ML21133A087: Difference between revisions
StriderTol (talk | contribs) (StriderTol Bot change) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
Line 16: | Line 16: | ||
=Text= | =Text= | ||
{{#Wiki_filter:}} | {{#Wiki_filter:LGS UFSAR CHAPTER 7 - INSTRUMENTATION AND CONTROL SYSTEMS | ||
==7.1 INTRODUCTION== | |||
This chapter presents the specific detailed design and performance information relative to the instrumentation and control aspects of the safety-related and power generation systems used throughout the plant. The design and performance considerations relative to these systems' safety function and their mechanical aspects are described elsewhere in this UFSAR. | |||
See Section 1.7 for a listing of elementary diagrams and schematic diagrams and Section 1.2 for equipment layout drawings. | |||
7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS 7.1.1.1 General Instrumentation and control systems supplied by GE are designated as either power generation systems or safety-related systems, depending on their function. Some portions of a system may have a safety function while other portions of the same system may be classified as power generation. A description of the system of classification can be found in Section 15.9.2.2.2. | |||
The systems presented in Chapter 7 are also classified according to Regulatory Guide 1.70 (Rev 3), namely, RPS, ESF systems, safe shutdown systems, safety-related display instrumentation, other systems required for safety, and control systems not required for safety. Table 7.1-1 lists the systems under each of these classifications and identifies the designer and/or the supplier. Table 7.1-2 identifies instrumentation and control systems that are identical to those of a nuclear power plant of similar design that has recently received NRC design or operation approval through the issuance of either a construction permit or an operating license. Differences and their effect on safety-related systems are also identified in Table 7.1-2. "First-of-a-kind" instruments including any microprocessors, multiplexers or computer systems used in or providing inputs to safety-related systems are identified in Table 7.1-8. | |||
7.1.1.2 Identification of Individual Systems A brief descriptive statement is given for each system. | |||
: 1. The RPS instrumentation and controls initiate an automatic reactor shutdown via control rods (scram) if monitored system variables exceed pre-established limits. | |||
This action prevents fuel damage and limits system pressure, thus restricting the release of radioactive material. | |||
: 2. The PCRVICS instrumentation and controls initiate closure of various automatic isolation valves if monitored system variables exceed pre-established limits. This action limits the loss of coolant from the RCPB and the release of radioactive materials from the RCPB, the primary containment, and the reactor enclosure. | |||
: 3. The ECCS instrumentation and controls provide initiation and control of systems that provide core cooling. These systems are the HPCI system, the ADS, the core spray system, and the LPCI mode of the RHR system. | |||
CHAPTER 07 7.1-1 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: 4. The NMS instrumentation and controls use incore neutron detectors to monitor core neutron flux. The NMS provides logic signals to the RPS when a condition necessitating a reactor shutdown is detected. Average neutron flux and Simulated Thermal Power are used as the overpower indicator during power operation and intermediate range detectors are used as overpower indicators during startup and shutdown. Oscillations in the local neutron flux are used as the indicator of thermal-hydraulic instability caused power oscillations. The NMS also provides power level indication during planned operation. Source range detectors are used to provide neutron flux information during reactor startup and low flux level operations. The TIP system gathers axial neutron flux information via a gamma-sensitive detector and uses this data to calibrate the LPRMS. The RBM system provides a signal to prevent control rod movement when local high neutron flux is sensed by the LPRMs. | |||
The NMS consists of the following six major systems: | |||
: a. SRM system | |||
: b. IRM system | |||
: c. LPRM system | |||
: d. APRM system (includes OPRM function) | |||
: e. TIP system | |||
: f. RBM system | |||
: 5. The RI instrumentation and controls serve as a backup to procedural core reactivity control during refueling operation. These interlocks prevent the withdrawal of control rods and the movement of refueling equipment when permissive conditions are not satisfied. | |||
: 6. The RMCS instrumentation and controls allow the operator to manipulate control rods and determine their positions. Various interlocks are provided in the control circuitry to prevent multiple operator errors or equipment malfunctions from requiring the action of the RPS. | |||
: 7. The RVI monitors and transmits information to the reactor operator concerning key reactor vessel operating variables. | |||
: 8. The RFCS instrumentation and controls regulate the speed of the reactor recirculation pumps (through ASDs) to vary the coolant flow rate through the core. | |||
: 9. The FCS instrumentation and controls regulate the feedwater system flow rate so that proper reactor vessel water level is maintained. The system is arranged to permit single-element (reactor vessel water level only), three-element (reactor vessel water level, main steam flow, and feedwater flow), or manual operation. | |||
: 10. The PRTGS instrumentation and controls work together to allow proper generator and reactor response to load demand changes. If the generator electrical load is lost, the turbine-generator speed-load controls initiate rapid closure of the turbine CHAPTER 07 7.1-2 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR governor valves (coincident with fast opening of the bypass valves) to prevent excessive turbine overspeed. | |||
: 11. The PRMS instrumentation and controls: | |||
The process radiation monitoring systems are those radiation monitoring systems other than the area monitoring system, the portable monitors, and the offsite monitors. The PRMS serve one or more of the following purposes: | |||
: a. Maintain surveillance over process liquid and gas lines that may serve as discharge routes for radioactive materials for the monitoring and/or controlling radioactive releases from the plant. | |||
: b. Maintain surveillance and/or control of ventilation systems for either maintaining the habitability of area that are vital for safe plant operation and shutdown or monitoring the quantity of radioactive effluents released to the environment. | |||
: c. Maintain surveillance and/or control of those process lines of power generating equipment whose malfunction is indicated by an abnormal increase in radiation levels. | |||
The following is a listing of the safety-related PRMS: | |||
: a. Main steam line radiation monitoring system | |||
: b. Reactor enclosure ventilation exhaust radiation monitoring system | |||
: c. Refueling area ventilation exhaust radiation monitoring system | |||
: d. Control room ventilation radiation monitoring system | |||
: e. Control room emergency fresh air radiation monitoring system | |||
: f. Primary containment post-LOCA radiation monitoring system | |||
: g. Residual heat removal service water radiation monitoring system The following is a listing of the nonsafety-related PRMS: | |||
: a. South stack effluent radiation monitoring system | |||
: b. Radwaste equipment rooms ventilation radiation monitoring system | |||
: c. Charcoal treatment system process exhaust radiation monitoring system | |||
: d. Recombiner rooms, hydrogen analyzer compartments, and equipment drain sump vent radiation monitoring system | |||
: e. Steam exhaust discharge and vacuum pump exhaust radiation monitoring system CHAPTER 07 7.1-3 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: f. Radwaste enclosure ventilation exhaust radiation monitoring system | |||
: g. Air ejector/holdup pipe discharge radiation monitoring system | |||
: h. Primary containment leak detection radiation monitoring system | |||
: i. Hot maintenance shop ventilation exhaust radiation monitoring system | |||
: j. Liquid radwaste discharge radiation monitoring system | |||
: k. Service water radiation monitoring system | |||
: l. Reactor enclosure cooling water radiation monitoring system | |||
: m. North stack effluent radiation monitoring system Some of the above safety and nonsafety-related PRMSs provide postaccident monitoring capabilities in accordance with Regulatory Guide 1.97. These systems are identified in Section 7.5. | |||
: 12. Area radiation monitoring system: | |||
The purpose of the ARMS is to indicate and record gamma radiation levels in areas where radioactive materials might be present, stored, handled, or inadvertently introduced. Alarm capability is provided in case these radiation levels rise above permissible limits. | |||
: 13. Deleted | |||
: 14. The HCRIS instrumentation and controls provide means to isolate the control room from radiation or chlorine entering through the control room ventilation system. The emergency fresh air system provides a means for pressurizing the control room with clean air during radiation isolation. The control room HVAC system provides the proper environment for the control room and adjacent areas. | |||
: 15. The service water systems instrumentation and controls provide cooling water to vital equipment as follows: | |||
: a. ESW to the diesel generators, RHR pumps, ECCS room coolers, and control room chillers | |||
: b. RHRSW to the RHR heat exchangers | |||
: 16. CAC system instrumentation and controls: | |||
: a. The CGCS monitors and controls the concentration of combustible gases (hydrogen and oxygen) in the containment during normal operation and after a LOCA. | |||
CHAPTER 07 7.1-4 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: b. The PCVR subsystem monitors the drywell and suppression chamber pressure to limit the amount by which suppression chamber pressure can exceed drywell pressure. | |||
: 17. The RCIC system instrumentation and controls provide initiation and control of a system that provides makeup water to the reactor vessel to remove decay heat from the reactor core in the event of reactor isolation from the main condenser system and loss of coolant flow from the reactor feedwater system. | |||
: 18. The SLCS instrumentation and controls provide initiation of a reactivity control system that can shut the reactor down from rated power if all withdrawn control rods cannot be inserted to achieve reactor shutdown. The SLCS instrumentation and controls also support the manual initiation of SLCS to control suppression pool pH post LOCA. | |||
: 19. The radwaste system instrumentation and controls support the manual processing and disposing of the radioactive process wastes generated during power operation. | |||
The radwaste control system includes liquid, gaseous, and solid radwaste subsystems. | |||
: 20. The RWCU system instrumentation and controls support manual operation of system equipment to maintain high reactor water purity and reduce concentrations of fission products in the reactor water. | |||
: 21. The Class 1E power system instrumentation and controls provide for reliable operation of the Class 1E power systems during normal and accident conditions. | |||
These power systems consist of: | |||
: a. 4 kV ac power system fed from offsite source with diesel generator backup | |||
: b. dc power system fed from offsite source with battery backup | |||
: 22. The LDS instrumentation and controls use various temperature, pressure, level, and flow sensors to detect and indicate water and steam leakage in selected reactor systems and to annunciate and provide isolation signals (in certain cases) to limit leakage from the RCPB when limiting leakage conditions exist. | |||
: 23. The RHR-SCM instrumentation and controls provides manual initiation of cooling to remove the decay and sensible heat from the reactor vessel during shutdown so that the reactor can be refueled and serviced. | |||
: 24. The FPCC system instrumentation and controls support manual operation of the system that cools the fuel pool. | |||
: 25. The RERS instrumentation and controls provide initiation and control of a system which filters and mixes the reactor enclosure and refueling floor ventilation air during isolation conditions. | |||
CHAPTER 07 7.1-5 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: 26. The SGTS instrumentation and controls provide the means to control reactor enclosure and refueling floor pressure at a negative value with reference to the outside atmosphere during an isolation of the reactor enclosure. | |||
: 27. Deleted | |||
: 28. The SRDI is provided to inform the reactor operator when a manual safety action should be taken or is required. Instrumentation is also provided to give the reactor operator the capability to track process variables pertinent to safety during expected operational perturbations and following postulated accidents. | |||
: 29. The CIGS instrumentation and controls support a system that provides the necessary compressed gas for the operation of the ADS SRVs, and for the operation of pneumatic devices located inside the drywell and suppression chamber. | |||
: 30. The RHR-CSM instrumentation and controls support the manual initiation of the portion of the RHR system that is provided to condense steam in the containment under postaccident conditions. | |||
: 31. The RSS instrumentation and controls provide the capability to ensure safe shutdown of the reactor when the control room is uninhabitable. | |||
: 32. The RHR-SPCM instrumentation and controls support the manual initiation of the portion of the RHR system that is provided to effect post-LOCA cooling of the suppression pool water. | |||
: 33. The safety-related equipment area cooling ventilation systems are as follows: | |||
: a. The SGTS filter room and access area unit coolers instrumentation and controls provide support to the system that provides cooling to SGTS filter room and access areas. | |||
: b. The DGEVS instrumentation and controls provide support to the system that provides ventilation to the diesel generator enclosures and equipment. | |||
: c. The SPPSVS instrumentation and controls provide support to the system that provides ventilation for the ESW pumps and RHRSW pumps located in the spray pond pump house. | |||
: d. The ESBRCS instrumentation and controls provide support to the system that provides ventilation and cooling to the emergency switchgear rooms, inverter rooms, battery rooms, and the chiller equipment rooms in the control structure. | |||
: e. The ECCS and RCIC pump compartment unit coolers instrumentation and controls provide support to the system that provides cooling to the core spray, HPCI, RHR, and RCIC pump rooms. | |||
CHAPTER 07 7.1-6 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: f. The AERVS instrumentation and controls provides support to the system that provides ventilation and cooling to the auxiliary equipment room, computer room, remote shutdown room, and control enclosure fan rooms. | |||
: 34. The DUC instrumentation and controls provide support to the system that provides atmosphere mixing in the primary containment after a LOCA and cooling during normal operation. | |||
: 35. The CECWS instrumentation and controls provide support to the system that provides chilled water to the control room air supply fan cabinets, the auxiliary equipment room air supply fan cabinets, the SGTS room and access area unit coolers, and emergency switchgear and battery room air supply fan cabinets. | |||
: 36. HPLPSI instrumentation and controls prevent over pressurization of the low pressure systems that interface with the RCPB. | |||
: 37. SRVPI system instrumentation and controls use acoustic sensors to provide the operator with reliable OPEN/NOT-OPEN status of the SRVs. | |||
: 38. The FPSS instrumentation and controls provide fire protection and suppression for the cable area of the PGCC and adjacent areas in the auxiliary equipment room. | |||
: 39. The REIS instrumentation and controls provide signals to isolate the reactor enclosure secondary containment and starts the RERS and SGTS under emergency conditions. | |||
: 40. Nonsafety-related equipment area cooling ventilation systems: | |||
: a. Reactor enclosure ventilation system instrumentation and controls provide support to the system that provides ventilation to the reactor enclosure during normal plant operation. | |||
: b. Turbine enclosure ventilation system instrumentation and controls provide support to the system that provides ventilation to the turbine enclosure and to el 180', el 200', el 217', and el 254' in the control structure. | |||
: c. Radwaste enclosure ventilation system instrumentation and controls provide support to the system that provides ventilation to the radwaste enclosure. | |||
: d. Chemistry laboratory expansion ventilation system instrumentation and control provided to the system that provides ventilation to the chemical laboratories. | |||
: e. Hot maintenance shop ventilation system instrumentation and controls provide support to the system that provides ventilation to the hot maintenance shop. | |||
: e. Miscellaneous enclosure ventilation systems instrumentation and controls provide support to the systems that provide ventilation to the circulating water pump structure, water treatment enclosure, Schuylkill River pump structure, Perkiomen Creek pump structure, sewage treatment enclosure, CHAPTER 07 7.1-7 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR auxiliary boiler enclosure, boiler fuel transfer enclosure, lube oil structure, chlorine and acid feed enclosure, and the administration building. | |||
: 41. The SPFS instrumentation and controls provide support to a system which ensures that the ECCS and RCIC piping is maintained full of water when the systems are in standby mode. The SPFS also discharges to the feedwater lines to provide a seal on the isolation valves in the event of a feedwater line break outside containment. | |||
: 42. The RRCS is a system designed to mitigate the potential consequences of an anticipated transient without scram event. The system consists of control panels, detection and actuation logic, and the necessary interface logic for input to the recirculation system, feedwater system, SLCS, RWCU system, and the ARI function of the CRD. | |||
: 43. The RAIS instrumentation and controls provide signals to isolate the refueling area and start the SGTS under emergency conditions. | |||
: 44. The RWM monitors and enforces adherence to established rod insert and withdraw sequences at low power levels. This function prevents the operator from establishing control rod patterns that are not consistent with the prescribed sequence by initiating the appropriate rod insert block and rod withdrawal block. | |||
When RWM is inoperable both insert and withdraw rod blocks are enforced unless the RWM is bypassed. | |||
: 45. The PMS is a centralized, integrated system which performs the process monitoring and calculations that are necessary for the effective evaluation of normal and emergency power plant operation. The PMS acquires and records process data (e.g., temperatures, pressures, flows, status indicators) to produce displays, logs, and plots of current or historical plant performance. | |||
: 46. The ERFDS is a part of the PMS and performs the process monitoring and calculations defined as being necessary for the effective evaluation of normal and emergency power plant operation. The PMS acquires and records process data for ERFDS including temperatures, pressures, flows, and status indicators. This data is processed to produce meaningful displays, logs, and plots of current or historical plant performance and is presented to plant personnel in the plant main control room or other user definable locations. | |||
7.1.1.3 Classification 7.1.1.3.1 Safety-Related Systems Safety-related systems provide actions necessary to ensure safe shutdown, protect the integrity of radioactive material barriers, or prevent the release of radioactive material in excess of allowable limits. These safety-related systems may consist of components, groups of components, systems, or groups of systems. ESF systems are included in this category. ESF systems function to mitigate the consequences of DBAs. | |||
7.1.1.3.2 Power Generation Systems CHAPTER 07 7.1-8 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Power generation systems are not required to ensure safe shutdown, protect the integrity of radioactive material barriers, or prevent the release of radioactive material in excess of allowable limits. The instrumentation and control portions of these systems, may, by their actions, prevent the plant from exceeding preset limits that would otherwise initiate action of the safety-related systems. | |||
7.1.1.3.3 General Functional Requirements of Design Basis Plant systems may have both a safety design basis and a power generation design basis, depending on their function. The safety design basis states in functional terms the unique design requirements that establish limits for the operation of the system. The general functional requirements portion of the safety design basis presents those requirements that have been determined to be sufficient to ensure the adequacy and reliability of the system from a safety viewpoint. Many of these requirements have been incorporated into various codes, criteria, and regulatory requirements. | |||
7.1.1.3.4 Specific Regulatory Requirements The plant systems have been examined with respect to specific regulatory requirements that are applicable to the subject instrumentation and controls systems. These regulatory requirements include: | |||
: a. Conformance to regulatory guides | |||
: b. Conformance to 10CFR50, Appendix A, "General Design Criteria" | |||
: c. Conformance to industry codes and standards The specific regulatory requirements applicable to each system's instrumentation and controls are specified in Table 7.1-3. | |||
7.1.2 IDENTIFICATION OF SAFETY CRITERIA 7.1.2.1 General Design bases and criteria for instrumentation and control equipment design are based on the need to have the system perform its intended function while meeting the requirements of applicable general design criteria, regulatory guides, industry standards, and other documents. | |||
7.1.2.1.1 Reactor Protection System - Instrumentation and Controls 7.1.2.1.1.1 RPS Safety Design Bases The RPS is designed to meet the following functional requirements: | |||
: a. The RPS initiates a reactor scram with precision and reliability to prevent or limit fuel damage following abnormal operational transients. | |||
: b. The RPS initiates a scram with precision and reliability to prevent damage to the RCPB as a result of excessive internal pressure, that is, to prevent nuclear system pressure from exceeding the limit allowed by applicable industry codes. | |||
CHAPTER 07 7.1-9 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: c. To limit the uncontrolled release of radioactive materials from the RCPB, the RPS precisely and reliably initiates a reactor scram on gross failure of this barrier. | |||
: d. To detect conditions that threaten the fuel assembly or RCPB, the RPS inputs are derived from variables that are true, direct measures of operational conditions. | |||
: e. The RPS responds correctly to the sensed variables over the expected range of magnitudes and rates of change. | |||
: f. A sufficient number of sensors are provided to monitor essential variables that have spatial dependence. | |||
: g. The following bases ensure that the RPS is designed with sufficient reliability: | |||
: 1. If failure of a control or regulating system causes a plant condition that requires a reactor scram but also prevents action by necessary RPS channels, the remaining portions of the RPS meet safety design basis (g.6). | |||
: 2. The loss of one or both power supplies does not prevent a reactor scram. | |||
: 3. Once initiated, an RPS action goes to completion. The return-to-normal operation requires deliberate operator action. | |||
: 4. There is sufficient physical separation between redundant instrumentation and control equipment monitoring the same variable to prevent environmental factors, electrical transients, or physical events from impairing the ability of the system to respond correctly. | |||
: 5. Ground motions of a SSE magnitude as amplified by building and supporting structures do not impair the ability of the RPS to initiate a reactor scram. | |||
: 6. No single failure within the RPS prevents proper RPS action, when required, to satisfy safety design bases (a), (b), and (c) above. | |||
: 7. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the ability of the RPS to respond correctly. | |||
: 8. The system is designed so that the required number of sensors for any monitored variable exceeding the scram setpoint initiates an automatic scram. | |||
: h. The following bases reduce the probability that RPS operational reliability and precision are degraded by operator error: | |||
: 1. Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant procedures. | |||
: 2. Manual bypass of instrumentation and control equipment components is under the control of the control room operator. If the ability to trip some CHAPTER 07 7.1-10 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR essential part of the system has been manually bypassed, this fact is continuously annunciated in the control room. | |||
7.1.2.1.1.2 RPS Specific Regulatory Requirements The specific requirements applicable to the RPS instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.1.3 RPS Power Generation Design Bases The RPS has one objective, which is availability. The setpoints, power sources, and controls and instrumentation are arranged so as to preclude spurious scrams. | |||
7.1.2.1.2 Primary Containment and Reactor Vessel Isolation Control System - Instrumentation and Controls 7.1.2.1.2.1 PCRVICS Safety Design Bases The following safety design bases are implemented in the PCRVICS: | |||
: a. To limit the release of radioactive materials to the environment, the PCRVICS precisely and reliably initiates timely isolation of penetrations through the primary containment whenever the values of monitored variables exceed preselected operational limits. | |||
: b. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis requirements (a), the PCRVICS responds correctly to the sensed variables over the expected design range of magnitudes and rates of change. | |||
: c. To ensure that important variables are monitored to fulfill safety design basis (a), a sufficient number of sensors is provided for monitoring essential variables. | |||
: d. To ensure that conditions indicative of a failure of the RCPB are detected to fulfill safety design basis (a), PCRVICS inputs are derived from variables that are accurate, direct measures of existing plant conditions. | |||
: e. The time required to close the MSIVs is short, to limit the radiological consequences and loss of coolant from a steam line break outside containment. However, the time required to close the MSIVs is long enough so that inadvertent isolation of steam lines does not cause a transient as severe as that resulting from closure of the turbine stop valves coincident with failure of the turbine bypass system. This ensures that the MSIV closure speed is compatible with the ability of the RPS to protect the fuel assemblies and the RCPB. | |||
: f. The following safety design bases are specified for the systems controlling automatic isolation valves to ensure that the closure of automatic isolation valves is initiated when required to fulfill safety design basis (a): | |||
CHAPTER 07 7.1-11 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: 1. Any single failure, maintenance operation, calibration operation, or test to verify operational availability does not impair the functional ability of the isolation control system. | |||
: 2. The system is designed so that a specified number of sensors for any monitored variable exceeding the isolation setpoint initiate automatic isolation. | |||
: 3. Where a plant condition that requires isolation can be caused by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system meet the requirements of safety design bases (a), (b), (c), and (f.1). | |||
: 4. The power supplies for the PCRVICS are arranged so that the loss of one supply cannot prevent automatic isolation when required. | |||
: 5. The system is designed so that, once initiated, automatic isolation action goes to completion. The return-to-normal operation after isolation action requires deliberate operator action. | |||
: 6. There is sufficient electrical and physical separation of wiring and piping between instrument channels monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly. | |||
: 7. Earthquake ground motions of SSE magnitude do not impair the ability of the primary containment and reactor vessel isolation control system to initiate automatic isolation. | |||
: g. The following safety design basis is specified to ensure that the isolation of main steam lines is accomplished: | |||
The isolation valves in each of the main steam lines do not rely on electrical power to achieve closure. Valve closure power is from diverse stored energy sources. | |||
: h. To reduce the probability that the operational reliability of the PCRVICS is degraded by operator error, the following safety design bases are specified for automatic isolation valves: | |||
: 1. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables is under the control of the plant procedures. | |||
: 2. The means for bypassing instrument channels, trip logics, or system components are under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact is continuously annunciated in the control room. | |||
CHAPTER 07 7.1-12 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: i. The system provides the operator with a means to take manual isolation action that is independent of the automatic isolation. If there is a failure of the RCPB, it is possible for the operator to manually initiate isolation of the primary containment and reactor vessel from the control room. | |||
: j. The following bases are specified to provide the operator with the means to assess the condition of the PCRVICS and to identify conditions indicative of a failure of the RCPB. | |||
: 1. The PCRVICS is designed to provide the operator with information pertinent to the status of the system. | |||
: 2. Means are provided for prompt identification of instrument channel and trip system responses. | |||
: k. It is possible to check the operational availability of each instrument channel and trip logic during reactor operation. | |||
7.1.2.1.2.2 PCRVICS Specific Regulatory Requirements The specific regulatory requirements applicable to the PCRVICS instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.2.3 PCRVICS Power Generation Design Bases There are no power generation design bases for the PCRVICS. | |||
7.1.2.1.3 Emergency Core Cooling System - Instrumentation and Controls 7.1.2.1.3.1 ECCS Safety Design Bases The ECCS control and instrumentation is designed to meet the following functional safety design bases: | |||
: a. Automatically initiate and control the ECCS to prevent fuel cladding temperatures from reaching 2200F. | |||
: b. Respond to a need for emergency core cooling, regardless of the physical location of the malfunction or break that causes the need. | |||
: c. The following safety design bases are specified to limit dependence on operator judgement in times of stress: | |||
: 1. The ECCS responds automatically so that no action is required of plant operators within 10 minutes after a LOCA. | |||
: 2. The performance of the ECCS is indicated by control room instrumentation. | |||
: 3. Facilities for manual control of the ECCS are provided in the control room. | |||
7.1.2.1.3.2 ECCS Specific Regulatory Requirements CHAPTER 07 7.1-13 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The specific regulatory requirements applicable to the controls and instrumentation for the ECCS are shown on Table 7.1-3. | |||
7.1.2.1.3.3 ECCS Power Generation Design Bases There are no power generation design bases for this system. | |||
7.1.2.1.4 Neutron Monitoring System - Instrumentation and Controls 7.1.2.1.4.1 Source Range Monitor Subsystem 7.1.2.1.4.1.1 SRM Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.4.1.2 SRM Specific Regulatory Requirements There are no specific regulatory requirements for this system. | |||
7.1.2.1.4.1.3 SRM Power Generation Design Bases The SRM subsystem meets the following power generation design bases: | |||
: a. Neutron sources and neutron detectors together result in a signal-to-noise ratio of at least 2:1 and a count rate of at least three counts per second with all control rods fully inserted before initial power operation. | |||
: b. The SRM is able to perform the following functions: | |||
: 1. Indicate a measurable increase in output signal from at least one detecting channel before reactor period reaches 20 seconds duration during the worst possible startup rod withdrawal conditions | |||
: 2. Indicate substantial increases in output signals with the maximum permitted number of SRM channels out of service during normal reactor startup operations | |||
: 3. Ensure that the SRM channels are on scale when the IRM first indicates neutron flux during a reactor startup | |||
: 4. Provide a measure of the time rate of change of the neutron flux (reactor period) for operational convenience | |||
: 5. Generate interlock signals to block control rod withdrawal if the count rate exceeds a preset value or falls below a preset limit (if the IRMs are not above the second range) or if certain electronic failures occur | |||
: c. Perform its function in the maximum normal thermal and radiation environment | |||
: d. Ensure that loss of a single power bus does not disable the monitoring and alarming functions of all the available monitors CHAPTER 07 7.1-14 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.4.2 Intermediate Range Monitor Subsystem 7.1.2.1.4.2.1 IRM Safety Design Bases The IRM generates a trip signal that can be used while operating in the intermediate range to prevent fuel damage resulting from anticipated or abnormal operational transients that occur. The independence and redundancy incorporated in the design of the IRM is consistent with the safety design bases of the RPS. | |||
7.1.2.1.4.2.2 IRM Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the IRM are given in Table 7.1-3 for the NMS. | |||
7.1.2.1.4.2.3 IRM Power Generation Design Bases The IRM generates an interlock signal to block rod withdrawal if the IRM reading exceeds a preset value or if the IRM is not operating properly. The IRM is designed so that overlapping neutron flux indications exist with the SRM and APRM subsystems. | |||
7.1.2.1.4.3 Local Power Range Monitor Subsystem 7.1.2.1.4.3.1 LPRM Safety Design Bases The LPRM is designed to provide a sufficient number of LPRM signals to satisfy the APRM safety design bases. | |||
7.1.2.1.4.3.2 LPRM Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the LPRM are given in Table 7.1-3 for the NMS. | |||
7.1.2.1.4.3.3 LPRM Power Generation Design Bases The LPRM supplies the following: | |||
: a. Signals to the APRM that are proportional to the local neutron flux at various locations within the reactor core | |||
: b. Signals to alarm high or low local neutron flux | |||
: c. Signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of power distribution, local heat flux, minimum critical power ratio, and fuel burnup rate | |||
: d. Signals to the RBM to indicate changes in local relative neutron flux during the movement of control rods 7.1.2.1.4.4 Average Power Range Monitor Subsystem CHAPTER 07 7.1-15 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.4.4.1 APRM Safety Design Bases Under the worst permitted input LPRM bypass conditions, the APRM is capable of generating a trip signal in response to average neutron flux increases or thermal-hydraulic instability caused power oscillations in time to prevent fuel damage. The independence and redundancy incorporated into the design of the APRM are consistent with the safety design bases of the RPS. | |||
7.1.2.1.4.4.2 APRM Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the APRM are given in Table 7.1-3 for the NMS. | |||
7.1.2.1.4.4.3 APRM Power Generation Design Bases The APRM provides the following functions: | |||
: a. A continuous indication of average reactor power (neutron flux) from a few percent to 125% of rated reactor power | |||
: b. Interlock signals for blocking further rod withdrawal to avoid an unnecessary scram actuation | |||
: c. A reference power level for the RBM subsystem 7.1.2.1.4.5 Traversing Incore Probe Subsystem 7.1.2.1.4.5.1 TIP Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.4.5.2 TIP Specific Regulatory Requirements. | |||
There are no specific regulatory requirements applicable to this system. | |||
7.1.2.1.4.5.3 TIP Power Generation Design Bases The TIP subsystem meets the following power generation design bases: | |||
: a. It provides a signal proportional to the axial neutron flux distribution at the radial locations of the LPRM detectors. This signal is of high precision to allow reliable calibration of LPRM gains. | |||
: b. It provides an accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial neutron flux distribution. | |||
CHAPTER 07 7.1-16 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.4.6 Rod Block Monitor Subsystem 7.1.2.1.4.6.1 RBM Safety Design Bases There are no safety design bases for the RBM subsystem. | |||
7.1.2.1.4.6.2 RBM Specific Regulatory Requirements Specific regulatory requirements applicable to this subsystem are given in Table 7.1-3. | |||
7.1.2.1.4.6.3 RBM Power Generation Design Bases The RBM subsystem meets the following power generation design bases: | |||
: a. Prevents local fuel damage that may result from a single rod withdrawal error under the worst permitted conditions of RBM bypass | |||
: b. Provides a signal used by the operator to evaluate the change in the local relative power level during control rod movement 7.1.2.1.5 Refueling Interlocks - Instrumentation and Controls 7.1.2.1.5.1 RI Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.5.2 RI Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for refueling interlocks are given in Table 7.1-3. | |||
7.1.2.1.5.3 RI Power Generation Design Bases Refueling interlocks meet the following power generation design bases: | |||
: a. During fuel movements in or over the reactor core, they prevent control rod withdrawal. | |||
: b. No more than one control rod is withdrawn from its fully inserted position at any time when the reactor is in the refueling mode. | |||
: c. They prevent the operation of fuel loaded refueling equipment over the core whenever any control rod is withdrawn. | |||
When fuel is being moved from the core to the spent fuel pool during refueling, the refueling interlocks may be disabled for core cells from which the four fuel assemblies have been removed if the conditions contained in Technical Specifications 3.9.10.2 are met and compensating administrative controls are established. | |||
7.1.2.1.6 Reactor Manual Control System - Instrumentation and Controls CHAPTER 07 7.1-17 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.6.1 RMCS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.6.2 RMCS Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the RMCS are given in Table 7.1-3. | |||
7.1.2.1.6.3 RMCS Power Generation Design Basis The RMCS is designed to meet the following power generation design basis: | |||
: a. Enforce adherence to predetermined control rod withdrawal and insertion sequences | |||
: b. Provide the operator with the means to achieve prescribed control rod patterns | |||
: c. Inhibit control rod motion following receipt of rod block trip signals | |||
: d. Provide information pertinent to the position and motion of the control rods to the control room. | |||
7.1.2.1.7 Reactor Vessel Instrumentation 7.1.2.1.7.1 RVI Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.7.2 RVI Specific Regulatory Requirements There are no specific regulatory requirements applicable to this system. | |||
7.1.2.1.7.3 RVI Power Generation Design Bases RVI is designed to provide the reactor operator with sufficient indication of reactor vessel coolant temperature, reactor vessel water level, reactor vessel pressure, and nuclear system leakage to maintain proper normal operating conditions. These instruments augment safety-related information so that the operator can startup, operate, shutdown, and service the reactor in an efficient manner. | |||
7.1.2.1.8 Recirculation Flow Control System - Instrumentation and Controls 7.1.2.1.8.1 RFCS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.8.2 RFCS Specific Regulatory Requirements The specific regulatory requirements applicable to the RFCS are given in Table 7.1-3. | |||
7.1.2.1.8.3 RFCS Power Generation Design Bases CHAPTER 07 7.1-18 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The RFCS is designed to allow manual recirculation flow rate adjustment of reactor power level. | |||
7.1.2.1.9 Feedwater Control System - Instrumentation and Controls 7.1.2.1.9.1 FCS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.9.2 FCS Specific Regulatory Requirements The specific regulatory requirements applicable to the FCS are given in Table 7.1-3. | |||
7.1.2.1.9.3 FCS Power Generation Design Bases The reactor FCS regulates the feedwater flow over the entire power range of the reactor to maintain adequate water level in the reactor vessel and to prevent unnecessary initiation of safety-related systems due to low water level. | |||
7.1.2.1.10 Pressure Regulator and Turbine-Generator System - Instrumentation and Controls 7.1.2.1.10.1 PRTGS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.10.2 PRTGS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3. | |||
7.1.2.1.10.3 PRTGS Power Generation Design Bases The operation of the reactor demands that a pressure regulator concept be applied to maintain a constant turbine inlet pressure. | |||
The turbine pressure regulator, to maintain constant turbine inlet pressure, operates the steam bypass valves so that a portion of nuclear boiler rated flow can be bypassed for transient steam flow loads above that which can be accepted by the turbine and for the startup and shutdown phase. The PRTGS accomplishes the following control functions: | |||
: a. Control turbine speed and turbine acceleration | |||
: b. Operate the steam bypass system to keep reactor pressure within limits and avoid large power transients | |||
: c. Control main turbine control valve pressure within the proportional band setting of the pressure regulator 7.1.2.1.11 Process Radiation Monitoring System - Instrumentation and Controls 7.1.2.1.11.1 Main Steam Line Radiation Monitoring System CHAPTER 07 7.1-19 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.11.1.1 MSL-RMS Safety Design Bases The MSL-RMS is designed to meet the following safety design bases: | |||
: a. Detect a gross release of fission products from the fuel under any anticipated operating combination of main steam lines | |||
: b. Promptly indicate a gross release of fission products from the fuel 7.1.2.1.11.1.2 MSL-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this subsystem are shown in Table 7.1-3. | |||
7.1.2.1.11.1.3 MSL-RMS Power Generation Design Bases The MSL-RMS is designed to display in the control room an indication of gross gamma radiation level at the main steam tunnel. | |||
7.1.2.1.11.2 Reactor Enclosure Ventilation Exhaust Radiation Monitoring System 7.1.2.1.11.2.1 REVE-RMS Safety Design Bases This system is designed to meet the following design bases: | |||
: a. Detect a gross release of radioactive material into the reactor enclosure ventilation duct | |||
: b. Promptly indicate a gross release of radioactive material | |||
: c. Provide, on detection of a gross release of radioactive material: | |||
: 1. A trip signal for the reactor enclosure fans and closure of the valves to the vent exhaust system | |||
: 2. A trip signal to isolate the primary containment atmosphere purge and vent lines and start the SGTS | |||
: 3. An annunciation alarm signal in the control room 7.1.2.1.11.2.2 REVE-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are shown in Table 7.1-3. | |||
7.1.2.1.11.2.3 REVE-RMS Power Generation Design Bases The system provides the following: | |||
: a. Recorder indication in the control room of the gross gamma radiation level | |||
: b. An alarm annunciation in the control room CHAPTER 07 7.1-20 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.11.3 Refueling Area Ventilation Exhaust Radiation Monitoring System 7.1.2.1.11.3.1 RAVE-RMS Safety Design Bases This system is designed to meet the following design bases: | |||
: a. Detect a gross release of radioactive material into the refueling area ventilation duct | |||
: b. Promptly indicate a gross release of radioactive material | |||
: c. Provide on detection of a gross release of radioactive material: | |||
: 1. A trip signal for the refueling area fans and closure of the valves to the ventilation exhaust system | |||
: 2. A trip signal to isolate the primary containment atmosphere purge and vent lines and start the SGTS | |||
: 3. An alarm annunciation in the control room 7.1.2.1.11.3.2 RAVE-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are shown in Table 7.1-3. | |||
7.1.2.1.11.3.3 RAVE-RMS Power Generation Design Bases This system is designed to display an alarm in the control room and record gross releases of radioactive material from the refueling area duct. The control trip capability is stated above. | |||
7.1.2.1.11.4 Control Room Ventilation Radiation Monitoring System 7.1.2.1.11.4.1 CRV-RMS Safety Design Bases This system is designed to meet the following design bases: | |||
: a. Detect the presence of a hazardous quantity of radioactive material infiltrating the control room ventilation duct | |||
: b. Promptly indicate the presence of hazardous amounts of radioactivity | |||
: c. Provide, on detection of hazardous amounts of radioactive material: | |||
: 1. A trip signal to close the control room ventilation intake dampers | |||
: 2. A trip signal to start the control room emergency fresh air system 7.1.2.1.11.4.2 CRV-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3. | |||
7.1.2.1.11.4.3 CRV-RMS Power Generation Design Bases CHAPTER 07 7.1-21 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The system provides continuous indication and recording of the concentration of radioactive material entering the control room under all conditions of plant operation, including accidents. It provides annunciation alarms in the control room. | |||
7.1.2.1.11.5 Control Room Emergency Fresh Air Radiation Monitoring Systems 7.1.2.1.11.5.1 CREFA-RMS Safety Design Bases This system is designed to detect the presence of residual radiation in the effluent from the HEPA/charcoal filters during operation of the CREFAS. | |||
7.1.2.1.11.5.2 CREFA-RMS Specific Regulatory Requirements This system satisfies the requirement that the control room ventilation system is monitored at all times for radioactivity. If there is closure of the control room ventilation intake dampers, the control room radiation monitoring system becomes inoperative, so it becomes necessary to transfer surveillance to an active station. The specific regulatory requirements of this system are shown in Table 7.1-3. | |||
7.1.2.1.11.5.3 CREFA-RMS Power Generation Design Bases During operation of the CREFAS, the monitoring system provides continuous indication and recording of the concentration of radioactive material entering the control room. It provides annunciation alarms in the control room. | |||
7.1.2.1.11.6 Primary Containment Post-LOCA Radiation Monitoring System 7.1.2.1.11.6.1 PCPL-RMS Safety Design Bases This system is designed to maintain surveillance of the gross gamma radioactivity of the primary containment atmosphere under postaccident conditions. | |||
7.1.2.1.11.6.2 PCPL-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are shown in Table 7.1-3. | |||
7.1.2.1.11.6.3 PCPL-RMS Power Generation Design Bases This monitoring system becomes operational during and after accident conditions when shutdown occurs. As such, it does not serve any power generation design basis. However, indications of radiation levels are transmitted to the control room for readout, recording, and alarm annunciation at preset levels. | |||
7.1.2.1.11.7 Residual Heat Removal Service Water Radiation Monitoring System 7.1.2.1.11.7.1 RHRSW-RMS Safety Design Bases This system is designed to meet the following safety design bases: | |||
: a. Detect the presence of significant amounts of radioactivity in the RHRSW downstream of the RHR heat exchangers CHAPTER 07 7.1-22 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: b. Promptly indicate the release of radioactive material to the spray pond | |||
: c. Provide a trip signal to the RHRSW Pumps on detection of the presence of significant amounts of radioactive material. | |||
7.1.2.1.11.7.2 RHRSW-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3. | |||
7.1.2.1.11.7.3 RHRSW-RMS Power Generation Design Bases: | |||
This system provides the following: | |||
: a. Recorder indication in the control enclosure of the radioactivity level in the RHRSW | |||
: b. Annunciates alarms in the control room. | |||
7.1.2.1.11.8 Nonsafety-Related Radiation Monitoring Systems The following process radiation monitoring systems are classified as power generation systems in that they do not serve safety-related functions. The postaccident monitoring functions of some of these systems are discussed in Section 7.5. | |||
: a. South stack effluent (ventilation) | |||
: b. Radwaste equipment rooms ventilation | |||
: c. Charcoal treatment system process exhaust (gas) | |||
: d. Recombiner rooms, hydrogen analyzer compartments, and equipment drain sump vent (ventilation) | |||
: e. Steam exhauster discharge and vacuum pump exhaust (gas) | |||
: f. Radwaste enclosure ventilation exhaust (ventilation) | |||
: g. Air ejector offgas | |||
: h. Primary containment leak detector (gas) | |||
: i. Hot maintenance shop ventilation exhaust (ventilation) | |||
: j. Liquid radwaste discharge (liquid) | |||
: k. Service water (liquid) | |||
: l. Reactor enclosure cooling water (liquid) | |||
: m. North stack effluent (ventilation) | |||
CHAPTER 07 7.1-23 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR With the exception of items (g) and (j), these monitoring systems have no control functions. The above systems are described in Section 11.5. | |||
7.1.2.1.11.8.1 Nonsafety-Related RMS Safety Design Bases There are no safety design bases for these systems. The postaccident design bases of some of the systems are described in Section 7.5. | |||
7.1.2.1.11.8.2 Nonsafety-Related RMS Specific Regulatory Requirements The specific regulatory requirements applicable to these systems are shown in Table 7.1-3. | |||
7.1.2.1.11.8.3 Nonsafety-Related RMS Power Generation Design Bases These systems provide the following: | |||
: a. Except for the hot maintenance shop monitor, the systems provide an indication in the control room of the radiation levels measured in each application. All indications of the hot maintenance shop monitor are local. | |||
: b. Except for the hot maintenance shop monitor, the systems provide recorder signals to the control room. | |||
: c. Alarm annunciation is provided if high or downscale trip signals are transmitted to the control room. Alarm annunciator signals from the hot maintenance shop monitor are local. | |||
: d. The liquid radwaste discharge monitor trip signal closes the liquid radwaste discharge valve if there is a high signal. Data from this monitor are transmitted to the radwaste enclosure control room rather than to the main control room. | |||
7.1.2.1.12 Area Radiation Monitoring System 7.1.2.1.12.1 ARMS Safety Design Bases The ARMS is not a safety-related system and provides no control function. | |||
7.1.2.1.12.2 ARMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3. | |||
7.1.2.1.12.3 ARMS Power Generation Design Bases The system provides continuous indication and recording of gamma radiation intensities in those areas where radioactive materials may be present, handled, or inadvertently introduced. It provides annunciation alarms both locally and in the control room if preset limits of radiation are exceeded. Local alarms and readouts are located either adjacent to the detectors or at the entrance-ways to those areas that might prove hazardous to personnel. | |||
7.1.2.1.13 Deleted CHAPTER 07 7.1-24 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.14 Habitability and Control Room Isolation System - Instrumentation and Controls 7.1.2.1.14.1 HCRIS Safety Design Bases The system is designed to meet the following safety design bases: | |||
: a. During a radiation accident, isolate the main air intake and pressurize the control room with clean, filtered air | |||
: b. During a chlorine accident, isolate the control room and provide cleanup of the control room atmosphere by recirculation 7.1.2.1.14.2 HCRIS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.14.3 HCRIS Power Generation Design Bases This system is designed to provide a safe and comfortable environment for the control room personnel. | |||
7.1.2.1.15 Service Water Systems - Instrumentation and Controls 7.1.2.1.15.1 Emergency Service Water - Instrumentation and Controls 7.1.2.1.15.1.1 ESW Safety Design Bases The system is designed to meet the following safety design bases: | |||
: a. During and after transient and accident conditions, the system provides cooling for the control room chillers and diesel generators, serves safety-related pump-motor units needing water cooling, and maintains cooling of safety-related equipment via space coolers. | |||
: b. During loss of fuel pool cooling, the system provides makeup water to maintain the water level in the fuel pool. | |||
7.1.2.1.15.1.2 ESW Specific Regulatory Requirements The specific regulatory requirements applicable to the ESW system are shown in Table 7.1-3. | |||
7.1.2.1.15.1.3 ESW Power Generation Design Bases The system is designed to provide cooling for recirculation pump motors and oil coolers and the RECW system heat exchangers. | |||
7.1.2.1.15.2 Residual Heat Removal Service Water System - Instrumentation and Controls 7.1.2.1.15.2.1 RHRSW Safety Design Bases The system is designed to meet the following safety design bases: | |||
CHAPTER 07 7.1-25 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: a. During normal shutdown, the RHRSW system provides cooling for the RHR system heat exchangers. | |||
: b. During and after transient and accident conditions, the system provides cooling for the RHR system heat exchangers. | |||
: c. After an accident, the RHRSW system provides water for flooding the reactor core, and spraying the primary containment, if required. | |||
7.1.2.1.15.2.2 RHRSW Specific Regulatory Requirements The specific regulatory requirements applicable to the RHRSW system are shown in Table 7.1-3. | |||
7.1.2.1.15.2.3 RHRSW Power Generation Design Bases There are no power generation design bases for this system. | |||
7.1.2.1.16 Containment Atmospheric Control System - Instrumentation and Controls 7.1.2.1.16.1 Combustible Gas Control System 7.1.2.1.16.1.1 CGCS Safety Design Bases The system provides the means to measure and control the concentration of hydrogen and oxygen in the primary containment atmosphere following postulated accidents to ensure that the primary containment integrity is maintained. | |||
The system monitors the concentration of hydrogen and oxygen in the primary containment atmosphere during normal operation and following postulated accidents. Limits are established on abnormal concentrations of hydrogen and oxygen so that corrective action can be taken before unacceptable results occur. The unacceptable results are as follows: | |||
: a. A threat of significant compromise to the primary containment structure | |||
: b. A threat of significant compromise to the equipment inside the primary containment 7.1.2.1.16.1.2 CGCS Specific Regulatory Requirements The specific regulatory requirements applicable to the CGCS instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.16.1.3 CGCS Power Generation Design Bases The system is designed to provide the means to measure and control the amount of oxygen to ensure containment inerting. | |||
7.1.2.1.16.2 Primary Containment Vacuum Relief System - Instrumentation and Controls 7.1.2.1.16.2.1 PCVR Safety Design Bases The PCVR is designed to meet the following safety design bases: | |||
CHAPTER 07 7.1-26 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: a. Operate automatically to allow air from the suppression chamber to enter the drywell when a differential pressure exceeds a pre-established limit | |||
: b. Check the operational availability of each valve and the disc position indication system for each valve during reactor operation 7.1.2.1.16.2.2 PCVR Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.16.2.3 PCVR Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.17 Reactor Core Isolation Cooling System - Instrumentation and Controls 7.1.2.1.17.1 RCIC Safety Design Bases The system is designed to meet the following safety design bases: | |||
: a. Sufficient coolant can be maintained in the reactor vessel in case of an isolation with a loss of main feedwater flow. | |||
: b. Provisions are made for automatic and remote manual operation of the system. | |||
: c. Components of the RCIC system are designed to satisfy seismic Category I design requirements. | |||
: d. The power supply for the system is from immediately available energy sources of high reliability. | |||
: e. Provision is made so that periodic testing can be performed during plant operation. | |||
7.1.2.1.17.2 RCIC Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3. | |||
7.1.2.1.17.3 RCIC Power Generation Design Bases There are no power generation design bases for this system. | |||
7.1.2.1.18 Standby Liquid Control System - Instrumentation and Controls 7.1.2.1.18.1 SLCS Safety Design Bases This system is capable of shutting the reactor down from full power to cold shutdown and maintaining the reactor in a subcritical state at atmospheric temperature and pressure conditions by pumping sodium pentaborate, a neutron absorber, into the reactor. This system is also capable of maintaining suppression pool pH at a level of 7.0 or greater following a LOCA. | |||
CHAPTER 07 7.1-27 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.18.2 SLCS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are given in Table 7.1-3. | |||
7.1.2.1.18.3 SLCS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.19 Radwaste Systems - Instrumentation and Controls 7.1.2.1.19.1 Liquid Radwaste System 7.1.2.1.19.1.1 LRS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.19.1.2 LRS Specific Regulatory Requirements Specific regulatory requirements applicable to the system are listed in Table 7.1-3. | |||
7.1.2.1.19.1.3 LRS Power Generation Design Bases The instrumentation and control system is designed to provide dependable measurement and control for the various liquid processing systems during normal and expected occurrence conditions. | |||
7.1.2.1.19.2 Gaseous Radwaste System 7.1.2.1.19.2.1 GRS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.19.2.2 GRS Specific Regulatory Requirements Specific regulatory requirements applicable to the system are listed in Table 7.1-3. | |||
7.1.2.1.19.2.3 GRS Power Generation Design Bases The instrumentation and control system is designed to perform the following: | |||
: a. Monitor and control the GRS | |||
: b. Detect, indicate, and alarm a system upset to provide sufficient time for corrective action 7.1.2.1.19.3 Solid Radwaste System 7.1.2.1.19.3.1 SRS Safety Design Bases There are no safety design bases for this system. | |||
CHAPTER 07 7.1-28 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.19.3.2 SRS Specific Regulatory Requirements No specific regulatory requirements are imposed on the SRS. | |||
7.1.2.1.19.3.3 SRS Power Generation Design Bases The instrumentation and control system is designed to: | |||
: a. Monitor and control the SRS | |||
: b. Detect, indicate, and alarm a system upset to provide sufficient time for corrective action 7.1.2.1.20 Reactor Water Cleanup System - Instrumentation and Controls 7.1.2.1.20.1 RWCU Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.20.2 RWCU Specific Regulatory Requirements The specific regulatory requirements applicable to this system are provided in Table 7.1-3. | |||
7.1.2.1.20.3 RWCU Power Generation Design Bases The purpose of the RWCU system is to provide continuous processing of the reactor water to maintain the purity within specified limits. The system also provides the means for removal of reactor water. Although the RWCU system is of importance to startup and long-term operation, the reactor may operate while the RWCU is out of service. | |||
7.1.2.1.21 Class 1E Power Systems 7.1.2.1.21.1 Class 1E Power Systems Safety Design Bases The safety design bases for the electrical power systems required to support the safety-related systems are described in Sections 8.1 and 8.3. | |||
7.1.2.1.21.2 Class 1E Power Systems Specific Regulatory Requirements The specific regulatory requirements applicable to the standby power systems are given in Sections 8.1 and 8.3. | |||
7.1.2.1.21.3 Class 1E Power Systems Power Generation Design Bases The power generation design bases for the standby power systems are described in Sections 8.1 and 8.3.1. | |||
7.1.2.1.22 Leak Detection Systems - Instrumentation and Controls 7.1.2.1.22.1 LDS Safety Design Bases CHAPTER 07 7.1-29 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The safety design bases for the LDS are as follows: | |||
: a. Signals are provided that initiate automatic isolation (or permit manual isolation) of abnormal leakage before the results of this leakage become unacceptable. | |||
: b. The unacceptable results of failure to detect leakage are as follows: | |||
: 1. The potential for degradation of the RCPB in excess of specified limits | |||
: 2. The potential for release of primary coolant fluid sufficient to cause unacceptable offsite radiological doses | |||
: 3. The potential for a leakage rate in excess of the capability of operating equipment to maintain reactor vessel water level | |||
: 4. A threat of significant compromise to the steam and power conversion system boundary | |||
: 5. The potential for a leakage rate in excess of radiological limits | |||
: 6. The potential for a leakage rate that negates the safety equipment function 7.1.2.1.22.2 LDS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3. | |||
7.1.2.1.22.3 LDS Power Generation Design Bases A means is provided to detect and indicate in the control room abnormal leakage from the RCPB, steam, and the power conversion system boundary. | |||
7.1.2.1.23 Reactor Shutdown Cooling Mode of the RHR System - Instrumentation and Controls 7.1.2.1.23.1 RHR-SCM Safety Design Bases The RHR-SCM is designed to meet the following functional design bases: | |||
: a. Instrumentation and controls are provided that enable the system to remove the residual heat (decay heat and sensible heat) from the reactor vessel during normal shutdown. | |||
: b. Manual controls of the RHR-SCM are provided in the control room, and manual controls for one loop are provided at the remote shutdown panel. | |||
: c. Performance of the RHR-SCM is indicated by control room instrumentation and instrumentation on the remote shutdown panel. | |||
7.1.2.1.23.2 RHR-SCM Specific Regulatory Requirements CHAPTER 07 7.1-30 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The specific requirements applicable to the RHR-SCM are shown in Table 7.1-3. | |||
7.1.2.1.23.3 RHR-SCM Power Generation Design Bases The RHR-SCM meets the following power generation design bases: | |||
: a. Cooling is provided for the reactor during the shutdown operation when the vessel pressure is below the prescribed limit. | |||
: b. The reactor water is cooled to a temperature that is practicable for refueling and servicing operation. | |||
7.1.2.1.24 Fuel Pool Cooling and Cleanup System - Instrumentation and Controls 7.1.2.1.24.1 FPCC Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.24.2 FPCC Specific Regulatory Requirements The specific regulatory requirements applicable to the FPCC are given in Table 7.1-3. | |||
7.1.2.1.24.3 FPCC Power Generation Design Bases The purpose of the FPCC instrumentation and controls is to maintain the shielding water in the spent fuel and equipment storage pools and the reactor water well below a desired temperature and at a degree of clarity necessary to refuel and service the reactor. | |||
7.1.2.1.25 Reactor Enclosure Recirculation System - Instrumentation and Controls 7.1.2.1.25.1 RERS Safety Design Bases During an isolation of the reactor enclosure the RERS filters and mixes the air in this area. | |||
7.1.2.1.25.2 RERS Specific Regulatory Requirements The specific regulatory requirements applicable to the RERS instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.25.3 RERS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.26 Standby Gas Treatment System - Instrumentation and Controls 7.1.2.1.26.1 SGTS Safety Design Bases This system is designed to meet the following safety design bases: | |||
CHAPTER 07 7.1-31 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: a. During an isolation of the reactor enclosure and/or refueling area, the SGTS restores and maintains these areas at a negative pressure with reference to the outside atmosphere | |||
: b. Further filter the air drawn from the reactor enclosure recirculation system before exhausting it to the atmosphere 7.1.2.1.26.2 SGTS Specific Regulatory Requirements The specific regulatory requirements applicable to the SGTS instrumentation and control are shown in Table 7.1-3. | |||
7.1.2.1.26.3 SGTS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.27 Deleted 7.1.2.1.28 Safety-Related Display Instrumentation 7.1.2.1.28.1 SRDI Safety Design Bases The necessary display instrumentation is available to the reactor operator in the control room for determining when conditions exist that require specified manual control actions and to monitor the results of these and automatic actions, and to identify and follow the source of the accident to the degree necessary for the operator to perform his/her role and to verify adequate core cooling and containment integrity. | |||
7.1.2.1.28.2 SRDI Specific Regulatory Requirements The specific regulatory requirements applicable to the SRDI are given in Table 7.1-3. | |||
7.1.2.1.28.3 SRDI Power Generation Design Bases The safety-related instruments that are also used for power generation are designed so that all the expected power operation actions and maneuvers can be reasonably accomplished by the reactor operator. | |||
7.1.2.1.29 Containment Instrument Gas System - Instrumentation and Controls 7.1.2.1.29.1 CIGS Safety Design Bases The CIGS is designed to provide a compressed gas supply for the ADS SRVs. | |||
7.1.2.1.29.2 CIGS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
CHAPTER 07 7.1-32 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.29.3 CIGS Power Generation Design Bases See Section 9.3. | |||
7.1.2.1.30 Containment Spray Mode of the RHR System - Instrumentation and Controls 7.1.2.1.30.1 RHR-CSM Safety Design Bases The RHR-CSM is designed to meet the following safety design bases: | |||
: a. Instrumentation and controls are provided to sense drywell pressure and to enable the system to condense steam in the drywell and the suppression pool air volume during a transient or accident event. | |||
: b. All manual controls for the containment spray mode of the RHR system are provided in the control room. | |||
: c. Performance of the RHR-CSM is indicated by control room instrumentation. | |||
7.1.2.1.30.2 RHR-CSM Specific Regulatory Requirements Specific regulatory requirements applicable to the RHR-CSM are listed in Table 7.1-3. | |||
7.1.2.1.30.3 RHR-CSM Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.31 Remote Shutdown System - Instrumentation and Controls 7.1.2.1.31.1 RSS Safety Design Bases The capability to remotely shutdown the reactor is designed to meet the following functional design bases: | |||
: a. Instrumentation and controls are provided outside the control room to allow prompt hot shutdown of the reactor and to maintain safe conditions during hot shutdown. | |||
: b. Suitable procedures provide the capability for subsequent cold shutdown of the reactor. | |||
7.1.2.1.31.2 RSS Specific Regulatory Requirements Specific regulatory requirements applicable to the RSS are listed in Table 7.1-3. | |||
7.1.2.1.31.3 RSS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.32 Suppression Pool Cooling Mode of the RHR System - Instrumentation and Controls 7.1.2.1.32.1 RHR-SPCM Safety Design Bases CHAPTER 07 7.1-33 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Instrumentation and controls are provided to allow the reactor operator to manually initiate suppression pool cooling to ensure that the pool temperature does not exceed the pre-established pool temperature limit. | |||
7.1.2.1.32.2 RHR-SPCM Specific Regulatory Requirements The specific regulatory requirements applicable to this mode of operation are the same as listed in Table 7.1-3 for the RHR-SCM. | |||
7.1.2.1.32.3 RHR-SPCM Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.33 Safety-Related Equipment Area Cooling Ventilation Systems 7.1.2.1.33.1 Standby Gas Treatment System Filter Room and Access Area Unit Coolers - | |||
Instrumentation and Controls 7.1.2.1.33.1.1 SGTS-UC Safety Design Bases Instruments and controls are provided to enable the unit coolers to provide cooling to the areas around the SGTS filter to keep ambient conditions within the prescribed limits. | |||
7.1.2.1.33.1.2 SGTS-UC Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.33.1.3 SGTS-UC Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.33.2 Diesel Generator Enclosure Ventilation System - Instrumentation and Controls 7.1.2.1.33.2.1 DGEVS Safety Design Bases Instruments and controls are provided to enable the diesel generator fans to provide ventilation to the diesel generator cells to keep the ambient conditions within the prescribed limits. | |||
7.1.2.1.33.2.2 DGEVS Specific Regulatory Requirements The specific regulatory requirements applicable to the DGEVS instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.33.2.3 DGEVS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.33.3 Spray Pond Pump Structure Ventilation System - Instrumentation and Controls CHAPTER 07 7.1-34 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.33.3.1 SPPSVS Safety Design Bases Instruments and controls are provided to enable the fan systems to maintain the environment of the spray pond pump structure within the prescribed limits. | |||
7.1.2.1.33.3.2 SPPSVS Specific Regulatory Requirements This specific regulatory requirements applicable to the SPPSVS instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.33.3.3 SPPSVS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.33.4 Emergency Switchgear and Battery Rooms Cooling System - Instrumentation and Controls 7.1.2.1.33.4.1 ESBRCS Safety Design Bases Instruments and controls are provided to enable the cooling units to keep the ambient conditions of the affected areas within the prescribed limits and provide exhaust recirculation from the battery rooms. | |||
7.1.2.1.33.4.2 ESBRCS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.33.4.3 ESBRCS Power Generation Design Bases Instruments and controls are provided to enable the cooling units to keep the ambient conditions of the affected areas within the prescribed limits and provide exhaust from the battery rooms. | |||
7.1.2.1.33.5 Emergency Core Cooling Systems (ECCS and RCIC) Pump Compartment Unit Coolers - Instrumentation and Controls 7.1.2.1.33.5.1 ECCS-UC Safety Design Bases Instruments and controls are provided to enable the unit coolers to keep the ambient conditions of the affected areas, except for HPCI and RCIC within the prescribed limits. | |||
7.1.2.1.33.5.2 ECCS-UC Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.33.5.3 ECCS-UC Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.33.6 Auxiliary Equipment Room Ventilation System - Instrumentation and Controls 7.1.2.1.33.6.1 AERVS Safety Design Bases CHAPTER 07 7.1-35 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Instruments and controls are provided to enable the fan systems to maintain the environment in the auxiliary equipment room within the prescribed limits. | |||
7.1.2.1.33.6.2 AERVS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.33.6.3 AERVS Power Generation Design Bases Instruments and controls are provided to ensure adequate ventilation for the equipment in the auxiliary equipment room. | |||
7.1.2.1.34 Drywell Unit Coolers - Instrumentation and Controls 7.1.2.1.34.1 DUC Safety Design Bases Instruments and controls are provided to enable the unit coolers to provide atmosphere mixing in the primary containment. | |||
7.1.2.1.34.2 DUC Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.34.3 DUC Power Generation Design Bases Instruments and controls are provided to enable the unit coolers to provide cooling in the primary containment. | |||
7.1.2.1.35 Control Enclosure Chilled Water System - Instrumentation and Controls 7.1.2.1.35.1 CECWS Safety Design Bases Instruments and controls are provided to enable the chiller and its circulating pumps to supply chilled water to the cooling coils of the associated equipment. | |||
7.1.2.1.35.2 CECWS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3. | |||
7.1.2.1.35.3 CECWS Power Generation Design Bases Instruments and controls are provided to enable the chiller and its circulating pumps to supply chilled water to the cooling coils of the associated equipment. | |||
7.1.2.1.36 High Pressure/Low Pressure System Interlocks 7.1.2.1.36.1 HPLPSI Safety Design Bases CHAPTER 07 7.1-36 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR HPLPSI is not a system, but provides interlocks between pressure in the reactor coolant and pressure in the RHR system. Therefore safety design bases do not apply directly to HPLPSI. | |||
7.1.2.1.36.2 HPLPSI Specific Regulatory Requirements There are no specific regulatory requirements for the HPLPSI. | |||
7.1.2.1.36.3 HPLPSI Power Generation Design Bases There are no power generation design bases for the HPLPSI. | |||
7.1.2.1.37 Safety/Relief Valve Position Indication System - Instrumentation and Controls 7.1.2.1.37.1 SRVPI Safety Design Bases Indication and alarms, provided in the control room, alert the operator to, and identifies, OPEN/NOT-OPEN SRVs. | |||
7.1.2.1.37.2 SRVPI Specific Regulatory Requirements The specific regulatory requirements applicable to the SRVPI are shown in Table 7.1-3. | |||
7.1.2.1.37.3 SRVPI Power Generation Design Bases There are no power generation design bases for this system. | |||
7.1.2.1.38 Fire Protection and Suppression System 7.1.2.1.38.1 FPSS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.38.2 FPSS Specific Regulatory Requirements There are no specific regulatory requirements for this system. | |||
7.1.2.1.38.3 FPSS Power Generation Design Bases There are no power generation design bases for this system. | |||
7.1.2.1.39 Reactor Enclosure Isolation System 7.1.2.1.39.1 REIS Safety Design Bases The system is designed to meet the following safety design bases: | |||
: a. Instruments and controls are provided that enable the system to isolate the reactor enclosure secondary containment. | |||
CHAPTER 07 7.1-37 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: b. Manual controls for the isolation system are provided in the control room. | |||
: c. Performance of the isolation is indicated by control room instrumentation. | |||
7.1.2.1.39.2 REIS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and control are shown in Table 7.1-3. | |||
7.1.2.1.39.3 REIS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.40 Nonsafety-Related Equipment Area Cooling Ventilation Systems 7.1.2.1.40.1 Safety Design Bases There are no safety design bases for the instrumentation and controls for these systems. | |||
7.1.2.1.40.2 Specific Regulatory Requirements There are no specific regulatory requirements for these systems' instruments and controls. | |||
7.1.2.1.40.3 Power Generation Design Bases Instruments and controls are provided to ensure adequate ventilation for equipment and personnel located in the areas serviced by the nonsafety-related equipment area cooling ventilation systems during normal plant operation. | |||
7.1.2.1.41 Safeguard Piping Fill System 7.1.2.1.41.1 SPFS Safety Design Bases The SPFS is designed to perform two functions: | |||
: a. Provide a safety-related backup source of makeup water to the ECCS and RCIC pump discharge lines to prevent drainage of the lines from back leakage through the discharge check valves in the event of failure of the primary source (condensate transfer system) | |||
: b. Provide a water seal in the feedwater lines to forestall the possibility of drainage of the feedwater lines and subsequent bypass leakage of containment atmosphere 7.1.2.1.41.2 SPFS Specific Regulatory Requirements The specific regulatory requirements for this system are listed in Table 7.1-3. | |||
7.1.2.1.41.3 SPFS Power Generation Design Bases This system has no power generation design bases. | |||
CHAPTER 07 7.1-38 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.1.42 Refueling Area Isolation System 7.1.2.1.42.1 RAIS Safety Design Bases The system is designed to meet the following safety design bases: | |||
: a. Instruments and controls are provided that enable the system to isolate the refueling floor. | |||
: b. Manual controls for the isolation system are provided in the control room. | |||
: c. Performance of the isolation is indicated by control room instrumentation. | |||
7.1.2.1.42.2 RAIS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and control are shown in Table 7.1-3. | |||
7.1.2.1.42.3 RAIS Power Generation Design Bases There are no power generation design bases for this system. | |||
7.1.2.1.43 Redundant Reactivity Control System 7.1.2.1.43.1 RRCS Safety Design Basis The RRCS is designed to mitigate the potential consequences of an ATWS event. The RRCS provides signals to mitigate an ATWS event by: | |||
: a. Initiating an ARI which is redundant and diverse from the normal RPS | |||
: b. Tripping the recirculation pump | |||
: c. Providing feedwater runback function | |||
: d. Automatically initiating the SLCS. | |||
7.1.2.1.43.2 RRCS Specific Regulatory Requirements The regulatory requirements applicable to the RRCS are given in Table 7.1-3. | |||
7.1.2.1.43.3 RRCS Power Generation Design Bases This system has no power generation design bases. | |||
7.1.2.1.44 Rod Worth Minimizer 7.1.2.1.44.1 RWM Safety Design Bases CHAPTER 07 7.1-39 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR There are no safety design bases for the RWM. | |||
7.1.2.1.44.2 RWM Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and control are listed in Table 7.1-3. | |||
7.1.2.1.44.3 RWM Power Generation Design Basis The RWM monitors and enforces operator adherence to established startup, shutdown, and low power level control rod sequences. | |||
7.1.2.1.45 Plant Monitoring System 7.1.2.1.45.1 PMS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.45.2 PMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are listed in Table 7.1-3. | |||
7.1.2.1.45.3 PMS Power Generation Design Bases The PMS is a centralized, integrated system which performs the process monitoring and calculations defined as being necessary for the effective evaluation of power plant operation. The PMS acquires and records process data (e.g., temperatures, pressure, flows, and status indicators) to produce meaningful displays, logs, and plots of current and historical plant performance. The PMS has the following major functions: | |||
: a. Provide real-time and historical emergency response information necessary to meet and support SPDS requirements; that is, information to maintain adequate core cooling, shut down the reactor, cool the RPV to cold shutdown conditions, maintain primary containment integrity, and protect equipment in the primary containment. | |||
: b. Provide functions, such as scan, log, and alarm, certain NSSS programs, SOE, trend recorder, and BOP programs. | |||
: c. Provide information to personnel in the control room, the TSC, and the EOF. | |||
: d. Provide real-time and historical information during normal, startup, and emergency operation at high resolution recording speeds for event monitoring and analyses. | |||
7.1.2.1.46 Emergency Response Facility Data System 7.1.2.1.46.1 ERFDS Safety Design Bases There are no safety design bases for this system. | |||
7.1.2.1.46.2 ERFDS Specific Regulatory Requirements CHAPTER 07 7.1-40 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The specific regulatory requirements applicable to this system are listed in Table 7.1-3. | |||
7.1.2.1.46.3 ERFDS Power Generation Design The ERFDS is a part of the PMS and performs the process monitoring and calculations defined as being necessary for the effective evaluation of normal and emergency power plant operation. The PMS acquires and records process data for ERFDS including temperatures, pressures, flows, and status indicators. This data is processed to produce meaningful displays, logs, and plots of current or historical plant performance and is presented to plant personnel in the plant main control room or other user definable locations. | |||
7.1.2.2 Independence of Redundant Safety-Related Systems 7.1.2.2.1 Introduction This section defines separation criteria for safety-related mechanical and electrical equipment. | |||
Safety-related equipment to which the criteria apply is that equipment that is necessary to mitigate the effects of DBAs and is identified in Section 7.1.1. The objective of the criteria is to delineate the separation requirements necessary to achieve independence of safety-related equipment. | |||
7.1.2.2.2 Mechanical Systems Separation Criteria 7.1.2.2.2.1 General | |||
: a. Separation of the affected mechanical systems and equipment is accomplished so that the substance and intent of the General Design Criteria of 10CFR50, Appendix A are fulfilled. | |||
: b. Consideration is given to the redundant and diverse requirements of the affected systems. | |||
: c. Consideration is given to the type, size, and orientation of possible breaks of the RCPB specified in Section 3.6. | |||
: d. A single active component failure is an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be part of the single failure. | |||
Fluid systems are considered to be designed against an assumed single failure if a single failure of any active component (assuming passive components function properly) does not result in a loss of capability of the system to perform its safety function. | |||
: e. The affected mechanical systems and equipment, along with their associated structures, are appropriately separated so that they are adequately protected against: | |||
: 1. The design basis LOCA dynamic effects outlined in Section 3.6 | |||
: 2. Missiles as defined in Section 3.5 CHAPTER 07 7.1-41 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: 3. Fires and floods capable of damaging redundant mechanical safety equipment (Sections 9.5.1 and 3.4) | |||
The need for and the adequacy of separation are determined in conjunction with the criteria specified in Sections 3.5 and 3.6. | |||
7.1.2.2.2.2 Mechanical Systems Separation | |||
: a. Piping for a redundant safety system is run independently of its counterpart. | |||
Redundant piping supports, restraints, and mechanical components of the same system are not shared unless it can be shown that such sharing does not impair their ability to perform their safety functions. | |||
: b. Entrance penetrations to the containment are separated so that damage to or failure of one branch of a system does not render its redundant counterpart(s) inoperable. | |||
: c. Equipment for redundant safety systems or redundant groups of safety systems is separated so that damage to or failure of one division of a system does not render its redundant counterpart inoperable. | |||
7.1.2.2.2.3 Mechanical Systems Physical Separation | |||
: a. Mechanical equipment, piping, and tubing for safety-related systems are separated so that no single credible event is capable of disabling sufficient equipment to prevent reactor shutdown, removal of decay heat from the core, long-term suppression pool cooling, isolation, and integrity of the containment. Separation is accomplished either by distance or by physical barriers such as walls and intervening structural components. | |||
A representation of the separation is shown in Tables 7.1-4, 7.1-5, and 7.1-6. | |||
: b. The equipment in each group is separated from that in the other group by the required practical distance. | |||
: c. Separation barriers are constructed between the functional groups as required to ensure that the environmental disturbances (such as fire, flood, pipe rupture phenomena, falling objects, etc.) affecting one functional group do not affect the remaining groups. | |||
7.1.2.2.3 Electrical Systems Separation Criteria 7.1.2.2.3.1 General The electrical separation criteria are described in Section 8.1.6.1.14, compliance with Regulatory Guide 1.75. In addition to the criteria described there, the following applies: | |||
: a. Panels and Racks CHAPTER 07 7.1-42 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Panels and racks associated with the RPS or ESF are labeled with marker plates which distinctively identify the equipment as being in the protective system; the difference may be in color, or color of engraving-fill. The marker plates include identification of the proper division of the equipment included. | |||
: b. Junction or Pullboxes Junction and/or pullboxes enclosing wiring for the RPS or ESF have identification similar to and compatible with the panels and racks. | |||
: c. Cables Refer to Section 8.1.6.1.14. | |||
: d. Raceways Refer to Section 8.1.6.1.14. | |||
: e. Sensory Equipment Grouping and Designation Letters Redundant sensory equipment is identified by suffix letters in accordance with Table 7.1-4 for all de-energized-to-operate systems, including the RPS, and in accordance with Table 7.1-5 for the NMS. These tables also show the allocation of sensors to their separated divisions. | |||
: f. Isolation Devices Three types of isolation devices are used in control and instrumentation circuits: | |||
: a. Auxiliary relays and control switches | |||
: b. Fiber optic couplers | |||
: c. Solid-state signal isolators Auxiliary relays are the most widely used type of isolation device. Several relay types are used with both contact-to-contact and coil-to-contact isolation being used in both BOP and NSSS circuits. Relays and control switches are considered to be acceptable isolation devices if they have a minimum breakdown voltage of at least 600 V RMS between adjacent contacts. This level was chosen because the maximum credible voltage that could be impressed on a control circuit is 530 V ac based on a hot short occurring between a power and control cable in a cable tray. | |||
To confirm the suitability of relays as isolation devices, tests were performed on the several relay types that are mort widely used at LGS. These tests are documented in PECo Test Report 48503, dated September 1, 1982. This test report was submitted to the NRC by letter from J.S. Kemper (PECo) to A. Schwencer (NRC) dated November 20, 1982 and shows that these relays perform satisfactorily in preventing a postulated failure in a non-Class 1E circuit from adversely affecting a Class 1E circuit. | |||
CHAPTER 07 7.1-43 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Fiber optic couplers are used to isolate the inputs to the PMS, which is non-safety related, from certain safety-related instrument loops that it monitors. The fiber optic transducers are part of the input modules of the PMS, some of which are Class 1E. | |||
The safety related modules are mounted in panels that contain cables of only one division. These panels are located in the control structure from which the multiplexer output is transmitted via fiber optic cable to the TSC where the PMS CPUs are located. Any failure of the PMS would not be reflected back into the safety systems through the fiber optic link because this fiber optic cable has a typical dielectric breakdown of 1.4 MV per inch. | |||
Fiber optic isolators are also used between the Class 1E postaccident radiation monitors and the computer-based RMMS. | |||
The RRCS also uses fiber optic isolators for logic interface between Class 1E divisions and Class 1E/non-Class 1E inputs. Test data for the isolators in these systems was transmitted to the NRC by letter from J.S. Kemper (PECo) to A. | |||
Schwencer (NRC) dated December 14, 1983. | |||
Solid-state isolators are used to provide isolation of Class 1E analog inputs to the Plant Monitoring System. Because the computer input cables are routed in raceways that contain only instrumentation cables, it can be shown by analysis that these isolators adequately prevent any failure in the computer or the instrumentation raceways from adversely affecting any safety-related system. | |||
Solid-state isolators are used to isolate inputs from the NMS (except PRNM) and from the dc battery bus to the Plant Monitoring System. | |||
The NMS (except PRNM) isolators consist of an operational amplifier with a 10 volt maximum output which is reduced to 160 mV maximum by a resistive network. A 30 mA fuse is then provided in series prior to taking the signal to the computer. The dc voltage transducer/isolator has been tested to ensure that either a short circuit, open circuit, or short to ground on the output terminals would not cause an unacceptable effect on the dc system. | |||
The PRNM uses fiber optic isolators between divisions and to the Plant Monitoring System, optically coupled relays for isolation of outputs to non-divisional circuits, and magnetically coupled analog isolators for isolation of analog outputs. It has been shown by analysis that these methods in combination with the wire and cable routing within the system assure adequate isolation between redundant channels of the safety-related functions. | |||
Solid-state analog isolators are also used in several HVAC analog control loops to provide isolation of cross-division signals. Test data for all solid-state isolators was transmitted to the NRC by letter from J.S. Kemper (PECo) to A. Schwencer (NRC) dated December 14, 1983. | |||
7.1.2.2.3.2 Electrical Systems Separation Requirements 7.1.2.2.3.2.1 RPS and Normally Energized Portions of PCRVICS The following general rules apply to RPS wiring. Portions of the NMS wiring are considered as part of the RPS. | |||
CHAPTER 07 7.1-44 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: a. RPS cable in raceways outside of the main protection system cabinets run in enclosed raceways used only for the RPS. Under-vessel neutron monitoring cables are not placed in any enclosure that unduly restricts their flexibility. Neutron monitoring cables (SRM, IRM, and APRM) may be run in the same raceway, provided that divisional separation is maintained. | |||
: b. Wiring to redundant sensors on a common process tap is run in separate raceways to separate destinations to meet the single failure criterion. | |||
: c. Wiring for sensors of more than one variable in the same trip channel may be run in the same raceway. | |||
: d. Wires from both RPS trip systems that trip actuators to a single group of scram solenoids may be run in a single conduit; however, a single conduit does not contain wires to more than one group of scram solenoids or any other wiring. | |||
Wiring for two solenoids on the same control rod may be run in the same conduit. | |||
: e. Cables through the primary containment penetrations are so grouped that failure of all cabling in a single penetration cannot prevent a scram (this applies specifically to the neutron monitoring cables and the MSIVs position switch cables). | |||
: f. Power supplies to systems that de-energize to operate (so-called "fail-safe" power supplies) require only separation that is deemed prudent to give reliability (continuity of operation). Therefore, the protection system power supplies and load circuit breakers are not required to comply with the separation requirements for safety reasons, even though the load circuits go to separated panels. | |||
: g. Wiring providing power for the movement of each RPS backup scram valve and the solenoids for the SDV vent and drain valves is routed in rigid conduit, and wires are separated from one another and from all other cables. | |||
: h. The RPS wiring is run and/or protected so that no common source or potentially damaging energy (e.g., electrical fire in non-RPS wireways, malfunction, misoperation of plant equipment, pipe rupture, etc.) could reasonably result in a loss of ability to scram when required. | |||
7.1.2.2.3.2.2 All Other Safety-Related Systems Electrical Systems Separation Criteria | |||
: a. Separation is designed so that no single failure can prevent the performance of any safety-related function. Redundant (even dissimilar) systems may be required to perform the required function to satisfy the single failure criterion. Figures 7.1-1 through 7.1-4, and Table 7.1-6 show equipment separation into divisions and the allowable interconnections through isolating devices. | |||
: b. The inboard and outboard NSSS system isolation valves are backups for each other, so they must be independent of and protected from each other, to the extent that no single failure can prevent the operation of at least one valve of an inboard/outboard pair. Figure 7.1-3 illustrates the MSL isolation valve separation concept. | |||
: c. Isolation valve circuits require special attention because of their function in limiting the consequences of a pipe break outside the primary containment. Isolation valve CHAPTER 07 7.1-45 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR control and power circuits are protected from the pipelines that they are responsible for isolating, as follows: | |||
: 1. Essential isolation valve wiring in the vicinity of the outboard valve (or downstream from the valve) is installed in conduit and routed to take advantage of the mechanical protection afforded by the valve operator or other available structural barriers not susceptible to disabling damage from the pipeline break. Additional mechanical protection (barriers) is interposed as necessary. | |||
: 2. Isolation valve control and/or power wiring run in a raceway with other cables is protected from secondary effects of damage to those cables that might result from a pipe break in a line requiring isolation (i.e., short circuits that might overheat cables in an ESF raceway). | |||
: 3. When the downstream piping from the containment is not seismic Category I, the isolation valve wiring in the vicinity of the inboard valve is in rigid conduit and routed so as to take advantage of the mechanical protection afforded by the valve operator or other available structural barriers not susceptible to disabling damage from a pipe line break. Additional mechanical protection (barriers) are interposed as necessary between wiring and potential sources of disabling mechanical damage consequential to a pipe break. Except for the requirements of this paragraph, wiring near the inboard valve does not require special treatment discussed in paragraphs (1) and (2) above. | |||
: 4. MOVs that have a mechanical check valve backup for their isolation function are included in the division that embraces the system in which the valves are located rather than adhering strictly to the inboard/outboard divisional classification. | |||
: d. Steam Leakage Zone Electrical equipment and raceways for systems listed in Section 7.1.1.2 are not located in a steam leakage zone insofar as is practicable, or they are designed for short-term exposure to the high temperature and humidity associated with a steam leak. | |||
: e. Suppression Pool Level Swell Zone Any electrical equipment and/or raceways for the RPS or ESF located in this zone are designed to complete their function satisfactorily before being rendered inoperable due to exposure to the environment created by the level swell phenomena. | |||
7.1.2.3 Physical Identification of Safety-Related Equipment The physical identification of equipment is described in Section 8.1. | |||
7.1.2.4 Instrument Errors CHAPTER 07 7.1-46 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The design considers instrument performance, as well as engineering judgment and historical practices in the selection of instrumentation and controls and in the determination of setpoints. An adequate margin between safety limits and Limiting Safety System Settings is provided based on the appropriate combination of engineering judgment, historical practice, and allowances for instrument performance. The Limiting Safety System Settings are contained in the Technical Specifications. When computational techniques are employed, nominal trip setpoints and allowable values are determined by combining allowances for instrument channel performance, such as accuracy (e.g., reference accuracy, pressure effects, temperature affects, radiation effects, etc.), process measurement accuracy, primary element accuracy, instrument drift, calibration accuracies and other uncertainties as appropriate. The specific performance allowance and the environmental and process conditions used, are based on the design, application, functional and calibration requirements of the instrument channel. The surveillance frequency is factored into time based instrument performance parameters. | |||
Process instrument setpoints for LGS Units 1 and 2 are controlled in plant documentation and logs. | |||
The setpoints include automatic trip, indication, interlock and alarm setpoints for plant instruments such as analog and digital switches, time delays and similar devices. | |||
The setpoint values shown on the logic diagrams in Chapter 7 are intended to assist the reader in the understanding of the document. | |||
Administrative process control and document instrument setpoints for LGS Units 1 & 2. The scope of these processes include trip, alarm, and initiation setpoints for plant instruments such as analog and digital switches, time delays and similar devices. | |||
The setpoint values shown on the logic diagrams in Chapter 7 are intended to assist the reader in the understanding of the document. | |||
7.1.2.5 Conformance to Regulatory Guides The statements on the degree of conformance to various regulatory guides which follow are intended to demonstrate an overall safety system level of compliance. The applicability of the conformance statements to each system is found in Table 7.1-3. Each individual system analysis discussion defines any difference in the degree of conformance to a particular regulatory guide. | |||
7.1.2.5.1 Regulatory Guide 1.6 (March 1971) - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems (Safety Guide 6) | |||
Independence is maintained between redundant standby (onsite) sources and between their distribution systems in compliance with Regulatory Guide 1.6. Further discussion is presented in Section 8.1.6.1. | |||
7.1.2.5.2 Regulatory Guide 1.7 (November 1978) - Control of Combustible Gas Concentrations in Containment Following a Loss-of-Coolant Accident Conformance with Regulatory Guide 1.7 is discussed in Section 6.2.5.4. | |||
7.1.2.5.3 Regulatory Guide 1.9 (March 1971) - Selection of Diesel Generator Set Capacity for Standby Power Supplies (Safety Guide 9) | |||
See Section 8.1.6.1 for a complete discussion of conformance with Regulatory Guide 1.9. | |||
CHAPTER 07 7.1-47 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.5.4 Regulatory Guide 1.11 (March 1971) - Instrument Lines Penetrating Primary Reactor Containment (Safety Guide 11) | |||
Conformance to Regulatory Guide 1.11 is discussed in Section 6.2.4. | |||
7.1.2.5.5a Regulatory Guide 1.21 (June 1974) - Measuring, Evaluating, and Reporting Radioactivity in Solid Wastes and Releases of Radioactive Materials in Liquid and Gaseous Effluents from Light-Water-Cooled Nuclear Power Plants The LGS process and effluent radiological monitoring and sampling systems are designed to allow conformance to this guide, as discussed in Sections 11.5, 7.6 and 7.7. Evaluation and reporting procedures during operation will conform to this guide. | |||
7.1.2.5.5b Regulatory Guide 1.22 (February 1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22) | |||
The LGS design is in conformance with this guide. With respect to paragraph D.3 of the guide, administrative controls are considered "positive means" to limit the expansion of a bypass to redundant or diverse systems. Collective annunciation of bypassing by manual means is considered to satisfy the guidelines. Additional details are provided below: | |||
D.3a The indications of system inoperability provided under the guidelines of Regulatory Guide 1.47 are used by the operator to prevent, through administrative procedures, the bypassing of a redundant channel of a protection system. The conditions that render the system inoperable during test are annunciated. The conditions that automatically bring up the out-of-service alarm are identifiable to the operator in the control room by means of the out-of-service status light. | |||
D.3b A manual out-of-service switch is provided to annunciate any bypass condition that does not automatically energize the system out-of-service annunciator. A single status light indicates that the annunciator has been manually actuated. Individual indication for each manually induced inoperability is not provided. | |||
Details for each system are discussed in Sections 7.2, 7.3, 7.4 and 7.6. | |||
7.1.2.5.6 Regulatory Guide 1.29 (September 1978) - Seismic Design Classification LGS is in conformance with this Guide with respect to instrumentation and controls. | |||
The instrumentation and control equipment required to meet seismic Category I requirements is identified in general in Table 3.2-1, and specifically in the system piping and instrumentation drawings. | |||
7.1.2.5.7 Regulatory Guide 1.30 (August 1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30) | |||
Conformance to this guide is discussed in Section 8.1.6.1. | |||
7.1.2.5.8 Regulatory Guide 1.32 (February 1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Refer to Section 8.1.6.1 for a discussion of this guide. | |||
CHAPTER 07 7.1-48 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1.2.5.9 Regulatory Guide 1.40 (March 1973) - Qualification Tests of Continuous-Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants There are no continuous-duty motors installed inside the containment that are part of the instrumentation and control systems. | |||
7.1.2.5.10 Regulatory Guide 1.45 (May 1973) - Reactor Coolant Pressure Boundary Leakage Detection Systems The RCPB leakage detection systems are provided to detect and, to the extent practical, identify the location(s) of the source of reactor coolant leakage. | |||
Conformance to Regulatory Guide 1.45 is discussed in Section 5.2. | |||
7.1.2.5.11 Regulatory Guide 1.47 (May 1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems In accordance with the requirements of Regulatory Guide 1.47, bypassed and inoperable status indication has been provided for all plant protection systems. These systems are listed below. | |||
Also listed are the conditions that cause annunciation of system inoperability. | |||
Equipment monitored within a protection system is that equipment which, when bypassed on removed from service, will cause inoperability of a redundant portion of the protection system. | |||
Bypass or removal of equipment will automatically initiate the system level out-of-service annunciator and illuminate a status light on the system control panel indicating the cause of the out-of-service condition. | |||
All auxiliary and supporting systems to protection systems are monitored as part of the protection system availability in accordance with Regulatory Guide 1.47. The inoperability of these support systems causes the actuation of the out-of-service annunciator for the protection systems that these systems support. A status light is provided to indicate that the inoperability of the support system is the cause of inoperability of the protection system. | |||
The bypass indication system is designed and installed in a manner which precludes the possibility of adverse affects on the plant safety system. The bypass indication system is electrically isolated from the protection circuits so that the failure or bypass of a protective function is not a credible consequence of failures in the bypass indication system and the bypass indication system cannot reduce the independence between redundant safety systems. | |||
Equipment that is bypassed or removed from service not more than once per year is not monitored. A manual out-of-service switch is provided for this equipment and for other equipment that cannot be monitored. | |||
Regulatory Positions C.1, C.2, and C.3: | |||
Automatic indication is provided in the main control room to inform the operator that a system is inoperable. Annunciation is provided to indicate that a system or part of a system is not operable. | |||
Individual lights indicate what part of the system is out of service. Manual actuation is provided to cover situations which cannot be automatically annunciated. For example, the reactor protection (trip) system, and the containment and reactor vessel isolation system have annunciators lighting CHAPTER 07 7.1-49 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR and sounding whenever one or more channels of an input variable are bypassed. Bypassing is not allowed in the trip logic or actuation logic. | |||
Instruments which form part of a one-out-of-two-twice logic system can be removed from service for calibration. Removal of the instrument from service is indicated in the main control room by manual actuation of the system out-of-service annunciator. | |||
Regulatory Position C.4: | |||
All the annunciators can be tested by depressing the annunciator test switches on the control room bench boards and can be brought up by manual switches as discussed in Regulatory Positions C.1, C.2, and C.3. | |||
The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and of reducing the possibility for the indicating equipment to adversely affect its monitored safety system. | |||
: a. Individual indicator lights are arranged together on a control room panel to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed. | |||
: b. As a result of design, preoperational testing, and startup testing, no erroneous bypass indication is anticipated. | |||
: c. These indication provisions serve to supplement administrative controls and aids the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function. | |||
: d. All circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects. | |||
: e. Each indicator is provided with dual lamps and can be periodically tested. | |||
The individual out-of-service condition that initiates a system level out-of-service alarm is listed below. | |||
: a. Pump breaker control power undervoltage | |||
: b. Pump breaker not connected | |||
: c. Pump breaker locked out | |||
: d. Loss of power to relay logic | |||
: e. Loss of power to control valve or valve motor overload | |||
: f. System logic in test | |||
: g. Trip unit in calibration or failure CHAPTER 07 7.1-50 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: h. Loss of power to trip unit or trip unit out of file | |||
: i. Manual out of service | |||
: j. Loss of system support HVAC | |||
: k. Valves operated from the control room that are not automatically positioned by the initiation signal | |||
: l. Transfer switch out of position For the specific alarms that are associated with a system, refer to the functional control diagram for that system as listed in Chapter 7 figures and to the schematics E-648 as listed in Table 1.7-1. | |||
Systems monitored as discussed above are as follows: | |||
: a. RPS Drawings C71-1010-F-002, C71-1010-F-003, C71-1010-F-004, and C71-1010-F-005 | |||
: b. CS System Figure 7.3-9 | |||
: c. PCRVICS Figure 7.3-8 | |||
: d. HPCI System Figure 7.3-7 | |||
: e. RHR System Drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003 | |||
: f. ESW System Table 1.7-1 | |||
: g. Standby ac Power System Table 1.7-1 | |||
: h. RCIC Drawings E51-1030-F-004, E51-1030-F-005, E51-1030-F-006, E51-1030-F-007, E51-1030-F-008, and E51-1030-F-009 | |||
: i. RHR-SCM Drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003 | |||
: j. REIS Drawings B21-1030-F-002, B21-1030-F-002, B21-1030-F-003, B21-1030-F-004, B21-1030-F-005 and M-76FD | |||
: k. SGTS Drawing M-76FD | |||
: l. RERS Drawing M-76FD | |||
: m. Control Enclosure HVAC Systems Drawing M-78FD | |||
: n. NMS Figure 7.6-1 CHAPTER 07 7.1-51 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: o. SLCS Table 1.7-1 | |||
: p. CGCS Table 1.7-1 Regulatory Guide 1.47 compliance for Items (k), (l), and (m) above is through the use of a trouble alarm in the control room that will direct the operator to a local control panel in the control enclosure for more information. For Items (n) through (p), alarms are provided in the control room that provide the cause of the out-of-service condition. No status lights are provided. | |||
The following three systems do not have system level out-of-service alarms in the control room: | |||
NMS, SLCS, and CGCS. The following conditions which can make these systems out of service are specifically annunciated in the control room: | |||
: a. NMS (Drawing E-620) | |||
SRM Downscale SRM Upscale/Inoperable SRM Retracted When Not Permitted IRM Upscale/Inoperable IRM Downscale IRM Upscale RBM Downscale/Trouble APRM/RBM Flow Reference Off-Normal RBM Upscale/Inoperable APRM Downscale APRM Upscale LPRM Downscale LPRM Upscale APRM Upscale Trip/Inoperable OPRM/APRM Trouble OPRM Upscale Trip OPRM Trips Enabled | |||
: b. SLCS (Drawing E-620) | |||
SLCS Pump A/B/C Overload/Loss of Power SLCS Tank High/Low Level SLCS Tank High/Low Temperature SLCS Squib Valve Loss of Continuity SLCS Isolation Valves Not Fully Open | |||
: c. CGCS (Drawing E-622) | |||
Drywell H2 Recombiner System Trouble 1A Drywell H2 Recombiner System Trouble 1B The following alarms are provided on the recombiner control panels which are located in the control room behind the main control boards: | |||
Return Gas Temperature High Reaction Chamber Shell Temperature High CHAPTER 07 7.1-52 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Blower Inlet Gas Pressure High Reaction Chamber Gas Temperature High Blower Inlet Temperature High Blower Inlet Gas Flow Low Reaction Chamber Gas Temperature Low Heater Wall Temperature High The above alarms for these four systems represent all conditions which can prevent the system from performing its safety function. The requirements of Regulatory Guide 1.47 for these systems are therefore satisfied. Any other conditions can be annunciated by manually causing one of the above annunciators to light. | |||
Details of the administrative procedures that control access as a means for bypassing are contained in Section 7.2.2.1.1.1.8. | |||
7.1.2.5.12 Regulatory Guide 1.53 (June 1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems LGS is in conformance with this guide which provides that protection systems meet section 4.2 of IEEE 279 (1971), in that any single failure within the protection systems will not prevent proper protective action at the system level when required. Conformance is achieved by specifying, designing, and constructing the ESFs to meet the single failure criterion, section 4.2 of IEEE 279 (1971), "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 (1972), "IEEE Trial Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems." See Sections 7.2, 7.3, 7.4, and 7.6 for a discussion of conformance for each system. | |||
7.1.2.5.13 Regulatory Guide 1.56 (July 1978) - Maintenance of Water Purity in Boiling Water Reactors The RWCU instrumentation is in conformance with Regulatory Guide 1.56. Further discussion is provided in Sections 7.7.2.8.2.3 and 5.4.8. Conformance of the deep bed condensate demineralizer system is discussed in Section 10.4.6. | |||
7.1.2.5.14 Regulatory Guide 1.62 (October 1973) - Manual Initiation of Protective Actions LGS is in conformance with this guide which provides that manual initiation of each protective action at the system level be provided, that such initiation accomplish all actions performed by automatic initiation, and that protective action at the system level goes to completion once manually initiated. In addition, manual initiation is by switches readily accessible in the control room, and a minimum of equipment should be used in common with automatically initiated protective action. | |||
Means are provided for manual initiation of the PCRVICS, the ECCS, and for RPS scram at the system level through the use of armed push buttons, as described below: | |||
ACTION INITIATED NUMBER OF SWITCHES PCRVICS Four ADS Four: two in Division 1 and two in Division 3 HPCI One in Division 2 CHAPTER 07 7.1-53 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR RHR A/CS A* One in Division 1 RHR B/CS B* One in Division 2 RHR C/CS C* One in Division 3 RHR D/CS D* One in Division 4 RPS Four The note "*" indicates that pumps A and C are for one CS injection system, and the B and D pumps are for the other system. | |||
The operation of these switches initiates all actions performed by the automatic initiation circuitry. | |||
For a detailed discussion on Regulatory Guide 1.62 compliance, refer to the following UFSAR Sections: | |||
PCRVICS Section 7.3.2.2.2.1.7 ADS Section 7.3.2.1.2.1.9 HPCI Section 7.3.2.1.2.1.9 RHR/CS Section 7.3.2.1.2.1.9 RPS Section 7.3.2.1.2.1.9 7.1.2.5.15 Regulatory Guide 1.63 (July 1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants Conformance to this guide is discussed in Section 8.1.6.1. | |||
7.1.2.5.16 Regulatory Guide 1.68 (August 1978) - Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors Conformance to this guide is discussed in Section 14.2. | |||
7.1.2.5.17 Regulatory Guide 1.70 (November 1978) - Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants Chapter 7 conforms to the format of Regulatory Guide 1.70. | |||
7.1.2.5.18 Regulatory Guide 1.73 (January 1974) - Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants Conformance to this guide is discussed in Sections 8.1.6.1 and 3.11.2.2. | |||
7.1.2.5.19 Regulatory Guide 1.75 (September 1978) - Physical Independence of Electric Systems Conformance is discussed in Section 8.1.6.1.14. | |||
7.1.2.5.20 Regulatory Guide 1.80 (June 1974) - Preoperational Testing of Instrument Air Systems CHAPTER 07 7.1-54 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Conformance to this guide is discussed in Section 14.2. | |||
7.1.2.5.21 Regulatory Guide 1.89 (November 1974) - Qualification of Class 1E Equipment for Nuclear Power Plants Discussion of degree of conformance to Regulatory Guide 1.89 is given in Section 3.11.2 for NSSS equipment and in Section 8.1.6.1 for non-NSSS equipment. | |||
7.1.2.5.22 Regulatory Guide 1.96 (May 1975) - Design of Main Steam Isolation Valve Leakage Control Systems for Boiling Water Reactor Nuclear Power Plants In 1994, LGS received approval to remove the MSIV-LCS and replace it with the MSIV Leakage Alternate Drain Pathway discussed in Section 6.7. | |||
7.1.2.5.23 Regulatory Guide 1.97 (December 1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5 for a discussion of the degree of conformance. | |||
7.1.2.5.24 Regulatory Guide 1.100 (August 1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants The degree of conformance to this guide is discussed in Section 3.10. | |||
7.1.2.5.25 Regulatory Guide 1.105 (November 1976) - Instrument Setpoints Although this guide does not apply to LGS per its implementation section except for the RRCS, the following is an assessment of the design supplied. | |||
The nominal trip setpoint and allowable value for Limiting Safety System Settings are contained in the Technical Specifications. These parameters are determined based on the appropriate combination of engineering judgment, historical practice, and allowances for instrument performance (7.1.2.4). The setpoints are within the operating capability of the associated instruments. The established setpoints provide sufficient margin to satisfy both safety requirements, and plant availability objectives. | |||
Related setpoint methodology concerns have been addressed by Reference 7.1-1. In a May 15, 1984 submittal, LGS endorsed the work scope and schedule proposed by Reference 7.1-1, which was accepted by the NRC staff in Reference 7.1-2. The licensee agreed to show compliance with the methodology within 6 months of NRC approval of the methodology. The methodology was submitted by GE on November 19, 1986. This methodology has been accepted by the NRC by virtue of issuance of an SSER for the Power Re-Rate for LGS. | |||
7.1.2.5.26 Regulatory Guide 1.118 (June 1978) - Periodic Testing of Electric Power and Protection Systems This guide, which endorses/modifies IEEE 338 (1977), is not applicable to LGS per its implementation section except for the RRCS. Discussion of IEEE 338 is presented on a system-by-system basis in the analysis portion of Section 7.2, 7.3, 7.4, and 7.6 with the following clarification of the regulatory guide requirements: | |||
CHAPTER 07 7.1-55 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Position C.2 - Insofar as is practical and safe, response time testing will be performed from sensor inputs (at the sensor input connection for process instruments) to and including the actuated device. | |||
Sensor response time testing for pressure sensors for the RPS will be performed in accordance with Regulatory Guide 1.118 (June, 1978). Response of the sensor output and the final actuation device will be measured. Response time testing for the differential pressure (level) sensors is not required based on the analysis performed in NEDO-32291-A. Response time testing of the trip unit and relay logic are required. Neutron detectors are exempt from response time testing; response time will be measured from the input of the first electronic component in the channel. Except for the MSIVs, individual sensor response times and logic system response times are not required for isolation systems because the signal delay (sensor response) is concurrent with the 13 second diesel startup. (Refer to LGS Technical Specification Bases 3/4.3.2 "Isolation Actuation Instrumentation" and 3/4.3.3 "ECCS Actuation Instrumentation.") | |||
Position C.6b - Trip of an associated protective channel or actuation of an associated Class 1E load group is required on removal of fuses or opening of a breaker only for the purpose of deactivating instrumentation and control circuits. | |||
Evaluation of the systems to be surveillance tested has determined that the actions required will include opening of circuit breakers. This action is required in a limited number of cases. The circuit breakers will be opened during monthly testing but will also bring up an out-of-service alarm that will not clear with the breaker open. | |||
A review of safety-related control circuits that may be affected by racking-out their individual circuit breakers reveals that disabling of one component does not render redundant components inoperable. All modes of test, operation, and failure were considered; specifically, a study was conducted to identify safety systems with crossover interlocks. The effects of disabling of these components and their associated interlocks were then analyzed. The review identified that several crossover interlocks exist in the ESW and RHRSW systems and in several of the NSSS fail-safe logic circuits. However, the analysis did not disclose any cases where disabling the component or the associated interlocks would adversely affect the redundant safety circuit or components. | |||
Response to Information Notice 84 Lifting of leads will be required to perform a limited number of the surveillance tests. Each of these tests, however, will follow the guidance provided by Information Notice 84-37, dated May 10, 1984. | |||
The procedure for these tests will include instructions requiring the reconnecting of the lifted leads following the completion of the surveillance. This procedural step will be documented by a sign-off sheet to be initialed by the tester when the lifted leads have been reconnected. An independent or double verification will be performed and documented in the procedure to verify that the lifted leads have been returned to service. If permitted by existing plant design, functional tests designed to verify the restoration of proper system configuration will be performed. | |||
The lifting of leads will be limited to surveillance tests that fall into one of the four categories below: | |||
: a. Test that involve thermocouples | |||
: b. Test that require the introduction of test equipment into the instrument channel being tested CHAPTER 07 7.1-56 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: c. Tests on extensive systems that would otherwise become unnecessarily large and complex | |||
: d. Tests on systems or components for which the plant design permits no other reasonable alternative. | |||
7.1.2.5.27 Regulatory Guide 1.139 (May 1978) - Guidance for Residual Heat Removal Conformance to this guide is discussed in Section 5.4. | |||
7.1.2.6 Conformance to 10CFR50, Appendix A, General Design Criteria The statements which follow on the degree of conformance to various GDC are intended to demonstrate an overall safety system level of compliance. The applicability of the conformance statements to each system is found in Table 7.1-3. Each individual system analysis discussion defines any difference in the degree of conformance to a particular GDC. | |||
7.1.2.6.1 GDC 1 - Quality Standards and Records All systems required for safety are designed and built in accordance with an established quality assurance program. | |||
7.1.2.6.2 GDC 2 - Design Bases for Protection Against Natural Phenomena All systems required for safety are designed to withstand the effects of natural phenomena without loss of capability to perform their safety functions. | |||
7.1.2.6.3 GDC 3 - Fire Protection All systems and components required for safety are designed and located to minimize the probability and effect of fires and explosions. Materials that are heat-resistant and noncombustible have been chosen wherever practicable. | |||
7.1.2.6.4 GDC 4 - Environmental and Dynamic Effects Design Bases Systems and components required for safety are designed to accommodate the effects of and be compatible with the environmental conditions associated with normal operations maintenance testing and postulated accidents, including LOCAs. These systems and components are appropriately protected against dynamic events such as missiles and pipe whipping. | |||
7.1.2.6.5 GDC 5 - Sharing of Structures, Systems, and Components Systems and components required for safety are not shared with any other nuclear power unit, except for the RHRSW, the ESW, the SGTS and the control structure ventilation systems, which are common systems. | |||
7.1.2.6.6 GDC 10 - Reactor Design The reactor core and associated coolant, control, and protection systems are designed with appropriate margins to ensure that specified acceptable fuel design limits will not be exceeded CHAPTER 07 7.1-57 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR during any condition of normal operation, including the effects of anticipated operational occurrences. | |||
7.1.2.6.7 GDC 12 - Suppression of Reactor Power Oscillations The instrumentation and control systems are designed to readily detect and initiate action to suppress reactor power oscillations. | |||
7.1.2.6.8 GDC 13 - Instrumentation and Control Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions and to control these variables and systems to ensure adequate safety. | |||
7.1.2.6.9 GDC 15 - Reactor Coolant System Design The RCS instrumentation and control systems are designed to ensure that the design conditions of the RCPBs are not exceeded. | |||
7.1.2.6.10 GDC 19 - Control Room A control room is provided where actions can be taken to operate the nuclear power unit under normal and abnormal conditions. A remote shutdown capability is also provided. | |||
7.1.2.6.11 GDC 20 - Protection System Functions The protection systems are designed to sense accident conditions and automatically initiate the operation of appropriate systems important to safety to ensure that specified fuel design limits are not exceeded. | |||
7.1.2.6.12 GDC 21 - Protection System Reliability and Testability The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6. | |||
7.1.2.6.13 GDC 22 - Protection System Independence The protection systems are designed with independence through redundancy or functional diversity to prevent loss of the protection function. | |||
7.1.2.6.14 GDC 23 - Protection System Failure Modes The protection systems are designed to be fail-safe during anticipated operational occurrences including postulated adverse environments. | |||
7.1.2.6.15 GDC 24 - Separation of Protection and Control Systems The protection systems are separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection CHAPTER 07 7.1-58 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR system component or channel which is common to both, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. | |||
7.1.2.6.16 GDC 25 - Protection System Requirements for Reactivity Control Malfunctions The protection system is designed so that fuel design limits are not exceeded even with any single malfunction of the reactivity control system. | |||
7.1.2.6.17 GDC 26 - Reactivity Control System Redundancy and Capability The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.4, 7.6, and 7.7. | |||
7.1.2.6.18 GDC 27 - Combined Reactivity Control Systems Capability The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.4, and 7.7. | |||
7.1.2.6.19 GDC 28 - Reactivity Limits The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.6 and 7.7. | |||
7.1.2.6.20 GDC 29 - Protection Against Anticipated Operational Occurrences The protection and reactivity control systems are designed to ensure an extremely high probability of accomplishing their safety function in the event of an anticipated operational occurrence. | |||
7.1.2.6.21 GDC 30 - Quality of Reactor Coolant Pressure Boundary The conformance discussion of this GDC is presented in the analysis portions of Sections 7.3, 7.4, and 7.6. | |||
7.1.2.6.22 GDC 33 - Reactor Coolant Makeup Reactor coolant makeup is provided to ensure that specified acceptable fuel design limits are not exceeded because of reactor coolant losses in the RCPB. | |||
7.1.2.6.23 GDC 34 - Residual Heat Removal A system is provided to remove reactor residual heat to ensure that the specified acceptable fuel design limits are not exceeded even assuming a single failure. | |||
7.1.2.6.24 GDC 35 - Emergency Core Cooling An ECCS is provided to ensure cooling of the reactor following any loss of reactor coolant at undesirable rates even assuming a single failure. | |||
7.1.2.6.25 GDC 37 - Testing of Emergency Core Cooling System CHAPTER 07 7.1-59 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The ECCS is designed to permit appropriate periodic pressure and functional testing including the controls which bring the system into operation. | |||
7.1.2.6.26 GDC 38 - Containment Heat Removal A system is provided to ensure heat removal from the reactor containment following any LOCA even assuming a single failure. | |||
7.1.2.6.27 GDC 40 - Testing of Containment Heat Removal System The containment heat removal system is designed to permit appropriate periodic and functional testing including the controls which bring the system into operation. | |||
7.1.2.6.28 GDC 56 - Primary Containment Isolation Each line that connects directly into the containment atmosphere and penetrates the primary reactor containment is provided with isolation valves that comply with the requirements of this criterion. | |||
7.1.2.6.29 GDC 57 - Closed System Isolation Valves See GDC 56. | |||
7.1.2.6.30 GDC 60 - Control of Releases of Radioactive Materials to the Environment The nuclear power unit is designed to control the release of radioactive material and from gaseous, liquid, and solid effluents to within prescribed limits, through monitoring the release points and processing the effluent. | |||
7.1.2.6.31 GDC 61 - Fuel Storage and Handling and Radioactivity Control The conformance discussion of this GDC is presented in the analysis portion of Section 7.7. | |||
7.1.2.6.32 GDC 63 - Monitoring Fuel and Waste Storage The conformance discussion of this GDC is presented in the analysis portion of Section 7.7. | |||
7.1.2.6.33 GDC 64 - Monitoring Radioactivity Releases The conformance discussion of this GDC is presented in the analysis portion of Section 7.6. | |||
7.1.2.7 Conformance to Industry Codes and Standards The statements which follow on the degree of conformance to various industry standards are intended to demonstrate an overall safety system level of compliance. The applicability of the conformance statements to each system is found in Table 7.1-3. Each individual system analysis discussion will define any difference in the degree of conformance to a particular industry standard. | |||
Reference 7.1-3 discusses the conformance of the sensors to industry standards and regulatory guides. | |||
CHAPTER 07 7.1-60 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Conformance other than that discussed in NEDO-21617-A is discussed in Section 7.1.2.5 and 7.1.2.6 and also on a system-by-system basis in Sections 7.2, 7.3, and 7.4. | |||
7.1.2.7.1 IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations This discussion is presented on a system-by-system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6. | |||
7.1.2.7.2 IEEE 308 (1971 and 1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Conformance to IEEE 308 as described in Section 8.3 is applicable to safety-related instrumentation and control equipment. | |||
7.1.2.7.3 IEEE 317 (1972) - Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations Penetration assemblies meet the requirements of IEEE 317 (1972) and GDC 50 of 10CFR50, Appendix A. | |||
All containment electrical penetration assemblies used for Class 1E and non-Class 1E circuits are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent versus time conditions, assuming a single failure of the circuit primary overcurrent protection apparatus. | |||
7.1.2.7.4 IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations Written procedures and responsibilities are developed for the design and qualification of Class 1E electric equipment. This includes preparation of specifications, qualification procedures, and documentation. Whenever possible qualification testing or analysis is accomplished before release of the engineering design for production. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements. The environmental qualification of this equipment is being evaluated to the criteria of NUREG-0588 Category II. An Environmental Qualification Report will be provided to present the results of this evaluation. | |||
See Sections 3.11.2 and 8.1.6.1 for a conformance discussion of IEEE 323 and Regulatory Guide 1.89 for NSSS and non-NSSS equipment, respectively. | |||
7.1.2.7.5 IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations See Section 8.1.6.1 for a conformance discussion of Regulatory Guide 1.30 which endorses/modifies IEEE 336 (1971). | |||
7.1.2.7.6 IEEE 338 (1971, 1975, and 1977) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems CHAPTER 07 7.1-61 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR This discussion is presented on a system-by-system basis in the analysis portion of Sections 7.2, 7.3, 7.4, and 7.6. | |||
See Section 7.1.2.5.26 for a conformance discussion of Regulatory Guide 1.118, which endorses/modifies this standard. | |||
7.1.2.7.7 IEEE 344 (1971 or 1975) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations All safety-related instrumentation and control equipment is classified as seismic Category I and designed to withstand the effects of an SSE, and function before, during and after such a seismic event. Equipment required to function after an SSE is also qualified for such service. Qualification and documentation procedures used for seismic Category I equipment and systems meet the provisions of IEEE 344 as identified in Section 3.10. | |||
7.1.2.7.8 IEEE 379 (1972 or 1977) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The extent to which the single failure criteria of IEEE 379 are satisfied is specifically covered for each system in the analysis of IEEE 279, paragraph 4.2. | |||
7.1.2.7.9 IEEE 382 (1972) - Trial Use Guide for Type Test of Class 1 Electric Valve Operators for Nuclear Power Generating Stations The extent of conformance to this standard is given in Sections 3.11.2 and 8.1.6.1.13. | |||
7.1.2.7.10 IEEE 383 (1974) - Standard for Type Test of Class 1E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations The extent of conformance to this standard is given in Section 7.7.2.21.2.2.1. | |||
7.1.2.7.11 IEEE 384 (1974 or 1977) - Criteria for Separation of Class 1E Equipment and Circuits The safety-related systems described in Sections 7.2, 7.3, 7.4, and 7.6 meet the independence and separation criteria for redundant systems in accordance with IEEE 279, paragraph 4.6 (Section 7.1.2.5.1). | |||
The electrical power supply, instrumentation, and control wiring for redundant portions of safety-related systems have physical separation to preserve redundancy and ensure that no single credible event prevents operation of the associated function. Credible events include, but are not limited to, the effects of short circuits, pipe rupture, pipe whip, high pressure jets, missiles, fire, earthquake, and falling objects, and are considered in the basic plant design. | |||
The independence of tubing, piping, and control devices for safety-related controls and instrumentation is achieved by physical space or barriers between separation groups of the same protective function. In locations where a specific hazard exists (missile, jet, etc.) that could produce damage to safety-related controls and instrumentation, the physical separation or structural protection provided is adequate to ensure that no multiple failures can result from a single common event. | |||
CHAPTER 07 7.1-62 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The criteria and bases for the independence of electrical cable, including routing, marking, and cable derating, are discussed in Section 8.1. Fire detection and protection in the areas where wiring is installed are discussed in Section 9.5.1. | |||
Regulatory Guide 1.75, which endorses/modifies this standard, is discussed in Section 7.1.2.5.19. | |||
7.1.2.8 Conformance to Branch Technical Positions 7.1.2.8.1 BTP ICSB 3 The HPLPSI conform to BTP ICSB 3 as discussed in Section 7.6.1.2. | |||
7.1.2.8.2 BTP ICSB 21 Conformance to BTP ICSB 21 is discussed below, by position: | |||
B1. Individual indicator lights are arranged together on a control room panel to indicate what function of the system is out-of-service, bypassed, or otherwise inoperable. | |||
All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed. | |||
B2. LGS has only one control room. When a protective function of a shared system is bypassed, it is annunciated on the annunciator panel for the shared system, and status indication for the system is provided on the control panel for the shared system. | |||
B3. As a result of design, preoperational testing, and startup testing, no erroneous bypass indication is anticipated. Capability for cancelling bypass indications is not provided. | |||
B4. These indication provisions serve to supplement administrative controls and to aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function. | |||
B5. All circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects. | |||
B6. The out-of-service annunciators can be tested by depressing the annunciator test switches on the control room bench boards. Each status indicating light can be tested by depressing the light assembly. | |||
The bypass and inoperable status indicators are further discussed in Section 7.1.2.5.11. | |||
7.1.2.8.3 BTP ICSB 22 The conformance to the provisions of D.4 of Regulatory Guide 1.22 for actuated equipment not tested during power operation is discussed in Section 7.3.2.1.2.3.1.10 for the ADS valves and Sections 7.4.2.2.2.3.1.9 and 7.4.2.2.2.3.1.10 for the SLCS explosive valves. | |||
7.1.2.8.4 BTP ICSB 26 CHAPTER 07 7.1-63 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Anticipating or backup trips for the system comply with the requirements of IEEE 279 (1971) as discussed in Section 7.2.2.1.2.3.1. | |||
7.1.2.9 Technical Design Bases The technical design bases appear as follows: | |||
RPS Section 7.2.1 ESFs Section 7.3.1 Systems required for safe shutdown Section 7.4.1 Other systems required for safety Section 7.6.1 7.1.2.10 Safety System Settings The Limiting Safety System Settings are listed in the Technical Specifications discussions for each safety system. The settings are determined based on operating experience and conservative analyses. The settings are set to preclude inadvertent initiation of the safety action, while ensuring that a sufficient margin is maintained to satisfy safety requirements. The appropriate combination of engineering judgment, historical practice, and allowances for instruments performance are considered in the setpoint determination (Section 7.1.2.4). The margin between the limiting safety system settings and the actual safety limits includes consideration of the design basis transients in the process being measured, expected for the time the specific functions are required. | |||
7.1.2.11 Operating Experience Assessment Review of operating experiences and assessment of their applicability to LGS is conducted as discussed in Section 13.4.5. The actions taken by the licensee for LGS for some specifically requested NRC Bulletins, Circulars and Information Notices is provided in Table 7.1-7. Specific actions taken for some of these is provided below. | |||
7.1.2.11.1 Bulletin 80-06, Engineered Safety Feature Reset Controls Bulletin 80-6 requires that safety-related equipment remain in its emergency mode on reset of an ESF actuation signal. | |||
To determine whether or not all safety-related equipment remains in its emergency mode on isolation signal reset, schematic drawings for all LGS systems serving safety-related functions were reviewed. The review showed that a number of valves were subject to reverting to their normal mode on isolation signal reset. All continuous-duty loads were found to remain in their emergency mode on isolation signal reset. | |||
In general, control schemes of safety-related valves found not to remain in their emergency mode on reset of an isolation signal were revised to provide a control switch interlock with the isolation signal reset circuit (Figure 7.1-5). To reset an isolation signal, every valve subject to reverting to normal mode on reset of the isolation signal must have its control switch placed in the closed position. A normally open contact of each of the valve control switches is wired in series with the CHAPTER 07 7.1-64 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR isolation signal reset contact. On manual placement of all of the subject control switches in the closed position, the permissive series of control switch contacts will all be closed, thus allowing the isolation signal reset contact to complete the reset circuit. | |||
On the bases of the design review, the following systems and valve control schemes were modified as described above: | |||
System Valve No. | |||
CAC System HV57-117 SV57-133 HV57-118 SV57-183 HV57-104 SV57-191 HV57-114 SV57-181 HV57-123 SV57-132 HV57-124 SV57-134 HV57-121 SV57-150 HV57-131 SV57-141 SV57-184 SV57-142 SV57-185 SV57-143 SV57-186 SV57-144 SV57-190 SV57-145 SV57-195 SV57-159 PCIG System HV59-129A SV59-131 HV59-102 SV59-135 HV59-129B NSSSS HV41-1F084 HV51-1F079A HV41-1F085 HV51-1F079B HV43-1F019 HV51-1F080A HV43-1F020 HV51-1F080B In addition to the foregoing valves, drywell purge exhaust fan inlet isolation valves HV76-030 and HV76-031 were found to revert to their normal mode on isolation signal reset. Thus, if the valves were in their open purge mode on receipt of an isolation signal, the valves would revert to the open purge mode isolation signal reset. To ensure that these valves remain in their closed emergency mode on isolation signal reset, the valve control schemes were modified to the configuration shown on Figure 7.1-6. The auxiliary relay (95-2) is picked up by the normally closed isolation signal contacts and by the placement of the valve control switch in the "CLOSE" position. Once picked up, the auxiliary seals itself in with a contact around the valve control switch "CLOSE" contact. The valves are placed in the "OPEN" purge position through a contact from the auxiliary relay and the placement of the valve control switch in the "OPEN" position. On receipt of an isolation signal, the normally closed isolation signal contacts open, thus dropping out the auxiliary relay, which in turn opens the auxiliary relay seal-in circuit and de-energizes the valve "OPEN" circuit, thus closing the valve. Resetting the isolation signal will not re-energize the auxiliary relay because the valve control switch is in the "OPEN" position. Thus, the valve "OPEN" circuit will remain de-energized and the valves will remain closed. | |||
The liquid radwaste collection isolation valves, HV61-110, HV61-111, HV61-130 and HV61-131 were found to revert to normal mode on isolation signal reset. To ensure that these valves CHAPTER 07 7.1-65 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR remained in their emergency mode, seal-in relays were added in their control circuit. Because these valves are a part of the drywell sump tank level control system and the primary containment leakage detection system, these valves have been excluded from the system logic reset and are provided with individual reset circuits. | |||
The following are exceptions to Bulletin 80-06 guidance: | |||
: a. RCIC All actuated equipment remains in its abnormal condition, except for the RCIC system inboard and outboard steam line isolation valves, E51-F007 and E51-F008. | |||
: b. HPCI All actuated equipment remains in its abnormal condition, except for the HPCI system inboard and outboard steam line isolation valves, E41-F002 and E41-F003. | |||
The reset control for the HPCI/RCIC isolation logics do not strictly meet the intent of Bulletin 80-06. If the isolation logic is reset with the valve control switches in the open position, the isolation valves will open, but we believe the design is acceptable. There are two completely independent isolation logics for the HPCI and RCIC. Each of these logics consists of two logic channels, one for the inboard valves and one for the outboard valves. Each of these logic channels is sealed in until a reset switch in that logic is depressed. Therefore activation of the reset switch only affects one logic channel and will only cause the inboard or outboard valves to open on the system being reset. The line will remain isolated, i.e., in its safe mode, until both the isolation logics for each system are reset. In addition, the logic reset has no effect if the initiation signal is still present. Administrative Procedures will instruct the operator to place the control switches in the closed position before resetting the isolation logic. In addition to this procedural caution, a caution tag will be added to the control board next to the reset switch. This tag will instruct the operator to place the control switches for the associated valves in the closed position before resetting the logic. | |||
Even if the HPCI of RCIC isolation valves were inadvertently reopened before the pipe break condition was corrected, due to both isolation logics being reset after the isolation parameters have cleared, the pipe break condition would be detected again and the isolation valves would reclose. The offsite radiological doses due to the released steam would be a small fraction of the 10CFR50.67 limits. | |||
The results of this review will be verified as part of the system preoperational testing. | |||
7.1.2.11.2 Information Notice 79-22, Qualification of Control Systems Information Notice 79-22 discusses the effects of a HELB on nonsafety-related control systems to determine whether any adverse effects initiated by a HELB could result in an event more severe than the transient and accident events analyzed in Chapter 15. | |||
In response, a comprehensive, systematic study has been conducted to determine the consequences of postulated HELBs and their effects on adjacent, nonsafety-related, control systems components. In most cases, the effects of the postulated HELB (control systems failures) events are less severe than the Unacceptable Results for Incidents of Moderate Frequency - | |||
CHAPTER 07 7.1-66 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Anticipated Operational Transients presented in Chapter 15. In all cases, the effects of the postulated events are bounded by the Unacceptable Results for Limiting Faults - Design Basis (Postulated) Accidents presented in Chapter 15. It is concluded that safe reactor shutdown is assured for all events postulated therein, and the consequences of these postulated events do not result in any significant risk to the health and safety of the public. | |||
Details of the LGS Unit 1 analysis were submitted on May 4, 1984. The report was later updated to confirm its applicability to Unit 2 and submitted on February 17, 1989. | |||
7.1.2.11.3 Bulletin 79-27, Loss of Non-Class 1E Instrumentation and Control Power Systems Bus During Operation Bulletin 79-27 discussed a failure of a bus supplying power to control systems and vital instrumentation resulting in a malfunction of the control systems and a simultaneous loss to the operator of information required for a safe shutdown. In response, an analysis has been conducted to demonstrate that the control systems used to achieve a hot shutdown are designed to perform their intended function with a loss of any single power source. Subsequent cooldown to cold shutdown conditions will be accomplished using diverse means. One method utilizes the shutdown cooling mode of the RHR system. An alternate method utilizes the ADS to depressurize, core spray for make up, and RHR in the suppression pool cooling mode. | |||
An analysis has also been conducted to demonstrate that for a loss of power to an instrument there is another instrument available, fed from an independent bus, that monitors the same parameter or a diverse parameter that will provide sufficient information to achieve cold shutdown. | |||
From these reviews we conclude that there exists sufficient diversity and redundancy of the plant's power supplies and that the capability to place the plant in a cold shutdown condition would not be compromised by a loss of Class 1E or non-Class 1E instrument and/or control system power supply and that for all instrumentation and controls needed for safe shutdown a loss of power is annunciated directly or indirectly in the control room. | |||
Details of the LGS Unit 1 analysis were submitted on December 14, 1983 and supplementation on June 5, 1984. The report was later updated to confirm its applicability to Unit 2 and submitted on February 17, 1989. | |||
7.1.3 PROTECTION SYSTEM INSERVICE TESTABILITY Testability provisions for each system are discussed in Sections 7.2, 7.3, 7.4, and 7.6. | |||
7. | |||
==1.4 REFERENCES== | |||
7.1-1 Letter from J.F. Carolan (Chairman, LRG Instrumentation Setpoint Methodology Group) to T.M. Novak (NRC), "Action Plan to Answer the NRC Staff concerns on Setpoint Methodology for General Electric Supplied Protection System Instrumentation," (June 29, 1984). | |||
7.1-2 Letter from B.J. Youngblood (NRC) to J.F. Carolan (Chairman, LRG Instrumentation Setpoint Methodology Group), "Acceptance of Action Plan to Answer NRC Staff Concerns on Setpoint Methodology for General Electric Supplied Protection System Instrumentation," (July 23, 1984). | |||
CHAPTER 07 7.1-67 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.1-3 "Analog Transmitter/Trip Unit Systems for Engineered Safeguard Sensor Trip Inputs," Licensing Topical Report, NEDO-21617-A. | |||
CHAPTER 07 7.1-68 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Table 7.1-1 DESIGN AND SUPPLY RESPONSIBILITY GE GE Design Supply Others Reactor Trip System Reactor protection system x x x Engineered Safety Feature Systems Emergency core cooling systems x x HPCI system ADS CS system LPCI mode of the RHR system Primary containment and reactor vessel isolation control system x x x Service water systems x RHRSW ESW Containment atmosphere control system, x combustible gas control system, primary containment vacuum relief system Class 1E power system x Suppression pool cooling mode of RHR system x x Containment spray mode of RHR system x x SGTS x Reactor enclosure recirculation system x Reactor enclosure isolation system x Habitability, control room isolation x SGTS filter room and access area unit coolers x Diesel generator enclosure ventilation system x Spray pond pump structure ventilation system x Emergency switchgear and battery rooms cooling system x ECCS pump compartment unit coolers x CHAPTER 07 7.1-69 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-1 (Cont'd) | |||
GE GE Design Supply Others Engineered Safety Feature Systems Drywell unit coolers x Control enclosure chilled water system x Auxiliary equipment room ventilation system x Refueling area isolation system x Systems Required for Safe Shutdown RCIC system x x SLCS x x Shutdown cooling mode at the RHR system x x Remote shutdown system x x Safety-Related Display Instrumentation x x x(1) | |||
All Other Systems Required for Safety Process radiation monitoring system Main steam line radiation monitoring system x x Reactor enclosure ventilation exhaust radiation monitoring system x x Refueling floor ventilation exhaust radiation monitoring system x x Control room ventilation radiation monitoring system x Control room emergency fresh air radiation monitoring system x Primary containment post-LOCA radiation monitoring system x RHRSW radiation monitoring system x x High pressure/low pressure systems interlocks x x SRV position indication system x Containment instrument gas system-ADS control x Safeguard piping fill system x Neutron monitoring system x x Intermediate range monitor Local power range meter Average power range monitor Redundant reactivity control system x x CHAPTER 07 7.1-70 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-1 (Cont'd) | |||
GE GE Design Supply Others Leak detection systems x x Main steam line leak detection subsystem RCIC system leak detection subsystem RWCU system leak detection subsystem HPCI system leak detection subsystem Control Systems Not Required for Safety Fuel pool cooling and cleanup system x RPV instrumentation x x Reactor manual control system x x Rod movement control Rod block trips Recirculation flow control systems x Feedwater control system x x x Pressure regulator & turbine-generator system x Process Radiation Monitoring Systems South stack effluent radiation system x North stack effluent radiation monitoring system x Charcoal offgas treatment ventilation radiation monitoring system x x Charcoal offgas treatment effluent radiation monitoring system x x Recombiner compartments, hydrogen/oxygen analyzers compartments, and equipment drain sump vent radiation monitoring system x x Steam seal effluent radiation monitoring system x x Radwaste enclosure ventilation exhaust radiation monitoring system x x Air ejector offgas effluent radiation monitoring system x x Primary containment leak detection radiation monitoring system x x Hot maintenance shop ventilation exhaust radiation monitoring system x Liquid radwaste discharge radiation monitoring system x x Service water radiation monitoring system x CHAPTER 07 7.1-71 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-1 (Cont'd) | |||
GE GE Design Supply Others Reactor enclosure cooling water radiation monitoring system x x Neutron monitoring system x x Traversing incore probe Rod block monitor Source range monitor Reactor water cleanup system x x Refueling interlocks x x Radwaste system x Gaseous radwaste system x Liquid radwaste system x Solid radwaste system x Area radiation monitoring system x x Leak detection system Recirculation pump seal leak detection x x RHR system leak detection x x Drywell leak detection x SRV leak detection x Reactor vessel head leak detection x x CS system leak detection x x Containment instrument gas system x Fire protection and suppression system Nonsafety-related equipment area cooling ventilation systems Plant monitoring system (PMS) x(2) | |||
Rod worth minimizer x x Emergency Response Facility Data System x x (1) | |||
The software specifications used for non-NSSS calculations are supplied by others. | |||
(2) | |||
Designed and Supply by Scientech CHAPTER 07 7.1-72 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-2 SIMILARITY TO LICENSED REACTORS PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (1)(2) | |||
(1) Reactor protection system SSES (1)(3) | |||
(2) Primary containment, and reactor SSES vessel isolation control system (1) | |||
(3) Emergency core cooling system SSES (16) | |||
(4) Neutron monitoring system SSES (5) Refueling interlocks SSES Identical (4) | |||
(6) Reactor manual control system SSES (5) | |||
(7) Reactor vessel instrumentation SSES (13) | |||
(8) Recirculation flow control system SSES (9) Feedwater control system LASALLE Identical (10) Pressure regulator and turbine- SSES Identical generator system (6) | |||
(11) Process radiation monitoring SSES systems (6) | |||
(12) Area radiation monitoring system PBAPS (13) | |||
(14) Habitability and control room None isolation system (15) Service water system SSES Identical (16) RHR service water system SSES Identical (17) Containment atmosphere control None system (1)(8) | |||
(18) Reactor core isolation cooling SSES system CHAPTER 07 7.1-73 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-2 (Cont'd) | |||
PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (19) Standby liquid control system None (19a) Liquid radwaste systems None (19b) Gaseous radwaste systems SSES (19c) Solid radwaste systems - | |||
(20) Reactor water cleanup system None (12) | |||
(21) Class 1E power systems PBAPS (1)(7) | |||
(22) Leak detection systems SSES (1) | |||
(23) Reactor shutdown cooling mode SSES of RHR system (24) Fuel pool cooling and cleanup None system (25) Reactor enclosure recirculation None system (26) Standby gas treatment system None (1)(10) | |||
(27) Safety-related display SSES instrumentation (28) Containment instrument gas None system (1) | |||
(29) Containment spray mode of SSES RHR system (9) | |||
(30) Remote shutdown system Shoreham (1) | |||
(31) Suppression pool cooling SSES mode of RHR system CHAPTER 07 7.1-74 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-2 (Cont'd) | |||
PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (32) Safety-related equipment area SSES cooling ventilation systems (32.1) SGTS filter room and access area Hope Creek unit coolers (32.2) Diesel generator enclosure None ventilation system (32.3) Spray pond pump structure None ventilation system (32.4) Emergency switchgear and battery None rooms cooling system (32.5) Emergency core cooling systems SSES unit coolers (32.6) Auxiliary equipment room Hope Creek ventilation system (33) Drywell unit coolers SSES (34) Control enclosure chilled water SSES system (35) High pressure/low pressure SSES system interlocks (36) Safety/relief valve position PBAPS indication (37) Fire protection and suppression None system (38) Reactor enclosure isolation Hope Creek system CHAPTER 07 7.1-75 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-2 (Cont'd) | |||
PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (39) Nonsafety-related equipment None area cooling ventilation systems (40) Safeguard piping fill system None (41) Redundant reactivity control None system (42) Refueling area isolation None system (14) | |||
(43) Rod worth minimizer Millstone (44) Plant monitoring system Hatch (45) Emergency Response Facility Data Hatch System (1) | |||
LGS and SSES designs are very similar; however, there are differences common to all systems that refer to this note. The differences are that LGS uses transmitter/trip unit system for testability, four divisions of separation, and uninterruptible power supplies for the RPS. | |||
(2) | |||
The RPS logics are the same, however, LGS uses a single relay contact for trip functions. | |||
(3) | |||
The PCRVICS logics are the same, however, LGS utilizes more sensors for the leak detection system. | |||
(4) | |||
The RMCS for LGS and SSES are designed to perform the same. The differences that exists are due to SSES's use of the advanced control room. The advanced control room layout full core display is on the console rather than a wall panel. The differences in the control rooms change the panel location of RMCS modules. These changes don't change the module functions. | |||
CHAPTER 07 7.1-76 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-2 (Cont'd) | |||
(5) | |||
Instrumentations used for SSES and LGS are of similar design, they both use testability and four division separation. The setpoints, instrument numbering, quantity of instruments, and division assignments are different for LGS. LGS uses excess flow checks and orificing on instrument lines connected to the reactor vessel. Nonessential vessel instrumentation is functionally identical to SSES, except LGS has added gauge pressure transmitters for measurement of shutdown and upset range water level during refueling. | |||
(6) | |||
LGS uses more detectors. | |||
(7) | |||
The leak detection system for LGS uses 94 sensors as compared to 51 for SSES. This increases the redundant instruments available. The power for sensors not supplied by RPS bus are powered from four instrument ac buses. LGS uses meters rather than a recorder for the spare thermocouple in each location. | |||
(8) | |||
RCIC is identical except as indicated in note (1). | |||
(9) | |||
LGS and Shoreham shutdown systems are designed to provide all of the same control functions. The differences are due to divisional separation and device numbering related to this. LGS has four divisions of separation making divisional assignment of valves different. | |||
(10) | |||
The safety-related display instruments for LGS and SSES are designed to provide the same types of indications to the operator. LGS provides more redundant indication and utilizes four divisions of separation. SSES has the advanced control room making differences in location of the display to the operator. | |||
(11) | |||
Deleted (12) | |||
PBAPS uses 4 diesel generators and batteries shared between 2 units. LGS has 8 diesel generators and batteries which are not shared between units. | |||
(13) | |||
The LGS recirculation system does not have a bypass valve at the discharge block valve; the SSES system does. The SSES recirculation pumps are provided with decontamination connections; these connections are not required for LGS. | |||
(14) | |||
The rod worth minimizers are functionally identical. The differences are in plant interfaces. | |||
Millstone Unit 1 is a BWR, 660 MWe, 145 control rods. Each LGS Unit is a BWR, 1055 MWe, 185 control rods. | |||
(15) | |||
Deleted (16) | |||
The neutron monitoring system is identical to SSES's except for the TIP system, which uses a gamma-measuring probe instead of a thermal neutron-measuring probe. | |||
(17) | |||
Deleted Note: Historical Information - Comparative plant data provided to support original plant licensing. | |||
CHAPTER 07 7.1-77 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR Table 7.1-3 CODES AND STANDARDS APPLICABILITY MATRIX REGULATORY GUIDES(1) IEEE STANDARDS(2) 1.6 1.7 1.9 1.11 1.21 1.22 1.29 1.30 1.32 1.40 1.45 1.47 1.53 1.56 1.62 1.63 1.68 1.70 1.73 1.75 1.80 1.89 1.96 1.97 1.100 1.105 1.118 1.139 279 308 317 323 336 338 344 379 382 384 REACTOR PROTECTION SYSTEM X X X X X X X X X X X X X X X X X X X X X X X X X ENGINEERED SAFETY FEATURE SYSTEMS Emergency Core Cooling X X X X X X X X X X X X X X X X X X X X X X X X X X X X Primary Containment and Reactor Vessel Isolation Control X X X X X X X X X X X X X X X X X X X X X X X X X Residual Heat Removal Service Water X X X X X X X X X X X X X X X X X X X Emergency Service Water X X X X X X X X X X X X X X X X X X X Containment Atmospheric Control X X X X X X X X X X X X X X X X Primary Containment Vacuum Relief X X X X X X X X X X X X X Suppression Pool Cooling Mode (RHR) X X X X X X X X X X X X X X X X X X X X X X X X Containment Spray Mode (RHR) X X X X X X X X X X X X X X X X X X X X X X X X Standby Gas Treatment X X X X X X X X X X X X X X X X X X X X Reactor Enclosure Recirculation X X X X X X X X X X X X X X X X X X X X Reactor Enclosure Isolation X X X X X X X X X X X X X X X X X X X X Habitability and Control Room Isolation X X X X X X X X X X X X X X X X X X X X Safety-Related Equipment Area Cooling/Vent X X X X X X X X X X X X X X X X X X X X Drywell Unit Coolers X X X X X X X X X X X X X X X X X X X X X X Control Enclosure Chilled Water System X X X X X X X X X X X X X X X X X X X X Refueling Area Isolation X X X X X X X X X X X X X X X X X X X X SYSTEMS REQUIRED FOR SAFE SHUTDOWN Reactor Core Isolation Cooling X X X X X X X X X X X X X X X X X X X X X X X X Standby Liquid Control X X X X X X X X X X X X X X X X X X X X X Reactor Shutdown Cooling Mode (RHR) X X X X X X X X X X X X X X X X X X X X X X Remote Shutdown X X X X X X X X X X X X X X X X X X Shutdown Ventilation X X X X X X X X X X X X X X X X X X X SAFETY-RELATED DISPLAY INSTRUMENTATION X X X X X X X X X X X X X X X X X X X X X X X X CHAPTER 07 7.1-78 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-3 (Cont'd) | |||
GENERAL DESIGN CRITERIA(3) 10CFR50 1 2 3 4 5 10 12 13 15 19 20 21 22 23 24 25 26 27 28 29 30 33 34 35 37 38 40 54 56 57 60 61 63 64 APP I REACTOR PROTECTION SYSTEM X X X X X X X X X X X X X X X ENGINEERED SAFETY FEATURE SYSTEMS Emergency Core Cooling X X X X X X X X X X X X X X Primary Containment and Reactor Vessel Isolation Control X X X X X X X X X X X X X X Residual Heat Removal Service Water X X X X X X X X X X X X X X Emergency Service Water X X X X X X X X X X X X X Containment Atmospheric Control X X X X X X X X X X X X X Primary Containment Vacuum Relief X X X X X X X Suppression Pool Cooling Mode (RHR) X X X X X X X X X X X X X Containment Spray Mode (RHR) X X X X X X X X X X X X X Standby Gas Treatment X X X X X X X X X X X X X X Reactor Enclosure Recirculation X X X X X X X X X X X X X Reactor Enclosure Isolation X X X X X X X X X X X X X Habitability and Control Room Isolation X X X X X X X X X X X X X Safety-Related Equipment Area Cooling/Vent X X X X X X X X Drywell Unit Coolers X X X X X Control Enclosure Chilled Water System X X X X X X Refueling Area Isolation X X X X X X X X X X X X X SYSTEMS REQUIRED FOR SAFE SHUTDOWN Reactor Core Isolation Cooling X X X X X X X X X Standby Liquid Control X X X X X X Reactor Shutdown Cooling Mode (RHR) X X X X X X X X Remote Shutdown X X X X X X Shutdown Ventilation X X X X X SAFETY-RELATED DISPLAY INSTRUMENTATION X X X X X X CHAPTER 07 7.1-79 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-3 (Cont'd) | |||
REGULATORY GUIDES(1) IEEE STANDARDS(2) 1.6 1.7 1.9 1.11 1.21 1.22 1.29 1.30 1.32 1.40 1.45 1.47 1.53 1.56 1.62 1.63 1.68 1.70 1.73 1.75 1.80 1.89 1.96 1.97 1.100 1.105 1.118 1.139 279 308 317 323 336 338 344 379 382 383 384 ALL OTHER SYSTEMS REQUIRED FOR SAFETY Process Radiation Monitoring X X X X X X X X X X X X X X X X X X X X High Pressure/Low Pressure System Interlocks X X X X X X X X X X X X X X X X X X X Leak Detection X X X X X X X X X X X X X X X X X X X X Neutron Monitoring X X X X X X X X X X X X X X X X X X Safety Relief Valve Position Indication X X X X X X X X X X X Containment Instrument Gas System-ADS X X X X X X X X X X X X X X X Safeguard Piping Fill X X X X X X X X X X X X X Redundant Reactivity Control System X X X X X X X X X X X X X X X X X X X X X CONTROL SYSTEMS NOT REQUIRED FOR SAFETY Reactor Pressure Vessel Instrumentation X X X X X X Reactor Manual Control X Recirculation Flow Control X X Feedwater Control X X Pressure Regulator and Turbine Generator X Neutron Monitoring X Reactor Water Cleanup X X X X Process Radiation Monitoring X X X Area Radiation Monitoring X Radwaste X Fuel Pool Cooling and Cleanup X Refueling Interlocks X Leak Detection X X X X Containment Instrument Gas System X X X X X Fire Protection and Suppression X Nonsafety-Related Equipment Area Cooling/Vent X Plant Monitoring System X X X X Rod Worth Minimizer X X Emergency Response Facility Data X X X X System CHAPTER 07 7.1-80 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-3 (Cont'd) | |||
GENERAL DESIGN CRITERIA(3) 10CFR50 1 2 3 4 5 10 12 13 15 19 20 21 22 23 24 25 26 27 28 29 30 33 34 35 37 38 40 54 56 57 60 61 63 64 APP I ALL OTHER SYSTEMS REQUIRED FOR SAFETY Process Radiation Monitoring X X X X X X X X X X X X X X X X X X X X X High Pressure/Low Pressure System Interlocks Leak Detection X X X X X X X X X X X X X X X Neutron Monitoring X X X X X X X X X X X X X Safety Relief Valve Position Indication X X X X X Containment Instrument Gas System-ADS X X X X X X X X X X X Safeguard Piping Fill X X X X X X X X X X Redundant Reactivity Control System X X X X X X X X X X CONTROL SYSTEMS NOT REQUIRED FOR SAFETY Reactor Pressure Vessel Instrumentation X X Reactor Manual Control X X X Recirculation Flow Control X X X Feedwater Control X X Pressure Regulator and Turbine Generator Neutron Monitoring X Reactor Water Cleanup X Process Radiation Monitoring X X X X X Area Radiation Monitoring X X Radwaste Fuel Pool Cooling and Cleanup Refueling Interlocks Leak Detection X X X X Containment Instrument Gas System X Fire Protection and Suppression Nonsafety-Related Equipment Area Cooling/Vent Plant Monitoring System Rod Worth Minimizer Emergency Response Facility Data System (1) | |||
See Section 7.1.2.5 for degree of conformance. | |||
(2) | |||
See Section 7.1.2.7 for degree of conformance. | |||
(3) | |||
See Section 7.1.2.6 for degree of conformance. | |||
CHAPTER 07 7.1-81 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-4 RPS AND PCRVICS (DE-ENERGIZE-TO-OPERATE PORTIONS) SEPARATION(1) | |||
DIVISION IA DIVISION IB DIVISION IIA DIVISION IIB RPS Trip Logic Trip Logic Trip Logic Trip Logic A1 B1 A2 B2 SENSORS A, E, J, N, B, F,K, P C, G, L, R D, H, M, S, T, AA W, DD Part of Trip Part of Trip Part of Trip Part of Trip System A System B System A System B PCRVICS Trip Logic Trip Logic Trip Logic Trip Logic A B C D MSIV inboard MSIV outboard valve ac valve ac logic and logic and solenoid solenoid (1) | |||
This separation does not apply to the NMS. Reference Table 7.1-5 for NMS separation. | |||
CHAPTER 07 7.1-82 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-5 DIVISIONAL GROUPING OF NEUTRON MONITORING SYSTEM IN DRYWELL PENETRATIONS Drywell(1)(2)(3)(4) | |||
Penetration Designations A B C D Instrument IRM A & E IRM B & F IRM C & G IRM D & H Channels APRM 1 APRM 2 APRM 3 APRM 4 (SRM A) (SRM B) (SRM C) (SRM D) | |||
Wireway NA NB NC ND Neutron monitoring channel APRM 1 2 3 4 IRM A&E B&F C&G D&H RPS trip A1 B1 A2 B2 logic APRM flow A B C D reference (1) Penetrations across top of table for 4 penetration grouping carry cables for neutron monitoring channels shown, and each channel serves RPS trip logic directly below it. | |||
(2) Horizontal zoning represents LPRM cable distribution to APRMs from various penetrations, e.g., penetration B carries cables for LPRMs going to APRM channel 2 (Figure 7.1-1). | |||
(3) Designations for penetrations and wireways are arbitrary and may be deviated from provided that an equivalent separation is maintained. | |||
(4) Routing of SRM channels has been chosen for convenience and not for safeguard separation reasons. | |||
CHAPTER 07 7.1-83 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-6 SYSTEM AND SUBSYSTEM SEPARATION DIV 1 DIV 2 DIV 3 DIV 4 Sensors A, E, J, Sensors B, F, K, Sensors C, G, L, Sensors D, H, N, T, X P, U, Y R, V M, S, W RCIC(1) Controls HPCI Controls RCIC OBV(2) HPCI OBV RCIC IBV HPCI IBV ADS A - ADS C - | |||
RHR A RHR B RHR C RHR D Pump and Valves Pump and Valves Pump and Valves Pump and Valves CS A CS B CS C CS D Pump and Pump and Pump and Pump and Suction Valve Suction Valve Suction Valve Suction Valve and inject A and inject B ESW ESW ESW ESW Pumps and Valves Pumps and Valves Pumps and Valves Pumps and Valves RHRSW RHRSW RHRSW RHRSW Pumps and Valves Pumps and Valves Pumps and Valves Pumps and Valves PCRVICS Inboard PCRVICS Outboard - - | |||
Valves & Logic Valves & Logic MSIV Inboard MSIV Outboard - - | |||
Valve dc Logic Valve dc Logic and Solenoid and Solenoid SPPSVS A SPPSVS B SPPSVS C SPPSVS D | |||
- - ESBRCS A ESBRCS B Drywell Unit Drywell Unit Drywell Unit Drywell Unit Coolers A, E Coolers B, F Coolers C, G Coolers D, H | |||
- - CECWS A CECWS B | |||
- - AERVS A AERVS B RRCS I RRCS II CHAPTER 07 7.1-84 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-6 (Cont'd) | |||
DIV 1 DIV 2 DIV 3 DIV 4 | |||
- - Control Room Control Room HVAC A HVAC B | |||
- - Emergency Fresh Emergency Fresh Air Fan & Air Fan & | |||
Filter A Filter B Control Room Control Room Control Room Control Room Isolation A Isolation B Isolation C Isolation D RERS A RERS B - - | |||
SGTS A SGTS B - - | |||
REIS A REIS B - - | |||
SGTS Unit SGTS Unit - - | |||
Coolers A Coolers B DGEVS A DGEVS B DGEVS C DGEVS D | |||
- - Containment Containment Hydrogen Hydrogen Recombiner A Recombiner B Isolation Isolation Valves Valves Class 1E power Class 1E power Class 1E power Class 1E power Channel A Channel B Channel C Channel D RCIC pump-room HPCI pump-room - - | |||
unit coolers unit coolers A&E RHR pump- B&F RHR pump- C&G RHR pump- D&H RHR pump-room unit room unit room unit room unit coolers coolers coolers coolers A&E CS pump- B&F CS pump- C&G CS pump D&H CS pump-room unit room unit room unit room unit coolers coolers coolers coolers CHAPTER 07 7.1-85 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-6 (Cont'd) | |||
DIV 1 DIV 2 DIV 3 DIV 4 | |||
- - SLCS A pump SLCS B pump | |||
& valves & valves Control Room Control Room Control Room Control Room Radiation Radiation Radiation Radiation Monitor A Monitor B Monitor C Monitor D | |||
- - Control Room Control Room Emergency Fresh Emergency Fresh Air Radiation Air Radiation Monitor A Monitor B RHRSW loop A RHRSW loop B Radiation Radiation SGTS discharge - - - | |||
radiation RHR Loops A/C RHR Loops B/D - - | |||
Differential Differential Pressure Pressure Core Spray - - - | |||
Loops A/B Differential Pressure Containment Containment Containment Containment Atmosphere Atmosphere Atmosphere Atmosphere Sampling System Sampling System Sampling System Sampling System Inboard Inboard Outboard Outboard Isolation Isolation Isolation Isolation Valves Valves Valves Valves CIGS Inboard CIGS Suction - - | |||
Isolation Valve Line, B Line and A Line Header and Tip Header Outboard Purge Outboard Isolation Isolation Valve Valves CHAPTER 07 7.1-86 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-6 (Cont'd) | |||
DIV 1 DIV 2 DIV 3 DIV 4 Refueling area Refueling area isolation A isolation B (1) | |||
RCIC is not part of ESF (2) | |||
OBV = Outboard isolation valve and logic IBV = Inboard isolation valve and logic CHAPTER 07 7.1-87 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-7 NRC BULLETINS, CIRCULARS, AND INFORMATION NOTICES Bulletin # Description LGS Response 78-01 Flammable contact arm retainers GE performed an inspection to verify that all in GE relays CR120A relays have proper fire resistant retainers. | |||
78-05 Malfunction of CR105 relay It was confirmed by review that no auxiliary auxiliary contacts contacts from these relays are used in safety related circuits. | |||
79-09 Failures of GE type AK-2 None of these type breakers are used in circuit breakers safety related circuits. | |||
79-12 Short period scrams at BWR Station staff to prepare procedure and review with operators during training. This Bulletin applied to operating plants. No modifications required. | |||
79-24 Frozen instrument lines A review of the ECCS minimum flow lines was made as well as the criteria for application and design of heat tracing and freeze protection on instrument, process and sample lines. No modifications were made as existing design was deemed adequate. | |||
79-27 Loss of Instrument ac Study complete and submitted to NRC. No modifications needed. | |||
79-28 Failure of Namco limit switches No switches of this type were found. Some Namco switches are being replaced with qualified models due to environmental qualification concerns. | |||
80-06 Engineered safety feature Study completed. Modifications to circuitry control reset completed. Detailed discussion provided in Section 7.1.2.11.1. | |||
80-09 Failure of ITT actuators Vendor reviews and testing determined that several actuators required spring replacements. Corrective actions have been completed. | |||
CHAPTER 07 7.1-88 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-7 (Cont'd) | |||
Bulletin # Description LGS Response 80-14 Degradation of Scram Discharge Volume Diverse means of measuring SDV capacity Capability have been added to the LGS design. | |||
80-16 Misapplication of Rosemount transmitters Transmitters to be replaced have been identified. Unit 1 replacements completed. | |||
Unit 2 was completed prior to fuel load. | |||
80-17 Failure of control rods to insert Modification made as part of ATWS fix. | |||
80-23 Failure of Valcor solenoid valves Review indicated that no Valcor valves of the type described are used in safety related applications. | |||
Circular # Description LGS Response 79-07 Recirculation pump speed increase Maintenance procedures to include recommended actions. | |||
79-24 Calibration of pipe detection equipment Problem not applicable as design is different at LGS than Duane Arnold. | |||
80-08 RPS Response time Start up test program will verify adequate response time on as-built system. | |||
81-01 Honeywell push button switches Review shows that no switches of this type are used in any safety related systems. | |||
81-03 Inoperable seismic monitoring equipment Maintenance procedure to include lessons learned. | |||
81-06 Foxboro transmitter defects Review indicated that this type transmitter is not used in any safety related systems. | |||
81-11 Inadequate decay heat removal Preliminary review of calculations showed flow rates to be adequate. Shutdown procedures will address this concern. | |||
CHAPTER 07 7.1-89 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-7 (Cont'd) | |||
Circular # Description LGS Response 81-13 MOV torque switch bypass circuit MOV rework program on all safety related MOVs includes rewiring and checking connections internal to the operator. | |||
81-14 MSIV Failures Reviewed operating experience at PBAPS and other plants. Causes of failures were identified. Based on analyses no modifications to LGS valve or air supply design are required. | |||
Notice # Description LGS Response 79-13 Water Level Instrumentation Review indicated LGS will not experience problem due to different design. | |||
79-22 Environmental Effects on non-Class 1E Study indicated no potential problems. | |||
control systems Analysis and rationale provided in Section 7.1.2.11.2. | |||
79-32 Separation of HPCI and ADS cables Review of LGS design shows this problem does not exist. | |||
80-11 ASCO valve problems Review showed that ASCO valves are not used in the conditions described. | |||
80-13 SBM Switch defects All SBM switches have been inspected. | |||
Defective switches have been replaced. | |||
80-30 Control air-CRD interactions Review shows that LGS design precludes this problem 80-31 Defective K600 circuit breakers These breakers are used at LGS. Each breaker is inspected and tested to procedures before installation and acceptance. Any corrective work if needed is completed before final acceptance. | |||
80-34 SDV water level instrumentation failure Problem not applicable to LGS due to different design. | |||
CHAPTER 07 7.1-90 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR LGS UFSAR Table 7.1-7 (Cont'd) | |||
Notice # Description LGS Response 80-39 Valcor solenoid valve malfunction This type valve is not used in safety systems at LGS. | |||
80-45 Failure of backup scram capability Not applicable to LGS RPS Design. | |||
81-01 HFA relay failures All Class 1E HFA relays have been replaced. All non-Class 1E relay coils are being replaced. | |||
81-06 Failure of ITE K600 circuit breakers Inspections completed to find and fix loose connections. | |||
81-11 ARI design This concern will be addressed by GE in the LGS ATWS modifications. | |||
81-16 CRD system possible malfunctions Operator training and plant procedures to be used to avoid problem. | |||
81-25 P-transmitter valve misalignment Plant procedures to be used to avoid problem. | |||
CHAPTER 07 7.1-91 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.1-8 "FIRST-OF-A-KIND" INSTRUMENTS AND CONTROLS Instruments Type Manufacturer Model Use Pressure Switch ITT Barton 580A2 Various Microprocessors, Multiplexers, Computer Systems (3) | |||
Type Manufacturer Model Radiation Monitor General Atomic RM-80 Process Radiation Monitor General Atomic RM-80 Digital High Range Radiation Display General Atomic RM-23 Radiation Monitor(1) Digital Equip. Corp. PDP-11-34 Radiation Monitor(2) Digital Equip. Corp. VAX-11-780 ERFDS RTP Corp. Series 3000 ERFDS RTP Corp. Series 3000 RWM (Unit 2) GE NUMAC Plant Monitoring Scientech and HP DL38OP Gen8 System (1) | |||
Radiation monitoring display system (2) | |||
Meteorological monitoring display and reporting subsystem (3) | |||
These systems are used for monitoring and display only, not for control of any system. | |||
Microprocessors (which incorporate ROMs) are used in the RRCS. The RRCS does not perform any reactor control functions. It does provide signals to trip the recirculation system, to run back the feedwater system, to initiate SLCS, and to initiate ARI to mitigate an ATWS event. No plant control is implemented by microprocessors, multiplexers, or computers. | |||
CHAPTER 07 7.1-92 REV. 19, SEPTEMBER 2018 | |||
LGS UFSAR 7.2 REACTOR TRIP SYSTEM (REACTOR PROTECTION SYSTEM) - INSTRUMENTATION AND CONTROLS 7. | |||
==2.1 DESCRIPTION== | |||
7.2.1.1 System Description 7.2.1.1.1 RPS Identification The RPS includes sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. The RPS also includes outputs to the process computer system and annunciators, which are not part of the RPS. Trip signals are received from the NMS; other portions of this system are treated in Sections 7.5, 7.6, and 7.7. | |||
A completely separate and diverse system, the RRCS, is provided to mitigate the potential consequences of an ATWS event (Section 7.6.1.8). | |||
7.2.1.1.2 RPS Classification The RPS is classified as Safety Class 2, seismic Category I, Quality Group B, and electric Class 1E. | |||
7.2.1.1.3 RPS Power Sources Power to each of the two RPS trip systems is supplied by separate buses powered by independent static inverter sets. Each static inverter set is designed to provide uninterruptible ac power to the loads. Each static inverter set is supplied by two electrical sources, one from the plant auxiliary electrical source (alternate) and the other from the class 1E 250 V dc system (preferred). The inverter output and the plant auxiliary electrical source are connected to a static transfer switch within the inverter set and ahead of the loads. The switch will normally connect the load to the preferred source. Upon failure or undervoltage of the preferred source, the switch will automatically transfer the load to the alternate source. Additionally, if an overload occurs while the load is supplied from the inverter, the switch will automatically transfer the load to the ac source. If, while being fed from the alternate supply the inverter recovers, and the static transfer switch is in auto, the transfer switch will automatically transfer the load to the inverter. Alternatively, if the static transfer switch is in manual, the load transfer requires manual action. Refer to Section 7.6.1.4.5 for independent powering of APRMs. | |||
The static inverter sets are not part of the RPS and are not Class 1E devices. Two Class 1E circuit breakers are located between each static transfer switch and its respective RPS distribution panel (Drawing E-32) to isolate the RPS from the inverter and the bypass ac source if there is an overvoltage, undervoltage, or underfrequency condition. The trip points of the overvoltage, undervoltage, and frequency relays are set to ensure that the power supplied to the RPS is within the limits to which the RPS equipment has been designed and qualified. | |||
A bypass disconnect test switch is installed in parallel with the two class IE circuit breakers. The test switch allows for testing of the breakers without loss of power to the RPS distribution panels. | |||
During the test, when the breakers are bypassed, the AC source is monitored for overvoltage, undervoltage, or underfrequency conditions as determined by the trip points. When not in test, the disconnect test switch is locked open. | |||
CHAPTER 07 7.2-1 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Dc power is supplied to the backup scram valve solenoids from the Class 1E station batteries. | |||
The power source used to drive the control rods during scram is pressurized water contained in the scram accumulator furnished as part of each HCU, as described in Section 4.6.1. | |||
7.2.1.1.4 RPS Equipment Design 7.2.1.1.4.1 General Trip systems are designated A and B. Trip system A is comprised of instrument channels A, C, E, and G; trip logics A1 and A2; and the scram contactors A, E, C and G. Trip system B comprises of instrument channels B, D, F and H; trip logics B1 and B2; and the scram contactors B, D, F and H. | |||
During normal operation, all sensor and trip contacts essential to safety and corresponding trip logic channel contacts are closed, and the scram contactors are energized. Trip channel bypass contacts are normally open. | |||
Table 7.2-1 lists the instruments that provide signals for the system. Figure 7.2-2 summarizes the RPS signals that cause a scram. | |||
The functional arrangement of channels that constitute trip system A is shown in Figure 7.2-5. | |||
When a channel sensor contact opens, its sensor relay de-energizes, opening its contacts and thereby de-energizing its associated scram contactors. Trip system B is similar to that shown on Figure 7.2-5 for trip system A. Scram contactors and scram contactor logics for trip systems A and B are shown in Figure 7.2-4. When a scram contactor is de-energized, its contacts associated with the pilot solenoids open and those associated with the backup scram valves close. As seen on Figure 7.2-4, tripping A1 or A2 or both A1 and A2 trip logics will open the circuits associated with the trip system A pilot solenoids and close corresponding contacts in both trip system A and B backup scram valve circuits. When both trip systems A and B have tripped, all pilot solenoids are de-energized and both backup scram valves are energized, either of which will cause a reactor scram. | |||
There is one scram pilot valve and two scram valves for each control rod, arranged as shown in Drawing C71-1010-F-002. Each scram pilot valve is solenoid-operated with two normally energized pilot solenoids. The scram pilot valve control the air supply to the scram valves for each control rod. With either pilot solenoid energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for CRD water. As shown in Figure 7.2-4, one of the pilot solenoids for each control rod is controlled by trip system A logic A1 and A2, and the other solenoid is controlled by trip system B logic B1 and B2. | |||
When trip system A, logic A1 or A2, and trip system B, logic B1 or B2, are tripped, air is vented from the scram valves, allowing CRD water to act on the CRD piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is exhausted into a SDV. | |||
To restore the RPS to normal operation following any single trip of the trip logic or a scram, the trip logic must be reset manually. Reset is possible only if the conditions that caused the trip have been cleared. Reset after a scram is permissible only after a 10 second delay. The trip systems are reset by a three-position switch in the control room. Figure 7.2-5 shows the functional arrangement of reset contacts for trip system A. | |||
There are two dc solenoid-operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for either backup scram valve is energized, the backup scram valve vents the air supply for the scram CHAPTER 07 7.2-2 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR valves. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valve solenoids are energized (initiate scram) when trip logic A1 or A2 and trip logic B1 or B2 are tripped. | |||
7.2.1.1.4.2 RPS Initiating Circuits The RPS scram functions, shown in Figure 7.2-2, are discussed in the following paragraphs. | |||
: a. Neutron Monitoring System NMS instrumentation is described in Section 7.6.1.4. Figure 7.2-6 clarifies the relationship between NMS channels and the trip system logics. The NMS channels are considered to be part of the NMS; however, the NMS logics are considered to be part of the RPS. Each NMS logic receives signals from one IRM channel and one APRM voter channel. The position of the reactor mode switch determines which input signals affect the output signal from the logic. | |||
The NMS logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. As shown in Drawings C51-1020-F-009, C51-1020-F-010, C51-1020-F-011, C51-1020-F-012, C51-1020-F-013, C51-1020-F-014, C51-1020-F-015, and C51-1020-F-016, there are eight NMS logics associated with the RPS. Each trip system logic receives inputs from two NMS logics. | |||
For the initial fuel load, and during shutdown margin demonstration testing performed as a special test, trip contacts from each SRM are combined with IRM trips to produce a noncoincident reactor NMS trip via removal of the RPS "shorting links". | |||
Note that during the routine shutdown margin demonstra-tion testing performed during the first startup following refueling operations, the RPS "shorting links" remain installed and the SRMS do not contribute to the SCRAM function. | |||
: 1. IRM System Logic The IRMs monitor neutron flux between the upper portion of the SRM range to the lower portion of the APRM range. The IRM detectors can be positioned in the core by remote control. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor reaches a predetermined power level within the power range. | |||
The IRM is able to generate a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range. The IRM is divided into two groups of IRM channels arranged in the core as shown in Drawings C51-1010-F-002, C51-1010-F-003, and C51-1010-F-0023. Four IRM channels are associated with one of the two trip systems of the RPS. Two IRM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining two channels are installed in a separate bay of the cabinet. Full-length side covers separate the cabinet bays. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring. | |||
CHAPTER 07 7.2-3 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on four conditions: when the high voltage drops below a preset level; when one of the modules is not plugged in; when the negative 20 V dc supply is lost: or when the operate-calibrate switch is not in the operate position. Each of the other trip circuits can be specified to trip when preset downscale or upscale levels are reached. | |||
The trip functions actuated by the IRM trips are indicated in Table 7.6-2. | |||
The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram (Figure 7.2-6). Section 7.7.1.2.3.2.3.3 describes the IRM rod block trips. With the reactor mode switch in refuel or startup, an IRM upscale or inoperative trip signal actuates an NMS trip of the RPS. Only one of the IRM channels must trip to initiate an NMS trip of the associated trip system of the RPS. | |||
: 2. APRM System Logic The APRM channels receive input signals from the LPRM detectors and provide a continuous indication of average reactor power from a few percent to greater than rated reactor power. | |||
The APRM subsystem has sufficient redundant channels to meet industry and regulatory safety criteria. Even with the permitted APRM bypasses, the subsystem is capable of generating a scram trip signal before the average neutron flux or the magnitude of any thermal-hydraulic instability caused power oscillations increases to the point that fuel damage is probable. | |||
The digital electronics for each APRM channel, via APRM interface hardware, provides trip signals directly to the Reactor Manual Control System (RMCS) and Redundant Reactivity Control System (RRCS) and via the APRM 2-out-of-4 voter channels to the Reactor Protection System (RPS). An APRM upscale trip or inoperative in any two unbypassed APRM channels can initiate an RPS trip in both RPS trip systems. Similarly, an OPRM upscale trip from any two unbypassed APRM channels can initiate an RPS trip in both RPS trip systems if the reactor mode switch is in the RUN position, and the plant is operating within the OPRM trip enabled region of the power-flow map. Any single APRM upscale trip or inoperative or OPRM upscale trip will not initiate an NMS trip in the RPS. Table 7.6-4 itemizes the APRM system trip functions. Any one unbypassed APRM can initiate a rod block, depending upon the position of the reactor mode switch. | |||
Section 7.7.1.2.3.2.3.3 describes in detail the APRM rod block interlock functions. The APRM Simulated Thermal Power - Upscale rod block and the APRM Simulated Thermal Power - Upscale scram trip setpoints vary as a function of reactor recirculation loop flow. The OPRM upscale trip output to the RPS is automatically bypassed when the reactor is operating below the lower power limit or above the upper flow limit of the OPRM trip enabled region. | |||
Manually moving the reactor mode switch out of the RUN position to any other position causes the APRM rod block and APRM neutron flux scram CHAPTER 07 7.2-4 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR setpoints to be lowered. The manual positioning of the reactor mode switch is governed by the standard reactor startup (shutdown) procedure. The operator can bypass the trips from any one APRM channel, but only one APRM channel may be bypassed at any time. No APRM voter channels may be bypassed. | |||
A simplified circuit arrangement is shown in Figure 7.6-7. | |||
NMS scram operating bypasses are described in Section 7.2.1.1.4.4.6. | |||
Diversity of trip initiation for unusual excursions in reactor power is provided by the NMS trip signals and reactor vessel high pressure trip signals. An increase in reactor power initiates protective action from the NMS discussed in the above paragraphs. The increase in power causes reactor pressure to increase because of a higher rate of steam generation with no change in turbine control valve position resulting in a trip from reactor vessel high pressure. These variables are independent of one another and provide diverse initiation of protective action for this condition. | |||
: b. Reactor Pressure (RPS Initiating Circuits) | |||
Reactor pressure is measured at four physically separated locations. A pipe from each location is routed through the drywell and terminates in the reactor enclosure. | |||
One locally mounted pressure sensor monitors the pressure in each pipe. Cables from these sensors are routed to the RPS logic cabinets. Each sensor provides a high pressure signal to one channel as shown in Figure 7.2-3. The physical separation and the signal arrangement ensure that no single physical event can prevent a scram caused by nuclear system high pressure. | |||
The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the reactor pressure sensors is shown in Drawing M-41. | |||
The discussion of diversity for reactor vessel high pressure is provided in Section 7.2.1.1.4.6. | |||
: c. Reactor Vessel Water Level (RPS Initiating Circuits) | |||
Reactor vessel low water level signals are initiated from level sensors that sense the difference between the pressure that is due to a constant reference column of water and the pressure that is due to the actual water level in the vessel. The level sensors (A, B, C and D) have separate RPV reference leg taps; however, sensors A and B share the same variable leg tap and common piping to the outside of the primary containment where the piping is split for these and other sensors as shown in Drawing M-42. Sensors C and D are of a similar configuration with their tap and piping physically separated from that used by sensors A and B. A break (or blockage) in either of the common piping runs will result in a reactor scram because the one-out-of-two-twice logic is arranged with sensors A and C in trip logic A and sensors B and D in trip logic B. The physical separation of redundant sensors and the signal arrangement ensure that no single physical event can prevent a scram that is due to reactor vessel low water level. | |||
CHAPTER 07 7.2-5 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Diversity of trip initiation for breaks in the RCPB is provided by reactor vessel low water level trip signals and high drywell pressure trip signals. If a break in the primary system boundary occurs, a volume of primary coolant is released to the drywell in the form of steam. This release causes reactor vessel water level to decrease and drywell pressure to increase, resulting in protective action initiation. | |||
These variables are independent of one another and provide diverse initiation of protective action for this condition. | |||
The locations of the reactor vessel low water level sensors are shown in Drawings C71-1010-F-002, C71-1010-F-003, C71-1010-F-004, and C71-1010-F-005, and the environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the reactor vessel low water level sensors is shown in Drawing M-42. | |||
: d. Turbine Stop Valve (RPS Initiating Circuits) | |||
Turbine stop valve closure inputs to the RPS come from valve stem position switches mounted on the four turbine stop valves. Each of the double-pole, single-throw switches opens before the valve is more than 7% closed to provide the earliest positive indication of closure (Technical Specification - Setpoint <= 5%, | |||
Allowable Value <= 7%). Either of the two channels associated with one stop valve, can signal valve closure, as shown in Figure 7.2-7. The logic is arranged so that closure of three or more valves initiates a scram. | |||
Turbine stop valve closure trip channel operating bypasses are described in Section 7.2.1.1.4.4.1. | |||
Diversity of trip initiation for increases in reactor vessel pressure that are due to termination of steam flow by turbine stop valve or control valve closure is provided by reactor vessel high pressure and high power trip signals. A closure of the turbine stop valves or control valves at steady-state conditions would result in an increase in reactor vessel pressure. If a scram were not initiated from these closures, a scram would occur from high reactor vessel pressure or power. Reactor vessel high pressure and power are independent variables for this condition and provide diverse initiation of protective action. | |||
The locations of the turbine stop valve closure position switches are shown in the instrument location drawing provided in Drawing E-1112. The environmental conditions for the RPS are described in Section 3.11. | |||
: e. Turbine Control Valve (RPS Initiating Circuits) | |||
Turbine control valve fast closure inputs to the RPS are from oil line pressure sensors on each of four fast-acting control valve hydraulic mechanisms. These hydraulic mechanisms are part of the turbine control, and they are used to effect fast closure of the turbine control valves. These pressure switches provide signals to the RPS. If hydraulic oil line pressure is lost, a turbine control valve fast closure scram is initiated. | |||
Turbine control valve fast closure trip channel operating bypasses are described in Section 7.2.1.1.4.4.1. | |||
CHAPTER 07 7.2-6 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The discussion of diversity for turbine control valve fast closure is the same as that for turbine stop valve closure provided in Sections 7.2.1.1.4.2.d and 7.2.1.1.4.6. | |||
The locations of the turbine control valve fast closure pressure switches are shown in the instrument location drawings provided in Drawing M-677. The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the turbine control valve fast closure pressure switch is shown in Drawing M-01. | |||
: f. Main Steam Isolation Valves (RPS Initiating Circuits) | |||
Position switches mounted on the eight MSIVs signal MSIV closure to the RPS. | |||
Each of the double-pole, single- throw switches is arranged to open before the valve is more than 12% closed to provide the earliest positive indication of closure (Technical Specification - Setpoint <= 8%, Allowable Value <= 12%). Either of the two channels associated with one isolation valve can signal valve closure. To facilitate the description of the logic arrangement, the position-sensing channels for each valve are identified and assigned to RPS logics as follows: | |||
Valve Position-Sensing Feeds Identification Channels Trip Logic Main steam line A, F022A A1, B1 inboard valve Main steam line A, F028A A1, B1 outboard valve Main steam line B, F022B A1, B2 inboard valve Main steam line B, F028B A1, B2 outboard valve Main steam line C, F022C A2, B1 inboard valve Main steam line C, F028C A2, B1 outboard valve Main steam line D, F022D A2, B2 inboard valve Main steam line D, F028D A2, B2 outboard valve Thus, each logic receives signals from the valves associated with two steam lines (Figure 7.2-8). The arrangement of signals within each logic requires closing of at least one valve in each of the two steam lines associated with that logic to cause a trip of that logic. For example, closure of the inboard valve of steam line A and the outboard valve of steam line C causes a trip of logic B1. This in turn causes trip system B to trip. | |||
CHAPTER 07 7.2-7 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR No scram occurs, because no trips occur in trip system A. In no case does closure of two valves or isolation of two steam lines cause a scram that is due to valve closure. Closure of at least one valve in three or more steam lines causes a scram. | |||
The wiring for the position-sensing channels from one position switch is physically separated in the same way that wiring to duplicate sensors on a common process tap is separated. The wiring for position-sensing channels feeding the different trip logics of one trip system is also separated. | |||
MSIV closure trip channel operating bypasses are described in Section 7.2.1.1.4.4.2. | |||
Diversity of trip initiation that is due to main steam isolation is provided by reactor vessel high pressure and power trip signals. A closure of the MSIVs at steady-state conditions would cause an increase in reactor vessel pressure and power. If a scram were not initiated from MSIV closure, a scram would occur from high reactor vessel pressure or high power. These variables are independent and provide diverse initiation of protective action for this condition. | |||
The locations of the MSIV closure position switch are shown in the instrument location drawing in Figures 7.2-12 and 7.2-13. The environmental conditions for the RPS are described in Section 3.11. | |||
: g. Scram Discharge Volume (RPS Initiating Circuits) | |||
Four nonindicating float switches (one for each channel) provide SDV high water level inputs to the four RPS channels. In addition, a trip unit, with a level transmitter, in each channel provides diversity with the float-type level switch in that channel. This arrangement provides diversity, as well as redundancy, to ensure that no single event can prevent a scram caused by SDV high water level. With the predetermined scram setting, a scram is initiated when sufficient capacity still remains in the tank to accommodate a scram. | |||
SDV water level trip channel operating bypasses are described in Section 7.2.1.1.4.4.3. | |||
The SDV function is to receive water that is discharged from the CRD during a scram. If at the completion of the scram the level of water in the SDV is greater than the trip setting, the RPS cannot be reset until the discharge volume has been drained or the discharge volume level switch is in the bypass position and the reactor mode switch is in the shutdown or refuel mode. In addition, the SDV water level scram setting has been selected so that the CRD water discharged because of a scram can fit in the volume, along with prior leakage that would have initiated the scram. | |||
The locations of the SDV water level sensors are shown in the instrument location drawing in Drawings E-1164 and E-1165. The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the SDV level sensors is shown in Drawings C11-1030-F-008,C11-1030-F-009,C11-1030-F-010,C11-1030-F-011,C11-1030-F-012,C11-1030-F-013, and C11-1030-F-014. | |||
: h. Drywell Pressure (RPS Initiating Circuits) | |||
CHAPTER 07 7.2-8 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Drywell pressure is monitored by four pressure sensors mounted on instrument racks outside the drywell in the secondary containment. Pipes that terminate in the secondary containment connect the sensors with the drywell interior. The sensors are physically separated and electrically connected to the RPS so that no single event prevents a scram caused by drywell high pressure. Cables are routed from the sensors to the RPS logic cabinets. Each sensor provides an input to one channel (Figure 7.2-3). | |||
The discussion of diversity for high drywell pressure is provided in Sections 7.2.1.1.4.2 and 7.2.1.1.4.6. | |||
The drywell pressure sensors are located on instrument racks outside the drywell. | |||
Instrument location drawings listed in Table 1.7-3 show the rack locations. The environmental conditions of the RPS are described in Section 3.11. | |||
: i. Deleted | |||
: j. Manual Scram (RPS Initiating Circuits) | |||
A scram can be initiated manually. There are four scram buttons, one for each trip logic (A1, A2, B1, and B2). To initiate a manual scram, at least one button in each trip system must be depressed. The manual scram logic is the same as the automatic scram logic. The manual scram buttons are arranged in two groups of two switches. One group contains the A1 and B1 switches. The A2 and B2 switches are in the other group. The switches in each group are located close enough to permit one hand motion to initiate a scram. By operating the manual scram button for one trip logic at a time and then resetting that logic, each actuator logic can be tested for manual scram capability. The reactor operator can also scram the reactor by placing the mode switch in its shutdown position. | |||
: k. Mode Switch in Shutdown (RPS Initiating Circuits) | |||
A scram is initiated whenever the mode switch is placed in the shutdown position. | |||
The mode switch has four electrically separated banks of gear-driven contacts. | |||
Each bank provides inputs into a separate RPS trip logic. The mode switch is located on the reactor control console in the control room. The environmental conditions for the control room are described in Section 3.11. The discussion of mode switch in shutdown operating bypass is discussed in Section 7.2.1.1.4.4.4. | |||
The discussion of mode switch interlocks is given in Sections 7.2.1.1.4.5 and 7.2.1.1.6.2.1. | |||
The mode switch in shutdown does not require diversity as discussed in Section 7.2.1.1.4.4.4. | |||
7.2.1.1.4.3 RPS Logic The basic one-out-of-two-twice logic arrangement of the RPS is illustrated in Drawings C71-1010-F-002, C71-1010-F-003, C71-1010-F-004, and C71-1010-F-005. The system is arranged as two separately powered trip systems. Each trip system has two redundant logics, as shown in Figures CHAPTER 07 7.2-9 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.2-4 and 7.2-5. Each logic receives input signals from at least one channel for each monitored variable. Each variable is monitored by at least four channels. | |||
Channel and logic relays are fast response, high reliability relays. Power relays for interrupting the scram pilot valve solenoids have high current carrying capabilities and are highly reliable. All RPS relays are selected so that the continuous load will not exceed 50% of the continuous-duty rating. | |||
The time response for the RPS sensor and sensor trip to actuators de-energized is provided in Chapter 16. The time requirements for control rod movement are discussed in Section 4.6.3. | |||
Each trip logic provides inputs into each of the actuator logics of one trip system, as shown in Figures 7.2-4 and 7.2-5. Thus, either of the two logics associated with one trip system can produce a trip system trip. The arrangement is a one-out-of-two-twice logic. To produce a scram, the actuator logics of both trip systems must be tripped. | |||
Diversity of variables is provided for the RPS but not in the logic. One-out-of-two-twice logic is used, but the logic channels are identical. | |||
The RPS reset switch is used to momentarily bypass the seal-in contacts of the final actuators of the RPS. The reset is effected in conjunction with auxiliary relays. If a single channel is tripped, the reset is accomplished immediately upon operation of the reset switch. On the other hand, if a reactor scram condition is present, manual reset is prohibited for a 10 second period to permit the control rods to achieve their fully inserted position. | |||
7.2.1.1.4.4 RPS Scram Operating Bypasses A number of manual and automatic scram bypasses are provided to accommodate the varying protection requirements that depend on reactor conditions. These are automatically removed when the permissives conditions are not present. In addition, individual channels can be bypassed under administrative control for test and maintenance. | |||
All manual bypass switches are in the control room, under the direct control of the control room operator. | |||
7.2.1.1.4.4.1 Turbine Stop Valve and Turbine Control Valve Fast Closure Turbine stop valve closure and turbine control valve fast closure trip bypass is effected by four pressure sensors associated with the turbine first stage. | |||
Two physically separate and redundant pressure taps located in the turbine steam supply lines upstream of the high pressure turbine first stage are each piped to two non-redundant pressure sensors that sense first stage pressure. Redundancy has been achieved by connecting one pressure transmitter output to each of the four divisional trip logics so that at least two divisions must be bypassed, by action of the turbine first-stage pressure scram bypass trip units, to prevent a scram from turbine stop valve closure or turbine control valve fast closure. | |||
The turbine stop valve closure scram and turbine control valve fast closure scram are automatically bypassed if the turbine first-stage pressure is less than a predetermined value. Closure of these turbine valves below a low initial power level does not threaten the integrity of any radioactive material release barrier. Any one channel in a bypass state produces a control room annunciation. | |||
The sensors are arranged so that no single failure can prevent a turbine stop valve closure scram CHAPTER 07 7.2-10 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR or turbine control valve fast closure scram. In addition, this bypass is automatically removed when the turbine first-stage pressure exceeds the setpoint corresponding to 29.5% of rated power. | |||
7.2.1.1.4.4.2 MSIV Closure (RPS Scram Bypass) | |||
At plant shutdown and during initial plant startup, a bypass is required for the MSIV closure scram trip to properly reset the RPS. This bypass is in effect when the reactor mode switch is in the SHUTDOWN, REFUEL, or STARTUP position. The bypass allows plant operation when the MSIVs are closed during low power operation. The operating bypass is removed when the mode switch is placed in the run position. | |||
The discussion of diversity for MSIV closure is provided in Section 7.2.1.1.4.2.f. | |||
7.2.1.1.4.4.3 Scram Discharge Volume Level (RPS Scram Bypass) | |||
The SDV high water level trip bypass is controlled by the manual operation of two key-locked switches, a bypass switch, and the mode switch. The mode switch must be in the shutdown or refuel position to allow manual bypass of this trip. This bypass allows the operator to reset the RPS scram relays so that the SDV may be drained. Resetting the trip actuators opens the SDV vent and drain valves. An annunciator in the control room indicates the bypass condition. | |||
The discussion of diversity of the SDV level trip is provided in Section 7.2.1.1.4.2.g. | |||
7.2.1.1.4.4.4 Mode Switch in Shutdown (RPS Scram Bypass) | |||
The scram initiated by placing the mode switch in shutdown is automatically bypassed after a short time delay. The bypass allows the CRD hydraulic system valve lineup to be restored to normal. | |||
An annunciator in the control room indicates the bypassed condition. | |||
Diversity of variables is not provided for this function because the placing of the mode switch in shutdown is part of the normal method for shutting down the reactor and requires only operator action for initiation. The mode switch in shutdown is not a safety function and does not require diversity. | |||
7.2.1.1.4.4.5 Maintenance, Calibration, or Test RPS Scram Bypasses Each reactor scram sensor can be tested and calibrated. When an instrument is valved out for test or calibration, the administratively controlled system out-of-service annunciation is manually actuated. | |||
Individual channels for drywell high pressure, reactor vessel high pressure, reactor vessel low water level, CRD SDV high water level, and main steam line high radiation are tripped when any one sensor is physically removed for maintenance. The bypass of the turbine stop valve closure and turbine control valve fast closure trip remains in the unbypassed state when the one turbine first-stage pressure sensors are physically removed for maintenance. | |||
7.2.1.1.4.4.6 NMS (RPS Scram Bypass) | |||
Bypasses for the NMS channels are described below. | |||
CHAPTER 07 7.2-11 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The neutron monitoring scram logic trip outputs for IRM and APRM can be bypassed, during any mode of operation by hand operated selector switches located on the reactor control bench board in the control room. The bypasses for APRM channels 1, 2, 3, and 4 are controlled by one fiber-optic selector switch. None of the four APRM 2-out-of-4 voter channels can be bypassed. The bypasses for IRM channels A, C, E, and G are controlled by one selector switch and the bypasses for IRM channels B, D, F, and H are controlled by a second selector switch. | |||
The APRM and IRM bypass switches can bypass only one NMS channel at a time. Each APRM and IRM bypass is indicated by a light in the control room. | |||
Bypassing one APRM channel with the APRM selector switch does not inhibit the NMS from providing protective action when required. Bypassing one IRM channel with each IRM selector switch does not inhibit the NMS from providing protective action when required. Bypass indication is discussed in Section 7.2.2.1.2.1.7. | |||
The operating bypasses of the NMS are controlled by the reactor mode switch located on the control room reactor control bench board. When the reactor mode switch is in the RUN mode, the IRM trips are bypassed; protection is provided by the APRM trips. When the reactor mode switch is not in the RUN mode, the IRM trips are active. As reactor power is increased and the APRM system reaches its operating range, by procedure the IRM detectors are withdrawn from the reactor core. When reactor power is decreased to the IRM operating range, by procedure the IRM detectors are inserted into the reactor core. | |||
Plant administration procedures manuals specify the administrative controls used during maintenance, test, and calibration. | |||
7.2.1.1.4.5 RPS Interlocks The SDV high water level trip bypass signal interlocks with the RMCS to initiate a rod block. The interlock is isolated by relay contacts so that no failure in the control system can prevent a scram. | |||
Reactor vessel low water level, reactor vessel pressure, main steam line radiation, turbine stop valve closure, and drywell high pressure signals are shared with the PCRVICS. The sensors operate relays in the RPS whose contacts interlock with the PCRVICS. | |||
A discussion of the NMS interlocks to rod block functions is provided in Section 7.6.1.4. | |||
Each APRM and IRM bypass is indicated by a light in the control room. The reactor mode switch has interlocks to systems other than the RPS. These interlocks are discussed in Section 7.6.1.4. | |||
7.2.1.1.4.6 RPS Redundancy and Diversity Redundant portions of the RPS have physically separated sensor taps, sensing lines, sensors, sensor racks, cable routing, and logic. By the use of redundant sensors for each RPS variable and separate redundant logic and wiring, the RPS system has been protected from the credible single failures. For additional information on redundancy of RPS subsystems, see Section 7.2.1.1.4.2. | |||
Redundancy of the fail-safe RPS power supply is not required. There are two uninterruptible power supplies for continuity of service only. | |||
CHAPTER 07 7.2-12 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Diversity is provided by monitoring diverse sets of independent reactor vessel variables. MSIV closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of a reactor vessel high pressure and power scram trip. Therefore reactor high pressure and power are diverse scram inputs to main steam line closure. Drywell high pressure and reactor low water level are diverse scram variables for a steam or water line break inside the containment. Diversity of variables for main steam line breaks outside the drywell, which initiate main steam line isolation and in turn reactor trip initiation, is covered in Section 7.3.1.1.2.8.1. | |||
Additional discussion of diversity of RPS variables is provided in Section 7.2.1.1.4.2. | |||
7.2.1.1.4.7 RPS Actuated Devices The trip system logic opens when a trip signal is received and de-energizes the scram pilot valve solenoids. There are two pilot solenoids per control rod. Both solenoids must de-energize to bleed the instrument air from, and open, the inlet and outlet scram valves to allow drive water to scram a control rod. One solenoid receives its signal from trip system A, and the other receives it from trip system B. The control rods are arranged in four groups. Within each trip system, each group of control rods has its own scram contactor logic as shown in Figure 7.2-4. The failure of one control rod group to scram does not prevent a complete shutdown. The instrument air system provides support to the RPS by keeping the air operated scram valve closed until a scram is required. | |||
The individual control rods and their controls, the scram valves, and the pilot solenoids are not part of the RPS; however, the RPS does interface with these devices by controlling the pilot solenoids. | |||
The pilot solenoids for the scram pilot valves are part of the HCU (C11-D001) of the associated control rod in the CRD system. The backup scram valves (C11-F110A & B), classified as nonessential, are also not part of the RPS, but are part of the CRD system. The valves are supplied with 125 V dc safeguard power from separate supplies. For further information on the scram valves and control rods, see Section 4.6.1.2.4.3. | |||
The pilot solenoid valves are supplied from the RPS uninterruptible power sources. | |||
In addition to the two scram valves for each CRD, there are two backup scram valves that are used to vent the common header for all control rods. Both backup scram valves are energized to initiate venting and are individually supplied with 125 V dc power from the Class 1E plant batteries. In any auxiliary use of the plant instrument air system, a failure of the air system causes a safe direction actuation of the safety device. | |||
7.2.1.1.4.8 RPS Separation Four independent sensor channels monitor the various process variables listed in Section 7.2.1.1.4.2. The redundant sensor devices are separated so that no single failure can prevent a scram. All RPS wiring outside the control system cabinets is run in totally enclosed metallic raceways or in embedded PVC conduits. Physically separated cabinets or cabinet bays are provided for the four trip logics. The rack number for RPS sensors is shown in Drawing M-01 and M-42. The locations for local RPS racks and panels are shown on the instrument location drawings listed in Table 1.7-3. Cable routing from sensor to panel is shown in raceway plans listed in Section 1.7. The criteria for separation of sensing lines and sensors are discussed in Section 7.1.2.2. | |||
The mode switch, SDV high water level trip bypass switch, scram reset switch, and manual scram switches are all mounted on one control console. Each device is mounted in a metal enclosure CHAPTER 07 7.2-13 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR and has a sufficient number of barrier devices when required to maintain adequate separation between redundant portions of the RPS. Within the panel, conduit is provided from the metal enclosures to the point where adequate physical separation can be maintained without barriers. | |||
The outputs from the logic cabinets to the pilot solenoids are run in four separate raceway systems to match the four scram groups shown in Drawings C71-1010-F-002 and C71-1010-F-003. The groups are selected so that the failure of one group to scram does not prevent a reactor shutdown. | |||
RPS inputs to annunciators and the computer are arranged so that no malfunction of the annunciating or computing equipment can functionally disable the RPS. Direct signals from RPS sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output. | |||
7.2.1.1.4.9 RPS Testability The RPS has components that are not activated or tested during normal operation with an integrated testing procedure. These components are tested using manual test methods which allow for independent checking of individual system components. This testing includes verification of each channel trip, including scram contactors, by using the associated installed sensors and circuits to verify proper operation. The frequency of these tests and parameters to be verified are identified in the Technical Specifications. | |||
The RPS can be tested during reactor operation by an overlapping series of tests. | |||
: a. The manual scram test is as follows: By depressing the manual scram button for one trip channel, appropriate scram contactors are de-energized, opening contacts in the scram contactor logics. After the first trip channel is reset, the second trip channel is tripped manually and so forth for the four manual scram buttons. The total test verifies the ability to de-energize the scram pilot valve solenoids without scram by using the manual scram push button switches. In addition to control room and computer printout indications, scram group indicator lights verify that the scram contractor contacts have opened and interrupted power in these pilot solenoids. | |||
: b. Calibration of the NMS is by simulated inputs from calibration signal generators. | |||
Calibration and test controls for the NMS are located in the auxiliary equipment room. Their physical location places them under control of the operating shift management. Section 7.6.1.4 describes the calibration procedure of the NMS. | |||
: c. The single rod scram test verifies the capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular CRD. Timing traces can be made for each rod scrammed. Before the test, a physics review must be conducted to ensure that the rod pattern during scram testing does not create a rod of excessive reactivity worth. | |||
: d. MSIV position switches, turbine control valve fast closure sensors, and turbine stop valve position switches can be checked for operability. | |||
: e. The process computer verifies the correct operation of many sensors during plant startup and shutdown. The verification provided by the process computer is not considered in the selection of test and calibration frequencies and is not required for plant safety. | |||
CHAPTER 07 7.2-14 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: f. The overall RPS response time from sensor trip to channel relay de-energization and scram contactor de-energization is verified by test. | |||
: g. The fourth test involves one of two methods for applying test signals to each RPS channel in turn and observing that a logic trip results. This test also verifies the independence of the channel circuitry. The test signals can be applied to the process-type sensing instruments (pressure and differential pressure) through calibration taps, or a calibration input may be applied to each instrument trip unit by use of a built-in calibrator. Calibration and test controls for pressure sensors and differential pressure sensors are located in the turbine enclosure and secondary containment. Calibration controls for the trip units are located in the auxiliary equipment room. To gain access to the setting controls for each sensor, a cover plate or sealing device must be removed. The control room operator is responsible for granting access to the setting controls. Only properly qualified plant personnel are granted access for testing or calibration adjustments. | |||
In addition to the above test, the operability of the pressure and level sensors may be verified by cross-checking instrument readouts in the auxiliary equipment room at any time during operations. | |||
The CRD SDV level sensors are tested by valving the sensor out of service and injecting and varying a test source to the level sensor. | |||
7.2.1.1.5 RPS Environmental Considerations Electrical modules for the RPS are located in the drywell, control structure, secondary containment, and turbine enclosure. The environmental conditions for these are discussed in Section 3.11. | |||
7.2.1.1.6 RPS Operational Considerations 7.2.1.1.6.1 Reactor Operator Information 7.2.1.1.6.1.1 Indicators Scram group indicators extinguish when trip logic opens. | |||
Recorders in the control room also provide information regarding reactor vessel water level, reactor vessel pressure, drywell pressure, and reactor power level. | |||
7.2.1.1.6.1.2 Annunciators (RPS Operator Information) | |||
Each manual and/or automatic RPS input is annunciated in the control room by isolated relay contacts. Trip logic trips also actuate the annunciator system. | |||
When an RPS sensor channel trips, a corresponding red annunciator window on the reactor control panel in the control room indicates the out-of-limit variable. Each trip logic also initiates a corresponding red annunciator window that indicates the trip logic that has tripped. An RPS channel trip also actuates an annunciator system horn, which can be silenced by the operator. The annunciator window lights latch-in until reset manually. Reset is not possible until the condition that CHAPTER 07 7.2-15 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR caused the trip has been cleared. The location of alarm windows permits the operator to quickly identify the cause of RPS trips and to evaluate the threat to the fuel or RCPB. | |||
7.2.1.1.6.1.3 Computer Alarms (RPS Operator Information) | |||
A computer printout identifies each tripped channel. All RPS trip events are recorded by the NSSS process computer system. This permits subsequent analysis of an operational transient that occurs too rapidly for operator comprehension of events as they occur. The first 80 events are recorded in chronological sequence; events occurring within 4 milliseconds of one another are treated as having occurred simultaneously. The use of the computer is not required for plant safety. The printout of trips is particularly useful in routinely verifying the correct operation of pressure, level, and valve position switches as trip points are passed during startup, shutdown, and maintenance operations. | |||
7.2.1.1.6.2 RPS Reactor Operator Controls 7.2.1.1.6.2.1 Mode Switch A conveniently located, multiposition mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate sensors for scram functions and provides appropriate bypasses. The switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the RPS. | |||
The switch is designed to provide separation between the four trip channels. The mode switch positions and their related scram functions are as follows: | |||
: a. Shutdown Initiates a reactor scram; bypasses main steam line isolation scram. | |||
: b. Refuel Selects the IRM trips for low neutron flux level operation (disables the OPRM upscale trip but does not disable the APRM upscale and inoperative trips); | |||
bypasses main steam line isolation scram. | |||
: c. Startup Selects the IRM trips for low neutron flux level operation (disables the OPRM upscale trip but does not disable the APRM upscale and operative trips); bypasses main steam line isolation scram. | |||
: d. Run Selects the APRM trips, including the OPRM upscale trip, for power range operation. | |||
7.2.1.1.6.3 Setpoints (RPS Operational Considerations) | |||
Instrument ranges are chosen to cover the range of expected conditions for the variable being monitored. Additionally, the range is chosen to provide the necessary accuracy for any required setpoints and to meet the overall accuracy requirements of the channel. | |||
CHAPTER 07 7.2-16 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: a. NMS Trip To protect the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The NMS setpoints and their bases are discussed in Section 7.6.1.4. | |||
: b. Reactor Vessel High Pressure Excessively high pressure within the reactor vessel threatens to rupture the RCPB. A reactor vessel pressure increase during reactor operation compresses the steam voids and results in a positive reactivity insertion; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The reactor vessel high pressure scram setting selected is slightly above the reactor vessel maximum normal operation pressure, to permit normal operation without a spurious scram and yet provide a wide margin to the maximum allowable reactor vessel pressure. The location of the pressure measurement, as compared to the location of the highest nuclear system pressure during transients, was also considered in the selection of the high pressure scram setting. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable pressure. The reactor vessel high pressure scram setting also protects the core from exceeding thermal-hydraulic limits resulting from pressure increases during events that occur when the reactor operates below rated power and flow. | |||
: c. Reactor Vessel Low Water Level (RPS Setpoints) | |||
Low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. Decreasing water level while the reactor operates at power decreases the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. If the water level decreases further, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core. The reactor vessel low water level scram setting was selected to prevent fuel damage following abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. The scram setting is far enough below normal operational levels to prevent spurious scrams. The setting is high enough above the top of the active fuel to ensure that enough water is available to account for evaporation, loss, and displacement of coolant following the most severe abnormal operational transient involving a level decrease. | |||
: d. Turbine Stop Valve Closure (RPS Setpoints) | |||
Closure of the turbine stop valve with the reactor operating at power can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the NMS or reactor vessel high pressure. It is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. By inserting CHAPTER 07 7.2-17 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR negative reactivity with control rods, the scram counteracts the addition of positive reactivity caused by increasing pressure. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the reactor vessel pressure limit. The turbine stop valve closure scram setting provides the earliest positive indication of valve closure. | |||
: e. Turbine Control Valve Fast Closure (RPS Setpoints) | |||
With the reactor and turbine-generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the NMS or reactor vessel high pressure. It is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. By inserting negative reactivity with control rods, the scram counteracts the addition of positive reactivity resulting from increasing pressure. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure. | |||
: f. Main Steam Line Isolation (RPS Setpoints) | |||
MSIV closure can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The main steam line isolation trip initiates a scram earlier than either the NMS or reactor vessel high pressure. By inserting negative reactivity with control rods, the scram counteracts the addition of positive reactivity resulting from increasing pressure. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the main steam line isolation scram provides additional margin to the nuclear system pressure limit. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The logic allows functional testing of main steam line isolation trip channels by partially closing an MSIV. | |||
: g. SDV High Water Level (RPS Setpoints) | |||
Water displaced by the CRD pistons during a scram goes to the SDV. If the SDV fills with water so that insufficient capacity remains for the water displaced during a scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram. | |||
: h. Drywell High Pressure (RPS Setpoints) | |||
High pressure inside the drywell may indicate a break in the RCPB. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and CHAPTER 07 7.2-18 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR to reduce energy transfer from the core to the coolant. The drywell high pressure scram setting is selected to be as low as possible without inducing spurious scrams. | |||
: i. Left blank intentionally. | |||
: j. Manual Scram (RPS Setpoints) | |||
Push buttons are located in the control room to enable the operator to shut down the reactor by initiating a scram. | |||
: k. Mode Switch in Shutdown (RPS Setpoints) | |||
When the mode switch is in shutdown, the reactor is to be shut down with all control rods inserted. This scram is not considered a protective function, because it is not required to protect the fuel or reactor vessel process barrier, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short delay, permitting a scram reset that restores the normal valve lineup in the CRD hydraulic system. | |||
: l. Turbine First-Stage Pressure (RPS Setpoints) | |||
The turbine stop valve closure scram and turbine control valve fast closure scram are automatically bypassed if the turbine first-stage pressure is less than a predetermined value. This setpoint is chosen so that closure of these valves below the setpoint does not threaten the integrity of any radioactive material release barrier. | |||
7.2.1.1.7 RPS Containment Electrical Penetration Assignment See Section 6.2.6. | |||
7.2.1.1.8 RPS Control Room Area The control room area is divided into three floors, the auxiliary equipment room, the control room, and the cable spreading room. Each floor is divided into a Unit 1 and Unit 2 section. The RPS control board is located in the control room. The bench board for reactor control contains the reactor mode switch, bypass switches, scram solenoid valve status indicating lights, and manual scram switches. The RPS vertical boards are located in the auxiliary equipment room. The RPS vertical boards contain the trip units, trip channel and logic relays, test switches, trip indicating lights, and terminal boards. The vertical boards are installed on PGCC floor sections and are connected to individual termination cabinets by under-floor cable ducts. A general description of the cable spreading in the PGCC floor sections is contained in NEDO-10466A, "Power Generation Control Complex", and a further description is contained in Section 8.1.6.1.14.b.6. | |||
There is no RPS equipment except for cables located in the cable spreading room. In the cable spreading room the RPS cables are routed in identified, totally enclosed metallic raceways. The arrangement of the equipment is shown in Drawings M-602 and M-603. | |||
7.2.1.1.9 Test Methods that Enhance RPS Reliability Surveillance testing is performed periodically on the RPS during operation and shutdown. This testing includes sensor calibration, response time testing, trip channel actuation, and trip time CHAPTER 07 7.2-19 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR measurement with simulated inputs to individual trip units and sensors. The sensors that are transmitters can be checked by comparison of the readings on other channels of the same variable. | |||
7.2.1.1.10 Interlock Circuits to Inhibit Rod Motion as Well as Vary the Protection Function Section 7.7.1.2.3.2.3.3 describes interlock circuits to inhibit rod motion that are derived from neutron flux and recirculation flow measurements. Electrical isolation is provided between the RBM interlock circuits and the APRM protective action circuits. | |||
There are no interlock circuits that inhibit rod motion as well as vary the protective functions. | |||
7.2.1.1.11 RPS Support Cooling Systems Operation of the control enclosure chilled water system and associated unit coolers is required to ensure operation of the RPS components within their design requirements. The control enclosure chilled water system is described in Section 7.3.1.1.13. | |||
7.2.1.2 RPS Design Bases Design basis information requested by IEEE 279 (1971) is discussed in the following paragraphs. | |||
These IEEE 279 design bases aspects are considered separately from those more broad and detailed design bases for this system cited in Section 7.1. | |||
7.2.1.2.1 Conditions The generating station conditions that require reactor trip system protective action are as follows: | |||
: a. Generator load rejection above the turbine steam bypass capability | |||
: b. Turbine trip above the turbine steam bypass capability | |||
: c. MSIV closure during operation in the run mode | |||
: d. Turbine pressure regulator failure (valve open) resulting in MSIV closure that is due to dropping line pressure | |||
: e. Excess reactor coolant inventory resulting in turbine trip that is due to high reactor water level | |||
: f. Loss of feedwater flow | |||
: g. Recirculation flow control failure with increasing flow | |||
: h. Control rod-drop accident | |||
: i. LOCA | |||
: j. Main steam line break | |||
: k. Feedwater system piping break CHAPTER 07 7.2-20 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.2.1.2.2 Variables The generating station variables that require monitoring in order to provide protective actions, are identified in Table 7.2-2. | |||
7.2.1.2.3 Sensors A minimum number of LPRMs per APRM are required to provide adequate protective action. This is the only variable that has spatial dependence as discussed in IEEE 279, paragraph 3.3. A discussion of these requirements is in Section 7.6. | |||
7.2.1.2.4 Operational Limits Operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious scram is avoided. It is then verified by analysis that the calculated radioactive material releases are kept within acceptable bounds. Design basis operational limits are listed in Chapter 16. Technical Specifications are based on operating experience and constrained by the safety design basis and the safety analyses. | |||
7.2.1.2.5 Margin Between Operational Limits The margin between operational limits and the levels requiring protective action for the RPS are listed in Chapter 16, Technical Specifications. The margin includes the allowance for instrument accuracy, calibration error, sensor response times, and sensor and setpoint drift. | |||
7.2.1.2.6 Levels Requiring Protective Action Levels requiring protective action are provided in Chapter 16, Technical Specifications. | |||
7.2.1.2.7 Ranges of Energy Supply and Environmental Conditions The RPS 120 V ac power is provided by two static inverter sets that are each fed by two electrical sources, one from the plant auxiliary source and the other from the station batteries. The plant auxiliary source is a 480/120 V transformer, which is supplied through a transfer switch either from a non-Class 1E 440 V MCC or from a non-Class 1E 440 V MCC energized by a non-Class 1E UPS. Voltage regulation of the RPS power source is +/-2% under steady-state conditions. | |||
Environmental conditions for the RPS components inside and outside the containment are discussed in Section 3.11. | |||
7.2.1.2.8 Unusual Events Unusual events are defined as malfunctions, accidents, and other events that could cause damage to safety systems. The following accidents and events are considered: floods; storms; tornadoes; earthquakes; fire; LOCA; pipe break outside containment; feedwater line break; and missiles. | |||
Each of these events is discussed below for the RPS. | |||
: a. Floods The structures containing RPS components are designed to meet the PMF at the site location as described in Section 3.4. This ensures that the structures remain CHAPTER 07 7.2-21 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR water-tight under PMF, including wind-generated wave action and wave run-up. | |||
Therefore, none of the RPS functions is affected by flooding. | |||
: b. Storms and Tornados (RPS Design Bases Unusual Events) | |||
The structures containing RPS components are designed to withstand all credible meteorological events and tornados as described in Section 3.3.2. Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair the RPS capabilities. | |||
: c. Earthquakes (RPS Design Bases Unusual Events) | |||
The structures containing RPS components, except the turbine enclosure, are seismically qualified as described in Sections 3.7 and 3.8. These structures containing RPS components remain functional during and following a SSE. The only RPS components located in the nonseismically qualified turbine enclosure are the sensors and associated cables for turbine stop valve closure, turbine control valve fast closure, turbine stop valve closure, and control valve fast closure bypass. | |||
Since reactor pressure and power trips are diverse to these turbine scram variables, locating these sensors in the turbine enclosure does not compromise the ability of the RPS to provide protective action when required. | |||
: d. Fires (RPS Design Bases Unusual Events) | |||
To protect the RPS from a fire, the RPS trip logics are divided into four separate sections within two separate RPS panels. The sections within a panel are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the RPS functions would not be prevented by the fire. | |||
The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the RPS continues to provide the required protective action. | |||
A nonsafety-related fire detection system using both thermal (rate of temperature rise) and ionization smoke detectors is provided in the PGCC floor sections, termination cabinets, and the space between the slab and the elevated floor in the periphery of the auxiliary equipment room. The entire space, with the exception of the termination cabinets, is protected by a Halon 1301 total flooding fire suppression system. The system is automatically initiated by heat detectors within the protected space. Detection of fire by smoke detectors and automatic initiation of the Halon suppression system are annunciated in the control room. | |||
The control room is provided with ionization smoke detectors. Manual fire fighting capability provided for the control room consists of portable halon fire extinguishers within the control room and carbon dioxide hose stations outside of the control room. Additionally, fire hose stations with hose lines equipped with combination nozzles are installed outside the control room. | |||
These fire protection systems are fully discussed in Section 9.5.1. | |||
: e. LOCA (RPS Design Bases Unusual Events) | |||
CHAPTER 07 7.2-22 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The following RPS components are located inside the drywell and would be subjected to the effects of a design basis LOCA: | |||
: 1. NMS cabling from the detectors to the control room | |||
: 2. MSIV inboard position switches | |||
: 3. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines that terminate outside the drywell | |||
: 4. Drywell pressure instrument taps These items and all RPS Class 1E components are environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11. | |||
: f. Pipe Break Outside Secondary Containment (RPS Design Bases Unusual Events) | |||
This condition would not affect the reliability of the RPS. | |||
: g. Feedwater Break (RPS Design Bases Unusual Events) | |||
This condition would not affect the reliability of the RPS. | |||
: h. Missiles (RPS Design Bases Unusual Events) | |||
See Section 3.5. | |||
7.2.1.2.9 Performance Requirements The minimum performance requirements are referenced in Chapter 16. | |||
A logic combination (one-out-of-two-twice) of instrument channels and their trips, actuated by abnormal or accident conditions, initiates a scram and produces independent logic seal-ins within each of the four logic divisions. The trip conditions are annunciated and recorded on the process computer. The trip seal-in maintains a scram signal condition at the CRD system terminals until the instrument channels have returned within their normal operating range and the seal-in is manually reset by operator action. Thus, once a trip signal is present long enough to initiate a scram, the protective action goes to completion. | |||
7.2.1.3 RPS Final System Drawings The final RPS drawings are processed at two different levels relative to this UFSAR. | |||
: a. System IED and channel logic diagrams are provided in this section. | |||
: b. Detailed circuit diagrams, electrical elementary diagrams, and cabinet and panel layout drawings are listed in Section 1.7. This documentation is complementary to discussions and drawings included in this UFSAR. | |||
CHAPTER 07 7.2-23 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR There are no functional or architectural design basis differences or changes to this system between the approved preliminary PSAR design and the FSAR final design, except for the following changes: | |||
: 1. 600 psi permissive in MSIV closure trip was deleted. | |||
: 2. 15% APRM trip was added. | |||
: 3. Trip units/transmitters were added. | |||
: 4. Logics A3 and B3 were deleted. | |||
A direct comparison of the PSAR and FSAR verifies these observations. | |||
7.2.2 ANALYSIS 7.2.2.1 Reactor Protection System - Instrumentation and Controls 7.2.2.1.1 RPS General Functional Requirements Conformance Presented below are analyses to demonstrate how the various general functional requirements and the specific regulatory requirements listed under the RPS design bases (Section 7.1.2.1) are satisfied. | |||
7.2.2.1.1.1 RPS Conformance to Design Bases Requirements 7.2.2.1.1.1.1 Design Basis (Section 7.1.2.1.1.1.a) | |||
The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are detected and identified, are presented in that chapter. | |||
The design basis from Section 7.1.2.1.1 requires that the precision and reliability of the initiation of reactor scrams be sufficient to prevent or limit fuel damage. | |||
Table 7.2-1 lists the sensors selected to initiate reactor scrams and delineates the needed accuracy, range, and time response for each sensor. This information, along with the information in the Technical Specifications establishes the precision of the RPS variable sensors. | |||
The reliability of the RPS is ensured by design through the selection of reliable components, configuration of components in redundant logic, the use of components based on previous design, and periodic testing. | |||
The selection of scram trip settings has been developed through analytical modeling, experience, historical use of initial setpoints, and adoption of new variables and setpoints as experience was gained. The initial setpoint selection method provided for settings that were sufficiently above the normal operating levels (to preclude the possibilities of spurious scrams or difficulties in operation) but low enough to protect the fuel. As additional information became available or systems were changed, additional scram variables were provided using the above method for initial setpoint selection. The selected scram settings are analyzed to verify that they are conservative and that CHAPTER 07 7.2-24 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR the fuel and fuel barriers are adequately protected. In all cases, previous operating experience and the analytical models have been taken into consideration, so that the specific scram trip point selected is a conservative value that prevents damage to the fuel. | |||
7.2.2.1.1.1.2 RPS Design Basis (Section 7.1.2.1.1.1.b) | |||
The scram initiated by the RCPB high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the RCPB as a result of internal pressure. The MSIV closure scram provides a greater margin to the RCPB pressure safety limit than the high pressure scram does. For turbine-generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the nuclear system pressure safety limit than the high pressure scram does. Chapter 15 identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases. In no case does pressure exceed the RCPB safety limits. | |||
7.2.2.1.1.1.3 RPS Design Basis (Section 7.1.2.1.1.1.d) | |||
The scram initiated by the reactor vessel low water level satisfactorily limits the radiological consequences of gross failure of the RCPB. Chapter 15 evaluates gross failures of the RCPB; in no case does the release of radioactive material to the environment result in exposures that exceed the guide values of applicable published regulations. | |||
7.2.2.1.1.1.4 RPS Design Basis (Section 7.1.2.1.1.1.d) | |||
Scrams are initiated by variables that are designed to indirectly monitor fuel temperature and protect the RCPB. The NMS monitors fuel temperature indirectly using incore detectors. The incore detectors monitor the reactor power level by detecting the neutron level in the core. Reactor power level is directly proportional to neutron level and the heat generated in the fuel. Although the NMS does not monitor fuel temperature directly, by establishing a correlation between fuel temperature and reactor power level, scram setpoints can be determined for protective action, which prevents fuel damage. | |||
The RCPB is protected by monitoring parameters that indicate reactor pressure directly or anticipate reactor pressure increases. Reactor pressure is monitored directly by pressure sensors that are connected directly to the RPV through sensing lines and pressure taps. In addition, reactor pressure transients are anticipated by monitoring the closure of valves that shut off the flow of steam from the RPV and cause rapid pressure increases. The variables monitored to anticipate pressure transients are MSIV position, turbine stop valve closure, and turbine control valve fast closure. If any of these valves were to close, pressure would rise very rapidly. Therefore, the pressure rise is anticipated, and a trip is initiated to minimize the pressure transient. | |||
Chapter 15 identifies and evaluates the conditions that threaten fuel and RCPB integrity. In no case does the core exceed a safety limit. | |||
7.2.2.1.1.1.5 RPS Design Basis (Section 7.1.2.1.1.1.e) | |||
The scrams initiated by the NMS, drywell pressure, reactor vessel pressure, reactor vessel water level, turbine stop valve closure, and the turbine control valve fast closure prevent fuel damage. | |||
The scram setpoints and response time requirements for these variables are referenced in Chapter 16 and have been designed to cover the expected range of magnitude and rates of change during abnormal operational transients without fuel damage. Chapter 15 identifies and evaluates CHAPTER 07 7.2-25 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR the conditions that threaten fuel integrity. With the selected variables and scram setpoints, adequate core margins are maintained relative to thermal-hydraulic safety limits. | |||
7.2.2.1.1.1.6 RPS Design Basis (Section 7.1.2.1.1.1.f) | |||
Neutron flux is the only essential variable with spatial dependence that provides inputs to the RPS. | |||
Neutron flux is monitored both as an indication of average reactor power (APRM upscale trips) and as indication of thermal-hydraulic instability caused power oscillations (OPRM upscale trip). | |||
Two transient analyses are used to determine the minimum number and physical location of required LPRMs for each APRM for average power monitoring. | |||
: a. The first analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum number and locations of detectors needed to provide protective action are determined for this condition. | |||
: b. The second analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a reduction of recirculation flow at a fixed design rate. Again, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum number and locations of detectors needed to provide protective action are determined for this condition. | |||
The results of the two analyses are evaluated and compared to establish the actual minimum number and location of LPRMs needed for each APRM channel. | |||
The OPRM upscale function monitors LPRMs combined into cells of 4 LPRMs each (see Figure 7.2-17). If more than 2 of the 4 LPRMs in an OPRM cell are bypassed the cell is determined to be inoperable and removed from the logic. The minimum required number of operable OPRM cells per APRM channel is determined by performing an analysis that mathematically removes LPRMs (and OPRM cells when the number of remaining LPRMs in a cell falls below the required minimum) and calculates the hot-bundle MCPR change that will result prior to an OPRM trip due to a power oscillation. That calculated value is compared to the hot-bundle MCPR change calculated with no LPRMs bypassed. The minimum required number of operable OPRM cells is that number that assures that the hot-bundle MCPR change that results prior to an OPRM upscale trip is equal to or less than the corresponding value calculated with no LPRMs bypassed (References 7.6-1 through 7.6-4). | |||
Analyses like those discussed above for APRMs have also been conducted for the IRMs. These analyses have established the actual minimum number and location of IRM sensors and channels (Reference 7.2-1). | |||
7.2.2.1.1.1.7 RPS Design Basis (Sections 7.1.2.1.1.1.g.1 through 7.1.2.1.1.1.g.8) | |||
Sensors, channels, and logics of the RPS are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system. | |||
CHAPTER 07 7.2-26 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR The RPS system is a normally energized system. Failure of either RPS power supply results in the de-energization of one of the two pilot solenoids associated with each control rod. Alternate power is available to the RPS buses. A complete loss of electrical power to both power supplies results in a scram. Loss of one or both power supplies does not prevent a reactor scram. | |||
The RPS is designed so that trip variables need only exceed their trip setpoints for a sufficient length of time to de-energize the scram relay contactors and open the seal-in contacts of the associated trip logic. Once this is accomplished, the scram will go to completion, regardless of the state of the variable that initiated the protective action. | |||
When the initiating condition has cleared and a sufficient (10 second) time delay has occurred, the scram logic may be reset only by actuation of the scram reset switches in the control room by the operator. | |||
Reactor protection cabling is routed in separate, totally-enclosed metallic raceways or in embedded PVC conduits for all wiring between sensors, racks, panels, and scram solenoids. | |||
Physical separation and electrical isolation among redundant portions of the RPS are provided by separated process instrumentation, separated racks, separated portions of panels, and separated cabling, as described in Section 7.2.1.1.4.8. This separation ensures that environmental factors, electrical transients, and physical events do not impair the ability of the RPS to respond correctly when required. | |||
The RPS has four divisions housed in two panels in the auxiliary equipment room and one panel in the control room. Each panel has metallic fireproof barriers between divisions. Where equipment from more than one division is in a panel, divisional separation is provided by fire barriers or a physical distance of 6 inches or more where practicable. Where wiring from more than one redundant division is present at a single component, divisional separation is provided by fire barriers on the component, in addition to routing the wiring from the component in separate conduits or by routing wiring in such a way as to prevent any failure within the component from affecting redundant divisions. Separate racks are provided for the reactor protection sensor instrumentation in redundant divisions and they are either installed in different locations or separated by metal barriers. | |||
The ability of the RPS to withstand an SSE is discussed in Section 7.2.2.1.2.1.4. | |||
The ability of the RPS to function properly with a single failure is discussed in Section 7.2.2.1.2.3.1.2. | |||
The ability of the RPS to function properly while any one sensor or channel is bypassed or is undergoing testing or maintenance is discussed in Section 7.2.2.1.2.3.1.11. | |||
The RPS logic circuit is designed so that an automatic scram is initiated when at least one sensor in each trip system for any monitored variable exceeds the scram setpoint. | |||
7.2.2.1.1.1.8 RPS Design Basis (Section 7.1.2.1.1.1.h) | |||
Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant operations supervisory personnel. | |||
CHAPTER 07 7.2-27 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Access control is provided by the use of administration control procedures. These require that approved procedures be used to perform calibration and testing; permission must be obtained before performance of all calibration and testing. It is also required that operations personnel, within the control room, monitor and control access to panels and cabinets within the control room. | |||
Manual bypass of instrumentation and control equipment components is under the control of the control room operator. If the ability to trip some essential part of the system is bypassed during a mode of operation that requires operability of that part of the system, this fact is continuously annunciated in the control room, as described in Section 7.2.2.1.2.1.7. | |||
7.2.2.1.1.1.9 Other RPS Design Basis Requirements The RPS is a one-out-of-two-twice logic system. Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system. However, because the differences are slight, they can be neglected. The dual trip system is advantageous because it can be tested thoroughly during reactor operation without causing a scram. This capability for a thorough testing program significantly increases reliability. | |||
The environment in which the instruments and equipment of the RPS must operate is discussed in Section 3.11. | |||
The control room maximum environment is predicated on supplying the control room with 100% | |||
outside air with no refrigeration. The minimum environment is predicated on a mixture of outside and recirculated air concurrent with minimum equipment heat loss. The RPS components that must function in the environment resulting from a RCPB break inside the drywell are the condensing chambers and the inboard MSIV position switches. Special precautions are taken to ensure their operability after the accident. | |||
The condensing chambers have been qualified by analysis to the applicable ASME Codes. The chamber itself is strictly a mechanical assembly with no moving parts and no active functions. | |||
There is no environmental requirement on the condensing chambers, other than that each maintain its integrity under the most severe environmental condition. The results of the seismic qualification of the condensing chambers are documented in the LGS SQRT Program. | |||
The environmental qualification of the existing MSIV limit switches has been evaluated as part of the LGS environmental qualification program. As a result of the licensees evaluation, the originally supplied limit switches have been replaced with prequalified limit switches. The selection criteria for the replacement switches include qualification levels appropriate for a RCPB break inside the drywell. | |||
Other essential components of the control and electrical equipment are either similar to those that have successfully undergone qualification testing in connection with other projects, or additional qualification testing under simulated environmental conditions has been conducted. | |||
To ensure that the RPS remains functional, the number of operable channels for the essential monitored variables is maintained at or above the minimums referenced in Chapter 16. The minimums apply to any untripped trip system; a tripped trip system may have any number of inoperative channels. Because reactor protection requirements vary with the mode in which the reactor operates, the tables show different functional requirements for the run and startup modes. | |||
These are the only modes in which more than one control rod can be withdrawn from the fully inserted position. | |||
CHAPTER 07 7.2-28 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR In case of a LOCA, reactor shutdown occurs immediately following the accident as process variables exceed their specified setpoint. Operator verification that shutdown has occurred may be made by observing one or more of the following indications: | |||
: a. Control rod status lamps indicating each rod fully inserted | |||
: b. Control rod scram pilot valve status lamps indicating open valves | |||
: c. Neutron monitoring power range channels and recorders downscale | |||
: d. Annunciators for RPS variables and trip logic in the tripped state | |||
: e. Process computer logging of trips and control rod position log Following generator load rejection, a number of events occur in the following chronological order: | |||
: a. The pressure in the hydraulic oil lines to the control valve fast closure solenoid drops, and the pressure sensors provide a trip signal to RPS. Simultaneously the turbine control logic initiates fast opening of the turbine bypass valves which minimizes the pressure from the transient. | |||
: b. The RPS scrams the reactor upon receipt of the turbine control valve fast closure signal, provided that at the time of load rejection the unit load is equal to or greater than 29.5% of rated power output. | |||
The reactor scram is averted, if at the time of load rejection, the unit load is within the capacity of the turbine bypass system. | |||
: c. The APRM Simulated Thermal - Upscale trip setting is automatically reduced from 117% to 97% Simulated Thermal Power, as recirculation flow is run back from 100% to 50% of the rated flow. | |||
The trip settings discussed in Section 7.2.1.1.6.3 are not changed to accommodate abnormal operating conditions. Actions required during abnormal conditions are discussed in Chapter 16. | |||
Transients requiring activation of the RPS are discussed in Chapter 15. The discussions there designate which systems and instrumentation are required to mitigate the consequences of these transients. | |||
Operability of the anticipatory signals from the turbine control valve fast closure or turbine stop valve closure following an SSE is not a system design basis. There is no reason to expect concurrent failures of these trips without the SSE. However, if the gross failure of these trips should occur, the reactor would scram on high neutron flux or high reactor pressure. The results of this event would not be more severe than the one caused by closure of all the MSIVs without the MSIV position switch trip. That event is discussed in Section 5.2.2.2.2.4 as the relief valve sized transient. | |||
7.2.2.1.2 RPS Specific Regulatory Requirements Conformance 7.2.2.1.2.1 RPS Conformance to Regulatory Guides CHAPTER 07 7.2-29 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Conformance of the transmitter/trip unit system used in the RPS is discussed in Licensing Topical Report NEDO-21617-A, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Inputs." Conformance of the other features with the regulatory guides is discussed in the following sections. | |||
7.2.2.1.2.1.1 RPS - Regulatory Guide 1.6 (1971) - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems (Safety Guide 6) | |||
Conformance is discussed in Section 7.1.2.5.1. | |||
7.2.2.1.2.1.2 RPS - Regulatory Guide 1.11 (1971) - Instrument Lines Penetrating Primary Reactor Containment (Safety Guide 11) | |||
Conformance to Regulatory Guide 1.11 is discussed in Section 6.2.4.3. | |||
7.2.2.1.2.1.3 RPS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22) | |||
The system is designed so that it may be tested during plant operation from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram does not occur as a result of the testing. | |||
7.2.2.1.2.1.4 RPS - Regulatory Guide 1.29 (1978) - Seismic Design Classification All electrical and mechanical devices and circuitry between process instrumentation and protection actuators and monitoring of systems important to safety are classified as seismic Category I. | |||
7.2.2.1.2.1.5 RPS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30) | |||
See Section 8.1.6.1.5 and Chapter 17. | |||
7.2.2.1.2.1.6 RPS - Regulatory Guide 1.32 (1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Although not a design basis, an assessment of the LGS design shows that it meets the guidelines of Regulatory Guide 1.32 (1977) and conforms to IEEE 308 (1971). | |||
7.2.2.1.2.1.7 RPS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | |||
: a. Regulatory Positions C.1, C.2, and C.3 Automatic indication is provided in the control room to inform the operator that a system is out-of-service. Indicator lights indicate which part of a system is not operable. System out-of-service annunciators energize whenever one or more of the following conditions occur: | |||
: 1. Trip units are being tested or a gross failure of a transmitter is detected. | |||
CHAPTER 07 7.2-30 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: 2. Trip units are out of their card file, or there is a loss of power to the transmitters, or trip units. | |||
These are the only conditions expected to occur more than once a year that would cause inoperability of the RPS. In addition, there is a switch in the control room that the operator can use to manually bring up the system out-of-service annunciator. | |||
Instruments that form part of a one-out-of-two-twice logic system can be removed from service for calibration. Removal of the instrument from service is indicated in the control room by manual actuation of the system out-of-service annunciator by the system out-of-service switch. | |||
: b. Regulatory Position C.4 All the annunciators can be tested by depressing the annunciator test switches on the control room bench boards. | |||
The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system. | |||
: 1. Individual indicator lights are arranged together on the control room console to indicate what function of the system is out-of-service, bypassed, or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that prevent a system from operating if needed. | |||
: 2. A manual switch is provided for manual actuation to cover out-of-service conditions that could not be automatically annunciated. | |||
: 3. These indication provisions serve to supplement administrative controls and to aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function. | |||
: 4. All system out-of-service annunciator circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects. | |||
: 5. Each indicator light is provided with dual lamps. These are tested periodically, along with the other devices in the circuit. | |||
7.2.2.1.2.1.8 RPS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is obtained by specifying, designing, and constructing the RPS to meet the single failure criterion, section 4.2 of IEEE 279 (1971), "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 (1972), "IEEE Trial Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant instrument tubing, sensors, wiring, logic, and actuators are separated to ensure that a single failure in any portion of the RPS does not prevent protective action. | |||
CHAPTER 07 7.2-31 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it operates properly when required. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing, there are always enough channels and systems available for operation to provide proper protection action. | |||
7.2.2.1.2.1.9 RPS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Means are provided for manual initiation of reactor manual scram at the system level through the use of four, armed push button switches, one for each trip logic. Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry. These switches are located on the control room bench board and are easily accessible to the operator so that action can be taken expeditiously. | |||
The amount of equipment common to the initiation of both manual scram and automatic scram is kept to a minimum through the implementation of manual scram as close to the final devices (scram contactor) as practicable. No single failure in the manual, automatic, or common portions of the protection system prevents initiation of reactor scram by manual or automatic means. | |||
The "minimum of equipment" objective is accomplished for the initiation of manual scram through its implementation "as close as practicable to" the final actuating devices (scram contactor) of the protection system. | |||
Manual initiation of reactor scram, once initiated, goes to completion as required by IEEE 279 (1971), section 4.16. | |||
7.2.2.1.2.1.10 RPS - Regulatory Guide 1.63 (1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants Conformance to Regulatory Guide 1.63 is discussed in Section 8.1.6.1.12. | |||
7.2.2.1.2.1.11 RPS - Regulatory Guide 1.68 (1978) - Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors Conformance to Regulatory Guide 1.68 is discussed in Section 14.2. | |||
7.2.2.1.2.1.12 RPS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Conformance is discussed in Section 8.1.6.14. | |||
7.2.2.1.2.1.13 RPS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants Conformance is discussed in Sections 3.11 and 8.1.6.1.16. | |||
7.2.2.1.2.1.14 RPS - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident Conformance to this guide is discussed in Section 7.5.2.5.1.1.2. | |||
CHAPTER 07 7.2-32 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.2.2.1.2.1.15 RPS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants General compliance for Regulatory Guide 1.100 is found in Section 3.10.2. | |||
7.2.2.1.2.1.16 RPS - Regulatory Guide 1.105 (November 1976) - Instrument Setpoints RPS conformance to this guide is discussed in Section 7.1.2.5.25. | |||
7.2.2.1.2.1.17 RPS - Regulatory Guide 1.118 (June 1978) - Periodic Testing of Electric Power and Protection Systems RPS conformance to this guide is discussed in Section 7.1.2.5.26. | |||
Position C.5 for APRM: | |||
With respect to conformance to position C.5, the inherent time response of the incore sensors used for APRM (fission detectors operated in the ionization chamber mode) is many orders of magnitude faster than the APRM channel response time requirements and the signal conditioning electronics. | |||
The sensors cannot be tested without disconnecting and reconnecting to special test equipment. | |||
7.2.2.1.2.2 RPS Conformance to 10CFR50, Appendix A, General Design Criteria 7.2.2.1.2.2.1 RPS - GDC 1 - Quality Standards and Records The QA program for the system ensures sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application. The QA program is discussed in Chapter 17. | |||
Documents are maintained that demonstrate that all the requirements of the QA program are being satisfied. These records are maintained during the life of the operating licenses. | |||
7.2.2.1.2.2.2 RPS - GDC 2 - Design Bases for Protection Against Natural Phenomena Wind and tornado loadings are discussed in Section 3.3, flood design is described in Section 3.4, and seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10. | |||
7.2.2.1.2.2.3 RPS - GDC 3 - Fire Protection The fire protection system and its design basis are discussed in Section 9.5.1. Fire protection for cable systems is described in Sections 8.3.1.1.7 and 8.3.1.1.8. | |||
7.2.2.1.2.2.4 RPS - GDC 4 - Environmental and Dynamic Effects Design Bases The system is designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including LOCAs. | |||
The system is appropriately protected against dynamic effects including the effects of missiles, pipe whipping, and discharging fluids that may result from equipment failures. Missile protection is discussed in Section 3.5, pipe whip in Section 3.6, and environmental qualification of equipment in Section 3.11. | |||
CHAPTER 07 7.2-33 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.2.2.1.2.2.5 RPS - GDC 10 - Reactor Design The RPS is designed to monitor certain reactor parameters, to sense abnormalities, and to scram the reactor, thereby preventing fuel design limits from being exceeded when trip points are exceeded. Scram trip setpoints are selected based on operating experience and by the safety design basis. There is no case in which the scram trip setpoints allow the core to exceed the thermal-hydraulic safety limits. Power for the RPS is supplied by two independent uninterruptible ac power supplies. | |||
The system is designed to ensure that the specified fuel and RCPB design limits are not exceeded during conditions of normal or abnormal operation. | |||
7.2.2.1.2.2.6 RPS - GDC 12 - Suppression of Reactor Power Oscillations The system design provides protection from excessive fuel cladding temperatures and protects the RCPB from excessive pressures that threaten the integrity of the system. An OPRM Upscale Function BWROG Long Term Stability Solution Option III is incorporated into each APRM channel to detect power oscillations in the operating ranges where thermal-hydraulic instability has been determined to be credible. Upon detection of power oscillations, the OPRM Upscale Function generates a trip signal to RPS which results in an automatic scram to suppress the oscillation before the MCPR Safety Limit is reached. High reliability of the reactor protection system is achieved through the combination of redundant sensors, logic, trip channel actuators, and physical separation of these redundant portions of the RPS. | |||
7.2.2.1.2.2.7 RPS - GDC 13 - Instrumentation and Control Instrumentation is provided to monitor the variables identified in Table 7.2-1 over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions. If these variables exceed a predetermined setpoint, the RPS automatically takes action to ensure the integrity of the reactor core and the RCPB. | |||
7.2.2.1.2.2.8 RPS - GDC 15 - Reactor Coolant System Design The RPS acts to provide sufficient margin to ensure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including anticipated operational occurrences. | |||
If the monitored variables exceed their predetermined settings, the RPS automatically responds to maintain the variables and systems within allowable design limits. | |||
7.2.2.1.2.2.9 RPS - GDC 19 - Control Room Controls and instrumentation for the RPS are provided in the control room to allow the operator to safely shut down the plant. The reactor can also be shut down in an orderly manner from outside the control room as described in Section 7.4.1.4. | |||
7.2.2.1.2.2.10 RPS - GDC 20 - Protection System Functions The RPS constantly monitors the appropriate plant variables to maintain the fuel barrier and primary coolant pressure boundary and initiates a scram automatically when the variables exceed the established setpoints. | |||
CHAPTER 07 7.2-34 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.2.2.1.2.2.11 RPS - GDC 21 - Protection System Reliability and Testability The system is designed with four redundant, independent, and separated channels. No single failure can prevent a scram. Removal from service of any component or channel does not result in loss of the required minimum redundancy. The system can be tested during plant operation to ensure its reliability. | |||
7.2.2.1.2.2.12 RPS - GDC 22 - Protection System Independence The redundant portions of the RPS are separated so that no single failure or credible natural disaster can prevent a scram. Even though the turbine scram inputs originate from the nonseismic turbine enclosure, reactor pressure and power are diverse to these turbine scram variables to ensure protective action during and following a seismic event. Diversity is used to the extent practicable in the monitoring of other variables as described in Section 7.2.1.1.4.6 to prevent loss of the protective function. | |||
7.2.2.1.2.2.13 RPS - GDC 23 - Protection System Failure Modes The RPS is fail-safe. A loss of electrical power, a loss of air supply, or postulated adverse environments do not prevent a scram. | |||
7.2.2.1.2.2.14 RPS - GDC 24 - Separation of Protection and Control Systems The RPS has no control function and no components common to any control systems. There are interlocks to control systems through isolation devices. Failure of any single control system component or channel leaves the integrity of the RPS system intact, without compromising any reliability, redundancy, or independence requirements of the RPS. | |||
7.2.2.1.2.2.15 RPS - GDC 25 - Protection System Requirements for Reactivity Control Malfunctions The system provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier. Any monitored variable that exceeds the scram setpoint initiates an automatic scram and does not prevent the remaining variables from being monitored. Fuel design limits are not exceeded for any single malfunction of the reactivity control system. | |||
7.2.2.1.2.2.16 RPS - GDC 29 - Protection Against Anticipated Operational Occurrences The RPS is highly reliable so that it causes a scram if there are anticipated operational occurrences where any of the RPS trip setpoints are exceeded. | |||
7.2.2.1.2.3 RPS Conformance to Industry Codes and Standards Conformance of the transmitter/trip unit system, used in the RPS, is discussed in Licensing Topical Report NEDO-21617-A, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Inputs." Conformance of the other features with the industry standards is discussed in the following sections. | |||
7.2.2.1.2.3.1 RPS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations CHAPTER 07 7.2-35 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.2.2.1.2.3.1.1 RPS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The following RPS trip variables provide automatic initiation of protective action in compliance with this requirement: | |||
: a. SDV high water level trip | |||
: b. MSIV closure trip | |||
: c. Turbine stop valve closure trip | |||
: d. Turbine control valve fast closure trip | |||
: e. Reactor vessel low water level trip | |||
: f. Left blank intentionally. | |||
: g. Neutron monitoring (APRM) system trip (including OPRM trip) | |||
: h. Neutron monitoring (IRM) system trip | |||
: i. Drywell high pressure trip | |||
: j. Reactor vessel high pressure trip The reactor system mode switch selects appropriate operating bypasses for various RPS variables in the shutdown, refuel, startup, and run modes of operation. Other manual controls, such as the SDV high water level bypass, the manual scram push button switches, and the three-position RPS reset switch are arranged to ensure that the process variables providing automatic initiation of protective action continue to remain in compliance with this requirement. | |||
The three-position RPS reset switch is under the administrative control of the reactor operator. | |||
Since the reset switch does not connect redundant circuits in parallel with the trip logic, failure of the reset switch cannot prevent initiation of protective action. | |||
Manual reset by the operator bypasses the seal-in contact to permit a trip system to be reset to its normally energized state when all process sensor trip channels are within their normal (untripped) range of operation. | |||
The trip system logic, scram contactors, and scram contactor logic are designed to comply with this requirement through automatic removal of electric power to the CRD scram solenoids when one or more RPS variables exceed the specified trip setpoint. | |||
7.2.2.1.2.3.1.2 RPS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The following RPS trip variables are individually implemented with four physically separated, redundant channels in compliance with this requirement: | |||
: a. MSIV closure trip | |||
: b. Turbine stop valve closure trip | |||
: c. Turbine control valve fast closure trip CHAPTER 07 7.2-36 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: d. Reactor vessel low water level trip | |||
: e. Drywell high pressure trip | |||
: f. Reactor vessel high pressure trip | |||
: g. SDV high water level trip The APRM and IRM trips comply with the single failure criterion through the use of physical panel barriers and electrical isolation provisions to provide independence among the two redundant APRM 2-out-of-4 voter channels and four redundant IRM channels in either trip system A or B. | |||
Four redundant APRM channels provide inputs to both trip system A and trip system B. | |||
Redundant sensors, wiring, logic, and actuators are physically separated to prevent a single failure from preventing the protective action. Wiring between redundant portions of the RPS and between RPS and non-Class 1E circuitry is configured to eliminate a possible single failure. | |||
Wiring to each group of scram solenoids is routed in individual raceways separated from wiring to the other groups of scram solenoids. | |||
Wiring from each sensor to the relay cabinets is run in a separate, totally enclosed metallic raceway or embedded PVC conduit to maintain electrical isolation and physical separation among redundant sensor trip channels. | |||
RPS manual controls also comply with the single failure criterion. Four manual scram push buttons are arranged into two groups on one control room panel. The switch contact blocks are physically separated by metal barriers. | |||
The reactor mode switch consists of a single manual actuator connected to four separated switch banks. Each bank is housed within a fire-retardant cover. Contacts from each bank are wired in conduit to a metallic terminal box with separation barriers. | |||
Although the SDV high water level trip bypass is controlled by only one switch, the design of the bypass circuit complies with the single failure criteria. This bypass requires manual operation of a bypass switch and the mode switch to establish four bypass channels; the design of the bypass function complies with this design requirement. For the bypass switch, a single operator connects to two physically and electrically separated blocks of switch contacts within the switch body that separates redundant trip channels. Wiring from the contacts is routed in conduit to separate metallic terminal boxes. One set of switch contacts in conjunction with separated mode switch contacts is used to energize each trip channel bypass relay when the bypass condition is desired. | |||
There is no single failure of this bypass function that could establish a spurious bypass condition of more than one channel. Hence, this function complies with the single failure criterion. | |||
The main steam line valve closure trip operating bypass is implemented with separated mode switch contacts. | |||
The turbine stop valve closure trip and control valve fast closure trip operating bypass complies with the single failure criterion. Nonredundant pairs of pressure sensors are mounted at each of two, physically separated pressure taps located in the turbine steam supply lines upstream of the high pressure turbine first stage. Wiring from the metallic raceway or embedded PVC conduit CHAPTER 07 7.2-37 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR sensors is routed in a TEMR or to the RPS cabinets in the auxiliary equipment room. A single bypass is associated with a single trip channel for stop valve closure and for control valve fast closure. The worst case single failure could result in the bypass of the turbine stop valve closure and turbine control valve fast closure for the A and B trip logics or the C and D trip logics. The logic is arranged so that this failure does not interfere with the normal protective action of the RPS. | |||
The three-position RPS reset switch and associated logic comply with this design requirement. | |||
The reset switch is constructed with a single operator and two physically and electrically separated contact blocks. The wires from the contact blocks go through conduit to metallic terminal boxes. | |||
Since the opening of the process sensor trip channel contact is the initiating event for reactor scram, failure of the reset switch does not prevent de-energization of the trip actuators during the time interval that the process actually exceeds the trip setpoint. | |||
Those portions of the RPS downstream of the trip channels also comply with this design requirement. Any postulated single failure of a given trip logic does not affect the remaining three trip logics. Similarly, any single failure of a scram contactor does not affect the remaining scram contactors, and any single failure of one trip logic does not affect the other trip logics. The cabling associated with one control rod group is routed in conduit that is physically separated from similar cabling associated with the other control rod groups. Cabling from the scram contactor logic to the scram solenoid groups is routed in individual, totally-enclosed, metallic raceway or in PVC conduits when embedded in concrete to comply with this design requirement. Because both the "A" or "B" solenoid valves must de-energize to scram, the wiring of these two solenoids for one control rod group is routed together within a single raceway, separate from all other wiring. | |||
7.2.2.1.2.3.1.3 RPS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All RPS trip variables are implemented with components and modules used on previous GE BWR plants and that exhibit high quality and high reliability characteristics. | |||
The selected RPS manual switches are also of high quality and reliability. | |||
The four pressure sensors selected for the turbine stop valve closure and control valve fast closure operating bypass are of high quality and reliability. | |||
The RPS trip system logic consists of series-connected relay contacts from the trip channel output relays. The relays are of high quality and reliability. | |||
The RPS scram contactor logic consists of interconnecting trip logics to form a trip system by means of scram contactor contacts. The scram contactors are of high quality and reliability. | |||
7.2.2.1.2.3.1.4 RPS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Qualification tests of RPS equipment are conducted to confirm their adequacy. Details of this testing are contained in Section 3.10 and 3.11. In addition, the vendor is required to certify that the sensors associated with each of the RPS trip variables, manual switches, and trip logic components perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the qualification tests and existing field experience with these components in this application, serves to qualify these components. | |||
CHAPTER 07 7.2-38 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Qualification tests of the panels are conducted to confirm their adequacy. Details of this testing are contained in Sections 3.10 and 7.1.2.7.4. | |||
7.2.2.1.2.3.1.5 RPS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity All the components of the RPS trip variables are specified to operate under normal and abnormal conditions of environment, energy supply, and accidents, except as follows: | |||
: a. Turbine stop valve closure trip (not guaranteed to operate under an SSE design basis event) | |||
: b. Turbine control valve fast closure trip (not guaranteed to operate under an SSE design basis event) | |||
: c. Turbine stop valve bypass circuit (not guaranteed to operate under an SSE design basis event) | |||
The RPS trip systems, trip logics, and scram contactors are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents. | |||
The cables for the turbine stop valves and fast closure valves are run in protective conduit from the sensor to the seismic Category I qualified auxiliary equipment room. Each channel is run in its own conduit which provides the required separation. Starting at the sensor is a flexible metallic conduit section which is connected to a rigid steel conduit section leading to the flooring. The cables are routed in PVC conduit embedded in the floor from the turbine enclosure to the auxiliary equipment room, which contains the reactor trip system. | |||
Table 7.3-6 shows these and other sensors and circuits located in nonseismically qualified structures. Drawings showing the cable routing are E-1112, E-1121, E-1124, E-1125, and E-1183. | |||
The applicable sensors shown on E-1112 are ZS01-104A through D and PS01-102A through D. | |||
The routing of the four cables, each in its own separate run, to the trip sensors in the turbine enclosure for the turbine stop valve and turbine valve fast closure trips is such that the only credible failures that will challenge the system are: 1) a SSE, 2) a turbine missile, and 3) a HELB. The expected failure mode caused by these events would be loss of the sensors due to opening or loss of continuity, which would result in a reactor trip. | |||
If the trip sensors failed closed or shorted due to the fault, the reactor pressure and reactor power trips, which are diverse, will still function to prevent damage to the reactor. Shorting of a single sensor would not prevent protective action by the other sensors. Each of the inputs is isolated from the remainder of the RPS logic by the use of interposing relays. If a sensor circuit opened, the signal would be a trip from that input. | |||
7.2.2.1.2.3.1.6 RPS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The four redundant trip channels for the following RPS trip variables are physically separated from one another to meet this design requirement: | |||
: a. SDV high water level trip | |||
: b. Turbine stop valve closure trip CHAPTER 07 7.2-39 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: c. Turbine control valve fast closure trip | |||
: d. Reactor vessel low water level trip | |||
: e. Left blank intentionally. | |||
: f. Drywell high pressure trip | |||
: g. Reactor vessel high pressure trip. | |||
The individual switch boxes for the turbine variables are physically separated. | |||
The MSIV closure trip is derived from 8 individual channels. Two channels associated with each trip logic are separated as shown in Figure 7-2.8. | |||
The 8 IRM and 4 APRM channels and 4 APRM 2-out-of-4 voter channels are electrically isolated and physically separated from one another so as to comply with this design requirement. | |||
The redundant scram push buttons are physically separated and electrically isolated to comply with this design requirement. | |||
The mode switch banks are physically separated and electrically isolated to comply with this design requirement. | |||
The circuitry for the RPS operating bypasses complies with this design requirement. Sufficient physical separation and electrical isolation of redundant circuits exists to ensure that the operating bypass channels are satisfactorily independent. | |||
The four RPS reset channels to the trip logics are physically separated and electrically isolated. | |||
Similarly, the four RPS trip logics and scram contactors are physically separated. The wiring to each rod group scram schedules A and B is routed in TEMRs with module wiring. The details of the physical independence provided between redundant channels are in Section 7.1.2.2.3.2.1. | |||
7.2.2.1.2.3.1.7 RPS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The RPS is electrically isolated from the plant control systems in compliance with this design requirement. | |||
Each trip channel output relay uses one contact within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room, and another contact on each relay is wired to the process computer cabinets to provide a written log of the channel trips. There is no single failure that prevents proper functioning of any protective function when it is required. | |||
The MSIV and turbine stop valve limit switch contacts for RPS use are routed through TEMRs separated from the other limit switches used for indicator lights in the control room. After the cabling emerges from the limit switch junction box associated with each MSIV or turbine stop valve, it is routed in Class 1E raceway to the RPS panels in the auxiliary equipment room. | |||
Turbine control valve fast closure pressure sensor outputs for RPS use are routed separately relative to other outputs used for indicator lights and turbine control purposes. After the cabling CHAPTER 07 7.2-40 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR emerges from the junction boxes, it is routed in Class 1E raceway to the logic cabinets in the auxiliary equipment room. | |||
Within the IRM modules (i.e., before their output trip unit driving the RPS), analog outputs are derived for use with control room meters, recorders, and the process computer. Electrical isolation is incorporated into the design at this interface to prevent any single failure from influencing the protective output from the trip unit. The trip unit outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panels. | |||
Within the APRM equipment (i.e., before their output trip driving the RPS), analog outputs are derived for use with control room meters and recorders. Electrical isolation is incorporated into the design at this interface to prevent any single failure from influencing the protective trip output. The trip outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panel. | |||
The manual scram push buttons have no control interaction. | |||
The reactor system mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement. Additional contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator. No control functions are associated with the mode switch. Hence, the switch complies with this design requirement. The system interlocks to control systems only through isolation devices so that no failure or combination of failures in the control system has any effect on the RPS. | |||
The RPS SDV high water level trip operating bypass complies with this design requirement. For each trip channel, one contact is used in the bypass logic. One contact of each relay is also wired to a common annunciator in the control room. One contact from A1 and one contact from B1 trip systems are wired to the control rod block circuitry to prevent rod withdrawal whenever the trip channel bypass is in effect. The system interlocks for control rod block are through isolation devices so that no failure or combination of failures in the control system has any effect on the RPS. | |||
The MSIV closure trip bypass has no interaction with any control system in the plant. Two contacts of each relay are used to initiate a control room annunciator for this bypass function. | |||
Turbine stop valve and control valve trip bypasses have no interaction with any control system in the plant. One output relay contact is used in the RPS trip logic, one output relay contact is used in the Recirc Pump Trip circuitry, and one additional contact from each relay is used to initiate a control room annunciator for this bypass function. | |||
Switch contacts of the three-position reset switch are used only to control auxiliary relays. | |||
Contacts from the relays are used only in the scram contactor coil circuits. Consequently, this RPS function has no interaction with any other system in the plant. | |||
The four RPS trip logics are totally separate from all other plant systems. The RPS trip logics use the power contacts of the scram contactors to provide the scram contactor logic and the seal-in contact of the trip logics, and use auxiliary contacts for control room annunciation, the process computer inputs, and initiation of the backup scram valves. Because of the design of this output CHAPTER 07 7.2-41 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR and separation of the cabling, there is no interaction with control systems of the plant. The scram solenoids are physically separate and electrically isolated from the other portions of the CRD HCU. | |||
In summary, the transmission of signals from the RPS to control systems is through isolation devices that are part of the RPS. No credible failure at the output of these isolation devices can prevent the RPS from meeting its minimum performance requirements. No single random failures can cause a control system action that results in a condition requiring action by the RPS that can also disable a portion of the RPS designed to protect against that condition. | |||
An SSE is the only single credible event that can cause a control system action resulting in a condition requiring protective action and that can concurrently prevent operation of a portion of the RPS. In an SSE, the turbine stop valve closure trip and the turbine control valve fast closure trip may be disabled. The reactor vessel high pressure and high power trips provide diverse protection for this event. | |||
7.2.2.1.2.3.1.8 RPS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The following RPS trip variables are direct measures of a reactor overpressure condition, a reactor overpower condition, a gross fuel damage condition, or abnormal conditions within the RCPB: | |||
: a. Reactor vessel low water level trip | |||
: b. Left blank intentionally. | |||
: c. Neutron monitoring (APRM) system trip | |||
: 1. Neutron flux trip | |||
: 2. Simulated thermal power trip | |||
: 3. OPRM upscale trip | |||
: d. Neutron monitoring (IRM) system trip | |||
: e. Drywell high pressure trip | |||
: f. Reactor vessel high pressure trip The measurement of SDV water level is an appropriate variable for this protective function. The desired variable is "available volume" to accommodate a reactor scram. However, the measurement of consumed volume is sufficient to infer the amount of remaining available volume, because the total volume is a fixed, predetermined value established by the design. | |||
The measurement of MSIV position and turbine stop valve position is an appropriate variable for the RPS. The desired variable is "loss of the reactor heat sink"; however, isolation or stop valve closure is the logical variable from which to infer that the steam path has been blocked between the reactor and the heat sink. | |||
Because of the normal throttling action of the turbine control valves with changes in the plant power level, measurement of control valve position is not an appropriate variable from which to infer the desired variable, which is "rapid loss of the reactor heat sink." Consequently, a measurement of valve closure rate is necessary. | |||
CHAPTER 07 7.2-42 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Protection system design practice has discouraged the use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation would be a more positive means of determining fast closure of the control valves. | |||
Loss of hydraulic pressure in the EHC oil lines, which initiates fast closure of the control valves, is monitored. These measurements indicate that fast closure of the control valves is imminent. | |||
This measurement is adequate and a proper variable for the protective function, taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of control valve fast closure rate. | |||
Since the mode switch is used to bypass certain RPS trips depending on the operating state of the reactor, the selection of particular contacts to perform this logic operation is an appropriate means for obtaining the desired function. | |||
The turbine stop valve closure trip and control valve fast closure trip operating bypass permits continued reactor operation at low power levels when the turbine stop or control valves are closed. | |||
The selection of turbine first-stage pressure is an appropriate variable for this bypass function. In the power range of reactor operation, turbine first-stage pressure is essentially linear with increasing reactor power. Consequently, this variable provides the desired measurement of power level. | |||
7.2.2.1.2.3.1.9 RPS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks During reactor operation, the analog outputs of each of the four redundant transmitters for the following RPS trip variables may be directly cross-compared to meet this requirement: | |||
: a. Reactor vessel low water level trip | |||
: b. Drywell high pressure trip | |||
: c. Reactor vessel high pressure trip During reactor operation, one transmitter of each of these variables may also be valved out of service at a time to perform calibration. During this test, operation of the sensor and the RPS trip unit and relay may be confirmed. At the conclusion of the test, administrative control must be used to ensure that the sensor has been properly returned to service. | |||
In addition, the trip unit associated with these variables may be tested by injecting an electronic calibration signal into the trip unit input. | |||
During reactor operation, the sensors associated with the SDV high water level trip may be valved out of service to perform a functional test. During the test, one RPS trip logic is tripped and produces both control room annunciation and computer logging of the trip. At the conclusion of the test, administrative control is used to ensure that the sensors have been returned to service. | |||
The MSIV position switches are tested during valve movements that cause the limit switches to operate at the setpoint value of the valve position. | |||
The eight MSIV isolation channels are combined into the four RPS logics as follows: | |||
CHAPTER 07 7.2-43 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: a. A1 (tripped) = inboard or outboard valve partially closed in main steam line A, and inboard or outboard valve partially closed in main steam line B | |||
: b. A2 (tripped) = inboard or outboard valve partially closed in main steam line C, and inboard or outboard valve partially closed in main steam line D | |||
: c. B1 (tripped) = inboard or outboard valve partially closed in main steam line A, and inboard or outboard valve partially closed in main steam line C | |||
: d. B2 (tripped) = inboard or outboard valve partially closed in main steam line B, and inboard or outboard valve partially closed in main steam line D For any test of a single valve closure, two of the eight instrument channels are placed in a tripped condition, but none of the channel logics is tripped, and no RPS annunciation or NSSS computer logging occurs. This arrangement permits single valve testing without corresponding tripping of the RPS. At full power operation the main steam line closure logic test switch for one main steam line may be opened, and the other MSIV may be closed to produce a channel trip with annunciation and computer output. | |||
At reduced power levels, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. For example, closure of one valve in main steam line A and another valve in main steam line B produces an A1 logic trip and does not produce trips in A2, B1, or B2 channel logic circuits. These observations are another important test result that confirms proper RPS operation. | |||
In sequence, each possible combination of single valve closure and switch operation is performed to confirm proper operation of all eight instrument channels. | |||
The turbine stop valve position switches are also tested during valve movements that cause the limit switches to operate at the setpoint value. | |||
The eight turbine stop valve isolation channels are combined into the four RPS logics as follows: | |||
: a. A1 (tripped) = turbine stop valve 3 partially closed, and turbine stop valve 4 partially closed | |||
: b. A2 (tripped) = turbine stop valve 1 partially closed, and turbine stop valve 2 partially closed | |||
: c. B1 (tripped) = turbine stop valve 1 partially closed, and turbine stop valve 3 partially closed | |||
: d. B2 (tripped) = turbine stop valve 2 partially closed, and turbine stop valve 4 partially closed For any test of a single stop valve closure, two of the eight instrument channels are placed in a tripped condition, but none of the RPS trip logics is tripped, and no RPS annunciation or NSSS computer logging occurs. This arrangement permits single valve testing without corresponding tripping of the RPS, and the observation that no RPS trips result is a valid and necessary test CHAPTER 07 7.2-44 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR result. At full power, the stop valve logic test switch can be activated and the other stop valve in the same logic can be closed, causing a logic trip with annunciation and computer logging. | |||
At reduced power levels, but greater than 29.5% of rated power, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. These observations are another important test result that confirms proper RPS operation. | |||
In sequence, each possible combination of single valve closure and test switch operation is performed to confirm proper operation of all eight instrument channels. | |||
The turbine control valve fast closure EHC oil pressure sensors may be tested during the routine turbine system tests. During any control valve fast closure test, one RPS trip logic is tripped and produces both control room annunciation and computer logging of the trip. | |||
The four RPS instrument logics are arranged as follows, assuming initial operation above 29.5% of rated power: | |||
: a. A1 (tripped) = pressure switch A loss of oil pressure | |||
: b. A2 (tripped) = pressure switch B loss of oil pressure | |||
: c. B1 (tripped) = pressure switch C loss of oil pressure | |||
: d. B2 (tripped) = pressure switch D loss of oil pressure During reactor operation in the run mode, the IRM detectors are stored below the reactor core in a low flux region. Movement of the detectors into the core permits the operator to observe the instrument response from the different IRM channels and confirms that the instrumentation is operable. | |||
Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input, and each IRM instrument channel may be calibrated by introducing an external signal source into the amplifier input. | |||
During these tests, proper instrument response may be confirmed by observation of instrument lights in the control room and trip annunciators. | |||
Proper operation of the mode switch may be verified by the operator during plant operation by performing certain sensor tests to confirm proper RPS operation. Movement of the mode switch from one position to another is not required for these tests, since the connection of appropriate sensors to the RPS logic as well as the bypass of inappropriate sensors may be confirmed from the sensor tests. | |||
7.2.2.1.2.3.1.10 RPS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The following RPS trip variable sensors may be tested by cross-comparison of channels. They also have provisions for sensor test and calibration during reactor operation in compliance with this design requirement. See Section 7.1.3. | |||
: a. Reactor vessel low water level trip CHAPTER 07 7.2-45 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: b. Neutron monitoring (APRM) system trip (including OPRM trip) | |||
: c. Neutron monitoring (IRM) system trip | |||
: d. Drywell high pressure trip | |||
: e. Reactor vessel high pressure trip. | |||
A test of individual SDV water level switches can be performed during full power operation by valving out the sensor and injecting water into a test tap. At plant shutdown, the level switches may be calibrated by introducing a fixed volume of water into the discharge volume and observing that all level switches operate at the specified capacity. | |||
During plant operation the operator can set the turbine stop valve or main steam line closure logic test switch in a test position and actuate the other valve, which results in a logic trip, with annunciation and computer logging. The operator can confirm that the MSIV and turbine stop valve limit switches operate during valve motion, from fully open to fully closed and vice-versa, by comparing the time that the RPS channel trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fully open and fully closed. This test does not confirm the exact setpoint but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. During reactor shutdown, calibration of the MSIV and turbine stop valve limit switch setpoint is possible by physical observation of the valve stem. | |||
During reactor operation, the operability of the individual EHC oil line pressure sensors associated with turbine control valve fast closure is confirmed during each test of the turbine control valve closure. Calibration of the sensor may be accomplished by valving one sensor out-of-service at a time and introducing a test pressure input during shutdown. | |||
The APRMs are calibrated to reactor power by using a reactor heat balance and the TIP system to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined. | |||
The gain adjustment factors for the LPRMs are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These adjustments, when incorporated into the LPRMs, permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power. | |||
During reactor operation, one manual scram push button may be depressed to test the proper operation of the switch and trip logic relay. Once the RPS has been reset, the other switches may be depressed to test their operation one at a time. For each such operation, a control room annunciation is initiated and the process computer logs the trip. | |||
Operation of the reactor mode switch from one position to another may be employed to confirm certain aspects of the RPS trip channels during periodic test and calibration at shutdown only. | |||
During tests of the trip channels, proper operation of the mode switch contacts may be easily verified by noting that certain sensors are connected into the RPS logic and that other sensors are bypassed in the RPS logic in an appropriate manner dependent on the position of the mode switch. | |||
CHAPTER 07 7.2-46 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR In the startup and run modes of plant operation, tests confirm that SDV high water level trip channels cannot be bypassed as a result of the operating bypass switches. In the shutdown and refuel modes of plant operation, tests may be used to bypass all four scram discharge volume trip channels. Because of the discrete on-off nature of the bypass function, calibration is not meaningful. | |||
Administrative control must be exercised to valve one turbine first-stage pressure sensor out-of-service for the periodic test. During this test, a variable pressure source may be introduced to operate the sensor at the setpoint value. When the condition for bypass has been achieved on an individual sensor under test, the control room annunciator for this bypass function is initiated. If the RPS trip channel associated with this sensor has been in its tripped state, the process computer logs the return-to-normal state for the RPS trip logic. When the plant is operating above the switch setpoint, testing of the turbine stop valve and control valve fast closure trip channels confirms that the bypass function is not in effect. | |||
Operation of the three-position RPS reset switch following a trip of one RPS trip system confirms that the switch is performing its intended function. Operation of the reset switch following trip of both RPS trip systems confirms that all portions of the switch and relay logic are functioning properly, since half of the scram contactors are returned to a normal state for each actuation of the switch. | |||
The manual scram switches permit each trip logic, scram contactor, and scram contactor logic to be tested on a periodic basis. Testing of each process sensor of the protection system affords an opportunity to verify proper operation of these components. Calibration of the time response of the trip channel relays and trip logics may be accomplished by the connection of external test equipment. | |||
7.2.2.1.2.3.1.11 RPS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation The following RPS trip variables have no provision for sensor removal from service because of the use of valve position limit switches as the channel sensor: | |||
: a. MSIV closure trip | |||
: b. Turbine stop valve closure trip During periodic testing of any one of the following trip channels, a sensor may be valved out of service and returned to service under administrative control procedures. Since only one sensor is valved out-of-service at any given time during the test interval, protective capability for the following RPS trip variables is maintained through the remaining redundant instrument channels: | |||
: a. SDV high water level trip | |||
: b. Turbine control valve fast closure trip | |||
: c. Reactor vessel low water level trip | |||
: d. Drywell high pressure trip | |||
: e. Reactor vessel high pressure trip CHAPTER 07 7.2-47 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR A sufficient number of IRM channels are provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the IEEE 279 single failure design requirements. | |||
One IRM manual bypass switch is provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be bypassed at any time. To accommodate a single failure of this bypass switch, electrical interlocks are incorporated into the bypass logic to prevent the bypassing of more than one IRM in that trip system at any time. Consequently, with any IRM bypassed in a given trip system, three IRM channels remain in operation to satisfy the protection system requirements. | |||
One manual APRM bypass switch is provided for all four APRM channels. This is a mechanical/optical switch which allows only one APRM channel to be bypassed at any time. This interlock is accomplished independently in each of the APRM 2-out-of-4 voter channels. With any one APRM channel bypassed, the three remaining operating channels provide the necessary protection of the reactor. | |||
None of the APRM 2-out-of-4 voter channels may be bypassed. | |||
7.2.2.1.2.3.1.12 RPS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses The following RPS trip variables have no provision for an operating bypass: | |||
: a. Reactor vessel low water level trip | |||
: b. Left blank intentionally. | |||
: c. Neutron monitoring (APRM) system trip | |||
: d. Drywell high pressure trip | |||
: e. Reactor vessel high pressure trip An operating bypass of the SDV high water level trip is provided in the control room for the operator to use to bypass the trip outputs in the shutdown and refuel modes of operation. Control of this bypass is achieved through administrative means, and its only purpose is to permit reset of the RPS following reactor scram. The bypass is manually initiated and must be manually removed to commence withdrawal of control rods after a reactor shutdown. | |||
An operating bypass is provided for the MSIV closure trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in the shutdown, refuel, or startup positions. The only purpose of this bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the MSIVs closed or not fully open. | |||
The operating bypasses of the NMS are controlled by the reactor mode switch located on the control room reactor control bench board. When the reactor mode switch is in the RUN mode, the IRM trips are bypassed; protection is provided by the APRM and OPRM trips. When the reactor mode switch is not in the RUN mode, the IRM and APRM flux trips are active, but the OPRM trip is bypassed. As reactor power is increased and the APRM system reaches CHAPTER 07 7.2-48 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR its operating range, by procedure the IRM detectors are withdrawn from the reactor core. When reactor power is decreased to the IRM operating range, by procedure the IRM detectors are inserted into the reactor core. | |||
For each of these operating bypasses, four independent bypass channels are provided through the mode switch to ensure that all of the protection system criteria are satisfied. | |||
An operating bypass of the turbine stop valve and control valve fast closure trip is provided whenever the turbine is operating at a low initial power level. The purpose of the bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the turbine stop valves not fully open. | |||
During normal plant operation above the switch setpoint, the bypass is automatically removed. | |||
Under these conditions, removal of the bypass for periodic testing is permitted, since it has no effect on plant safety. Under plant conditions below the switch setpoint, one bypass channel may be removed from service at a time without initiating protective action or affecting plant safety. This removal from service is accomplished under administrative control of plant personnel. | |||
7.2.2.1.2.3.1.13 RPS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses The mode switch produces operating bypasses that need not be annunciated, because they are numbered by manual reactor operating sequence. | |||
The control room operator must exercise administrative control over the valving out-of-service of one RPS trip variable sensor at a time. The out-of-service condition is manually alarmed as described in Section 7.2.2.1.2.1.7. Once a sensor is removed from service and a simulated test signal is introduced in excess of the setpoint, a control room annunciator indicates the tripped condition, and the process computer provides a typed record of the channel identification. The trip unit in calibration also causes actuation of the system out-of-service annunciator. | |||
When any IRM or APRM instrument channel output to the RPS is bypassed, this fact is indicated by lights for each channel located on the control room panels. | |||
Operating bypasses are annunciated in the control room. The SDV high water level trip operating bypass, the MSIV closure trip operating bypass, and the turbine stop valve closure and control valve fast closure trips operating bypass are individually annunciated to the operator. | |||
When the conditions for any single bypass channel are satisfied, the control room operator is notified by an annunciator for the particular set of bypass conditions. Bypassing is not allowed in the trip logic or scram contactor logic. | |||
7.2.2.1.2.3.1.14 RPS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing All instrumentation valves associated with the periodic testing of individual RPS trip variable sensors are under administrative control. | |||
During periodic testing, administrative control procedures must be followed to remove one main steam line high radiation monitor from service and subsequently return it to service. | |||
CHAPTER 07 7.2-49 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Manual bypassing of any IRM or APRM channel is accomplished with control room selector switches under the administrative control of the operator. | |||
Manual controls for the SDV high water level trip operating bypass and the MSIV closure trip operating bypass are located in the control room and are under the direct administrative control of the operator. Manual key-lock switches are used to control these operating bypasses. | |||
The mode switch is a key-lock switch under the administrative control of plant personnel. Since other controls must be operated or other sensors must be in an appropriate state to complete the operating bypass logic, the mode switch itself satisfies this requirement. | |||
Under normal operating conditions, all four channels of the turbine stop valve closure trip and control valve fast closure trip operating bypass are in operation and are automatically removed from service as reactor power is increased above the switch setpoint and are automatically reinstated as reactor power is reduced below this same setpoint. During periodic testing of each bypass channel, one sensor is removed from service under administrative control. | |||
7.2.2.1.2.3.1.15 RPS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The design requirement is not applicable to the following RPS trip variables, because the setpoint values are fixed and do not vary with other reactor or plant parameters: | |||
: a. SDV high water level trip | |||
: b. MSIV closure trip | |||
: c. Turbine stop valve closure trip | |||
: d. Turbine control valve fast closure trip | |||
: e. Reactor vessel low water level trip | |||
: f. Left blank intentionally. | |||
: g. Neutron monitoring neutron flux and OPRM trips | |||
: h. Drywell high pressure trip | |||
: i. Reactor vessel high pressure trip The trip setpoint of each IRM channel is established at a fixed percentage of full-scale for each range of IRM operation. The IRM is a linear, half decade per range instrument. Therefore, as the operator switches an IRM from one range to the next, the trip setpoint tracks the operator's selection. In the startup mode the APRM Neutron Flux - Upscale trip setpoint is reduced to 15% of Rated Thermal Power. | |||
In the run mode, the APRM Simulated Thermal Power - Upscale trip varies automatically with recirculation flow. For further discussion, see Section 7.6.1.4. | |||
Each of these multiple setpoint provisions is a portion of the RPS and complies with the design requirements of IEEE 279. | |||
CHAPTER 07 7.2-50 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Operation of the mode switch from one position to another bypasses various RPS trip channels in accordance with the reactor conditions implied by the given position of the mode switch. This action does not influence the established setpoint of any given RPS trip channel, but merely connects one set of channels as another set is disconnected. Consequently, the mode switch meets this design requirement. | |||
7.2.2.1.2.3.1.16 RPS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated It is only necessary that the instrument channel remain in a tripped condition for a sufficient length of time to de-energize the scram contactors and open their seal-in contacts. | |||
Once the manual scram push buttons are depressed, it is only necessary to maintain them in that condition until the scram contactors have de-energized and opened their seal-in contacts. | |||
The function of the mode switch is to provide appropriate RPS trip channels for the RPS trip logic on a steady-state basis for each of four given reactor operating states: shutdown, refuel, startup, and run. Protective action, in terms of the needed transient response, is derived from the other portions of the trip channels independent of the mode switch. Hence, the mode switch does not influence the completion of protective action in any manner. | |||
The turbine operating bypass is put into effect only when the turbine first-stage pressure is at or below a preset level. For plant operation above this setpoint, the trip channels initiate protective action once the scram contactors have de-energized and opened the seal-in contact. | |||
The interface of the RPS trip logic and the scram contactors ensures that this design requirement is accomplished. The trip logic is normally energized and is sealed in by one of the contacts of the scram contactor. Once the trip logic has been open-circuited as a result of a process sensor trip channel becoming tripped or the depression of a manual scram push button, the scram contactor seal-in contact opens, and completion of protective action is directed without regard to the state of the initiating process sensor trip channel. | |||
Reset of the RPS logic is permissible only after a 10 second time delay and requires deliberate operator action. | |||
7.2.2.1.2.3.1.17 RPS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation Four manual scram push button controls are provided on one control room panel to permit manual initiation of reactor scram at the system level. Failure of an automatic RPS function cannot prevent the manual portions of the system from initiating the protective action. The manual scram push buttons are wired as close as is practicable to the scram contactor coil circuits to minimize the dependence of manual scram capability on other equipment. | |||
Additional backup to these manual controls is provided by the shutdown position of the reactor system mode switch. | |||
No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram. | |||
7.2.2.1.2.3.1.18 RPS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points CHAPTER 07 7.2-51 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR During reactor operation, access to setpoint or calibration control is not possible for the SDV high water level trip. (The instrument is accessible, but the setpoint is not adjustable). | |||
Access to setpoint adjustments, calibration controls, and test points for the following RPS trip variables is under the administrative control of plant personnel: | |||
: a. Main steam line isolation valve closure trip (accessible with radiation exposure) | |||
: b. Turbine stop valve closure trip (accessible with radiation exposure) | |||
: c. Turbine control valve fast closure trip (accessible with radiation exposure) | |||
: d. Turbine stop valve closure and turbine control valve fast closure trip bypass (accessible with radiation exposure) | |||
: e. Reactor vessel low water level trip | |||
: f. Left blank intentionally. | |||
: g. Neutron monitoring (APRM) system trip (including OPRM trip) | |||
: h. Neutron monitoring (IRM) system trip | |||
: i. Drywell high pressure trip | |||
: j. Reactor vessel high pressure trip 7.2.2.1.2.3.1.19 RPS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions When any one of the redundant sensors exceeds its setpoint value for the following RPS trip variables, a control room annunciator is initiated to identify the particular variable: | |||
: a. SDV high water level trip | |||
: b. Turbine control valve fast closure trip | |||
: c. Reactor vessel low water level trip | |||
: d. Left blank intentionally. | |||
: e. Neutron monitoring (APRM) system trip (including OPRM trip) | |||
: f. Neutron monitoring (IRM) system trip | |||
: g. Drywell high pressure trip | |||
: h. Reactor vessel high pressure trip Identification of the particular trip channel exceeding its setpoint is accomplished as a typed record from the process computer or visual observation of the annunciators. | |||
CHAPTER 07 7.2-52 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR When any manual scram push button is depressed, a control room annunciation is initiated and a process computer record is produced to identify the tripped RPS trip logic. | |||
Identification of the mode switch in shutdown position scram trip is provided by the manual scram annunciator and the process computer trip logic identification printout. | |||
Partial or full closure of any MSIV or turbine stop valve causes a change in the status of position indicator lights in the control room. These indications are not a part of the RPS, but they do provide the operator with valid information pertinent to the valve status. Partial or full closure of one or both valves in a particular set of two main steam lines initiates a control room annunciator when the trip setpoint has been exceeded. A turbine stop valve closure trip will be indicated if an RPS channel is tripped by a two-out-of-four valve closure combination. This information is displayed on panel 1AC803 (reactor control annunciator panel) and on the main turbine annunciator panel (1BC807). The closed position of each turbine stop valve is also indicated in the control room using a position switch independent of those used in the RPS logic and powered from a separate electrical power source. This same condition permits identification of the tripped channels in the form of a typed record from the process computer or by visual observation of the valve position indicator lights. | |||
NMS annunciators provided in the control room indicate the NMS RPS trip. The process computer provides a typed record of the tripped NMS channel as well as identification of individual IRM and APRM channel trips. | |||
Two control room annunciators are provided to identify the tripped portions of the RPS in addition to the previously described trip channel annunciators: | |||
: a. A1 or A2 trip logics tripped | |||
: b. B1 or B2 trip logics tripped These same functions are connected through independent auxiliary contacts of the scram contactors to the process computer to provide a typed record of the relay operations. | |||
7.2.2.1.2.3.1.20 RPS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The data presented to the control room operator for each of the RPS trip variables complies with this design and provide accurate, complete, and timely information pertinent to the status of the RPS. The design minimizes the development of conditions that would cause anomalous indications that are confusing to the operator. | |||
7.2.2.1.2.3.1.21 RPS - IEEE 279 (1971), Paragraph 4.21 - System Repair During periodic testing of the sensor channels for the following RPS trip variables, the operator can determine any defective component and replace it during plant operation: | |||
: a. SDV high water level trip | |||
: b. Reactor vessel low water level trip | |||
: c. Drywell high pressure trip CHAPTER 07 7.2-53 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR | |||
: d. Reactor vessel high pressure trip During periodic testing of the sensor channels for the trip variables listed below, all defective components can be identified. Replacement and repair of failed sensors can only be accomplished during reactor shutdown. All other components can be replaced, repaired, or adjusted during plant operation. | |||
: a. MSIV closure trip | |||
: b. Turbine stop valve closure trip | |||
: c. Left blank intentionally. | |||
: d. Neutron monitoring (APRM) system trip (including OPRM trip) | |||
: e. Neutron monitoring (IRM) system trip | |||
: f. Turbine control valve fast closure trip Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the NMS may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair. | |||
7.2.2.1.2.3.1.22 RPS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each system logic cabinet is identified distinctively as being in the protection system, and the particular redundant portion is listed on a distinctive marker plate. Cabling outside the cabinets is identified specifically as RPS wiring. An identification scheme is used to distinguish between redundant cables and raceways. Redundant racks are identified by the identification marker plates of instruments on the racks. Control room devices are identified by tags on the panels. These tags indicate the function of the device. | |||
7.2.2.1.2.3.2 RPS - IEEE 308 (1971) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations The RPS is a fail-safe logic system, and its power supplies are non-Class 1E. The backup scram circuitry is powered by Class 1E power. The backup scram circuitry is designed to meet the requirements of IEEE 308 (1971). | |||
7.2.2.1.2.3.3 RPS - IEEE 317 (1972) - Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations See the discussion of Regulatory Guide 1.63 in Section 8.1.6.1.12. | |||
7.2.2.1.2.3.4 RPS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations IEEE 323 (1971) is satisfied by complete qualification testing and certification of all essential components. Records covering all essential components are maintained. | |||
CHAPTER 07 7.2-54 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR 7.2.2.1.2.3.5 RPS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations See Chapter 17. | |||
7.2.2.1.2.3.6 RPS - IEEE 338 (1971) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems IEEE 338 (1971) is satisfied by being able to test the RPS from sensors to the scram contactors at any time during plant operation. The tests are performed in overlapping portions. | |||
7.2.2.1.2.3.7 RPS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Station IEEE 344 (1971) is satisfied by all Class 1 RPS equipment as described in Section 3.10. | |||
The above does not apply to turbine stop valve and control valve fast closure trips during or after an SSE, as discussed in Section 7.2.1.2.8. | |||
7.2.2.1.2.3.8 RPS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems IEEE 379 (1972) requirements are satisfied by considering the different single failure modes and carefully designing all potential violations of the single failure criterion out of the system. | |||
7.2.2.1.2.3.9 RPS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11. | |||
The standard requires that redundant sensors and their connections to the process system be sufficiently separated to ensure that functional capability of the protection system is maintained despite any single design basis event or resulting effect. | |||
The RPS conforms to IEEE 384 except for the requirement that redundant sensors and their connections to the process system be sufficiently separated to ensure that functional capability of the protection system is maintained despite any single design basis event or resulting effect. The above does not apply to the turbine stop valve and control valve fast closure trips in a nonseismic turbine enclosure during or after an SSE, as discussed in Section 7.2.1.2.8. | |||
Additional details of the separation criteria used for the RPS are provided in Sections 8.1.6.1.14 and 7.1.2.2. | |||
7.2.2.1.2.4 RPS Power Generation Design Bases The RPS is a one-out-of-two-twice logic system, which inherently provides both reliability of action and availability of function. This permits testing during reactor operation without causing a scram. | |||
7.2.2.1.3 RPS Additional Design Considerations Analyses 7.2.2.1.3.1 RPS Spurious Rod Withdrawals CHAPTER 07 7.2-55 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Spurious control rod withdrawals do not normally cause a scram.A control rod withdrawal block may occur, however. Rod block is discussed in Section 7.6.1.4 and is not part of the RPS. A scram does occur, however, if the spurious control rod withdrawal causes the average flux to exceed the trip setpoint. | |||
7.2.2.1.3.2 Loss of Plant Instrument Air System Loss of plant instrument air causes opening of the scram valves on the hydraulic control units, resulting in a scram. | |||
7.2.2.1.3.3 Loss of Cooling Water to Vital Equipment There is no loss of cooling water that affects the RPS. | |||
7.2.2.1.3.4 Plant Load Rejection Electrical grid disturbances could cause a significant loss of load that would initiate a turbine-generator overspeed trip and control valves fast closure, resulting in a reactor scram. The reactor scram occurs to anticipate an increase in reactor vessel pressure that is due to shutting off the path of steam flow to the turbine. Any additional increase in pressure is prevented by the SRVs that open to relieve reactor pressure and close as pressure is reduced. The RCIC or HPCI systems automatically actuate and provide vessel makeup water if required. | |||
The fuel temperature or pressure boundary thermal-hydraulic limits are not exceeded during the event, as described in Chapter 15. | |||
7.2.2.1.3.5 Turbine Trip Initiation of turbine trip by the turbine system closes the turbine stop valves initiating a reactor scram. The stop valve scram anticipates a reactor pressure or power scram that is due to the closure of turbine stop valves. Any additional increase in reactor vessel pressure is prevented by the SRVs that open to relieve reactor vessel pressure and close as pressure is reduced. The RCIC and HPCI automatically actuate and provide vessel makeup water if a low water level occurs. | |||
Initiation of turbine trip by loss of condenser vacuum causes simultaneous closure of the turbine stop valves and MSIVs initiating a reactor scram. | |||
The fuel temperature, pressure boundary, and thermal-hydraulic limits are not exceeded during these events, as described in Chapter 15. | |||
7. | |||
==2.3 REFERENCES== | |||
7.2-1 W.R. Morgan, "Incore Neutron Monitoring System for General Electric Boiling Water Reactors", APED-5706, (November 1968, Revised April 1969). | |||
CHAPTER 07 7.2-56 REV. 17, SEPTEMBER 2014 | |||
LGS UFSAR Table 7.2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS SCRAM FUNCTION INSTRUMENT INSTRUMENT RANGE Reactor vessel high Pressure sensor 0-1500 psi pressure Drywell high pressure Pressure sensor 0-10 psig Reactor vessel low Level sensor 0-60 inches(1) water level (2) | |||
SDV high water level Level switch Level transmitter 0-100 in H2O Turbine stop valve Position switch 0-100% | |||
closure Turbine control valve Pressure sensor 250-3000 psig fast closure MSIV closure Position switch 0-100% | |||
Neutron monitoring IRM 0-125 divisions system trips APRM Neutron Flux- 10%-125% rated Upscale trip thermal power APRM Simulated 10%-125% rated Thermal Power- thermal power Upscale trip OPRM Upscale Trip Period Based Detection Algorithm - | |||
Confirmation Count: 2-25 Amplitude: 1.00-1.30 Amplitude Based Algorithm: 1.05-1.50 Growth Rate Algorithm: 1.00-1.50 SDV high water level Bypass switch -- | |||
trip bypass CHAPTER 07 7.2-57 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.2-1 (Continued) | |||
SCRAM FUNCTION INSTRUMENT INSTRUMENT RANGE Turbine stop valve Pressure sensor 0-1000 psi and control valve fast closure trip bypass MSIV closure trip Reactor mode switch -- | |||
bypass (1) | |||
Instrument zero equal to 527.5 inches above vessel zero. | |||
(2) | |||
Instrument range dependent on installation. | |||
CHAPTER 07 7.2-58 REV. 13, SEPTEMBER 2006 | |||
LGS UFSAR Table 7.2-2 TRIP SYSTEM CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF RPS This table shows the normal and minimum number of trip system channels required for the functional performance of the RPS. The "normal" column lists the normal number of channels provided per trip system. The "minimum" column lists the minimum number of trip system operable channels required to maintain functional performance. | |||
Channel Description Normal Minimum Neutron monitoring system (APRM)(4)(5) 4 3 Neutron monitoring system 2 2 APRM 2-out-of-4 voter (5) | |||
Neutron monitoring system (IRM)(1) 4 3 Nuclear system high pressure 2 2 Drywell high pressure 2 2 Reactor vessel low water level 2 2 SDV high water level 2 2 Manual scram 2 2 Each MSIV position(2) 1/valve 1/valve Each turbine stop valve position(3) 1/valve 1/valve Turbine control valve fast closure, 2 2 trip oil pressure low (3) | |||
Reactor mode switch shutdown position 2 2 (1) | |||
Not required in run and shutdown modes (2) | |||
Not required in shutdown, refuel and startup modes (3) | |||
Not required when reactor power is less than 29.5% of rated power (4) | |||
APRM channels, including OPRM trip, provide input to both RPS trip systems via the 2-out-of-4 voters. | |||
(5) | |||
Not required in shutdown and refuel modes. | |||
CHAPTER 07 7.2-59 REV. 16, SEPTEMBER 2012}} |
Latest revision as of 13:02, 19 January 2022
Text
LGS UFSAR CHAPTER 7 - INSTRUMENTATION AND CONTROL SYSTEMS
7.1 INTRODUCTION
This chapter presents the specific detailed design and performance information relative to the instrumentation and control aspects of the safety-related and power generation systems used throughout the plant. The design and performance considerations relative to these systems' safety function and their mechanical aspects are described elsewhere in this UFSAR.
See Section 1.7 for a listing of elementary diagrams and schematic diagrams and Section 1.2 for equipment layout drawings.
7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS 7.1.1.1 General Instrumentation and control systems supplied by GE are designated as either power generation systems or safety-related systems, depending on their function. Some portions of a system may have a safety function while other portions of the same system may be classified as power generation. A description of the system of classification can be found in Section 15.9.2.2.2.
The systems presented in Chapter 7 are also classified according to Regulatory Guide 1.70 (Rev 3), namely, RPS, ESF systems, safe shutdown systems, safety-related display instrumentation, other systems required for safety, and control systems not required for safety. Table 7.1-1 lists the systems under each of these classifications and identifies the designer and/or the supplier. Table 7.1-2 identifies instrumentation and control systems that are identical to those of a nuclear power plant of similar design that has recently received NRC design or operation approval through the issuance of either a construction permit or an operating license. Differences and their effect on safety-related systems are also identified in Table 7.1-2. "First-of-a-kind" instruments including any microprocessors, multiplexers or computer systems used in or providing inputs to safety-related systems are identified in Table 7.1-8.
7.1.1.2 Identification of Individual Systems A brief descriptive statement is given for each system.
- 1. The RPS instrumentation and controls initiate an automatic reactor shutdown via control rods (scram) if monitored system variables exceed pre-established limits.
This action prevents fuel damage and limits system pressure, thus restricting the release of radioactive material.
- 2. The PCRVICS instrumentation and controls initiate closure of various automatic isolation valves if monitored system variables exceed pre-established limits. This action limits the loss of coolant from the RCPB and the release of radioactive materials from the RCPB, the primary containment, and the reactor enclosure.
- 3. The ECCS instrumentation and controls provide initiation and control of systems that provide core cooling. These systems are the HPCI system, the ADS, the core spray system, and the LPCI mode of the RHR system.
CHAPTER 07 7.1-1 REV. 17, SEPTEMBER 2014
- 4. The NMS instrumentation and controls use incore neutron detectors to monitor core neutron flux. The NMS provides logic signals to the RPS when a condition necessitating a reactor shutdown is detected. Average neutron flux and Simulated Thermal Power are used as the overpower indicator during power operation and intermediate range detectors are used as overpower indicators during startup and shutdown. Oscillations in the local neutron flux are used as the indicator of thermal-hydraulic instability caused power oscillations. The NMS also provides power level indication during planned operation. Source range detectors are used to provide neutron flux information during reactor startup and low flux level operations. The TIP system gathers axial neutron flux information via a gamma-sensitive detector and uses this data to calibrate the LPRMS. The RBM system provides a signal to prevent control rod movement when local high neutron flux is sensed by the LPRMs.
The NMS consists of the following six major systems:
- a. SRM system
- b. IRM system
- c. LPRM system
- e. TIP system
- f. RBM system
- 5. The RI instrumentation and controls serve as a backup to procedural core reactivity control during refueling operation. These interlocks prevent the withdrawal of control rods and the movement of refueling equipment when permissive conditions are not satisfied.
- 6. The RMCS instrumentation and controls allow the operator to manipulate control rods and determine their positions. Various interlocks are provided in the control circuitry to prevent multiple operator errors or equipment malfunctions from requiring the action of the RPS.
- 7. The RVI monitors and transmits information to the reactor operator concerning key reactor vessel operating variables.
- 8. The RFCS instrumentation and controls regulate the speed of the reactor recirculation pumps (through ASDs) to vary the coolant flow rate through the core.
- 9. The FCS instrumentation and controls regulate the feedwater system flow rate so that proper reactor vessel water level is maintained. The system is arranged to permit single-element (reactor vessel water level only), three-element (reactor vessel water level, main steam flow, and feedwater flow), or manual operation.
- 10. The PRTGS instrumentation and controls work together to allow proper generator and reactor response to load demand changes. If the generator electrical load is lost, the turbine-generator speed-load controls initiate rapid closure of the turbine CHAPTER 07 7.1-2 REV. 17, SEPTEMBER 2014
LGS UFSAR governor valves (coincident with fast opening of the bypass valves) to prevent excessive turbine overspeed.
- 11. The PRMS instrumentation and controls:
The process radiation monitoring systems are those radiation monitoring systems other than the area monitoring system, the portable monitors, and the offsite monitors. The PRMS serve one or more of the following purposes:
- a. Maintain surveillance over process liquid and gas lines that may serve as discharge routes for radioactive materials for the monitoring and/or controlling radioactive releases from the plant.
- b. Maintain surveillance and/or control of ventilation systems for either maintaining the habitability of area that are vital for safe plant operation and shutdown or monitoring the quantity of radioactive effluents released to the environment.
- c. Maintain surveillance and/or control of those process lines of power generating equipment whose malfunction is indicated by an abnormal increase in radiation levels.
The following is a listing of the safety-related PRMS:
- a. Main steam line radiation monitoring system
- b. Reactor enclosure ventilation exhaust radiation monitoring system
- c. Refueling area ventilation exhaust radiation monitoring system
- d. Control room ventilation radiation monitoring system
- e. Control room emergency fresh air radiation monitoring system
- f. Primary containment post-LOCA radiation monitoring system
- g. Residual heat removal service water radiation monitoring system The following is a listing of the nonsafety-related PRMS:
- a. South stack effluent radiation monitoring system
- b. Radwaste equipment rooms ventilation radiation monitoring system
- c. Charcoal treatment system process exhaust radiation monitoring system
- d. Recombiner rooms, hydrogen analyzer compartments, and equipment drain sump vent radiation monitoring system
- e. Steam exhaust discharge and vacuum pump exhaust radiation monitoring system CHAPTER 07 7.1-3 REV. 17, SEPTEMBER 2014
- f. Radwaste enclosure ventilation exhaust radiation monitoring system
- g. Air ejector/holdup pipe discharge radiation monitoring system
- h. Primary containment leak detection radiation monitoring system
- i. Hot maintenance shop ventilation exhaust radiation monitoring system
- j. Liquid radwaste discharge radiation monitoring system
- k. Service water radiation monitoring system
- l. Reactor enclosure cooling water radiation monitoring system
- m. North stack effluent radiation monitoring system Some of the above safety and nonsafety-related PRMSs provide postaccident monitoring capabilities in accordance with Regulatory Guide 1.97. These systems are identified in Section 7.5.
- 12. Area radiation monitoring system:
The purpose of the ARMS is to indicate and record gamma radiation levels in areas where radioactive materials might be present, stored, handled, or inadvertently introduced. Alarm capability is provided in case these radiation levels rise above permissible limits.
- 13. Deleted
- 14. The HCRIS instrumentation and controls provide means to isolate the control room from radiation or chlorine entering through the control room ventilation system. The emergency fresh air system provides a means for pressurizing the control room with clean air during radiation isolation. The control room HVAC system provides the proper environment for the control room and adjacent areas.
- 15. The service water systems instrumentation and controls provide cooling water to vital equipment as follows:
- 16. CAC system instrumentation and controls:
- a. The CGCS monitors and controls the concentration of combustible gases (hydrogen and oxygen) in the containment during normal operation and after a LOCA.
CHAPTER 07 7.1-4 REV. 17, SEPTEMBER 2014
- b. The PCVR subsystem monitors the drywell and suppression chamber pressure to limit the amount by which suppression chamber pressure can exceed drywell pressure.
- 17. The RCIC system instrumentation and controls provide initiation and control of a system that provides makeup water to the reactor vessel to remove decay heat from the reactor core in the event of reactor isolation from the main condenser system and loss of coolant flow from the reactor feedwater system.
- 18. The SLCS instrumentation and controls provide initiation of a reactivity control system that can shut the reactor down from rated power if all withdrawn control rods cannot be inserted to achieve reactor shutdown. The SLCS instrumentation and controls also support the manual initiation of SLCS to control suppression pool pH post LOCA.
- 19. The radwaste system instrumentation and controls support the manual processing and disposing of the radioactive process wastes generated during power operation.
The radwaste control system includes liquid, gaseous, and solid radwaste subsystems.
- 20. The RWCU system instrumentation and controls support manual operation of system equipment to maintain high reactor water purity and reduce concentrations of fission products in the reactor water.
- 21. The Class 1E power system instrumentation and controls provide for reliable operation of the Class 1E power systems during normal and accident conditions.
These power systems consist of:
- a. 4 kV ac power system fed from offsite source with diesel generator backup
- b. dc power system fed from offsite source with battery backup
- 22. The LDS instrumentation and controls use various temperature, pressure, level, and flow sensors to detect and indicate water and steam leakage in selected reactor systems and to annunciate and provide isolation signals (in certain cases) to limit leakage from the RCPB when limiting leakage conditions exist.
- 23. The RHR-SCM instrumentation and controls provides manual initiation of cooling to remove the decay and sensible heat from the reactor vessel during shutdown so that the reactor can be refueled and serviced.
- 24. The FPCC system instrumentation and controls support manual operation of the system that cools the fuel pool.
- 25. The RERS instrumentation and controls provide initiation and control of a system which filters and mixes the reactor enclosure and refueling floor ventilation air during isolation conditions.
CHAPTER 07 7.1-5 REV. 17, SEPTEMBER 2014
- 26. The SGTS instrumentation and controls provide the means to control reactor enclosure and refueling floor pressure at a negative value with reference to the outside atmosphere during an isolation of the reactor enclosure.
- 27. Deleted
- 28. The SRDI is provided to inform the reactor operator when a manual safety action should be taken or is required. Instrumentation is also provided to give the reactor operator the capability to track process variables pertinent to safety during expected operational perturbations and following postulated accidents.
- 29. The CIGS instrumentation and controls support a system that provides the necessary compressed gas for the operation of the ADS SRVs, and for the operation of pneumatic devices located inside the drywell and suppression chamber.
- 30. The RHR-CSM instrumentation and controls support the manual initiation of the portion of the RHR system that is provided to condense steam in the containment under postaccident conditions.
- 31. The RSS instrumentation and controls provide the capability to ensure safe shutdown of the reactor when the control room is uninhabitable.
- 32. The RHR-SPCM instrumentation and controls support the manual initiation of the portion of the RHR system that is provided to effect post-LOCA cooling of the suppression pool water.
- 33. The safety-related equipment area cooling ventilation systems are as follows:
- a. The SGTS filter room and access area unit coolers instrumentation and controls provide support to the system that provides cooling to SGTS filter room and access areas.
- b. The DGEVS instrumentation and controls provide support to the system that provides ventilation to the diesel generator enclosures and equipment.
- c. The SPPSVS instrumentation and controls provide support to the system that provides ventilation for the ESW pumps and RHRSW pumps located in the spray pond pump house.
- d. The ESBRCS instrumentation and controls provide support to the system that provides ventilation and cooling to the emergency switchgear rooms, inverter rooms, battery rooms, and the chiller equipment rooms in the control structure.
- e. The ECCS and RCIC pump compartment unit coolers instrumentation and controls provide support to the system that provides cooling to the core spray, HPCI, RHR, and RCIC pump rooms.
CHAPTER 07 7.1-6 REV. 17, SEPTEMBER 2014
- f. The AERVS instrumentation and controls provides support to the system that provides ventilation and cooling to the auxiliary equipment room, computer room, remote shutdown room, and control enclosure fan rooms.
- 34. The DUC instrumentation and controls provide support to the system that provides atmosphere mixing in the primary containment after a LOCA and cooling during normal operation.
- 35. The CECWS instrumentation and controls provide support to the system that provides chilled water to the control room air supply fan cabinets, the auxiliary equipment room air supply fan cabinets, the SGTS room and access area unit coolers, and emergency switchgear and battery room air supply fan cabinets.
- 36. HPLPSI instrumentation and controls prevent over pressurization of the low pressure systems that interface with the RCPB.
- 37. SRVPI system instrumentation and controls use acoustic sensors to provide the operator with reliable OPEN/NOT-OPEN status of the SRVs.
- 38. The FPSS instrumentation and controls provide fire protection and suppression for the cable area of the PGCC and adjacent areas in the auxiliary equipment room.
- 39. The REIS instrumentation and controls provide signals to isolate the reactor enclosure secondary containment and starts the RERS and SGTS under emergency conditions.
- 40. Nonsafety-related equipment area cooling ventilation systems:
- a. Reactor enclosure ventilation system instrumentation and controls provide support to the system that provides ventilation to the reactor enclosure during normal plant operation.
- b. Turbine enclosure ventilation system instrumentation and controls provide support to the system that provides ventilation to the turbine enclosure and to el 180', el 200', el 217', and el 254' in the control structure.
- c. Radwaste enclosure ventilation system instrumentation and controls provide support to the system that provides ventilation to the radwaste enclosure.
- d. Chemistry laboratory expansion ventilation system instrumentation and control provided to the system that provides ventilation to the chemical laboratories.
- e. Hot maintenance shop ventilation system instrumentation and controls provide support to the system that provides ventilation to the hot maintenance shop.
- e. Miscellaneous enclosure ventilation systems instrumentation and controls provide support to the systems that provide ventilation to the circulating water pump structure, water treatment enclosure, Schuylkill River pump structure, Perkiomen Creek pump structure, sewage treatment enclosure, CHAPTER 07 7.1-7 REV. 17, SEPTEMBER 2014
LGS UFSAR auxiliary boiler enclosure, boiler fuel transfer enclosure, lube oil structure, chlorine and acid feed enclosure, and the administration building.
- 41. The SPFS instrumentation and controls provide support to a system which ensures that the ECCS and RCIC piping is maintained full of water when the systems are in standby mode. The SPFS also discharges to the feedwater lines to provide a seal on the isolation valves in the event of a feedwater line break outside containment.
- 42. The RRCS is a system designed to mitigate the potential consequences of an anticipated transient without scram event. The system consists of control panels, detection and actuation logic, and the necessary interface logic for input to the recirculation system, feedwater system, SLCS, RWCU system, and the ARI function of the CRD.
- 43. The RAIS instrumentation and controls provide signals to isolate the refueling area and start the SGTS under emergency conditions.
- 44. The RWM monitors and enforces adherence to established rod insert and withdraw sequences at low power levels. This function prevents the operator from establishing control rod patterns that are not consistent with the prescribed sequence by initiating the appropriate rod insert block and rod withdrawal block.
When RWM is inoperable both insert and withdraw rod blocks are enforced unless the RWM is bypassed.
- 45. The PMS is a centralized, integrated system which performs the process monitoring and calculations that are necessary for the effective evaluation of normal and emergency power plant operation. The PMS acquires and records process data (e.g., temperatures, pressures, flows, status indicators) to produce displays, logs, and plots of current or historical plant performance.
- 46. The ERFDS is a part of the PMS and performs the process monitoring and calculations defined as being necessary for the effective evaluation of normal and emergency power plant operation. The PMS acquires and records process data for ERFDS including temperatures, pressures, flows, and status indicators. This data is processed to produce meaningful displays, logs, and plots of current or historical plant performance and is presented to plant personnel in the plant main control room or other user definable locations.
7.1.1.3 Classification 7.1.1.3.1 Safety-Related Systems Safety-related systems provide actions necessary to ensure safe shutdown, protect the integrity of radioactive material barriers, or prevent the release of radioactive material in excess of allowable limits. These safety-related systems may consist of components, groups of components, systems, or groups of systems. ESF systems are included in this category. ESF systems function to mitigate the consequences of DBAs.
7.1.1.3.2 Power Generation Systems CHAPTER 07 7.1-8 REV. 17, SEPTEMBER 2014
LGS UFSAR Power generation systems are not required to ensure safe shutdown, protect the integrity of radioactive material barriers, or prevent the release of radioactive material in excess of allowable limits. The instrumentation and control portions of these systems, may, by their actions, prevent the plant from exceeding preset limits that would otherwise initiate action of the safety-related systems.
7.1.1.3.3 General Functional Requirements of Design Basis Plant systems may have both a safety design basis and a power generation design basis, depending on their function. The safety design basis states in functional terms the unique design requirements that establish limits for the operation of the system. The general functional requirements portion of the safety design basis presents those requirements that have been determined to be sufficient to ensure the adequacy and reliability of the system from a safety viewpoint. Many of these requirements have been incorporated into various codes, criteria, and regulatory requirements.
7.1.1.3.4 Specific Regulatory Requirements The plant systems have been examined with respect to specific regulatory requirements that are applicable to the subject instrumentation and controls systems. These regulatory requirements include:
- a. Conformance to regulatory guides
- b. Conformance to 10CFR50, Appendix A, "General Design Criteria"
- c. Conformance to industry codes and standards The specific regulatory requirements applicable to each system's instrumentation and controls are specified in Table 7.1-3.
7.1.2 IDENTIFICATION OF SAFETY CRITERIA 7.1.2.1 General Design bases and criteria for instrumentation and control equipment design are based on the need to have the system perform its intended function while meeting the requirements of applicable general design criteria, regulatory guides, industry standards, and other documents.
7.1.2.1.1 Reactor Protection System - Instrumentation and Controls 7.1.2.1.1.1 RPS Safety Design Bases The RPS is designed to meet the following functional requirements:
- a. The RPS initiates a reactor scram with precision and reliability to prevent or limit fuel damage following abnormal operational transients.
- b. The RPS initiates a scram with precision and reliability to prevent damage to the RCPB as a result of excessive internal pressure, that is, to prevent nuclear system pressure from exceeding the limit allowed by applicable industry codes.
CHAPTER 07 7.1-9 REV. 17, SEPTEMBER 2014
- c. To limit the uncontrolled release of radioactive materials from the RCPB, the RPS precisely and reliably initiates a reactor scram on gross failure of this barrier.
- d. To detect conditions that threaten the fuel assembly or RCPB, the RPS inputs are derived from variables that are true, direct measures of operational conditions.
- e. The RPS responds correctly to the sensed variables over the expected range of magnitudes and rates of change.
- f. A sufficient number of sensors are provided to monitor essential variables that have spatial dependence.
- g. The following bases ensure that the RPS is designed with sufficient reliability:
- 1. If failure of a control or regulating system causes a plant condition that requires a reactor scram but also prevents action by necessary RPS channels, the remaining portions of the RPS meet safety design basis (g.6).
- 2. The loss of one or both power supplies does not prevent a reactor scram.
- 3. Once initiated, an RPS action goes to completion. The return-to-normal operation requires deliberate operator action.
- 4. There is sufficient physical separation between redundant instrumentation and control equipment monitoring the same variable to prevent environmental factors, electrical transients, or physical events from impairing the ability of the system to respond correctly.
- 5. Ground motions of a SSE magnitude as amplified by building and supporting structures do not impair the ability of the RPS to initiate a reactor scram.
- 6. No single failure within the RPS prevents proper RPS action, when required, to satisfy safety design bases (a), (b), and (c) above.
- 7. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the ability of the RPS to respond correctly.
- 8. The system is designed so that the required number of sensors for any monitored variable exceeding the scram setpoint initiates an automatic scram.
- h. The following bases reduce the probability that RPS operational reliability and precision are degraded by operator error:
- 1. Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant procedures.
- 2. Manual bypass of instrumentation and control equipment components is under the control of the control room operator. If the ability to trip some CHAPTER 07 7.1-10 REV. 17, SEPTEMBER 2014
LGS UFSAR essential part of the system has been manually bypassed, this fact is continuously annunciated in the control room.
7.1.2.1.1.2 RPS Specific Regulatory Requirements The specific requirements applicable to the RPS instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.1.3 RPS Power Generation Design Bases The RPS has one objective, which is availability. The setpoints, power sources, and controls and instrumentation are arranged so as to preclude spurious scrams.
7.1.2.1.2 Primary Containment and Reactor Vessel Isolation Control System - Instrumentation and Controls 7.1.2.1.2.1 PCRVICS Safety Design Bases The following safety design bases are implemented in the PCRVICS:
- a. To limit the release of radioactive materials to the environment, the PCRVICS precisely and reliably initiates timely isolation of penetrations through the primary containment whenever the values of monitored variables exceed preselected operational limits.
- b. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis requirements (a), the PCRVICS responds correctly to the sensed variables over the expected design range of magnitudes and rates of change.
- c. To ensure that important variables are monitored to fulfill safety design basis (a), a sufficient number of sensors is provided for monitoring essential variables.
- d. To ensure that conditions indicative of a failure of the RCPB are detected to fulfill safety design basis (a), PCRVICS inputs are derived from variables that are accurate, direct measures of existing plant conditions.
- e. The time required to close the MSIVs is short, to limit the radiological consequences and loss of coolant from a steam line break outside containment. However, the time required to close the MSIVs is long enough so that inadvertent isolation of steam lines does not cause a transient as severe as that resulting from closure of the turbine stop valves coincident with failure of the turbine bypass system. This ensures that the MSIV closure speed is compatible with the ability of the RPS to protect the fuel assemblies and the RCPB.
- f. The following safety design bases are specified for the systems controlling automatic isolation valves to ensure that the closure of automatic isolation valves is initiated when required to fulfill safety design basis (a):
CHAPTER 07 7.1-11 REV. 17, SEPTEMBER 2014
- 1. Any single failure, maintenance operation, calibration operation, or test to verify operational availability does not impair the functional ability of the isolation control system.
- 2. The system is designed so that a specified number of sensors for any monitored variable exceeding the isolation setpoint initiate automatic isolation.
- 3. Where a plant condition that requires isolation can be caused by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system meet the requirements of safety design bases (a), (b), (c), and (f.1).
- 4. The power supplies for the PCRVICS are arranged so that the loss of one supply cannot prevent automatic isolation when required.
- 5. The system is designed so that, once initiated, automatic isolation action goes to completion. The return-to-normal operation after isolation action requires deliberate operator action.
- 6. There is sufficient electrical and physical separation of wiring and piping between instrument channels monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.
- 7. Earthquake ground motions of SSE magnitude do not impair the ability of the primary containment and reactor vessel isolation control system to initiate automatic isolation.
- g. The following safety design basis is specified to ensure that the isolation of main steam lines is accomplished:
The isolation valves in each of the main steam lines do not rely on electrical power to achieve closure. Valve closure power is from diverse stored energy sources.
- h. To reduce the probability that the operational reliability of the PCRVICS is degraded by operator error, the following safety design bases are specified for automatic isolation valves:
- 1. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables is under the control of the plant procedures.
- 2. The means for bypassing instrument channels, trip logics, or system components are under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact is continuously annunciated in the control room.
CHAPTER 07 7.1-12 REV. 17, SEPTEMBER 2014
- i. The system provides the operator with a means to take manual isolation action that is independent of the automatic isolation. If there is a failure of the RCPB, it is possible for the operator to manually initiate isolation of the primary containment and reactor vessel from the control room.
- j. The following bases are specified to provide the operator with the means to assess the condition of the PCRVICS and to identify conditions indicative of a failure of the RCPB.
- 1. The PCRVICS is designed to provide the operator with information pertinent to the status of the system.
- 2. Means are provided for prompt identification of instrument channel and trip system responses.
- k. It is possible to check the operational availability of each instrument channel and trip logic during reactor operation.
7.1.2.1.2.2 PCRVICS Specific Regulatory Requirements The specific regulatory requirements applicable to the PCRVICS instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.2.3 PCRVICS Power Generation Design Bases There are no power generation design bases for the PCRVICS.
7.1.2.1.3 Emergency Core Cooling System - Instrumentation and Controls 7.1.2.1.3.1 ECCS Safety Design Bases The ECCS control and instrumentation is designed to meet the following functional safety design bases:
- a. Automatically initiate and control the ECCS to prevent fuel cladding temperatures from reaching 2200F.
- b. Respond to a need for emergency core cooling, regardless of the physical location of the malfunction or break that causes the need.
- c. The following safety design bases are specified to limit dependence on operator judgement in times of stress:
- 1. The ECCS responds automatically so that no action is required of plant operators within 10 minutes after a LOCA.
- 2. The performance of the ECCS is indicated by control room instrumentation.
- 3. Facilities for manual control of the ECCS are provided in the control room.
7.1.2.1.3.2 ECCS Specific Regulatory Requirements CHAPTER 07 7.1-13 REV. 17, SEPTEMBER 2014
LGS UFSAR The specific regulatory requirements applicable to the controls and instrumentation for the ECCS are shown on Table 7.1-3.
7.1.2.1.3.3 ECCS Power Generation Design Bases There are no power generation design bases for this system.
7.1.2.1.4 Neutron Monitoring System - Instrumentation and Controls 7.1.2.1.4.1 Source Range Monitor Subsystem 7.1.2.1.4.1.1 SRM Safety Design Bases There are no safety design bases for this system.
7.1.2.1.4.1.2 SRM Specific Regulatory Requirements There are no specific regulatory requirements for this system.
7.1.2.1.4.1.3 SRM Power Generation Design Bases The SRM subsystem meets the following power generation design bases:
- a. Neutron sources and neutron detectors together result in a signal-to-noise ratio of at least 2:1 and a count rate of at least three counts per second with all control rods fully inserted before initial power operation.
- b. The SRM is able to perform the following functions:
- 1. Indicate a measurable increase in output signal from at least one detecting channel before reactor period reaches 20 seconds duration during the worst possible startup rod withdrawal conditions
- 2. Indicate substantial increases in output signals with the maximum permitted number of SRM channels out of service during normal reactor startup operations
- 3. Ensure that the SRM channels are on scale when the IRM first indicates neutron flux during a reactor startup
- 4. Provide a measure of the time rate of change of the neutron flux (reactor period) for operational convenience
- 5. Generate interlock signals to block control rod withdrawal if the count rate exceeds a preset value or falls below a preset limit (if the IRMs are not above the second range) or if certain electronic failures occur
- c. Perform its function in the maximum normal thermal and radiation environment
- d. Ensure that loss of a single power bus does not disable the monitoring and alarming functions of all the available monitors CHAPTER 07 7.1-14 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.4.2 Intermediate Range Monitor Subsystem 7.1.2.1.4.2.1 IRM Safety Design Bases The IRM generates a trip signal that can be used while operating in the intermediate range to prevent fuel damage resulting from anticipated or abnormal operational transients that occur. The independence and redundancy incorporated in the design of the IRM is consistent with the safety design bases of the RPS.
7.1.2.1.4.2.2 IRM Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the IRM are given in Table 7.1-3 for the NMS.
7.1.2.1.4.2.3 IRM Power Generation Design Bases The IRM generates an interlock signal to block rod withdrawal if the IRM reading exceeds a preset value or if the IRM is not operating properly. The IRM is designed so that overlapping neutron flux indications exist with the SRM and APRM subsystems.
7.1.2.1.4.3 Local Power Range Monitor Subsystem 7.1.2.1.4.3.1 LPRM Safety Design Bases The LPRM is designed to provide a sufficient number of LPRM signals to satisfy the APRM safety design bases.
7.1.2.1.4.3.2 LPRM Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the LPRM are given in Table 7.1-3 for the NMS.
7.1.2.1.4.3.3 LPRM Power Generation Design Bases The LPRM supplies the following:
- a. Signals to the APRM that are proportional to the local neutron flux at various locations within the reactor core
- b. Signals to alarm high or low local neutron flux
- c. Signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of power distribution, local heat flux, minimum critical power ratio, and fuel burnup rate
- d. Signals to the RBM to indicate changes in local relative neutron flux during the movement of control rods 7.1.2.1.4.4 Average Power Range Monitor Subsystem CHAPTER 07 7.1-15 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.4.4.1 APRM Safety Design Bases Under the worst permitted input LPRM bypass conditions, the APRM is capable of generating a trip signal in response to average neutron flux increases or thermal-hydraulic instability caused power oscillations in time to prevent fuel damage. The independence and redundancy incorporated into the design of the APRM are consistent with the safety design bases of the RPS.
7.1.2.1.4.4.2 APRM Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the APRM are given in Table 7.1-3 for the NMS.
7.1.2.1.4.4.3 APRM Power Generation Design Bases The APRM provides the following functions:
- a. A continuous indication of average reactor power (neutron flux) from a few percent to 125% of rated reactor power
- b. Interlock signals for blocking further rod withdrawal to avoid an unnecessary scram actuation
- c. A reference power level for the RBM subsystem 7.1.2.1.4.5 Traversing Incore Probe Subsystem 7.1.2.1.4.5.1 TIP Safety Design Bases There are no safety design bases for this system.
7.1.2.1.4.5.2 TIP Specific Regulatory Requirements.
There are no specific regulatory requirements applicable to this system.
7.1.2.1.4.5.3 TIP Power Generation Design Bases The TIP subsystem meets the following power generation design bases:
- a. It provides a signal proportional to the axial neutron flux distribution at the radial locations of the LPRM detectors. This signal is of high precision to allow reliable calibration of LPRM gains.
- b. It provides an accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial neutron flux distribution.
CHAPTER 07 7.1-16 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.4.6 Rod Block Monitor Subsystem 7.1.2.1.4.6.1 RBM Safety Design Bases There are no safety design bases for the RBM subsystem.
7.1.2.1.4.6.2 RBM Specific Regulatory Requirements Specific regulatory requirements applicable to this subsystem are given in Table 7.1-3.
7.1.2.1.4.6.3 RBM Power Generation Design Bases The RBM subsystem meets the following power generation design bases:
- a. Prevents local fuel damage that may result from a single rod withdrawal error under the worst permitted conditions of RBM bypass
- b. Provides a signal used by the operator to evaluate the change in the local relative power level during control rod movement 7.1.2.1.5 Refueling Interlocks - Instrumentation and Controls 7.1.2.1.5.1 RI Safety Design Bases There are no safety design bases for this system.
7.1.2.1.5.2 RI Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for refueling interlocks are given in Table 7.1-3.
7.1.2.1.5.3 RI Power Generation Design Bases Refueling interlocks meet the following power generation design bases:
- a. During fuel movements in or over the reactor core, they prevent control rod withdrawal.
- b. No more than one control rod is withdrawn from its fully inserted position at any time when the reactor is in the refueling mode.
- c. They prevent the operation of fuel loaded refueling equipment over the core whenever any control rod is withdrawn.
When fuel is being moved from the core to the spent fuel pool during refueling, the refueling interlocks may be disabled for core cells from which the four fuel assemblies have been removed if the conditions contained in Technical Specifications 3.9.10.2 are met and compensating administrative controls are established.
7.1.2.1.6 Reactor Manual Control System - Instrumentation and Controls CHAPTER 07 7.1-17 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.6.1 RMCS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.6.2 RMCS Specific Regulatory Requirements The specific regulatory requirements applicable to the controls and instrumentation for the RMCS are given in Table 7.1-3.
7.1.2.1.6.3 RMCS Power Generation Design Basis The RMCS is designed to meet the following power generation design basis:
- a. Enforce adherence to predetermined control rod withdrawal and insertion sequences
- b. Provide the operator with the means to achieve prescribed control rod patterns
- c. Inhibit control rod motion following receipt of rod block trip signals
- d. Provide information pertinent to the position and motion of the control rods to the control room.
7.1.2.1.7 Reactor Vessel Instrumentation 7.1.2.1.7.1 RVI Safety Design Bases There are no safety design bases for this system.
7.1.2.1.7.2 RVI Specific Regulatory Requirements There are no specific regulatory requirements applicable to this system.
7.1.2.1.7.3 RVI Power Generation Design Bases RVI is designed to provide the reactor operator with sufficient indication of reactor vessel coolant temperature, reactor vessel water level, reactor vessel pressure, and nuclear system leakage to maintain proper normal operating conditions. These instruments augment safety-related information so that the operator can startup, operate, shutdown, and service the reactor in an efficient manner.
7.1.2.1.8 Recirculation Flow Control System - Instrumentation and Controls 7.1.2.1.8.1 RFCS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.8.2 RFCS Specific Regulatory Requirements The specific regulatory requirements applicable to the RFCS are given in Table 7.1-3.
7.1.2.1.8.3 RFCS Power Generation Design Bases CHAPTER 07 7.1-18 REV. 17, SEPTEMBER 2014
LGS UFSAR The RFCS is designed to allow manual recirculation flow rate adjustment of reactor power level.
7.1.2.1.9 Feedwater Control System - Instrumentation and Controls 7.1.2.1.9.1 FCS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.9.2 FCS Specific Regulatory Requirements The specific regulatory requirements applicable to the FCS are given in Table 7.1-3.
7.1.2.1.9.3 FCS Power Generation Design Bases The reactor FCS regulates the feedwater flow over the entire power range of the reactor to maintain adequate water level in the reactor vessel and to prevent unnecessary initiation of safety-related systems due to low water level.
7.1.2.1.10 Pressure Regulator and Turbine-Generator System - Instrumentation and Controls 7.1.2.1.10.1 PRTGS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.10.2 PRTGS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3.
7.1.2.1.10.3 PRTGS Power Generation Design Bases The operation of the reactor demands that a pressure regulator concept be applied to maintain a constant turbine inlet pressure.
The turbine pressure regulator, to maintain constant turbine inlet pressure, operates the steam bypass valves so that a portion of nuclear boiler rated flow can be bypassed for transient steam flow loads above that which can be accepted by the turbine and for the startup and shutdown phase. The PRTGS accomplishes the following control functions:
- a. Control turbine speed and turbine acceleration
- b. Operate the steam bypass system to keep reactor pressure within limits and avoid large power transients
- c. Control main turbine control valve pressure within the proportional band setting of the pressure regulator 7.1.2.1.11 Process Radiation Monitoring System - Instrumentation and Controls 7.1.2.1.11.1 Main Steam Line Radiation Monitoring System CHAPTER 07 7.1-19 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.11.1.1 MSL-RMS Safety Design Bases The MSL-RMS is designed to meet the following safety design bases:
- a. Detect a gross release of fission products from the fuel under any anticipated operating combination of main steam lines
- b. Promptly indicate a gross release of fission products from the fuel 7.1.2.1.11.1.2 MSL-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this subsystem are shown in Table 7.1-3.
7.1.2.1.11.1.3 MSL-RMS Power Generation Design Bases The MSL-RMS is designed to display in the control room an indication of gross gamma radiation level at the main steam tunnel.
7.1.2.1.11.2 Reactor Enclosure Ventilation Exhaust Radiation Monitoring System 7.1.2.1.11.2.1 REVE-RMS Safety Design Bases This system is designed to meet the following design bases:
- a. Detect a gross release of radioactive material into the reactor enclosure ventilation duct
- b. Promptly indicate a gross release of radioactive material
- c. Provide, on detection of a gross release of radioactive material:
- 1. A trip signal for the reactor enclosure fans and closure of the valves to the vent exhaust system
- 2. A trip signal to isolate the primary containment atmosphere purge and vent lines and start the SGTS
- 3. An annunciation alarm signal in the control room 7.1.2.1.11.2.2 REVE-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are shown in Table 7.1-3.
7.1.2.1.11.2.3 REVE-RMS Power Generation Design Bases The system provides the following:
- a. Recorder indication in the control room of the gross gamma radiation level
- b. An alarm annunciation in the control room CHAPTER 07 7.1-20 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.11.3 Refueling Area Ventilation Exhaust Radiation Monitoring System 7.1.2.1.11.3.1 RAVE-RMS Safety Design Bases This system is designed to meet the following design bases:
- a. Detect a gross release of radioactive material into the refueling area ventilation duct
- b. Promptly indicate a gross release of radioactive material
- c. Provide on detection of a gross release of radioactive material:
- 1. A trip signal for the refueling area fans and closure of the valves to the ventilation exhaust system
- 2. A trip signal to isolate the primary containment atmosphere purge and vent lines and start the SGTS
- 3. An alarm annunciation in the control room 7.1.2.1.11.3.2 RAVE-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are shown in Table 7.1-3.
7.1.2.1.11.3.3 RAVE-RMS Power Generation Design Bases This system is designed to display an alarm in the control room and record gross releases of radioactive material from the refueling area duct. The control trip capability is stated above.
7.1.2.1.11.4 Control Room Ventilation Radiation Monitoring System 7.1.2.1.11.4.1 CRV-RMS Safety Design Bases This system is designed to meet the following design bases:
- a. Detect the presence of a hazardous quantity of radioactive material infiltrating the control room ventilation duct
- b. Promptly indicate the presence of hazardous amounts of radioactivity
- c. Provide, on detection of hazardous amounts of radioactive material:
- 1. A trip signal to close the control room ventilation intake dampers
- 2. A trip signal to start the control room emergency fresh air system 7.1.2.1.11.4.2 CRV-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3.
7.1.2.1.11.4.3 CRV-RMS Power Generation Design Bases CHAPTER 07 7.1-21 REV. 17, SEPTEMBER 2014
LGS UFSAR The system provides continuous indication and recording of the concentration of radioactive material entering the control room under all conditions of plant operation, including accidents. It provides annunciation alarms in the control room.
7.1.2.1.11.5 Control Room Emergency Fresh Air Radiation Monitoring Systems 7.1.2.1.11.5.1 CREFA-RMS Safety Design Bases This system is designed to detect the presence of residual radiation in the effluent from the HEPA/charcoal filters during operation of the CREFAS.
7.1.2.1.11.5.2 CREFA-RMS Specific Regulatory Requirements This system satisfies the requirement that the control room ventilation system is monitored at all times for radioactivity. If there is closure of the control room ventilation intake dampers, the control room radiation monitoring system becomes inoperative, so it becomes necessary to transfer surveillance to an active station. The specific regulatory requirements of this system are shown in Table 7.1-3.
7.1.2.1.11.5.3 CREFA-RMS Power Generation Design Bases During operation of the CREFAS, the monitoring system provides continuous indication and recording of the concentration of radioactive material entering the control room. It provides annunciation alarms in the control room.
7.1.2.1.11.6 Primary Containment Post-LOCA Radiation Monitoring System 7.1.2.1.11.6.1 PCPL-RMS Safety Design Bases This system is designed to maintain surveillance of the gross gamma radioactivity of the primary containment atmosphere under postaccident conditions.
7.1.2.1.11.6.2 PCPL-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are shown in Table 7.1-3.
7.1.2.1.11.6.3 PCPL-RMS Power Generation Design Bases This monitoring system becomes operational during and after accident conditions when shutdown occurs. As such, it does not serve any power generation design basis. However, indications of radiation levels are transmitted to the control room for readout, recording, and alarm annunciation at preset levels.
7.1.2.1.11.7 Residual Heat Removal Service Water Radiation Monitoring System 7.1.2.1.11.7.1 RHRSW-RMS Safety Design Bases This system is designed to meet the following safety design bases:
- a. Detect the presence of significant amounts of radioactivity in the RHRSW downstream of the RHR heat exchangers CHAPTER 07 7.1-22 REV. 17, SEPTEMBER 2014
- b. Promptly indicate the release of radioactive material to the spray pond
- c. Provide a trip signal to the RHRSW Pumps on detection of the presence of significant amounts of radioactive material.
7.1.2.1.11.7.2 RHRSW-RMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3.
7.1.2.1.11.7.3 RHRSW-RMS Power Generation Design Bases:
This system provides the following:
- a. Recorder indication in the control enclosure of the radioactivity level in the RHRSW
- b. Annunciates alarms in the control room.
7.1.2.1.11.8 Nonsafety-Related Radiation Monitoring Systems The following process radiation monitoring systems are classified as power generation systems in that they do not serve safety-related functions. The postaccident monitoring functions of some of these systems are discussed in Section 7.5.
- a. South stack effluent (ventilation)
- b. Radwaste equipment rooms ventilation
- c. Charcoal treatment system process exhaust (gas)
- e. Steam exhauster discharge and vacuum pump exhaust (gas)
- f. Radwaste enclosure ventilation exhaust (ventilation)
- g. Air ejector offgas
- h. Primary containment leak detector (gas)
- i. Hot maintenance shop ventilation exhaust (ventilation)
- j. Liquid radwaste discharge (liquid)
- k. Service water (liquid)
- l. Reactor enclosure cooling water (liquid)
- m. North stack effluent (ventilation)
CHAPTER 07 7.1-23 REV. 17, SEPTEMBER 2014
LGS UFSAR With the exception of items (g) and (j), these monitoring systems have no control functions. The above systems are described in Section 11.5.
7.1.2.1.11.8.1 Nonsafety-Related RMS Safety Design Bases There are no safety design bases for these systems. The postaccident design bases of some of the systems are described in Section 7.5.
7.1.2.1.11.8.2 Nonsafety-Related RMS Specific Regulatory Requirements The specific regulatory requirements applicable to these systems are shown in Table 7.1-3.
7.1.2.1.11.8.3 Nonsafety-Related RMS Power Generation Design Bases These systems provide the following:
- a. Except for the hot maintenance shop monitor, the systems provide an indication in the control room of the radiation levels measured in each application. All indications of the hot maintenance shop monitor are local.
- b. Except for the hot maintenance shop monitor, the systems provide recorder signals to the control room.
- c. Alarm annunciation is provided if high or downscale trip signals are transmitted to the control room. Alarm annunciator signals from the hot maintenance shop monitor are local.
- d. The liquid radwaste discharge monitor trip signal closes the liquid radwaste discharge valve if there is a high signal. Data from this monitor are transmitted to the radwaste enclosure control room rather than to the main control room.
7.1.2.1.12 Area Radiation Monitoring System 7.1.2.1.12.1 ARMS Safety Design Bases The ARMS is not a safety-related system and provides no control function.
7.1.2.1.12.2 ARMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3.
7.1.2.1.12.3 ARMS Power Generation Design Bases The system provides continuous indication and recording of gamma radiation intensities in those areas where radioactive materials may be present, handled, or inadvertently introduced. It provides annunciation alarms both locally and in the control room if preset limits of radiation are exceeded. Local alarms and readouts are located either adjacent to the detectors or at the entrance-ways to those areas that might prove hazardous to personnel.
7.1.2.1.13 Deleted CHAPTER 07 7.1-24 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.14 Habitability and Control Room Isolation System - Instrumentation and Controls 7.1.2.1.14.1 HCRIS Safety Design Bases The system is designed to meet the following safety design bases:
- a. During a radiation accident, isolate the main air intake and pressurize the control room with clean, filtered air
- b. During a chlorine accident, isolate the control room and provide cleanup of the control room atmosphere by recirculation 7.1.2.1.14.2 HCRIS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.14.3 HCRIS Power Generation Design Bases This system is designed to provide a safe and comfortable environment for the control room personnel.
7.1.2.1.15 Service Water Systems - Instrumentation and Controls 7.1.2.1.15.1 Emergency Service Water - Instrumentation and Controls 7.1.2.1.15.1.1 ESW Safety Design Bases The system is designed to meet the following safety design bases:
- a. During and after transient and accident conditions, the system provides cooling for the control room chillers and diesel generators, serves safety-related pump-motor units needing water cooling, and maintains cooling of safety-related equipment via space coolers.
- b. During loss of fuel pool cooling, the system provides makeup water to maintain the water level in the fuel pool.
7.1.2.1.15.1.2 ESW Specific Regulatory Requirements The specific regulatory requirements applicable to the ESW system are shown in Table 7.1-3.
7.1.2.1.15.1.3 ESW Power Generation Design Bases The system is designed to provide cooling for recirculation pump motors and oil coolers and the RECW system heat exchangers.
7.1.2.1.15.2 Residual Heat Removal Service Water System - Instrumentation and Controls 7.1.2.1.15.2.1 RHRSW Safety Design Bases The system is designed to meet the following safety design bases:
CHAPTER 07 7.1-25 REV. 17, SEPTEMBER 2014
- b. During and after transient and accident conditions, the system provides cooling for the RHR system heat exchangers.
- c. After an accident, the RHRSW system provides water for flooding the reactor core, and spraying the primary containment, if required.
7.1.2.1.15.2.2 RHRSW Specific Regulatory Requirements The specific regulatory requirements applicable to the RHRSW system are shown in Table 7.1-3.
7.1.2.1.15.2.3 RHRSW Power Generation Design Bases There are no power generation design bases for this system.
7.1.2.1.16 Containment Atmospheric Control System - Instrumentation and Controls 7.1.2.1.16.1 Combustible Gas Control System 7.1.2.1.16.1.1 CGCS Safety Design Bases The system provides the means to measure and control the concentration of hydrogen and oxygen in the primary containment atmosphere following postulated accidents to ensure that the primary containment integrity is maintained.
The system monitors the concentration of hydrogen and oxygen in the primary containment atmosphere during normal operation and following postulated accidents. Limits are established on abnormal concentrations of hydrogen and oxygen so that corrective action can be taken before unacceptable results occur. The unacceptable results are as follows:
- a. A threat of significant compromise to the primary containment structure
- b. A threat of significant compromise to the equipment inside the primary containment 7.1.2.1.16.1.2 CGCS Specific Regulatory Requirements The specific regulatory requirements applicable to the CGCS instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.16.1.3 CGCS Power Generation Design Bases The system is designed to provide the means to measure and control the amount of oxygen to ensure containment inerting.
7.1.2.1.16.2 Primary Containment Vacuum Relief System - Instrumentation and Controls 7.1.2.1.16.2.1 PCVR Safety Design Bases The PCVR is designed to meet the following safety design bases:
CHAPTER 07 7.1-26 REV. 17, SEPTEMBER 2014
- a. Operate automatically to allow air from the suppression chamber to enter the drywell when a differential pressure exceeds a pre-established limit
- b. Check the operational availability of each valve and the disc position indication system for each valve during reactor operation 7.1.2.1.16.2.2 PCVR Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.16.2.3 PCVR Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.17 Reactor Core Isolation Cooling System - Instrumentation and Controls 7.1.2.1.17.1 RCIC Safety Design Bases The system is designed to meet the following safety design bases:
- a. Sufficient coolant can be maintained in the reactor vessel in case of an isolation with a loss of main feedwater flow.
- b. Provisions are made for automatic and remote manual operation of the system.
- c. Components of the RCIC system are designed to satisfy seismic Category I design requirements.
- d. The power supply for the system is from immediately available energy sources of high reliability.
- e. Provision is made so that periodic testing can be performed during plant operation.
7.1.2.1.17.2 RCIC Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3.
7.1.2.1.17.3 RCIC Power Generation Design Bases There are no power generation design bases for this system.
7.1.2.1.18 Standby Liquid Control System - Instrumentation and Controls 7.1.2.1.18.1 SLCS Safety Design Bases This system is capable of shutting the reactor down from full power to cold shutdown and maintaining the reactor in a subcritical state at atmospheric temperature and pressure conditions by pumping sodium pentaborate, a neutron absorber, into the reactor. This system is also capable of maintaining suppression pool pH at a level of 7.0 or greater following a LOCA.
CHAPTER 07 7.1-27 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.18.2 SLCS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are given in Table 7.1-3.
7.1.2.1.18.3 SLCS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.19 Radwaste Systems - Instrumentation and Controls 7.1.2.1.19.1 Liquid Radwaste System 7.1.2.1.19.1.1 LRS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.19.1.2 LRS Specific Regulatory Requirements Specific regulatory requirements applicable to the system are listed in Table 7.1-3.
7.1.2.1.19.1.3 LRS Power Generation Design Bases The instrumentation and control system is designed to provide dependable measurement and control for the various liquid processing systems during normal and expected occurrence conditions.
7.1.2.1.19.2 Gaseous Radwaste System 7.1.2.1.19.2.1 GRS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.19.2.2 GRS Specific Regulatory Requirements Specific regulatory requirements applicable to the system are listed in Table 7.1-3.
7.1.2.1.19.2.3 GRS Power Generation Design Bases The instrumentation and control system is designed to perform the following:
- a. Monitor and control the GRS
- b. Detect, indicate, and alarm a system upset to provide sufficient time for corrective action 7.1.2.1.19.3 Solid Radwaste System 7.1.2.1.19.3.1 SRS Safety Design Bases There are no safety design bases for this system.
CHAPTER 07 7.1-28 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.19.3.2 SRS Specific Regulatory Requirements No specific regulatory requirements are imposed on the SRS.
7.1.2.1.19.3.3 SRS Power Generation Design Bases The instrumentation and control system is designed to:
- a. Monitor and control the SRS
- b. Detect, indicate, and alarm a system upset to provide sufficient time for corrective action 7.1.2.1.20 Reactor Water Cleanup System - Instrumentation and Controls 7.1.2.1.20.1 RWCU Safety Design Bases There are no safety design bases for this system.
7.1.2.1.20.2 RWCU Specific Regulatory Requirements The specific regulatory requirements applicable to this system are provided in Table 7.1-3.
7.1.2.1.20.3 RWCU Power Generation Design Bases The purpose of the RWCU system is to provide continuous processing of the reactor water to maintain the purity within specified limits. The system also provides the means for removal of reactor water. Although the RWCU system is of importance to startup and long-term operation, the reactor may operate while the RWCU is out of service.
7.1.2.1.21 Class 1E Power Systems 7.1.2.1.21.1 Class 1E Power Systems Safety Design Bases The safety design bases for the electrical power systems required to support the safety-related systems are described in Sections 8.1 and 8.3.
7.1.2.1.21.2 Class 1E Power Systems Specific Regulatory Requirements The specific regulatory requirements applicable to the standby power systems are given in Sections 8.1 and 8.3.
7.1.2.1.21.3 Class 1E Power Systems Power Generation Design Bases The power generation design bases for the standby power systems are described in Sections 8.1 and 8.3.1.
7.1.2.1.22 Leak Detection Systems - Instrumentation and Controls 7.1.2.1.22.1 LDS Safety Design Bases CHAPTER 07 7.1-29 REV. 17, SEPTEMBER 2014
LGS UFSAR The safety design bases for the LDS are as follows:
- a. Signals are provided that initiate automatic isolation (or permit manual isolation) of abnormal leakage before the results of this leakage become unacceptable.
- b. The unacceptable results of failure to detect leakage are as follows:
- 1. The potential for degradation of the RCPB in excess of specified limits
- 2. The potential for release of primary coolant fluid sufficient to cause unacceptable offsite radiological doses
- 3. The potential for a leakage rate in excess of the capability of operating equipment to maintain reactor vessel water level
- 4. A threat of significant compromise to the steam and power conversion system boundary
- 5. The potential for a leakage rate in excess of radiological limits
- 6. The potential for a leakage rate that negates the safety equipment function 7.1.2.1.22.2 LDS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are given in Table 7.1-3.
7.1.2.1.22.3 LDS Power Generation Design Bases A means is provided to detect and indicate in the control room abnormal leakage from the RCPB, steam, and the power conversion system boundary.
7.1.2.1.23 Reactor Shutdown Cooling Mode of the RHR System - Instrumentation and Controls 7.1.2.1.23.1 RHR-SCM Safety Design Bases The RHR-SCM is designed to meet the following functional design bases:
- a. Instrumentation and controls are provided that enable the system to remove the residual heat (decay heat and sensible heat) from the reactor vessel during normal shutdown.
- b. Manual controls of the RHR-SCM are provided in the control room, and manual controls for one loop are provided at the remote shutdown panel.
- c. Performance of the RHR-SCM is indicated by control room instrumentation and instrumentation on the remote shutdown panel.
7.1.2.1.23.2 RHR-SCM Specific Regulatory Requirements CHAPTER 07 7.1-30 REV. 17, SEPTEMBER 2014
LGS UFSAR The specific requirements applicable to the RHR-SCM are shown in Table 7.1-3.
7.1.2.1.23.3 RHR-SCM Power Generation Design Bases The RHR-SCM meets the following power generation design bases:
- a. Cooling is provided for the reactor during the shutdown operation when the vessel pressure is below the prescribed limit.
- b. The reactor water is cooled to a temperature that is practicable for refueling and servicing operation.
7.1.2.1.24 Fuel Pool Cooling and Cleanup System - Instrumentation and Controls 7.1.2.1.24.1 FPCC Safety Design Bases There are no safety design bases for this system.
7.1.2.1.24.2 FPCC Specific Regulatory Requirements The specific regulatory requirements applicable to the FPCC are given in Table 7.1-3.
7.1.2.1.24.3 FPCC Power Generation Design Bases The purpose of the FPCC instrumentation and controls is to maintain the shielding water in the spent fuel and equipment storage pools and the reactor water well below a desired temperature and at a degree of clarity necessary to refuel and service the reactor.
7.1.2.1.25 Reactor Enclosure Recirculation System - Instrumentation and Controls 7.1.2.1.25.1 RERS Safety Design Bases During an isolation of the reactor enclosure the RERS filters and mixes the air in this area.
7.1.2.1.25.2 RERS Specific Regulatory Requirements The specific regulatory requirements applicable to the RERS instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.25.3 RERS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.26 Standby Gas Treatment System - Instrumentation and Controls 7.1.2.1.26.1 SGTS Safety Design Bases This system is designed to meet the following safety design bases:
CHAPTER 07 7.1-31 REV. 17, SEPTEMBER 2014
- a. During an isolation of the reactor enclosure and/or refueling area, the SGTS restores and maintains these areas at a negative pressure with reference to the outside atmosphere
- b. Further filter the air drawn from the reactor enclosure recirculation system before exhausting it to the atmosphere 7.1.2.1.26.2 SGTS Specific Regulatory Requirements The specific regulatory requirements applicable to the SGTS instrumentation and control are shown in Table 7.1-3.
7.1.2.1.26.3 SGTS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.27 Deleted 7.1.2.1.28 Safety-Related Display Instrumentation 7.1.2.1.28.1 SRDI Safety Design Bases The necessary display instrumentation is available to the reactor operator in the control room for determining when conditions exist that require specified manual control actions and to monitor the results of these and automatic actions, and to identify and follow the source of the accident to the degree necessary for the operator to perform his/her role and to verify adequate core cooling and containment integrity.
7.1.2.1.28.2 SRDI Specific Regulatory Requirements The specific regulatory requirements applicable to the SRDI are given in Table 7.1-3.
7.1.2.1.28.3 SRDI Power Generation Design Bases The safety-related instruments that are also used for power generation are designed so that all the expected power operation actions and maneuvers can be reasonably accomplished by the reactor operator.
7.1.2.1.29 Containment Instrument Gas System - Instrumentation and Controls 7.1.2.1.29.1 CIGS Safety Design Bases The CIGS is designed to provide a compressed gas supply for the ADS SRVs.
7.1.2.1.29.2 CIGS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
CHAPTER 07 7.1-32 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.29.3 CIGS Power Generation Design Bases See Section 9.3.
7.1.2.1.30 Containment Spray Mode of the RHR System - Instrumentation and Controls 7.1.2.1.30.1 RHR-CSM Safety Design Bases The RHR-CSM is designed to meet the following safety design bases:
- a. Instrumentation and controls are provided to sense drywell pressure and to enable the system to condense steam in the drywell and the suppression pool air volume during a transient or accident event.
- b. All manual controls for the containment spray mode of the RHR system are provided in the control room.
- c. Performance of the RHR-CSM is indicated by control room instrumentation.
7.1.2.1.30.2 RHR-CSM Specific Regulatory Requirements Specific regulatory requirements applicable to the RHR-CSM are listed in Table 7.1-3.
7.1.2.1.30.3 RHR-CSM Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.31 Remote Shutdown System - Instrumentation and Controls 7.1.2.1.31.1 RSS Safety Design Bases The capability to remotely shutdown the reactor is designed to meet the following functional design bases:
- a. Instrumentation and controls are provided outside the control room to allow prompt hot shutdown of the reactor and to maintain safe conditions during hot shutdown.
- b. Suitable procedures provide the capability for subsequent cold shutdown of the reactor.
7.1.2.1.31.2 RSS Specific Regulatory Requirements Specific regulatory requirements applicable to the RSS are listed in Table 7.1-3.
7.1.2.1.31.3 RSS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.32 Suppression Pool Cooling Mode of the RHR System - Instrumentation and Controls 7.1.2.1.32.1 RHR-SPCM Safety Design Bases CHAPTER 07 7.1-33 REV. 17, SEPTEMBER 2014
LGS UFSAR Instrumentation and controls are provided to allow the reactor operator to manually initiate suppression pool cooling to ensure that the pool temperature does not exceed the pre-established pool temperature limit.
7.1.2.1.32.2 RHR-SPCM Specific Regulatory Requirements The specific regulatory requirements applicable to this mode of operation are the same as listed in Table 7.1-3 for the RHR-SCM.
7.1.2.1.32.3 RHR-SPCM Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.33 Safety-Related Equipment Area Cooling Ventilation Systems 7.1.2.1.33.1 Standby Gas Treatment System Filter Room and Access Area Unit Coolers -
Instrumentation and Controls 7.1.2.1.33.1.1 SGTS-UC Safety Design Bases Instruments and controls are provided to enable the unit coolers to provide cooling to the areas around the SGTS filter to keep ambient conditions within the prescribed limits.
7.1.2.1.33.1.2 SGTS-UC Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.33.1.3 SGTS-UC Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.33.2 Diesel Generator Enclosure Ventilation System - Instrumentation and Controls 7.1.2.1.33.2.1 DGEVS Safety Design Bases Instruments and controls are provided to enable the diesel generator fans to provide ventilation to the diesel generator cells to keep the ambient conditions within the prescribed limits.
7.1.2.1.33.2.2 DGEVS Specific Regulatory Requirements The specific regulatory requirements applicable to the DGEVS instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.33.2.3 DGEVS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.33.3 Spray Pond Pump Structure Ventilation System - Instrumentation and Controls CHAPTER 07 7.1-34 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.33.3.1 SPPSVS Safety Design Bases Instruments and controls are provided to enable the fan systems to maintain the environment of the spray pond pump structure within the prescribed limits.
7.1.2.1.33.3.2 SPPSVS Specific Regulatory Requirements This specific regulatory requirements applicable to the SPPSVS instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.33.3.3 SPPSVS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.33.4 Emergency Switchgear and Battery Rooms Cooling System - Instrumentation and Controls 7.1.2.1.33.4.1 ESBRCS Safety Design Bases Instruments and controls are provided to enable the cooling units to keep the ambient conditions of the affected areas within the prescribed limits and provide exhaust recirculation from the battery rooms.
7.1.2.1.33.4.2 ESBRCS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.33.4.3 ESBRCS Power Generation Design Bases Instruments and controls are provided to enable the cooling units to keep the ambient conditions of the affected areas within the prescribed limits and provide exhaust from the battery rooms.
7.1.2.1.33.5 Emergency Core Cooling Systems (ECCS and RCIC) Pump Compartment Unit Coolers - Instrumentation and Controls 7.1.2.1.33.5.1 ECCS-UC Safety Design Bases Instruments and controls are provided to enable the unit coolers to keep the ambient conditions of the affected areas, except for HPCI and RCIC within the prescribed limits.
7.1.2.1.33.5.2 ECCS-UC Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.33.5.3 ECCS-UC Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.33.6 Auxiliary Equipment Room Ventilation System - Instrumentation and Controls 7.1.2.1.33.6.1 AERVS Safety Design Bases CHAPTER 07 7.1-35 REV. 17, SEPTEMBER 2014
LGS UFSAR Instruments and controls are provided to enable the fan systems to maintain the environment in the auxiliary equipment room within the prescribed limits.
7.1.2.1.33.6.2 AERVS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.33.6.3 AERVS Power Generation Design Bases Instruments and controls are provided to ensure adequate ventilation for the equipment in the auxiliary equipment room.
7.1.2.1.34 Drywell Unit Coolers - Instrumentation and Controls 7.1.2.1.34.1 DUC Safety Design Bases Instruments and controls are provided to enable the unit coolers to provide atmosphere mixing in the primary containment.
7.1.2.1.34.2 DUC Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.34.3 DUC Power Generation Design Bases Instruments and controls are provided to enable the unit coolers to provide cooling in the primary containment.
7.1.2.1.35 Control Enclosure Chilled Water System - Instrumentation and Controls 7.1.2.1.35.1 CECWS Safety Design Bases Instruments and controls are provided to enable the chiller and its circulating pumps to supply chilled water to the cooling coils of the associated equipment.
7.1.2.1.35.2 CECWS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and controls are shown in Table 7.1-3.
7.1.2.1.35.3 CECWS Power Generation Design Bases Instruments and controls are provided to enable the chiller and its circulating pumps to supply chilled water to the cooling coils of the associated equipment.
7.1.2.1.36 High Pressure/Low Pressure System Interlocks 7.1.2.1.36.1 HPLPSI Safety Design Bases CHAPTER 07 7.1-36 REV. 17, SEPTEMBER 2014
LGS UFSAR HPLPSI is not a system, but provides interlocks between pressure in the reactor coolant and pressure in the RHR system. Therefore safety design bases do not apply directly to HPLPSI.
7.1.2.1.36.2 HPLPSI Specific Regulatory Requirements There are no specific regulatory requirements for the HPLPSI.
7.1.2.1.36.3 HPLPSI Power Generation Design Bases There are no power generation design bases for the HPLPSI.
7.1.2.1.37 Safety/Relief Valve Position Indication System - Instrumentation and Controls 7.1.2.1.37.1 SRVPI Safety Design Bases Indication and alarms, provided in the control room, alert the operator to, and identifies, OPEN/NOT-OPEN SRVs.
7.1.2.1.37.2 SRVPI Specific Regulatory Requirements The specific regulatory requirements applicable to the SRVPI are shown in Table 7.1-3.
7.1.2.1.37.3 SRVPI Power Generation Design Bases There are no power generation design bases for this system.
7.1.2.1.38 Fire Protection and Suppression System 7.1.2.1.38.1 FPSS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.38.2 FPSS Specific Regulatory Requirements There are no specific regulatory requirements for this system.
7.1.2.1.38.3 FPSS Power Generation Design Bases There are no power generation design bases for this system.
7.1.2.1.39 Reactor Enclosure Isolation System 7.1.2.1.39.1 REIS Safety Design Bases The system is designed to meet the following safety design bases:
- a. Instruments and controls are provided that enable the system to isolate the reactor enclosure secondary containment.
CHAPTER 07 7.1-37 REV. 17, SEPTEMBER 2014
- b. Manual controls for the isolation system are provided in the control room.
- c. Performance of the isolation is indicated by control room instrumentation.
7.1.2.1.39.2 REIS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and control are shown in Table 7.1-3.
7.1.2.1.39.3 REIS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.40 Nonsafety-Related Equipment Area Cooling Ventilation Systems 7.1.2.1.40.1 Safety Design Bases There are no safety design bases for the instrumentation and controls for these systems.
7.1.2.1.40.2 Specific Regulatory Requirements There are no specific regulatory requirements for these systems' instruments and controls.
7.1.2.1.40.3 Power Generation Design Bases Instruments and controls are provided to ensure adequate ventilation for equipment and personnel located in the areas serviced by the nonsafety-related equipment area cooling ventilation systems during normal plant operation.
7.1.2.1.41 Safeguard Piping Fill System 7.1.2.1.41.1 SPFS Safety Design Bases The SPFS is designed to perform two functions:
- a. Provide a safety-related backup source of makeup water to the ECCS and RCIC pump discharge lines to prevent drainage of the lines from back leakage through the discharge check valves in the event of failure of the primary source (condensate transfer system)
- b. Provide a water seal in the feedwater lines to forestall the possibility of drainage of the feedwater lines and subsequent bypass leakage of containment atmosphere 7.1.2.1.41.2 SPFS Specific Regulatory Requirements The specific regulatory requirements for this system are listed in Table 7.1-3.
7.1.2.1.41.3 SPFS Power Generation Design Bases This system has no power generation design bases.
CHAPTER 07 7.1-38 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.1.42 Refueling Area Isolation System 7.1.2.1.42.1 RAIS Safety Design Bases The system is designed to meet the following safety design bases:
- a. Instruments and controls are provided that enable the system to isolate the refueling floor.
- b. Manual controls for the isolation system are provided in the control room.
- c. Performance of the isolation is indicated by control room instrumentation.
7.1.2.1.42.2 RAIS Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and control are shown in Table 7.1-3.
7.1.2.1.42.3 RAIS Power Generation Design Bases There are no power generation design bases for this system.
7.1.2.1.43 Redundant Reactivity Control System 7.1.2.1.43.1 RRCS Safety Design Basis The RRCS is designed to mitigate the potential consequences of an ATWS event. The RRCS provides signals to mitigate an ATWS event by:
- b. Tripping the recirculation pump
- c. Providing feedwater runback function
- d. Automatically initiating the SLCS.
7.1.2.1.43.2 RRCS Specific Regulatory Requirements The regulatory requirements applicable to the RRCS are given in Table 7.1-3.
7.1.2.1.43.3 RRCS Power Generation Design Bases This system has no power generation design bases.
7.1.2.1.44 Rod Worth Minimizer 7.1.2.1.44.1 RWM Safety Design Bases CHAPTER 07 7.1-39 REV. 17, SEPTEMBER 2014
LGS UFSAR There are no safety design bases for the RWM.
7.1.2.1.44.2 RWM Specific Regulatory Requirements The specific regulatory requirements applicable to the system instrumentation and control are listed in Table 7.1-3.
7.1.2.1.44.3 RWM Power Generation Design Basis The RWM monitors and enforces operator adherence to established startup, shutdown, and low power level control rod sequences.
7.1.2.1.45 Plant Monitoring System 7.1.2.1.45.1 PMS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.45.2 PMS Specific Regulatory Requirements The specific regulatory requirements applicable to this system are listed in Table 7.1-3.
7.1.2.1.45.3 PMS Power Generation Design Bases The PMS is a centralized, integrated system which performs the process monitoring and calculations defined as being necessary for the effective evaluation of power plant operation. The PMS acquires and records process data (e.g., temperatures, pressure, flows, and status indicators) to produce meaningful displays, logs, and plots of current and historical plant performance. The PMS has the following major functions:
- a. Provide real-time and historical emergency response information necessary to meet and support SPDS requirements; that is, information to maintain adequate core cooling, shut down the reactor, cool the RPV to cold shutdown conditions, maintain primary containment integrity, and protect equipment in the primary containment.
- b. Provide functions, such as scan, log, and alarm, certain NSSS programs, SOE, trend recorder, and BOP programs.
- d. Provide real-time and historical information during normal, startup, and emergency operation at high resolution recording speeds for event monitoring and analyses.
7.1.2.1.46 Emergency Response Facility Data System 7.1.2.1.46.1 ERFDS Safety Design Bases There are no safety design bases for this system.
7.1.2.1.46.2 ERFDS Specific Regulatory Requirements CHAPTER 07 7.1-40 REV. 17, SEPTEMBER 2014
LGS UFSAR The specific regulatory requirements applicable to this system are listed in Table 7.1-3.
7.1.2.1.46.3 ERFDS Power Generation Design The ERFDS is a part of the PMS and performs the process monitoring and calculations defined as being necessary for the effective evaluation of normal and emergency power plant operation. The PMS acquires and records process data for ERFDS including temperatures, pressures, flows, and status indicators. This data is processed to produce meaningful displays, logs, and plots of current or historical plant performance and is presented to plant personnel in the plant main control room or other user definable locations.
7.1.2.2 Independence of Redundant Safety-Related Systems 7.1.2.2.1 Introduction This section defines separation criteria for safety-related mechanical and electrical equipment.
Safety-related equipment to which the criteria apply is that equipment that is necessary to mitigate the effects of DBAs and is identified in Section 7.1.1. The objective of the criteria is to delineate the separation requirements necessary to achieve independence of safety-related equipment.
7.1.2.2.2 Mechanical Systems Separation Criteria 7.1.2.2.2.1 General
- a. Separation of the affected mechanical systems and equipment is accomplished so that the substance and intent of the General Design Criteria of 10CFR50, Appendix A are fulfilled.
- b. Consideration is given to the redundant and diverse requirements of the affected systems.
- c. Consideration is given to the type, size, and orientation of possible breaks of the RCPB specified in Section 3.6.
- d. A single active component failure is an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be part of the single failure.
Fluid systems are considered to be designed against an assumed single failure if a single failure of any active component (assuming passive components function properly) does not result in a loss of capability of the system to perform its safety function.
- e. The affected mechanical systems and equipment, along with their associated structures, are appropriately separated so that they are adequately protected against:
- 1. The design basis LOCA dynamic effects outlined in Section 3.6
- 2. Missiles as defined in Section 3.5 CHAPTER 07 7.1-41 REV. 17, SEPTEMBER 2014
- 3. Fires and floods capable of damaging redundant mechanical safety equipment (Sections 9.5.1 and 3.4)
The need for and the adequacy of separation are determined in conjunction with the criteria specified in Sections 3.5 and 3.6.
7.1.2.2.2.2 Mechanical Systems Separation
- a. Piping for a redundant safety system is run independently of its counterpart.
Redundant piping supports, restraints, and mechanical components of the same system are not shared unless it can be shown that such sharing does not impair their ability to perform their safety functions.
- b. Entrance penetrations to the containment are separated so that damage to or failure of one branch of a system does not render its redundant counterpart(s) inoperable.
- c. Equipment for redundant safety systems or redundant groups of safety systems is separated so that damage to or failure of one division of a system does not render its redundant counterpart inoperable.
7.1.2.2.2.3 Mechanical Systems Physical Separation
- a. Mechanical equipment, piping, and tubing for safety-related systems are separated so that no single credible event is capable of disabling sufficient equipment to prevent reactor shutdown, removal of decay heat from the core, long-term suppression pool cooling, isolation, and integrity of the containment. Separation is accomplished either by distance or by physical barriers such as walls and intervening structural components.
A representation of the separation is shown in Tables 7.1-4, 7.1-5, and 7.1-6.
- b. The equipment in each group is separated from that in the other group by the required practical distance.
- c. Separation barriers are constructed between the functional groups as required to ensure that the environmental disturbances (such as fire, flood, pipe rupture phenomena, falling objects, etc.) affecting one functional group do not affect the remaining groups.
7.1.2.2.3 Electrical Systems Separation Criteria 7.1.2.2.3.1 General The electrical separation criteria are described in Section 8.1.6.1.14, compliance with Regulatory Guide 1.75. In addition to the criteria described there, the following applies:
- a. Panels and Racks CHAPTER 07 7.1-42 REV. 17, SEPTEMBER 2014
LGS UFSAR Panels and racks associated with the RPS or ESF are labeled with marker plates which distinctively identify the equipment as being in the protective system; the difference may be in color, or color of engraving-fill. The marker plates include identification of the proper division of the equipment included.
- b. Junction or Pullboxes Junction and/or pullboxes enclosing wiring for the RPS or ESF have identification similar to and compatible with the panels and racks.
- c. Cables Refer to Section 8.1.6.1.14.
- d. Raceways Refer to Section 8.1.6.1.14.
- e. Sensory Equipment Grouping and Designation Letters Redundant sensory equipment is identified by suffix letters in accordance with Table 7.1-4 for all de-energized-to-operate systems, including the RPS, and in accordance with Table 7.1-5 for the NMS. These tables also show the allocation of sensors to their separated divisions.
- f. Isolation Devices Three types of isolation devices are used in control and instrumentation circuits:
- a. Auxiliary relays and control switches
- b. Fiber optic couplers
- c. Solid-state signal isolators Auxiliary relays are the most widely used type of isolation device. Several relay types are used with both contact-to-contact and coil-to-contact isolation being used in both BOP and NSSS circuits. Relays and control switches are considered to be acceptable isolation devices if they have a minimum breakdown voltage of at least 600 V RMS between adjacent contacts. This level was chosen because the maximum credible voltage that could be impressed on a control circuit is 530 V ac based on a hot short occurring between a power and control cable in a cable tray.
To confirm the suitability of relays as isolation devices, tests were performed on the several relay types that are mort widely used at LGS. These tests are documented in PECo Test Report 48503, dated September 1, 1982. This test report was submitted to the NRC by letter from J.S. Kemper (PECo) to A. Schwencer (NRC) dated November 20, 1982 and shows that these relays perform satisfactorily in preventing a postulated failure in a non-Class 1E circuit from adversely affecting a Class 1E circuit.
CHAPTER 07 7.1-43 REV. 17, SEPTEMBER 2014
LGS UFSAR Fiber optic couplers are used to isolate the inputs to the PMS, which is non-safety related, from certain safety-related instrument loops that it monitors. The fiber optic transducers are part of the input modules of the PMS, some of which are Class 1E.
The safety related modules are mounted in panels that contain cables of only one division. These panels are located in the control structure from which the multiplexer output is transmitted via fiber optic cable to the TSC where the PMS CPUs are located. Any failure of the PMS would not be reflected back into the safety systems through the fiber optic link because this fiber optic cable has a typical dielectric breakdown of 1.4 MV per inch.
Fiber optic isolators are also used between the Class 1E postaccident radiation monitors and the computer-based RMMS.
The RRCS also uses fiber optic isolators for logic interface between Class 1E divisions and Class 1E/non-Class 1E inputs. Test data for the isolators in these systems was transmitted to the NRC by letter from J.S. Kemper (PECo) to A.
Schwencer (NRC) dated December 14, 1983.
Solid-state isolators are used to provide isolation of Class 1E analog inputs to the Plant Monitoring System. Because the computer input cables are routed in raceways that contain only instrumentation cables, it can be shown by analysis that these isolators adequately prevent any failure in the computer or the instrumentation raceways from adversely affecting any safety-related system.
Solid-state isolators are used to isolate inputs from the NMS (except PRNM) and from the dc battery bus to the Plant Monitoring System.
The NMS (except PRNM) isolators consist of an operational amplifier with a 10 volt maximum output which is reduced to 160 mV maximum by a resistive network. A 30 mA fuse is then provided in series prior to taking the signal to the computer. The dc voltage transducer/isolator has been tested to ensure that either a short circuit, open circuit, or short to ground on the output terminals would not cause an unacceptable effect on the dc system.
The PRNM uses fiber optic isolators between divisions and to the Plant Monitoring System, optically coupled relays for isolation of outputs to non-divisional circuits, and magnetically coupled analog isolators for isolation of analog outputs. It has been shown by analysis that these methods in combination with the wire and cable routing within the system assure adequate isolation between redundant channels of the safety-related functions.
Solid-state analog isolators are also used in several HVAC analog control loops to provide isolation of cross-division signals. Test data for all solid-state isolators was transmitted to the NRC by letter from J.S. Kemper (PECo) to A. Schwencer (NRC) dated December 14, 1983.
7.1.2.2.3.2 Electrical Systems Separation Requirements 7.1.2.2.3.2.1 RPS and Normally Energized Portions of PCRVICS The following general rules apply to RPS wiring. Portions of the NMS wiring are considered as part of the RPS.
CHAPTER 07 7.1-44 REV. 17, SEPTEMBER 2014
- a. RPS cable in raceways outside of the main protection system cabinets run in enclosed raceways used only for the RPS. Under-vessel neutron monitoring cables are not placed in any enclosure that unduly restricts their flexibility. Neutron monitoring cables (SRM, IRM, and APRM) may be run in the same raceway, provided that divisional separation is maintained.
- b. Wiring to redundant sensors on a common process tap is run in separate raceways to separate destinations to meet the single failure criterion.
- c. Wiring for sensors of more than one variable in the same trip channel may be run in the same raceway.
- d. Wires from both RPS trip systems that trip actuators to a single group of scram solenoids may be run in a single conduit; however, a single conduit does not contain wires to more than one group of scram solenoids or any other wiring.
Wiring for two solenoids on the same control rod may be run in the same conduit.
- e. Cables through the primary containment penetrations are so grouped that failure of all cabling in a single penetration cannot prevent a scram (this applies specifically to the neutron monitoring cables and the MSIVs position switch cables).
- f. Power supplies to systems that de-energize to operate (so-called "fail-safe" power supplies) require only separation that is deemed prudent to give reliability (continuity of operation). Therefore, the protection system power supplies and load circuit breakers are not required to comply with the separation requirements for safety reasons, even though the load circuits go to separated panels.
- g. Wiring providing power for the movement of each RPS backup scram valve and the solenoids for the SDV vent and drain valves is routed in rigid conduit, and wires are separated from one another and from all other cables.
- h. The RPS wiring is run and/or protected so that no common source or potentially damaging energy (e.g., electrical fire in non-RPS wireways, malfunction, misoperation of plant equipment, pipe rupture, etc.) could reasonably result in a loss of ability to scram when required.
7.1.2.2.3.2.2 All Other Safety-Related Systems Electrical Systems Separation Criteria
- a. Separation is designed so that no single failure can prevent the performance of any safety-related function. Redundant (even dissimilar) systems may be required to perform the required function to satisfy the single failure criterion. Figures 7.1-1 through 7.1-4, and Table 7.1-6 show equipment separation into divisions and the allowable interconnections through isolating devices.
- b. The inboard and outboard NSSS system isolation valves are backups for each other, so they must be independent of and protected from each other, to the extent that no single failure can prevent the operation of at least one valve of an inboard/outboard pair. Figure 7.1-3 illustrates the MSL isolation valve separation concept.
- c. Isolation valve circuits require special attention because of their function in limiting the consequences of a pipe break outside the primary containment. Isolation valve CHAPTER 07 7.1-45 REV. 17, SEPTEMBER 2014
LGS UFSAR control and power circuits are protected from the pipelines that they are responsible for isolating, as follows:
- 1. Essential isolation valve wiring in the vicinity of the outboard valve (or downstream from the valve) is installed in conduit and routed to take advantage of the mechanical protection afforded by the valve operator or other available structural barriers not susceptible to disabling damage from the pipeline break. Additional mechanical protection (barriers) is interposed as necessary.
- 2. Isolation valve control and/or power wiring run in a raceway with other cables is protected from secondary effects of damage to those cables that might result from a pipe break in a line requiring isolation (i.e., short circuits that might overheat cables in an ESF raceway).
- 3. When the downstream piping from the containment is not seismic Category I, the isolation valve wiring in the vicinity of the inboard valve is in rigid conduit and routed so as to take advantage of the mechanical protection afforded by the valve operator or other available structural barriers not susceptible to disabling damage from a pipe line break. Additional mechanical protection (barriers) are interposed as necessary between wiring and potential sources of disabling mechanical damage consequential to a pipe break. Except for the requirements of this paragraph, wiring near the inboard valve does not require special treatment discussed in paragraphs (1) and (2) above.
- 4. MOVs that have a mechanical check valve backup for their isolation function are included in the division that embraces the system in which the valves are located rather than adhering strictly to the inboard/outboard divisional classification.
- d. Steam Leakage Zone Electrical equipment and raceways for systems listed in Section 7.1.1.2 are not located in a steam leakage zone insofar as is practicable, or they are designed for short-term exposure to the high temperature and humidity associated with a steam leak.
- e. Suppression Pool Level Swell Zone Any electrical equipment and/or raceways for the RPS or ESF located in this zone are designed to complete their function satisfactorily before being rendered inoperable due to exposure to the environment created by the level swell phenomena.
7.1.2.3 Physical Identification of Safety-Related Equipment The physical identification of equipment is described in Section 8.1.
7.1.2.4 Instrument Errors CHAPTER 07 7.1-46 REV. 17, SEPTEMBER 2014
LGS UFSAR The design considers instrument performance, as well as engineering judgment and historical practices in the selection of instrumentation and controls and in the determination of setpoints. An adequate margin between safety limits and Limiting Safety System Settings is provided based on the appropriate combination of engineering judgment, historical practice, and allowances for instrument performance. The Limiting Safety System Settings are contained in the Technical Specifications. When computational techniques are employed, nominal trip setpoints and allowable values are determined by combining allowances for instrument channel performance, such as accuracy (e.g., reference accuracy, pressure effects, temperature affects, radiation effects, etc.), process measurement accuracy, primary element accuracy, instrument drift, calibration accuracies and other uncertainties as appropriate. The specific performance allowance and the environmental and process conditions used, are based on the design, application, functional and calibration requirements of the instrument channel. The surveillance frequency is factored into time based instrument performance parameters.
Process instrument setpoints for LGS Units 1 and 2 are controlled in plant documentation and logs.
The setpoints include automatic trip, indication, interlock and alarm setpoints for plant instruments such as analog and digital switches, time delays and similar devices.
The setpoint values shown on the logic diagrams in Chapter 7 are intended to assist the reader in the understanding of the document.
Administrative process control and document instrument setpoints for LGS Units 1 & 2. The scope of these processes include trip, alarm, and initiation setpoints for plant instruments such as analog and digital switches, time delays and similar devices.
The setpoint values shown on the logic diagrams in Chapter 7 are intended to assist the reader in the understanding of the document.
7.1.2.5 Conformance to Regulatory Guides The statements on the degree of conformance to various regulatory guides which follow are intended to demonstrate an overall safety system level of compliance. The applicability of the conformance statements to each system is found in Table 7.1-3. Each individual system analysis discussion defines any difference in the degree of conformance to a particular regulatory guide.
7.1.2.5.1 Regulatory Guide 1.6 (March 1971) - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems (Safety Guide 6)
Independence is maintained between redundant standby (onsite) sources and between their distribution systems in compliance with Regulatory Guide 1.6. Further discussion is presented in Section 8.1.6.1.
7.1.2.5.2 Regulatory Guide 1.7 (November 1978) - Control of Combustible Gas Concentrations in Containment Following a Loss-of-Coolant Accident Conformance with Regulatory Guide 1.7 is discussed in Section 6.2.5.4.
7.1.2.5.3 Regulatory Guide 1.9 (March 1971) - Selection of Diesel Generator Set Capacity for Standby Power Supplies (Safety Guide 9)
See Section 8.1.6.1 for a complete discussion of conformance with Regulatory Guide 1.9.
CHAPTER 07 7.1-47 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.5.4 Regulatory Guide 1.11 (March 1971) - Instrument Lines Penetrating Primary Reactor Containment (Safety Guide 11)
Conformance to Regulatory Guide 1.11 is discussed in Section 6.2.4.
7.1.2.5.5a Regulatory Guide 1.21 (June 1974) - Measuring, Evaluating, and Reporting Radioactivity in Solid Wastes and Releases of Radioactive Materials in Liquid and Gaseous Effluents from Light-Water-Cooled Nuclear Power Plants The LGS process and effluent radiological monitoring and sampling systems are designed to allow conformance to this guide, as discussed in Sections 11.5, 7.6 and 7.7. Evaluation and reporting procedures during operation will conform to this guide.
7.1.2.5.5b Regulatory Guide 1.22 (February 1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)
The LGS design is in conformance with this guide. With respect to paragraph D.3 of the guide, administrative controls are considered "positive means" to limit the expansion of a bypass to redundant or diverse systems. Collective annunciation of bypassing by manual means is considered to satisfy the guidelines. Additional details are provided below:
D.3a The indications of system inoperability provided under the guidelines of Regulatory Guide 1.47 are used by the operator to prevent, through administrative procedures, the bypassing of a redundant channel of a protection system. The conditions that render the system inoperable during test are annunciated. The conditions that automatically bring up the out-of-service alarm are identifiable to the operator in the control room by means of the out-of-service status light.
D.3b A manual out-of-service switch is provided to annunciate any bypass condition that does not automatically energize the system out-of-service annunciator. A single status light indicates that the annunciator has been manually actuated. Individual indication for each manually induced inoperability is not provided.
Details for each system are discussed in Sections 7.2, 7.3, 7.4 and 7.6.
7.1.2.5.6 Regulatory Guide 1.29 (September 1978) - Seismic Design Classification LGS is in conformance with this Guide with respect to instrumentation and controls.
The instrumentation and control equipment required to meet seismic Category I requirements is identified in general in Table 3.2-1, and specifically in the system piping and instrumentation drawings.
7.1.2.5.7 Regulatory Guide 1.30 (August 1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)
Conformance to this guide is discussed in Section 8.1.6.1.
7.1.2.5.8 Regulatory Guide 1.32 (February 1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Refer to Section 8.1.6.1 for a discussion of this guide.
CHAPTER 07 7.1-48 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1.2.5.9 Regulatory Guide 1.40 (March 1973) - Qualification Tests of Continuous-Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants There are no continuous-duty motors installed inside the containment that are part of the instrumentation and control systems.
7.1.2.5.10 Regulatory Guide 1.45 (May 1973) - Reactor Coolant Pressure Boundary Leakage Detection Systems The RCPB leakage detection systems are provided to detect and, to the extent practical, identify the location(s) of the source of reactor coolant leakage.
Conformance to Regulatory Guide 1.45 is discussed in Section 5.2.
7.1.2.5.11 Regulatory Guide 1.47 (May 1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems In accordance with the requirements of Regulatory Guide 1.47, bypassed and inoperable status indication has been provided for all plant protection systems. These systems are listed below.
Also listed are the conditions that cause annunciation of system inoperability.
Equipment monitored within a protection system is that equipment which, when bypassed on removed from service, will cause inoperability of a redundant portion of the protection system.
Bypass or removal of equipment will automatically initiate the system level out-of-service annunciator and illuminate a status light on the system control panel indicating the cause of the out-of-service condition.
All auxiliary and supporting systems to protection systems are monitored as part of the protection system availability in accordance with Regulatory Guide 1.47. The inoperability of these support systems causes the actuation of the out-of-service annunciator for the protection systems that these systems support. A status light is provided to indicate that the inoperability of the support system is the cause of inoperability of the protection system.
The bypass indication system is designed and installed in a manner which precludes the possibility of adverse affects on the plant safety system. The bypass indication system is electrically isolated from the protection circuits so that the failure or bypass of a protective function is not a credible consequence of failures in the bypass indication system and the bypass indication system cannot reduce the independence between redundant safety systems.
Equipment that is bypassed or removed from service not more than once per year is not monitored. A manual out-of-service switch is provided for this equipment and for other equipment that cannot be monitored.
Regulatory Positions C.1, C.2, and C.3:
Automatic indication is provided in the main control room to inform the operator that a system is inoperable. Annunciation is provided to indicate that a system or part of a system is not operable.
Individual lights indicate what part of the system is out of service. Manual actuation is provided to cover situations which cannot be automatically annunciated. For example, the reactor protection (trip) system, and the containment and reactor vessel isolation system have annunciators lighting CHAPTER 07 7.1-49 REV. 17, SEPTEMBER 2014
LGS UFSAR and sounding whenever one or more channels of an input variable are bypassed. Bypassing is not allowed in the trip logic or actuation logic.
Instruments which form part of a one-out-of-two-twice logic system can be removed from service for calibration. Removal of the instrument from service is indicated in the main control room by manual actuation of the system out-of-service annunciator.
Regulatory Position C.4:
All the annunciators can be tested by depressing the annunciator test switches on the control room bench boards and can be brought up by manual switches as discussed in Regulatory Positions C.1, C.2, and C.3.
The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and of reducing the possibility for the indicating equipment to adversely affect its monitored safety system.
- a. Individual indicator lights are arranged together on a control room panel to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed.
- b. As a result of design, preoperational testing, and startup testing, no erroneous bypass indication is anticipated.
- c. These indication provisions serve to supplement administrative controls and aids the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function.
- d. All circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects.
- e. Each indicator is provided with dual lamps and can be periodically tested.
The individual out-of-service condition that initiates a system level out-of-service alarm is listed below.
- a. Pump breaker control power undervoltage
- b. Pump breaker not connected
- c. Pump breaker locked out
- d. Loss of power to relay logic
- e. Loss of power to control valve or valve motor overload
- f. System logic in test
- g. Trip unit in calibration or failure CHAPTER 07 7.1-50 REV. 17, SEPTEMBER 2014
- h. Loss of power to trip unit or trip unit out of file
- i. Manual out of service
- j. Loss of system support HVAC
- k. Valves operated from the control room that are not automatically positioned by the initiation signal
- l. Transfer switch out of position For the specific alarms that are associated with a system, refer to the functional control diagram for that system as listed in Chapter 7 figures and to the schematics E-648 as listed in Table 1.7-1.
Systems monitored as discussed above are as follows:
- a. RPS Drawings C71-1010-F-002, C71-1010-F-003, C71-1010-F-004, and C71-1010-F-005
- b. CS System Figure 7.3-9
- c. PCRVICS Figure 7.3-8
- d. HPCI System Figure 7.3-7
- e. RHR System Drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003
- f. ESW System Table 1.7-1
- g. Standby ac Power System Table 1.7-1
- h. RCIC Drawings E51-1030-F-004, E51-1030-F-005, E51-1030-F-006, E51-1030-F-007, E51-1030-F-008, and E51-1030-F-009
- i. RHR-SCM Drawings E11-1030-F-001, E11-1030-F-002, and E11-1030-F-003
- j. REIS Drawings B21-1030-F-002, B21-1030-F-002, B21-1030-F-003, B21-1030-F-004, B21-1030-F-005 and M-76FD
- k. SGTS Drawing M-76FD
- l. RERS Drawing M-76FD
- m. Control Enclosure HVAC Systems Drawing M-78FD
- n. NMS Figure 7.6-1 CHAPTER 07 7.1-51 REV. 17, SEPTEMBER 2014
- o. SLCS Table 1.7-1
- p. CGCS Table 1.7-1 Regulatory Guide 1.47 compliance for Items (k), (l), and (m) above is through the use of a trouble alarm in the control room that will direct the operator to a local control panel in the control enclosure for more information. For Items (n) through (p), alarms are provided in the control room that provide the cause of the out-of-service condition. No status lights are provided.
The following three systems do not have system level out-of-service alarms in the control room:
NMS, SLCS, and CGCS. The following conditions which can make these systems out of service are specifically annunciated in the control room:
- a. NMS (Drawing E-620)
SRM Downscale SRM Upscale/Inoperable SRM Retracted When Not Permitted IRM Upscale/Inoperable IRM Downscale IRM Upscale RBM Downscale/Trouble APRM/RBM Flow Reference Off-Normal RBM Upscale/Inoperable APRM Downscale APRM Upscale LPRM Downscale LPRM Upscale APRM Upscale Trip/Inoperable OPRM/APRM Trouble OPRM Upscale Trip OPRM Trips Enabled
- b. SLCS (Drawing E-620)
SLCS Pump A/B/C Overload/Loss of Power SLCS Tank High/Low Level SLCS Tank High/Low Temperature SLCS Squib Valve Loss of Continuity SLCS Isolation Valves Not Fully Open
- c. CGCS (Drawing E-622)
Drywell H2 Recombiner System Trouble 1A Drywell H2 Recombiner System Trouble 1B The following alarms are provided on the recombiner control panels which are located in the control room behind the main control boards:
Return Gas Temperature High Reaction Chamber Shell Temperature High CHAPTER 07 7.1-52 REV. 17, SEPTEMBER 2014
LGS UFSAR Blower Inlet Gas Pressure High Reaction Chamber Gas Temperature High Blower Inlet Temperature High Blower Inlet Gas Flow Low Reaction Chamber Gas Temperature Low Heater Wall Temperature High The above alarms for these four systems represent all conditions which can prevent the system from performing its safety function. The requirements of Regulatory Guide 1.47 for these systems are therefore satisfied. Any other conditions can be annunciated by manually causing one of the above annunciators to light.
Details of the administrative procedures that control access as a means for bypassing are contained in Section 7.2.2.1.1.1.8.
7.1.2.5.12 Regulatory Guide 1.53 (June 1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems LGS is in conformance with this guide which provides that protection systems meet section 4.2 of IEEE 279 (1971), in that any single failure within the protection systems will not prevent proper protective action at the system level when required. Conformance is achieved by specifying, designing, and constructing the ESFs to meet the single failure criterion, section 4.2 of IEEE 279 (1971), "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 (1972), "IEEE Trial Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems." See Sections 7.2, 7.3, 7.4, and 7.6 for a discussion of conformance for each system.
7.1.2.5.13 Regulatory Guide 1.56 (July 1978) - Maintenance of Water Purity in Boiling Water Reactors The RWCU instrumentation is in conformance with Regulatory Guide 1.56. Further discussion is provided in Sections 7.7.2.8.2.3 and 5.4.8. Conformance of the deep bed condensate demineralizer system is discussed in Section 10.4.6.
7.1.2.5.14 Regulatory Guide 1.62 (October 1973) - Manual Initiation of Protective Actions LGS is in conformance with this guide which provides that manual initiation of each protective action at the system level be provided, that such initiation accomplish all actions performed by automatic initiation, and that protective action at the system level goes to completion once manually initiated. In addition, manual initiation is by switches readily accessible in the control room, and a minimum of equipment should be used in common with automatically initiated protective action.
Means are provided for manual initiation of the PCRVICS, the ECCS, and for RPS scram at the system level through the use of armed push buttons, as described below:
ACTION INITIATED NUMBER OF SWITCHES PCRVICS Four ADS Four: two in Division 1 and two in Division 3 HPCI One in Division 2 CHAPTER 07 7.1-53 REV. 17, SEPTEMBER 2014
LGS UFSAR RHR A/CS A* One in Division 1 RHR B/CS B* One in Division 2 RHR C/CS C* One in Division 3 RHR D/CS D* One in Division 4 RPS Four The note "*" indicates that pumps A and C are for one CS injection system, and the B and D pumps are for the other system.
The operation of these switches initiates all actions performed by the automatic initiation circuitry.
For a detailed discussion on Regulatory Guide 1.62 compliance, refer to the following UFSAR Sections:
PCRVICS Section 7.3.2.2.2.1.7 ADS Section 7.3.2.1.2.1.9 HPCI Section 7.3.2.1.2.1.9 RHR/CS Section 7.3.2.1.2.1.9 RPS Section 7.3.2.1.2.1.9 7.1.2.5.15 Regulatory Guide 1.63 (July 1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants Conformance to this guide is discussed in Section 8.1.6.1.
7.1.2.5.16 Regulatory Guide 1.68 (August 1978) - Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors Conformance to this guide is discussed in Section 14.2.
7.1.2.5.17 Regulatory Guide 1.70 (November 1978) - Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants Chapter 7 conforms to the format of Regulatory Guide 1.70.
7.1.2.5.18 Regulatory Guide 1.73 (January 1974) - Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants Conformance to this guide is discussed in Sections 8.1.6.1 and 3.11.2.2.
7.1.2.5.19 Regulatory Guide 1.75 (September 1978) - Physical Independence of Electric Systems Conformance is discussed in Section 8.1.6.1.14.
7.1.2.5.20 Regulatory Guide 1.80 (June 1974) - Preoperational Testing of Instrument Air Systems CHAPTER 07 7.1-54 REV. 17, SEPTEMBER 2014
LGS UFSAR Conformance to this guide is discussed in Section 14.2.
7.1.2.5.21 Regulatory Guide 1.89 (November 1974) - Qualification of Class 1E Equipment for Nuclear Power Plants Discussion of degree of conformance to Regulatory Guide 1.89 is given in Section 3.11.2 for NSSS equipment and in Section 8.1.6.1 for non-NSSS equipment.
7.1.2.5.22 Regulatory Guide 1.96 (May 1975) - Design of Main Steam Isolation Valve Leakage Control Systems for Boiling Water Reactor Nuclear Power Plants In 1994, LGS received approval to remove the MSIV-LCS and replace it with the MSIV Leakage Alternate Drain Pathway discussed in Section 6.7.
7.1.2.5.23 Regulatory Guide 1.97 (December 1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident See Section 7.5 for a discussion of the degree of conformance.
7.1.2.5.24 Regulatory Guide 1.100 (August 1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants The degree of conformance to this guide is discussed in Section 3.10.
7.1.2.5.25 Regulatory Guide 1.105 (November 1976) - Instrument Setpoints Although this guide does not apply to LGS per its implementation section except for the RRCS, the following is an assessment of the design supplied.
The nominal trip setpoint and allowable value for Limiting Safety System Settings are contained in the Technical Specifications. These parameters are determined based on the appropriate combination of engineering judgment, historical practice, and allowances for instrument performance (7.1.2.4). The setpoints are within the operating capability of the associated instruments. The established setpoints provide sufficient margin to satisfy both safety requirements, and plant availability objectives.
Related setpoint methodology concerns have been addressed by Reference 7.1-1. In a May 15, 1984 submittal, LGS endorsed the work scope and schedule proposed by Reference 7.1-1, which was accepted by the NRC staff in Reference 7.1-2. The licensee agreed to show compliance with the methodology within 6 months of NRC approval of the methodology. The methodology was submitted by GE on November 19, 1986. This methodology has been accepted by the NRC by virtue of issuance of an SSER for the Power Re-Rate for LGS.
7.1.2.5.26 Regulatory Guide 1.118 (June 1978) - Periodic Testing of Electric Power and Protection Systems This guide, which endorses/modifies IEEE 338 (1977), is not applicable to LGS per its implementation section except for the RRCS. Discussion of IEEE 338 is presented on a system-by-system basis in the analysis portion of Section 7.2, 7.3, 7.4, and 7.6 with the following clarification of the regulatory guide requirements:
CHAPTER 07 7.1-55 REV. 17, SEPTEMBER 2014
LGS UFSAR Position C.2 - Insofar as is practical and safe, response time testing will be performed from sensor inputs (at the sensor input connection for process instruments) to and including the actuated device.
Sensor response time testing for pressure sensors for the RPS will be performed in accordance with Regulatory Guide 1.118 (June, 1978). Response of the sensor output and the final actuation device will be measured. Response time testing for the differential pressure (level) sensors is not required based on the analysis performed in NEDO-32291-A. Response time testing of the trip unit and relay logic are required. Neutron detectors are exempt from response time testing; response time will be measured from the input of the first electronic component in the channel. Except for the MSIVs, individual sensor response times and logic system response times are not required for isolation systems because the signal delay (sensor response) is concurrent with the 13 second diesel startup. (Refer to LGS Technical Specification Bases 3/4.3.2 "Isolation Actuation Instrumentation" and 3/4.3.3 "ECCS Actuation Instrumentation.")
Position C.6b - Trip of an associated protective channel or actuation of an associated Class 1E load group is required on removal of fuses or opening of a breaker only for the purpose of deactivating instrumentation and control circuits.
Evaluation of the systems to be surveillance tested has determined that the actions required will include opening of circuit breakers. This action is required in a limited number of cases. The circuit breakers will be opened during monthly testing but will also bring up an out-of-service alarm that will not clear with the breaker open.
A review of safety-related control circuits that may be affected by racking-out their individual circuit breakers reveals that disabling of one component does not render redundant components inoperable. All modes of test, operation, and failure were considered; specifically, a study was conducted to identify safety systems with crossover interlocks. The effects of disabling of these components and their associated interlocks were then analyzed. The review identified that several crossover interlocks exist in the ESW and RHRSW systems and in several of the NSSS fail-safe logic circuits. However, the analysis did not disclose any cases where disabling the component or the associated interlocks would adversely affect the redundant safety circuit or components.
Response to Information Notice 84 Lifting of leads will be required to perform a limited number of the surveillance tests. Each of these tests, however, will follow the guidance provided by Information Notice 84-37, dated May 10, 1984.
The procedure for these tests will include instructions requiring the reconnecting of the lifted leads following the completion of the surveillance. This procedural step will be documented by a sign-off sheet to be initialed by the tester when the lifted leads have been reconnected. An independent or double verification will be performed and documented in the procedure to verify that the lifted leads have been returned to service. If permitted by existing plant design, functional tests designed to verify the restoration of proper system configuration will be performed.
The lifting of leads will be limited to surveillance tests that fall into one of the four categories below:
- a. Test that involve thermocouples
- b. Test that require the introduction of test equipment into the instrument channel being tested CHAPTER 07 7.1-56 REV. 17, SEPTEMBER 2014
- c. Tests on extensive systems that would otherwise become unnecessarily large and complex
- d. Tests on systems or components for which the plant design permits no other reasonable alternative.
7.1.2.5.27 Regulatory Guide 1.139 (May 1978) - Guidance for Residual Heat Removal Conformance to this guide is discussed in Section 5.4.
7.1.2.6 Conformance to 10CFR50, Appendix A, General Design Criteria The statements which follow on the degree of conformance to various GDC are intended to demonstrate an overall safety system level of compliance. The applicability of the conformance statements to each system is found in Table 7.1-3. Each individual system analysis discussion defines any difference in the degree of conformance to a particular GDC.
7.1.2.6.1 GDC 1 - Quality Standards and Records All systems required for safety are designed and built in accordance with an established quality assurance program.
7.1.2.6.2 GDC 2 - Design Bases for Protection Against Natural Phenomena All systems required for safety are designed to withstand the effects of natural phenomena without loss of capability to perform their safety functions.
7.1.2.6.3 GDC 3 - Fire Protection All systems and components required for safety are designed and located to minimize the probability and effect of fires and explosions. Materials that are heat-resistant and noncombustible have been chosen wherever practicable.
7.1.2.6.4 GDC 4 - Environmental and Dynamic Effects Design Bases Systems and components required for safety are designed to accommodate the effects of and be compatible with the environmental conditions associated with normal operations maintenance testing and postulated accidents, including LOCAs. These systems and components are appropriately protected against dynamic events such as missiles and pipe whipping.
7.1.2.6.5 GDC 5 - Sharing of Structures, Systems, and Components Systems and components required for safety are not shared with any other nuclear power unit, except for the RHRSW, the ESW, the SGTS and the control structure ventilation systems, which are common systems.
7.1.2.6.6 GDC 10 - Reactor Design The reactor core and associated coolant, control, and protection systems are designed with appropriate margins to ensure that specified acceptable fuel design limits will not be exceeded CHAPTER 07 7.1-57 REV. 17, SEPTEMBER 2014
LGS UFSAR during any condition of normal operation, including the effects of anticipated operational occurrences.
7.1.2.6.7 GDC 12 - Suppression of Reactor Power Oscillations The instrumentation and control systems are designed to readily detect and initiate action to suppress reactor power oscillations.
7.1.2.6.8 GDC 13 - Instrumentation and Control Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions and to control these variables and systems to ensure adequate safety.
7.1.2.6.9 GDC 15 - Reactor Coolant System Design The RCS instrumentation and control systems are designed to ensure that the design conditions of the RCPBs are not exceeded.
7.1.2.6.10 GDC 19 - Control Room A control room is provided where actions can be taken to operate the nuclear power unit under normal and abnormal conditions. A remote shutdown capability is also provided.
7.1.2.6.11 GDC 20 - Protection System Functions The protection systems are designed to sense accident conditions and automatically initiate the operation of appropriate systems important to safety to ensure that specified fuel design limits are not exceeded.
7.1.2.6.12 GDC 21 - Protection System Reliability and Testability The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6.
7.1.2.6.13 GDC 22 - Protection System Independence The protection systems are designed with independence through redundancy or functional diversity to prevent loss of the protection function.
7.1.2.6.14 GDC 23 - Protection System Failure Modes The protection systems are designed to be fail-safe during anticipated operational occurrences including postulated adverse environments.
7.1.2.6.15 GDC 24 - Separation of Protection and Control Systems The protection systems are separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection CHAPTER 07 7.1-58 REV. 17, SEPTEMBER 2014
LGS UFSAR system component or channel which is common to both, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.
7.1.2.6.16 GDC 25 - Protection System Requirements for Reactivity Control Malfunctions The protection system is designed so that fuel design limits are not exceeded even with any single malfunction of the reactivity control system.
7.1.2.6.17 GDC 26 - Reactivity Control System Redundancy and Capability The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.4, 7.6, and 7.7.
7.1.2.6.18 GDC 27 - Combined Reactivity Control Systems Capability The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.4, and 7.7.
7.1.2.6.19 GDC 28 - Reactivity Limits The conformance discussion of this GDC is presented on a system-by-system basis in the analysis portions of Sections 7.6 and 7.7.
7.1.2.6.20 GDC 29 - Protection Against Anticipated Operational Occurrences The protection and reactivity control systems are designed to ensure an extremely high probability of accomplishing their safety function in the event of an anticipated operational occurrence.
7.1.2.6.21 GDC 30 - Quality of Reactor Coolant Pressure Boundary The conformance discussion of this GDC is presented in the analysis portions of Sections 7.3, 7.4, and 7.6.
7.1.2.6.22 GDC 33 - Reactor Coolant Makeup Reactor coolant makeup is provided to ensure that specified acceptable fuel design limits are not exceeded because of reactor coolant losses in the RCPB.
7.1.2.6.23 GDC 34 - Residual Heat Removal A system is provided to remove reactor residual heat to ensure that the specified acceptable fuel design limits are not exceeded even assuming a single failure.
7.1.2.6.24 GDC 35 - Emergency Core Cooling An ECCS is provided to ensure cooling of the reactor following any loss of reactor coolant at undesirable rates even assuming a single failure.
7.1.2.6.25 GDC 37 - Testing of Emergency Core Cooling System CHAPTER 07 7.1-59 REV. 17, SEPTEMBER 2014
LGS UFSAR The ECCS is designed to permit appropriate periodic pressure and functional testing including the controls which bring the system into operation.
7.1.2.6.26 GDC 38 - Containment Heat Removal A system is provided to ensure heat removal from the reactor containment following any LOCA even assuming a single failure.
7.1.2.6.27 GDC 40 - Testing of Containment Heat Removal System The containment heat removal system is designed to permit appropriate periodic and functional testing including the controls which bring the system into operation.
7.1.2.6.28 GDC 56 - Primary Containment Isolation Each line that connects directly into the containment atmosphere and penetrates the primary reactor containment is provided with isolation valves that comply with the requirements of this criterion.
7.1.2.6.29 GDC 57 - Closed System Isolation Valves See GDC 56.
7.1.2.6.30 GDC 60 - Control of Releases of Radioactive Materials to the Environment The nuclear power unit is designed to control the release of radioactive material and from gaseous, liquid, and solid effluents to within prescribed limits, through monitoring the release points and processing the effluent.
7.1.2.6.31 GDC 61 - Fuel Storage and Handling and Radioactivity Control The conformance discussion of this GDC is presented in the analysis portion of Section 7.7.
7.1.2.6.32 GDC 63 - Monitoring Fuel and Waste Storage The conformance discussion of this GDC is presented in the analysis portion of Section 7.7.
7.1.2.6.33 GDC 64 - Monitoring Radioactivity Releases The conformance discussion of this GDC is presented in the analysis portion of Section 7.6.
7.1.2.7 Conformance to Industry Codes and Standards The statements which follow on the degree of conformance to various industry standards are intended to demonstrate an overall safety system level of compliance. The applicability of the conformance statements to each system is found in Table 7.1-3. Each individual system analysis discussion will define any difference in the degree of conformance to a particular industry standard.
Reference 7.1-3 discusses the conformance of the sensors to industry standards and regulatory guides.
CHAPTER 07 7.1-60 REV. 17, SEPTEMBER 2014
LGS UFSAR Conformance other than that discussed in NEDO-21617-A is discussed in Section 7.1.2.5 and 7.1.2.6 and also on a system-by-system basis in Sections 7.2, 7.3, and 7.4.
7.1.2.7.1 IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations This discussion is presented on a system-by-system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6.
7.1.2.7.2 IEEE 308 (1971 and 1974) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations Conformance to IEEE 308 as described in Section 8.3 is applicable to safety-related instrumentation and control equipment.
7.1.2.7.3 IEEE 317 (1972) - Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations Penetration assemblies meet the requirements of IEEE 317 (1972) and GDC 50 of 10CFR50, Appendix A.
All containment electrical penetration assemblies used for Class 1E and non-Class 1E circuits are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent versus time conditions, assuming a single failure of the circuit primary overcurrent protection apparatus.
7.1.2.7.4 IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations Written procedures and responsibilities are developed for the design and qualification of Class 1E electric equipment. This includes preparation of specifications, qualification procedures, and documentation. Whenever possible qualification testing or analysis is accomplished before release of the engineering design for production. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements. The environmental qualification of this equipment is being evaluated to the criteria of NUREG-0588 Category II. An Environmental Qualification Report will be provided to present the results of this evaluation.
See Sections 3.11.2 and 8.1.6.1 for a conformance discussion of IEEE 323 and Regulatory Guide 1.89 for NSSS and non-NSSS equipment, respectively.
7.1.2.7.5 IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations See Section 8.1.6.1 for a conformance discussion of Regulatory Guide 1.30 which endorses/modifies IEEE 336 (1971).
7.1.2.7.6 IEEE 338 (1971, 1975, and 1977) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems CHAPTER 07 7.1-61 REV. 17, SEPTEMBER 2014
LGS UFSAR This discussion is presented on a system-by-system basis in the analysis portion of Sections 7.2, 7.3, 7.4, and 7.6.
See Section 7.1.2.5.26 for a conformance discussion of Regulatory Guide 1.118, which endorses/modifies this standard.
7.1.2.7.7 IEEE 344 (1971 or 1975) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations All safety-related instrumentation and control equipment is classified as seismic Category I and designed to withstand the effects of an SSE, and function before, during and after such a seismic event. Equipment required to function after an SSE is also qualified for such service. Qualification and documentation procedures used for seismic Category I equipment and systems meet the provisions of IEEE 344 as identified in Section 3.10.
7.1.2.7.8 IEEE 379 (1972 or 1977) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems The extent to which the single failure criteria of IEEE 379 are satisfied is specifically covered for each system in the analysis of IEEE 279, paragraph 4.2.
7.1.2.7.9 IEEE 382 (1972) - Trial Use Guide for Type Test of Class 1 Electric Valve Operators for Nuclear Power Generating Stations The extent of conformance to this standard is given in Sections 3.11.2 and 8.1.6.1.13.
7.1.2.7.10 IEEE 383 (1974) - Standard for Type Test of Class 1E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations The extent of conformance to this standard is given in Section 7.7.2.21.2.2.1.
7.1.2.7.11 IEEE 384 (1974 or 1977) - Criteria for Separation of Class 1E Equipment and Circuits The safety-related systems described in Sections 7.2, 7.3, 7.4, and 7.6 meet the independence and separation criteria for redundant systems in accordance with IEEE 279, paragraph 4.6 (Section 7.1.2.5.1).
The electrical power supply, instrumentation, and control wiring for redundant portions of safety-related systems have physical separation to preserve redundancy and ensure that no single credible event prevents operation of the associated function. Credible events include, but are not limited to, the effects of short circuits, pipe rupture, pipe whip, high pressure jets, missiles, fire, earthquake, and falling objects, and are considered in the basic plant design.
The independence of tubing, piping, and control devices for safety-related controls and instrumentation is achieved by physical space or barriers between separation groups of the same protective function. In locations where a specific hazard exists (missile, jet, etc.) that could produce damage to safety-related controls and instrumentation, the physical separation or structural protection provided is adequate to ensure that no multiple failures can result from a single common event.
CHAPTER 07 7.1-62 REV. 17, SEPTEMBER 2014
LGS UFSAR The criteria and bases for the independence of electrical cable, including routing, marking, and cable derating, are discussed in Section 8.1. Fire detection and protection in the areas where wiring is installed are discussed in Section 9.5.1.
Regulatory Guide 1.75, which endorses/modifies this standard, is discussed in Section 7.1.2.5.19.
7.1.2.8 Conformance to Branch Technical Positions 7.1.2.8.1 BTP ICSB 3 The HPLPSI conform to BTP ICSB 3 as discussed in Section 7.6.1.2.
7.1.2.8.2 BTP ICSB 21 Conformance to BTP ICSB 21 is discussed below, by position:
B1. Individual indicator lights are arranged together on a control room panel to indicate what function of the system is out-of-service, bypassed, or otherwise inoperable.
All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed.
B2. LGS has only one control room. When a protective function of a shared system is bypassed, it is annunciated on the annunciator panel for the shared system, and status indication for the system is provided on the control panel for the shared system.
B3. As a result of design, preoperational testing, and startup testing, no erroneous bypass indication is anticipated. Capability for cancelling bypass indications is not provided.
B4. These indication provisions serve to supplement administrative controls and to aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function.
B5. All circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects.
B6. The out-of-service annunciators can be tested by depressing the annunciator test switches on the control room bench boards. Each status indicating light can be tested by depressing the light assembly.
The bypass and inoperable status indicators are further discussed in Section 7.1.2.5.11.
7.1.2.8.3 BTP ICSB 22 The conformance to the provisions of D.4 of Regulatory Guide 1.22 for actuated equipment not tested during power operation is discussed in Section 7.3.2.1.2.3.1.10 for the ADS valves and Sections 7.4.2.2.2.3.1.9 and 7.4.2.2.2.3.1.10 for the SLCS explosive valves.
7.1.2.8.4 BTP ICSB 26 CHAPTER 07 7.1-63 REV. 17, SEPTEMBER 2014
LGS UFSAR Anticipating or backup trips for the system comply with the requirements of IEEE 279 (1971) as discussed in Section 7.2.2.1.2.3.1.
7.1.2.9 Technical Design Bases The technical design bases appear as follows:
RPS Section 7.2.1 ESFs Section 7.3.1 Systems required for safe shutdown Section 7.4.1 Other systems required for safety Section 7.6.1 7.1.2.10 Safety System Settings The Limiting Safety System Settings are listed in the Technical Specifications discussions for each safety system. The settings are determined based on operating experience and conservative analyses. The settings are set to preclude inadvertent initiation of the safety action, while ensuring that a sufficient margin is maintained to satisfy safety requirements. The appropriate combination of engineering judgment, historical practice, and allowances for instruments performance are considered in the setpoint determination (Section 7.1.2.4). The margin between the limiting safety system settings and the actual safety limits includes consideration of the design basis transients in the process being measured, expected for the time the specific functions are required.
7.1.2.11 Operating Experience Assessment Review of operating experiences and assessment of their applicability to LGS is conducted as discussed in Section 13.4.5. The actions taken by the licensee for LGS for some specifically requested NRC Bulletins, Circulars and Information Notices is provided in Table 7.1-7. Specific actions taken for some of these is provided below.
7.1.2.11.1 Bulletin 80-06, Engineered Safety Feature Reset Controls Bulletin 80-6 requires that safety-related equipment remain in its emergency mode on reset of an ESF actuation signal.
To determine whether or not all safety-related equipment remains in its emergency mode on isolation signal reset, schematic drawings for all LGS systems serving safety-related functions were reviewed. The review showed that a number of valves were subject to reverting to their normal mode on isolation signal reset. All continuous-duty loads were found to remain in their emergency mode on isolation signal reset.
In general, control schemes of safety-related valves found not to remain in their emergency mode on reset of an isolation signal were revised to provide a control switch interlock with the isolation signal reset circuit (Figure 7.1-5). To reset an isolation signal, every valve subject to reverting to normal mode on reset of the isolation signal must have its control switch placed in the closed position. A normally open contact of each of the valve control switches is wired in series with the CHAPTER 07 7.1-64 REV. 17, SEPTEMBER 2014
LGS UFSAR isolation signal reset contact. On manual placement of all of the subject control switches in the closed position, the permissive series of control switch contacts will all be closed, thus allowing the isolation signal reset contact to complete the reset circuit.
On the bases of the design review, the following systems and valve control schemes were modified as described above:
System Valve No.
CAC System HV57-117 SV57-133 HV57-118 SV57-183 HV57-104 SV57-191 HV57-114 SV57-181 HV57-123 SV57-132 HV57-124 SV57-134 HV57-121 SV57-150 HV57-131 SV57-141 SV57-184 SV57-142 SV57-185 SV57-143 SV57-186 SV57-144 SV57-190 SV57-145 SV57-195 SV57-159 PCIG System HV59-129A SV59-131 HV59-102 SV59-135 HV59-129B NSSSS HV41-1F084 HV51-1F079A HV41-1F085 HV51-1F079B HV43-1F019 HV51-1F080A HV43-1F020 HV51-1F080B In addition to the foregoing valves, drywell purge exhaust fan inlet isolation valves HV76-030 and HV76-031 were found to revert to their normal mode on isolation signal reset. Thus, if the valves were in their open purge mode on receipt of an isolation signal, the valves would revert to the open purge mode isolation signal reset. To ensure that these valves remain in their closed emergency mode on isolation signal reset, the valve control schemes were modified to the configuration shown on Figure 7.1-6. The auxiliary relay (95-2) is picked up by the normally closed isolation signal contacts and by the placement of the valve control switch in the "CLOSE" position. Once picked up, the auxiliary seals itself in with a contact around the valve control switch "CLOSE" contact. The valves are placed in the "OPEN" purge position through a contact from the auxiliary relay and the placement of the valve control switch in the "OPEN" position. On receipt of an isolation signal, the normally closed isolation signal contacts open, thus dropping out the auxiliary relay, which in turn opens the auxiliary relay seal-in circuit and de-energizes the valve "OPEN" circuit, thus closing the valve. Resetting the isolation signal will not re-energize the auxiliary relay because the valve control switch is in the "OPEN" position. Thus, the valve "OPEN" circuit will remain de-energized and the valves will remain closed.
The liquid radwaste collection isolation valves, HV61-110, HV61-111, HV61-130 and HV61-131 were found to revert to normal mode on isolation signal reset. To ensure that these valves CHAPTER 07 7.1-65 REV. 17, SEPTEMBER 2014
LGS UFSAR remained in their emergency mode, seal-in relays were added in their control circuit. Because these valves are a part of the drywell sump tank level control system and the primary containment leakage detection system, these valves have been excluded from the system logic reset and are provided with individual reset circuits.
The following are exceptions to Bulletin 80-06 guidance:
- a. RCIC All actuated equipment remains in its abnormal condition, except for the RCIC system inboard and outboard steam line isolation valves, E51-F007 and E51-F008.
- b. HPCI All actuated equipment remains in its abnormal condition, except for the HPCI system inboard and outboard steam line isolation valves, E41-F002 and E41-F003.
The reset control for the HPCI/RCIC isolation logics do not strictly meet the intent of Bulletin 80-06. If the isolation logic is reset with the valve control switches in the open position, the isolation valves will open, but we believe the design is acceptable. There are two completely independent isolation logics for the HPCI and RCIC. Each of these logics consists of two logic channels, one for the inboard valves and one for the outboard valves. Each of these logic channels is sealed in until a reset switch in that logic is depressed. Therefore activation of the reset switch only affects one logic channel and will only cause the inboard or outboard valves to open on the system being reset. The line will remain isolated, i.e., in its safe mode, until both the isolation logics for each system are reset. In addition, the logic reset has no effect if the initiation signal is still present. Administrative Procedures will instruct the operator to place the control switches in the closed position before resetting the isolation logic. In addition to this procedural caution, a caution tag will be added to the control board next to the reset switch. This tag will instruct the operator to place the control switches for the associated valves in the closed position before resetting the logic.
Even if the HPCI of RCIC isolation valves were inadvertently reopened before the pipe break condition was corrected, due to both isolation logics being reset after the isolation parameters have cleared, the pipe break condition would be detected again and the isolation valves would reclose. The offsite radiological doses due to the released steam would be a small fraction of the 10CFR50.67 limits.
The results of this review will be verified as part of the system preoperational testing.
7.1.2.11.2 Information Notice 79-22, Qualification of Control Systems Information Notice 79-22 discusses the effects of a HELB on nonsafety-related control systems to determine whether any adverse effects initiated by a HELB could result in an event more severe than the transient and accident events analyzed in Chapter 15.
In response, a comprehensive, systematic study has been conducted to determine the consequences of postulated HELBs and their effects on adjacent, nonsafety-related, control systems components. In most cases, the effects of the postulated HELB (control systems failures) events are less severe than the Unacceptable Results for Incidents of Moderate Frequency -
CHAPTER 07 7.1-66 REV. 17, SEPTEMBER 2014
LGS UFSAR Anticipated Operational Transients presented in Chapter 15. In all cases, the effects of the postulated events are bounded by the Unacceptable Results for Limiting Faults - Design Basis (Postulated) Accidents presented in Chapter 15. It is concluded that safe reactor shutdown is assured for all events postulated therein, and the consequences of these postulated events do not result in any significant risk to the health and safety of the public.
Details of the LGS Unit 1 analysis were submitted on May 4, 1984. The report was later updated to confirm its applicability to Unit 2 and submitted on February 17, 1989.
7.1.2.11.3 Bulletin 79-27, Loss of Non-Class 1E Instrumentation and Control Power Systems Bus During Operation Bulletin 79-27 discussed a failure of a bus supplying power to control systems and vital instrumentation resulting in a malfunction of the control systems and a simultaneous loss to the operator of information required for a safe shutdown. In response, an analysis has been conducted to demonstrate that the control systems used to achieve a hot shutdown are designed to perform their intended function with a loss of any single power source. Subsequent cooldown to cold shutdown conditions will be accomplished using diverse means. One method utilizes the shutdown cooling mode of the RHR system. An alternate method utilizes the ADS to depressurize, core spray for make up, and RHR in the suppression pool cooling mode.
An analysis has also been conducted to demonstrate that for a loss of power to an instrument there is another instrument available, fed from an independent bus, that monitors the same parameter or a diverse parameter that will provide sufficient information to achieve cold shutdown.
From these reviews we conclude that there exists sufficient diversity and redundancy of the plant's power supplies and that the capability to place the plant in a cold shutdown condition would not be compromised by a loss of Class 1E or non-Class 1E instrument and/or control system power supply and that for all instrumentation and controls needed for safe shutdown a loss of power is annunciated directly or indirectly in the control room.
Details of the LGS Unit 1 analysis were submitted on December 14, 1983 and supplementation on June 5, 1984. The report was later updated to confirm its applicability to Unit 2 and submitted on February 17, 1989.
7.1.3 PROTECTION SYSTEM INSERVICE TESTABILITY Testability provisions for each system are discussed in Sections 7.2, 7.3, 7.4, and 7.6.
7.
1.4 REFERENCES
7.1-1 Letter from J.F. Carolan (Chairman, LRG Instrumentation Setpoint Methodology Group) to T.M. Novak (NRC), "Action Plan to Answer the NRC Staff concerns on Setpoint Methodology for General Electric Supplied Protection System Instrumentation," (June 29, 1984).
7.1-2 Letter from B.J. Youngblood (NRC) to J.F. Carolan (Chairman, LRG Instrumentation Setpoint Methodology Group), "Acceptance of Action Plan to Answer NRC Staff Concerns on Setpoint Methodology for General Electric Supplied Protection System Instrumentation," (July 23, 1984).
CHAPTER 07 7.1-67 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.1-3 "Analog Transmitter/Trip Unit Systems for Engineered Safeguard Sensor Trip Inputs," Licensing Topical Report, NEDO-21617-A.
CHAPTER 07 7.1-68 REV. 17, SEPTEMBER 2014
LGS UFSAR Table 7.1-1 DESIGN AND SUPPLY RESPONSIBILITY GE GE Design Supply Others Reactor Trip System Reactor protection system x x x Engineered Safety Feature Systems Emergency core cooling systems x x HPCI system ADS CS system LPCI mode of the RHR system Primary containment and reactor vessel isolation control system x x x Service water systems x RHRSW ESW Containment atmosphere control system, x combustible gas control system, primary containment vacuum relief system Class 1E power system x Suppression pool cooling mode of RHR system x x Containment spray mode of RHR system x x SGTS x Reactor enclosure recirculation system x Reactor enclosure isolation system x Habitability, control room isolation x SGTS filter room and access area unit coolers x Diesel generator enclosure ventilation system x Spray pond pump structure ventilation system x Emergency switchgear and battery rooms cooling system x ECCS pump compartment unit coolers x CHAPTER 07 7.1-69 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-1 (Cont'd)
GE GE Design Supply Others Engineered Safety Feature Systems Drywell unit coolers x Control enclosure chilled water system x Auxiliary equipment room ventilation system x Refueling area isolation system x Systems Required for Safe Shutdown RCIC system x x SLCS x x Shutdown cooling mode at the RHR system x x Remote shutdown system x x Safety-Related Display Instrumentation x x x(1)
All Other Systems Required for Safety Process radiation monitoring system Main steam line radiation monitoring system x x Reactor enclosure ventilation exhaust radiation monitoring system x x Refueling floor ventilation exhaust radiation monitoring system x x Control room ventilation radiation monitoring system x Control room emergency fresh air radiation monitoring system x Primary containment post-LOCA radiation monitoring system x RHRSW radiation monitoring system x x High pressure/low pressure systems interlocks x x SRV position indication system x Containment instrument gas system-ADS control x Safeguard piping fill system x Neutron monitoring system x x Intermediate range monitor Local power range meter Average power range monitor Redundant reactivity control system x x CHAPTER 07 7.1-70 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-1 (Cont'd)
GE GE Design Supply Others Leak detection systems x x Main steam line leak detection subsystem RCIC system leak detection subsystem RWCU system leak detection subsystem HPCI system leak detection subsystem Control Systems Not Required for Safety Fuel pool cooling and cleanup system x RPV instrumentation x x Reactor manual control system x x Rod movement control Rod block trips Recirculation flow control systems x Feedwater control system x x x Pressure regulator & turbine-generator system x Process Radiation Monitoring Systems South stack effluent radiation system x North stack effluent radiation monitoring system x Charcoal offgas treatment ventilation radiation monitoring system x x Charcoal offgas treatment effluent radiation monitoring system x x Recombiner compartments, hydrogen/oxygen analyzers compartments, and equipment drain sump vent radiation monitoring system x x Steam seal effluent radiation monitoring system x x Radwaste enclosure ventilation exhaust radiation monitoring system x x Air ejector offgas effluent radiation monitoring system x x Primary containment leak detection radiation monitoring system x x Hot maintenance shop ventilation exhaust radiation monitoring system x Liquid radwaste discharge radiation monitoring system x x Service water radiation monitoring system x CHAPTER 07 7.1-71 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-1 (Cont'd)
GE GE Design Supply Others Reactor enclosure cooling water radiation monitoring system x x Neutron monitoring system x x Traversing incore probe Rod block monitor Source range monitor Reactor water cleanup system x x Refueling interlocks x x Radwaste system x Gaseous radwaste system x Liquid radwaste system x Solid radwaste system x Area radiation monitoring system x x Leak detection system Recirculation pump seal leak detection x x RHR system leak detection x x Drywell leak detection x SRV leak detection x Reactor vessel head leak detection x x CS system leak detection x x Containment instrument gas system x Fire protection and suppression system Nonsafety-related equipment area cooling ventilation systems Plant monitoring system (PMS) x(2)
Rod worth minimizer x x Emergency Response Facility Data System x x (1)
The software specifications used for non-NSSS calculations are supplied by others.
(2)
Designed and Supply by Scientech CHAPTER 07 7.1-72 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-2 SIMILARITY TO LICENSED REACTORS PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (1)(2)
(1) Reactor protection system SSES (1)(3)
(2) Primary containment, and reactor SSES vessel isolation control system (1)
(3) Emergency core cooling system SSES (16)
(4) Neutron monitoring system SSES (5) Refueling interlocks SSES Identical (4)
(6) Reactor manual control system SSES (5)
(7) Reactor vessel instrumentation SSES (13)
(8) Recirculation flow control system SSES (9) Feedwater control system LASALLE Identical (10) Pressure regulator and turbine- SSES Identical generator system (6)
(11) Process radiation monitoring SSES systems (6)
(12) Area radiation monitoring system PBAPS (13)
(14) Habitability and control room None isolation system (15) Service water system SSES Identical (16) RHR service water system SSES Identical (17) Containment atmosphere control None system (1)(8)
(18) Reactor core isolation cooling SSES system CHAPTER 07 7.1-73 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-2 (Cont'd)
PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (19) Standby liquid control system None (19a) Liquid radwaste systems None (19b) Gaseous radwaste systems SSES (19c) Solid radwaste systems -
(20) Reactor water cleanup system None (12)
(21) Class 1E power systems PBAPS (1)(7)
(22) Leak detection systems SSES (1)
(23) Reactor shutdown cooling mode SSES of RHR system (24) Fuel pool cooling and cleanup None system (25) Reactor enclosure recirculation None system (26) Standby gas treatment system None (1)(10)
(27) Safety-related display SSES instrumentation (28) Containment instrument gas None system (1)
(29) Containment spray mode of SSES RHR system (9)
(30) Remote shutdown system Shoreham (1)
(31) Suppression pool cooling SSES mode of RHR system CHAPTER 07 7.1-74 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-2 (Cont'd)
PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (32) Safety-related equipment area SSES cooling ventilation systems (32.1) SGTS filter room and access area Hope Creek unit coolers (32.2) Diesel generator enclosure None ventilation system (32.3) Spray pond pump structure None ventilation system (32.4) Emergency switchgear and battery None rooms cooling system (32.5) Emergency core cooling systems SSES unit coolers (32.6) Auxiliary equipment room Hope Creek ventilation system (33) Drywell unit coolers SSES (34) Control enclosure chilled water SSES system (35) High pressure/low pressure SSES system interlocks (36) Safety/relief valve position PBAPS indication (37) Fire protection and suppression None system (38) Reactor enclosure isolation Hope Creek system CHAPTER 07 7.1-75 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-2 (Cont'd)
PLANTS APPLYING FOR OR HAVING CONSTRUCTION PERMIT OR SIMILARITY INSTRUMENTATION AND CONTROLS (SYSTEM) OPERATING LICENSE OF DESIGN (39) Nonsafety-related equipment None area cooling ventilation systems (40) Safeguard piping fill system None (41) Redundant reactivity control None system (42) Refueling area isolation None system (14)
(43) Rod worth minimizer Millstone (44) Plant monitoring system Hatch (45) Emergency Response Facility Data Hatch System (1)
LGS and SSES designs are very similar; however, there are differences common to all systems that refer to this note. The differences are that LGS uses transmitter/trip unit system for testability, four divisions of separation, and uninterruptible power supplies for the RPS.
(2)
The RPS logics are the same, however, LGS uses a single relay contact for trip functions.
(3)
The PCRVICS logics are the same, however, LGS utilizes more sensors for the leak detection system.
(4)
The RMCS for LGS and SSES are designed to perform the same. The differences that exists are due to SSES's use of the advanced control room. The advanced control room layout full core display is on the console rather than a wall panel. The differences in the control rooms change the panel location of RMCS modules. These changes don't change the module functions.
CHAPTER 07 7.1-76 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-2 (Cont'd)
(5)
Instrumentations used for SSES and LGS are of similar design, they both use testability and four division separation. The setpoints, instrument numbering, quantity of instruments, and division assignments are different for LGS. LGS uses excess flow checks and orificing on instrument lines connected to the reactor vessel. Nonessential vessel instrumentation is functionally identical to SSES, except LGS has added gauge pressure transmitters for measurement of shutdown and upset range water level during refueling.
(6)
LGS uses more detectors.
(7)
The leak detection system for LGS uses 94 sensors as compared to 51 for SSES. This increases the redundant instruments available. The power for sensors not supplied by RPS bus are powered from four instrument ac buses. LGS uses meters rather than a recorder for the spare thermocouple in each location.
(8)
RCIC is identical except as indicated in note (1).
(9)
LGS and Shoreham shutdown systems are designed to provide all of the same control functions. The differences are due to divisional separation and device numbering related to this. LGS has four divisions of separation making divisional assignment of valves different.
(10)
The safety-related display instruments for LGS and SSES are designed to provide the same types of indications to the operator. LGS provides more redundant indication and utilizes four divisions of separation. SSES has the advanced control room making differences in location of the display to the operator.
(11)
Deleted (12)
PBAPS uses 4 diesel generators and batteries shared between 2 units. LGS has 8 diesel generators and batteries which are not shared between units.
(13)
The LGS recirculation system does not have a bypass valve at the discharge block valve; the SSES system does. The SSES recirculation pumps are provided with decontamination connections; these connections are not required for LGS.
(14)
The rod worth minimizers are functionally identical. The differences are in plant interfaces.
Millstone Unit 1 is a BWR, 660 MWe, 145 control rods. Each LGS Unit is a BWR, 1055 MWe, 185 control rods.
(15)
Deleted (16)
The neutron monitoring system is identical to SSES's except for the TIP system, which uses a gamma-measuring probe instead of a thermal neutron-measuring probe.
(17)
Deleted Note: Historical Information - Comparative plant data provided to support original plant licensing.
CHAPTER 07 7.1-77 REV. 19, SEPTEMBER 2018
LGS UFSAR Table 7.1-3 CODES AND STANDARDS APPLICABILITY MATRIX REGULATORY GUIDES(1) IEEE STANDARDS(2) 1.6 1.7 1.9 1.11 1.21 1.22 1.29 1.30 1.32 1.40 1.45 1.47 1.53 1.56 1.62 1.63 1.68 1.70 1.73 1.75 1.80 1.89 1.96 1.97 1.100 1.105 1.118 1.139 279 308 317 323 336 338 344 379 382 384 REACTOR PROTECTION SYSTEM X X X X X X X X X X X X X X X X X X X X X X X X X ENGINEERED SAFETY FEATURE SYSTEMS Emergency Core Cooling X X X X X X X X X X X X X X X X X X X X X X X X X X X X Primary Containment and Reactor Vessel Isolation Control X X X X X X X X X X X X X X X X X X X X X X X X X Residual Heat Removal Service Water X X X X X X X X X X X X X X X X X X X Emergency Service Water X X X X X X X X X X X X X X X X X X X Containment Atmospheric Control X X X X X X X X X X X X X X X X Primary Containment Vacuum Relief X X X X X X X X X X X X X Suppression Pool Cooling Mode (RHR) X X X X X X X X X X X X X X X X X X X X X X X X Containment Spray Mode (RHR) X X X X X X X X X X X X X X X X X X X X X X X X Standby Gas Treatment X X X X X X X X X X X X X X X X X X X X Reactor Enclosure Recirculation X X X X X X X X X X X X X X X X X X X X Reactor Enclosure Isolation X X X X X X X X X X X X X X X X X X X X Habitability and Control Room Isolation X X X X X X X X X X X X X X X X X X X X Safety-Related Equipment Area Cooling/Vent X X X X X X X X X X X X X X X X X X X X Drywell Unit Coolers X X X X X X X X X X X X X X X X X X X X X X Control Enclosure Chilled Water System X X X X X X X X X X X X X X X X X X X X Refueling Area Isolation X X X X X X X X X X X X X X X X X X X X SYSTEMS REQUIRED FOR SAFE SHUTDOWN Reactor Core Isolation Cooling X X X X X X X X X X X X X X X X X X X X X X X X Standby Liquid Control X X X X X X X X X X X X X X X X X X X X X Reactor Shutdown Cooling Mode (RHR) X X X X X X X X X X X X X X X X X X X X X X Remote Shutdown X X X X X X X X X X X X X X X X X X Shutdown Ventilation X X X X X X X X X X X X X X X X X X X SAFETY-RELATED DISPLAY INSTRUMENTATION X X X X X X X X X X X X X X X X X X X X X X X X CHAPTER 07 7.1-78 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-3 (Cont'd)
GENERAL DESIGN CRITERIA(3) 10CFR50 1 2 3 4 5 10 12 13 15 19 20 21 22 23 24 25 26 27 28 29 30 33 34 35 37 38 40 54 56 57 60 61 63 64 APP I REACTOR PROTECTION SYSTEM X X X X X X X X X X X X X X X ENGINEERED SAFETY FEATURE SYSTEMS Emergency Core Cooling X X X X X X X X X X X X X X Primary Containment and Reactor Vessel Isolation Control X X X X X X X X X X X X X X Residual Heat Removal Service Water X X X X X X X X X X X X X X Emergency Service Water X X X X X X X X X X X X X Containment Atmospheric Control X X X X X X X X X X X X X Primary Containment Vacuum Relief X X X X X X X Suppression Pool Cooling Mode (RHR) X X X X X X X X X X X X X Containment Spray Mode (RHR) X X X X X X X X X X X X X Standby Gas Treatment X X X X X X X X X X X X X X Reactor Enclosure Recirculation X X X X X X X X X X X X X Reactor Enclosure Isolation X X X X X X X X X X X X X Habitability and Control Room Isolation X X X X X X X X X X X X X Safety-Related Equipment Area Cooling/Vent X X X X X X X X Drywell Unit Coolers X X X X X Control Enclosure Chilled Water System X X X X X X Refueling Area Isolation X X X X X X X X X X X X X SYSTEMS REQUIRED FOR SAFE SHUTDOWN Reactor Core Isolation Cooling X X X X X X X X X Standby Liquid Control X X X X X X Reactor Shutdown Cooling Mode (RHR) X X X X X X X X Remote Shutdown X X X X X X Shutdown Ventilation X X X X X SAFETY-RELATED DISPLAY INSTRUMENTATION X X X X X X CHAPTER 07 7.1-79 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-3 (Cont'd)
REGULATORY GUIDES(1) IEEE STANDARDS(2) 1.6 1.7 1.9 1.11 1.21 1.22 1.29 1.30 1.32 1.40 1.45 1.47 1.53 1.56 1.62 1.63 1.68 1.70 1.73 1.75 1.80 1.89 1.96 1.97 1.100 1.105 1.118 1.139 279 308 317 323 336 338 344 379 382 383 384 ALL OTHER SYSTEMS REQUIRED FOR SAFETY Process Radiation Monitoring X X X X X X X X X X X X X X X X X X X X High Pressure/Low Pressure System Interlocks X X X X X X X X X X X X X X X X X X X Leak Detection X X X X X X X X X X X X X X X X X X X X Neutron Monitoring X X X X X X X X X X X X X X X X X X Safety Relief Valve Position Indication X X X X X X X X X X X Containment Instrument Gas System-ADS X X X X X X X X X X X X X X X Safeguard Piping Fill X X X X X X X X X X X X X Redundant Reactivity Control System X X X X X X X X X X X X X X X X X X X X X CONTROL SYSTEMS NOT REQUIRED FOR SAFETY Reactor Pressure Vessel Instrumentation X X X X X X Reactor Manual Control X Recirculation Flow Control X X Feedwater Control X X Pressure Regulator and Turbine Generator X Neutron Monitoring X Reactor Water Cleanup X X X X Process Radiation Monitoring X X X Area Radiation Monitoring X Radwaste X Fuel Pool Cooling and Cleanup X Refueling Interlocks X Leak Detection X X X X Containment Instrument Gas System X X X X X Fire Protection and Suppression X Nonsafety-Related Equipment Area Cooling/Vent X Plant Monitoring System X X X X Rod Worth Minimizer X X Emergency Response Facility Data X X X X System CHAPTER 07 7.1-80 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-3 (Cont'd)
GENERAL DESIGN CRITERIA(3) 10CFR50 1 2 3 4 5 10 12 13 15 19 20 21 22 23 24 25 26 27 28 29 30 33 34 35 37 38 40 54 56 57 60 61 63 64 APP I ALL OTHER SYSTEMS REQUIRED FOR SAFETY Process Radiation Monitoring X X X X X X X X X X X X X X X X X X X X X High Pressure/Low Pressure System Interlocks Leak Detection X X X X X X X X X X X X X X X Neutron Monitoring X X X X X X X X X X X X X Safety Relief Valve Position Indication X X X X X Containment Instrument Gas System-ADS X X X X X X X X X X X Safeguard Piping Fill X X X X X X X X X X Redundant Reactivity Control System X X X X X X X X X X CONTROL SYSTEMS NOT REQUIRED FOR SAFETY Reactor Pressure Vessel Instrumentation X X Reactor Manual Control X X X Recirculation Flow Control X X X Feedwater Control X X Pressure Regulator and Turbine Generator Neutron Monitoring X Reactor Water Cleanup X Process Radiation Monitoring X X X X X Area Radiation Monitoring X X Radwaste Fuel Pool Cooling and Cleanup Refueling Interlocks Leak Detection X X X X Containment Instrument Gas System X Fire Protection and Suppression Nonsafety-Related Equipment Area Cooling/Vent Plant Monitoring System Rod Worth Minimizer Emergency Response Facility Data System (1)
See Section 7.1.2.5 for degree of conformance.
(2)
See Section 7.1.2.7 for degree of conformance.
(3)
See Section 7.1.2.6 for degree of conformance.
CHAPTER 07 7.1-81 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-4 RPS AND PCRVICS (DE-ENERGIZE-TO-OPERATE PORTIONS) SEPARATION(1)
DIVISION IA DIVISION IB DIVISION IIA DIVISION IIB RPS Trip Logic Trip Logic Trip Logic Trip Logic A1 B1 A2 B2 SENSORS A, E, J, N, B, F,K, P C, G, L, R D, H, M, S, T, AA W, DD Part of Trip Part of Trip Part of Trip Part of Trip System A System B System A System B PCRVICS Trip Logic Trip Logic Trip Logic Trip Logic A B C D MSIV inboard MSIV outboard valve ac valve ac logic and logic and solenoid solenoid (1)
This separation does not apply to the NMS. Reference Table 7.1-5 for NMS separation.
CHAPTER 07 7.1-82 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-5 DIVISIONAL GROUPING OF NEUTRON MONITORING SYSTEM IN DRYWELL PENETRATIONS Drywell(1)(2)(3)(4)
Penetration Designations A B C D Instrument IRM A & E IRM B & F IRM C & G IRM D & H Channels APRM 1 APRM 2 APRM 3 APRM 4 (SRM A) (SRM B) (SRM C) (SRM D)
Wireway NA NB NC ND Neutron monitoring channel APRM 1 2 3 4 IRM A&E B&F C&G D&H RPS trip A1 B1 A2 B2 logic APRM flow A B C D reference (1) Penetrations across top of table for 4 penetration grouping carry cables for neutron monitoring channels shown, and each channel serves RPS trip logic directly below it.
(2) Horizontal zoning represents LPRM cable distribution to APRMs from various penetrations, e.g., penetration B carries cables for LPRMs going to APRM channel 2 (Figure 7.1-1).
(3) Designations for penetrations and wireways are arbitrary and may be deviated from provided that an equivalent separation is maintained.
(4) Routing of SRM channels has been chosen for convenience and not for safeguard separation reasons.
CHAPTER 07 7.1-83 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-6 SYSTEM AND SUBSYSTEM SEPARATION DIV 1 DIV 2 DIV 3 DIV 4 Sensors A, E, J, Sensors B, F, K, Sensors C, G, L, Sensors D, H, N, T, X P, U, Y R, V M, S, W RCIC(1) Controls HPCI Controls RCIC OBV(2) HPCI OBV RCIC IBV HPCI IBV ADS A - ADS C -
RHR A RHR B RHR C RHR D Pump and Valves Pump and Valves Pump and Valves Pump and Valves CS A CS B CS C CS D Pump and Pump and Pump and Pump and Suction Valve Suction Valve Suction Valve Suction Valve and inject A and inject B ESW ESW ESW ESW Pumps and Valves Pumps and Valves Pumps and Valves Pumps and Valves RHRSW RHRSW RHRSW RHRSW Pumps and Valves Pumps and Valves Pumps and Valves Pumps and Valves PCRVICS Inboard PCRVICS Outboard - -
Valves & Logic Valves & Logic MSIV Inboard MSIV Outboard - -
Valve dc Logic Valve dc Logic and Solenoid and Solenoid SPPSVS A SPPSVS B SPPSVS C SPPSVS D
- - ESBRCS A ESBRCS B Drywell Unit Drywell Unit Drywell Unit Drywell Unit Coolers A, E Coolers B, F Coolers C, G Coolers D, H
- - CECWS A CECWS B
- - AERVS A AERVS B RRCS I RRCS II CHAPTER 07 7.1-84 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-6 (Cont'd)
DIV 1 DIV 2 DIV 3 DIV 4
- - Control Room Control Room HVAC A HVAC B
- - Emergency Fresh Emergency Fresh Air Fan & Air Fan &
Filter A Filter B Control Room Control Room Control Room Control Room Isolation A Isolation B Isolation C Isolation D RERS A RERS B - -
REIS A REIS B - -
Coolers A Coolers B DGEVS A DGEVS B DGEVS C DGEVS D
- - Containment Containment Hydrogen Hydrogen Recombiner A Recombiner B Isolation Isolation Valves Valves Class 1E power Class 1E power Class 1E power Class 1E power Channel A Channel B Channel C Channel D RCIC pump-room HPCI pump-room - -
unit coolers unit coolers A&E RHR pump- B&F RHR pump- C&G RHR pump- D&H RHR pump-room unit room unit room unit room unit coolers coolers coolers coolers A&E CS pump- B&F CS pump- C&G CS pump D&H CS pump-room unit room unit room unit room unit coolers coolers coolers coolers CHAPTER 07 7.1-85 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-6 (Cont'd)
DIV 1 DIV 2 DIV 3 DIV 4
& valves & valves Control Room Control Room Control Room Control Room Radiation Radiation Radiation Radiation Monitor A Monitor B Monitor C Monitor D
- - Control Room Control Room Emergency Fresh Emergency Fresh Air Radiation Air Radiation Monitor A Monitor B RHRSW loop A RHRSW loop B Radiation Radiation SGTS discharge - - -
radiation RHR Loops A/C RHR Loops B/D - -
Differential Differential Pressure Pressure Core Spray - - -
Loops A/B Differential Pressure Containment Containment Containment Containment Atmosphere Atmosphere Atmosphere Atmosphere Sampling System Sampling System Sampling System Sampling System Inboard Inboard Outboard Outboard Isolation Isolation Isolation Isolation Valves Valves Valves Valves CIGS Inboard CIGS Suction - -
Isolation Valve Line, B Line and A Line Header and Tip Header Outboard Purge Outboard Isolation Isolation Valve Valves CHAPTER 07 7.1-86 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-6 (Cont'd)
DIV 1 DIV 2 DIV 3 DIV 4 Refueling area Refueling area isolation A isolation B (1)
OBV = Outboard isolation valve and logic IBV = Inboard isolation valve and logic CHAPTER 07 7.1-87 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-7 NRC BULLETINS, CIRCULARS, AND INFORMATION NOTICES Bulletin # Description LGS Response 78-01 Flammable contact arm retainers GE performed an inspection to verify that all in GE relays CR120A relays have proper fire resistant retainers.
78-05 Malfunction of CR105 relay It was confirmed by review that no auxiliary auxiliary contacts contacts from these relays are used in safety related circuits.
79-09 Failures of GE type AK-2 None of these type breakers are used in circuit breakers safety related circuits.
79-12 Short period scrams at BWR Station staff to prepare procedure and review with operators during training. This Bulletin applied to operating plants. No modifications required.
79-24 Frozen instrument lines A review of the ECCS minimum flow lines was made as well as the criteria for application and design of heat tracing and freeze protection on instrument, process and sample lines. No modifications were made as existing design was deemed adequate.
79-27 Loss of Instrument ac Study complete and submitted to NRC. No modifications needed.
79-28 Failure of Namco limit switches No switches of this type were found. Some Namco switches are being replaced with qualified models due to environmental qualification concerns.
80-06 Engineered safety feature Study completed. Modifications to circuitry control reset completed. Detailed discussion provided in Section 7.1.2.11.1.
80-09 Failure of ITT actuators Vendor reviews and testing determined that several actuators required spring replacements. Corrective actions have been completed.
CHAPTER 07 7.1-88 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-7 (Cont'd)
Bulletin # Description LGS Response 80-14 Degradation of Scram Discharge Volume Diverse means of measuring SDV capacity Capability have been added to the LGS design.
80-16 Misapplication of Rosemount transmitters Transmitters to be replaced have been identified. Unit 1 replacements completed.
Unit 2 was completed prior to fuel load.
80-17 Failure of control rods to insert Modification made as part of ATWS fix.
80-23 Failure of Valcor solenoid valves Review indicated that no Valcor valves of the type described are used in safety related applications.
Circular # Description LGS Response 79-07 Recirculation pump speed increase Maintenance procedures to include recommended actions.
79-24 Calibration of pipe detection equipment Problem not applicable as design is different at LGS than Duane Arnold.
80-08 RPS Response time Start up test program will verify adequate response time on as-built system.
81-01 Honeywell push button switches Review shows that no switches of this type are used in any safety related systems.
81-03 Inoperable seismic monitoring equipment Maintenance procedure to include lessons learned.
81-06 Foxboro transmitter defects Review indicated that this type transmitter is not used in any safety related systems.
81-11 Inadequate decay heat removal Preliminary review of calculations showed flow rates to be adequate. Shutdown procedures will address this concern.
CHAPTER 07 7.1-89 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-7 (Cont'd)
Circular # Description LGS Response 81-13 MOV torque switch bypass circuit MOV rework program on all safety related MOVs includes rewiring and checking connections internal to the operator.
81-14 MSIV Failures Reviewed operating experience at PBAPS and other plants. Causes of failures were identified. Based on analyses no modifications to LGS valve or air supply design are required.
Notice # Description LGS Response 79-13 Water Level Instrumentation Review indicated LGS will not experience problem due to different design.
79-22 Environmental Effects on non-Class 1E Study indicated no potential problems.
control systems Analysis and rationale provided in Section 7.1.2.11.2.
79-32 Separation of HPCI and ADS cables Review of LGS design shows this problem does not exist.
80-11 ASCO valve problems Review showed that ASCO valves are not used in the conditions described.
80-13 SBM Switch defects All SBM switches have been inspected.
Defective switches have been replaced.
80-30 Control air-CRD interactions Review shows that LGS design precludes this problem 80-31 Defective K600 circuit breakers These breakers are used at LGS. Each breaker is inspected and tested to procedures before installation and acceptance. Any corrective work if needed is completed before final acceptance.
80-34 SDV water level instrumentation failure Problem not applicable to LGS due to different design.
CHAPTER 07 7.1-90 REV. 13, SEPTEMBER 2006
LGS UFSAR LGS UFSAR Table 7.1-7 (Cont'd)
Notice # Description LGS Response 80-39 Valcor solenoid valve malfunction This type valve is not used in safety systems at LGS.
80-45 Failure of backup scram capability Not applicable to LGS RPS Design.
81-01 HFA relay failures All Class 1E HFA relays have been replaced. All non-Class 1E relay coils are being replaced.
81-06 Failure of ITE K600 circuit breakers Inspections completed to find and fix loose connections.
81-11 ARI design This concern will be addressed by GE in the LGS ATWS modifications.
81-16 CRD system possible malfunctions Operator training and plant procedures to be used to avoid problem.
81-25 P-transmitter valve misalignment Plant procedures to be used to avoid problem.
CHAPTER 07 7.1-91 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.1-8 "FIRST-OF-A-KIND" INSTRUMENTS AND CONTROLS Instruments Type Manufacturer Model Use Pressure Switch ITT Barton 580A2 Various Microprocessors, Multiplexers, Computer Systems (3)
Type Manufacturer Model Radiation Monitor General Atomic RM-80 Process Radiation Monitor General Atomic RM-80 Digital High Range Radiation Display General Atomic RM-23 Radiation Monitor(1) Digital Equip. Corp. PDP-11-34 Radiation Monitor(2) Digital Equip. Corp. VAX-11-780 ERFDS RTP Corp. Series 3000 ERFDS RTP Corp. Series 3000 RWM (Unit 2) GE NUMAC Plant Monitoring Scientech and HP DL38OP Gen8 System (1)
Radiation monitoring display system (2)
Meteorological monitoring display and reporting subsystem (3)
These systems are used for monitoring and display only, not for control of any system.
Microprocessors (which incorporate ROMs) are used in the RRCS. The RRCS does not perform any reactor control functions. It does provide signals to trip the recirculation system, to run back the feedwater system, to initiate SLCS, and to initiate ARI to mitigate an ATWS event. No plant control is implemented by microprocessors, multiplexers, or computers.
CHAPTER 07 7.1-92 REV. 19, SEPTEMBER 2018
LGS UFSAR 7.2 REACTOR TRIP SYSTEM (REACTOR PROTECTION SYSTEM) - INSTRUMENTATION AND CONTROLS 7.
2.1 DESCRIPTION
7.2.1.1 System Description 7.2.1.1.1 RPS Identification The RPS includes sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. The RPS also includes outputs to the process computer system and annunciators, which are not part of the RPS. Trip signals are received from the NMS; other portions of this system are treated in Sections 7.5, 7.6, and 7.7.
A completely separate and diverse system, the RRCS, is provided to mitigate the potential consequences of an ATWS event (Section 7.6.1.8).
7.2.1.1.2 RPS Classification The RPS is classified as Safety Class 2, seismic Category I, Quality Group B, and electric Class 1E.
7.2.1.1.3 RPS Power Sources Power to each of the two RPS trip systems is supplied by separate buses powered by independent static inverter sets. Each static inverter set is designed to provide uninterruptible ac power to the loads. Each static inverter set is supplied by two electrical sources, one from the plant auxiliary electrical source (alternate) and the other from the class 1E 250 V dc system (preferred). The inverter output and the plant auxiliary electrical source are connected to a static transfer switch within the inverter set and ahead of the loads. The switch will normally connect the load to the preferred source. Upon failure or undervoltage of the preferred source, the switch will automatically transfer the load to the alternate source. Additionally, if an overload occurs while the load is supplied from the inverter, the switch will automatically transfer the load to the ac source. If, while being fed from the alternate supply the inverter recovers, and the static transfer switch is in auto, the transfer switch will automatically transfer the load to the inverter. Alternatively, if the static transfer switch is in manual, the load transfer requires manual action. Refer to Section 7.6.1.4.5 for independent powering of APRMs.
The static inverter sets are not part of the RPS and are not Class 1E devices. Two Class 1E circuit breakers are located between each static transfer switch and its respective RPS distribution panel (Drawing E-32) to isolate the RPS from the inverter and the bypass ac source if there is an overvoltage, undervoltage, or underfrequency condition. The trip points of the overvoltage, undervoltage, and frequency relays are set to ensure that the power supplied to the RPS is within the limits to which the RPS equipment has been designed and qualified.
A bypass disconnect test switch is installed in parallel with the two class IE circuit breakers. The test switch allows for testing of the breakers without loss of power to the RPS distribution panels.
During the test, when the breakers are bypassed, the AC source is monitored for overvoltage, undervoltage, or underfrequency conditions as determined by the trip points. When not in test, the disconnect test switch is locked open.
CHAPTER 07 7.2-1 REV. 17, SEPTEMBER 2014
LGS UFSAR Dc power is supplied to the backup scram valve solenoids from the Class 1E station batteries.
The power source used to drive the control rods during scram is pressurized water contained in the scram accumulator furnished as part of each HCU, as described in Section 4.6.1.
7.2.1.1.4 RPS Equipment Design 7.2.1.1.4.1 General Trip systems are designated A and B. Trip system A is comprised of instrument channels A, C, E, and G; trip logics A1 and A2; and the scram contactors A, E, C and G. Trip system B comprises of instrument channels B, D, F and H; trip logics B1 and B2; and the scram contactors B, D, F and H.
During normal operation, all sensor and trip contacts essential to safety and corresponding trip logic channel contacts are closed, and the scram contactors are energized. Trip channel bypass contacts are normally open.
Table 7.2-1 lists the instruments that provide signals for the system. Figure 7.2-2 summarizes the RPS signals that cause a scram.
The functional arrangement of channels that constitute trip system A is shown in Figure 7.2-5.
When a channel sensor contact opens, its sensor relay de-energizes, opening its contacts and thereby de-energizing its associated scram contactors. Trip system B is similar to that shown on Figure 7.2-5 for trip system A. Scram contactors and scram contactor logics for trip systems A and B are shown in Figure 7.2-4. When a scram contactor is de-energized, its contacts associated with the pilot solenoids open and those associated with the backup scram valves close. As seen on Figure 7.2-4, tripping A1 or A2 or both A1 and A2 trip logics will open the circuits associated with the trip system A pilot solenoids and close corresponding contacts in both trip system A and B backup scram valve circuits. When both trip systems A and B have tripped, all pilot solenoids are de-energized and both backup scram valves are energized, either of which will cause a reactor scram.
There is one scram pilot valve and two scram valves for each control rod, arranged as shown in Drawing C71-1010-F-002. Each scram pilot valve is solenoid-operated with two normally energized pilot solenoids. The scram pilot valve control the air supply to the scram valves for each control rod. With either pilot solenoid energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for CRD water. As shown in Figure 7.2-4, one of the pilot solenoids for each control rod is controlled by trip system A logic A1 and A2, and the other solenoid is controlled by trip system B logic B1 and B2.
When trip system A, logic A1 or A2, and trip system B, logic B1 or B2, are tripped, air is vented from the scram valves, allowing CRD water to act on the CRD piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is exhausted into a SDV.
To restore the RPS to normal operation following any single trip of the trip logic or a scram, the trip logic must be reset manually. Reset is possible only if the conditions that caused the trip have been cleared. Reset after a scram is permissible only after a 10 second delay. The trip systems are reset by a three-position switch in the control room. Figure 7.2-5 shows the functional arrangement of reset contacts for trip system A.
There are two dc solenoid-operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for either backup scram valve is energized, the backup scram valve vents the air supply for the scram CHAPTER 07 7.2-2 REV. 17, SEPTEMBER 2014
LGS UFSAR valves. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valve solenoids are energized (initiate scram) when trip logic A1 or A2 and trip logic B1 or B2 are tripped.
7.2.1.1.4.2 RPS Initiating Circuits The RPS scram functions, shown in Figure 7.2-2, are discussed in the following paragraphs.
- a. Neutron Monitoring System NMS instrumentation is described in Section 7.6.1.4. Figure 7.2-6 clarifies the relationship between NMS channels and the trip system logics. The NMS channels are considered to be part of the NMS; however, the NMS logics are considered to be part of the RPS. Each NMS logic receives signals from one IRM channel and one APRM voter channel. The position of the reactor mode switch determines which input signals affect the output signal from the logic.
The NMS logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. As shown in Drawings C51-1020-F-009, C51-1020-F-010, C51-1020-F-011, C51-1020-F-012, C51-1020-F-013, C51-1020-F-014, C51-1020-F-015, and C51-1020-F-016, there are eight NMS logics associated with the RPS. Each trip system logic receives inputs from two NMS logics.
For the initial fuel load, and during shutdown margin demonstration testing performed as a special test, trip contacts from each SRM are combined with IRM trips to produce a noncoincident reactor NMS trip via removal of the RPS "shorting links".
Note that during the routine shutdown margin demonstra-tion testing performed during the first startup following refueling operations, the RPS "shorting links" remain installed and the SRMS do not contribute to the SCRAM function.
- 1. IRM System Logic The IRMs monitor neutron flux between the upper portion of the SRM range to the lower portion of the APRM range. The IRM detectors can be positioned in the core by remote control. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor reaches a predetermined power level within the power range.
The IRM is able to generate a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range. The IRM is divided into two groups of IRM channels arranged in the core as shown in Drawings C51-1010-F-002, C51-1010-F-003, and C51-1010-F-0023. Four IRM channels are associated with one of the two trip systems of the RPS. Two IRM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining two channels are installed in a separate bay of the cabinet. Full-length side covers separate the cabinet bays. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring.
CHAPTER 07 7.2-3 REV. 17, SEPTEMBER 2014
LGS UFSAR Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on four conditions: when the high voltage drops below a preset level; when one of the modules is not plugged in; when the negative 20 V dc supply is lost: or when the operate-calibrate switch is not in the operate position. Each of the other trip circuits can be specified to trip when preset downscale or upscale levels are reached.
The trip functions actuated by the IRM trips are indicated in Table 7.6-2.
The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram (Figure 7.2-6). Section 7.7.1.2.3.2.3.3 describes the IRM rod block trips. With the reactor mode switch in refuel or startup, an IRM upscale or inoperative trip signal actuates an NMS trip of the RPS. Only one of the IRM channels must trip to initiate an NMS trip of the associated trip system of the RPS.
- 2. APRM System Logic The APRM channels receive input signals from the LPRM detectors and provide a continuous indication of average reactor power from a few percent to greater than rated reactor power.
The APRM subsystem has sufficient redundant channels to meet industry and regulatory safety criteria. Even with the permitted APRM bypasses, the subsystem is capable of generating a scram trip signal before the average neutron flux or the magnitude of any thermal-hydraulic instability caused power oscillations increases to the point that fuel damage is probable.
The digital electronics for each APRM channel, via APRM interface hardware, provides trip signals directly to the Reactor Manual Control System (RMCS) and Redundant Reactivity Control System (RRCS) and via the APRM 2-out-of-4 voter channels to the Reactor Protection System (RPS). An APRM upscale trip or inoperative in any two unbypassed APRM channels can initiate an RPS trip in both RPS trip systems. Similarly, an OPRM upscale trip from any two unbypassed APRM channels can initiate an RPS trip in both RPS trip systems if the reactor mode switch is in the RUN position, and the plant is operating within the OPRM trip enabled region of the power-flow map. Any single APRM upscale trip or inoperative or OPRM upscale trip will not initiate an NMS trip in the RPS. Table 7.6-4 itemizes the APRM system trip functions. Any one unbypassed APRM can initiate a rod block, depending upon the position of the reactor mode switch.
Section 7.7.1.2.3.2.3.3 describes in detail the APRM rod block interlock functions. The APRM Simulated Thermal Power - Upscale rod block and the APRM Simulated Thermal Power - Upscale scram trip setpoints vary as a function of reactor recirculation loop flow. The OPRM upscale trip output to the RPS is automatically bypassed when the reactor is operating below the lower power limit or above the upper flow limit of the OPRM trip enabled region.
Manually moving the reactor mode switch out of the RUN position to any other position causes the APRM rod block and APRM neutron flux scram CHAPTER 07 7.2-4 REV. 17, SEPTEMBER 2014
LGS UFSAR setpoints to be lowered. The manual positioning of the reactor mode switch is governed by the standard reactor startup (shutdown) procedure. The operator can bypass the trips from any one APRM channel, but only one APRM channel may be bypassed at any time. No APRM voter channels may be bypassed.
A simplified circuit arrangement is shown in Figure 7.6-7.
NMS scram operating bypasses are described in Section 7.2.1.1.4.4.6.
Diversity of trip initiation for unusual excursions in reactor power is provided by the NMS trip signals and reactor vessel high pressure trip signals. An increase in reactor power initiates protective action from the NMS discussed in the above paragraphs. The increase in power causes reactor pressure to increase because of a higher rate of steam generation with no change in turbine control valve position resulting in a trip from reactor vessel high pressure. These variables are independent of one another and provide diverse initiation of protective action for this condition.
- b. Reactor Pressure (RPS Initiating Circuits)
Reactor pressure is measured at four physically separated locations. A pipe from each location is routed through the drywell and terminates in the reactor enclosure.
One locally mounted pressure sensor monitors the pressure in each pipe. Cables from these sensors are routed to the RPS logic cabinets. Each sensor provides a high pressure signal to one channel as shown in Figure 7.2-3. The physical separation and the signal arrangement ensure that no single physical event can prevent a scram caused by nuclear system high pressure.
The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the reactor pressure sensors is shown in Drawing M-41.
The discussion of diversity for reactor vessel high pressure is provided in Section 7.2.1.1.4.6.
- c. Reactor Vessel Water Level (RPS Initiating Circuits)
Reactor vessel low water level signals are initiated from level sensors that sense the difference between the pressure that is due to a constant reference column of water and the pressure that is due to the actual water level in the vessel. The level sensors (A, B, C and D) have separate RPV reference leg taps; however, sensors A and B share the same variable leg tap and common piping to the outside of the primary containment where the piping is split for these and other sensors as shown in Drawing M-42. Sensors C and D are of a similar configuration with their tap and piping physically separated from that used by sensors A and B. A break (or blockage) in either of the common piping runs will result in a reactor scram because the one-out-of-two-twice logic is arranged with sensors A and C in trip logic A and sensors B and D in trip logic B. The physical separation of redundant sensors and the signal arrangement ensure that no single physical event can prevent a scram that is due to reactor vessel low water level.
CHAPTER 07 7.2-5 REV. 17, SEPTEMBER 2014
LGS UFSAR Diversity of trip initiation for breaks in the RCPB is provided by reactor vessel low water level trip signals and high drywell pressure trip signals. If a break in the primary system boundary occurs, a volume of primary coolant is released to the drywell in the form of steam. This release causes reactor vessel water level to decrease and drywell pressure to increase, resulting in protective action initiation.
These variables are independent of one another and provide diverse initiation of protective action for this condition.
The locations of the reactor vessel low water level sensors are shown in Drawings C71-1010-F-002, C71-1010-F-003, C71-1010-F-004, and C71-1010-F-005, and the environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the reactor vessel low water level sensors is shown in Drawing M-42.
- d. Turbine Stop Valve (RPS Initiating Circuits)
Turbine stop valve closure inputs to the RPS come from valve stem position switches mounted on the four turbine stop valves. Each of the double-pole, single-throw switches opens before the valve is more than 7% closed to provide the earliest positive indication of closure (Technical Specification - Setpoint <= 5%,
Allowable Value <= 7%). Either of the two channels associated with one stop valve, can signal valve closure, as shown in Figure 7.2-7. The logic is arranged so that closure of three or more valves initiates a scram.
Turbine stop valve closure trip channel operating bypasses are described in Section 7.2.1.1.4.4.1.
Diversity of trip initiation for increases in reactor vessel pressure that are due to termination of steam flow by turbine stop valve or control valve closure is provided by reactor vessel high pressure and high power trip signals. A closure of the turbine stop valves or control valves at steady-state conditions would result in an increase in reactor vessel pressure. If a scram were not initiated from these closures, a scram would occur from high reactor vessel pressure or power. Reactor vessel high pressure and power are independent variables for this condition and provide diverse initiation of protective action.
The locations of the turbine stop valve closure position switches are shown in the instrument location drawing provided in Drawing E-1112. The environmental conditions for the RPS are described in Section 3.11.
- e. Turbine Control Valve (RPS Initiating Circuits)
Turbine control valve fast closure inputs to the RPS are from oil line pressure sensors on each of four fast-acting control valve hydraulic mechanisms. These hydraulic mechanisms are part of the turbine control, and they are used to effect fast closure of the turbine control valves. These pressure switches provide signals to the RPS. If hydraulic oil line pressure is lost, a turbine control valve fast closure scram is initiated.
Turbine control valve fast closure trip channel operating bypasses are described in Section 7.2.1.1.4.4.1.
CHAPTER 07 7.2-6 REV. 17, SEPTEMBER 2014
LGS UFSAR The discussion of diversity for turbine control valve fast closure is the same as that for turbine stop valve closure provided in Sections 7.2.1.1.4.2.d and 7.2.1.1.4.6.
The locations of the turbine control valve fast closure pressure switches are shown in the instrument location drawings provided in Drawing M-677. The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the turbine control valve fast closure pressure switch is shown in Drawing M-01.
- f. Main Steam Isolation Valves (RPS Initiating Circuits)
Position switches mounted on the eight MSIVs signal MSIV closure to the RPS.
Each of the double-pole, single- throw switches is arranged to open before the valve is more than 12% closed to provide the earliest positive indication of closure (Technical Specification - Setpoint <= 8%, Allowable Value <= 12%). Either of the two channels associated with one isolation valve can signal valve closure. To facilitate the description of the logic arrangement, the position-sensing channels for each valve are identified and assigned to RPS logics as follows:
Valve Position-Sensing Feeds Identification Channels Trip Logic Main steam line A, F022A A1, B1 inboard valve Main steam line A, F028A A1, B1 outboard valve Main steam line B, F022B A1, B2 inboard valve Main steam line B, F028B A1, B2 outboard valve Main steam line C, F022C A2, B1 inboard valve Main steam line C, F028C A2, B1 outboard valve Main steam line D, F022D A2, B2 inboard valve Main steam line D, F028D A2, B2 outboard valve Thus, each logic receives signals from the valves associated with two steam lines (Figure 7.2-8). The arrangement of signals within each logic requires closing of at least one valve in each of the two steam lines associated with that logic to cause a trip of that logic. For example, closure of the inboard valve of steam line A and the outboard valve of steam line C causes a trip of logic B1. This in turn causes trip system B to trip.
CHAPTER 07 7.2-7 REV. 17, SEPTEMBER 2014
LGS UFSAR No scram occurs, because no trips occur in trip system A. In no case does closure of two valves or isolation of two steam lines cause a scram that is due to valve closure. Closure of at least one valve in three or more steam lines causes a scram.
The wiring for the position-sensing channels from one position switch is physically separated in the same way that wiring to duplicate sensors on a common process tap is separated. The wiring for position-sensing channels feeding the different trip logics of one trip system is also separated.
MSIV closure trip channel operating bypasses are described in Section 7.2.1.1.4.4.2.
Diversity of trip initiation that is due to main steam isolation is provided by reactor vessel high pressure and power trip signals. A closure of the MSIVs at steady-state conditions would cause an increase in reactor vessel pressure and power. If a scram were not initiated from MSIV closure, a scram would occur from high reactor vessel pressure or high power. These variables are independent and provide diverse initiation of protective action for this condition.
The locations of the MSIV closure position switch are shown in the instrument location drawing in Figures 7.2-12 and 7.2-13. The environmental conditions for the RPS are described in Section 3.11.
- g. Scram Discharge Volume (RPS Initiating Circuits)
Four nonindicating float switches (one for each channel) provide SDV high water level inputs to the four RPS channels. In addition, a trip unit, with a level transmitter, in each channel provides diversity with the float-type level switch in that channel. This arrangement provides diversity, as well as redundancy, to ensure that no single event can prevent a scram caused by SDV high water level. With the predetermined scram setting, a scram is initiated when sufficient capacity still remains in the tank to accommodate a scram.
SDV water level trip channel operating bypasses are described in Section 7.2.1.1.4.4.3.
The SDV function is to receive water that is discharged from the CRD during a scram. If at the completion of the scram the level of water in the SDV is greater than the trip setting, the RPS cannot be reset until the discharge volume has been drained or the discharge volume level switch is in the bypass position and the reactor mode switch is in the shutdown or refuel mode. In addition, the SDV water level scram setting has been selected so that the CRD water discharged because of a scram can fit in the volume, along with prior leakage that would have initiated the scram.
The locations of the SDV water level sensors are shown in the instrument location drawing in Drawings E-1164 and E-1165. The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the SDV level sensors is shown in Drawings C11-1030-F-008,C11-1030-F-009,C11-1030-F-010,C11-1030-F-011,C11-1030-F-012,C11-1030-F-013, and C11-1030-F-014.
- h. Drywell Pressure (RPS Initiating Circuits)
CHAPTER 07 7.2-8 REV. 17, SEPTEMBER 2014
LGS UFSAR Drywell pressure is monitored by four pressure sensors mounted on instrument racks outside the drywell in the secondary containment. Pipes that terminate in the secondary containment connect the sensors with the drywell interior. The sensors are physically separated and electrically connected to the RPS so that no single event prevents a scram caused by drywell high pressure. Cables are routed from the sensors to the RPS logic cabinets. Each sensor provides an input to one channel (Figure 7.2-3).
The discussion of diversity for high drywell pressure is provided in Sections 7.2.1.1.4.2 and 7.2.1.1.4.6.
The drywell pressure sensors are located on instrument racks outside the drywell.
Instrument location drawings listed in Table 1.7-3 show the rack locations. The environmental conditions of the RPS are described in Section 3.11.
- i. Deleted
- j. Manual Scram (RPS Initiating Circuits)
A scram can be initiated manually. There are four scram buttons, one for each trip logic (A1, A2, B1, and B2). To initiate a manual scram, at least one button in each trip system must be depressed. The manual scram logic is the same as the automatic scram logic. The manual scram buttons are arranged in two groups of two switches. One group contains the A1 and B1 switches. The A2 and B2 switches are in the other group. The switches in each group are located close enough to permit one hand motion to initiate a scram. By operating the manual scram button for one trip logic at a time and then resetting that logic, each actuator logic can be tested for manual scram capability. The reactor operator can also scram the reactor by placing the mode switch in its shutdown position.
- k. Mode Switch in Shutdown (RPS Initiating Circuits)
A scram is initiated whenever the mode switch is placed in the shutdown position.
The mode switch has four electrically separated banks of gear-driven contacts.
Each bank provides inputs into a separate RPS trip logic. The mode switch is located on the reactor control console in the control room. The environmental conditions for the control room are described in Section 3.11. The discussion of mode switch in shutdown operating bypass is discussed in Section 7.2.1.1.4.4.4.
The discussion of mode switch interlocks is given in Sections 7.2.1.1.4.5 and 7.2.1.1.6.2.1.
The mode switch in shutdown does not require diversity as discussed in Section 7.2.1.1.4.4.4.
7.2.1.1.4.3 RPS Logic The basic one-out-of-two-twice logic arrangement of the RPS is illustrated in Drawings C71-1010-F-002, C71-1010-F-003, C71-1010-F-004, and C71-1010-F-005. The system is arranged as two separately powered trip systems. Each trip system has two redundant logics, as shown in Figures CHAPTER 07 7.2-9 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.2-4 and 7.2-5. Each logic receives input signals from at least one channel for each monitored variable. Each variable is monitored by at least four channels.
Channel and logic relays are fast response, high reliability relays. Power relays for interrupting the scram pilot valve solenoids have high current carrying capabilities and are highly reliable. All RPS relays are selected so that the continuous load will not exceed 50% of the continuous-duty rating.
The time response for the RPS sensor and sensor trip to actuators de-energized is provided in Chapter 16. The time requirements for control rod movement are discussed in Section 4.6.3.
Each trip logic provides inputs into each of the actuator logics of one trip system, as shown in Figures 7.2-4 and 7.2-5. Thus, either of the two logics associated with one trip system can produce a trip system trip. The arrangement is a one-out-of-two-twice logic. To produce a scram, the actuator logics of both trip systems must be tripped.
Diversity of variables is provided for the RPS but not in the logic. One-out-of-two-twice logic is used, but the logic channels are identical.
The RPS reset switch is used to momentarily bypass the seal-in contacts of the final actuators of the RPS. The reset is effected in conjunction with auxiliary relays. If a single channel is tripped, the reset is accomplished immediately upon operation of the reset switch. On the other hand, if a reactor scram condition is present, manual reset is prohibited for a 10 second period to permit the control rods to achieve their fully inserted position.
7.2.1.1.4.4 RPS Scram Operating Bypasses A number of manual and automatic scram bypasses are provided to accommodate the varying protection requirements that depend on reactor conditions. These are automatically removed when the permissives conditions are not present. In addition, individual channels can be bypassed under administrative control for test and maintenance.
All manual bypass switches are in the control room, under the direct control of the control room operator.
7.2.1.1.4.4.1 Turbine Stop Valve and Turbine Control Valve Fast Closure Turbine stop valve closure and turbine control valve fast closure trip bypass is effected by four pressure sensors associated with the turbine first stage.
Two physically separate and redundant pressure taps located in the turbine steam supply lines upstream of the high pressure turbine first stage are each piped to two non-redundant pressure sensors that sense first stage pressure. Redundancy has been achieved by connecting one pressure transmitter output to each of the four divisional trip logics so that at least two divisions must be bypassed, by action of the turbine first-stage pressure scram bypass trip units, to prevent a scram from turbine stop valve closure or turbine control valve fast closure.
The turbine stop valve closure scram and turbine control valve fast closure scram are automatically bypassed if the turbine first-stage pressure is less than a predetermined value. Closure of these turbine valves below a low initial power level does not threaten the integrity of any radioactive material release barrier. Any one channel in a bypass state produces a control room annunciation.
The sensors are arranged so that no single failure can prevent a turbine stop valve closure scram CHAPTER 07 7.2-10 REV. 17, SEPTEMBER 2014
LGS UFSAR or turbine control valve fast closure scram. In addition, this bypass is automatically removed when the turbine first-stage pressure exceeds the setpoint corresponding to 29.5% of rated power.
7.2.1.1.4.4.2 MSIV Closure (RPS Scram Bypass)
At plant shutdown and during initial plant startup, a bypass is required for the MSIV closure scram trip to properly reset the RPS. This bypass is in effect when the reactor mode switch is in the SHUTDOWN, REFUEL, or STARTUP position. The bypass allows plant operation when the MSIVs are closed during low power operation. The operating bypass is removed when the mode switch is placed in the run position.
The discussion of diversity for MSIV closure is provided in Section 7.2.1.1.4.2.f.
7.2.1.1.4.4.3 Scram Discharge Volume Level (RPS Scram Bypass)
The SDV high water level trip bypass is controlled by the manual operation of two key-locked switches, a bypass switch, and the mode switch. The mode switch must be in the shutdown or refuel position to allow manual bypass of this trip. This bypass allows the operator to reset the RPS scram relays so that the SDV may be drained. Resetting the trip actuators opens the SDV vent and drain valves. An annunciator in the control room indicates the bypass condition.
The discussion of diversity of the SDV level trip is provided in Section 7.2.1.1.4.2.g.
7.2.1.1.4.4.4 Mode Switch in Shutdown (RPS Scram Bypass)
The scram initiated by placing the mode switch in shutdown is automatically bypassed after a short time delay. The bypass allows the CRD hydraulic system valve lineup to be restored to normal.
An annunciator in the control room indicates the bypassed condition.
Diversity of variables is not provided for this function because the placing of the mode switch in shutdown is part of the normal method for shutting down the reactor and requires only operator action for initiation. The mode switch in shutdown is not a safety function and does not require diversity.
7.2.1.1.4.4.5 Maintenance, Calibration, or Test RPS Scram Bypasses Each reactor scram sensor can be tested and calibrated. When an instrument is valved out for test or calibration, the administratively controlled system out-of-service annunciation is manually actuated.
Individual channels for drywell high pressure, reactor vessel high pressure, reactor vessel low water level, CRD SDV high water level, and main steam line high radiation are tripped when any one sensor is physically removed for maintenance. The bypass of the turbine stop valve closure and turbine control valve fast closure trip remains in the unbypassed state when the one turbine first-stage pressure sensors are physically removed for maintenance.
7.2.1.1.4.4.6 NMS (RPS Scram Bypass)
Bypasses for the NMS channels are described below.
CHAPTER 07 7.2-11 REV. 17, SEPTEMBER 2014
LGS UFSAR The neutron monitoring scram logic trip outputs for IRM and APRM can be bypassed, during any mode of operation by hand operated selector switches located on the reactor control bench board in the control room. The bypasses for APRM channels 1, 2, 3, and 4 are controlled by one fiber-optic selector switch. None of the four APRM 2-out-of-4 voter channels can be bypassed. The bypasses for IRM channels A, C, E, and G are controlled by one selector switch and the bypasses for IRM channels B, D, F, and H are controlled by a second selector switch.
The APRM and IRM bypass switches can bypass only one NMS channel at a time. Each APRM and IRM bypass is indicated by a light in the control room.
Bypassing one APRM channel with the APRM selector switch does not inhibit the NMS from providing protective action when required. Bypassing one IRM channel with each IRM selector switch does not inhibit the NMS from providing protective action when required. Bypass indication is discussed in Section 7.2.2.1.2.1.7.
The operating bypasses of the NMS are controlled by the reactor mode switch located on the control room reactor control bench board. When the reactor mode switch is in the RUN mode, the IRM trips are bypassed; protection is provided by the APRM trips. When the reactor mode switch is not in the RUN mode, the IRM trips are active. As reactor power is increased and the APRM system reaches its operating range, by procedure the IRM detectors are withdrawn from the reactor core. When reactor power is decreased to the IRM operating range, by procedure the IRM detectors are inserted into the reactor core.
Plant administration procedures manuals specify the administrative controls used during maintenance, test, and calibration.
7.2.1.1.4.5 RPS Interlocks The SDV high water level trip bypass signal interlocks with the RMCS to initiate a rod block. The interlock is isolated by relay contacts so that no failure in the control system can prevent a scram.
Reactor vessel low water level, reactor vessel pressure, main steam line radiation, turbine stop valve closure, and drywell high pressure signals are shared with the PCRVICS. The sensors operate relays in the RPS whose contacts interlock with the PCRVICS.
A discussion of the NMS interlocks to rod block functions is provided in Section 7.6.1.4.
Each APRM and IRM bypass is indicated by a light in the control room. The reactor mode switch has interlocks to systems other than the RPS. These interlocks are discussed in Section 7.6.1.4.
7.2.1.1.4.6 RPS Redundancy and Diversity Redundant portions of the RPS have physically separated sensor taps, sensing lines, sensors, sensor racks, cable routing, and logic. By the use of redundant sensors for each RPS variable and separate redundant logic and wiring, the RPS system has been protected from the credible single failures. For additional information on redundancy of RPS subsystems, see Section 7.2.1.1.4.2.
Redundancy of the fail-safe RPS power supply is not required. There are two uninterruptible power supplies for continuity of service only.
CHAPTER 07 7.2-12 REV. 17, SEPTEMBER 2014
LGS UFSAR Diversity is provided by monitoring diverse sets of independent reactor vessel variables. MSIV closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of a reactor vessel high pressure and power scram trip. Therefore reactor high pressure and power are diverse scram inputs to main steam line closure. Drywell high pressure and reactor low water level are diverse scram variables for a steam or water line break inside the containment. Diversity of variables for main steam line breaks outside the drywell, which initiate main steam line isolation and in turn reactor trip initiation, is covered in Section 7.3.1.1.2.8.1.
Additional discussion of diversity of RPS variables is provided in Section 7.2.1.1.4.2.
7.2.1.1.4.7 RPS Actuated Devices The trip system logic opens when a trip signal is received and de-energizes the scram pilot valve solenoids. There are two pilot solenoids per control rod. Both solenoids must de-energize to bleed the instrument air from, and open, the inlet and outlet scram valves to allow drive water to scram a control rod. One solenoid receives its signal from trip system A, and the other receives it from trip system B. The control rods are arranged in four groups. Within each trip system, each group of control rods has its own scram contactor logic as shown in Figure 7.2-4. The failure of one control rod group to scram does not prevent a complete shutdown. The instrument air system provides support to the RPS by keeping the air operated scram valve closed until a scram is required.
The individual control rods and their controls, the scram valves, and the pilot solenoids are not part of the RPS; however, the RPS does interface with these devices by controlling the pilot solenoids.
The pilot solenoids for the scram pilot valves are part of the HCU (C11-D001) of the associated control rod in the CRD system. The backup scram valves (C11-F110A & B), classified as nonessential, are also not part of the RPS, but are part of the CRD system. The valves are supplied with 125 V dc safeguard power from separate supplies. For further information on the scram valves and control rods, see Section 4.6.1.2.4.3.
The pilot solenoid valves are supplied from the RPS uninterruptible power sources.
In addition to the two scram valves for each CRD, there are two backup scram valves that are used to vent the common header for all control rods. Both backup scram valves are energized to initiate venting and are individually supplied with 125 V dc power from the Class 1E plant batteries. In any auxiliary use of the plant instrument air system, a failure of the air system causes a safe direction actuation of the safety device.
7.2.1.1.4.8 RPS Separation Four independent sensor channels monitor the various process variables listed in Section 7.2.1.1.4.2. The redundant sensor devices are separated so that no single failure can prevent a scram. All RPS wiring outside the control system cabinets is run in totally enclosed metallic raceways or in embedded PVC conduits. Physically separated cabinets or cabinet bays are provided for the four trip logics. The rack number for RPS sensors is shown in Drawing M-01 and M-42. The locations for local RPS racks and panels are shown on the instrument location drawings listed in Table 1.7-3. Cable routing from sensor to panel is shown in raceway plans listed in Section 1.7. The criteria for separation of sensing lines and sensors are discussed in Section 7.1.2.2.
The mode switch, SDV high water level trip bypass switch, scram reset switch, and manual scram switches are all mounted on one control console. Each device is mounted in a metal enclosure CHAPTER 07 7.2-13 REV. 17, SEPTEMBER 2014
LGS UFSAR and has a sufficient number of barrier devices when required to maintain adequate separation between redundant portions of the RPS. Within the panel, conduit is provided from the metal enclosures to the point where adequate physical separation can be maintained without barriers.
The outputs from the logic cabinets to the pilot solenoids are run in four separate raceway systems to match the four scram groups shown in Drawings C71-1010-F-002 and C71-1010-F-003. The groups are selected so that the failure of one group to scram does not prevent a reactor shutdown.
RPS inputs to annunciators and the computer are arranged so that no malfunction of the annunciating or computing equipment can functionally disable the RPS. Direct signals from RPS sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output.
7.2.1.1.4.9 RPS Testability The RPS has components that are not activated or tested during normal operation with an integrated testing procedure. These components are tested using manual test methods which allow for independent checking of individual system components. This testing includes verification of each channel trip, including scram contactors, by using the associated installed sensors and circuits to verify proper operation. The frequency of these tests and parameters to be verified are identified in the Technical Specifications.
The RPS can be tested during reactor operation by an overlapping series of tests.
- a. The manual scram test is as follows: By depressing the manual scram button for one trip channel, appropriate scram contactors are de-energized, opening contacts in the scram contactor logics. After the first trip channel is reset, the second trip channel is tripped manually and so forth for the four manual scram buttons. The total test verifies the ability to de-energize the scram pilot valve solenoids without scram by using the manual scram push button switches. In addition to control room and computer printout indications, scram group indicator lights verify that the scram contractor contacts have opened and interrupted power in these pilot solenoids.
- b. Calibration of the NMS is by simulated inputs from calibration signal generators.
Calibration and test controls for the NMS are located in the auxiliary equipment room. Their physical location places them under control of the operating shift management. Section 7.6.1.4 describes the calibration procedure of the NMS.
- c. The single rod scram test verifies the capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular CRD. Timing traces can be made for each rod scrammed. Before the test, a physics review must be conducted to ensure that the rod pattern during scram testing does not create a rod of excessive reactivity worth.
- d. MSIV position switches, turbine control valve fast closure sensors, and turbine stop valve position switches can be checked for operability.
- e. The process computer verifies the correct operation of many sensors during plant startup and shutdown. The verification provided by the process computer is not considered in the selection of test and calibration frequencies and is not required for plant safety.
CHAPTER 07 7.2-14 REV. 17, SEPTEMBER 2014
- f. The overall RPS response time from sensor trip to channel relay de-energization and scram contactor de-energization is verified by test.
- g. The fourth test involves one of two methods for applying test signals to each RPS channel in turn and observing that a logic trip results. This test also verifies the independence of the channel circuitry. The test signals can be applied to the process-type sensing instruments (pressure and differential pressure) through calibration taps, or a calibration input may be applied to each instrument trip unit by use of a built-in calibrator. Calibration and test controls for pressure sensors and differential pressure sensors are located in the turbine enclosure and secondary containment. Calibration controls for the trip units are located in the auxiliary equipment room. To gain access to the setting controls for each sensor, a cover plate or sealing device must be removed. The control room operator is responsible for granting access to the setting controls. Only properly qualified plant personnel are granted access for testing or calibration adjustments.
In addition to the above test, the operability of the pressure and level sensors may be verified by cross-checking instrument readouts in the auxiliary equipment room at any time during operations.
The CRD SDV level sensors are tested by valving the sensor out of service and injecting and varying a test source to the level sensor.
7.2.1.1.5 RPS Environmental Considerations Electrical modules for the RPS are located in the drywell, control structure, secondary containment, and turbine enclosure. The environmental conditions for these are discussed in Section 3.11.
7.2.1.1.6 RPS Operational Considerations 7.2.1.1.6.1 Reactor Operator Information 7.2.1.1.6.1.1 Indicators Scram group indicators extinguish when trip logic opens.
Recorders in the control room also provide information regarding reactor vessel water level, reactor vessel pressure, drywell pressure, and reactor power level.
7.2.1.1.6.1.2 Annunciators (RPS Operator Information)
Each manual and/or automatic RPS input is annunciated in the control room by isolated relay contacts. Trip logic trips also actuate the annunciator system.
When an RPS sensor channel trips, a corresponding red annunciator window on the reactor control panel in the control room indicates the out-of-limit variable. Each trip logic also initiates a corresponding red annunciator window that indicates the trip logic that has tripped. An RPS channel trip also actuates an annunciator system horn, which can be silenced by the operator. The annunciator window lights latch-in until reset manually. Reset is not possible until the condition that CHAPTER 07 7.2-15 REV. 17, SEPTEMBER 2014
LGS UFSAR caused the trip has been cleared. The location of alarm windows permits the operator to quickly identify the cause of RPS trips and to evaluate the threat to the fuel or RCPB.
7.2.1.1.6.1.3 Computer Alarms (RPS Operator Information)
A computer printout identifies each tripped channel. All RPS trip events are recorded by the NSSS process computer system. This permits subsequent analysis of an operational transient that occurs too rapidly for operator comprehension of events as they occur. The first 80 events are recorded in chronological sequence; events occurring within 4 milliseconds of one another are treated as having occurred simultaneously. The use of the computer is not required for plant safety. The printout of trips is particularly useful in routinely verifying the correct operation of pressure, level, and valve position switches as trip points are passed during startup, shutdown, and maintenance operations.
7.2.1.1.6.2 RPS Reactor Operator Controls 7.2.1.1.6.2.1 Mode Switch A conveniently located, multiposition mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate sensors for scram functions and provides appropriate bypasses. The switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the RPS.
The switch is designed to provide separation between the four trip channels. The mode switch positions and their related scram functions are as follows:
- a. Shutdown Initiates a reactor scram; bypasses main steam line isolation scram.
- b. Refuel Selects the IRM trips for low neutron flux level operation (disables the OPRM upscale trip but does not disable the APRM upscale and inoperative trips);
bypasses main steam line isolation scram.
- c. Startup Selects the IRM trips for low neutron flux level operation (disables the OPRM upscale trip but does not disable the APRM upscale and operative trips); bypasses main steam line isolation scram.
7.2.1.1.6.3 Setpoints (RPS Operational Considerations)
Instrument ranges are chosen to cover the range of expected conditions for the variable being monitored. Additionally, the range is chosen to provide the necessary accuracy for any required setpoints and to meet the overall accuracy requirements of the channel.
CHAPTER 07 7.2-16 REV. 17, SEPTEMBER 2014
- a. NMS Trip To protect the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The NMS setpoints and their bases are discussed in Section 7.6.1.4.
- b. Reactor Vessel High Pressure Excessively high pressure within the reactor vessel threatens to rupture the RCPB. A reactor vessel pressure increase during reactor operation compresses the steam voids and results in a positive reactivity insertion; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The reactor vessel high pressure scram setting selected is slightly above the reactor vessel maximum normal operation pressure, to permit normal operation without a spurious scram and yet provide a wide margin to the maximum allowable reactor vessel pressure. The location of the pressure measurement, as compared to the location of the highest nuclear system pressure during transients, was also considered in the selection of the high pressure scram setting. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable pressure. The reactor vessel high pressure scram setting also protects the core from exceeding thermal-hydraulic limits resulting from pressure increases during events that occur when the reactor operates below rated power and flow.
- c. Reactor Vessel Low Water Level (RPS Setpoints)
Low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. Decreasing water level while the reactor operates at power decreases the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. If the water level decreases further, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core. The reactor vessel low water level scram setting was selected to prevent fuel damage following abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. The scram setting is far enough below normal operational levels to prevent spurious scrams. The setting is high enough above the top of the active fuel to ensure that enough water is available to account for evaporation, loss, and displacement of coolant following the most severe abnormal operational transient involving a level decrease.
- d. Turbine Stop Valve Closure (RPS Setpoints)
Closure of the turbine stop valve with the reactor operating at power can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the NMS or reactor vessel high pressure. It is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. By inserting CHAPTER 07 7.2-17 REV. 17, SEPTEMBER 2014
LGS UFSAR negative reactivity with control rods, the scram counteracts the addition of positive reactivity caused by increasing pressure. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the reactor vessel pressure limit. The turbine stop valve closure scram setting provides the earliest positive indication of valve closure.
- e. Turbine Control Valve Fast Closure (RPS Setpoints)
With the reactor and turbine-generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the NMS or reactor vessel high pressure. It is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. By inserting negative reactivity with control rods, the scram counteracts the addition of positive reactivity resulting from increasing pressure. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure.
- f. Main Steam Line Isolation (RPS Setpoints)
MSIV closure can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The main steam line isolation trip initiates a scram earlier than either the NMS or reactor vessel high pressure. By inserting negative reactivity with control rods, the scram counteracts the addition of positive reactivity resulting from increasing pressure. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the main steam line isolation scram provides additional margin to the nuclear system pressure limit. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The logic allows functional testing of main steam line isolation trip channels by partially closing an MSIV.
Water displaced by the CRD pistons during a scram goes to the SDV. If the SDV fills with water so that insufficient capacity remains for the water displaced during a scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.
- h. Drywell High Pressure (RPS Setpoints)
High pressure inside the drywell may indicate a break in the RCPB. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and CHAPTER 07 7.2-18 REV. 17, SEPTEMBER 2014
LGS UFSAR to reduce energy transfer from the core to the coolant. The drywell high pressure scram setting is selected to be as low as possible without inducing spurious scrams.
- i. Left blank intentionally.
- j. Manual Scram (RPS Setpoints)
Push buttons are located in the control room to enable the operator to shut down the reactor by initiating a scram.
- k. Mode Switch in Shutdown (RPS Setpoints)
When the mode switch is in shutdown, the reactor is to be shut down with all control rods inserted. This scram is not considered a protective function, because it is not required to protect the fuel or reactor vessel process barrier, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short delay, permitting a scram reset that restores the normal valve lineup in the CRD hydraulic system.
- l. Turbine First-Stage Pressure (RPS Setpoints)
The turbine stop valve closure scram and turbine control valve fast closure scram are automatically bypassed if the turbine first-stage pressure is less than a predetermined value. This setpoint is chosen so that closure of these valves below the setpoint does not threaten the integrity of any radioactive material release barrier.
7.2.1.1.7 RPS Containment Electrical Penetration Assignment See Section 6.2.6.
7.2.1.1.8 RPS Control Room Area The control room area is divided into three floors, the auxiliary equipment room, the control room, and the cable spreading room. Each floor is divided into a Unit 1 and Unit 2 section. The RPS control board is located in the control room. The bench board for reactor control contains the reactor mode switch, bypass switches, scram solenoid valve status indicating lights, and manual scram switches. The RPS vertical boards are located in the auxiliary equipment room. The RPS vertical boards contain the trip units, trip channel and logic relays, test switches, trip indicating lights, and terminal boards. The vertical boards are installed on PGCC floor sections and are connected to individual termination cabinets by under-floor cable ducts. A general description of the cable spreading in the PGCC floor sections is contained in NEDO-10466A, "Power Generation Control Complex", and a further description is contained in Section 8.1.6.1.14.b.6.
There is no RPS equipment except for cables located in the cable spreading room. In the cable spreading room the RPS cables are routed in identified, totally enclosed metallic raceways. The arrangement of the equipment is shown in Drawings M-602 and M-603.
7.2.1.1.9 Test Methods that Enhance RPS Reliability Surveillance testing is performed periodically on the RPS during operation and shutdown. This testing includes sensor calibration, response time testing, trip channel actuation, and trip time CHAPTER 07 7.2-19 REV. 17, SEPTEMBER 2014
LGS UFSAR measurement with simulated inputs to individual trip units and sensors. The sensors that are transmitters can be checked by comparison of the readings on other channels of the same variable.
7.2.1.1.10 Interlock Circuits to Inhibit Rod Motion as Well as Vary the Protection Function Section 7.7.1.2.3.2.3.3 describes interlock circuits to inhibit rod motion that are derived from neutron flux and recirculation flow measurements. Electrical isolation is provided between the RBM interlock circuits and the APRM protective action circuits.
There are no interlock circuits that inhibit rod motion as well as vary the protective functions.
7.2.1.1.11 RPS Support Cooling Systems Operation of the control enclosure chilled water system and associated unit coolers is required to ensure operation of the RPS components within their design requirements. The control enclosure chilled water system is described in Section 7.3.1.1.13.
7.2.1.2 RPS Design Bases Design basis information requested by IEEE 279 (1971) is discussed in the following paragraphs.
These IEEE 279 design bases aspects are considered separately from those more broad and detailed design bases for this system cited in Section 7.1.
7.2.1.2.1 Conditions The generating station conditions that require reactor trip system protective action are as follows:
- a. Generator load rejection above the turbine steam bypass capability
- b. Turbine trip above the turbine steam bypass capability
- c. MSIV closure during operation in the run mode
- d. Turbine pressure regulator failure (valve open) resulting in MSIV closure that is due to dropping line pressure
- e. Excess reactor coolant inventory resulting in turbine trip that is due to high reactor water level
- f. Loss of feedwater flow
- g. Recirculation flow control failure with increasing flow
- h. Control rod-drop accident
- i. LOCA
- j. Main steam line break
- k. Feedwater system piping break CHAPTER 07 7.2-20 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.2.1.2.2 Variables The generating station variables that require monitoring in order to provide protective actions, are identified in Table 7.2-2.
7.2.1.2.3 Sensors A minimum number of LPRMs per APRM are required to provide adequate protective action. This is the only variable that has spatial dependence as discussed in IEEE 279, paragraph 3.3. A discussion of these requirements is in Section 7.6.
7.2.1.2.4 Operational Limits Operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious scram is avoided. It is then verified by analysis that the calculated radioactive material releases are kept within acceptable bounds. Design basis operational limits are listed in Chapter 16. Technical Specifications are based on operating experience and constrained by the safety design basis and the safety analyses.
7.2.1.2.5 Margin Between Operational Limits The margin between operational limits and the levels requiring protective action for the RPS are listed in Chapter 16, Technical Specifications. The margin includes the allowance for instrument accuracy, calibration error, sensor response times, and sensor and setpoint drift.
7.2.1.2.6 Levels Requiring Protective Action Levels requiring protective action are provided in Chapter 16, Technical Specifications.
7.2.1.2.7 Ranges of Energy Supply and Environmental Conditions The RPS 120 V ac power is provided by two static inverter sets that are each fed by two electrical sources, one from the plant auxiliary source and the other from the station batteries. The plant auxiliary source is a 480/120 V transformer, which is supplied through a transfer switch either from a non-Class 1E 440 V MCC or from a non-Class 1E 440 V MCC energized by a non-Class 1E UPS. Voltage regulation of the RPS power source is +/-2% under steady-state conditions.
Environmental conditions for the RPS components inside and outside the containment are discussed in Section 3.11.
7.2.1.2.8 Unusual Events Unusual events are defined as malfunctions, accidents, and other events that could cause damage to safety systems. The following accidents and events are considered: floods; storms; tornadoes; earthquakes; fire; LOCA; pipe break outside containment; feedwater line break; and missiles.
Each of these events is discussed below for the RPS.
- a. Floods The structures containing RPS components are designed to meet the PMF at the site location as described in Section 3.4. This ensures that the structures remain CHAPTER 07 7.2-21 REV. 17, SEPTEMBER 2014
LGS UFSAR water-tight under PMF, including wind-generated wave action and wave run-up.
Therefore, none of the RPS functions is affected by flooding.
- b. Storms and Tornados (RPS Design Bases Unusual Events)
The structures containing RPS components are designed to withstand all credible meteorological events and tornados as described in Section 3.3.2. Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair the RPS capabilities.
- c. Earthquakes (RPS Design Bases Unusual Events)
The structures containing RPS components, except the turbine enclosure, are seismically qualified as described in Sections 3.7 and 3.8. These structures containing RPS components remain functional during and following a SSE. The only RPS components located in the nonseismically qualified turbine enclosure are the sensors and associated cables for turbine stop valve closure, turbine control valve fast closure, turbine stop valve closure, and control valve fast closure bypass.
Since reactor pressure and power trips are diverse to these turbine scram variables, locating these sensors in the turbine enclosure does not compromise the ability of the RPS to provide protective action when required.
- d. Fires (RPS Design Bases Unusual Events)
To protect the RPS from a fire, the RPS trip logics are divided into four separate sections within two separate RPS panels. The sections within a panel are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the RPS functions would not be prevented by the fire.
The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the RPS continues to provide the required protective action.
A nonsafety-related fire detection system using both thermal (rate of temperature rise) and ionization smoke detectors is provided in the PGCC floor sections, termination cabinets, and the space between the slab and the elevated floor in the periphery of the auxiliary equipment room. The entire space, with the exception of the termination cabinets, is protected by a Halon 1301 total flooding fire suppression system. The system is automatically initiated by heat detectors within the protected space. Detection of fire by smoke detectors and automatic initiation of the Halon suppression system are annunciated in the control room.
The control room is provided with ionization smoke detectors. Manual fire fighting capability provided for the control room consists of portable halon fire extinguishers within the control room and carbon dioxide hose stations outside of the control room. Additionally, fire hose stations with hose lines equipped with combination nozzles are installed outside the control room.
These fire protection systems are fully discussed in Section 9.5.1.
CHAPTER 07 7.2-22 REV. 17, SEPTEMBER 2014
LGS UFSAR The following RPS components are located inside the drywell and would be subjected to the effects of a design basis LOCA:
- 1. NMS cabling from the detectors to the control room
- 2. MSIV inboard position switches
- 3. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines that terminate outside the drywell
- 4. Drywell pressure instrument taps These items and all RPS Class 1E components are environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11.
- f. Pipe Break Outside Secondary Containment (RPS Design Bases Unusual Events)
This condition would not affect the reliability of the RPS.
This condition would not affect the reliability of the RPS.
- h. Missiles (RPS Design Bases Unusual Events)
See Section 3.5.
7.2.1.2.9 Performance Requirements The minimum performance requirements are referenced in Chapter 16.
A logic combination (one-out-of-two-twice) of instrument channels and their trips, actuated by abnormal or accident conditions, initiates a scram and produces independent logic seal-ins within each of the four logic divisions. The trip conditions are annunciated and recorded on the process computer. The trip seal-in maintains a scram signal condition at the CRD system terminals until the instrument channels have returned within their normal operating range and the seal-in is manually reset by operator action. Thus, once a trip signal is present long enough to initiate a scram, the protective action goes to completion.
7.2.1.3 RPS Final System Drawings The final RPS drawings are processed at two different levels relative to this UFSAR.
- a. System IED and channel logic diagrams are provided in this section.
- b. Detailed circuit diagrams, electrical elementary diagrams, and cabinet and panel layout drawings are listed in Section 1.7. This documentation is complementary to discussions and drawings included in this UFSAR.
CHAPTER 07 7.2-23 REV. 17, SEPTEMBER 2014
LGS UFSAR There are no functional or architectural design basis differences or changes to this system between the approved preliminary PSAR design and the FSAR final design, except for the following changes:
- 1. 600 psi permissive in MSIV closure trip was deleted.
- 2. 15% APRM trip was added.
- 3. Trip units/transmitters were added.
- 4. Logics A3 and B3 were deleted.
A direct comparison of the PSAR and FSAR verifies these observations.
7.2.2 ANALYSIS 7.2.2.1 Reactor Protection System - Instrumentation and Controls 7.2.2.1.1 RPS General Functional Requirements Conformance Presented below are analyses to demonstrate how the various general functional requirements and the specific regulatory requirements listed under the RPS design bases (Section 7.1.2.1) are satisfied.
7.2.2.1.1.1 RPS Conformance to Design Bases Requirements 7.2.2.1.1.1.1 Design Basis (Section 7.1.2.1.1.1.a)
The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are detected and identified, are presented in that chapter.
The design basis from Section 7.1.2.1.1 requires that the precision and reliability of the initiation of reactor scrams be sufficient to prevent or limit fuel damage.
Table 7.2-1 lists the sensors selected to initiate reactor scrams and delineates the needed accuracy, range, and time response for each sensor. This information, along with the information in the Technical Specifications establishes the precision of the RPS variable sensors.
The reliability of the RPS is ensured by design through the selection of reliable components, configuration of components in redundant logic, the use of components based on previous design, and periodic testing.
The selection of scram trip settings has been developed through analytical modeling, experience, historical use of initial setpoints, and adoption of new variables and setpoints as experience was gained. The initial setpoint selection method provided for settings that were sufficiently above the normal operating levels (to preclude the possibilities of spurious scrams or difficulties in operation) but low enough to protect the fuel. As additional information became available or systems were changed, additional scram variables were provided using the above method for initial setpoint selection. The selected scram settings are analyzed to verify that they are conservative and that CHAPTER 07 7.2-24 REV. 17, SEPTEMBER 2014
LGS UFSAR the fuel and fuel barriers are adequately protected. In all cases, previous operating experience and the analytical models have been taken into consideration, so that the specific scram trip point selected is a conservative value that prevents damage to the fuel.
7.2.2.1.1.1.2 RPS Design Basis (Section 7.1.2.1.1.1.b)
The scram initiated by the RCPB high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the RCPB as a result of internal pressure. The MSIV closure scram provides a greater margin to the RCPB pressure safety limit than the high pressure scram does. For turbine-generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the nuclear system pressure safety limit than the high pressure scram does. Chapter 15 identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases. In no case does pressure exceed the RCPB safety limits.
7.2.2.1.1.1.3 RPS Design Basis (Section 7.1.2.1.1.1.d)
The scram initiated by the reactor vessel low water level satisfactorily limits the radiological consequences of gross failure of the RCPB. Chapter 15 evaluates gross failures of the RCPB; in no case does the release of radioactive material to the environment result in exposures that exceed the guide values of applicable published regulations.
7.2.2.1.1.1.4 RPS Design Basis (Section 7.1.2.1.1.1.d)
Scrams are initiated by variables that are designed to indirectly monitor fuel temperature and protect the RCPB. The NMS monitors fuel temperature indirectly using incore detectors. The incore detectors monitor the reactor power level by detecting the neutron level in the core. Reactor power level is directly proportional to neutron level and the heat generated in the fuel. Although the NMS does not monitor fuel temperature directly, by establishing a correlation between fuel temperature and reactor power level, scram setpoints can be determined for protective action, which prevents fuel damage.
The RCPB is protected by monitoring parameters that indicate reactor pressure directly or anticipate reactor pressure increases. Reactor pressure is monitored directly by pressure sensors that are connected directly to the RPV through sensing lines and pressure taps. In addition, reactor pressure transients are anticipated by monitoring the closure of valves that shut off the flow of steam from the RPV and cause rapid pressure increases. The variables monitored to anticipate pressure transients are MSIV position, turbine stop valve closure, and turbine control valve fast closure. If any of these valves were to close, pressure would rise very rapidly. Therefore, the pressure rise is anticipated, and a trip is initiated to minimize the pressure transient.
Chapter 15 identifies and evaluates the conditions that threaten fuel and RCPB integrity. In no case does the core exceed a safety limit.
7.2.2.1.1.1.5 RPS Design Basis (Section 7.1.2.1.1.1.e)
The scrams initiated by the NMS, drywell pressure, reactor vessel pressure, reactor vessel water level, turbine stop valve closure, and the turbine control valve fast closure prevent fuel damage.
The scram setpoints and response time requirements for these variables are referenced in Chapter 16 and have been designed to cover the expected range of magnitude and rates of change during abnormal operational transients without fuel damage. Chapter 15 identifies and evaluates CHAPTER 07 7.2-25 REV. 17, SEPTEMBER 2014
LGS UFSAR the conditions that threaten fuel integrity. With the selected variables and scram setpoints, adequate core margins are maintained relative to thermal-hydraulic safety limits.
7.2.2.1.1.1.6 RPS Design Basis (Section 7.1.2.1.1.1.f)
Neutron flux is the only essential variable with spatial dependence that provides inputs to the RPS.
Neutron flux is monitored both as an indication of average reactor power (APRM upscale trips) and as indication of thermal-hydraulic instability caused power oscillations (OPRM upscale trip).
Two transient analyses are used to determine the minimum number and physical location of required LPRMs for each APRM for average power monitoring.
- a. The first analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum number and locations of detectors needed to provide protective action are determined for this condition.
- b. The second analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a reduction of recirculation flow at a fixed design rate. Again, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum number and locations of detectors needed to provide protective action are determined for this condition.
The results of the two analyses are evaluated and compared to establish the actual minimum number and location of LPRMs needed for each APRM channel.
The OPRM upscale function monitors LPRMs combined into cells of 4 LPRMs each (see Figure 7.2-17). If more than 2 of the 4 LPRMs in an OPRM cell are bypassed the cell is determined to be inoperable and removed from the logic. The minimum required number of operable OPRM cells per APRM channel is determined by performing an analysis that mathematically removes LPRMs (and OPRM cells when the number of remaining LPRMs in a cell falls below the required minimum) and calculates the hot-bundle MCPR change that will result prior to an OPRM trip due to a power oscillation. That calculated value is compared to the hot-bundle MCPR change calculated with no LPRMs bypassed. The minimum required number of operable OPRM cells is that number that assures that the hot-bundle MCPR change that results prior to an OPRM upscale trip is equal to or less than the corresponding value calculated with no LPRMs bypassed (References 7.6-1 through 7.6-4).
Analyses like those discussed above for APRMs have also been conducted for the IRMs. These analyses have established the actual minimum number and location of IRM sensors and channels (Reference 7.2-1).
7.2.2.1.1.1.7 RPS Design Basis (Sections 7.1.2.1.1.1.g.1 through 7.1.2.1.1.1.g.8)
Sensors, channels, and logics of the RPS are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system.
CHAPTER 07 7.2-26 REV. 17, SEPTEMBER 2014
LGS UFSAR The RPS system is a normally energized system. Failure of either RPS power supply results in the de-energization of one of the two pilot solenoids associated with each control rod. Alternate power is available to the RPS buses. A complete loss of electrical power to both power supplies results in a scram. Loss of one or both power supplies does not prevent a reactor scram.
The RPS is designed so that trip variables need only exceed their trip setpoints for a sufficient length of time to de-energize the scram relay contactors and open the seal-in contacts of the associated trip logic. Once this is accomplished, the scram will go to completion, regardless of the state of the variable that initiated the protective action.
When the initiating condition has cleared and a sufficient (10 second) time delay has occurred, the scram logic may be reset only by actuation of the scram reset switches in the control room by the operator.
Reactor protection cabling is routed in separate, totally-enclosed metallic raceways or in embedded PVC conduits for all wiring between sensors, racks, panels, and scram solenoids.
Physical separation and electrical isolation among redundant portions of the RPS are provided by separated process instrumentation, separated racks, separated portions of panels, and separated cabling, as described in Section 7.2.1.1.4.8. This separation ensures that environmental factors, electrical transients, and physical events do not impair the ability of the RPS to respond correctly when required.
The RPS has four divisions housed in two panels in the auxiliary equipment room and one panel in the control room. Each panel has metallic fireproof barriers between divisions. Where equipment from more than one division is in a panel, divisional separation is provided by fire barriers or a physical distance of 6 inches or more where practicable. Where wiring from more than one redundant division is present at a single component, divisional separation is provided by fire barriers on the component, in addition to routing the wiring from the component in separate conduits or by routing wiring in such a way as to prevent any failure within the component from affecting redundant divisions. Separate racks are provided for the reactor protection sensor instrumentation in redundant divisions and they are either installed in different locations or separated by metal barriers.
The ability of the RPS to withstand an SSE is discussed in Section 7.2.2.1.2.1.4.
The ability of the RPS to function properly with a single failure is discussed in Section 7.2.2.1.2.3.1.2.
The ability of the RPS to function properly while any one sensor or channel is bypassed or is undergoing testing or maintenance is discussed in Section 7.2.2.1.2.3.1.11.
The RPS logic circuit is designed so that an automatic scram is initiated when at least one sensor in each trip system for any monitored variable exceeds the scram setpoint.
7.2.2.1.1.1.8 RPS Design Basis (Section 7.1.2.1.1.1.h)
Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant operations supervisory personnel.
CHAPTER 07 7.2-27 REV. 17, SEPTEMBER 2014
LGS UFSAR Access control is provided by the use of administration control procedures. These require that approved procedures be used to perform calibration and testing; permission must be obtained before performance of all calibration and testing. It is also required that operations personnel, within the control room, monitor and control access to panels and cabinets within the control room.
Manual bypass of instrumentation and control equipment components is under the control of the control room operator. If the ability to trip some essential part of the system is bypassed during a mode of operation that requires operability of that part of the system, this fact is continuously annunciated in the control room, as described in Section 7.2.2.1.2.1.7.
7.2.2.1.1.1.9 Other RPS Design Basis Requirements The RPS is a one-out-of-two-twice logic system. Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system. However, because the differences are slight, they can be neglected. The dual trip system is advantageous because it can be tested thoroughly during reactor operation without causing a scram. This capability for a thorough testing program significantly increases reliability.
The environment in which the instruments and equipment of the RPS must operate is discussed in Section 3.11.
The control room maximum environment is predicated on supplying the control room with 100%
outside air with no refrigeration. The minimum environment is predicated on a mixture of outside and recirculated air concurrent with minimum equipment heat loss. The RPS components that must function in the environment resulting from a RCPB break inside the drywell are the condensing chambers and the inboard MSIV position switches. Special precautions are taken to ensure their operability after the accident.
The condensing chambers have been qualified by analysis to the applicable ASME Codes. The chamber itself is strictly a mechanical assembly with no moving parts and no active functions.
There is no environmental requirement on the condensing chambers, other than that each maintain its integrity under the most severe environmental condition. The results of the seismic qualification of the condensing chambers are documented in the LGS SQRT Program.
The environmental qualification of the existing MSIV limit switches has been evaluated as part of the LGS environmental qualification program. As a result of the licensees evaluation, the originally supplied limit switches have been replaced with prequalified limit switches. The selection criteria for the replacement switches include qualification levels appropriate for a RCPB break inside the drywell.
Other essential components of the control and electrical equipment are either similar to those that have successfully undergone qualification testing in connection with other projects, or additional qualification testing under simulated environmental conditions has been conducted.
To ensure that the RPS remains functional, the number of operable channels for the essential monitored variables is maintained at or above the minimums referenced in Chapter 16. The minimums apply to any untripped trip system; a tripped trip system may have any number of inoperative channels. Because reactor protection requirements vary with the mode in which the reactor operates, the tables show different functional requirements for the run and startup modes.
These are the only modes in which more than one control rod can be withdrawn from the fully inserted position.
CHAPTER 07 7.2-28 REV. 17, SEPTEMBER 2014
LGS UFSAR In case of a LOCA, reactor shutdown occurs immediately following the accident as process variables exceed their specified setpoint. Operator verification that shutdown has occurred may be made by observing one or more of the following indications:
- a. Control rod status lamps indicating each rod fully inserted
- b. Control rod scram pilot valve status lamps indicating open valves
- c. Neutron monitoring power range channels and recorders downscale
- d. Annunciators for RPS variables and trip logic in the tripped state
- e. Process computer logging of trips and control rod position log Following generator load rejection, a number of events occur in the following chronological order:
- a. The pressure in the hydraulic oil lines to the control valve fast closure solenoid drops, and the pressure sensors provide a trip signal to RPS. Simultaneously the turbine control logic initiates fast opening of the turbine bypass valves which minimizes the pressure from the transient.
- b. The RPS scrams the reactor upon receipt of the turbine control valve fast closure signal, provided that at the time of load rejection the unit load is equal to or greater than 29.5% of rated power output.
The reactor scram is averted, if at the time of load rejection, the unit load is within the capacity of the turbine bypass system.
- c. The APRM Simulated Thermal - Upscale trip setting is automatically reduced from 117% to 97% Simulated Thermal Power, as recirculation flow is run back from 100% to 50% of the rated flow.
The trip settings discussed in Section 7.2.1.1.6.3 are not changed to accommodate abnormal operating conditions. Actions required during abnormal conditions are discussed in Chapter 16.
Transients requiring activation of the RPS are discussed in Chapter 15. The discussions there designate which systems and instrumentation are required to mitigate the consequences of these transients.
Operability of the anticipatory signals from the turbine control valve fast closure or turbine stop valve closure following an SSE is not a system design basis. There is no reason to expect concurrent failures of these trips without the SSE. However, if the gross failure of these trips should occur, the reactor would scram on high neutron flux or high reactor pressure. The results of this event would not be more severe than the one caused by closure of all the MSIVs without the MSIV position switch trip. That event is discussed in Section 5.2.2.2.2.4 as the relief valve sized transient.
7.2.2.1.2 RPS Specific Regulatory Requirements Conformance 7.2.2.1.2.1 RPS Conformance to Regulatory Guides CHAPTER 07 7.2-29 REV. 17, SEPTEMBER 2014
LGS UFSAR Conformance of the transmitter/trip unit system used in the RPS is discussed in Licensing Topical Report NEDO-21617-A, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Inputs." Conformance of the other features with the regulatory guides is discussed in the following sections.
7.2.2.1.2.1.1 RPS - Regulatory Guide 1.6 (1971) - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems (Safety Guide 6)
Conformance is discussed in Section 7.1.2.5.1.
7.2.2.1.2.1.2 RPS - Regulatory Guide 1.11 (1971) - Instrument Lines Penetrating Primary Reactor Containment (Safety Guide 11)
Conformance to Regulatory Guide 1.11 is discussed in Section 6.2.4.3.
7.2.2.1.2.1.3 RPS - Regulatory Guide 1.22 (1972) - Periodic Testing of Protection System Actuation Functions (Safety Guide 22)
The system is designed so that it may be tested during plant operation from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram does not occur as a result of the testing.
7.2.2.1.2.1.4 RPS - Regulatory Guide 1.29 (1978) - Seismic Design Classification All electrical and mechanical devices and circuitry between process instrumentation and protection actuators and monitoring of systems important to safety are classified as seismic Category I.
7.2.2.1.2.1.5 RPS - Regulatory Guide 1.30 (1972) - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment (Safety Guide 30)
See Section 8.1.6.1.5 and Chapter 17.
7.2.2.1.2.1.6 RPS - Regulatory Guide 1.32 (1977) - Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants Although not a design basis, an assessment of the LGS design shows that it meets the guidelines of Regulatory Guide 1.32 (1977) and conforms to IEEE 308 (1971).
7.2.2.1.2.1.7 RPS - Regulatory Guide 1.47 (1973) - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems
- a. Regulatory Positions C.1, C.2, and C.3 Automatic indication is provided in the control room to inform the operator that a system is out-of-service. Indicator lights indicate which part of a system is not operable. System out-of-service annunciators energize whenever one or more of the following conditions occur:
- 1. Trip units are being tested or a gross failure of a transmitter is detected.
CHAPTER 07 7.2-30 REV. 17, SEPTEMBER 2014
- 2. Trip units are out of their card file, or there is a loss of power to the transmitters, or trip units.
These are the only conditions expected to occur more than once a year that would cause inoperability of the RPS. In addition, there is a switch in the control room that the operator can use to manually bring up the system out-of-service annunciator.
Instruments that form part of a one-out-of-two-twice logic system can be removed from service for calibration. Removal of the instrument from service is indicated in the control room by manual actuation of the system out-of-service annunciator by the system out-of-service switch.
- b. Regulatory Position C.4 All the annunciators can be tested by depressing the annunciator test switches on the control room bench boards.
The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system.
- 1. Individual indicator lights are arranged together on the control room console to indicate what function of the system is out-of-service, bypassed, or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that prevent a system from operating if needed.
- 2. A manual switch is provided for manual actuation to cover out-of-service conditions that could not be automatically annunciated.
- 3. These indication provisions serve to supplement administrative controls and to aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function.
- 4. All system out-of-service annunciator circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects.
- 5. Each indicator light is provided with dual lamps. These are tested periodically, along with the other devices in the circuit.
7.2.2.1.2.1.8 RPS - Regulatory Guide 1.53 (1973) - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Compliance with Regulatory Guide 1.53 is obtained by specifying, designing, and constructing the RPS to meet the single failure criterion, section 4.2 of IEEE 279 (1971), "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 (1972), "IEEE Trial Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant instrument tubing, sensors, wiring, logic, and actuators are separated to ensure that a single failure in any portion of the RPS does not prevent protective action.
CHAPTER 07 7.2-31 REV. 17, SEPTEMBER 2014
LGS UFSAR Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it operates properly when required. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing, there are always enough channels and systems available for operation to provide proper protection action.
7.2.2.1.2.1.9 RPS - Regulatory Guide 1.62 (1973) - Manual Initiation of Protective Actions Means are provided for manual initiation of reactor manual scram at the system level through the use of four, armed push button switches, one for each trip logic. Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry. These switches are located on the control room bench board and are easily accessible to the operator so that action can be taken expeditiously.
The amount of equipment common to the initiation of both manual scram and automatic scram is kept to a minimum through the implementation of manual scram as close to the final devices (scram contactor) as practicable. No single failure in the manual, automatic, or common portions of the protection system prevents initiation of reactor scram by manual or automatic means.
The "minimum of equipment" objective is accomplished for the initiation of manual scram through its implementation "as close as practicable to" the final actuating devices (scram contactor) of the protection system.
Manual initiation of reactor scram, once initiated, goes to completion as required by IEEE 279 (1971), section 4.16.
7.2.2.1.2.1.10 RPS - Regulatory Guide 1.63 (1978) - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants Conformance to Regulatory Guide 1.63 is discussed in Section 8.1.6.1.12.
7.2.2.1.2.1.11 RPS - Regulatory Guide 1.68 (1978) - Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors Conformance to Regulatory Guide 1.68 is discussed in Section 14.2.
7.2.2.1.2.1.12 RPS - Regulatory Guide 1.75 (1978) - Physical Independence of Electric Systems Conformance is discussed in Section 8.1.6.14.
7.2.2.1.2.1.13 RPS - Regulatory Guide 1.89 (1974) - Qualification of Class 1E Equipment for Nuclear Power Plants Conformance is discussed in Sections 3.11 and 8.1.6.1.16.
7.2.2.1.2.1.14 RPS - Regulatory Guide 1.97 (1980) - Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident Conformance to this guide is discussed in Section 7.5.2.5.1.1.2.
CHAPTER 07 7.2-32 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.2.2.1.2.1.15 RPS - Regulatory Guide 1.100 (1977) - Seismic Qualification of Electric Equipment for Nuclear Power Plants General compliance for Regulatory Guide 1.100 is found in Section 3.10.2.
7.2.2.1.2.1.16 RPS - Regulatory Guide 1.105 (November 1976) - Instrument Setpoints RPS conformance to this guide is discussed in Section 7.1.2.5.25.
7.2.2.1.2.1.17 RPS - Regulatory Guide 1.118 (June 1978) - Periodic Testing of Electric Power and Protection Systems RPS conformance to this guide is discussed in Section 7.1.2.5.26.
Position C.5 for APRM:
With respect to conformance to position C.5, the inherent time response of the incore sensors used for APRM (fission detectors operated in the ionization chamber mode) is many orders of magnitude faster than the APRM channel response time requirements and the signal conditioning electronics.
The sensors cannot be tested without disconnecting and reconnecting to special test equipment.
7.2.2.1.2.2 RPS Conformance to 10CFR50, Appendix A, General Design Criteria 7.2.2.1.2.2.1 RPS - GDC 1 - Quality Standards and Records The QA program for the system ensures sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application. The QA program is discussed in Chapter 17.
Documents are maintained that demonstrate that all the requirements of the QA program are being satisfied. These records are maintained during the life of the operating licenses.
7.2.2.1.2.2.2 RPS - GDC 2 - Design Bases for Protection Against Natural Phenomena Wind and tornado loadings are discussed in Section 3.3, flood design is described in Section 3.4, and seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.
7.2.2.1.2.2.3 RPS - GDC 3 - Fire Protection The fire protection system and its design basis are discussed in Section 9.5.1. Fire protection for cable systems is described in Sections 8.3.1.1.7 and 8.3.1.1.8.
7.2.2.1.2.2.4 RPS - GDC 4 - Environmental and Dynamic Effects Design Bases The system is designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including LOCAs.
The system is appropriately protected against dynamic effects including the effects of missiles, pipe whipping, and discharging fluids that may result from equipment failures. Missile protection is discussed in Section 3.5, pipe whip in Section 3.6, and environmental qualification of equipment in Section 3.11.
CHAPTER 07 7.2-33 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.2.2.1.2.2.5 RPS - GDC 10 - Reactor Design The RPS is designed to monitor certain reactor parameters, to sense abnormalities, and to scram the reactor, thereby preventing fuel design limits from being exceeded when trip points are exceeded. Scram trip setpoints are selected based on operating experience and by the safety design basis. There is no case in which the scram trip setpoints allow the core to exceed the thermal-hydraulic safety limits. Power for the RPS is supplied by two independent uninterruptible ac power supplies.
The system is designed to ensure that the specified fuel and RCPB design limits are not exceeded during conditions of normal or abnormal operation.
7.2.2.1.2.2.6 RPS - GDC 12 - Suppression of Reactor Power Oscillations The system design provides protection from excessive fuel cladding temperatures and protects the RCPB from excessive pressures that threaten the integrity of the system. An OPRM Upscale Function BWROG Long Term Stability Solution Option III is incorporated into each APRM channel to detect power oscillations in the operating ranges where thermal-hydraulic instability has been determined to be credible. Upon detection of power oscillations, the OPRM Upscale Function generates a trip signal to RPS which results in an automatic scram to suppress the oscillation before the MCPR Safety Limit is reached. High reliability of the reactor protection system is achieved through the combination of redundant sensors, logic, trip channel actuators, and physical separation of these redundant portions of the RPS.
7.2.2.1.2.2.7 RPS - GDC 13 - Instrumentation and Control Instrumentation is provided to monitor the variables identified in Table 7.2-1 over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions. If these variables exceed a predetermined setpoint, the RPS automatically takes action to ensure the integrity of the reactor core and the RCPB.
7.2.2.1.2.2.8 RPS - GDC 15 - Reactor Coolant System Design The RPS acts to provide sufficient margin to ensure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including anticipated operational occurrences.
If the monitored variables exceed their predetermined settings, the RPS automatically responds to maintain the variables and systems within allowable design limits.
7.2.2.1.2.2.9 RPS - GDC 19 - Control Room Controls and instrumentation for the RPS are provided in the control room to allow the operator to safely shut down the plant. The reactor can also be shut down in an orderly manner from outside the control room as described in Section 7.4.1.4.
7.2.2.1.2.2.10 RPS - GDC 20 - Protection System Functions The RPS constantly monitors the appropriate plant variables to maintain the fuel barrier and primary coolant pressure boundary and initiates a scram automatically when the variables exceed the established setpoints.
CHAPTER 07 7.2-34 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.2.2.1.2.2.11 RPS - GDC 21 - Protection System Reliability and Testability The system is designed with four redundant, independent, and separated channels. No single failure can prevent a scram. Removal from service of any component or channel does not result in loss of the required minimum redundancy. The system can be tested during plant operation to ensure its reliability.
7.2.2.1.2.2.12 RPS - GDC 22 - Protection System Independence The redundant portions of the RPS are separated so that no single failure or credible natural disaster can prevent a scram. Even though the turbine scram inputs originate from the nonseismic turbine enclosure, reactor pressure and power are diverse to these turbine scram variables to ensure protective action during and following a seismic event. Diversity is used to the extent practicable in the monitoring of other variables as described in Section 7.2.1.1.4.6 to prevent loss of the protective function.
7.2.2.1.2.2.13 RPS - GDC 23 - Protection System Failure Modes The RPS is fail-safe. A loss of electrical power, a loss of air supply, or postulated adverse environments do not prevent a scram.
7.2.2.1.2.2.14 RPS - GDC 24 - Separation of Protection and Control Systems The RPS has no control function and no components common to any control systems. There are interlocks to control systems through isolation devices. Failure of any single control system component or channel leaves the integrity of the RPS system intact, without compromising any reliability, redundancy, or independence requirements of the RPS.
7.2.2.1.2.2.15 RPS - GDC 25 - Protection System Requirements for Reactivity Control Malfunctions The system provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier. Any monitored variable that exceeds the scram setpoint initiates an automatic scram and does not prevent the remaining variables from being monitored. Fuel design limits are not exceeded for any single malfunction of the reactivity control system.
7.2.2.1.2.2.16 RPS - GDC 29 - Protection Against Anticipated Operational Occurrences The RPS is highly reliable so that it causes a scram if there are anticipated operational occurrences where any of the RPS trip setpoints are exceeded.
7.2.2.1.2.3 RPS Conformance to Industry Codes and Standards Conformance of the transmitter/trip unit system, used in the RPS, is discussed in Licensing Topical Report NEDO-21617-A, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Inputs." Conformance of the other features with the industry standards is discussed in the following sections.
7.2.2.1.2.3.1 RPS - IEEE 279 (1971) - Criteria for Protection Systems for Nuclear Power Generating Stations CHAPTER 07 7.2-35 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.2.2.1.2.3.1.1 RPS - IEEE 279 (1971), Paragraph 4.1 - General Functional Requirement The following RPS trip variables provide automatic initiation of protective action in compliance with this requirement:
- a. SDV high water level trip
- b. MSIV closure trip
- c. Turbine stop valve closure trip
- e. Reactor vessel low water level trip
- f. Left blank intentionally.
- h. Neutron monitoring (IRM) system trip
- i. Drywell high pressure trip
- j. Reactor vessel high pressure trip The reactor system mode switch selects appropriate operating bypasses for various RPS variables in the shutdown, refuel, startup, and run modes of operation. Other manual controls, such as the SDV high water level bypass, the manual scram push button switches, and the three-position RPS reset switch are arranged to ensure that the process variables providing automatic initiation of protective action continue to remain in compliance with this requirement.
The three-position RPS reset switch is under the administrative control of the reactor operator.
Since the reset switch does not connect redundant circuits in parallel with the trip logic, failure of the reset switch cannot prevent initiation of protective action.
Manual reset by the operator bypasses the seal-in contact to permit a trip system to be reset to its normally energized state when all process sensor trip channels are within their normal (untripped) range of operation.
The trip system logic, scram contactors, and scram contactor logic are designed to comply with this requirement through automatic removal of electric power to the CRD scram solenoids when one or more RPS variables exceed the specified trip setpoint.
7.2.2.1.2.3.1.2 RPS - IEEE 279 (1971), Paragraph 4.2 - Single Failure Criterion The following RPS trip variables are individually implemented with four physically separated, redundant channels in compliance with this requirement:
- a. MSIV closure trip
- b. Turbine stop valve closure trip
- c. Turbine control valve fast closure trip CHAPTER 07 7.2-36 REV. 17, SEPTEMBER 2014
- d. Reactor vessel low water level trip
- e. Drywell high pressure trip
- f. Reactor vessel high pressure trip
- g. SDV high water level trip The APRM and IRM trips comply with the single failure criterion through the use of physical panel barriers and electrical isolation provisions to provide independence among the two redundant APRM 2-out-of-4 voter channels and four redundant IRM channels in either trip system A or B.
Four redundant APRM channels provide inputs to both trip system A and trip system B.
Redundant sensors, wiring, logic, and actuators are physically separated to prevent a single failure from preventing the protective action. Wiring between redundant portions of the RPS and between RPS and non-Class 1E circuitry is configured to eliminate a possible single failure.
Wiring to each group of scram solenoids is routed in individual raceways separated from wiring to the other groups of scram solenoids.
Wiring from each sensor to the relay cabinets is run in a separate, totally enclosed metallic raceway or embedded PVC conduit to maintain electrical isolation and physical separation among redundant sensor trip channels.
RPS manual controls also comply with the single failure criterion. Four manual scram push buttons are arranged into two groups on one control room panel. The switch contact blocks are physically separated by metal barriers.
The reactor mode switch consists of a single manual actuator connected to four separated switch banks. Each bank is housed within a fire-retardant cover. Contacts from each bank are wired in conduit to a metallic terminal box with separation barriers.
Although the SDV high water level trip bypass is controlled by only one switch, the design of the bypass circuit complies with the single failure criteria. This bypass requires manual operation of a bypass switch and the mode switch to establish four bypass channels; the design of the bypass function complies with this design requirement. For the bypass switch, a single operator connects to two physically and electrically separated blocks of switch contacts within the switch body that separates redundant trip channels. Wiring from the contacts is routed in conduit to separate metallic terminal boxes. One set of switch contacts in conjunction with separated mode switch contacts is used to energize each trip channel bypass relay when the bypass condition is desired.
There is no single failure of this bypass function that could establish a spurious bypass condition of more than one channel. Hence, this function complies with the single failure criterion.
The main steam line valve closure trip operating bypass is implemented with separated mode switch contacts.
The turbine stop valve closure trip and control valve fast closure trip operating bypass complies with the single failure criterion. Nonredundant pairs of pressure sensors are mounted at each of two, physically separated pressure taps located in the turbine steam supply lines upstream of the high pressure turbine first stage. Wiring from the metallic raceway or embedded PVC conduit CHAPTER 07 7.2-37 REV. 17, SEPTEMBER 2014
LGS UFSAR sensors is routed in a TEMR or to the RPS cabinets in the auxiliary equipment room. A single bypass is associated with a single trip channel for stop valve closure and for control valve fast closure. The worst case single failure could result in the bypass of the turbine stop valve closure and turbine control valve fast closure for the A and B trip logics or the C and D trip logics. The logic is arranged so that this failure does not interfere with the normal protective action of the RPS.
The three-position RPS reset switch and associated logic comply with this design requirement.
The reset switch is constructed with a single operator and two physically and electrically separated contact blocks. The wires from the contact blocks go through conduit to metallic terminal boxes.
Since the opening of the process sensor trip channel contact is the initiating event for reactor scram, failure of the reset switch does not prevent de-energization of the trip actuators during the time interval that the process actually exceeds the trip setpoint.
Those portions of the RPS downstream of the trip channels also comply with this design requirement. Any postulated single failure of a given trip logic does not affect the remaining three trip logics. Similarly, any single failure of a scram contactor does not affect the remaining scram contactors, and any single failure of one trip logic does not affect the other trip logics. The cabling associated with one control rod group is routed in conduit that is physically separated from similar cabling associated with the other control rod groups. Cabling from the scram contactor logic to the scram solenoid groups is routed in individual, totally-enclosed, metallic raceway or in PVC conduits when embedded in concrete to comply with this design requirement. Because both the "A" or "B" solenoid valves must de-energize to scram, the wiring of these two solenoids for one control rod group is routed together within a single raceway, separate from all other wiring.
7.2.2.1.2.3.1.3 RPS - IEEE 279 (1971), Paragraph 4.3 - Quality of Components and Modules All RPS trip variables are implemented with components and modules used on previous GE BWR plants and that exhibit high quality and high reliability characteristics.
The selected RPS manual switches are also of high quality and reliability.
The four pressure sensors selected for the turbine stop valve closure and control valve fast closure operating bypass are of high quality and reliability.
The RPS trip system logic consists of series-connected relay contacts from the trip channel output relays. The relays are of high quality and reliability.
The RPS scram contactor logic consists of interconnecting trip logics to form a trip system by means of scram contactor contacts. The scram contactors are of high quality and reliability.
7.2.2.1.2.3.1.4 RPS - IEEE 279 (1971), Paragraph 4.4 - Equipment Qualification Qualification tests of RPS equipment are conducted to confirm their adequacy. Details of this testing are contained in Section 3.10 and 3.11. In addition, the vendor is required to certify that the sensors associated with each of the RPS trip variables, manual switches, and trip logic components perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the qualification tests and existing field experience with these components in this application, serves to qualify these components.
CHAPTER 07 7.2-38 REV. 17, SEPTEMBER 2014
LGS UFSAR Qualification tests of the panels are conducted to confirm their adequacy. Details of this testing are contained in Sections 3.10 and 7.1.2.7.4.
7.2.2.1.2.3.1.5 RPS - IEEE 279 (1971), Paragraph 4.5 - Channel Integrity All the components of the RPS trip variables are specified to operate under normal and abnormal conditions of environment, energy supply, and accidents, except as follows:
- a. Turbine stop valve closure trip (not guaranteed to operate under an SSE design basis event)
- b. Turbine control valve fast closure trip (not guaranteed to operate under an SSE design basis event)
- c. Turbine stop valve bypass circuit (not guaranteed to operate under an SSE design basis event)
The RPS trip systems, trip logics, and scram contactors are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents.
The cables for the turbine stop valves and fast closure valves are run in protective conduit from the sensor to the seismic Category I qualified auxiliary equipment room. Each channel is run in its own conduit which provides the required separation. Starting at the sensor is a flexible metallic conduit section which is connected to a rigid steel conduit section leading to the flooring. The cables are routed in PVC conduit embedded in the floor from the turbine enclosure to the auxiliary equipment room, which contains the reactor trip system.
Table 7.3-6 shows these and other sensors and circuits located in nonseismically qualified structures. Drawings showing the cable routing are E-1112, E-1121, E-1124, E-1125, and E-1183.
The applicable sensors shown on E-1112 are ZS01-104A through D and PS01-102A through D.
The routing of the four cables, each in its own separate run, to the trip sensors in the turbine enclosure for the turbine stop valve and turbine valve fast closure trips is such that the only credible failures that will challenge the system are: 1) a SSE, 2) a turbine missile, and 3) a HELB. The expected failure mode caused by these events would be loss of the sensors due to opening or loss of continuity, which would result in a reactor trip.
If the trip sensors failed closed or shorted due to the fault, the reactor pressure and reactor power trips, which are diverse, will still function to prevent damage to the reactor. Shorting of a single sensor would not prevent protective action by the other sensors. Each of the inputs is isolated from the remainder of the RPS logic by the use of interposing relays. If a sensor circuit opened, the signal would be a trip from that input.
7.2.2.1.2.3.1.6 RPS - IEEE 279 (1971), Paragraph 4.6 - Channel Independence The four redundant trip channels for the following RPS trip variables are physically separated from one another to meet this design requirement:
- a. SDV high water level trip
- b. Turbine stop valve closure trip CHAPTER 07 7.2-39 REV. 17, SEPTEMBER 2014
- d. Reactor vessel low water level trip
- e. Left blank intentionally.
- f. Drywell high pressure trip
- g. Reactor vessel high pressure trip.
The individual switch boxes for the turbine variables are physically separated.
The MSIV closure trip is derived from 8 individual channels. Two channels associated with each trip logic are separated as shown in Figure 7-2.8.
The 8 IRM and 4 APRM channels and 4 APRM 2-out-of-4 voter channels are electrically isolated and physically separated from one another so as to comply with this design requirement.
The redundant scram push buttons are physically separated and electrically isolated to comply with this design requirement.
The mode switch banks are physically separated and electrically isolated to comply with this design requirement.
The circuitry for the RPS operating bypasses complies with this design requirement. Sufficient physical separation and electrical isolation of redundant circuits exists to ensure that the operating bypass channels are satisfactorily independent.
The four RPS reset channels to the trip logics are physically separated and electrically isolated.
Similarly, the four RPS trip logics and scram contactors are physically separated. The wiring to each rod group scram schedules A and B is routed in TEMRs with module wiring. The details of the physical independence provided between redundant channels are in Section 7.1.2.2.3.2.1.
7.2.2.1.2.3.1.7 RPS - IEEE 279 (1971), Paragraph 4.7 - Control and Protection System Interaction The RPS is electrically isolated from the plant control systems in compliance with this design requirement.
Each trip channel output relay uses one contact within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room, and another contact on each relay is wired to the process computer cabinets to provide a written log of the channel trips. There is no single failure that prevents proper functioning of any protective function when it is required.
The MSIV and turbine stop valve limit switch contacts for RPS use are routed through TEMRs separated from the other limit switches used for indicator lights in the control room. After the cabling emerges from the limit switch junction box associated with each MSIV or turbine stop valve, it is routed in Class 1E raceway to the RPS panels in the auxiliary equipment room.
Turbine control valve fast closure pressure sensor outputs for RPS use are routed separately relative to other outputs used for indicator lights and turbine control purposes. After the cabling CHAPTER 07 7.2-40 REV. 17, SEPTEMBER 2014
LGS UFSAR emerges from the junction boxes, it is routed in Class 1E raceway to the logic cabinets in the auxiliary equipment room.
Within the IRM modules (i.e., before their output trip unit driving the RPS), analog outputs are derived for use with control room meters, recorders, and the process computer. Electrical isolation is incorporated into the design at this interface to prevent any single failure from influencing the protective output from the trip unit. The trip unit outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panels.
Within the APRM equipment (i.e., before their output trip driving the RPS), analog outputs are derived for use with control room meters and recorders. Electrical isolation is incorporated into the design at this interface to prevent any single failure from influencing the protective trip output. The trip outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panel.
The manual scram push buttons have no control interaction.
The reactor system mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement. Additional contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator. No control functions are associated with the mode switch. Hence, the switch complies with this design requirement. The system interlocks to control systems only through isolation devices so that no failure or combination of failures in the control system has any effect on the RPS.
The RPS SDV high water level trip operating bypass complies with this design requirement. For each trip channel, one contact is used in the bypass logic. One contact of each relay is also wired to a common annunciator in the control room. One contact from A1 and one contact from B1 trip systems are wired to the control rod block circuitry to prevent rod withdrawal whenever the trip channel bypass is in effect. The system interlocks for control rod block are through isolation devices so that no failure or combination of failures in the control system has any effect on the RPS.
The MSIV closure trip bypass has no interaction with any control system in the plant. Two contacts of each relay are used to initiate a control room annunciator for this bypass function.
Turbine stop valve and control valve trip bypasses have no interaction with any control system in the plant. One output relay contact is used in the RPS trip logic, one output relay contact is used in the Recirc Pump Trip circuitry, and one additional contact from each relay is used to initiate a control room annunciator for this bypass function.
Switch contacts of the three-position reset switch are used only to control auxiliary relays.
Contacts from the relays are used only in the scram contactor coil circuits. Consequently, this RPS function has no interaction with any other system in the plant.
The four RPS trip logics are totally separate from all other plant systems. The RPS trip logics use the power contacts of the scram contactors to provide the scram contactor logic and the seal-in contact of the trip logics, and use auxiliary contacts for control room annunciation, the process computer inputs, and initiation of the backup scram valves. Because of the design of this output CHAPTER 07 7.2-41 REV. 17, SEPTEMBER 2014
LGS UFSAR and separation of the cabling, there is no interaction with control systems of the plant. The scram solenoids are physically separate and electrically isolated from the other portions of the CRD HCU.
In summary, the transmission of signals from the RPS to control systems is through isolation devices that are part of the RPS. No credible failure at the output of these isolation devices can prevent the RPS from meeting its minimum performance requirements. No single random failures can cause a control system action that results in a condition requiring action by the RPS that can also disable a portion of the RPS designed to protect against that condition.
An SSE is the only single credible event that can cause a control system action resulting in a condition requiring protective action and that can concurrently prevent operation of a portion of the RPS. In an SSE, the turbine stop valve closure trip and the turbine control valve fast closure trip may be disabled. The reactor vessel high pressure and high power trips provide diverse protection for this event.
7.2.2.1.2.3.1.8 RPS - IEEE 279 (1971), Paragraph 4.8 - Derivation of System Inputs The following RPS trip variables are direct measures of a reactor overpressure condition, a reactor overpower condition, a gross fuel damage condition, or abnormal conditions within the RCPB:
- a. Reactor vessel low water level trip
- b. Left blank intentionally.
- c. Neutron monitoring (APRM) system trip
- 1. Neutron flux trip
- 2. Simulated thermal power trip
- 3. OPRM upscale trip
- d. Neutron monitoring (IRM) system trip
- e. Drywell high pressure trip
- f. Reactor vessel high pressure trip The measurement of SDV water level is an appropriate variable for this protective function. The desired variable is "available volume" to accommodate a reactor scram. However, the measurement of consumed volume is sufficient to infer the amount of remaining available volume, because the total volume is a fixed, predetermined value established by the design.
The measurement of MSIV position and turbine stop valve position is an appropriate variable for the RPS. The desired variable is "loss of the reactor heat sink"; however, isolation or stop valve closure is the logical variable from which to infer that the steam path has been blocked between the reactor and the heat sink.
Because of the normal throttling action of the turbine control valves with changes in the plant power level, measurement of control valve position is not an appropriate variable from which to infer the desired variable, which is "rapid loss of the reactor heat sink." Consequently, a measurement of valve closure rate is necessary.
CHAPTER 07 7.2-42 REV. 17, SEPTEMBER 2014
LGS UFSAR Protection system design practice has discouraged the use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation would be a more positive means of determining fast closure of the control valves.
Loss of hydraulic pressure in the EHC oil lines, which initiates fast closure of the control valves, is monitored. These measurements indicate that fast closure of the control valves is imminent.
This measurement is adequate and a proper variable for the protective function, taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of control valve fast closure rate.
Since the mode switch is used to bypass certain RPS trips depending on the operating state of the reactor, the selection of particular contacts to perform this logic operation is an appropriate means for obtaining the desired function.
The turbine stop valve closure trip and control valve fast closure trip operating bypass permits continued reactor operation at low power levels when the turbine stop or control valves are closed.
The selection of turbine first-stage pressure is an appropriate variable for this bypass function. In the power range of reactor operation, turbine first-stage pressure is essentially linear with increasing reactor power. Consequently, this variable provides the desired measurement of power level.
7.2.2.1.2.3.1.9 RPS - IEEE 279 (1971), Paragraph 4.9 - Capability for Sensor Checks During reactor operation, the analog outputs of each of the four redundant transmitters for the following RPS trip variables may be directly cross-compared to meet this requirement:
- a. Reactor vessel low water level trip
- b. Drywell high pressure trip
- c. Reactor vessel high pressure trip During reactor operation, one transmitter of each of these variables may also be valved out of service at a time to perform calibration. During this test, operation of the sensor and the RPS trip unit and relay may be confirmed. At the conclusion of the test, administrative control must be used to ensure that the sensor has been properly returned to service.
In addition, the trip unit associated with these variables may be tested by injecting an electronic calibration signal into the trip unit input.
During reactor operation, the sensors associated with the SDV high water level trip may be valved out of service to perform a functional test. During the test, one RPS trip logic is tripped and produces both control room annunciation and computer logging of the trip. At the conclusion of the test, administrative control is used to ensure that the sensors have been returned to service.
The MSIV position switches are tested during valve movements that cause the limit switches to operate at the setpoint value of the valve position.
The eight MSIV isolation channels are combined into the four RPS logics as follows:
CHAPTER 07 7.2-43 REV. 17, SEPTEMBER 2014
- a. A1 (tripped) = inboard or outboard valve partially closed in main steam line A, and inboard or outboard valve partially closed in main steam line B
- b. A2 (tripped) = inboard or outboard valve partially closed in main steam line C, and inboard or outboard valve partially closed in main steam line D
- c. B1 (tripped) = inboard or outboard valve partially closed in main steam line A, and inboard or outboard valve partially closed in main steam line C
- d. B2 (tripped) = inboard or outboard valve partially closed in main steam line B, and inboard or outboard valve partially closed in main steam line D For any test of a single valve closure, two of the eight instrument channels are placed in a tripped condition, but none of the channel logics is tripped, and no RPS annunciation or NSSS computer logging occurs. This arrangement permits single valve testing without corresponding tripping of the RPS. At full power operation the main steam line closure logic test switch for one main steam line may be opened, and the other MSIV may be closed to produce a channel trip with annunciation and computer output.
At reduced power levels, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. For example, closure of one valve in main steam line A and another valve in main steam line B produces an A1 logic trip and does not produce trips in A2, B1, or B2 channel logic circuits. These observations are another important test result that confirms proper RPS operation.
In sequence, each possible combination of single valve closure and switch operation is performed to confirm proper operation of all eight instrument channels.
The turbine stop valve position switches are also tested during valve movements that cause the limit switches to operate at the setpoint value.
The eight turbine stop valve isolation channels are combined into the four RPS logics as follows:
- a. A1 (tripped) = turbine stop valve 3 partially closed, and turbine stop valve 4 partially closed
- b. A2 (tripped) = turbine stop valve 1 partially closed, and turbine stop valve 2 partially closed
- c. B1 (tripped) = turbine stop valve 1 partially closed, and turbine stop valve 3 partially closed
- d. B2 (tripped) = turbine stop valve 2 partially closed, and turbine stop valve 4 partially closed For any test of a single stop valve closure, two of the eight instrument channels are placed in a tripped condition, but none of the RPS trip logics is tripped, and no RPS annunciation or NSSS computer logging occurs. This arrangement permits single valve testing without corresponding tripping of the RPS, and the observation that no RPS trips result is a valid and necessary test CHAPTER 07 7.2-44 REV. 17, SEPTEMBER 2014
LGS UFSAR result. At full power, the stop valve logic test switch can be activated and the other stop valve in the same logic can be closed, causing a logic trip with annunciation and computer logging.
At reduced power levels, but greater than 29.5% of rated power, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. These observations are another important test result that confirms proper RPS operation.
In sequence, each possible combination of single valve closure and test switch operation is performed to confirm proper operation of all eight instrument channels.
The turbine control valve fast closure EHC oil pressure sensors may be tested during the routine turbine system tests. During any control valve fast closure test, one RPS trip logic is tripped and produces both control room annunciation and computer logging of the trip.
The four RPS instrument logics are arranged as follows, assuming initial operation above 29.5% of rated power:
- a. A1 (tripped) = pressure switch A loss of oil pressure
- b. A2 (tripped) = pressure switch B loss of oil pressure
- c. B1 (tripped) = pressure switch C loss of oil pressure
- d. B2 (tripped) = pressure switch D loss of oil pressure During reactor operation in the run mode, the IRM detectors are stored below the reactor core in a low flux region. Movement of the detectors into the core permits the operator to observe the instrument response from the different IRM channels and confirms that the instrumentation is operable.
Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input, and each IRM instrument channel may be calibrated by introducing an external signal source into the amplifier input.
During these tests, proper instrument response may be confirmed by observation of instrument lights in the control room and trip annunciators.
Proper operation of the mode switch may be verified by the operator during plant operation by performing certain sensor tests to confirm proper RPS operation. Movement of the mode switch from one position to another is not required for these tests, since the connection of appropriate sensors to the RPS logic as well as the bypass of inappropriate sensors may be confirmed from the sensor tests.
7.2.2.1.2.3.1.10 RPS - IEEE 279 (1971), Paragraph 4.10 - Capability for Testing and Calibration The following RPS trip variable sensors may be tested by cross-comparison of channels. They also have provisions for sensor test and calibration during reactor operation in compliance with this design requirement. See Section 7.1.3.
- a. Reactor vessel low water level trip CHAPTER 07 7.2-45 REV. 17, SEPTEMBER 2014
- c. Neutron monitoring (IRM) system trip
- d. Drywell high pressure trip
- e. Reactor vessel high pressure trip.
A test of individual SDV water level switches can be performed during full power operation by valving out the sensor and injecting water into a test tap. At plant shutdown, the level switches may be calibrated by introducing a fixed volume of water into the discharge volume and observing that all level switches operate at the specified capacity.
During plant operation the operator can set the turbine stop valve or main steam line closure logic test switch in a test position and actuate the other valve, which results in a logic trip, with annunciation and computer logging. The operator can confirm that the MSIV and turbine stop valve limit switches operate during valve motion, from fully open to fully closed and vice-versa, by comparing the time that the RPS channel trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fully open and fully closed. This test does not confirm the exact setpoint but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. During reactor shutdown, calibration of the MSIV and turbine stop valve limit switch setpoint is possible by physical observation of the valve stem.
During reactor operation, the operability of the individual EHC oil line pressure sensors associated with turbine control valve fast closure is confirmed during each test of the turbine control valve closure. Calibration of the sensor may be accomplished by valving one sensor out-of-service at a time and introducing a test pressure input during shutdown.
The APRMs are calibrated to reactor power by using a reactor heat balance and the TIP system to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined.
The gain adjustment factors for the LPRMs are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These adjustments, when incorporated into the LPRMs, permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power.
During reactor operation, one manual scram push button may be depressed to test the proper operation of the switch and trip logic relay. Once the RPS has been reset, the other switches may be depressed to test their operation one at a time. For each such operation, a control room annunciation is initiated and the process computer logs the trip.
Operation of the reactor mode switch from one position to another may be employed to confirm certain aspects of the RPS trip channels during periodic test and calibration at shutdown only.
During tests of the trip channels, proper operation of the mode switch contacts may be easily verified by noting that certain sensors are connected into the RPS logic and that other sensors are bypassed in the RPS logic in an appropriate manner dependent on the position of the mode switch.
CHAPTER 07 7.2-46 REV. 17, SEPTEMBER 2014
LGS UFSAR In the startup and run modes of plant operation, tests confirm that SDV high water level trip channels cannot be bypassed as a result of the operating bypass switches. In the shutdown and refuel modes of plant operation, tests may be used to bypass all four scram discharge volume trip channels. Because of the discrete on-off nature of the bypass function, calibration is not meaningful.
Administrative control must be exercised to valve one turbine first-stage pressure sensor out-of-service for the periodic test. During this test, a variable pressure source may be introduced to operate the sensor at the setpoint value. When the condition for bypass has been achieved on an individual sensor under test, the control room annunciator for this bypass function is initiated. If the RPS trip channel associated with this sensor has been in its tripped state, the process computer logs the return-to-normal state for the RPS trip logic. When the plant is operating above the switch setpoint, testing of the turbine stop valve and control valve fast closure trip channels confirms that the bypass function is not in effect.
Operation of the three-position RPS reset switch following a trip of one RPS trip system confirms that the switch is performing its intended function. Operation of the reset switch following trip of both RPS trip systems confirms that all portions of the switch and relay logic are functioning properly, since half of the scram contactors are returned to a normal state for each actuation of the switch.
The manual scram switches permit each trip logic, scram contactor, and scram contactor logic to be tested on a periodic basis. Testing of each process sensor of the protection system affords an opportunity to verify proper operation of these components. Calibration of the time response of the trip channel relays and trip logics may be accomplished by the connection of external test equipment.
7.2.2.1.2.3.1.11 RPS - IEEE 279 (1971), Paragraph 4.11 - Channel Bypass or Removal from Operation The following RPS trip variables have no provision for sensor removal from service because of the use of valve position limit switches as the channel sensor:
- a. MSIV closure trip
- b. Turbine stop valve closure trip During periodic testing of any one of the following trip channels, a sensor may be valved out of service and returned to service under administrative control procedures. Since only one sensor is valved out-of-service at any given time during the test interval, protective capability for the following RPS trip variables is maintained through the remaining redundant instrument channels:
- a. SDV high water level trip
- c. Reactor vessel low water level trip
- d. Drywell high pressure trip
- e. Reactor vessel high pressure trip CHAPTER 07 7.2-47 REV. 17, SEPTEMBER 2014
LGS UFSAR A sufficient number of IRM channels are provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the IEEE 279 single failure design requirements.
One IRM manual bypass switch is provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be bypassed at any time. To accommodate a single failure of this bypass switch, electrical interlocks are incorporated into the bypass logic to prevent the bypassing of more than one IRM in that trip system at any time. Consequently, with any IRM bypassed in a given trip system, three IRM channels remain in operation to satisfy the protection system requirements.
One manual APRM bypass switch is provided for all four APRM channels. This is a mechanical/optical switch which allows only one APRM channel to be bypassed at any time. This interlock is accomplished independently in each of the APRM 2-out-of-4 voter channels. With any one APRM channel bypassed, the three remaining operating channels provide the necessary protection of the reactor.
None of the APRM 2-out-of-4 voter channels may be bypassed.
7.2.2.1.2.3.1.12 RPS - IEEE 279 (1971), Paragraph 4.12 - Operating Bypasses The following RPS trip variables have no provision for an operating bypass:
- a. Reactor vessel low water level trip
- b. Left blank intentionally.
- c. Neutron monitoring (APRM) system trip
- d. Drywell high pressure trip
- e. Reactor vessel high pressure trip An operating bypass of the SDV high water level trip is provided in the control room for the operator to use to bypass the trip outputs in the shutdown and refuel modes of operation. Control of this bypass is achieved through administrative means, and its only purpose is to permit reset of the RPS following reactor scram. The bypass is manually initiated and must be manually removed to commence withdrawal of control rods after a reactor shutdown.
An operating bypass is provided for the MSIV closure trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in the shutdown, refuel, or startup positions. The only purpose of this bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the MSIVs closed or not fully open.
The operating bypasses of the NMS are controlled by the reactor mode switch located on the control room reactor control bench board. When the reactor mode switch is in the RUN mode, the IRM trips are bypassed; protection is provided by the APRM and OPRM trips. When the reactor mode switch is not in the RUN mode, the IRM and APRM flux trips are active, but the OPRM trip is bypassed. As reactor power is increased and the APRM system reaches CHAPTER 07 7.2-48 REV. 17, SEPTEMBER 2014
LGS UFSAR its operating range, by procedure the IRM detectors are withdrawn from the reactor core. When reactor power is decreased to the IRM operating range, by procedure the IRM detectors are inserted into the reactor core.
For each of these operating bypasses, four independent bypass channels are provided through the mode switch to ensure that all of the protection system criteria are satisfied.
An operating bypass of the turbine stop valve and control valve fast closure trip is provided whenever the turbine is operating at a low initial power level. The purpose of the bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the turbine stop valves not fully open.
During normal plant operation above the switch setpoint, the bypass is automatically removed.
Under these conditions, removal of the bypass for periodic testing is permitted, since it has no effect on plant safety. Under plant conditions below the switch setpoint, one bypass channel may be removed from service at a time without initiating protective action or affecting plant safety. This removal from service is accomplished under administrative control of plant personnel.
7.2.2.1.2.3.1.13 RPS - IEEE 279 (1971), Paragraph 4.13 - Indication of Bypasses The mode switch produces operating bypasses that need not be annunciated, because they are numbered by manual reactor operating sequence.
The control room operator must exercise administrative control over the valving out-of-service of one RPS trip variable sensor at a time. The out-of-service condition is manually alarmed as described in Section 7.2.2.1.2.1.7. Once a sensor is removed from service and a simulated test signal is introduced in excess of the setpoint, a control room annunciator indicates the tripped condition, and the process computer provides a typed record of the channel identification. The trip unit in calibration also causes actuation of the system out-of-service annunciator.
When any IRM or APRM instrument channel output to the RPS is bypassed, this fact is indicated by lights for each channel located on the control room panels.
Operating bypasses are annunciated in the control room. The SDV high water level trip operating bypass, the MSIV closure trip operating bypass, and the turbine stop valve closure and control valve fast closure trips operating bypass are individually annunciated to the operator.
When the conditions for any single bypass channel are satisfied, the control room operator is notified by an annunciator for the particular set of bypass conditions. Bypassing is not allowed in the trip logic or scram contactor logic.
7.2.2.1.2.3.1.14 RPS - IEEE 279 (1971), Paragraph 4.14 - Access to Means for Bypassing All instrumentation valves associated with the periodic testing of individual RPS trip variable sensors are under administrative control.
During periodic testing, administrative control procedures must be followed to remove one main steam line high radiation monitor from service and subsequently return it to service.
CHAPTER 07 7.2-49 REV. 17, SEPTEMBER 2014
LGS UFSAR Manual bypassing of any IRM or APRM channel is accomplished with control room selector switches under the administrative control of the operator.
Manual controls for the SDV high water level trip operating bypass and the MSIV closure trip operating bypass are located in the control room and are under the direct administrative control of the operator. Manual key-lock switches are used to control these operating bypasses.
The mode switch is a key-lock switch under the administrative control of plant personnel. Since other controls must be operated or other sensors must be in an appropriate state to complete the operating bypass logic, the mode switch itself satisfies this requirement.
Under normal operating conditions, all four channels of the turbine stop valve closure trip and control valve fast closure trip operating bypass are in operation and are automatically removed from service as reactor power is increased above the switch setpoint and are automatically reinstated as reactor power is reduced below this same setpoint. During periodic testing of each bypass channel, one sensor is removed from service under administrative control.
7.2.2.1.2.3.1.15 RPS - IEEE 279 (1971), Paragraph 4.15 - Multiple Setpoints The design requirement is not applicable to the following RPS trip variables, because the setpoint values are fixed and do not vary with other reactor or plant parameters:
- a. SDV high water level trip
- b. MSIV closure trip
- c. Turbine stop valve closure trip
- e. Reactor vessel low water level trip
- f. Left blank intentionally.
- g. Neutron monitoring neutron flux and OPRM trips
- h. Drywell high pressure trip
- i. Reactor vessel high pressure trip The trip setpoint of each IRM channel is established at a fixed percentage of full-scale for each range of IRM operation. The IRM is a linear, half decade per range instrument. Therefore, as the operator switches an IRM from one range to the next, the trip setpoint tracks the operator's selection. In the startup mode the APRM Neutron Flux - Upscale trip setpoint is reduced to 15% of Rated Thermal Power.
In the run mode, the APRM Simulated Thermal Power - Upscale trip varies automatically with recirculation flow. For further discussion, see Section 7.6.1.4.
Each of these multiple setpoint provisions is a portion of the RPS and complies with the design requirements of IEEE 279.
CHAPTER 07 7.2-50 REV. 17, SEPTEMBER 2014
LGS UFSAR Operation of the mode switch from one position to another bypasses various RPS trip channels in accordance with the reactor conditions implied by the given position of the mode switch. This action does not influence the established setpoint of any given RPS trip channel, but merely connects one set of channels as another set is disconnected. Consequently, the mode switch meets this design requirement.
7.2.2.1.2.3.1.16 RPS - IEEE 279 (1971), Paragraph 4.16 - Completion of Protective Action Once It Is Initiated It is only necessary that the instrument channel remain in a tripped condition for a sufficient length of time to de-energize the scram contactors and open their seal-in contacts.
Once the manual scram push buttons are depressed, it is only necessary to maintain them in that condition until the scram contactors have de-energized and opened their seal-in contacts.
The function of the mode switch is to provide appropriate RPS trip channels for the RPS trip logic on a steady-state basis for each of four given reactor operating states: shutdown, refuel, startup, and run. Protective action, in terms of the needed transient response, is derived from the other portions of the trip channels independent of the mode switch. Hence, the mode switch does not influence the completion of protective action in any manner.
The turbine operating bypass is put into effect only when the turbine first-stage pressure is at or below a preset level. For plant operation above this setpoint, the trip channels initiate protective action once the scram contactors have de-energized and opened the seal-in contact.
The interface of the RPS trip logic and the scram contactors ensures that this design requirement is accomplished. The trip logic is normally energized and is sealed in by one of the contacts of the scram contactor. Once the trip logic has been open-circuited as a result of a process sensor trip channel becoming tripped or the depression of a manual scram push button, the scram contactor seal-in contact opens, and completion of protective action is directed without regard to the state of the initiating process sensor trip channel.
Reset of the RPS logic is permissible only after a 10 second time delay and requires deliberate operator action.
7.2.2.1.2.3.1.17 RPS - IEEE 279 (1971), Paragraph 4.17 - Manual Initiation Four manual scram push button controls are provided on one control room panel to permit manual initiation of reactor scram at the system level. Failure of an automatic RPS function cannot prevent the manual portions of the system from initiating the protective action. The manual scram push buttons are wired as close as is practicable to the scram contactor coil circuits to minimize the dependence of manual scram capability on other equipment.
Additional backup to these manual controls is provided by the shutdown position of the reactor system mode switch.
No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram.
7.2.2.1.2.3.1.18 RPS - IEEE 279 (1971), Paragraph 4.18 - Access to Setpoint Adjustments, Calibration, and Test Points CHAPTER 07 7.2-51 REV. 17, SEPTEMBER 2014
LGS UFSAR During reactor operation, access to setpoint or calibration control is not possible for the SDV high water level trip. (The instrument is accessible, but the setpoint is not adjustable).
Access to setpoint adjustments, calibration controls, and test points for the following RPS trip variables is under the administrative control of plant personnel:
- a. Main steam line isolation valve closure trip (accessible with radiation exposure)
- b. Turbine stop valve closure trip (accessible with radiation exposure)
- c. Turbine control valve fast closure trip (accessible with radiation exposure)
- d. Turbine stop valve closure and turbine control valve fast closure trip bypass (accessible with radiation exposure)
- e. Reactor vessel low water level trip
- f. Left blank intentionally.
- h. Neutron monitoring (IRM) system trip
- i. Drywell high pressure trip
- j. Reactor vessel high pressure trip 7.2.2.1.2.3.1.19 RPS - IEEE 279 (1971), Paragraph 4.19 - Identification of Protective Actions When any one of the redundant sensors exceeds its setpoint value for the following RPS trip variables, a control room annunciator is initiated to identify the particular variable:
- a. SDV high water level trip
- c. Reactor vessel low water level trip
- d. Left blank intentionally.
- f. Neutron monitoring (IRM) system trip
- g. Drywell high pressure trip
- h. Reactor vessel high pressure trip Identification of the particular trip channel exceeding its setpoint is accomplished as a typed record from the process computer or visual observation of the annunciators.
CHAPTER 07 7.2-52 REV. 17, SEPTEMBER 2014
LGS UFSAR When any manual scram push button is depressed, a control room annunciation is initiated and a process computer record is produced to identify the tripped RPS trip logic.
Identification of the mode switch in shutdown position scram trip is provided by the manual scram annunciator and the process computer trip logic identification printout.
Partial or full closure of any MSIV or turbine stop valve causes a change in the status of position indicator lights in the control room. These indications are not a part of the RPS, but they do provide the operator with valid information pertinent to the valve status. Partial or full closure of one or both valves in a particular set of two main steam lines initiates a control room annunciator when the trip setpoint has been exceeded. A turbine stop valve closure trip will be indicated if an RPS channel is tripped by a two-out-of-four valve closure combination. This information is displayed on panel 1AC803 (reactor control annunciator panel) and on the main turbine annunciator panel (1BC807). The closed position of each turbine stop valve is also indicated in the control room using a position switch independent of those used in the RPS logic and powered from a separate electrical power source. This same condition permits identification of the tripped channels in the form of a typed record from the process computer or by visual observation of the valve position indicator lights.
NMS annunciators provided in the control room indicate the NMS RPS trip. The process computer provides a typed record of the tripped NMS channel as well as identification of individual IRM and APRM channel trips.
Two control room annunciators are provided to identify the tripped portions of the RPS in addition to the previously described trip channel annunciators:
- a. A1 or A2 trip logics tripped
- b. B1 or B2 trip logics tripped These same functions are connected through independent auxiliary contacts of the scram contactors to the process computer to provide a typed record of the relay operations.
7.2.2.1.2.3.1.20 RPS - IEEE 279 (1971), Paragraph 4.20 - Information Readout The data presented to the control room operator for each of the RPS trip variables complies with this design and provide accurate, complete, and timely information pertinent to the status of the RPS. The design minimizes the development of conditions that would cause anomalous indications that are confusing to the operator.
7.2.2.1.2.3.1.21 RPS - IEEE 279 (1971), Paragraph 4.21 - System Repair During periodic testing of the sensor channels for the following RPS trip variables, the operator can determine any defective component and replace it during plant operation:
- a. SDV high water level trip
- b. Reactor vessel low water level trip
- c. Drywell high pressure trip CHAPTER 07 7.2-53 REV. 17, SEPTEMBER 2014
- d. Reactor vessel high pressure trip During periodic testing of the sensor channels for the trip variables listed below, all defective components can be identified. Replacement and repair of failed sensors can only be accomplished during reactor shutdown. All other components can be replaced, repaired, or adjusted during plant operation.
- a. MSIV closure trip
- b. Turbine stop valve closure trip
- c. Left blank intentionally.
- e. Neutron monitoring (IRM) system trip
- f. Turbine control valve fast closure trip Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the NMS may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair.
7.2.2.1.2.3.1.22 RPS - IEEE 279 (1971), Paragraph 4.22 - Identification of Protection Systems Each system logic cabinet is identified distinctively as being in the protection system, and the particular redundant portion is listed on a distinctive marker plate. Cabling outside the cabinets is identified specifically as RPS wiring. An identification scheme is used to distinguish between redundant cables and raceways. Redundant racks are identified by the identification marker plates of instruments on the racks. Control room devices are identified by tags on the panels. These tags indicate the function of the device.
7.2.2.1.2.3.2 RPS - IEEE 308 (1971) - Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations The RPS is a fail-safe logic system, and its power supplies are non-Class 1E. The backup scram circuitry is powered by Class 1E power. The backup scram circuitry is designed to meet the requirements of IEEE 308 (1971).
7.2.2.1.2.3.3 RPS - IEEE 317 (1972) - Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations See the discussion of Regulatory Guide 1.63 in Section 8.1.6.1.12.
7.2.2.1.2.3.4 RPS - IEEE 323 (1971) - IEEE Trial Use Standard: General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations IEEE 323 (1971) is satisfied by complete qualification testing and certification of all essential components. Records covering all essential components are maintained.
CHAPTER 07 7.2-54 REV. 17, SEPTEMBER 2014
LGS UFSAR 7.2.2.1.2.3.5 RPS - IEEE 336 (1971) - Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations See Chapter 17.
7.2.2.1.2.3.6 RPS - IEEE 338 (1971) - Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems IEEE 338 (1971) is satisfied by being able to test the RPS from sensors to the scram contactors at any time during plant operation. The tests are performed in overlapping portions.
7.2.2.1.2.3.7 RPS - IEEE 344 (1971) - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Station IEEE 344 (1971) is satisfied by all Class 1 RPS equipment as described in Section 3.10.
The above does not apply to turbine stop valve and control valve fast closure trips during or after an SSE, as discussed in Section 7.2.1.2.8.
7.2.2.1.2.3.8 RPS - IEEE 379 (1972) - Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems IEEE 379 (1972) requirements are satisfied by considering the different single failure modes and carefully designing all potential violations of the single failure criterion out of the system.
7.2.2.1.2.3.9 RPS - IEEE 384 (1974) - Criteria for Separation of Class 1E Equipment and Circuits See Section 7.1.2.7.11.
The standard requires that redundant sensors and their connections to the process system be sufficiently separated to ensure that functional capability of the protection system is maintained despite any single design basis event or resulting effect.
The RPS conforms to IEEE 384 except for the requirement that redundant sensors and their connections to the process system be sufficiently separated to ensure that functional capability of the protection system is maintained despite any single design basis event or resulting effect. The above does not apply to the turbine stop valve and control valve fast closure trips in a nonseismic turbine enclosure during or after an SSE, as discussed in Section 7.2.1.2.8.
Additional details of the separation criteria used for the RPS are provided in Sections 8.1.6.1.14 and 7.1.2.2.
7.2.2.1.2.4 RPS Power Generation Design Bases The RPS is a one-out-of-two-twice logic system, which inherently provides both reliability of action and availability of function. This permits testing during reactor operation without causing a scram.
7.2.2.1.3 RPS Additional Design Considerations Analyses 7.2.2.1.3.1 RPS Spurious Rod Withdrawals CHAPTER 07 7.2-55 REV. 17, SEPTEMBER 2014
LGS UFSAR Spurious control rod withdrawals do not normally cause a scram.A control rod withdrawal block may occur, however. Rod block is discussed in Section 7.6.1.4 and is not part of the RPS. A scram does occur, however, if the spurious control rod withdrawal causes the average flux to exceed the trip setpoint.
7.2.2.1.3.2 Loss of Plant Instrument Air System Loss of plant instrument air causes opening of the scram valves on the hydraulic control units, resulting in a scram.
7.2.2.1.3.3 Loss of Cooling Water to Vital Equipment There is no loss of cooling water that affects the RPS.
7.2.2.1.3.4 Plant Load Rejection Electrical grid disturbances could cause a significant loss of load that would initiate a turbine-generator overspeed trip and control valves fast closure, resulting in a reactor scram. The reactor scram occurs to anticipate an increase in reactor vessel pressure that is due to shutting off the path of steam flow to the turbine. Any additional increase in pressure is prevented by the SRVs that open to relieve reactor pressure and close as pressure is reduced. The RCIC or HPCI systems automatically actuate and provide vessel makeup water if required.
The fuel temperature or pressure boundary thermal-hydraulic limits are not exceeded during the event, as described in Chapter 15.
7.2.2.1.3.5 Turbine Trip Initiation of turbine trip by the turbine system closes the turbine stop valves initiating a reactor scram. The stop valve scram anticipates a reactor pressure or power scram that is due to the closure of turbine stop valves. Any additional increase in reactor vessel pressure is prevented by the SRVs that open to relieve reactor vessel pressure and close as pressure is reduced. The RCIC and HPCI automatically actuate and provide vessel makeup water if a low water level occurs.
Initiation of turbine trip by loss of condenser vacuum causes simultaneous closure of the turbine stop valves and MSIVs initiating a reactor scram.
The fuel temperature, pressure boundary, and thermal-hydraulic limits are not exceeded during these events, as described in Chapter 15.
7.
2.3 REFERENCES
7.2-1 W.R. Morgan, "Incore Neutron Monitoring System for General Electric Boiling Water Reactors", APED-5706, (November 1968, Revised April 1969).
CHAPTER 07 7.2-56 REV. 17, SEPTEMBER 2014
LGS UFSAR Table 7.2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS SCRAM FUNCTION INSTRUMENT INSTRUMENT RANGE Reactor vessel high Pressure sensor 0-1500 psi pressure Drywell high pressure Pressure sensor 0-10 psig Reactor vessel low Level sensor 0-60 inches(1) water level (2)
SDV high water level Level switch Level transmitter 0-100 in H2O Turbine stop valve Position switch 0-100%
closure Turbine control valve Pressure sensor 250-3000 psig fast closure MSIV closure Position switch 0-100%
Neutron monitoring IRM 0-125 divisions system trips APRM Neutron Flux- 10%-125% rated Upscale trip thermal power APRM Simulated 10%-125% rated Thermal Power- thermal power Upscale trip OPRM Upscale Trip Period Based Detection Algorithm -
Confirmation Count: 2-25 Amplitude: 1.00-1.30 Amplitude Based Algorithm: 1.05-1.50 Growth Rate Algorithm: 1.00-1.50 SDV high water level Bypass switch --
trip bypass CHAPTER 07 7.2-57 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.2-1 (Continued)
SCRAM FUNCTION INSTRUMENT INSTRUMENT RANGE Turbine stop valve Pressure sensor 0-1000 psi and control valve fast closure trip bypass MSIV closure trip Reactor mode switch --
bypass (1)
Instrument zero equal to 527.5 inches above vessel zero.
(2)
Instrument range dependent on installation.
CHAPTER 07 7.2-58 REV. 13, SEPTEMBER 2006
LGS UFSAR Table 7.2-2 TRIP SYSTEM CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF RPS This table shows the normal and minimum number of trip system channels required for the functional performance of the RPS. The "normal" column lists the normal number of channels provided per trip system. The "minimum" column lists the minimum number of trip system operable channels required to maintain functional performance.
Channel Description Normal Minimum Neutron monitoring system (APRM)(4)(5) 4 3 Neutron monitoring system 2 2 APRM 2-out-of-4 voter (5)
Neutron monitoring system (IRM)(1) 4 3 Nuclear system high pressure 2 2 Drywell high pressure 2 2 Reactor vessel low water level 2 2 SDV high water level 2 2 Manual scram 2 2 Each MSIV position(2) 1/valve 1/valve Each turbine stop valve position(3) 1/valve 1/valve Turbine control valve fast closure, 2 2 trip oil pressure low (3)
Reactor mode switch shutdown position 2 2 (1)
Not required in run and shutdown modes (2)
Not required in shutdown, refuel and startup modes (3)
Not required when reactor power is less than 29.5% of rated power (4)
APRM channels, including OPRM trip, provide input to both RPS trip systems via the 2-out-of-4 voters.
(5)
Not required in shutdown and refuel modes.
CHAPTER 07 7.2-59 REV. 16, SEPTEMBER 2012