|
|
| (6 intermediate revisions by the same user not shown) |
| Line 2: |
Line 2: |
| | number = ML17355A664 | | | number = ML17355A664 |
| | issue date = 12/31/2017 | | | issue date = 12/31/2017 |
| | title = Columbia Generating Station - Amendment 64 to Final Safety Analysis Report, Chapter 7, Instrumentation and Control Systems | | | title = Amendment 64 to Final Safety Analysis Report, Chapter 7, Instrumentation and Control Systems |
| | author name = | | | author name = |
| | author affiliation = Energy Northwest | | | author affiliation = Energy Northwest |
| Line 17: |
Line 17: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter: COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS Section Page LDCN-05-009 7-i | | {{#Wiki_filter:}} |
| | |
| ==7.1 INTRODUCTION==
| |
| .........................................................................7.1-1 7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS.......................7.1-1 7.1.1.1 Reactor Protection System...........................................................7.1-1 7.1.1.2 Primary Containment and Reactor Vessel Isolation Control System.........7.1-1 7.1.1.3 Emergency Core Cooling System..................................................7.1-1 7.1.1.4 Neutron Monitoring System.........................................................7.1-2 7.1.1.5 Process Radiation Monitoring System.............................................7.1-2 7.1.1.6 Main Control Room and Critical Switchgear Rooms Heating, Ventilating, and Air Conditioning System........................................7.1-2 7.1.1.7 Standby Service Water System......................................................7.1-2 7.1.1.8 Containment Atmosphere Control System........................................7.1-2 7.1.1.9 Reactor Core Isolation Cooling System...........................................7.1-3 7.1.1.10 Standby Liquid Control System....................................................7.1-3 7.1.1.11 Leak Detection System..............................................................7.1-3 7.1.1.12 Residual Heat Removal System - Shutdown Cooling Modes.................7.1-3 7.1.1.13 Fuel Pool Cooling and Cleanup System..........................................7.1-3 7.1.1.14 Suppression Pool Temperature Monitoring System.............................7.1-3 7.1.1.15 Standby Gas Treatment System....................................................7.1-3 7.1.1.16 DELETED.............................................................................7.1-3 7.1.1.17 Safety-Related Display Instrumentation...........................................7.1-4 7.1.1.18 Containment Instrument Air System..............................................7.1-4 7.1.1.19 Residual Heat Removal System - Containment Spray Cooling Mode.......7.1-4 7.1.1.20 Remote Shutdown System...........................................................7.1-4 7.1.1.21 Recirculation Pump Trip............................................................7.1-4 7.1.1.22 Residual Heat Removal System - Suppression Pool Cooling Mode..........7.1-4 7.1.1.23 Anticipated Transient Without Scram Recirculation Pump Trip.............7.1-4 7.1.1.24 Anticipated Transient Without Scram - Alternate Rod Insertion.............7.1-4 7.1.2 IDENTIFICATION OF SAFETY CRITERIA.....................................7.1-5 7.1.2.1 Regulatory Requirements............................................................7.1-5 7.1.2.2 Regulatory Conformance - 10 CFR 50 Appendix A............................7.1-5 7.1.2.3 Conformance to Institute of Electrical and Electronics Engineers Standards................................................................................7.1-5 7.1.2.4 Conformance to Regulatory Guides................................................7.1-7 7.1.2.5 Instrument Errors......................................................................7.1-10 COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-11-031 7-ii 7.2 REACTOR PROTECTION (TRIP) SYSTEM ........................................ 7.2-1 7.2.1 DESCRIPTION ........................................................................... 7.2-1 7.2.1.1 Reactor Protection System Description ............................................ 7.2-1 7.2.1.1.1 Neutron Monitoring System Trip ................................................ 7.2-3 7.2.1.1.1.1 Intermediate Range Monitors .................................................. 7.2-4 7.2.1.1.1.2 Average Power Range Monitors ............................................... 7.2-4 7.2.1.1.2 Reactor Vessel Pressure ........................................................... 7.2-5 7.2.1.1.3 Reactor Vessel Water Level ...................................................... 7.2-5 7.2.1.1.4 Turbine Throttle Valve Position .................................................. 7.2-6 7.2.1.1.5 Turbine Governor Valve Position ................................................ 7.2-6 7.2.1.1.6 Main Steam Line Isolation Valves Position .................................... 7.2-7 7.2.1.1.7 Scram Discharge Volume Water Level ......................................... 7.2-8 7.2.1.1.8 Drywell Pressure .................................................................... 7.2-8 7.2.1.1.9 Manual Scram ....................................................................... 7.2-8 7.2.1.1.10 Reactor Mode Switch Manual Scram ............................................ 7.2-9 7.2.1.2 Design Basis ............................................................................ 7.2-9 7.2.1.2.1 Variables Monitored to Provide Protective Actions .......................... 7.2-9 7.2.1.2.2 Location and Minimum Number of Sensors ................................... 7.2-9 7.2.1.2.3 Prudent Operational Limits ....................................................... 7.2-10 7.2.1.2.4 Margin ................................................................................ 7.2-10 7.2.1.2.5 Levels ................................................................................. 7.2-11 7.2.1.2.6 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems ........................................ 7.2-11 7.2.1.2.6.1 Floods .............................................................................. 7.2-11 7.2.1.2.6.2 Storms and Tornadoes ........................................................... 7.2-11 7.2.1.2.6.3 Earthquakes ....................................................................... 7.2-11 7.2.1.2.6.4 Fires ................................................................................ 7.2-12 7.2.1.2.6.5 Loss-of-Coolant Accident ....................................................... 7.2-12 7.2.1.2.6.6 Pipe Break Outside Primary Containment ................................... 7.2-13 7.2.1.2.6.7 Missiles ............................................................................ 7.2-13 7.2.1.2.7 Minimum Performance Requirements ........................................... 7.2-13 7.2.1.3 Final System Drawings ............................................................... 7.2-13 7.2.2 ANALYSIS ............................................................................... 7.2-13 7.2.2.1 Conformance to 10 CFR 50, Appendix A, General Design Criteria ......... 7.2-13 7.2.2.2 Conformance to IEEE Standards ................................................... 7.2-15 7.2.2.3 Conformance to NRC Regulatory Guides ......................................... 7.2-20 COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-09-007 7-iii 7.3 ENGINEERED SAFETY FEATURE SYSTEMS ................................... 7.3-1 7.3.1 DESCRIPTION .......................................................................... 7.3-1 7.3.1.1 System Description .................................................................... 7.3-1 7.3.1.1.1 Emergency Core Cooling Systems ............................................... 7.3-1 7.3.1.1.1.1 High-Pressure Core Spray System. ........................................... 7.3-2 7.3.1.1.1.2 Automatic Depressurization System .......................................... 7.3-4 7.3.1.1.1.3 Low-Pressure Core Spray. ...................................................... 7.3-5 7.3.1.1.1.4 Residual Heat Removal System - Low Pressure Coolant Injection Mode. ................................................................... 7.3-6 7.3.1.1.2 Primary Containment and Reactor Vessel Isolation Control System (PCRVICS) .......................................................................... 7.3-9 7.3.1.1.2.1 Reactor Vessel Low Water Level ............................................. 7.3-10 7.3.1.1.2.2 Drywell High Pressure .......................................................... 7.3-11 7.3.1.1.2.3 Main Steam Line - High Radiation ............................................ 7.3-11 7.3.1.1.2.4 Main Steam Line - Tunnel High Ambient Temperature or High Differential Temperature ........................................................ 7.3-11 7.3.1.1.2.5 Main Steam Line - High Flow ................................................. 7.3-12 7.3.1.1.2.6 Main Steam Line - Low Pressure ............................................. 7.3-12 7.3.1.1.2.7 Reactor Building Ventilation Exhaust Radiation Monitor ................. 7.3-13 7.3.1.1.2.8 Reactor Water Cleanup System - High Differential Flow ................. 7.3-13 7.3.1.1.2.9 Reactor Water Cleanup System - Area High Ambient Temperature or High Differential Temperature ............................................. 7.3-13 7.3.1.1.2.10 Reactor Water Cleanup System - High Blowdown Flow ................. 7.3-14 7.3.1.1.2.11 Residual Heat Removal System - Area High Ambient Temperature or High Differential Temperature ............................................. 7.3-14 7.3.1.1.2.12 Residual Heat Removal System - Flow Rate Monitoring ................. 7.3-14 7.3.1.1.2.13 Main Condenser Vacuum Trip ................................................ 7.3-15 7.3.1.1.2.14 Reactor Core Isolation Cooling System Isolation Signals. ............... 7.3-15 7.3.1.1.3 DELETED ........................................................................... 7.3-15 7.3.1.1.4 Residual Heat Removal System - Containment Spray Cooling Mode ..... 7.3-15 7.3.1.1.5 Residual Heat Removal System - Suppression Pool Cooling Mode ........ 7.3-16 7.3.1.1.6 Standby Service Water System ................................................... 7.3-17 7.3.1.1.7 Main Control Room and Critical Switchgear Rooms Heating, Ventilating, and Air Conditioning System ...................................... 7.3-18 7.3.1.1.8 Standby Gas Treatment System .................................................. 7.3-18 COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-05-009 7-iv 7.3.1.1.9 Reactor Building Ventilation and Pressure Control System..................7.3-18 7.3.1.1.10 Containment Instrument Air System............................................7.3-19 7.3.1.2 Design Basis............................................................................7.3-20 7.3.1.2.1 Variables Monitored to Provide Protective Action............................7.3-20 7.3.1.2.2 Location and Minimum Number of Sensors...................................7.3-22 7.3.1.2.3 Prudent Operational Limits.......................................................7.3-22 7.3.1.2.4 Margin................................................................................7.3-22 7.3.1.2.5 Levels.................................................................................7.3-22 7.3.1.2.6 Range of Transient, Steady State, and Environmental Conditions.........7.3-22 7.3.1.2.7 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety System.........................................7.3-23 7.3.1.2.7.1 Floods..............................................................................7.3-23 7.3.1.2.7.2 Storms and Tornadoes...........................................................7.3-23 7.3.1.2.7.3 Earthquakes.......................................................................7.3-23 7.3.1.2.7.4 Fires................................................................................7.3-23 7.3.1.2.7.5 LOCA..............................................................................7.3-23 7.3.1.2.7.6 Pipe Break Outside Primary Containment...................................7.3-23 7.3.1.2.7.7 Missiles............................................................................7.3-23 7.3.1.2.8 Minimum Performance Requirements...........................................7.3-23 7.3.1.3 Final System Drawings...............................................................7.3-24 7.3.2 ANALYSIS...............................................................................7.3-24 7.3.2.1 Engineered Safety Feature Systems - Instrumentation and Controls.........7.3-24 7.3.2.1.1 Conformance to 10 CFR 50 Appendix A.......................................7.3-24 7.3.2.1.2 Conformance to IEEE Standards.................................................7.3-25 7.3.2.1.3 Conformance to Regulatory Guides.............................................7.3-29 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN.................................7.4-1 7.4.1 DESCRIPTION..........................................................................7.4-1 7.4.1.1 Reactor Core Isolation Cooling System...........................................7.4-1 7.4.1.1.1 Function..............................................................................7.4-1 7.4.1.1.2 Operation.............................................................................7.4-2 7.4.1.2 Standby Liquid Control System.....................................................7.4-5 7.4.1.2.1 Function..............................................................................7.4-5 7.4.1.2.2 Operation.............................................................................7.4-6 7.4.1.3 Residual Heat Removal System/Shutdown Cooling Mode.....................7.4-6 7.4.1.3.1 Function..............................................................................7.4-6 COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-04-027 7-v 7.4.1.3.2 Operation.............................................................................7.4-6 7.4.1.4 Remote Shutdown Systems..........................................................7.4-7 7.4.1.4.1 Function..............................................................................7.4-7 7.4.1.4.2 Operation.............................................................................7.4-7 7.4.1.5 Anticipated Transient Without Scram - Recirculation Pump Trip............7.4-9 7.4.1.5.1 Function..............................................................................7.4-9 7.4.1.5.2 Operation.............................................................................7.4-9 7.4.1.6 Anticipated Transient Without Scram - Alternate Rod Insertion..............7.4-9 7.4.1.6.1 Function..............................................................................7.4-9 7.4.1.6.2 Operation.............................................................................7.4-9 7.4.1.7 Design Basis............................................................................7.4-10 7.4.1.7.1 Variables Monitored to Provide Protective Actions..........................7.4-10 7.4.1.7.2 Location and Minimum Number of Sensors...................................7.4-10 7.4.1.7.3 Prudent Operational Limits.......................................................7.4-10 7.4.1.7.4 Margin................................................................................7.4-10 7.4.1.7.5 Levels.................................................................................7.4-10 7.4.1.7.6 Range of Transient, Steady State, and Environmental Conditions.........7.4-11 7.4.1.7.7 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems........................................7.4-11 7.4.1.7.7.1 Floods..............................................................................7.4-11 7.4.1.7.7.2 Storms and Tornadoes...........................................................7.4-11 7.4.1.7.7.3 Earthquakes.......................................................................7.4-11 7.4.1.7.7.4 Fires................................................................................7.4-11 7.4.1.7.7.5 Loss-of-Coolant Accident.......................................................7.4-12 7.4.1.7.7.6 Pipe Break Outside Primary Containment...................................7.4-12 7.4.1.7.7.7 Missiles............................................................................7.4-12 7.4.1.7.8 Minimum Performance Requirements...........................................7.4-12 7.4.1.8 Final System Drawings...............................................................7.4-12 7.4.2 ANALYSIS...............................................................................7.4-12 7.4.2.1 Conformance to 10 CFR 50 Appendix A, General Design Criteria..........7.4-12 7.4.2.2 Conformance to IEEE Standards...................................................7.4-13 7.4.2.3 Regulatory Guides Conformance...................................................7.4-18 7.
| |
| | |
| ==4.3 REFERENCES==
| |
| ...........................................................................7.4-19 COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-09-033 7-vi 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION .......................... 7.5-1 7.5.1 SUMMARY DESCRIPTION .......................................................... 7.5-1 7.5.1.1 General .................................................................................. 7.5-1 7.5.1.1.1 Reactor Water Level ............................................................... 7.5-1 7.5.1.1.2 Reactor Pressure .................................................................... 7.5-2 7.5.1.2 Reactor Shutdown Indication ........................................................ 7.5-2 7.5.1.3 Primary Containment and Reactor Vessel Isolation Indication ................ 7.5-3 7.5.1.4 Emergency Core Cooling System and Reactor Core Isolation Cooling Indication ..................................................................... 7.5-3 7.5.1.5 Containment Indications .............................................................. 7.5-4 7.5.1.5.1 Primary Containment Pressure Monitoring .................................... 7.5-4 7.5.1.5.2 Primary Containment Temperature .............................................. 7.5-4 7.5.1.5.3 Primary Containment Radiation .................................................. 7.5-5 7.5.1.5.4 Primary Containment Hydrogen and Oxygen Concentration ................ 7.5-6 7.5.1.5.5 Suppression Chamber Pressure ................................................... 7.5-6 7.5.1.5.6 Suppression Pool Temperature Monitoring .................................... 7.5-6 7.5.1.5.7 Suppression Pool Water Level Monitoring ..................................... 7.5-6 7.5.1.6 Monitoring for Radioactive Release to the Environment ....................... 7.5-7 7.5.1.6.1 Building Effluent Gas Monitors .................................................. 7.5-7 7.5.1.6.2 Meteorological Conditions ........................................................ 7.5-7 7.5.1.7 Radiation Exposure (Postaccident) ................................................. 7.5-7 7.5.1.8 Postaccident Sampling System ...................................................... 7.5-8 7.5.1.9 Primary System Relief Valve Position Indication ................................ 7.5-8 7.5.1.10 Power Supply Status Monitoring ................................................... 7.5-8 7.5.1.11 Primary Water Source Indication .................................................. 7.5-8 7.5.1.12 Residual Heat Removal System .................................................... 7.5-8 7.5.1.13 Standby Liquid Control System .................................................... 7.5-9 7.5.1.14 DELETED ............................................................................. 7.5-9 7.5.1.15 High Levels in Radioactive Liquid Tanks ........................................ 7.5-9 7.5.1.16 Emergency Ventilation Damper Position Indication ............................ 7.5-9 7.5.1.17 Standby Service Water System ..................................................... 7.5-9 7.5.1.18 Spent Fuel Pool Cooling System ................................................... 7.5-9 7.5.1.19 Main Control Room Heating, Ventilating, and Air Conditioning ............ 7.5-9 7.5.1.20 Standby Gas Treatment System .................................................... 7.5-9 7.5.1.21 Containment Instrument Air ........................................................ 7.5-10 COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-05-009 7-vii 7.5.1.22 Safety Parameter Display............................................................7.5-10 7.5.1.22.1 Description..........................................................................7.5-10 7.5.1.22.2 Conformance to NUREG-0696..................................................7.5-10 7.5.2 ANALYSIS AND DESIGN BASIS..................................................7.5-11 7.5.2.1 Design Basis............................................................................7.5-11 7.5.2.2 Analysis.................................................................................7.5-13 7.5.2.2.1 Conformance To 10 CFR 50 Appendix A, General Design Criteria......7.5-14 7.5.2.2.2 Conformance To IEEE Standards................................................7.5-14 7.5.2.2.2.1 IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations.......................................7.5-14 7.5.2.2.2.2 IEEE Standard 323-1974, Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations.........................7.5-17 7.5.2.2.3 Regulatory Guide Conformance..................................................7.5-17 7.
| |
| | |
| ==5.3 REFERENCES==
| |
| ...........................................................................7.5-30 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY.....................................................................................7.6-1 7.6.1 DESCRIPTION..........................................................................7.6-1 7.6.1.1 Process Radiation Monitoring System.............................................7.6-1 7.6.1.2 High-Pressure/Low-Pressure Systems Interlocks and Alarms.................7.6-1 7.6.1.2.1 Function..............................................................................7.6-1 7.6.1.2.2 Operation.............................................................................7.6-1 7.6.1.3 Leak Detection System...............................................................7.6-2 7.6.1.3.1 Function..............................................................................7.6-3 7.6.1.3.2 Operation.............................................................................7.6-3 7.6.1.3.3 Main Steam Line Leak Detection................................................7.6-4 7.6.1.3.4 Reactor Core Isolation Cooling System Leak Detection.....................7.6-4 7.6.1.3.4.1 Reactor Core Isolation Cooling Area Temperature Monitoring..........7.6-4 7.6.1.3.4.2 Reactor Core Isolation Cooling Steam Flow Rate Monitoring...........7.6-5 7.6.1.3.4.3 Reactor Core Isolation Cooling Turbine Exhaust Diaphragm Pressure Monitoring.............................................................7.6-5 7.6.1.3.4.4 Reactor Core Isolation Cooling Pressure Monitoring......................7.6-5 7.6.1.3.5 Residual Heat Removal System Leak Detection...............................7.6-5 7.6.1.3.5.1 Residual Heat Removal Area Temperature Monitoring...................7.6-6 7.6.1.3.5.2 Residual Heat Removal Flow Rate Monitoring.............................7.6-6 COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-06-048 7-viii 7.6.1.3.6 Reactor Water Cleanup System Leak Detection...............................7.6-6 7.6.1.3.6.1 Reactor Water Cleanup Differential Flow Monitoring.....................7.6-7 7.6.1.3.6.2 Reactor Water Cleanup Area Temperature Monitoring...................7.6-7 7.6.1.3.6.3 Condenser Blowdown Line Flow Monitoring...............................7.6-7 7.6.1.3.7 Drywell Floor Drain Leak Detection............................................7.6-7 7.6.1.3.8 Drywell Equipment Drain Leak Detection.....................................7.6-7 7.6.1.3.9 Reactor Building Floor Drain and Equipment Drain Sumps Leak Detection.......................................................................7.6-8 7.6.1.3.10 Emergency Core Cooling Systems Pump Room Flooding Detection.....7.6-8 7.6.1.3.11 Drywell Atmosphere Radiation Monitoring System.........................7.6-8 7.6.1.3.12 Auxiliary Steam Line Leak Detection..........................................7.6-9 7.6.1.4 Neutron Monitoring System.........................................................7.6-9 7.6.1.4.1 Intermediate Range Monitor......................................................7.6-9 7.6.1.4.1.1 Function............................................................................7.6-9 7.6.1.4.1.2 Operation..........................................................................7.6-9 7.6.1.4.2 Local Power Range Monitor......................................................7.6.10 7.6.1.4.2.1 Function............................................................................7.6-10 7.6.1.4.2.2 Operation..........................................................................7.6-10 7.6.1.4.3 Average Power Range Monitor..................................................7.6-12 7.6.1.4.3.1 Function............................................................................7.6-12 7.6.1.4.3.2 Operation..........................................................................7.6-12 7.6.1.4.4 Oscillation Power Range Monitor................................................7.6-13 7.6.1.4.4.1 Function............................................................................7.6-13 7.6.1.4.4.2 Operation..........................................................................7.6-13 7.6.1.5 Recirculation Pump Trip System...................................................7.6-15 7.6.1.5.1 Function..............................................................................7.6-15 7.6.1.5.2 Operation.............................................................................7.6-15 7.6.1.5.2.1 Bypasses and Interlocks.........................................................7.6-16 7.6.1.5.2.2 Redundancy.......................................................................7.6-17 7.6.1.5.2.3 Testability..........................................................................7.6-17 7.6.1.5.2.4 Environmental Considerations.................................................7.6-17 7.6.1.5.2.5 Operational Considerations.....................................................7.6-17 7.6.1.6 Spent Fuel Pool Cooling and Cleanup System...................................7.6-17 7.6.1.6.1 Function..............................................................................7.6-17 7.6.1.6.2 Operation.............................................................................7.6-18 COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-06-048 7-ix 7.6.1.7 Suppression Pool Temperature Monitoring System.............................7.6-18 7.6.1.7.1 Function..............................................................................7.6-18 7.6.1.7.2 Operation.............................................................................7.6-18 7.6.1.8 Design Basis............................................................................7.6-19 7.6.1.8.1 Variables Monitored to Provide Protective Actions..........................7.6-19 7.6.1.8.2 Location and Minimum Number of Sensors...................................7.6-20 7.6.1.8.3 Prudent Operational Limits.......................................................7.6-20 7.6.1.8.4 Margin................................................................................7.6-21 7.6.1.8.5 Levels.................................................................................7.6-21 7.6.1.8.6 Range of Transient, Steady State, and Environmental Conditions.........7.6-21 7.6.1.8.7 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems................................................7.6-21 7.6.1.8.7.1 Floods..............................................................................7.6-21 7.6.1.8.7.2 Storms and Tornadoes...........................................................7.6-21 7.6.1.8.7.3 Earthquakes.......................................................................7.6-21 7.6.1.8.7.4 Fires................................................................................7.6-22 7.6.1.8.7.5 Loss-of-Coolant Accident.......................................................7.6-22 7.6.1.8.7.6 Pipe Break Outside Containment..............................................7.6-22 7.6.1.8.7.7 Missiles............................................................................7.6-22 7.6.1.8.8 Minimum Performance Requirements...........................................7.6-22 7.6.1.9 Final System Drawings...............................................................7.6-22 7.6.2 ANALYSIS...............................................................................7.6-22 7.6.2.1 Safety-Related Systems - Instrumentation and Controls........................7.6-22 7.6.2.2 Conformance to 10 CFR 50, Appendix A - General Design Criteria........7.6-23 7.6.2.3 Conformance to IEEE Standards...................................................7.6-23 7.6.2.4 Conformance to Regulatory Guides................................................7.6-28 7.
| |
| | |
| ==6.3 REFERENCES==
| |
| ...........................................................................7.6-31 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY.........................7.7-1 7.7.1 DESCRIPTION..........................................................................7.7-1 7.7.1.1 Reactor Vessel.........................................................................7.7-1 7.7.1.1.1 Function..............................................................................7.7-2 7.7.1.1.2 Operation.............................................................................7.7-2 7.7.1.1.2.1 Reactor Vessel Temperature....................................................7.7-2 7.7.1.1.2.2 Reactor Vessel Water Level....................................................7.7-2 7.7.1.1.2.3 Reactor Core Hydraulics........................................................7.7-3 COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-06-057 7-x 7.7.1.1.2.4 Reactor Vessel Pressure.........................................................7.7-3 7.7.1.2 Reactor Manual Control System....................................................7.7-4 7.7.1.2.1 Function..............................................................................7.7-4 7.7.1.2.2 Operation.............................................................................7.7-4 7.7.1.2.2.1 Rod Drive Control System......................................................7.7-4 7.7.1.2.2.2 Rod Block Trip System..........................................................7.7-7 7.7.1.2.2.3 Rod Position Probes.............................................................7.7-12 7.7.1.2.2.4 Position Indication Electronics.................................................7.7-12 7.7.1.3 Recirculation Flow Control System................................................7.7-14 7.7.1.3.1 Function..............................................................................7.7-14 7.7.1.3.2 Operation.............................................................................7.7-15 7.7.1.4 Feedwater Control System...........................................................7.7-19 7.7.1.4.1 Function..............................................................................7.7-19 7.7.1.4.2 Operation.............................................................................7.7-19 7.7.1.4.2.1 Reactor Vessel Water Level....................................................7.7-20 7.7.1.4.2.2 Main Steam Line Steam Flow..................................................7.7-20 7.7.1.4.2.3 Feedwater Flow...................................................................7.7-20 7.7.1.5 Digital Electro-Hydraulic Control System........................................7.7-21 7.7.1.5.1 Function..............................................................................7.7-21 7.7.1.5.2 Operation.............................................................................7.7-22 7.7.1.5.2.1 Steam Pressure Control.........................................................7.7-22 7.7.1.5.2.2 Steam Bypass System............................................................7.7-23 7.7.1.5.2.3 Turbine Control System Variables............................................7.7-23 7.7.1.5.2.4 Turbine Speed-Load Control Interfaces......................................7.7-24 7.7.1.6 Neutron Monitoring System - Traversing In-Core Probe......................7.7-28 7.7.1.6.1 Function..............................................................................7.7-28 7.7.1.6.2 Operation.............................................................................7.7-29 7.7.1.7 Neutron Monitoring System - Source Range Monitor..........................7.7-30 7.7.1.7.1 Function..............................................................................7.7-30 7.7.1.7.2 Operation.............................................................................7.7-30 7.7.1.8 Neutron Monitoring System - Rod Block Monitor..............................7.7-31 7.7.1.8.1 Function..............................................................................7.7-31 7.7.1.8.2 Operation.............................................................................7.7-31 7.7.1.9 Process Computer System...........................................................7.7-32 7.7.1.9.1 Function..............................................................................7.7-32 7.7.1.9.2 Operation.............................................................................7.7-33 COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS (Continued)
| |
| Section Page LDCN-14-004 7-xi 7.7.1.10 Rod Worth Minimizer Function .................................................... 7.7-34 7.7.1.10.1 Function .............................................................................. 7.7-34 7.7.1.10.2 Operation ............................................................................ 7.7-34 7.7.1.11 DELETED 7.7-36 Through 7.7-39 .............................................................. 7.7-39 7.7.1.12 Loose Parts Detection System ...................................................... 7.7-39 7.7.1.13 Refueling Interlocks .................................................................. 7.7-39 7.7.1.13.1 Function .............................................................................. 7.7-39 7.7.1.13.2 Operation ............................................................................ 7.7-39 7.7.1.14 Safety/Relief Valves - Relief Function ............................................ 7.7-41 7.7.1.14.1 Function .............................................................................. 7.7-41 7.7.1.14.2 Operation ............................................................................ 7.7-42 7.7.1.15 Transient Data Acquisition System ................................................ 7.7-42 7.7.1.15.1 Function .............................................................................. 7.7-42 7.7.1.15.2 Description .......................................................................... 7.7-43 7.7.1.15.3 Operation ............................................................................ 7.7-43 7.7.1.15.4 Conformance to NRC Regulatory Guides ...................................... 7.7-44 7.7.1.15.4.1 Regulatory Guide 1.75, Revision 2, Physical Independence of Electric Systems .............................................................. 7.7-44 7.7.1.15.4.2 NUREG-0737, Supplement 1, Clarification of TMI Action Plan Requirements: Requirements for Emergency Response Capabilities .. 7.7-45 7.7.1.16 Design Differences .................................................................. 7.7-45 7.7.2 ANALYSIS ............................................................................... 7.7-45
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS LIST OF TABLES Number Page LDCN-02-032, 05-009 7-xii 7.1-1 Design and Supply Responsibility of Safety-Related and Safe Shutdown Systems...................................................7.1-13 7.1-2 Safety-Related Systems Similarity to Licensed Reactors..................7.1-15 7.1-3 Codes and Standards Applicability Matrix.................................7.1-17 7.2-1 Reactor Protection System Instrumentation................................7.2-23 7.3-1 High Pressure Core Spray System Instrumentation.......................7.3-31 7.3-2 Automatic Depressurization System Instrumentation.....................7.3-32 7.3-3 Low-Pressure Core Spray System Instrumentation.......................7.3-33 7.3-4 Low-Pressure Coolant Injection Instrumentation..........................7.3-34 7.3-5 Primary Containment and Reactor Vessel Isolation Control System Instrumentation........................................................7.3-35 7.3-6 DELETED.......................................................................7.3-37 7.3-7 Residual Heat Removal System - Containment Spray Cooling Mode System Instrumentation................................................7.3-38 7.3-8 Residual Heat Removal System - Suppression Pool Cooling Mode System Instrumentation................................................7.3-39 7.3-9 Standby Service Water System Instrumentation...........................7.3-40 7.3-10 Main Control Room and Critical Switchgear Room HVAC System Instrumentation........................................................7.3-41 7.3-11 Standby Gas Treatment System Instrumentation..........................7.3-42 7.3-12 Reactor Building Ventilation and Pressure Controller System Instrumentation..................................................................7.3-43 COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS LIST OF TABLES (Continued)
| |
| Number Title Page LDCN-02-032, 05-009 7-xiii 7.3-13 Containment Instrument Air System Instrumentation.....................7.3-44 7.3-14 DELETED.......................................................................7.3-45 7.4-1 Reactor Core Isolation Cooling System Instrumentation.................7.4-21 7.4-2 ATWS-Recirculation Pump Trip System Instrumentation...............7.4-22 7.4-3 ATWS-Alternate Rod Insertion System Instrumentation.................7.4-23 7.5-1 Safety-Related Display Instrumentation.....................................7.5-33 7.6-1 High to Low Pressure System Interlocks Instrumentation...............7.6-33 7.6-2 Leak Detection System Instrumentation.....................................7.6-34 7.6-3 LPRM System Trips............................................................7.6-38 7.6-4 Recirculation System Trip Functions........................................7.6-39 7.6-5 Spent Fuel Pool Cooling and Cleanup System Instrumentation Specifications....................................................................7.6-40 7.6-6 Channels Required for Protective Action Completion for the Spent Fuel Pool Cooling and Cleanup System........................7.6-41 7.6-7 Suppression Pool Temperature Monitoring Instrumentation............7.6-42 7.7-1 Design and Supply Responsibility of Plant Control Systems............7.7-47 7.7-2 Similarity to Licensed Reactors..............................................7.7-48 7.7-3 Refueling Interlocks............................................................7.7-49 COLUMBIA GENERATING STATION Amendment 57 FINAL SAFETY ANALYSIS REPORT December 2003 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS LIST OF FIGURES Number Title LDCN-02-000 7-xiv 7.2-1 Reactor Protection System - IED (Sheets 1 through 4) 7.2-2 Reactor Protection System Scram Functions 7.2-3 Arrangement of RPS Sensor Trip Channels and Trip Logics 7.2-4 Arrangement of Actuators and Actuator Logics 7.2-5 Trip Logics in One Trip System (Schematic) 7.2-6 Relationships Between Neutron Monitoring System and Reactor Protection System 7.2-7 Configuration for Turbine Stop Valve Closure Reactor Trip 7.2-8 Process Radiation Monitoring System (Recombiner/Charcoal Bed) - IED (Sheets 1 through 3) 7.2-9 Configuration for Main Steam Line Isolation Reactor Trip 7.2-10 LPRM Channel Arrangement in the Core and APRM Channel Assignments (Sheets 1 and 2) 7.2-11 Block Diagram - RPS Protective Circuit - Electrical Protection Assembly (EPA) 7.3-1 Reactor Water Cleanup System
| |
| | |
| 7.3-2 Isolation Control System for Main Steam Line Isolation Valves 7.3-3 Isolation Control System Using Motor-Operated Valves 7.3-4 High-Pressure Core Spray Power Supply System - FCD (Sheets 1 through 3) 7.3-5 Initiation Logic - ADS, SPCS, LPCI A
| |
| | |
| 7.3-6 Initiation Logic - LPCI B and C, HPCS, RCIC COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS LIST OF FIGURES (Continued)
| |
| Number Title LDCN-06-000 7-xv 7.3-7 High-Pressure Core Spray System - FCD (Sheets 1 through 3) 7.3-8 Nuclear Boiler System - FCD (Sheets 1 through 5)
| |
| | |
| 7.3-9 Low-Pressure Core Spray System - FCD (Sheets 1 and 2) 7.3-10 Residual Heat Removal System - FCD (Sheets 1 through 5) 7.3-11 DELETED 7.3-12 Control Logic Diagram - Standby Service Water System (Sheets 1 through 19) 7.3-13 Control Logic Diagram - HVAC - Main Control Room and Critical Switchgear/Filter Runout Alarm (Sheets 1 through 11) 7.3-14 Control Logic Diagram - Standby Gas Treatment System (Sheets 1 through 10) 7.3-15 Control Logic Diagram - Primary Containment Instrument Air (Sheets 1 through 10) 7.4-1 Reactor Core Isolation Cooling System - FCD (Sheets 1 through 5) 7.4-2 Standby Liquid Control System - FCD
| |
| | |
| 7.4-3 Recirculation Pump Trip (ATWS-RPT) Logic 7.4-4 ATWS-ARI Control Rod Drive, CRD-V-24A, 25A, 26A, 27A, and 28 7.4-5 ATWS-ARI Control Rod Drive, CRD-V-24B, 25B, 26B, and 27B 7.4-6 Remote Shutdown System (Sheets 1 and 2)
| |
| | |
| 7.6-1 Leak Detection System (Sheets 1 and 2)
| |
| | |
| 7.6-2 ECCS Pump Rooms Water Level Detection Control Logic Diagram COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS LIST OF FIGURES (Continued)
| |
| Number Title 7-xvi 7.6-3 Neutron Monitoring System - FCD (Sheets 1 through 7) 7.6-4 Ranges of Neutron Monitoring System 7.6-5 SRM/IRM Neutron Monitoring Unit
| |
| | |
| 7.6-6 Detector Drive System Schematic 7.6-7 Functional Block Diagram - IRM Channel 7.6-8 Vessel Penetrations for Nuclear Instrumentation 7.6-9 Power Range Monitor Detector Assembly Location
| |
| | |
| 7.6-10 Neutron Monitoring System - IED (Sheets 1 and 2) 7.6-11 APRM Circuit Arrangement for Reactor Protection System Input 7.6-12 Recirculation Pump Trip Logic Diagram 7.6-13 Recirculation Pump Trip System A
| |
| | |
| 7.6-14 Turbine Governor Valve Fast Closure Sensors 7.6-15 Turbine Stop Valve Sensors
| |
| | |
| 7.6-16 Control Logic Diagram - Fuel Pool Cooling and Cleanup 7.6-17 Control Logic Diagram - Fuel Pool Circulation Pump (FPC-P-1A) 7.6-18 Control Logic Diagram - Fuel Pool Circulation Pump (FPC-P-1B) 7.6-19 Control Logic Diagram - Makeup Water Skimmer Surge Tank (Fuel Pool) 7.6-20 Control Logic Diagram - Fuel Pool Filter Demineralizer Bypass (Division 1)
| |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS LIST OF FIGURES (Continued)
| |
| Number Title 7-xvii 7.6-21 Control Logic Diagram - Fuel Pool Cooling Motor-Operated Valve 7.6-22 Control Logic Diagram - Fuel Pool Cooling Loop Isolation (Division 1) 7.6-23 Control Logic Diagram - Fuel Pool Cooling Loop Isolation (Division 2) 7.6-24 Control Logic Diagram - Fuel Pool Filter Demineralizer Bypass (Division 2) 7.6-25 Control Logic Diagram - Fuel Pool Cooling and Cleanup 7.6-26 BISI Logic Diagram - Fuel Pool Cooling and Cleanup System 7.7-1 Water Level Range Definition 7.7-2 Control Rod Drive Hydraulic System - FCD (Sheets 1 through 7) 7.7-3 Reactor Manual Control System (Sheets 1 and 2)
| |
| | |
| 7.7-4 Reactor Manual Control Operational Modes (Sheet 1) and Reactor Manual Control System Operation (Sheet 2) 7.7-5 Eleven-Wire Position Probe
| |
| | |
| 7.7-6 Simplified NSSS Control Schemes (RRS-ASD Flow Control Scheme) 7.7-7 RFCS Simplified Control Logic Block Diagram 7.7-8 Feedwater Control System - IED 7.7-9 Simplified Diagram of Turbine Pressure and Speed/Load Control 7.7-10 Functional Block Diagram - SRM Channel 7.7-11 Traversing In-Core Probe Assembly
| |
| | |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS LIST OF FIGURES (Continued)
| |
| Number Title LDCN-10-004 7-xviii 7.7-12 Assignment of LPRM Input to RBM System 7.7-13 RBM Response to Control Rod Motion (Channels A and C) 7.7-14 RBM Response to Control Rod Motion (Channels B and D) 7.7-15 DELETED
| |
| | |
| 7.7-16 TDAS/PPCRS/PDIS Configuration
| |
| | |
| 7.7-17 Power Dependent RBM Trip Setpoints COLUMBIA GENERATING STATION Amendment 53 FINAL SAFETY ANALYSIS REPORT November 1998 7.1-1 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
| |
| | |
| ==7.1 INTRODUCTION==
| |
| | |
| Chapter 7 presents design and performance information for instrumentation and control (I&C) of safety-related and major plant control systems used throughout the plant. The design and performance considerations of these systems, safety function, and their mechanical aspects are described in other chapters.
| |
| | |
| 7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS
| |
| | |
| The systems are classified according to Regulatory Guide 1.70, Revision 2. Table 7.1-1 lists safety-related and safe shutdown systems and identifies the designer and/or the supplier. Other control systems are listed in Table 7.7-1. Table 7.1-2 identifies I&C systems that are identical to those of a nuclear power plant of similar design that received NRC design or operation approval through the issuance of either a construction permit or an operating license.
| |
| The following is a brief description of reactor protection (trip) system (RPS), engineered safety feature systems, safe shutdown systems, safety-related display instrumentation and other systems required for safety.
| |
| | |
| 7.1.1.1 Reactor Protection System The I&C initiate reactor shutdown via automatic control rods insertion (scram) if selected variables exceed preestablished limits. This action prevents fuel damage, limits nuclear system pressure, and restricts the release of radioactive material.
| |
| 7.1.1.2 Primary Containment and Reactor Vessel Isolation Control System The I&C initiate automatic closure of various reactor pressure boundary and primary containment isolation valves if monitored system variables exceed preestablished limits. This action limits the loss of coolant from the reactor coolant pressure boundary (RCPB) and the release of radioactive materials from either the RCPB or the primary containment.
| |
| 7.1.1.3 Emergency Core Cooling System The I&C provide automatic initiation and control of specific core cooling systems, namely, high-pressure core spray (HPCS) system, automatic depressurization system (ADS), low-pressure core spray (LPCS) system, and the low-pressure coolant injection (LPCI) system. This provides adequate core cooling following a loss-of-coolant accident (LOCA) to prevent fuel cladding failure from excessive temperatures.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-14-002, 13-044 7.1-2 7.1.1.4 Neutron Monitoring System The I&C use in-core neutron detectors to monitor core neutron flux. The neutron monitoring system (NMS) provides signals to the RPS trip logic to scram the reactor. Average neutron flux or average simulated thermal power is measured by the average power range monitors (APRM) and is used as the overpower indicator during power operation. Intermediate range monitors (IRM) are used as power indicators during startup and shutdown. The NMS also provides power level indication during all modes of operation. Also included within NMS is the Oscillation Power Range Monitor (OPRM), which is used to detect thermal hydraulic oscillations. 7.1.1.5 Process Radiation Monitoring System Radiation monitors are provided on process lines to monitor/detect and provide trip signals to limit the release of radiation:
| |
| a. Main steam line radiation monitors,
| |
| : b. Reactor building exhaust radiation monitors, and c. Standby service water radiation monitors. 7.1.1.6 Main Control Room and Critical Switchgear Rooms Heating, Ventilating, and Air Conditioning System In the event of an F, A, or Z signal, the normal control room fresh air intake valves close. The signal energizes the control room emergency filtration units which divert air through the filters to pressurize the main control room. The main control room kitchen exhaust fan and its isolation damper are also shut off by the F, A, Z signals.
| |
| 7.1.1.7 Standby Service Water System The I&C automatically initiate cooling water flow to vital equipment during abnormal plant conditions.
| |
| | |
| 7.1.1.8 Containment Atmosphere Control System The I&C monitor the concentration of hydrogen and oxygen gas present in the primary containment during and after a postulated LOCA.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-04-027, 05-009 7.1-3 7.1.1.9 Reactor Core Isolation Cooling System The I&C provide makeup water to the reactor vessel in the event the reactor becomes isolated accompanied by a loss of flow from the reactor feedwater system during normal plant operation or plant transients.
| |
| 7.1.1.10 Standby Liquid Control System The I&C in conjunction with manual initiation provide a redundant reactivity control system that can shut the reactor down from rated power to the cold condition in the event that all withdrawn control rods cannot be inserted manually by the reactor manual control system to achieve reactor shutdown.
| |
| | |
| 7.1.1.11 Leak Detection System The I&C provide various temperature, pressure, level, and flow sensors to detect, annunciate, and isolate (in certain cases) water and steam leakage paths in selected reactor systems.
| |
| 7.1.1.12 Residual Heat Removal System - Shutdown Cooling Modes The I&C in conjunction with manual initiation of either the normal or alternate shutdown provide cooling to remove decay and sensible heat from the reactor vessel so that the reactor can be refueled and serviced.
| |
| | |
| 7.1.1.13 Fuel Pool Cooling and Cleanup System The I&C monitor fuel pool water temperature.
| |
| | |
| 7.1.1.14 Suppression Pool Temperature Monitoring System The I&C are provided to determine when special operating procedures are required to avoid elevated suppression pool temperatures.
| |
| | |
| 7.1.1.15 Standby Gas Treatment System The I&C control standby gas treatment (SGT) system operation during abnormal conditions to limit radioactive material releases.
| |
| 7.1.1.16 (DELETED)
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-05-009 7.1-4 7.1.1.17 Safety-Related Display Instrumentation The I&C provide information to the reactor operators to support manual safety actions or to allow assessment of safety system status.
| |
| | |
| 7.1.1.18 Containment Instrument Air System The I&C provide uninterruptable instrument air or nitrogen to essential ADS valve accumulators inside primary containment. 7.1.1.19 Residual Heat Removal System - Containment Spray Cooling Mode The I&C provide for the manual initiation of the residual heat removal (RHR) system subsystem that condenses steam in the drywell and suppression chamber following a LOCA. The drywell sprays (with or without the RHR heat exchangers) may be used to remove airborne radioactivity from the containment atmosphere in response to a LOCA.
| |
| 7.1.1.20 Remote Shutdown System The I&C provide the capability for safe shutdown of the reactor in the event the main control room becomes uninhabitable.
| |
| | |
| 7.1.1.21 Recirculation Pump Trip The I&C are provided to supplement plant shutdown at the end of a fuel cycle when control rod worths are reduced by core nuclear characteristics.
| |
| 7.1.1.22 Residual Heat Removal System - Suppression Pool Cooling Mode The I&C in conjunction with the suppression pool temperature monitor provides information to the reactor operators to support manual initiation of this subsystem of the RHR system that cools the suppression pool water to avoid elevated pool temperatures.
| |
| 7.1.1.23 Anticipated Transient Without Scram Recirculation Pump Trip The I&C trip the reactor recirculation pump motors in the event of an anticipated transient without scram (ATWS).
| |
| 7.1.1.24 Anticipated Transient Without Scram - Alternate Rod Insertion The I&C provide an alternative method of inserting the control rods in the event of an ATWS.
| |
| COLUMBIA GENERATING STATION Amendment 53 FINAL SAFETY ANALYSIS REPORT November 1998 7.1-5 7.1.2 IDENTIFICATION OF SAFETY CRITERIA The I&C equipment design is based on the need to have the system perform its intended function while meeting the requirements of applicable general design criteria (GDC), regulatory guides, industry standards, and other documents. See Sections 7.2 through 7.6 for a discussion of the design bases for each safety-related system.
| |
| 7.1.2.1 Regulatory Requirements The plant safety-related systems have been examined with respect to specific regulatory requirements that are applicable to the instrument and controls of these systems. The specific regulatory requirements pertaining to each system's I&C is specified in Table 7.1-3. For a discussion of the degree of conformance see the individual systems analysis portions in Sections 7.1 through 7.6. 7.1.2.2 Regulatory Conformance - 10 CFR 50 Appendix A Section 3.1 provides a discussion of those GDC that apply equally to all safety-related, safe shutdown, and augmented quality systems described in this chapter and include GDC 1, 2, 3, 4, 10, 13, 54, 55, and 56. Those GDC which do not apply equally to all safety-related, safe shutdown, and augmented quality systems are discussed for each system in the analysis portion of Sections 7.2 through 7.6.
| |
| 7.1.2.3 Conformance to Institute of Electrical and Electronics Engineers Standards The following is a discussion of those IEEE Standards which apply equally to all safety-related systems described in this chapter. Those IEEE Standards which do not apply equally to all safety-related systems are discussed for each system in the analysis portion of Sections 7.2 through 7.6:
| |
| IEEE 308-1974 - Class IE Power Systems for Nuclear Power Generating Stations IEEE 308-1974 is described in Section 8.3.
| |
| IEEE 317-1972 - Electric Penetration Assemblies in Containment Structures*
| |
| All containment electrical penetration assemblies used for circuits routed into primary containment are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent vs. time conditions, assuming a single failure of the circuit primary *For the replacement of the electrical penetration modules, use the version of IEEE 317 that is in effect at the time of purchase and documented in the design specifications.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 LDCN-09-011 7.1-6 overcurrent protection apparatus. See also Sections 1.8 (Regulatory Guide 1.63), 3.8.6, and 8.1.5.2.
| |
| IEEE 323-1971 - Qualifying Class 1E Equipment for Nuclear Power Generating Stations Written procedures and responsibilities are developed for the design and qualification of all Class 1 electric equipment. This includes preparation of specifications, qualification procedures, and documentation. Qualification testing or analysis is accomplished prior to release of the engineering design for production. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements, and an auditable file of qualification documents is available for review. See Sections 1.8.2, 1.8.3, 3.10 and 3.11 for a description of conformance to IEEE 323. NUREG 0588-Category II invokes IEEE-323-1971 with additional regulatory positions.
| |
| IEEE 336-1971 - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations Where applicable, purchase and contract specifications define installation, inspection, and testing requirements for plant I&Cs. See the Energy Northwest Operational Quality Assurance Program Description (OQAPD).
| |
| | |
| IEEE 338-1975 - Periodic Testing of Nuclear Power Generating Stations IEEE 338 is presented on a system basis in the analysis portions of Sections 7.2 through 7.6 as part of the discussion of Regulatory Guide 1.22 compliance.
| |
| | |
| IEEE 344-1971 and 1975 - Seismic Qualification of Class 1E Equipment Safety-related I&C equipment is classified as Seismic Category I, designed to withstand the effects of the safe shutdown earthquake (SSE) and remain functional during normal and accident conditions. Qualification and documentation procedures used for Seismic Category I equipment and systems are identified in Section 3.10 and Table 3.2-1. Section 3.10.1.2 identifies compliance to these standards and applicable exceptions.
| |
| IEEE 379-1972 - Application of Single Failure Criterion to Nuclear Power Generating Stations The extent to which the single failure criteria of IEEE 379 is satisfied is specifically covered for each system in the analysis of IEEE 279, paragraph 4.2, in Sections 7.2 through 7.6.
| |
| IEEE 384-1974 - Independence of Class 1E Equipment and Circuits The safety-related systems described in Sections 7.2 through 7.6 meet the independence and separation criteria for redundant systems in accordance with IEEE 279, paragraph 4.6.
| |
| COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 LDCN-01-000 7.1-7 The electrical power supply, instrumentation, and control wiring for redundant safety-related circuits are physically separated to preserve redundancy and ensure that no single credible event will prevent completion of the protective function. Credible events include but are not limited to the effects of short circuits, pipe rupture, pipe whip, high-pressure jets, missiles, fire, earthquake, and falling objects, and are considered in the basic plant design.
| |
| The independence of wiring, tubing, piping, and control devices for safety-related controls and instrumentation is achieved by physical space or barriers between separation groups of the same protective function. The criteria and bases for the independence of safety-related I&Cs, electrical equipment, cable, cable routing, marking, and cable derating, are discussed in Section 8.3.1.4. Fire detection and protection in the areas where cabling is installed is described in Appendix F.
| |
| IEEE 387-1972 - Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations Design and qualification testing of the standby power system used to furnish electrical power to safety loads conforms to IEEE 387 to ensure that system requirements for redundancy, single failure criteria, adequate capacity, capability, and reliability are adequately met. The standby power source as an integrated system component satisfies the requirements of IEEE 308 as discussed in Section 8.3.
| |
| 7.1.2.4 Conformance to Regulatory Guides The following is a discussion of Regulatory Guides which apply to safety-related systems described in this chapter. Unique applications of Regulatory Guides are discussed for each system in the applicable analysis portion of Sections 7.2 through 7.6 and Section 1.8.
| |
| Regulatory Guide 1.11 (March 1971)
| |
| All instrument lines that penetrate the primary containment vessel, which are part of safety-related systems, meet the requirements of Regulatory Position C.1. This is accomplished by redundancy, independence, by allowing for safety system testability, by line orificing or sizing, by including automatic or remote manual (from the control room) line shutoff capability if line integrity is lost, and by a conservative design at the individual penetrations.
| |
| | |
| All other instrument lines that penetrate the primary containment vessel meet the requirements of Regulatory Position C.2.a by the same factors discussed above.
| |
| See Section 6.2.4.3.2.4 for further discussion.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-06-014 7.1-8 Regulatory Guide 1.22 Lifting of leads and/or removal of fuses is required to perform a number of surveillance tests. Surveillance tests for which lifting of leads and/or removal of fuses is required fall into the following categories: (1) tests for thermocouples, (2) tests requiring introduction of test equipment into the instrument channel, (3) tests that otherwise would be unreasonably complex, (4) tests which must be performed before entering the mode in which normally testable, and (5) tests on systems or components for which the configuration permits no reasonable alternative. Plant procedures for these surveillance tests include instructions explicitly requiring the reconnecting of the lifted leads and/or replacement of fuses. Restoration is documented and verified in accordance with guidance provided in Information Notice 84-37.
| |
| Regulatory Guide 1.29 (September 1978)
| |
| All safety-related I&C equipment is classified as Seismic Category I, designed to withstand the effects of the SSE and remain functional during normal and accident conditions. Qualification and documentation procedures used for Seismic Category I equipment and systems are identified in Section 3.10 and Table 3.2-1.
| |
| Regulatory Guide 1.30 (August 11, 1972)
| |
| The quality assurance requirements of IEEE 336-1971 (see Section 7.1.2.3 discussion above) were applicable during the plant design and construction phases and implemented as an operational quality assurance program during plant operation in response to Regulatory Guide 1.30. The specific requirements of Regulatory Guide 1.30 are met as discussed in the OQAPD.
| |
| | |
| Regulatory Guide 1.40 (March 16, 1973)
| |
| The containment recirculation and head area return fans have been qualified for use in containment in accordance with IEEE 334-1974. Qualification testing was successfully performed on a prototype fan for motor heat aging, fan resonant search, vibration endurance, and LOCA simulation. Recirculation and head area return fans will be used as the hydrogen mixing system in the event of a LOCA. See also Section 9.4.11.3.
| |
| Regulatory Guide 1.47 (1973)
| |
| Each safety-related system described in Sections 7.2, 7.3, 7.4, and 7.6 is provided with an automatically or operator initiated system level bypass and inoperability annunciator. Each system level annunciator is located on the panel containing the controls for the specific system.
| |
| COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 LDCN-00-019 7.1-9 In addition to system level annunciation, component level indicators are provided near the system lever annunciator to indicate the cause of the system bypass or inoperability.
| |
| A switch is provided for manual actuation of each system level annunciator to allow display of those bypass or inoperable conditions which are expected to occur at a frequency less than once per year and are not automatically indicated.
| |
| | |
| Typically, the following bypasses or inoperabilities cause actuation of system level (and component level) annunciation for the affected system: a. Pump motor breaker not in operating position,
| |
| : b. Loss of pump motor control power,
| |
| : c. Loss of motor-operated valve control power/motive power,
| |
| : d. Logic power failure,
| |
| : e. Logic in test,
| |
| : f. Position of remote-manual valves which do not receive automatic alignment signals, and
| |
| : g. Bypass or test switches actuated.
| |
| The manually induced inoperable or bypass condition of an auxiliary supporting system, typically, also results in the loss of function (immediate or delayed) of another safety-related or important-to-safety system. To ensure that the operators recognize that more than one system may be out-of-service, typically, an inoperable or bypassed auxiliary support system will not only cause actuation of the auxiliary support system, system-level annunciator, but also will cause the actuation of the system-level annunciator of the supported system. The exception to this typical design is the diesel generator system, the battery system, and the standby service water system. For these three systems, an inoperable or bypass condition will not result in the actuation of the supported systems, system-level annunciators. However, component-level indicating lamps will be actuated at each of the supported system locations to alert operators of the auxiliary system out-of-service condition. These three systems are not designed to cascade to all the supported systems since each has its own out-of-service annunciation. This design reduces potential operator confusion and also distraction that may occur during a transient or accident event.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 LDCN-09-011 7.1-10 Regulatory Guide 1.63 (October 1973)
| |
| All containment electrical penetration assemblies used for circuits routed into primary containment are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent vs. time conditions, assuming a single failure of the circuit primary overcurrent protection apparatus. See also Sections 7.1.2.3 (IEEE 336), 1.8, 3.8.6, and 8.1.5.2.
| |
| Regulatory Guide 1.68 (November 1973)
| |
| Plant preoperational and initial startup test program requirements are discussed in Section 14.2.7.
| |
| Regulatory Guide 1.73 (January 1974)
| |
| Auxiliary equipment associated with valve operators are tested in accordance with the requirements of Regulatory Guide 1.73. Design service conditions are implemented in the tests. Conservative values of the environmental variables during and after a design-basis accident are used in the tests to ensure that the testing is carried out under more severe environmental conditions than those expected.
| |
| | |
| Regulatory Guide 1.75 (January 1974)
| |
| Regulatory Guide 1.75 is not applicable to the Columbia Generating Station (CGS) design. However, a complete description of the CGS physical and electrical separation criteria is discussed in Section 8.3.1.4.
| |
| Regulatory Guide 1.80 (June 1974)
| |
| Plant preoperational testing of instrument air systems is discussed in Sections 14.2.7 and 14.2.12.
| |
| | |
| Regulatory Guide 1.89 Revision 1 (June 1984)
| |
| Regulatory Guide 1.89 Revision 1 is applicable to the CGS design as clarified in Sections 1.8.2 and 1.8.3. Qualification of Class 1E equipment is discussed in Section 3.11.
| |
| 7.1.2.5 Instrument Errors The design of each safety-related system considers instrument drift, setability, and repeatability in the selection of I&C in the determination of setpoints. Adequate margin between safety limits and instrument setpoints is provided to allow for instrument error. The allowable values are listed in the Technical Specifications. The Licensee Controlled Specifications (LCS) also COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 7.1-11 contain information related to instrument setpoint determinations. The amount of instrument error is determined by test and experience. The setpoint is selected based on these known errors. The surveillance frequency is increased on instrumentation that demonstrates a tendency to drift or decreased based on stable performance characteristics.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.1-1 Design and Supply Responsibility of Safety-Related and Safe Shutdown Systems System GE Design GE Supply B&R Design Others Supply LDCN-05-009 7.1-13 Reactor Protection Trip X X Engineered Safety Feature Emergency core cooling X X X High-pressure core spray Automatic depressurization Low-pressure core spray Residual heat removal low pressure coolant injection Primary containment and reactor vessel isolation control X X X X Process radiation monitoring (portion used for PCRVICS) X X X X Standby service water X X X X Main control room heating, ventilating, and air conditioning X X Containment atmosphere control X X Reactor building ventilation and pressure control X X Standby gas treatment X X Residual heat removal system containment spray cooling mode X X X Residual heat removal system suppression pool cooling mode X X Containment instrument air X X Systems Required for Safe Shutdown Reactor core isolation cooling X X Standby liquid control X X Residual heat removal system reactor shutdown cooling mode X X Remote shutdown X X X X Safety-Related Display Instrumentation X X X X COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.1-1 Design and Supply Responsibility of Safety-Related and Safe Shutdown Systems (Continued) System GE Design GE Supply B&R Design Others Supply 7.1-14 All Other Leak detection (part of ESF) X X X X Process radiation monitoring X X X X Neutron monitoring X X Intermediate range monitor Average power range monitor Local power range monitor Primary containment atmosphere monitoring X X Recirculation pump trip X X Spent fuel pool cooling and cleanup X X Suppression pool temperature monitoring X X COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.1-2 Safety-Related Systems Similarity to Licensed Reactors Instrumentation and Controls (System) Plants Applying for or Having Construction Permit or Operating License Design LDCN-05-009 7.1-15 Reactor protection system Zimmer-1 Identical Primary containment and reactor vessel isolation control system Zimmer-1 Identical Emergency core cooling systems Zimmer 1 Identical Neutron monitoring system LaSalle Identical Process radiation monitoring system Zimmer-1 Identical Reactor building ventilation and pressure control system None Main control room heating, ventilating, and air conditioning system None Standby service water system None Containment atmosphere control system Zimmer-1 Identical Reactor core isolation cooling system Zimmer-1 Identical Standby liquid control system Zimmer-1 Identical Primary containment atmospheric monitoring system None Leak detection system None Residual heat removal system - reactor shutdown cooling mode Zimmer-1 Identical Fuel pool cooling and cleanup system None Standby gas treatment system None Safety-related display instrumentation Zimmer-1 Identical Containment instrument air system None Reactor building closed cooling water system None COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.1-2 Safety-Related Systems Similarity to Licensed Reactors (Continued) Instrumentation and Controls (System) Plants Applying for or Having Construction Permit or Operating License Design 7.1-16 Residual heat removal system -
| |
| containment spray cooling mode Zimmer-1 Identical Remote shutdown system Zimmer-1 (a) Recirculation pump trip Zimmer-1 Identical Residual heat removal system -
| |
| suppression pool cooling mode Zimmer-1 Identical a The number of valves controlled is slightly different due to differences in the necessary shutdown capability.
| |
| | |
| Table 7.1-3 Codes and Standards Applicability Matrix
| |
| | |
| RPS
| |
| | |
| PCRVICS
| |
| | |
| ECCS
| |
| | |
| NMS
| |
| | |
| PROCESS RAD MON. MAIN CONTROL ROOM HVAC EMERG SWGR RM
| |
| | |
| SERVICE WATER SYSTEM
| |
| | |
| RCIC
| |
| | |
| SLCS
| |
| | |
| CONTAIN.
| |
| ATMOS.
| |
| MON.
| |
| | |
| LEAK DETEC.
| |
| SYSTEMS RHR SHUT-DOWN COOL.
| |
| MODE
| |
| | |
| SFPCS
| |
| | |
| SGTS
| |
| | |
| MSIVLCS (DEACTI-VATED)
| |
| | |
| SAFETY-RELATED DISPLAY RHR CONT.
| |
| SPRAY COOL MODE
| |
| | |
| REMOTE SHUT-DOWN
| |
| | |
| RPT RHR SUPP.
| |
| POOL COOL.
| |
| MODE
| |
| | |
| ATWS RPT
| |
| | |
| ATWS ARI COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORTDecember 2007LDCN-05-009 7.1-17GDC 1 X X X X X X X X X X X X X X X X X X X X X X 2 X X X X X X X X X X X X X X X X X X X X X X 3 X X X X X X X X X X X X X X X X X X X X X X 4 X X X X X X X X X X X X X X X X X X X X X X 10 X X 12 X 13 X X X X X X X X X X X X X X X X X X X X X X 15 X X X 19 X X X X X X X X X X X X X X X X X X X X X X 20 X X X 21 X X X 22 X X X 23 X X X 24 X X X 25 X X 26 X X X X X X 28 X 29 X X X 33 X 34 X X X X 35 X X X 37 X X X 38 X X X X X 40 X X X 41 X 43 X X 44 X 46 X 50 X 54 X X X X X X X X X 55 X X X X X X X X 56 X X X X X X X 57 60 X X X 61 X X X Table 7.1-3 Codes and Standards Applicability Matrix (Continued)
| |
| | |
| RPS
| |
| | |
| PCRVICS
| |
| | |
| ECCS
| |
| | |
| NMS
| |
| | |
| PROCESS RAD MON. MAIN CONTROL ROOM HVAC EMERG SWGR RM
| |
| | |
| SERVICE WATER SYSTEM
| |
| | |
| RCIC
| |
| | |
| SLCS
| |
| | |
| CONTAIN.
| |
| ATMOS.
| |
| MON.
| |
| | |
| LEAK DETEC.
| |
| SYSTEMS RHR SHUT-DOWN COOL.
| |
| MODE
| |
| | |
| SFPCS
| |
| | |
| SGTS
| |
| | |
| MSIVLCS (DEACTI-VATED)
| |
| | |
| SAFETY-RELATED DISPLAY RHR CONT.
| |
| SPRAY COOL MODE
| |
| | |
| REMOTE SHUT-DOWN
| |
| | |
| RPT RHR SUPP.
| |
| POOL COOL.
| |
| MODE
| |
| | |
| ATWS RPT
| |
| | |
| ATWS ARI COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORTDecember 2009LDCN-09-011 7.1-18GDC 62 X 63 X 64 X IEEE 279-1971 X X X X X X X X X X X X X X X X X X X 323 Note 1 X X X X X X X X X X X X X X X X X X X 336-1971 X X X X X X X X X X X X X X X X X X X 338-1975 X X X X X X X X X X X X X X X X X X X 344 Note 1 X X X X X X X X X X X X X X X X X X X 379-1972 X X X X X X X X X X X X X X X X X X 384-1974 X X X X X X X X X X X X X X X X X X X RG 1.6 3/10/71 X RG 1.11 2/17/72 X X X X X X X RG 1.22 2/17/72 X X X X X X X X X X X X X X X X X X X RG 1.29 9/78 X X X X X X X X X X X X X X X X X X X RG 1.30 8/72 X X X X X X X X X X X X X X X X X X X RG 1.45 5/73 X X RG 1.47 5/73 X X X X X X X X X X X X X X X X X RG 1.53 6/73 X X X X X X X X X X X X X X X X X X RG 1.62 10/73 X X X X X X X X X X X X X X RG 1.68 11/73 X X X X X X X X X X X X X X X X X X X RG 1.73 1/74 X X X RG 1.80 6/74 X X X X X X RG 1.89 Note 2 X Note 1: For a discussion of the degree of conformance to codes and standards listed see the individual system analysis portions of Sections 7.2 through 7.6. Note 2: Only applicable to Safety Related Display Instruments.
| |
| COLUMBIA GENERATING STATION Amendment 53 FINAL SAFETY ANALYSIS REPORT November 1998 7.2-1 7.2 REACTOR PROTECTION (TRIP) SYSTEM 7.2.1 DESCRIPTION
| |
| | |
| The reactor protection system (RPS) is designed to cause rapid insertion of control rods (scram) to shut down the reactor when specific variables exceed predetermined limits.
| |
| 7.2.1.1 Reactor Protection System Description Schematic arrangements of RPS mechanical equipment and information displayed to the operator are shown in Figure 7.2-1. The RPS component control logic is shown in Figure 7.2-2. The RPS instrumentation is listed in Table 7.2-1. The RPS channel and logic arrangement are shown in Figure 7.2-3. The RPS actuators and logic arrangement are shown in Figure 7.2-4. Trip system logic is shown in Figure 7.2-5. Sensor input arrangements are shown in Figures 7.2-6, 7.2-7, 7.2-8, 7.2-9, and 7.2-10. The RPS instrumentation is divided into sensor trip channels, trip logic, and trip actuator logic.
| |
| During normal operation, all sensor contacts and trip contacts essential to safety are closed; channels, logic, and actuators are energized.
| |
| | |
| There are at least four sensor trip channels for each variable. The sensor trip channels are designated as A1, A2, B1, and B2. Each sensor trip channel is associated with the trip logic of the same designation.
| |
| | |
| Trip actuator logics A1 and A2 (trip system A) outputs are combined in a one-out-of-two logic arrangement to control the "A" pilot scram valve solenoid in each of the four rod groups (a rod group consists of approximately 25% of the total of control rods). Trip actuator logic B1 and B2 (trip system B) outputs control the "B" pilot scram valve solenoids in each of the four rod groups.
| |
| | |
| When a sensor trip channel contact opens, the trip logic deenergizes the trip actuator logic which deenergizes the pilot scram valves associated with that trip actuator logic. However, the other pilot scram valves for each rod must also be deenergized before the scram valves provide a reactor scram. There are two pilot scram valves and two scram valves for each control rod. Each pilot scram valve is solenoid operated, with the solenoids normally energized. The pilot scram valves control the air supply to the scram valves for each control rod. With either pilot scram valve energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive (CRD) water.
| |
| COLUMBIA GENERATING STATION Amendment 53 FINAL SAFETY ANALYSIS REPORT November 1998 7.2-2 When both actuator logic A1 or A2 and B1 or B2 are tripped, air is vented from the scram valves and allows CRD water to act on the CRD piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is exhausted into a scram discharge volume (SDV).
| |
| To restore the RPS to normal operation following any single actuator logic trip or a scram, the trip actuators must be reset manually. After a 10-sec delay reset is possible only if the conditions that caused the scram have been cleared. The trip actuators are reset by operating switches in the main control room. Two reset push button switches (A1/B1 and A2/B2) are provided.
| |
| | |
| There are two 125-V dc solenoid-operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for either backup scram valve is energized, the associated backup scram valve vents the air supply for the scram valves. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valves solenoids are energized (initiate scram) when trip logic A1 or A2 and B1 or B2 are both tripped.
| |
| | |
| The RPS receives power from two high inertia ac motor generator (MG) sets. A flywheel provides high inertia sufficient to maintain voltage and frequency within 5% of rated values for at least 1 sec following a momentary loss of power to the drive motor (see Section 8.3.1.1.6).
| |
| Alternate power is available to each RPS bus and is manually switched to the bus as necessary for maintenance of the RPS MG sets. The alternate power switch is interlocked to prevent simultaneous feeding of both buses from the same source. The switch also prevents paralleling of an MG set with the alternate supply.
| |
| The RPS is designed to use a fail-safe logic and actuation scheme. Therefore, the power supplied by the RPS MG sets to hold RPS components energized is expendable and considered non-safety-related. However, to ensure that overvoltage, undervoltage, or underfrequency do not damage safety-related components within the RPS, two series redundant Class 1E bus monitoring and tripping devices are provided between the RPS bus and each of the non-Class 1E power sources. These devices trip whenever the voltage and frequency exceed predetermined limits (see Figure 8.3-2 and Section 8.3.1.1.6). An electrical protection assembly (EPA) consisting of Class 1E protective circuitry is installed between the RPS and each of the power sources, which consists of two MG sets and alternate voltage supplies. The EPA provides redundant protection to the RPS and other systems which receive power from the RPS buses by acting to disconnect the RPS from the power source circuits. See Figure 7.2-11.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-17-001 7.2-3 Sensor trip channel inputs to the RPS causing reactor scram are discussed in the following paragraphs. 7.2.1.1.1 Neutron Monitoring System Trip To protect the fuel against high heat generation rates, neutron flux is monitored and initiates a reactor scram when predetermined limits are exceeded. Neutron monitoring system instrumentation is described in Section 7.6. Figure 7.2-6 clarifies the relationship between neutron monitoring system (NMS) channels, NMS logic, and the RPS logic. The NMS sensor channels are considered to be part of the NMS and not the RPS; however, the NMS logic channels are considered to be part of the RPS. Each NMS logic channel receives signals from one intermediate range monitor (IRM) channel and one average power range monitor (APRM) channel. The NMS logic is arranged so that failure of any one logic channel cannot prevent the initiation of a high neutron flux or simulated thermal power scram. As shown in Figure 7.6-3, there are eight NMS logic channels associated with the RPS. Each RPS logic channel receives inputs from two NMS logic channels. The source range monitors (SRMs) are not credited to perform any safety function in the plant design basis transients. For that reason, the trip signal inputs from the SRMs are normally removed from the RPS circuitry by the installation of "shorting links". With the "shorting links" installed, the SRM indication and rod block remain fully operable but the SRM trip is bypassed. The "shorting links" are required to be removed to support performance of shutdown margin testing in Mode 5 under Limiting Condition for Operation (LCO) 3.10.8, "Shutdown Margin (SDM) Test - Refueling." The removal of the "shorting links" during this testing provides a noncoincident NMS trip when any SRM exceeds the high-high flux trip setpoint, any IRM exceeds the high flux trip setpoint. The removal of the "shorting links" is required to be verified within 8 hours prior to placing the Mode switch into the startup/hot standby position and at least once per 12 hours during the time the Mode switch is in the startup/hot standby position when in Mode 5.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.2-4 7.2.1.1.1.1 Intermediate Range Monitors. The IRMs monitor neutron flux between the upper portion of the SRM range to the lower portion of the APRM range. The IRM detectors are positioned in the core remotely from the control room. The IRM is divided into two groups of four IRM channels arranged in the core as shown in Figure 7.6-8. Two IRM channels are associated with each of the trip logic channels of the RPS. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising the IRM trip function. The NMS scram logic trip contacts for IRM can be bypassed by selector switches located on the reactor control benchboard in the main control room. The IRM channels A, C, E, and G bypasses are controlled by one selector switch. Channels B, D, F, and H are controlled by a second selector switch. Each selector switch will bypass only one IRM channel at any time. Bypassing an IRM channel will not inhibit the NMS from providing a protective action when required. Each IRM channel includes four trip circuits. One trip circuit is used as an instrument trouble trip. It operates on four conditions: (1) when the high voltage drops below a preset level, (2) when one of the modules is not plugged in, (3) loss of negative 15-V dc, or (4) the IRM not in the OPERATE position. Each of the other trip circuits is specified to trip when preset downscale or upscale levels are reached. The reactor mode switch determines whether IRM trips are effective in initiating a reactor scram. With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates an NMS trip of the RPS. At least one IRM channel in each RPS trip system must trip to cause a scram. 7.2.1.1.1.2 Average Power Range Monitors. There are four APRM channels. Each APRM channel consists of an APRM instrument, 2/4 logic module, quad low voltage power supply, local power range instrument, and a calibration/monitoring panel. The APRM channels receive and average input signals from the local power range monitor (LPRM) channels and provide a continuous indication of average reactor power from a few percent to greater than rated reactor power.
| |
| | |
| The APRMs supply neutron flux high, simulated thermal power, and INOP trip signals to the 2-Out-of-4-Voters. The outputs from all four APRM channels instruments go to each 2-Out-of-4-Voter (logic) module. Each of the 2/4 logic modules interface to one of the four RPS input channels (A1, A2, B1, and B2). The trip outputs from all four APRMs are sent to each 2/4 logic module, such that each input sent to the RPS is a voted result of all four APRMs. A trip output to the RPS is provided when at least two of the same type of trip inputs is in a tripped state for at least two non-bypassed ARPMs.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.2-4a APRM channel instrumentation trip inputs to the 2/4 logic modules can be bypassed by a single fiber optic selector switch on the reactor control benchboard in the main control room. Each 2/4 logic module is designed to receive a fiber optic bypass of its "home" APRM instrument. The state of that bypass signal is retransmitted to the other 2/4 logic modules in an isolated manner. Each 2/4 logic module will bypass the appropriate channel trip inputs when a bypass signal is active (modulated light is detected) for the APRM channel. Each 2/4 logic module will provide trip outputs to RPS as a voted result of the three unbypassed APRMs when one channel is bypassed, resulting in a 2/3 logic configuration. Bypassing an APRM will not inhibit NMS from performing its safety function. If a bypass indication from more than one APRM channel is received, none of the APRM inputs to the 2/4 logic modules will be bypassed and a trouble alarm will be generated by the "home" APRM. Each APRM channel receives an independent flow signal input from each of the two recirculation loops and determines the total recirculation driving flow by summing these loop flow inputs. A total of eight loop flow signals are sensed from four pairs of elbow taps. Each pair has an elbow tap in each recirculation loop. Total recirculation flow rate is calculated by each APRM chassis by adding the flow values for each loop to obtain total flow. The total flow value is used to produce flow biased APRM scram and APRM rod block setpoint values increase proportionally with total recirculation flow rate. The total recirculation flow is also used in the OPRM enable logic. The LPRM signals are averaged to achieve an APRM flux value. The APRM flux value is then adjusted by a manually entered or digitally transferred gain factor to allow calibration of the APRM. The APRM power is processed through a first order filter with a six second time constant to calculate simulated thermal power. Each APRM channel also calculates a flow signal that is used to determine the APRM's flow -biased rod block and scram setpoints. The APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slope of the upscale rod block and scram trip response curves is set to track the required trip setpoint with recirculation flow changes. These calculations are all performed by the digital processor and results in a digital representation of APRM and simulated thermal power, and of the flow-biased rod block and scram setpoints. At least one APRM voter in each trip system of the RPS must trip to cause a scram. A simplified circuit arrangement is shown in Figure 7.6-11. Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale function. The OPRM Upscale Function receives input signals from the LPRMs within the reactor core, which are combined into the "cells" for evaluation by the OPRM algorithms. Upon detection of thermal hydraulic oscillations, the OPRM initiates an automatic RPS trip signal (see Section 7.6.1.4.4).
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 7.2-5 In addition to the IRM upscale trip, a fast response APRM trip function with a setpoint of 15% power is active when the reactor mode switch is in the "startup" position. Diversity of trip initiation for excursions in reactor power is provided by the NMS trip signals and reactor vessel high pressure trip signals. An increase in reactor power will initiate protective action from the NMS as discussed above. This increase in power will cause reactor pressure to increase due to a higher rate of steam generation with no change in turbine control valve position resulting in a trip from reactor vessel high pressure. These variables are independent of one another and provide diverse protective action for this condition.
| |
| 7.2.1.1.2 Reactor Vessel Pressure
| |
| | |
| A reactor vessel pressure increase during reactor operation compresses the steam voids and results in increased reactivity; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable pressure. The reactor vessel high pressure scram setting also protects the core from exceeding thermal hydraulic limits that result from pressure increases during events that occur when the reactor is operating below rated power and flow.
| |
| Reactor pressure is monitored by four redundant pressure switches, each of which provides a reactor high pressure signal input to one of the four RPS sensor trip channels.
| |
| 7.2.1.1.3 Reactor Vessel Water Level
| |
| | |
| Decreasing water level while the reactor is operating at power decreases the reactor coolant. Should water level decrease too far, fuel damage could result as steam voids form around fuel rods. A reactor scram reduces the fission heat generation within the core.
| |
| Reactor vessel water level is monitored by four redundant differential pressure switches each of which provides a reactor vessel low water level (trip level 3) signal input to one of the four RPS sensor trip channels.
| |
| | |
| Diversity of trip initiation for breaks in the reactor coolant pressure boundary (RCPB) is provided by reactor vessel low water level trip signals and high drywell pressure trip signals.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-16-005 7.2-6 7.2.1.1.4 Turbine Throttle Valve Position
| |
| | |
| With the reactor above 29.5% power, generator load rejection or a turbine trip will initiate closure of the turbine throttle valve which can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine throttle valve closure scram initiates a scram earlier than either the NMS or reactor vessel high pressure to provide required margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure by inserting negative reactivity with control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine throttle valve closure scram provides additional margin to the reactor vessel pressure limit.
| |
| Turbine throttle valve closure inputs to the RPS originate from eight redundant valve stem position switches mounted on the four turbine throttle valves. Each of the switches opens before the valve is more than 10% closed to provide the earliest positive indication of closure. Each switch provides an input signal to one of the four RPS sensor trip channels. The logic is arranged so that closure of three or more valves is required to initiate a scram. The switches are arranged so that no single failure can prevent a turbine throttle valve closure scram.
| |
| Diversity of trip initiation for increases in reactor vessel pressure due to termination of steam flow by turbine throttle valve or governor valve closure is provided by reactor vessel high pressure and high neutron flux trip signals.
| |
| | |
| Turbine throttle valve closure trip bypass is effected by four pressure switches sensing turbine first stage pressure. The turbine throttle valve closure scram is automatically bypassed if the turbine first stage pressure is less than that corresponding to 29.5% of rated reactor power. The bypass is automatically removed above 29.5% of reactor power.
| |
| 7.2.1.1.5 Turbine Governor Valve Position Generator load rejection or a turbine trip with the reactor above 29.5% power automatically initiates fast closure of the turbine governor valves which results in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine governor valve fast closure scram initiates a scram earlier than either the NMS or nuclear system high pressure to provide required margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine governor valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine governor valve fast closure scram setting is selected to provide timely indication of governor valve fast closure.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 7.2-7 Turbine governor valve fast closure inputs to the RPS originate from oil line pressure switches on each of four fast acting governor valve hydraulic mechanisms. Each pressure switch provides an input signal to one of the four RPS sensor trip channels. If hydraulic oil line pressure is lost, a turbine governor valve fast closure scram is initiated.
| |
| Automatic turbine governor valve fast closure scram bypass is provided as described above for the turbine throttle valve.
| |
| 7.2.1.1.6 Main Steam Line Isolation Valves Position The main steam line isolation valve (MSIV) closure can result in a significant addition of positive reactivity to the core as nuclear system pressure rises.
| |
| Two redundant position switches mounted on each of the eight MSIVs provide an MSIV closure signal to the RPS. Each of the switches is arranged to open before the valve is more than 10% closed to provide the earliest positive indication of closure. Either of the two channels sensing isolation valve position can signal valve closure.
| |
| Each RPS sensor trip channel logic receives signals from the valves associated with two steam lines. The arrangement of signals within each logic requires closing of at least one valve in each of the two steam lines associated with that logic to cause a trip of that logic. Closure of at least one valve in three or more steam lines is required to initiate a scram.
| |
| At plant shutdown and during initial plant startup, a bypass is required for the MSIV closure scram trip to properly reset the RPS. This bypass is in effect when reactor pressure is less than scram setpoint pressure and the mode switch is in the shutdown, refuel, or startup position. The bypass allows plant operation when the MSIVs are closed during low power operation. The operating bypass is removed when the mode switch is placed in RUN.
| |
| Diversity of trip initiation due to main steam isolation is provided by reactor vessel high pressure and reactor power trip signals.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-14-003 7.2-8 7.2.1.1.7 Scram Discharge Volume Water Level Water displaced by the CRD pistons during a scram goes to the SDV. If the SDV fills with water so that insufficient capacity remains for the water displaced during a scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the discharge volume can accommodate a scram. Two transmitter/level switches (non-indicating) and two transmitter/level indicating switches directly connected to each of two instrument volumes monitor the volumes for abnormal level. They provide redundant and diverse input to the RPS scram function. One transmitter on each instrument volume also provides input for the control room annunciation and control rod withdrawal block function. The four level switches and the four level indicating switches are interconnected (one of each per trip channel) with the RPS system and initiate a reactor scram on high water level while sufficient volume for full scram still exists within the SDV. To provide diversity for the RPS function the two transmitters per channel use a different sensing operating principle and have a different transmitter manufacturer. The level switches and the level indicating switches in each channel are also from different manufacturers. This arrangement provides diversity, as well as redundancy, to ensure that no single event can prevent a scram caused by SDV high water level. A scram is automatically initiated when sufficient capacity still remains in the discharge volume to accommodate a scram. The SDV high water level trip bypass is controlled by the manual operation of two key-locked switches, a bypass switch, and the mode switch. The mode switch must be in the shutdown or refuel position to allow manual bypass of this trip. This bypass allows the operator to reset the RPS scram relays so that the SDV may be drained. Resetting the trip actuators opens the SDV vent and drain valves. An annunciator in the main control room indicates the bypass condition. 7.2.1.1.8 Drywell Pressure High pressure inside the drywell may indicate a break in the RCPB. Scram is initiated to minimize the possibility of fuel damage. Drywell pressure is monitored by four redundant pressure switches. Each switch provides an input to one of the four RPS sensor trip channels. 7.2.1.1.9 Manual Scram A scram can be initiated manually. There are four scram switches, one for each of the four RPS trip logic channels. The manual scram switches are arranged in two groups of two switches. One group contains the A1 and B1 switches and the other group contains the A2 and B2 switches. To initiate a manual scram, at least two switches in a group must be depressed. By operating the manual scram switch for one logic channel at a time and then resetting that logic, each actuator logic can be tested for manual scram capability.
| |
| COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 7.2-9 7.2.1.1.10 Reactor Mode Switch Manual Scram Even though the action is not a safety function, reactor scram can be initiated by placing the mode switch in the shutdown position. The mode switch consists of four independent banks of contacts. A shutdown position contact from each of the four banks is a scram input to the associated RPS trip logic channel. The relationship of the reactor mode switch position and its scram function is shown in Figure 7.2-2.
| |
| The scram signal, initiated by placing the mode switch in the shutdown position is automatically bypassed after 10 sec by a timer which allows the CRD hydraulic system valve lineup to be restored to normal before the control room operator can reset the RPS logic.
| |
| 7.2.1.2 Design Basis The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are presented in that chapter. Variables are monitored to provide protective actions to the RPS indicating the need for reactor scram.
| |
| | |
| 7.2.1.2.1 Variables Monitored to Provide Protective Actions a. NMS trip,
| |
| : b. Reactor vessel system high pressure,
| |
| : c. Reactor vessel low water level,
| |
| : d. Turbine throttle valve closure, e. Turbine governor valve fast closure, f. Main steam line isolation,
| |
| : g. SDC high level, and
| |
| : h. Drywell high pressure.
| |
| The plant conditions that require protective action involving the RPS are described in Chapter 15.
| |
| 7.2.1.2.2 Location and Minimum Number of Sensors Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations of sensors is discussed in the following. The other requirements are fulfilled through the combination of logic arrangement.
| |
| Two transient analyses are used to determine the minimum number and physical location of required LPRMs for each APRM.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.2-10 The first analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.
| |
| | |
| The second analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a reduction of recirculation flow at a fixed design rate. Again, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition. The number of LPRM detector signals available as inputs to an APRM channel shall satisfy the following criteria: a. The number of operable LPRM detector inputs shall be at least 20. The PRNM provides an alarm and rod block. CGS enforces operability administratively. b. The number of operable LPRM detector inputs per core axial level (A, B, C, or D) shall be at least 3. The PRNM provides an alarm and rod block. CGS enforces operability administratively. c. The number of LPRM detector inputs that have become inoperable (and bypassed) since the most recent APRM calibration shall be less than 10. This requirement is enforced by administrative means and the Operation and Maintenance (O&M) Manual. 7.2.1.2.3 Prudent Operational Limits
| |
| | |
| Limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious scram is avoided. It is then verified by analysis that the release of radioactive materials following postulated gross failures of the fuel or the RCPB is kept within acceptable bounds. Design basis operational limits, as listed in the Technical Specifications, are based on operating experience and constrained by the safety design basis and the safety analysis. The selection of tentative scram trip settings has been developed through analytical modeling, experience, historical use of initial setpoints, and adoption of new variables and setpoints as experience was gained. The initial setpoint selection method provided for settings which were sufficiently above the normal operating levels (to preclude the possibilities of spurious scrams or difficulties in operation), but low enough to protect the fuel and pressure barrier. As additional information becomes available or systems are changed, additional scram variables are provided using the above method for initial setpoint selection. The selected scram settings are analyzed to verify that they are conservative and that the fuel, fuel barriers, and nuclear system process barriers are adequately protected. In all cases, the specific scram trip point selected is a conservative value that prevents damage to the fuel or RCPB, taking into consideration previous operating experience and the analytical models.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 7.2-11 7.2.1.2.4 Margin The margin between operational limits and the limiting conditions of operation (scram) for the RPS are those parameters listed in the Technical Specifications. Annunciators are provided to alert the reactor operator of the onset of unsafe conditions. 7.2.1.2.5 Levels Levels requiring protective action are specified in the Technical Specifications. These levels are design basis limits and are provided in the Technical Specifications as allowable values. 7.2.1.2.6 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems Unusual events are defined as malfunctions, accidents, and others which could cause damage to safety systems. Chapters 3, 6, 9, 15, and Appendix F describe the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, loss-of-coolant accident (LOCA), pipe break outside containment, feedwater line break, and missiles. Each of these events is discussed below for the RPS. All components essential to the operation of the RPS are designed, fabricated, and mounted to Class 1E standards. However, even though the sensors initiating reactor scram which monitor turbine throttle valve position and turbine governor valve fast closure are designed and purchased Quality Class 1, Seismic Category I, they are physically mounted on equipment which is not Seismic Category I/Quality Class 1, and are located in the turbine generator building which is not Seismic Category I but has been shown to maintain its structural integrity following an safe shutdown earthquake (SSE) (see Section 3.8). For this reason other diverse variables (reactor pressure and neutron flux trips), which are Seismic Category I and Quality Class 1, may be relied on for reactor scram if components in the turbine generator building fail. 7.2.1.2.6.1 Floods. The buildings containing RPS components have been designed to meet the probable maximum flood (PMF) at the site location. See Section 2.4. For a discussion of internal flooding protection see Sections 3.4 and 3.6. 7.2.1.2.6.2 Storms and Tornadoes. The buildings containing RPS components, except the turbine generator building, have been designed to withstand all credible meteorological events and tornadoes as described in Section 3.3. 7.2.1.2.6.3 Earthquakes. The structures containing RPS components, except the turbine building, have been seismically qualified as described in Sections 3.7 and 3.8 and will remain functional during and following a SSE. However, as stated previously, other diverse variables (reactor pressure and neutron flux trips) may be relied on for reactor scram if components in the turbine generator building fail. The design features that prevent the following postulated COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 7.2-12 failures of turbine throttle and governor valve closure signals to the RPS during a seismic event from affecting other channels of the RPS from performing as required are the following: a. Shorts to ground: Each trip function input circuit to the RPS is individually fused to prevent degradation of other channels if a short to ground occurs on one channel. This protection also applies to the turbine throttle and governor valve closure trip inputs to the RPS. Therefore, a short to ground would be interrupted by the protective fuses eliminating any interaction or degradation of other channels, as well as resulting in a channel trip due to "fail-safe" logic; b. Opens: The normal operating state of the RPS trip inputs is a closed contact condition. Therefore, an open in an RPS input channel circuit would result in failure in the safe direction causing a trip of that channel with no degradation or interaction with other channels; and c. Hot shorts: Reactor protection system cabling that is routed from trip instrumentation through the turbine generator building is enclosed in conduit. Each trip channel has a separate and dedicated conduit. Therefore, hot shorts would be confined to one channel of trip instrumentation and would not degrade or interact with other protective channels. 7.2.1.2.6.4 Fires. To protect the RPS in the event of a postulated localized raceway or panel fire, the RPS trip logics have been divided into four separate sections within two separate RPS panels. The sections within a panel are isolated by electrical separation barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the RPS functions would not be prevented by the fire. The use of separation and barriers ensures that, even though some portion of the system may be affected, the RPS will continue to provide the required protective action. See Appendix F for a discussion of Appendix R fire effects on the RPS. Within the control room Power Generation Control Complex (PGCC) (underfloor cable routing ducts) heat detectors and products of combustion detectors are provided to initiate a Halon fire suppression system. Throughout main plant areas, redundant RPS cables are routed in separate raceway divisions sufficiently separated such that a fire cannot affect more than one RPS division. 7.2.1.2.6.5 Loss-of-Coolant Accident. The following RPS system components are located inside the drywell and would be subject to the effects of a design basis LOCA: a. NMS cabling from the detectors to the main control room, b. MSIV (inboard) position switches, c. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines, which terminate outside the drywell, and COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 7.2-13 d. Drywell pressure instrument taps.
| |
| These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11. 7.2.1.2.6.6 Pipe Break Outside Primary Containment. Protection for pipe break outside primary containment is described in Section 3.6. 7.2.1.2.6.7 Missiles. Missile protection for RPS components is described in Section 3.5. 7.2.1.2.7 Minimum Performance Requirements Minimum performance requirements for RPS instrumentation and controls are provided in the Technical Specifications.
| |
| | |
| 7.2.1.3 Final System Drawings Functional and architectural design differences between the PSAR and FSAR are listed in Table 1.3-8.
| |
| 7.2.2 ANALYSIS
| |
| | |
| The RPS is designed such that loss of plant instrument air, a plant load rejection, or a turbine trip will not prevent the completion of the safety function.
| |
| 7.2.2.1 Conformance to 10 CFR 50, Appendix A - General Design Criteria The following is a discussion of conformance to those General Design Criteria (GDC) which apply specifically to the RPS. See Section 3.1 for a discussion of GDC that apply equally to all safety-related systems.
| |
| | |
| GDC 12 - Suppression of Reactor Power Oscillations The system design provides protection from excessive fuel cladding temperatures and protects the RCPB from excessive pressures which threaten the integrity of the system. Abnormalities are sensed, and if protection system limits are reached, corrective action is initiated through an automatic scram.
| |
| GDC 15 - Reactor Coolant System Design The RPS provides sufficient margin to ensure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including anticipated operational COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 7.2-14 occurrences. If the monitored variables exceed their predetermined settings, the system automatically responds to maintain the variables and systems within allowable design limits. GDC 20 - Protection System Functions The RPS monitors the appropriate plant variables to maintain the fuel barrier and RCPB and initiates a scram automatically when the variables exceed predetermined limits.
| |
| GDC 21 - Protection System Reliability and Testability The RPS is designed with two groups of redundant sensor channels and four independent and separated output channels. No single failure can prevent a scram and removal from service of any component or channel will not result in loss of required minimum redundancy. GDC 22 - Protection System Independence The redundant portions of the RPS are separated such that no single failure or credible natural disaster can prevent a scram, except the turbine scram inputs which originate from the Seismic Category II turbine building. Reactor pressure and power are diverse to the turbine scram variables. In addition, drywell pressure and vessel water level are diverse variables. GDC 23 - Protection System Failure Modes The RPS is designed (including logic and actuated devices) to be fail safe. A complete loss of electrical power or air supply will result in a reactor scram. Postulated adverse environments will not prevent a scram. GDC 24 - Separation of Protection and Control Systems The RPS has no direct interaction with any plant control system. However, the RPS does receive inputs from the reactor mode switch and the NMS which also provide inputs to plant control systems through isolation devices. GDC 25 - Protection System Requirements for Reactivity Control Malfunctions The RPS provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Any monitored variable which exceeds the scram setpoint will initiate an automatic scram and not impair the remaining variables from being monitored, and if one channel fails the remaining portions of the RPS will function. GDC 29 - Protection Against Anticipated Operational Occurrences The RPS is highly reliable and will provide a reactor scram in the event of anticipated operational occurrences.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 7.2-15 7.2.2.2 Conformance to IEEE Standards The following is a discussion of conformance to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, that applies specifically to the RPS system. See Section 7.1.2.3 for a discussion of IEEE standards that apply equally to all safety-related systems.
| |
| | |
| General Functional Requirement (IEEE 279-1971, paragraph 4.1)
| |
| The RPS automatically initiates the appropriate protective actions whenever the conditions described in Section 7.2.1.1 reach predetermined limits with precision and reliability assuming the full range of conditions and performance discussed in Section 7.2.1.2.
| |
| Single Failure Criterion (IEEE 279-1971, paragraph 4.2)
| |
| Each of the conditions (variables) described in Section 7.2.1.1 is monitored by redundant sensors supplying input signals to redundant trip logics. Independence of redundant RPS equipment, cables, instrument tubing, etc., is maintained and single failure criteria preserved through the application of the Columbia Generating Station separation criteria as described in Section 8.3.1.4 to ensure that no single credible event can prevent the RPS from accomplishing its safety function.
| |
| | |
| Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
| |
| For a discussion of the quality of RPS components and modules see Section 3.11.
| |
| Equipment Qualification (IEEE 279-1971, paragraph 4.4)
| |
| Vendor certification requires that the sensors associated with each of the RPS trip variables, manual switches, and trip logic components perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification in conjunction with the existing field experience with these components in this application will serve to qualify these components.
| |
| For a complete discussion of RPS equipment protection and qualification see Sections 3.5, 3.6, 3.10, and 3.11.
| |
| Channel Integrity (IEEE 279-1971, paragraph 4.5)
| |
| For a discussion of RPS channel integrity under all extremes of conditions described in Section 7.2.1.2, see Sections 3.10, 3.11, 8.2.1, and 8.3.1.
| |
| COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 7.2-16 Channel Independence (IEEE 279-1971, paragraph 4.6)
| |
| The RPS channel independence is maintained through the application of the Columbia Generating Station separation criteria as described in Section 8.3.1.4.
| |
| Control and Protection System Interaction (IEEE 279-1971, paragraph 4.7) See Section 7.2.2.1 (GDC24). Derivation of System Inputs (IEEE 279-1971, paragraph 4.8)
| |
| The RPS trip variables are direct measures of a reactor overpressure condition, a reactor overpower condition, or abnormal conditions within the RCPB except as follows:
| |
| Due to the normal throttling action of the turbine governor valves with changes in the plant power level, measurement of governor valve position is not an appropriate variable from which to infer the desired variable, which is "rapid loss of the reactor heat sink." Consequently, a measurement of governor valve closure rate is necessary.
| |
| Protection system design practice has discouraged use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation would be a more positive means of determining fast closure of the governor valves.
| |
| Loss of pressure in the hydraulic oil lines which initiates fast closure of the governor valves is monitored. These measurements provide indication that fast closure of the governor valves is imminent.
| |
| | |
| This measurement is adequate and a proper variable for the protective function taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of governor valve fast-closure rate.
| |
| Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9) See Section 7.2.2.3 (Regulatory Guide 1.22). Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
| |
| See Section 7.2.2.3 (Regulatory Guide 1.22).
| |
| | |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.2-17 Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
| |
| The MSIV and the turbine throttle valve closure trip variables have no provision for sensor removal from service because of the use of valve position limit switches as the channel sensor.
| |
| During periodic tests of any one trip channel, a sensor may be valved out of service and returned to service under administrative control procedures. Since only one sensor is valved out of service at any given time during the test interval, protective action capability for RPS automatic initiation is maintained through the remaining redundant instrument channels.
| |
| A sufficient number of IRM channels is provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the IEEE 279 single failure design requirements.
| |
| One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be bypassed at any time. To accommodate a single failure of this bypass switch, electrical interlocks have also been incorporated into the bypass logic to prevent bypassing of more than one IRM in that trip system at any time. Consequently, with any IRM bypassed in a given trip system, three IRM channels remain in operation to satisfy the protection system requirements.
| |
| A single manual APRM bypass switch is provided for all four APRM channels. This is a mechanical/optical switch that allows only one APRM channel to be bypassed at any time. This interlock is accomplished independently in each of the APRM/OPRM 2-Out-of-4-Voter Channels. With any one APRM channel bypassed, the three remaining operating channels provide the necessary protection of the reactor. Bypassing an APRM channel bypasses both the APRM and OPRM trips from that channel. None of the 2-Out-of-4-Voter channels can be bypassed.
| |
| The mode switch produces operating bypasses which need not be annunciated because they are removed by normal reactor operating sequence.
| |
| Operating Bypasses (IEEE 279-1971, paragraph 4.12)
| |
| For a discussion of RPS operating bypasses see Sections 7.2.1.1 and 7.2.1.1.4 through 7.2.1.1.7.
| |
| Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
| |
| For a discussion of bypass and inoperability indication see Section 7.1.2.4 (Regulatory Guide 1.47).
| |
| COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 7.2-18 Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14) Access to means of bypassing any safety action or safety function is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with administrative control of the access to keys, procedurally controlled equipment lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional methods help to prevent inadvertent bypasses or to alert the plant operators to safety function bypasses occurring either from equipment failures or from manually induced bypasses that result as part of testing, maintenance, or equipment repair activities.
| |
| Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is procedurally controlled. When not in use, keys are under the administrative control of the control room supervisor/shift manager and stored in a key locker. The keys are audited once per day by the control room supervisor/shift manager. When operation of a key-locked control switch is required to be immediate, such as in the case of the reactor mode switch, the key may be left in the lock during normal plant operation to ensure timely actuation.
| |
| | |
| Multiple Set Points (IEEE 279-1971, paragraph 4.15)
| |
| There are no multiple setpoints within the RPS.
| |
| | |
| Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
| |
| Once the RPS trip logic is deenergized as a result of a sensor trip channel becoming tripped or the depressing of a manual scram push button, the scram contractor seal-in contact opens and completion of protective action is achieved without regard to the state of the initiating sensor trip channel.
| |
| | |
| After initial conditions (variable trip and logic deenergization) return to normal, deliberate operator action is required to return (reset) the RPS logic to normal (energized).
| |
| Manual Initiation (IEEE 279-1971, paragraph 4.17)
| |
| See Section 7.2.2.3 (Regulatory Guide 1.62).
| |
| | |
| COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 7.2-19 Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279-1971, paragraph 4.18)
| |
| | |
| During reactor operation, access to setpoint or calibration controls is not possible for the following RPS trip variables: SDV high water level, MSIV closure, and turbine throttle valve closure.
| |
| | |
| Access to setpoint adjustments, calibration controls, and test points for all other RPS trip variables are under the administrative control of the control room operator.
| |
| Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)
| |
| When any one of the redundant RPS trip sensors exceeds its setpoint value, a control room annunciator is initiated to identify that variable and a printed record is available from the computer work stations.
| |
| | |
| Information Readout (IEEE 279-1971, paragraph 4.20)
| |
| The RPS is designed to provide the operator with accurate and timely information pertinent to its status. It does not give anomalous indications that would confuse the operator.
| |
| System Repair (IEEE 279-1971, paragraph 4.21)
| |
| During periodic testing of the RPS sensor channels (except as noted below), the operator can determine defective components and replace them during plant operation.
| |
| During reactor operation, the control room operator is able to determine failed sensors for the following RPS trip variables, but subsequent repair can only be accomplished during reactor shutdown: MSIV closure, turbine throttle valve closure, neutron monitoring (APRM) system, and neutron monitoring (IRM) system.
| |
| | |
| Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the NMS may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair. Identification of Protection Systems (IEEE 279-1971, paragraph 4.22) The RPS components are identified with an RPS designation colored marker plate. Cabling outside the cabinets is identified specifically as RPS wiring. (See also Section 8.3.1.3.) Redundant racks are identified by the identification marker plates of instruments on the racks.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-14-003 7.2-20 7.2.2.3 Conformance to NRC Regulatory Guides The following is a discussion of conformance to those Regulatory Guides that apply specifically to the RPS. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems.
| |
| | |
| Regulatory Guide 1.22 (February 1972), Period Testing of Protection System Actuation Function The RPS can be tested during reactor operation by the following separate tests: The manual scram test verifies the ability to deenergize the scram pilot valve solenoids without scram by using the manual scram push button switches. By depressing the manual scram button for one trip logic, the trip actuators are deenergized, opening contacts in the actuator logics.
| |
| | |
| After the first trip channel is reset, the second trip channel is tripped manually and so forth for the four manual scram buttons. In addition to control room and computer printout indications, scram group indicator lights verify that the actuator contacts have opened and interrupted power to the scram solenoids.
| |
| | |
| The single rod scram test verifies the capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular CRD. Timing traces can be made for each rod scrammed.
| |
| | |
| The sensor test involves applying a test signal to each RPS sensor trip channel in turn and observing that a logic trip results. The test signals can be applied to the processing sensing instrumentation (pressure and differential pressure) through calibration taps. During plant operation, the operator can set the turbine throttle valve or main steam line closure logic test switch in test position and actuate the other valve, which completes the respective channel trip with annunciation and computer logging. The operator can then confirm that the main steam line isolation and turbine throttle valve limit switches operate during valve motion, from full open to full closed and vice versa, by comparing the time that the RPS channel trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fully open and fully closed. This test does not confirm the exact setpoint, but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. During reactor shutdown, calibration of the main steam line isolation and turbine throttle valve limit switch set point at a valve position of less than or equal to 10% closure is possible by physical observation of the valve stem.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-16-005 7.2-21 During reactor operation, a test and calibration of the individual hydraulic oil line pressure sensors associated with turbine control valve fast closure when the plant is operating above 29.5% of rated power may be accomplished by valving one sensor out-of-service at a time and introducing a test pressure input.
| |
| | |
| The APRMs are calibrated to reactor power by using a reactor heat balance and the traversing in-core probe (TIP) system to establish the relative local flux profile. The LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined.
| |
| | |
| The gain adjustment factors for the LPRMs are produced as a result of the computer calculations involving the reactor heat balance and the TIP flux distributions. The APRM and LPRM gains are adjusted using the instrument's front panel display or accepting the APRM gain calculated from the Percent Core Thermal Power (%CTP) and LPRM Gain adjustment factors that are downloaded from the core monitoring system. These adjustments, when incorporated into the LPRMs, permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power.
| |
| During reactor operation, one manual scram push button may be depressed to test the proper operation of the switch and trip logic relay. Once the RPS is reset, the other switches may be depressed to test their operation one at a time. For each such operation, a control room annunciation will be initiated and the process computer will print the identification of the pertinent trip.
| |
| | |
| Operation of the reactor mode switch from one position to another may be employed to confirm certain aspects of the RPS trip channels during periodic test and calibration at shutdown only. During tests of the trip channels, proper operation of the mode switch contacts can be easily verified by noting that certain sensors are connected into the RPS logic and that other sensors are bypassed in the RPS logic in an appropriate manner of the given position of the mode switch.
| |
| | |
| In the startup and run modes of plant operation, procedures may be used to confirm that SDV high water level trip channels cannot be bypassed as a result of the operating bypass switch. In the shutdown and refuel modes of plant operation, a similar procedure may be used to bypass all four SDV trip channels. Due to the discrete "on-off" nature of the bypass function, calibration is not meaningful.
| |
| | |
| Administrative control must be exercised to valve one turbine first-stage pressure sensor out-of-service for the periodic test. During this test, a variable pressure source may be introduced to operate the sensor at the setpoint value. When the condition for bypass has been COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-16-005 7.2-22 achieved on an individual sensor under test, the control room annunciator for this bypass function will be initiated. If the RPS trip channel associated with this sensor is in its tripped state, the process computer will log the return to normal state for the RPS trip logic. When the plant is operating above 29.5% of rated power, testing of the turbine throttle valve and governor valve fast closure trip channels will confirm that the bypass function is not in effect.
| |
| | |
| Operation of the reset switch following a trip of one RPS trip system will confirm that the switch is performing its intended function. Operation of the reset switch following trip of both RPS trip systems will confirm that all portions of the switch and relay logic are functioning properly since half of the control rods are returned to a normal state for one actuation of the switch.
| |
| | |
| A manual scram switch permits each individual trip logic, trip actuator, and trip actuator logic to be tested on a periodic basis. Testing of each process sensor of the protection system affords an opportunity to verify proper operation of these components. Calibration of the time response of the trip channel relays and trip actuators may be accomplished by connection of external test equipment.
| |
| | |
| Regulatory Guide 1.53 (June 1973), Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems
| |
| | |
| See Section 7.2.2.2 (IEEE 279-1971, Paragraph 4.2).
| |
| Regulatory Guide 1.62 (October 1973), Manual Initiation of Protective Actions Means are provided for manual initiation of the RPS at the system level through the use of four push button switches located on the control room bench board.
| |
| Operation of two switches (one in each trip system) accomplishes the initiation of all actions performed by the automatic initiation circuitry.
| |
| Placing the reactor mode switch in the shutdown position will also cause a system level initiation.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 Table 7.2-1 Reactor Protection System Instrumentation Function Instrumenta LDCN-14-003 7.2-23 Scram Reactor vessel high pressure Pressure switch (B22-N023A-D) MS-PS-23A-D Drywell high pressure Pressure switch (C72-N002A-D) RPS-PS-2A-D Reactor vessel low water level (level 3) Level switch (B22-N024A-D)
| |
| MS-LIS-24A-D Scram discharge volume high water level Transmitter/Level Indicating Switch CRD-LT-12A-D CRD-LIS-601A-D Transmitter/Level Switch CRD-LT-13A-D CRD-LS-613-A-D Turbine throttle valve closure Position switch (C72-N006A-D)
| |
| RPS-POS-33T/1A-4A RPS-POS-33T/1B-4B Turbine governor valve fast closure Pressure switch (C72-N005A-D)
| |
| RPS-PS-5A-D Main steam line isolation valve closure Position switch (B22F022 A-D)
| |
| MS-V-22 A-D (B22F028 A-D)
| |
| MS-V-28 A-D Neutron monitoring system IRM, APRM, OPRM COLUMBIA GENERATING STATION Amendment 53 FINAL SAFETY ANALYSIS REPORT November 1998 Table 7.2-1 Reactor Protection System Instrumentation (Continued) Function Instrumenta 7.2-24 Bypass Discharge volume high water level trip bypass N/A Turbine stop valve and governor valve fast-closure trip bypass Pressure switch (C72-N003A-D)
| |
| MS-PS-3A-D Main steam line isolation valve closure trip bypass Pressure switch (B22-N020A-D)
| |
| MS-PS-20A-D a Instruments in parentheses are the GE designation.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-05-009 7.3-1 7.3 ENGINEERED SAFETY FEATURE SYSTEMS 7.3.1 DESCRIPTION
| |
| | |
| The instrumentation and controls include the operation of the following engineered safety feature (ESF) systems (see Figures 7.3-1 through 7.3-15): a. Emergency core cooling system (ECCS),
| |
| b. Primary containment and reactor vessel isolation control systems (PCRVICS), c. Residual heat removal (RHR) system - containment spray cooling mode (CSCM),
| |
| : d. RHR system - suppression pool cooling mode (SPCM),
| |
| : e. Standby service water (SW) system,
| |
| : f. Main control room and critical switchgear rooms heating, ventilating, and air conditioning (HVAC) system,
| |
| : g. Reactor building ventilation and pressure control system,
| |
| : h. Standby gas treatment system (SGT),
| |
| : i. Containment instrument air (CIA) system, and The sources which supply power to the ESF systems originate from onsite ac and/or dc safety-related buses or, as in the case of the PCRVICS fail safe logic, from safety-related Division 1 and 2 power and the non-safety-related reactor protection system (RPS) motor generator (MG) sets. See Chapter 8 for a complete discussion of the ESF systems power sources.
| |
| | |
| 7.3.1.1 System Description 7.3.1.1.1 Emergency Core Cooling Systems The ECCS is a network of the following systems. See Sections 6.3.1 and 6.3.2. a. High-pressure core spray (HPCS) system,
| |
| : b. Automatic depressurization system (ADS),
| |
| : c. Low-pressure core spray (LPCS) system, and d. Low-pressure coolant injection (LPCI) mode of the RHR system.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-04-027, 05-009 7.3-2 The following plant variables are monitored and provide automatic initiation of the ECCS when these variables exceed predetermined limits: a. Reactor vessel water level A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary (RCPB) and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. See Figure 10.3-2 for a schematic arrangement of reactor vessel instrumentation.
| |
| b. Drywell pressure High pressure in the drywell could indicate a breach of the RCPB inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes.
| |
| 7.3.1.1.1.1 High-Pressure Core Spray System.
| |
| Function The purpose of the HPCS is to provide high pressure reactor vessel core spray for a small line break loss-of-coolant accident (LOCA) which does not depressurize the reactor vessel. In addition HPCS is redundant to the ADS system for mitigation of the consequences of various events described in Chapter 15. The HPCS can provide core cooling or reactor vessel inventory makeup following accidents and various design basis transients described in Chapter 15. See also Section 6.3.2.2.1. The HPCS also provides for core cooling during a station blackout event.
| |
| | |
| Operation Schematic arrangements of system mechanical equipment is shown in Figure 6.3-4. The HPCS system component control logic is shown in Figures 7.3-4 and 7.3-7. Instruments are listed in Table 7.3-1. Operator information displays are shown in Figures 7.3-7 and 7.3-4.
| |
| The HPCS is initiated automatically by either reactor vessel low water level (trip level 2) or drywell high pressure. The system is designed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once initiated the HPCS logic seals-in and can be reset by the operator only when the initial conditions return to normal. See Figure 7.3-7 for a schematic representation of the HPCS system initiation logic.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-3 Reactor vessel water level (trip level 2) is monitored by four redundant differential pressure switches. The switch contacts are arranged in a one-out-of-two twice logic arrangement to ensure that no single event can prevent the initiation of the HPCS. Initiation diversity is provided by drywell pressure which is monitored by four redundant pressure switches. The switches are electrically connected in a one-out-of-two twice logic arrangement to ensure that no single instrument failure can prevent the initiation of the HPCS.
| |
| The HPCS components respond to an automatic initiation signal as follows (actions are simultaneous unless stated otherwise):
| |
| a. The HPCS diesel generator is signaled to start and its protective relays are bypassed. Once the diesel is started it signals its cooling water pump to start. See Section 6.3.1.1;
| |
| : b. The HPCS pump motor is signaled to start;
| |
| : c. The normally open pump suction valve from the condensate storage tank HPCS-V-1 (MO F001), is signaled to open;
| |
| : d. The test return valves HPCS-V-10 (MO F010), HPCS-V-11 (MO F011), and HPCS-V-23 (MO F023) are signaled to close; and
| |
| : e. The HPCS injection valve HPCS-V-4 (MO F004) is signaled to open. If the pump is running but discharge flow is low enough that pump overheating may occur, the minimum flow return line valve HPCS-V-12 (MO F012) is signaled to open. The valve is automatically closed if flow is normal.
| |
| | |
| If water level in the condensate storage tanks falls below a predetermined level, the suppression pool suction valve HPCS-V-15 (MO F015) automatically opens. When HPCS-V-15 (MO F015) is fully open the condensate storage tank suction valve HPCS-V-1 (MO F001) automatically closes. Two level switches mounted on a Seismic Category I standpipe in the reactor building are used to detect low water level in the condensate storage tanks. Either switch can cause automatic suction transfer. If the condensate supply line fails, the suction supply for HPCS-P-1 pump transfers to the suppression pool. Either of two instruments mounted on the supply line in the reactor building sense a low water level in the supply line as a broken pipe. The suppression pool suction valve also automatically opens if high water level is detected in the suppression pool. Two level switches monitor suppression pool water level and either switch can initiate opening of the suppression pool suction valve. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other closes.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-4 The HPCS provides makeup water to the reactor until the vessel water level reaches the high level trip (trip level 8) at which time the injection valve HPCS-V-4 (MO F004) is automatically closed. The pump will continue to run on minimum flow recirculation. The injection valve will automatically reopen if vessel level again drops to the low level (trip level 2) initiation point.
| |
| | |
| The HPCS pump motor and injection valve are provided with manual override controls. These controls permit the reactor operator to manually control the system following automatic initiation. 7.3.1.1.1.2 Automatic Depressurization System.
| |
| Function The ADS is designed to provide automatic depressurization of the reactor vessel by activating seven safety/relief valves (SRVs). These valves vent steam to the suppression pool in the event the HPCS cannot maintain reactor water level following a LOCA. The ADS reduces reactor pressure so that flow from the low pressure ECCS, LPCI system and LPCS, can inject into the reactor vessel in time to cool the core and limit fuel cladding temperature. See also Section 6.3.2.2.2.
| |
| Operation Schematic arrangements of system mechanical equipment is shown in Figure 10.3-2. The ADS component control logic is shown in Figure 7.3-8. Instruments are listed in Table 7.3-2. Operator information displays are shown in Figures 10.3-2 and 7.3-8.
| |
| The ADS is made up of two independent trip systems (A&B).
| |
| | |
| To prevent inadvertent actuation of the ADS, two channels of logic for each ADS trip system are used. Both channels must be activated to actuate ADS. See Figure 7.3-5 for a schematic representation of the ADS initiation logic.
| |
| | |
| One channel includes two differential pressure sensor inputs monitoring reactor vessel low water level (trip level 3 and trip level 1). The low water level trip (trip level 3) provides confirmation of a reactor vessel low water level condition. The other channel includes only a single reactor vessel low water level (trip level 1) input.
| |
| To ensure that adequate makeup water is available after the vessel has been depressurized each logic channel includes a pump discharge pressure permissive signal indicating RHR or LPCS system available for vessel water makeup. Any one of the three RHR pumps or the LPCS pump is sufficient to permit automatic depressurization.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-5 After receipt of the initiation signals and a time delay, one or both of the two solenoid pilot air valves are energized. This allows pneumatic pressure from the accumulator to act on the air cylinder operator. Each ADS trip system timer can be reset manually to delay system initiation. If reactor vessel water level is restored by HPCS prior to the end of the time delay, ADS initiation will be prevented. Also, either or both ADS trip systems may be initially inhibited to eliminate resetting the timer.
| |
| The ADS trip system A actuates the "A" solenoid pilot valve on each ADS relief valve. Similarly, the ADS trip system B actuates the "B" solenoid pilot valve on each ADS relief valve. Actuation of either solenoid pilot valve causes the ADS valve to open and provide depressurization.
| |
| | |
| Two control switches (one for each trip system solenoid) are located in the main control room for each SRV associated with the ADS. Each switch controls one of the two solenoid pilot valves.
| |
| | |
| 7.3.1.1.1.3 Low-Pressure Core Spray.
| |
| Function The purpose of the LPCS is to provide low-pressure reactor vessel core spray following a LOCA when the vessel has been depressurized and vessel water level has not been restored by the HPCS. The LPCS is functionally diverse to the LPCI mode of the RHR system (see Section 6.3.2.2.3).
| |
| Operation Schematic arrangements of system mechanical equipment is shown in Figure 6.3-4. The LPCS component control logic is shown in Figure 7.3-9. Instruments are listed in Table 7.3-3. Operator information displays are shown in Figure 7.3-9.
| |
| The LPCS is initiated automatically by either reactor vessel low water level and/or drywell high pressure. The system is designed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once initiated the LPCS logic seals-in and can be reset by the control room operator only when the initial conditions return to normal. See Figure 7.3-9 for a schematic representation of the LPCS system initiation logic.
| |
| Reactor vessel water level (trip level 1) is monitored by two redundant differential pressure switches. To provide diversity drywell pressure is monitored by two redundant pressure switches. The vessel level switch contacts and the drywell pressure switch contacts are connected in a one-out-of-two twice logic arrangement so that no single instrument failure can prevent initiation of LPCS.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-6 The LPCS components respond to an automatic initiation signal simultaneously (or sequentially as noted) as follows: a. The Division 1 diesel generator is signaled to start,
| |
| : b. The normally closed test return line to the suppression pool valve LPCS-V-12 (MO F012) is signaled closed,
| |
| : c. If power from the normal auxiliary or backup transformer is available at the pump motor bus, the LPCS pump is signaled to start. If the startup transformer is supplying the pump motor buses, sequential starts of ECCS pumps are required to prevent excessive voltage drops on the buses. This is accomplished by delaying the start of LPCS pump by 9.5 sec.
| |
| : d. Reactor pressure is monitored by a pressure switch which senses the reactor vessel pressure. When the reactor vessel pressure is low enough to protect the LPCS from over-pressure and power is available to the pump motor bus, the injection valve is signaled to open.
| |
| The LPCS pump discharge flow is monitored by a flow indicating switch. When the pump is running and discharge flow is low enough that pump overheating may occur, the minimum flow return line valve LPCS-FCV-11 (MO F011) is opened. The valve is automatically closed if flow is normal.
| |
| | |
| The LPCS pump suction from the suppression pool valve LPCS-V-1 (MO F001) is normally open, the control switch is key locked in the open position, and thus requires no automatic open signal for system initiation.
| |
| | |
| The LPCS pump and injection valve are provided with manual override controls. These controls permit the operator to manually control the system subsequent to automatic initiation.
| |
| 7.3.1.1.1.4 Residual Heat Removal System - Low Pressure Coolant Injection Mode.
| |
| Function Low-pressure coolant injection is an operating mode of the RHR system. The purpose of the LPCI system is to provide low-pressure reactor vessel coolant makeup following a LOCA when the vessel has been depressurized and vessel water level is not restored by the HPCS (see Section 6.3.2.2.4).
| |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 7.3-7 Operation Schematic arrangements of system mechanical equipment is shown in Figure 5.4-15. The LPCI component control logic is shown in Figure 7.3-10. Instruments are listed in Table 7.3-4. Operator information displays are shown in Figures 7.3-10 and 5.4-15.
| |
| The LPCI system is initiated automatically by either reactor vessel low water level or drywell high pressure (one-out-of-two-twice logic). The system is designed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once initiated, the LPCI logic seals-in and can be reset by the control room operator only when initial conditions return to normal. See Figure 7.3-10 for a schematic representation of the LPCI initiation logic. To provide diversity, reactor vessel water level (trip level 1) and drywell pressure are monitored by two redundant differential pressure switches.
| |
| To initiate the Division 2 LPCI (loops B and C) the vessel level switch contacts and the two drywell pressure switch contacts are connected in a one-out-of-two-twice arrangement so that no single instrument failure can prevent initiation of LPCI.
| |
| The Division 1 LPCI (loop A) receives its initiation signal from the LPCS logic.
| |
| The LPCI system components respond to an automatic initiation signal simultaneously (or sequentially as noted) as follows (the loop A components are controlled from the Division 1 logic; the loop B and C components are controlled from the Division 2 logic): a. The Division 2 diesel generator is signaled to start from the loop B and C initiation logic;
| |
| : b. If offsite power is not available and the diesel generators are supplying the pump motor buses, sequential loading of the diesel generators is required. This is accomplished by delaying the start of LPCI pumps A and B by 5 sec while allowing the LPCS and LPCI C pumps to start immediately. The same start sequence is maintained for the LPCS and LPCI pumps when the pump motor buses are supplied from the normal auxiliary or backup transformer. If the startup transformer is supplying the pump motor buses, sequential starts of ECCS pumps are required to prevent excessive voltage drops on starting. This is accomplished by delaying the start of LPCS and LPCI C pumps by 9.5 sec and delaying LPCI A and B pump starts by 19.4 sec;
| |
| : c. Reactor pressure is monitored by a pressure switch for each LPCI injection valve RHR-V-42A, RHR-V-42B, and RHR-V-42C (MO FO42A, B, C). When the reactor pressure is low enough to protect the LPCI from overpressure and power is available at the associated pump motor bus, the injection valve is signaled to open; COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 LDCN-04-017 7.3-8
| |
| : d. The following normally closed valves are signaled closed to ensure proper system lineup: 1. The test return line to the suppression pool valves RHR-V-24A, RHR-V-24B (MO F024 A, B), RHR-V-21, and
| |
| : 2. The suppression pool spray valves RHR-V-27A and RHR-V-27B (MO F027 A, B). e. The normally open heat exchanger bypass valves RHR-V-48A and RHR-V-48B (MO F048 A, B) are signaled open. The open signal is automatically removed 10 minutes after system initiation to allow operator control of the valve for throttling purposes if cooling using RHR heat exchangers is required. The flow in each LPCI discharge line is monitored when the pump is running. Whenever the discharge flow is below the minimum flow setpoint, the respective minimum flow valve RHR-FCV-64A, RHR-FCV-64B, or RHR-FCV-64C (MO F064A, B or C) will automatically start to open in approximately 8 sec, to prevent pump overheating. The valve is automatically closed if the flow is above the minimum flow setpoint. The time delay is provided to limit reactor vessel inventory loss during the shutdown cooling mode of the RHR system (see Section 5.4.7.2.6).
| |
| The three RHR pump suction from the suppression pool valves RHR-V-4A, RHR-V-4B, RHR-V-4C (MO F004 A, B, C) and the RHR heat exchanger inlet valves RHR-V-47A, RHR-V-47B, (MO F047 A, B) which are locked open (with power removed) and outlet valves RHR-V-3A, RHR-V-3B (MO F003 A, B) have their control switches in the open position, and thus require no automatic open signal for system initiation.
| |
| | |
| The two series SW crosstie valves RHR-V-115 (MO F094) and RHR-V-116 (MO F093) have their control switches key locked in the close position, and thus require no automatic close signal for system initiation.
| |
| | |
| The two series containment spray valves RHR-V-16A, RHR-V-16B, (MO F016 A, B) and RHR-V-17 and RHR-V-17B (MO F017 A, B), the two series RHR heat exchanger vent valves RHR-V-73A, RHR-V-73B, RHR-V-74A, and RHR-V-74B (MO F073 A, B and MO F074 A, B), and the RHR shutdown cooling mode suction valves RHR-V-6A and RHR-V-6B (MO F006 A, B) are all normally closed and thus require no automatic close signal for system initiation.
| |
| | |
| The LPCI pump motors and injection valves are provided with manual override controls. These controls permit the operator to manually control the system subsequent to automatic initiation.
| |
| COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 LDCN-12-028 7.3-9 7.3.1.1.2 Primary Containment and Reactor Vessel Isolation Control System (PCRVICS)
| |
| Function The PCRVICS includes the instrument channels, trip logic, and actuation circuits that automatically initiate valve closure providing isolation of the primary containment and/or reactor vessel, and initiation of systems provided to limit the release of radioactive materials. See Section 6.2.4 and Table 6.2-16 for a complete description of primary containment and reactor vessel process lines and isolation signals applied to each. Operation Schematic mechanical arrangements of containment isolation valves and other components initiated by PCRVICS are shown in Figures 5.4-15, 10.3-2, 5.4-7, 5.4-11, 5.4-22, 9.3-9, 9.3-12, and 3.2-2. The PCRVICS component control logic is shown in Figures 7.3-1, 7.3-8, 7.3-10 and 7.4-1. Instruments are listed in Table 7.3-5. Operator information displays are shown on these figures.
| |
| | |
| During normal plant operation, the isolation control system sensors and trip logic that are essential to safety are energized. When abnormal conditions are sensed, instrument contacts open and deenergize the trip logic and thereby initiate isolation. Once initiated, then the PCRVICS trip logic seals-in and may be reset by the operator when the initiating conditions return to normal.
| |
| | |
| The PCRVICS trip logic provides isolation signals to the main steam line isolation valves (MSIVs) MS-V-22A, MS-V-22B, MS-V-22C, MS-V-22D (AO F022 A, B, C, D) and MS-V-28A, MS-V-28B, MS-V-28C, MS-V-28D (AO F028 A, B, C, D); to the main steam line drain valves MS-V-16 (MO F016), MS-V-67A, MS-V-67B, MS-V-67C, MS-V-67D (F067 A, B, C, D), and MS-V-19 (MO F019); to the reactor water sample valves RRC-V-19 (MO F019) and RRC-V-20 (F020); to the RHR shutdown cooling system valves RHR-V-8 (MO F008), RHR-V-9 (F009), RHR-V-23 (F023), RHR-V-40 (F040), RHR-V-49 (F049),
| |
| RHR-V-53A, RHR-V-53B (F053 A, B), RHR-V-123A, RHR-123B (F099 A, B); to the reactor water cleanup (RWCU) system valves RWCU-V-1 (MO F001) and RWCU-V-4 (F004); to the drywell equipment drain valves EDR-V-19 (AO F019) and EDR-V-20 (F020); to the drywell floor drain valves FDR-V-3 (AO F003) and FDR-V-4 (F004); to the TIP system valves, TIP-V-1, TIP-V-2, TIP-V-3, TIP-V-4, TIP-V-5, and TIP-V-15; and to the RCIC system valves, RCIC-V-63 (MOF063), RCIC-V-8 (F008) and RCIC-V-76 (F076).
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 LDCN-09-007 7.3-10 Each MSIV has two control solenoids. Each solenoid receives inputs from two redundant logic channels. A signal from either can deenergize the solenoid. For any one valve to close automatically, both of its solenoids must be deenergized.
| |
| The MSIV logic has a minimum of four redundant instrument channels for each measured variable. One channel of each variable is connected to one trip logic. One group of redundant logic (A, C) is used to control one solenoid of both inboard and outboard valves of all four main steam lines, and the other group of redundant logic (B, D) is used to control the other solenoid of both inboard and outboard valves. The four PCRVICS trip logic channels are arranged in a one-out-of-two twice logic combination (trip logic A or C and B or D). See Figure 7.3-2.
| |
| The main steam line drain valves, drywell equipment and floor drain valves, reactor water sample valves, the RWCU system, and RHR system isolation valves also operate in pairs. The outboard valves close if the Division 1 isolation logic (A and B) is tripped, and the inboard valves close if the Division 2 logic (C and D) is tripped. See Figure 7.3-3. The RCIC system isolation valves are initiated closed by the leak detection system signals listed in Section 7.3.1.2.1.d. See Figure 7.4-1.
| |
| The PCRVICS also provides signals to start the SGT, to remove nonessential loads from essential buses, and to isolate the reactor building ventilation system and the primary containment purge and vent system.
| |
| | |
| The following variables provide inputs to the PCRVICS logics for initiation of reactor vessel and drywell isolation, as well as the initiation or trip of other plant functions when predetermined limits are exceeded. Combinations of these variables, as necessary, provide initiation of various isolating and initiating functions as identified in Table 6.2-16 and described below.
| |
| | |
| 7.3.1.1.2.1 Reactor Vessel Low Water Level. A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the RCPB and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.
| |
| Reactor vessel low water level initiates closure of various valves. The closure of these valves is intended to isolate a breach of the pipelines, conserve reactor coolant by closing off process lines, and limit the escape of radioactive materials from the primary containment through process lines that communicate with the primary coolant boundary or primary containment.
| |
| Three reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel. The first (and higher) reactor vessel low water level isolation trip (trip level 3) initiates closure of all RHR system isolation valves. The main steam lines are left open to allow the removal of heat from the reactor core. The second (and lower) reactor vessel low-low water level isolation trip (trip level 2) isolates the Group 2, 3, 4 COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 LDCN-09-007 7.3-11 and 7 primary containment isolation valves and also provides inputs to logic which trips or initiates other plant equipment.
| |
| | |
| The third (lowest) reactor vessel low-low-low water isolation trip (trip level 1) isolates the Group 1 primary containment isolation valves which include MSIVs and main steam line drain valves.
| |
| Reactor vessel low water level (Level 3) is monitored by four redundant differential pressure switches. Each provides a low water level input to one of the four PCRVICS trip logic.
| |
| Reactor vessel water low-low (Level 2) and low-low-low (Level 1) are monitored by four redundant differential pressure transmitters with dual trip units. Each trip unit provides a Level 2 or Level 1 input to the PCRVICS trip logic.
| |
| Diversity of trip initiation for pipe breaks inside of primary containment is provided by drywell high pressure sensors.
| |
| | |
| 7.3.1.1.2.2 Drywell High Pressure. High pressure in the drywell could indicate a breach of the RCPB inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes.
| |
| | |
| Drywell pressure is monitored by four redundant pressure switches. Each switch provides an input to one of the four trip logic channels.
| |
| | |
| 7.3.1.1.2.3 Main Steam Line - High Radiation. The main steam line radiation monitors sense the gross release of fission products from the fuel and initiates action to contain the released fission products.
| |
| | |
| Four redundant detectors monitor the gross gamma radiation from the main steam lines. Each provides an input to one of the four PCRVICS trip logic channels.
| |
| Each channel consists of a gamma-sensitive ion chamber and a log radiation monitor. Each log radiation monitor has three trip circuits. One upscale trip circuit is used to initiate closure of the reactor water sample valves, mechanical vacuum pump trip, gland seal condenser exhauster trip, and an isolation alarm. The second circuit is used for a high alarm and is set at a level below that of the upscale trip circuit. The third circuit is a downscale alarm. The inoperative condition actuates the isolation alarm and produces the same isolation described above for the upscale trip circuit.
| |
| | |
| 7.3.1.1.2.4 Main Steam Line - Tunnel High Ambient Temperature or High Differential Temperature. A leak in a main steam line is indicated by a high ambient temperature or a high differential temperature for this area. The automatic closure of main steam line isolation and COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-12 drain valves prevents the excessive loss of reactor coolant and the release of a significant amount of radioactive material from the RCPB. There are four main steam line high ambient temperature channels within the steam tunnel and four high differential temperature channels between the main steam line tunnel and the reactor building. These eight channels monitor and actuate main steam line isolation logic which is deenergized by high ambient or high differential temperature condition.
| |
| Diversity of trip initiation signals for the main steam line tunnel high ambient or high differential temperature is provided by main steam line high flow and steam line low pressure instrumentation.
| |
| | |
| 7.3.1.1.2.5 Main Steam Line - High Flow. Main steam line high flow could indicate a breach in a main steam line. Automatic closure of isolation valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the RCPB.
| |
| Sixteen redundant differential pressure switches, four for each main steam line, monitor the main steam line flow. Four differential pressure switches for each main steam line provide inputs to each of the four trip logic channels.
| |
| | |
| When a significant increase in main steam line flow is detected, trip signals initiate closure of all main steam line isolation and drain valves.
| |
| 7.3.1.1.2.6 Main Steam Line - Low Pressure. Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure regulator in which the turbine governor valves or turbine bypass valves become fully open, thus causing rapid depressurization of the reactor vessel. From reduced power the rate of decrease of nuclear system saturation temperature could exceed the allowable rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels (around some fuel bundles) of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations without adequate preventive actions could require thorough vessel analysis or core inspection prior to returning the reactor to power operation.
| |
| Four redundant pressure sensors, one for each main steam line, monitor main steam line pressure and each provides an input to one of the four trip logic channels.
| |
| When a significant decrease in main steam line pressure is detected, the PCRVICS initiates closure of all main steam line isolation and drain valves.
| |
| The main steam line low pressure trip is bypassed by the reactor mode switch in the shutdown, refuel, and startup modes of reactor operation. In the run mode, the low pressure trip function is active.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-13 7.3.1.1.2.7 Reactor Building Ventilation Exhaust Radiation Monitor. There are four radiation monitors arranged in two sets of two channels each, (A, B) and (C, D), which make up the process radiation monitor (PRM) reactor building vent radiation monitor isolation system. Each channel has a trip signal output used for shutdown and isolation of the reactor building ventilation system, startup of the SGT, and trip and/or isolation of various other plant functions. The trip output is provided in response to either high radiation in the ventilation exhaust plenum (upscale trip) or instrument failure (downscale trip). The downscale trip also initiates an alarm to alert the operator to instrument trouble conditions. See Section 11.5 for additional details.
| |
| | |
| 7.3.1.1.2.8 Reactor Water Cleanup System - High Differential Flow. High differential flow in the RWCU system could indicate a breach of the RCPB of the cleanup system. The flow at the inlet to the system is compared with the flow at the outlets of the system.
| |
| A differential flow signal is developed from the compared inlet-outlet flow signals and applied to the two (inboard or outboard) logic trip channels. When an increase in RWCU system differential flow is detected, the PCRVICS initiates closure of the RWCU system isolation valves. This isolation function is not credited in the accident analysis.
| |
| Diversity of trip initiation signals for RWCU system isolation is provided by instrumentation for reactor water level, differential flow, high blowdown flow, and ambient or differential temperature in RWCU equipment areas.
| |
| | |
| The RWCU system high differential flow trip is bypassed by an automatic timing circuit during normal RWCU system surges. This time delay bypass prevents inadvertent system isolations during system flow transients.
| |
| | |
| 7.3.1.1.2.9 Reactor Water Cleanup System - Area High Ambient Temperature or High Differential Temperature. High temperature in the equipment room areas of the RWCU system could indicate a breach of the RCPB in the cleanup system.
| |
| Redundant ambient temperature or differential temperature sensors monitor the RWCU system area temperatures. When a significant increase in RWCU system area ambient or differential temperature is detected the PCRVICS initiates closure of RWCU system isolation valves.
| |
| The output trip signal of each sensor initiates a logic trip and closure of either the inboard or outboard RWCU system isolation valve.
| |
| | |
| Diversity of trip initiation signals for high differential temperature is provided by two pair of differential temperature elements and associated differential temperature switches. Each pair of temperature elements and its differential temperature switch are associated with one of two logic channels.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-14 7.3.1.1.2.10 Reactor Water Cleanup System - High Blowdown Flow. High flow conditions in the RWCU blowdown to the main condenser or radwaste line is indicative of a high-energy line break condition. Flow in this line is monitored by two redundant flow sensors which measure flow at the same point and apply flow signals to the trip logic channels. One flow signal is provided to the inboard trip channel and one to the outboard trip channel.
| |
| When an increase in RWCU blowdown flow is detected, the PCRVICS initiates closure of the RWCU system isolation valves. The high blowdown flow trip logic contains a time delay feature which prevents inadvertent system isolations due to normal flow transients.
| |
| | |
| 7.3.1.1.2.11 Residual Heat Removal System - Area High Ambient Temperature or High Differential Temperature. High temperature in the equipment room areas of the RHR system could indicate a breach in the RCPB in the RHR system.
| |
| Redundant ambient temperature or redundant differential temperature sensors monitor the RHR system area temperatures. Half of the ambient and differential temperature sensors are associated with one trip logic. The remaining temperature channels are associated with the other trip logic. The ambient temperature elements are located in each RHR equipment area. The differential temperature elements are located in the ventilation supply and ventilation exhaust of RHR pump rooms A and B.
| |
| | |
| When an increase in RHR system area ambient temperature or differential temperature is detected, the PCRVICS initiates closure of the RHR system isolation valves.
| |
| The output trip signal of each sensor initiates a trip logic and closure of either the inboard or outboard RHR system isolation valve.
| |
| | |
| Diversity of trip initiation signals for RHR line break is provided by ambient temperature, differential temperature, and shutdown cooling flow instrumentation. An increase in ambient temperature, differential temperature, or flow will initiate RHR system isolation.
| |
| 7.3.1.1.2.12 Residual Heat Removal System - Flow Rate Monitoring. High flow in the RHR system suction line from the reactor vessel could indicate a breach in the RCPB in the RHR system.
| |
| | |
| Two redundant differential pressure switches, one for each trip logic, monitor the RHR shutdown cooling mode suction line. The output trip signal of each sensor initiates a logic trip and closure of either the inboard or outboard RHR system isolation valve. The RHR suction high flow trip is not credited within the Columbia Generating Station (CGS) accident analysis.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-15 7.3.1.1.2.13 Main Condenser Vacuum Trip. The main turbine condenser low vacuum signal could indicate a leak in the condenser. Initiation of automatic closure of various valves will prevent excessive loss of reactor coolant and the release of significant amounts of radioactive material.
| |
| Four redundant vacuum switches monitor the main condenser vacuum. Each switch provides an input to one of four trip logic channels.
| |
| When a significant decrease in main condenser vacuum is detected, the PCRVICS initiates closure of all main steam line isolation and drain valves.
| |
| Main condenser low vacuum trip can be bypassed manually when the turbine throttle valve is less than 90% open and reactor pressure is below 1060 psig.
| |
| | |
| 7.3.1.1.2.14 Reactor Core Isolation Cooling System Isolation Signals. The RCIC isolation signals for RCIC steam line high flow and RCIC pipe routing/equipment area high ambient temperature or high differential temperature are a subset of the RCIC leak detection system and are described in Section 7.6.1.3.4.
| |
| 7.3.1.1.3 DELETED
| |
| | |
| 7.3.1.1.4 Residual Heat Removal System - Containment Spray Cooling Mode Function The CSCM is an operating mode of the RHR system. It is designed to condense steam in the suppression chamber air volume and/or the drywell atmosphere following a LOCA. See Section 5.4.7. The drywell spray (with or without the RHR heat exchangers) is used to remove airborne radioactivity from the containment atmosphere in response to a LOCA. Drywell sprays are started within the first 15 minutes post-LOCA.
| |
| Operation The RHR system control logic is shown in Figure 7.3-10. Instruments are listed in Table 7.3-7. Operator information displays are shown in Figure 7.3-10.
| |
| The CSCM is initiated by the control room operator by diverting RHR flow to either the suppression pool or the drywell by opening valves RHR-V-27A, RHR-V-27B (MO F027A, B) or RHR-V-16A, RHR-V-16B (MO F016A, B), and RHR-V-17A, RHR-V-17B (MO F017A, B).
| |
| | |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-16 The following conditions must exist before the operator can initiate the drywell spray cooling loop: a. The LOCA signal which automatically initiated LPCI must still exist;
| |
| : b. One of the two redundant drywell pressure switches must indicate high pressure; and
| |
| : c. The operator must close the LPCI injection valve RHR-V-42A, RHR-V-42B (MO F042A, B).
| |
| 7.3.1.1.5 Residual Heat Removal System - Suppression Pool Cooling Mode Function The SPCM is an operating mode of the RHR system. It is designed to prevent suppression pool temperature from exceeding predetermined limits following a reactor blowdown of the ADS or SRVs. The SPCM mode is also used during RCIC operation and SRV testing.
| |
| | |
| Operation Component control logic is shown in Figure 7.3-10. Instruments are listed in Table 7.3-8. Operator information displays are shown in Figure 7.3-10.
| |
| The SPCM is initiated by the control room operator either during normal plant operation or following a LOCA when the suppression pool temperature monitoring system (see Section 7.6) indicates that pool temperature may exceed a predetermined limit.
| |
| During normal plant operation the operator initiates the SPCM as follows: a. The RHR pump (A or B) is started. The standby SW pump is started and the RHR heat exchanger SW discharge valve RHR-V-68A, RHR-V-68B (MO 0068 A, B) is signaled to open automatically when the SW pump starts.
| |
| : b. The RHR test return line valve RHR-V-24A, RHR-V-24B (MO F024 A, B) is opened.
| |
| : c. The RHR heat exchanger inlet valves RHR-V-47A, RHR-V-47B (MO F047 A, B) are locked open (with power removed) and outlet valves RHR-V-3A, RHR-V-3B (MO F003 A, B) are throttled as necessary. The heat exchanger bypass valve RHR-V-48A, RHR-V-48B (MO F048 A, B) and valve RHR-V-24A, RHR-V-24B (MO F024 A, B) are throttled as necessary.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-15-062 7.3-17 Subsequent to a LOCA the operator initiates the SPCM as follows:
| |
| : a. Once reactor vessel water level has been restored, the LPCI flow must be terminated by closing the LPCI injection valve RHR-V-42A, RHR-V-42B (MO F042 A, B). Closing the injection valve causes the LOCA initiation logic to be overridden and allows operator control of the system;
| |
| : b. The RHR test return line valve RHR-V-24A, RHR-V-24B (MO F024 A, B) control logic also has LOCA signal override provisions. This allows the operator to open the valve; and
| |
| : c. The RHR heat exchanger inlet valves RHR-V-47A, RHR-V-47B (MO F047 A, B) are locked open (with power removed) and outlet valves RHR-V-3A, RHR-V-3B (MO F003 A, B) are throttled as necessary. The heat exchanger bypass valve RHR-V-48A, RHR-V-48B (MO F048 A, B) (a 10-minute timer keeps this valve open following a LOCA) and valve RHR-V-24A, RHR-V-24B (MO F024 A, B) are throttled as necessary. 7.3.1.1.6 Standby Service Water System Function The SW system provides cooling water to the diesel generators, the RHR heat exchangers, the HPCS, RCIC, LPCI, and LPCS auxiliary equipment (e.g., room cooler, pump motor bearing cooler, pump seal cooler), and the essential HVAC chillers. See Section 9.2.
| |
| Operation Schematic arrangements of system mechanical equipment is shown in Figure 9.2-12. The SW component control logic is shown in Figure 7.3-12. Instruments are listed in Table 7.3-9. Operator information displays are shown in Figures 7.3-12 and 9.2-12.
| |
| The SW system is automatically initiated as follows: a. The Division 1 SW pump P-1A is started automatically when either the RHR A pump, the LPCS pump, or the Division 1 diesel generator is started,
| |
| : b. The Division 2 SW pump P-1B is started automatically when either the RHR B pump, RHR C pump, the Division 2 diesel generator, or the RCIC pump is started, and
| |
| : c. The HPCS SW pump HPCS-P-2 (C002) is automatically started when the HPCS diesel generator is started.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-18 Once the SW pumps are started the following occurs:
| |
| a. The RHR heat exchanger SW discharge valves RHR-V-68A and RHR-V-68B are signaled open, and
| |
| : b. After the SW pumps discharge pressure exceeds a minimum value the pump discharge valves SW-V-2A, SW-V-2B, and SW-V-29 are signaled to open. 7.3.1.1.7 Main Control Room and Critical Switchgear Rooms Heating, Ventilating, and Air Conditioning System Schematic arrangements of system mechanical equipment are shown in Figure 9.4-1. Component control logic is shown in Figure 7.3-13. Instruments are listed in Table 7.3-10. Operator information displays are shown in Figure 9.4-1 and Figure 7.3-13.
| |
| For a complete description of the main control room and critical switchgear rooms HVAC instrumentation and controls see Section 9.4.1.
| |
| 7.3.1.1.8 Standby Gas Treatment System Schematic arrangements of system mechanical equipment are shown in Figure 3.2-2. The SGT component control logic is shown in Figure 7.3-14. Instruments are listed in Table 7.3-11. Operator information displays are shown in Figure 3.2-2 and Figure 7.3-14.
| |
| For a complete description of the SGT instrumentation and controls see Section 6.5.1.
| |
| 7.3.1.1.9 Reactor Building Ventilation and Pressure Control System Function The reactor building ventilation and pressure control system automatically maintains the reactor building or secondary containment at a negative pressure below atmospheric pressure by controlling the reactor building exhaust or SGT fan units. See Section 9.4.2. Operation Schematic arrangements of system mechanical equipment are shown in Figure 9.4-2. System component control logic is shown in Figure 7.3-14. Instruments are listed in Table 7.3-12. Operator information displays are shown in Figure 9.4-2 and Figure 7.3-14.
| |
| The differential pressure is monitored by eight redundant differential pressure transmitters, four in Division 1 and four in Division 2, which measure the differential pressure across the COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-19 exterior of four sides of the reactor building to inside the reactor building (572 ft el.). The signal indicating the least differential pressure from the four differential pressure transmitters in one division is selected and is used to control the position of the blades of the normal reactor building exhaust fan unit in that division. On the initiation of the SGT by containment isolation signals high drywell pressure, low reactor water level, or reactor building exhaust high radiation, the reactor building pressure control system then controls the secondary containment pressure by controlling the SGT fan units (see Section 6.5.1). 7.3.1.1.10 Containment Instrument Air System Function The purpose of the CIA system is to provide clean, dry, pressurized gas to the main steam relief valves and isolation valves inside primary containment. The pressurized nitrogen or air is normally provided by a non-safety-related source to a single header which delivers the operating gas to the relief and isolation valves. Under normal conditions, the non-safety-related source also provides working pressure to two headers which serve as the safety-related backup system for seven relief valves designated for the ADS function. However, a safety-related, bottled nitrogen source is available to maintain operating pressure to the seven divisionally separated ADS valves, in the event that the non-safety-related sources fail (see Figure 9.3-2).
| |
| In the event of failure of the non-safety-related portions of the system, which is indicated by low header pressure and detected by three pressure switches, the bottled nitrogen automatically maintains header pressure to the ADS valves. The non-safety-related portion of the system is isolated from the safety-related ADS portion upon receipt of the low header pressure signal. See Section 9.3.1.5.2.
| |
| The local stepping controller used for sequential nitrogen bottle opening is equipped with a local wheel index counter. A remote counter display is also located near the backup N2 supply bottles inside of the reactor building (see Section 9.3.1.2.2). In addition, a low-header pressure alarm is provided to alert the operator to the loss of the ADS pneumatic supply.
| |
| Operation Schematic arrangements of system mechanical equipment is shown in Figure 9.3-2. The CIA component control logic is shown in Figure 7.3-15. Instruments are listed in Table 7.3-13. Operator information displays are shown in Figures 7.3-15 and 9.3-2. The CIA system is always in operation. The instrumentation and controls of the system perform the following functions:
| |
| a. Monitor CIA system header pressure, COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 LDCN-09-007 7.3-20
| |
| : b. Isolate the non-safety-related portion of system in the event of failure in this portion, and
| |
| : c. Maintain CIA system header pressure in the event of item b by sequentially opening nitrogen bottles.
| |
| 7.3.1.2 Design Basis The ESF systems are designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are presented in Chapter 15. 7.3.1.2.1 Variables Monitored to Provide Protective Action The following variables are monitored to provide protective actions by the ESF systems: a. HPCS 1. Reactor vessel low water level (trip level 2), 2. Drywell high pressure; b. ADS 1. Reactor vessel low water level (trip level 3), 2. Reactor vessel low water level (trip level 1); c. LPCS and LPCI 1. Reactor vessel low water level (trip level 1), 2. Drywell high pressure; d. PCRVICS 1. Reactor vessel low water level (trip level 3), 2. Reactor vessel low-low water level (trip level 2), 3. Reactor vessel low-low-low water level (trip level 1), 4. Main steam line high radiation, 5. Main steam line tunnel high ambient or high differential temperature, COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-13-044 7.3-21 6. Main steam line high flow,
| |
| | |
| 7. Main steam line low pressure,
| |
| | |
| 8. Reactor building ventilation exhaust high radiation,
| |
| | |
| 9. RWCU high differential flow or high blowdown flow, 10. RWCU pipe routing and equipment area high ambient temperature or high differential temperature, 11. RHR area high ambient temperature or high differential temperature, 12. RHR shutdown cooling suction high flow,
| |
| | |
| 13. Main condenser low vacuum,
| |
| | |
| 14. Drywell high pressure,
| |
| | |
| 15. RCIC steam line high flow, and
| |
| | |
| 16. RCIC pipe routing area high temperature, or equipment area high ambient temperature or high differential temperature; e. DELETED;
| |
| : f. CSCM - drywell high pressure,
| |
| - suppression chamber high pressure;
| |
| : g. SPCM 1. Suppression pool temperature,
| |
| : 2. Drywell high pressure,
| |
| : 3. Reactor vessel low water level (trip level 1); h. SW System - RHR, LPCS, RCIC, or diesel generator start;
| |
| : i. Main control room and critical switchgear room HVAC 1. High room temperature; COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.3-22 j. Reactor building ventilation and pressure control - reactor building to fuel pool area differential pressure; k. SGT
| |
| : 1. Reactor vessel low water level (trip level 2), 2. Drywell high pressure,
| |
| : 3. Reactor building ventilation high radiation; l. CIA System - instrument air header low pressure; The plant conditions which require protective action involving the ESF systems are described in Chapter 15.
| |
| 7.3.1.2.2 Location and Minimum Number of Sensors See the Technical Specifications for ESF systems, which identifies the minimum number of sensors to monitor safety-related variables. There are no sensors in the ESF systems which have a spatial dependence.
| |
| | |
| 7.3.1.2.3 Prudent Operational Limits
| |
| | |
| Operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious ESF system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds.
| |
| 7.3.1.2.4 Margin
| |
| | |
| The margin between operational limits and the limiting conditions of operation of ESF systems are listed and the bases stated in the Technical Specifications.
| |
| 7.3.1.2.5 Levels
| |
| | |
| Levels requiring protective action are specified in the Technical Specifications.
| |
| 7.3.1.2.6 Range of Transient, Steady State, and Environmental Conditions See Section 3.11 for environmental conditions. See Sections 8.2.1 and 8.3.1 for the maximum and minimum range of energy supply to ESF instrumentation and controls. All ESF instrumentation and controls are specified and purchased to withstand the effects of energy supply extremes.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-23 7.3.1.2.7 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety System Chapters 3, 6, 9, 15, and Appendix F describe the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, LOCA, and pipe break outside containment. Each of these events is discussed below for the ESF systems.
| |
| 7.3.1.2.7.1 Floods. The buildings containing ESF systems components have been designed to meet the probable maximum flood (PMF) at the site location. See Section 2.4. For a discussion of internal flooding protection see Sections 3.4.1.4.1.2, 3.4.1.5.2, and 3.6.
| |
| 7.3.1.2.7.2 Storms and Tornadoes. The buildings containing ESF systems components have been designed to withstand meteorological events described in Section 3.3.
| |
| 7.3.1.2.7.3 Earthquakes. The structures containing ESF systems components have been seismically qualified as described in Sections 3.7 and 3.8 and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.
| |
| 7.3.1.2.7.4 Fires. To protect the ESF systems in the event of a postulated fire, the redundant portions of the systems are isolated by electrical separation barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the ESF systems functions would not be prevented by the fire. The use of spatial separation and barriers ensures that even though some portion of the systems may be affected, the ESF systems will continue to provide the required protective action. A fire detection system using heat detectors and combustion product detectors is provided in Power Generation Control Complex (PGCC) floor sections and in panels containing ESF systems components mounted on these floor sections. A Halon fire suppression system is provided in the same areas.
| |
| 7.3.1.2.7.5 LOCA. The ESF systems components functionally required during and/or following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11.
| |
| | |
| 7.3.1.2.7.6 Pipe Break Outside Primary Containment. The ESF systems are designed and qualified to remain functional during and/or following these events. See Section 3.6.
| |
| 7.3.1.2.7.7 Missiles. Protection for safety-related components is described in Section 3.5.
| |
| 7.3.1.2.8 Minimum Performance Requirements Minimum performance requirements for ESF instrumentation and controls are provided in the Technical Specifications.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-24 7.3.1.3 Final System Drawings Functional and architectural design differences between the PSAR and FSAR are listed in Table 1.3-8.
| |
| 7.3.2 ANALYSIS
| |
| | |
| 7.3.2.1 Engineered Safety Feature Systems - Instrumentation and Controls Chapter 15 and Chapter 6 evaluate the individual and combined capabilities of the ESF systems.
| |
| The ESF systems are designed such that a loss of instrument air, plant load rejection, or turbine trip will not prevent the completion of the safety function.
| |
| 7.3.2.1.1 Conformance to 10 CFR 50 Appendix A The following provides information regarding conformance to those General Design Criteria (GDC) which apply specifically to the ESF systems. See Section 3.1 for a discussion of GDC which apply equally to all safety-related systems.
| |
| GDC 33 See Sections 7.3.1.1.1.1 and 3.1.2.4.4.
| |
| GDC 34 See Section 7.3.1.1.6 and 3.1.2.4.5.
| |
| GDC 35 See Sections 7.3.1.1.1, 7.3.1.1.6, and 3.1.2.4.6.
| |
| GDC 36, 37, 39, 40, 42, 43, 45, 46, and 61 See Section 7.3.2.1.3, Regulatory Guide 1.22. GDC 38 See Sections 7.3.1.1.4, 7.3.1.1.5, and 7.3.1.1.6, and 3.1.2.4.9.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-25 GDC 41 See Sections 7.3.1.1.8 and 3.1.2.4.12.
| |
| GDC 44 See Sections 7.3.1.1.6 and 3.1.2.4.15.
| |
| GDC 60 and 61 See Sections 7.3.1.1.8, 7.3.1.1.3, 3.1.2.6.1, and 3.1.2.6.2.
| |
| GDC 64 See Sections 7.3.1.1.2 and 7.3.1.1.8.
| |
| 7.3.2.1.2 Conformance to IEEE Standards
| |
| | |
| The following provides information regarding conformance to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, which apply specifically to the ESF systems. See Section 7.1.2.3 for a discussion of IEEE standards which apply equally to all safety-related systems.
| |
| | |
| General Functional Requirement (IEEE 279-1971, paragraph 4.1)
| |
| The ESF systems that automatically initiate appropriate protective actions, whenever the parameters described in Section 7.3.1.2.1 reach predetermined limits, with precision and reliability assuming the full range of conditions and performance are discussed in Sections 7.3.1.2 and Chapter 15.
| |
| Single Failure Criterion (IEEE 279-1971, paragraph 4.2)
| |
| The ESF systems are not required to meet the single failure criterion on an individual system (division) basis. However, on a network basis, the single failure criteria does apply to ensure the completion of a protective function. Redundant sensors, wiring, logic, and actuated devices are physically and electrically separated such that a single failure will not prevent the protective function. See Section 8.3.1.4 for a discussion of the CGS separation criteria.
| |
| Quality Components (IEEE-279-1971, paragraph 4.3)
| |
| For a discussion of the quality of ESF system components and modules see Section 3.11.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-26 Equipment Qualification (IEEE 279-1971, paragraph 4.4) Vendor certification requires that the sensors associated with the ESF system variables, manual switches, and trip logic components located in mild environments perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the existing field experience with these components in this application, will serve to qualify these components.
| |
| For a complete discussion of ESF equipment seismic and harsh environment qualification see Sections 3.10 and 3.11.
| |
| Channel Integrity (IEEE 279-1971, paragraph 4.5)
| |
| For a discussion of ESF systems channel integrity under extreme conditions described in Section 7.3.1.2, see Sections 3.10, 3.11, 8.2.1, and 8.3.1.
| |
| Channel Independence (IEEE 279-1971, paragraph 4.6)
| |
| The ESF systems channel independence is maintained through the application of the CGS separation criteria as described in Section 8.3.1.4.
| |
| Control and Protection Interaction (IEEE 279-1971, paragraph 4.7)
| |
| There are no ESF system and control system interactions.
| |
| | |
| Derivation of System Inputs (IEEE 279-1971, paragraph 4.8)
| |
| The ESF variables are direct measures of the desired variables requiring protective actions. See Sections 7.3.1.1.1 through 7.3.1.1.10.
| |
| Capability of Sensor Checks (IEEE 279-1971, paragraph 4.9)
| |
| See Section 7.3.2.1.3, Regulatory Guide 1.22.
| |
| Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
| |
| See Section 7.3.2.1.3, Regulatory Guide 1.22.
| |
| Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
| |
| During periodic tests of any one ESF system channel, a sensor may be valved out of service and returned to service under the administrative control procedures. Since only one sensor is valved out of service at any given time during the test interval, protective action capability for COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-27 ESF system automatic initiation is maintained through the remaining redundant instrument channels.
| |
| Operating Bypasses (IEEE 279-1971, paragraph 4.12)
| |
| The ESF systems contain the following operating bypasses.
| |
| The PCRVICS has two bypasses: (1) main steam line low pressure operating bypass which is imposed by means of the mode switch in the "startup" position (not in "run"). The mode switch cannot be left in this position above approximately 15% of rated power without initiating a scram. Therefore, the bypass is removed by placing the mode switch in the "run" position via the normal reactor operating sequence, and (2) the low condenser vacuum bypass which is imposed by means of four manual bypass switches in conjunction with closure of the turbine throttle valves, the reactor mode switch in any position other than "run," and reactor pressure below the low-pressure setpoint. Bypass removal is accomplished automatically by the opening of the turbine throttle valves or raising reactor pressure above the interlock pressure setpoint or manually by placing any of the four bypass switches in normal position or by placing the mode switch in the "run" position.
| |
| | |
| Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
| |
| For a discussion of bypass and inoperability indication see Section 7.1.2.4, Regulatory Guide 1.47. Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14) Access to means of bypassing any safety action or safety function is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with administrative control of the access to keys, procedurally controlled equipment lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional methods help to prevent inadvertent bypasses or to alert the plant operators to safety function bypasses occurring either from equipment failures or from manually induced bypasses that result as part of testing, maintenance, or equipment repair activities.
| |
| Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is procedurally controlled. When not in use, keys are under the administrative control of the control room supervisor/shift manager and stored in a key locker. The keys are audited once per day by the control room supervisor/shift manager. When operation of a key-locked control switch is required to be immediate, such as in the case of the COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-28 reactor mode switch, the key may be left in the lock during normal plant operation to ensure timely actuation. Multiple Trip Settings (IEEE 279-1971, paragraph 4.15) There are no multiple set points within the ESF systems. Completion of Protective Action Once Initiated (IEEE 279-1971, paragraph 4.16) Each of the automatically ESF system initiation control logic channels seal-in electrically and remain energized after initial conditions return to normal. Deliberate operator action is required to return (reset) an ESF system logic to normal.
| |
| Manual Initiation (IEEE 279-1971, paragraph 4.17)
| |
| See the discussion of Regulatory Guide 1.62 in Section 7.3.2.1.3.
| |
| Access to Setpoint Adjustments (IEEE 279-1971, paragraph 4.18)
| |
| All access to ESF system setpoint adjustments, calibration controls, and test points are under the administrative control of the control room operator.
| |
| Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)
| |
| The ESF protective actions are directly indicated and identified by annunciators located in the main control room and a printed record is available from the process computer and transient data acquisition system.
| |
| | |
| Information Readout (IEEE 279-1971, paragraph 4.20)
| |
| The ESF systems are designed to provide the operator with accurate and timely information pertinent to their status. They do not introduce signals that could cause anomalous indications confusing to the operator.
| |
| | |
| System Repair (IEEE 279-1971, paragraph 4.21)
| |
| The ESF systems are designed to permit repair or replacement of components.
| |
| Recognition and location of a failed component will be accomplished during periodic testing or by annunciation in the main control room.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.3-29 Identification (IEEE 279-1971, paragraph 4.22) The ESF panels are identified by nameplates. The nameplate shows the division to which each panel or rack is assigned and also identifies the function in the system of each item of the control panel. The system to which each externally mounted relay belongs is identified on the relay panels.
| |
| | |
| Wiring and cabling outside of panels are labeled to indicate its divisional assignment as well as its system assignment (see Section 8.3.1.3).
| |
| 7.3.2.1.3 Conformance to Regulatory Guides The following is a discussion of conformance to those Regulatory Guides which apply specifically to the ESF systems. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems.
| |
| Regulatory Guide 1.22 - 1972 The ESF systems instrumentation and controls are capable of being tested during normal plant operation (unless that testing is detrimental to plant availability) to verify the operability of each system component. Testing of safety-related sensors is accomplished by valving out each sensor, one at a time, and applying a test pressure source or as in the case of the main steam line radiation sensors, the sensors may be removed and test sources applied. This verifies the operability of the sensor, sensor contacts, and the sensor setpoint. Associated logic components are typically tested during plant shutdown conditions when component activation is not detrimental to plant operation. Functional operability of temperature sensors may be verified by readout comparisons, applying a heat source to the locally mounted temperature sensing elements or by continuity testing.
| |
| For the HPCS, LPCS, and LPCI, testing for functional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in conjunction with single sensor tests. Annunciation is provided in the main control room whenever a test plug is inserted in a jack to indicate to the operator that an ECCS is in a test status.
| |
| Operability of air-operated, solenoid-operated, and motor-operated valves is verified by actuating the valve control switches and monitoring the position change by position indicating lights at the control switch.
| |
| | |
| The ESF systems are provided with indications, status displays, annunciation, and computer printouts which aid the control room operator during periodic system tests to verify component operability.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-05-009 7.3-30 Regulatory Guide 1.53 - 1973 See IEEE 279 paragraph 4.2 in Section 7.3.2.1.2.
| |
| Regulatory Guide 1.62 - 1973 The HPCS, LPCS, and the Division 2 LPCI system can be manually initiated at the system level from the main control room by actuation of armed push buttons. The LPCS push button also initiates the Division 1 LPCI system. The ADS and the PCRVICS (except RCIC is manually isolated at the system level by its "Manual Isolation Push Button") are manually initiated at the system (division) level by actuation of two armed push buttons (one for each logic channel). The CIA system provides pneumatic pressure for opening of the ADS valves and is normally in service. A safety-related source of pressurized nitrogen will automatically come on line if the normal supply cannot maintain system pressure above a preset pressure. There is no remote manual initiation of the CIA system.
| |
| | |
| The CSCM is manually initiated at the system (division) level by actuation of the RHR pump start control switch and by opening the containment spray or suppression chamber spray valves.
| |
| | |
| The SPCM is manually initiated from the main control room by actuation of system pump and valve controls.
| |
| The SW system is manually initiated at the system (division) level by actuation of the pump start control switch.
| |
| | |
| The main control room and critical switchgear HVAC is manually initiated at the system (division) level by actuation of individual fan start control switches.
| |
| The SGT is manually initiated at the system (division) level by actuation of the system start control switch.
| |
| | |
| The actuation of the system level manual initiation switches simulates all the actions of automatic or manual (individual equipment initiation) system actuation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-1 High-Pressure Core Spray System Instrumentation Function Instrumenta 7.3-31 Reactor vessel low water level (level 2) Level switch (B22-N031A-D)
| |
| MS-LIS-31A-D Drywell high pressure Pressure switch (B22-N047A-D)
| |
| MS-PS-47A-D Reactor vessel high water level (level 8) Level switch (B22-N100A, B)
| |
| MS-LIS-100A, B Pump minimum flow Flow switch (E22-N006)
| |
| HPCS-FIS-6 Suppression pool high water level Level switch (E22-N002A, B)
| |
| HPCS-LS-2A, B Condensate storage tanks low level Level switch (E22-N001A, B)
| |
| HPCS-LS-1A, B Condensate supply line level Pressureswitch HPCS-PS-3A, B a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-2 Automatic Depressurization System Instrumentation Function Instrumenta 7.3-32 Reactor vessel low water level (level 3) Level switch (B22-N038A, B)
| |
| MS-LIS-38A, B Reactor vessel low water level (level 1) Level switch (B22-N037A-D)
| |
| MS-LIS-37A-D Low-pressure coolant injection permissive Pressure switch (E12-N016A-C)
| |
| RHR-PS-16A-C (E12-N019A-C)
| |
| RHR-PS-19A-C Low-pressure core spray permissive Pressureswitch (E21-N001) LPCS-PS-1 (E21-N009)
| |
| LPCS-PS-9 Automatic depressurization time delay Timer B22-K5AA (MS-RLY-ADK5AA)
| |
| B22-K5BB (MS-RLY-ADK5BB) a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-3 Low-Pressure Core Spray System Instrumentation Function Instrumenta 7.3-33 Reactor vessel low water level (level 1) Level switch MS-LIS-37A, C (B22-N037A, C) Drywell high pressure Pressure switch MS-PS-48A, C (B22-N048A, C) Injection valve permissive Pressureswitch MS-PS-413C (B22-N413C) Pump minimum flow bypass Flow switch LPCS-FIS-4 (E21-N004) a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-4 Low-Pressure Coolant Injection Instrumentation Function Instrumenta 7.3-34 Reactor vessel low water level (level 1) Level switch MS-LIS-37A-D (B22-N037A-D) Drywell high pressure Pressure switch MS-PS-48A-D (B22-N048A-D) Low-pressure coolant injection pump delay (on loss of normal power) Timer RHR-RLY-K70A, B Injection valve permissive Pressureswitch MS-PS-413A, B, D (B22-N413A, B, D) Pump minimum flow bypass Flow switch RHR-FIS-10A-C (E12-N010A-C) a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 Table 7.3-5 Primary Containment and Reactor Vessel Isolation Control System Instrumentation Function Instrumenta LDCN-09-007 7.3-35 Reactor vessel low water level (level 3) Level switch MS-LIS-24A-D (B22-N024A-D) Reactor vessel low-low water level (level 2) Level transmitter MS-LT-61A-D Level switch MS-LS-300A-D Reactor vessel low-low-low water level (level 1) Level transmitter MS-LT-61A-D Level switch MS-LIS-200A-D Main steam line high radiation [closes RRC-V-19 (20)] Radiation monitor MS-RIS-610A-D (D17-K610A-D) Main steam line tunnel high temperature Main steam line tunnel high differential temperature Temperature monitor LD-MON-2A (2B) Main steam line low pressure Pressure switch MS-PS-15A-D (B22-N015A-D) Drywell high pressure Pressure switch RPS-PS-2A-D (C72-N002A-D) Reactor building ventilation exhaust high radiation Radiation monitor REA-RIS-609A-D (D17-K609A-D) Main condenser low vacuum Pressure switch MS-PS-56A-D (B22-N056A-D)
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 Table 7.3-5 Primary Containment and Reactor Vessel Isolation Control System Instrumentation (Continued) Function Instrumenta 7.3-36 Main steam line high flow Differential pressure switch MS-DPIS-8A-D (E31-N008A-D) MS-DPIS-9A-D (E31-N009A-D)
| |
| MS-DPIS-810A-D (E31-N010A-D)
| |
| MS-DPIS-11A-D (E31-N011A-D) RWCU system high differential flow Flow Switch LD-FS-605A,B RWCU blowdown line high flow Flow Switch LD-FS-15,16 RWCU equipment areas high temperature RWCU equipment areas high differential temperature Temperature Monitor LD-MON-1A,1B RHR shutdown cooling suction high flow Differential Pressure Switch RHR-DPIS-12A,B RHR equipment areas high temperature RHR equipment areas high differential temperature Temperature Monitor LD-MON-2A,2B RCIC steam supply line high flow Differential pressure switch RCIC-DPIS-13A,B RCIC-DPIS-7B RCIC equipment areas high temperature RCIC equipment areas high differential temperature Temperature Monitor LD-MON-1A,1B a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-6 DELETED LDCN-02-032, 05-009 7.3-37
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-7 Residual Heat Removal System - Containment Spray Cooling Mode System Instrumentation Function Instrumenta . 7.3-38 Drywell high pressure Pressure switch (B22-N048A-D)
| |
| MS-PS-48A-D Reactor vessel low water level (level 1) Level switch (B22-N037A-D)
| |
| MS-LIS-37A-D a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-8 Residual Heat Removal System - Suppression Pool Cooling Mode System Instrumentation Function Instrumenta 7.3-39 Reactor vessel low water level (level 1) Level switch (B22-N037A-D)
| |
| MS-LIS-37A-D Drywell high pressure Pressure switch (B22-N048A-D)
| |
| MS-PS-48A-D Suppression pool temperature - high Temperaturerecorder CMS-TR-5, 6 Temperatureindicator SPTM-TI-5 a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-9 Standby Service Water System Instrumentation Function Instrument 7.3-40 Standby service water discharge pressure low Pressure switch SW-PS-1A, 1B, and 40B Spray pond temperature Temperature switch SW-TS-1A, 1B, 1C, and 1D COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 Table 7.3-10 Main Control Room and Critical Switchgear Room HVAC System Instrumentation Function Instrumenta LDCN-13-044 7.3-41 Control room temperature Temperature controller WMA-TIC-11A, B Switchgear rooms temperature Temperature controllers WMA-TIC-52A, B WMA-TIC-53A, B Reactor vessel low-low water level (level 2) Level transmitter MS-LT-61A-D Level switch MS-LS-300A-D Drywell high pressure Pressure switch (C72-N002A-D)
| |
| RPS-PS-2A-D Reactor building ventilation exhaust high radiation Radiation monitor (D17-K609A-D)
| |
| REA-RIS-609A-D a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 Table 7.3-11 Standby Gas Treatment System Instrumentation Function Instrumenta LDCN-09-007 7.3-42 Reactor vessel low-low water level (level 2) Level transmitter MS-LT-61A-D Level switch MS-LS-300A-D Drywell high pressure Pressure switch (C72-N002A-D)
| |
| RPS-PS-2A-D Reactor building ventilation exhaust high radiation Radiation monitor (D17-K609A-D)
| |
| REA-RIS-609A-D a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-12 Reactor Building Ventilation and Pressure Controller System Instrumentation Function Instrument 7.3-43 Reactor building differential pressure Differential pressuretransmitter REA-DPT-1A1-1A4 REA-DPT-1B1-1B4 Differentialpressurecontroller REA-DPIC-1A, 1B COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-13 Containment Instrument Air System Instrumentation Function Instrument 7.3-44 Safety-related header pressure - low Pressure switch CIA-PIS-21A, B Safety-related header pressure - low Pressure switch CIA-PS-22A, B Non-safety-related header pressure - low Pressure switch CIA-PS-39A, B COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.3-14 DELETED LDCN-02-032, 05-009 7.3-45
| |
| | |
| {}}
| |
| | |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 LDCN-03-076 7.4-1 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN 7.4.1 DESCRIPTION
| |
| | |
| This section discusses the instrumentation and controls of the following systems required for safe plant shutdown:
| |
| : a. Reactor core isolation cooling (RCIC) system, b. Standby liquid control (SLC) system,
| |
| : c. Residual heat removal shutdown cooling mode (RHR-SDC),
| |
| : d. Remote shutdown system (RSS),
| |
| : e. Anticipated transient without scram recirculation pump trip system (ATWS-RPT), and
| |
| : f. Anticipated transient without scram alternate rod insertion (ATWS-ARI). The systems discussed in this section are all capable of assisting the operator in achieving a safe plant shutdown. The remote shutdown and SLC systems are manually operated backups to the control room and reactor manual control systems, respectively, and are only required for special event conditions. Their use is not required to achieve a safe shutdown under normal, transient, or accident conditions. The normal shutdown cooling mode of residual heat removal (RHR) is available to the operator to remove residual heat when the reactor is shut down. Recirculation pump trip (ATWS-RPT) is used in conjunction with alternate rod insertion (ARI) and SLC to mitigate an ATWS event. Design of the ATWS-RPT and ARI systems is in accordance with the criteria provided in Reference 7.4-1. Loss of any of the systems will not impede safe shutdown of the plant. As such these systems are not required to be safety-related (except RCIC and alternate RHR SDC) and have not been designed to meet safety system requirements.
| |
| | |
| The sources that supply power to the safe shutdown systems originate from onsite ac and/or dc safety-related and non-safety-related buses. See Chapter 8 for a complete discussion of the safety-related and non-safety-related power sources.
| |
| | |
| 7.4.1.1 Reactor Core Isolation Cooling System 7.4.1.1.1 Function
| |
| | |
| The RCIC system (see Section 5.4.6.2) is designed to maintain or supplement reactor vessel water inventory during the following conditions.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-04-027 7.4-2
| |
| : a. Normal Operation. When the reactor vessel is isolated from its primary heat sink (main condenser) and accompanied by a loss or unavailability of the reactor feedwater system; and
| |
| : b. When the plant is being shut down and normal coolant flow from the feedwater system is stopped before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation. 7.4.1.1.2 Operation
| |
| | |
| Schematic arrangements of system mechanical equipment are shown in Figure 5.4-11. The RCIC system component control logic is shown in Figure 7.4-1. Instruments are listed in Table 7.4-1. Operator information displays are shown in Figures 5.4-11 and 7.4-1.
| |
| The RCIC system can be initiated either manually or automatically. The control room operator can initiate RCIC by operating the manual initiation push button which simulates an automatic initiation or by activating each piece of equipment sequentially as required.
| |
| The RCIC system is automatically initiated by four redundant level switches, arranged in a one-out-of-two-twice logic configuration, which sense reactor vessel low water level (trip level 2).
| |
| | |
| The RCIC steam line isolation and the turbine steam exhaust motor-operated valves are normally open with their control switches key locked in the open position, and the turbine trip and throttle valve is normally open and these valves require no change of position for automatic system initiation. (Note: the key locked control switches do not prevent automatic isolation of these valves.)
| |
| | |
| The RCIC system responds to an automatic initiation signal as follows (actions are simultaneous unless stated otherwise):
| |
| : a. The pump suction from the condensate storage tanks valve RCIC-V-10 (MO F010) is signaled open; b. To ensure pump discharge flow is directed to the reactor vessel only, the test return line to the condensate storage tanks valves RCIC-V-22 (MO F022) and RCIC-V-59 (MO F059) are signaled closed; c. The turbine steam inlet and the turbine lube oil cooler cooling water supply valves RCIC-V-45 (MO F045) and RCIC-V-46 (MO F046) are signaled to open; COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-04-027 7.4-3 d. When the turbine steam inlet valve RCIC-V-45 (MO F045) starts to open, the RCIC pump discharge to reactor vessel valve RCIC-V-13 (MO F013) and the turbine lube oil cooler supply valve RCIC-V-46 (F046) are signaled open. Valves RCIC-V-13 (MO F013) and RCIC-V-46 (F046) are prohibited from opening or if open, automatically closes when RCIC-V-45 (MO F045) or the turbine trip and throttle valve RCIC-V-1 (MO F001) is closed. A one-out-of-two-twice limit switch logic trips the main turbine on the opening of RCIC-V-13 (MO F013) and RCIC-V-45 (MO F045) to limit moisture introduction; e. The barometric condenser vacuum tank vacuum pump is signaled to start; and f. When valve RCIC-V-45 (MO F045) leaves the closed position the RCIC turbine is accelerated until the automatic flow controller setpoint is reached and the system discharge flow is controlled by the turbine electronic governor mechanism.
| |
| RCIC flow may be directed away from the vessel by diverting the pump discharge to the CST.
| |
| This is accomplished by closing injection valve RCIC-V-13 and opening the test return valves (RCIC-V-22 and 59). The system is returned to injection mode by closing RCIC-V-59 and then opening RCIC-V-13. This mode of operation will not be used during events where an unacceptable source term is identified in primary containment. Diverting RCIC flow to the CST is not a safety-related function nor does this mode affect the ability of RCIC to initiate during plant transients. The system automatically switches to injection mode if the water level decreases to the low level initiation point (Level 2).
| |
| During system operation if the barometric condenser vacuum tank water level becomes high the condenser condensate discharge pump is automatically started and the condensate returned to the RCIC pump suction. When the system is not operating excess tank water is discharged through isolation valves RCIC-V-4 (AO F004) and RCIC-V-5 (AO F005) to the equipment drain system.
| |
| | |
| In the event the water level in the condensate storage tanks should become low the RCIC pump suction is automatically transferred from the condensate storage tank(s) to the suppression pool by opening valve RCIC-V-31 (MO F031). Two level switches mounted on a Seismic Category I standpipe in the reactor building are used to detect low water level in the condensate storage tank(s). Either switch can cause automatic suction transfer. Once valve RCIC-V-31 (F031) is fully open the condensate storage tank valve RCIC-V-10 (MO F010) is automatically closed.
| |
| | |
| The RCIC system includes design features which provide system equipment protection or accomplish primary containment isolation if certain types of abnormal events occur. The RCIC turbine is automatically shut down by closing the turbine trip and throttle valve, RCIC-V-1 (MO F001), if any of the following conditions are detected:
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.4-4 a. RCIC isolation signals: i. Low reactor pressure ii. High steam line flow iii. Instrumentation line break iv. High differential temperature across RCIC area cooler v. RCIC equipment area high temperature vi. High turbine exhaust diaphragm pressure vii. Manual isolation b. Turbine overspeed
| |
| : c. High turbine exhaust pressure
| |
| : d. Low pump suction pressure e. Low pressure in the RCIC discharge header f. Manual turbine trip actuated by the control room operator. The steam inlet valve RCIC-V-45 (MO F045) is automatically closed and the turbine is shut down if the reactor vessel high water level (level 8) is reached. The isolation valve for RCIC turbine lube oil cooling water, RCIC-V-46 (MO F046), automatically closes if RCIC-V-45 (MO F045) closes, or if the turbine trip and throttle valve RCIC-V-1 closes. Valves RCIC-V-45 (MO F045) and RCIC-V-46 (MO F046) will reopen automatically and the turbine restarts when the water level is subsequently reduced to the low level initiation (level 2).
| |
| Turbine trip throttle valve RCIC-V-1 automatically closes upon detection of low pressure in the discharge header of RCIC-P-1. The valve closure prevents the automatic initiation of RCIC in conditions where water hammer may result.
| |
| To protect the RCIC pump from overheating during low flow conditions the pump discharge flow and pressure are monitored. If the pump discharge pressure switch indicates the pump is running and the pump discharge flow switch indicates low flow, the minimum flow return line valve RCIC-V-19 (MO F019) is automatically opened. The minimum flow valve is automatically closed when flow is normal or when either the turbine trip and throttle valve (RCIC-V-1) or the steam inlet valve RCIC-V-45 (MO F045) is closed.
| |
| Air operated (AO) valves RCIC-V-25, RCIC-V-26, and RCIC-V-54 (AO F025, AO F026, and AO F054) and a condensate drain pot are provided in a drain pipe line arrangement just upstream of the turbine inlet valve. On receipt of an RCIC initiation signal, the drainage path is isolated by closing RCIC-V-25 and RCIC-V-26 (AO F025 and AO F026). The water level in the steam line drain condensate pot is controlled by a level switch and a valve RCIC-V-54 (AO F054) which energizes to allow condensate to flow out of the drain pot by bypassing the steam trap, in the event that the trap fails to adequately remove the condensate.
| |
| The RCIC system turbine exhaust line vacuum breaker isolation valves RCIC-V-110 (MO F080) and RCIC-V-113 (MO F086) are normally open but close automatically following COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.4-5 system trip when both the low steam line pressure and high drywell pressure setpoint are exceeded.
| |
| The leak detection and other protective signals of RCIC system will automatically signal the steam line warmup valve RCIC-V-76 (MO F076) closed, override the key lock control switch position and signal the steam line inboard isolation valve RCIC-V-63 (MO F063) and the outboard steam line isolation valve RCIC-V-8 (MO F008) closed if any of the following abnormal conditions exist: a. Redundant temperature switches sense RCIC pump room area ventilation air inlet and outlet high differential temperature or high ambient temperature; b. Redundant temperature switches sense RCIC pipe routing area high ambient temperature;
| |
| : c. Redundant differential pressure switches sense RCIC steam line high flow or instrument line break (after an approximate 3 sec delay);
| |
| : d. Redundant pressure switches sense RCIC turbine exhaust diaphragm high pressure. Both switches in the same division must actuate to cause isolation; and
| |
| : e. A pressure switch senses RCIC low steam supply pressure.
| |
| For a complete description of the RCIC system leak detection isolation signal, see Section 7.6.1.3.1.
| |
| The RCIC system may be isolated after initiation by the control room operator by actuation of a push button which causes the outboard steam line isolation valve to close.
| |
| 7.4.1.2 Standby Liquid Control System 7.4.1.2.1 Function
| |
| | |
| The SLC system (see Section 9.3.5) instrumentation is designed to initiate injection of a liquid neutron absorber into the reactor. Other instrumentation is provided to maintain this liquid chemical solution well above saturation temperature in readiness for injection.
| |
| The SLC system is a redundant method of manually shutting down the reactor to cold shutdown conditions from normal operation or from anticipated transient conditions when manual control rod insertion capability is lost. For the anticipated transient condition, boron solution can be injected into the reactor pressure vessel by running both SLC pumps COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.4-6 simultaneously. The quantity of boron required to shut down the nuclear reaction can be injected in approximately 1 hr (see Section 9.3.5.2). 7.4.1.2.2 Operation
| |
| | |
| Schematic arrangements of system mechanical equipment is shown in Figure 9.3-14. The SLC system component control logic is shown in Figure 7.4-2. Operator information displays are shown in Figures 9.3-14 and 7.4-2. The SLC system is initiated by the control room operator by turning the SYSTEM A or the SYSTEM B or both key locked switches to the OPERATE positions. When either or both of these switches are activated, both of the explosive-operated valves fire and both tank discharge valves (SLC-V-1A and SLC-V-1B) start to open immediately. The pumps are interlocked so that at least one of the two storage tank discharge valves (or the test tank discharge valve when testing) must be open for either or both pumps to run. When the SLC system is initiated, the outboard isolation valve of the reactor water cleanup (RWCU) system is automatically closed. This prevents removal of the injected boron by the RWCU demineralizers.
| |
| | |
| 7.4.1.3 Residual Heat Removal System/Shutdown Cooling Mode 7.4.1.3.1 Function
| |
| | |
| The normal shutdown cooling mode (see Section 5.4.7.1) of the RHR system is used when the reactor is shutdown and, if available, can be used for long-term cooling after vessel water level has been restored following accident conditions.
| |
| | |
| The RHR-SDC consists of instrumentation designed to provide decay heat removal capability for the core by accomplishing the following:
| |
| a. Reactor cooling during shutdown operation after the vessel pressure is reduced to approximately 48 psig,
| |
| : b. Cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished, and
| |
| : c. Diverting part of the shutdown flow to the reactor vessel head to condense the steam generated from the hot walls of the vessel while it is being flooded.
| |
| 7.4.1.3.2 Operation
| |
| | |
| See Section 5.4.7.2.6 for a complete description of the RHR-SDC operation.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.4-7 7.4.1.4 Remote Shutdown Systems 7.4.1.4.1 Function
| |
| | |
| The RSS are designed to achieve a cold reactor shutdown from outside the main control room following these postulated conditions:
| |
| a. The plant is at normal operating conditions and all plant personnel have been evacuated from the main control room and it is inaccessible;
| |
| : b. The initial event that causes the main control room to become inaccessible is assumed to be such that the reactor operator can manually scram the reactor before leaving the main control room. Though the capability exists to manually scram from outside the control room, plant procedures realistically call for scramming before exiting the control room;
| |
| : c. The main turbine pressure regulators may be controlling reactor pressure via the bypass valves. However, in the interest of demonstrating that the plant can accommodate even loss of the turbine controls, it is assumed that this turbine generator control panel function is also lost. Therefore, main steam line isolation is assumed to occur at a specified low turbine inlet pressure and reactor pressure is relieved through the relief valves to the suppression pool;
| |
| : d. The reactor feedwater system which is normally available is also assumed to be inoperable. Reactor vessel water inventory is provided by the RCIC system or automatic depressurization system (ADS) and RHR as described in Section 7.4.1.4.2; and
| |
| : e. Emergency dc power is assumed to be available. The RSS are required only during times of main control room inaccessibility when normal plant operating conditions exist, i.e., no transients or accidents are occurring. Following such an event the remote shutdown function is provided by two redundant systems: the RSS and the alternate RSS. 7.4.1.4.2 Operation
| |
| | |
| Some of the existing systems used for normal reactor shutdown operation are also used in the remote shutdown capability to shut down the reactor from outside the main control room. The functions needed for remote shutdown control are provided with manual transfer switches that override controls from the main control room and transfer the controls to the remote shutdown control panels. Remote shutdown control is not possible without actuation of the transfer COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.4-8 devices. Necessary power supplies and control logic are also transferred. Operation of the transfer switches causes an alarm in the main control room. During a main control room fire it has been postulated that high-to-low pressure interface valves RHR-V-8 and RHR-V-9 (series isolation valves) can simultaneously open. This would result in a loss-of-coolant accident (LOCA) outside the primary containment with no mitigation; these valves cannot close against a 1000 psi differential. For this reason, during normal plant operation, power is removed from RHR-V-9. This precludes operation via spurious control circuit energization. Access to the remote shutdown panel is administratively and procedurally controlled. All system equipment controls (for essential valves and pumps) necessary for proper system lineup and complete system control are located on the remote shutdown panels.
| |
| | |
| The remote shutdown function can be effected by one of two redundant systems. The primary (preferred) system uses the RHR system loop B (RHRB) while the secondary uses RHR loop A and is designated as the alternate RSS. The RCIC system is not required for reactor safe shutdown when using the minimum systems analyzed in GE document NEDO-24708A. Consequently, the mode of depressurization used for the alternate RSS is based on a rapid depressurization (ADS) in going from event initiation directly to cold shutdown where the low pressure system (RHR A) is used in the alternate shutdown cooling mode. This flow path uses the suppression pool as a heat sink when the service water system (SW loop A) is needed to bring the reactor to the cold low pressure condition.
| |
| When the RCIC system is available, then manual actuation of relief valves and the initiation of the RCIC system will maintain reactor water inventory and bring the reactor to a hot shutdown condition after scram. During this phase of shutdown, the suppression pool will be cooled by operating the RHR system in the suppression pool cooling mode. Reactor pressure will be controlled and core decay and sensible heat rejected to the suppression pool by relieving steam pressure through the relief valves.
| |
| | |
| Manual operation of the relief valves will cool the reactor and reduce its pressure at a controlled rate until reactor pressure becomes so low that the RCIC system is unable to sustain operation. The RHR system will then be operated in the shutdown cooling mode using the RHR system heat exchanger to cool reactor water and bring the reactor to the cold low pressure condition. Equipment/functions that have transfer and control switches or indicators located on the remote shutdown and the alternate remote shutdown control panels are shown in the Licensee Controlled Specifications.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.4-9 7.4.1.5 Anticipated Transient Without Scram - Recirculation Pump Trip 7.4.1.5.1 Function
| |
| | |
| The ATWS-RPT function is to trip the reactor recirculation pumps in the event of an abnormal operating occurrence in conjunction with failure of the reactor protection system (RPS).
| |
| 7.4.1.5.2 Operation Schematic arrangement of system mechanical equipment is shown in Figure 5.4-6. The ATWS-RPT is automatically initiated by reactor vessel low water level (level 2) and/or reactor vessel high pressure. Instruments are listed in Table 7.4-2. The sensor logic configuration is "one-out-of-two-twice" for tripping the reactor recirculating pump feeder breakers. See Figure 7.4-3.
| |
| The ATWS-RPT system is an energize-to-operate system. The sensor logic channels and the feeder breaker trip coil circuitry receive power from the 125-V dc batteries from Divisions 1 and 2. 7.4.1.6 Anticipated Transient Without Scram - Alternate Rod Insertion 7.4.1.6.1 Function
| |
| | |
| The ATWS-ARI function is to actuate valves in the scram air header to reduce the air pressure in the header allowing the scram inlet and discharge valves to open providing an alternate scram. The design is diverse and independent from the RPS.
| |
| 7.4.1.6.2 Operation
| |
| | |
| Schematic arrangement of the system mechanical equipment is shown in Figure 4.6-5. Logic arrangement is shown in Figures 7.4-4 and 7.4-5.
| |
| The ATWS-ARI is automatically initiated by reactor vessel low water level or reactor vessel high pressure. Instruments are listed in Table 7.4-3. The sensor logic configuration is "two-out-of-two" for either parameter input for energizing the scram air header exhaust solenoid valves to vent the header. The system can also be actuated manually. The ATWS-ARI is an energize-to-operate system. The sensor logic channels and solenoid valves receive power from the 125-V dc batteries from Divisions 1 and 2.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 7.4-10 7.4.1.7 Design Basis The safe shutdown systems are designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary (RCPB). Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are presented in Chapter 15. No design basis accident shall be considered for the RSS systems (including LOCA). Therefore, control of engineered safety feature (ESF) systems for protective action outside the main control room is not required.
| |
| 7.4.1.7.1 Variables Monitored to Provide Protective Actions All safe shutdown systems are initiated by operator actions, with the exception of ATWS-RPT and ATWS-ARI which are actuated by level and/or pressure sensors and RCIC which is activated by low reactor vessel water level (level 2).
| |
| | |
| The plant conditions which require protective action involving safe shutdown are described in Chapter 15.
| |
| | |
| 7.4.1.7.2 Location and Minimum Number of Sensors The Technical Specifications identify the minimum number of sensors required to monitor safety-related variables. There are no sensors in the safe shutdown systems which have a spatial dependence.
| |
| | |
| 7.4.1.7.3 Prudent Operational Limits
| |
| | |
| Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious safe shutdown system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds.
| |
| 7.4.1.7.4 Margin The margin between operational limits and the allowable values for safe shutdown systems are addressed for those parameters listed in the Technical Specifications. 7.4.1.7.5 Levels
| |
| | |
| Levels requiring protective action are established in the Technical Specifications.
| |
| COLUMBIA GENERATING STATION Amendment 57 FINAL SAFETY ANALYSIS REPORT December 2003 LDCN-98-078 7.4-11 7.4.1.7.6 Range of Transient, Steady State, and Environmental Conditions See Section 3.11 for environmental conditions. See Sections 8.2.1 and 8.3.1 for the maximum and minimum range of energy supply to the safe shutdown systems instrumentation and controls. All safety-related instrumentation and controls are specified and purchased to withstand the effects of energy supply extremes.
| |
| The ATWS-RPT and ATWS-ARI systems are required to function only during an anticipated operational occurrence, not a design basis accident. Therefore, all the ATWS-RPT and ATWS-ARI equipment is located outside containment and is qualified for the temperature, pressure, humidity, and radiation levels experienced during the anticipated operational occurrence.
| |
| | |
| 7.4.1.7.7 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems Chapter 15 describes the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, LOCA, pipe break outside containment, and feedwater line break. Each of these events is discussed below for the safe shutdown systems.
| |
| 7.4.1.7.7.1 Floods. The buildings containing safe shutdown system components have been designed to meet the probable maximum flood (PMF) at the site location. See Section 2.4. For a discussion of internal flooding protection see Sections 3.4 and 3.6.
| |
| 7.4.1.7.7.2 Storms and Tornadoes. The buildings containing safe shutdown system components have been designed to withstand meteorological events described in Section 3.3.
| |
| 7.4.1.7.7.3 Earthquakes. The structures containing safe shutdown system components have been seismically qualified (or shown to maintain integrity) as described in Sections 3.7 and 3.8 and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.
| |
| 7.4.1.7.7.4 Fires. To protect the safe shutdown systems in the event of a postulated fire, the redundant portions of the safe shutdown systems are isolated by electrical separation barriers or physical distance. The use of separation and barriers ensures that even though some portion of the systems may be affected, the safe shutdown systems will continue to provide the required protective action. A fire detection system using heat detectors and product of combustion detectors is provided in power generation control complex (PGCC) floor sections and in panels containing safe shutdown system components mounted on these floor sections. A Halon fire suppression system is provided in the same areas. See Appendix F for a discussion of Appendix R fire protection.
| |
| COLUMBIA GENERATING STATION Amendment58 FINAL SAFETY ANALYSIS REPORT December2005 LDCN-03-076 7.4-12 7.4.1.7.7.5 Loss-of-Coolant Accident. The safe shutdown systems components located inside containment which are functionally required following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11.
| |
| 7.4.1.7.7.6 Pipe Break Outside Primary Containment. Protection is provided for safe shutdown system components, as required from the effects of breaks outside primary containment. See Section 3.6.
| |
| 7.4.1.7.7.7 Missiles. Protection for safe shutdown systems is described in Section 3.5.
| |
| 7.4.1.7.8 Minimum Performance Requirements Minimum performance requirements for safe shutdown systems instrumentation and controls are provided in the Technical Specifications.
| |
| | |
| 7.4.1.8 Final System Drawings Functional and architectural design difference between the PSAR and FSAR are listed in Table 1.3-8.
| |
| 7.4.2 ANALYSIS
| |
| | |
| The safe shutdown systems are designed such that loss of instrument air, a plant load rejection, or a turbine trip will not prevent the completion of the safety function. No abnormal operation is assumed for the RSS which, by itself, performs no safety-related function.
| |
| 7.4.2.1 Conformance to 10 CFR 50 Appendix A - General Design Criteria The following is a discussion of conformance to those general design criteria (GDC) which apply specifically to the safe shutdown systems. See Section 3.1 for a discussion of GDC which apply equally to all safety-related systems.
| |
| GDC 19 - Control Room The RSS consists of equipment located outside the control room which is sufficient to provide and ensure safe shutdown of the reactor.
| |
| GDC 34 - Residual Heat Removal Refer to Section 3.1.2.4.5.
| |
| COLUMBIA GENERATING STATION Amendment58 FINAL SAFETY ANALYSIS REPORT December2005 LDCN-03-076 7.4-13 7.4.2.2 Conformance to IEEE Standards The following is a discussion of conformance to IEEE 279-1971 which applies specifically to the safe shutdown systems. See Section 7.1.2.3 for a discussion of IEEE Standards which apply equally to all safety-related systems.
| |
| | |
| General Functional Requirement (IEEE 279-1971, paragraph 4.1)
| |
| Since the RSSs, by themselves, do not perform any safety-related function, they do not fall within the criteria set by IEEE 279. However, since certain RSS components interface with safety-related systems, such as RHR and RCIC, during normal operation, they are part of those systems and meet the design criteria for those systems. Remote shutdown is provided by two redundant systems: the Division 2 RSS and the Division 1 alternate RSS. Portions of these systems are electrically separated by the physical and spatial requirements described in Section 8.3.1.4. A design basis fire in the main control room that fails all components to their worst operational state is considered an incredible event. As such only the Division 2 power distribution system for the Division 2 remote shutdown is completely isolated from the effects of a main control room fire. Control room interaction that would result in the loss of power to the alternate RSS as well, is not considered credible per Columbia Generating Station (CGS) SSER commitments (licensing condition 12). The RSSs consist of components that are qualified to Quality Class I and Seismic Category I requirements. Operation of any RSS transfer switch is annunciated in the main control room.
| |
| The RCIC is automatically initiated when reactor vessel water level is determined to be below a predetermined limit.
| |
| | |
| The SLC system is initiated by the control room operator. Display instrumentation in the control room provides the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status allowing assessment of the need for initiation of the SLC system.
| |
| | |
| The ATWS-RPT and ATWS-ARI are automatically initiated when reactor vessel low water level and/or reactor vessel high pressure predetermined limits are exceeded. ATWS-RPT and ATWS-ARI do not perform a safety-related function and do not fall within the criteria of IEEE 279. However, applicable paragraphs of IEEE 279 are addressed in the following paragraphs:
| |
| Single-Failure Criterion (IEEE 279-1971, paragraph 4.2)
| |
| The reactor shutdown cooling function is safety related and required to comply with single failure requirements of IEEE 279 and GDC 34. However, the preferred RHR-SDC suction path uses a single loop of the RRC system through two series, redundant division, isolation COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 LDCN-03-076 7.4-14 valves RHR-V-8 and RHR-V-9 and is, therefore, not single failure proof. To meet the single failure requirements of IEEE 279 and GDC 34, a safety related, single failure proof design for this function is provided by the alternate shutdown cooling mode of RHR. See Section 5.4.7.1.1 and the notes to Figure 15.2-10, Activity C1 or C2 for a complete discussion of the alternate shutdown cooling mode of RHR. The alternate shutdown cooling mode is safety related and single failure proof in that two redundant divisions of equipment are available. Since the normal shutdown cooling mode is the preferred path, Energy Northwest will maintain all the preferred path components as safety related, Quality Class I. The RCIC system alone is not required to meet the single-failure criterion. The RCIC initiation and isolation initiation sensors and associated logic do, however, meet the single-failure criterion for automatic system initiation or isolation. The single-failure criteria is met through physical and electrical separation of equipment as described in Section 8.3.1.4. The SLC system serves as backup to the control rod drive (CRD) system for controlling reactivity if the CRD fails and is required for ATWS. It is not necessary for the SLC system to meet the single failure criterion.
| |
| | |
| The ATWS-RPT and ATWS-ARI are not required to meet the single failure criterion. However, with the exception of the electrical power and the final actuating equipment the system is designed to the single failure criterion.
| |
| Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
| |
| See Section 3.11 for safe shutdown system conformance. The ATWS-ARI components are selected to satisfy the quality requirements in Reference 7.4-1.
| |
| Equipment Qualification (IEEE 279-1971, paragraph 4.4)
| |
| Vendor certification requires that the safe shutdown system sensors, manual switches, and logic components perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the existing field experience with these components in this application, will serve to qualify these components.
| |
| For a discussion of safe shutdown system equipment qualification see Sections 3.5, 3.6, 3.10, and 3.11. Channel Integrity (IEEE 279-1971, paragraph 4.5)
| |
| For a discussion of RCIC and SLC system Channel Integrity under all extremes of conditions described in Sections 7.4.1.1 and 7.4.1.2, see Section 3.11.
| |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 7.4-15 Channel Independence (IEEE 279-1971, paragraph 4.6) Channel independence is maintained through application of the CGS separation criteria as described in Section 8.3.1.4.
| |
| Control and Protection Interaction (IEEE 279-1971, paragraph 4.7)
| |
| The RCIC, SLC, ATWS-RPT, and ATWS-ARI systems have no interaction with plant control systems. Derivation of Systems Inputs (IEEE 279-1971, paragraph 4.8)
| |
| All inputs to the RCIC system, RSS, RHR-SDC, ATWS-RPT, and ATWS-ARI that are essential to their operation are direct measures of appropriate variables.
| |
| The SLC system display instrumentation in the control room provides the operator with directly measured information on reactor vessel water level, pressure, neutron flux level, control rod position and valve status. Based on this information the operator can assess the need for the SLC system.
| |
| | |
| Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9)
| |
| See Section 7.4.2.3, Regulatory Guide 1.22.
| |
| Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
| |
| See Section 7.4.2.3, Regulatory Guide 1.22.
| |
| Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
| |
| Calibration of a sensor which introduces a single instrument channel trip will not cause a protective action without the coincident trip of a second channel. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning.
| |
| Operating Bypasses (IEEE 279-1971, paragraph 4.12) There are no operating bypasses within the safe shutdown systems.
| |
| Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
| |
| For a discussion of bypass and inoperability indication see Section 7.1, with the exception of ATWS-RPT and ATWS-ARI, which are under administrative control.
| |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 7.4-16 Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)
| |
| Access to means of bypassing any safety action or safety function is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with administrative control of the access to keys, procedurally controlled equipment lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional methods help to prevent inadvertent bypasses or to alert the plant operators to safety function bypasses occurring either from equipment failures or from manually induced bypasses that result as part of testing, maintenance, or equipment repair activities.
| |
| Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is procedurally controlled. When not in use, keys are under the administrative control of the control room supervisor/shift manager and stored in a key locker. The keys are audited once per day by the control room supervisor/shift manager. When operation of a key-locked control switch is required to be immediate, such as in the case of the reactor mode switch, the key may be left in the lock during normal plant operation to ensure timely actuation.
| |
| | |
| Multiple Set Points (IEEE 279-1971, paragraph 4.15)
| |
| There are no multiple setpoints within the safe shutdown systems.
| |
| Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
| |
| The RCIC is automatically stopped on high vessel water level, system malfunction trip signals or if steam supply pressure drops below that necessary to sustain turbine operation.
| |
| The SLC system explosive valves remain open once fired. The injection valves will not close, and discharge pump motors will continue to run unless terminated by operator action. The ATWS-ARI system once initiated will actuate valves in the scram air header thus providing an alternate method to scram. This action will continue until the trip logic is cleared and the operator resets the system.
| |
| | |
| Manual Initiation (IEEE 279,1971, paragraph 4.17)
| |
| See Sections 7.4.1.1, 7.4.1.2, 7.4.1.3, 7.4.1.4, 7.4.1.5, and 7.4.1.6 for a discussion of the manual initiation of RCIC, SLC, RHR-SDC, RSS, ATWS-RPT, and ATWS-ARI systems.
| |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 7.4-17 Access to Set Point Adjustment (IEEE 279-1971, paragraph 4.18) All access to setpoint adjustments for RHR-SDC, RCIC, ATWS-RPT, and ATWS-ARI are under administrative control of the control room supervisor/shift manager.
| |
| The operation of the SLC system is not dependent on or affected by any setpoint adjustment or calibration.
| |
| | |
| Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)
| |
| Automatic initiation of the RCIC system is annunciated in the control room.
| |
| The ATWS-RPT breaker trip is annunciated in the control room. The ATWS-ARI system initiation is annunciated in the control room.
| |
| The explosive valve status of the SLC system, once fired, is indicated in the control room.
| |
| Information Readout (IEEE 279-1971, paragraph 4.20)
| |
| The RCIC, ATWS-RPT, and ATWS-ARI systems are designed to provide the operator with accurate and timely information pertinent to their status. They do not give anomalous indications confusing to the operator.
| |
| The SLC system discharge pressure of the pumps and storage tank level is indicated in the control room.
| |
| | |
| System Repair (IEEE 279-1971, paragraph 4.21)
| |
| The RCIC, SLC, ATWS-RPT, and ATWS-ARI systems are designed to permit repair or replacement of components during normal plant operation.
| |
| Recognition and location of a failed component will be accomplished during periodic testing or by annunciation in the control room.
| |
| | |
| Identification (IEEE 279-1971, paragraph 4.22)
| |
| Controls and instruments for RCIC, SLC, ATWS-RPT, and ATWS-ARI systems are located in the main control room and clearly identified by nameplates. Relays are located in separate panels for RCIC, SLC, ATWS-RPT, and ATWS-ARI systems use only. Relays and panels are identified by nameplates. All wiring and cabling is labeled to indicate its divisional assignment as well as its system assignment (see Section 8.3.1.3).
| |
| COLUMBIA GENERATING STATION Amendment58 FINAL SAFETY ANALYSIS REPORT December2005 7.4-18 7.4.2.3 Regulatory Guides Conformance Regulatory Guide conformance for remote shutdown control and instrumentation is provided in this chapter for each system whose instrumentation and controls interface with the RSS.
| |
| | |
| Conformance to Regulatory Guides for the RHR shutdown cooling mode is discussed in Section 7.3.2.
| |
| | |
| The following is a discussion of conformance to those Regulatory Guides which apply specifically to the RCIC, SLC, ATWS-RPT, and ATWS-ARI systems. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems. Regulatory Guide 1.22 - Periodic Testing of Protection System Actuation Functions The RCIC system, with the exception of RCIC-V-13 (injection valve), is capable of being completely tested during normal plant operation to verify that each element of the system is capable of performing its intended safety function. RCIC-V-13 is operability tested during plant shutdown.
| |
| | |
| The explosive valves may be tested during plant shutdown. The explosive valve control circuits are continuously monitored and annunciated in the control room. The remainder of the SLC system may be tested during normal plant operation to verify that each element is capable of performing its intended function.
| |
| | |
| Testing of RCIC, SLC, ATWS-RPT, and ATWS-ARI systems sensors during normal plant operation is accomplished by valving out each sensor from its process line and applying a test pressure source. This verifies the operability of the sensor, its calibration range, and the operability of associated control room logic components.
| |
| Also, the ATWS-RPT trip logic up to the breaker trip can be tested during plant operation. The ATWS-ARI trip logic can be tested up to the solenoid valves during plant operation.
| |
| Regulatory Guide 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems See Section 7.4.2.2 and IEEE 279, paragraph 4.2, for the RCIC, SLC, ATWS-RPT, and ATWS-ARI systems.
| |
| Regulatory Guide 1.62 - Manual Initiation of Protective Actions The SLC system is actuated by two key-locked switches on the main control room console. Operating either switch starts one of the injection pumps, actuates both of the explosive valves, COLUMBIA GENERATING STATION Amendment58 FINAL SAFETY ANALYSIS REPORT December2005 7.4-19 opens both pump suction motor-operated valves, and closes the RWCU system outboard isolation valve.
| |
| The ATWS-RPT feeder breakers can be initiated manually from the main control room by actuation of the feeder breaker control switch.
| |
| | |
| The ATWS-ARI scram air header blowdown valves can be manually initiated from the main control room.
| |
| The RCIC system can be manually initiated for vessel water level makeup. 7.
| |
| | |
| ==4.3 REFERENCES==
| |
| | |
| 7.4-1 NEDE-31096-P, Licensing Topical Report, Anticipated Transients Without Scram, response to NRC ATWS RULE 10 CFR 50.62, December 1985.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.4-1 Reactor Core Isolation Cooling System Instrumentation Function Instrumenta 7.4-21 Reactor vessel high water level (level 8) Level switch (B22-N024B, D) MS-LIS-24B, D Pump low suction pressure Pressure switch (E51-N006)
| |
| RCIC-PS-6 Reactor vessel low water level (level 2) Level switch (B22-N037A-D)
| |
| MS-LIS-37A-D Drywell high pressure Pressure switch (B22-N048A-D)
| |
| MS-PS-48A-D Condensate storage tanks low water level Level switch (E51-N015A, B) RCIC-LS-15A, B a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.4-2 ATWS-Recirculation Pump Trip System Instrumentation Function Instrumenta 7.4-22 Reactor vessel low water level (level 2) Level indicating switch MS-LIS-36A-D (B22-N036) Reactor vessel high pressure Pressure switch MS-PS-45A-D (B22-N045) a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.4-3 ATWS-Alternate Rod Insertion System Instrumentation Function Instrumenta 7.4-23 Reactor vessel low water level (level 2) Level indicating switch MS-LIS-36A-D (B22-N036) Reactor vessel high pressure Pressure switch MS-PS-45A-D (B22-N045) a Instruments in parentheses are the GE designation.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 53 FINAL SAFETY ANALYSIS REPORT November 1998 7.5-1 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5.1 SUMMARY DESCRIPTION 7.5.1.1 General This section describes the instrumentation that provides information to the operator to enable him to assess the status of safety-related systems and the need to perform required safety functions including a discussion of conformance to Regulatory Guide 1.97. The safety-related display instrumentation is listed in Table 7.5-1. It tabulates equipment identified on the various figures located in Sections 7.2, 7.3, 7.4, and 7.6.
| |
| | |
| The instrumentation and ranges shown in Table 7.5-1 are selected on the basis of giving the reactor operator the necessary information to perform normal plant operations and yet the capability to track process variables pertinent to safety following design-basis accidents (DBAs).
| |
| | |
| The following information is provided to the control room operator to monitor reactor conditions and allow assessment of safety system status following a DBA.
| |
| The power sources to the instrumentation described in this section originate from the Division 1, Division 2, or Division 3 safety-related emergency ac and/or dc buses unless indicated otherwise.
| |
| | |
| 7.5.1.1.1 Reactor Water Level Two divisionally separated ranges of water level instrumentation are provided: wide range and fuel range.
| |
| | |
| Wide range water level is sensed by two divisionally separated differential pressure transmitters. The signals are displayed in the control room on two recorders. Wide range instruments cover the level from +60 in. to -150 in.
| |
| | |
| Fuel range water level overlaps the wide range to provide water level in the actual core region. Level is sensed by two divisionally separated differential pressure transmitters. The level is displayed in the control room on a recorder and an indicator. The fuel range covers from -310 in. to -110 in.
| |
| The two ranges provide continuous level indication from 60 in. above the bottom of the dryer skirt to 150 in. below the top of the active fuel. Both ranges have a common zero reference point located 527.5 in. above the inside bottom of the reactor vessel.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-98-116 7.5-2 In addition to the wide range and fuel zone range, the following are provided.
| |
| Upset range water level is sensed by a single channel to monitor from 0 in. to 180 in. and is recorded in the control room.
| |
| Shutdown range water level is sensed by a single channel to monitor from 0 in. to +400 in. and is indicated in the control room.
| |
| The combination of all fourranges monitor from just below the bottom of the active fuel to the top of the reactor head, a total span of -310 in. to +400 in. In response to NRC Bulletin 93-03 a continuous backfill capability was added for the reactor pressure vessel (RPV) level reference legs to ensure the level instrumentation system design is of high functional reliability for long-term operation by minimizing the transport of dissolved noncondensable gas down the reference legs. The control rod drive (CRD) system is the source of backfill water as described in Section 4.6.1. 7.5.1.1.2 Reactor Pressure Reactor pressure is sensed by two divisionally separated pressure transmitters. These pressure transmitters are recorded in the control room. 7.5.1.2 Reactor Shutdown Indication The following information is provided to the control room operator to monitor reactor shutdown. a. Control rod status lamps indicating each rod fully inserted. Power is supplied from a highly reliable non-Class 1E uninterruptible power supply (UPS) system; b. Control rod scram pilot valve position status lamps indicating open valves; c. Neutron monitoring power range channels and recorders downscale. The power sources are from reactor protection system (RPS) motor-generator (MG) sets;
| |
| : d. Source range neutron monitoring channels and recorders on scale. When fully withdrawn from the core, the range covered is approximately 10% to 10-3% power. When fully inserted, the range is 10-3% to 7% power;
| |
| : e. Annunciators for RPS variables and trip logic in the tripped state. Power is supplied from a Class 1E power source;
| |
| : f. The computer work stations provide logging of trips and control rod position log and provides thermal hydraulic information to the operator which is used to COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-15-033 7.5-3 keep the plant operating within Technical Specifications limits. Power is supplied by a non-Class 1E UPS power source; and g. Reactor water sample analysis to determine soluble boron concentration via the postaccident sample station. 7.5.1.3 Primary Containment and Reactor Vessel Isolation Indication The following information is provided to the control room operator to monitor the integrity of the primary containment. a. Power operated primary containment isolation valve (excluding check valves) position indication is displayed (valve position indicating lamps) at valve controls in the control room which are Class 1E and is also displayed by a non-Class 1E transient data acquisition system (TDAS) (see Section 7.7). The non-Class 1E RPS MG sets provide an acceptable power supply in conjunction with the independently powered TDAS display. Although the hardened containment vent primary containment isolation valves are power operated, their function is to operate in a beyond-design-basis event. Position indication is provided at the controls in the control room. These valves are spring closed with the operating pneumatics isolated and locked requiring a manual action to place in service and therefore, are not powered from a Class 1 E supply. b. Main steam line flow indication; c. Annunciators for the primary containment and reactor vessel isolation system variables and trip logic in the tripped state. Power is supplied by Class 1E power; and d. Process computer logging of trips. Power is from a non-Class 1E UPS power supply. 7.5.1.4 Emergency Core Cooling System and Reactor Core Isolation Cooling Indication The following information is provided to the control room operator to monitor emergency core cooling system (ECCS) and reactor core isolation cooling (RCIC) system status. a. Annunciators for high-pressure core spray (HPCS), low-pressure core spray (LPCS), residual heat removal (RHR), automatic depressurization system (ADS), and RCIC sensor initiation logic trips; b. Flow and/or pressure indications for each ECCS and RCIC are provided; c. ECCS and RCIC valve position indication; COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 LDCN-00-018 7.5-4 d. Process computer logging of trips in the ECCS and RCIC. Power is provided from the UPS, a highly reliable non-Class 1E power supply;
| |
| : e. Transient data acquisition system display of RCIC and ECCS functions. Power is provided from the UPS, a highly reliable non-Class 1E power supply; and
| |
| : f. Main steam safety/relief valve (SRV) position indication.
| |
| 7.5.1.5 Containment Indications The following information is provided to the control room operator to monitor primary containment status.
| |
| | |
| 7.5.1.5.1 Primary Containment Pressure Monitoring There are two divisions of drywell pressure monitoring instruments. Each division consists of three monitoring ranges. The narrow range is -5 to +3 psig; the intermediate range is 0 to 25 psig; and the high range is 0 to 180 psig. Each range is recorded and the narrow range is indicated in the control room.
| |
| | |
| 7.5.1.5.2 Primary Containment Temperature
| |
| | |
| Containment temperature is monitored continuously by a recorder in the control room. Points of measurement are as follows:
| |
| Points Description 4* Air inlet vicinity recirculation pump motors 5* Fan coil inlets 5 Fan coil outlets 3* RPV head flange area 6 Sacrificial shield annulus 3 CRD area
| |
| * Some of these points are summed to provide average drywell temperature information during normal operation and postaccident conditions.
| |
| COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 7.5-5 2 RPV head area 5 SRV area 3* Fan coil inlet minus annulus air 5 Upper drywell area return ducts 5 Miscellaneous areas 2 Suppression chamber air temperature 2 Suppression pool water temperature Drywell average temperature and suppression chamber air temperature are recorded in the control room. Indication from all points is also available.
| |
| 7.5.1.5.3 Primary Containment Radiation
| |
| | |
| The atmosphere of the primary containment is monitored for low levels (leak detection) and high levels [loss-of-coolant accident (LOCA)] of radioactivity and recorded in the control room on two redundant recorders.
| |
| | |
| The leak detection monitoring system consists of two identical divisionally separated offline samplers with racks located in the reactor building sample rooms. Each sample rack has a two-channel unit containing a particulate and a noble gas scintillation detector. The detectors are of high sensitivity to detect the presence or increase of radioactivity in the atmosphere indicating small leaks in the reactor coolant pressure boundary (RCPB). The output signals from the detectors are sent to panels in the main control room, which contain count ratemeters, recorders, and controls.
| |
| | |
| An air sample is piped from the containment atmosphere to the local leak detector racks and returned to containment. The control room operator has complete control of the operation and checking of the monitor system from the main control room. The leak detection channels described above are isolated when a LOCA occurs because they would rapidly be saturated by the high levels of radioactivity.
| |
| | |
| The LOCA detection system provides a means to detect a rupture of the RCPB which has released large amounts of radioactive material into primary containment. The LOCA detection system consists of two divisionally separated redundant systems. Each system contains an
| |
| * Some of these points are summed to provide average drywell temperature information during normal operation and postaccident conditions.
| |
| COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 7.5-6 ionization chamber type detector located inside the primary containment. The LOCA monitors provide signals to panels in the main control room, which contain count ratemeters and recorders.
| |
| 7.5.1.5.4 Primary Containment Hydrogen and Oxygen Concentration Atmosphere samples from a minimum of two locations inside the primary containment and one location in the suppression chamber are sequentially monitored for hydrogen and oxygen percentage levels by each of two redundant analyzer systems (see Figure 9.4-8).
| |
| Each gas analyzer system contains a hydrogen and an oxygen sensor with calibrated resistance temperature detectors (RTDs) and pressure transducers that allow a microprocessor in the H2-O2 analyzer system to automatically compensate the measured H2 or O2 concentrations for changes in temperature and pressure. The microprocessor provides for periodic calibration of the analyzers. All gases are pumped back to the primary containment at all times.
| |
| The analyzers are single range, i.e., 0 to 30% hydrogen and 0 to 30% oxygen. The output signal from each analyzer is sent to a recorder in the main control room. Two redundant (divisional) recorders are provided. Each analyzer has three adjustable alarm contacts which annunciate abnormal conditions (Hi H2, Hi O2, and Hi Hi O2) in the main control room.
| |
| 7.5.1.5.5 Suppression Chamber Pressure Suppression chamber pressure is recorded in the control room from two separate pressure transmitter systems. Range of recording is from 0 to 100 psig.
| |
| 7.5.1.5.6 Suppression Pool Temperature Monitoring Postaccident suppression pool temperature data is provided by four thermocouples, one per wetwell quadrant, which feed signals to a summer via millivolt to current converters (MV/Is). The average suppression pool temperature is then recorded and displayed in the control room. Backup thermocouples are available for use in the monitoring scheme. See Section 7.6.1.7 for additional information.
| |
| | |
| 7.5.1.5.7 Suppression Pool Water Level Monitoring Both wide range and narrow range suppression pool water level are monitored by two sets of redundant Class 1E sensors. Each sensor consists of one level transmitter which provides a signal to a recorder in the control room. The range of these sensors is +/-25 in. from normal water level in the pool for the narrow range and 2 ft to 52 ft for the wide range.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-07-001 7.5-7 7.5.1.6 Monitoring for Radioactive Release to the Environment 7.5.1.6.1 Building Effluent Gas Monitors The effluent activity from the reactor building ventilation exhaust, the condenser offgas system, the condenser vacuum pump system, and the standby gas treatment system (SGTS) is monitored by using an on-line isotopic analysis system. This system uses three detectors to monitor the reactor building elevated release duct, providing both gross gamma and isotopic information. Two postaccident detectors, using collimators and shielding, monitor activity through the stack, and one detector mounted in a well inside the stack monitors normal operational levels. Both the postaccident and normal operational data are recorded in the control room and trended via computer work stations. The turbine building effluent release path is monitored using an isokinetic system. A sample is withdrawn from the duct through an array of isokinetic nozzles then through particulate and charcoal filters and into a low range and high range set of gas detectors. Each of these effluent stacks or ducts have a continuous vent flow rate monitoring system as described in Section 7.5.2.2.3. As described in Sections 11.5.2.2.1.5 and 11.5.2.2.1.6, signals from these radiation detectors are sent to a ratemeter and recorder located in the control room. Similar systems are installed to monitor the radwaste building ventilation release path as described in Section 11.5.2.2.1.7, except that flow rate monitoring is available on computer work stations rather than on a separate flow recorder. Even though flow monitoring is Category 2 which requires environmental qualification, TDAS is not environmentally qualified. However, TDAS is located in the main control room (a mild environment) and is designed for this service environment. If TDAS is unavailable, radwaste building effluent flow will be determined in accordance with the ODCM.
| |
| 7.5.1.6.2 Meteorological Conditions The wind speed, wind directions, and stratified atmospheric temperature information is sensed by the meteorological tower primary and backup instrumentation and is recorded in the control room. Indicated meteorological conditions are used to calculate doses downwind due to a radiation release. Wind speed and direction is monitored by separate channels at the 33 ft and 245 ft elevations. Primary and backup channels provide the air temperature difference between 33 ft and 245 ft elevations.
| |
| | |
| 7.5.1.7 Radiation Exposure (Postaccident) (See Section 12.3.4.2)
| |
| High range area radiation monitors are located inside the reactor building to monitor the exposure rates at entry points to that building following an accident. These also serve to provide indication of any radioactive releases into the reactor building from the primary containment and provide trend monitoring during accident conditions. Signals from the detectors are recorded in the control room.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.5-8 7.5.1.8 Postaccident Sampling System The postaccident sampling system provides a means for obtaining grab samples of highly radioactive liquid samples of primary coolant directly from the reactor vessel, the RHR loops, or the suppression pool and atmospheric samples of the drywell, wetwell, and reactor building. All samples may be transported for analysis in the onsite or offsite facilities.
| |
| 7.5.1.9 Primary System Relief Valve Position Indication Two methods are available to monitor SRV position in the main control room: a. Direct indication: Uses linear variable differential transformers (LVDTs) mounted directly on the relief valves. These sensors generate a voltage signal proportional to valve lift which is processed to provide an OPEN/CLOSED indication and annunciation; and b. Tail pipe thermocouples: Uses thermocouples attached to the SRV tailpipes which monitor the temperature rise in the piping resulting from open or leaking relief valves. These signals are recorded and annunciated. 7.5.1.10 Power Supply Status Monitoring Voltage indication for standby power buses of 4160-V ac and 480-V ac switchgear are provided in the control room. Voltage and amperage indication is also provided for batteries, battery chargers, inverters, and dc and UPS buses.
| |
| 7.5.1.11 Primary Water Source Indication The amount of feedwater flow to the reactor is detected by flow transmitters located on the feedwater lines. The flow rate is recorded in the control room. The reserve of water available in the condensate storage tanks is monitored and transmitted to the control room for operator information.
| |
| | |
| 7.5.1.12 Residual Heat Removal System Residual heat removal system loops A and B may function in several different modes. The flow for each of these modes, except for the reactor vessel head spray, is indicated by a single flow meter for each loop. The flow rate for each mode is determined by observing both indicated flow and valve position. The head spray has its own individual flow meter. All flow information is displayed in the control room. Residual heat removal system loop C functions only in one mode. The flow rate for this mode is also displayed in the control room.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.5-9 Heat from the RHR loops A and B is removed via heat exchangers. The outlet temperature of the heat exchangers is recorded in the control room.
| |
| 7.5.1.13 Standby Liquid Control System The standby liquid control (SLC) system flow into the reactor is monitored and displayed in the control room. Additionally, the SLC system tank level is displayed in the control room as a backup indication to the flow. 7.5.1.14 (DELETED) 7.5.1.15 High Levels in Radioactive Liquid Tanks Each tank used to hold or collect radioactive liquids is equipped with a level indicating system. The level is recorded on local panels in the radwaste building.
| |
| 7.5.1.16 Emergency Ventilation Damper Position Indication Damper position indication is provided in the control room for all dampers necessary to prevent release of radioactive gases to the environment or for the protection of operating personnel during accident conditions.
| |
| | |
| 7.5.1.17 Standby Service Water System Flow rate in each loop is detected by a flow transmitter providing signals to indicators in the control room. The spray pond temperature is indicated in the control room. The spray pond provides the source of cooling water to engineered safety feature (ESF) components.
| |
| 7.5.1.18 Spent Fuel Pool Cooling System The temperature of the spent fuel pool is monitored by instrumentation that provides indication and hi-alarms in the control room.
| |
| | |
| 7.5.1.19 Main Control Room Heating, Ventilating, and Air Conditioning Redundant temperature indications are provided in the control room to monitor control room temperature.
| |
| | |
| 7.5.1.20 Standby Gas Treatment System Each division of the SGTS is provided with loop flow indication in the control room.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.5-10 7.5.1.21 Containment Instrument Air Each division of the containment instrument air (CIA), the common header and both ADS main steam relief valve trains, provides system line pressure indication in the control room. The sequence programmers for the backup nitrogen bottles on each train provide annunciator signals to the control room when the last bottles are connected to the train manifolds.
| |
| 7.5.1.22 Safety Parameter Display 7.5.1.22.1 Description The safety parameter display system (SPDS) design is based on the emergency response information system (ERIS) concept developed by the BWR Owner's Group. The ERIS control room information requirements are defined as a minimum by the Emergency Procedures Guidelines (EPG).
| |
| | |
| The purpose of the SPDS is to assist control room personnel in making quick assessments of plant safety status. The functional criteria for the SPDS are described in NUREG-0696. These requirements are satisfied using human engineered hard-wired control room instrumentation. Additional support information that is useful for emergency response is supplied by the Graphic Display System (GDS). The displays provide information related to the following plant functions:
| |
| a. Reactivity control,
| |
| : b. Reactor core cooling and heat removal,
| |
| : c. Reactor coolant system integrity, d. Radioactivity control, and
| |
| : e. Containment integrity.
| |
| 7.5.1.22.2 Conformance to NUREG-0696
| |
| | |
| The overall SPDS design consists of two display systems. The human engineered hard wired control room instrumentation needed to comply with Regulatory Guide 1.97 is the primary source of plant safety status. These displays are Class 1E and sufficiently concentrated to allow rapid safety assessment. (Additional information is contained in Appendix B, TMI Item I.D.1.)
| |
| | |
| The hard-wired control room displays afford continuous parameter status indication. Real time validation of critical parameters is accomplished by comparison of signals from redundant divisions. Operating procedures and operator training provide guidance resolution of unsuccessful data validation. Recorders indicate magnitude and trend of important parameters, and alarms provide audible notification of an unsafe operating condition. Redundant COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-15-039 7.5-11 divisionally separate instrumentation provided for critical parameters ensures a very high degree of reliability during both plant operation and cold shutdown.
| |
| Additional support information is supplied by the GDS. The GDS consists of high performance human factored HMI displays of critical plant functions. The GDS and Class 1E equipment are adequately isolated to meet IEEE 279-1974. Data is collected and processed by the control room real time data acquisition systems (see Section 7.7.1.15). Processed data of critical parameters is subsequently formatted and available for display in the control room automatically or on request. The HMI display of critical parameters is a dedicated function with formatted displays capable of indicating approaches to off normal conditions for critical plant parameters. Control room displays are available on a separate HMI on an "ON DEMAND" or "AUTOMATIC" basis as required. Power to the data acquisition system, computer processor, and HMI displays is uninterruptible. All analysis and display hardware is located in the main control room, however, both the TSC and EOF have access to any event response aid function.
| |
| The HMI displays provide continuous indication of plant safety status. Where applicable, real time validation of each signal is accomplished by comparing redundant signals. Display formats were developed by the BWR Owners' Group based on critical parameters and the EPG. Displays are capable of showing the magnitude and trend of critical parameters and parameter vs. parameter displays needed to support EPG requirements. The hardware and software designs allow system expansion and flexibility in display formats. The use of highly reliable components ensures a very high degree of reliability.
| |
| 7.5.2 ANALYSIS AND DESIGN BASIS
| |
| | |
| 7.5.2.1 Design Basis The safety-related display instrumentation is designed to provide the operator with all necessary information to assess the status of transients or accidents from their onset to a safe cold shutdown condition, to assess the status of safety-related systems used to mitigate the event, and to allow timely operator actions as necessary.
| |
| Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are discussed in Chapter 15.
| |
| Variables monitored are listed in Table 7.5-1. These variables have been selected using the methodology established in Regulatory Guide 1.97, NUREG-0737, and the EPG.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.5-12 The safety-related display instrumentation is categorized into types in accordance with Regulatory Guide 1.97, Revision 2 or 3, and according to the primary function during a transient or accident condition. These types are as follows: Type A Variables Those variables to be monitored that provide the primary information required to permit the control room operator to take specific manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for DBA events. Primary information is information that is essential for the direct accomplishment of the specified safety functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures.
| |
| A variable included as Type A does not preclude it from being included as Type B, C, D, or E or vice versa.
| |
| | |
| Type B Variables Those variables that provide information to indicate whether plant safety functions are being accomplished.
| |
| | |
| Type C Variables Those variables that provide information to indicate the potential for being breached or the actual breach of the barriers to fission product releases.
| |
| Type D Variables Those variables that provide information to indicate the operation of individual safety systems and other systems important to safety. These variables are to help the operator make appropriate decisions in using the individual systems important to safety in mitigating the consequences of an accident.
| |
| | |
| Type E Variables Those variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and continually assessing such releases. The instruments are further divided into categories by their importance to the operator during and following an accident, and to the importance to safety of the specific measured variable. These categories are as follows:
| |
| | |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.5-13 Category 1 Category 1 provides the most stringent requirements for equipment qualification and pertains to monitoring key variables.
| |
| | |
| Category 2 Category 2 display instruments require less stringent equipment qualification and generally applies to instrumentation designed for indicating system operating status.
| |
| Category 3 Category 3 display instruments are used as backup displays for Category 1 and Category 2 and to aid in diagnosing the type of transient or accident and determining the extent of damage, if any.
| |
| | |
| 7.5.2.2 Analysis The safety-related display instrumentation provides adequate information to allow the reactor operator to perform the necessary manual safety functions and to assess plant and system status during normal operation, transients, and accident conditions.
| |
| Normal Operation The information channel ranges were selected on the basis of giving the reactor operator the necessary information to perform all the normal plant startup, steady state maneuvers, and to be able to track all the process variables pertinent to safety.
| |
| Abnormal Transient Occurrences The ranges of indicators and recorders provided are capable of covering the extreme of process variables and provide adequate information for all abnormal transient events.
| |
| Accident Conditions Information readouts are designed to accommodate all credible accidents for operator actions, information, and event tracking requirements, and cover all other design basis events or incident requirements.
| |
| Postaccident monitoring instrumentation provides the operator with plant status information during and following an accident. The information is needed to follow the progress of an accident, assist the operator to safely shut down the reactor, assess the extent and type of COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.5-14 damage, if any, and to monitor critical parameters for extended periods of time if extensive damage has occurred.
| |
| 7.5.2.2.1 Conformance To 10 CFR 50 Appendix A, General Design Criteria The following is a discussion of conformance to those General Design Criteria (GDC) that apply specifically to the safety-related display instrumentation. See Section 7.1.2.2 for a discussion of GDC which apply equally to all safety-related systems. GDC 13, Instrumentation and Control Instrumentation is provided to monitor variables and systems over their anticipated ranges for accident conditions as appropriate to ensure adequate safety.
| |
| GDC 19, Control Room The safety-related instrumentation meets the requirements that a control room be provided from which actions can be taken to maintain the nuclear power unit in a safe condition under accident conditions, including LOCAs, and that equipment, including the necessary instrumentation, at appropriate locations outside the control room be provided with a design capability for prompt hot shutdown of the reactor.
| |
| GDC 64, Monitoring Radioactivity Releases The safety-related instrumentation includes the capability of monitoring the reactor containment atmosphere, spaces containing components for recirculation of LOCA fluid, effluent discharge paths, and the plant environs for radioactivity that may be released from postulated accidents.
| |
| | |
| 7.5.2.2.2 Conformance To IEEE Standards The following is a discussion of conformance to those IEEE Standards which apply specifically to the safety-related display instrumentation. See Section 7.1.2.3 for a discussion of IEEE Standards which apply equally to all safety-related systems. 7.5.2.2.2.1 IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations. The safety-related display instrumentation is part of the protection systems and provides information to the reactor operator during and after accident conditions, allowing assessment of reactor status, safety system status, and allowing the operator to control safety systems when necessary.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 LDCN-09-011 7.5-15 General Functional Requirements (IEEE 279-1971, paragraph 4.1)
| |
| The safety-related display instrumentation, in addition to providing the reactor operator the necessary information to perform normal plant operations, also provides information that allows assessment of plant and safety system status during and after transients and DBAs.
| |
| Single Failure Criterion (IEEE 279-1971, paragraph 4.2) The safety-related display instrumentation that is recommended by Regulatory Guide 1.97, Revision 2, to be redundant is designed to meet the single failure criterion. Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
| |
| For a discussion of the quality classifications and qualification of components and modules see Sections 3.2, 3.10, and 3.11.
| |
| Equipment Qualification (IEEE 279-1971, paragraph 4.4)
| |
| For a discussion of equipment qualification see Sections 7.5.2.2.2.2 (IEEE 323-1974), 3.10, 3.11, and 1.8.3 for conformance.
| |
| Channel Integrity (IEEE 279-1971, paragraph 4.5)
| |
| The safety-related display instrumentation is designed to provide information to the reactor operator under extreme conditions. See Sections 3.10, 3.11, 8.2.1, and 8.3.1.
| |
| Channel Independence (IEEE 279-1971, paragraph 4.6)
| |
| Safety-related display instrumentation independence is maintained through the application of separation criteria as described in Section 8.3.1.4.
| |
| Control and Protection System Interaction (IEEE 279-1971, paragraph 4.7)
| |
| There is no interaction between control systems and that safety-related display instrumentation which is part of the protection system.
| |
| | |
| Derivation of System Inputs (IEEE 279-1971, paragraph 4.8)
| |
| The safety-related display instrumentation, where feasible and practical, is a direct measure of the desired variable.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-16 Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9) The safety-related display instrumentation input sensors can be either perturbed, inputs substituted, or cross checked for proper operability. See Regulatory Guide 1.22 compliance in each of the sections in this chapter for a discussion of sensor check capability.
| |
| Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
| |
| See the compliance discussion of Regulatory Guide 1.22 in each section of this chapter.
| |
| Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
| |
| Removal from service of sensors which provide inputs to the safety-related display instrumentation is discussed in the respective system discussions in this chapter on compliance to IEEE 279.
| |
| | |
| Operating Bypasses (IEEE 279-1971, paragraph 4.12)
| |
| This paragraph does not apply as the safety-related display instrumentation does not incorporate operating bypasses.
| |
| | |
| Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
| |
| This paragraph does not apply as the safety-related display instrumentation does not incorporate bypasses.
| |
| | |
| Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)
| |
| Access to instrument valves is administratively controlled. Access to other means of bypassing are located in the control room and are also under administrative control.
| |
| Multiple Setpoints (IEEE 279-1971, paragraph 4.15)
| |
| This paragraph does not apply as the safety-related display instrumentation does not incorporate multiple setpoints. Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
| |
| This paragraph does not apply as the safety-related display instrumentation does not provide protective action.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-17 Manual Initiation (IEEE 279-1971, paragraph 4.17) This paragraph does not apply as the safety-related display instrumentation does not provide manual initiation.
| |
| | |
| Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971, paragraph 4.18)
| |
| Access to calibration adjustments are under administrative control. Identification of Protective Actions (IEEE 279-1971, paragraph 4.19) Certain safety-related display instrumentation is specifically designed to identify the need for operator-initiated protective actions while others only provide the reactor operator the necessary information to identify plant and safety system status.
| |
| Information Read-Out (IEEE 279-1971, paragraph 4.20)
| |
| The safety-related display instrumentation is designed to provide the operator with accurate, complete, and timely information to determine plant status and avoids anomalous indications which could confuse the reactor operator.
| |
| | |
| System Repair (IEEE 279-1971, paragraph 4.21)
| |
| The operator can identify and repair most failed sensors, recorders, or indications during plant operation. However, there are sensors such as neutron monitoring [local power range monitor (LPRM) and intermediate range monitor (IRM)] which cannot be replaced or repaired during plant operation and must be repaired or replaced during plant shutdown.
| |
| Identification (IEEE 279-1971, paragraph 4.22)
| |
| The safety-related display instrumentation is specifically identified on the control panels so that the operator can easily discern that they are intended for use under accident conditions.
| |
| 7.5.2.2.2.2 IEEE Standard 323-1974, Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations. Safety-related display instrumentation as recommended by Regulatory Guide 1.97, Revision 2. See Section 3.11 for equipment requirements based on NUREG-0588, 10 CFR 50.49, and IEEE-323.
| |
| 7.5.2.2.3 Regulatory Guide Conformance Regulatory Guide 1.32. Safety-related display instrumentation as recommended by Regulatory Guide 1.97, Revision 2, is powered from vital buses and, if necessary, with battery backup where momentary interruption is intolerable; or as noted in text discussion (see Section 7.5.1).
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 LDCN-09-011 7.5-18 Regulatory Guide 1.75, Revision 1. Redundant or diverse channels are provided where necessary as recommended by Regulatory Guide 1.97, Revision 2. These channels are electrically independent and physically separated from each other as discussed in Section 8.3.
| |
| Regulatory Guide 1.89, Revision 1. Safety-related display instrumentation is qualified to Regulatory Guide 1.89, Revision 1 as recommended by Regulatory Guide 1.97, Revision 2 or Revision 3 as clarified in Section 1.8.3. Regulatory Guide 1.100, Revision 1. Safety-related display instrumentation as recommended by Regulatory Guide 1.97, Revision 2 or Revision 3, meets the seismic qualifications requirements of IEEE-344-1975 as clarified in Section 3.10.1.2 and is purchased to the requirements in Regulatory Guide 1.100 which states that instrumentation should continue to read within the required accuracy following, but not necessarily during, a safe shutdown earthquake.
| |
| Regulatory Guide 1.97, Revision 2. Instruments meet the recommendations required by category and type as described in Revision 2 unless noted in the text discussions as meeting Revision 3 requirements.
| |
| | |
| An item by item general discussion of display instrumentation and the degree of conformance to Regulatory Guide 1.97 requirements is provided below and in Section 7.5.1.1. See Table 7.5-1 for instrument ranges, Regulatory Guide 1.97 category, and other specific information.
| |
| | |
| Neutron Flux (Table 7.5-1, item 3)
| |
| The facility operating license required the installation of a neutron flux monitoring system in the form of ex-core wide range monitors that were in conformance with the requirements of Regulatory Guide 1.97. The required wide range monitoring system was installed in 1989. Authorization to delete the license condition and remove the equipment was granted by the NRC in May 2000 (Amendment 162, Reference 7.5-4). The authorization was based on a demonstration that the wide range monitors were unnecessary because the originally installed neutron monitoring systems met the alternate criteria described in NEDO-31558 for post-accident neutron flux monitoring systems (References 7.5-1 and 7.5-3). Two exceptions to this are that the APRM system accuracy does not satisfy the NEDO-31558 requirements under all post accident conditions and that the NEDO-31558 requirement for an uninterruptible power source is not met. It was shown that alternate means are available to meet the intent of NEDO-31558 for both of these exceptions, and these alternate means were accepted by the NRC (References 7.5-3 and 7.5-4).
| |
| The installed neutron monitoring system (NMS) consists of the source range, intermediate range, and APRM/LPRM monitoring systems. The existing source range and intermediate COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.5-19 range detectors are powered from Class 1E power; the average power range instruments are powered from the reactor protection bus which is a highly reliable source backed up by a diesel generator. There are 43 strings of local power range detectors, 8 intermediate range detectors and 4 source range detectors. These are divided into two redundant divisions. The source and intermediate range detectors are inserted or retracted from the core by Quality Class 2 drive units; however, the drive units are supplied from reliable power supplies and failure of all drive units simultaneously is extremely remote even under accident conditions. The drive units are only required to drive the detector into the core. Any failure after insertion is inconsequential. If all drive units did fail and the source range monitors could not be inserted, the range of indicated power when withdrawn is sufficient to ensure that the reactor is subcritical since the source range instruments monitor a range of 10-3% to 10% power even in the fully withdrawn position. Neutron flux level indication is provided by recorders in the control room.
| |
| | |
| In accordance with the NRC authorization described above, the ex-core wide range neutron monitoring (WRM) system has been deactivated. The two detectors located in the drywell between the reactor pressure vessel and the sacrificial shield wall and the two preamplifier assemblies located on the reactor building 522' elevation have been abandoned in place. The amplifiers, recorders, and other hardware located in the main control room have been removed. The associated electrical cables have been spared in place.
| |
| Coolant Level in the Reactor (Table 7.5-1, item 2)
| |
| Regulatory Guide 1.97 recommends that reactor level be monitored from below the core support plate to the centerline of the main steam lines by Category 1 instruments.
| |
| There are two divisionally separated ranges of level instrumentation to cover the full range of reactor water level as discussed in Section 7.5.1.1.1. Additionally, a single channel (Category 3) of "upset" range (high) level and a single channel of shutdown range indication is also provided.
| |
| | |
| RCS Soluble Boron Concentration Regulatory Guide 1.97 recommends measurement of the soluble boron concentration in the circulating primary coolant. Grab samples of the circulating primary coolant will be analyzed by either the onsite of offsite facilities for determination of soluble boron concentration. These facilities will have capability to analyze 0 to 1000 ppm of soluble boron concentration in RCS.
| |
| | |
| Boiling Water Reactor Core Thermocouples Regulatory Guide 1.97 recommends the installation of in-core thermocouples.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-20 Columbia Generating Station (CGS) concurs with LRG and BWR Owners' Group that core thermocouples do not provide adequate indication of approach to or existence of inadequate core cooling. Energy Northwest's response to Generic Letter 84-23 closed this issue.
| |
| Primary System Pressure (Table 7.5-1, item 1)
| |
| Regulatory Guide 1.97 recommends that primary system pressure be monitored from 15 psia to 1500 psig by Category 1 instruments.
| |
| Redundant Class 1E pressure indicators with a range of 0 to 1500 psig are provided.
| |
| Control Rod Position Indication (Table 7.5-1, item 39)
| |
| Regulatory Guide 1.97 recommends that Category 3 indication be provided to indicate when a rod is in or not in.
| |
| | |
| A rod position display of full-in and full-out position provides this information.
| |
| Drywell Pressure (Table 7.5-1, item 37)
| |
| Regulatory 1.97 recommends Category 1 redundant instruments covering a range from 10 psia to three times design pressure.
| |
| | |
| Redundant channels are recorded, each having three ranges, a narrow range for -5 to +3 psig, an intermediate range for 0 to 25 psig, and a high range for 0 to 180 psig.
| |
| Drywell Sump Level Regulatory Guide recommends that the drywell sump level be measured by Category 1 instruments.
| |
| | |
| The drywell equipment and floor drain sumps drain by gravity to the reactor building equipment drain sump and reactor building floor drain sumps respectively. On a LOCA, the containment isolation valves from these drywell sumps flange lines close, isolating the sumps. Any major drywell flooding at this time will overflow these sumps and spill into the suppression pool via the downcomers.
| |
| | |
| When a LOCA isolation signal is not present the drywell sump drains to the reactor building sump where flow and sump level are continuously monitored in the control room.
| |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 7.5-21 Primary Containment Valve Position Indication (Table 7.5-1, item 40)
| |
| Regulatory Guide 1.97 recommends Category 1, closed-not closed indication on power operated primary containment isolation valves.
| |
| Valve position for each applicable containment isolation valve is provided at the valve controls in the control room.
| |
| Redundancy requirements are met by the two valve criteria required for containment isolation. Radioactivity Concentration or Radiation Level in Circulating Primary Coolant Regulatory Guide 1.97 recommends that Category 1 redundant detection systems be installed to measure this parameter. The recommended range is one-half Technical Specifications limit to 100 times Technical Specifications limit in R per hour.
| |
| | |
| There is presently no instrument available which will accomplish this task. Prior to isolation of main steam lines, the condenser offgas ssystem and the main steam line radiation monitors will give immediate warning of fuel failure. The postaccident sampling system (see Section 11.6) provides monitoring and a measure of primary coolant activity after an accident. For details about offgas system and main steam line radiation monitors, see Section 11.5.
| |
| Analysis of Primary Coolant Regulatory Guide 1.97 recommends provisions be made to analyze the primary coolant to determine the extent of core damage. This is a Category 3 system.
| |
| A postaccident sampling system (see Section 11.6) providing for grab samples of the primary coolant, suppression pool water, drywell atmosphere, wetwell atmosphere, and reactor building atmosphere is provided. Grab samples will be analyzed in onsite or offsite facilities. Grab samples of the reactor building equipment and floor drain sumps may also be taken with the same equipment.
| |
| | |
| Primary Containment Area Radiation (Table 7.5-1, item 8)
| |
| Regulatory Guide 1.97 recommends that the radiation levels in the primary containment be monitored by redundant Category 1 instruments.
| |
| | |
| Two detectors are located inside containment that have a range 100 R/hr to 107 R/hr. These monitors respond to gamma radiation of 60 KeV as required by Regulatory Guide 1.97 to detect the 133Xe gases. These radiation monitors display on recorders located in the control room.
| |
| ~ !"~#$!~%&'(~!)*+~~"~!!!()$,!(#-&-~.,/-!"!~~"~
| |
| | |
| !.!.!(!"!
| |
| ).~~0)(!12)(!#$!~%!&
| |
| 3+!"(,!,)(!.,!()45!!2)(!.,!()5!-'(~!)*+'!(,~46-,)(!6-2)(!,5!!~-!(-!(
| |
| | |
| 01!!~)7!".,!(-46-,(!!!!!~-!(-!($,01~"~!,~
| |
| ~*!/--~'!!")8#$!~%&
| |
| $!!"~(!",!,%'(~!)*+--~!~()!!!"(!()!~~~(
| |
| 2,!.,~!!)$,().~!().,!(-m94!,(,-.4!m94(,~!$,!~(~"!~!),"~!(~.%!%
| |
| !,(,!($,!!,(,!("!%)/!%!()!!%!((-3232m94%"((-!~~!!.!1:;,~.!(-,18~)$,!!,(,!(!!~
| |
| !~!"'(~!)*+%)/%!()4!!
| |
| (-(!~!%,!~(~!!~(!!)"
| |
| -!'!!/2'!#$!~%&
| |
| '(~!)*+#-$)/&,!!!!!"!!<~!-,!)!
| |
| | |
| $,!,~!!-!~()!,
| |
| ~(",5"!($,),!"!!(-'9,%!!()4%!!,~
| |
| COLUMBIA GENERATING STATION Amendment 58 FINAL SAFETY ANALYSIS REPORT December 2005 7.5-23 These monitors provide coverage for these areas described by Regulatory Guide 1.97. Additionally, grab samples of the reactor building atmosphere may be obtained from the postaccident sample system. These high range area monitors provide coverage for personnel access and long-term surveillance (see Reactor Building or Secondary Containment Area Radiation below).
| |
| | |
| Main Feedwater Flow Rate (Table 7.5-1, item 23)
| |
| Regulatory Guide 1.97 recommends a Category 3 indicator to display the feedwater flow rate. Feedwater flow indication is provided in the control room.
| |
| Condensate Storage Tank Level (Table 7.5-1, item 24)
| |
| Regulatory Guide 1.97 recommends that the condensate storage tank levels be indicated on Category 3 instruments.
| |
| | |
| Instrumentation is provided for this parameter with display in the control room.
| |
| Suppression Chamber Pressure (Table 7.5-1, item 12)
| |
| Regulatory Guide 1.97 recommends that a Category 2 flow instrument be provided to indicate suppression pool spray flow. Suppression pool pressure is the key variable and pressure will indicate whether or not spray flow has been established. Knowing the actual amount of spray flow in gpm is of no value. However, valve position, RHR pump running indication, RHR system flow (all indicated in the control room), and suppression chamber pressure will indicate the presence or absence of spray flow. Suppression chamber pressure will also be a basis for whether or not drywell spray initiation will be required, given a high drywell pressure condition.
| |
| | |
| Suppression Pool Water Temperature (Table 7.5-1, item 13)
| |
| Regulatory Guide 1.97 recommends temperature indication of the suppression pool water. This indication would be Category 2 and have a range of 30°F to 230°F. See Section 7.6.1.7 for the CGS design.
| |
| Drywell Atmosphere Temperature (Table 7.5-1, item 7) Regulatory Guide 1.97 recommends that the drywell atmosphere temperature be monitored with a range of 40°F to 440°F on Category 2 instruments. CGS has provided instrumentation monitoring a 50°F to 400°F range.
| |
| Postaccident drywell temperature data is provided by four thermocouples located in the drywell area. These thermocouples feed signals to a summer via MV/Is. The average drywell COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-05-009 7.5-24 temperature is then recorded and displayed in the control room. Backup thermocouples are available for use in the monitoring scheme.
| |
| Drywell Spray Flow (Table 7.5-1, item 25)
| |
| Regulatory Guide 1.97 recommends a drywell spray flow instrument capable of monitoring flow from 0 to 110% of flow. This instrument should be Category 2.
| |
| Drywell spray flow is provided by RHR pump flow indication. Valve position indication and drywell pressure will indicate proper flow path. Residual heat removal flow is indicated in the control room.
| |
| Primary System Safety/Relief Valve Position (Table 7.5-1, item 21)
| |
| Regulatory Guide 1.97 recommends monitoring the SRV position, closed or not closed, with Category 2 instruments.
| |
| | |
| Monitoring the SRV position is provided as discussed in Section 7.5.1.9.
| |
| This is also backed up by the suppression pool temperature and level instrumentation.
| |
| Reactor Core Isolation Cooling Flow Rate (Table 7.5-1, item 4)
| |
| Regulatory Guide 1.97 recommends RCIC be monitored from 0 to 110% of design flow with Category 2 instruments.
| |
| | |
| Reactor core isolation cooling pump discharge flow monitoring is provided. This, in conjunction with verification of RCIC system valve lineup, provides indication of system operability. Flow indication and valve position are displayed in the control room.
| |
| High-Pressure Core Spray Flow Rate (Table 7.5-1, item 5)
| |
| Regulatory Guide 1.97 recommends that HPCS flow be monitored from 0 to 110% of design flow with Category 2 instruments.
| |
| High-pressure core spray pump discharge flow monitoring is provided. This in conjunction with verification of HPCS system valve lineup provides indication of system operability. Flow indication and valve position are displayed in the control room. Low-Pressure Core Injection Flow Rate (Table 7.5-1, item 25)
| |
| Regulatory Guide 1.97 recommends that low-pressure coolant injection (LPCI) flow be monitored from 0 to 110% of design flow with Category 2 instruments.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-25 Residual heat removal (LPCI) pump discharge flow monitoring is provided. This in conjunction with verification of RHR system valve lineup provides indication of system operability. Flow indication and valve position are displayed in the control room.
| |
| Low-Pressure Core Spray Flow Rate (Table 7.5-1, item 6)
| |
| Regulatory Guide 1.97 recommends that LPCS flow be monitored from 0 to 110% of design flow with Category 2 instruments. Low-pressure core spray pump discharge flow monitoring is provided. This, in conjunction with verification of LPCS system valve lineup, provides indication of system operability. Flow indication and valve position are displayed in the control room.
| |
| Standby Liquid Control System Flow (Table 7.5-1, item 27)
| |
| Regulatory Guide 1.97 recommends that the flow rate in the SLC system be monitored by Category 2 instruments.
| |
| | |
| Standby liquid control system flow monitoring is provided. Display is provided in the control room.
| |
| | |
| Standby Liquid Control System Tank Level (Table 7.5-1, item 28)
| |
| Regulatory Guide 1.97 recommends SLC system tank level indication be monitored by Category 2 instruments.
| |
| | |
| The SLC system tank level instruments are provided as Category 3. Level indication is provided in the control room.
| |
| | |
| Residual Heat Removal System Flow Rate (Table 7.5-1, item 25)
| |
| Regulatory Guide 1.97 recommends that RHR system flow be monitored from 0 to 110% of design flow with Category 2 instruments.
| |
| Residual heat removal pump discharge flow monitoring is provided. This in conjunction with RHR pump suction and discharge pressures and verification of RHR system valve lineup provides indication of system operability. Flow indication and valve position are displayed in the control room.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-26 Residual Heat Removal Heat Exchanger Outlet Temperature (Table 7.5-1, item 26) Regulatory Guide 1.97 recommends that the RHR heat exchanger outlet temperature be monitored by Category 2 instruments with a range of 32°F to 350°F.
| |
| Columbia Generating Station considers this instrumentation to be backup to RHR/service water (SW) flow indications. For this reason Category 3 (Class 1E powered) instrumentation is provided.
| |
| Existing instrumentation is not Class 1E but is adequate for monitoring this parameter. Indication is provided in the control room since other Class 1E indication of system performance such as RHR flow and standby service water flow to heat exchanger are provided.
| |
| Cooling Water Temperature to ESF System Components (Table 7.5-1, item 31)
| |
| Regulatory Guide 1.97 recommends Category 2 instruments with a range of 32°F to 200°F.
| |
| Present instruments measure water temperature of the spray pond. This is the source of water for the ESF systems. The range of these instruments is 0°F to 200°F.
| |
| Further temperature indication is provided on the outlet of each individual heat exchanger in the ESF systems. There is sufficient indication available to verify proper operation of the system.
| |
| | |
| Cooling Water Flow to ESF System Components (Table 7.5-1, items 29 and 30)
| |
| Regulatory Guide 1.97 recommends Category 2 flow instruments to monitor flow in the ESF cooling system.
| |
| | |
| The SW return lines to the spray ponds are monitored by flow transmitters providing signals to indication in the control room for service water loop A and B. The HPCS service water loop status is detected by a pressure transmitter providing a signal to an indicator in the control room.
| |
| High Radioactivity Liquid Tank Level (Table 7.5-1, item 36) Regulatory Guide 1.97 recommends that all tanks containing radioactive liquids be provided with tank level indication (Category 3 instruments).
| |
| All tanks designed to handle radioactive liquids are equipped with remote reading tank level instruments. The indicators are located in the radwaste building which is accessible following a DBA.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-27 Emergency Ventilation Damper Position (Table 7.5-1, item 38)
| |
| Regulatory Guide 1.97 recommends Category 2 indication for the open-closed position of emergency ventilation dampers.
| |
| | |
| The position status on all emergency ventilation dampers is displayed in the control room.
| |
| Status of Standby Power and Other Energy Sources Important to Safety (Table 7.5-1, items 16 and 22)
| |
| Regulatory Guide 1.97 recommends that status information be provided for all standby power and other energy sources such as pneumatic or hydraulic power.
| |
| Voltage indication for standby electrical buses of 4.16-kV is displayed in the control room. Additionally, all vital 480-V switchgear voltage readout is provided along with all battery, battery charger, and inverter voltage and amperage. The pneumatic pressure for the CIA is also displayed in the control room.
| |
| | |
| Reactor Building or Secondary Containment Area Radiation (Table 7.5-1, item 20)
| |
| Regulatory Guide 1.97, Revision 3 (for Type E) recommends that area radiation monitors be placed inside buildings or areas where access is required to service equipment important to safety and in the reactor building. This is to monitor for significant releases, for release assessment, and for long-term surveillance.
| |
| Three high range area monitors with a range of 10-1 R/hr to 104 R/hr are located in the reactor building. They are located to monitor specific entry points to the building (to e1. 471 ft via door R202, e1. 501 ft via door R305, and e1. 606 ft via door R702). These are the same monitors discussed above in the item on radiation exposure rate. Portable equipment will be used whenever personnel enter a radiation area as required by entry procedures.
| |
| Airborne Particulate and Halogen Materials Released from Plant (Table 7.5-1, item 15)
| |
| Regulatory Guide 1.97 recommends that particulates and halogens be sampled at the identified plant release points. Onsite analysis capabilities are required. This sampling equipment should be Category 3 equipment. Off-line monitoring systems with low range and intermediate detectors are provided. These systems are provided for the turbine building exhaust and the radwaste building exhaust.
| |
| Particulates and halogens, as well as noble gases, are monitored and recorded by the on-line gamma spectroscopy system for the reactor building elevated release duct.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-28 Radiation Exposure Meters at Various Locations Around the Plant Regulatory Guide 1.97 recommends that continuously monitoring samplers be located at various locations around the plant to assess releases from the plant.
| |
| Adequate release information is already available through ventilation release point monitoring and atmospheric conditions information available from the meteorologic conditions information center located onsite. Backup monitoring facilities are readily available on the Hanford Reservation from fixed and mobile units. Airborne Radiohalogens and Particulates (Portable)
| |
| Regulatory Guide 1.97 recommends portable sampling with onsite analysis capability for airborne halogens and particulates.
| |
| Portable air samples and a radioanalytical laboratory are maintained by the plant health physics group capable of measuring concentrations from 10-9 µCi/cm3 to 10-3 µCi/cm3.
| |
| Plant and Environs Radiation (portable)
| |
| Regulatory Guide 1.97 recommends portable monitoring instrumentation capable of measuring gamma and beta dose rates from 10-3 R/hr to 104 R/hr.
| |
| The plant health physics personnel maintain such portable instruments onsite.
| |
| Plant and Environs Radioactivity Contrary to the Regulatory Guide 1.97 recommendation regarding the availability of a portable multichannel gamma ray spectrometer, alternative, equivalent methods are used to meet the intent of Regulatory Guide 1.97, Revision 2, Table 2, Plant and Environs Radioactivity (portable instrumentation).
| |
| | |
| Computerized dose projection capability is provided in certain emergency centers, with the capability to back fit field team sample results to verify initial dose projection calculations. Detection of fission products in the accident effluent stream is indicated by the presence of iodine. Field team air sample results are obtained by purging noble gasses from a silver zeolite cartridge and measuring the remaining radioactivity, which is conservatively assumed to be iodine until proven otherwise by a detailed analysis. Determination of the presence of iodine in the air sample indicates a degree of failed fuel cladding and fission product barrier breakdown. Onsite radiological analytical capability exists within the plant to perform detailed analysis. Near site capability is also available at the Emergency Operations Facility to perform detailed COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-29 analysis of field team samples. Additionally, agreements exist through Washington and Oregon analytical laboratories for analysis of field team samples by their respective emergency plans. This analytical and release assessment capability meets the intent of Regulatory Guide 1.97 without the need to maintain portable multichannel gamma-ray spectrometers. Wind Direction and Speed (Table 7.5-1, items 17 and 18)
| |
| Regulatory Guide 1.97 recommends that wind speed and direction be available on Category 3 instruments. Wind speed should be monitored from 0 to 67 mph and the direction from 0° to 360°.
| |
| | |
| Wind speed and direction is determined by instruments located on the meteorological tower and transmitted to the meteorological information center. This information is recorded in the control room.
| |
| | |
| Estimation of Atmospheric Stability (Table 7.5-1, item 19)
| |
| Regulatory Guide 1.97, based on vertical temperature differences spaced at set intervals down the meteorological tower, recommends that atmospheric stability (temperature inversion) be detected.
| |
| | |
| Vertical temperature stratification information is recorded in the control room.
| |
| Postaccident Sampling System (See Section 11.6)
| |
| Onsite and/or offsite facilities are provided to analyze primary coolant and containment air grab samples for variables and ranges listed in Regulatory Guide 1.97.
| |
| Reactor Building Pressure (Table 7.5-1, item 41)
| |
| Reactor building pressure is the controlling variable for the SGTS during accident conditions. Flow through the SGTS is automatically regulated to maintain the reactor building at minus 0.25 in. water column to prevent outleakage of potentially radioactive gases.
| |
| Emergency Core Cooling System Pump Room Flood Level (Table 7.5-1, item 42)
| |
| One level switch is provided in each of the ECCS and the RCIC pump rooms to monitor room flood conditions (due to breaks and/or leaks) in the rooms. Annunciators and safety-related indications are activated in the control room if flood levels reach 6 in. above the floor.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-30 Fuel Pool Cooling Flow (Table 7.5-1, item 43) Two redundant flow transmitters (one for each loop) monitor loop flows and send signals to control room indicators.
| |
| | |
| Fuel Pool Temperature (Table 7.5-1, item 44)
| |
| Two redundant temperature elements monitor fuel pool water temperature and send signals to control room indicators. Standby Service Water Radiation (Table 7.5-1, item 45)
| |
| For a short period of time during RHR shutdown cooling mode operation the RHR system pressure may exceed that of the SW system. If any RHR heat exchanger tube leaks have developed, it is possible, during accident conditions, to bypass secondary containment radioactivity release processing. To ensure that releases are monitored and appropriate actions taken as required, each of the SW Division 1 and Division 2 loops is provided with a radioactivity monitor providing input to a continuous indication located on a control room back panel. In addition, high radioactivity levels are annunciated in the control room and also recorded on a panel recorder.
| |
| | |
| Radioactive Gaseous Effluent Release Path Vent Flow Rate (Table 7.5-1, item 9)
| |
| Regulatory Guide 1.97 (for Type E) recommends that all effluent release paths from the plant be monitored from 0 to 110% of design flow, for the purpose of release assessment. The three release paths for CGS are via the reactor, turbine, and radwaste buildings. All three are monitored and trended on the plant TDAS system. Additionally the reactor building vent flow is recorded in the control room and the turbine building vent flow is recorded locally.
| |
| 7.
| |
| | |
| ==5.3 REFERENCES==
| |
| | |
| 7.5-1 Letter from B. A. Boger, NRC, to C. L. Tully, BWROG,
| |
| | |
| ==Subject:==
| |
| NRC Evaluation of BWR Owner's Group Topical Report NEDO-31558, Position on NRC Regulatory Guide 1.97, Revision 3, Requirements for Post-Accident Neutron Monitoring System (TAC M77660), dated January 13, 1993.
| |
| 7.5-2 Letter GO2-99-142 from R. L. Webring, Supply System, to NRC,
| |
| | |
| ==Subject:==
| |
| WNP-2 Operating License NPF-21 Request for Amendment, Post-Accident Neutron Flux Monitoring, License Condition 2.C.(16), Attachment 2, Item 3(b), dated July 29, 1999.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.5-31 7.5-3 Letter GO2-00-037 from D. W. Coleman, Supply System, to NRC,
| |
| | |
| ==Subject:==
| |
| WNP-2 Operating License NPF-21 Request for Amendment, Post-Accident Neutron Flux Monitoring, License Condition 2.C.(16), Attachment 2, Item 3(b) (Additional Information), dated February 28, 2000. 7.5-4 Letter GI2-00-088 from J. Cushing, NRC, to J. V. Parrish, Energy Northwest,
| |
| | |
| ==Subject:==
| |
| WNP Issuance of Amendment re: Wide Range Neutron Monitoring System (TAC NO. MA6165), dated May 18, 2000.
| |
| COLUMBIA GENERATING STATION Amendment 57 FINAL SAFETY ANALYSIS REPORT December 2003 Table 7.5-1 Safety-Related Display Instrumentation Design Criteria Type Readout Number of Channels Range Type and Categorya Location LDCN-00-093 7.5-33 1. Reactor vessel pressure Recorder MS-LR/PR-623A,Bb 2 0 to 1500 psig A,1 CR 2. Reactor vessel water level Recorder MS-LR/PR-623A,Bb 2 -150 in./0/+60 in. A,1 CR Indicator MS-LI-610b 1 -110 in. to -310 in. A,1 CR Recorder MS-LR-615 b 1 -110 in. to -310 in. A,1 CR Indicator MS-LI-605 1 0 in. to 400 in. B,3 CR Recorder RFW-LR-608 1 0 in. to 180 in. B,3 CR 3. Neutron Flux Recorders SRM SRM-LR-602A/B* 2 10-3 to 10% power (10-1 to 106 cps ) B,1 CR IRM/APRM IRM-LR-603A/B* 2 0 to 125% power B,1 CR 4. RCIC flow Indicator RCIC-FI-600/1 1 0 to 700 gpm D,2 CR 5. HPCS flow Indicator HPCS-FI-603 1 0 to 8000 gpm D,2 CR 6. LPCS flow Indicator LPCS-FI-600 1 0 to 8500 gpm D,2 CR 7.a. Drywell atmosphere temperature Recorder CMS-TR-5 1 50 to 400F D,2 CR b. Suppression pool atmosphere temperature Recorder CMS-TR-5 1 50 to 400F D,2 CR c. Drywell atmosphere temperature Indicator CMS-TI-5 1 50 to 400F D,2 CR
| |
| * See FSAR Section 7.5.2.2.3.
| |
| | |
| ~ !"#! $%#
| |
| ! & !#'
| |
| %#%!
| |
| (!!(#&)*!!'%'%!!!+,"~ !#,~-$!.'-/#+,"~ !#,~0$!.'1! %%!
| |
| !2!
| |
| +,0!/-/# %%!
| |
| !2!)1/-/2 %2 %%!
| |
| !2!/-/#!'!%
| |
| !!!
| |
| #,34/!)5#/)#!!6%!!!
| |
| #,34/!)5#/# !!!' !
| |
| #,+)/!%/7/#) !!!2 !
| |
| #,!°0#~!,~!°0# !!!28!"$
| |
| #,()/9!9:!
| |
| !#/#
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 Table 7.5-1 Safety-Related Display Instrumentation (Continued) Design Criteria Type Readout Number of Channels Range Type and Categorya Location LDCN-06-051, 07-001, 15-026 7.5-35 15. Building gaseous release monitor Recorder PRM-RR-3a CR Low range TEA-RIS-13 WEA-RIS-14 2 1 x 10-7 to 1 x 10-1 µCi/cc 1 x 10-6 to 1 x 10-1 µCi/cc E,C,2 Intermediate range PRM-LCRM-1B 2 101 to 106 cps E,C,2 High range PRM-LCRM-1C PRM-COMP-1 TEA-RIS-13 WEA-RIS-14 2 101 to 106 cps Isotopic 1 x 10-3 to 1 x 10+3 µCi/cc 1 x 10-3 to 1 x 10+3 µCi/cc E,C,2 E,3 16. Containment instrument air Indicator CIA-PI-21A,B 2 0 to 300 psig D,2 CR 17. Wind speed Recorder MET-WSR-4 1 0 to 90 mph E,3 CR 18. Wind direction Recorder MET-WDR-4 1 0 to 540 E,3 CR 19. Temperature differential Recorder MET-TR-1 1 15F E,3 CR 20. Radiation exposure rate and reactor building or secondary containment area radiation Recorder ARM-RR-32 3 10-1 to 104 R/hr E,3 CR 21. SRV position indication Direct indication MS-VPI-LVDT-1A through LVDT/5C 18 Closed or not closed D,2 CR Recorder MS-TR-614 18 0 to 600F D,3 CR COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 Table 7.5-1 Safety-Related Display Instrumentation (Continued) Design Criteria Type Readout Number of Channels Range Type and Categorya Location LDCN-12-020 7.5-36 22. Power supply monitoring Voltmeter/ammeter Various D,2 CR Voltmeters 0 to 5.25 kV ac HPCS-VM-R610 DG-VM-DG1/A DG-VM-DG1/B DG-VM-DG1/C DG-VM-DG2/A DG-VM-DG2/B DG-VM-DG2/C E-VM-SM/7 E-VM-SM/8 Various D,2 CR Voltmeters 0 to 600 V ac E-VM-SL71 E-VM-SL73 E-VM-SL81 E-VM-SL83 Various D,2 CR Voltmeters 0 to 300 V ac E-VM-PP7AA E-VM-PP8AA Various D,2 CR Voltmeters 0 to 300 V dc E-VM-DPS2/1 Various D,2 CR Voltmeters 0 to 150 V dc HPCS-VM-R618 E-VM-DPS1/1 E-VM-DPS1/2 Various D,2 CR Voltmeters 0 to 30 V dc E-VM-DP/S0/A E-VM-DP/S0/B Various D,2 CR COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 Table 7.5-1 Safety-Related Display Instrumentation (Continued) Design Criteria Type Readout Number of Channels Range Type and Categorya Location LDCN-12-020 7.5-37 Ammeters Various D,2 CR 22. Power supply monitoring (continued) HPCS-AM-B1 HPCS-AM-C1 E-AM-C0/1A/1B E-AM-C0/2A/2B E-AM-B0/1A/1B E-AM-B0/2A/2B E-AM-C1/1 E-AM-C1/2 E-AM-C2/1 E-AM-B1/1 E-AM-B1/2 E-AM-B2/1 E-AM-IN2/A E-AM-IN2/B E-AM-IN3/A E-AM-IN3/B E-AM-7/71 E-AM-7/73 E-AM-8/81 E-AM-8/83 DG-AM-DG1 DG-AM-DG2 HPCS-AM-R607 23. Feedwater flow Indicator RFW-FI-604A,B 2 0 to 8.5 x 106 #/hr D,3 CR 24. CST level indicator Indicator COND-LI-40A,B 2 0 to 35 ft D,3 CR 25. RHR flow (LPCI and shutdown cooling) (drywell spray) Indicator RHR-FI-603A,B,C 3 0 to 10,000 gpm D,2 CR 26. RHR heat exchanger outlet temperature Recorder (2 pen)
| |
| RHR-TRS-601 2 0 to 500F D,3 CR 27. SLCS flow rate Indicator SLC-FI-1 1 0 to 100 gpm D,2 CR 28. SLCS tank level Indicator SLC-LI-601 1 0 to 5000 gal D,3 CR
| |
| | |
| ~ !"#! $%#
| |
| ! & !#'
| |
| %#%!
| |
| (!!(#&)*+,-#.'% ~!.-~!%#).!0~!.1~+/2!/%#).!0 ~!
| |
| .~!°1#)3!0!31//
| |
| 2/2!4/#))(44)(44)(44)!565!!7)0 %~!!7)0 %)! !
| |
| #8-//!9)%/!%)/!*%/2//2/
| |
| /2/##
| |
| #)*4%5!!!~!:!!#)+#!!!!!~!1 !! 2/)#!!!55!!~!#!!!!2/#! %!'
| |
| "$!
| |
| 4/2)!9.##4##;#~# !!!!5~%%'
| |
| 1(~!";!!$!/#
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.5-1 Safety-Related Display Instrumentation (Continued) Design Criteria Type Readout Number of Channels Range Type and Categorya Location 7.5-39 43. FPC flow Indicator FPC-FI-16,17 2 0 to 1200 gpm D,2 CR 44. Fuel pool temperature Indicator FPC-TI-7,8 2 0 to 225°F D,2 CR 45. SW radiation monitor Indicator SW-RIS-604, SW-RIS-605 2 10-1 to 106 cps E,C,2 CR a The instruments meet the recommendations required by the category type as described in Regulatory Guide 1.97, Revision 2, unless otherwise noted in text discussion.
| |
| b These instruments are Technical Specifications postaccident monitoring instrumentation.
| |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-116 7.6-1 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY 7.6.1 DESCRIPTION
| |
| | |
| The instrumentation and control systems required for safety not discussed in other sections include the following:
| |
| : a. Process radiation monitoring system,
| |
| : b. High-pressure/low-pressure systems interlocks, c. Leak detection system (LDS), d. Neutron monitoring system (NMS),
| |
| : e. Recirculation pump trip (RPT) system, f. Spent fuel pool cooling and cleanup (FPC) system, and g. Suppression pool temperature monitoring (SPTM) system.
| |
| The sources which supply power to the safety-related systems described in this section originate from onsite ac and/or dc safety-related buses or, as in the case of the fail-safe NMS logic and portions of the LDS, from the non-safety-related reactor protection system (RPS) motor-generator (MG) sets. See Chapter 8 for a complete description of the safety-related systems power sources.
| |
| | |
| 7.6.1.1 Process Radiation Monitoring System The safety-related portions of the process radiation monitoring system are described in Section 7.3.1.1.2.
| |
| 7.6.1.2 High-Pressure/Low-Pressure Systems Interlocks and Alarms 7.6.1.2.1 Function
| |
| | |
| Instrumentation and controls are provided to prevent overpressurization of low-pressure piping which interface with the reactor coolant pressure boundary (RCPB).
| |
| 7.6.1.2.2 Operation Flow diagrams for the systems involved are shown in Figures 5.4-11, 5.4-15 and 6.3-4. Component control logic and alarms for the systems involved are shown in Figures 7.3-7, 7.3-9, 7.3-10 and 7.4-1. Instruments are listed in Table 7.6-1.
| |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-116 7.6-2 High-pressure/low-pressure interlocks are provided to sense reactor pressure and prevent the following valves from opening until reactor pressure is below system design pressure: Interlocked Process Line Type Valve Residual heat removal (RHR) shutdown cooling suction MO RHR-V-9 (F009) RHR-V-8 (F008) RHR shutdown cooling return MO RHR-V-53A RHR-V-53B (F053) RHR head spray MO RHR-V-23 (F023) LPCI injection MO RHR-V-42A,B,C (F042) LPCS injection MO LPCS-V-5 (F005) The interlock for RHR-V-9, suction valve inside the primary containment is redundant and diverse from the interlock for RHR-V-8, suction valve outside the primary containment to ensure that at least one of two valves in series will always isolate when required. Diversity is provided by selecting pressure sensors from two different manufacturers.
| |
| Each sub-system process line listed below is provided with an overpressure switch. The pressure switch activates an alarm in the control room to alert the operator to an intersystem leakage situation where a leaking shutoff valve may result in the sub-system pressure exceeding design limits.
| |
| | |
| The associated pressure switches are shown on the respective system flow diagrams.
| |
| a. RHR shutdown cooling suction, b. RHR A, B, and C pump discharge, c. Low-pressure core spray system (LPCS) pump discharge, d. High-pressure core spray (HPCS) pump suction, and e. Reactor core isolation cooling (RCIC) pump suction.
| |
| 7.6.1.3 Leak Detection System The safety-related portions of the LDS are as follows: a. Main steam line leak detection, b. RCIC system leak detection, COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 LDCN-11-005 7.6-3 c. RHR system leak detection,
| |
| : d. Reactor water cleanup (RWCU) system leak detection,
| |
| : e. Drywell/reactor building leak detection, f. Auxiliary steam line leak detection, g. ECCS pump room flooding detection.
| |
| 7.6.1.3.1 Function
| |
| | |
| The LDS instrumentation and controls are designed to monitor leakage from the RCPB plus other specific leakage within the Reactor Building and initiate alarms and/or isolation when predetermined limits are exceeded. See Sections 5.2.5, 3.6.1.15.3 and 9.3.3.2.2.1.
| |
| 7.6.1.3.2 Operation
| |
| | |
| LDS instrument arrangement drawings which contain operator information displays are shown in Figures 7.6-1 and 7.6-2. Instruments are listed in Table 7.6-2.
| |
| Systems or parts of systems that are in direct communication with the reactor vessel are provided with leakage detection systems.
| |
| | |
| The required leakage detection system inside the primary containment is designed with a capability to detect leakage less than established leakage rate limits. See the Technical Specifications for the specific values.
| |
| Major components within the primary containment that by nature of their design are sources of leakage (e.g., pump seals, equipment warming drains), are collected ultimately in an equipment drain sump located in the reactor building and thereby identified.
| |
| Equipment associated with systems within the primary containment (e.g., vessels, piping, fittings) share a common volume. Steam or water leaks from such equipment are collected ultimately in the floor drain sumps located in the reactor building and identified if possible.
| |
| Each of the sumps is protected against overflowing to prevent leaks of an identified source from masking those from unidentified sources.
| |
| Outside the primary containment, the piping within each system monitored for leakage is in compartments or rooms separate from other systems as feasible so that leakage may be detected by sump or room level, ambient or differential area temperature, or high process flow.
| |
| | |
| Sensors, wiring, and associated equipment of the LDS that are associated with the isolation valve logic are designed to withstand the conditions that follow a design-basis loss-of-coolant accident (LOCA) (see Section 3.11).
| |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-116 7.6-4 The operator is kept aware of the status of the LDS variables through displays or recorders that indicate the measured variables in the control room. If a trip occurs, the condition is annunciated in the control room.
| |
| | |
| 7.6.1.3.3 Main Steam Line Leak Detection The safety-related portions of the main steam line LDS are described in Section 7.3.1.1.2. 7.6.1.3.4 Reactor Core Isolation Cooling System Leak Detection The steam lines of the RCIC system are monitored for leaks by the LDS. Leaks from the RCIC will cause a change in at least one of the following monitored parameters. The RCIC LDS consists of the following: a. Equipment area and pipe routing area high ambient and equipment area differential temperature, b. High flow rate (differential pressure) through the steam line,
| |
| : c. The turbine exhaust diaphragm high pressure, and d. Low steam line inlet pressure.
| |
| If the monitored variables indicate that a leak may exist, the detection system initiates an RCIC isolation signal (after an approximate 3 sec delay for RCIC high flow).
| |
| The following sections describe each of the RCIC leak detection methods.
| |
| 7.6.1.3.4.1 Reactor Core Isolation Cooling Area Temperature Monitoring. The RCIC area ambient and differential temperature monitoring circuits are similar to those described for the main steam line tunnel temperature monitoring system (see Section 7.3.1.1.2).
| |
| Two redundant temperature monitoring channels are provided. Each redundant instrument provides input to one of two logic channels (Division 1 or 2).
| |
| | |
| Using 1 out of 2 logic, any RCIC equipment area or pipe routing area high ambient or equipment area high differential temperature initiates an isolation of the RCIC system.
| |
| A bypass/test switch is provided in each logic channel for the purpose of testing the temperature monitor without initiating RCIC system isolation.
| |
| Diversity is provided by RCIC steam line flow and pressure monitoring.
| |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-116 7.6-5 7.6.1.3.4.2 Reactor Core Isolation Cooling Steam Flow Rate Monitoring. The steam line flow rate from the reactor vessel to the RCIC turbine is monitored by redundant differential pressure switches. In the presence of a leak, the flow rate monitor responds by generating the auto-isolation signal. A time delay in each logic division prevents inadvertent system isolations due to pressure spikes. See Section 7.4.1.1.2.
| |
| Diversity is provided by ambient temperature, differential temperature, and RCIC steam line pressure monitoring.
| |
| 7.6.1.3.4.3 Reactor Core Isolation Cooling Turbine Exhaust Diaphragm Pressure Monitoring. The RCIC turbine exhaust diaphragm pressure is monitored by four redundant pressure switches. In the presence of a leak, the RCIC system responds by generating the isolation signal. See Section 7.4.1.1.2. Using 2 out of 2 logic high turbine exhaust diaphragm pressure initiates isolation of the RCIC system.
| |
| | |
| Diversity is provided by ambient temperature and differential temperature.
| |
| 7.6.1.3.4.4 Reactor Core Isolation Cooling Pressure Monitoring. The steam line pressure from the reactor vessel leading to the RCIC turbine is monitored by four redundant pressure switches. In the presence of a leak, the RCIC system responds by generating the auto-isolation signal. See Section 7.4.1.1.2.
| |
| Using 2 out of 2 logic low pressure in the steam line initiates isolation of the RCIC system.
| |
| Diversity is provided by ambient temperature, differential temperature, and RCIC steam line flow monitoring.
| |
| | |
| 7.6.1.3.5 Residual Heat Removal System Leak Detection Leaks from the RHR system are detected by equipment area ambient or differential temperature monitoring and by the shutdown cooling suction flow rate. If the monitored parameters indicate that a leak exists, the LDS initiates an RHR isolation signal. The RHR LDS consists of the following: a. Equipment area high ambient or high differential temperature,
| |
| : b. Shutdown cooling suction line high flow rate.
| |
| Outputs from both circuits are used to generate the RHR auto-isolation signal (one for each division) to isolate the inboard and outboard isolation valves.
| |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-116 7.6-6 The following is a description of each RHR leak detection method.
| |
| 7.6.1.3.5.1 Residual Heat Removal Area Temperature Monitoring. The RHR area temperature monitoring circuit is similar to the one described for the main steam line tunnel temperature monitoring system (see Section 7.3.1.1.2).
| |
| Two redundant temperature monitoring channels are provided. Each redundant instrument provides input to one of two logic channels (Division 1 or 2). Using 1 out of 2 logic, high RHR area ambient or differential temperature initiates an RHR isolation signal closing the RHR inboard and outboard isolation valves.
| |
| A bypass/test switch is provided in each logic channel for the purpose of testing the temperature monitor without initiating RHR system isolation.
| |
| 7.6.1.3.5.2 Residual Heat Removal Flow Rate Monitoring. Flow rate monitoring is provided on the RHR shutdown cooling suction line by redundant differential pressure switches.
| |
| Flow rates in excess of predetermined limits indicate a line leak or break.
| |
| Two redundant differential pressure switches monitor flow and each provides an input to one of the two logic channels (Division 1 or 2).
| |
| | |
| Using 1 out of 2 logic, the high flow rate initiates an isolation of the RHR inboard and outboard isolation valves.
| |
| | |
| Diversity is provided by ambient and differential temperature monitoring.
| |
| 7.6.1.3.6 Reactor Water Cleanup System Leak Detection The RWCU LDS monitors differential flow, blowdown flow, and temperature. Automatic isolation of the RWCU system isolation valves is initiated when high differential flow, high blowdown flow, or high temperature exists. The RWCU LDS consists of the following: a. Leakage monitoring by the flow comparison of RWCU system water inlet and outlet flow rate,
| |
| : b. Ambient and differential temperature monitoring, and COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-116 7.6-7 c. Monitoring the RWCU blow down line to the main condenser for high flow to mitigate a high energy line break.
| |
| The following is a description of each RWCU leak detection method:
| |
| 7.6.1.3.6.1 Reactor Water Cleanup Differential Flow Monitoring. The RWCU system inlet flow is compared to RWCU outlet flow to the feedwater lines or to the main condenser. A flow element, flow transmitter, and square root converter for each of these three lines provides signals to a common flow summer which trips two differential flow alarm units on a high differential flow condition. The high differential flow rate initiates a 45-sec time delay which bypasses the isolation signal during the normal operational system surges, i.e., pump startup or valving changes. If the high differential flow conditions still exists after the time delay, then isolation is initiated. Flow and differential flow indications are provided in the main control room.
| |
| | |
| Using 1 out of 2 logic in each logic channel (Division 1 or 2), the RWCU flow comparison monitoring initiates RWCU isolation signal. The signal closes the inboard and outboard isolation valves, after a time delay, when the flow rate difference exceeds a preset limit.
| |
| Diversity is provided by ambient and differential temperature.
| |
| 7.6.1.3.6.2 Reactor Water Cleanup Area Temperature Monitoring. See Section 7.3.1.1.2.
| |
| 7.6.1.3.6.3 Condenser Blowdown Line Flow Monitoring. The RWCU blowdown line to the main condenser is monitored to detect a high energy line break. Two redundant flow transmitters provide flow signals to two flow alarm units in the main control room. The Division 2 signal closes the inboard isolation valve and the Division 1 signal closes the outboard isolation valve when blowdown flow exceeds a preset limit after a specified time delay.
| |
| | |
| 7.6.1.3.7 Drywell Floor Drain Leak Detection The drywell floor drain sump collects unidentified leakage within the drywell. The leakage is gravity fed to the Reactor Building floor drain sump. The flow is monitored and leakage in excess of the acceptable limit is annunciated in the control room.
| |
| 7.6.1.3.8 Drywell Equipment Drain Leak Detection The drywell equipment drain sump collects identified leakage within the drywell. The leakage is gravity fed to the Reactor Building equipment drain sump. The flow is monitored and leakage in excess of the acceptable limit is annunciated in the control room.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 LDCN-06-048 7.6-8 7.6.1.3.9 Reactor Building Floor Drain and Equipment Drain Sumps Leak Detection The floor drain sumps leak detection instrumentation is designed to detect leakage from unidentified sources. The equipment drain sump leak detection instrumentation is designed to detect leakage from identified sources.
| |
| | |
| A level switch is mounted in each sump and controls the associated sump pump. The sump pump starts when the upper sump level is exceeded and turns off when the level in the sump reaches the lower setpoint. A timer is started and stopped by the upper and lower sump level switches respectively. If the timer exceeds a predetermined setpoint, high flow is annunciated. The timer resets to read when the sump pump stops. A second timer starts timing when the sump pump stops. If the sump pump starts before the second timer reaches a predetermined setpoint, high flow rate is annunciated. The timer is reset to read when the sump pump starts.
| |
| A level switch is provided for each sump for high sump water level annunciation purposes. The alarm setpoint is set above the pump start setpoint and will actuate an alarm in the main control room in the event the sump water level exceeds the switch setpoint.
| |
| In addition, the ECCS pump room floor drain sumps are provided with a drain header shutoff valve. This valve will isolate the sump from another connected pump room in the event the sump water level exceeds the valve control level switch setpoint, thus minimizing common mode flooding of more than a single pump room (see Figure 9.3-12). See Section 3.6.1.5.2 for the RCIC/CRD pump rooms.
| |
| | |
| 7.6.1.3.10 Emergency Core Cooling Systems Pump Room Flooding Detection A Class 1E level switch is provided for each of the RHR-A, RHR-B, RHR-C, RCIC, LPCS, and HPCS pump room area. Each level switch is set 6 in. above the pump room floor and will activate an alarm in the main control room in the event the pump room water level exceeds the level switch setpoint (see Figure 7.6-2). See Section 9.3.3.2.2.1.
| |
| 7.6.1.3.11 Drywell Atmosphere Radiation Monitoring System The drywell atmosphere is continuously monitored for gaseous and particulate radioactivity by redundant sampling systems. In each system the sample is drawn into the sample system by its vacuum pump. Flow control is provided to ensure proper sample flow. The sample flow path is from the sample point inside the primary containment, through the inlet isolation valve to the particulate monitor chamber. Here the sample is passed through a fixed filter where the particulate matter is deposited while allowing the noble gases to pass through.
| |
| After removal of any particulate matter as described above, the gaseous sample passes into a volume chamber where a second scintillation detector checks for noble gas activity.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-9 The sample gas then proceeds through the flow control device, vacuum pump, return line isolation valve, and is discharged back into the primary containment.
| |
| 7.6.1.3.12 Auxiliary Steam Line Leak Detection
| |
| | |
| Auxiliary steam line leak detection consists of redundant temperature sensors, temperature monitor with alarm/isolation output function, and the isolation valves (see Section 3.6.1.15.3).
| |
| When any one of the four temperature elements detects abnormally high temperature, the logic circuit actuates the closure of auxiliary steam line isolation valves (AS-V-68A or AS-V-68B) and provides audible alarm in the main control room.
| |
| Auxiliary steam line leak detection instrumentation provides testable features for motor-operated valve (MOV) closure tests.
| |
| | |
| 7.6.1.4 Neutron Monitoring System The safety-related portions of the NMS include the intermediate range monitor (IRM), local power range monitor (LPRM), average power range monitor (APRM), and oscillation power range monitor (OPRM).
| |
| | |
| The NMS instrumentation and controls are designed to monitor reactor power (neutron flux) from startup through full power operation.
| |
| | |
| The NMS uses in-core detectors, either fixed (LPRM) or removable (IRM), to determine neutron flux levels.
| |
| | |
| The NMS will initiate a scram when predetermined limits are exceeded and provide operator information during and after accident conditions.
| |
| The NMS component control logic is shown in Figure 7.6-3.
| |
| 7.6.1.4.1 Intermediate Range Monitor
| |
| | |
| 7.6.1.4.1.1 Function. The IRM monitors neutron flux from the upper portion of the source range monitor (SRM) to the lower portion of the power range monitor (APRM) as shown in Figure 7.6-4.
| |
| 7.6.1.4.1.2 Operation. The IRM has eight channels, each of which includes one detector that can be positioned in the core by remote control. See Figures 7.6-5 and 7.6-6. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is placed in the RUN position.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-10 Each detector assembly consists of a fission chamber attached to a low-loss, quartz-fiber-insulated transmission cable. When coupled to the signal conditioning equipment, the detector produces a reading of full scale on the six most sensitive ranges (8 KHz 16 KHZ flux level bandwidth). The detector cable is connected underneath the vessel to a triple-shielded cable that is connected to the preamplifier.
| |
| The preamplifier converts current pulses to voltage pulses, modifies the voltage signal, and provides impedance matching. The preamplifier output signal is then sent to the IRM signal conditioning electronics (see Figure 7.6-7).
| |
| Each IRM channel input signal from the preamplifier can be amplified and attenuated. The IRM preamplification is selected by a remote range switch that provides 10 ranges of increasing attenuation (the first six called low range and the last four called high range). As the neutron flux of the reactor core increases the signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range. The output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter, a remote meter and recorder.
| |
| The IRM scram trip functions are discussed in Section 7.2.1.1. The IRM setpoints are listed in the Technical Specifications.
| |
| | |
| The IRM range switches must be up-ranged or down-ranged to follow increases and decreases in power within the range of the IRM to prevent either a scram or a rod block. The IRM detectors must be inserted into the core whenever these channels are needed and withdrawn from the core, when permitted, to prevent unnecessary burnup.
| |
| 7.6.1.4.2 Local Power Range Monitor 7.6.1.4.2.1 Function. The LPRMs provide localized neutron flux detection over the full power range for input to the APRM.
| |
| | |
| 7.6.1.4.2.2 Operation. The LPRM includes 43 detector strings having detectors located at different axial heights in the core; each detector string contains four fission chambers. Figure 7.6-8 shows the LPRM detector radial layout scheme. The LPRM assembly consists of four neutron detector (ion chambers) permanently installed in a housing (see Figure 7.6-9), each with an associated solid sheath cable. The chambers are vertically spaced in the LPRM detector assemblies in a way that gives adequate axial coverage of the core, complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies.
| |
| Each chamber consists of two concentric cylinders, that act as electrodes. The inner cylinder (the collector) is mounted on insulators and is separated from the outer cylinder by a small COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-11 gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium-coated outer electrode. The chamber is operated at a polarizing potential of approximately 100-V dc. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage. Each assembly also contains a calibration tube for a traversing in-core probe. The enclosing tube around the entire assembly contains holes that allow circulation of the reactor coolant water to cool the ion chambers. Numerous tests have been performed on the chamber assemblies including tests of linearity, lifetime, gamma sensitivity, and cable effects (Reference 7.6-1). A modified LPRM assembly is used for measurement of electro-chemical corrosion potential (ECP). The modified assembly contains three ECP sensor strings, in addition to the neutron detectors. LPRM operation in the modified assembly is not affected by the ECP electrodes.
| |
| | |
| The current signals from the LPRM detectors are transmitted through coaxial cable to the LPRM amplifiers in the control room. The amplifier is a linear current amplifier whose voltage output is proportional to the current input and therefore proportional to the magnitude of the neutron flux. Low-level output signals are provided that are suitable as an input to the computer, recorders, etc. The output of each LPRM amplifier is isolated to prevent interference of the signal by inadvertent grounding or application of stray voltage at the signal terminal point.
| |
| | |
| When a central control rod is selected for movement, the output signals from the amplifiers associated with the nearest 16 LPRM detectors are displayed on reactor control panel meters. The four LPRM detector signals from each of the four LPRM assemblies are displayed on 16 separate meters. The operator can readily obtain readings of all the LPRM amplifiers by selecting the control rods in order.
| |
| | |
| The trip circuits for the LPRM provide trip signals to activate lights, instrument inoperative signals, and annunciators. See Table 7.6-3. These trip circuits are powered from the 24-V dc power supply and are set to trip on loss of power. They also trip when power is not available for the LPRM amplifiers. The trip levels can be adjusted from 2% to 100% of full-scale deflection and are accurate to +/-1% of full-scale deflection in the normal operating environment.
| |
| Each LPRM channel may be individually bypassed. When the maximum number of bypassed LPRMs associated with any APRM channel has been exceeded, an inoperative trip is generated by that APRM.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.6-12 Each individual detector chamber of the assembly is a moisture-proof, pressure-sealed unit. The detector assemblies are designed to operate up to 600°F and 1250 psig. The wiring, cables, and connectors located within the drywell are designed for continuous duty up to 165°F, 55% relative humidity and a 3-hr single exposure rating of 340°F at 100% relative humidity.
| |
| | |
| Power for the LPRM system is supplied by the two RPS buses. The PRNM equipment receives power from 120 Vac 50/60 Hz. Each PRNM chassis (LPRM) is powered by redundant Low Voltage Power Supply (LVPS) modules contained with a single Quad Low Voltage Power Supply (QLVPS) chassis. One LVPS module is connected to RPS power bus A and the other LVPS module connected to RPS power bus B. For maximum variation in the input voltage or line frequency, the overextended ranges of temperature and humidity, the output voltage varies no more than 2 V.
| |
| 7.6.1.4.3 Average Power Range Monitor
| |
| | |
| 7.6.1.4.3.1 Function. The function of the APRM is to average signals from the LPRMs and provide a continuous indication of average reactor power from a few percent to greater than rated reactor power. The APRM also provides signals to the OPRM which are used to detect thermal hydraulic oscillations.
| |
| | |
| 7.6.1.4.3.2 Operation. The APRM has four redundant channels. Each channel uses input signals from a number of LPRM detectors.
| |
| The APRM compares corrected LPRM values to high and low trip points and averages the filtered readings to obtain a value for the reactor average instantaneous neutron flux value (readings from bypassed LPRMs are automatically excluded from the average). Each APRM channel can average the output signals from as many as 43 LPRMs. Assignment of LPRMs to an APRM follows the pattern shown in Figure 7.6-10. Position A is the bottom position, Positions B and C are above Position A, and Position D is the topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions.
| |
| | |
| The APRM gain is adjusted using the instrument's front panel display or accepting the APRM gain calculated from the Percent Core Thermal Power (%CTP) downloaded from the core monitoring system. Each APRM instrument is designed to provide automatic periodic testing of the replaceable hardware modules in an APRM Channel at least every 15 minutes. The APRM firmware (or software) shall continuously cycle through a series of tests when the instrument keylock switch is in the "OPER" position. When the instrument keylock switch is in the "INOP" position, the module tests shall be performed under user control.
| |
| See Section 7.2.1.1 for a description of the APRM inputs to the RPS.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.6-13 The APRM system allowable values are listed in the Technical Specifications. The APRM circuit arrangement for RPS trip input is shown in Figure 7.6-11. APRM may be bypassed at any time. Each APRM provides a rod block output whenever the minimum number of LPRM inputs to it is not met. The PRNM equipment receives power from 120 Vac 50/60 Hz. Each PRNM chassis (APRM or RBM chassis) is powered by redundant Low Voltage Power Supply (LVPS) modules contained with a single Quad Low Voltage Power Supply (QLVPS) chassis. One LVPS module is connected to RPS power bus A and the other LVPS module connected to RPS power bus B. Thus, APRM Channels 1, 2, 3, and 4 are powered from the bus used for trip system A and B of the RPS. The AC buses that power an APRM channel also supply power to its associated LPRMs. 7.6.1.4.4 Oscillation Power Range Monitor 7.6.1.4.4.1 Function. The digital-based OPRM detects and suppresses reactor core power instabilities using the Option III approach described in NEDO-31960. The OPRM provides independent oscillation trip signals to the RPS when one of the instability algorithms (Period based, Amplitude based, or Growth based) for an operable OPRM cell has detected an instability condition.
| |
| 7.6.1.4.4.2 Operation. The OPRM upscale function monitors LPRMs combined into "cells" of 4 LPRMs each. The OPRM system consists of four independent channels capable of detecting thermal hydraulic instability by monitoring the neutron flux within the reactor core. The OPRM function combines the signals from each LPRM in an OPRM cell and evaluates that combined cell signal using the OPRM algorithms to detect thermal-hydraulic instabilities. An OPRM upscale trip output is generated from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals for the LPRM detectors in a cell, with the period confirmations and relative cell amplitude exceeding specific setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM upscale trip is also issued from any APRM channel is either the growth rate or amplitude based algorithms detect growing oscillatory changes in the neutron flux from one or more cells in that channel. The OPRM upscale trip output is automatically enabled (not-bypassed) when the APRM Simulated Thermal Power is equal to or above the OPRM auto-enable power setpoint and recirculation flow is equal to or below the OPRM auto-enable flow setpoint. The OPRM upscale trip output is automatically bypassed when Simulated Thermal Power and recirculation flow are not within the OPRM trip enabled region. The OPRM upscale trip is active only when the reactor mode switch is in the RUN position. At least two unbypassed APRM channels must be in the APRM upscale trip or inoperative trip state to cause an APRM/Inop RPS trip output from the ARPM 2-Out-of-4-Voter channels. Similarly, at least two unbypassed APRM channels must be in the OPRM upscale trip state or COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.6-14 inoperative state to cause an OPRM Upscale RPS trip output from the ARPM 2-Out-of-4-Voter channels. The APRM Upscale/Inop and OPRM Upscale/Inop trips are combined and input to the 2-Out-of-4-Voter channels. All four voter channels will provide RPS trip output, two to each RPS trip system. If only one unbypassed APRM channel is providing a trip output, each the four APRM 2-Out-of-4-Voter channels will have a half-trip, but no trip signals will be sent to the RPS. Removing voltage to a relay coil transmits trip outputs to RPS, so loss of power results in actuating the RPS trips. Loss of a 2-Out-of-4-Voter channel results in an RPS half-scram. The OPRM protection system provides the following control board annunciator outputs to the control room operator: OPRM TRIP ENABLED (reactor has reached the operating region where instability can occur and oscillation trip output has been enabled), OPRM ALARM (when one of the instability algorithms (Period based, Amplitude based, or Growth based) for an operable OPRM cell has exceeded user defined setpoints), OPRM TRIP (provides trip signal to RPS when one of the instability algorithms (Period based, Amplitude based, or Growth based) for an operable cell has detected an instability condition), and OPRM INOP (when the quantity of operable OPRM cells is less than the required 25 out of 30 OPRM cells for each of the four OPRM channels.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-16-005 7.6-15 7.6.1.5 Recirculation Pump Trip System 7.6.1.5.1 Function
| |
| | |
| The function of the RPT is to mitigate the thermal consequences of the turbine trip and generator trip transients by tripping the recirculation pumps early in the event, producing rapid pump flow coastdown and additional core voiding, which results in a core reactivity reduction. This system is linked to the RPS such that both a scram and a pump trip occur when the turbine stop valves start to close and when turbine governor valve fast closure occurs. Both scram and RPT are bypassed at low thermal power levels.
| |
| The RPT system is required to trip both recirculation pumps from their normal power source within 200 msec after a turbine/generator trip or load rejection event occurs with reactor power level greater than 29.5% of rated thermal power. This trip cannot be prevented or caused by any single component failure in the system.
| |
| 7.6.1.5.2 Operation
| |
| | |
| The RPT logic is derived from relays in the RPS which are activated by turbine stop valve limit switches and turbine control valve oil pressure switches. Contacts from these relays are arranged in a logic scheme so that deenergizing various combinations of the relays will energize the RPT trip coil in each of two main power source circuit breakers provided for each recirculation pump (see Figures 7.6-12 and 7.6-13).
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-16-005 7.6-16 Each main circuit breaker has two trip coils. One trip coil is activated by an RPT signal only. The other trip coil is activated by all other breaker trip functions. The dual trip coils serve to separate the breaker safety function from its non-safety functions.
| |
| Turbine governor valve fast closure signals to the RPT system from the RPS are derived from oil line pressure switches located on each of the four fast-acting control valve hydraulic mechanisms (see Figure 7.6-14).
| |
| Turbine stop valve closure signals to the RPT system from the RPS are derived from valve stem position switches mounted on the four turbine stop valves. The switches open before the valve is more than 10% closed to provide the earliest positive indication of valve closure (see Figure 7.6-15).
| |
| Turbine first-stage pressure signals to the RPT system from the RPS are derived from four pressure switches. The pressure switches trip at a pressure setpoint corresponding to 29.5% power to bypass the turbine stop valve and turbine control valve fast closure trips below this value (see Figure 7.6-14).
| |
| The RPT, when initiated, completes the recirculation pumps circuit breakers trip. Restarting the pumps for normal power operation requires deliberate operator actions.
| |
| Channel and logic relays are fast-response, high-reliability relays from the RPS. The relays are selected so that the continuous load will not exceed 50% of the continuous duty rating. The total response time from start of the turbine control valve fast closure signal or the turbine stop valve closure signal to complete suppression of the electric arc between the fully open contacts of the pump motor circuit breaker is less than 200 msec on a 60 Hz basis. With the adjustable speed drive (ASD) installation, this time delay varies from 185 to 200 msec.
| |
| The RPT logic is illustrated in Figure 7.6-13. The system is arranged as two separately powered trip systems. Each logic trip system has at least two channels of the monitored variable. Either of the two automatic trip systems will trip both of the two recirculation pump motors.
| |
| | |
| Table 7.6-4 provides a summary of the recirculation system trip functions and actions. 7.6.1.5.2.1 Bypasses and Interlocks. With the reactor power under 29.5%, the RPT is automatically bypassed by four pressure switches associated with the turbine first stage. Any one of the four channels in a bypass state initiates main control room annunciation. A manual key-locked bypass switch is provided for each of the two RPT systems, located on the relay panels, for logic testing. Placing the manual switch in bypass position initiates a control room annunciator. The RPT is not inhibited, since the redundant system is operable.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-17 The RPT system initiation logic is composed of contact from the RPS sensor channel relays. The interlock is performed using separate relay contacts so that no failure in the RPT system can prevent an RPS scram.
| |
| 7.6.1.5.2.2 Redundancy. The RPT is divided into two divisions. Each division duplicates the function of the other to the extent that either system performs the pump motor power supply trip regardless of the state of operation or failure of the other trip system. The turbine stop valve closure and turbine governor fast valve closure signals are diverse inputs to the RPT for pump motor trip. Each pump motor is provided with two circuit breakers in series tripped from redundant division logic.
| |
| | |
| 7.6.1.5.2.3 Testability. The RPT system logic can be tested during reactor operation without pumps trip and without inhibiting the pumps trip function by the redundant system.
| |
| A key-locked bypass switch for system circuit testing is provided for each system located at the RPS relay cabinets.
| |
| | |
| Since the RPT system logic consists of relay contacts actuated in the RPS, the RPS surveillance tests will include the testing of the RPT logic system. See Section 7.2 for RPS testing.
| |
| 7.6.1.5.2.4 Environmental Considerations. The electrical equipment and devices of the RPT system are located in the control building and in the electrical equipment rooms. These areas have a controlled environment isolated from an accident environment ensuring reliable operation. The logic channel sensors located at the turbine-generator are discussed in Section 7.2.
| |
| 7.6.1.5.2.5 Operational Considerations. The sensor channel logic relays are normally energized with contacts open in the RPT system logic. Loss of both RPS MG buses or sensor variables out of tolerance will cause RPT.
| |
| | |
| The RPT system has no manual trip feature. The pump motor power supply circuit breakers have their normal manual control switches at the control room panels for normal pump start and stop operation. These controls are isolated from the RPT circuits. Circuit breaker status indications for the operator consist of a green pilot light for breaker open position and one red pilot light for breaker closed. 7.6.1.6 Spent Fuel Pool Cooling and Cleanup System 7.6.1.6.1 Function
| |
| | |
| The function of the FPC system is to remove decay heat from the spent fuel storage pool to ensure adequate cooling of irradiated stored fuel assemblies. The FPC system also purifies the COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-14-049 7.6-18 storage pool water, maintains water clarity for fuel handling operations, and fills and drains the fuel transfer canal. See Section 9.1.3.
| |
| 7.6.1.6.2 Operation
| |
| | |
| Schematic arrangement of the FPC system mechanical equipment is shown in Figure 9.1-5. The FPC system component control logic is shown in Figures 7.6-16 through 7.6-26. Instruments are listed in Table 7.6-5. Operator information displays are shown in Figure 9.1-5 and Figures 7.6-16 through 7.6-26.
| |
| The FPC system consists of two redundant cooling loops. System operation is discussed in Section 8.1.3.
| |
| | |
| Instrumentation is provided to monitor the pool temperature, pool level, pump discharge pressures, and water conductivity to allow the control room operator to assess system operation. Channels provided versus channels required for protective action completion are listed in Table 7.6-6.
| |
| 7.6.1.7 Suppression Pool Temperature Monitoring System 7.6.1.7.1 Function
| |
| | |
| The SPTM system is designed to monitor suppression pool water temperature and alert the plant operator to the potentially hazardous condition of elevated pool water temperature.
| |
| The instrumentation for the SPTM system is shown in Figure 5.4-12. Instruments are identified in Table 7.6-7.
| |
| 7.6.1.7.2 Operation
| |
| | |
| The SPTM system consists of two separate divisions, each with 12 dual element thermocouples and multipoint recorder. The 24 channels are at eight locations evenly spaced around the perimeter of the pool. Sixteen channels are arranged in an upper ring at el. 465 ft 5.75 in. The remaining eight channels are mounted at el. 447 ft 10.25 in. Each quadrant contains four upper level and two lower level thermocouples. This arrangement was chosen to track stratification. Average suppression pool temperature is recorded in the control room using data from eight channels, one per division per quadrant. Temperature indication from all 24 channels is available at the control room. Additionally, a separate indicator is available for direct readout of suppression pool average temperature (Division 1 only).
| |
| The time constant for the thermocouples is no greater than 15 sec. The time from thermocouple signal input to initiation of alarm is no greater than 60 sec.
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-19 Each division of the SPTM system is provided with a multipen recorder for individual thermocouple temperature recording, a microprocessor for averaging the thermocouple outputs of both divisions and providing an average bulk suppression pool temperature, a recorder for recording the average bulk temperature, and audiovisual annunciators which alarm on abnormally high suppression pool temperature outputs of each division and of the bulk temperature averaging system.
| |
| 7.6.1.8 Design Basis The safety-related systems described in this section are designed to provide timely protective action inputs to other safety systems to protect against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are also presented in Chapter 15. The station conditions which require protective actions are described in Chapter 15.
| |
| 7.6.1.8.1 Variables Monitored to Provide Protective Actions The following variables are monitored to provide protective action inputs:
| |
| : a. High pressure/low pressure system interlocks - reactor pressure; b. LDS 1. RCIC area temperatures - differential and ambient, 2. RCIC steam line flow rate, 3. RCIC turbine exhaust diaphragm pressure, 4. RCIC steam line pressure, 5. RHR area temperatures - differential and ambient, 6. RHR shutdown cooling suction flow (not credited in the Columbia Generating Station [CGS] accident analysis), 7. RWCU area temperatures - differential and ambient, 8. RWCU differential flow (not credited in the CGS accident analysis), 9. RWCU blowdown line flow, COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-20 10. Identified and unidentified leakage from the drywell floor and equipment drain sumps, 11. Drywell atmosphere radiation monitor, 12. Main steam pipe tunnel area temperatures - differential and ambient, 13. Auxiliary steam line area temperature, 14. Reactor building floor drain and equipment drain sumps level, 15. Emergency core cooling systems (ECCS) pump room level;
| |
| : c. NMS 1. IRM neutron flux, 2. APRM neutron flux;
| |
| : d. RPT system
| |
| | |
| 1. Turbine throttle valve closure, 2. Turbine governor valve fast closure;
| |
| : e. Spent FPC system; and f. Suppression pool temperature monitoring system The plant conditions which require protective action involving the safety-related systems discussed in this section are described in Chapter 15.
| |
| 7.6.1.8.2 Location and Minimum Number of Sensors See the Technical Specifications for the minimum number of sensors required to monitor safety-related variables. The IRM and LPRM detectors are the only sensors which have spatial dependence.
| |
| | |
| 7.6.1.8.3 Prudent Operational Limits
| |
| | |
| Prudent operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels so that a spurious safety system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-21 postulated gross failures of the fuel or nuclear system process barrier, is kept within acceptable bounds.
| |
| 7.6.1.8.4 Margin
| |
| | |
| The margin between operational limits and the limiting conditions of operation of the safety-related systems are addressed in the Technical Specifications.
| |
| 7.6.1.8.5 Levels Levels requiring protective action are established in the Technical Specifications.
| |
| 7.6.1.8.6 Range of Transient, Steady State, and Environmental Conditions See Section 3.11 for environmental conditions. See Sections 8.2.1 and 8.3.1 for the maximum and minimum range of energy supply to the safety-related instrumentation and controls of the systems described in this section. All safety-related instrumentation and controls are specified and purchased to withstand the effects of energy supply ranges.
| |
| Environmental conditions for proper operation of the systems described in this section are discussed in Sections 3.10 and 3.11.
| |
| 7.6.1.8.7 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems Chapters 3, 6, 9, 15, and Appendix F describe the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, LOCA, pipe break outside containment, and missiles.
| |
| | |
| 7.6.1.8.7.1 Floods. The buildings containing safety-related components have been designed to meet the probable maximum flood (PMF) at the site location. See Section 2.4. Therefore, none of the functions are affected by external flooding. For a discussion of internal flooding protection see Sections 3.4 and 3.6.
| |
| 7.6.1.8.7.2 Storms and Tornadoes. The buildings containing safety-related components have been designed to withstand all credible meteorological events and tornadoes as described in Section 3.3.
| |
| 7.6.1.8.7.3 Earthquakes. The structures containing safety-related system components have been seismically qualified as described in Sections 3.7 and 3.8 and will remain functional during and following a safe shutdown earthquake (SSE).
| |
| COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 7.6-22 7.6.1.8.7.4 Fires. To protect the safety systems in the event of a postulated fire, the components have been separated by distance, electrical separation barriers, and/or fire barriers. The use of separation and barriers ensures that even though some portion of the system may be affected the safety function will not be prevented. Within the control room power generation control complex (PGCC) (underfloor cable routing ducts) heat detectors and products of combustion detectors are provided to initiate a Halon fire suppression system.
| |
| 7.6.1.8.7.5 Loss-of-Coolant Accident. The safety-related systems components described in this section and functionally required during and/or following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11. 7.6.1.8.7.6 Pipe Break Outside Containment. Protection for these components is described in Section 3.6.
| |
| 7.6.1.8.7.7 Missiles. Protection for safety-related components is described in Section 3.5.
| |
| 7.6.1.8.8 Minimum Performance Requirements Minimum performance requirements for safety-related systems instrumentation and controls are provided in the Technical Specifications and the Licensee Controlled Specifications (LCS).
| |
| 7.6.1.9 Final System Drawings Functional and architectural design difference between the PSAR and FSAR are listed in Table 1.3-8.
| |
| 7.6.2 ANALYSIS
| |
| | |
| 7.6.2.1 Safety-Related Systems - Instrumentation and Controls Chapter 15 evaluates the individual and combined capabilities of the safety-related systems described in this section.
| |
| The safety-related systems described in this section are designed such that a loss of instrument air, a plant load rejection, or a turbine trip will not prevent the completion of the safety function.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 7.6-23 7.6.2.2 Conformance to 10 CFR 50, Appendix A - General Design Criteria The following is a discussion of conformance to those General Design Criteria (GDC) which apply specifically to the safety-related systems described in this section. See Section 3.1 for a discussion of GDC which apply equally to all safety-related systems.
| |
| The GDC for the NMS and process radiation monitoring system are discussed in Sections 7.2.2.1 and 7.3.2.1.1.
| |
| GDC 12 - Suppression of Reactor Power Oscillations The NMS provides protective actions to the RPS to ensure that fuel design limits are not exceeded.
| |
| | |
| GDC 13 - Instrumentation and Control The safety-related instrumentation and controls monitor variables over their anticipated ranges for normal operation, anticipated occurrences, and accident conditions and initiate protective actions to limit or prevent fuel damage and maintain the integrity of the RCPB and the primary containment.
| |
| | |
| GDC 15 - Reactor Coolant System Design The safety-related systems provide sufficient margin to ensure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including anticipated operational occurrences. If the monitored variables exceed their predetermined settings, automatic safety actions are provided.
| |
| | |
| GDC 30, 34, 35, 38, and 40 The LDS provides means for detecting the source of reactor coolant leakage.
| |
| GDC 61, 62, and 63 The FPC system provides reliable fuel pool RHR capability. 7.6.2.3 Conformance to IEEE Standards The following is a discussion of conformance to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, that applies specifically to the safety-related systems described in this section. See Section 7.1.2.3 for a discussion of IEEE standards which apply equally to all safety-related systems.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 7.6-24 General Functional Requirement (IEEE 279-1971, paragraph 4.1)
| |
| The safety-related systems described in this section automatically initiate protective actions or provide information to the operator when a condition monitored reaches a preset level for all conditions described in Section 7.6.1. For example, the LDS initiates containment isolation by closure of containment isolation valves when area temperatures exceed preset limits.
| |
| Single Failure Criterion (IEEE 279-1971, paragraph 4.2)
| |
| The safety-related systems described in this section are not required to meet single failure criteria on an individual system basis. However, on a network basis, the single failure criteria does apply to ensure the completion of a protective function. Redundant sensors, wiring, logic, and actuated devices are physically and electrically separated such that a single failure will not prevent the protective function. See Section 8.3.1.4 for a discussion of the CGS separation criteria.
| |
| | |
| The RPT meets the single failure criterion. Sensors are electrically and physically separated with conduit provided to the RPS cabinets. The RPT signals to recirculation pump motor circuit breaker trip coils are separated into Division 1 and Division 2 and circuit breaker to pump motors are divisionally separated.
| |
| | |
| Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
| |
| See Section 3.11 for a discussion of safety system component quality. Equipment Qualification (IEEE 279-1971, paragraph 4.4)
| |
| Vendor certification verifies that the sensors associated with each of the systems required for safety trip variables, manual switches, and trip logic components located in mild environments perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the existing field experience with these components in this application, will serve to qualify these components.
| |
| See Sections 3.10 and 3.11 for a discussion of seismic and harsh environment structure, system, and component qualification.
| |
| For a complete discussion of equipment qualification for the safety-related systems described in this section, see Sections 3.5, 3.6, 3.10, and 3.11.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 7.6-25 Channel Integrity (IEEE 279-1971, paragraph 4.5) For a discussion of channel integrity for the safety-related systems described in this section under all extremes of conditions described in Section 7.6.1.8.6 see Sections 3.10, 3.11, 8.2.1, and 8.3.1.
| |
| Channel Independence (IEEE 279-1971, paragraph 4.6)
| |
| System channel independence is maintained by application of the CGS separation criteria as described in Section 8.3.1.4.
| |
| Control and Protection System Interaction (IEEE 279-1971, paragraph 4.7)
| |
| There are no control and protection system interactions for the systems described in this section. Derivation of System Inputs (IEEE 279-1971, paragraph 4.8) The variables discussed in this section are direct measures of the desired variables indicating the need for protective action.
| |
| | |
| Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9)
| |
| For a discussion of sensor checks for the safety-related systems described in this section, see Regulatory Guide 1.22 in Section 7.6.2.4.
| |
| Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
| |
| For a discussion of the test and calibration capability of the safety-related systems described in this section, see Regulatory Guide 1.22 in Section 7.6.2.4.
| |
| Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
| |
| During periodic testing, any one sensor of the safety-related systems described in this section may be valved-out-of-service and returned-to-service under administrative control procedures. Since only one sensor is valved-out-of-service at any given time during the test interval, protective action capability for the safety-related variables is maintained through the remaining redundant instrument channels.
| |
| A sufficient number of IRM channels has been provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the single failure criterion.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-16-005 7.6-26 One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be bypassed at any time. To accommodate a single failure of this bypass switch, electrical interlocks have also been incorporated into the bypass logic to prevent bypassing of more than one IRM in that trip system at any time. Consequently, with any IRM bypassed in a given trip system, three IRM channels remain in operation to satisfy the protection system requirements. The APRM system is designed so that only one APRM may be bypassed at any given time. The bypass switch is a five-position center locking joystick that mechanically switches four fiber optic signals. The bypass switch is optically isolated. When the switch is in one of the four bypass positions, light from only one of the four fiber optic signals (corresponding to the switch position) shall be allowed to pass through the switch. With an APRM bypassed, a trip of two or more APRM channels out of three will result in a trip output from all four-voter channels. The voter channels cannot be bypassed.
| |
| The LDS logic is provided with a bypass/test switch for the purpose of testing temperature sensors without initiating associated system isolation. Operation of one switch at a time will not prevent the remaining redundant isolation logic from providing system isolation if required.
| |
| The RPT system meets this design requirement as described in Section 7.6.1.5.2.1.
| |
| Operating Bypasses (IEEE 279-1971, paragraph 4.12)
| |
| There are no operating bypasses for any of the safety-related systems described in this section except for the RPT system.
| |
| | |
| The recirculation pump motors are not required to trip below 29.5% of rated power. The trip operating bypasses are automatically reinstated above 29.5% power.
| |
| Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
| |
| For a discussion of automatic bypass indication for the safety-related systems described in this section see Section 7.1.2.4, Regulatory Guide 1.47.
| |
| Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14) Access to means for bypassing any safety action or safety function is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with administrative control of the access to keys, procedurally controlled equipment lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional methods help to prevent inadvertent bypasses or to alert the plant operators to safety function bypasses occurring either COLUMBIA GENERATING STATION Amendment 57 FINAL SAFETY ANALYSIS REPORT December 2003 7.6-27 from equipment failures or from manually induced bypasses that result as part of testing, maintenance, or equipment repair activities. Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is procedurally controlled. When not in use, keys are under the administrative control of the control room supervisor/shift manager and stored in a key locker. The keys are audited once per day by the control room supervisor/shift manager. When operation of a key-locked control switch is required to be immediate, such as in the case of the reactor mode switch, the key may be left in the lock during normal plant operation to ensure timely actuation.
| |
| | |
| Multiple Set Points (IEEE 279-1971, paragraph 4.15)
| |
| There are no multiple setpoints within the safety-related systems described in this section.
| |
| Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
| |
| Initiation control logic for the safety-related systems described in this section seals in electrically and remains energized or deenergized. After initial conditions return to normal deliberate operator action is required to return (reset) the safety system logic to normal.
| |
| The FPC system is initiated manually for continuous pool cooling when the pool contains spent fuel.
| |
| | |
| Manual Initiation (IEEE 279-1971, paragraph 4.17)
| |
| For a discussion of the manual initiation capability for the safety-related systems described in this section, see Regulatory Guide 1.62 in Section 7.6.2.4.
| |
| Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279-1971, paragraph 4.18)
| |
| | |
| During reactor operation access to setpoint adjustments, calibration controls, and test points for the safety-related systems variables described in this section is under administrative control of the control room operator.
| |
| | |
| Identification of Protective Actions (IEEE 2791971, paragraph 4.19)
| |
| When a safety-related system protective action sensor described in this section exceeds its predetermined setpoint, a control room annunciator is initiated to identify that variable and a typed record is available from the process computer and transient data acquisition system.
| |
| COLUMBIA GENERATING STATION Amendment 57 FINAL SAFETY ANALYSIS REPORT December 2003 7.6-28 Information Readout (IEEE 279-1971, paragraph 4.20) The safety-related systems described in this section are designed to provide the operator with accurate and timely information pertinent to their status. This information does not give anomalous indications confusing to the operator.
| |
| | |
| System Repair (IEEE 279-1971, paragraph 4.21)
| |
| During periodic testing of the safety-related systems described in this section (except as noted) the operator can determine defective components and replace them during plant operation.
| |
| Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the NMS may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair.
| |
| | |
| The RPT system components are designed to facilitate maintenance with the exception of the turbine stop valve limit switches. The redundancy of the eight switches permits plant operation with a defective switch until access can be gained to the switches for repair.
| |
| Identification of Protection Systems (IEEE 279-1971, paragraph 4.22)
| |
| Each cabinet containing safety system components is labeled with the system designation and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified specifically as belonging to a particular safety system. See Section 8.3.1.3. Redundant racks are identified by the identification marker plates.
| |
| 7.6.2.4 Conformance to Regulatory Guides The following is a discussion of conformance to those Regulatory Guides which apply specifically to the safety-related systems discussed in this section. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems.
| |
| Regulatory Guide 1.22 (February 1972) The APRMs are calibrated to reactor power by using reactor heat balance and the traversing in-core probe (TIP) system to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined. The gain-adjustment-factors for the LPRMs are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These COLUMBIA GENERATING STATION Amendment 57 FINAL SAFETY ANALYSIS REPORT December 2003 7.6-29 adjustments when incorporated into the LPRMs permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power. The IRMs are calibrated by comparison with the APRMs.
| |
| The proper operation of the sensors and the logic associated with the LDS is verified during the LDS surveillance tests that are provided for the various components during plant operation. Each temperature monitor channel, for both ambient and differential which provide isolation signals, is connected to one element of a dual thermocouple(s).
| |
| Each temperature monitor indicates when the temperature exceeds the setpoint. To verify the thermocouple (sensor) input, a comparison of the redundant sensor readings, one from the trip channel, and the recorded channel is made. The recorded channel monitors the second element of the dual thermocouple. The first element is part of the trip channel. To test the temperature trips a simulated trip level signal is inputed to the monitor from an external source. In addition, key lock test switches are provided so that instrument and logic channels can be tested without sending an isolation signal to the system involved. Thus, a complete system check can be confirmed by checking actuation of the trip logic relay associated with each temperature monitor.
| |
| | |
| The RWCU differential flow leak detection alarm units are tested by inputting an electrical signal to simulate a high differential flow. Alarm and indicator lights monitor the status of the trip circuit.
| |
| | |
| The RPT system is testable up to but not including actual RPT circuit breaker during periodic testing of the sensor channels and logic systems. The pump trip circuit breaker testing is performed during the refueling outage.
| |
| | |
| The turbine stop valves are tested individually by closing a stop valve and verifying RPT relay operation before the control room lights indicate the valve is closed. Calibration of the limit switches is possible only during shutdown and by physical observation. The turbine governor valve closure pressure switches may be valved out, tested, and calibrated during periodic testing.
| |
| | |
| All other system instrumentation is tested and calibrated during normal reactor operation by valving out the instrumentation and supplying a test pressure source.
| |
| Regulatory Guide 1.45 (May 1973)
| |
| The leakage to the primary reactor containment from identified sources such as recirculation pump seal, fuel storage pool, head seal, etc., is separated so that flow rates are monitored separately from unidentified leakage and total flow rate can be established and monitored. The leakage from the main steam line safety/relief valves (SRVs) is identified leakage because of COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 LDCN-11-005, 11-024 7.6-30 the location of the sensors which detect this leakage, but the leakage is not completely separated from unidentified sources.
| |
| Separation of this leakage is not required since any leak from the main steam line SRVs would not be from a crack or break in the line so there would be no identified leakage from the SRV lines during plant operation which necessitates separation from unidentified leakage. The leakage to the reactor containment from unidentified sources is collected and this flow rate is monitored with an accuracy of better than 1 gal/minute. The leak detection methods used to monitor unidentified leakage include sump flow monitoring, airborne particulate radioactivity monitoring, and airborne gaseous radioactivity monitoring.
| |
| Provisions are made to monitor systems connected to the RCPB for signs of intersystem leakage, including radioactivity monitoring of process fluids (process radiation system) and reactor vessel water level monitoring [nuclear steam supply system (NSSS)].
| |
| The sensitivity and response time of each system for detection of unidentified leakage is 1 gal/minute in less than 1 hr, except for the airborne particulate radioactivity and airborne gaseous activity monitoring channels, which have sensitivities of 1E-9 microcuries/cc and 1E-6 microcuries/cc respectively, which are consistent with the sensitivities suggested for these channels by Regulatory Guide 1.45. Design calculations demonstrate that the particulate monitors are capable of detecting a 1 gpm leak in 1 hour or gaseous monitors are capable of detecting 1 gpm leak in 10 hours against a background of design leakage. The specific conditions in the design calculations under which the stated capabilities can be met are as follows: Variable Particulate Monitors Gaseous Monitors Radioisotope concentration in reactor coolant Table 5 of ANS-18.1, Source Term Specification N237, reduced by a factor of 100 GE Specification 22A2703F Rev. 3 Background leakage rate 2.1 gpm and 5.5 gpm 2.1 gpm Duration of background leakage 1 day and 100 days 1 day The leakage detection system instruments listed in Table 7.6-2 have been evaluated and shown to be available for operation following an operating basis earthquake (OBE). The particulate radioactivity monitoring channel is available for operation following an SSE.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 7.6-31 The drywell floor drain and equipment drain sumps, piping to the sumps, and the equipment drain cooler are seismically supported such that they will continue to pass leakage flow following an OBE.
| |
| The level switches are used to monitor leakage from reactor building drains to the respective sumps.
| |
| | |
| Indicators and alarms for each leakage detection system are provided in the main control room. At the site, procedures for converting various indications (e.g., temperature, t, and pressure) to a flow rate measurement will be provided by means of conversion curves whenever meaningful.
| |
| | |
| Major components within the drywell that by nature of their design are sources of leakage (e.g., pump seals) are contained and piped to an equipment drain sump and thereby identified.
| |
| Equipment associated with systems within the drywell (e.g., vessels, piping, fittings) share a common free volume, therefore, their leakage detection systems are common. Steam or water leaks from such equipment are collected ultimately in an area drain sump.
| |
| Each of the sumps are protected against overflowing leaks from one source masking those from another.
| |
| | |
| As added backup to the unidentified leakage drain system, the main steam lines within the steam tunnel are monitored by temperature detectors within the tunnel.
| |
| Regulatory Guide 1.53 (June 1973)
| |
| See Section 7.6.2.3 (IEEE 279-1971, paragraph 4.2).
| |
| Regulatory Guide 1.62 (October 1973)
| |
| The FPC system is manually initiated from the main control room by actuation of system pump and valve controls.
| |
| | |
| 7.
| |
| | |
| ==6.3 REFERENCES==
| |
| | |
| 7.6-1 Morgan, W. R., "In-Core Neutron Monitoring System for General Electric Boiling Water Reactors," APED-5706, November 1968 (Rev. April 1969).
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.6-1 High to Low Pressure System Interlocks Instrumentation Function Instrumenta 7.6-33 RHR shutdown cooling valves isolation Pressure switch (B35-N018A, B) RRC-PS-18A, B LPCI injection valve permissive Pressure switch (B22-N413A, B, D) MS-PS-413A, B, D LPCS injection valve permissive Pressure switch (B22-N413C) MS-PS-413C a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.6-2 Leak Detection System Instrumentation Function Instrumenta 7.6-34 Reactor core isolation cooling steam supply pressure low Pressure switch (E31-N022A-D)
| |
| RCIC-PS-22A-D Reactor core isolation cooling steam supply high flow Differential pressure switch (E31-N007B)
| |
| RCIC-DPIS-7B (E31-N013A, B)
| |
| RCIC-DPIS-13A, B Reactor core isolation cooling turbine exhaust pressure high Pressure switch (E31-N012A-D)
| |
| RCIC-PS-12A-D Reactor core isolation cooling equipment room high differential temperature Temperature monitor LD-MON-1A LD-MON-1B Reactor core isolation cooling equipment room high temperature Temperature monitor LD-MON-1A LD-MON-1B Reactor water cleanup/RCIC steam line routing area temperature high Temperature monitor LD-MON-1A LD-MON-1B Main steam line tunnel temperature high Temperature monitor LD-MON-2A LD-MON-2B Main steam line tunnel differential temperature high Temperature monitor LD-MON-2A LD-MON-2B COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.6-2 Leak Detection System Instrumentation (Continued) Function Instrumenta 7.6-35 Residual heat removal equipment area temperature high Temperature monitor LD-MON-2A LD-MON-2B Residual heat removal equipment area differential temperature high Temperature monitor LD-MON-2A LD-MON-2B Residual heat removal shutdown cooling suction flow rate - high Differential pressure switch (E31-N012A, B)
| |
| RHR-DPIS-12A, B Residual heat removal heat exchanger area temperature - high Room 606 Room 507 Room 605 Room 505 Temperature monitor LD-MON-2A LD-MON-2B Main steam line high flow Differential pressure switch (E31-N008A-D through E31-N011A-D)
| |
| MS-DPIS-8A-D, 9A-D, 810A-D, 11A-D Reactor building equipment drain sump level high Level switch (G11-N014A, B)
| |
| EDR-LS-14A, B COLUMBIA GENERATING STATION Amendment 60 FINAL SAFETY ANALYSIS REPORT December 2009 Table 7.6-2 Leak Detection System Instrumentation (Continued) Function Instrumenta LDCN-06-048 7.6-36 Reactor building floor drain sumps level high Level switch (G11-N006A, B)
| |
| (G11-N005A, B) FDR-LS-6A, B FDR-LS-5A, B Drywell floor drain flow high Drywell equipment drain flow high Flow recorder switch EDR-FRS-623 Drywell atmosphere particulate monitor Radiation monitor CMS-RIS-12A, 12B Drywell atmosphere noble rad gas monitor Radiation monitor CMS-RIS-12A, 12B Reactor water cleanup flow - high Flow switch (E31-N605A, B)
| |
| LD-FS-605A, B Reactor water cleanup blowdown line flow - high Flow switch LD-FS-15, 16 Reactor water cleanup heat exchanger area temperature - high Temperature monitor LD-MON-1A LD-MON-1B Reactor water cleanup heat exchanger area temperature high Temperature monitor LD-MON-1A LD-MON-1B Reactor water cleanup pump area temperature - high Pump room A Pump room B Temperature monitor LD-MON-1A LD-MON-1B COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.6-2 Leak Detection System Instrumentation (Continued)
| |
| Function Instrumenta 7.6-37 Reactor water cleanup pump area temperature high Pump room A Pump room B Temperature monitor LD-MON-1A LD-MON-1B Reactor water cleanup line routing area temperature - high Room 509 Room 511 Room 408 Room 409 Temperature monitor LD-MON-1A LD-MON-1B Auxiliary steam line area temperature -
| |
| high Temperature monitor LD-MON-1A LD-MON-1B ECCS pump rooms water level - high (See Figure 7.6-2 for a table of each room and level switch) a Instruments in parentheses are the GE designation.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 Table 7.6-3 LPRM System Trips Trip Function Trip Action Trip Setpoint Trip Action LDCN-17-001 7.6-38 LPRM downscale 2% to full scale 3% ODA and annunciator LPRM upscale 2% to full scale 100% ODA and annunciator LPRM bypass Manual switch ODA and APRM averaging compensation
| |
| | |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.6-4 Recirculation System Trip Functions Action Event A B C D E 7.6-39 1 X 2 X 3 X X 4 X 5 X 6 X 7 X 8 X 9 X 10 X Events 1. Suction or discharge block valve less than 90% open.
| |
| 2. Loss of one ASD channel.
| |
| 3. Turbine control valve fast closure or stop valve <90% open. 4. Trip of one or two operating recirculation pumps. 5. Trip of both operating recirculation pumps.
| |
| 6. Loss of one feedwater pump plus vessel low level (L4). 7. Temperature difference between the steam dome and the recirculation pump suction temperature less than 10.7F. 8. Pump motor electrical protection logic is activated. 9. Vessel low level (level 3). 10. Vessel low-low level (level 2) or vessel high pressure (ATWS).
| |
| Actions A. Trip of pump motor 6.9-kV power supply.
| |
| B. "Runback" to 15 Hz. C. "Runback" or limit speed of impacted loop to single channel capability. D. "Runback" or limit speed to a speed determined within the capability of the remaining feed pump. E. Trip of RPT breakers (ASD output).
| |
| COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.6-5 Spent Fuel Pool Cooling and Cleanup System Instrumentation Specifications Function Instrumenta Instrument Range 7.6-40 Fuel pool level alarm high Level switch LS-4, 5 6-1/8 in. Fuel pool level alarm low/cooling/cleaning isolation Level switch LS-4, 5 6-1/8 in. Fuel pool temperature indicator Temperature indicator TI-7 and TI-88 0-225F Surge tank high level alarm Level indicating switch LIS-1A, LIS-1B 0-400 in. H2O Surge tank low level alarm pump shutoff Level indicating switch LIS-3A2, LIS-3B2 0-400 in. H2O Surge tank makeup control valve open Level indicating switch LIS-3A1, LIS-3B1 0-400 in. H2O Surge tank makeup control valve shut Level indicating switch LIS-2A, LIS-2B 0-400 in. H2O Pool return flow indicator Flow indicator FI-16, FI-17 0-1200 gpm Pool return water temperature indicator Temperature indicator TI-6 0-225F Pump suction pressure low shutoff Pressure switch PS-6A, PS-6B 4-75 psig Pump discharge pressure low alarm/standby pump start Pressure switch PS-9A, PS-9B 20-180 psig Return flow to pool controller Differential pressure indicator controller DPIC-1 0-100 psid F/D bypass AOV control Differential pressure indicator controller DPIC-11 0-130 psid F/D bypass MOV control Differential pressure indicating switch DPIS-12 0-130 psig Fuel pool high temperature alarm Temperature switch TS-7, TS-8 0-225F a All instruments prefixed - FPC COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 7.6-41 Table 7.6-6 Channels Required for Protective Action Completion for the Spent Fuel Pool Cooling and Cleanup System Instrument Channel Channels Provided Minimum Channels Required Fuel pool level alarm - high 2 1 Fuel pool level alarm - low 2 1 Fuel pool temperature high alarm/indicator 2 1 Surge tank level high 2 1 Surge tank level low 2 1 Fuel pool return flow indicator 2 1 FPC Recirculation pump suction pressure low/pump shut off 1 per pump 1 per pump FPC Recirculation pump discharge pressure low alarm/standby pump start 1 per pump 1 per pump COLUMBIA GENERATING STATION Amendment 56 FINAL SAFETY ANALYSIS REPORT December 2001 Table 7.6-7 Suppression Pool Temperature Monitoring Instrumentation Function Instrument 7.6-42 Monitor suppression pool temperature Thermocouple SPTM-TE-1A, 1B through 8A, 8B; 9 through 16 Temperature recorder Multipen recorder CMS-TR-5, CMS-TR-6 Average temperature indicator SPTM-TI-5
| |
| | |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-14-004 7.7-1 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY 7.7.1 DESCRIPTION
| |
| | |
| This section describes instrumentation and controls of major plant control systems whose functions are not essential for the safety of the plant. This section also describes instrumentation and controls not essential for the safety of the plant, which are not discussed in any other FSAR section. The systems include a. Reactor vessel instrumentation,
| |
| : b. Reactor manual control system (RMCS),
| |
| : c. Recirculation flow control system,
| |
| : d. Feedwater control system,
| |
| : e. Digital Electro-Hydraulic (DEH) control system,
| |
| : f. Neutron monitoring system (NMS) - traversing in-core probe (TIP), source range monitor (SRM), rod block monitor (RBM),
| |
| : g. Process computer system and rod worth minimizer function (RWM),
| |
| : h. Loose parts detection system (LPDS), Retired
| |
| : i. Refueling interlocks,
| |
| : j. Safety/relief valve (SRV) relief function, and
| |
| : k. Transient data acquisition system (TDAS). See Tables 7.7-1 and 7.7-2 for system design and supply responsibility and similarity to licensed reactors, respectively.
| |
| 7.7.1.1 Reactor Vessel Figure 10.3-2 shows the arrangements of the sensors and sensing equipment used to monitor reactor vessel conditions.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-104, 98-117 7.7-2 7.7.1.1.1 Function
| |
| | |
| The purpose of the reactor vessel instrumentation is to monitor key reactor vessel variables to provide the operator with information during normal plant operation, startup, and shutdown.
| |
| 7.7.1.1.2 Operation
| |
| | |
| The following is a discussion of each reactor vessel variable monitored: 7.7.1.1.2.1 Reactor Vessel Temperature. The reactor vessel temperature is determined on the basis of reactor coolant temperature. Temperatures needed for operation and for compliance with the Technical Specifications operating limits are obtained from one of several sources, depending on the operating condition. During normal operation, either reactor pressure and/or the inlet temperature of the coolant in the recirculation loops can be used to determine the vessel temperature. The recirculation suction temperature (via thermocouples) is the primary temperature measurement when less than 100 psig. When greater than 100 psig, vessel pressure converted to saturation temperature is the primary measurement. During normal operation, vessel thermal transients are limited via operational constraints on parameters other than temperature.
| |
| 7.7.1.1.2.2 Reactor Vessel Water Level. Figure 7.7-1 shows the water level range and the reactor vessel tap location for each water level range. The instruments that sense the water level are differential pressure devices with a condensate reference leg calibrated to be accurate at a specific vessel pressure and liquid temperature condition. During operation, a continuous flow of gas-free water at a flow rate of about 0.12 to 0.48 gal/hr is also maintained through each reference leg to the reference leg condensing chamber to minimize the transport of dissolved noncondensable gases down the reference leg. The following is a description of each water level range shown in Figure 7.7-1: a. Shutdown water level range: This range is used to monitor the reactor water level during reactor shutdown conditions when the reactor system is flooded for maintenance and head removal. The vessel pressure and temperature conditions that are used for the calibration are 0 psig and 120°F water in the vessel. The two vessel instrument tap elevations used for this water level measurement are located at the top of the reactor vessel head and the instrument tap just below the bottom of the dryer skirt. b. Upset water level range: This range is used to monitor the reactor water level above the narrow range scale (see item c below). The design and vessel taps are the same as outlined above. The vessel pressure and temperature condition for accurate indication is at the normal power operating point. The upset water level is continuously indicated by a recorder in the control room. The upset range upper limit is higher than the narrow range upper limit. Therefore, when COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-104 7.7-3 the indication is upscale on the narrow range recorder, water level indication may be read immediately from the upset range recorder. See Section 7.7.1.4.
| |
| : c. Narrow water level range: This range uses reactor vessel taps at the elevation near the top of the dryer skirt and the taps at an elevation near the bottom of the dryer skirt. The zero of the instrument is the bottom of the dryer skirt and the instruments are calibrated to be accurate at the normal power operating point. The feedwater control system uses this range for its water level control and indication inputs. See Section 7.7.1.4.
| |
| : d. Wide water level range: This range uses reactor vessel taps at the elevation near the top of the dryer skirt and the taps at an elevation near the top of the active fuel. The zero of the instrument is the bottom of the dryer skirt (527.5 in. above the vessel bottom inside) and the instruments are calibrated to be accurate at the normal power operating point. See Section 7.5 for the safety-related features of this range.
| |
| : e. Fuel zone water level range: This range uses reactor vessel taps at the elevation near the top of the dryer skirt and the taps at the jet pump diffuser skirt. The zero of the instrument is the bottom of the dryer skirt (527.5 in. above the vessel bottom inside) and the instruments are calibrated to be accurate at 0 psig and saturated conditions. See Section 7.5 for the safety-related features of this range. To decouple the change in measured water level with changes in drywell temperature, the elevation drop from reactor vessel penetration to the drywell penetration remains uniform for the narrow-range and wide-range water level instrument lines.
| |
| 7.7.1.1.2.3 Reactor Core Hydraulics. A differential pressure transmitter indicates core plate pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly. The instrument sensing line used to determine the pressure below the core support assembly attaches to the reactor vessel nozzle N-11. An instrument sensing line is provided for measuring pressure above the core support assembly. The differential pressure of the core plate is recorded in the main control room. Another differential pressure device indicates the jet pump developed head by measuring the pressure difference between the pressure above the core and the pressure below the core plate. This is indicated locally and in the main control room. 7.7.1.1.2.4 Reactor Vessel Pressure. Pressure switches, indicators, and transmitters detect reactor vessel internal pressure from the same instrument lines used for measuring reactor vessel water level.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-104 7.7-4 7.7.1.2 Reactor Manual Control System 7.7.1.2.1 Function
| |
| | |
| The RMCS provides the operator with the means to make changes in nuclear reactivity by the operator manipulating control rods so that reactor power level and power distribution can be controlled.
| |
| | |
| This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The RMCS does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in Section 7.2. In addition, the mechanical devices of the control rod drives (CRD) and the CRD hydraulic system are not included in the RMCS. The latter mechanical components are described in Section 4.1.3.
| |
| 7.7.1.2.2 Operation
| |
| | |
| The RMCS includes the following:
| |
| a. Rod drive control system, b. Rod block trip system,
| |
| : c. Rod position probes, and
| |
| : d. Position indication electronics.
| |
| Figure 4.6-5 show the layout of the CRD hydraulic system. Figure 7.7-2 shows the functional arrangement of devices for the control of components in the CRD hydraulic system. The logic diagram for the RMCS is shown in Figure 7.7-3. Although the figure also shows the arrangement of scram devices, these devices are not part of the RMCS. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish these actions.
| |
| 7.7.1.2.2.1 Rod Drive Control System. When the operator selects a control rod for motion and operates the rod insert or withdraw control switch, independent messages are formulated in the A and B portions of the rod drive control system (RDCS). A comparison test is made of these two messages, and identical results confirmed; then a serial message in the form of electrical pulses is transmitted to all hydraulic control units (HCU). The message contains two portions: (1) the identity or "address" of the selected HCU and (2) operation data on the action to be executed. Only one HCU responds to this message and it proceeds to execute the rod movement commands.
| |
| | |
| On receipt of the transmitted signal the responding HCU transmits three portions of a message back to the control room for comparison with the original message:
| |
| : a. Hard-wire identity "address,"
| |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-104 7.7-5
| |
| : b. Operations currently being executed, and
| |
| : c. Status indications of valve positions, accumulator conditions, and test switch positions.
| |
| In either rod motion direction, the A and B messages are formulated and compared each millisecond and, if they agree, the A message is transmitted to the HCU selected by the operator. Continued rod motion depends on receipt of a train of sequential messages because the HCU insert, withdraw, and settle valve control circuits are ac coupled. The system must operate in a dynamic manner to effect rod motion.
| |
| | |
| Any disagreement between the A and B formulated messages or the responding echo message will prevent rod motion. Electrical noise disruptions will have only a momentary effect on system operation. Correct operation of the system will resume when the noise source ceases.
| |
| In Figure 7.7-4, the three modes of the solid-state RMCS are shown: a. Operator control mode: This mode (0.0002-sec duration) services the control rod selected by the operator to transmit action commands and receive status indications, i.e., presence of rod blocks.
| |
| : b. Scan mode: This mode (0.045-sec duration) continuously monitors the other control rods in the reactor, one at a time, to update their status display.
| |
| : c. Self test mode: This mode (on the order of 20 to 100-sec duration) automatically exercises one HCU at a time to ensure correct execution of actions commanded. This provides for a continuous, periodic self-test of the entire RMCS.
| |
| In the event that any discrepancy is detected in one of these three modes of operation, a rod motion inhibit is applied. This situation is alarmed and annunciated on the reactor control console as an "activity disagree" condition. The CRD control system is also designed to produce a rod motion inhibit condition should any failure of the system occur.
| |
| The cause of the discrepancy or failure must be corrected before rod movement can proceed. Note, however, that this system cannot affect normal shutdown capability via the reactor protection system (RPS).
| |
| | |
| The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod selection COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN-98-104 7.7-6 condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.
| |
| | |
| The direction in which the selected rod moves is determined by the position of four switches located on the reactor control panel. These four switches, "insert," "withdraw," "continuous insert," and "continuous withdraw" are push buttons which return by spring action to an off position. The following is a description of the operation of the RMCS during an insert cycle. The cycle is described in terms of the insert, withdraw, and settle commands from the RMCS. With a control rod selected for movement, depressing the "insert" switch and then releasing the switch energizes the insert command for a limited time. Just as the insert command is removed, the settle command is automatically energized and remains energized for a limited time. The insert command time setting and the rate of drive water flow provided by the CRD hydraulic system determine the distance traveled by a rod. The time setting results in a one-notch (6-in.) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement switch. Continuous insertion of a selected control rod is possible by holding the "insert" switch.
| |
| A second switch can be used to affect insertion of a selected control rod. This switch is the "continuous insert" switch. By holding this switch "in," the unit maintains the insert command in a continuous, energized state to cause continuous insertion of the selected control rod. When released, the "insert valves" close immediately and no settle function is available so rod motion stops via leakage past the seals.
| |
| The following is a description of the operation of the RMCS during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle commands. With a control rod selected for movement, depressing the "withdrawal" switch energizes the insert valves at the beginning of the withdrawal cycle to allow the collet fingers to disengage the index tube. When the insert valves are deenergized, the withdraw and settle valves are energized for a controlled period of time. The withdraw valve is deenergized before motion is complete; the drive then settles until the collet fingers engage. The settle valve is then deenergized, completing the withdraw cycle. This withdraw cycle is the same whether the withdraw switch is held continuously or momentarily depressed position. The timers that control the withdraw cycle are set so that the rod travels one notch (6-in.) per cycle. Provisions are included to prevent further control rod motion in the event of timer failure.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-14-003 7.7-7 A selected control rod can be continuously withdrawn if the "withdraw" switch is held in the depressed position at the same time that the "continuous withdraw" switch is held in the depressed position. With both switches held in these positions, the insert valves energize momentarily and then the withdraw valves are continuously energized. Upon releasing the switches the settle function will start.
| |
| 7.7.1.2.2.2 Rod Block Trip System. This portion of the RMCS on receipt of input signals from other systems inhibits movement or selection of control rods.
| |
| : a. Grouping of channels The same grouping of neutron monitoring equipment [SRM, intermediate range monitor (IRM), average power range monitor (APRM), and RBM] that is used in the RPS is also used in the rod block circuitry.
| |
| Half of the total monitors [SRM, IRM, APRM, RBM, reactor recirculation control (RRC) flow units, flow comparator, and scram discharge volume high level] provide inputs to one of the RMCS rod block logic circuits and the remaining half provide inputs to the other RMCS rod block logic circuit.
| |
| The rod withdrawal block from the RWM trip affects only one RMCS rod block logic. The rod insert block from the RWM function prevents both notch insertion and continuous insertion.
| |
| | |
| The APRM and RBM (see Section 7.7.1.8) rod block settings are varied as a function of recirculation flow. Analyses show that the selected settings are sufficient to avoid both RPS action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. Additional discussion of the NMS is in Sections 7.7.1.6, 7.7.1.7, and 7.7.1.8. The rod block from scram discharge volume high water level uses two nonindicating transmitter/level switches installed on the scram discharge volume. These two transmitter/level switches provide a control room annunciation of increasing level below the level at which a rod block occurs.
| |
| b. Rod block functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed in the following sections. The rod COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT April 2015 LDCN-14-004 7.7-8 Figures 7.7-3 and 7.6-3 show the rod block interlocks used in the RMCS. Figure 7.7-3 shows the general functional arrangement of the interlocks, and Figure 7.6-3 shows the rod blocking functions that originate in the NMS.
| |
| : 1. With the mode switch in the SHUTDOWN position, no control rod can be withdrawn. This enforces compliance with the intent of the shutdown mode. 2. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions: (a) Any APRM upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require RPS action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached. (b) Any APRM inoperative alarm. This ensures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or correctly bypassed.
| |
| (c) Scram discharge volume high water level. This ensures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level.
| |
| (d) Scram discharge volume high water level scram trip bypassed. This ensures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service.
| |
| (e) The RWM can initiate a rod insert block and a rod withdrawal block. The purpose of these functions is to reinforce procedural controls that limit the reactivity worth of control rods under lower power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident. Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT April 2015 LDCN-14-004 7.7-9 Additional information on the RWM function is in Section 7.7.1.10. (f) Rod position information system (RPIS) malfunction. This ensures that no control rod can be withdrawn unless the RPIS is in service.
| |
| (g) Either RBM upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.
| |
| (h) Either RBM inoperative alarm. This ensures that no control rod is withdrawn unless the RBM channels are in service or correctly bypassed. 3. With the reactor mode switch in the RUN position, any of the following conditions initiates a rod block.
| |
| | |
| (a) Any APRM downscale alarm. This ensures that no control rod will be withdrawn during power range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN mode.
| |
| (b) Either RBM downscale alarm. This ensures that no control rod is withdrawn during power range operation unless the RBM channels are operating correctly or are correctly bypassed. Unbypassed RBMs must be on scale during reactor operations in the RUN mode.
| |
| (c) Any recirculation flow unit upscale, inoperative, or comparator alarm. This ensures that no control rod is withdrawn unless the flow channels are operable, the difference between flow units is within limits, and the flow rate is not unusually high. 4. With the mode switch in the STARTUP or REFUEL position, any of the following conditions initiates a rod block:
| |
| | |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT November 2015 7.7-10 (a) Any SRM detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges. This ensures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information. (b) Any SRM upscale level alarm. This ensures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.
| |
| (c) Any SRM downscale alarm. This ensures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring.
| |
| (d) Any SRM inoperative alarm. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available.
| |
| (e) Any IRM detector not fully inserted into the core. This ensures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available.
| |
| (f) Any IRM upscale alarm. This ensures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provided a means to stop rod withdrawal in time to avoid conditions requiring RPS action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.
| |
| (g) Any IRM downscale alarm except when range switch is on the lowest range. This ensures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level. Thus, the rod block ensures that the IRM is on scale if control rods are to be withdrawn.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT November 2015 LDCN-14-004, 10-004 7.7-11 (h) Any IRM inoperative alarm. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available. c. Rod block bypasses To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are permitted as follows: 1. One SRM channel,
| |
| : 2. Two IRM channels (1 on either RPS bus A or bus B), 3. One APRM channel, and 4. One RBM channel. The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group.
| |
| These bypasses are affected by positioning switches in the control room.
| |
| A light in the control room indicates the bypassed condition.
| |
| | |
| An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM instrumentation. The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued.
| |
| | |
| An automatic bypass of the RBM rod block occurs when the power level is below a preselected level (less than 30% power) or when a peripheral control rod is selected. Either condition indicates that local fuel damage is not threatened and that RBM action is not required.
| |
| | |
| The RWM rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. The RWM can be manually bypassed for maintenance when not required by procedure.
| |
| COLUMBIA GENERATING STATION Amendment 54 FINAL SAFETY ANALYSIS REPORT April 2000 LDCN 98-104 7.7-12 7.7.1.2.2.3 Rod Position Probes. The position probe is a long cylindrical assembly that fits inside the CRD. It includes 53 magnetically operated reed switches, located along the length of the probe and operated by a permanent magnet fixed to the moving part of the hydraulic drive mechanism. As the drive, and with it the control rod blade, moves along its length, the magnet causes reed switches to close as it passes over the switch locations. The particular switch closed then indicates where the CRD, and hence the rod itself is positioned.
| |
| The switches are located as follows: one at each of 25 notch (even) positions, one at each of 24 mid-notch (odd) positions, one at the fully inserted position (approximately the same location as the "00" notch), one at the fully withdrawn position (approximately the same location as the "48" notch position), one at the overtravel full out (decoupled position), and one at the overtravel full in position.
| |
| All of the mid-notch or odd switches are wired in parallel and treated as one switch (for purposes of external connections), and the fully inserted and overtravel full-in switches are wired in parallel and treated as one switch. These and the remaining switches are wired in a 5 x 6 array (the switches short the intersections) and routed out in an 11-wire cable to the processing electronics (the probe also includes a thermocouple which is wired out separate from the 5 x 6 array). See Figure 7.7-5.
| |
| 7.7.1.2.2.4 Position Indication Electronics. The electronics consist of a set of probe multiplexer cards (one per four-rod group where the four-rod group is the same as the display grouping described later in this section), a set of file control cards (one per 11 multiplexer cards), and one set of master control and processing cards serving the whole system. All probe multiplexer cards are the same except that each has a pair of plug-in daughter cards containing the identity code of one four-rod group (the probes for the corresponding four rods are connected to the probe multiplexer card). The system operates on a continuous scanning basis with a complete cycle every 45 msec.
| |
| | |
| The control logic generates the identity code of one rod in the set and transmits it using time multiplexing to all of the file control cards. These in turn transmit the identity with timing signals to all of the probe multiplexer cards. The one multiplexer card with the matching rod identity will respond and transmit its identity (locally generated) plus the raw probe data for that rod back through the file control card to the master control and processing logic. The processing logic does several checks on the returning data. First a check is made to verify that an answer was received. Next the identity of the answering data is checked against that which was sent. Finally the format of the data is checked for legitimacy. Only a single even position or, full-in plus position "00," or full-out plus position "48," or odd, or overtravel, or blank (no switch closed) are legitimate. Any other combination of switches is flagged as a fault.
| |
| If the data passes all of these tests, it is (a) decoded and transmitted in multiplexed form to the displays in the main control panel and (b) loaded into a memory to be read by the computer as required.
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-17-001 7.7-13 As soon as data for one rod is processed, the identity for the next rod is generated and processed and so on for all of the rods. When data for all rods has been gathered, the cycle repeats. A rod information display on the reactor control panel is patterned after a top view of the reactor core. The display allows the operator to acquire information rapidly by scanning. Colored windows provide an overall indication of rod pattern and allow the operator to quickly identify an abnormal indication. The following information for each control rod is presented in the display: a. Rod fully inserted (green),
| |
| : b. Rod fully withdrawn (red),
| |
| : c. Selected rod identification (coordinate position, white), d. Accumulator trouble (amber),
| |
| : e. Rod scram (blue), and
| |
| : f. Rod drift (red). LPRM low flux levels and LPRM high flux levels are displayed on the Operator Display Assemblies (ODA) located below the display. Another display shows the positions of the control rod selected for movement and the other rods in the rod group. For display purposes the control rods are considered in groups of four adjacent rods (a four-rod group) centered around a common core volume monitored by four LPRM strings. Rod groups at the periphery of the core may have less than four rods. The four-rod display shows the positions, in digital form, of the rods in the group to which the selected rod belongs. A lighted background on the digital display indicates which of the four rods is selected for movement. The four-rod display allows the operator to focus attention on the portion of the core where rod motion is occurring. A full core rod position display would tend to be confusing and difficult to read. The ODA's permit the operator to monitor the core reactivity during rod motion. In addition, on demand by the operator, the process computer will provide a print out of all rod positions. During startup or shutdown all rods of a given sequence are either fully withdrawn or fully inserted. These patterns are indicated on the full core display with the full-in or full-out lights. In addition to the whole core display, a drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer. An indication is also provided for rod trend beyond the limits of normal rod movement. If the rod drive piston moves to the overtravel position, an alarm is sounded in the control room. The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact because COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-17-001 7.7-14 with the coupling in its normal condition the drive cannot be physically withdrawn to the overtravel position. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position. For the displays above the selected rod identification, accumulator trouble and rod scram indicators are provided by the RDCS. The ODA LPRM high and low flux level readings are provided by the power range monitor system. The remaining information to the displays and the position information for the process computer (via the RWM) are provided by the rod position information subsystem. The following main control room lights are provided to allow the operator to know the conditions of the CRD hydraulic system and the control circuitry: a. Stabilizer valve selector switch position, b. Insert command energized,
| |
| : c. Withdraw command energized,
| |
| : d. Settle command energized,
| |
| : e. Withdrawal not permissive,
| |
| : f. Continuous withdrawal,
| |
| : g. Pressure control valve position,
| |
| : h. Flow control valve position,
| |
| : i. Drive water pump low suction pressure (alarm and pump trip), j. Drive water filter high differential pressure (alarm only), k. Charging water (to accumulator) high pressure (alarm only),
| |
| : l. Scram discharge volume not drained (alarm only), and m. Scram valve pilot air header high/low pressure (alarm only). 7.7.1.3 Recirculation Flow Control System 7.7.1.3.1 Function The recirculation flow control function is to control reactor power level, over a limited range, by controlling the flow rate of the reactor recirculating water using recirculation pump speed. The recirculation flow control system is not required for safety purposes, nor required to operate during or after the design-basis accident. The system is required to operate in the normal plant environment for power-generation purposes only.
| |
| COLUMBIA GENERATING STATION Amendment 53 FINAL SAFETY ANALYSIS REPORT November 1998 7.7-15 7.7.1.3.2 Operation
| |
| | |
| Reactor circulation flow is varied by controlling the recirculation pump speed. By adjusting recirculation pump speed the change in recirculation flow will automatically change the reactor power level. Each recirculation pump has its individual manual control system as well as the capability of being controlled in unison or ganged by the master setpoint station.
| |
| Figure 7.7-6 shows a simplified control scheme for the reactor recirculation flow control system and its relationship to other nuclear steam supply system (NSSS) control schemes.
| |
| The reactor power change resulting from change in recirculation flow causes the turbine digital electrohydraulic (DEH) control system to reposition the turbine control valves. The turbine responds to the change in reactor power level by adjusting the control valves, and hence its power output, until the load/speed error signal is reduced to zero.
| |
| Operator Information Indication and alarms are provided to keep the operator informed of the status of the system and equipment and allow the operator to quickly determine the location of malfunctioning equipment.
| |
| | |
| Instrumentation provides loop flow, pump speed, and controller output and input deviation meters. Alarms are provided to alert the operator of malfunctioning control signals and increasing temperatures of cooling water. In most cases, alarms are supplemented by light indicators to more closely define the problem area.
| |
| Indicating lights are provided to indicate the status of the pump/motor control breakers. Alarms are provided to alert the operator of automatic trips and transfers of the pump/motor, malfunctions, and availability of automatic control circuitry.
| |
| The GE-FANUC reactor flow control system (RFCS) provides manual control of the RRC pump speed. The GE-FANUC is a programmable logic controller (PLC) located in panel H13-P634 in the main control room. It consists of digital control design which provides operator manual control for the RRC pump speed demand, permissive logic for starting the RRC pump motor, and runback limiter logic functions.
| |
| The operator sets the RRC pump speed from a manual ganged or individual loop control setpoint station located in panel H13-P602 in the main control room. The control station provides an adjustable speed drive (ASD) speed reference demand signal to adjust the supply frequency over the range 15 Hz to 63 Hz, which adjusts the speed of the RRC pump drive motors over the range 25% to 105% and in turn controls the recirculation flow rate.
| |
| Figure 7.7-7 shows a simplified version of the control system major functions. The individual COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT November 2015 LDCN-10-004 7.7-16 loop manual setpoint/bias station also has the ability to trim (bias) each loop speed to allow for dissimilarities in performance of the pumps. The GE-FANUC PLC consists of redundant central processing units (CPU) redundant data communication buses, and redundant genius input/output, (I/O) blocks. A single video display terminal (VDT) is located on the control benchboard, H13-P602, to provide operating status. Major component group alarms are also provided via the backlit annunciator windows located on the vertical section of H13-P602. The ASD speed demand reference signal is set by the operator. The GE-FANUC PLC conditions the speed demand signal for each loop for an acceptable ramp rate and for runback limiters, where required. The speed demand reference signal is routed from the control room to the ASD local communication panel via redundant data communication buses. At the ASD local communication panel, redundant genius I/O blocks transmit the speed demand reference signals (2-10-V dc) to the appropriate ASD loop/channel controls. The operator monitors the performance of the RRC using the indicators located on the vertical section of the benchboard H13-P602. The ASD runs at the lowest speed demand of either the limiter signal or the speed demand setpoint signal. On initiation of a limiter or development of an alarm or fault in the RFCS or ASD channel, a main control room annunciator alarms and the individual loop setpoint bias stations at H13-P602 are transferred from the ganged control to the individual loop control. Recirculation Pump Flow Measurement The recirculation loop elbow tap differential pressure is used to provide indirect core flow indication for the flow-biased simulated thermal power scram and to indicate pump performance and jet pump drive flow. In general these functions do not require high measurement accuracy, although repeatability is required. The flow-biased simulated thermal power scram requires a signal that is proportional to pump flow. The signal is used as an indicator of core flow. The proportionality constant (calibration coefficient - pressure drop versus flow) is unimportant as long as that constant does not change; that is, the element is repeatable. Control Interlocks Operating conditions have been identified that could result in cavitation of the recirculation pumps and/or jet pumps. Operating procedures require the plant operator to avoid these conditions. In the event that due to operator error these conditions are not avoided, automatic interlocks exist which will prevent operation at these conditions.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT November 2015 LDCN-10-004 7.7-17 Cavitation Protection The cavitation characteristics (thermal power level at which cavitation will occur for a given flow) of the jet pumps and recirculation pump are similar to a BWR/3 and BWR/4 except that jet pump cavitation occurs at higher thermal power levels. Protection is provided by measuring the available subcooling and reducing the pumps to 25% speed when there is inadequate subcooling. Temperature elements in the loop suction line and steam dome pressure transmitters measure the amount of subcooling available to the system. For the pump suction temperature an RTD is used. For the discharge measurement, steam dome pressure is used. With GE-FANUC digital capability a programmed "look up" table converts pressure to temperature and hence a differential temperature interlock is provided for the measurement of subcooling. If the minimum differential temperature becomes less than a predetermined value, the control logic will provide a time delayed command and run its output down to 15 Hz; hence the dual channel ASD output will reduce to 15 Hz and each recirculation pump motor will run back to 25% speed.
| |
| | |
| Feedwater Pump Trip Runback The recirculation pump(s) will runback to a specific speed setpoint in response to the combination of a feedwater turbine trip and a low reactor pressure vessel (RPV) water level (L4). If the recirculation pump(s) were operating at or below the specified speed setpoint, a change in speed will not incur. This runback feature prevents a scram from a low level condition caused by one feedwater pump trip from rated conditions based on testing results.
| |
| High Loop Flow Mismatch Mismatch of the flow in one loop to the other loop of greater than 50% is known to create abnormal conditions in the jet pumps having the lower flow. Such operation is normally precluded by operating procedures. Following a trip of one of two operating pumps, the tripped pump coasts down to zero.
| |
| | |
| Loop Suction and Discharge Isolation Valve Position The pump is tripped at less than 90% open position of either valve to prevent pump damage from no flow if isolation valve closure is initiated while the pumps are running.
| |
| Trip to 25% Speed The pumps are tripped to 25% speed in specific cases to avoid scram recovery delays due to vessel bottom head fluid stratification.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.7-18 Startup Interlocks Interlocks ensure that the following conditions are established before the recirculation pump will start:
| |
| a. The ASD is ready for operation,
| |
| : b. The suction and discharge block valves are greater than 90% open, c. The electrical protection "lock out" relay is reset, d. The pump motor breakers, end-of-cycle recirculation pump trip (EOC-RPT) breakers, and ASD source and load breakers are racked in place and closed,
| |
| : e. The RPT function is reset, and
| |
| : f. The operator manual control station is set to minimum pump speed demand.
| |
| The flow control system has been designed to limit the maximum demand signal to the ASD at a rate of less than 10% of rated pump speed/sec. This is to ensure that the RPS will not initiate scram. Interlocks are installed to ensure that this limit is not exceeded.
| |
| | |
| Recirculation Pump Speed Rate of Change Single failures can result in a recirculation pump speed maximum rate of change in both recirculation pumps of 10% of rated pump speed/sec, which may result in RPS activation. This value is the average continuous rate used in the transient analysis for the two loop controller failure event. For a one loop controller failure event, a higher than maximum rate of 25%/sec was assumed in the analysis.
| |
| The worst single failure would be an ASD control circuit failure which provides a high voltage/frequency power source to the motor.
| |
| | |
| Scram Avoidance Provisions a. One pump trip-pump inertia is greater than 21,500 lbm-ft2 to allow coastdown without an RPS trip,
| |
| : b. Recirculation pump speed runback if there is a trip of one feedwater pump and vessel low level from rated conditions based on testing results.
| |
| COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 LDCN-00-058 7.7-19 Reliability The reliability of the ASD system and its GE-FANUC controls have been evaluated in NEDC-32232-P, "WNP-2 Reactor Recirculation Adjustable Speed Drive (ASD) System Reliability Analysis," August 1993. This reliability evaluation concludes that no credible failure modes were found that could affect safety assumptions for the loss-of-coolant (LOCA), anticipated transient without scram (ATWS), transient, and stability analyses. 7.7.1.4 Feedwater Control System 7.7.1.4.1 Function
| |
| | |
| The feedwater control system controls the flow of feedwater into the reactor vessel to maintain the vessel water level within predetermined limits during all normal plant operating modes. The range of water level is based on the requirements of the steam separators. The feedwater control system uses vessel water level, steam flow, and feedwater flow as a three-element control.
| |
| | |
| Normally, the signal from the feedwater flow is approximately equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will result from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow which causes the level of the water in the reactor vessel to rise or fall accordingly. Single-element control is also available based on water level only.
| |
| 7.7.1.4.2 Operation
| |
| | |
| During normal plant operation, the feedwater control system automatically regulates feedwater flow into the reactor vessel. The system can also be manually operated (see Figure 7.7-8).
| |
| The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel.
| |
| The optimum reactor vessel water level is determined by the requirements of the steam separators. The separators limit water carry-over in the steam going to the turbines and limit steam carry-under in water returning to the core. The water level in the reactor vessel is maintained within +/-2 in. of the setpoint value during normal operation and within the high and low level trip setpoints during normal plant maneuvering transients. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow is regulated by controlling the speed of the turbine-driven feedwater pumps to deliver the required flow to the reactor vessel.
| |
| | |
| COLUMBIA GENERATING STATION Amendment 55 FINAL SAFETY ANALYSIS REPORT May 2001 7.7-20 The following is a discussion of the variables sensed for system operation. 7.7.1.4.2.1 Reactor Vessel Water Level. Reactor vessel narrow range water level is measured by three identical, independent sensing systems. For each channel, a differential pressure transmitter senses the difference between the pressure caused by a constant reference column of water and the pressure caused by the variable height of water in the reactor vessel. The differential pressure transmitter is installed on lines that serve other systems (see Section 7.7.1.1). Two of the differential pressure signals are used for indication and control and the third for indication only. The narrow-range level signal from one of the two control channels can be selected by the operator as the signal to be used for feedwater flow control. A third-narrow range level sensing channel is used in conjunction with the two control channels to provide high water level trips of the main turbine and feed pump turbines. All three narrow-range reactor level signals and reactor pressure are indicated in the main control room. A fourth level sensing system (upset range) provides level information beyond the span of the narrow range devices. The selected narrow-range water level and upset range water level signals are continually recorded in the main control room.
| |
| 7.7.1.4.2.2 Main Steam Line Steam Flow. Steam flow is sensed at each main steam line flow restrictor by a differential pressure transmitter. A signal proportional to the true mass steam flow rate is linearized and indicated in the main control room. The signals are summed to produce a total steam flow signal for indication and feedwater flow control. The total steam flow signal is recorded in the main control room.
| |
| | |
| Alarms on steam flow are provided for use in the RWM logic. Interlocks from steam flow and feedwater flow are used to initiate insertion of the RWM block. An alarm on low steam flow indicates that the above RWM insertion interlock setpoint is being approached. Alarms are also provided for (1) high and low water level and (2) reactor high pressure. Interlocks will trip the plant turbine and feedwater pumps in event of reactor high water level.
| |
| 7.7.1.4.2.3 Feedwater Flow. Feedwater is delivered to the reactor vessel through turbine-driven feedwater pumps, which are arranged in parallel. The feedwater control system sends a flow demand signal to the master level setpoint station and to the turbine governor control system. The turbine governor control system converts the flow demand signal to a turbine speed signal. On either system failure, the turbine speed signal is maintained at the steady value by each turbine operator control station, until the operator takes manual control. Both systems share data via a communications bus, and any transfer of control signal is bumpless. On reactor SCRAM, level setpoint setdown is performed in the feedwater control system. This immediately demands a low flow value, thus rapidly reducing feedwater flow and the likelihood of carryover.
| |
| | |
| Feedwater flow is sensed at a flow element in each feedwater line by differential pressure transmitters. Each feedwater signal is linearized and then summed to provide a total mass flow signal which is sent to the feedwater control system and recorded in the control room.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.7-21 Three modes of feedwater flow control and thus level control are provided. a. Startup automatic level control,
| |
| : b. Run mode automatic flow control, and
| |
| : c. Manual control.
| |
| Four level controllers are provided for startup valve control and automatic feed pump control. The master level setpoint station and startup valve control station contain, as a minimum, level setpoint digital display, signal output display, manual output control, manual/automatic switching capability, and manual setpoint adjustment. The two feed pump operator control stations contain turbine speed and pump discharge pressure displays, pump speed bias and signal output displays, manual output control, and manual/automatic switching capability. Each of these manual/automatic stations are software configured for its specific function. In the startup level control mode, measured level is compared to level setpoint within the controller. The resulting signal is conditioned by the proportional plus integral controller circuits and transmitted to the startup level control valves.
| |
| During normal operation three element automatic control is provided. The total steam flow/feed flow signal, modified by the conditioned level error signal, provides a flow demand signal to the feedwater flow control loop. The demanded flow is converted to a speed demand which is compared to actual speed for each active pump. The resulting speed error signal changes the turbine speed, zeroing the error signal.
| |
| Manual control is available by selecting manual on the controller manual/automatic stations. Flow change is accomplished by depressing the raise button or lower button depending on the desired flow change.
| |
| | |
| The level control system also provides interlocks and control functions to other systems. If the recirculation pumps are running at a speed greater than the single feed turbine capability setpoint, loss of one of the reactor feed pumps and coincident or subsequent low water level, recirculation flow is reduced to within the power capabilities of the remaining reactor feed pump. This reduction aids in avoiding a low level scram by reducing the steaming rate from rated conditions based on testing results. 7.7.1.5 Digital Electro-Hydraulic Control System 7.7.1.5.1 Function
| |
| | |
| The function of turbine pressure regulation and control is performed by the DEH system. As a direct cycle boiling water reactor the turbine is slaved to the reactor in that all (except steam to the moisture separator reheaters) steam generated by the reactor is normally accepted by the turbine. The operation of the reactor requires pressure regulation to maintain a constant COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-06-057 7.7-22 (within the range of the DEH proportional controller setting) turbine inlet pressure with load following ability accomplished by variation of reactor power.
| |
| | |
| The DEH control system normally controls the turbine governor valves to maintain this constant turbine inlet pressure. In addition, the DEH control system also operates the steam bypass valves such that a portion of nuclear boiler flow can be bypassed when operating at steam generation levels that exceed the turbine load limits as well as during the startup and shutdown phase.
| |
| The overall turbine DEH control system accomplishes the following: a. Control turbine speed and turbine acceleration, b. Control the steam bypass system to keep reactor pressure within limits, and avoid large power transients, and
| |
| : c. Control turbine inlet pressure within the DEH proportional controller range. 7.7.1.5.2 Operation
| |
| | |
| Pressure control is accomplished by controlling main steam pressure immediately upstream of the main turbine throttle and governor valves through modulation of the turbine-governor or steam bypass valves. Command signals to these valves are generated by the DEH control system which receives input from three redundant turbine inlet pressure sensors, as shown in Figure 7.7-9. For normal operation, the turbine governor valves regulate steam pressure. The plant ability to change turbine generator output is enabled by adjusting reactor power level, by varying reactor recirculation flow and by manually moving control rods. In response to the resulting steam production changes, the DEH control system adjusts the turbine governor valves to accept the steam output change, thereby regulating steam pressure and changing turbine generator power output.
| |
| 7.7.1.5.2.1 Steam Pressure Control. During normal plant operation, steam pressure is controlled by the main turbine governor valves, positioned in response to the pressure demand signal (see Figure 7.7-9). The steam bypass valves are normally closed. The DEH control system selects from three redundant pressure transmitters to control steam pressure. Separate pressure taps for each transmitter are provided at the turbine inlet. A median selector is used by the DEH control system to determine which throttle pressure transmitter is controlling. In addition, if one throttle pressure transmitter fails, the DEH control system will automatically select the higher value of the two remaining transmitters for control.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-06-057 7.7-23 The total steam flow (pressure demand) signal is limited, after passage through the low value gate (as shown in Figure 7.7-9), to that required for full power operation of the turbine (plus a deadband) or the load setpoint. Thus, if the DEH control system senses additional steam flow is needed to control reactor pressure when the governor valves have reached the load setpoint (plus a deadband) or the governor valve (position) demand limit, the control signal error to the bypass valves will increase and cause bypass valve actuation.
| |
| Control for the turbine governor valves is designed so that the valves will close upon loss of control system electric power or loss of hydraulic system pressure.
| |
| 7.7.1.5.2.2 Steam Bypass System. The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements such as during startup (pressure control, speed ramping, and synchronizing), sudden load reduction, and shutdown.
| |
| The bypass capacity of the system is approximately 25% of NSSS rated steam flow; sudden load reductions of up to the capacity of the steam bypass can be accommodated without reactor scram.
| |
| | |
| Normally, the bypass valves are held closed and the DEH control system controls the turbine governor valves, directing all steam flow to the turbine. If the speed/load demand limiter restricts steam flow to the turbine, the DEH controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine cannot accept an increase in steam flow, the main steam pressure will rise and RPS action will cause shutdown of the reactor.
| |
| | |
| The bypass valves are an automatically operated, regulating type which are proportionally controlled by the turbine DEH control system.
| |
| The turbine DEH control system provides a signal to the bypass valves corresponding to the error between the turbine governor valve opening required by the pressure demand signal by the output of the low value gate circuit and the turbine governor valve position flow limit (see Figure 7.7-9). A bias signal is provided to maintain the bypass valves closed for momentary differences during normal operational transients.
| |
| 7.7.1.5.2.3 Turbine Control System Variables. The turbine DEH control system is designed to receive input parameters of turbine throttle inlet pressure, governor and bypass valve position, and turbine speed to process the following signals in turbine modes 3 and 4: a. The pressure setpoint signal varies the turbine inlet pressure operating point, b. The pressure demand signal varies governor valve position corresponding to a steam flow from 0% to 100%,
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-16-005 7.7-24
| |
| : c. The combined turbine and bypass valve steam flow limiter signal range adjusts valve position limits to limit steam flow from 90% to 150%; however it is set equal to or less than 130% of 15.013 Mlb/hr steam flow, which is the fuel analysis limit, and
| |
| : d. The governor valve position (load) demand signal varies to close or open the valves. The governor valve position limiter limits the governor valve position demand signal so that it does not exceed the value corresponding to valves fully open. The load demand and pressure demand signals are compared and the bypass valves are opened when high steam pressure causes the pressure demand signal to be higher than the load demand signal.
| |
| 7.7.1.5.2.4 Turbine Speed/Load Control Interfaces. a. Normal control functions The DEH control system performs three major functions: a monitoring function (Tricon 1 module), a control function (Tricon 3 module), and a trip function (Tricon 2 module). The control function can also initiate a turbine overspeed trip through the Tricon 2 module. b. Normal modes of operation The DEH control system (Tricon 3) has five turbine control modes. The modes are based on a system of steps that control the operation of the turbine. These modes are normally automatically entered depending on the current operating conditions. Each mode is tightly interlocked, so the next mode is only entered when the conditions are correct. This ensures an orderly progression through the steps and appropriate actions in the event of malfunctions. The five modes are Reactor Start, Speed Control, Load Control, Turbine Follow Reactor and Overspeed Test (numbered Mode 1 through Mode 5, respectively).
| |
| : 1. Turbine Mode 1: Reactor start In Mode 1, the turbine throttle and bypass valves are controlled to allow the turbine to be latched and proceed to the speed control mode. Throttle pressure controller output demand selection only allows for control of the bypass valves to maintain throttle pressure. After a successful latch of the turbine, the sequence automatically enters Speed Control (Mode 2).
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-06-057 7.7-25 2. Turbine Mode 2: Speed control In Mode 2, the turbine speed is ramped up to near synchronous speed by using the turbine throttle valves to control turbine speed and the bypass valves to control reactor pressure. The turbine valve control is transferred from the throttle valves to the governor valves when near synchronous speed. When speed measurement reaches approximately 20 rpm below target, the throttle valve minimum limit is ramped to 100%, opening the valves fully. As the throttle valves open, the governor valve speed controller is enabled to control speed. Overspeed Protection Controller (OPC) logic is active in this mode. If nominal turbine speed is 103% speed, the OPC solenoids are energized which will close the governor and intercept valves. When turbine speed is reduced to less than 101%, the OPC solenoids close and return the DEH control system to Speed Control Mode. The sequence will proceed to Load Control (Mode 3) if the generator breaker is detected closed or Overspeed Test (Mode 5) if Overspeed Test is selected. 3. Turbine Mode 3: Load (limit) control Mode 3 is entered from Speed Control (Mode 2) when control is transferred to the governor valves and the generator output breaker is closed upon synchronizing with the grid. Mode 3 is also entered from Turbine Follow Reactor (Mode 4), when the throttle pressure controller output demand is equal to the governor valve load demand signal and when throttle pressure controller output demand is equal to the scaled valve position limit signal. See Figure 7.7-9. When entering this mode, a load reference is set along with a ramp rate providing an initial electrical load on the generator by ramping the governor valves open increasing measured electrical load. During this initial operating condition, any increase or decrease in throttle pressure results in the bypass valves operating to maintain pressure. During Mode 3, OPC remains enabled. 4. Turbine Mode 4: Turbine follow reactor Mode 4 is entered from Load Control (Mode 3) when the throttle pressure controller output demand is lower than the governor valve load COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-06-057 7.7-26 demand signal. This is an indication that the throttle pressure controller is controlling pressure by modulating the governor valves. During Mode 4, as in the Load Control Mode, a load reference is set and the throttle pressure controller sets the governor and bypass valve flow demands, provided the demand is not restrained by the flow, load, or valve position limiters. Sequential and Optimized valve management may also be selected in this Mode. In Sequential valve operation, governor valves two and three are modulated together following the same demand vs. position schedule; similarly, valves one and four are modulated together following a different schedule. Sequential valve selection is the only available selection during turbine startup and when operating below 95% electrical measured load. Optimized valve selection can only be entered if operating 95% electrical load. In Optimized valve operation, governor valves two and three follow the same schedule as if operating in Sequential valve. Valves one and four each have their own schedule. This mode allows testing the throttle valves, governor valves, reheat/intercept valve pairs, and bypass valves to meet technical specification surveillance requirements. Only one valve may be tested at a time in this mode. 5. Turbine Mode 5: Overspeed/OPC test The sequence enters Mode 5 from Mode 2, Speed Control, when the Overspeed Test Mode is selected. This Mode allows for the overspeed logic in the Control Tricon, the Trip Tricon, and each of the OPC solenoids to be tested without overspeeding the turbine. This is accomplished by ramping down the trip point to the operating speed range to initiate a trip. When the Overspeed Test select is returned to normal, the trip point automatically returns to its original setting. c. Turbine shutdown or turbine generator trip During turbine shutdown or turbine generator trip conditions, the main turbine throttle valves and governor valves are or will be closed. Reactor steam flow will then be passed through the steam bypass valves under steam pressure control, and through the reactor SRVs, as needed. See Section 10.2.2 for a complete description of the turbine generator protective and overspeed trips.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-06-057 7.7-27 d. Steam bypass operation The main turbine bypass system is designed to control steam pressure when reactor steam generation exceeds turbine requirements during plant startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine. The technical specifications require the main turbine bypass system to be operable at greater than or equal to 25% reactor thermal power (RTP). To ensure this limit is met, the bypass valve logic is set to be armed based on generator load when the reactor is approximately 20% RTP during plant startup. This accounts for any thermal losses from the reactor and the turbine generator. Fast opening of the steam bypass valves during a turbine trip, a generator load rejection, or an OPC actuation requires coordinated action with the turbine control system. When the turbine governor valves are under pressure control, no bypass steam flow is demanded. During turbine or generator trip events, fast-closure of the turbine throttle or governor valves occurs. The bypass valves fully open until load drops below 20% load, plus a 3-5 sec delay and then modulate under pressure control. The turbine governor valve demand is immediately tripped to zero as an anticipatory response, causing the bypass steam flow demand to equal the pressure regulation demand.
| |
| During an OPC actuation, fast closure of the governor and intercept valves occurs. If operating at or above approximately 20% RTP, the bypass valves will fast open. e. Loss of turbine control system power Turbine controls and valves are designed so that the turbine throttle and governor valves will close on loss of control system power or hydraulic pressure.
| |
| f. Operator information The control interface and indications for the DEH control system are via soft control on two touch screen monitors mounted on the turbine generator section of the main control board. All controls and indications for the DEH control system during the various turbine generator operational modes (such as reactor start, speed control, load control, turbine follow reactor, or overspeed/OPC test) are available to the operator from the two Human Machine Interface (HMI) touch screens.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 LDCN-06-057 7.7-28 The DEH control system is self-diagnostic, therefore in the event of a component or control malfunction, an alarm will activate to indicate the failure to the operator. Also, the DEH control system is fault tolerant and redundant, so any single failed active component can be replaced on-line without impact to power operations.
| |
| The DEH control system (load demand) receives input from three independent pressure transmitters in the main steam line upstream of the main turbine throttle valves. The pressure setpoint can be set by the operator from the HMI stations. The DEH control system has the following controls and information displayed in the main control room from the HMI stations: 1. Main steam throttle pressure transmitter A, 2. Main steam throttle pressure transmitter B, 3. Main steam throttle pressure transmitter C, 4. Main steam pressure setpoint, 5. Bypass valve position indication and controls, and 6. Main steam throttle, governor, reheat stop, and intercept valve position indication, and controls. g. Protection system interface The DEH control system is designed as a fail-safe, fault tolerant, redundant digital electro-hydraulic control system. The control system is designed to fail in a manner that is within the protection system capability for coping. See Section 3.5.1.3 for turbine missile protection and Section 10.2 for overspeed protection features.
| |
| 7.7.1.6 Neutron Monitoring System - Traversing In-Core Probe 7.7.1.6.1 Function
| |
| | |
| Flux readings along the axial length of the core are obtained by fully inserting the traversing ion chamber into one of the calibration guide tubes, then taking data as the chamber is withdrawn. The analog data is available for driving a recorder and for use by the process computer. One traversing ion chamber and its associated drive mechanism is provided for each group of seven to nine fixed in-core assemblies.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.7-29 7.7.1.6.2 Operation The number of TIP machines is indicated in Figure 7.6-10. The TIP machines have the following components:
| |
| a. One TIP detector,
| |
| : b. One drive mechanism,
| |
| : c. One indexing mechanism, and
| |
| : d. Up to 10 in-core guide tubes.
| |
| The system allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated TIP machine.
| |
| A TIP drive mechanism uses a fission chamber attached to a flexible drive cable (Figure 7.7-11). The cable is driven from outside the drywell by a gearbox assembly. The flexible cable is contained by guide tubes that penetrate the reactor core. The guide tubes are a part of the LPRM detector assembly. The indexing mechanism allows the use of a single detector in any one of 10 different tube paths. The tenth tube is used for TIP cross calibration with the other TIP machines. The control system provides for both manual and semiautomatic operation. Electronics of the TIP panel amplify and provide the TIP signal. Core position versus neutron flux may be recorded on the X-Y recorder in the main control room and is provided to the process computer. A block diagram of the drive system is shown in Figure 7.6-10. Actual operating experience has shown the system to reproduce within approximately 1.0% of full scale in a sequence of tests.
| |
| A valve system is provided with a valve on each guide tube entering the drywell. A ball valve and a cable shearing valve are mounted in the guide tubing just outside the drywell. The ball valves are closed except when the TIP is in operation. They maintain the leaktightness integrity of the drywell. A valve is also provided for a nitrogen gas purge line to the indexing mechanisms. A guide tube ball valve opens only when the TIP is being inserted. The shear valve is used only if containment isolation is required and the ball valve cannot be isolated. The shear valve, which is controlled by a manually operated key lock switch, can cut the cable and close off the guide tube. The shear valves are actuated by explosive squibs. The continuity of the squib circuits is monitored by indicator lights in the main control room. On receipt of containment isolation command from the NSSS, all detectors which are not withdrawn into the shield are withdrawn at full speed, removing the TIP detector from the containment and allowing the ball valves to close. The purge valve is also closed at this time.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.7-30 7.7.1.7 Neutron Monitoring System - Source Range Monitor 7.7.1.7.1 Function
| |
| | |
| The SRM provides neutron flux information during reactor startup and low flux level operations.
| |
| | |
| 7.7.1.7.2 Operation There are four SRM channels. Each includes one detector that can be physically positioned in the core from the control room (see Figures 7.6-8 and 7.7-10). The detectors are inserted into the core for a reactor startup. They can be withdrawn if the indicated count rate is between preset limits or if the IRM is on the third range or above (see Figure 7.6-10).
| |
| During initial fuel load neutron flux was monitored by source range neutron monitoring channels, providing a scram signal when the preset flux level of any channel has been reached. The logic was removed from the scram circuitry after initial fueling by the installation of "shorting links."
| |
| | |
| The "shorting links" may be periodically removed from the RPS circuitry during control rod withdrawal to perform a shutdown margin demonstration. See Section 7.2.1.1 for the verification requirement for "shorting links" removal.
| |
| Each detector assembly consists of a miniature fission chamber and a low-noise, quartz-fiber-insulated transmission cable. The sensitivity of the detector is 1.2 x 10-3 cps/nv nominal, 5.0 x 10-4 cps/nv minimum, and 2.5 x 10-3 cps/nv maximum. The detector cable is connected underneath the reactor vessel to the multiple-shielded coaxial cable. This shielded cable carries the pulses of a pulse current preamplifier located outside the drywell.
| |
| The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote controlled detector drive system moves the detector along the dry tube. Vertical positioning of the chamber is possible from above the centerline of the active length of fuel to 30 in. below the reactor fuel region (see Figures 7.6-6 and 7.6-5). When a detector arrives at a travel end point, detector motion is automatically stopped. The SRM/IRM drive control arrangement and logic are presented in Figures 7.6-6 and 7.6-3. The electronics for the SRMs, their trips, and their bypasses are located in four cabinets. Source range signal conditioning equipment is designed so that it can also be used for open vessel experiments.
| |
| | |
| A current pulse preamplifier provides amplification and impedance matching for the signal conditioning electronics (Figure 7.7-10).
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.7-31 The signal conditioning equipment converts the current pulses to analog dc currents and voltages that correspond to the logarithm of the count rate (LCR). The equipment also derives the period. The output is displayed on front panel meters and is provided to remote meters and recorders. The LCR meter displays the rate of occurrence of the input current pulses. The period meter displays the time in seconds for the count rate to change by a factor of 2.7. In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits. The trip outputs of the SRM operate in the fail-safe mode. Loss of power to the SRM causes the associated outputs to become tripped.
| |
| The SRM provides signals indicating SRM upscale, downscale, inoperative, and incorrect detector position to the RMCS to block rod withdrawal under certain conditions. Any SRM channel can initiate a rod block. These rod blocking functions are discussed in Section 7.7.1.2.2.
| |
| One of the four SRM channels can be bypassed at any one time by the operation of a switch on the operator's control panel.
| |
| | |
| Inspection and testing are performed as required on the SRM detector drive mechanism; the mechanism can be checked for full insertion and retraction capability. The various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions.
| |
| | |
| 7.7.1.8 Neutron Monitoring System - Rod Block Monitor 7.7.1.8.1 Function
| |
| | |
| The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during operator control rod manipulations.
| |
| 7.7.1.8.2 Operation
| |
| | |
| The RBM has two channels. Each channel uses input signals from a number of LPRM channels. A trip signal from either RBM channel initiates a rod block. One RBM channel can be bypassed at any time without loss of subsystem function. The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is four when using four LPRM assemblies, three when using three LPRM assemblies, and two when using two LPRM assemblies, see Figures 7.7-12 and 7.6-3.
| |
| The RBM signal is generated by averaging a set of LPRM signals. The LPRM signals used depends on the control rod selected. Upon selection of a rod for withdrawal or insertion, the COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-10-004 7.7-32 conditioned signals from the LPRMs around that rod will be automatically selected by the two RBM channels. For a typical non-edge rod, each RBM channel averages LPRM inputs from two of the four B-level and D-level detectors, and all four of the C-level detectors. A-level LPRM detectors are not included in the RBM averages, but are displayed to the operator. If a detector has been bypassed in the LPRM system, that detector is automatically deleted from the RBM processing and the averaging logic is adjusted to average only the remaining unbypassed detectors. After selection of a control rod, each RBM channel calculates the average of the related LPRM detectors and calculates a gain factor that adjusts the average to 100. Thereafter, until another rod is selected, the gain factor is applied to the LPRM average to obtain the RBM signal value. The RBM signal value is compared to RBM trip setpoints. When a peripheral rod is selected or the RBMs associated Reference APRM power signal is below the automatic bypass level, the RBM function is automatically bypassed, the rod block outputs are set to "permissive", and the RBM average is set to zero. If the Reference APRM is bypassed, the APRM power signal is automatically provided by a second APRM. In the operating range, the RBM signal is accurate to approximately 1% of full-scale. The RBM has three upscale trip levels and one downscale trip level. Figure 7.7-17 illustrates the trip setpoints. The percent rated power input used to automatically select the applicable RBM trip is provided in the form of simulated thermal power from the RBM channel's Reference APRM. With increasing or decreasing power, the RBM setpoint automatically changes to the higher or lower rod block setpoint line based on the APRM simulated thermal power input. No operator action is required.
| |
| 7.7.1.9 Process Computer System 7.7.1.9.1 Function
| |
| | |
| The function of the process computer is to provide a real time plant data collection, processing, and output system that is designed to support the following:
| |
| a. Input of real time plant data simultaneously from both TDAS and PPCRS multiple sources,
| |
| : b. Processing of plant input data parameters to produce results in "engineering units,"
| |
| COLUMBIA GENERATING STATION Amendment 64 FINAL SAFETY ANALYSIS REPORT December 2017 LDCN-15-039 7.7-33 c. Compare plant inputs against alarm ranges,
| |
| : d. Output alarm information and other pertinent information to the real time HMI displays,
| |
| : e. Historical archiving of monitored plant data to circular files. 7.7.1.9.2 Operation The process computer is half of an integrated dual processor telemetry processing system that provides redundant PPCRS and TDAS functions. With the exception of the data acquisition hardware, the software and hardware is identical between the PPCRS and TDAS system. This duplication provides manual failover capability in the event of a failure on either system. The configuration of the process computer, since redundant to TDAS, is described in Section 7.7.1.15.3 and shown in Figure 7.7-16. The Human Machine Interface (HMI) is provided through redundant computer work stations. These workstations, as shown in Figure 7.7-16, consist of a Data Acquisition Control Module, Calculation Module and Real Time Display Module. The user (Control Room personnel) accesses these modules by a menu system. The Data Acquisition Control Module provides the user the capability of stopping and starting the receipt of data from different sources and the transmission of data to other receiving processes. Each source deposits its specific data in the Current Value Table (CVT) for use by other modules. These sources include the RWM, TIP, Alarm, Core Monitoring System Code, and the data acquisition preprocessor. Data can only be sent to PDIS. Sending data to PDIS can be started or stopped by the Data Acquisition Control Module. Screens are provided to monitor the health/status of each function. The Calculation Module derives information (Plant Data) from the CVT, performs predefined calculations and deposits the results back into the CVT at prescribed frequencies. These calculations include core thermal power, corrected flows, and time averages. The results are then available in the CVT and to the Real Time Display Module. The Real Time Display Module provides the capability to examine data from all the data sources via the CVT and present them in various formats. These displays are in the form of strip charts, alphanumeric scrolling, and non-scrolling and mimic displays.
| |
| The process computer monitors and alarm checks each analog variable at a selectable rate of up to 20 times/sec. Each digital plant input to the process computer can be monitored and alarm checked at up to 250 times/sec. For all analog inputs two types of limit checking and alarming are available: process alarm high/low limits and high/low instrument range limits. Both printed and historical disk storage are provided for analog and digital system alarms.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.7-34 All alarms logs are printed on the alarm printing device informing the control room personnel of computer system malfunctions, system operation exceeding acceptable limits, and potential unreasonable, off normal, or failed input sensors.
| |
| 7.7.1.10 Rod Worth Minimizer Function 7.7.1.10.1 Function The RWM functions to assist and supplement the operator with an effective backup control rod monitoring routine that enforces adherence to established startup, shutdown, and low power level control rod sequences. The RWM computer prevents the operator from establishing control rod patterns that are not consistent with the pre-stored RWM sequence by initiating appropriate rod withdrawal block, and rod insert block interlock signals to the RMCS rod block circuitry (see Figure 7.7-3). The RWM sequence stored in the computer memory are based on control rod withdrawal procedures designed to limit (and thereby minimize) individual control rod worths to acceptable levels as determined by the design basis rod drop accident.
| |
| 7.7.1.10.2 Operation
| |
| | |
| The RWM function does not interfere with normal reactor operation, and in the event of a failure does not itself cause rod patterns to be established. The RWM will not function on loss of offsite power. The RWM function can be bypassed and its block function can be disabled only by specific procedural control initiated by the operator.
| |
| For the operator to bypass the RWM a. Plant management approval is required,
| |
| : b. A second operator or technically qualified plant staff member, with no other duties, is required to verify the first operator's actions while the first operator is performing rod movements,
| |
| : c. The startup and shutdown sequences with their respective signoff sheets are provided to the second operator for verification of each step rod movement made by the first operator, and
| |
| : d. The startup and shutdown sequences follow the same control rod patterns that the RWM enforces if it were not bypassed.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.7-35 The following operator and sensor inputs are used by the RWM: a. Rod test. In selecting this input, the operator is permitted to withdraw and reinsert one control rod at a time while all other control rods are maintained in the fully inserted position;
| |
| : b. Normal/bypass mode. A key lock switch permits the operator to apply permissives to RWM rod block functions at any time during plant operation; c. System start/reset. This input is initiated by the operator to start or restart the RWM programs and system at any time during plant operation; d. Control rod select. Binary coded identification of the control rod selected by the operator;
| |
| : e. Control rod position. Binary coded identification of the selected control rod position;
| |
| : f. Control rod drive selected and driving. The RWM program uses this input as a logic diagnostic verification of the integrity of the rod select input data;
| |
| : g. Control rod drift. The RWM program recognizes a position change of any control rod using the control rod drift signal input;
| |
| : h. Reactor power level. Flow signals are used to implement two digital inputs to permit program control of the RWM function. These two inputs, the low power setpoint (LPSP) and the low power alarm setpoint, are used to disable/alarm the RWM function at power levels above the intended service range of the RWM function;
| |
| : i. Permissive echoes. Rod withdraw and rod insert permissive echo inputs are used by the RWM as a verification "echo" feedback to the system hardware to ensure proper response of an RWM output; and
| |
| : j. Diagnostic inputs. The RWM uses selected diagnostic inputs to verify the integrity and performance of the processor.
| |
| Isolated contact outputs to plant instrumentation provide RWM rod block functions to the RMCS to permit or inhibit withdrawal or insertion of a control rod. These actions do not affect any normal instrumentation displays associated with the selection of a control rod.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-14-004 7.7-36 The RWM control panel provides the following indication:
| |
| a. Insert error. Control rod coordinate identification for as many as two insert errors;
| |
| : b. Withdrawal error. Control rod coordinate identification for one withdrawal error; c. Latch group identification of the RWM sequence group number currently enforced by the computer; d. Rod test select indicates that the rod test function test selected by the operator was honored by the RWM Program;
| |
| : e. RWM bypass - indicates that the RWM is manually bypassed;
| |
| : f. Select error - indicates a control rod selection error;
| |
| : g. Rod blocks - indication that a withdrawal block or insertion block is in effect for all control rods;
| |
| : h. Out of sequence indication that the actual rod patterns is out of sequence;
| |
| : i. Below LPSP. Indication that the reactor core power is below the LPSP;
| |
| : j. Below low power alarm point (LPAP). Indication that the reactor core power is below the LPAP; and
| |
| : k. Rod drift. Indication that a rod drift condition is detected.
| |
| COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-14-004 7.7-37
| |
| | |
| DELETED COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-14-004 7.7-38
| |
| | |
| DELETED COLUMBIA GENERATING STATION Amendment 63 FINAL SAFETY ANALYSIS REPORT December 2015 LDCN-14-004 7.7-39 7.7.1.12 Loose Parts Detection System The LPDS has been deactivated and spared-in-place (retired). The System mainframe panel (LPDS-PNL-1) remains installed on the 522 ft. level of the Reactor Building. The accelerometer charge-converters (pre-amps) remain installed inside containment, except those posing interference. All power to the system has been disconnected and the cables "spared."
| |
| 7.7.1.13 Refueling Interlocks 7.7.1.13.1 Function The purpose of the refueling interlocks is to restrict the movement of control rods and the operation of the refueling platform. Refueling interlocks are shown in Table 7.7-3. This reinforces operational procedures that prevent the reactor from becoming critical during refueling operations. 7.7.1.13.2 Operation The refueling interlocks circuitry senses the condition of the refueling platform and the control rods to prevent the movement of the refueling platform or withdrawal of control rods (rod block). Redundant circuitry is provided to sense the following conditions: a. All rods inserted, b. Refueling platform positioned near or over the core, c. Refueling platform hoists fuel loaded (main - fuel grapple, auxiliary - frame mounted hoist, monorail - trolley mounted hoist), and
| |
| : d. Reactor mode switch in "refuel" position.
| |
| COLUMBIA GENERATING STATION Amendment 62 FINAL SAFETY ANALYSIS REPORT December 2013 LDCN-11-031 7.7-40 d. Reactor mode switch in "refuel" position.
| |
| The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement (Figure 7.7-2). The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe.
| |
| | |
| The rod-in switch must be closed for each rod before the all-rods-in signal is generated. Loss of "all-rods-in" signal will remove grapple control power, if the refueling platform is over the core.
| |
| | |
| During refueling operations, no more than one control rod is permitted to be withdrawn; this is enforced by a redundant logic circuit that uses the all-rods-in signal and a rod selection signal from the RMCS to prevent the selection of a second rod for movement. The simultaneous selection of two control rods is prevented by the interconnection arrangement of the select push buttons. With the mode switch in the refuel position, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.
| |
| | |
| Operation of refueling equipment is prevented by interrupting the power supply to the equipment. The refueling platform is provided with two mechanical switches attached to the platform, which are tripped open by a long, stationary ramp mounted adjacent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel to indicate the approach of the platform toward its position over the core.
| |
| In addition to the non-safety-related rod block interlocks provided by the RMCS, and as a safety-related backup, the IRMs provide a rod scram signal during refueling when neutron flux exceeds a preset flux level. The scram signal will provide a control room alarm and will insert any control rod that is withdrawn. The IRMs are required to be operable anytime a control rod is withdrawn in a fueled cell during refueling operations.
| |
| Load cell readout is provided for all hoists. The main hoist load is displayed on the flat panel display on the main trolley. The auxiliary frame hoist and the monorail hoist load displays are on the frame pendant and monorail pendant, respectively. Load sensing is via electronic load cells and strain gauge transmitters. The load for the main hoist and frame hoist are inputs to the PLC in the control center on the main trolley. Associated interlock and load functions for the main hoist and auxiliary frame hoist are performed by the PLC. Setpoint modules provide associated interlock and load functions for the monorail hoist.
| |
| The three hoists on the refueling platform are provided with switches that open when the hoists are fuel loaded. The switches open at a load weight that is lighter than that of a single fuel assembly. This indicates when fuel is loaded on any hoist.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.7-41 A bypass plug for the previously installed service platform hoist load interlock is provided which completes the circuit, preventing a false indication that the nonexistent hoist is loaded. Loaded hoist indication prevents control rod withdrawal with the mode switch in the startup or refuel positions. The bypass plug allows control rod movement in this situation. The bypass plug is physically arranged to prevent the connection of any power plug unless the bypass plug is removed.
| |
| | |
| The rod block interlocks and refueling platform interlocks provide two independent levels of interlock action. The interlocks which restrict operation of the refueling platform hoist and grapple provide a third level of interlock action since they would be required only after a failure of a rod block and refueling platform interlock.
| |
| In the refueling mode, the control room operator has an indicator light for "refueling mode select permissive" whenever all control rods are fully inserted. He can compare this indication with control rod position data from the computer as well as control rod in-out status on the full core status display. Whenever a control rod withdrawal block situation occurs, the operator receives annunciation and computer logs of the rod block. The operator can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree that permissive conditions exist to move control rods; otherwise, a control rod withdrawal block occurs. Failure of one channel may initiate a rod withdrawal block, and will not prevent application of a valid control rod withdrawal block from the remaining operable channel (see Figure 7.7-2).
| |
| Refueling platform interlock indication and main hoist load are displayed to the operator on the flat panel display mounted on the trolley cable. In addition, the bridge, trolley, and main hoist positions displays are on the flat panel display.
| |
| | |
| The auxiliary frame hoist load and the monorail hoist load are displayed on digital displays on the frame pendant and monorail pendant, respectively. Individual push button and control switches are provided for local control of the platform and its hoists. The platform operator can immediately determine whether the platform and hoists are responding to his local instructions, and can, in conjunction with the control room operator, verify proper operation of each of the three categories of interlocks listed previously. 7.7.1.14 Safety/Relief Valves - Relief Function 7.7.1.14.1 Function
| |
| | |
| The relief function of the SRVs is to relieve high pressure conditions in the nuclear system that could lead to the failure of the RCPB. The system activates the SRVs to vent steam to the suppression pool and reduce reactor pressure. See Section 5.2.2. Also, see Section 7.3.1.1.1.2 for the ADS function of selected SRVs.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 LDCN-09-040 7.7-42 7.7.1.14.2 Operation
| |
| | |
| Schematic arrangement of system mechanical equipment is shown in Figure 10.3-2. The SRV component control logic is shown in Figure 7.3-8.
| |
| The relief function of the SRVs is initiated by pressure switches, one per relief valve. These pressure switches are set to energize the relief valve solenoids in five groups at five respective trip settings. The relief valves will open in groups, the lowest setpoint group first, followed by groups of SRVs at progressively higher setpoints. This feature automatically adjusts the relief capacity to the magnitude of the over pressure condition. The reclose pressure for each SRV is based on the deadband (reset) of the associated pressure switches. Adequate deadband is provided to eliminate rapid open/close operation and minimize system stresses.
| |
| To manually open each SRV, remote manual switches are installed in the control room. Lights on the control room panel indicate when the SRVs are open. This monitoring is in accordance with NUREG-0737, Item II.D.3 (see Section 7.5.1.9).
| |
| 7.7.1.15 Transient Data Acquisition System To meet the data acquisition and analysis needs during the operation of Columbia Generating Station, and to support emergency response facility functions, a plant data center, referred to as the Plant Data Information System (PDIS), is installed at Columbia Generating Station. The PDIS configuration is shown in Figure 7.7-16. The TDAS, the front end of PDIS, collects and multiplexes plant analog and digital data to a central location for storage and emergency response facility functions such as the graphic display system (GDS) described in Section 7.5.1.22, and the emergency response data system (ERDS), which provides direct electronic data transmission of the required plant parameters from the TDAS computer to the NRC Operations Center. The plant ERDS computer receives data from the TDAS and the process computer system described in Section 7.7.1.9 and transmits it to the Operations Center via secure Internet-based communication protocol. The ERDS was added in response to Generic Letter 89-15, Emergency Response Data System.
| |
| 7.7.1.15.1 Function The purpose of the TDAS is to provide a data control center for the acquisition, monitoring, recording, and transfer of data to a computer for analysis and presentation for plant monitoring, testing and emergency response facility functions for selected plant parameters.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.7-43 7.7.1.15.2 Description The basis and criteria for the TDAS input signal selection is as follows: Basis Criteria Startup testing requirement Regulatory Guide 1.68 SRP Section 3.9.2 FSAR Section 3.9.2 Emergency response facility Regulatory Guide 1.23 requirement Regulatory Guide 1.97 NUREG-0737, Supplement 1 FSAR Section 7.1.1 Signals monitored may be either analog or digital (bilevel). The majority of the signals originate from existing equipment in the control room. Signals are hard-wired from the control room to TDAS remote modules (multiplexers). The remote modules provide the following:
| |
| a. Electrical isolation,
| |
| : b. Signal conditioning,
| |
| : c. Analog to digital conversion,
| |
| : d. Multiplexing of the input data, and
| |
| : e. Interface to fiber-optic cables.
| |
| The signal output from the remote modules is transmitted through fiber-optic cables to the TDAS central control unit (CCU). The fiber-optic cables provide electrical separation between remote module output signals.
| |
| | |
| The TDAS CCU controls the monitoring, recording, engineering unit conversion, alarming, and transfer functions. Discs are used for high speed storage of historical data.
| |
| Data is transferred from the TDAS CCU to a computer for data reduction, analysis, and display. A system console connected directly to TDAS is provided for operator interface.
| |
| 7.7.1.15.3 Operation
| |
| | |
| TDAS automatically records data from all input points on disc. Data is continuously overlaid on the disc such that in excess of three days of data exists at all times.
| |
| A secondary file can be created and archived from the history disk to preserve the data. The data contained in the secondary file can subsequently be displayed and printed.
| |
| COLUMBIA GENERATING STATION Amendment 61 FINAL SAFETY ANALYSIS REPORT December 2011 LDCN-09-040 7.7-44 Three data transfer interfaces are provided by the TDAS CCU. One link is dedicated for the transfer of data to the computer to support the control room GDS displays. The second link transfers TDAS real time data to the Process Computer work stations as user interface. The third link transfers data to the corporate network for use in ERDS and other data reporting services. As noted in Section 7.7.1.9.2, the TDAS hardware (excluding signal interface) software is identical in function and configuration to the Process Computer. This provides total computer redundancy.
| |
| 7.7.1.15.4 Conformance to NRC Regulatory Guides 7.7.1.15.4.1 Regulatory Guide 1.75, Revision 2, Physical Independence of Electric Systems. Regulatory Guide 1.75 is not applicable to Columbia Generating Station. However, based on commitment to the NRC the TDAS isolator design used the guidance provided in Regulatory Guide 1.75, Revision 2.
| |
| | |
| The TDAS is a non-safety-related, non-Class 1E system which interfaces with many safety-related components. To ensure that the safety-related components are protected from TDAS equipment failures, the following was implemented in the TDAS design:
| |
| : a. All TDAS input circuits within raceways are identified and routed to Class 1E requirements up to a remote isolation device. From the isolation device to the remote multiplexer the circuits are considered to be non-Class 1E;
| |
| : b. Remote multiplexer outputs are transmitted to the computer via a fiber optic cable which is inherently an isolation device. The fiber optic cable, therefore, can be routed in any raceway without regard to separation criteria; and
| |
| : c. Transient data acquisition system Class 1E input isolators are supplied from non-Class 1E 24-V dc current limiting power supplies. The power source to these power supplies is Class 1E and is provided with a Class 1E current interrupting device. The circuit to the power supply is routed as prime (see Section 8.3.1.4) for Division 1 and 2 isolators and as Class 1E for the Division 3 isolator. The power supply section of the isolator unit is internally isolated from the Class 1E signal input circuit. Downstream of the power supply, the circuits are treated as non-Class 1E. All Class 1E components of the TDAS are qualified according to the requirements of Regulatory Guide 1.100 as clarified in Section 1.8.3. All components which interface with Class 1E circuitry (isolation devices) to extract signals are qualified (if applicable) according to the requirements of Regulatory Guide 1.89, Revision 1 as clarified in Section 1.8.3.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 7.7-45 7.7.1.15.4.2 NUREG-0737, Supplement 1, Clarification of TMI Action Plan Requirements: Requirements for Emergency Response Capabilities. Parameters identified in Regulatory Guide 1.97, Revision 2, and Regulatory Guide 1.23 are hard-wired to the TDAS. The TDAS components are designed in a modular fashion with spare capacity. The system design allows the capability to expand. Physical separation or isolation devices prevent failures in the TDAS from interfering with safety-related or sensitive control functions. The TDAS components are powered from a highly reliable uninterruptible power source to ensure system availability and that power fluctuations will not result in the loss of software or stored data. The TDAS provides the equipment needed to gather, store, and transfer data helpful in assessing plant conditions. The system provides in excess of three days of pre-event data and the capability of recording post-event data. Data storage and retrieval functions are performed without interrupting real time data transfer. Data scan rates are more than sufficient to record transient events and determine the sequence of events. The TDAS has been designed to provide a high degree of reliability and redundancy with the Process Computer. Emergency and preventive maintenance procedures have been established. Spare parts or redundant processing is provided for critical components. Tests are performed to verify that the hardware and software meet performance requirements. Hardware and software modifications are performed in accordance with applicable procedures.
| |
| 7.7.1.16 Design Differences See Table 7.7-2 for a list of system designs and their similarity of designs of other nuclear power plants.
| |
| | |
| 7.7.2 ANALYSIS
| |
| | |
| See the safety evaluations in Chapter 15. Chapter 15 shows that the systems described in this section are not used to provide any design basis accident safety function. Safety functions are provided by other systems.
| |
| | |
| Chapter 15 also evaluates all credible control system failure modes, the effects of those failures on plant functions, and the response of various safety-related systems to those failures. The major plant control systems described above have no direct interface with any safety-related systems and, thus control system failures other than those described in Chapter 15 have no effect on the safety-related systems.
| |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.7-1 Design and Supply Responsibility of Plant Control Systems System GE Design GE Supply B&R Design Others Supply 7.7-47 Reactor vessel instrumentation X X Reactor manual control X X Recirculation flow control X X Feedwater control X X X Pressure regulator and turbine generator X X Neutron monitoring Source range monitor X X Rod block monitor X X Transversing in-core probe X X Process computer and RWM X Rod sequence control X X Loose parts detection (Retired) Refueling interlocks X X Safety/relief valve X X Transient data acquisition X X
| |
| | |
| COLUMBIA GENERATING STATION Amendment 59 FINAL SAFETY ANALYSIS REPORT December 2007 Table 7.7-2 Similarity to Licensed Reactors
| |
| | |
| Instrumentation and Controls System Plants Applying for or Having Construction Permit or Operating License Similarity of Design LDCN-06-057 7.7-48 Neutron monitoring (TIP, SRM, RBM) LaSalle Identical Refueling interlocks LaSalle Identical Reactor manual control Zimmer-1 Identical Reactor vessel - instrumentation Zimmer-1 Identical Recirculation flow - control None -- Feedwater control None -- Pressure regulator and turbine-generator None None Rod sequence control Zimmer-1 Identical Refueling interlocks Zimmer-1 Identical Process computer and RWM None None Loose parts detection (Retired) Safety/relief valve - relief function Zimmer-1 Identical Transient data acquisition None --
| |
| Table 7.7-3 Refueling Interlocks Refueling Platform Position Refueling TMHa Platform FMHa Hoist FGa Control Rods Mode Switch Attempts Results COLUMBIA GENERATING STATION Amendment59 FINAL SAFETY ANALYSIS REPORTDecember 20077.7-49Not near core UL UL UL All rods in Refuel Move refueling platform over core No restrictions Not near core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod Not near core UL UL UL One rod withdrawn Refuel Move refueling platform over core No restrictions Not near core Any hoist loaded One rod withdrawn Refuel Move refueling platform over core Platform stopped before over core Over core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod Over core Any hoist loaded All rods in Refuel Withdraw rods Rod block Not near core UL UL UL All rods in Startup Move refueling platform over core Platform stopped before over core Not near core UL UL UL All rods in Startup Withdraw rods No restrictions Over core UL UL UL All rods in Startup Withdraw rods Rod block Table 7.7-3 Refueling Interlocks (Continued) COLUMBIA GENERATING STATION Amendment 59FINAL SAFETY ANALYSIS REPORTDecember 20077.7-50a Legend TMH - Trolley Mounted Hoist (Monorail)
| |
| FMH - Frame Mounted Hoist (Auxiliary)
| |
| FG - Fuel Grapple (Main Hoist)
| |
| UL - Unloaded L - Fuel Loaded
| |
| | |
| }} | |
