RS-14-006, Clinton, Unit 1, Updated Safety Analysis Report, Revision 16, Chapter 7 - Instrument and Control Systems
Text
CPS/USAR CHAPTER 07 7.2-1 REV. 11, JANUARY 2005 7.2 REACTOR PROTECTION (TRIP) SYSTEM - INSTRUMENTATION AND CONTROLS
7.2.1 Description
7.2.1.1 System Description 7.2.1.1.1 Identification The reactor protection (trip) system (RPS) includes the power distribution panels, logic, load drivers, power supplies, sensors trip modules, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the performance monitoring system and annunciators, although these latter two system are not part of the reactor protection system. Trip signals are received from many diverse reactor and plant systems. 7.2.1.1.2 Classification The RPS is classified as Safety Class 2, Seismic Category I, and Quality Group B (Electric Safety Class 1E). 7.2.1.1.3 Power Sources The RPS utilizes three types of power; 120 Vac for the scram pilot valve solenoids and neutron monitoring system; 125 Vdc power for MSIV and turbine control and stop valve limit switches and the backup scram valve solenoids, and low voltage dc for the solid state logic. 7.2.1.1.3.1 120 Vac Four uninterruptible NSPS buses supply Class 1E 120 Vac power to the four logic divisions of the Reactor Protection System. A NSPS bus is normally fed via a DC to AC inverter, the inverter being fed by a 125 Vdc divisional charger with a floating battery. In the unlikely event of an inverter failure/power loss, the NSPS bus automatically transfers by the use of a solid state transfer switch, to an alternate 120 Vac source derived from a 480 Vac to 120 Vac transformer supply. Also, 120V AC can be supplied to the Division A and B NSPS buses by manual transfer to an inverter maintenance bypass feed. "The definition of a divisional inverter failure as used in the USAR is that the inverter detects abnormal conditions and performs a function. This function is to transfer to its alternate power source. The four divisional inverters automatically switch to the alternate power source for internal inverter problems and for handling fault clearing and inrush current demands. The transfer of the divisional inverters to their alternate source will occur if the alternate source is either energized or deenergized." Two RPS busses (A&B) supply uninterruptible non-Class 1E 120 Vac power to the RPS "A" and "B" scram solenoids and the MSIV "A" and "B" solenoids. Each RPS bus is normally fed via a DC to AC inverter with the inverter fed by a non-Class 1E battery charger with a floating battery. During maintenance or inverter failure or power loss, a manual bypass switch may be used to transfer the RPS bus to an alternate 120 Vac source from a Class 1E 480/120V transformer. See Figures 7.2-9 and 7.2-10 and Drawing E02-1RP99.
CPS/USAR CHAPTER 07 7.2-2 REV. 11, JANUARY 2005 7.2.1.1.3.2 125 Vdc The 125 Vdc is provided by the four divisional batteries. Batteries are sized to supply shutdown loads for a minimum of four hours without the chargers operating. 7.2.1.1.3.3 DC Logic Power DC logic power consists of eight 24 Vdc supplies (2 per division) and eight 12 Vdc supplies (2 per division). The dc supplies are powered from four 120 Vac NSPS buses. (See Subsection
7.2.1.1.3.) 7.2.1.1.4 Equipment Design 7.2.1.1.4.1 General The RPS instrumentation is divided into sensor (instrument) channels, trip logic divisions, and actuator output logic divisions. There are four sensor channels for each variable, although more than one sensor per variable may provide inputs to each trip channel. The sensor trip channels are designated as A, B, C and D, or divisions 1, 2, 3, and 4. The sensor trip channels are combined into a two-out-of-four logic using isolation modules to assure that no single failure can prevent the required safety
action from the remainder of the system. There are four trip logic divisions, which are designated as divisions 1, 2, 3 and 4. The four actuator logics are also designated as division 1, 2, 3, and 4. Each trip logic division 1 through 4 provides output signals to both scram pilot valve solenoids in rod groups 1, 2, 3, and 4 via the four Actuator Logics. During normal operation, all sensor and logic devices essential to safety are as shown in Figures 7.2-5 and 7.2-6. Figure 7.2-2 summarizes the RPS signals that cause a scram. The functional arrangement of sensors and channels that constitutes a single logic is shown in Figure 7.2-3. When a trip channel sensor signal exceeds the set point of the analog comparator trip module (ATM) the output changes state. The trip logics are unaware of the signal because the necessary two out of four coincidence is not met. When the signals of two or more trip channels of the same variable exceed the set point, the trip and actuator logics deenergize all scram pilot valve solenoids. There is one scram pilot valve with two solenoids and two scram valves for each control rod, arranged as shown in Drawing M05-1078, Sheet 3. Each scram pilot valve is solenoid operated, with the solenoids normally energized. The scram pilot valves control the air supply to the scram valves for each control rod. With either scram pilot valve solenoid energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive water. As shown in drawing E02-1RP99, scram pilot valves for each group are controlled by actuator logics composed of signals from all four division logics.
CPS/USAR CHAPTER 07 7.2-3 REV. 11, JANUARY 2005 When any two-out-of-four actuator logics are tripped, air is vented from the scram valves and allows control rod drive water to act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is exhausted into a scram discharge volume. To restore the RPS to normal operation following any single actuator logic trip or a scram, the actuators must be reset manually. After a 10-second delay, reset is possible only if the conditions that caused the scram have been cleared. The actuator logics are reset by operating switches in the main control room. There are two dc solenoid operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for either backup scram valve is energized, the backup scram valves vent the air supply for the scram valve. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valves are energized (initiate scram) when any two-out-of-four Actuator Logics are tripped. To prevent the potential consequences of a postulated anticipated transient without scram (ATWS) event, a non-safety related alternate rod insertion (ARI) subsystem is provided as part of the ATWS system and is described in Subsection 7.7.1.25.1. 7.2.1.1.4.2 Initiating Circuits The RPS scram functions, shown in Figure 7.2-2, are discussed in the following paragraphs.
(1) Neutron Monitoring System-NMS (See Figure 7.2-4) Neutron monitoring system instrumentation is described in Section 7.6. The neutron monitoring system channels are considered to be part of the neutron monitoring system; however, the neutron monitoring system logics provide inputs to the RPS. Each RPS IRM logic receives signals from two IRM channels, and each RPS APRM logic receives signals from one APRM channel. The position of the reactor mode switch determines which input signals will affect the output signal from the logic. The neutron monitoring system logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. There are four neutron monitoring system logics associated with the RPS. Each RPS logic receives inputs from either one SRM, APRM, or two IRM channels. High-high trip inputs from each SRM are combined to produce a non-coincident reactor trip through the automatic scram logic which is permitted by the removal of four shorting links. a. IRM System Logic The IRMs monitor neutron flux between the upper portion of the SRM range to the lower portion of the APRM range. The IRM detectors can be positioned in the core from the control room. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor reaches a predetermined power level within the power range. The IRM is able to generate a trip signal that CPS/USAR CHAPTER 07 7.2-4 REV. 11, JANUARY 2005 can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range. The IRMs are divided into four groups of IRM channels arranged in the core as shown in drawing E02-1NR99. Two IRM channels are associated with each one of the four trip channels of the RPS. Two IRM channels and their trip auxiliaries from each group are installed in each separate NMS cabinet. The arrangement of IRM channels allows the two IRM channels in each group (or one RPS trip channel) to be bypassed without compromising the intermediate range neutron
monitoring function. Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on three conditions: (1) when the high voltage drops below a preset level, (2) when one of the modules is not plugged in, or (3) when the OPERATE-CALIBRATE switch is not in the OPERATE position. Each of the other trip circuits are specified to trip if preset downscale or upscale levels are reached. The trip functions actuated by the IRM trips are indicated in Table 7.6-4. The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram (drawing E02-1NR99). Subsection 7.7.1.2.3.2.3, "Rod Block Trip System," describes the IRM rod block trips. With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates a neutron monitoring system trip of the RPS. Only one of the IRM channels must trip to initiate a NMS trip of the associated trip channel of the RPS. At least two IRM trip channels in the RPS must trip to result in a scram. b. APRM System Logic The APRM channels receive input signals from the LPRM channels and provide a continuous indication of average reactor power from 10 percent to greater than rated reactor power. The APRM subsystem has redundant channels which meet industry and regulatory safety criteria. With the maximum permitted number of LPRM channels bypassed, the APRM subsystem is capable of generating a trip scram signal before the average neutron flux increases to the point that fuel damage is
probable. The trip units for the APRMs supply trip signals to the RPS and the Rod Control and Information System. Table 7.6-6 itemizes the APRM trip functions. Any one APRM can initiate a rod block, depending on the position of the reactor mode switch. Subsection 7.7.1.2, "Rod Control and Information System," describes in detail the APRM rod block functions. The APRM upscale rod block and the simulated thermal power scram trip set points vary as a function of reactor recirculation driving loop flow. The APRM signals for upscale rod block and the thermal power scram trip are passed through a 6-second time constant circuit to simulate thermal power. A faster response time (approx. 0.09 seconds) APRM upscale trip has a fixed setpoint, not variable with recirculation flow. Any APRM upscale or inoperative trip initiates a NMS trip in the RPS. Only the trip channel associated with that APRM is affected. At least two APRM trip channels in the CPS/USAR CHAPTER 07 7.2-5 REV. 11, JANUARY 2005 RPS must trip to result in a scram. The operator can bypass the trips from one APRM in each trip system of the RPS via the divisional sensor bypass. A simplified circuit arrangement is shown in Figure 7.6-20 (APRM Block Diag.). In addition to the IRM upscale trip, a fast response APRM neutron flux trip function with a setpoint of 15% power is active in the startup mode. Neutron monitoring system channel operating bypasses are described in Subsection 7.2.1.1.4.4.1. Diversity of trip initiation for unusual excursions at reactor power is provided by the Neutron Monitoring System trip signals and reactor vessel high pressure trip signals. An increase in reactor power will initiate protective action from the Neutron Monitoring System as discussed in the above paragraphs. This increase in power will cause reactor pressure to increase due to a higher rate of steam generation with no change in turbine control valve position resulting in a trip from reactor vessel high pressure. These variables are independent of one another and provide diverse protective action for this condition. (2) Reactor Pressure Reactor pressure is measured at four physically separated locations. An instrument sensing line from each location is routed through the drywell and terminates in the containment. One locally mounted, nonindicating pressure transmitter monitors the pressure in each instrument sensing line. Cables from these transmitters are routed to the control room. Each pressure transmitter provides a signal to a trip module in the same instrument channel. High pressure initiates a trip signal in each channel. Only the channel associated with each transmitter is affected. The physical separation and the signal arrangement assure that no single physical event can prevent a scram caused by reactor vessel high pressure. At least two instrument trip channel trips are required to cause a scram. The environmental conditions for the RPS are described in Subsection 3.11.2. The piping arrangement of the reactor pressure sensors is shown in Drawing 796E724, "Nuclear Boiler System P&ID." The discussion of diversity for reactor vessel high pressure is provided in Subsection 7.2.1.1.4.5. (3) Reactor Vessel Water Level Reactor vessel high and low water level signals are initiated from level (differential pressure) transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The transmitters are arranged on four sets of taps in the same way as the reactor vessel high pressure transmitters. The four pairs of instrument sensing lines terminate outside the drywell and inside the containment; they are physically separated from each other and tap the reactor vessel at widely separated points. Other systems sense pressure and level from these same instrument sensing lines. Each transmitter provides a high and low level signal to one trip channel trip module in the RPS. At least two trip channel trips are required to cause a scram. The physical separation of CPS/USAR CHAPTER 07 7.2-6 REV. 11, JANUARY 2005 redundant instruments and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level. Diversity of trip initiation for breaks in the reactor coolant pressure boundary is provided by reactor vessel low water level trip signals and high drywell pressure trip signals. If a break in the primary system boundary were to occur, a volume of primary coolant would be released to the drywell in the form of steam. This release would cause reactor vessel water level to decrease and drywell pressure to increase resulting in independent protective action initiation. These variables are independent and provide diverse protective action for this condition. The environmental conditions for the RPS are described in Subsection 3.11. The piping arrangement of the reactor vessel water level sensors is shown in Drawing 796E724, "Nuclear Boiler System P&ID." (4) Turbine Stop Valve Turbine stop valve closure inputs to the reactor protection system come from valve stem position switches mounted on the four turbine stop valves. Each of the single-pole, single-throw switches opens before the valve is more than 10% closed (Analytical Limit) to provide the earliest positive indication of closure. The logic is arranged so that closure of two or more valves initiates a scram, as shown in Figure 7.2-7. Turbine stop valve closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.2. Diversity of trip initiation for increases in reactor vessel pressure due to termination of steam flow by turbine stop valve or control valve closure is provided by reactor vessel high pressure and power trip signals. A closure of the turbine stop valves or control valves at steady-state conditions would result in an increase in reactor vessel pressure.
If a scram was not initiated from these closures, a scram would occur from high reactor vessel pressure or power. Reactor vessel high pressure and high power are independent variables for this condition and provide diverse protective action. The environmental conditions for the RPS are described in Subsection 3.11. (5) Turbine Control Valve Fast Closure Turbine control valve fast closure inputs to the RPS come from oil line pressure switches on each of four fast acting control v alve hydraulic mechanisms. These hydraulic mechanisms are part of the turbine control, and they are used to effect fast closure of the turbine control valves. These pressure switches provide signals to the RPS as shown in Figure 7.2-7. If hydraulic oil line pressure is lost, a turbine control valve fast closure scram is initiated. Turbine control valve fast closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.2. The discussion of diversity for turbine control valve fast closure is the same as that for turbine stop valve closure provided in Subsections 7.2.1.1.4.2(4) and 7.2.1.1.4.5.
CPS/USAR CHAPTER 07 7.2-7 REV. 11, JANUARY 2005 The environmental conditions for the RPS are described in Subsection 3.11. (6) Main Steam Line Isolation Valves Limit switches mounted on the eight main steam line isolation valves signal main steam line isolation valve closure to the reactor protection system. Each of the valve limit switches is arranged to open before the valve is more than 15% closed (Analytical Limit) to provide the earliest positive indication of closure. To facilitate the description of the logic arrangement, the position-sensing channels for each valve are identified and assigned to reactor protection system logics as follows: Valve Identification Position-Sensing Channels Feed TripTrip Logic Main steam line A, inboard valve F022A Division 1 Main steam line A, outboard valve F028A Division 1 Main steam line B, inboard valve F022B Division 2 Main steam line B, outboard valve F028B Division 2 Main steam line C, inboard valve F022C Division 3 Main steam line C, outboard valve F028C Division 3 Main steam line D, inboard valve F022D Division 4 Main steam line D, outboard valve F028D Division 4 The arrangement of signals within the trip logic requires closing of at least one valve in two or more steam lines to cause a scram. In no case does closure of two valves in one steam line cause a scram due to valve closure. The wiring for position-sensing channels feeding the different trip channels is separated. Main steam line isolation valve closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.3. Diversity of trip initiation for main steam isolation is provided by reactor vessel high pressure and power trip signals. A closure of the MSIVs at steady state conditions would cause an increase in reactor vessel pressure and power. If a scram was not initiated from MSIV closure, a scram would occur from high reactor vessel pressure or high power. These variables are independent and provide diverse protective action for this condition. The environmental conditions for the RPS are described in Subsection 3.11. (7) Scram Discharge Volume Four non-indicating level switches (one for each channel) provide scram discharge volume (SDV) high water level inputs to the four RPS channels. In addition, a non indicating level transmitter and a trip unit for each channel provide redundant SDV high water level inputs to the RPS. This arrangement provides diversity, as well as CPS/USAR CHAPTER 07 7.2-8 REV. 11, JANUARY 2005 redundancy. Sensors are arranged so that no single event will prevent a reactor scram caused by scram discharge volume high water level. With the predetermined scram setting, a scram is initiated when sufficient capacity still remains in the tank to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting. Scram discharge volume water level trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.4. The scram discharge volume function is to receive water which is discharged from the control rod drives (CRD) during a scram. If at the completion of the scram the level of water in the scram discharge volume is greater than the trip setting, the RPS cannot be reset until the discharge volume has been drained. In addition as described previously, the trip setting has been selected such that sufficient volume would be available to receive a full discharge of CRD water in the event that the scram discharge volume high level trip does not occur and subsequent scram protection is required. The environmental conditions for the RPS are described in Subsection 3.11. The piping arrangement of the scram discharge volume level sensors is shown on Drawing M05-1078, "CRD Hydraulic System P&ID." (8) Drywell Pressure Drywell pressure is monitored by four nonindicating pressure transmitters mounted on instrument racks outside the drywell in the containment. These racks also house the reactor vessel level and pressure sensors. Instrument sensing lines connect the transmitters with the drywell interior. The transmitters are physically separated and electrically connected to the RPS so that no single event will prevent a scram caused by drywell high pressure. Cables are routed from the transmitters to the divisional cabinets.
Each transmitter provides an input to one trip channel and one logic division. Each transmitter provides a drywell high pressure signal to one trip channel trip module in the RPS. At least two trip channel trips are required to cause a scram. The discussion of diversity for high drywell pressure is provided in Subsection 7.2.1.1.4.5. The environmental conditions of the RPS are described in Subsection 3.11.
(9) Deleted.
(10) Manual Scram A scram can be initiated manually. There are four scram buttons, one for each division logic (1, 2, 3 and 4). To initiate a manual scram, the arming collars must be set and at least two buttons must be depressed. The manual scram logic is the same as the automatic scram logic at the divisional logic level, i.e., any two-out-of-four divisions. The switches are located close enough to permit one hand motion to initiate a scram.
Manual scram capability can be tested. The reactor operator also can scram the reactor by interrupting power to the scram pilot valve solenoids or by placing the mode switch in its shutdown position.
CPS/USAR CHAPTER 07 7.2-9 REV. 11, JANUARY 2005 7.2.1.1.4.3 Logic The basis logic arrangement of the RPS is illustrated in drawing E02-1RP99. The system is arranged as four separately powered division logics. Each logic receives input signals from at least one channel for each monitored variable. At least four channels for each monitored variable are required, one for each of its four automatic or manual logics. Channel and trip logic devices are fast-response, and are highly reliable solid-state components. The actuator logic devices for interrupting the scram pilot valve solenoids have high current carrying capabilities and are highly reliable. All RPS logic devices are selected so that the continuous load will not exceed 50% of the continuous duty rating. The system response time, from the input of a step function to the input of the trip channel trip device, up to and including the change of state of the trip actuator, is less than 30 milliseconds. The time requirements for control rod movement are discussed in Subsection 4.6.1.1.2.5.3. The RPS response time, which is the time interval from when the monitored parameter exceeds its setpoint at the channel sensor until de-energization of the scram pilot valve solenoids, is provided in the Operational Requirements Manual (ORM). In each division, the trip channel inputs are combined into a two-out-of-four system trip logic or a non-coincident combination logic in each of the four divisional trip systems. Each trip system logic provides one input into each of the actuator logics. To produce a scram, any two-out-of-four Actuator logics must be tripped. Diversity of variables is provided for RPS but not in the trip and actuator logics.
The RPS reset switches (one per division) are used to momentarily bypass the seal-in circuit of the trip logic of the reactor shutdown system. If a single trip logic is tripped, or if a reactor scram condition is present, manual reset is prohibited for a 10-second period to assure completion of required safety actions and to permit the control rods to achieve their fully inserted position.
The manual trip can be immediately reset. Scram reset redundancy is provided by use of four reset switches. Actuation of all four switches is required to reset, following a scram and 10 second time delay, provided that the scram initiation signal has cleared. The use of four reset switches ensures that each division of the RPS logic is reset and that the trip condition has cleared. 7.2.1.1.4.4 Scram Operating Process Divisional channel bypasses exist for all essential variables, except the non-coincident NMS channels which can be bypassed by individual selector switches, via the NS 4/RPS division of sensor bypass. Only one division may be bypassed at a time which converts the RPS system logic from a two-out-of-four to a two-out-of-three logic trip system. Interlocks are provided to prevent bypassing more than one logic division at a time. All manual bypass switches are in the main control room, under the direct control of the main control room operator. The bypass status of trip system components is continuously indicated in the control room. There are four keylocked bypass switches, one for each logic division, located in the main control room. Bypassing any single system logic division will not inhibit protective action when required.
CPS/USAR CHAPTER 07 7.2-10 REV. 11, JANUARY 2005 7.2.1.1.4.4.1 Neutron Monitoring System Bypasses for the neutron monitoring system channels are described below. Divisional channel bypasses exist for both the APRM and IRM system channels via the NS 4/RPS division of sensor bypass. Only one division may be bypassed at a time, which then converts the RPS system logic from a two-out-of-four to a two-out-of-three logic trip system. Interlocks are provided to prevent bypassing more than one logic division at a time. There are four keylocking bypass switches of the maintained contact type, one for each logic division, located in the main control room. Bypassing either an APRM or an IRM channel will not inhibit the neutron monitoring system from providing protection action when required. Divisional bypasses do not exist for the SRM RPS logic. However, individual SRM channels may be bypassed by a selector switch located in the main control room. For the SRM division logic to function, either a non-tripped or bypass condition for the APRM and IRM division logic must exist. During fuel loading, neutron flux is monitored by the source range neutron monitoring channels. When the four shorting lin ks are removed, the SRMs provide a scram signal when the preset level of any channel has been reached. The SRM trip logic is bypassed by installation of the four shorting links. 7.2.1.1.4.4.2 Turbine Stop Valve and Turbine Control Valve Test/Fast Closure The turbine control valve fast closure scram and turbine stop valve closure scram are automatically bypassed if reactor power is at a value less than 33.3% of its rated value as indicated by turbine first stage pressure. Closure of these valves below this low initial power level will not cause fuel thermal power limits (MCPR) to be violated, thus the protective scram trip is bypassed at these low power levels. Turbine control valve fast closure and turbine stop valve closure trip bypass is effected by four pressure transmitters connected to the turbine first stage. One annunciator for channels 1 and 4 and one for channels 2 and 3 indicate the bypass condition. The transmitters are arranged so that no single failure can prevent a turbine stop
valve closure scram or turbine control valve fast closure scram. In addition, this bypass is operationally removed when the turbine first stage pressure exceeds the setpoint corresponding to greater than 33.3% of rated power. Turbine first stage pressure is sensed from 2 physically separate and redundant pressure taps. Each pressure tap is piped to two pressure transmitters which sense first stage pressure.
Redundancy has been achieved by connecting one pressure transmitter output to each of the four divisional trip logics such that at least two divisions must be bypassed, by action of the turbine first stage pressure scram bypass trip modules, to prevent a scram from turbine stop valve closure or turbine control valve fast closure. 7.2.1.1.4.4.3 Main Steam Line Isolation Valves At plant shutdown and during initial plant startup, bypass is required for the main steam line isolation valve closure scram trip in order to proper ly reset the Reactor Protection System. This bypass is in effect when the mode switch is in the shutdown, refuel or startup position. The bypass allows plant operation when the main steam line isolation valves are closed during low power operation. The operating bypass is remov ed when the mode switch is placed in RUN. The discussion of diversity for main steam line isolation valve closure is provided in Subsection 7.2.1.1.4.2(6) and 7.2.1.1.4.5.
CPS/USAR CHAPTER 07 7.2-11 REV. 12, JANUARY 2007 7.2.1.1.4.4.4 Scram Discharge Volume Level The scram discharge high water level trip bypass is controlled by the manual operation of keylocked divisional bypass switches, and is interlocked with the mode switch. The mode switch must be in the SHUTDOWN or REFUEL position. Four bypass channels emanate from the four banks of the RPS mode switch and are connected into the RPS logic. This bypass allows the operator to reset the reactor trip system trip actuators so that the system is restored to operation allowing the operator to drain the scram discharge volume. Resetting the trip actuators opens the scram discharge volume vent and drain valves. One annunciator in the main control room for each channel indicates the bypass condition. The discussion of diversity of the scram discharge volume level trip is provided in Subsection 7.2.1.1.4.2(7). 7.2.1.1.4.4.5 Mode Switch in Shutdown The scram initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a short time delay. The bypass allows the contr ol rod drive hydraulic sy stem valve lineup to be restored to normal. One annunciator in the main control room for channels 1 and 4 and one for channels 2 and 3 indicate the bypassed condition.
Redundancy of the operating bypass with the mode switch in shutdown is provided by four separate time delay devices connected in a manner which provides redundancy of the bypass operation, but will not inhibit the scram initiation. Diversity of variables is not provided for this function because placing of the mode switch in shutdown is the normal method for shutting down the reactor and requires only operator action for initiation. The mode switch in shutdown is not a safety function and does not require diversity. 7.2.1.1.4.4.6 Maintenance, Calibration or Test Bypasses Each reactor scram sensor can be removed for maintenance, test or calibration. When a trip channel is removed from service, annunciation of the administrative tripping of one of the four trip channels or alarming of the channel bypass is provided in the control room. A single division of system inputs to the 2/4 logic s may be bypassed by the manual actuation of one keylocked selector switch located in the main control room. The bypass switch permits disabling the inputs of one division at a time, changing the overall two out of four logics to two out of three (still meeting the single failure criterion requirement of IEEE-279). There are four sensor bypass switches designated for NS 4/RPS. Each switch is electrically interlocked to prevent bypassing more than one divisions' inputs (t o that system) at a time. Each bypass is indicated at the input cabinet, and is annunciated in the main control room. The bypass switch in one logic cabinet is electrically interlocked with the switches on the other divisions. Only the first bypass switch operated will affect a bypass. If a second switch is operated or fails so that it attempts to bypass, the bypass signal is ignored. APRM and IRM channel trip functions are administratively bypassed by the use of the respective division sensor bypass switch as required for maintenance, test, or calibration.
CPS/USAR CHAPTER 07 7.2-12 REV. 12, JANUARY 2007 Administrative controls during maintenance, test, and calibration are specified in the individual maintenance, test, and calibration procedures and in the plant Technical Specifications. A discussion of the bypass indication is provided in Subsection 7.2.2.1.2. 7.2.1.1.4.4.7 Interlocks The scram discharge volume high water level trip bypass signal interlocks with the rod control and information system to initiate a rod block. Reactor vessel low water level, reactor vessel pressure and drywell high pressure signals are shared with the containment and reactor vessel isolation control system (CRVICS). The sensors provide signals to trip channels in the RPS, and the containment and reactor vessel isolation control system (CRVICS). The turbine stop valve closure and turbine control valve fast closure channels also provide signals to trip the reactor recirculation pumps. In addition, the turbine stop valve channels are interlocked with the CRVICS low condenser vacuum bypass. A discussion of the Neutron Monitoring System interlocks to rod block functions is provided in Subsection 7.6.1.5. The reactor mode switch has interlocks to other than the RPS. These interlocks are discussed in Subsection 7.6.1 and 7.3.1. 7.2.1.1.4.5 Redundancy and Diversity Instrument sensing lines from the reactor vessel are routed through the drywell and terminates inside the containment. Instruments mounted on instrument racks in the containment sense reactor vessel pressure and water level from these instrument sensing lines. Valve position switches are mounted on valves from which position information is required. The sensors for RPS signals from equipment in the turbine building are mounted locally. The four battery powered inverters and divisional 120 Vac power supplies for the RPS are located in an area where they can be serviced during reactor operation. Cables from sensors and power cables are routed to four RPS logic cabinets in the main control room. One logic cabinet is used for each division. The redundancy portions of the RPS have physically separated sensor taps, sensing lines, sensors, sensor rack locations, cable routing and termination in four separate panels in the control room. By the use of four or more separate redundant sensors for each RPS variable with separate redundant logic and wiring, the RPS system has been protected from a credible single failure. For additional information on redundancy of RPS subsystems, refer to
Subsection 7.2.1.1.4.2. Redundancy of NSPS power supply to RPS logic is provided. There are four battery powered inverter power supplies which supply NSPS electrical power, one to each logic division of the RPS. A loss of one power supply will neither inhibit protective action nor cause a scram.
CPS/USAR CHAPTER 07 7.2-13 REV. 11, JANUARY 2005 Diversity is provided by monitoring diverse sets of independent reactor vessel variables. Pressure, water level, and neutron flux are all independent and are separate inputs to the system. Main steam line isolation valve closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of a reactor vessel high pressure and power scram trip. Therefore, reactor high pressure and power are diverse scram inputs to main steam line closure. Drywell high pressure and reactor low water level are diverse scram variables for a steam line break inside the containment. Diversity of variables for main steam line breaks outside the drywell, which initiate main steam line isolation and in turn reactor trip initiation is covered in Subsection 7.3.1.1.2.4.1.3.5. Diversity of variables for residual heat removal (RHR) system line breaks, which only initiate RHR isolation, is covered in Subsection 7.3.1.1.2.4.1.11.5. Diversity of variables for reactor water cleanup system (RWCU) line breaks, which only initiate RWCU isolation, is covered in Subsection 7.3.1.1.2.4.1.10.5. Diversity of variables for reactor core isolation cooling (RCIC) system steam line breaks, which only initiate RCIC isolation, is provided by ambient temperature, steam line pressure, and flow measurements. Other leaks outside drywell are detected by sump levels and the leak detection signals have no reactor trip function. Additional discussions of diversity of RPS variables are provided in Subsection 7.2.1.1.4.2. 7.2.1.1.4.6 Actuated Devices The actuator logic prevents output current flow when a trip signal is received and deenergizes the scram valve pilot solenoids. There are two pilot solenoids per control rod. Both solenoids must deenergize to bleed the instrument air from and open the inlet and outlet scram valves to allow drive water to scram a control rod. Each solenoid receives its signal from actuator logic in divisions 1 through 4. The instrument air system provides support to the RPS by maintaining the air operated scram valve closed until a scram is required. The individual control rods, the scram valves and pilot solenoids and their controls are not part of the RPS. For further information on the scram valves and controls rods see Subsection 4.2.3. The "A" and "B" scram pilot valve solenoids are s upplied from RPS busses A and B. Each RPS bus provides uninterruptible non-Class 1E 120 Vac power. See Subsection 7.2.1.1.3.1. In addition to the two scram valves for each control rod drive, there are two backup scram valves which are used to vent the scram pilot valve air header for all control rods. Energizing either backup scram valve initiates venting, and the two backup scram valves are individually supplied with 125-Vdc power from the essential plant batteries. Any use of plant instrument air system for auxiliary use is so designed that a failure of the air system will cause a safe direction actuation of the safety device.
CPS/USAR CHAPTER 07 7.2-14 REV. 11, JANUARY 2005 7.2.1.1.4.7 Separation Four independent sensor channels monitor the various process variables listed in Subsection 7.2.1.1.4.2. The redundant sensor devices are separated such that no single failure can prevent a scram. All protection system wiring outside the logic cabinets is run in divisional raceways. Physically separated cabinets or cabinet bays are provided for the four scram trip logics. The arrangement of RPS channels and logic is shown in Figure 7.2-3. The criteria for separation of sensing lines and sensors are discussed in Subsection 7.1.2.2. The mode switch, scram discharge volume high water level trip bypass switches, scram reset switches, and manual scram switches are all mounted on the principal plant console. Each device is mounted in a metal enclosure and has a sufficient number of barrier devices to maintain adequate separation between redundant portions of the RPS. Conduit is provided from the metal enclosures to the point where adequate physical separation can be maintained without barriers. The outputs from the logic cabinets to the scram pilot valve solenoids are run in rigid conduit or armored cable with no other wiring. There are conduit groups which match the four scram groups. The groups are selected so that the failure of one group to scram will not prevent a reactor shutdown. Signals which must run between redundant RPS divisions are electrically/
physically isolated by isolators to provide separation. RPS inputs to annunciators, recorders, and the computer systems are arranged so that no malfunction of the annunciating, recording or computing equipment can functionally disable the RPS. Direct signals from RPS sensors are not used as inputs to annunciating or data logging equipment. Electrical isolation is provided between the primary signal and the information output by means of optical isolators. 7.2.1.1.4.8 Testability The RPS can be tested during reactor operation by six separate tests. The first five tests are manual tests and, although each individually is a partial test, combined with the sixth test they constitute a complete system test. The sixth test is the self-test of the Nuclear Systems Protection System which includes the logic for the RPS and several other safety systems. The self-test automatically tests the complete system excluding sensors and actuators. The first of these is the manual scram test. The manual scram test verifies the ability to de-energize the scram pilot valve solenoids without scram by using the manual scram pushbutton switches. By depressing the manual scram button for one trip logic, one of the two pilot valve solenoids in each scram group is de-energized. After the first trip logic is reset, the second trip logic is tripped manually and so forth for the four manual scram buttons. In addition to control room and computer printout indications, scrams groups indicator lights indicate that the actuator trip logics have de-energized the scram pilot valve solenoids. The second test includes calibration of the Neutron Monitoring System by means of simulated inputs from calibration signal units. Calibration and test controls for the Neutron Monitoring System are located where the LPRM cards are located in the Main Control Room. They are under the administrative control of the control room operator. Subsection 7.6.1.5, "Neutron Monitoring System," describes the calibration procedure.
CPS/USAR CHAPTER 07 7.2-15 REV. 11, JANUARY 2005 The third test is the single rod scram test which verifies the capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular control rod drive. Timing traces can be made fo r each rod scrammed. Prior to the test, a physics review is conducted to assure that the rod pattern during scram testing will not create a rod of unacceptable reactivity worth. The fourth test involves applying a test signal to each RPS analog trip channel in turn and observing that the channel trip device changes state. One method utilizes electrical signals generated by the calibrator and fed to the ATM while bypassing the transmitter (see Subsection 7.1.2.10). If desired, the transmitter may be used directly in the test. In this method, the manually initiated test signals simulate the actual process signal. The test signal can be manually varied and, in conjunction with the Analog Trip Module (ATM) output indicator light and the appropriate instruments, both the transmitter and ATM outputs can be verified. This test also verifies the channel independence of the input variables. Pressure transmitters and level transmitters are located on their respective local panels. The transmitters can be individually valved out of service and subjected to test pressure to verify operability of the transmitters as well as verification of calibration range. To gain access to the field controls on each transmitter, a cover plate of sealing device must be removed. The access to the field controls is administratively controlled. Only qualified personnel are granted access for the purpose of testing or calibration adjustments. The fifth test is the sensor check. Digital inputs are tested by varying the monitored variable (e.g., stop valve closure, control valve fast closure, main steam line isolation valve closure) or by disconnecting the sensor from the process variable and inputting and varying a test source (e.g., CRD scram discharge high water level). In those cases where the sensor is disconnected from the process variable, an out-of-service alarm will be indicated in the main control room. Analog input is checked by cross comparison of the instrument channels measuring the same variable. The sixth test is an Automatic Pulse Test (APT) performed by the Self-Test Subsystem (STS) to the Nuclear Systems Protection System (NSPS).
The Self-Test Subsystem is an overlay testing and surveillance subsystem which provides the capability to continuously and automatically perform end-to-end testing of all active circuitry, within the NSPS panels, essential to t he safe shutdown of the reactor. The primary purpose of the STS is to improve the availability of the NSPS by optimizing the time to detect and determine the location of a failure in the functional system. It is not intended that the STS eliminate the need for the other five manual tests. Rather, by continuously providing an on-line periodic test, most faults are detected more quickly than by manual testing only. The STS is classified as Safety Associated, and its equipment is designed to meet the IEEE standards and Regulatory Guides which apply to this classification. In particular, the STS is designed to meet the separation requirements of Reg Guide 1.75 by use of the same isolation devices and enclosures as the NSPS equipment with which it is associated. Wherever it interfaces with safety equipment, STS equipment is qualified to 1E standards. In addition, the interfaces are by means of high impedance isolation devices which insure that failures in the STS will not propagate to the safety equipment.
CPS/USAR CHAPTER 07 7.2-16 REV. 11, JANUARY 2005 The overall STS has the following general features: (1) Each of the four NSPS divisional panels has a resident Self-Test Controller (STC) which contains a microprocessor executing firmware program designed to perform the required testing within that panel and to perform the monitoring function between the panels. In conjunction with the STC's in the other three divisions, the interdivisional communication paths including the divisional isolators are tested. (2) A portable Diagnostic Terminal (DT) is used by maintenance for fault isolator. It is capable of detecting faults down to the replaceable PC card level. By providing information display and control interface to the STS, the Diagnostic Terminal minimizes the need for physical access to the essential hardware panels during maintenance thus serving to maximize NSPS availability. By using the keyboard of the DT, manual operation mode allows the selection of any test and repetition of tests. (3) The Process Computer (Performance Monitoring System) is used primarily as a communication link between the Diagnostic Terminal and the four Self-Test Controllers. (4) The STS provides the means to continuously monitor the logic circuit integrity and the circuit continuity of the following seven essential nuclear systems protection systems (NSPS) resident in the four divisional panels: A. Reactor Protection System B. Nuclear Steam Supply Shutoff System C. High Pressure Core Spray System D. Residual Heat Removal System E. Automatic Depressurization System F. Reactor Core Isolation Cooling System G. Low Pressure Core Spray System The STS utilizes the stimulus-response method of testing. A series of short duration pulses (origin of the name Automatic Pulse Test) are injected through a high impedance path into the "front ends" of the various modules (printed circuit boards). The pulse is of sufficient duration to temporarily change the state of the module. The test pulse is propagated through the logic to the point of measurement where it is compared by the STC with the expected result stored in the non-volatile data base of the STC.
To minimize test time, each system is subdivided into circuits which are tested separately. Interface circuits are retested by overlap-testing of the involved circuits. The maximum propagation delay (response time) through any logic channel in the NSPS will always be less than 1 millisecond for each overlapping test or the STS will report a logic fault.
CPS/USAR CHAPTER 07 7.2-17 REV. 11, JANUARY 2005 Test pulses are purposely of short duration and limited repetition rate so that they do not latch and cause mechanical movement downstream. This difference in responsiveness between functional system and tester is easy to achieve since the former involves electro-mechanical devices, slower response, and the latter is just an electronic pulse, fast response. To provide protection against inadvertent operation caused by abnormally long pulse, the device which couples the test pulse to the input has discrete elements combined in a manner to attenuate a pulse of excessive long duration. Only one STC at a time is allowed to perform its test sequence and this STC is known as the Master Unit with the other three STC being the slave units. Upon test completion, test control is passed on to the next STC which then becomes the new Master Unit. The testing continuously sequences from one STC to the next with the selection sequence being under software control. The slave units monitor the master unit and have the capability of taking over the annunciating when one detects a master unit fault. Each test sequence within a Division consists of four major test functions: (1) Test Microprocessor, Firmware, and Memory (self-check)
(2) Test Self-Test Subsystem (3) Test NSPS System (4) Test Interdivisional Communication Links The above tests are organized and controlled to establish NSPS circuit integrity by testing the tester first and then expanding the monitoring functions to include the interface circuitry and finally the NSPS circuits and interdivisional lines. Any STS failure will not degrade the NSPS function since STS is isolated from NSPS, hence eliminating failure propagation. Furthermore, any STS failure is automatically detected by the self-check and self-test of STS and cross-check of STC's. All interdivisional links are optically isolated. Upon fault detection (either absence of a signal or presence of a faulty signal), a retest sequence is performed before the information is recorded in the error log of the respective STC.
A single "STS Failure" annunciator output is provided to annunciate any failure detected by the STS. This indicates that a failure has been identified by the STS, either in the STS itself or in a functional system and that maintenance attention is required, commencing at the diagnostic terminal. This annunciator is designed to minimize the potential for a failure in one division to inhibit an annunciator from another division. The Diagnostic Terminal (DT) is then used to obtain the specific STC error log. The DT then functions as an interactive terminal allowing maintenance to isolate the fault to a replaceable PC card level. Backup information to identify the source of functional system out-of-service annunciation is provided by the system elementary diagrams which include indicators for the seven essential NSPS systems.
CPS/USAR CHAPTER 07 7.2-18 REV. 11, JANUARY 2005 Other tests which are performed on a less frequent basis are the ATM set point and response test, plant startup and shutdown sensor verification, sensor response time test, and special component manual tests. They are discussed in the following paragraphs. A manual ATM set point and response test is provided (see Technical Specification). Each ATM has provisions for the application of a current ramp and a stable current level. The current ramp is applied to check the trip setpoint and response time. The stable current level is applied to the set point (calibration). Bypasses may be utilized while performing individual ATM set point/response tests. Indication of a bypass at the annunciator panel in the control room will be initiated at the time the ATM is selected and placed in test/calibrate mode. The design is such that a gross failure alarm is initiated any time the manual test/calibrate is applied. The alarm typewriter provided with the Performance Monitoring System (process computer) verifies the correct operation of any sensors during plant startup and shutdown. Main steam line isolation valve position switches and turbine stop valve position switches can be checked in this manner. The verification provided by the alarm typewriter is not considered in the selection of test and calibration frequencies and is not required for plant safety. Required sensor response times are determined for each RPS function and are identified in the design specification. The sensor manufacturer provides sensors which meet the required response times and certifies their ability to obtain these values. During preoperational testing, the sensors are tested using an accepted industry method, and the actual response time data are compared to the design requirement for acceptance. In addition, the overall RPS response time is verified during preoperational testing from sensor trip to load drive trip device to the change of state of the actuator logic output, and can be verified thereafter by similar test. For NSPS components identified as having particular failure modes which could prevent the NSPS from performing its safety functions and which are not automatically tested by the self test system or monitored during standard periodic surveillance tests, special manual tests are performed at specified intervals to ensure their functionality. 7.2.1.1.4.9 Noise and Interference The basic elements of the decision-making logic of the NSPS are standard MIL grade CMOS logic elements, in dual in-line ceramic packages, mounted on multilayer printed circuit cards. CMOS logic was chosen for the NSPS application because of its high noise immunity compared to other types of solid state devices. With the CMOS devices powered by 12 Vdc, it takes an input greater than approximately 4 V to switch the output on a low-to-high transition, and less than approximately 8 V to switch on a high-to-low transition. Thus, noise spikes of considerable magnitude can be tolerated on the input lines without causing erroneous logic states. As a comparison, TTL logic that must be operated at +5 V has a low-to-high minimum threshold of approximately .7 V. Numerous design techniques have been utilized to reduce the possibility of any significant electrical noise being coupled into the logic circuitry. All inputs and outputs that leave the NSPS cabinets are buffered and isolated, and internal wiring is routed to prevent "crosstalk" or radiated electro-magnetic interference. Specifically, prevention of electromagnetic conducted interference is accomplished in the following ways.
CPS/USAR CHAPTER 07 7.2-19 REV. 11, JANUARY 2005 Power lines: Conduction of EMI via power lines to the logic elements is prevented by the use of switching power supplies that are specified by the manufacturer to have a maximum noise spike of 62 mV. In addition, each logic card has single pole filters on the power input to remove any remaining high-frequency noise. Input signal lines: Inputs from other separation divisions and from nondivisional sources are processed through optical isolators which are also filtered on the input side. Inputs from same-division sources such as the control room panels or field sources are processed through digital signal conditioners (DSC's) that are filtered and optically coupled. Inputs to trip units are current loops and therefore much less vulnerable to
EMI. Output signal lines: Outputs to actuated devices pass through load drivers that have pulse transformer coupling between input and output stages. Outputs to other logic elements in other divisions pass through optical isolators. Internal wiring: Interconnections between logic cards is on a backplane of wire-wrapped terminals. The connections are made point to point so that groups of wires do not run in parallel for long distances. Power wiring is routed as far from signal wiring as possible. The high current wiring of the drives to the pilot valve solenoids is run in conduit, as is the wiring for utility services (lighting).
Card layout: All signal inputs at the card level are buffered by a 100 K ohm resistor. The use of ground planes over large areas of the boards also insures electrically quiet circuitry. All standards of good practice were applied during the design and construction of the solid state safety system to prevent any problem with EMI. (Q&R 421.18) 7.2.1.1.5 Environmental Considerations Electrical devices for the RPS instrumentation are located in the containment, turbine building and main control room. The environmental conditions for these areas are shown in Table 3.11-5. 7.2.1.1.6 Operational Considerations 7.2.1.1.6.1 Reactor Operator Information 7.2.1.1.6.1.1 Indicators Scram group indicators extinguish when an actuator logic prevents output current flow from the 120 Vac power source to the scram pilot valve solenoid associated with the actuator logic. Recorders (which are not part of the RPS) in the main control room also provide information regarding reactor vessel water level, reactor vessel pressures, and reactor power level.
CPS/USAR CHAPTER 07 7.2-20 REV. 11, JANUARY 2005 7.2.1.1.6.1.2 Annunciators Each RPS trip channel input is provided to the annunciator system through isolation devices. Trip logic trips, manual trips, and certain bypasses also signal the annunciator system (Subsection 7.7.1). When an RPS sensor trips, it lights an annunciator window, one common to division 1 and 4 sensors and one common to division 2 and 3 sensors for that variable, or the principle plant console in the main control room to indicate the out-of-limit variable. Each trip logic, one common to logic division 1 and 4 and one common to logic division 2 and 3, lights a red annunciator window to indicate that a trip has occurred. As an annunciator system input, a RPS channel trip also sounds an audible indication, which can be silenced by the operator. The annunciator window lights flash until acknowledged, whereupon the window lights latch on. Resetting the annunciator system so as to extinguish the window lights is not possible until the condition causing the trip has been cleared. 7.2.1.1.6.1.3 Computer Alarms A computer printout identifies each tripped channel; however, status indication at the RPS trip channel device may also be used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. Additional discussion of the non-safety computer systems are contained in Section 7.7.1. Upon detection of a status change of any of the preselected sequential events contacts, the Sequence-of-Events Log shall be initiated and shall signal the beginning of an "Event." The log shall be automatically printed. This log will include both NSS and BOP inputs. Changes of state received 15 milliseconds or more apart are sequentially differentiated on the printed log, together with time of occurrence, which shall be printed in an hours, minutes, seconds, milliseconds format. Use of the alarm printer and computer is not required for plant safety. 7.2.1.1.6.2 Reactor Operation Controls 7.2.1.1.6.2.1 Mode Switch A conveniently located, multiposition, keylock mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate sensors for scram functions and provides appropriate bypasses. The switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the RPS. The switch is designed to provide separation between the four trip logic divisions. The mode switch positions and their related scram functions are as follows: (1) SHUTDOWN Initiates a reactor scram; bypasses main steam line isolation scram and the reactor vessel high water level scram and provides a discharge volume high water level trip bypass permissive.
(2) REFUEL Selects neutron monitoring system scram for low neutron flux level operation (but does not disable the APRM scram); bypasses main steam line isolation scram CPS/USAR CHAPTER 07 7.2-21 REV. 11, JANUARY 2005 and the reactor vessel high water level scram and provides a discharge volume high water level trip bypass permissive. (3) STARTUP Selects neutron monitoring system scram for low neutron flux level operation; bypasses main steam line isolation scram and the reactor vessel high water level scram. (4) RUN Selects neutron monitoring system scrams for power range operation. 7.2.1.1.6.3 Set Points Instrument ranges are chosen to cover the range of expected conditions for the variable being monitored. Additionally, the range is chosen to pr ovide the necessary accuracy for any required set points and to meet the overall accuracy requirements of the channel. See the Operational Requirements Manual (ORM) for setpoints. (1) Neutron Monitoring System Trip To protect the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The neutron monitoring system set point bases are discussed in Subsection 7.
6.1.5, "Neutron Monitoring System Instrumentation and Controls." (2) Reactor Vessel System High Pressure Excessively high pressure within the Reactor Vessel threatens to rupture the reactor coolant pressure boundary. A reactor vessel pressure increase during reactor operation compresses the steam voids and results in a positive reactivity insertion; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The reactor vessel high pressure scram setting is chosen slightly above the reactor vessel maximum normal operation pressure to permit normal operation without spurious scram, yet provide a wide margin to the maximum allowable reactor vessel pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high pressure scram setting. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable pressure. The reactor vessel high pressure scram setting also protects the core from exceeding thermal hydraulic limits that result from pressure increases during events that occur when the reactor is operating below rated power and flow. (3) Reactor Vessel Low Water Level Low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. Decreasing water level while the reactor is operating CPS/USAR CHAPTER 07 7.2-22 REV. 11, JANUARY 2005 at power decreases the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core. The reactor vessel low water level scram setting was selected to prevent fuel damage following abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. The scram setting is far enough below normal operational levels to avoid spurious scrams. The setting is high enough above the top of the active fuel to assure that enough water is available to account for evaporation loss and displacement of coolant following the most severe abnormal operational transient involving a level decrease. (4) Reactor Vessel High Water Level Indicates any increase in feed water flow and impending power increase. The high water level trip causes scram prior to significant power increase, limiting neutron flux and thermal transient so that the fuel design basis is satisfied. The scram setting is selected such that spurious scrams will be avoided and that abnormal operational transients causing an increase in feedwater flow will not result in unacceptable results. (5) Turbine Stop Valve Closure Closure of the turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the neutron monitoring system or reactor vessel high pressure. It is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure by inserting negative reactivity with control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the reactor vessel pressure limit.
The turbine stop valve closure scram setting provides the earliest positive indication of valve closure. (6) Turbine Control Valve Fast Closure With the reactor and turbine generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure. It is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system CPS/USAR CHAPTER 07 7.2-23 REV. 12, JANUARY 2007 pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of cont rol valve fast closure. (7) Main Steam Line Isolation The main steam line isolation valve closure can result in a significant addition of positive reactivity to the core as reactor system pressure rises. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The logic allows functional testing of main steam line isolation trip channels by partially closing a main steam line isolation valve. (8) Scram Discharge Volume High Water Level Water displaced by the control rod drive pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for the water displaced during a scram, fast control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram. (9) Drywell High Pressure High pressure inside the drywell may indicate a break in the reactor coolant pressure boundary or pressure increase as a result of high drywell temperature.
It is prudent to scram the reactor in such situations to minimize the possibility of fuel damage and to reduce energy transfer from the core to the coolant. The drywell high pressure scram setting is selected to be as low as possible without inducing spurious scrams. (10) Manual Scram Push buttons are located in the control room to enable the operator to shut down the reactor by initiating a scram. (11) Mode Switch in SHUTDOWN When the mode switch is in SHUTDOWN, the reactor is to be shut down with all control rods inserted. This scram is not considered a protective function, because it is not required to protect the fuel or reactor vessel process barrier and it bears no relationship to minimizing the release of radioactive material from any CPS/USAR CHAPTER 07 7.2-24 REV. 11, JANUARY 2005 barrier. The scram signal is removed after a short delay, permitting a scram logic reset that restores the normal valve lineup in the control rod drive hydraulic system. 7.2.1.1.7 Containment Electrical Penetration Assignment Electrical containment penetrations are assigned to the protection systems on a 4-division basis as described in Subsections 7.2.1.1.4.1 and 7.2.1.1.4.7. Each penetration is provided with an enclosure box on each end providing continuation of the metal wireways described in Subsection 7.2.1.1.4.7. 7.2.1.1.8 Cable Spreading Area Description A general description of the separation criteria used in cable spreading areas is described in GE Topical Report NEDO-10466-A "Power Generation Control Complex" and is further described in Subsection 8.3.1.4. 7.2.1.1.9 Main Control Room Area The main control room area is on one floor. Divisions 2 and 3, Nuclear System Protection System (NSPS) cabinets, and Divisions 1 and 4, NSPS Cabinets are located on opposite sides of the main control room. Detailed design basis, description, and safety evaluation aspects for a PGCC System are comprehensively documented and presented in GE Topical Report NEDO-10466-A "Power Generation Control Complex;" and its amendments. 7.2.1.1.10 Main Control Room Cabinets and Their Contents Each RPS logic cabinet for Divisions 1, 2, 3, and 4 contains the trip channel analog trip modules, optical isolators, trip channel logic, self test system, bypass switch, terminal boards, the trip and actuator logics, and the scram actuator load drivers for a single division. The console for reactor control contains the reactor mode switch, bypass switches, scram solenoid valve status indicating lights, and manual scram switches. 7.2.1.1.11 Test Methods that Ensure RPS Reliability Surveillance testing is performed periodically on the RPS during operation. This testing includes sensor calibration and trip channel actuation with simulated inputs to individual trip modules and sensors. The sensors, which are transmitters, can be checked by comparison of the associated control room meter readings on other channels of the same variable. 7.2.1.1.12 Interlock Circuits to Inhibit Rod Motion as well as Vary the Protective Function There are no interlock circuits which inhibit rod motion as well as vary the protective functions. 7.2.1.1.13 Support Cooling Systems, HVAC Systems Descriptions The cooling (ventilating) systems important for proper operation of RPS equipment are described in Section 9.4.
CPS/USAR CHAPTER 07 7.2-25 REV. 12, JANUARY 2007 7.2.1.2 Design Bases Design bases information requested by IEEE 279 is discussed in the following paragraphs. These IEEE 279 design bases aspects are considered separately from those more broad and detailed design bases for this system cited in Section 7.1.2.1.1. 7.2.1.2.1 Conditions The generating station conditions which require RPS protective action are identified in the CPS Technical Specifications and the Operational Requirements Manual. 7.2.1.2.2 Variables The generating station variables which require monitoring to provide protective actions are neutron flux, reactor water level, reactor steam dome pressure, reactor recirculation flow, main steam isolation valve position, turbine stop valve position, turbine first stage pressure, turbine control valve fast closure (sensed as EHC hydraulic oil pressure), drywell pressure and scram discharge volume water level. 7.2.1.2.3 Sensors for Variables Having Spatial Dependence A minimum number of 16 LPRMs per APRM, with at least 2 LPRMs at each of the 4 core axial levels, are required to provide adequate protective action. 7.2.1.2.4 Operational Limits Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious scram is avoided. It is then verified by analysis that the release of radioactive material, following postulated gross failures of the fuel or the reactor coolant pressure boundary, is kept within an acceptable bounds. Design basis operational limits are based on operating experience and constrained by the safety design basis and the safety analyses. 7.2.1.2.5 Margin Between Operational Limits The margin between operational limits and the limiting conditions of operation (scram) for the RPS are in CPS Technical Specifications and Operational Requirements Manual (ORM). The margin includes the maximum allowable accuracy error, sensor response times and sensor set point drift. Annunciators are provided, at the setpoints listed in the Operational Requirements Manual (ORM), to alert the reactor operator of the onset of unsafe conditions. 7.2.1.2.6 Levels Requiring Protective Action Levels requiring protective action are shown in CPS Technical Specifications and the Operational Requirements Manual. These levels are the limiting safety system settings. 7.2.1.2.7 Ranges of Energy Supply and Environmental Conditions RPS uninterruptible 120 Vac logic power is provided by four Class 1E NSPS busses. Each bus is powered by a 125 Vdc/120 Vac inverter fed by a battery charger with floating battery. Each battery has sufficient stored energy to maintain a stable power supply and thus prevent scrams CPS/USAR CHAPTER 07 7.2-26 REV. 11, JANUARY 2005 caused by switch yard switching transients. Power loss due to inverter failure is sensed by a solid state transfer switch which then automatically transfers the NSPS bus to an alternate Class 1E power source provided by a Class 1E 480/120 V transformer. Also, 120V AC can be supplied to the Division A and B NSPS buses by manual transfer to an inverter maintenance bypass feed. RPS 120 Vac scram solenoid and MSIV solenoid power is provided by two uninterruptible Class 1E RPS busses. Each bus is powered by a DC to AC inverter fed by a battery charger with floating battery. During maintenance or inverter failure/power loss, each RPS bus may be transferred manually to an alternate power source provided by a Class 1E 480/120 V transformer. (See Figures 7.2-9 and 7.2-10 and Drawing E02-1RP99.) Environmental conditions for proper operation of the RPS components during normal operations are covered in Table 3.11-5. 7.2.1.2.8 Unusual Events Unusual events are defined as malfunctions or accidents, and others which could cause damage to safety systems. Chapter 15 and Appendix 15A, "Accident Analysis" describes the following credible accidents and events; floods, storms, tornadoes, earthquakes, fires, LOCA, pipe break outside containment, and feedwater line break. Each of these events is discussed below for the subsystems of the RPS.
(1) Floods The buildings containing RPS components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain water tight under PMF. Therefore, none of the RPS functions are affected by flooding. See also Section 3.4.1. (2) Storms and Tornadoes The buildings containing RPS components have been designed to withstand all credible meteorological events and tornadoes as described in Subsection 3.3.2.
Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair the RPS capabilities. See also Section 3.3. (3) Earthquakes The structures containing RPS components except the turbine building have been seismically qualified as described in sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). Reactor high pressure and power trips are diverse to turbine scram variables.
(4) Fires To protect the RPS in the event of a postulated fire, the RPS trip logics have been divided into four separate independent RPS panels. The sections are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the RPS functions would not be prevented by the CPS/USAR CHAPTER 07 7.2-27 REV. 11, JANUARY 2005 fire. The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the RPS will continue to provide the required protective action.
Refer to Section 9.5.1.
(5) LOCA The following RPS subsystem components are located inside the drywell and would be subjected to the affects of a design basis loss-of-coolant accident (LOCA): a. Neutron Monitoring System (NMS) c abling from the detectors to the main control room. b. MSIV Inboard position switches. c. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines, which terminate outside the drywell. d. Drywell pressure taps.
These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11 and indicated in Table 3.11-5. (6) Pipe Break Outside Containment This condition will not affect the reliability of the RPS. (7) Feedwater Line Break This condition will not affect the RPS.
(8) Missiles Missile protection is described in Section 3.5. 7.2.1.2.9 Performance Requirements The Operational Requirements Manual specifies instrument response time requirements and RPS setpoints which incorporate the affects of instrument performance such as accuracy, range magnitude and rates of change of sensed variables. Further descriptions of instrument performance requirements are included in Design Specifications and Calculations. 7.2.1.3 Final System Drawings The electrical elementary diagrams which were provided under separate cover are discussed in Section 1.7.1.
CPS/USAR CHAPTER 07 7.2-28 REV. 11, JANUARY 2005
7.2.2 Analysis
7.2.2.1 Reactor Protection (Trip) System-Instrumentation and Controls 7.2.2.1.1 General Functional Requirements Conformance This subsection presents an analysis of how the various functional requirements and the specific regulatory requirements of the RPS design bases (Subsection 7.1.2.1.1) are satisfied. 7.2.2.1.1.1 Conformance to Design Basis Requirements 7.2.2.1.1.1.1 Design Bases 7.1.2.1.1.1.1(1)
The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier. Chapter 15, Accident Analysis, identifies and evaluates events that jeopardize the fuel barrier and reactor coolant pressure boundary. The methods of assessing barrier damage and radioactive material releases along with the methods by which abnormal events are sought and identified are presented in that chapter. Design bases from Subsection 7.1.2.1.1 require that the precision and reliability of the initiation of reactor scrams be sufficient to prevent or limit fuel damage. RPS allowable values and trip setpoints are established conservatively fr om analytic limits by accounting for instrument performance characteristics, calibration error and drift. The analytic limits are derived from limiting values of process parameters, which are obtained from the safety analysis. Technical Specifications provides allowable values, and the Operational Requirements Manual provides setpoints. The analysis on the use of the RPS inputs from devices mounted on non-seismically qualified equipment and/or located in non-seismically qualified enclosures has been accepted per three Safety Evaluation Reports, References 2, 3, and 4, and include data for 238 and generic 251 BWR/6 designs. This analysis takes into consideration turbine trip, generator load rejection trip, and recirculation pump trip (RPT). The selection of scram trip settings has been developed through analytical modeling, experience, historical use of initial setpoints and adoption of new variables and setpoints as experience was gained. The initial setpoint selection method provided for settings which were sufficiently above the normal operating levels (to preclude the possibilities of spurious scrams or difficulties in operation) but low enough to protect the fuel. As additional information became available or systems were changed, additional scram variables were provided using the above method for initial setpoint selection. The selected scram settings are analyzed to verify that they are conservative and that the fuel, and fuel barriers are adequately protected. In all cases, the specific scram trip point selected is a conservative value that prevents damage to the fuel, taking into consideration previous operating experience and the analytical models. 7.2.2.1.1.1.2 Design Basis 7.1.2.1.1.1.1(2)
The scram initiated by reactor high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the reactor coolant pressure boundary as a result of internal pressure. The main steamline isolation valve closure scram provides a greater margin to the reactor coolant pressure boundary pressure safety limit than does the high pressure scram. For CPS/USAR CHAPTER 07 7.2-29 REV. 11, JANUARY 2005 turbine generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the nuclear system pressure safety limit than does the high pressure scram. Chapter 15, Accident Analysis, identifies and evaluates accidents and
abnormal operational events that result in nuclear system pressure increases. In no case does pressure exceed the reactor coolant pressure boundary safety limit. 7.2.2.1.1.1.3 Design Basis 7.1.2.1.1.1.1(3)
The scram initiated by reactor vessel low water level limits the radiological consequences of gross failure of the fuel or reactor coolant pressure boundary. Chapter 15 evaluates gross failures of the fuel and reactor coolant pressure boundary. In no case does the release of radioactive material to the environs result in exposures which exceed the guide values of applicable published regulations. 7.2.2.1.1.1.4 Design Basis 7.1.2.1.1.1.1(4)
Scrams are initiated by variables which are designed to indirectly monitor fuel temperature and protect the reactor coolant pressure boundary. The Neutron Monitoring System monitors fuel temperature indirectly using incore detectors. The incore detectors monitor the reactor power level by detecting the neutron level in the core. Reactor power level is directly proportionate to neutron level and the heat generated in the fuel. Although the neutron monitoring system does not monitor fuel temperature directly, by establishing a correlation between fuel temperature and reactor power level, scram setpoints can be determined for protective action, which will prevent fuel damage. The reactor coolant pressure boundary is protected by monitoring parameters which indicate reactor pressure directly or anticipated reactor pressure increases. Reactor pressure is monitored directly by pressure sensors, which are connected directly to the reactor pressure vessel through sensing lines and pressure taps. In addition, reactor pressure transients are anticipated by monitoring the closure of valves which shut off the flow of steam from the reactor pressure vessel and cause rapid pressure increases. The variables monitored to anticipate pressure transients are main steamline isolation valve position, turbine stop valve closure, and turbine control valve fast closure. If any of these valves were to close, pressure would rise very rapidly, therefore, this condition is anticipated and a trip is initiated to minimize the pressure transient occurring. Chapter 15, identifies and evaluates those conditions which threaten fuel and reactor coolant pressure boundary integrity. In no case does the core exceed a safety limit. 7.2.2.1.1.1.5 Design Basis 7.1.2.1.1.1.1(5)
The scrams initiated by the Neutron Monitoring System, drywell pressure, reactor vessel pressure, reactor vessel water level, turbine stop valve closure, m ain steam isolation valve closure, and turbine control valve fast closure will prevent fuel damage. The scram setpoints and response time requirements for these variables are identified in the Operational
Requirements Manual (ORM) and have been designed to cover the expected range of magnitude and rates of change during abnormal operational transients without fuel damage.
Chapter 15, identifies and evaluates those conditions which threaten fuel integrity. With the selected variables and scram setpoints, adequate core margins are maintained relative to thermal hydraulic safety limits.
CPS/USAR CHAPTER 07 7.2-30 REV. 11, JANUARY 2005 7.2.2.1.1.1.6 Design Basis 7.1.2.1.1.1.1(6)
Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations follows. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities. Two transient analyses are used to determine the minimum number and physical location of required LPRMs for each APRM. (1) The first analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LP RM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition. (2) The second analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a reduction of recirculation flow at a fixed design rate. LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition. The results of the two analyses are analyzed and compared to establish the actual minimum number and location of LPRMs needed for each APRM channel. 7.2.2.1.1.1.7 Design Basis 7.1.2.1.1.1.1(7a through 7h)
Sensors, channels, and logics of the RPS are not used directly for automatic control of process systems. An isolated Neutron Monitoring System signal is used with the recirculation flow control system as described in Subsection 7.7.1.3. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system. Failure of any one divisional RPS power supply would result in de-energizing one of the two scram valve pilot solenoids on each scram valve. Alternate power is available to the RPS buses. A complete sustained loss of electrical power to two or more power supplies would result in a scram. The RPS is designed so that it is only necessary for trip variables to exceed their trip setpoints for sufficient length of time to trip the analog comparater units and seal in the associated trip logic. Once this is accomplished, the scram will go to completion regardless of the state of the variable which initiated the protective action. When the initiating condition has cleared and a sufficient (10 seconds) time delay has occurred, the scram may be reset only by actuation of the scram reset switches in the main control room by the operator. Reactor protection cabling for scram solenoids is routed in separate conduits for each scram group.
CPS/USAR CHAPTER 07 7.2-31 REV. 11, JANUARY 2005 Physical separation and electrical isolation between redundant portions of the RPS is provided by separated process instrumentation, separated racks, and either separated or protected panels and cabling. Separate panels are provided for each division except for the principal plant console which has internal metal barriers. Where equipment from more than one division is in a panel, divisional separation is provided by fire barriers and/or physical distance of 6 inches or more where practicable. Where wiring must be run between redundant divisions, divisional separation is provided by electronic optical isolators. The ability of the RPS to withstand a safe shutdown earthquake is discussed in Section 7.2.1.2.
The ability of the RPS to function properly with a single failure is discussed in Section 7.2.2.1.2.3.1.2. The ability of the RPS to function properly while any one sensor or channel is bypassed or undergoing test or maintenance is discussed in Section 7.2.1.1.4.4.6. The RPS logic circuit is designed so that an automatic scram will be initiated when the required number of sensors for any monitored variables exceeds the scram setpoint. Separate racks are provided for the RPS instrumentation for each division and are installed in different locations. 7.2.2.1.1.1.8 Design Basis 7.1.2.1.1.1.1(8)
Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant operations supervisory personnel. Manual bypass of instrumentation and control equipm ent components is under the control of the operator in the main control room. If the ability to trip some essential part of the system is bypassed, this fact is continuously annunciated in the main control room. For the subsystem operational bypasses discussed in Subsection 7.2.1, bypassing of these subsystem components provides a continuous annunciation in the main control room. If other components are bypassed, such as taking a sensor out-of-service for calibration or testing, this condition will also be annunciated continuously in the main control room through the controlled manual actuation of the RPS system out-of-service annunciator associated with that sensor. 7.2.2.1.1.1.9 Other Design Basis Requirements The instruments and equipment of the reactor protection system must operate in environmental conditions corresponding to the zones defined in Section 3.11. The RPS components located inside the control room envelope will be exposed to a mild environment due to operation of the control room HVAC system as described in Section 9.4.1. The associated components that must function in the environment resulting from a reactor coolant pressure boundary break inside the drywell are the condensing chambers, the inboard main steam line isolation valve position switches, neutron monitoring system cabling, reactor vessel pressure taps, reactor vessel water level instrument taps, instrument sensing lines and drywell pressure taps (see Chapter 15). Special precautions are taken to ensure their CPS/USAR CHAPTER 07 7.2-32 REV. 11, JANUARY 2005 operability after the accident. The condensing chambers and all essential components of the control and electrical equipment are either similar to those that have successfully undergone qualification testing in connection with other projects, or additional qualification testing under simulated environmental conditions has been conducted. Equipment qualification information can be obtained from the respective qualification document packages referenced by component in Nuclear Station Engineering Department Maintenance Standard MS-02.00 (Reference 5). To ensure that the RPS remains functional, the number of operable channels for the essential monitored variables is maintained in accordance with Technical Specifications. In case of a loss-of-coolant accident, reactor shutdown occurs immediately following the accident as process variables exceed their specified set point. Operator verification that shutdown has occurred may be made by observing one or more of the following indications: (1) control rod status lamps indicating each rod fully inserted, (2) control rod scram pilot valve status lamps indicating open valves, (3) neutron monitoring channels and recorders indicating decreasing neutron flux. Following generator load rejection, a number of events occur in the following chronological order: (1) The pressure in the hydraulic oil lines to the control valves drops, and pressure sensors signal the RPS to scram. At the same time the turbine logic pressure controller initiates fast opening of the turbine bypass valves to minimize the pressure transient. Turbine stop valve closure and turbine control valve fast closure initiates the Recirculation Pump Trip (RPT) logic, which trips the recirculation pumps. (2) The reactor will scram unless the unit load is less than 33.3% below which the control valve fast closure pressure transient does not threaten the fuel thermal
limit. (3) The trip setting of the APRM channels will be automatically reduced as recirculation flow decreases (flow-referenced scram). Power level will have been reduced by a reactor scram and RPT initiation. The trip settings discussed in Subsection 7.2.1 are not changed to accommodate abnormal operating conditions. Transients requiring activation of the RPS are discussed in Chapter 15.
The discussions there designate which systems and instrumentation are required to mitigate the consequences of these transients. 7.2.2.1.1.1.9.1 Other Considerations Operability of the anticipatory signals from the turbine control valve fast closure or turbine stop valve closure following a safe shutdown earthquake is not a system design basis. As discussed in Subsection 5.2.2.2.2.2, closure of all the main steamline isolation valves without MSIV position switch trip produces similar effects which are slightly more severe. The design basis analysis is conducted for the MSIV closure.
CPS/USAR CHAPTER 07 7.2-33 REV. 11, JANUARY 2005 7.2.2.1.2 Conformance to Specific Regulatory Requirements 7.2.2.1.2.1 Conformance to NRC Regulatory Guides 7.2.2.1.2.1.1 Regulatory Guide 1.11 Conformance to Regulatory Guide 1.11 is discussed in Subsection 6.2.4.3.2.4. 7.2.2.1.2.1.2 Regulatory Guide 1.22 The system is designed so that it may be tested during plant operation from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram will not occur as a result of the testing. 7.2.2.1.2.1.3 Regulatory Guide 1.29 The electrical and mechanical devices, the circuitry between process instrumentation and protective actuators, and the monitoring devices of the RPS are classified as Seismic Category I, as discussed in Section 3.2. 7.2.2.1.2.1.4 Regulatory Guide 1.30 Conformance to Regulatory Guide 1.30 is discussed in Section 1.8.
7.2.2.1.2.1.5 Regulatory Guide 1.47 Regulatory Positions C.1, C.2 and C.3 Automatic indication is provided in the main control room to inform the operator that a system is out-of-service. Indicator lights indicate which part of a system is not operable. For example, the RPS system out-of-service annunciators energize whenever more than one RPS channel has an input variable out of service. By placing a trip module in calibration, indicator lights provide information as to which division is in calibration. Regulatory Position C.4 All the annunciators can be tested by depressing the annunciator test switches on the main control room benchboards. The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system. (1) Individual indicator lights are arranged together on the main control room benchboards and principal plant console to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed. (2) These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function.
CPS/USAR CHAPTER 07 7.2-34 REV. 11, JANUARY 2005 (3) All system out of service annunciator circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects. (4) Each indicator is provided with dual lamps. Testing will be included on a periodic basis when equipment associated with the indication is tested. 7.2.2.1.2.1.6 Regulatory Guide 1.53 Compliance with NRC Regulatory Guide 1.53 is attained by specifying, designing, and constructing the RPS to meet the single failure cr iterion, Section 4.2, of IEEE 279 "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant sensors are used and the logic is arranged to ensure that a failure in a sensing element or the decision logic or an actuator will not prevent protective action. Separated channels are employed, so that a fault affecting one channel will not prevent the other channels from operating properly. 7.2.2.1.2.1.7 Regulatory Guide 1.62 Means are provided for manual initiation of reactor manual scram through the use of four armed pushbutton switches. These switches are located on the principal plant console. The amount of equipment common to initiation of both manual scram and automatic scram is kept to a minimum through implementation of manual scram as close as practicable to the final devices of (Load Drivers) the protection system. No single failure in the manual, automatic, or common portions of the protection system will prevent initiation of reactor scram by manual or automatic means. Manual initiation of reactor scram, once initiated, goes to completion as required by IEEE 279, Section 4.16. 7.2.2.1.2.1.8 Regulatory Guide 1.63 Conformance with this Regulatory Guide is discussed in Chapter 8, Section 8.1.6.1.12.
7.2.2.1.2.1.9 Regulatory Guide 1.68 Conformance with this Regulatory Guide is discussed in Chapter 14, Section 14.2.7 and Table 14.2-1. 7.2.2.1.2.1.10 Regulatory Guide 1.75 The RPS complies with the criteria set forth in IEEE 279, Paragraph 4.6 and Regulatory Guide 1.75. Class 1E circuits and Class 1E-associated circuits are identified and separated from redundant and non-Class 1E circuits. Isolation devices are provided in the design where an interface exists between redundant Class 1E divisions and between non-Class 1E and Class 1E or Class 1E-associated circuits. Independence and separation of safety-related systems is discussed in Section 7.1.2.6.19. Physical and electrical independence of the instrumentation devices of the system is provided by channel independence for sensors exposed to each process variable. Separate and CPS/USAR CHAPTER 07 7.2-35 REV. 11, JANUARY 2005 independent conduits for scram solenoid and neutron monitoring input cables are routed from each device to the respective main control room panel. Each division has a separate and independent main control room panel bay. Trip logic outputs are separate in the same manner as the divisions. Signals between redundant RPS divisions are electrically and physically isolated by Class 1E optical isolators. 7.2.2.1.2.1.11 Regulatory Guide 1.89 Written procedures and responsibilities are developed for the design and qualification of all RPS equipment. This includes preparation of specifications, qualification procedures and documentation for RPS equipment. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements, and an auditable file of qualification documents is available for review. All of this is included in the design even though the RPS is not required to comply with Regulatory Guide 1.89. 7.2.2.1.2.1.12 Regulatory Guide 1.97 Refer to Section 7.1.2.6.23 for assessment of Regulatory Guide 1.97.
7.2.2.1.2.1.13 Regulatory Guide 1.100 Refer to Section 7.1.2.6.24 for assessment of Regulatory Guide 1.100. 7.2.2.1.2.1.14 Regulatory Guide 1.105 Refer to Section 7.1.2.6.25 for assessment of Regulatory Guide 1.105.
7.2.2.1.2.1.15 Regulatory Guide 1.118 Refer to Section 7.1.2.6.26 for assessment of Regulatory Guide 1.118.
Position C.5 for APRM: With respect to conformance to position C.5, the inherent time response of the in-core sensors used for APRM (fission detectors operating in the ionization chamber mode) is many orders of magnitude faster than the APRM channel response time requirements and the signal conditioning electronics. The sensors cannot be tested without disconnecting and reconnecting to special equipment. 7.2.2.1.2.2 Conformance to 10 CFR 50, Appendix A - General Design Criteria 7.2.2.1.2.2.1 General Design Criterion 1 The quality assurance program for the system assures sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application. The quality assurance program is discussed in Chapter 17. Documents are maintained which demonstrate that all the requirements of the quality assurance program are being satisfied. These records will be maintained during the life of the operating licenses.
CPS/USAR CHAPTER 07 7.2-36 REV. 11, JANUARY 2005 7.2.2.1.2.2.2 General Design Criterion 2 Wind and tornado loadings are discussed in Section 3.3, flood design is described in Section 3.4 and seismic qualification of instrumentation and electrical equipment is discussed in Section
3.10. 7.2.2.1.2.2.3 General Design Criterion 3 The fire protection system and its design bases are discussed in Subsection 9.5.1, Fire protection in cable systems is described in Subsection 8.3.1.4.2. 7.2.2.1.2.2.4 General Design Criterion 10 The RPS is designed to monitor certain reactor parameters, sense abnormalities, and to scram the reactor thereby preventing fuel design limits from being exceeded when trip points are exceeded. Scram trip set points are selected based on operating experience and by the safety design basis. There is no case in which the scram trip set points allow the core to exceed the
thermal/hydraulic safety limits. The system is designed to assure that the specified fuel and Reactor Coolant Pressure Boundary (RCPB) design limits are not exceeded during conditions of normal or abnormal operation. 7.2.2.1.2.2.5 General Design Criterion 13 Instrumentation is provided to monitor variables and systems over their respective anticipated ranges for normal operational, anticipated operational occurrences, and accident conditions to assure adequate safety. Each system input is monitored and annunciated. 7.2.2.1.2.2.6 General Design Criterion 15 The RPS acts to provide sufficient margin to assure that the design conditions of the RCPB are not exceeded during any condition of normal operation including anticipated operational occurrences. If the monitored variables exceed their predetermined settings, the system automatically responds to maintain the variables and systems within allowable design limits. 7.2.2.1.2.2.7 General Design Criterion 19 Controls and instrumentation are provided in the main control room. The reactor can also be shutdown in an orderly manner from outside the main control room as described in Subsection 7.4.1.4. 7.2.2.1.2.2.8 General Design Criterion 20 The system constantly monitors the appropriate plant variables to maintain the fuel barrier and primary coolant pressure boundary and initiates a scram automatically when the variables exceed the established setpoints.
CPS/USAR CHAPTER 07 7.2-37 REV. 11, JANUARY 2005 7.2.2.1.2.2.9 General Design Criterion 21 The system is designed with four redundant instrument channels and four independent and separated logic divisions and actuator divisions. No single failure can prevent a scram. The system can be tested during plant operation to assure its reliability. 7.2.2.1.2.2.10 General Design Criterion 22 The redundant portions of the system are separated so that no single failure or credible natural disaster can prevent a scram except the turbine scram inputs which originate in the non-seismic Turbine Building. Reactor pressure and power are diverse to the turbine scram variables. In addition, drywell pressure and water level are diverse variables. 7.2.2.1.2.2.11 General Design Criterion 23 The RPS is fail safe on loss of power. A loss of electrical power or air supply will not prevent a scram. Postulated adverse environments will not prevent a scram. 7.2.2.1.2.2.12 General Design Criterion 24 The system has no control function. It is interlocked to control systems through isolation devices. 7.2.2.1.2.2.13 General Design Criterion 25 The reactor protection system conforms to the requirements of General Criterion 25. The method of conformance is listed below: The redundant portions of the system are designed such that no single failure can prevent a scram. Functional diversity is employed by measuring flux, pressure, and level in the reactor vessel, which are all reactivity dependent variables. The RPS provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary. Any monitored variable which exceeds the scram set point will initiate an automatic scram and not impair the remaining variables from being monitored, and if one channel fails the remaining portions of the
RPS will function. 7.2.2.1.2.2.14 General Design Criterion 29 The RPS will provide a reactor scram in the event of anticipated operational occurrences. 7.2.2.1.2.3 Conformance with Industry Codes and Standards 7.2.2.1.2.3.1 IEEE 279 The reactor protection (trip) system conforms to the requirements of this standard. The following is a detailed discussion of this conformance.
CPS/USAR CHAPTER 07 7.2-38 REV. 12, JANUARY 2007 7.2.2.1.2.3.1.1 General Functional Requirement (IEEE 279, Paragraph 4.1)
The following RPS trip variables provide automatic initiation of protective action in compliance with this requirement: (1) Scram discharge volume high water level trip (2) Main steamline isolation valv e closure trip (Run mode only) (3) Turbine stop valve closure trip (4) Turbine control valve fast closure trip (5) Reactor vessel low water level trip (6) Reactor vessel high water level trip (Run mode only)
(7) Neutron monitoring (APRM) system trip a. Neutron flux trip
- b. Simulated thermal power trip (8) Neutron Monitoring (SRM) System (non-coincident) trip (when the shorting links are removed) (9) Neutron Monitoring (IRM) System trip (10) Drywell high pressure trip (11) Reactor vessel high pressure trip The reactor system mode switch selects appropriate operating bypasses for various RPS variables in the Shutdown, Refuel, Startup, and Run modes of operation. Other manual controls, such as the discharge volume high water level bypass, the manual scram pushbutton switches, and the RPS reset switch are arranged so as to assure that the process variables providing automatic initiation of protective action will continue to remain in compliance with this requirement. The RPS reset switches are under the administrative control of the reactor operator. The automatic initiation requirement for protective action cannot be prevented by a reset switch. Manual reset by the operator bypasses the seal-in circuit to permit the RPS to be reset to its normally energized state when all instrument channels are within their normal (untripped) range of operation. (Administratively bypassed in the case of the discharge volume high water level). The RPS logic, trip actuator logic, and trip actuators are designed to comply with this requirement through automatic removal of electric power to the control rod drive scram pilot valves solenoids when one or more RPS variables exceeds the specified trip set point.
CPS/USAR CHAPTER 07 7.2-39 REV. 12, JANUARY 2007 7.2.2.1.2.3.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)
The following RPS trip variables are individually implemented with four physically separated sensor channels in compliance with this requirement: (1) Scram discharge volume high water level trip (2) Turbine stop valve closure trip (3) Turbine control valve fast closure trip (4) Reactor vessel low & high water level trip (5) Neutron monitoring (APRM) system trip (6) Neutron monitoring (IRM) system trip (7) Drywell high pressure trip (8) Reactor vessel high pressure trip (9) Main steamline isolation valve closure trip RPS manual controls also comply with the single failure criterion. Four manual scram pushbuttons are arranged into two separate redundant groups on the principle plant console, and are separated by approximately six inches within each group to permit the operator to initiate manual scram with one motion of one hand. The two groups of manual scram pushbuttons are separated by approximately three feet, and the switch contact blocks are enclosed within metal barriers. The reactor mode switch consists of a single manual actuator connected to four distinct switch banks. Each bank is housed within a fire retardant compartment. Contacts from each bank are wired in conduit to individual logic cabinets. There are four separate scram discharge volume high-level bypass switches. In each division manual operation of a bypass switch and the mode switch establishes divisional bypass. Therefore, the design of the bypass function complies with this design requirement. There is no single failure of this bypass function that will defeat the safety function. The main steam line valve closure trip operating bypass is implemented by separate mode switch contacts in a similar manner. The turbine stop valve closure trip and control valve fast closure trip operating bypass complies with the single-failure criterion. Four pressure transmitters are mounted in two separate redundant groups connected to two separate turbine first stage pressure taps. Wiring from the pressure transmitters is routed in conduit to the termination cabinets in the main control room.
CPS/USAR CHAPTER 07 7.2-40 REV. 12, JANUARY 2007 The logic configuration for the bypass provides a single bypass associated with a single division for stop valve closure and control valve fast closure. Each division provides separate input to the RPS two-out-of-four trip logic. Therefore, no single failure of this bypass circuitry will interfere with the normal protective action of the RPS trip channels. The RPS reset switches and associated logic comply with this design requirement. The four divisions of reset switches are physically and electrically separated. Those portions of the RPS downstream of the instrument channels also comply with this design requirement. Any postulated single failure of a given trip logic will not affect the remaining three trip logics. Similarly, any single failure of a trip actuator will not affect the remaining trip actuators, and any single failure of one trip actuator (load driver) logic will not affect the other trip actuator logic networks. The cabling associated with one scram group is routed in a conduit with no other wiring. It is physically separated from wiring to the other scram groups to preclude a single failure. Wiring for scram solenoids A and B for one control rod group may be routed together within a single conduit. 7.2.2.1.2.3.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)
The following RPS trip variables are implemented with components and modules which exhibit high quality and high reliability characteristics: (1) Scram discharge volume high water level trip; (2) Main steamline isolation valv e closure trip (Run mode only) (3) Turbine stop valve closure trip; (4) Turbine control valve fast closure trip; (5) Reactor vessel low water level trip; (6) Reactor vessel high water level trip (Run mode only);
(7) Neutron Monitoring (APRM) System trip; a. Neutron flux trip,
- b. Simulated thermal power trip, (8) Neutron Monitoring (SRM) System (non-coincident) trip (when shorting links are removed) (9) Neutron Monitoring (IRM) System trip; (10) Drywell high pressure trip; (11) Reactor vessel high pressure trip.
CPS/USAR CHAPTER 07 7.2-41 REV. 12, JANUARY 2007 The RPS manual switches are also selected for quality and reliability. The RPS trip logic, trip actuator logic and trip actuators are solid state circuits of quality and reliability. 7.2.2.1.2.3.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)
Conformance to equipment qualification requirements for the RPS is discussed in Sections 3.10 and 3.11. 7.2.2.1.2.3.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)
The components of the following RPS trip variables are specified to operate under normal and abnormal conditions of environment, energy supply, and accidents: (1) Scram discharge volume high water level trip; (2) Main steamline isolation valve closure trip; (3) Turbine stop valve closure trip (see Subsection 7.2.2.1.1.1.9.1);
(4) Turbine control valve fast closure trip (see Subsection 7.2.2.1.1.1.9.1);
(5) Reactor vessel low and high water level trips; (6) Neutron Monitoring (APRM) System trip a. High neutron flux, b. Simulated high thermal power, and c. Neutron Monitoring System (non-coincident) trip (when shorting links are removed); (7) Neutron Monitoring (IRM) System trip; (8) Drywell high pressure trip; (9) Reactor vessel high pressure trip. The RPS trip logic, trip actuators, and trip actuator logic, are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions and accidents. 7.2.2.1.2.3.1.6 Channel Independence (IEEE 279, Paragraph 4.6)
The following RPS trip variables are physically separated and electrically isolated from one another to meet this design requirement: (1) Scram discharge volume high water level trip; CPS/USAR CHAPTER 07 7.2-42 REV. 12, JANUARY 2007 (2) Turbine stop valve closure trip; (3) Turbine control valve fast closure trip; (4) Reactor vessel low and high-water level trips; (5) Drywell high-pressure trip; (6) Reactor vessel high-pressure trip; (7) Neutron monitoring trip; and (8) MSIV closure trip. The four channels of the turbine variables are physically separated.
The main steamline isolation valve closure trip is derived from eight individual sensors paired to provide four RPS channels. The eight IRM channels are physically and electrically separated into four groups, and the four APRM redundant channels are electrically isolated and physically separated from one another so as to comply with this design requirement. The manual scram pushbutton is a division component. The redundant manual trip divisions are physically separated to comply with this design requirement. The mode switch banks are physically separated and electrically isolated to comply with this design document. The circuitry for the RPS trip variable operating bypasses complies with this design requirement. Sufficient physical separation and electrical isolation exists to assure that the redundant operating bypass channels are satisfactorily independent. The four RPS reset logic inputs to the trip actuators are physically separated. Similarly, the RPS trip logic and trip actuator logics are physically separated. The wiring to each rod group scram solenoids A and B is routed in totally enclosed metallic raceways with no other wiring. 7.2.2.1.2.3.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)
The channels for the following RPS trip variables are electrically isolated and physically separated from the plant control systems in compliance with this design requirement: (1) Scram discharge volume high water level trip (2) Main steamline isolation valve closure trip (3) Turbine stop valve closure trip (4) Turbine control valve fast closure trip CPS/USAR CHAPTER 07 7.2-43 REV. 12, JANUARY 2007 (5) Reactor vessel low and high water level trip (6) Neutron Monitoring (APRM) System trip (7) Neutron Monitoring (IRM) System trip (8) Neutron Monitoring System (non-coincident) trip (when shorting links are removed) (9) Drywell high-pressure trip (10) Reactor vessel high-pressure trip Outputs to annunciators in the main control room and to the PMS which provide a written log of the channel trips are through Class 1E isolation devices. There is no single failure that will prevent proper functioning of any protective function when it is required. Within the IRM and APRM modules (i.e., prior to their output trip unit driving the RPS), analog outputs are derived for use with main control room meters, recorders, and PMS. Electrical isolation has been incorporated into the design at this interface to prevent any single failure from influencing the protective output from the trip module. The trip module outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panels. The manual scram pushbutton has no control system interaction. The RPS mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement. Additional isolated contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator. No control functions are associated with the mode switch. Hence, the switch complies with this design requirement.
The system interlocks to control systems only through isolation devices so that no failure or combination of failures in the control system will have any effect on the RPS. The RPS scram discharge volume high water level trip operating bypass complies with this design requirement. An output is given to the control rod block circuitry to prevent rod withdrawal whenever the trip channel bypass is in effect. The system interlocks to control rod block only through isolation devices so that no failure or combination of failures in the control system will have any effect on the RPS. The main steamline isolation valve closure trip bypass has no interaction with any control system in the plant. Turbine stop valve and control valve trip bypasses have no interaction with any control system in the plant. The RPS logic is totally separate from any plant control system. The scram solenoids are physically separate and electrically isolated from the other portions of the control rod drive hydraulic control unit (HCU).
CPS/USAR CHAPTER 07 7.2-44 REV. 12, JANUARY 2007 The transmission of signals from the RPS to c ontrol systems is thr ough isolation devices which are part of the RPS. No credible failure at the output of these isolation devices can prevent the RPS from meeting its minimum performance requirements. There are no single random failures which can cause a control system action that results in a condition requiring action by the RPS designed to protect against that condition. The only single credible event that can cause a control system action resulting in a condition requiring protective action and can concurrently prevent operation of a portion of the RPS is a safe shutdown earthquake. For this event, the Turbine Stop Valve Closure Trip and Turbine Control Valve Fast Closure Trip may be disabled. The reactor vessel high-pressure and high-power trips provide diverse protection for this event. 7.2.2.1.2.3.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)
The following RPS trip variables are direct measures of a reactor overpressure condition, a reactor over-power condition, a gross fuel damage condition, or abnormal conditions within the reactor coolant pressure boundary: (1) Reactor vessel low and high water level trips; (2) Neutron Monitoring (APRM) System trip; a. Upscale trip,
- b. Thermal trip; (3) Neutron Monitoring (IRM) System trip; (4) Drywell high-pressure trip; and (5) Reactor vessel high pressure trip. The measurement of scram discharge volume water level is an appropriate variable for this protective function. The desired variable is available volume to accommodate a reactor scram. However, the measurement of consumed volume is sufficient to infer the amount of remaining available volume since the total volume is a fixed, predetermined value established by the design. The measurement of main steamline isolation valve position and turbine stop valve position is an appropriate variable for the reactor protection system. The desired variable is loss of the reactor heat sink; however, isolation or stop valve closure is the logical variable to infer that the steam path has been blocked between the reactor and the heat sink. Due to the normal throttling action of the turbine control valves with changes in the plant power level, measurement of control valve position is not an appropriate variable from which to infer the desired variable, which is rapid loss of the reactor heat sink. Consequently, a measurement related to control valve closure rate is necessary.
CPS/USAR CHAPTER 07 7.2-45 REV. 11, JANUARY 2005 Protection system design practice has discouraged use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation
would be a more positive means of determining fast closure of the control valves. Loss of hydraulic pressure in the electrohydraulic control (EHC) oil lines which initiates fast closure of the control valves is monitored. These measurements provide indication that fast closure of the control valves is imminent. This measurement is adequate and a proper variable for the protective function taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of control valve fast-closure rate. Since the mode switch is used to bypass certain RPS trips depending upon the operating state of the reactor, the selection of particular contacts to perform this logic operation is an appropriate means for obtaining the desired function. The turbine stop valve closure trip bypass and control valve fast closure trip operating bypass permit continued reactor operation at low-power levels when the turbine stop or control valves are closed. The selection of turbine first stage pressure is an appropriate variable for this bypass function. In the power range of reactor operation, turbine first stage pressure is essentially linear with increasing reactor power. Consequently, this variable provides the desired measurement of power level. 7.2.2.1.2.3.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)
During reactor operation, the analog outputs of each of the redundant devices for the following RPS trip variables may be directly cross-compared to meet this requirement: (1) Reactor vessel low and high water level trip; (2) Drywell high-pressure trip; and (3) Reactor vessel high-pressure trip; (4) Scram discharge volume high water level trip. During reactor operation, one transmitter of each of these variables may also be taken out-of-service at a time to perform calibration to a standard under administrative control. During this test, operation of the sensor and the RPS trip unit may be confirmed. At the conclusion of the test, administrative control must be used to ensure that the sensor has been properly returned to service. Annunciators and status lights continually indicate the out-of-service condition of all
trip units. In addition all trip modules may be tested with divisional trip logic by injecting an electronic calibration signal into the trip module input. During reactor operation, the sensors associated with the scram discharge volume highwater level trip may be valved out of service to perform a functional test. During the test, one RPS trip logic will be tripped and will produce both main control room annunciation and computer logging of the trip. At the conclusion of the test, administrative control is used to assure that the sensors
have been returned to service.
CPS/USAR CHAPTER 07 7.2-46 REV. 12, JANUARY 2007 The main steamline isolation valve position switches are tested during valve movements which cause the limit switches to operate at the setpoint value of the valve position.
For any single valve closure test, any one of four instrument will be tripped. This arrangement permits single valve testing without corresponding tripping of the RPS. The turbine stop valve position switches are also tested during valve movements which cause the limit switches to operate at the setpoint value. For any test of a single stop valve closure, an instrument channel will be placed in a tripped condition. The turbine control valve fast closure oil pressure switches may be tested during the routine turbine system tests. During any control valve fast-closure test, one RPS trip logic will be tripped and will produce both main control room annunciation and computer logging of the trip. During reactor operation in the RUN mode, the IRM detectors are stored below the reactor core in a low flux region. Movement of the detectors into the core will permit the operator to observe the instrument response from the different IRM channels and will confirm that the instrumentation is operable. In the power range of operation, the individual LPRM detectors will respond to local neutron flux and provide the operator with an indication that these instrument channels are responding properly. The four APRM channels may also be observed to respond to changes in the gross power level of the reactor to confirm their operation. Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input and each IRM instrument channel may be calibrated by introducing an external signal source into the amplifier input. During these tests, proper instrument response may be confirmed by observation of instrument lights in the main control room and trip annunciators. Proper operation of the mode switch may be verified by the operator during plant operation by performing certain sensor tests to confirm proper RPS operation. Movement of the mode switch from one position to another is not required for these tests since the connection of appropriate sensors to the RPS logic as well as the bypass of inappropriate sensors may be confirmed from the sensor tests. 7.2.2.1.2.3.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)
The following RPS trip variable sensors may be tested by cross-comparison of channels. They also have provisions for sensor testing and calibration during reactor operation: (1) Reactor vessel low and high water level trip; (2) Neutron Monitoring (APRM) System trip; (3) Neutron Monitoring (IRM) System trip; CPS/USAR CHAPTER 07 7.2-47 REV. 12, JANUARY 2007 (4) Drywell high-pressure trip; (5) Reactor vessel high pressure trip. In addition each channel trip unit may be calibrated individually for each process input by introducing an electronic calibration signal into the trip module to verify proper trip actuation. During plant operation, the operator can confirm that the main steamline isolation and turbine stop valve limit switches operate during valve motion from full open to full closed and vice versa by comparing the time that the RPS trip occurs with the time that the valve position indicator lights in the control room signaling that the valve is fully open and fully closed. This test does not confirm the exact setpoint, but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. During reactor shutdown, calibration of the main steamline isolation and turbine stop valve limit switch setpoint is at a valve position equal to the value in the Operat ional Requirements Manual (ORM). The APRMs are calibrated to reactor power by using a reactor heat balance and the Traversing In-Core Probe (TIP) System to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP System once the total reactor heat balance has been determined. The gain-adjustment-factors for the LPRMs are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These adjustments, when incorporated into the LPRMs, permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power. During reactor operation, one manual scram pushbutton may be depressed to test the proper operation of the switch and division trip logic. Once the RPS division logic has been reset, the other switches may be depressed to test their operation one at a time. For each such operation, a main control room annunciation will be initiated and the performance monitoring system will print the identification pertinent to the trip. Operation of the reactor system mode switch from one position to another may be employed to confirm certain aspects of the RPS trip channels during periodic test and calibration at shutdown only. During tests of the trip channels, proper operation of the mode switch contacts may be easily verified by noting that certain sensors are connected to the RPS logic and that other sensors are bypassed in the RPS logic in an appropriate manner dependent on by the position of the mode switch. In the startup and run modes of plant operation, procedures are used to confirm that scram discharge volume high water level sensor trip channels cannot be bypassed as a result of the manual bypass switches. In the shutdown and refuel modes of plant operation, a similar procedure may be used to bypass all four scram discharge volume trip channels. Due to the
discrete ON/OFF nature of the bypass function, calibration is not meaningful.
CPS/USAR CHAPTER 07 7.2-48 REV. 12, JANUARY 2007 A manual scram switch permits each individual instrument channel, and trip logic to be tested on a periodic basis. Testing of each process sensor of the protection system also affords an opportunity to verify proper operation of these components. 7.2.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)
The following RPS trip variables have no provision for sensor removal from service because of the use of valve position limit switches as the channel sensor. Channel bypass is discussed in Subsections 7.2.1.1.4.4.2 and 7.2.1.1.4.4.3. (1) Main steamline isolation valve closure trip and (2) Turbine stop valve closure trip Transmitters are normally tested during reactor operation by cross-comparison of channels. However, transmitters, level switches and pressure switches, may be valved out of service and returned to service under administrative control procedures. Since only one sensor is valved out-of-service at any given time during the test interval, protective capability for the following RPS trip variables is maintained through the remaining redundant instrument channels: (3) Reactor vessel low and high water level trip (4) Drywell high pressure trip (5) Reactor vessel high pressure trip (6) Scram discharge volume high water level trip (7) Turbine control valve fast closure trip Pressure switches are normally tested by removing the sensor from service. Since only one switch is removed at any given time during the test interval, protective capability from the remaining RPS pressure switch inputs is maintained.
The NS 4/RPS division of sensor bypass switches is provided to allow the bypass of a single division for test/calibration. When the bypass is in operation, an annunciator in the main control room is actuated. Only the non-coincident NMS trip (when shorting links are removed) is not bypassed by the NS 4/RPS division of sensor bypasses. The mode switch produces operating bypasses which need not be annunciated because they are removed by normal reactor operating sequence. 7.2.2.1.2.3.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)
The following RPS trip variables have no provision for an operating bypass: (1) Reactor vessel low water level trip; (2) Neutron Monitoring (APRM) System trip; CPS/USAR CHAPTER 07 7.2-49 REV. 12, JANUARY 2007 (3) Drywell high pressure trip and (4) Reactor vessel high pressure trip. An operating bypass of the scram discharge volume high water level trip is provided in the main control room for the operator to bypass the trip outputs in the shutdown and refuel modes of operation. Control of this bypass is achieved through administrative means, and its only purpose is to permit reset of the RPS following reactor scram to allow draining of the scram discharge volume. The bypass is manually initiated and must be manually removed to commence withdrawal of control rods after a reactor shutdown. An operating bypass is provided for the main steamline isolation valve closure trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in the shutdown, refuel, or startup positions. The only purpose of this bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the main steamline isolation valves closed or not fully open. An operating bypass is provided for the neutron monitoring (IRM) system trip when the reactor mode switch is placed in the run position. An operating bypass is provided for the reactor vessel high water level trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in shutdown, refuel, or startup positions. For each of these operating bypasses, four independent bypass divisions are provided through the mode switch to assure that all of the protection system criteria are satisfied. An operating bypass of the turbine stop valve and control valve fast closure trip is provided whenever the turbine is operating at an initial power level below 33.3% of rated power. The purpose of the bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the turbine stop valves not fully open. During normal plant operation above the switch setpoint, the bypass circuitry is in its passive, deenergized state. At these conditions, removal of the bypass for periodic test is permitted since it has no effect on plant safety. Under plant conditions at or below the switch setpoint, one bypass channel may be removed from service at a time without initiating protective action or affecting plant safety. This removal from service is accomplished under administrative control of plant personnel. 7.2.2.1.2.3.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)
The mode switch produced operating bypasses need not be annunciated because they are removed by normal reactor operating sequence. Although operating bypasses do not require annunciation, certain operating bypasses are annunciated in the main control room. The discharge volume high water level trip operating bypass, the main steam line isolation valve closure trip operating bypass, and the turbine stop and control valve fast-closure trips operating bypass are individually annunciated to the operator.
The main control room operator must exercise administrative control over nonoperating bypasses such as valving out-of-service of one RPS trip variable sensor at a time. The out of service condition is manually alarmed. To indicate a sensor bypass, the operator will manually CPS/USAR CHAPTER 07 7.2-50 REV. 12, JANUARY 2007 actuate the respective NS4/RPS sensor channel bypassed annunciator corresponding to the given sensor division. Also, the trip module in calibration will cause automatic actuation of the system out-of-service annunciator. 7.2.2.1.2.3.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)
The operator has administrative control of the sensor instrument valves, as well as their associated trip module calibration controls. Manual bypassing of any IRM or APRM channel is accomplished with main control room NS 4/RPS division of sensor bypass switches under the administrative control of the operator. Manual controls for the scram discharge volume high water level trip operating bypass and the main steamline isolation valve closure trip operating bypass are located in the main control room, and under the direct administrative control of the operator. Manual keylock switches are used to control these operating bypasses. The mode switch selects the appropriate sensors for scram functions and provides appropriate trip bypasses and bypass permissive for the selected mode. The mode switch is a keylock switch under the administrative control of plant personnel. Divisional channel bypasses exist for all essential variables, except the non-coincident NMS channels which can be bypassed by individual selector switches. Only one division may be bypassed at a time, which converts the RPS system logic from a two-out-of-four to a two-out-of-three logic trip system. Interlocks are provided to prevent bypassing more than one logic division at a time. There are four keylocked bypass switches, one for each logic division, located in the main control room. Bypassing any single system logic division will not inhibit protective action when required. 7.2.2.1.2.3.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)
The design requirement is not applicable to the following RPS trip variables because the set point values are fixed and do not vary with other reactor or plant parameters; (1) Scram discharge volume high water level trip (2) Main steamline isolation valve closure trip (3) Turbine stop valve closure trip (4) Turbine control valve fast closure trip (5) Reactor vessel low and high water level trip CPS/USAR CHAPTER 07 7.2-51 REV. 12, JANUARY 2007 (6) Drywell high pressure trip (7) Reactor vessel high pressure trip The trip setpoint of each IRM channel is established for each range of IRM operation. The IRM is a linear, half-decade per range instrument. Therefore, as the operator switches an IRM from one range to the next, the trip set point tracks the operator's selection. In the run mode APRM system simulated thermal power trip varies automatically with the recirculation flow, and in modes other than run the APRM setdown function selects a more restrictive scram trip setpoint at a fixed 15%. The devices used to prevent improper use of the less restrictive setpoints are designed in accordance with criteria regarding performance and reliability of protection system equipment. For further discussion refer to Section 7.6.1.5.
Operation of the mode switch from one position to another bypasses various RPS trip channels in accordance with the reactor conditions implied by the given position of the mode switch. 7.2.2.1.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE 279, Paragraph 4.16) The sensor output of the following RPS trip variables remains in a tripped state whenever the trip set point is exceeded: (1) Scram discharge volume high water level trip (2) Main steam line isolation valve closure trip (3) Turbine stop valve closure trip (4) Turbine control valve fast closure trip (5) Reactor vessel low and high water level trip (6) Neutron Monitoring (APRM) System trip (7) Neutron Monitoring (IRM) System trip (8) Drywell high pressure trip (9) Reactor vessel high pressure trip It is only necessary that the process sensors remain in a tripped condition for a sufficient length of time to trip the analog trip modules and operate the seal-in circuitry provided the two-out-of-four logic is satisfied. Once this action is accomplished, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the process sensors that initiated the sequence of events.
CPS/USAR CHAPTER 07 7.2-52 REV. 11, JANUARY 2005 Once the manual scram pushbuttons are depressed, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the manual scram pushbuttons. The function of the mode switch is to provide appropriate RPS trip channels for the RPS trip logic on a steady-state basis for each of the four given reactor operating states: SHUTDOWN, REFUEL, STARTUP and RUN. Protective action, in terms of the needed transient response, is derived from the other portions of the trip channels independent of the mode switch. Hence, the mode switch does not influence the completion of protective action in any manner. The turbine operating bypass is placed into effect only when the turbine first stage pressure is below 33.3% of reactor power. For plant operation above this setpoint, the trip channels will initiate protective action once the division logics trip and seal in, and the actuators have deenergized the scram pilot valve solenoids. 7.2.2.1.2.3.1.17 Manual Actuation (IEEE 279, Paragraph 4.17)
Four manual scram pushbutton controls are provided on the principle plant console to permit manual initiation of reactor scram at the division level. The four manual scram pushbuttons (one in each of the four RPS trip logic divisions) are arranged in two-out-of-four logic. Failure of an automatic RPS function cannot prevent the manual portions of the system from initiating the protective action. The manual scram pushbuttons are wired as close as practicable to the scram load drivers in order to minimize the dependence of manual scram capability on other equipment. Additional back-up to these manual controls is provided by the SHUTDOWN position of the Reactor System Mode Switch. No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram. 7.2.2.1.2.3.1.18 Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279, Paragraph 4.18)
During reactor operation, access to set point or calibration controls is not possible for the following RPS trip variables: (1) Main steamline isolation valve closure trip (2) Turbine stop valve closure trip (3) Turbine control valve fast closure trip NOTE - Turbine stop valve closure and turbine control valve fast closure trips may be accessible with radiation exposure. Access to setpoint adjustments, calibration controls, and test points for the following RPS trip variables is under the administrative control of plant personnel: (4) Scram discharge volume high water level trip (5) Reactor vessel low and high water level trips CPS/USAR CHAPTER 07 7.2-53 REV. 12, JANUARY 2007 (6) Neutron monitoring (APRM) system trip (7) Neutron monitoring (IRM) system trip (8) Drywell high pressure trip (9) Reactor vessel high pressure trip 7.2.2.1.2.3.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)
When any one of the redundant sensor trip modules exceeds its setpoint value for the following RPS trip variables, a main control room annunciator is initiated to identify the particular variable: (1) Scram discharge volume high water level trip (2) Turbine control valve fast closure trip (3) Reactor vessel low water level trip (4) Reactor vessel high water level trip (5) Neutron monitoring system trip (6) Drywell high pressure trip (7) Reactor vessel high pressure trip (8) Main steam isolation valve trip (9) Turbine stop valve trip Identification of the particular trip channel exceeding its set point is accomplished as a typed record from the performance monitoring system or visual observation of the annunciators. When any manual scram pushbutton is depressed, a main control room annunciation is initiated and a performance monitoring system record is produced to identify the tripped RPS trip logic. Identification of the mode switch in shutdown position is provided by PMS trip logic identification printout, the mode switch in shutdown position annunciator and all division trips. 7.2.2.1.2.3.1.20 Information Readout (IEEE 279, Paragraph 4.20)
The data presented to the main control room operator for each of the following RPS trip variables complies with this design requirement: (1) Scram discharge volume high water level trip (2) Main steam line isolation valve closure trip CPS/USAR CHAPTER 07 7.2-54 REV. 12, JANUARY 2007 (3) Turbine stop valve closure trip (4) Turbine control valve fast closure trip (5) Reactor vessel high water level trip (6) Reactor vessel low water level trip (7) Neutron monitoring system trip (8) Drywell high pressure trip (9) Reactor vessel high pressure trip 7.2.2.1.2.3.1.21 System Repair (IEEE 279, Paragraph 4.21)
During periodic testing of the sensor channels for the following RPS trip variables, the operator can determine any defective component and replace it during plant operation: (1) Reactor vessel high water level trip (2) Reactor vessel low water level trip (3) Drywell high pressure trip (4) Reactor vessel high pressure trip During periodic testing of the sensor channels for the following trip variables, all defective components can be identified. Replacement and repair of failed sensors can only be accomplished during reactor shutdown. All other components can be replaced, repaired, and adjusted during plant operation. (5) Turbine stop valve closure trip (6) Main steamline isolation valve closure trip (7) Scram discharge volume high water level trip (8) Neutron monitoring system (9) Turbine control valve fast closure trip Provisions have been made to facilitate repair of neutron monitoring system components during plant operation except for the detector. Replacement of the detector can be accomplished during plant shutdown. Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the neutron monitoring system may be accomplished during CPS/USAR CHAPTER 07 7.2-55 REV. 12, JANUARY 2007 plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair. 7.2.2.1.2.3.1.22 Identification of Protection Systems (IEEE 279, Paragraph 4.22)
Each Nuclear System Protection system cabinet which contains RPS control room equipment is marked with the letter "NSPS" and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified specifically as Reactor Protection System wiring. The identification scheme used to distinguish between redundant cables and cable trays is described in Chapter 8. Redundant racks are identified by the color coded marker plates of instruments on the racks. 7.2.2.1.2.3.2 IEEE 308, Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations Each of four separate RPS divisions, which includes sensors, trip modules and logic is powered by a redundant, separate Class 1E power source and the system complies with IEEE 308. The scram solenoids are powered by two separate non-Class 1E, non-divisional uninterruptible power supplies. 7.2.2.1.2.3.3 IEEE 317, Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations See Subsection 8.1.6.
7.2.2.1.2.3.4 IEEE 323, Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations The general Guide for Qualifying Class 1E Equipment is presented in Section 3.11. Records covering all essential components are maintained. 7.2.2.1.2.3.5 IEEE 336, Installation, Inspection, and Testing Requirements for Instrumentation and Electrical Equipment During the Construction of Nuclear Power Generating Stations The IEEE 336 requirements for installation, inspection and testing of Class 1E instruments and control equipment and systems during construction have been met through a quality assurance program. Conformance to IEE 336-1971 (ANSI N45.2.4-1972) is discussed in conjunction with Regulatory Guide 1.30. Refer to USAR Section 1.8. 7.2.2.1.2.3.6 IEEE 338, Standard Criteria for Periodic Testing of Nuclear Power Generating Station Safety Systems Periodic Testing of Protection Systems is complied with by being able to test the RPS from sensors to final actuators at any time during plant operation. The test must be performed in overlapping portions. The sensors associated with the NMS cannot be tested during operation.
CPS/USAR CHAPTER 07 7.2-56 REV. 11, JANUARY 2005 7.2.2.1.2.3.7 IEEE 344, Recommended Practices for SeismicQualification of Class 1E Equipment for Nuclear Power Generating Stations Seismic Qualification of Class 1E Electric Equipment requirements are satisfied by all Class I RPS equipment as described in Section 3.10. 7.2.2.1.2.3.8 IEEE 379, Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Class 1E Sys tem Application of the single-failure criterion to nuclear power generating station protection systems requirements are satisfied by consideration of the different single failure modes and carefully designing all single-failure modes out of the system, through redundant logic design and proper separation of redundant portions of the system. 7.2.2.1.2.3.9 IEEE 384, Standard Criteria for Independence of Class 1E Equipment and Circuits This standard requires that redundant portions of the system be physically separated from each other and from Non-Class 1E circuits. This includes process sensors, wiring, logic and actuators in plant and control room wireways and main control room panels. In addition, short circuit protection by grounded conduit or physical separation is required between wiring carrying essential power and nonessential RPS power. The standard requires that redundant sensors and their connections to the process system be sufficiently separated to assure that functional capability of the protection system will be maintained despite any single design basis event or resulting affect. This provision does not apply to turbine stop valve and control valve fast closure trips in the nonseismic turbine building during or after a safe shutdown earthquake.
Reactor pressure and power are diverse variables. The effect on sensor and sensing lines as a result of design basis events are discussed in Subsection 7.2.1.2.8. Redundant pressure taps are located at widely divergent points around the reactor vessel. The sensing lines are routed to the sensors through separate penetrations in the drywell. Redundant sensors are located on separated racks outside the drywell. The location and routing of sensors, sensing lines, and pressure taps meet the separation requirements of IEEE 384, section 5.8.
The discussion of compliance with the separation requirements of IEEE 384 for Class 1E power supplies for the RPS is provided in Chapter 8. RPS trip modules, logic and actuators are separated into four divisions contained in four separate logic panels. Whenever signals must pass between redundant logic divisions or between divisional and nondivisional circuits, they are electrically and physically isolated. 7.2.2.1.3 Additional Design Considerations Analyses 7.2.2.1.3.1 Spurious Rod Withdrawals Spurious control rod withdrawal will not normally cause a scram. A control rod withdrawal block may occur, however, (see Subsection 7.7.2.2.3). A scram will occur, however, if the spurious control rod withdrawal causes the average flux to exceed the trip setpoint.
CPS/USAR CHAPTER 07 7.2-57 REV. 11, JANUARY 2005 7.2.2.1.3.2 Loss of Plant Instrument Air System Loss of plant instrument air will cause gradual opening of the scram valves on the hydraulic control units which will insert all control rods. Full insertion will result as air pressure is lost at
the scram valves. 7.2.2.1.3.3 Loss of Cooling Water to Vital Equipment There is no loss of cooling water which will affect the RPS.
7.2.2.1.3.4 Plant Load Rejection Electrical grid disturbances could cause a significant loss of load which would initiate a turbine-generator overspeed trip and control valves fast closure, which may result in a reactor scram. The reactor scram occurs to anticipate an increase in reactor vessel pressure due to shutting off the path of steam flow to the turbine. Any additional increase in pressure will be prevented by the safety/relief valves which will open to relieve reactor pressure and close as pressure is reduced. The reactor core isolation cooling (RCIC) or high pressure core spray (HPCS) systems will automatically actuate and provide vessel makeup water if required. The fuel temperature or pressure boundary thermal/hydraulic limits are not exceeded during this event (Chapter 15). 7.2.2.1.3.5 Turbine Trip Initiation of turbine trip by the turbine system closes the turbine stop valves which may initiate a reactor scram. The stop valve closure scram anticipates a reactor pressure or power scram due to turbine stop valves closure. Any additional increase in reactor vessel pressure will be
prevented by the safety/relief valves which will open to relieve reactor vessel pressure and close as pressure is reduced. The RCIC and HPCS will automatically actuate and provide vessel makeup water if low water level occurs. Initiation of turbine trip by loss of condenser vacuum causes closure of the turbine stop valves and main steam isolation valves , initiating a reactor scram. The fuel temperature or pressure boundary, thermal/hydraulic limits are not exceeded during these events (Chapter 15).
7.2.3 References
(1) GE Topical Report, Power Generation Control Complex, NEDO-10466-A. (2) NUREG-0124 (Supplement to NUREG 75/110), Safety Evaluation Report, GESSAR 238 Nuclear Island Standard Design Supplement 1, September 1976, pp. 7-78, 15-3,4. (3) NUREG-0151, SER, GESSAR 251, Nuclear Steam Supply System Standard Design, March 1977. (4) NUREG-0124 Supplement 2, Jan. 1977, pp. 15-1,2. (5) Nuclear Station Engineering Department Maintenance Standard MS-02.00, Maintenance of Equipment Qualification Program Manual.
CPS/USAR CHAPTER 07 7.5-1 REV. 11, JANUARY 2005 7.5 SAFETY RELATED DISPLAY INSTRUMENTATION
7.5.1 Description
7.5.1.1 General This section describes the instrumentation which provides information to the operator to enable him to perform required safety and power generation functions. The Safety Related Display Instrumentation is listed in Table 7.5-1. It tabulates equipment illustrated on the various system P&IDs and IEDs discussed in Sections 7.2, 7.3, 7.4, and 7.6. The instrumentation and ranges shown or referenced in Table 7.5-1 are selected on the basis of providing the reactor operator the necessary information to perform normal plant maneuvers and yet the capability to track process variables pertinent to safety during expected operational perturbations. The Elementary Diagrams illustrate separation of redundant display instrumentation and electrical isolation of redundant sensors and channels. The P&IDs, IEDs, and Elementary Diagrams adequately illustrate the redundancy of monitored variables and component sensors and channels. Nuclenet design provides an optimized operator/plant interface through the reduction of panel sizes and the logical grouping and simplification of controls and information displays. Where appropriate, considerable reduction in console (control panel) size is accomplished by simplifying controls and presenting normal operating data and supporting graphic displays on computer-controlled color displays. The computer systems are discussed in Subsections 7.7.1 and 7.7.2. A hardwired, independent annunciator system provides additional confirmation of the status of plant systems and components, and all system controls and switches remain conventionally hard-wired. The annunciator system is discussed in Subsections 7.7.1 and 7.7.2. Wherever the status or action of safety systems or safety-related information is concerned, additional hard-wired conventional display and/or indicating devices are used. The design stresses that the presentation of plant information to the operator be done in such a manner that efficient operation is enhanced. The partial or complete failure of the Nuclenet computer system will have no adverse effect upon continued safe operation of the unit. Nuclenet design also incorporates the Power Generation Control Complex (PGCC) described in General Electric Licensing Topical Report, NEDO-10466-A. PGCC allows improved control of cable routing in the main control room while maintaining strict separation requirements. The arrangement of the main control room is shown on Figure 7.5-1. This figure shows the relative location of the eight panels, benchboards, and consoles in the central control room area which serve as the primary operator interface with the plant. These panels are the Principal Plant Console (PPC) (P680), the Reactor Co re Cooling Systems Benchboard (RCCS) (P601), Diesel Generator Benchboard (P877), the Standby Information Panel (SIP) (P678), and three Balance of Plant (BOP) Benchboards (P800, P801, P870). Their individual descriptions are given in the following sections.
CPS/USAR CHAPTER 07 7.5-2 REV. 12, JANUARY 2007 7.5.1.1.1 Principal Plant Console (P680)
The PPC (also called the nuclenet control console) is the primary operator interface for monitoring and controlling plant operational systems. This console also contains some safety-related controls and hard-wired displays. The console is an angled, U-shaped, low-profile console and is approximately 16 ft long. Figure 7.5-2 shows the general arrangement of the console. The control functions that are located on the PPC are those that are required for normal operation of the nuclear unit. The functions that have been included are integrated on a unit basis as opposed to the use of separate nuclear boiler and turbine-generator benchboards.
Drawing 828E320 shows the system area assignment of space, within each area, for the hard-wired annunciators, displays, controllers and other instruments, and control switches and indicator lights. The overall shape and size of the console, combined with the centralized grouping of major plant system controls and displays, enhances the operator's interface with the plant processes. His awareness of and control response capabilities to changing plant conditions are thereby improved. The center section of the PPC contains integrated controls and displays for the reactor protection system, neutron monitoring system, The Rod Control and Information System, including the core display map and display control system. A detailed description of the design and functioning of these systems, the information displayed, and the control actions required by the operator is given in Sections 7.2, 7.6.1.5, 7.6.2.5, 7.7.1.2, and 7.7.2.2. The display control system is discussed in Section 7.7.1.21 and 7.7.2.21. 7.5.1.1.2 Standby Information Panel (P678)
The Standby Information Panel (SIP) is functional]y complementary to the displays on the Principal Plant Console. In case of a partial or complete failure of the Display Control System and the subsequent attendant loss of some or all data displays on the PPC, the standby information panel provides information which is required to perform plant operating activities. The SIP is positioned behind the PPC so that the operator has a clear view of the panel area where indicators and other display and recording devices are mounted. An outline of the SIP is provided in Drawing 866E441. 7.5.1.1.3 Reactor Core Cooling Systems Benchboard (P601)
The RCCS Benchboard provides all annunciators, necessary, recorders, indicators, and control functions for Division 1, 2, and 3 Engineered Safety Features. The layout of the benchboard, shown in Drawing 793E945, is functionally similar to designs approved for use on previous BWR's. Annunciators, indicators, and recording devices located on the RCCS benchboard are visible to an operator at the Principal Plant Console. 7.5.1.1.4 Balance of Plant Benchboards (P800, P801, P870)
The BOP Benchboards contain the annunciators, meters, recorders, controllers, indicators, and control devices for those plant systems and functions which do not require frequent attention or a rapid operator response. The operator generally has an extended period of time available to respond to control requirements on the BOP Benchboards. Annunciators, indicators, and displays can be seen by an operator at the Principal Plant Console. BOP Benchboard outline is shown in Figure 7.5-6.
CPS/USAR CHAPTER 07 7.5-3 REV. 11, JANUARY 2005 7.5.1.1.5 Diesel Generator Benchboard (P877)
The Diesel Generator Benchboard provides annunciation, necessary recorders, indicators and control functions for operation of Division 1 and 2 Engineered Safety Features diesel generators. The layout of the benchboard, shown in Figure 7.5-10, is functionally similar to designs approved for use on previous BWR's. All annunciators, indicators, and recording devices located on the Diesel Generator Benchboard are visible to an operator at the Principal
Plant Console. 7.5.1.2 Normal Operation The indicators and recorders for the plant process variables are described elsewhere in this chapter and are shown on the P&ID's for the various system. Hard-wired indicators and recorders are selected on the basis of being able to provide the operator the necessary information to perform all the normal plant maneuvers with the required precision and being able to track all the process variables pertinent to safety during expected operational perturbations.
These devices are mounted on the Standby Information Panel, Reactor Core Cooling Benchboard, or Balance of Plant Benchboard, according to the system which they serve and the functional classification of that system. 7.5.1.3 Abnormal Transient Occurrences The ranges of indicators and recorders provided are capable of covering the process variables and provide adequate information for all abnormal transient events. 7.5.1.4 Accident Conditions The DBA-LOCA is the most extreme postulated operational action event. Information readouts are designed to accommodate this event from the standpoint of operator action, information, and event tracking requirements and, therefore, will cover all other design-basis events or incident requirements. The annunciators discussed in this section are informational devices only and not part of the Safety Related Display Instrumentation (SRDI) and not indicators to direct operator action. They are addressed here because of the additional information they provide to the operator as a suppliment to SRDI devices. 7.5.1.4.1 Initial Accident Event The design basis of all engineered safety features to mitigate the accident event takes into consideration that no operator action or assistance is assumed for the first ten minutes of the
event. This requirement, therefore, makes it mandatory that all protective action necessary in the first ten minutes be "automatic". Although continuous tracking of process variables is available, no operator action based on them is required. 7.5.1.4.2 Post-Accident Tracking No operator action (and, therefore, no post-accident information) is required for at least ten minutes following an accident although the various monitoring devices are continuously tracking and indicating important parameter information and displaying it to the operator as well as recording appropriate data.
CPS/USAR CHAPTER 07 7.5-4 REV. 11, JANUARY 2005 The DBA-LOCA serves as the envelope accident sequence event to provide and demonstrate the plant's post-accident tracking capabilities. All other accidents have less severe and limiting tracking requirements. The following process instrumentation provides information to the operator after a design basis loss-of-coolant accident to monitor plant conditions. The instrumentation is also operable before and after a SSE. 7.5.1.4.2.1 Reactor Water Level (1) Two wide-range water level signals are transmitted from two independent differential pressure transmitters and are recorded on two, two-pen recorders located in the Main Control Room. One pen records the wide-range level and the other pen records the reactor pressure on each of the two recorders. These recorders are located on the RCCS benchboard. One recorder monitors Division 1 instrumentation and the other Division 2 instrumentation. Their design provides information over the full water level range for normal operation, abnormal transients, and accident conditions. The differential pressure transmitters have one side connected to a condensing chamber reference leg and the other side connected directly to a vessel nozzle, for the variable leg. The water level system is not compensated for variation in reactor water density and is calibrated to be most accurate at operational pressure and temperature conditions. The range of the recorded level is from the top of the feedwater control range (just above the high-level turbine trip point) down to a point near the top of the active fuel. The power sources for the two channels are the Division 1 and 2 instrument a-c buses fed by the Class 1E Power System buses. The feedwater control system has other reactor water level recorders and indicators in the Main Control
Room. Generic Letter 92-04 and NRC Bulletin 93-03 had addressed an issue where water in the RPV water level reference legs made up by the steam condensing chambers could be high in concentration of non-condensable gases. During depressurization, the high gas concentration could come out of solution causing a false high level indication. To comply with the generic letter and bulletin, CPS has installed a keep-fill system where water from the CRD system is fed into the Division 1 and 2 reference legs. This keeps the legs full of water with a low concentration of non-condensable gases. The low flow rate, approximately 4 lb/hr, does not impact the accuracy of the water level signals. If a channel of keep fill is not available, then the compensatory action of NRC Bulletin 93-03 would be in effect. This consists of enhanced monitoring during depressurization. (2) The narrow, upset and shutdown zone water levels and the fuel zone water level recorder are not safety related and are discussed in Subsection 7.7.1.1.3.1.2. (3) In order to minimize the level measurement error due to changes in the drywell temperature, the differences in vertical drops (from the condensing chamber to the drywell penetration) between the reference and variable legs of the wide and narrow ranges are within approximately
+/-1 foot. In order to minimize the level measurement error due to boiling in the sense lines, the vertical drop in the CPS/USAR CHAPTER 07 7.5-5 REV. 11, JANUARY 2005 reference legs shared by the narrow, wide and fuel zone ranges is less than 2.5 feet. 7.5.1.4.2.2 Reactor Pressure (1) Two high-range reactor pressure signals with range as itemized in Table 7.1-13 for RPV pressure are transmitted from two independent pressure transmitters and are recorded on two 2-pen recorders. These signals share the recorders described in Subsection 7.5.1.4.2.1. (2) Two low-range reactor pressure signals with range as itemized in Table 7.1-14 for RPV pressure are transmitted from two independent pressure transmitters and are recorded on two 3-pen recorders in the main control room. One pen records the low-range reactor pressure, the second pen records the suppression pool level, and the third pen records the low-range containment pressure. These recorders are located on the RCCS benchboard. One recorder monitors Division 1 instrumentation and the other monitors Division 2 instrumentation.
The power sources are from Class 1E power systems. 7.5.1.4.2.3 Reactor Shutdown, Isolation and Core Cooling Indication 7.5.1.4.2.3.1 Reactor Operator Information and Observations The information furnished to the main control room operator permits him to assess reactor shutdown, isolation, and availability of emergency core cooling following the postulated
accident. (1) Operator verification that reactor shutdown has occurred may be made by observing one or more of the following indications: a. The control rod status lights will be indicating each rod fully inserted. The power source is a non-class 1E ac distribution panel. These lights are located on the Principal Plant Console. (See Drawing 828E320) b. Control rod scram valve status lights will be indicating open valves. The power source is an instrument a-c bus. These lights are located on the
PPC. c. The neutron monitoring power range channels and recorders will indicate decreasing neutron flux or be downscale. Power sources for the Neutron flux signals are the NSPS buses, and the power source for the recorders is a non-class 1E ac distribution panel. Recorded indication is provided
on the Standby Information Panel. d. Indicators and supplementary annunciators for the reactor protection system variables and trip logic will be in the actuated state. The power source for the indicators is ac inverted from divisional dc batteries. The power source for the supplementary annunciators is dc from the station battery. These devices are located on the PPC.
CPS/USAR CHAPTER 07 7.5-6 REV. 11, JANUARY 2005 e. Supplementary information from the PMS by logging of trips and control rod position log. The power source is the computer power supply from battery-backed uninterruptible power. (2) Reactor isolation also occurs after the accident, as various environmental and process variables exceed their set points. The operator may verify reactor isolation by observing one or more of the following indications: a. The isolation valve position lamps in each affected system indicate valve closure by direct means. Each motor-operated isolation valve has limit switches operated by the motor operator. Air-operated isolation valves have limit switches operated by the valve stem. The power source for the valve position lamps is the same as for the associated valve operator. These lamps are on the RCCS benchboard. b. The main steam line flow indication will be downscale. This information is provided on the SIP. The power source is the instrument ac bus. c. Indication for the containment and reactor vessel isolation system variables and trip logic will be in the tripped state. These indicators are located on the RCCS benchboard. The power source is dc from the station battery. d. Supplementary information from the PMS. (3) Operation of the emergency core cooling and the RCIC system following the accident may be verified by observing the following indications, which except as noted are located on the RCCS benchboard; a. Indicators and status lights for high pressure core spray, low pressure core spray, residual heat removal, automatic depressurization system, and reactor core isolation cooling system sensor initiation logic trips. The power source is from the appropriate divisional supply. b. Flow and pressure indications for each emergency core cooling system are provided and are operable before and after a Safe Shutdown Earthquake (SSE). The power sources are independent and from the same Class 1E power system buses as the driven equipment. c. RCIC isolation valve position lamps directly indicate open valves via limit switches. These limit switches are operated by the motor operator on
motor-operated valves, and by the valve stem on air-operated valves. The power source for the valve position lights is the same as the valve motor. d. Injection valve position lights indicating either open or closed vlaves. Injection valve position inidcations are provided by direct means of limit switches operated by the motor operator. The power source for the position lights is the same as the vlave motor.
CPS/USAR CHAPTER 07 7.5-7 REV. 11, JANUARY 2005 e. Relief valve initiation circuit status by open or closed indicator lamps. The power source is the same as for the pilot solenoid. f. Relief valve position indications are provided by an acoustic-type valve position indicating system that provides open/closed status in the Main Control Room. The power ource is from a Class 1E system bus. g. Supplementary information from the PMS display located on panel H13-P870. The power source is the com puter power supply which utilizes a reliable ac cource including a battery backup. h. Relief valve discharge pipe temperature monitor located on panel H13-P614. The power source is from an instrument ac bus. 7.5.1.4.2.3.2 System Operation Information-Display Equipment (1) RCIC Two meters, one displaying RCIC discharge flow rate and one displaying RCIC pump discharge pressure, are located on the RCCS benchboard.
(2) HPCS Two meters, one displaying HPCS discharge flow rate and one displaying HPCS pump discharge pressure, are located on the RCCS benchboard.
(3) LPCS One meter displaying LPCS flow rate is located on the RCCS benchboard.
(4) RHR The following meters are located on the RCCS benchboard:
- a. One meter displaying RHR flow rate for each of the three RHR loops. b. One meter displaying RHR water temperature for each of the RHR heat exchanger outlets. c. One meter displaying RHR service water flow rate for each of the two RHR service water loops. d. There are more instruments monitor ing RHR service water. They are described in Subsection 7.5.1.4.2.6.
(5) MSIV/LCS The following meters are located in the main control room displaying reactor and steam line pressures: a. One meter displaying main steam line pressure for each of the four MSL.
CPS/USAR CHAPTER 07 7.5-8 REV. 14, JANUARY 2011 b. Two meters displaying reactor pressure. c. One meter and one (low pressure) range meter displaying outboard steam line header pressure. d. One meter displaying inboard steam line pressure for each of the four steam lines. The instruments are powered from separate 120 Vac divisional power buses. e. Two meters displaying MSIV leakage control system header pressure. (6) Containment Atmosphere Monitoring System (CAMS) The following CAMS display instrumentation is located in the main control room: a. One channel of drywell hydrogen concentration indication and recording. b. One channel of containment hydrogen concentration indication and recording. c. Two channels of drywell gross gamma radiation level indication and recording. d. Two channels of containment gross gamma radiation level indication and recording. (7) Miscellaneous In addition to the above displays, the following also provide information to enable the reactor operator in the main control room to perform post-accident safety
functions: a. Control rod status lamps (powered from a non-class 1E ac distribution panel.) b. Scram pilot valve status lamps (powered from non-class 1E uninteruptable RPS power supplies.) c. Neutron flux level meters (powered from the NSPS buses.)
- d. Two meters displaying ADS instrument air header pressure. One meter monitors Division 1 instrumentation and the other monitors Division 2
instrumentation. e. Two meters displaying ADS backup air bottle pressure. One meter monitors Division 1 instrumentation and the other monitors Division 2
instrumentation.
CPS/USAR CHAPTER 07 7.5-9 REV. 11, JANUARY 2005 7.5.1.4.2.3.3 System Operation Information-Display Equipment Qualification The safety-related display instrumentation sensors, modules, cabling, and display equipment are of the same high quality as the safety system's instrumentation. The environmental and seismic qualification of the sensors and modules is discussed in Sections 3.10 and 3.11. The post-accident display instrumentation is of a quality that is consistent with minimum maintenance requirements and low failure rates and is qualified according to IEEE 323. The post-accident monitoring equipment is environmentally and seismically qualified to continue to operate following a design basis accident. Redundant elements (such as cables, cable tray components, modules, and interconnecting wiring) are identified according to the requirements of IEEE 384. 7.5.1.4.2.4 Drywell and Containment Indications Drywell and containment building conditions are indicated and/or recorded by the instrumentation described below. (1) Containment Pressure Monitoring a. There are two post accident containment pressure monitoring channels with a range as itemized in Table 7.1-13 for primary containment pressure. One channel monitors Division 1 instrumentation and the other monitors Division 2 instrumentation. Each channel of instrumentation consists of two transmitters, one 3-pen recorder and one 2-pen recorder.
These two transmitters per channel overlap and split the required pressure range, thus providing the required measurement range and accuracy. One transmitter provides a low-range signal to one 3-pen recorder. This signal shares the recorder described in Subsection 7.5.1.4.2.2(2) which monitors low range reactor pressure and suppression pool level. The other transmitter provides a high range signal to one 2-pen recorder. b. Additionally, there are two higher range containment pressure monitoring channels with a range as itemized in Table 7.1-14 for primary containment pressure. The instrumentation consists of two separate transmitters and two 2-pen recorders. One pen records the containment pressure and the other records containment atmosphere temperature.
These recorders are mounted on the RCCS benchboard. One channel monitors Division 1 instrumentation and the other monitors Division 2 instrumentation. The power sources for the two channels are the two instrument a-c buses feeding from the Class 1E power system buses. The two monitoring channels are redundant to each other and qualified
Seismic Category I and Class 1E. One pen records the containment pressure and the other records the suppression pool level. The recorders are mounted on the RCCS benchboard in the main control room. The power sources for the two channels are the Class 1E power system buses. The two monitoring CPS/USAR CHAPTER 07 7.5-10 REV. 11, JANUARY 2005 channels are redundant to each other and qualified Seismic Category I and Class 1E. (2) Drywell Pressure Monitoring There are two drywell pressure monitoring channels with a range as itemized in Table 7.1-13 for drywell pressure. The instrumentation consists of two separate transmitters and two 2-pen recorders. One pen records the drywell pressure and the other records the drywell average temperature. These recorders are mounted on the RCCS benchboard. One channel monitors Division 1 instrumentation and the other monitors Division 2 instrumentation. The power sources for the two channels are the two instrument a-c buses feeding from the Class 1E power system buses. The two channels are redundant to each other and qualified Seismic Category I and Class 1E. (3) Suppression Pool Temperature Monitoring The suppression pool temperature is monitored by 24 sensors with a range as itemized in Table 7.1-13 for suppression pool bulk average temperature. The sensors are located between each SRV discharge pipe and below the minimum suppression pool water level. Twelve sensors are associated with Division 1 and 12 sensors with Division 2. Sensor outputs are recorded on the following
recorders: a. Two multi-point recorders mounted on Panels 1H13-P638 and 1H13-P639 in the main control room. One records the outputs from the eight Division 1 sensors and the other records the outputs from the eight Division 2 sensors. Each recorder is provided with contact closure outputs which actuate an alarm on the RCCS benchboard at high suppression pool temperature. The temperature sensors are located at
Elevation 730'-6". b. Two 2-pen recorders mounted on the RCCS benchboard in the main control room. One records the average output from four Division 1 sensors and the other records the average output from four Division 2 sensors. The second pen is used to monitor the suppression pool level.
The temperature sensors are located at Elevation 730'-6". c. Two 1-pen recorders mounted on the standby information panel in the main control room. One records the average output from four Division 1 sensors and the other records the average output from four Division 2 sensors. The temperature sensors are located at Elevation 726'-10". The instrumentation described in this subparagraph fulfills the requirements of TS 3.3.3.1, Post Accident Monitoring. Power sources for the two divisions of sensors are the two instrument a-c buses feeding from the Class 1E power system buses. The two divisions are redundant to each other and qualified Seismic Category I and Class 1E.
CPS/USAR CHAPTER 07 7.5-11 REV. 11, JANUARY 2005 (4) Suppression Pool Water Level The suppression pool water level is monitored by water level monitoring channels which measure a level range as itemized in Table 7.1-13 for suppression pool level. The lower end of the measurement range (720'-0") is at the same elevation as the ECCS suction line. Each division of instrumentation consists of two transmitters, one for low range and one for high range. For each division, the two transmitters over-lap and split the required water level range, thus providing the required measurement range and accuracy: The high range transmitter (CM system designator) provides a signal to one 2-pen recorder (which also records containment pressure described in Item (1)b above. The low range transmitter (SM system designator) provides a signal to one 3-pen recorder (which also records containment pressure and reactor pressure described in Subsection 7.5.1.4.2.2(2)). The power sources for the two suppression pool level instrumentation are the two instrument a-c buses feeding from the Class 1E power system buses. The divisional channels are redundant to each other and qualified Seismic Category I and Class 1E. (5) Suppression Pool Wide Range Water Level The suppression pool wide range (primary containment) water level is monitored by two channels of instrumentation which measure a level range as itemized in Table 7.1-14 for suppression pool level. One channel monitors Division 1 and the other monitors Division 2. Each channel of instrumentation consists of six transmitters, one selector switch and one indicator. These six transmitters split the required water level range, thus providing the required measurement accuracy. They provide a signal to one indicator by means of a range selector switch mounted on the RCCS benchboard. These transmitters and the suppression pool water level transmitters described in Item (4) above overlap to provide a full range of water level measur ement from the centerline of ECCS suction to the containment maximum floodable water level. The power sources for the two channels are the two instrument a-c buses feeding from the Class 1E power system buses. The two monitoring channels are redundant to each other and qualified Seismic Category I and Class 1E. (6) Containment Atmosphere Temperature Monitoring The containment atmosphere temperature is monitored by eight sensors with a range as itemized in Table 7.1-14 for containment atmosphere bulk temperature.
Four sensors are associated with Division 1 and four sensors are associated with Division 2. Each division of four sensor outputs are averaged and the averaged signal is then recorded on one 2-pen recorder. This signal is recorded on the 2-pen recorder described in Subsection 7.5.1.4.2.4(1b) which monitors the high-range containment pressure.
CPS/USAR CHAPTER 07 7.5-12 REV. 11, JANUARY 2005 Power sources for the two divisions of sensors and recorders are the two instrument a-c buses feeding from the Class 1E power system buses. The two divisions are redundant to each other and qualified Seismic Category I and
Class 1E. (7) Drywell Atmosphere Temperature Monitoring The drywell atmosphere temperature is monitored in a similar way as described in Item (6) above except the signal shares the recorder described in Item (2) above. There are eight Containment Monitoring (CM) sensors, four associated with Division 1 and four associated with Division 2, which fulfill the Post Accident Monitoring requirements of Regulatory Guide 1.97. These sensors are Seismic Category I and Class 1E. The range for these instruments is itemized in Table 7.1-13 for drywell atmosphere bulk average temperature. There are also 14 Drywell Cooling (VP) temperature sensors located at various elevations and azimuths within the drywell. These VP sensors are normally utilized to periodically calculate the arithmetic drywell average air temperature as required by the Technical Specifications during plant operation. These sensors are non-safety related. They have a range of 0-250 degrees Fahrenheit. The instrument number, elevation, and azimuth of these sensors are shown below. DRYWELL AIR TEMPERATURE SENSORS Instrument Number Elevation Azimuth a. ITE-VP033A 729'-0"# 45
° b. ITE-VP033B 775'-0" 160
° c. ITE-VP033C 741'-0" 45
° d. ITE-VP033D 772'-0" 130
° e. ITE-VP033E 802'-0" 0
° f. ITE-VP033F 746'-0" 307
° g. ITE-VP033G 794'-0" 0
° h. ITE-VP034A 732'-0"# 225
° i. ITE-VP034B 775'-0" 230
° j. ITE-VP034C 741'-0" 220
° k. ITE-VP034D 772'-0" 235
° l. ITE-VP034E 802'-0" 180
° m. ITE-VP034F 746'-0" 135
° n. ITE-VP034G 794'-0" 180
° # The instruments at a. and h. are considered to be at the same elevation.
CPS/USAR CHAPTER 07 7.5-13 REV. 11, JANUARY 2005 7.5.1.4.2.5 Main Control Room HVAC System Operation of the Main Control Room HVAC System may be verified by observing the following indications: a. The Make-up Filter Package Trains, Supply and Return fans status lights are indicated in the main control room. The control power circuits of the driven equipment provide power to the fan operating status lights. b. System damper position lights indicating either open or closed dampers are provided in the main control room and on local control panels as required. Intermediate damper position is indicated by simultaneous energization of both the open and closed indicating lights. These position indicating lights are actuated by limit switches that are operated directly from the damper shaft. The power sources are the same as the damper motor. c. The Make-up Filter Package Train flow is indicated and recorded in the main control room. Differential pressure recorders monitor the differential pressure across the demister and prefilter combination, and across the upstream HEPA
filter. The downstream HEPA filter differential pressure is indicated in the main control room. The power sources for these instruments are the same as for their respective systems. d. The main control room differential pressure with respect to the adjacent areas is indicated in the main control room. The power sources for these indicators are
the same as their respective HVAC trains. 7.5.1.4.2.6 Shutdown Service Water System The safety related display instrumentation for the Shutdown Service Water System (SSWS) is located in the main control room. Each subsystem of the SSWS is monitored by independent pressure sensors at each subsystem supply header which transmit signals that are indicated on the control board near the controls for the equipment being cooled by the SSWS. Additionally, each subsystem of the SSWS is monitored by independent temperature sensors at the inlet to the RHR heat exchangers which provides a signal indicated on the RCCS benchboard in the main control room. Each instrument loop is seismically qualified and Class 1E and is powered from the same safety related electrical separation division as the subsystem being monitored. 7.5.1.4.2.7 Standby Gas Treatment System (SGTS)
Operations of the SGTS may be verified by observing the following indications: a. Standby Gas Treatment System running lights indicate the operation of the equipment. The power sources are the same as for the equipment. b. System valve and damper open and closed position lights are provided in the main control benchboard. These position indications are actuated by limit switches that are operated directly from the valve stem or damper shaft. The power sources are the same as for the associated valve and damper motor.
CPS/USAR CHAPTER 07 7.5-14 REV. 11, JANUARY 2005 c. The filter train flow is indicated and recorded in the main control room. Differential pressure across the upstream and downstream HEPA filters is indicated in the main control room. A recorder monitors the differential pressure across the upstream HEPA filter. Instrument power is supplied by the same Class 1E bus that supplies power to each respective SGTS train. 7.5.1.4.2.8 Combustible Gas Control System 7.5.1.4.2.8.1 Drywell-Containment Mixing System Safety related controls for the drywell-containment mixing system are located in the main control room. Differential pressure is monitored across each compressor by an electronic differential pressure transmitter. The signal is indicated on the main control board near the control switches. Each instrument loop is seismically qualified, Class 1E, and is powered from the same electrical separation division which prov ides power to the equipment being monitored. Status lights located above the compressor control switches indicate whether the compressor is running, stopped or tripped. Position indicating lights are provided on the Standby Information Panel in the main control room for each of the eight check valves in the four vacuum relief lines. These indicating lights are controlled by limit switches on the check valves and indicate closed, intermediate, and open valve position. The indicating lights are power ed from Class 1E, Division 1 power. (Q&R 421.12) 7.5.1.4.2.8.2 Hydrogen Recombiner System Safety related instrumentation for the hydrogen recombiners is located on the local control panels for each recombiner. Recombiner flow and temperature is monitored and indicated on the control panel. Each instrument is seismically qualified, Class 1E, and is powered from the same electrical separation division which powers the equipment being monitored. Status lights
in the main control room above the control switch indicate whether the recombiner is running or stopped. 7.5.1.4.2.9 (NOT USED) 7.5.1.4.2.10 Diesel Generator Room Ventilation System 7.5.1.4.2.10.1 Indication Indication is provided as follows: a. Diesel Generator Room Ventilation fan status (i.e., on, tripped or off)
- b. Diesel Generator Ventilation Oil Room Exhaust Fan Status (i.e., on, tripped or off) 7.5.1.4.2.11 Essential Switchgear Heat Removal HVAC System 7.5.1.4.2.11.1 Indication Indication is provided as follows:
CPS/USAR CHAPTER 07 7.5-15 REV. 11, JANUARY 2005 a. Heat removal fan status (i.e., on, tripped or off), on the MCB. b. Battery Room exhaust fan status (i.e., on, tripped or off), on the MCB. 7.5.1.4.2.12 ECCS Equipment Room Cooling - HVAC System 7.5.1.4.2.12.1 Indication Indication is provided as follows: a. Emergency Core Cooling System fan status (i.e., on, tripped or off) 7.5.1.4.2.13 Shutdown Service Water Pump Room Cooling System 7.5.1.4.2.13.1 Indication Indication is provided as follows: a. Shutdown Service Water Pump Room Cooling System fan status (i.e., on, tripped, or off), on the MCB. b. Room temperature for each SSW pump room 7.5.1.4.2.14 Secondary Containment Area Temperature Monitoring Instrumentation The secondary containment ambient temperatures are monitored by a total of 40 sensors with an instrument channel range as itemized in Table 7.1-14 for secondary containment area temperature. These sensors are located in various secondary containment areas. These areas are assigned to one of two groups each consisting of 20 sensors which are recorded on multi-point recorders mounted on the standby information panel in the main control room. The recorders are provided with alarm contact outputs which will activate one common high temperature alarm when the temperature of any of the monitored areas reaches a maximum normal operating value (MNOV), and will activate another common high-high alarm when the temperature of any of the monitored areas reaches a maximum safe operating valve (MSOV). The alarms are located on the RCCS benchboard. The areas monitored are identified as follows: a. Group A NUMBER OF LOCATION SENSORS HPCS Pump Room 1 Auxiliary Building Aisle Elevation 707 feet, 6 inches' 1 RHR Pump Room A 1 RHR Heat Exchanger Room A 1 RHR Pump Room B 1 RHR Heat Exchanger Room B 1 RHR Pump Room C 1 CPS/USAR CHAPTER 07 7.5-16 REV. 11, JANUARY 2005 NUMBER OF LOCATION SENSORS Auxiliary Building RCIC Pump Room 1 Auxiliary Building RCIC Instrument Panel Room 1 LPCS Pump Room 1
Auxiliary Building Access Aisle Elevation 737, 0 inches 2 Auxiliary Building Radwaste Pipe Tunnel 1 Auxiliary Building Below Main Steam Tunnel 1 RWCU Pump Room A 1 RWCU Pump Room B 1 RWCU Pump Room C 1 Auxiliary Building Steam Tunnel 1 Fuel Pool Cooling Heat Exchanger Room 2
- b. Group B NUMBER OF LOCATION SENSORS Fuel Building General Area Elevation 712 feet, 0 inches 4 Fuel Building Pipe Valve Room 2 Fuel Building Fuel Pool Cooling Pump Room 2 Fuel Building General Area Elevation 737 feet, 0 inches 4 Fuel Building General Area Elevation 744 feet, 0 inches 4 Auxiliary Building MSIV Room A 1 Auxiliary Building MSIV Room B 1 Auxiliary Building Gas Control Boundary 2 7.5.1.4.2.15 Secondary Containment Water Level Monitoring Instrumentation Secondary containment areas are monitored for flooding by level switches. Each level switch will activate one common high-high water level alarm when the water level of any of the monitored areas reaches a maximum safe operating water level. The alarm is located on the RCCS benchboard. The areas monitored are identified as follows: a. RCIC Pump Room b. RHR Pump Room A
- c. RHR Pump Room B CPS/USAR CHAPTER 07 7.5-17 REV. 11, JANUARY 2005 d. RHR Pump Room C e. LPCS Pump Room
- f. HPCS Pump Room
- g. Fuel Building Elevation 712 feet, 0 inches
7.5.2 Analysis
7.5.2.1 General Functional Requirements The safety-related and power generation display instrumentation provides adequate information to allow an operator to make correct decisions as bases for manual control actions permitted under normal, abnormal transient, and accident conditions. The Nuclenet design provides the operator with readily accessible information and control of the various plant operational parameters. This is accomplished by the logical organization of functional plant system indicators, displays, controls, and a computer display system into a human-engineered operator interface. The implementation involves the use of five modular console/ panel/benchboards. Additional information concerning analysis and design criteria applicable to the specific hard-wired indicators, displays and controls, for the various safety-related systems, is provided elsewhere in this chapter with the systems they serve. Redundancy and independence or diversity are provided in all of those information systems which are used as a basis for operator-controlled safeguards action. The complete failure of the Display Control Syst em, which serves as an active part of the operator/plant interface, does not degrade the quantity or quality of necessary information, presented by hard-wired devices, needed to determine the status or action of plant safety systems. Some safety-related process information is displayed and/or analyzed by this non-safety class Display Control System (DCS), as well as by the conventional hard-wired instruments. In all cases where a safety-related information is shared this way, the DCS is isolated from the safety- related circuitry so that no DCS failure can inhibit or affect that circuit or vice versa. 7.5.2.1.1 Design Criteria 7.5.2.1.1.1 Power Generation Control Complex Criteria The applicable design criteria for the PGCC aspects of Nuclenet design are provided in General Electric Licensing Topical Report NEDO-10466-A. 7.5.2.1.1.2 Nuclenet Design and Operational Criteria Compliance 7.5.2.1.1.2.1 Design Criteria (1) Nuclenet is designed to enhance the operational information without degrading the ability of the ESF systems I&C to meet the requirements of their design specifications.
CPS/USAR CHAPTER 07 7.5-18 REV. 11, JANUARY 2005 (2) In the implementation of Nuclenet, instruments for the reactor protection system and the engineered safety features meet the system design requirements of the systems they serve. They shall be located at easily visible and accessible positions. (3) The design employs modular techniques to implement distinct circuits so that the separation and redundancy requirements are satisfied. (4) All reactor protection system components incorporated by Nuclenet are of at least comparable quality to those components that are integral to the design of related systems and shall have demonstrated operational reliability. (5) Nuclenet design is such that the IEEE-279 requirement for protection system integrity, independence, and absence of interaction can be maintained from the various controls, indicators, and displays on the console/panel/benchboards through the termination cabinets. The termination cabinets are described in NEDO-10466-A and are incorporated as part of Nuclenet. (6) Nuclenet makes use of modular control and indication components. Plug-connected cables are used to facilitate removal of the modules. Cables and connectors are easily accessible and identified. Connector separation requires deliberate action. (7) Cabling is identified at each connection point, in the panels, in the wireways, and in the termination cabinets, so that visual verification of separation is easily made. Connectors and cabling at connection points are clearly marked with system and reference designations. (8) The Reactor Core Cooling benchboard is physically separated from those benchboards or consoles used for planned operating activities not performed by systems on the RCC benchboard. (9) Hard-wired standby display capabilities are provided in the main control room to permit operational continuity following a malfunction in or loss of the Display
Control System (DCS). (10) All plant system controls are har d wired. They are external to, and not dependent upon, the computer systems. (11) Simplification of controls is restricted to manual functions operating independently from, but compatible with, the automatic protective functions. (12) All safety system functions, either automatic protective or interlocking, including controls, displays, and alarms, are hardwired. (13) The Display Control System provides an alarm initiated display capability for selected variables. This display also presents relevant parameters associated with the alarmed parameter.
CPS/USAR CHAPTER 07 7.5-19 REV. 12, JANUARY 2007 7.5.2.1.1.2.2 Operating Criteria The Nuclenet design provides for normal plant operation under planned conditions in the absence of significant abnormalities. Operations subsequent to an incident (transient, accident, or special event) are not considered planned operations until the procedures being followed or equipment being used are identical to those used during any one of the defined planned operations. The established planned operations can be considered as a chronological sequence: refueling outage, achieving shutdown, cooldown, refueling outage. The following planned operations are identified. a. Refueling Outage
- b. Achieving Criticality c. Heatup d. Reactor Power Operation
- e. Achieving Shutdown
- f. Cooldown 7.5.2.1.2 Principal Plant Console (P680)
The PPC (shown in Figure 7.5-2 and Drawing 828E320) contains control and display instrumentation which is safety-related, and also control and display instrumentation which is not safety-related. 7.5.2.1.3 Standby Information Panel (P678)
The SIP (shown in Drawing 866E441) contains both safety and nonsafety related instrumentation. The organization of system displays follows the same relative positional relationship when viewed by the operator as is used on the PPC. Certain functions of the following systems appear on the SIP: (1) Reactor Water Cleanup System (2) Feedwater System (3) Recirculation System (4) Nuclear Boiler and Main Steam Systems (5) Neutron Monitoring System 7.5.2.1.4 Reactor Core Cooling Systems Benchboard (P601)
The RCCS benchboard (shown in Drawing 793E945) is similar to previously approved designs. Hardwired controls, annunciators, and other instrumentation for the following systems appear on the RCCS benchboard:
CPS/USAR CHAPTER 07 7.5-20 REV. 11, JANUARY 2005 (1) CRD Hydraulic Control System (2) Standby Liquid Control System (3) Reactor Core Isolation Cooling and Low Pressure Core Spray Systems (4) RHR A System (5) Automatic Depressurization A System (6) Outboard Isolation System (7) Inboard Isolation System (8) Automatic Depressurization B System (9) RHR B and C Systems (10) HPCS Diesel Generator System (11) HPCS System This benchboard has welded steel barriers separating the controls and displays of one division from those of another division, and separating devices associated with any of the divisions from devices not associated with any division. All devices on the RCCS benchboard which are Class 1E, have been previously qualified for Class 1E use. Other criteria stated in Section 7.5.2.1.1.2 apply to the RCC benchboard. 7.5.2.1.5 Balance of Plant Benchboards (P800, P801, P870)
The function and description of the BOP benchboard were given in section 7.5.1.1.4. Instruments, controls, and annunciators are organized by system and function. The following safety and non-safety related systems are represented on these benchboards (shown in Figure 7.5-6): (1) Main Generator and Auxiliary Power Systems a. Main Generator, Switchyard, and Auxiliary Electrical Systems (2) Steam and Power Conversion Systems a. Turbine and Main Steam Systems
- b. Extraction Steam Systems
- c. Vents, Drains, Heaters, and Coolers
- d. Condensate and Feedwater Systems e. Condenser Air Removal and Seal Steam Systems CPS/USAR CHAPTER 07 7.5-21 REV. 11, JANUARY 2005 (3) Water Systems a. Circulating and Cooling Water Systems
- b. Service Water Systems
- c. Fuel Pool Cooling and Cleanup Systems d. Suppression Pool Cleanup and Makeup Systems (4) Other Service and Instrument Systems a. Instrument and Service Air Systems
- b. Drywell and Containment Temperature and Pressure Monitoring
- c. Containment Combustible Gas Control System
- d. Suppression Pool Temperature and Level Monitoring e. Control Building HVAC Systems f. Fire Protection System
- h. Radiological Monitoring Display The BOP benchboard conforms to criteria in Section 7.5.2.1.1.2.
7.5.2.1.6 Diesel Generators Benchboard (P877)
The Diesel Generator benchboard, shown in Figure 7.5-10, is similar to previously approved designs. Hard-wired controls, annunciators, and other instrumentation for the following systems appear on the Diesel Generator benchboard: (1) Division 1 Diesel Generator Control System (2) Division 2 Diesel Generator Control System This benchboard has welded steel barriers separating the controls and displays of one division from those of another division, and separating devices associated with any of the divisions from devices not associated with any division. All devices on the Diesel Generator benchboard which are Class 1E have been previously qualified for Class 1E use. 7.5.2.2 Normal Operation Subsection 7.5.1.2 describes the basis for selecting ranges for instrumentation and since abnormal, transient, or accident conditions monitoring requirements exceed those for normal operation, the normal ranges are covered adequately.
CPS/USAR CHAPTER 07 7.5-22 REV. 11, JANUARY 2005 7.5.2.3 Abnormal Transient Occurrences These occurrences are not limiting from the point of view of instrument ranges and functional capability. (See Subsection 7.5.2.4.) The indications which may be utilized to verify that shutdown and isolation safety actions have been accomplished (see Subsection 7.5.1.4.2.3) meet the requirements of IEEE 279. 7.5.2.4 Accident Conditions The DBA-LOCA is the most extreme operational event. Information readouts are designed to accommodate this event from the standpoint of operator actions, information, and event tracking requirements, and therefore, will cover all other design basis events or incident requirements. 7.5.2.4.1 Initial Accident Event The design basis of all engineered safety features to mitigate accident event conditions takes into consideration that no operator action or assistance is required or recommended for the first ten (10) minutes of the event. This requirement therefore makes it mandatory that all protective action necessary in the first ten minutes be automatic. Therefore, although continuous tracking of variables is available, no operator action based on them is intended. 7.5.2.4.2 Post-Accident Trackin g The following process instrumentation provides information to the operator after a DBA loss-of-coolant accident for use in monitoring reactor conditions. (1) Reactor Water Level and Pressure Vessel water level and pressure sensor instrumentation described in Subsection 7.5.1.4.2 is redundant, electrically independent, and is qualified to be operable during and after a loss-of-coolant accident in conjunction with an SSE. Power is from independent instrument buses supplied from the two divisional ac buses. This instrumentation complies with the independence and redundancy requirements of IEEE 279 and provides recorded outputs. The reactor water level and pressure sensors are mounted on two independent local panels. The transmitters and recorders are designed to operate during normal operation and/or post-accident environmental conditions. The design criteria that these instruments must meet are discussed in Subsection 7.1.2.1.7. There are two complete and independent channels of wide range reactor water level and reactor vessel pressure with each channel having readout on a separate two-pen recorder. The design, considering the accuracy, range and quality of the instrumentation, is adequate to provide the operator with reliable reactor water level and reactor pressure information during normal operation, abnormal, transient, and accident conditions. (2) Suppression Pool Water Level CPS/USAR CHAPTER 07 7.5-23 REV. 11, JANUARY 2005 This instrumentation is redundant, electrically independent, and qualified to be operable during and after a LOCA in conjunction with an SSE. Power is from independent instrument buses supplied from the two divisional Class 1E ac power buses and complies with the requirements of IEEE 279 and provides recorded outputs. (3) Drywell and Containment Pressure This instrumentation is redundant, electrically independent, and is qualified to be operable during and after a LOCA in conjunction with an SSE. Power is from independent instrument buses supplied from the two divisional Class 1E ac power buses and the instrumentation complies with the requirements of IEEE 279 and provides recorded and indicated outputs. (4) Emergency Core Cooling Systems Performance of emergency core cooling systems following an accident may be verified by observing redundant and independent indications as described in Subsection 7.5.1.4.2.3.1(3) and fully satisfies the need for operator verification of operation of the system. Redundancy of instrumentation within the individual ECCS systems is not always provided. However, redundancy is provided within the combination of ECCS
systems. Each ECCS is provided with system flow measuring indication and valve status indication allowing the operator to assess the operating conditions. (5) Continued Shutdown Tracking The various indications described in Subsection 7.5.1.4.2 provide adequate information regarding status of the reactor vessel level and pressure to allow reactor operators to make proper decisions regarding core and containment cooling operations, and fully satisfies the need for post-accident surveillance of
these variables. (6) MCR Ventilation System Performance of the HVAC system following an accident may be verified by observing redundant and independent indications as described in subsection 7.5.1.4.2.5 and fully satisfies the need for operator verification of system operation. Redundancy of instrumentation within individual HVAC trains is not provided. However, redundancy is provided by the redundancy of the HVAC
trains. (7) Shutdown Service Water System (SSW) Performance of the SSW System following an accident may be verified by observing redundant and independent indications as described in subsection 7.5.1.4.2.6 and fully satisfies the need for operator verification of system operation. Redundancy of instrumentation within individual SSW divisional trains is not provided. However, redundancy is provided by the redundancy of the
trains.
CPS/USAR CHAPTER 07 7.5-24 REV. 11, JANUARY 2005 (8) Hydrogen Control Aspect The hydrogen control system hydrogen analyzer with indicator, recorder and alarm is designed to automatically operate during LOCA conditions. Hydrogen control system operation following an accident or LOCA condition may be verified by observing the hydrogen concentration recorded in the control room as described in Subsection 7.5.1.4.2.8. Indications in the control room fully satisfy the need for operator verification of operation of the hydrogen mixing system and
the hydrogen recombiner. (9) Standby Gas Treatment System (SGTS) Performance of the SGTS following an accident may be verified by observing redundant and independent indications as described in subsection 7.5.1.4.2.7 and fully satisfies the need for operator verification of system operation.
Redundancy of instrumentation within individual SGTS trains is not provided.
However, redundancy is provided by the redundancy of the individual SGTS
trains. (10) Combustible Gas Control System (CGCS) Performance of the CGCS subsequent to the manual initiation of the system may be verified by observing the indications as described in Subsection 7.5.1.4.2.8 and fully satisfies the need for operator verification of system operation.
Redundancy of instrumentation within the divisional systems is not provided.
However, redundancy is provided by the redundant CGCS's. (11) Containment and Drywell Atmosphere Monitoring System The various indicators described in Subsection 7.5.1.4.2 provide adequate information concerning containment and drywell hydrogen concentration and gross gamma radiation levels under post accident conditions. This will allow the (reactor) operator to make proper decisions regarding radiation and hydrogen hazards in those spaces. All equipment is required to function following the design basis seismic event. 7.5.2.4.3 Safe Shutdown Display The safe shutdown display instrumentation in Subsection 7.5.1.4.2.3.1 consists of control rod status lamps, scram pilot valve status lamps, and neutron monitoring instrumentation. These displays are expected to remain operable for a long enough time following an accident to support and verify safe and orderly shutdown. The displays provide diverse indications by monitoring separate parameters. The rod position and neutron monitoring outputs are recorded (the former by the PMS). The systems cited are automatically connectable to standby ac power. 7.5.2.4.4 Engineered Safety Feature Operation Display The other operating instruments provide indication of operation of various safety systems but, except for the isolation valve status, do not constitute post-accident surveillance or safe CPS/USAR CHAPTER 07 7.5-25 REV. 11, JANUARY 2005 shutdown display. Isolation valve status meets qualifications, redundancy, power and IEEE 279 requirements for indication. The others meet only qualification, redundancy, and power requirements and do not meet seismic qualification requirements. 7.5.2.5 Specific Regulatory Requirements 7.5.2.5.1 Conformance to IEEE-279 7.5.2.5.1.1 General Functional Requirement (IEEE-279, Paragraph 4.1)
Scram valves position status display verifies completion of RPS scram function. This is further verified by the rods status display. This combination satisfies the requirements for reliability by redundant confirmation of diverse sensors. All components except the front panel display are seismically qualified. Rod position information can also be obtained directly from the rod information panels in the main control room.
The neutron monitoring system is designed to meet all the requirements of IEEE-279 as a part of the reactor protection system. However, its RPS function is a "fail-safe" function while safe shutdown display is not. Further, its RPS function terminates with the generation and maintenance of a shutdown signal. In this regard, post DBA environment conditions may cause malfunction but not until the RPS has had sufficient time to complete its scram function. This makes it impossible to claim continuous indicating capability for safe shutdown display by the neutron monitoring system. Redundancy, power switching capabilities, RPS capabilities, and expected time to failure under DBA environment conditions allow the neutron monitoring system to meet the functional requirements of IEEE-279 as applicable to display instrumentation. The automatic initiation of protective action function is not applicable to the safe shutdown display
instrumentation. 7.5.2.5.1.2 Single Failure Criterion (IEEE-279, Paragraph 4.2)
The redundant channels provide indication to meet the single failure criterion. Also, signals feeding the instrumentation are electrically buffered so that failures in the display apparatus cannot be reflected back into essential system functions. 7.5.2.5.1.3 Quality of Indicators (IEEE-279, Paragraph 4.3)
The quality of the indicators will be in accordance with their importance to safety. Instruments providing information necessary for manual safety actions are class 1E. 7.5.2.5.1.4 Equipment Qualification (IEEE-279, Paragraph 4.4)
All safety-related equipment is qualified to assure performance of safety-related functions including post-seismic performance. 7.5.2.5.1.5 Channel Integrity (IEEE-279, Paragraph 4.5)
The failure of any indicator will not adversely affect channel integrity. 7.5.2.5.1.6 Channel Independence (IEEE-279, Paragraph 4.6)
The failure of any indicator will not adversely affect channel independence.
CPS/USAR CHAPTER 07 7.5-26 REV. 11, JANUARY 2005 7.5.2.5.1.7 Control and Protection System Interaction (IEEE-279, Paragraph 4.7)
This design requirement is not applicable to the safe shutdown display instrumentation. 7.5.2.5.1.8 Derivation of System Inputs (IEEE-279, Paragraph 4.8)
This is not applicable to display instrumentation. 7.5.2.5.1.9 Capability for Sensor Checks (IEEE-279, Paragraph 4.9)
This is not applicable to safe shutdown display instrumentation.
7.5.2.5.1.10 Capability for Test and Calibration (IEEE-279, Paragraph 4.10)
Calibration checks of the display instrumentation can be made in conjunction with testing of the associated systems. 7.5.2.5.1.11 Channel Bypass (IEEE-279, Paragraph 4.11)
This is not applicable. 7.5.2.5.1.12 Operating Bypa sses (IEEE-279, Paragraph 4.12)
This is not applicable.
7.5.2.5.1.13 Indication of Bypass (IEEE-279, Paragraph 4.13)
This is not applicable.
7.5.2.5.1.14 Access to Means for Bypassing (IEEE-279, Paragraph 4.14)
Bypassing is not applicable. 7.5.2.5.1.15 Multiple Setpoints (IEEE-279, Paragraph 4.15)
This design requirement is not applicable to safety-related display instrumentation. 7.5.2.5.1.16 Completion of Protective Action Once It Is Initiated (IEEE-279, Paragraph 4.16)
This is not applicable. 7.5.2.5.1.17 Manual Actuation (IEEE-279, Paragraph 4.17)
Manual actuation is not applicable to display instrumentation.
7.5.2.5.1.18 Access to Setpoints (IEEE-279, Paragraph 4.18)
This design requirement is not applicable to display instrumentation.
CPS/USAR CHAPTER 07 7.5-27 REV. 11, JANUARY 2005 7.5.2.5.1.19 Identification of Prot ective Action (IEEE-279, Paragraph 4.19)
Indicators will indicate protective actions at the channel level.
7.5.2.5.1.20 Information Read Out (IEEE-279, Paragraph 4.20)
Indicators will provide required information. 7.5.2.5.1.21 System Repair (IEEE-279, Paragraph 4.21)
This design requirement is not directly applicable, however the indicators provide diagnostic information and are replaceable. 7.5.2.5.1.22 Identification (IEEE-279, Paragraph 4.22)
Indicators are identified.
7.5.2.5.2 Conformance with IEEE-323 See Section 3.11 7.5.2.5.3 Conformance with IEEE-344 See Section 3.10 7.5.2.5.4 Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Function Calibration checks may be made of the display instrumentation in conjunction with testing of the associated system. 7.5.2.5.5 Regulatory Guide 1.47, Bypassed and Inoperable Status Indicator for Nuclear Power Plant Safety Systems Regulatory Guide 1.47 is not applicable to safety related display instrumentation (SRDI) because the SRDI is designed to operate continuously and thereby allows continuous
instrument status monitoring. Removal of instrumentation for servicing during plant operation is administratively controlled. The bypassed and inoperable status indications for t he ESF systems are automatically activated and indicated in the main control room should any system or part of a system become inoperable. The bypassed and inoperable status annunciators and indicators are capable of being manually tested from the main control room. 7.5.2.5.6 Regulatory Guide 1.53, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Safety Related Display Instrumentation conf orms to the Regulatory Guide as addressed in Paragraph 4.2 of IEEE-279 above. 7.5.2.5.7 Regulatory Guide 1.97 See Subsection 7.1.2.6.23 for degree of conformance.
CPS/USAR CHAPTER 07 7.5-28 REV. 11, JANUARY 2005 7.5.2.5.8 Other Regulatory Guides Conformance to other regulatory guides identified in Table 7.1-3 for safety-related instruments is addressed generically in Section 7.1.2.6. 7.5.2.5.9 Conformance to 10CFR50 A. Appendix A (1) Criterion 13, Instrumentation and Control The safety-related display instrumentation is designed to provide reliable information to the operator consistent with this criteria for both normal and accident conditions (see Subsections 7.5.1.2 and 7.5.1.4, respectively). (2) Criterion 19, Control Room The safety-related display instrumentation discussed in this section is mounted in the main control room. It is designed to enhance operator awareness of plant functions, contributing to more effective main control room operation. Thus, it is consistent with the intent of this criterion. (3) Criterion 24, Separation of Protection and Control Systems Signals feeding the instrumentation are electrically buffered so that failures in the display apparatus cannot be reflected back into essential system functions. Thus, separation between protection and control system is retained. (4) GDC 41, Containment Atmosphere Cleanup Containment atmospheric monitoring and control system are provided as addressed in Subsections 7.6.1.10 (CAM) and 7.3.1.1.7 (CGCS), respectively.
The instrumentation provided with these systems is consistent with the intent of this criteria.
CPS/USAR CHAPTER 07 7.5-29 REV. 11, JANUARY 2005 TABLE 7.5-1 CONTROL ROOM SAFETY-RELATED DISPLAY INSTRUMENTATION INSTRUMENTINSTRUMENT PANEL SERVICE PROCESS VARIABLE TYPE NUMBER DIVISION System-AP Auxiliary Power 1H13-P822 Bus 1ET4 FDR TO 4160V Bus 1C1 WATTHR JI 1JI -AP783 3 1H13-P852 Bus 1ET4 FDR TO 4160V Bus 1B1 WATTHR JI 1JI -AP775 2 1H13-P862 Bus 1ET4 FDR TO 4160V Bus 1A1 WATTHR JI 1JI -AP767 1 1H13-P877-14B 4160V Bus 1A1 EI 1EI -AP760 1 480V Bus 1A&A Voltage EI 1EI -AP955 1 1H13-P877-15B Voltage 4160V Bus 1B1 Voltage EI 1EI -AP769 2 4160V Bus 1B1 FDR 480V Bus B1 II 1II -AP707 2 TO Current II 1II -AP837 2 4160V Bus 1B1 FDR 480V Bus 1B TO Current System-B21 Nuclear Boiler System 1H13-P601-17B RPV Pressure-Level Press & Level PR/LR 1B21-R623 B 2 1H13-P601-20B RPV Pressure-Level Press & Level PR/LR 1B21-R623 A 1 1H13-P661 MSIV 1B21-F028A SOL A AMPS II 1B21-R661 A 1 MSIV 1B21-F028B SOL A AMPS II 1B21-R661 B 1 MSIV 1B21-F028C SOL A AMPS II 1B21-R661 C 1 MSIV 1B21-F028D SOL A AMPS II 1B21-R661 D 1 MSIV 1B21-F028A SOL B AMPS II 1B21-R662 A 1 MSIV 1B21-F028B SOL B AMPS II 1B21-R662 B 1 MSIV 1B21-F028C SOL B AMPS II 1B21-R662 C 1 MSIV 1B21-F028D SOL B AMPS II 1B21-R662 D 1 1H13-P662 MSIV 1B21-F022A SOL A AMPS II 1B21-R659 A 2 MSIV 1B21-F022B SOL A AMPS II 1B21-R659 B 2 MSIV 1B21-F022C SOL A AMPS II 1B21-R659 C 2 MSIV 1B21-F022D SOL A AMPS II 1B21-R659 D 2 MSIV 1B21-F022A SOL B AMPS II 1B21-R660 A 2 MSIV 1B21-F022B SOL B AMPS II 1B21-R660 B 2 MSIV 1B21-F022C SOL B AMPS II 1B21-R660 C 2 MSIV 1B21-F022D SOL B AMPS II 1B21-R660 D 2 System-CM Containment 1H13-P601-17B Cont Press & Cont Temp Press & Temp PR/TR 1PR-CM256 1 Cont Press & Cont Temp Press & Temp PR/TR 1PR-CM257 2 CPS/USAR TABLE 7.5-1 (CONT'D)
CHAPTER 07 7.5-30 REV. 11, JANUARY 2005 INSTRUMENTINSTRUMENT PANEL SERVICE PROCESS VARIABLE TYPE NUMBER DIVISION 1H13-P601-18B Supp Pool Level & Cont Press Level & Press LR/PR 1LR-CM031 2 1H13-P601-19B DW Press & DW Bulk Temp Press & Temp PR/TR 1PR-CM063 1 DW Press & DW Bulk Temp Press & Temp PR/TR 1PR-CM064 2 Supp Pool Level & Supp Pool Level & Temp LR/TR 1LR-CM240 1 Bulk Temp 1LR-CM241 2 Supp Pool Level & Supp Pool Level & Temp LR/TR 1LR-CM030 1 Bulk Temp 1LI-CM260 1 1H13-P601-20B Supp Pool Level & Cont Press Level & Press LR/PR 1LI-CM261 2 1H13-P601-21B Supp Pool Water Level LI 1TR-CM017 1 Supp Pool Water Level LI 1RIX-CM061 1 1H13-P638 Supp Pool Water Temp TR 1RIX-CM059 1 Log Radiation Monitor Cont RIX 1TR-CM018 2 Log Radiation Monitor DW RIX 1RIX-CM062 2 1H13-P639 Supp Pool Water Temp TR 1RIX-CM060 2 Log Radiation Monitor Cont RIX 1TR-CM334 1 Log Radiation Monitor DW RIX 1TR-CM335 2 1H13-P678 Supp Pool Water Temp TR Supp Pool Water Temp TR System C-11 CRD Hydraulic System 1H13-P661 Turb First Stage Press Swch 1A PIS 1C11-N654 A 1 Turb First Stage Press Swch 1C PIS 1C11-N654 C 1 1H13-P662 Turb First Stage Press Swch 1B PIS 1C11-N654 B 2 Turb First Stage Press Swch 1D PIS 1C11-N654 D 2 System-DC Direct Current 1H13-P877-14B MCC 1A Voltage EI 1EI-DC001 1 Battery 1A AMM II 1II-DC006 1 1H13-P877-15B MCC 1B Voltage EI 1EI-DC002 2 MCC 1D Voltage EI 1EI-DC003 4 Battery 1B AMM II 1II-DC007 2 Battery 1D AMM II 1II-DC008 4 System-DG Diesel Generator 1H13-P852 DG 1B Output Current II 1II-DG811 B 2 DG 1B Ouptut WATTHR JI 1JI-DG809 2 1H13-P862 DG 1A Output Current II 1II-DG805 B 1 DG 1A Output WATTHR JI 1JI-DG803 1 CPS/USAR TABLE 7.5-1 (CONT'D)
CHAPTER 07 7.5-31 REV. 11, JANUARY 2005 INSTRUMENTINSTRUMENT PANEL SERVICE PROCESS VARIABLE TYPE NUMBER DIVISION 1H13-P877-14B DG 1A Output Voltage EI 1EI-DG801 1 DG 1A Output Current II 1II-DG805 A 1 DG 1A Output WATTS JI 1JI-DG802 1 DG 1A Output VARS JI 1JI-DG804 1 DG 1A Output Freq SI 1SI-DG819 1 1H13-P877-15B DG 1B Output Voltage EI 1EI-DG807 2 DG 1B Output Current II 1II-DG811 A 2 DG 1B Output WATTS JI 1JI-DG808 2 DG 1B Output VARS JI 1JI-DG810 2 DG 1B Output Freq SI 1SI-DG821 2 System-DO Diesel Oil 1H13-P877-14B DG Fuel Oil Storage TK 1A LI 1LI-DO011 1 DG Fuel Oil Storage TK 1C LI 1LI-DO013 3 1H13-P877-15B DG Fuel Oil Storage TK 1B LI 1LI-DO012 2 System-D17 Process Radiation Monitoring System 1H13-P669 Main Steam Line Rad Monitor RIY 1D17-K610 A 1 1H13-P670 Main Steam Line Rad Monitor RIY 1D17-K610 B 2 1H13-P671 Main Steam Line Rad Monitor RIY 1D17-K610 C 3 1H13-P672 Main Steam Line Rad Monitor RIY 1D17-K610 D 4 System-E12 RHR 1H13-P601 RHR Pmp 1A Motor AMM Amps II 1E12-R555 1 RHR Pmp 1B Motor AMM Amps II 1E12-R556 2 RHR Pmp 1C Motor AMM Amps II 1E12-R557 2 1H13-P601-17B RHR Heat Exch B001B Service Water Flow FI 1E12-R602 B 2 RHR Line B Flow Flow FI 1E12-R603 B 2 RHR Line C Flow Flow FI 1E12-R603 C 2 RHR Heat Exch B001B Temp TI 1E12-R564 2 Service Water Inlet RHR Heat Exch B001B Temp TI 1E12-R566 2 Outlet Service Water Flow FI 1E12-R602 A 1 CPS/USAR TABLE 7.5-1 (CONT'D)
CHAPTER 07 7.5-32 REV. 11, JANUARY 2005 INSTRUMENTINSTRUMENT PANEL SERVICE PROCESS VARIABLE TYPE NUMBER DIVISION 1H13-P601-20B RHR Heat Exch B001A Flow FI 1E12-R603 A 1 RHR Line A Flow Temp TI 1E12-R563 1 RHR Heat Exch B001A Service Water Inlet Temp TI 1E12-R565 1 RHR Heat Exch B001A Outlet System-E21 LPCS 1H13-P601-21B LPCS Pump Discharge Flow FI 1E21-R600 1 LPCS Pump Motor AMM Amps II 1E21-N558 1 System-E22 HPCS 1H13-P601-16B HPCS Transformer AMPS II 1E22-R621 3 Reserve Source WATTS JI 1E22-R625 3 HPCS Pump Discharge Pressure PI 1E22-R601 3 HPCS Pump Flow Flow FI 1E22-R603 3 HPCS Test Recirc Vlv POS (1E22-F010) ZI 1E22-R604 3 HPCS Test Recirc Vlv POS (1E22-F011) ZI 1E22-R606 3 System-E32 MSIV-LCS 1H13-P655 HTR B001A MSIV LCS Leakoff Line Temp TI 1E32-R602 A 1 HTR B001E MSIV LCS Leakoff Line Temp TI 1E32-R602 E 1 HTR B001J MSIV LCS Leakoff Line Temp TI 1E32-R602 J 1 HTR B001N MSIV LCS Leakoff Line Temp TI 1E32-R602 N 1 1H13-P601-19B MSIV Blower C001 Suct Press PI 1E32-R500 1 MSIV Blowers C002 B & F Suct Press PI 1E32-R501 1 System-E51 RCIC 1H13-P601 RCIC Turbine Speed Speed SI 1E51-C002-1 1 1H13-P601-21B RCIC Pump Disch Flow Sig to Turb Sp Cont FC 1E51-R600 1 1H13-P601 RCIC Pump Disch Pressure Press PI 1E51-R601 1 System-FC Fuel Pool Cooling and Cleanup 1H13-P800-62B Fuel Pool Clg Pmp 1A Motor AMM II 1II-FC119 1 Fuel Pool Clg Pmp 1B Motor AMM II 1II-FC120 2 System-HG Containment Combustible Gas Control 1H13-P800-63 Compressor 1HG02CA Diff Press PDI 1PDI-HG052 B 1 Compressor 1HG02CB Diff Press PDI 1PDI-HG053 B 2 CPS/USAR TABLE 7.5-1 (CONT'D)
CHAPTER 07 7.5-33 REV. 11, JANUARY 2005 INSTRUMENTINSTRUMENT PANEL SERVICE PROCESS VARIABLE TYPE NUMBER DIVISION System-IA Instrument Air 1H13-P601-19B ADS Instr Air HDR Press PI 1PI-IA078 1 ADS Backup Bottles Press PI 1PI-IA080 1 ADS Instr Air HDR Press PI 1PI-IA079 2 ADS Backup Bottles Press PI 1PI-IA081 2 System-VG Standby Gas Treatment 1H13-P801-66B SGTS Train A Flow through DMPR 01YA FI 0FI-VG004 1 CTMT Gas Cont Boundary N & S PDI 0PDI-VG001 1 SGTS Train A Upstream HEPA Fltr 07FA PDI 0PDI-VG023 1 SGTS Train A Downstream HEPA Fltr 11FA PDI 0PDI-VG024 1 SGTS Train A Inlet Temp TI 0TI-VG-021 1 SGTS Train A Outlet Temp TI 0TI-VG022 1 1H13-P801-67B SGTS Train B Flow through DMPR 01YB FI 0FI-VG104 2 CTMT Gas Cont Boundary E & W PDI 0PDI-VG101 2 SGTS Train B Upstream HEPA Flter 07FB PDI 0PDI-VG123 2 SGTS Train B Upstream HEPA Fltr 11FB PDI 0PDI-VG124 2 SGTS Train B Inlet Temp TI 0TI-VG121 2 SGTS Train B Outlet Temp TI 0TI-VG122 2 System-SM Suppression Pool Makeup 1H13-P601 Supp Pool Level, Cont & RPV Press Level & Press LR/PR 1LR-SM014 1 1H13-P601 Supp Pool Level, Cont & RPV Press Level & Press LR/PR 1LR-SM016 2
CPS/USAR CHAPTER 07 7.5-34 REV. 11, JANUARY 2005 TABLE 7.5-2 THIS TABLE HAS BEEN INTENTIONALLY DELETED
CPS/USAR REV. 10, November 2002 Figures 7.1-1 and 7.1-2 Deleted
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.2-1 HAS BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.3-1 HAS BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.3-5 AND 7.3-6 HAVE BEEN DELETED
CPS/USAR REV. 10, November 2002 Figures 7.5-3 through 7.5-5 Deleted
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.5-7 THROUGH 7.5-9 HAVE BEEN DELETED
CPS/USAR REV. 10, November 2002 Figures 7.6-1 through 7.6-9 Deleted
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.6-12 THROUGH 7.6-14 HAVE BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.6-16 HAS BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.6-18 AND 7.6-19 HAVE BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.6-21 HAS BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.7-3 AND 7.7-4 HAVE BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.7-7A HAS BEEN DELETED
CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.7-8 AND 7.7-9 HAVE BEEN DELETED
CPS/USAR REV. 10, November 2002 Figures 7.7-11 through 7.7-14 Deleted