Latest revision as of 04:05, 3 April 2019

Text

Revision 33 to the Updated Final Safety Analysis Report, Section 7, Plant Instrumentation and Control Systems
	ML16054A421
Person / Time
Site:	Monticello
Issue date:	01/26/2016
From:	; Northern States Power Co, Xcel Energy
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML16054A376	List: L-MT-16-004, Revision 33 to Updated Final Safety Analysis Report, Drawings NF-36058 Through NH-36243-1, Rev. 82 (Public); ML16054A388; ML16054A413; ML16054A414; ML16054A415; ML16054A416; ML16054A417; ML16054A418; ML16054A419; ML16054A420; ML16054A421; ML16054A422; ML16054A423; ML16054A424; ML16054A425; ML16054A426; ML16054A427; ML16054A428; ML16054A429; ML16054A432; ML16054A434; ML16054A435; ML16054A436; ML16054A438; ML16054A439; ML16054A440; ML16054A441; ML16054A442; ML16054A443; ML16054A444; ML16054A445; ML16054A446; ML16054A447; ML16054A448; ML16155A258; ML16155A259;
References
	L-MT-16-004
	Download: ML16054A421 (159)
	v • d • e

SECTION 7

SECTION 77.17.1.1

7.1.2 Revision

26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 14SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEM I/kab7.2Reactor Control Systems7.2.1Reactor Manual Control System7.2.1.1Design Basis The reactor manual control system is designed to:a.Provide methods to control reactor power level.

b.Provide methods to balance the power distribution within the reactor core.

c.Prevent a single component malfunction or single operator error from causing damage to the reactor coolant system.d.Prevent a malfunction from interfering with reactor protective functions.

e.Provide a capability to satisfy the boundaries for fuel damage by meeting the specific core characteristics, parameters, and limitations listed anddescribed in Section 3.2.

Based on these design bases the reactor manual control system can be

described in such manner as to separate the system into both safety and

operational design bases and objectives. It is upon these objectives and design bases and their ultimate mission cited in Sections 3.2.1 and 3.2.2, that

the following sections are justified and discussed.7.2.1.1.1IdentificationThe reactor manual control system consists of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the

control rods and the surveillance of associated equipment. This system

includes the interlocks that inhibit rod movement (rod block) under certain conditions. The reactor manual control system does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in the Reactor Protection System, Section 7.6.1. Neither

are the mechanical devices of the control rod drives and the control rod drive

hydraulic system included in the reactor manual control system. Thesemechanical components are described in Section 3.5, "Reactivity Control Mechanical Characteristics".

Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 2 of 14 I/kab7.2.1.1.2Operational Objective The objective of the reactor manual control system is to provide the operator with the means to make changes in core reactivity so that reactor power level

and power distribution can be controlled. The system allows the operator to

manipulate control rods.7.2.1.1.3Safety Design Basisa.The circuitry provided for the manipulation of control rods is designed sothat no single failure can negate the effectiveness of a reactor scram.b.Repair, replacement, or adjustment of any failed or malfunctioning component does not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.7.2.1.1.4Operational Design Basisa.The reactor manual control system is designed to inhibit control rod withdrawal following erroneous control rod manipulations so that reactor protection system action (scram) is not required.b.The reactor manual control system is designed to inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous

control rod manipulation.c.The reactor manual control system is designed to inhibit rod movement whenever such movement would result in operationally undesirable core

reactivity conditions or whenever instrumentation is incapable of

monitoring the core response to rod movement.d.To limit the potential for inadvertent rod withdrawals leading to reactor protection system action, the reactor manual control system is designed in such a way that deliberate operator action is required to effect a continuous rod withdrawal.e.To provide the operator with the means to achieve prescribed control rod patterns, information pertinent to the position and motion of the control rods is available in the control room.7.2.1.2Control Rod Adjustment Control7.2.1.2.1General Withdrawing a control rod increases core reactivity causing reactor power to

increase until the increased boiling, void formation, and fuel temperature

balance the change in reactivity caused by the rod withdrawal. Increase in Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 3 of 14 I/kabboiling rate tends to raise reactor vessel pressure, causing the initial pressure regulator to open the main turbine control or bypass valves to maintain a constant turbine inlet pressure. When a control rod is inserted, the converseeffect takes place.

The hydraulic portion of the control rod drive system is described and evaluatedin Section 3.5.3. Each control rod has its own drive, including separate control and scram devices. Each rod is electrically and hydraulically independent of the others, except that a common hydraulic pressure source is used for normal

operation. The east hydraulic control unit groups use the east scram discharge

volume and the west hydraulic control unit groups use the west scram

discharge volume for the scram operation. Each rod has an individual pressure source for scram operation. Rod position is mechanically controlled by thedesign of the rod drive piston and collet assembly.

Scram operation of all rods is completely independent of the circuitry involved in rod positioning during normal operation. Scram operation is described inSection 7.6.1.2.

Electrical power for the control rod drive control system is received from an instrument bus and the a-c bus. The rod drive system is actuated, for normal operation, by energizing solenoid operated valves which direct the drive water to insert or withdraw the rod.

Control rods are operated one at a time and are withdrawn in preplanned sequences conforming to the Banked Position Withdrawal Sequence (BPWS).See section 7.8.2 for additional discussion of the BPWS. The rod selected for movement is electrically controlled so that movement is not more than six

inches - one notch at a time except that the one notch withdrawal movement

restriction can be overridden by the operator by simultaneously manipulating

two switches. Insertion requires operation of only one switch. Protection isafforded to prevent inadvertent withdrawal, insertion and selection of thecontrols rods. This protection prevents control rod movement (rod block). To

permit continued power operation during the repair or calibration of equipment

for selected functions which provide rod block interlocks, a limited number of

manual bypasses are permitted as follows:

1 SRM channel

2 IRM channels (1 on either bus)

1 APRM channel

1 RBM channel The permissible IRM and APRM bypasses are arranged in the same way as in

the reactor protection system. The IRMs are arranged as two groups of equal

numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The arrangement allows the bypassing

of one IRM in each rod block logic circuit. Only one of the 4 APRM channels0117204801172048 Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 4 of 14 I/kabcan be bypassed at a time. Only one rod block circuit can be affected by the APRM bypass function. These bypasses are enabled by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is enabled as the neutron flux increases beyond a preset low level on the SRM instrumentation.

The bypass allows the detector to be partially or completely withdrawn as a reactor startup is continued.

An automatic bypass of the RBM rod block occurs whenever the power level is below a preselected level or whenever a peripheral control rod is selected.

Either of these two conditions indicates that local fuel damage is not threatened and the RBM action is not required.

The rod worth minimizer rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. It may be manually bypassed for maintenance at any time.

The same grouping of neutron monitoring equipment (APRM, IRM, SRM, and RBM) that is used in the reactor protection system is also used in the rod blockcircuitry. One half of the total numbers of APRMs IRMs, SRMs, and RBMs provides inputs to one of the rod block logic circuits, and the remaining half

provides inputs to the other logic circuit. Both RBM trip channels provide input

signals into a separate inhibit circuit for the "nonannunciating rod block control".

Scram discharge volume high water level signals are provided as inputs into one of the two rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed.

The rod withdrawal block from the rod worth minimizer trip affects a separate

circuit that trips the "nonannunciating rod block control". The rod insert block

from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion.The APRM rod block settings are varied as a function of recirculation flow.Analyses show that the settings selected are sufficient to avoid both reactor

protection system action and local fuel damage as a result of a single controlrod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully

inserted. Additional detail on all the neutron monitoring system trip channels is available in the Section 7.3.

The rod block from scram discharge volume high water level utilizes two thermally activated switches, one installed on each scram discharge volume.

Control rod position information is obtained from reed switches in the control

rod drive that open or close as a magnet attached to the rod drive piston passes during rod movement. Reed switches are provided at each 3 inch increment of piston travel. Since a notch is 6 inches, indication is available for

each half-notch of rod travel. The reed switches located at the half-notch0117204801172048 Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 5 of 14 I/kabpositions for each rod are used to indicate rod drift. A drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is alsomonitored by the process computer and the rod worth minimizer.

Reed switches are also provided at locations that are beyond the limits or normal rod movement. If the rod drive piston moves to these over-travel

positions, an alarm is sounded in the control room. The over-travel alarm

provides a means to verify that the drive-to-rod coupling is intact, because with the coupling in its normal condition, the drive cannot be physically withdrawn to the over-travel position. Coupling integrity can be checked by attempting to

withdraw the drive to the over-travel position.

The following control room lights are provided to allow the operator to know the status of the control rod system and the control circuitry:

Rod position Withdraw bus energized

Insert bus energized

Withdrawal not permissive

Rod drift Notch override Settle bus energized

Rod drive flow control valves' position

Rod drive water pressure control valve position

Drive water pump low suction pressure (alarm only)

Charging water (to accumulator) low pressure (alarm only)

Control rod drive high temperature alarm

Scram discharge volume not drained (alarm only)

Scram valve pilot air header low pressure (alarm only)

Rod worth minimizer conditions are displayed (Section 7.8)

Nuclear instrumentation system trips are displayed (Section 7.3)7.2.1.2.2Control Rod Operating Logic7.2.1.2.2.1Description The control rod operating logic is shown in block form on Section 15 Drawings NX-7865-7-1 and NX-7865-7-2, and is described below:a.With the mode switch in SHUTDOWN, no control rod can be withdrawn.

This enforces compliance with the intent of the SHUTDOWN mode.

Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 6 of 14 I/kabb.The circuitry is arranged to initiate a rod block which prevents rod withdrawal regardless of the position of the mode switch for the following conditions:1.Any average power range monitor (APRM STP) upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require reactor protection system action if

allowed to proceed. The APRM STP upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.2.Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring

channels are either in service or properly bypassed.3.Either rod block monitor (RBM) upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that

local fuel damage does not result. Although local fuel damage

poses no significant threat in terms of radioactive material

released from the nuclear steam supply system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.4.Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or properly

bypassed.5.APRM flow upscale alarm rod block. This assures that no control rod is withdrawn unless the recirculation flow inputs to the APRMs

are operable.6.The reduction of LPRM inputs for any APRM channel below a preset number gives a trouble alarm.7.Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in

either scram discharge volume to accommodate a scram. The

setting is selected to initiate a rod block no later than the scram that is initiated on scram discharge volume high water level.8.Scram discharge volume high water level scram trip bypassed.

This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service.0117204801172048 Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 7 of 14 I/kab9.The rod worth minimizer (RWM) can initiate a rod insert block, a rod withdrawal block, or a rod select block. The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under low power conditions. The rod block

trip settings are based on the allowable control rod worth limits

established for the design basis rod drop accident. Adherence to

prescribed control rod patterns is the normal method by which this reactivity restriction is observed.10.Rod select switch "off" position is necessary to assure compliancewith the intent of the "off" position.11.Rod movement timer malfunction prevents rod motion if timer inthe control rod withdraw circuitry is not functioning properly.12.Rod position information system malfunction. A rod block occurs whenever the rod position information system clock oscillator malfunctions or whenever a control rod probe buffer printer circuitcard is removed from its card holder. This circuitry assures that all

control rod positions are being properly monitored.c.With the mode switch in RUN the following conditions initiate a rod block:1.Any APRM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the average power range neutron monitoring channels are operating properly

or are correctly bypassed. All unbypassed APRMs must be on

scale during reactor operations in the RUN mode.2.Either RBM downscale. This assures that the RBM is in an operating range and is automatically bypassed at low power by a

low APRM signal.3.Any APRM Simulated Thermal Power (STP) - High in RUN. The APRM-STP rod block trip prevents operation significantly above

the licensing basis power level especially during operation atreduced flow. The APRM-STP rod block provides gross core protection; i.e., limits the gross core power increase from

withdrawal of control rods in the normal withdrawal sequence.d.With the mode switch in STARTUP or REFUEL the following conditions initiate a rod block:1.Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges.

This assures that no control rod is withdrawn unless all SRM01172048 Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 8 of 14 I/kabdetectors are properly inserted when they must be relied upon to provide the operator with neutron flux level information.2.Any SRM upscale level alarm. This assures that no control rod is withdrawn unless the SRM detectors are properly retracted during

a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.3.Any SRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper

neutron monitoring capability is available in that all SRM channels

are in service or properly bypassed.4.Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during

low neutron flux level operations unless proper neutron monitoring

capability is available in that all IRM detectors are properly located.5.Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is properly upranged during a reactor startup. This rod

block also provides a means to stop rod withdrawal in time to

avoid conditions requiring reactor protection system action (scram)

in the event that a rod withdrawal error is made during low neutron flux level operation.6.Any IRM downscale alarm except when the range switch is on the lowest range. This assures that no control rod is withdrawn during

low neutron flux level operations unless the neutron flux is being properly monitored. This rod block prevents the continuation of a

reactor startup if the operator upranges the IRM too far for the

existing flux level; thus, the rod block ensures that the intermediate

range monitor is on scale if control rods are to be withdrawn.7.Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM channels are in service or properly bypassed.8.Fuel loaded on service platform hoist. This prevents rod movement while this hoist is loaded.9.Refuel platform is near or over reactor core and the fuel grapple, frame mounted hoist, or trolley mounted hoist is loaded. This

feature prevents rod movement while any of these hoists are

loaded.

Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 9 of 14 I/kabe.With the mode switch in REFUEL position:1.One rod permissive not energized - provides a bypass to permit single rod withdrawal without nuclear instrumentation permissives.f.With mode switch in STARTUP position:1.Refuel platform near or over reactor core - prevents rod motion for startup if the refueling platform is near or over the core.2.APRM STP - High (Setdown) in STARTUP. For operation at low power (i.e. Mode 2), the APRM STP - High (Setdown) Function generates a rod block to prevent fuel damage resulting from

abnormal operating transients in this power range.7.2.1.2.2.2Justification The rod block functions listed above can be divided into three primary

categories: 1) those associated with the neutron monitoring system; 2) those

associated with preventing control rod withdrawal due to malfunctions within

the control rod control system; 3) those associated with the refueling interlock

system. Although considerable redundancy has been provided in these systems, they are not part of the plant protection system and, therefore, are not designed to meet IEEE 279 "Criteria for Nuclear Power Plant Protection Systems" (Reference 18). As stated in Section 7.1.1, they are designed to

prevent a single malfunction or single operator error from causing damage to

the reactor or the reactor coolant system.

Of the rod block functions listed, item "a" needs no justification, since it isprovided to enforce the intent of the shutdown and control rod select off

position and is necessary to assure that the operator can "lock" the control

rods when the plant is shutdown.

Functions b1, b2, b3, b4, b5, b9, c1, c2 are part of the neutron monitoring system. Functions d1, d2, d3, d4, d5, d6, d7and f2 are also neutronmonitoring system inputs under some conditions as described below. A

description of the neutron monitoring system is contained in Reference 1 and Section 7.3. It is indicated in these documents that the neutron monitoring system is designed such that it is adequate to block withdrawal when required.There are two rod block logic circuits and one half of the total numbers of APRMs, IRMs, SRMs, and RBMs provides inputs to one of the rod block logic

circuits. The remaining half provides inputs to the other logic circuit. In addition to the arrangement just described, both RBM channels provide input signals into a separate inhibit circuit for the "nonannunciating rod block

control".011720480117204801172048 Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 10 of 14 I/kabThe rod withdrawal block from the rod worth minimizer trip affects a separate circuit that trips the "nonannunciating rod block control". The rod insert block from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion.The RBM rod block alarm settings are varied as a function of reactor power.Analysis shows that the settings selected are sufficient to avoid local fuel damage as a result of a single control rod withdrawal error. This analysis isdiscussed in Section 7.3.5.3.3. Thus, although the system may not meet the IEEE 279 criteria, considerable redundancy is provided.

The rod block monitor (RBM) is installed in the boiling water reactor to provide, in addition to stated operating procedures, equipment as an

operating aid in the event of a single equipment malfunction or a singleoperator error, so that thermal margins are maintained. As explained above, if the most adverse control rod pattern were to be established by the operator

it is possible there would exist a control rod, which if fully withdrawn, could

result in reduced thermal margins. In order for the operator to withdraw such

a rod it is necessary that, besides committing a procedural error of beginning the withdrawal of the wrong rod, he must ignore several alarms (or have failures of such alarms) and simultaneously have a failure of the RBM

system. Thus, it has been analyzed that even if it is assumed that: 1) one

operator error AND one equipment malfunction, or 2) one operator error plus a second operator error AND one or more equipment malfunctions occur, thepossible off-site effects are within the limitations of 10CFR20. Therefore, safety-grade equipment status has not been assigned to the RBM.If it is assumed that sufficient operator errors and equipment failures occur to exceed thermal limits and if exceeding these thermal limits causes fuel perforations, no off-site doses in excess of 10CFR20 limits would occur due to the protective action of such equipment as the air ejector isolation of theoff-gas or the stack gas alarm which would alert the operator to isolate the off-gas.Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. These switches help assure proper utilization of the SRM and IRM systems during

refueling and startup conditions.Functions b7, b8, b11, b12 are associated with possible malfunctions within the control rod control system. These are desirable in order to prevent control rod withdrawal when there is a known malfunction in the control rod system. Such a rod block forces immediate repair or adjustment as indicated

by the corresponding alarms before control rod withdrawal can be resumed.

Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORTPage 11 of 14 I/kabFunctions d1, d2, d3, d4, d5, d6, d7, d8, d9, e1, f1, and f2 permit refuelingthe reactor, checking reactivity during fueling operations, testing individual control rod drives and yet helping to assure that refueling is not attempted when the control room operator does not intend such action and that reactor

startup is not undertaken while refueling operations are progressing. As

described above, outputs from the IRM and SRM systems are inputs to the

two rod block logic circuits, one half of the instrument channels feeding the rod blocks logic circuits. These outputs are arranged to insure that the low range neutron monitors are operating (or properly bypassed) when fuel is

being moved.

In addition to assuring that the neutron monitors are in operation, refueling interlocks are provided which include circuitry to sense the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated which prevent the movement of the

refueling equipment or withdrawal of control rods (rod block).7.2.1.2.3Performance Analysis The reactor manual control system is used to manipulate individual control rods during plant operation, and is a distinctly separate system (both electrically and physically) from the reactor protection system (RPS) which is used to scram all control rods when required for protection of the reactor. The scram circuitry of the reactor protection system is discussed in Section 7.6. The independence

and separation of these two systems assures that any single failure of the manual control system cannot prevent a reactor scram when such action is required.Both of these systems are designed to control individual control rods: however, the manual control system accomplishes its function by means of four

directional control solenoids and valves, whereas the RPS accomplishes its function using the two scram pilot valves and solenoids of each control rod.

Even if a given control rod is being withdrawn with the manual control system, the action of the scram valves on that rod results in the rod being inserted to its

full-in position. Hence, it is concluded that the RPS protective action is

applicable to all control rods regardless of the state of the reactor manual control system.

The design features of the reactor manual control system to prevent simultaneous withdrawal of more than one control rod are as follows:a.A single pushbutton is used to select an individual control rod. Wiring is used from the pushbutton contacts to the control rod select relays associated with the chosen control rod.01172048 Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 12 of 14 I/kabb.The logic of the control rod select pushbutton contacts is arranged with a set of contacts in the "hot" side of the power line and another set of contacts in the "neutral" side of the power line. The rod select relay for any selected rod is automatically de-energized by this logic arrangement prior to energization of the next control rod selected by the operator.

This configuration assures that only one control rod is selected at any given

time. Therefore it is concluded that the reactor manual control system contains adequate provisions to prevent simultaneous withdrawal of more than one control rod.

The system has inherent design features which provide additional protective and operational capabilities which are not necessary for safety criteria

purposes. Even if multiple component failures are assumed, the rod block monitor (RBM) would prevent control rod withdrawal due to the fact it would receive double the normal analog voltage input from two rods being selected by the multiple failure. Below 10% power the rod worth minimizer (RWM) may

also detect erroneous selection of more than one rod since the selected rod

input information from each rod is added together by Boolean addition.Moreover, if such multiple component failures caused multiple rod selection the reactor operator would be presented with the control rod selection pushbutton

display having more than one pushbutton illuminated. Such an indication

would warn the reactor operator that multiple failures had occurred.

An evaluation of the control rod position detection and indication system shows that there are no specific number of switch failures which require restricting the control system. Formal criteria or procedures are not considered necessary to

properly operate the plant under conditions of one or more rod position

indication or detection failures. For such failures, it is necessary that operating

personnel exercise good judgement based upon the particular circumstances.As indicated below, the operator is generally able to deduce the position of the control rod. This approach is illustrated by the following examples:a.One open reed switch on one control rod. At this particular rod position, no indication of rod position would be provided to the operator or theprocess computer. It is expected that the operator would move this control rod to an adjacent position having proper rod position indication.b.One continuously closed reed switch on one control rod. At various positions, indications would be provided. The operator is generally able to

properly deduce the correct position, but the process computer may be unable to do so. It is expected that the operator would not need to move the rod since he would be highly confident of its position and the computer

program would automatically assume a predetermined position to eliminate the ambiguity.

Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 13 of 14 I/kabc.Loss of all rod position information for one rod. The operator indication and computer input would indicate absence of data, blank display andlogic "0" inputs to the computer. It is expected that the operator would either place the rod at its full-in position and valve it out of service, or he

may attempt to locate it using the TIP system to scan the core flux

distribution at the guide tube nearest the control rod in question. If the rod

position information system (RPIS) electronics board has caused the failure, the board would be replaced to correct the fault.d.Loss of rod position information for all rods. A malfunction of the RPIS internal clock oscillator or loss of AC power to the RPIS result in rod selection, rod insertion and rod withdrawal blocks by direct interlocks in

the control rod adjustment control system, and by indirect means with the rod worth minimizer function of the process computer below 10% power levels. Repair of the fault would be anticipated in these circumstances.

Many combinations of similar failures could be postulated and analyzed.

However, the above four examples illustrate the importance of operator judgment in assessing the situation and determining a proper course of action.7.2.1.2.4Inspection and Testing The reactor manual control system is routinely checked for proper operation by manipulating control rods using the various methods of control. Detailed

testing and calibration is performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

7.2.2 Recirculation

Flow Control System7.2.2.1Description Reactor power may be varied over a range of approximately 30% by varying

recirculation flow rate. As recirculation flow rate is increased, steam is removed from the core faster, thus reducing the existing void accumulation. A positive reactivity insertion is affected by increased moderation of neutrons, and reactor power increases. The positive reactivity input is balanced by thenegative reactivity effects of high temperature and new void formation.

Speed of the reactor recirculation pumps is varied to change the recirculationflow. A block diagram of the recirculation flow control system is shown in Figure 7.2-2. Motor-generator sets with adjustable speed couplings vary the frequency of the voltage supply to the pump motors to give the desired pumpspeed. To change reactor power, an input from the reactor operator is applied

to one of the Pump Speed Control Switches. A signal from each Control Switch

directs the Programmable Logic Controller (PLC) to control the time rate of

change of pump speed. It is the signal from this device that directly controls the actuators that vary the adjustable speed couplings of the motor-generator sets. The recirculating pump motor adjusts its speed in accordance with the

frequency of the motor-generator (MG) set output voltage.

Revision 26 USAR 7.2MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 14 of 14 I/kabA scoop tube lock-up system installed at Monticello improves the reliability of the recirculation flow control system. Protective logic functions monitor each recirculation flow control loop and lock the actuator in position if abnormal conditions are sensed.7.2.2.2Performance Analysis The recirculation flow control arrangement contributes to the stable response of the reactor. Malfunction of the flow controls is discussed in Section 14.5 of theFSAR. Section 3 describes reactor margins under the flow control mode.

SECTION 77.37.3.17.3.2

7.3.3

7.3.4

7.3.5 Revision

25 USAR 7.4MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 5SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEMS I/cah7.4Reactor Vessel Instrumentation7.4.1Design Basis The reactor vessel instrumentation is designed to fulfill a number of requirements pertaining to the vessel itself or the reactor core; the

instrumentation must:a.Provide the operator with sufficient information in the control room to protect the vessel from undue stresses.b.Provide information which can be used to assure that the reactor core remains covered with water and that the separators are not flooded.c.Provide redundant, reliable inputs to the reactor protection system to shut the reactor down when fuel damage limits are approached.d.Provide a method of detecting leakage from the reactor vessel head flange.7.4.2DescriptionRefer to Section 15 Drawing NH-36242, NH-36242-1 and NH-36242-2, for the

following description of reactor vessel instrumentation.7.4.2.1Reactor Vessel Temperature Thermocouples are attached to the reactor vessel to measure the temperature

at a number of points, chosen to provide data representative of thick, thin, and

transitional sections of the vessel. The data obtained from such

instrumentation provides the basis for controlling the rate of heating or cooling

the vessel so that the stress set up between sections of the reactor vessel is held to an allowable limit. The temperatures are recorded on a multi-pointrecorder. The thermocouples are copper constantan, insulated with braided

glass, and clad with stainless steel. They are positioned under pads welded to

or magnetically fastened to the reactor vessel.Two thermocouples located near the vessel flange are recorded as differentialtemperature on a separate recorder. The two thermocouples used fordifferential temperature are on or near the same vessel azimuth.

Revision 25 USAR 7.4MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 2 of 5 I/cah7.4.2.2Reactor Vessel Pressure Pressure is both indicated and recorded in the control room; these sensors aredifferent from the reactor protection system sensors.

The reactor pressure inputs to the reactor protection system are from localnon-indicating type pressure switches. The pressure is tapped off the vessel

through two sensor lines on opposite sides of the reactor vessel. The sensor

lines are extended outside the drywell to separate instrument racks. The pressure switches are grouped on the two independent sensing lines so that nosingle event jeopardizes the protection system's ability to scram.7.4.2.3Reactor Vessel Water Level Reactor vessel water level is indicated and recorded in the control room. Level is measured by differential pressure transmitters. The instrument sensing lineswhich tap off the condensing chambers also serve as reference columns. The reference columns are located outside the drywell to prevent exposing the

reference columns to the high drywell temperatures of a post-LOCA

environment. This "cold reference leg" design will minimize the indicated level errors due to temperature changes of the reference columns. Two sets of sensing lines on opposite sides of the reactor vessel are extended outside the drywell to separate instrument racks and the transmitters are grouped so that no single event jeopardizes the reactor protection system's ability to scram.

The level of the water in the reactor is controlled by a reactor feedwater control system which receives inputs from water level, steam flow, and feedwater measurements. The water level is monitored by level transmitters coupled to sensing lines from the reactor vessel and is indicated in the control room.On June 30, 1989, the NRC Staff issued Generic Letter 89-11: Resolution ofGeneric Issue 101 "Boiling Water Reactor Water Level Redundancy" (Reference 25). The Generic Issue 101 concern is that a leak or break in the instrument sensing line that is connected to the constant head condensing chamber could cause the reference water leg level to decrease. The decrease in the reference water leg level could cause all the differential pressure

instruments connected to that line to indicate a false high reactor water level.

Under these conditions, the feedwater system may automatically reduce the feedwater flow into the reactor vessel, causing the actual reactor water level todecrease. Generic Letter 89-11 stated that the NRC Staff has concluded that

all BWR designs, in conjunction with operator training and procedures, provide

adequate protection in the event of an instrument line break in any of the reactor vessel water-level instrument systems. The technical basis for theStaff's conclusion is documented in NUREG/CR-5112, "Evaluation of Boiling Water Reactor Water-Level Sensing Line Break and Single Failure" (Reference 26).

Revision 25 USAR 7.4MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 3 of 5 I/cahNRC Bulletin 93-03: "Resolution of Issues Related to Reactor Vessel WaterLevel Instruments" was issued in May, 1993 (Reference 27). The concern is that noncondensible gases may become dissolved in the reference leg of BWR water level instrumentation and lead to a false high level indication during RPV

depressurization when the noncondensibles could come out of solution. Each

licensee was requested to implement hardware modifications necessary to

ensure the level instrumentation design is of high functional reliability for long-term operation.

Monticello has installed a backfill system which provides a backfill of water from the CRD charging water header to the safeguards and feedwater instrument

reference legs. Backfilling the instrument lines prevents water in the reference

legs from being saturated with noncondensible gases and thus, enhances the vessel level instrumentation system to ensure a high functional reliability system.7.4.2.4Reactor Feedwater Flow Reactor feedwater flow is monitored by flow transmitters coupled to flow

nozzles in the feedwater lines. Feedwater flow instrumentation is shown on thefeedwater system P&ID, Section 15 Drawings NH-36036 and NH-36037.7.4.2.5Reactor Steam Flow Reactor steam flow is monitored by flow transmitters coupled to the flow restrictors in each main steam line. The total steam flow is obtained by

summing the flow signal from each main steam line.7.4.2.6Reactor Vessel Flange Leak Detection Integrity of the seal between the reactor vessel body and head is continuously

monitored at the drain line connected to the flange face between the two large

concentric O-rings. Leakage from the reactor vessel through the inner O-ring

collects in a level-switch chamber and annunciates an alarm. Pressure buildup is also annunciated. A solenoid operated valve permits draining the leak system piping so a measurement of the severity of this leak can be made as

the chamber refills.7.4.2.7Design Evaluation Reactor vessel temperature and pressure are sensed and indicated in the control room to provide the operator with the knowledge required to preventexcessive vessel stresses. Sufficient vessel temperature sensors and pressure

sensors are provided in quantities to allow margin for sensor failures.01134127 Revision 25 USAR 7.4MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 4 of 5 I/cahThermocouples on the reactor vessel are particularly important during the first few cycles of heating and cooling of the reactor vessel. Once a good record is obtained and analyzed, the limiting rates of temperature change can be related to the temperature observations from a relatively few thermocouples.

Redundant thermocouples are installed to ensure that the operator always has adequate information to operate the reactor safely. The thermocouples meet the requirements of ASA-C96.1 (Reference 28).

Reactor vessel water level is measured to provide information which can be used to assure that the core is covered and that the separators are not flooded.

The use of the level signals in the reactor protection system and the feedwater

control system assures that the reactor is shut down automatically if the proper level is not maintained.

Redundant analog trip units and transmitters are provided as required byNUREG-0737 (Reference 41) Item II.F.2, and there are a sufficient number of

sensing lines so that plugging of a line does not cause a failure to scram. The arrangement provides assurance that vital protection functions occur as required in spite of system failures.

Other than common taps, the feedwater control system level sensors are independent of the reactor protection system level sensors. A failure in the level control which causes the water level to exceed limits in no way influences the level signals feeding the reactor protection system. Feedwater control system failures are discussed in Section 14.4.

Reactor vessel level and pressure are sensed for core protection purposes. A damaging core power transient resulting from a reactor vessel pressure rise is prevented through the use of the pressure signal. The four pressure sensors

used by the reactor protection system are arranged so that a plugged line or

any other single failure does not prevent a reactor scram due to high pressure.

The reactor vessel flange leak detection system gives immediate qualitative information about a leak sensed by a pressure buildup. This signal has a

sensitivity such that degradation of the seal is noted long before excessive

leakage occurs. Quantitative leak rate information provides the information necessary for a decision regarding repair.7.4.3Inspection and Testing All reactor vessel instrumentation inputs to the reactor protection system operate on a pressure or differential pressure signal. These devices are piped so that

they may be individually actuated with a known signal during shutdown or operation to initiate a protection system single logic channel trip. The level switches have indicators so that the readings can be compared to check for nonconformity.

Revision 25 USAR 7.4MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 5 of 5 I/cahDuring equilibrium conditions, either hot or cold, thermocouples monitor an approximately constant temperature; this fact is used to detect abnormalities.

The reactor feedwater system control scheme is a dynamic system and malfunctions become self-evident. The system can at all times be

cross-compared with other level instruments.

SECTION 77.57.5.17.5.2

7.5.3

7.5.4

Provided with ARM auxiliary units.

SECTION 77.67.6.1

7.6.2

7.6.3 SECTION

77.77.7.1 7.7.2

7.7.3

7.7.4 Revision

28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 10SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEMS I/arb7.8NUMAC Rod Worth Minimizer and Plant Process Computer7.8.1IntroductionTwo digital computer devices are provided to aid in controlling the reactor. Both the control rod worth minimizer and the plant process computer are considered operating conveniences. While they assist the operator in knowing the complete status of the reactor core, they are not required for safe operation of the plant.

The control rod worth minimizer is connected to the rod block functions as described in Section 7.3 but may be bypassed by use of a key lock switch. The

process computer is isolated from the reactor manual control and reactor protection systems.7.8.2Rod Worth Minimizer7.8.2.1Design BasisThe NUMAC RWM is an interlock and display system used to assist theoperator in effecting rod pattern control. The principal function of the RWM is

to limit rod motion such that high worth rods are not created, thereby limiting the maximum reactivity increase due to a CRDA. This is the only function theRWM must perform to satisfy all licensing and design basis requirements.

However, the NUMAC RWM also limits rod motion so that rods cannot be

withdrawn to the extent of generating excessive heat flux in the fuel or causing premature criticality. It displays information relevant to the movement of control rods used to shape both the axial and radial flux profiles for achieving optimum core performance and fuel utilization. The system imposes operating

restrictions by limiting the movement of control rods to prescribed sequences, thereby minimizing the effect of a CRDA, should it occur. The NUMAC RWM System also imposes restrictions on which rod motions the operator can effect under various system states that result during testing and in achieving specialfunctions. The NUMAC RWM includes options such as providing an optimal

rod insertion sequence for rapid power reduction according to a permanently

stored algorithm, and identification of rod movements required to align to the

loaded sequence during reactor shutdown.The RWM is programmed to follow the Banked Position Withdrawal Sequences (BPWS). The banked positions are established to minimize the maximum

incremental control rod worth without being overly restrictive during normalplant operation. Generic analysis of the BPWS (References 20 and 46) has demonstrated that the fuel damage limit will not be violated during a Control

Rod Drop Accident while following the BPWS mode of operation. This analysis also included an evaluation of the effect of fully inserted, inoperable control

rods. It determined that it is acceptable to start up or operate with asymmetric control rod patterns so long as requirements of the BPWS are satisfied and theeffect of any resulting asymmetric power distribution does not affect compliance

with all thermal margin requirements.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 2 of 10 I/arb7.8.2.2Description and Definitions7.8.2.2.1Rod Group A rod step consists of a group of one or more consecutive rods scheduled for individual withdrawal by normal operating procedures. Groups are specified by

control rod identification and steps by minimum and maximum notch position of

a rod group. For example, a specified step may be considered complete when a group of rods are all at some intermediate axial position. Certain rods may be included in more than one step as rod patterns are changed.

Steps and groups are selected such that the order of withdrawal or insertion within a given group minimizes rod worth. In general, the number of rods within a given group and the range of axial positions included in a step is maximized, consistent with the RWM objectives.7.8.2.2.2Rod Subgroup A rod subgroup is a subset of rods within a rod group. They are defined for

operational convenience and their movement within a step will be enforced by the RWM. Rod subgroups may be any set of rods within a rod group. They are

typically only used in the high power rod groups near the end of the withdrawal sequence steps.7.8.2.2.3Operating Sequence An operating sequence is defined as a series of rod steps controlled by theRWM. Steps are ordered within an operating sequence such that rod withdraws by normal operating procedures corresponds to the series of groups.

A complete operating sequence of rod groups includes all control rods in the

system from the full in to the full out positions.7.8.2.2.4Shutdown Margin Test Sequence The shutdown margin test sequence consists of any group of any two control

rods. One rod of the group may be fully withdrawn and the other has a

specified axial position limit. The order of withdrawal is unrestricted. For

example, if the first rod is withdrawn to less than the axial position limit referred to above, the second rod may be fully withdrawn. However, if the first rod is withdrawn beyond the axial position limit, the second rod is automatically stopped at that limit.7.8.2.2.5Selected SequenceThe RWM can store four operating sequences, one special test sequence and

the shutdown margin test sequence. A selected sequence is the particular one being enforced by the RWM.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 3 of 10 I/arb7.8.2.2.6Selection Error A selection error is defined as the selection of a control rod inconsistent with the selected sequence.7.8.2.2.7Insertion Error An insertion error is defined as the insertion of a control rod inconsistent with the selected operation sequence. For example, if the operator is withdrawing

control rods exactly according to procedures and has withdrawn several of the rods which are defined to be in a particular group, the insertion of any withdrawn rod of that group is not considered an insertion error even though it may be a deviation from planned procedures. However, if the operator were to

attempt to insert a rod which is defined in an earlier sequenced group, that

action is inconsistent with the operating sequence and would be blocked. This definition is independent of how far the rod is inserted.7.8.2.2.8Withdrawal ErrorA withdrawal error is defined similarly to an insertion error. For example, if several rods in a group are not withdrawn, the withdrawal of a rod from any group sequenced for subsequent withdrawal is a withdrawal error, regardless of how far the rod is moved.7.8.2.2.9Power Level Set PointAbove 10% power, the objectives of the RWM are satisfied with no constraintson rod patterns. This is due largely to the advantageous effects of high initial

power level on the consequences of a reactivity insertion accident. Therefore,sensed core average power level is used to remove RWM constraints above10% power.7.8.2.2.10DescriptionThe operation of the NUMAC RWM System and its interaction with other major

systems in the BWR is described with the aid of the system block diagrams ofFigure 7.8-1. The NUMAC RWM chassis and the Operator's Display (OD)constitute the NUMAC RWM System. It is convenient to begin by examining in detail the system shown in Figure 7.8-1 and Figure 7.8-2.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 4 of 10 I/arbThe NUMAC RWM chassis receives input from the Rod Position Information System (RPIS), Reactor Manual Control System (RMCS), Plant Power Level Indication - based on Steam Flow from the Digital Feedwater Control System(DFCS), and the Process Computer System (PCS). The RWM OD provides an improved operator interface for control and information. The RWM outputs

include rod motion interlocks to the RMCS relay logic, operator annunciation, error message display via the PCS, and information to the PCS. A keylockswitch on the RWM OD provides rod block and annunciate bypass capability.Display, controls and a keylock switch on the RWM chassis provide

maintenance and setup capability under procedural control.

Rod Motion permissive interlocks connect to the RMCS to assure that rod motions conform to a planned rod motion sequence. Four alternate sequences can be simultaneously stored. A particular sequence is selected under keylock control when the RWM is in the INOP mode.

The operator must withdraw control rods from the reactor core according to the selected sequence. The sequence is divided into steps which identify a group

or subgroup of rods which can be moved between insert and withdraw limits.

Rod groups are identified by the BPWS criteria. A subgroup is a subset of a

rod group. The operator selects and withdraws each rod to the withdraw limit.Each step is completed in order.

Control of the sequence of rod motions within the step is available as an optional feature, but is not required. The sequence is continued by step untilthe Low Power Set Point (LPSP) is reached, at which time the RWM rod blockand annunciator function is automatically bypassed. The RWM continues to

follow rod motion and display any deviation from the selected sequence in an "advisory" capacity until the RWM OD is manually shut off.The RWM remains operable during reactor operation, but performs only theRPIS interface functions to the PCS. The Internal Self-Test system continually monitors the RWM hardware and annunciates in the event of hardware failure.During reactor shutdown, the RWM OD is turned on when the Low PowerAlarm Point (LPAP) is reached, if not turned on by the operator. If rod positions do not conform to the selected sequence when the LPAP is reached, Annunciation occurs and insert/withdraw errors are identified to the operator.

If the control rod configuration does not conform to the selected sequence when the LPSP is reached, rod insert and withdraw blocks are applied. The

optional sequence alignment function aids the operator to assure against this

condition.

Rod motions, on power descent, conform to the selected BPWS sequence in the reverse order of the selected BPWS sequence.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 5 of 10 I/arb7.8.2.2.11ArrangementThe major elements constituting the RWM System are shown in Figure 7.8-1.The system includes the NUMAC RWM Computer and the NUMAC Operator'sDisplay (OD) subsystems as well as portions of the plant's process computer, the General Electric Data Acquisition and Control (GEDAC) System, the Rod

Position and Information System (RPIS) and Reactor Manual Control System (RMCS).Control rod motion sequences are designed to assure rod worth minimization, and are normally developed and updated on or using the process computerand stored in its memory. The process computer program validates the control rod sequences by checking against a variety of sequence constraints.

Validated sequences of control rod motion, both for normal operation and

operation under test conditions or emergency shutdown (optional), are stored

in the plant computer system. This data is downloaded from the plantcomputer system and is transmitted through a GEDAC formatter (a bufferingand formatting device) to the RWM Computer over a serial data link. Any RWM sequence which is downloaded to the RWM Computer is tested to the BPWS criteria stored in the functional computer ROM while the RWM Computer is in

the "INOP" mode of operation. Acceptance of the downloaded data results in the storage of validated, downloaded sequence information in memory withinthe RWM Computer. The RWM Computer can then be placed in its "OPERATE" mode in which it performs its sequence enforcement function without the aid of the process computer.

The Rod Position Information System contains an on-board enhancement card which serves as a data acquisition system. The enhanced RPIS uses a fixed program stored in ROM and has its own internal clock which drives a program counter; and the program counter drives a micro-programmed ROM. The

outputs of the ROM are decoded to simultaneously select four channels of rod

position and rod identification data. A parallel to serial conversion presents

data from each channel of the rod position and identification data in a formsuitable for transmission over four balanced lines to the RWM Computer. Four channels of rod position and identification data are transmitted during each

scan period. The data acquisition and output multiplexer portion of the RPIS

transmits a complete scan of 37 scan periods in 2.4 milliseconds.

The four data streams from the RPIS are converted from serial to parallelformat in the RWM Computer and stored sequentially in memory for subsequent processing. Output data, in the form of contact closures, (or voltage levels) from the RMCS are applied directly to the RWM Computer. The input data from the RWM Computer are assembled into words and stored in

memory for subsequent processing. Stored rod position data and alarmmessages (RWM status data) are transmitted from the RWM Computer to the process computer via the GEDAC multiplexer (MUX) and the GEDAC

formatters.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 6 of 10 I/arbWhen an operator selects a rod, the RWM Computer will perform an evaluationbased on the power level, the rod motion sequence position, the selected rod'sidentification and position and the operating step. The RWM computer checks its own state and the state of the NUMAC OD, as well as the input information

from the Rod Position Information System (RPIS), the Plant Power Level

Monitor and the Reactor Manual Control System (RMCS) to arrive at a decision

whether or not to transmit a permissive signal to the RMCS. The RMCSreceives its command inputs from the reactor operator's console as a result ofmanual inputs by the reactor operator. Comparison by the RWM Computer of

the command inputs and the permitted sequence of commanded rod motions determines whether the RWM Computer issues a permissive signal to the

RMCS.If movement of the selected rod is not permitted, the RWM Computer will blockthe rod motion by removing the permissive; that is, the RWM provides an

interlock function for relay logic circuits in the RMCS when an out of sequence

rod selection or a rod motion is requested. The operator is prevented from causing an out of sequence rod motion unless he bypasses the RWM. Theinterlock function of the RWM System can be bypassed and the RWM annunciator signal deactivated only by setting a keylock switch on the front panel of the OD in the "BYPASS" position.7.8.2.3Performance Analysis During normal operation in any of the sequences, with the operator withdrawing and inserting control rods according to the pre-determined procedures, theRWM neither blocks nor noticeably delays such procedures. During such

operation there are no alarms except for equipment malfunctions, i.e., control rod drift, RWM computer error, or RWM input/output error. If the core power level exceeds the low power alarm point, the RWM neither inhibits nor alarms the selection, insertion, or withdrawal of any control rod.All operator selection errors are indicated by the RWM except during operation above the low power alarm point.

Assuming normal operation in any rod sequence, with permissives in theapplicable group below the low power set point, the RWM does not permit anyerrors to occur. If an error exists due to equipment failure, the RWM does notallow further rod motion unless it is to correct the error. The operator's display

indicates an operator select error and, if applicable, any insert or withdrawal

errors.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 7 of 10 I/arb7.8.2.4Surveillance and Testing Continuous running system diagnostic routines are provided to test the computer and the control rod interlock networks.7.8.3Process Computer The purpose of the Process Computer System (PCS) is to aid the operator in timely determination of plant operability status during all plant conditions by

providing a real time presentation of operational data pertaining to the reactor core and other plant equipment. The PCS also records plant operational data which can be recalled for evaluation of abnormal and unusual events.7.8.3.1Design Basis The objective of the Process Computer System (PCS) is to provide the process monitoring, calculations and data presentation necessary for effective evaluation of normal and emergency plant operation.

The following basis for design was used to accomplish the intended design objectives:a.The PCS provides the capability for periodically determining the three dimensional power density distribution for the reactor core and providing the operator with operational data output with which an accurate assessment of core thermal performance can be attained.b.The PCS provides the capability for continuous monitoring and alarming of the core operating level with respect to the established core operating

limits. This capability aids in assuring that the core is operating within acceptable limits at all times, including periods of maneuvering.c.The PCS includes the capability for providing isotopic concentration data for each fuel bundle in the core.d.The PCS has no direct protective or safety significance and functions only as an operating aid by enhancing established manual operating

procedures.e.The PCS provides the capability to perform certain "Balance of Plant"calculations to aid in maintaining efficiency of operation.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 8 of 10 I/arb7.8.3.2Description of Process Computer Functions The PCS is an integrated system designed for monitoring, analysis and display of plant process parameters obtained from instrumentation connected to plant equipment and systems. Data is collected via an interface with the Data

Acquisition System (DAS). The PCS processes the data (analog, digital and

pulse) and provides meaningful displays, logs and plots of historical, current

and predicted plant performance. The PCS provides the following functions:a.The Safety Parameter Display System (SPDS) provides displays of critical plant parameters to aid control room operator personnel and system engineers in the determination of safety status of the plant during

abnormal and emergency conditions.b.The Transient Recording and Analysis (TRA) System provides recording and analysis functions of real time and historical plant data.c.The Point Log and Alarm (PLA) provides point data processing and an operator interface for controlling point processing, data alarming, display and logging.d.The Gardel Core Monitoring System is provided the necessary data bythe PCS. The PCS provides interfaces to interact with the Rod WorthMinimizer (RWM) and the Transversing Incore Probe (TIP) system for the transfer of data.e.The Sequence of Events (SOE) function provides data recording and event recall for system disturbance evaluation.f.The collection and recording of balance of plant (BOP) data provides for BOP performance monitoring.g.The PCS receives data from the CROSSFLOW system, which may beapplied to correct for the effects of flow nozzle fouling on the calculated feedwater flow rate. When the CROSSFLOW system is enabled, this

data is utilized in the PCS Core Thermal Power calculation.7.8.3.3Description of Core Calculation Computer Functions The nuclear core calculation functions provide the operator with the following

information:a.Reactor core performance and power distribution evaluations.b.Rapid core monitoring.c.Fuel exposure evaluations.

01245016 Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 9 of 10 I/arbd.Control rod exposure evaluations.e.LPRM calibration and accumulated chamber exposure.f.Isotopic composition of the fuel.7.8.3.4Effects of Computer on Instrument System The plant can operate independently of the PCS and failure of the PCS will notaffect the function of any safety system. However, the PCS monitors a number

of plant protection circuits. The two types of signals monitored, and the method of preventing undesirable interference from these signals, are:a.Analog signals Analog neutron monitoring signals are read into the plant process computer using analog to digital converter to convert the output DC signal

to digital information. The DC voltage scanned by the computer is developed across a small precision resistor in series with an isolation resistor from the amplifier output.

The small precision resistor added to accommodate the computer is sizedso that its failure does not affect the neutron monitoring channel output signal. Typical values of the voltages (relative to ground) are:

Neutron Monitoring Amplifier Output 0 - 10 Vdc Computer Input 0 - 160 milli-Vdc If the computer resistor shorts to ground the neutron monitoring amplifier output signal remains constant and the circuit current increases by an

insignificant voltage. Addition of the special resistor for the computer

does not increase the probability of other neutron monitoring circuit failures. The neutron monitoring circuit is protected from a voltagefeeding back from the computer by an inline fuse of low milliamp capacity.b.Digital signals Reactor protection signals are read into the plant process computer from isolated relay or switch contacts in the protection circuitry. Where an isolated set of contacts is not available for computer use, an interposing relay is added.

Data acquisition modules have been connected to safety systems to support the Safety Parameter Display System. These devices are Class

IE analog to digital converters and serve as qualified isolators to assure that failures on the computer side of the device will not affect the safety system. Separation criteria specified in the original plant design havebeen maintained. Loss of power to these modules does not affect the

circuits within the safety system.

Revision 28 USAR 7.8MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 10 of 10 I/arb7.8.3.5Surveillance and Testing The process computer system is self-checking. It performs diagnostic checks to determine the operability of certain portions of the system hardware, and performs internal programming checks to verify that input signals and selected

program computations are either within specific limits or within reasonable

bounds.

Revision 25 USAR 7.9MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 2SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEMS I/cah7.9Other Systems Control and Instrumentation7.9.1Reference to Control and Instrumentation Systems Discussed in Further Detail in Other Sections Controls and Instrumentation for each of the following systems are described in the sections of the text describing the system itself:Secondary Containment SystemSection 5.3Reactor Cleanup Demineralizer SystemSection 10.2Reactor Core Isolation Cooling SystemSection 10.2Emergency Core Cooling SystemSection 6.2 Fire Protection SystemSection 10.3 Reactor Feedwater SystemSection 11.8Plant Service Water SystemSection 10.4Makeup Water SystemSection 10.3 Service and Instrument Air SystemsSection 10.3 Communications SystemSection 10.3Fuel Storage Pool Filtering andSection 10.2 Cooling SystemReactor Shutdown Cooling SystemSection 10.2 Standby Liquid Control SystemSection 6.6Refueling EquipmentSection 10.2Containment MonitorsSection 5.2.2.5.5 Post Accident SamplingSection 10.3.10 SRV Low-Low Set SystemSection 4.4.2.37.9.2Toxic Substance Monitors7.9.2.1Design Basis The toxic substance monitors were eliminated in 1994. See USAR Section

2.9.1 Revision

25 USAR 7.9MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 2 of 2 I/cah7.9.3Accident Monitoring Instrumentation7.9.3.1Design BasisIn Supplement 1 to NUREG-0737 (NRC Generic Letter 82-33) (Reference 31), the NRC specified the requirements for accident monitoring instrumentation.

The guidelines of Regulatory Guide 1.97, Revision 2, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident" (Reference 32) were reviewed, and a number of additional instruments were identified. A number ofexceptions to Regulatory Guide were also taken (References 3, 14, 15, and16).7.9.3.2DescriptionRegulatory Guide 1.97, Revision 2 (Reference 32) provides NRC guidance on

design criteria for accident monitoring instrumentation used by control room operating personnel. The guide delineates design and qualification criteria for the instrumentation used to measure variables that provide accident monitoring

information.The NRC reviewed Monticello's responses with respect to conformance to(Reference 31), and issued a letter and Safety Evaluation Report (SER)(Reference 16). The report concluded that Monticello either conformed to or

provided acceptable justification for deviations from the guidance of Regulatory

the basis for the plant specific compliance method for Regulatory Guide 1.97.

A site program provides instructions to assure continued compliance with the approved method of implementing the applicable Regulatory Guide 1.97 criteria

at Monticello. The program provides for a detailed and current database of the

accident monitoring channels and associated equipment. The database

includes the Regulatory Guide 1.97 category and type classifications for each channel and the plant specific design and qualification criteria that are based on these classifications. The program also identifies the documentation and

the site administrative processes that support ongoing compliance with the

Regulatory Guide 1.97 criteria.7.9.3.3Performance Analysis Instrumentation is provided to assess plant and environs conditions during and

following an accident following the guidance provided in Regulatory Guide 1.97, Revision 2.7.9.3.4Testing and Inspection Instrumentation is periodically sensor checked, functionally tested, andcalibrated in accordance with the requirements of the Technical Specifications and the Monticello instrument calibration program.0111076801110768 Revision 22 USAR 7.10MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 3SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEMS I/mab7.10Seismic and Transient Performance Instrumentation Systems7.10.1Nuclear Boiler Instrument Systems - Initial Seismic Test Program7.10.1.1Introduction The following describes the program which was used for assuring Class I instrumentation meets the seismic requirements at the time Monticello was going through the license application review process.7.10.1.2Systems Representative samples of the Class I instruments for the following essential systems were designed, analyzed and tested by General Electric or other

vendors to ensure performance of their primary functions without spurious

response during and after an earthquake:

Reactor Protection System Nuclear Boiler System

CRD Hydraulic System

Standby Liquid Control System Neutron Monitoring System Emergency Core Cooling Systems

Process Radiation Monitoring Systems7.10.1.3Design Criteriaa.Design Basis Earthquake For the Design Basis Earthquake for rigid body calculations, the seismic force assumed to act on the equipments center of mass had the following

components:Horizontal1.5 times the weightVertical0.14 times the weightb.Operational Basis Earthquake The maximum stresses from combined seismic and normal loads did not exceed allowable stresses without the usual one-third increase of

allowable stress for short term loading. The seismic loads for such

analyses were:Horizontal0.75 times the weight Vertical0.07 times the weightFOR ADMINISTRATIVE USE ONLYResp Supv:CNSTP Assoc Ref:

SR:2yrs N Freq: USAR-MANARMS:USAR-07.10Doc Type:Admin Initials:Date:

9703 Revision 22 USAR 7.10MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 2 of 3 I/mab7.10.1.4Evaluationa.DevicesAll types of Class I devices (relays, switches, amplifiers, power supplies, sensors, etc.) which make up the Class I systems were tested for proper performance under the simulated seismic accelerations of the Design Basis Earthquake. Each device tested is energized and, as applicable, has a simulated input signal applied; and has its output monitored during

and after the test.

The test consists of vibrating the devices to the DBE accelerations over the DBE frequency range on each of the devices three rectilinear axes.b.Racks and Panels Class I racks and panels complete with all internal wiring and devices mounted were vibrated at low accelerations over the DBE frequency range and measurements made to determine the presence of resonances. If resonances were present which affect Class I devices, steps were taken to shift their frequencies out of the band of interest or

dampen them to an acceptable level. Once this was accomplished, the panel can be considered a rigid body and analyzed statically.c.Code devices All instrument devices required to conform to ASME Boiler Code

requirements were analyzed as required by the applicable code. In

general, these devices are large, strong structural or pressure bearing

instruments which would not be noticeably stressed at the low seismic accelerations but, rather, should be analyzed at the combined loading of

their in situ forces plus the seismic loads.7.10.1.5Acceptance The product being evaluated was required to perform its prescribed functions without failure or unacceptable response during and after the application of seismic forces.

Addition of new systems or re-evaluation of existing systems is done using current methods of analysis and component qualification. See Section 12.2.1.10.7.10.2Transient PerformanceTests were performed to determine the stability of the original vessel level instrumentation in the presence of rapidly decaying pressures. These tests were conducted at 1500 psig on a standard temperature compensated head chamber

and verified that the level instrumentation equipment used for Monticello would Revision 22 USAR 7.10MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 3 of 3 I/mabwithstand a depressurization rate of 200 psig/sec for the first three seconds.

Thereafter the rate was 100 psig/sec. During the most rapid depressurization transient the calculated pressure decay rate is approximately 100 psig/sec (200 psig/sec is not expected).

There is nothing to imply that the pressure sensors used would be required to follow such a transient. The pressure switches used to supply signals for

actuation of ECCS equipment have a response time on the order of milliseconds.

This response is fast enough to assure that pressure switch response does notaffect ECCS equipment operation.7.10.3Balance of Plant Control Systems - Seismic Information Program The original seismic qualification of critical items of the following Balance of

Plant equipment were performed by the equipment manufacturers using methods acceptable at the time.4160 Volt AC Switchgear480 Volt AC Load Centers 480 Volt AC Motor Control Centers 250 Volt DC Motor Control Center Electrical Penetration Assemblies Control Boards

Batteries and Battery Racks

Diesel-Generator System Standby Gas Treatment System RHR Service Water SystemEmergency Service Water System Revision 22USAR 7.11MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 2SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEMS I/mab7.11Reactor Shutdown Capability7.11.1Shutdown from Outside the Control Room7.11.1.1Conditions and AssumptionsThe ability to safely shutdown the reactor, should access be lost to the control room, was evaluated using the following conditions and assumptions:a.Conditions1.The plant was operating initially at or less than design power.2.Loss of offsite AC power was not considered.

3.Simultaneous or subsequent accidents were not considered.b.Assumptions1.The control room becomes uninhabitable.

2.Plant personnel evacuate the control room.

3.Access to the control room continues to be completely denied.7.11.1.2Performance Evaluation It is extremely improbable that the control room would become totallyinaccessible. However, the plant design does in fact make provision and does

not preclude the ability to bring the plant to a safe and orderly hot shutdown

condition and ultimately to a cold shutdown condition from outside the control room.There are a number of automatic features incorporated in the plant design which would allow the reactor to come to a safe shutdown condition, in terms of core cooling, independent of any operator action. From an operating standpoint, however, it is desirable that operator action be taken to supplement

these automatic features so that the plant outage time would be kept to a

minimum following the re-establishment of control room access.FOR ADMINISTRATIVE USE ONLYResp Supv:CNSTP Assoc Ref:

SR:2yrs N Freq: USAR-MANARMS:USAR-07.11Doc Type:Admin Initials:Date:

9703 Revision 22USAR 7.11MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 2 of 2 I/mabBefore the control room operator is forced from the control room, he would attempt to bring the plant to a safe shutdown condition. If this cannot be accomplished before leaving, cold shutdown is achieved from the AlternateShutdown System (ASDS) panel. ASDS is discussed in Section 10.3.1.5.4.

During the entire shutdown process described in Section 10.3.1.5.4, no reliance

has been placed on regaining entry into the control room.

Revision 22 USAR 7.12MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 1SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEMS I/mab7.12Detailed Control Room Design Review The plant is equipped with a single control room which contains controls and instrumentation necessary for safe operation of the unit, including the reactor andthe turbine generator, under normal and accident conditions. A Detailed Control Room Design Review (DCRDR) program has been conducted. A DCRDR

summary report which fulfills the guidance contained in NUREG-0700 (Reference

34) and NUREG-0800 (Reference 35) has been submitted to the NRC Staff forreview and approval (Reference 6). The NRC staff issued a Safety Evaluation(Reference 10) pertaining to the Detailed Control Room Design Review (DCRDR)

Program Plan.

The objective of the control room design review was to improve ability of nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information provided to them. The design review plan describes activities for Monticellos control room review, emergency operating

procedures development, safety parameter display system development and

training plans.

The design review was set up to identify modifications to the control room that significantly reduce the probability of operator error through changes in control

room design or related areas of training or procedures.

This design review included a control room survey to identify deviation from accepted human factor principles, and identification and initiation of the necessary

control room changes and a human factors review of these modifications.

The design review concluded that there is a high likelihood of long-term improvements in operator performance and reduction of errors under both normal

and emergency operating procedures.FOR ADMINISTRATIVE USE ONLYResp Supv:CNSTP Assoc Ref:

SR:2yrs N Freq: USAR-MANARMS:USAR-07.12Doc Type:Admin Initials:Date:

9703 Revision 22 USAR 7.13MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 1 of 2SECTION 7PLANT INSTRUMENTATION AND CONTROL SYSTEMS I/mab7.13Safety Parameter Display System7.13.1Design Basis The purpose of the Safety Parameter Display System (SPDS) is to provide a concise display of critical plant variables to control room operators to aid them inrapidly and reliably determining the safety status of the plant (References 7, 8 and 9).7.13.2 Description The Monticello SPDS consists of three primary displays that are designed to

support the information needs of the Emergency Procedure Guidelines (EPGs).These displays, RPV Control Display, Containment Control Display, and CriticalPlant Variables Display, are elaborated in special function displays. The special

function displays provide: 1) two-dimensional plots of the limiting conditions

defined in the Emergency Operating Procedures (EOPs), e.g., Drywell Design

Pressure Curve; 2) trend plots of all control parameters, showing data from the most recent 30 minutes; 3) the validation status of SPDS input data, and 4) radiation monitoring displays.

Design of the SPDS was developed based on human factor engineering principles, then reviewed to assure that those principles had been properly implemented. The human factors engineering program provides reasonable

assurance that the information provided by SPDS will be readily perceived and

comprehended.

7.13.3 Performance Analysis The Monticello SPDS meets the requirements of NUREG-0737, Supplement 1 (Reference 31). Section 4.1f of Supplement 1 to NUREG-0737 states that:The minimum information to be provided shall be sufficient to provide information to plant operators about:(1)Reactivity Control(2)Reactor core cooling and heat removal from the primary system(3)Reactor coolant system integrity(4)Radioactivity control(5)Containment conditionsFOR ADMINISTRATIVE USE ONLYResp Supv:CNSTP Assoc Ref:

SR:2yrs N Freq: USAR-MANARMS:USAR-07.13Doc Type:Admin Initials:Date:

9703 Revision 22 USAR 7.13MONTICELLO UPDATED SAFETY ANALYSIS REPORT Page 2 of 2 I/mabThe SPDS was added as an aid to plant operators. It is not intended as a substitute for other safety-related equipment or instrumentation, but rather as an adjunct to such equipment. The SPDS is not essential to the safe operation of the plant, it is not essential to the prevention of events that endanger the public health and safety, nor is it essential to the mitigation of the consequences of an

accident.7.13.4CertificationNRC Generic Letter 89-06, dated April 12, 1989 (Reference 36), requested

certification regarding the implementation of a Safety Parameter Display System (SPDS). The Generic Letter and its attachment, NUREG-1342, provided

clarification of the requirements for an acceptable SPDS as originally defined in

NUREG 0737, Supplement 1.On July 11, 1989, NSP certified that the SPDS at Monticello (Reference 37) fully meets the requirements of NUREG-0737, Supplement 1, taking into account the information provided in NUREG-1342 (Reference 38). Based upon this certification, the NRC staff concluded in a letter dated April 25, 1990 (Reference

39) that the SPDS has satisfactorily met all the requirements specified inNUREG-0737, Supplement 1. Therefore, staff review and licensee implementation of the SPDS are considered complete for Monticello.

SECTION 77.14

SECTION 7

4