with this system.

7.7.1.11 Neutron Monitoring System - Rod Block Monitor (RBM) Subsystem

7.7.1.11.1 Equipment Design

7.7.1.11.1.1 Description

The RBM has two channels. Each channel uses input signals from a number of LPRM channels. A trip signal from either RBM channel can initiate a rod block. One RBM channel can be bypassed without loss of subsystem function. The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is four when using four LPRM assemblies, three when using three LPRM assemblies, and two when using two LPRM assemblies (Figure 7.7-16). These minimum LPRM inputs are 50% of the possible LPRM inputs to each RBM for 4, 3 or 2 LPRM assemblies.

(1) Power Supply

The RBM power is received from the two 120 Vac supplies for the RPS. Each RBM is supplied by two redundant DC power supplies. Each DC power supply is supplied by one of the two 120 Vac buses.

(2) Signal Conditioning

The RBM signal is generated by averaging a set of LPRM signals. The LPRM signals used depend on the control rod selected. Upon selection of a rod for withdrawal or insertion, the conditioned signals from the LPRMs around that rod will be automatically selected by the two RBM channels (Figure 7.7-16 shows examples of the four possible LPRM/selected rod assignment combinations).

Each RBM channel uses a BCCD level detector configuration, where C level detectors are shared. The A level detectors are not used in the RBM signal. Each RBM selects half of the LPRM detectors surrounding the selected control rod, generates an average signal of the selected LPRMs using the level B, C, and D detector signals, and applies a gain adjustment to this localized average value to make it equal to 100%. The gain adjustment is applied only if the localized average value is less than 100%. The APRM Simulated Thermal Power (STP) is used to select one of three predefined setpoints.

A rod block signal is generated when the average of the selected LPRM signals reaches or exceeds the setpoint. The RBM is automatically disabled from generating rod blocks if a peripheral control rod is selected or if the STP value from the master APRM is less than approximately 28% of rated core thermal power.

In the operating range, the RBM signal is accurate to approximately 1% of full-scale.

7.7.1.11.1.2 Rod Block Trip Function

The RBM supplies a trip signal to the reactor manual control system to inhibit control rod withdrawal. The trip is initiated when RBM output exceeds the rod block setpoint.

The RBM Upscale function setpoints are automatically varied as a function of reactor thermal power. The RBM selects one of three different RBM flux trip setpoints to be applied based on the current value of thermal power. Thermal power is indicated to each RBM channel by a simulated thermal power (STP) reference signal input from an associated reference APRM channel. The setpoint range is divided into three power ranges: a low power range, an intermediate power range, and a high power range. The RBM flux trip setpoint applied within each of these three power ranges is, respectively, the low power setpoint, the intermediate power setpoint, and the high power setpoint. The trip setpoint applicable for each power range is more restrictive than the corresponding setpoint for the lower power range(s). When STP is below the low power setpoint, the RBM flux trip outputs are automatically bypassed but the low trip setpoint continues to be applied to indicate the RBM flux setpoint on the NUMAC RBM displays. Either RBM can inhibit control rod withdrawal (Dwgs. M1-C51-2, Sh. 1, M1-C51-2, Sh. 2, M1-C51-2, Sh. 3, M1-C51-2, Sh. 4, M1-C51-2, Sh. 5, M1-C51-2, Sh. 6, and M1-C51-2, Sh. 7). Table 7.7-3 itemizes the RBM trip functions.
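The signal conditioning and power-dependent trip selection described above can be expressed as a small model for checking the logic against test inputs. This Python code is an added example, not taken from the FSAR or from NUMAC software; the intermediate and high power range boundaries, the three trip values, and all sample LPRM readings are constructed placeholders, because Table 7.7-3 is not reproduced in this section.

```python
"""Model of the RBM channel logic described above (added example, not plant code)."""
from dataclasses import dataclass
from statistics import fmean

LOW_POWER_SETPOINT = 28.0  # % rated STP; "approximately 28%" in the text
# CONSTRUCTED placeholders: real range boundaries and trip values are not
# given in this section.
INTERMEDIATE_POWER_SETPOINT = 60.0
HIGH_POWER_SETPOINT = 80.0
TRIP_SETPOINTS = {"low": 120.0, "intermediate": 115.0, "high": 110.0}

# CONSTRUCTED sample readings (% power), eight LPRM inputs per channel.
SELECT_READINGS = {"A": [78, 82, 80, 80, 79, 81, 80, 80], "B": [100.0] * 8}
WITHDRAW_READINGS = {"A": [90.0] * 8, "B": [104.0] * 8}


def select_setpoint(stp):
    """Return (power range, trip setpoint, auto-bypassed) for an STP in % rated."""
    if stp >= HIGH_POWER_SETPOINT:
        return "high", TRIP_SETPOINTS["high"], False
    if stp >= INTERMEDIATE_POWER_SETPOINT:
        return "intermediate", TRIP_SETPOINTS["intermediate"], False
    # Below the low power setpoint the low trip value is still displayed,
    # but the trip output is bypassed.
    return "low", TRIP_SETPOINTS["low"], stp < LOW_POWER_SETPOINT


@dataclass
class RbmChannel:
    name: str
    gain: float = 1.0
    possible_inputs: int = 0
    peripheral: bool = False

    def select_rod(self, lprm_signals, possible_inputs, peripheral=False):
        """Latch the gain that brings the local average to 100% at rod selection."""
        self.possible_inputs = possible_inputs
        self.peripheral = peripheral
        average = fmean(lprm_signals) if lprm_signals else 0.0
        # The gain adjustment is applied only if the average is below 100%.
        self.gain = 100.0 / average if 0.0 < average < 100.0 else 1.0
        return self.gain

    def evaluate(self, lprm_signals, stp):
        """Compare the gain-adjusted local average with the selected setpoint."""
        power_range, setpoint, auto_bypassed = select_setpoint(stp)
        signal = self.gain * fmean(lprm_signals) if lprm_signals else 0.0
        return {
            "signal": signal,
            "range": power_range,
            "setpoint": setpoint,
            # Alarm when fewer than 50% of the possible inputs are available.
            "inop_alarm": 2 * len(lprm_signals) < self.possible_inputs,
            "trip": signal >= setpoint and not (auto_bypassed or self.peripheral),
        }


def rod_block(channels, readings, stp, manual_bypass=None):
    """Either channel can block; at most one channel name can be bypassed."""
    results = {ch.name: ch.evaluate(readings[ch.name], stp) for ch in channels}
    blocking = [n for n, r in results.items() if r["trip"] and n != manual_bypass]
    return bool(blocking), blocking, results


def scenario(stp, manual_bypass=None):
    """Select a rod, then evaluate both channels on the withdrawal readings."""
    channels = [RbmChannel("A"), RbmChannel("B")]
    for ch in channels:
        ch.select_rod(SELECT_READINGS[ch.name], possible_inputs=8)
    return rod_block(channels, WITHDRAW_READINGS, stp, manual_bypass)


if __name__ == "__main__":
    for stp in (20.0, 65.0, 85.0):
        blocked, who, _ = scenario(stp)
        print(f"STP {stp:5.1f}%: rod block={blocked} from {who}")
```

In this constructed case only channel A reaches the high power setpoint, so bypassing channel A removes the rod block, which shows why the bypass of one channel leaves the function dependent on the remaining channel's inputs.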

7.7.1.11.1.3 Bypasses

The operator can bypass one of the two RBMs at any time (see Subsection 7.7.1.2.6.3).

7.7.1.11.1.4 Redundancy

The following features are included in RBM design:

(1) Redundant, separate, and isolated RBM channels.

(2) Redundant, separate, isolated rod selection information (including isolated contacts for each rod selection pushbutton) provided directly to each RBM channel.

(3) Separate, isolated LPRM amplifier signal information provided to each RBM channel.

(4) Independent, separate, isolated APRM reference signals to each RBM channel.

(5) Independent, isolated RBM level readouts and status displays from the RBM channels.

(6) Mechanical barrier between Channel A and Channel B of the manual bypass switch.

(7) Independent, separate, isolated rod block signals from the RBM channels to the manual control system circuitry.

7.7.1.11.1.5 Testability

The rod block monitor channels are tested and calibrated with procedures given in the applicable instruction manuals. The RBMs are functionally tested by introducing test signals into the RBM channels.

7.7.1.11.1.6 Limiting Safety System Setting Function

The three RBM power-dependent functions (Low Power Upscale, Intermediate Power Upscale, and High Power Upscale) are considered to be Limiting Safety System Settings, as the RBM is credited in the accident analysis with protecting the MCPR Safety Limit for a Rod Withdrawal Error event.

As a result of the importance of the settings, and because it is assumed that this digital equipment does not drift and has no inherent uncertainties, equipment performance is monitored under surveillance for any deviation from the NTSP (Nominal Trip Set Point), either as-found or as-left.

The Analytical Limits, Allowable Values and NTSPs were determined in accordance with GE document NEDC-31336, General Electric Setpoint Methodology, September 1996.

7.7.1.11.2 Environmental Considerations

(See description for APRM, Subsection 7.6.1a.5.6.2.)

7.7.1.11.3 Operational Considerations

The Rod Block Monitor System is designed to provide information about the local core power level in the vicinity of a control rod that has been selected for withdrawal or insertion, and to provide alarm signals used to inhibit rod withdrawal if the local power level reaches a predetermined level from the rod withdrawal error analysis.

7.7.1.12 Nuclear Pressure Relief System

7.7.1.12.1 System Identification

The Nuclear Pressure Relief System, consisting of safety relief valves and associated circuitry, is designed to limit nuclear steam supply system pressure under various modes of reactor operation.

The pressure relief system includes 16 pressure relief valves, each operated by a pressure relief solenoid pilot air valve. Six of these pressure relief valves have two additional pilot valves for use with the ADS function as discussed in Subsection 7.3.1.1a.1.4.1.

7.7.1.12.2 Equipment Design

The Nuclear Pressure Relief System controls and instrumentation consist of manual control/pressure sensor channels, each dedicated to its respective safety relief valve and associated valve operator (solenoid operated air pilot valve). The pilot valve controls the pneumatic pressure applied to the air cylinder operator. Upon energizing the pilot valve, pneumatic pressure is directed from the accumulator to act on the air cylinder operator, causing the safety relief valve to open. When the pilot valve is de-energized again, air in the air cylinder is exhausted and the accumulator is once again isolated via the de-energized pilot valve. An accumulator, one for each valve, is included with the control equipment to store the pneumatic energy for safety relief valve operation.

Safety relief valves are automatically initiated by high reactor pressure conditions. Cables from the pressure sensors for vessel pressure are routed to a single logic cabinet in the main control room.

Power to the safety relief valves' pilot valves and associated pressure sensors is provided by DC Bus A. The logic cabinet provides for appropriate separation of power supply feeders so as to limit the effects of electrical failures.

7.7.1.12.3 Initiating Circuits

Reactor pressure is detected by pressure sensors (one for each valve) which are located in the reactor building. The logic for each valve requires a single sensor trip on vessel pressure to cause safety relief valve actuation.

7.7.1.12.4 Logic and Sequencing

One initiation signal is used for each safety relief valve actuation via each respective pressure sensor output. High vessel pressure indicates the need for safety relief valve actuation to limit nuclear steam supply pressure.

Upon receipt of an initiation signal the pilot air valve is energized, thereby opening the safety relief valve. Lights in the main control room indicate when the solenoid-operated pilot valves are energized to open a safety relief valve. The safety relief valves remain open until the system pressure drops below the high pressure setpoint.

Manual system level initiation of a safety relief valve is accomplished by a control switch in either division 1 or division 2, depending on which division serves a given valve and its associated logic circuitry.

7.7.1.12.5 Bypasses and Interlocks

Bypasses and interlocks are not utilized in the safety relief valve function.

7.7.1.12.6 Redundancy and Diversity

The safety relief valve logic is initiated by high reactor pressure. Although redundancy is not provided for the initiating signal to a given safety relief valve, separate sensor signals are provided to the different valves. Diversity is not provided.

7.7.1.12.7 Actuated Devices

Safety relief valves are actuated by four methods:

a. Automatically on high reactor pressure via pressure sensors.
b. Manually, by the operator.
c. Mechanically, through spring setpoints.
d. Automatically or manually as part of ADS (Section 7.3.1.1a.1.4).

7.7.1.12.8 Separation

Safety relief valve logic is of single channel design for each valve. Safety relief valves and associated logics are assigned to DC bus A. Cable routing, logic circuitry, manual controls and instrumentation are appropriately separated to limit the effects of a single failure.

7.7.1.12.9 Testability

Safety relief valve logic is testable up to and including the sensors and actuated equipment.

7.7.1.12.10 Environmental Considerations

The solenoid valves and their cables and the safety relief valve operators are located inside the drywell and will operate during normal and projected accident environmental conditions. The pressure sensors, which are located within the reactor building, will also operate during normal and accident environments.

7.7.1.12.11 Operational Considerations

7.7.1.12.1.11.1 General Information

The instrumentation and controls of the Nuclear Pressure Relief System are required for normal plant operations to limit nuclear system pressure. When pressure relief action is required, it will be initiated automatically by the circuits described in this section.

7.7.1.12.11.2 Operator Information

A temperature element is installed on the safety relief valve discharge piping approximately three feet from the valve body. The temperature element is connected to a multipoint recorder in the control room to provide a means of detecting safety relief valve leakage during plant operation.

When the temperature in any safety relief valve discharge piping exceeds a preset value, an alarm is sounded in the control room. The alarm setting is far enough above normal (rated power) drywell ambient temperatures to avoid spurious alarms, yet low enough to give early indication of significant safety relief valve leakage.

7.7.1.13 Neutron Monitoring System - Source Range Monitor (SRM) Subsystem

7.7.1.13.1 Equipment Design

7.7.1.13.1.1 Description

The SRM provides neutron flux information during reactor startup and low flux level operations.

There are four SRM channels. Each includes one detector that can be physically positioned in the core from the control room (see Figure 7.6-3).

The detectors are inserted into the core for a reactor startup. They can be withdrawn if the indicated count rate is between preset limits or if the IRM is on the third range or above (see Dwgs. M1-C51-35, Sh. 1 and M1-C51-35, Sh. 2).

(1) Power Supply

The power for the monitors is supplied from the two separate 24 VDC buses. Two monitors are powered from each bus (see Dwgs. M1-C51-35, Sh. 1 and M1-C51-35, Sh. 2).

(2) Physical Arrangement

Each detector assembly consists of a miniature fission chamber and a low-noise, quartz-fiber-insulated transmission cable. The sensitivity of the detector is 1.2 x 10^-3 cps/nv nominal, 5.0 x 10^-4 cps/nv minimum, and 2.5 x 10^-3 cps/nv maximum. The detector cable is connected underneath the reactor vessel to the multiple-shielded coaxial cable. This shielded cable carries the pulses to a pulse current preamplifier located outside the drywell.

The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote-controlled detector drive system moves the detector along the dry tube. Vertical positioning of the chamber is possible from above the centerline of the active length of fuel to 30 inches below the reactor fuel region (see Figure 7.6-5). When a detector arrives at a travel end point, detector motion is automatically stopped. SRM/IRM drive control arrangement and logic is presented in Figures 7.6-6 and 7.6-7. The electronics for the source range monitors, their trips, and their bypasses are located in two cabinets. Source range signal conditioning equipment is designed so that it can be used for open vessel experiments.

(3) Signal Conditioning

A current pulse preamplifier provides amplification and impedance matching for the signal conditioning electronics.

The signal conditioning equipment converts the current pulses to analog currents that correspond to the logarithm of the count rate (LCR). The equipment also derives the period. The output is displayed on front panel meters and is provided to meters and recorders in the Control Structure. The LCR meter displays the rate of occurrence of the input current pulses. The period meter displays the time in seconds for the count rate to change by a factor of 2.7. In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits.

(4) Trip Functions

The trip outputs of the SRM operate in the fail-safe mode. Loss of power to the SRM causes the associated outputs to become tripped.

The SRM provides signals indicating SRM upscale, downscale, inoperative, and incorrect detector position to the reactor manual control system to block rod withdrawal under certain conditions. Any SRM channel can initiate a rod block. These rod blocking functions are discussed in Subsection 7.7.1.2.6.1. Appropriate lights and annunciators are also actuated to indicate the existence of these conditions (Table 7.7-4).

7.7.1.13.1.1.1 Bypasses and Interlocks

One of the four SRM channels can be bypassed at any one time by the operation of a switch on the Unit Operating Benchboard.

7.7.1.13.1.2 Redundancy and Diversity

SRM channels are not redundant because SRM detectors are partially dependent and do not serve as a backup to other detectors.

7.7.1.13.1.3 Testability

Each SRM channel is tested and calibrated using the procedures in the SRM instruction manual.

Inspection and testing are performed as required on the SRM detector drive mechanism; the mechanism can be checked for full insertion and retraction capability. The various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions.

7.7.1.13.2 Environmental Considerations

The wiring, cables, and connectors located within the drywell are designed for continuous duty in the conditions described in Section 3.11. The SRM system components are designed to operate during and after certain design basis events such as earthquakes and anticipated operational occurrences.

7.7.1.13.3 Operational Considerations

The SRM system provides information to the operator and does not require any operation other than insertion of the SRM detectors into the core whenever these channels are needed, and withdrawal of the SRM detectors, when permitted, to prevent their burnup.

7.7.1.14 Loose Parts Monitoring System

Piezoelectric accelerometers are attached externally to the Reactor Vessel and are abandoned in place.

7.7.2 ANALYSIS

This subsection:

(1) demonstrates by direct or referenced analysis that the described subject systems are not required for any plant safety function, and

(2) demonstrates by direct or referenced analysis that the plant protection systems described elsewhere are capable of coping with all failure modes of the subject control systems.

design basis: refer to Subsection 7.1.1

description: refer to Subsection 7.7.1

The individual system analysis in this section concludes that the subject systems are not required for any plant safety action.

For consideration of item (2) above, it is necessary to refer to the safety evaluations in Chapter 15 and Appendix 15A.

In that chapter, it is first shown that the subject systems are not utilized to provide any design basis accident safety function. Safety functions, where required, are provided by other qualified systems.

For expected or abnormal transient incidents following the single operation error (SOE) or single component failure (SCF) criteria, protective functions are also shown to be provided by other systems. The expected or abnormal transients cited are the limiting FMEA for the subject systems.

Next, further considerations of situations beyond the SOE and SCF, specified as single active component failure (SACF), are analyzed in Chapter 15 and Appendix 15A. Although these are not design basis requirements, the ability of the plant to provide at least one single protective function, even under these stringent assumptions, is demonstrated.

7.7.2.1 Reactor Vessel - Instrumentation

7.7.2.1.1 General Functional Requirements Conformance

The reactor vessel instrumentation is designed to augment the existing information required from the engineered safeguards and safety systems. The operator utilizes this information to start up, operate at power, shut down, and service the reactor system in an efficient manner. None of this instrumentation is required to initiate or control any engineered safeguard or safety system.

7.7.2.1.2 Specific Regulatory Requirements Conformance

There are no specific regulatory requirements imposed on this reactor vessel instrumentation, but the following general considerations are offered:

(1) Conformance with General Design Criteria 13

The reactor vessel instrumentation provides the operator with information on the reactor vessel operating variables during normal plant operation and anticipated operational occurrences so that the need to use the safety systems, although ready and able to respond, is minimized. This instrumentation does not serve in any direct controlling functions.

Controls that maintain the reactor vessel operating variables within prescribed operating ranges are performed by the:

(a) feedwater system

(b) RCIC system

(c) reactor manual control system or rod control and information system

(2) Conformance with General Design Criteria 24

This instrumentation is not part of or related to any safety system. The circuitry of the safety systems is completely independent of this instrumentation, such that failures of this instrumentation will not cause or prevent any action to be initiated by the safety systems.

(3) Conformance to IEEE STD 279, section 4.7

This instrumentation is separate from and independent of the safety systems circuitry. There are no direct circuit-to-circuit or functional interactions between this instrumentation and the safety systems. No single random or multiple failures in this instrumentation can prevent the safety systems from meeting the minimum performance requirements specified in the design basis of that system.

7.7.2.2 Reactor Manual Control System - Instrumentation and Controls

7.7.2.2.1 General Functional Requirements Conformance

The circuitry described for the reactor manual control system is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry.

The scram circuitry is discussed in Section 7.2. Because each control rod is controlled as an individual unit, a failure that results in energizing of any of the insert or withdraw solenoid valves can affect only one control rod. The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod. It can be concluded that no single failure in the reactor manual control system can result in the prevention of a reactor scram and that repair, adjustment, or maintenance of reactor manual control system components does not affect the scram circuitry.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system. The expected and abnormal transients and accident events analyzed envelope the FMEA associated with this system's components. These include:

(1) control rod withdrawal errors

(2) control rod drop accident.

To be very specific, the following is cited:

(1) The RMCS is not required for plant safety functions. The system has no function associated with any design basis accident.

(2) This system is not used for plant shutdown resulting from an accident or nonstandard operational conditions.

(3) The function of the RMCS is to control core reactivity and thus power level. Interlocks from many different sources are incorporated to prevent the spurious operation of drives or undesirable rod patterns throughout all ranges of operation.

(4) This system contains no components, circuits, or instruments required for reactor trip or scram. There are no operator manual controls which can prevent scram.

(5) The consequence of improper operator action or the failure of rod block interlocks results in a reactor scram.

(6) The requirements for the portions of RMCS that interface with any safety system function include tolerance to single failures and component quality.

7.7.2.2.2 Specific Regulatory Requirements

There are no specific requirements imposed on this system, but the following general considerations are offered:

(1) 10CFR50 Appendix A - Criterion 24

No part of the RMCS is required for scram. The rod block functions provided by the NMS are the only instances where the RMCS uses any instruments or devices related to RPS functions. The rod block signals received from the NMS prevent improper rod motion before limits causing reactor scram are reached. Common APRM, IRM, and SRM detectors are used, but the signal is physically and electrically isolated before its use in the reactor manual control system. See Subsection 7.7.1.2.6.2 for a description of this interface. Single failure of a control component therefore will not degrade the protection system.

(2) 10CFR50 Appendix A - Criterion 26

The RMCS is one of the two independent reactivity control systems as required by this criterion.

7.7.2.2.3 Rod Block Trip - Instrumentation and Controls

7.7.2.2.3.1 General Functional Requirements Conformance

The rod withdrawal block functions prevent an operator from carrying out actions which, if unchecked, might result in a protective system action (scram). A fixed margin separates the rod withdrawal block setpoints and the scram setpoints in IRM and APRM. There are no safety considerations.

7.7.2.2.3.2 Specific Regulatory Requirement Conformance

No specific regulatory requirements apply. The circuits are designed to be normally energized (fail-safe on loss of power) and single-failure tolerant. The equipment is designed to prevent the rod block trip circuitry from affecting the protection system trips in the IRM and APRM channels through use of separate trip circuits and relays. IEEE Standards do not apply because rod block trips are not required for any postulated design basis accident or for safe shutdown.

7.7.2.2.4 Not Used

7.7.2.2.5 Rod Worth Minimizer (RWM) - Instrumentation and Controls

7.7.2.2.5.1 General Functional Requirements Conformance

No general functional requirements are cited for this system.

7.7.2.2.5.2 Specific Regulatory Requirements Conformance The Rod Worth Minimizer program in the process computer has no specific regulatory or IEEE requirement.

7.7.2.3 Recirculation Flow Control System - Instrumentation and Controls

7.7.2.3.1 General Functional Requirements Conformance

The recirculation flow control system is designed so that coupling is maintained between an M-G set drive motor and its generator, even if the AC power or a speed controller signal fails. This assures that the drive motor inertia will contribute to the power supplied to the recirculation pump during coastdown of the M-G set after loss of AC power, and that the generator continues to be driven if the speed controller signal is lost.

Transient analyses described in Chapter 15 show that no malfunction in the recirculation flow control system can cause a transient sufficient to damage the fuel barrier or exceed the nuclear system pressure limits, as required by the safety design basis.

The safety design basis of the recirculation flow control loop is that no single component failure shall result in a violation of the plant transient MCPR limit.

The recirculation flow control system is not required to be designed to meet the single-failure criterion. Control system failures resulting in complete loss of control signal will result in electrical "locking" of the scoop tube in its last demanded position at the instant of signal loss. This locking feature is provided both by the ICS diagnostics initiating an output contact state change (e.g., external scoop tube lock input to positioner), and by the Jordan scoop tube positioner internal circuitry detecting an input signal loss.

In the case of recirculation control system failures (e.g., transistors, resistors, etc.) causing upscale signal failure, the reactor is protected by high pressure or high flux scram. Such faults have been analyzed in Chapter 15 and include both M-G sets going to full speed simultaneously.

Recirculation system flow control failures causing downscale signal failures may cause one or both recirculation M-G sets to go to minimum speed. M-G set speed reduction is limited to not more than 40% per second. Speed reduction of both M-G sets might result from failure of the reactor recirculation pump speed control.

The Integrated Control System maintains the electrical locking of the scoop tube to its last known demanded position upon loss of, or invalidation of, the digital control scheme. The A and B speed control instrumentation systems are independent with redundant power sources. Additionally, the operator's ability to manually lock the scoop tube is unchanged. System operating capabilities are provided in the unlikely event a complete loss of a Control Processing pair or individual I/O module is experienced. A watchdog timer circuit monitors the operation of each Control Processing pair and will initiate a Scoop Tube Lock signal if both processors fail. Diagnostics monitoring communication of the I/O modules (FBMs) with the control processor, as well as ICS monitoring of operating parameters and digital control logic, will detect individual I/O module mis-operation and/or failure, resulting in the associated module failing to a pre-determined state supporting continued plant operation.

Recirculation M-G set speed limiters are provided to prevent recirculation pump, valve, and jet pumps from operating in regions that would cause cavitation damage to these components.

Each recirculation pump valve is independent of the other, and has its own Unit Operating Benchboard mounted control switch for manual operation. Each valve has open/close travel limit switches and Unit Operating Benchboard pilot lamp indication.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system.

The expected and abnormal transients and accident events analyzed envelope the FMEA associated with this system's components. These include:

(1) Recirculation flow controller failures
(2) Recirculation pump seizure and pump shaft failure

7.7.2.3.2 Specific Regulatory Requirements

There are no specific regulatory requirements imposed on this system.

7.7.2.4 Feedwater Control System (Turbine Driven Pumps) - Instrumentation and Controls

7.7.2.4.1 General Functional Requirements Conformance

The feedwater control system is a power generation system for purposes of maintaining proper vessel water level. For feedwater level demand, interlocks are provided within the digital Integrated Control System to lock the flow changing capabilities to the last known good value upon reactor vessel feedwater level control system failure. This demand control signal will maintain the reactor feedpump turbine at the last known speed. The Integrated Control System will not initiate a RFPT trip on reactor vessel feedwater level control system failure.

Should the vessel level rise too high, the feedwater pumps and plant main turbine would be tripped. This is an equipment protective action which would result in reactor shutdown by the RPS system as outlined in Section 7.2. Lowering of the vessel level would also result in action of the RPS to shut down the reactor.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system relative to plant safety and operational effects. The expected and abnormal transients and accident events analyzed in the appendix envelope the FMEA associated with this system's components. These include:

(1) Loss of all feedwater flow (pumps)
(2) Loss of feedwater heater
(3) Malfunction of feedwater controller
(4) Failure of feedwater line

7.7.2.4.2 Specific Regulatory Requirements Conformance

The feedwater system is not a safety-related system and is not required for safe shutdown of the plant, nor is it required during or after accident conditions.

There are no interconnections with safety-related systems and no specific regulatory requirements are imposed on the system.

7.7.2.5 Pressure Regulator and Turbine-Generator System Instrumentation and Controls

7.7.2.5.1 General Functional Requirements Conformance

Turbine speed and acceleration control is provided by the initial pressure regulator, which controls steam throttle valve position to maintain constant reactor pressure. The turbine speed governor overrides the pressure regulator on increase of turbine speed or loss of generator load. Excess steam is automatically bypassed directly to the main condenser by the pressure controlled bypass valves.

Provision is made for matching nuclear steam supply to turbine steam requirements. As pressure is lowered by a greater load demand, the pressure regulator sends a proportional signal to the recirculation flow control system, which causes an appropriate increase in recirculation flow.

Detailed description of conformance to these design bases is contained in Subsection 7.7.1.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system relative to plant safety and operational effects. The expected and abnormal transient and accident events analyzed in this appendix envelope the FMEA associated with this system's components.

These include:

(1) Failure of pressure regulator
(2) Turbine/generator trips
(3) Main condenser failures
(4) Breaks outside containment

7.7.2.5.2 Specific Regulatory Requirements Conformance

No specific regulatory requirements are imposed on the subject system.

The turbine-generator control system is not a safety-related system. Protection systems which are provided as an integral part of the turbine-generator equipment override the turbine-generator control system. In the event of a turbine-generator trip due to a protective action, the control valve fast closure and the stop valve closure inputs to the RPS initiate reactor scram (see Subsections 7.2.1.1.4.2(d) and 7.2.1.1.4.2(e)).

Pressure regulator malfunction which leads to low turbine inlet pressure is detected by pressure switches provided in the main steam isolation system, which in turn initiate closure of the main steamline isolation valves (see Subsection 7.3.1.1a.2.4.1.5). Similarly, high turbine inlet pressure leads to detection of high reactor pressure by the RPS, which initiates the reactor scram (see Subsection 7.3.1.1a.2.4.1.4).

Control malfunction which results in high flow through the turbine control valves and the bypass valves is detected by main steam flow switches provided in the main steam isolation system, which initiates closure of the main steamline isolation valves (see Subsection 7.3.1.1a.3) and a subsequent reactor scram (see Subsection 7.2.1.1.4.2(f)).

Interfaces between the subject non-safety systems and their components with safety-related systems (RPS, containment isolation control system, etc.) are designed in such a manner that failure of the non-safety components will not negate the necessary safety system functions.

7.7.2.6 Neutron Monitoring System Traversing In-Core Probe Subsystem (TIP) - Instrumentation and Controls

7.7.2.6.1 General Functional Requirement Conformance

An adequate number of TIP machines is supplied to assure that each LPRM assembly can be probed by a TIP and that one LPRM assembly (the central one) can be probed by every TIP to allow intercalibration. Typical TIPs have been tested to prove linearity (Reference 7.7-1). The system has been field-tested in an operating reactor to assure reproducibility for repetitive measurements. The mechanical equipment has undergone life testing under simulated operating conditions to assure that all specifications can be met. The system design allows semi-automatic operation for LPRM calibration and process computer use. The TIP machines can be operated manually to allow pointwise flux mapping.

7.7.2.6.2 Specific Regulatory Requirement Conformance

There are no specific regulatory requirements for the TIP subsystem.

7.7.2.7 Plant Computer System - Instrumentation

7.7.2.7.1 General Functional Requirements

The Plant Computer System is designed to provide the operator with certain categories of information as defined in the equipment description (Subsection 7.7.1.7) and to supplement procedural requirements for control rod manipulation during reactor startup and shutdown.

The system augments existing information from other systems such that the operator can start up, operate at power, and shut down in an efficient manner. This system is not required to initiate or control any engineered safeguard or safety-related system.

7.7.2.7.2 Specific Regulatory Requirements Conformance

The plant computer has no specific regulatory requirements.

7.7.2.8 Reactor Water Cleanup System - Instrumentation and Controls

7.7.2.8.1 General Functional Requirement Conformance

The RWCU system is not a safety-related system. Therefore, the instrumentation supplied is for the plant equipment protection and for operator information only.

The cleanup system is protected against overpressurization by relief valves. The ion exchange resin is protected from high temperature by temperature switches upstream of the filter demineralizer unit. One switch activates an alarm while a second switch closes the isolation valve, which subsequently trips the cleanup pumps. The isolation valves will also close automatically and trip the pumps on a reactor low water level signal. Actuation of the standby liquid control system causes closure of the outboard isolation valve only. The pumps will also trip on high pump cooling water temperature or low discharge flow.

A high differential pressure across the filter-demineralizer or its discharge strainer will automatically close the unit's outlet valve after sounding an alarm. The holding pump starts whenever there is low flow through a filter-demineralizer. The precoat pump operation is unaffected by the precoat tank level.

Sampling stations are provided to obtain reactor water samples from the entrance and exit of both filter-demineralizers.

The system flow, pressure, temperature, and conductivity are recorded or indicated on a panel in the main control room. Instrumentation and control for backwashing and precoating the filter-demineralizers are on a local panel outside the drywell. Alarms are sounded in the main control room to alert the operator to abnormal conditions.

7.7.2.8.2 Specific Regulatory Requirements Conformance

The subject system has no specific regulatory requirements imposed on it, but the following observation is included:

(1) Regulatory Guide 1.56 (6/73)

The Reactor Water Cleanup (RWCU) system provides the recorded conductivity measurements and alarms of influents and effluents of the demineralizers and records of the flow rate through each demineralizer as recommended in the guide.

7.7.2.9 Transient Monitoring System Analysis

7.7.2.9.1 TMS Safety-Related Functions

The TMS itself performs no safety function. However, TMS devices are connected in safety-related circuits and must maintain the safety-related circuit integrity, without disturbance to that circuit, under all conditions.

Where TMS signals are required from safety-related circuits, isolation is provided between the safety circuit and the TMS signal by the use of a Validyne Engineering Corp. Remote Carrier Modulator, Model CM249.

7.7.2.9.1.1 TMS Safety-Related System Isolation

The Validyne CM249 provides impedance isolation, using transformer coupling, between safety-related circuits and TMS circuits. CM249 circuit arrangement provides isolation in compliance with IEEE 279-1971, Section 4.7.2. The CM249 unit has been seismically and environmentally qualified. See Wyle Labs Report (NDQ 783015 Rev. B).

A summary of the Validyne CM249 specifications is as follows:

Common Mode Isolation Voltage - 2000 V Peak
Input/Output Dielectric Strength - 2000 VDC, 220 VAC
Insulation Resistance - 1010 ohms
Input Impedance - 2 megohms

7.7.2.9.1.2 TMS Wiring Separation

All wiring for the TMS is installed permanently except wiring for piping thermal expansion and vibration measurements installed locally from a measuring device to a multiplexer. This thermal expansion and vibration wiring is not safety-related and will be removed after completion of testing.

Wiring from the multiplexers to the TMP will be installed in a raceway system as any non-safety-related cable. Wiring for circuits from safety-related signals up to the isolation device shall be separated as though they were safety-related. Permanent wiring for the TMS from safety and non-safety systems to the TMP will be as follows:

A. Wiring required by transient test instrumentation within GE supplied panels is routed to the requirements of A61-4050 Electrical Equipment Separation for Safeguards System.

B. Cables required by transient test instrumentation are routed through the GE supplied PGCC panel modules in accordance with the requirements of NEDO 10466.

C. Safety-related wiring and cables required for transient test instrumentation are run in compliance with criteria set forth in Subsection 3.12 of this FSAR.

7.7.2.10 Refueling Interlocks System - Instrumentation and Controls

7.7.2.10.1 General Functional Requirements Conformance

The refueling interlocks, in combination with core nuclear design and refueling procedures, limit the probability of an inadvertent criticality. The nuclear characteristics of the core assure that the reactor is subcritical with all rods except one full in and the highest worth control rod fully withdrawn. Refueling procedures are written to avoid situations in which inadvertent criticality is possible. The combination of refueling interlocks for control rods and the refueling platform provides redundant methods of preventing inadvertent criticality even after procedural violations.

The interlocks on hoists provide yet another method of avoiding inadvertent criticality.

Table 7.7-2 illustrates the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform movement and position, and mode switch manipulation. The initial conditions in Situations 4 and 5 appear to contradict the action of refueling interlocks, because the initial conditions indicate that more than one control rod is withdrawn, yet the mode switch is in REFUEL. Such initial conditions are possible if the rods are withdrawn when the mode switch is in STARTUP, and then the mode switch is turned to REFUEL. In all cases, correct operation of the refueling interlock will prevent either the operation of loaded refueling equipment over the core when any control rod is withdrawn, or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the mode switch is in REFUEL, only one rod can be withdrawn; selection of a second rod initiates a rod block.
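The interlock rules stated in this paragraph and tabulated in Table 7.7-2 can be checked mechanically. The following Python model is an added illustration, not plant logic and not part of the FSAR: the rule set in `evaluate` is inferred from the paragraph and from Situations 1 through 16 of the table (Situation 17 is omitted), the blank service platform hoist entry in Situation 7 is assumed unloaded, the `service_bypass` flag is a reading of the table NOTE about the bypass plug, and all names are hypothetical.

```python
from dataclasses import dataclass, replace
from itertools import product

REFUEL, STARTUP = "Refuel", "Startup"
MOVE, WITHDRAW = "Move refueling platform over core", "Withdraw rods"
SERVICE = "Operate service platform hoist"
NO_RESTR, ROD_BLOCK = "No restrictions", "Rod block"
ONE_ROD = "Cannot withdraw more than one rod"
STOPPED = "Platform stopped before over core"
HOIST_PREV = "Hoist operation prevented"
ALLOWED = {NO_RESTR, ONE_ROD}  # results that let the attempt proceed

@dataclass(frozen=True)
class State:
    over_core: bool       # refueling platform position (False = not near core)
    hoist_loaded: bool    # any of TMH / FMH / FG fuel loaded
    service_loaded: bool  # service platform hoist fuel loaded
    rods_out: int         # 0, 1 or 2 (2 stands for "more than one")
    mode: str             # mode switch position: REFUEL or STARTUP

def evaluate(s, attempt, service_bypass=False):
    """Result of one attempted operation (rules inferred, see lead-in)."""
    if attempt == MOVE:
        blocked = (s.mode == STARTUP or s.rods_out > 1
                   or (s.rods_out >= 1 and s.hoist_loaded))
        return STOPPED if blocked else NO_RESTR
    if attempt == SERVICE:
        return HOIST_PREV if s.rods_out >= 1 else NO_RESTR
    if attempt == WITHDRAW:
        service = s.service_loaded and not service_bypass
        if service or (s.over_core and (s.hoist_loaded or s.mode == STARTUP)):
            return ROD_BLOCK
        if s.mode == REFUEL:  # one rod may be out; selecting a second is blocked
            return ONE_ROD if s.rods_out == 0 else ROD_BLOCK
        return NO_RESTR
    raise ValueError(f"unknown attempt: {attempt}")

# Situations 1-16 transcribed from Table 7.7-2 as
# (over_core, hoist_loaded, service_loaded, rods_out, mode, attempt, result).
TABLE = {
    1: (False, False, False, 0, REFUEL, MOVE, NO_RESTR),
    2: (False, False, False, 0, REFUEL, WITHDRAW, ONE_ROD),
    3: (False, False, False, 1, REFUEL, MOVE, NO_RESTR),
    4: (False, True, False, 1, REFUEL, MOVE, STOPPED),
    5: (False, False, False, 2, REFUEL, MOVE, STOPPED),
    6: (True, False, False, 0, REFUEL, WITHDRAW, ONE_ROD),
    7: (True, True, False, 0, REFUEL, WITHDRAW, ROD_BLOCK),
    8: (False, False, True, 0, REFUEL, WITHDRAW, ROD_BLOCK),
    9: (False, False, True, 0, REFUEL, SERVICE, NO_RESTR),
    10: (False, False, True, 1, REFUEL, SERVICE, HOIST_PREV),
    11: (False, False, False, 0, STARTUP, MOVE, STOPPED),
    12: (False, False, True, 0, STARTUP, SERVICE, NO_RESTR),
    13: (False, False, True, 1, STARTUP, SERVICE, HOIST_PREV),
    14: (False, False, True, 0, STARTUP, WITHDRAW, ROD_BLOCK),
    15: (False, False, False, 0, STARTUP, WITHDRAW, NO_RESTR),
    16: (True, False, False, 0, STARTUP, WITHDRAW, ROD_BLOCK),
}

def check_table():
    """Situation numbers where the model disagrees with the table."""
    return [n for n, (*st, attempt, want) in TABLE.items()
            if evaluate(State(*st), attempt) != want]

def next_state(s, attempt):
    """State after a permitted attempt (service hoist operation moves nothing)."""
    if attempt == MOVE:
        return replace(s, over_core=True)
    if attempt == WITHDRAW:
        return replace(s, rods_out=min(s.rods_out + 1, 2))
    return s

def unsafe(s):
    """Loaded refueling equipment over the core with a control rod withdrawn."""
    return s.over_core and s.hoist_loaded and s.rods_out > 0

def invariant_violations(service_bypass=False):
    """Permitted platform moves or rod withdrawals that turn a safe state unsafe."""
    bools, bad = (False, True), []
    for combo in product(bools, bools, bools, (0, 1, 2), (REFUEL, STARTUP)):
        s = State(*combo)
        for attempt in (MOVE, WITHDRAW):
            ok = evaluate(s, attempt, service_bypass) in ALLOWED
            if ok and not unsafe(s) and unsafe(next_state(s, attempt)):
                bad.append((s, attempt))
    return bad

def max_rods_reachable_in_refuel():
    """Most rods that can be out when every step is taken with the switch in REFUEL."""
    seen, todo = set(), [State(False, False, False, 0, REFUEL)]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo += [next_state(s, a) for a in (MOVE, WITHDRAW)
                 if evaluate(s, a) in ALLOWED]
    return max(s.rods_out for s in seen)
```

`max_rods_reachable_in_refuel()` returning 1 matches the paragraph's remark that the multi-rod initial conditions can only arise by withdrawing rods in STARTUP and then turning the switch to REFUEL.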

7.7.2.10.2 Specific Regulatory Requirements Conformance

No specific regulatory requirements apply to refueling interlocks. The refueling interlocks are designed to be normally energized (fail safe) and single failure tolerant of equipment failures. IEEE standards do not apply because the refueling interlocks are not required for any postulated design basis accident or for safe shutdown. The interlocks are required only for the refueling mode of plant operation.

The requirements of 10 CFR 50 Appendix B are met in the manner set forth in Chapter 17.

There are no specific General Design Criteria requirements for this system.

7.7.2.11 Rod Block Monitor Subsystem

7.7.2.11.1 General Functional Requirement Conformance

Motion of a control rod causes the LPRMs adjacent to the control rod to respond to the change in power in the region of the rod in motion. Figure 7.7-19 illustrates the calculated response of the two RBMs to the full withdrawal of a selected control rod from a region in which the design limits on power and flow exist.

Because MCPR cannot reach 1.0 until the control rod is withdrawn through greater than half its stroke, the highest rod block setpoint halts rod motion well before local fuel damage can occur.

This is true even with the adjacent and nearest LPRM detector assemblies failed.

7.7.2.11.2 Specific Regulatory Requirement Conformance

The rod block monitor subsystem is not a protection system and protection criteria in IEEE standards and regulatory guides do not apply.

10CFR50 Appendix A Criterion 24

The RBM provides an interlocking function in the control rod withdrawal portion of the CRD reactor manual control system. This design is separated from the protective functions in the plant to assure their independence.

The RBM is designed to prevent inadvertent control rod withdrawal given an imposed single failure within the RBM. One of the two RBM channels is sufficient to provide an appropriate control rod withdrawal block.

In addition, the RBM has been designed to meet "appropriate protection system criteria acceptable to the Regulatory Staff" (Reference 7.7-2).

7.7.2.12 Nuclear Pressure Relief System - Instrumentation and Controls

7.7.2.12.1 General Functional Requirements Conformance

The Nuclear Pressure Relief system is designed to provide the nuclear steam supply pressure relief function without jeopardy to the safety-related ADS function, discussed in Section 7.3.

7.7.2.12.2 Specific Regulatory Requirements

(1) 10CFR50 - Appendix A - Criterion 14.

The Nuclear Pressure Relief System provides additional means for minimizing the probability of abnormal reactor coolant pressure boundary leakage.

(2) 10CFR50 - Appendix A - Criterion 15.

The Nuclear Pressure Relief System is designed to afford adequate additional margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences.

(3) 10CFR50 - Appendix A - Criterion 30.

The components of the Nuclear Pressure Relief System are designed, selected, fabricated, erected, and tested to the highest, practical, current industrial standards. The System is designed with temperature sensors for each safety relief valve whereby leaks may be detected and identified in a timely fashion.

7.7.2.13 Neutron Monitoring System - Instrumentation and Controls

7.7.2.13.1 Source Range Monitor Subsystem

7.7.2.13.1.1 General Functional Requirement Conformance

The arrangement of the SRM Detectors in the reactor is shown in Figure 7.6-3. This arrangement produces at least three counts per second in the SRM, using the sensitivity noted in Subsection 7.7.1.13 and the design source strength at initial reactor startup. If the discriminator setting is adjusted to produce the specified sensitivity, the signal-to-noise count ratio is well above the 2:1 design basis for cold startup.

Normal startup procedures ensure that withdrawal of control rods is distributed about the core to prevent excessive multiplication in any one section of the core.

Hence, each SRM chamber can respond in some degree during the initial rod withdrawal. During startup withdrawal, one of the four control rods adjacent to each SRM chamber and one control rod adjacent to each neutron source is withdrawn before the reactor is critical. This procedure reduces source and detector shadowing and assures increases in the detector signals as the core average neutron multiplication increases.

The design sensitivity of the SRM detectors and their nominal operating ranges result in a design overlap of the SRM and IRM with both fully inserted (Figure 7.6-13); however, individual sensor sensitivity or unit characteristics may reduce or eliminate this overlap. The reduction or elimination of the overlap does not affect the IRM system safety-related functions nor preclude the operator from monitoring reactor period with the SRMs.

7.7.2.13.1.2 Specific Regulatory Requirements Conformance

There are no specific regulatory or IEEE requirements for the Source Range Monitor Subsystem.

7.7.3 REFERENCES

7.7-1 Morgan, W. R., "In Core Neutron Monitoring System for General Electric Boiling Water Reactors," APED-5706, November, 1968 (Rev. April, 1969).

7.7-2 Hatch 1 Amendment 7, June 24, 1969, pp. 7-3.0-1 and 7-5.0-1.


SSES-FSAR

TABLE 7.7-1

Total system flow - Flow indicator
Drive water pump suction pressure - Annunciator
Drive water filter differential pressure - Annunciator
Cooling water header pressure - Pressure indicator
Charging water header pressure - Annunciator
Drive water flow rate - Flow indicator
Cooling water header flow - Flow indicator
Control rod drive temp - Annunciator
Control rod position - Rod status display (normal range)

Rev. 35, 07/84

SSES-FSAR Table Rev. 36

TABLE 7.7-2 REFUELING INTERLOCK EFFECTIVENESS (See Note)

| SITUATION | REFUELING PLATFORM POSITION | REFUELING PLATFORM HOISTS (TMH*, FMH*, FG*) | SERVICE PLATFORM HOIST | CONTROL RODS | MODE SWITCH | ATTEMPT | RESULT |
| 1 | Not near core | UL, UL, UL | UL | All rods in | Refuel | Move refueling platform over core | No restrictions |
| 2 | Not near core | UL, UL, UL | UL | All rods in | Refuel | Withdraw rods | Cannot withdraw more than one rod |
| 3 | Not near core | UL, UL, UL | UL | One rod withdrawn | Refuel | Move refueling platform over core | No restrictions |
| 4 | Not near core | Any hoist loaded | UL | One rod withdrawn | Refuel | Move refueling platform over core | Platform stopped before over core |
| 5 | Not near core | UL, UL, UL | UL | More than one rod withdrawn | Refuel | Move refueling platform over core | Platform stopped before over core |
| 6 | Over core | UL, UL, UL | UL | All rods in | Refuel | Withdraw rods | Cannot withdraw more than one rod |
| 7 | Over core | Any hoist loaded | | All rods in | Refuel | Withdraw rods | Rod block |
| 8 | Not near core | UL, UL, UL | L | All rods in | Refuel | Withdraw rods | Rod block |
| 9 | Not near core | UL, UL, UL | L | All rods in | Refuel | Operate service platform hoist | No restrictions |
| 10 | Not near core | UL, UL, UL | L | One rod withdrawn | Refuel | Operate service platform hoist | Hoist operation prevented |
| 11 | Not near core | UL, UL, UL | UL | All rods in | Startup | Move refueling platform over core | Platform stopped before over core |
| 12 | Not near core | UL, UL, UL | L | All rods in | Startup | Operate service platform hoist | No restrictions |
| 13 | Not near core | UL, UL, UL | L | One rod withdrawn | Startup | Operate service platform hoist | Hoist operation prevented |
| 14 | Not near core | UL, UL, UL | L | All rods in | Startup | Withdraw rods | Rod block |
| 15 | Not near core | UL, UL, UL | UL | All rods in | Startup | Withdraw rods | No restrictions |
| 16 | Over core | UL, UL, UL | UL | All rods in | Startup | Withdraw rods | Rod block |
| 17 | Any | Any condition | Any condition | Any condition, reactor not at power | Startup | Turn mode switch to RUN | Rod block |

* LEGEND: TMH - Trolley Mounted Hoist; FMH - Frame Mounted Hoist; FG - Fuel Grapple; UL - Unloaded; L - Fuel Loaded

NOTE: The Service Platform is not used and has been eliminated. The bypass plug for the Service Platform hoist loaded interlock is installed which allows control rod withdrawal with the mode switch in REFUEL or STARTUP.

FSAR Rev. 62

SSES-FSAR Table Rev. 57

TABLE 7.7-3 RBM SYSTEM TRIPS UNIT 1 & 2

| TRIP FUNCTION | NOMINAL SETPOINT | TRIP ACTION |
| Trip Setpoints and Power Setpoints | See Technical Requirements Manual | Rod Block, Annunciator, Amber Light Display, RBM ODA |
| RBM Inoperative | (See Note) | Rod Block, Annunciator, Amber Light Display, RBM ODA |
| RBM Downscale | 5/125 PS | Rod Block, Annunciator, White Light Display, RBM ODA |
| RBM Bypassed | Manual Switch or Peripheral Rod Selected or APRM Reference Below 30% | White Light Display, RBM ODA |

Note: RBM is inoperative, if module interlock chain is broken, OPERATE-CALIBRATE switch is not in OPERATE position, less than 50% of available LPRM signals are above 3% threshold, internal logic self-test circuits indicate trouble or no rod selected or more than one rod selected.

FSAR Rev. 64

SSES-FSAR

TABLE 7.7-4 IRM TRIPS*

IRM upscale (high-high) - Scram, annunciator, red light display
IRM inoperative - Scram, annunciator, red light display
IRM upscale (high) - Rod block, annunciator, amber light display
IRM downscale - Rod block (exception on most sensitive scale), annunciator, white light display
IRM bypassed - White light display

Note: IRM is inoperative if module interlock chain is broken, operate-calibrate switch is not in operate position, or detector polarizing voltage is below 80 V.

* See the Technical Specification and Technical Requirements Manual for set points.

Rev. 54, 10/99

SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURES

FIGURE 7.7-1 WATER LEVEL RANGE DETECTION: Security-Related Information, Figure Withheld Under 10 CFR 2.390

FIGURES 7.7-2-1 through 7.7-2-7 CONTROL ROD DRIVE HYDRAULIC SYSTEM LOGIC DIAGRAM: Security-Related Information, Figures Withheld Under 10 CFR 2.390

FIGURE 7.7-3-1, Rev. 49: REPLACED BY DWG. M1-C12-90, SH. 4 (FSAR REV. 65)

FIGURE 7.7-3-2, Rev. 55: REPLACED BY DWG. M1-C12-110, SH. 8 (FSAR REV. 65)

FIGURE 7.7-4, Rev 49: REACTOR MANUAL CONTROL SYSTEM OPERATION (FSAR REV. 65; figure not reproduced in this text)

FIGURE 7.7-5, Rev 49: REACTOR MANUAL CONTROL SELF-TEST PROVISIONS (FSAR REV. 65; figure not reproduced in this text)

FIGURE 7.7-6, Rev 49: ELEVEN-WIRE POSITION PROBE (FSAR REV. 65; figure not reproduced in this text; labels: switch numbers S00 through S52, rod withdrawn overtravel, rod inserted)

FIGURE 7.7-7-1, Rev. 49: REPLACED BY DWG. M1-B31-189, SH. 1 (FSAR REV. 65)

FIGURE 7.7-7-2, Rev. 55: REPLACED BY DWG. M1-B31-189, SH. 2 (FSAR REV. 65)

FIGURE 7.7-7-3, Rev. 49: REPLACED BY DWG. M1-B31-189, SH. 3 (FSAR REV. 65)

FIGURE 7.7-7-4, Rev. 49: REPLACED BY DWG. M1-B31-189, SH. 4 (FSAR REV. 65)

FIGURE 7.7-7-5, Rev. 49: REPLACED BY DWG. M1-B31-189, SH. 5 (FSAR REV. 65)

FIGURE 7.7-7-6, Figure Rev. 49: ATWS RECIRCULATION PUMP TRIP LOGIC (FSAR REV. 71; figure not reproduced in this text; M-G set and pump motor schematic, typical of Division 1 and Division 2)

FIGURE 7.7-8, Rev. 57 (FSAR Rev. 65): Recirculation Flow Control Illustration. Diagram labels: Turbine Control Mech; Admission Valve; Initial Pressure Regulator; Turbine Bypass Valves; Reactor; Fluid Drive Actuator; Turbine; Recirculation Flow Control Components. Legend: M - Induction Motor; G - AC Generator; C - Adjustable Speed Coupling. Auto-Cad FSAR_7_7_8.DWG

FIGURE 7.7-9, Rev. 50 (FSAR Rev. 65): Replaced by Dwg. M1-C32-3, Sh. 1. AutoCAD Figure 7_7_9.doc

FIGURE 7.7-10, Rev 49 (FSAR Rev. 65): Detector Drive System Schematic. Diagram labels: Position Switches; Drive Control; Motor; Monitor Circuitry; Flexible Cable. AutoCAD: Figure Fsar 7_7_10.dwg

FIGURE 7.7-11, Rev. 56 (FSAR Rev. 65): Replaced by Dwg. M1-G33-143, Sh. 1. AutoCAD Figure 7_7_11.doc

FIGURE 7.7-13, Rev. 50 (FSAR Rev. 65): Replaced by Dwg. A-105, Sh. 1. AutoCAD Figure 7_7_13.doc

FIGURE 7.7-13A, Rev 2 (FSAR Rev. 68): Control Room Panel Safety Related Display Instrument Plant Operator Interface. AutoCAD: Figure Fsar 7_7_13A.dwg

PANEL NUMBER
UNIT 1   COMMON   UNIT 2   DESCRIPTION
1C600    -        2C600    Process Radiation Record V.B.
1C601    -        2C601    Reactor Core Cooling B.B.
1C607    -        2C607    T.I.P. Control & Monitor Cabinet
1C610    -        2C610    Control Rod Test Cabinet
1C614    -        2C614    NSS Temp. Record & Leak Detect. V.B.
1C644    -        2C644    V.B. Div. 2
1C645    -        2C645    V.B. Div. 1
1C650    0C650    2C650    Fire Protection V.B.
1C651    -        2C651    Unit Operation B.B.
1C652    -        2C652    Standby Information Panel V.B.
-        0C653    -        Plant Operating B.B.
1C654    -        2C654    Generator & Transfer Prot. Relay V.B.
1C656    0C656    2C656    Electrical Metering V.B.
-        0C657    -        Startup Transformer Prot. V.B.
-        0C658    -        Span Prot., Swyd. Cont. & Display V.B.
-        0C659    -        500 & 230 kV Swyd. Cont. & Display V.B.
1C667    -        2C667    SPDS/Plant Monitoring Console
1C668    -        2C668    Unit Services B.B.
-        0C669    -        Stack Effl. Monitor Console
-        0C671    -        Meteorological & River Telemeter V.B.
1C673    0C673    2C673    Off-gas Recombiner Control V.B.
1C681    0C681    2C681    Heating & Ventilation V.B.
1C684    0C684    2C684    Unit Operating Monitor Console
1C692    -        2C692    Misc. Systems Record V.B.
1C693    0C693    2C693    Misc. Plant Inst. & Record V.B.
1C694    -        2C694    Bypass Indication V.B.
-        0C695    -        P.A. & Emergency V.B.
-        0C696    -        Earthquake Monitor V.B.
-        0C697    -        Motor Overload Bypass V.B.
-        0C699    -        Plant Security Cabinet

FIGURE 7.7-14, Rev 49 (FSAR Rev. 65): Traversing In-Core Probe Assembly. Drawing labels: Sensitive Length; Detector Collector; Detector Outer Shell. AutoCAD: Figure Fsar 7_7_14.dwg

FIGURE 7.7-15 (Figure Rev. 52, FSAR Rev. 71): Main Turbine Control System Block Diagram. Legible diagram labels: Loss of Stator Coolant; Step Back; Run Back (Stop Valve No. 2 Control); Bias; Limits; To Pressure Control; Fast Acting Signal; Dump Valve; Intercept Valves. Legend: Analog (Continuous Signal); Digital (On-Off) Signal; (+) Permissive Signal; (-) Mandatory Trip Signal. AutoCAD: Figure Fsar 7_7_15.dwg

FIGURE 7.7-16: Assignment of LPRM Input to RBM System. Security-Related Information: Figure Withheld Under 10 CFR 2.390.

FIGURE 7.7-19, Rev 2 (FSAR Rev. 65): Typical RBM Channel Responses, Old Versus New LPRM Assignment (No Failed LPRMs). Plot: horizontal axis, Control Rod Position (ft withdrawn), 0 to 14; vertical scale, 100 to 118. Curves: New BCCD1 Channel; New BCCD2 Channel; Old BD Channel; Old AC Channel. AutoCAD: Figure Fsar 7_7_19.dwg