ML16357A523: Difference between revisions

(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
Line 17: Line 17:


=Text=
=Text=
{{#Wiki_filter:  
{{#Wiki_filter:B/B-UFSAR    7.4-1 REVISION 9 - DECEMBER 2002 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN  The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary of the nuclear steam supply system. These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions. There are no identifiable safe shutdown systems per se. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the nuclear steam supply system. The discussion of these systems together with the applicable codes, criteria and guidelines is found in other sections of the Byron/Braidwood Updated Final Safety Analysis Report. In addition, alignment is initiated during the safety injection mode by the engineered safety features actuation system by means of the final actuation circuitry discussed in the subsections under 7.3.1.1. This final actuation circuitry consists of the dry contacts of the slave relays and their associated output circuits in the solid state protection system (SSPS) and the field wiring up to the inputs of the actuation devices. For the description of the actuation devices and the actuated equipment, refer to the appropriate subsections in Chapters 6.0, 9.0, and 10.0 as identified in the subsections under 7.3.1.1. For example, Subsection 7.3.1.1.4 refers to 10 (a through j) key functions initiated by the final SSPS actuation circuitry. For the derivation of the logic functions that generate ESFAS, refer to Tables 7.3-1, 7.3-2, and 7.3-3, as well as Drawings 108D685. Following the safety injection mode, and following a LOCA, realignment of certain fluid system ECCS equipment occurs for cold leg recirculation. For the description of this phase of shutdown following a LOCA, refer to Subsection 6.3.2.8. 
For the description of hot leg recirculation realignment following a LOCA, refer to Table 6.3-7. Systems and instrumentation which may be used for post-fire safe shutdown are discussed in Section 2.4 of the Fire Protection Report.
 
B/B-UFSAR    7.4-1 REVISION 9 - DECEMBER 2002 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN  The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary of the nuclear steam supply system. These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions. There are no identifiable safe shutdown systems per se. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the nuclear steam supply system. The discussion of these systems together with the applicable codes, criteria and guidelines is found in other sections of the Byron/Braidwood Updated Final Safety Analysis Report. In addition, alignment is initiated during the safety injection mode by the engineered safety features actuation system by means of the final actuation circuitry discussed in the subsections under 7.3.1.1. This final actuation circuitry consists of the dry contacts of the slave relays and their associated output circuits in the solid state protection system (SSPS) and the field wiring up to the inputs of the actuation devices. For the description of the actuation devices and the actuated equipment, refer to the appropriate subsections in Chapters 6.0, 9.0, and 10.0 as identified in the subsections under 7.3.1.1. For example, Subsection 7.3.1.1.4 refers to 10 (a through j) key functions initiated by the final SSPS actuation circuitry. For the derivation of the logic functions that generate ESFAS, refer to Tables 7.3-1, 7.3-2, and 7.3-3, as well as Drawings 108D685. Following the safety injection mode, and following a LOCA, realignment of certain fluid system ECCS equipment occurs for cold leg recirculation. For the description of this phase of shutdown following a LOCA, refer to Subsection 6.3.2.8. 
For the description of hot leg recirculation realignment following a LOCA, refer to Table 6.3-7. Systems and instrumentation which may be used for post-fire safe shutdown are discussed in Section 2.4 of the Fire Protection Report.
The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed in this section are the minimum number under nonaccident conditions. These functions will permit the necessary operation that will:  a. prevent the reactor from achieving criticality in violation of the technical specifications, and  b. provide an adequate heat sink such that design and safety limits are not exceeded. 7.4.1 Description  The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:
The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed in this section are the minimum number under nonaccident conditions. These functions will permit the necessary operation that will:  a. prevent the reactor from achieving criticality in violation of the technical specifications, and  b. provide an adequate heat sink such that design and safety limits are not exceeded. 7.4.1 Description  The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:
B/B-UFSAR    7.4-2 REVISION 9 - DECEMBER 2002 a. boration,  b. adequate supply for auxiliary feedwater, and  c. residual heat removal. These systems are identified in the following subsections together with the associated instrumentation and controls provisions. The identification of the monitoring indicators (Subsection 7.4.1.1) and controls (Subsection 7.4.1.2) includes those necessary for maintaining hot standby. The plant can be maintained safely at hot standby for an extended period of time from outside the control room. The Technical Specifications place no time limit on maintenance of hot standby following a control room evacuation. The procedure for maintenance of hot standby following control room evacuation is included in the procedures written by the operating staff. These procedures are available for review at the site. The plant is placed in hot (shutdown) standby by initiating a reactor trip. This may be done by operator action at the main control room (MCR), at the reactor trip switchgear location, or by tripping the turbine locally or in the MCR. The equipment and services and approximate time required for a cold shutdown are identified in Subsection 7.4.1.4.
B/B-UFSAR    7.4-2 REVISION 9 - DECEMBER 2002 a. boration,  b. adequate supply for auxiliary feedwater, and  c. residual heat removal. These systems are identified in the following subsections together with the associated instrumentation and controls provisions. The identification of the monitoring indicators (Subsection 7.4.1.1) and controls (Subsection 7.4.1.2) includes those necessary for maintaining hot standby. The plant can be maintained safely at hot standby for an extended period of time from outside the control room. The Technical Specifications place no time limit on maintenance of hot standby following a control room evacuation. The procedure for maintenance of hot standby following control room evacuation is included in the procedures written by the operating staff. These procedures are available for review at the site. The plant is placed in hot (shutdown) standby by initiating a reactor trip. This may be done by operator action at the main control room (MCR), at the reactor trip switchgear location, or by tripping the turbine locally or in the MCR. The equipment and services and approximate time required for a cold shutdown are identified in Subsection 7.4.1.4.
Line 60: Line 58:


B/B-UFSAR    7.4-10 REVISION 13 - DECEMBER 2010 germane are those that would tend to degrade the capabilities for boration, adequate supply for auxiliary feedwater, and residual heat removal.
B/B-UFSAR    7.4-10 REVISION 13 - DECEMBER 2010 germane are those that would tend to degrade the capabilities for boration, adequate supply for auxiliary feedwater, and residual heat removal.
The results of the accident analysis are presented in Chapter 15.0. Of these, the following produce the most severe consequences that are pertinent:
The results of the accident analysis are presented in Chapter 15.0. Of these, the following produce the most severe consequences that are pertinent:  
a. uncontrolled boron dilution,   
: a. uncontrolled boron dilution,   
: b. loss of normal feedwater,  c. loss of external electrical load and/or turbine trip, and  d. loss of nonemergency a-c power to the station auxiliaries. It will be shown by these analyses that safety is not adversely affected by these incidents with the associated assumptions being that the instrumentation and controls indicated in Subsections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown. See Section 2.4 of the Fire Protection Report for available post fire remote shutdown controls and instrumentation. These available systems will allow a maintenance of hot standby even under the accident conditions listed above, which would tend toward a return to criticality or a loss of heat sink.
: b. loss of normal feedwater,  c. loss of external electrical load and/or turbine trip, and  d. loss of nonemergency a-c power to the station auxiliaries. It will be shown by these analyses that safety is not adversely affected by these incidents with the associated assumptions being that the instrumentation and controls indicated in Subsections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown. See Section 2.4 of the Fire Protection Report for available post fire remote shutdown controls and instrumentation. These available systems will allow a maintenance of hot standby even under the accident conditions listed above, which would tend toward a return to criticality or a loss of heat sink.
The results of the analysis which determined the applicability to the nuclear steam supply system safe shutdown systems of the NRC General Design Criteria, IEEE 279-1971, applicable NRC regulations, and other industry standards are presented in Table  7.1-1. The functions considered and listed below include both safety-related and non-safety-related equipment:  a. reactor trip system,  b. engineered safety features actuation system,  c. safety-related display instrumentation for postaccident monitoring,   
The results of the analysis which determined the applicability to the nuclear steam supply system safe shutdown systems of the NRC General Design Criteria, IEEE 279-1971, applicable NRC regulations, and other industry standards are presented in Table  7.1-1. The functions considered and listed below include both safety-related and non-safety-related equipment:  a. reactor trip system,  b. engineered safety features actuation system,  c. safety-related display instrumentation for postaccident monitoring,   
: d. main control board,  e. remote shutdown panel,  f. residual heat removal, g. instrument power supply, and  h. control systems. For discussions addressing how these requirements are satisfied, see Table 7.1-1.     
: d. main control board,  e. remote shutdown panel,  f. residual heat removal,  
: g. instrument power supply, and  h. control systems. For discussions addressing how these requirements are satisfied, see Table 7.1-1.     


B/B-UFSAR  7.4-11 REVISION 9 - DECEMBER 2002 TABLE 7.4-1  REMOTE SHUTDOWN MONITORING INSTRUMENTATION INSTRUMENT READOUT LOCATION TOTAL NO. OF CHANNELS 1. Intermediate Range Neutron Flux PL06J 2 2. Source Range Neutron Flux PL06J 2 3. Reactor Coolant Temperature - Wide Range a. Hot Leg b. Cold Leg  PL05J PL05J  1/loop 1/loop 4. Pressurizer Pressure PL06J 1 5. Pressurizer Level PL06J 2 6. Steam Generator Pressure PL04J/PL05J 1/stm gen 7. Steam Generator Level PL04J 1/stm gen 8. RHR Temperature LOCAL 2 9. Auxiliary Feedwater Flow Rate PL04J/PL05J 2/stm gen B/B-UFSAR    7.5-1 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION (Regulatory Guide 1.97)  7.5.1 Description Table 7.5-1 lists the information readouts provided to the operator to enable him to perform required manual safety functions, and to determine the effect of manual actions taken following a reactor trip due to a Condition II, III, or IV event, as defined in Chapter 15.0. Table 7.5-1 lists the information readouts required to maintain the plant in a hot standby condition or to proceed to cold shutdown within the limits of the technical specifications. Reactivity control after Condition II and III faults resulting in a reactor trip or a safety injection will be maintained by administrative sampling of the reactor coolant for boron to ensure that the concentration is sufficient to maintain the reactor subcritical. Table 7.5-2 lists the information available to the operator for monitoring conditions in the reactor, the reactor coolant system, and in the containment and process systems throughout all normal operating conditions of the plant, including anticipated operational occurrences.
B/B-UFSAR  7.4-11 REVISION 9 - DECEMBER 2002 TABLE 7.4-1  REMOTE SHUTDOWN MONITORING INSTRUMENTATION INSTRUMENT READOUT LOCATION TOTAL NO. OF CHANNELS 1. Intermediate Range Neutron Flux PL06J 2 2. Source Range Neutron Flux PL06J 2 3. Reactor Coolant Temperature - Wide Range a. Hot Leg b. Cold Leg  PL05J PL05J  1/loop 1/loop 4. Pressurizer Pressure PL06J 1 5. Pressurizer Level PL06J 2 6. Steam Generator Pressure PL04J/PL05J 1/stm gen 7. Steam Generator Level PL04J 1/stm gen 8. RHR Temperature LOCAL 2 9. Auxiliary Feedwater Flow Rate PL04J/PL05J 2/stm gen B/B-UFSAR    7.5-1 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION (Regulatory Guide 1.97)  7.5.1 Description Table 7.5-1 lists the information readouts provided to the operator to enable him to perform required manual safety functions, and to determine the effect of manual actions taken following a reactor trip due to a Condition II, III, or IV event, as defined in Chapter 15.0. Table 7.5-1 lists the information readouts required to maintain the plant in a hot standby condition or to proceed to cold shutdown within the limits of the technical specifications. Reactivity control after Condition II and III faults resulting in a reactor trip or a safety injection will be maintained by administrative sampling of the reactor coolant for boron to ensure that the concentration is sufficient to maintain the reactor subcritical. Table 7.5-2 lists the information available to the operator for monitoring conditions in the reactor, the reactor coolant system, and in the containment and process systems throughout all normal operating conditions of the plant, including anticipated operational occurrences.
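Review bot: The ":" indent markers in the new revision are applied only to the lettered items that happen to start a line, so both lists end up partly indented. In the accident list only "a." and "b." get the marker, while "c." and "d." and the following sentence "It will be shown by these analyses..." stay run into item b. In the functions list "a." through "c." remain inside the paragraph and only "d." and "g." are marked, with "For discussions addressing how these requirements are satisfied..." absorbed into item g. Suggest putting every lettered item on its own ":" line and starting the sentence that follows each list on an unindented line.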
Line 91: Line 90:


B/B-UFSAR    7.5-10  TABLE 7.5-1 (Cont'd)  c. Purpose Accuracy  1. Maintain proper Sufficient accuracy reactor coolant to indicate water inventory level is above  pressurizer heaters and below 100% of span.  
B/B-UFSAR    7.5-10  TABLE 7.5-1 (Cont'd)  c. Purpose Accuracy  1. Maintain proper Sufficient accuracy reactor coolant to indicate water inventory level is above  pressurizer heaters and below 100% of span.  
  (about +/- 25% of span) 2. Determine return Same as above of water level to  pressurizer folllowing  steam break  and steam generator  tube ruptures.     
  (about +/- 25% of span)  
: 2. Determine return Same as above of water level to  pressurizer folllowing  steam break  and steam generator  tube ruptures.     
: 3. System Wide Range Pressure    a. Minimum Requirement    Two channels on separate power supplies with one channel recorded. b. Range - 0 to 3000 psi. c. Purpose Accuracy  1. Ensure proper  +/- 8% of relationship between full system pressure and range temperature.     
: 3. System Wide Range Pressure    a. Minimum Requirement    Two channels on separate power supplies with one channel recorded. b. Range - 0 to 3000 psi. c. Purpose Accuracy  1. Ensure proper  +/- 8% of relationship between full system pressure and range temperature.     
: 4. Containment Pressure    a. Minimum Requirement    Two channels on separate power supplies. Means must be provided to record one of the channels following a high energy line break inside containment  b. Range - 0 to 115% of containment design pressure  c. Purpose Accuracy  1. Monitor containment +/- 4% of conditions following full primary or secondary scale system break inside  containment.
: 4. Containment Pressure    a. Minimum Requirement    Two channels on separate power supplies. Means must be provided to record one of the channels following a high energy line break inside containment  b. Range - 0 to 115% of containment design pressure  c. Purpose Accuracy  1. Monitor containment +/- 4% of conditions following full primary or secondary scale system break inside  containment.
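Review bot: In the new line ": 2. Determine return ..." the typo "folllowing" is carried over unchanged and should read "following". The split also leaves the Purpose and Accuracy columns of Table 7.5-1 interleaved ("Maintain proper Sufficient accuracy reactor coolant to indicate water inventory ..."), and "(about +/- 25% of span)" now sits on a line of its own between items 1 and 2 even though it belongs to item 1's accuracy text. Suggest keeping each purpose together with its accuracy entry on one line before adding the ":" markers.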
Line 102: Line 102:


B/B-UFSAR                              7.5-13                REVISION 9 - DECEMBER 2002 TABLE 7.5-2  CONTROL ROOM INDICATOR AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORMAL OPERATION  NUMBER OF CHANNELS  INDICATED INDICATOR/  PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES      NUCLEAR INSTRUMENTATION             
B/B-UFSAR                              7.5-13                REVISION 9 - DECEMBER 2002 TABLE 7.5-2  CONTROL ROOM INDICATOR AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORMAL OPERATION  NUMBER OF CHANNELS  INDICATED INDICATOR/  PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES      NUCLEAR INSTRUMENTATION             
: 1. Source Range              a. Count rate 2 1 to 106 counts/ +/-7% of the linear Both channels Control One recorder is  sec full scale analog indicated. Either board used to record any    voltage may be selected  of the 8 nuclear    recording. channels (2 source range, 2 intermediate range and 4 power range) b. Count Rate** 2 0.1 to 105 counts/ +/-2% of the linear Both channels Control Source range (Post  sec full scale analog indicated. Both board indication Accident  voltage channels may be  provided by Post Neutron    selected recording  Accident Neutron Monitors)    on plant computer. Monitoring      Instrumentation allowed for satisfying Technical Specification 3.9.3 in Mode 6.
: 1. Source Range              a. Count rate 2 1 to 106 counts/ +/-7% of the linear Both channels Control One recorder is  sec full scale analog indicated. Either board used to record any    voltage may be selected  of the 8 nuclear    recording. channels (2 source range, 2 intermediate range and 4 power range)  
: b. Count Rate** 2 0.1 to 105 counts/ +/-2% of the linear Both channels Control Source range (Post  sec full scale analog indicated. Both board indication Accident  voltage channels may be  provided by Post Neutron    selected recording  Accident Neutron Monitors)    on plant computer. Monitoring      Instrumentation allowed for satisfying Technical Specification 3.9.3 in Mode 6.
Does not provide startup rate indication.   
Does not provide startup rate indication.   
                       *Includes channel accuracy and environmental effects. Indicated accuracies provided by NSSS vendor (historical).   
                       *Includes channel accuracy and environmental effects. Indicated accuracies provided by NSSS vendor (historical).   
Line 114: Line 115:
Recorder 2 - upper currents for remaining detectors.
Recorder 2 - upper currents for remaining detectors.
Recorder 3 - lower currents for two diagonally opposed detectors.      Recorder 4 - lower      currents for remaining detectors.
Recorder 3 - lower currents for two diagonally opposed detectors.      Recorder 4 - lower      currents for remaining detectors.
B/B-UFSAR  7.5-15 TABLE 7.5-2 (Cont'd)  NUMBER OF CHANNELS  INDICATED INDICATOR/  PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES      c.Upper and lower 4 -60 to +60% +/-3% of full Diagonally opposed Control  ion chamber  power channels may be board  current difference    selected for      recording at the      same time using recorder in Item 1.
B/B-UFSAR  7.5-15 TABLE 7.5-2 (Cont'd)  NUMBER OF CHANNELS  INDICATED INDICATOR/  PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES      c.Upper and lower 4 -60 to +60% +/-3% of full Diagonally opposed Control  ion chamber  power channels may be board  current difference    selected for      recording at the      same time using recorder in Item 1.  
d. Average flux of 4 0 to 120% of +/-3% full All 4 channels Control  the top and  full power power for indicated. Any 2 board  bottom ion  indication of the four channels chamber  +/-2% for recording may be recorded        using recorder in Item 1 above e.Average flux of 4 0 to 200% of +/-2 of full power All 4 channels Control  the top and  full power to 120% recorded board  bottom ion  +/-6% of full    chambers  power to 200%          f.Flux difference 4 -30 to 30% +/-4% All 4 channels Control  of the top and    indicated. board  bottom ion chambers REACTOR COOLANT SYSTEM  1. Taverage 1/loop 530° - 630°F +/-4°F All channels Control  (measured)    indicated. board   
: d. Average flux of 4 0 to 120% of +/-3% full All 4 channels Control  the top and  full power power for indicated. Any 2 board  bottom ion  indication of the four channels chamber  +/-2% for recording may be recorded        using recorder in Item 1 above e.Average flux of 4 0 to 200% of +/-2 of full power All 4 channels Control  the top and  full power to 120% recorded board  bottom ion  +/-6% of full    chambers  power to 200%          f.Flux difference 4 -30 to 30% +/-4% All 4 channels Control  of the top and    indicated. board  bottom ion chambers REACTOR COOLANT SYSTEM  1. Taverage 1/loop 530° - 630°F +/-4°F All channels Control  (measured)    indicated. board   


B/B-UFSAR                              7.5-16              REVISION 8 - DECEMBER 2000 TABLE 7.5-2 (Cont'd)  NUMBER OF CHANNELS  INDICATED INDICATOR/  PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES        2. T(measured) 1/loop 0 to 150% of +/-4% of full All channels  Control  full power  power T indicated. One board  T  channel is      selected for      recording a. Tcold or Thot 1-Thot 0 to 700°F +/-4% One Thot channel Control    and one Tcold board      channel for each loop is recorded.    (measured, 1-Tcold  Each loop has a  wide range) per loop  separate recorder.          3. Overpower T 1/loop 0 to 150% of  +/-4% full  All channels Control  Setpoint  full power T power T indicated. One board    channel is selected      for recording.           
B/B-UFSAR                              7.5-16              REVISION 8 - DECEMBER 2000 TABLE 7.5-2 (Cont'd)  NUMBER OF CHANNELS  INDICATED INDICATOR/  PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES        2. T(measured) 1/loop 0 to 150% of +/-4% of full All channels  Control  full power  power T indicated. One board  T  channel is      selected for      recording  
: a. Tcold or Thot 1-Thot 0 to 700°F +/-4% One Thot channel Control    and one Tcold board      channel for each loop is recorded.    (measured, 1-Tcold  Each loop has a  wide range) per loop  separate recorder.          3. Overpower T 1/loop 0 to 150% of  +/-4% full  All channels Control  Setpoint  full power T power T indicated. One board    channel is selected      for recording.           
: 4. Overtemperature 1/loop 0 to 150% of +/-4% power All channels  Control  T Setpoint  full power T T indicated. One board    channel is selected      for recording.     
: 4. Overtemperature 1/loop 0 to 150% of +/-4% power All channels  Control  T Setpoint  full power T T indicated. One board    channel is selected      for recording.     
: 5. Pressurizer 4 1700 to 2500 +/-28 psi All channels indicated Control  Pressure  psig  board         
: 5. Pressurizer 4 1700 to 2500 +/-28 psi All channels indicated Control  Pressure  psig  board         
Line 195: Line 197:
CD c ::::0 -u )> 0 1-i 0 =E (/) l'T1 CD 0 1-i 0-< o:::as::: ., ::::0 1-i 0 zZ cO 1--1 ., )> ............ zo 1-i G) ICD ::::0 c (/) )> zo ::::0 )> 1-i N:rj CD l'T1 '10 l'T1 =E 12:>0 r :-..i =<!o ,g -...J 0 :A I )>0 ::::o-< 0 ...... z IS) )> (/) 1-i )> z fTl )> cs:: &sect;6 (/) -l 1-i 1-i z )> (/) 0 1-i s::: z -I ::::0 (/) l'T1 ...... -u 121> 0 N ::::0 -I t "I ---LIHING} ll I. t/21 I I l OFF GROUP I I 11 LI FTI NG } GROUP 2 ll I ---------OFF NORMAL SEQUENCING OF GROUPS WiTHIN BANK I MOTE: ONLY CABINETS IBD AND 2BD SHOWN. FOR MORE COMPLETE DIAGRAM INCLUDING POWER INETS IAC. 2AC. AND SCD. SH REF. I IN SECTION 7.7.3 0 rTJ 0 :;;o rTJ rTJ OJ 1--1 rTJ (/) :;;o 1--1 0 NZ <S> ___. ___. (j) (j)   
CD c ::::0 -u )> 0 1-i 0 =E (/) l'T1 CD 0 1-i 0-< o:::as::: ., ::::0 1-i 0 zZ cO 1--1 ., )> ............ zo 1-i G) ICD ::::0 c (/) )> zo ::::0 )> 1-i N:rj CD l'T1 '10 l'T1 =E 12:>0 r :-..i =<!o ,g -...J 0 :A I )>0 ::::o-< 0 ...... z IS) )> (/) 1-i )> z fTl )> cs:: &sect;6 (/) -l 1-i 1-i z )> (/) 0 1-i s::: z -I ::::0 (/) l'T1 ...... -u 121> 0 N ::::0 -I t "I ---LIHING} ll I. t/21 I I l OFF GROUP I I 11 LI FTI NG } GROUP 2 ll I ---------OFF NORMAL SEQUENCING OF GROUPS WiTHIN BANK I MOTE: ONLY CABINETS IBD AND 2BD SHOWN. FOR MORE COMPLETE DIAGRAM INCLUDING POWER INETS IAC. 2AC. AND SCD. SH REF. I IN SECTION 7.7.3 0 rTJ 0 :;;o rTJ rTJ OJ 1--1 rTJ (/) :;;o 1--1 0 NZ <S> ___. ___. (j) (j)   


Inputs to logics 2&3 SGA Level 3%< RPS SGB Level 3%< RPS Logics 2 & 3 similar to logic 1 Logic 3 Logic 2 Initiate auxiliary FW pumps and related components Div.11 M2148.43611*90 SGC Level 3%< RPS SGD Level 3%< RPS REVISION 15 DECEMBER 2014 r ARM system """"\ above C-20 \ C-20 C-20 >30% >30% Logic 1 Inhibit system for test Cont. switch normal Initiate auxiliary FW pumps and related components Div.12 Trip main turbine (emergency trip) BYRON/BRAIDWOOD STATIONS UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-12 ATWS MITIGATION SYSTEM SIMPLIFIED LOGIC DIAGRAM
Inputs to logics 2&3 SGA Level 3%< RPS SGB Level 3%< RPS Logics 2 & 3 similar to logic 1 Logic 3 Logic 2 Initiate auxiliary FW pumps and related components Div.11 M2148.43611*90 SGC Level 3%< RPS SGD Level 3%< RPS REVISION 15 DECEMBER 2014 r ARM system """"\ above C-20 \ C-20 C-20 >30% >30% Logic 1 Inhibit system for test Cont. switch normal Initiate auxiliary FW pumps and related components Div.12 Trip main turbine (emergency trip) BYRON/BRAIDWOOD STATIONS UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-12 ATWS MITIGATION SYSTEM SIMPLIFIED LOGIC DIAGRAM}}
}}

Revision as of 03:00, 19 May 2018

Byron/Braidwood Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Controls
ML16357A523
Person / Time
Site: Byron, Braidwood
Issue date: 12/15/2016
From: Exelon Generation Co
To: Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation
Shared Package: ML16357A264
References: RS-16-248
Download: ML16357A523 (374)


Text

B/B-UFSAR 7.4-1 REVISION 9 - DECEMBER 2002

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary of the nuclear steam supply system. These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions. There are no identifiable safe shutdown systems per se. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the nuclear steam supply system. The discussion of these systems together with the applicable codes, criteria and guidelines is found in other sections of the Byron/Braidwood Updated Final Safety Analysis Report.

In addition, alignment is initiated during the safety injection mode by the engineered safety features actuation system by means of the final actuation circuitry discussed in the subsections under 7.3.1.1. This final actuation circuitry consists of the dry contacts of the slave relays and their associated output circuits in the solid state protection system (SSPS) and the field wiring up to the inputs of the actuation devices. For the description of the actuation devices and the actuated equipment, refer to the appropriate subsections in Chapters 6.0, 9.0, and 10.0 as identified in the subsections under 7.3.1.1. For example, Subsection 7.3.1.1.4 refers to 10 (a through j) key functions initiated by the final SSPS actuation circuitry. For the derivation of the logic functions that generate ESFAS, refer to Tables 7.3-1, 7.3-2, and 7.3-3, as well as Drawings 108D685.

Following the safety injection mode, and following a LOCA, realignment of certain fluid system ECCS equipment occurs for cold leg recirculation. For the description of this phase of shutdown following a LOCA, refer to Subsection 6.3.2.8. For the description of hot leg recirculation realignment following a LOCA, refer to Table 6.3-7.

Systems and instrumentation which may be used for post-fire safe shutdown are discussed in Section 2.4 of the Fire Protection Report.

The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed in this section are the minimum number under nonaccident conditions. These functions will permit the necessary operation that will:

a. prevent the reactor from achieving criticality in violation of the technical specifications, and
b. provide an adequate heat sink such that design and safety limits are not exceeded.

7.4.1 Description

The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:

a. boration,
b. adequate supply for auxiliary feedwater, and
c. residual heat removal.

These systems are identified in the following subsections together with the associated instrumentation and controls provisions. The identification of the monitoring indicators (Subsection 7.4.1.1) and controls (Subsection 7.4.1.2) includes those necessary for maintaining hot standby. The plant can be maintained safely at hot standby for an extended period of time from outside the control room. The Technical Specifications place no time limit on maintenance of hot standby following a control room evacuation. The procedure for maintenance of hot standby following control room evacuation is included in the procedures written by the operating staff. These procedures are available for review at the site.

The plant is placed in hot (shutdown) standby by initiating a reactor trip. This may be done by operator action at the main control room (MCR), at the reactor trip switchgear location, or by tripping the turbine locally or in the MCR. The equipment and services and approximate time required for a cold shutdown are identified in Subsection 7.4.1.4.

7.4.1.1 Monitoring Indicators

The characteristics of these indicators, which are provided outside as well as inside the control room, are described in Section 7.5. The necessary indicators are listed in Table 7.4-1.

B/B-UFSAR 7.4-3 7.4.1.2 Controls 7.4.1.2.1 General Considerations a. The turbine is tripped (note that this can be accomplished at the turbine as well as in the control room). b. The reactor is tripped (note that this can be accomplished at the reactor trip switchgear as well as in the control room). c. All automatic systems continue functioning (discussed in Sections 7.2 and 7.7). d. For equipment having controls outside the control room (which duplicate the functions inside the control room), the controls are provided with a selector switch which transfers control of the switchgear from the control room to a local station. Placing the local selector switch in the local operating position gives an annunciating alarm in the control room and turns off the indicating lights on the control room panel. 7.4.1.2.2 Pumps and Fans The following pumps and fans are available for safe shutdown. Equipment considered necessary for safe shutdown is powered from ESF buses. Control is provided at the main control board and locally as shown.

Equipment                                  ESF Power   MCB Control   Local Control
Auxiliary Feedwater Pumps                  Yes         Yes           Yes
Centrifugal Charging Pumps                 Yes         Yes           Yes
Boric Acid Transfer Pumps                  No          Yes           Yes
Essential Serv. Water Pump                 Yes         Yes           Yes
Component Cooling Water Pump               Yes         Yes           Yes
Reactor Containment Fan Coolers            Yes         Yes           Yes
Control Room Ventilation Unit including
  Control Room Air Inlet Dampers           Yes         Yes           Yes
Primary Water Makeup Pumps                 No          Yes           Yes

7.4.1.2.3 Diesel Generators

These units start automatically following a loss of normal a-c power or receipt of a safety injection.

B/B-UFSAR 7.4-4 REVISION 13 - DECEMBER 2010

7.4.1.2.4 Valves and Heaters

The following valves and heaters are available for safe shutdown. Valves required for safe shutdown are powered from ESF buses. Control is available from the main control board and locally as shown.

Equipment                                  ESF Power   MCB Control   Local Control
Charging Flow Control Valve                No          Yes           Yes
Letdown Orifice Isolation Valves           No          Yes           Yes
Aux. Feedwater Control Valves              Yes         Yes           Yes
Main Steam Dump Valves                     No          Yes           No
Power-Operated Atmospheric Steam Relief    Yes         Yes           Yes
Pressurizer Heater Control                 No          Yes           Yes
Emergency Boration Isolation Valve         No          Yes           Yes
Self-Activated Atmospheric Steam
  Safety Valves                            N/A         N/A           N/A

The remote shutdown panels, except the one for Train B of the control room ventilation (VC) system, are located at plant elevation 383 feet 0 inch in the radwaste control area. The remote shutdown panel for Train B of the VC system is located at plant elevation 364 feet 0 inch at column/row 23/M in the auxiliary building.

The main control room panels and the remote shutdown panels are located in separate physical locations, on separate elevations, with separate ventilation systems and multiple communication systems, and with lighted access routes between the three locations. Therefore, no single credible event which will cause evacuation of the main control room will also cause the remote shutdown panels to be inoperable or inaccessible.

The remote shutdown panels are provided with the necessary instrumentation and controls for prompt shutdown to the hot standby condition and the ability to maintain the unit in a safe condition pursuant to NRC General Design Criterion 19. See Section 2.4 of the Fire Protection Report for available post fire remote shutdown controls and instrumentation.

7.4.1.3 Control Room Evacuation

It is noted that the instrumentation and controls listed in Subsections 7.4.1.1 and 7.4.1.2 which are used to achieve and maintain a safe shutdown are available in the event an evacuation of the control room is required. See Section 2.4 of the Fire Protection Report for available post fire remote shutdown controls and instrumentation. These controls and instrumentation channels together with the equipment identified in Subsection 7.4.1.4 identify the potential capability for cold shutdown of the reactor subsequent to a control room evacuation through the use of suitable procedures.

B/B-UFSAR 7.4-4a REVISION 13 - DECEMBER 2010

The design basis for control room evacuation does not consider a concurrent condition II, III, or IV event, nor a single failure.

B/B-UFSAR 7.4-5

7.4.1.4 Equipment and Systems Available for Cold Shutdown

a. Reactor coolant pump (see Subsection 5.4.1).
b. Auxiliary feedwater pumps (see Subsection 10.4.9).
c. Boric acid transfer pump (see Subsection 9.3.4).
d. Charging pumps (see Subsection 9.3.4).
e. Essential service water pumps (see Subsection 9.2.1).
f. Reactor containment fan coolers (see Subsection 6.2.2).
g. Control room ventilation (see Subsection 9.4.1).
h. Component cooling pumps (see Subsection 9.2.2).
i. Residual heat removal pumps (see Subsection 5.4.7) (see Note).
j. Certain motor control center and switchgear sections.
k. Controlled steam release and feedwater supply (see Section 7.7 and Subsection 10.4.7).
l. Boration capability (see Subsection 9.3.4).
m. Nuclear instrumentation system (source range or intermediate range) (see Sections 7.2 and 7.7) (see Note).
n. Reactor coolant inventory control (charging and letdown) (see Subsection 9.3.4).
o. Pressurizer pressure control including opening control for pressurizer relief valves (heaters and spray) (see Subsection 5.2.2) (see Note).

Note

The following equipment is associated with instrumentation and controls which may require some modification in order that their functions may be performed from outside the control room:

a. Residual heat removal pumps.
b. Nuclear instrumentation system (source range or intermediate range).
c. Pressurizer pressure control including opening control for pressurizer relief valves (heaters and spray).

B/B-UFSAR 7.4-6 REVISION 7 - DECEMBER 1998

d. Safety injection signal circuit (must be defeated).
e. Accumulator isolation valves (closed).

Note that the reactor plant design does not preclude attaining the cold shutdown condition from outside the control room. An assessment of plant conditions can be made on the long-term basis (a week or more) to establish procedures for making the necessary physical modifications to instrumentation and control equipment in order to attain cold shutdown. During such time the plant could be safely maintained at hot shutdown condition.

The plant can be taken to cold shutdown from locations outside the control room. This will be demonstrated in Start-Up Test 2.63.35, "Shutdown From Outside the Control Room." This Start-Up Test will satisfy the requirements of Regulatory Guide 1.68.2. The actions required for this operation are as follows:

a. The reactor will be tripped.
b. Shift Manager will go to the technical support center.
c. Turbine trip and closure of the governor valves, stop valves, reheat stop valves, and intercept valves will be verified.
d. Actuation of safety injection will be checked.
e. The shutdown panel will be manned.
f. Local control will be established at the shutdown panel.
g. Auxiliary feedwater will be verified.
h. A decreasing RCS average temperature will be verified.
i. Pressurizer pressure and level will be verified.
j. Steam generator levels will be verified.
k. Shutdown boron concentration will be established.
l. Intermediate range flux will be verified.
m. Stable plant conditions will be verified.
n. One RCFC (minimum) will be verified to be running.
o. All CRDM exhaust fans will be verified to be running.
p. One RCP (minimum) will be verified to be running.

B/B-UFSAR 7.4-7 REVISION 7 - DECEMBER 1998

q. Steam will be dumped manually, using the steam generator PORVs to cool the plant.
r. Charging pump suction will be switched to the RWST.
s. Letdown flow will be reduced by selection of the 45 gpm orifice block valve.
t. VCT level will be monitored.
u. Steam generator level will be maintained.
v. Pressurizer level will be verified.
w. Pressurizer heaters will be turned off and auxiliary spray will be used to reduce RCS pressure.
x. Safety injection will be blocked.
y. The accumulator isolation valves will be closed as RCS pressure is reduced to below 1000 psig.
z. RCS pressure and temperature will be reduced to conditions for RH initiation.
aa. Temporary air regulators will be installed for local control of the RH throttle valves.
bb. An additional component cooling pump will be started.
cc. The component cooling outlet isolation valve from the RH heat exchanger will be opened.
dd. A RH pump will be started.
ee. RH boron concentration will be established.
ff. The RH pump will be stopped.
gg. The RH pump suction will be switched to the hot legs.
hh. The RH pump will be started.

ii. The RH throttle valves will be used to control the cooldown.

The required equipment and instrumentation is located at the shutdown panel (383-N-23) except as follows:

a. The reactor trip switchgear is located in the auxiliary building 451 elevation.

B/B-UFSAR 7.4-8 REVISION 13 - DECEMBER 2010

b. The turbine trip verification will occur on the turbine deck 451 elevation.
c. Charging pump suction will be switched by the use of jumpers at the MCCs for the valves.
d. Safety injection will be blocked by the use of jumpers in the auxiliary electric room.
e. Groups C and D pressurizer heaters will be deenergized at the 480V feed breakers.
f. The accumulator isolation valves will be closed by the use of jumpers at the MCCs for the valves.
g. The RH throttle valves will be controlled locally.
h. The RH pump will be started and stopped at the 4160V switchgear.
i. The component cooling outlet isolation valve from the RH heat exchanger will be opened by the use of a jumper at the valve MCC.
j. The RH pump suction will be switched to RCS hot leg by the use of jumpers at the valve MCCs.
k. Train B components of the VC System will be operated as required from the remote shutdown panel at elevation 364 feet 0 inch of the auxiliary building. Note that Train A components of the VC System are on the shutdown panel at elevation 383 feet 0 inch (N-23).

All equipment and instrumentation required for cold shutdown is accessible. Keys, jumpers, self-contained emergency breathing apparatus, and other equipment are available at the shutdown panel.

7.4.2 Analysis

Hot standby is a stable plant condition, automatically reached following a plant shutdown. The hot standby condition can be maintained safely for an extended period of time. In the unlikely event that access to the control room is restricted, the plant can be safely kept at hot standby until the control room can be reentered by the use of the monitoring indicators and the controls listed in Subsections 7.4.1.1 and 7.4.1.2. These indicators and controls are provided outside as well as inside the control room. See Section 2.4 of the Fire Protection Report for available post fire remote shutdown controls and instrumentation.

B/B-UFSAR 7.4-8a REVISION 7 - DECEMBER 1998

Safety analyses for individual systems and components listed previously in this section are discussed in their respective UFSAR sections. For example, an analysis of loss of cooling water to vital equipment is presented with the safety analysis for the essential service water system in Subsection 9.2.1.2.3. This system is redundant and designed to accommodate single failure. The safety analysis for the component cooling water system is presented in Subsection 9.2.2.4. This system is redundant and designed to accommodate single failure. Thus, complete loss of either essential service water or component cooling water is not a credible event.

B/B-UFSAR 7.4-9 REVISION 7 - DECEMBER 1998

Furthermore, all equipment which is relied upon to place the unit in a safe shutdown condition and which requires cooling water to operate is redundant so that loss of cooling water to a single piece of equipment will still leave its redundant counterpart in operable condition.

Instrumentation and controls duplicated at either the remote shutdown panels or on local panels are designed to maintain separation and isolation of redundant channels, assure access to appropriate controls at either location in the event of emergencies, and to prevent undue loss of reliability.

For instrumentation and controls mounted locally which duplicate instrumentation and controls mounted in the main control room, separation is maintained throughout the station cable tray and conduit system and the local control panels where the instrumentation and controls are located. A discussion of the cable tray and conduit system is contained in Subsection 8.3.1.4. Local control panels maintain the separation of redundant instruments and controls by the use of internal physical barriers in panels which contain redundant systems or by the use of separate control panels for redundant systems. The remote shutdown panel at elevation 383 feet 0 inches is of the first design with three sections; two sections for the two redundant ESF trains and one section for the non-safety-related trains and all separated by internal physical barriers. The remote shutdown panel for Train B of the VC System at elevation 364 feet 0 inches is of the second design with components of one division with adequate separation or barriers between the one division of Class 1E components and the non-safety related components and wiring.

Normal control of equipment and systems which have duplicated local controls and instrumentation is accomplished in the main control room. In the event of a main control room evacuation, local control functions are established at local control panels which are located in controlled access areas of the station. Access, location, and communications for the remote shutdown panel are discussed in Subsection 7.4.1. For control circuits, local control is established by use of selector switches provided on the local control panels which transfer control from the main control room to the local control panel. A selector switch is provided for each circuit. For the remote shutdown panel, switching to local control causes an annunciator alarm to sound in the main control room. A discussion of the selector switches as applied to the remote shutdown panel is contained in Subsection 7.4.1.2.1.d. Local control panel instrumentation such as analog indicators require no transfer as they are normally energized and operating.

Reliability of instruments and controls which locally duplicate instruments and controls in the main control room is maximized by using the same standards for design, procurement, and installation as are used for main control room equipment.

B/B-UFSAR 7.4-9a REVISION 7 - DECEMBER 1998

The safety evaluation of the maintenance of shutdown with these systems and associated instrumentation and controls has included consideration of the accident consequences that might jeopardize safe shutdown conditions. The accident consequences that are germane are those that would tend to degrade the capabilities for boration, adequate supply for auxiliary feedwater, and residual heat removal.

B/B-UFSAR 7.4-10 REVISION 13 - DECEMBER 2010

The results of the accident analysis are presented in Chapter 15.0. Of these, the following produce the most severe consequences that are pertinent:

a. uncontrolled boron dilution,
b. loss of normal feedwater,
c. loss of external electrical load and/or turbine trip, and
d. loss of nonemergency a-c power to the station auxiliaries.

It will be shown by these analyses that safety is not adversely affected by these incidents with the associated assumptions being that the instrumentation and controls indicated in Subsections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown. See Section 2.4 of the Fire Protection Report for available post fire remote shutdown controls and instrumentation. These available systems will allow a maintenance of hot standby even under the accident conditions listed above, which would tend toward a return to criticality or a loss of heat sink.

The results of the analysis which determined the applicability to the nuclear steam supply system safe shutdown systems of the NRC General Design Criteria, IEEE 279-1971, applicable NRC regulations, and other industry standards are presented in Table 7.1-1. The functions considered and listed below include both safety-related and non-safety-related equipment:

a. reactor trip system,
b. engineered safety features actuation system,
c. safety-related display instrumentation for postaccident monitoring,
d. main control board,
e. remote shutdown panel,
f. residual heat removal,
g. instrument power supply, and
h. control systems.

For discussions addressing how these requirements are satisfied, see Table 7.1-1.

B/B-UFSAR 7.4-11 REVISION 9 - DECEMBER 2002

TABLE 7.4-1

REMOTE SHUTDOWN MONITORING INSTRUMENTATION

INSTRUMENT                                     READOUT LOCATION   TOTAL NO. OF CHANNELS
1. Intermediate Range Neutron Flux             PL06J              2
2. Source Range Neutron Flux                   PL06J              2
3. Reactor Coolant Temperature - Wide Range
   a. Hot Leg                                  PL05J              1/loop
   b. Cold Leg                                 PL05J              1/loop
4. Pressurizer Pressure                        PL06J              1
5. Pressurizer Level                           PL06J              2
6. Steam Generator Pressure                    PL04J/PL05J        1/stm gen
7. Steam Generator Level                       PL04J              1/stm gen
8. RHR Temperature                             LOCAL              2
9. Auxiliary Feedwater Flow Rate               PL04J/PL05J        2/stm gen

B/B-UFSAR 7.5-1

7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION (Regulatory Guide 1.97)

7.5.1 Description

Table 7.5-1 lists the information readouts provided to the operator to enable him to perform required manual safety functions, and to determine the effect of manual actions taken following a reactor trip due to a Condition II, III, or IV event, as defined in Chapter 15.0. Table 7.5-1 lists the information readouts required to maintain the plant in a hot standby condition or to proceed to cold shutdown within the limits of the technical specifications. Reactivity control after Condition II and III faults resulting in a reactor trip or a safety injection will be maintained by administrative sampling of the reactor coolant for boron to ensure that the concentration is sufficient to maintain the reactor subcritical.

Table 7.5-2 lists the information available to the operator for monitoring conditions in the reactor, the reactor coolant system, and in the containment and process systems throughout all normal operating conditions of the plant, including anticipated operational occurrences.

All safety function actuations are initiated automatically so that no decision or manual action of controls is required by plant operations personnel. All events that automatically initiate auxiliary feedwater require the operator to manually terminate the flow to prevent steam generator overfill. Intelligence of the system responses is provided to the operator by control room instrumentation so that faults in the actuation of safety equipment can be diagnosed. The following main control board devices indicate this intelligence:

a. Three indicating lights are provided for each pump control switch. They indicate pump stopped, pump automatic trip, and pump running. Two indicating lights are provided for each valve control switch. They indicate valve closed and valve open, and both lights are on when the valve is in the intermediate position.
b. Status lights - A light in the status light grouping is provided to indicate that a channel of instrumentation that can initiate a safety function has been actuated.
c. Monitor lights - A light in the monitor light grouping is provided for each pump (running) and for each valve (open, closed) that is an engineered safety feature (ESF). The assignment of a component to a light grouping is determined by that component's operation as follows:

B/B-UFSAR 7.5-2

Group 1

Group 1 lights monitor those components whose status is essential for advance readiness to actuate the engineered safety features. These lights should all be dark during normal operation.

Group 2

Group 2 lights monitor those engineered safety features components which must actuate during the injection phase of an accident. These lights should all light for an accident. Some of these lights may be lit during normal operation, for instance component cooling, centrifugal charging, and essential service water pumps and fans running.

Group 3

Group 3 monitors those valves required to close for containment isolation Phase A. They are separated to show pairs of redundant valves subject to closure by the A and B trains. These lights should all light for an accident. Some of these lights may be lit during normal operation, for instance sample line isolation valves.

Group 4

Group 4 monitors those components which must be changed to achieve the cold leg recirculation mode. The transition from injection mode to cold leg recirculation is done manually by the plant operators. This group is used as a guide, realigning 18 valves and restarting the RHR pumps until all lights in this group are lit. Some of the lights may be lit during normal operation or nonaccident cooldowns, such as centrifugal charging and RHR pump lights.

Group 5

Group 5 monitors those components which must be changed to achieve the hot leg recirculation mode. The transition from cold leg recirculation to hot leg recirculation mode is done manually by the plant operators. This group is used as a guide, realigning eight valves and checking that the RHR pumps continue running until all lights in this group are lit. Some of the lights may be lit during normal operation or nonaccident cooldowns, such as centrifugal charging and RHR pump lights.

B/B-UFSAR 7.5-3

Group 6

Group 6 monitors those components which actuate on a high-high or a high-high-high containment pressure signal, including the containment spray system components, containment isolation Phase B components, and the main steam isolation valves. In nonaccident conditions, these lights will usually be all dark except during system testing or isolation of a steam generator.

Additional information pertaining to the monitor lights is as follows:

1. A mechanism for testing light bulbs is provided in each light group.
2. Group 1 is dark for normal operations. Groups 2 and 6 are lit for accident conditions as defined above, and in some instances may have several lights lit during various normal operations.
3. When a monitor light is energized, the statement written on the window is true. Since all the lights in a particular grouping operate in the same manner, a component failure is readily apparent.

d. Pump motor ammeters - provided for engineered safety feature pump motors supplied from 4160-volt buses.

No credit is taken for the annunciator and computer systems as an information display since they are not designed as engineered safety features. However, this does not preclude their availability as a useful diagnostic tool in a postincident review.

7.5.2 Analyses

The indicator channels (see Table 7.5-1) required to enable the operator to take the correct action during the course of a Condition II, III, or IV accident or during postaccident recovery were designed to the criteria listed in Subsection 7.5.3. The indicators in Table 7.5-1 are used for the operational monitoring of the plant and are thus under surveillance by the operator during normal plant operation. The indicators are functionally arranged on the control board to provide the operator with ready understanding and interpretation of plant conditions. Comparisons between duplicate information channels or between functionally related channels will enable the operator to readily identify a malfunction in a particular channel. The range of the readouts extends over the maximum expected range of the variable being measured. The combined indicated accuracies are within the errors used in the safety analyses, as shown in Table 7.5-1.

B/B-UFSAR 7.5-4

The readouts identified in Table 7.5-1 were selected on the basis of sufficiency and availability during and subsequent to an accident for which they are necessary. Thus the occurrence of an accident does not render the information required for that accident unavailable, and the status and reliability of the necessary information are known to the operator before, during, and after an accident.

7.5.3 Design Criteria

7.5.3.1 Scope

The scope of IEEE 279-1971 covers protection systems that initiate automatic protective actions. Therefore, in the absence of applicable industry standards for the postaccident monitoring system (PAMS), the following criteria were developed using applicable sections of IEEE 279-1971 as a model. The environmental and seismic qualification of equipment including these sensors is covered in Sections 3.10 and 3.11.

The following criteria establish requirements for the functional performance and reliability of the safety-related PAMS for nuclear reactors producing steam for electric power generation. For purposes of these criteria, the nuclear power generating station safety-related PAMS encompasses those electric and mechanical devices and circuitry which provide information needed to:

a. enable the operator to take the correct manual action during the course of a Condition II, III, or IV fault or during recovery from a Condition II, III or IV fault; and
b. maintain safe shutdown.

7.5.3.2 Definitions

The definitions in this section establish the meanings of words in the context of their use in these criteria.

Channel - An arrangement of components and modules as required to generate a single information signal to monitor a generating station condition.

Components - Items from which the system is assembled (for example, resistors, capacitors, wires, connectors, transistors, tubes, switches, springs, etc.).

Module - Any assembly of interconnected components which constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics which permit it to be tested as a unit. A module could be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

B/B-UFSAR 7.5-5 REVISION 1 - DECEMBER 1989

Postaccident Monitoring Function - A postaccident monitoring function consists of the sensing of one or more variables associated with a particular generating station condition, signal processing, and the presentation of visual information (including recorded information) to the operator.

Monitoring System - Where not otherwise qualified, the words "monitoring system" refer to the nuclear power generating station postaccident monitoring system as defined in Table 7.5-1.

Type Test - Tests made on one or more units to verify adequacy of design.

7.5.3.3 Requirements

7.5.3.3.1 General Functional Requirements

The nuclear power generating station PAMS shall function with precision and reliability to continuously display the appropriate monitored variables. This requirement shall apply for the full range of conditions and performance enumerated.

7.5.3.3.2 Information Readout

One of the channels used to monitor each parameter shall also be recorded to provide a historical record of the behavior of the parameters. The equipment used to record information need not be redundant nor meet the single-failure criterion.

7.5.3.3.3 Single-Failure Criterion

Any single failure within the PAMS shall not result in the loss of the monitoring function. ("Single failure" includes such events as the shorting or open-circuiting of interconnecting signal or power cables. It also includes single credible malfunctions or events that cause a number of consequential component, module, or channel failures. For example, the overheating of an amplifier module is a single failure even though several transistor failures result. Mechanical damage to a mode switch would be a "single failure" although several channels might become involved.)

7.5.3.3.4 Quality of Components and Modules

Components and modules are of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels are achieved through the specification of requirements known to promote high quality, such as requirements for design, for the derating of components, for manufacturing, quality control, inspection, calibration, and test.

B/B-UFSAR 7.5-6

7.5.3.3.5 Equipment Qualification

Type test data or reasonable engineering extrapolation based on test data shall be available to verify that PAMS equipment shall meet, on a continuing basis, the performance requirements determined to be necessary for achieving the system requirements. Qualification of recorders shall verify operability only following (not during) a seismic event. Accelerating forces associated with the pen during the shake period can cause an ink blur of the record during this period, and in some cases a mechanical loosening of the pens might be encountered. The qualification testing program is discussed in Section 3.10.

7.5.3.3.6 Channel Integrity

All PAMS channels are designed to maintain necessary functional capability including accuracy and range, under extremes of conditions (as applicable) relating to environment, energy supply, and malfunctions.

7.5.3.3.7 Channel Independence

Channels (exclusive of recorders as clarified in Subsection 7.5.3.3.2) that provide signals for the same monitoring function are independent and physically separated to accomplish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis, and to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction. Malfunctions, accidents, and other unusual events include, for example, fire, explosions, missiles, lightning, earthquakes, etc.

7.5.3.3.8 Power Source

The PAMS display instrumentation is capable of operating independent of offsite power availability.

7.5.3.3.9 Postaccident Monitoring System and Control System Interaction

1. Classification of Equipment

Any equipment that is used for both postaccident monitoring and control functions is classified as part of the PAMS.

2. Isolation Devices

The transmission of signals from the postaccident monitoring equipment for control or monitoring is through isolation devices which are classified as part of the PAMS and meet all the requirements of this UFSAR. No credible failure at the output of an isolation device prevents the associated PAMS channel from meeting the minimum performance requirements considered in the design bases. Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximum credible a-c or d-c potential (typically 130-Vdc or 118-Vac). A failure in an isolation device is evaluated in the same manner as a failure of other equipment in the PAMS.

B/B-UFSAR 7.5-7 REVISION 8 - DECEMBER 2000

7.5.3.3.10 Derivation of System Inputs

Inputs to the monitoring system are derived from signals that are direct measures of the desired variables. In many cases, the channels listed also bear a known relationship to each other during normal plant operation.

7.5.3.3.11 Capability for Sensor Checks

Means are provided for checking, with a high degree of confidence, the operational availability of each system input sensor during reactor operation.

7.5.3.3.12 Capability for Verifying Operability

Means are available for verifying the operability of the monitoring system channels. Malfunctions are adequately identified by cross-checking between duplicate redundant channels or cross-checking between channels that bear a known relationship to each other during normal plant operation.

7.5.3.3.13 Channel Bypass or Removal from Operation (RG 1.47)

The system is designed to permit any one channel to be maintained when required during power operation. During such operation the active parts of the system need not themselves continue to meet the single-failure criterion. As such, monitoring systems comprised of two redundant channels are permitted to violate the single-failure criterion during channel bypass provided that acceptable reliability of operation can be otherwise demonstrated. The bypass time interval allowed for a maintenance operation is specified in Technical Specification 3.3.3. Bypass indication may be applied administratively or automatically.

7.5.3.3.14 Access to Means of Bypassing

The design permits the administrative control of the means for manually bypassing channels.

7.5.3.3.15 Access to Setpoint Adjustments, Calibration, and Test Points

The design permits the administrative control of access to all setpoint adjustments, module calibration adjustments, and test points.

B/B-UFSAR 7.5-8

7.5.3.3.16 Identification of Monitoring Functions

Displays are indicated and identified down to the channel level.

7.5.3.3.17 System Repair

The system is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.

7.5.3.3.18 Identification

In order to provide assurance that the requirements given in this UFSAR can be applied during the design, construction, maintenance, and operation of the plant, the postaccident monitoring system equipment (for example, interconnecting wiring, components, modules, etc.), is identified distinctively to distinguish between redundant portions of the monitoring system. Installed items of equipment, components, or modules mounted in assemblies that are clearly identified as being in the monitoring system do not themselves require identification.

B/B-UFSAR 7.5-9 REVISION 9 - DECEMBER 2002

TABLE 7.5-1 MAIN CONTROL BOARD INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR (CONDITION II, III AND IV EVENTS)*

1. Wide Range Thot and Tcold
a. Minimum Requirement: A minimum of two Thot and two Tcold indicator channels. The Thot channels must be on separate power supply from the Tcold channels. Capability of recording either Thot or Tcold in one non-isolated loop must be provided.
b. Range - 0 to 700°F.
Purpose and Indicated Accuracy:
1. Maintain the plant in a safe shutdown condition. Indicated accuracy: +/- 8% of full range
2. Ensure proper cooldown rate. Indicated accuracy: +/- 8% of full range
3. Ensure proper relationship between system pressure and temperature. Indicated accuracy: +/- 8% of full range

2. Pressurizer Water Level
a. Minimum Requirement: Two channels on separate power supplies with one channel recorded.
b. Range - entire distance between taps.

* Station specific indicated accuracies found in calculation BRW-99-0017-1/BYR-99-010.

B/B-UFSAR 7.5-10 TABLE 7.5-1 (Cont'd)

c. Purpose and Accuracy:
1. Maintain proper reactor coolant water inventory. Accuracy: Sufficient accuracy to indicate water level is above pressurizer heaters and below 100% of span (about +/- 25% of span)
2. Determine return of water level to pressurizer following steam break and steam generator tube ruptures. Accuracy: Same as above

3. System Wide Range Pressure
a. Minimum Requirement: Two channels on separate power supplies with one channel recorded.
b. Range - 0 to 3000 psi.
c. Purpose and Accuracy:
1. Ensure proper relationship between system pressure and temperature. Accuracy: +/- 8% of full range

4. Containment Pressure
a. Minimum Requirement: Two channels on separate power supplies. Means must be provided to record one of the channels following a high energy line break inside containment
b. Range - 0 to 115% of containment design pressure
c. Purpose and Accuracy:
1. Monitor containment conditions following primary or secondary system break inside containment. Accuracy: +/- 4% of full scale

B/B-UFSAR 7.5-11 TABLE 7.5-1 (Cont'd)

5. Steamline Pressure
a. Minimum Requirement: Two channels per steamline on separate power supplies with one channel per steamline recorded.
b. Range - 0 to 1300 psig.
c. Purpose and Accuracy:
1. Needed to determine type of accident that has occurred and the proper recovery procedure to use. Accuracy: +/- 4% of full scale
2. Determine that plant is in a safe shutdown condition. Accuracy: +/- 4% of full scale

6. Steam Generator Water Level (narrow or wide range)
a. Minimum Requirement: Two narrow range channels per steam generator on separate power supplies with one channel recorded for each steam generator. Although the requirement identifies two narrow range channels, the intent of the requirement is also satisfied by one narrow range and one wide range channel, either of which must be recorded.
b. Range - 0 to 100% of span for both wide or narrow range.
c. Purpose and Accuracy:
1. Maintain adequate heat sink following an accident. Accuracy: Narrow range: sufficient accuracy to indicate that water level is between 0 and 100% of span
2. Needed in recovery procedure following steam generator tube rupture

B/B-UFSAR 7.5-12 REVISION 2 - DECEMBER 1990 TABLE 7.5-1 (Cont'd)

3. Ensure that steam generator tubes are covered following a LOCA.

7. Refueling Water Storage Tank Level
a. Minimum Requirement: Two channels on separate power supplies. Means must be provided to record one of the channels following a safety injection signal.
b. Range - 0 to 100% of span.
c. Purpose, Accuracy, and Time Needed After Accident:
1. Determine when to perform the necessary manual actions following switchover from the injection phase to the recirculation phase of safety injection after a LOCA. Accuracy: +/- 3% of level span. Time needed after accident: 12 hours

B/B-UFSAR 7.5-13 REVISION 9 - DECEMBER 2002

TABLE 7.5-2 CONTROL ROOM INDICATOR AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORMAL OPERATION

Columns: PARAMETER, NUMBER OF CHANNELS AVAILABLE, RANGE, INDICATED ACCURACY*, INDICATOR/RECORDER, LOCATION, NOTES

NUCLEAR INSTRUMENTATION

1. Source Range

a. Count rate
Channels available: 2
Range: 1 to 10^6 counts/sec
Indicated accuracy*: +/-7% of the linear full scale analog voltage
Indicator/recorder: Both channels indicated. Either may be selected for recording.
Location: Control board
Notes: One recorder is used to record any of the 8 nuclear channels (2 source range, 2 intermediate range and 4 power range)

b. Count Rate** (Post Accident Neutron Monitors)
Channels available: 2
Range: 0.1 to 10^5 counts/sec
Indicated accuracy*: +/-2% of the linear full scale analog voltage
Indicator/recorder: Both channels indicated. Both channels may be selected for recording on plant computer.
Location: Control board
Notes: Source range indication provided by Post Accident Neutron Monitoring Instrumentation allowed for satisfying Technical Specification 3.9.3 in Mode 6.

Does not provide startup rate indication.

* Includes channel accuracy and environmental effects. Indicated accuracies provided by NSSS vendor (historical).

B/B-UFSAR 7.5-13a REVISION 10 - DECEMBER 2004 TABLE 7.5-2 (Cont'd)

NUCLEAR INSTRUMENTATION

c. Startup rate
Channels available: 2
Range: -0.5 to 5.0 decades/min
Indicated accuracy*: +/-7% of the linear full scale analog voltage
Indicator/recorder: Both channels indicated.
Location: Control board

2. Intermediate Range

a. Flux level
Channels available: 2
Range: 8 decades of neutron flux (corresponds to 0 to full scale analog voltage) overlapping the source range by 2 decades
Indicated accuracy*: +/-7% of the linear full scale analog voltage and +/-3% of the linear full scale voltage in the range of 10^-4 to 10^-3 amps (10 to 102% RTP at Byron)
Indicator/recorder: Both channels indicated. Either may be selected for recording using the recorder in Item 1 above.
Location: Control board

* Includes channel accuracy and environmental effects.

B/B-UFSAR 7.5-14 REVISION 8 - DECEMBER 2000 TABLE 7.5-2 (Cont'd)

b. Startup rate
Channels available: 2
Range: -0.5 to 5.0 decades/min
Indicated accuracy*: +/-7% of the linear full scale analog voltage
Indicator/recorder: Both channels indicated
Location: Control board

3. Power Range

a. Uncalibrated ion chamber current (top and bottom uncompensated ion chambers)
Channels available: 4
Range: 0 to 120% of full power current
Indicated accuracy*: +/-1 of full power current
Indicator/recorder: All 8 current signals indicated.
Location: NIS racks in control room

b. Calibrated ion chamber current (top and bottom uncompensated ion chambers)
Channels available: 4
Range: 0 to 125% of full power current
Indicated accuracy*: +/-2% full power current
Indicator/recorder: All 8 current signals recorded (four recorders). Recorder 1 - upper currents for two diagonally opposed detectors. Recorder 2 - upper currents for remaining detectors. Recorder 3 - lower currents for two diagonally opposed detectors. Recorder 4 - lower currents for remaining detectors.
Location: Control board

B/B-UFSAR 7.5-15 TABLE 7.5-2 (Cont'd)

c. Upper and lower ion chamber current difference
Channels available: 4
Range: -60 to +60%
Indicated accuracy*: +/-3% of full power
Indicator/recorder: Diagonally opposed channels may be selected for recording at the same time using recorder in Item 1.
Location: Control board

d. Average flux of the top and bottom ion chamber
Channels available: 4
Range: 0 to 120% of full power
Indicated accuracy*: +/-3% full power for indication, +/-2% for recording
Indicator/recorder: All 4 channels indicated. Any 2 of the four channels may be recorded using recorder in Item 1 above
Location: Control board

e. Average flux of the top and bottom ion chambers
Channels available: 4
Range: 0 to 200% of full power
Indicated accuracy*: +/-2 of full power to 120%, +/-6% of full power to 200%
Indicator/recorder: All 4 channels recorded
Location: Control board

f. Flux difference of the top and bottom ion chambers
Channels available: 4
Range: -30 to 30%
Indicated accuracy*: +/-4%
Indicator/recorder: All 4 channels indicated.
Location: Control board

REACTOR COOLANT SYSTEM

1. Taverage (measured)
Channels available: 1/loop
Range: 530° - 630°F
Indicated accuracy*: +/-4°F
Indicator/recorder: All channels indicated.
Location: Control board

B/B-UFSAR 7.5-16 REVISION 8 - DECEMBER 2000 TABLE 7.5-2 (Cont'd)

2. T (measured)
Channels available: 1/loop
Range: 0 to 150% of full power T
Indicated accuracy*: +/-4% of full power T
Indicator/recorder: All channels indicated. One channel is selected for recording
Location: Control board

a. Tcold or Thot (measured, wide range)
Channels available: 1-Thot, 1-Tcold per loop
Range: 0 to 700°F
Indicated accuracy*: +/-4%
Indicator/recorder: One Thot channel and one Tcold channel for each loop is recorded. Each loop has a separate recorder.
Location: Control board

3. Overpower T Setpoint
Channels available: 1/loop
Range: 0 to 150% of full power T
Indicated accuracy*: +/-4% full power T
Indicator/recorder: All channels indicated. One channel is selected for recording.
Location: Control board

4. Overtemperature T Setpoint
Channels available: 1/loop
Range: 0 to 150% of full power T
Indicated accuracy*: +/-4% power T
Indicator/recorder: All channels indicated. One channel is selected for recording.
Location: Control board

5. Pressurizer Pressure
Channels available: 4
Range: 1700 to 2500 psig
Indicated accuracy*: +/-28 psi
Indicator/recorder: All channels indicated
Location: Control board

6. Pressurizer Level
Channels available: 3
Range: Entire distance between taps
Indicated accuracy*: +/-3.5% P level at 2250 psia
Indicator/recorder: All channels indicated. One channel is selected for recording.
Location: Control board
Notes: Level recorded along with reference level signal

B/B-UFSAR 7.5-17 REVISION 10 - DECEMBER 2004 TABLE 7.5-2 (Cont'd)

7. Primary Coolant Flow
Channels available: 3/loop
Range: 0 to 110% of rated flow
Indicated accuracy*: Repeatability of +4.5% of full flow
Indicator/recorder: All channels indicated
Location: Control board

8. Reactor Coolant Pump Motor Current
Channels available: 1/loop
Range: 0-1200A
Indicated accuracy*: +/-2.3%
Indicator/recorder: All channels indicated
Location: Control board
Notes: One channel for each pump

9. System Pressure Wide Range
Channels available: 2
Range: 0 to 3000 psig
Indicated accuracy*: +/-4%
Indicator/recorder: All channels indicated and recorded.
Location: Control board

REACTOR CONTROL SYSTEM

1. Demanded Rod Speed
Channels available: 1
Range: 0 to 100% of rated speed
Indicated accuracy*: +/-2%
Indicator/recorder: The one channel is indicated.
Location: Control board

2. Auctioneered Tavg
Channels available: 1
Range: 530° to 630°F
Indicated accuracy*: +/-4°F
Indicator/recorder: The one channel is recorded.
Location: Control board
Notes: Any one of the Tavg channels into the auctioneer may be bypassed

3. Treference
Channels available: 1
Range: 530° to 630°F
Indicated accuracy*: +/-4°F
Indicator/recorder: The one channel is recorded.
Location: Control board

4. Control Rod Position
Notes: If system not available, borate and sample accordingly

a. Number of steps of demanded rod withdrawal
Channels available: 1/group
Range: 0 to 231 steps
Indicated accuracy*: +/-1 step
Indicator/recorder: Each group is indicated during rod motion.
Location: Control board
Notes: These signals are used in conjunction with the measured position signals (4c) to detect deviation of any individual rod from the demanded position. A deviation will actuate an alarm and annunciator.

B/B-UFSAR 7.5-18 TABLE 7.5-2 (Cont'd)

b. Full length rod measured position
Channels available: 1 for each
Range: 0 to 228 steps
Indicated accuracy*: +/-4 steps
Indicator/recorder: Each rod position is indicated
Location: Control board

5. Full length Control Rod Bank Demanded Position
Channels available: 4
Range: 0 to 230 steps
Indicated accuracy*: +/-2.5% of total bank travel
Indicator/recorder: All 4 control rod bank positions are recorded along with the low-low limit alarm for each bank.
Location: Control board
Notes: 1. One channel for each control bank. 2. An alarm and annunciator is actuated when the last rod control bank to be withdrawn reaches the withdrawal limit, when any rod control bank reaches the low insertion limit and when any rod control bank reaches the low-low insertion limit

CONTAINMENT SYSTEM

1. Containment Pressure
Channels available: 4
Range: 0 to 60 psig
Indicated accuracy*: +/-3%
Indicator/recorder: All 4 channels indicated and 1 is recorded.
Location: Control board

FEEDWATER AND STEAM SYSTEMS

1. Auxiliary Feedwater Flow
Channels available: 1/feed line
Range: 0 to 250
Indicated accuracy*: +/-4%
Indicator/recorder: All channels indicated.
Location: Control board
Notes: Two feed lines per steam generator. One each from Trains A and B.

B/B-UFSAR 7.5-19 REVISION 11 - DECEMBER 2006 TABLE 7.5-2 (Cont'd)

2. Steam Generator Level (narrow range)
Channels available: 4/steam generator
Range: +7 to -5 feet from nominal full load level
Indicated accuracy*: +/-4% of P level (hot)
Indicator/recorder: All channels indicated. The channels used for control are recorded.
Location: Control board

3. Steam Generator Level (wide range)
Channels available: 1/steam generator
Range: +7 to -41 ft from nominal full load level
Indicated accuracy*: +5% of level (cold)
Indicator/recorder: All channels recorded
Location: Control board

4. Deleted

5. Main Feedwater Flow
Channels available: 2/steam generator
Range: 0 to 120% of maximum calculated flow
Indicated accuracy*: +/-5%
Indicator/recorder: All channels indicated. The channels used for controls are recorded
Location: Control board

6. Magnitude of Signal Controlling Main and Bypass Feedwater Control Valves
Channels available: 1/main, 1/bypass
Range: 0 to 100% of valve opening
Indicated accuracy*: +/-1.5%
Indicator/recorder: All channels indicated.
Location: Control board
Notes: 1. One channel for each main and bypass feed-water control valve. 2. OPEN/SHUT indication is provided in the control room for each main and bypass feed-water control valve

B/B-UFSAR 7.5-20 TABLE 7.5-2 (Cont'd)

7. Steam Flow
Channels available: 2/steam generator
Range: 0 to 120% of maximum calculated flow
Indicated accuracy*: +/-5.5%
Indicator/recorder: All channels indicated. The channels used for control are recorded.
Location: Control board
Notes: Accuracy is equipment capability; however, absolute accuracy depends on applicant calibration against feedwater flow.

8. Steamline Pressure
Channels available: 3/loop
Range: 0 to 1300 psig
Indicated accuracy*: +/-4%
Indicator/recorder: All channels indicated and 1 is recorded
Location: Control board

9. Steam Dump Modulate Signal
Channels available: 1
Range: 0-100% of steam dump valves open
Indicated accuracy*: +/-1.5%
Indicator/recorder: The one channel is indicated.
Location: Control board
Notes: OPEN/SHUT indication is provided in the control room for each steam dump valve

10. Turbine Impulse Chamber Pressure
Channels available: 2
Range: 0 to 120% of maximum calculated turbine load
Indicated accuracy*: +/-3.5%
Indicator/recorder: Both channels indicated.
Location: Control board
Notes: OPEN/SHUT indication is provided in the control room for each turbine stop valve

B/B-UFSAR 7.6-1 REVISION 4 - DECEMBER 1992

7.6 OTHER SAFETY-RELATED INSTRUMENTATION SYSTEMS

7.6.1 Description
See Subsections 7.6.3 through 7.6.6 for descriptions of all other instrumentation systems required for safety not previously addressed.

Additional descriptions for the fire detection and protection systems and the process and effluent radiological monitors are found in Subsection 9.5.1 and Section 11.5 respectively.

7.6.2 Analysis
See Subsections 7.6.3 through 7.6.6 for analyses of all other instrumentation systems required for safety not previously addressed.

7.6.3 Instrumentation and Control Power Supply System
For a complete description and analysis of the instrumentation and control power supply system, see Subsection 8.3.1.1.2.

7.6.4 Residual Heat Removal Isolation Valves

7.6.4.1 Description
The normally closed residual heat removal system (RHR) isolation valves 8701A/B and 8702A/B are opened only for residual heat removal after system pressure/temperature has been reduced to the cooldown setpoint. Their position is indicated at the main control board (MCB) by lights monitoring valve limit switches.

There are two motor-operated valves in series in each of the two RHR pump suction lines from the RCS hot legs. The valves are interlocked by diverse pressure instruments as shown on Figures 7.6-1 and 7.6-2 so that they cannot be opened unless the RCS pressure is below approximately 360 psig. This interlock prevents the valve from being opened when the RCS pressure plus the RHR pump pressure would be above the RHR system design pressure. An alarm is provided to alert the operator that an RCS-RHR series isolation valve(s) is not fully closed and that double isolation from the RCS to RHR is not being maintained. The logic inputs are from Limitorque limit switches and the hot leg wide-range pressure transmitters (see Subsection 5.4.7.2.3).

B/B-UFSAR 7.6-1a REVISION 3 - DECEMBER 1991

7.6.4.2 Analysis
In order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE 279-1971 have been applied with the following comments:

1. IEEE 279-1971, Paragraph 4.10: The above mentioned pressure interlock signals and logic are periodically tested. This is done in the interests of safety, since an actual actuation to permit opening the valve could potentially leave only one remaining valve to isolate the low-pressure residual heat removal system from the reactor coolant system.

B/B-UFSAR 7.6-2

2. IEEE 279-1971, Paragraph 4.15: This requirement does not apply, as the setpoints are independent of mode of operation and are not changed.

Environmental qualification of the valves and wiring is discussed in Section 3.11.

7.6.5 Refueling Interlocks
Electrical interlocks as discussed in Subsection 9.1.4.3.1 are provided to minimize the possibility of damage to the fuel during fuel handling operations.

7.6.6 Accumulator Motor-Operated Valves
The control circuit for these valves is shown on Figure 7.6-3. The valves and control circuits are further discussed in Subsections 6.3.2 and 6.3.5.

The safety injection system accumulator discharge isolation valves are motor-operated, normally open valves which are controlled from the main control board.

These valves are interlocked such that:
a. They open automatically on receipt of an "S" signal with the main control board switch in either the "AUTO" or "CLOSE" position.
b. They open automatically whenever the reactor coolant system pressure is above the safety injection unblock pressure (P-11) specified in the technical specifications and the main control board switch is in the "AUTO" position.
c. They cannot be closed as long as an "S" signal is present.

The four main control board position switches for these valves provide a "spring return to auto" from the open position and a "maintain position" from the closed position.

The "maintain closed" position is required to provide an administratively controlled manual block of the automatic opening of the valve at pressure above the safety injection unblock pressure (P-11). The manual block or "maintain closed" position is required when performing periodic check valve leakage testing when the reactor is at pressure. The maximum permissible time that an accumulator valve can be closed when the reactor is at pressure is specified in Technical Specification 3.5.1.

B/B-UFSAR 7.6-3 REVISION 8 - DECEMBER 2000

During plant shutdown, the accumulator valves are in a closed position.

When the RCS pressure is above the SI unblock pressure, an alarm sounds in the main control room for any accumulator isolation valve not fully open as indicated by the valve stem limit switch.

7.6.7 Switchover from Injection to Recirculation
The details of achieving cold leg recirculation following safety injection are given in Subsection 6.3.2.8 and on Table 6.3-7. Figure 7.6-5 shows the logic which is used to open the sump valves automatically. The semiautomatic transfer signal for this switchover is shown in Figure 7.6-4 and is used for closing the charging pump miniflow motor-operated valves as well (see Figure 7.6-6).

7.6.8 Reactor Coolant System Loop Isolation Valve Interlocks

7.6.8.1 Description
The purpose of these interlocks is to ensure that an accidental startup of an unborated and/or cold, isolated reactor coolant loop results only in a relatively slow reactivity insertion rate.

The interlocks are required to perform a protective function. Interlocks are provided to:
a. Prevent the opening of a hot leg loop stop valve unless the cold leg stop valve in the same loop is fully closed.
b. Prevent the starting of a reactor coolant pump unless:
1. The cold leg loop stop valve in the same loop is fully closed and the loop bypass valve is fully open, or
2. Both the hot leg loop stop valve and cold leg loop stop valve are fully open.
c. Prevent the opening of a cold leg stop valve unless:
1. The hot leg loop stop valve in the same loop is open.
2. The bypass valve in the loop is open.
3. Minimum flow has existed through the relief line for 3 hours.
4. The cold leg temperature is within ~20°F of the highest cold leg temperature in the other loops and the hot leg temperature is within ~20°F of the highest hot leg temperature in the other loops.

B/B-UFSAR 7.6-3a REVISION 5 - DECEMBER 1994

The interlocks are a part of the reactor protection system and include the following redundancy:
a. Two independent limit switches to indicate that a valve is fully open.
b. Two independent limit switches to indicate that a valve is fully closed.
c. Two differential pressure switches in each line which bypasses a cold leg loop stop valve to determine that flow exists in the line. Flow through the line indicates:
1. The valves in the line are open.
2. The pump in the isolated loop is running.

The interlocks meet the IEEE-279-1971 criteria and, therefore, cannot be negated by a single failure. The interlock on hot leg temperatures is a backup for the interlock on cold leg temperatures. Thus, the single failure criterion applies to the combination and not to each separately.

Figure 7.6-9 shows a reactor coolant loop with loop isolation valves and also shows the cold leg loop isolation valve bypass line.

7.6.9 Interlocks For RCS Pressure Control During Low Temperature Operation
The basic function of the RCS pressure control during low temperature operation is discussed in Subsection 5.2.2.11. As noted in Subsection 5.2.2.11 this pressure control includes manually armed semiautomatic actuation logic for two pressurizer power operated relief valves (PORVs). The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions, with the actuation logic only unblocked by the manual ARM position on the PORV control switch when plant operation is at a temperature below the Technical Specification requirement of 350°F. The monitored system temperature signals are processed to generate the reference pressure limit program which is compared to the measured pressure.

B/B-UFSAR 7.6-4 REVISION 12 - DECEMBER 2008

The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions, compare them with the reference nil ductility temperature (RNDT) and pressure limits, as shown in Pressure Temperature Limits Report (PTLR) Figure 3.1 and Table 3.1, and generate a signal to open the PORV if the pressure conditions exceed allowable limits. The actuation logic will function only if the PORV hand switch is in the manual ARM position. See Figure 7.6-10 for the block diagram showing the interlocks for RCS pressure control during low temperature operation. As shown in this figure, the station variables required for this interlock are channelized as follows:
a. Protection Set I
1. wide range RCS temperature from hot legs and
2. wide range RCS system pressure (PT 407).
b. Protection Set II
1. wide range RCS temperature from cold legs.
c. Protection Set IV
1. wide range RCS system pressure (PT 406).

The wide range temperature signals, as inputs to the Protection Sets I and II, continuously monitor RCS temperature conditions whenever plant operation is at a temperature below the RNDT. In Protection Set I, the existing RCS hot leg wide range temperature channels supply through an isolation device continuous analog input to an auctioneering device, which is located in the process rack of control rack Group 1. The lowest reading is selected and input to a function generator which calculates the reference pressure limit program considering the plant's allowable pressure and temperature limits. Also available from Protection Set I is the wide range RCS system pressure signal which is sent through an isolation device to control rack Group 1. The reference pressure from the function generator is compared to the actual RCS system pressure monitored by the wide range pressure channel.
The error signal derived from the difference between the reference pressure and the actual measured pressure, will first annunciate a main board alarm whenever the actual measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in measured pressure, the error signal will generate an annunciated actuation signal. The actuation signal available from control rack Group 1 will control PORV "A" whenever a manually armed permissive signal from control Group 4 is present.

B/B-UFSAR 7.6-5 REVISION 1 - DECEMBER 1989

The manually armed permissive to the PORVs actuation device is a signal which is turned on only when the MCB four-position PORV control switch is placed in the ARM position. When it is in the AUTO position (normal operating conditions) the actuation signal is at a temperature greater than the range of concern. This will prevent unnecessary system actuation when at normal RCS operating conditions as a result of a failure in the process sensors. The PORV control switch is placed in the ARM position when the low auctioneered RCS temperature signal reaches a low setpoint value which is indicated by an annunciated actuation signal.

The monitored generating station variables that generate the actuation signal for the "B" PORV are processed in a similar manner. In the case of PORV "B", the reference temperature is generated in control rack Group 4 from the lowest auctioneered wide range cold leg temperature, the auctioneering device deriving its inputs from the RCS wide range temperature in Protection Set II, and the actual measured pressure signal is available from Protection Set IV. Therefore, the generating station variables used for PORV "B" are derived from protection sets that are independent of the set from which generating station variables used for PORV "A" are derived. The error signal derivation itself used for the actuation signals is available from the control group.
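An added example, not part of the UFSAR or any plant software, that models the PORV actuation path described in this subsection: low-select auctioneering, the reference pressure program, the alarm and actuation comparisons, and the ARM permissive for each of the two independent channels. The breakpoint table, alarm margin, sensor readings, the per-PORV switch argument, and the rule that actuation occurs once measured pressure exceeds the reference are constructed assumptions; the actual limits are in the PTLR.

```python
"""Model of the low-temperature PORV actuation logic described in 7.6.9.

All numeric values are constructed placeholders, not PTLR or plant data.
"""
from bisect import bisect_right
from dataclasses import dataclass

# Constructed (temperature degF, allowable pressure psig) breakpoints standing
# in for the function generator's reference pressure limit program.
REFERENCE_PROGRAM = [(50.0, 450.0), (150.0, 500.0), (250.0, 650.0), (350.0, 900.0)]
ALARM_MARGIN_PSI = 50.0  # constructed stand-in for the "predetermined amount"


def auctioneer_low(temps_f):
    """Low-select auctioneering: pass on the lowest wide-range temperature."""
    if not temps_f:
        raise ValueError("auctioneer needs at least one temperature input")
    return min(temps_f)


def reference_pressure(temp_f, program=REFERENCE_PROGRAM):
    """Piecewise-linear function generator, clamped at the end breakpoints."""
    temps = [t for t, _ in program]
    if temp_f <= temps[0]:
        return program[0][1]
    if temp_f >= temps[-1]:
        return program[-1][1]
    i = bisect_right(temps, temp_f)
    (t0, p0), (t1, p1) = program[i - 1], program[i]
    return p0 + (p1 - p0) * (temp_f - t0) / (t1 - t0)


@dataclass(frozen=True)
class ChannelState:
    low_temp_f: float        # output of the auctioneering device
    reference_psig: float    # output of the function generator
    error_psi: float         # reference pressure minus measured pressure
    alarm: bool              # measured pressure within the margin of the reference
    actuation_signal: bool   # generated whether or not the switch is armed
    porv_open: bool          # actuation signal AND manual ARM permissive


def evaluate_channel(temps_f, measured_psig, switch_position):
    """One PORV channel: auctioneer, reference program, comparison, ARM gate."""
    low = auctioneer_low(temps_f)
    ref = reference_pressure(low)
    error = ref - measured_psig
    alarm = error <= ALARM_MARGIN_PSI
    # Assumption: the actuation signal is generated once measured pressure
    # exceeds the reference pressure.
    actuation = measured_psig > ref
    # In AUTO the permissive is absent, so a failed sensor cannot open the valve.
    porv_open = actuation and switch_position == "ARM"
    return ChannelState(low, ref, error, alarm, actuation, porv_open)


def evaluate_both(hot_leg_f, pt407_psig, cold_leg_f, pt406_psig, switch_a, switch_b):
    """PORV A uses hot-leg temperatures and PT 407 (Protection Set I);
    PORV B uses cold-leg temperatures (Set II) and PT 406 (Set IV)."""
    return {
        "A": evaluate_channel(hot_leg_f, pt407_psig, switch_a),
        "B": evaluate_channel(cold_leg_f, pt406_psig, switch_b),
    }


if __name__ == "__main__":
    hot = [210.0, 205.0, 200.0, 208.0]    # constructed hot-leg readings, degF
    cold = [195.0, 190.0, 198.0, 192.0]   # constructed cold-leg readings, degF
    cases = [
        ("approaching limit, armed", 540.0, 540.0, "ARM"),
        ("over limit, switch in AUTO", 600.0, 600.0, "AUTO"),
        ("over limit, armed", 600.0, 600.0, "ARM"),
        ("over limit, PT 407 failed low", 0.0, 600.0, "ARM"),
    ]
    for label, pt407, pt406, switch in cases:
        result = evaluate_both(hot, pt407, cold, pt406, switch, switch)
        print(label)
        for porv, state in result.items():
            print(f"  PORV {porv}: ref={state.reference_psig:.0f} psig "
                  f"alarm={state.alarm} actuation={state.actuation_signal} "
                  f"open={state.porv_open}")
```

The last case shows why the two channels draw on independent protection sets: with the PORV A pressure input failed low, PORV B still opens on its own temperature and pressure signals.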
Upon receipt of the actuation signal and with the PORV control switch in the ARM position, the actuation device will automatically cause the PORV to open. Upon sufficient RCS inventory letdown, the operating RCS pressure will decrease, clearing the actuation signal. Removal of this signal causes the PORV to close.

7.6.9.1 Analysis of Interlock
Many criteria presented in IEEE 279-1971 and IEEE 338-1971 standards do not apply to the interlocks for RCS pressure control during low temperature operation, because the interlocks do not perform a protective function but rather provide automatic pressure control at low temperatures as a backup to the operator. However, although IEEE 279-1971 criteria do not apply, some advantages of the dependability and benefits of an IEEE 279-1971 design have occurred by including the pressure and temperature signal elements as noted above in the protection sets and by organizing the control of the two PORVs (either of which can accomplish the RCS pressure control function) into dual channels wherever practical. Either of the two PORVs can accomplish the RCS pressure control function.

The design of the low temperature interlocks for RCS pressure control includes the following features:

a. No credible single failure at the output of the protection set racks, after the output leaves the racks to interface with the interlocks, will prevent the associated protection system channel from performing its protective function because such outputs that leave the racks go through an isolation device as shown in Figure 7.6-10 and because there are no shared components between channels.

B/B-UFSAR 7.6-6 REVISION 9 - DECEMBER 2002

b. Testing capability for elements of the interlocks within (not external to) the Protection System is consistent with the testing principles and methods discussed in Subsection 7.2.2.2.3. It should be noted that there is an annunciator which provides an alarm when there is low auctioneered RCS temperature (below RNDT) coincident with a closed position of the motor operated (MOV) pressurizer relief block valve. This MOV is in the same fluid path as the PORV, with a separate MOV used and alarmed associated with the second PORV.

c. A loss of offsite power will not defeat the provisions for an electrical power source for the interlocks because these provisions are through onsite power which is described in Section 8.3.

7.6.10 Instrumentation for Mitigating Consequences of Inadvertent Boron Dilution

7.6.10.1 Description
Instrumentation is provided to mitigate the consequences of inadvertent addition of unborated, primary grade water into the reactor coolant system. The primary indication of a potential boron dilution transient in Modes 3, 4 and 5 is an increase in VCT volume as measured by redundant VCT level channels. These channels alarm in the main control room on high VCT level at 70%. In addition, alarm inputs from Train A and Train B source range flux doubling, and CV112A control valve not in VCT position, are available to alert the operators to the potential of a boron dilution transient. A boron dilution transient can be administratively terminated by aligning the CVCS valves to the RWST to inject borated water into the reactor (reference NRC Docket Nos. STN 50-456, STN 50-457, STN 50-454, and STN 50-455, Subject: Request for Technical Specifications Change, Removal of the Automatic Actuation Features of the Boron Dilution Protection System).

7.6.10.2 Analysis
The analysis of effects and consequences of inadvertent boron dilution transient is covered in Subsection 15.4.6.

B/B-UFSAR 7.6-7

7.6.10.3 Qualification
Qualification of the instrumentation is discussed in Sections 3.10 and 3.11.

7.6.11 Charging Pump Miniflow Valve Interlocks
Two solenoid actuated charging pump miniflow control valves (CV8114 and CV8116) are provided with actuation logic to isolate the miniflow lines for the centrifugal charging pumps (see Subsection 6.3.2.2) on low RCS pressure in conjunction with an "S" signal. These valves open to protect the pumps should the RCS pressure increase above their "open" setpoint with an "S" signal present (see Figures 7.6-7 and 7.6-8). In addition to the solenoid actuated charging pump miniflow control valves, two motor-operated charging pump miniflow valves (CV8110 and CV8111) are also provided to isolate the miniflow lines at the time of switchover from safety injection to cold leg recirculation. This isolation is automatic when the refueling water storage tank (RWST) water level drops to the low-low setpoint in conjunction with an "S" signal (see Figures 7.6-4 and 7.6-6). In all four miniflow valves (2 that are solenoid actuated and 2 that are motor-operated), the "S" signal logic retains the "S" signal by retentive memory logic which can be reset at the control board.

7.6.12 References
1. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations", IEEE 279-1971.
2. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection System", IEEE 338-1971.

B/B-UFSAR 7.7-35

TABLE 7.7-1 PLANT CONTROL SYSTEM INTERLOCKS

Columns: DESIGNATION, DERIVATION, FUNCTION

C-1
Derivation: 1/2 Neutron flux (intermediate range) above setpoint
Function: Blocks automatic and manual control rod withdrawal

C-2
Derivation: 1/4 Neutron flux (power range) above setpoint
Function: Blocks automatic and manual control rod withdrawal

C-3
Derivation: 2/4 Overtemperature T above setpoint
Function: Blocks automatic and manual control rod withdrawal. Actuates turbine runback via load reference. Defeats remote load dispatching (if remote load dispatching is used)

C-4
Derivation: 2/4 Overpower T above setpoint
Function: Blocks automatic and manual control rod withdrawal. Actuates turbine runback via load reference. Defeats remote load dispatching (if remote load dispatching is used)

C-5
Derivation: 1/1 Turbine impulse chamber pressure below setpoint
Function: Defeats remote load dispatching (if remote load dispatching is used). Blocks automatic control rod withdrawal

C-7
Derivation: 1/1 Time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint
Function: Makes steam dump valves available for either tripping or modulation

B/B-UFSAR 7.7-36 REVISION 4 - DECEMBER 1992 TABLE 7.7-1 (Cont'd)

C-8
Derivation: Turbine trip
Function: Provides turbine trip indication

C-9
Derivation: Any condenser pressure above setpoint, or all circulation water pump breakers open
Function: Blocks steam dump to condenser

C-11
Derivation: 1/1 Bank D control rod position above setpoint
Function: Blocks automatic rod withdrawal

C-14
Derivation: 2/2 Steam generator level above setpoint (optional)
Function: Closes the feedwater control valve(s) in the affected steam generator only

C-16
Derivation: 1/1 Auctioneered low Tavg - Tref below setpoint
Function: Stops turbine loading (not used)
or
Derivation: 1/1 Auctioneered low Tavg below setpoint
Function: Defeats remote load dispatching (if remote load dispatching is used)

[Figure residue: rod control system diagrams. Recoverable labels: reactor control system (Ovation), logic cabinet, manual switch, bank selector, multiplex, disconnect switches, power circuits, power cabinets 1BD and 2BD, Control Bank D Group 1 and Group 2 (lifting / off), normal sequencing of groups within bank.]

NOTE: Only cabinets 1BD and 2BD shown. For more complete diagram including power cabinets 1AC, 2AC, and SCD, see Ref. 1 in Section 7.7.3.

BYRON/BRAIDWOOD STATIONS UPDATED FINAL SAFETY ANALYSIS REPORT, REVISION 15 DECEMBER 2014

FIGURE 7.7-12 ATWS MITIGATION SYSTEM SIMPLIFIED LOGIC DIAGRAM

[Figure residue. Recoverable labels: inputs "SGA Level 3% < RPS", "SGB Level 3% < RPS", "SGC Level 3% < RPS", "SGD Level 3% < RPS"; "Arm system above C-20" (C-20 > 30%); Logic 1 with "Inhibit system for test" and "Cont. switch normal"; "Inputs to logics 2 & 3"; "Logics 2 & 3 similar to logic 1"; outputs "Initiate auxiliary FW pumps and related components Div. 11", "Initiate auxiliary FW pumps and related components Div. 12", and "Trip main turbine (emergency trip)".]