ML11221A250

Amendment 102 to Final Safety Analysis Report (Fsar), Section 7, Instrumentation and Controls
Person / Time
Site: Watts Bar (Tennessee Valley Authority)
Issue date: 12/17/2010
From:
Tennessee Valley Authority
To:
Office of Nuclear Reactor Regulation
References
Download: ML11221A250 (272)


Text

WATTS BAR TABLE OF CONTENTS

Section Title Page

7.0 INSTRUMENTATION AND CONTROLS
7.1 INTRODUCTION 7.1-1
7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS 7.1-4
7.1.1.1 SAFETY-RELATED SYSTEMS 7.1-4
7.1.1.2 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.1-5
7.1.1.3 INSTRUMENTATION AND CONTROL SYSTEM DESIGNERS 7.1-5
7.1.1.4 PLANT COMPARISON 7.1-5
7.1.2 IDENTIFICATION OF SAFETY CRITERIA 7.1-5
7.1.2.1 DESIGN BASES 7.1-8
7.1.2.2 INDEPENDENCE OF REDUNDANT SAFETY-RELATED SYSTEMS 7.1-13
7.1.2.3 PHYSICAL IDENTIFICATION OF SAFETY-RELATED EQUIPMENT 7.1-16
7.1.2.4 PROCESS SIGNAL ISOLATION RELAYS 7.1-17
7.2 REACTOR TRIP SYSTEM 7.2-1
7.2.1 DESCRIPTION 7.2-1
7.2.1.1 SYSTEM DESCRIPTION 7.2-1
7.2.1.2 DESIGN BASES INFORMATION 7.2-16
7.2.1.3 FINAL SYSTEMS DRAWINGS 7.2-19
7.2.2 ANALYSES 7.2-19
7.2.2.1 EVALUATION OF DESIGN LIMITS 7.2-20
7.2.2.2 EVALUATION OF COMPLIANCE TO APPLICABLE CODES AND STANDARDS 7.2-22
7.2.2.3 SPECIFIC CONTROL AND PROTECTION INTERACTIONS 7.2-32
7.2.2.4 ADDITIONAL POSTULATED ACCIDENTS 7.2-35
7.2.3 TESTS AND INSPECTIONS 7.2-35
7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM 7.3-1
7.3.1 DESCRIPTION 7.3-1
7.3.1.1 SYSTEM DESCRIPTION 7.3-1
7.3.1.2 DESIGN BASES INFORMATION 7.3-6
7.3.1.3 FINAL SYSTEM DRAWINGS 7.3-8
7.3.2 ANALYSIS 7.3-9
7.3.2.1 SYSTEM RELIABILITY/AVAILABILITY AND FAILURE MODE AND EFFECT ANALYSES 7.3-9
7.3.2.2 COMPLIANCE WITH STANDARDS AND DESIGN CRITERIA 7.3-9
7.3.2.3 FURTHER CONSIDERATIONS 7.3-16
7.3.2.4 SUMMARY 7.3-16
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN 7.4-1
7.4.1 DESCRIPTION 7.4-1
7.4.1.1 MONITORING INDICATORS 7.4-1
7.4.1.2 CONTROLS 7.4-2
7.4.1.3 EQUIPMENT AND SYSTEMS AVAILABLE FOR COLD SHUTDOWN 7.4-5
7.4.2 ANALYSIS 7.4-5
7.5 INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY 7.5-1
7.5.1 POST ACCIDENT MONITORING INSTRUMENTATION (PAM) 7.5-1
7.5.1.1 SYSTEM DESCRIPTION 7.5-1
7.5.1.2 VARIABLE TYPES 7.5-1
7.5.1.3 VARIABLE CATEGORIES 7.5-2
7.5.1.4 DESIGN BASES 7.5-3
7.5.1.5 GENERAL REQUIREMENTS 7.5-6
7.5.1.6 ANALYSIS 7.5-7
7.5.1.7 TESTS AND INSPECTIONS 7.5-7
7.5.1.8 POST ACCIDENT MONITORING SYSTEM (PAMS) 7.5-8
7.5.2 PLANT COMPUTER SYSTEM 7.5-8
7.5.2.1 SAFETY PARAMETER DISPLAY SYSTEM 7.5-9
7.5.2.2 BYPASSED AND INOPERABLE STATUS INDICATION SYSTEM (BISI) 7.5-11
7.5.2.3 TECHNICAL SUPPORT CENTER AND COMMUNICATION DATA LINKS 7.5-13
7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY 7.6-1
7.6.1 120V AC AND 125V DC VITAL PLANT CONTROL POWER SYSTEM 7.6-1
7.6.2 RESIDUAL HEAT REMOVAL ISOLATION VALVES 7.6-1
7.6.2.1 DESCRIPTION 7.6-1
7.6.2.2 ANALYSIS 7.6-2
7.6.3 REFUELING INTERLOCKS 7.6-2
7.6.4 DELETED BY AMENDMENT 63 7.6-2
7.6.5 ACCUMULATOR MOTOR-OPERATED VALVES 7.6-2
7.6.6 SPURIOUS ACTUATION PROTECTION FOR MOTOR OPERATED VALVES 7.6-3
7.6.7 LOOSE PART MONITORING SYSTEM (LPMS) SYSTEM DESCRIPTION 7.6-4
7.6.8 INTERLOCKS FOR RCS PRESSURE CONTROL DURING LOW TEMPERATURE OPERATION 7.6-8
7.6.8.1 ANALYSIS OF INTERLOCK 7.6-9
7.6.9 SWITCHOVER FROM INJECTION TO RECIRCULATION MODE FOLLOWING A LOCA 7.6-10
7.7 CONTROL SYSTEMS 7.7-1
7.7.1 DESCRIPTION 7.7-1
7.7.1.1 CONTROL ROD DRIVE REACTOR CONTROL SYSTEM 7.7-1
7.7.1.2 ROD CONTROL SYSTEM 7.7-4
7.7.1.3 PLANT CONTROL SIGNALS FOR MONITORING AND INDICATING 7.7-10
7.7.1.4 PLANT CONTROL SYSTEM INTERLOCKS 7.7-15
7.7.1.5 PRESSURIZER PRESSURE CONTROL 7.7-16
7.7.1.6 PRESSURIZER WATER LEVEL CONTROL 7.7-16
7.7.1.7 STEAM GENERATOR WATER LEVEL CONTROL 7.7-17
7.7.1.8 STEAM DUMP CONTROL 7.7-17
7.7.1.9 INCORE INSTRUMENTATION SYSTEM 7.7-19
7.7.1.10 CONTROL BOARD 7.7-20
7.7.1.11 DISTRIBUTION CONTROL SYSTEM 7.7-20
7.7.1.12 ANTICIPATED TRANSIENT WITHOUT SCRAM MITIGATION SYSTEM ACTUATION 7.7-23
7.7.2 ANALYSIS 7.7-24
7.7.2.1 SEPARATION OF PROTECTION AND CONTROL SYSTEM 7.7-25
7.7.2.2 RESPONSE CONSIDERATIONS OF REACTIVITY 7.7-25
7.7.2.3 STEP LOAD CHANGES WITHOUT STEAM DUMP 7.7-27
7.7.2.4 LOADING AND UNLOADING 7.7-27
7.7.2.5 LOAD REJECTION FURNISHED BY STEAM DUMP SYSTEM 7.7-28
7.7.2.6 TURBINE-GENERATOR TRIP WITH REACTOR TRIP 7.7-28
7A INSTRUMENTATION IDENTIFICATIONS AND SYMBOLS 7A-1
7A.1 IDENTIFICATION SYSTEM 7A-1
7A.1.1 FUNCTIONAL IDENTIFICATION 7A-1
7A.1.2 SYSTEM IDENTIFICATION 7A-3
7A.1.3 LOOP IDENTIFICATION 7A-3
7A.2 SYMBOLS 7A-3
7A.2.1 INSTRUMENT SYMBOL 7A-4

WATTS BAR LIST OF TABLES

Section Title

TABLE 7.1-1 WATTS BAR NUCLEAR PLANT NRC REGULATORY GUIDE CONFORMANCE
TABLE 7.1-2 DELETED BY AMENDMENT 8
TABLE 7.2-1 LIST OF REACTOR TRIPS
TABLE 7.2-2 PROTECTION SYSTEM INTERLOCKS
TABLE 7.2-3 REACTOR TRIP SYSTEM INSTRUMENTATION
TABLE 7.2-4 REACTOR TRIP CORRELATION
TABLE 7.3-1 INSTRUMENTATION OPERATING CONDITION FOR ENGINEERED SAFETY FEATURES
TABLE 7.3-2 INSTRUMENTATION OPERATING CONDITION FOR ISOLATION FUNCTIONS
TABLE 7.3-3 INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
TABLE 7.5-1 (SHEET 1 OF 2) POST ACCIDENT MONITORING INSTRUMENTATION COMPONENT QUALIFICATION MATRIX (SEE NOTE)
TABLE 7.5-2 REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LISTS LEGEND (PAGE 1 OF 41)
TABLE 7.5-2 REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LISTS
TABLE 7.5-3 DELETED BY AMENDMENT 89
TABLE 7.7-1 PLANT CONTROL SYSTEM INTERLOCKS

WATTS BAR LIST OF FIGURES

Section Title

FIGURE 7.1-1 PROTECTION SYSTEM BLOCK DIAGRAM
FIGURE 7.1-2 POWERHOUSE-UNITS 1 AND 2 WIRING DIAGRAMS CONTROL BOARDS CRITICAL WIRING BRAID INSTALLATION
FIGURE 7.1-3-SH-1 TRAIN A AND TRAIN B PROCESS INTERLOCKS
FIGURE 7.1-3-SH-2 TRAIN A AND TRAIN B PROCESS INTERLOCKS
FIGURE 7.1-3-SH-3 TRAIN A AND TRAIN B PROCESS INTERLOCKS
FIGURE 7.1-3-SH-4 TRAIN A AND TRAIN B PROCESS INTERLOCKS
FIGURE 7.2-1-SH-1 POWERHOUSE UNIT 1 ELECTRICAL LOGIC DIAGRAMS - REACTOR PROTECTION SYSTEM
FIGURE 7.2-1-SH-2 POWERHOUSE UNIT 1 ELECTRICAL LOGIC DIAGRAMS - REACTOR PROTECTION SYSTEM
FIGURE 7.2-1-SH-3 POWERHOUSE UNIT 1 ELECTRICAL LOGIC DIAGRAMS - REACTOR PROTECTION SYSTEM
FIGURE 7.2-1-SH-4 POWERHOUSE UNIT 1 ELECTRICAL LOGIC DIAGRAMS - REACTOR PROTECTION SYSTEM
FIGURE 7.2-2 SETPOINT REDUCTION FUNCTION FOR OVERPOWER AND OVERTEMPERATURE ΔT TRIPS
FIGURE 7.3-1 ESF TEST CIRCUITS (TYPICAL)
FIGURE 7.3-2 DELETED BY AMENDMENT 81
FIGURE 7.3-3-SH-1 POWERHOUSE UNITS 1 & 2 ELECTRICAL LOGIC DIAGRAM FEEDWATER SYSTEM
FIGURE 7.3-3-SH-2 POWERHOUSE UNITS 1 & 2 AUXILIARY FEEDWATER SYSTEM LOGIC DIAGRAM
FIGURE 7.3-3-SH-3 POWERHOUSE UNITS 1 & 2 ELECTRICAL LOGIC DIAGRAM FOR SAFETY INJECTION SYSTEM
FIGURE 7.3-3-SH-4 POWERHOUSE UNITS 1 & 2 LOGIC ELECTRICAL DIAGRAM FOR CONTAINMENT ISOLATION
FIGURE 7.6-1 DELETED BY AMENDMENT 65
FIGURE 7.6-2 DELETED BY AMENDMENT 65
FIGURE 7.6-3 POWERHOUSE UNIT 1 ELECTRICAL LOGIC DIAGRAM FOR SAFETY INJECTION SYSTEM
FIGURE 7.6-4 POWERHOUSE AUXILIARY BUILDING UNITS 1 & 2 WIRING DIAGRAMS FOR SAFETY INJECTION SYSTEM
FIGURE 7.6-5 REACTOR BUILDING UNIT 1 VARIABLE PROCESSING FOR LOW TEMPERATURE INTERLOCKS FOR RCS PRESSURE CONTROL
FIGURE 7.6-6-SH-1 POWERHOUSE UNIT 1 ELECTRICAL LOGIC DIAGRAM FOR SAFETY INJECTION SYSTEM
FIGURE 7.6-6-SH-2 POWERHOUSE UNIT 1 ELECTRICAL LOGIC DIAGRAM FOR SAFETY INJECTION SYSTEM
FIGURE 7.6-6-SH-3 POWERHOUSE ELECTRICAL LOGIC DIAGRAM RESIDUAL HEAT REMOVAL SYSTEM
FIGURE 7.6-7-SH-1 RHR SUCTION ISOLATION VALVE INTERLOCKS
FIGURE 7.6-7-SH-2 RHR BYPASS VALVE LOGIC FCV-74-8 T (FCV-74-9)
FIGURE 7.7-1 SIMPLIFIED BLOCK DIAGRAM OF REACTOR CONTROL SYSTEM
FIGURE 7.7-2 CONTROL BANK ROD INSERTION MONITOR
FIGURE 7.7-3 ROD DEVIATION COMPARATOR
FIGURE 7.7-4 BLOCK DIAGRAM OF PRESSURIZER PRESSURE CONTROL SYSTEM
FIGURE 7.7-5 BLOCK DIAGRAM OF PRESSURIZER LEVEL CONTROL SYSTEM
FIGURE 7.7-6 BLOCK DIAGRAM OF STEAM GENERATOR WATER LEVEL CONTROL SYSTEM
FIGURE 7.7-7 BLOCK DIAGRAM OF MAIN FEEDWATER PUMP SPEED CONTROL SYSTEM
FIGURE 7.7-8 BLOCK DIAGRAM OF STEAM DUMP CONTROL SYSTEM
FIGURE 7.7-9 INCORE INSTRUMENT SYSTEM
FIGURE 7.7-10 TYPICAL LOCATION OF CONTROL BOARD SYSTEMS
FIGURE 7.7-11 SIMPLIFIED BLOCK DIAGRAM ROD CONTROL SYSTEM
FIGURE 7.7-12 CONTROL BANK D PARTIAL SIMPLIFIED SCHEMATIC DIAGRAM POWER CABINETS 1BD AND 2BD
FIGURE 7A-1 INSTRUMENTATION SYMBOLS AND TABULATION FROM TVA DS E18.3.3
FIGURE 7A-2 MECHANICAL SYSTEM IDENTIFICATION NUMBERS
FIGURE 7A-3 MECHANICAL FLOW AND CONTROL DIAGRAM SYMBOLS
FIGURE 7A-4 MECHANICAL BASIC INSTRUMENTATION AND RADIATION SYMBOLS
FIGURE 7A-5 MECHANICAL APPLICATION OF BASIC INSTRUMENTATION SYMBOLS
FIGURE 7A-6 MECHANICAL DIGITAL LOGIC SYMBOLS (AND/OR)

WATTS BAR WBNP-102 7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Std. 279-1971, "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations."

The primary purpose of the instrumentation and control systems is to provide automatic protection against unsafe and improper reactor operation during steady state and transient power operations (Condition I) and to provide initiating signals to mitigate the consequences of faulted conditions (Conditions II, III, IV). For a discussion of the four conditions see Chapter 15. The information presented in this chapter emphasizes those instrumentation and control systems which are essential to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public.

It is shown that the applicable criteria and codes, such as the General Design Criteria and IEEE Standards, concerned with the safe generation of nuclear power are met by these systems.

Definitions

The definitions below establish the meaning of words in the context of their use in Chapter 7.

Channel - An arrangement of components and modules or software as required to generate a single protective action signal when required by a plant condition. A channel loses its identity where single action signals are combined.

DNBR (Departure from Nucleate Boiling Ratio) - The ratio of the critical heat flux (defined as the transition from nucleate boiling to film boiling) to the actual local heat flux.

Module - An assembly of interconnected components which constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics which permit it to be tested as a unit. A module could be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

Software - The entire set of programs, procedures, and related documentation associated with a system, especially a computer system.

Components - Items from which the system is assembled (e.g., resistors, capacitors, wires, connectors, transistors, tubes, switches, springs, etc.).

INTRODUCTION 7.1-1

Single Failure - Any single event which results in a loss of protective function of a component or components of a system. Multiple failures resulting from a single event will be treated as a single failure.

Protective Action - A protective action can be at the channel or the system level. A protective action at the channel level is the initiation of a signal by a single channel when the variable sensed exceeds a limit. A protective action at the system level is the initiation of the operation of a sufficient number of actuators to effect a protective function.

Protective Function - A protective function is the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values of the variable established in the design basis.

Type Tests - Tests made on one or more units to verify adequacy of design.

Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which, when tripped, will cause an automatic system trip.

Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited or otherwise restricted by the Technical Specifications.
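The definitions of channel, protective action, single failure and degree of redundancy describe M-out-of-N coincidence logic without showing it at work. The following Python model is an added illustration and not part of the FSAR or of any Watts Bar equipment; the 2-out-of-4 arrangement, the setpoint of 100.0 and the minimum degree of redundancy of 1 are constructed values chosen only to exercise the definitions. It computes the degree of redundancy as defined above (channels monitoring the variable minus channels that, when tripped, cause a system trip), evaluates channel-level and system-level protective actions, and checks both halves of the single-failure criterion by exhaustively sticking one channel in either state: a channel stuck untripped must not prevent the trip, and a channel stuck tripped must not by itself cause a spurious one.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class ChannelState(Enum):
    """State of one protection channel monitoring a variable."""
    NORMAL = "normal"    # variable within limits, no channel-level action
    TRIPPED = "tripped"  # channel-level protective action signal asserted


def channel_trip(measured: float, setpoint: float, high_trip: bool = True) -> ChannelState:
    """Channel-level protective action: assert a trip signal when the sensed
    variable exceeds its limit (above the setpoint for a high trip, below it
    for a low trip). A bare threshold comparator stands in for the channel."""
    exceeded = measured > setpoint if high_trip else measured < setpoint
    return ChannelState.TRIPPED if exceeded else ChannelState.NORMAL


@dataclass(frozen=True)
class CoincidenceLogic:
    """M-out-of-N logic: `trip_count` tripped channels out of `n_channels`
    monitoring the variable cause the automatic system-level trip."""
    n_channels: int
    trip_count: int

    def degree_of_redundancy(self) -> int:
        """Channels monitoring the variable minus channels whose tripping
        causes a system trip (the chapter's definition)."""
        return self.n_channels - self.trip_count

    def system_trip(self, states: list[ChannelState]) -> bool:
        """System-level protective action derived from the channel states."""
        if len(states) != self.n_channels:
            raise ValueError("one state per channel is required")
        tripped = sum(s is ChannelState.TRIPPED for s in states)
        return tripped >= self.trip_count

    def single_failure_tolerant(self) -> tuple[bool, bool]:
        """Fail one channel stuck in either state, for every channel, and
        report (protects_on_demand, no_spurious_trip):
          - with every healthy channel tripped, a channel stuck NORMAL must
            not prevent the system trip;
          - with every healthy channel NORMAL, a channel stuck TRIPPED must
            not by itself cause a system trip."""
        protects = no_spurious = True
        for i in range(self.n_channels):
            stuck_normal = [ChannelState.TRIPPED] * self.n_channels
            stuck_normal[i] = ChannelState.NORMAL
            stuck_tripped = [ChannelState.NORMAL] * self.n_channels
            stuck_tripped[i] = ChannelState.TRIPPED
            protects = protects and self.system_trip(stuck_normal)
            no_spurious = no_spurious and not self.system_trip(stuck_tripped)
        return protects, no_spurious

    def operation_permitted(self, operable_channels: int, minimum_degree: int) -> bool:
        """Minimum degree of redundancy: with only `operable_channels` still in
        service, the remaining degree of redundancy must stay at or above the
        minimum for unrestricted operation. The minimum is a constructed input
        here; a plant's value comes from its Technical Specifications."""
        return operable_channels - self.trip_count >= minimum_degree


if __name__ == "__main__":
    two_of_four = CoincidenceLogic(n_channels=4, trip_count=2)
    # Constructed readings against a constructed high-trip setpoint of 100.0 (arbitrary units).
    states = [channel_trip(v, setpoint=100.0) for v in (98.0, 101.0, 103.0, 97.0)]
    print("degree of redundancy:", two_of_four.degree_of_redundancy())
    print("system trip:", two_of_four.system_trip(states))
    for logic in (two_of_four, CoincidenceLogic(2, 1), CoincidenceLogic(2, 2)):
        print(logic, "single-failure check:", logic.single_failure_tolerant())
```

Running the check over several arrangements shows why 2-out-of-4 (and 2-out-of-3) logic is favoured: 1-out-of-2 protects on demand but a single channel stuck tripped causes a spurious trip, and 2-out-of-2 avoids spurious trips but a single channel stuck untripped defeats the protection. Only the arrangements with a degree of redundancy of at least one on both sides pass both halves of the criterion.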

Reproducibility - This definition is taken from SAMA Standard PMC-20.1-1973, Process Measurement and Control Terminology: "the closeness of agreement among repeated measurements of the output for the same value of input, under normal operating conditions over a period of time, approaching from both directions." It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).

Accuracy - This definition is derived from SAMA Standard PMC-20.1-1973. An accuracy statement for a device falls under Note 2 of the definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: "Reference accuracy includes conformity, hysteresis and repeatability."

To adequately define the accuracy of a system, the term reproducibility is useful as it covers normal operating conditions. The following terms, "trip accuracy," etc., will then include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term reproducibility may be substituted for accuracy.

Readout Devices - For consistency the final device of a complete channel is considered a readout device. This includes indicators, recorders, isolators (nonadjustable) and controllers.


Channel Accuracy - This definition includes accuracy of primary element, transmitter and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field mounted hardware. Rack environmental effects are included in the next two definitions to avoid duplication due to dual inputs.

Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices and rack environmental effects.

Trip Accuracy - This definition includes comparator accuracy, channel accuracy for each input, and rack environmental effects. This is the tolerance expressed in process terms (or % of span) within which the complete channel must perform its intended trip function. This includes all instrument errors but no process effects such as streaming.

The term "actuation accuracy" may be used where the word "trip" might cause confusion (for example, when starting pumps and other equipment).

Actuation Accuracy - Synonymous with trip accuracy, but used where the word "trip" may cause ambiguity.

Cold Shutdown - The reactor is in the cold shutdown condition when the reactor is subcritical by at least 1% Δk/k and T(avg) is < 200°F, with T(avg) defined as the average temperature across a reactor vessel as measured by the hot and cold leg temperature detectors.

Hot Shutdown Condition - When the reactor is subcritical by an amount greater than or equal to the margin to be specified in the applicable technical specification and T(avg) is within the temperature range specified in the applicable technical specification.

Phase A Containment Isolation - Closure of all nonessential process lines which penetrate containment, initiated by the safety injection signal.

Phase B Containment Isolation - Closure of remaining process lines, initiated by containment Hi-Hi pressure signal (process lines do not include Engineered Safety Features lines).

System Response Time

Reactor Trip System Response Time: The time delays are defined as the time required for the reactor trip (i.e., the time the rods are free and begin to fall) to be initiated following a step change in the variable being monitored from at least 5% below (or above) to at least 5% above (or below) the trip setpoint.

Engineered Safety Features Actuation System Response Time: The interval required for the Engineered Safety Features sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed setpoints. The response time includes sensor (analog) and process/logic (digital) delay.


Normal Operating Conditions - For this document, these conditions cover all normal process temperature and pressure changes. Also included are ambient temperature changes around the transmitters and racks.

Control Accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. It is simply defined as the accuracy of the control signal in percent of the span of that signal. This will then include gain changes where the control span is different from the span of the measured variable. Where controllers are involved, the control span is the input span of the controller. No error is included for the time in which the system is in a non-steady state condition.

7.1.1 Identification of Safety-Related Systems

7.1.1.1 Safety-Related Systems

The Nuclear Steam Supply System (NSSS) instrumentation required to function to achieve the system responses assumed in the safety evaluations and those needed to shut down the plant are given in this section.

7.1.1.1.1 Reactor Trip System

The Reactor Trip System (RTS) is a functionally defined system described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the reactor trip system are given in Section 7.1.2.1.

Figure 7.1-1 is a block diagram of this system.

7.1.1.1.2 Engineered Safety Features Actuation System

The engineered safety features actuation system (ESFAS) is a functionally defined system and is described in Section 7.3. The equipment which provides the actuation functions is identified and discussed in Section 7.3. Design bases for the Engineered Safety Features Actuation System are given in Section 7.1.2.1.

7.1.1.1.3 Vital Instrumentation and Control Power Supply System

Design bases for the vital control power supply system are given in Section 7.1.2.1. Further description of the system is provided in Section 8.3.

7.1.1.1.4 Auxiliary Control Air System

The auxiliary control air system supplies essential control air to safety-related equipment such as the auxiliary feedwater control valves, dampers in the auxiliary building gas treatment system and the emergency gas treatment system, and the Control Building HVAC system. Further description of the system is given in Section 9.3.1.


7.1.1.2 Safety-Related Display Instrumentation

The Post Accident Monitoring System (PAMS) provides essential information required by the operator to diagnose and monitor significant accident conditions. The accident-monitoring instrumentation is designed with redundant channels so that a single failure does not prevent the operator from determining the nature of an accident, the functioning of the engineered safety features, the need for operator action, and the response of the plant to the safety measures in operation. This system is described in Section 7.5.1.8.

Other safety-related and non-safety-related display instrumentation is discussed in Section 7.5.

7.1.1.3 Instrumentation and Control System Designers

All systems discussed in Chapter 7 have definitive functional requirements developed on the basis of the Westinghouse NSSS design. TVA is responsible for the total design of the WBN instrumentation and controls systems. The RTS, ESFAS, and SSPS are generally the instrumentation and controls systems within the scope of the Westinghouse supply. Figures 7.2-1 and 7.3-3 show the logic for the Reactor Protection System (RPS).

7.1.1.4 Plant Comparison

System functions for all systems discussed in Chapter 7 are similar to those of Sequoyah Nuclear Plant. Detailed comparison is provided in Section 1.3.

7.1.2 Identification of Safety Criteria

Section 7.1.2.1 gives design bases for the systems given in Section 7.1.1.1, except for the auxiliary control air system which is described in Section 9.3.1 and the safety-related display instrumentation systems which are described in Section 7.5. Design bases for non safety-related systems are provided in the sections which describe the systems. Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15. Functional requirements, developed on the basis of the results of the accident analyses, which have utilized conservative assumptions and parameters are used in designing these systems and a preoperational testing program verifies the adequacy of the design. Accuracies are discussed in Sections 7.2, 7.3 and 7.5.

The documents listed below were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems within its scope is provided in the referenced sections.

Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Table 7.1-1 and Notes 1 through 12 identify the degree of conformance to applicable documents and justify exceptions. The documents considered are:


(1) "General Design Criteria for Nuclear Power Plants," Appendix A to Title 10 CFR Part 50, July 7, 1971. (See Sections 7.2, 7.3, 7.4, and 7.6).

(2) Deleted.

(3) "Regulatory Guide 1.22 - Periodic Testing of Protection System Actuation Functions," Regulatory Guides for Water-Cooled Nuclear Power Plants, Division of Reactor Standards, Atomic Energy Commission. (See Table 7.1-1, Note 2).

(4) "Regulatory Guide 1.29 (Revision 1) - Seismic Design Classification," Regulatory Guides for Water-Cooled Nuclear Power Plants, Directorate of Regulatory Standards, Atomic Energy Commission.

(5) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Standard 279-1971. (See Sections 7.2, 7.3, 7.6).

(6) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations," IEEE Standard 308-1971.

(7) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard for Electrical Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generating Stations," IEEE Standard 317-1976. (See Section 8.3.1.2.3).

(8) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Standard: General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations," IEEE Standard 323-1971. (See Table 7.1-1, Note 4).

(9) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," IEEE Std. 323-1974.

(10) Deleted by Amendment 90.

(11) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations," IEEE Standard 336-1971. (See Section 8.3.1.2.2).

(12) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," IEEE Standard 338-1971. (See Section 7.2.2.2, 7.3.2.2.5 and Table 7.1-1, Note 1).


(13) IEEE Std. 338-1987, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems".

(14) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations," IEEE Standard 344-1971. (See Section 3.10).

(15) The Institute of Electrical and Electronic Engineers, Inc, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," IEEE Std. 344-1975.

(16) The Institute of Electrical and Electronic Engineers, Inc, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," IEEE Std. 344-1987.

(17) The Institute of Electrical and Electronic Engineers, Inc, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems," IEEE Std. 352-1975.

(18) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems," IEEE Standard 379-1972. (See Table 7.1-1, Note 3).

(19) The Institute of Electrical and Electronic Engineers, Inc, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems," IEEE Std. 379-1988.

(20) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," IEEE Std. 384-1981.

(21) The Institute of Electrical and Electronic Engineers, Inc, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," IEEE Std. 603-1980.

(22) "Regulatory Guide 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," Regulatory Guides for Water-Cooled Nuclear Power Plant Division of Reactor Standards, Atomic Energy Commission. (See Table 7.1-1, Note 3).

(23) Regulatory Guide 1.47, May 1973 "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems".

(24) Regulatory Guide 1.75, September 1978 "Physical Independence of Electrical Systems".

(25) Regulatory Guide 1.89, November 1974 "Qualification of Class 1E Equipment for Nuclear Power Plants".


(26) Regulatory Guide 1.97, December 1980, "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident".

(27) Regulatory Guide 1.100, August 1977 "Seismic Qualification of Electrical Equipment for Nuclear Power Plants".

(28) Regulatory Guide 1.105, November 1976 "Instrument Setpoints".

(29) Regulatory Guide 1.118, June 1978 "Periodic Testing of Electric Power and Protection Systems".

(30) Regulatory Guide 1.153, December 1985, "Criteria for Power, Instrumentation and Control Portions of Safety Systems". Regulatory Guide 1.153 endorses the guidance of IEEE Std. 603-1980.

(31) ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations". ANSI/IEEE-ANS-7-4.3.2-1982 expands and amplifies the requirements of IEEE Std. 603-1980.

(32) Regulatory Guide 1.152, November 1985, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems in Nuclear Plants". Regulatory Guide 1.152 endorses the guidance of ANSI/IEEE-7-4.3.2-1982.

7.1.2.1 Design Bases

The technical design bases for the protection systems are provided by Westinghouse equipment specifications which consider the functional requirements for these systems and applicable criteria as identified in Table 7.1-1.

7.1.2.1.1 Reactor Trip System

The reactor trip system acts to limit the consequences of Condition II events by, at most, a shutdown of the reactor and turbine, with the plant capable of returning to operation after corrective action. The reactor trip system features impose a limiting boundary region to plant operation which ensures that the reactor safety limits analyzed in Chapter 15 are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions.

The design requirements for the reactor trip system are derived by analyses of plant operating fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard 279-1971 are discussed in Section 7.2.1. The design limits for this system are:


(1) Minimum DNBR shall not be below the limiting value as a result of any anticipated transient or malfunction (Condition II faults).

(2) Power density shall not exceed the rated linear power density for Condition II events. See Chapter 4 for fuel design limits.

(3) The stress limit of the RCS for the various conditions shall be as specified in Chapter 5.

(4) Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion distance or to exceed the guidelines of 10 CFR 100 as a result of any Condition III fault.

(5) For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety nor shall it exceed the guidelines of 10 CFR 100, "Reactor Site Criteria."

7.1.2.1.2 Engineered Safety Features Actuation System (ESFAS)

The ESFAS acts to limit the consequences of Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the safety injection system). The ESFAS acts to mitigate Condition IV events (limiting faults which include the potential for significant release of radioactive material).

The design bases for the ESFAS are derived from the design bases given in Chapter 6. Design bases requirements of IEEE 279-1971 are addressed in Section 7.3.1.2. General design requirements are given below.

(1) Automatic Actuation Requirements

The primary functional requirement of the ESFAS is to receive input signals (information) from the various on-going processes within the reactor plant and containment and automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the engineered safety features system. These signals must assure that the engineered safety features system will meet its performance objectives as outlined in Chapter 6.

Figure 7.3-3 (Sheets 1 through 4) shows the logic associated with the ESF actuation system.

(2) Manual Actuation Requirements

The ESFAS has provisions for manually initiating from the main control room the functions of the engineered safety features system. Manual actuation serves as backup to the automatic initiation and provides control of selected engineered safety features.

INTRODUCTION 7.1-9

WATTS BAR WBNP-102

7.1.2.1.3 Vital Control Power Supply System

The vital control power supply system provides continuous, reliable, regulated single phase ac power to all instrumentation and control equipment required for plant safety.

Details of this system are provided in Section 8.3.

7.1.2.1.4 Standby Power

Design bases and system description for the standby power supply are provided in Chapter 8.

7.1.2.1.5 Interlocks

Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given on Tables 7.2-2 and 7.3-3. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the NSSS will be put into and maintained in a safe state following an ANS Condition II, III, or IV accident commensurate with applicable technical specifications and pertinent ANS Criteria. Therefore, the protective systems have been designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of a protective function are automatically cleared whenever the protective function would be required to function in accordance with General Design Criteria 20, 21, and 22, and Paragraphs 4.11, 4.12, and 4.13 of IEEE Standard 279-1971. Control interlocks (C) are identified on Table 7.7-1. Because control interlocks are not safety related, they have not been specifically designed to meet the requirements of IEEE Protection System Standards.

7.1.2.1.6 Bypasses

Bypasses are designed to meet the requirements of IEEE 279-1971, Sections 4.11, 4.12, 4.13 and 4.14. A discussion of bypasses provided is given in Sections 7.2 and 7.3.

7.1.2.1.7 Equipment Protection

The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed and installed to protect it from damage.

This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE 344-1971. During construction, independence and separation are achieved, as required by IEEE 279-1971, either by barriers or physical separation. This serves to protect against complete destruction of a system by fires, missiles or other natural hazards.

7.1.2.1.8 Diversity

Functional diversity has been designed into the system. Functional diversity is discussed in WCAP 7706, "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," Reference [1]. The extent of diverse system variables has been evaluated for a wide variety of postulated accidents as discussed in WCAPs 7306 and 13869, "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors," Reference [2] and Reference [6]. Generally, two or more diverse protection functions would automatically terminate an accident before unacceptable consequences could occur.

For example, there are automatic reactor trips based upon nuclear flux measurements, reactor coolant loop temperature and flow measurements, pressurizer pressure and level measurements, reactor coolant pump under frequency and under voltage measurements, and steam generator water level measurements, as well as a manual reactor trip and a trip initiated by a safety injection signal.

Regarding the engineered safety features actuation system for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from diverse parameter measurements as shown in Table 7.3-1.

7.1.2.1.9 Trip Setpoints

The scope of TSTF-493 includes setpoints within the reactor protection system (RPS) which includes the Reactor Trip System (RTS) and the Engineered Safeguards Features Actuation System (ESFAS). The specific setpoints within the scope of TSTF-493 are identified in Technical Specifications 3.3.1 and 3.3.2. These trip setpoints have been selected to ensure that core damage and loss of integrity of the reactor coolant system are prevented during anticipated operational events. These setpoints were analytically determined in accordance with the methodology described in References 3 and 5. The TVA instrument setpoint methodology is based on ISA standard 67.04 (Reference 3) and is incorporated into TVA technical instructions. The Westinghouse setpoint methodology is described in Reference 5. Both the nominal (trip setpoint) and limiting (allowable value) settings have been incorporated into the Technical Specifications. Nominal settings are more conservative than the limiting setpoints. This allows for measurement and calibration uncertainties and instrument channel drift which may occur between periodic tests without exceeding the allowable value. Trip setpoint values are monitored by periodic performance of surveillance tests in accordance with Technical Specification requirements.

The setpoint calculations include the effects of both measurable and unmeasurable uncertainties to ensure the associated protective actions are performed before analytical limits are exceeded. The square root sum of the squares (SRSS) method is used to combine uncertainty terms that meet the following three criteria: random, independent, and normally distributed. The probability that all of the independent processes would simultaneously be at their maximum value (i.e., + or -) is very small.

The SRSS method provides a means to combine individual random uncertainty terms to establish a net random uncertainty term. All other uncertainties that do not meet any of the three criteria are arithmetically summed. Single-sided correction factors are not used in setpoint calculations within the scope of TSTF-493.

The following describes the methodology used for the setpoint calculations within the scope of TSTF-493 revision 4 as incorporated into the WBN Unit 2 Technical Specifications.


Safety Limit (SL) - A safety limit is specified to protect the integrity of physical barriers that guard against the uncontrolled release of radioactivity. The safety limit for a parameter is typically provided in the plant safety analyses in accordance with 10 CFR 50.36(c).1.ii.A.

Analytical Limit (AL) - The analytical limit represents the parameter value at which a safety action is assumed to be initiated to ensure that the safety limits are not exceeded during either accidents or anticipated operational occurrences.

Nominal Trip Setpoint (NTSP) - The NTSP is the nominal value at which the instrument is set when it is calibrated. Since most instruments cannot be set to an exact value, the instrument is set to the nominal setpoint within an allowed tolerance band defined as Acceptable As Left (AAL).

Operational Limit (OL) - The operational limit is a value which the operating parameter is not expected to exceed during normal operation. The NTSP is set beyond the OL so that spurious trips of the instrument do not occur.

Acceptable As Found Tolerance (AAF) - A tolerance band on either side of the NTSP which defines the limits of acceptable instrument performance, beyond which the channel may be considered degraded and must be evaluated for operability prior to returning it to service. Channels which exceed the AAF will be entered into the Corrective Action Program for further evaluation and trending. The Acceptable As Found tolerance is the SRSS combination of drift, maintenance and test equipment (M&TE) accuracy and readability, and calibration/reference accuracy. Other uncertainties may be included in the AAF if applicable.

Acceptable As Left Tolerance (AAL) - A tolerance band on either side of the NTSP within which an instrument or instrument loop is left after calibration or setpoint verification. The Acceptable As Left tolerance is equal to or less than the SRSS combination of reference accuracy, M&TE accuracy and M&TE readability. Other uncertainties may be included in the AAL if applicable.

The trip setpoint must be adjusted within the AAL tolerance prior to returning the channel to service.

Allowable Value (AV) - The limiting value of the as-found trip setting used during surveillance testing for the portion of the channel being tested, beyond which the channel is inoperable. The AV ensures that sufficient margin exists to the AL to account for unmeasurable uncertainties such as process effects to ensure that the protective action is performed under worst case conditions before the analytical limit is exceeded when the channel is reset to within the AAL tolerance.

Calculation of the allowable value by the Westinghouse setpoint methodology is described in Reference 5. In the Westinghouse methodology, the AV is limited to rack surveillance testing. Two values are calculated. The first value is the arithmetic sum of the measurable rack uncertainties. The second value is based on the total allowance between the trip setpoint and the safety analysis limit. This value is the difference between the total allowance and those uncertainties which are not present during the rack surveillance test. These uncertainties are combined in accordance with Reference 5. The AV is the nominal trip setpoint plus or minus, dependent on the trip setpoint direction, the minimum of the two calculated values.

The TVA methodology for the allowable value calculation is described in TVA technical instructions based on Reference 3. An upper limit of AV is determined by subtracting the unmeasurable uncertainties from the AL. A lower limit of AV is determined by adding the measurable uncertainties to the NTSP. The actual AV is set within these limits. This applies to a high setpoint with an upper Analytical Limit; the directions would be reversed for a low setpoint with a lower AL.
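A worked version of the setpoint bookkeeping described above, added here as an example (it is not TVA's or Westinghouse's code, and none of the numbers are Watts Bar plant values): it combines random, independent, normally distributed terms by SRSS and the rest arithmetically, derives the AAL and AAF bands, bounds the allowable value the way the TVA method does for both a high and a low trip direction, and classifies an as-found surveillance reading against AV, AAF and AAL. The uncertainty term names, magnitudes and limits are constructed assumptions.

```python
"""Setpoint-margin bookkeeping in the style of the TSTF-493 methodology in
Section 7.1.2.1.9. Added example, not TVA or Westinghouse code; all numbers are
constructed for illustration and are not Watts Bar plant values."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass
class Uncertainty:
    name: str         # assumed term names; AAL/AAF selection keys on them below
    value: float      # magnitude in process units (e.g. psig), always >= 0
    random: bool      # random, independent and normally distributed -> SRSS
    measurable: bool  # observable in the rack surveillance test (drift, M&TE, ...)


def srss(values: List[float]) -> float:
    """Square root of the sum of the squares."""
    return sqrt(sum(v * v for v in values))


def combine(terms: List[Uncertainty]) -> float:
    """SRSS the terms meeting all three criteria; arithmetically sum the rest."""
    return srss([t.value for t in terms if t.random]) + sum(
        t.value for t in terms if not t.random)


AAL_TERMS = {"reference accuracy", "M&TE accuracy", "M&TE readability"}
AAF_TERMS = AAL_TERMS | {"drift"}


@dataclass
class Channel:
    name: str
    analytical_limit: float   # AL
    ntsp: float               # nominal trip setpoint, more conservative than AL
    high_trip: bool           # True: trips on a rising process value (upper AL)
    terms: List[Uncertainty]

    @property
    def sign(self) -> float:
        """+1 when 'toward the AL' means increasing, -1 for a low trip."""
        return 1.0 if self.high_trip else -1.0

    def aal(self) -> float:
        return srss([t.value for t in self.terms if t.name in AAL_TERMS])

    def aaf(self) -> float:
        return srss([t.value for t in self.terms if t.name in AAF_TERMS])

    def av_limits(self) -> Tuple[float, float]:
        """TVA bounds on the AV as (NTSP-side limit, AL-side limit).

        AL-side limit: AL less the unmeasurable uncertainties.
        NTSP-side limit: NTSP plus the measurable uncertainties.
        For a low trip the directions reverse, which self.sign handles."""
        unmeasurable = combine([t for t in self.terms if not t.measurable])
        measurable = combine([t for t in self.terms if t.measurable])
        return (self.ntsp + self.sign * measurable,
                self.analytical_limit - self.sign * unmeasurable)

    def av_margin_ok(self) -> bool:
        """True when an AV fits between the two limits, i.e. the NTSP leaves
        enough room to the AL for the total uncertainty."""
        ntsp_side, al_side = self.av_limits()
        return (al_side - ntsp_side) * self.sign >= 0.0

    def evaluate_as_found(self, as_found: float, av: float) -> str:
        """Classify a surveillance as-found trip setting against AV/AAF/AAL."""
        toward_al = (as_found - self.ntsp) * self.sign   # > 0: closer to the AL
        if toward_al > (av - self.ntsp) * self.sign:
            return "INOPERABLE"   # beyond the AV in the non-conservative direction
        if abs(toward_al) > self.aaf():
            return "DEGRADED"     # outside AAF: operability evaluation, CAP entry
        if abs(toward_al) > self.aal():
            return "RESET"        # acceptable, but must be reset to within AAL
        return "ACCEPTABLE"


def westinghouse_av(channel: Channel, rack_sum: float, allowance_remaining: float) -> float:
    """Westinghouse method as summarised in the text: NTSP plus or minus the
    smaller of (a) the arithmetic sum of measurable rack uncertainties and
    (b) the total allowance less the uncertainties absent from the rack test.
    Both inputs are supplied by the caller from the Reference 5 calculation."""
    return channel.ntsp + channel.sign * min(rack_sum, allowance_remaining)


# Constructed example terms (not plant values).
TERMS = [
    Uncertainty("reference accuracy", 2.0, random=True, measurable=True),
    Uncertainty("M&TE accuracy", 1.5, random=True, measurable=True),
    Uncertainty("M&TE readability", 0.5, random=True, measurable=True),
    Uncertainty("drift", 3.0, random=True, measurable=True),
    Uncertainty("process measurement effect", 4.0, random=True, measurable=False),
    Uncertainty("temperature effect", 3.0, random=True, measurable=False),
    Uncertainty("static pressure bias", 2.0, random=False, measurable=False),
]
HIGH = Channel("constructed high-pressure trip", 2400.0, 2350.0, True, TERMS)
LOW = Channel("constructed low-pressure trip", 1900.0, 1950.0, False, TERMS)

if __name__ == "__main__":
    for ch in (HIGH, LOW):
        ntsp_side, al_side = ch.av_limits()
        print(f"{ch.name}: AAL={ch.aal():.2f} AAF={ch.aaf():.2f} "
              f"AV between {ntsp_side:.2f} and {al_side:.2f} "
              f"margin_ok={ch.av_margin_ok()}")
```

Setting the AV at the NTSP-side limit gives the most conservative value the method permits; an as-found reading past the AV in the AL direction is the inoperable case the text describes, while a reading that is far off in the conservative direction is still flagged against the AAF band.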

7.1.2.2 Independence of Redundant Safety-Related Systems

The safety-related systems in Section 7.1.1.1 are designed to meet the independence and separation requirements of Criterion 22 of the General Design Criteria (GDC) (Appendix A to 10 CFR 50) and Paragraph 4.6 of IEEE 279-1971. The administrative responsibility and control provided during the design and installation is discussed in Chapter 17 which addresses the Quality Assurance programs applied by Westinghouse and TVA.

The electrical power supply, instrumentation and control conductors for redundant circuits of a nuclear plant, including PAM Category 1 and protection set I, II, III and IV instrumentation and control, are physically separated. Their cables are run in separate raceways to preserve divisional integrity and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Detailed information pertaining to electrical cable for safety-related systems is given in Section 8.3.1.4. Critical circuits and functions include: power, control, and process protection channels associated with the operations of the reactor trip system or engineered safety features actuation system. Failure events are evaluated for credibility; credible events shall include, but not be limited to, the effects of short circuits, pipe rupture, missiles, etc., and are considered in the basic plant design.

Control board details are given in Section 7.7.1.10. In the control board, separation of redundant circuits is maintained as described in Section 7.1.2.2.2.

Instrument sensing lines (including capillary systems) which serve safety-related systems identified in Section 7.1.1.1 are designed to meet the independence requirements of criterion 22 of the 1971 General Design Criteria and IEEE 279-1971 Section 4.6. The requirements consider the following events: (1) normal activities in the area (e.g., maintenance); (2) high and moderate energy jet streams, missiles, and pipe whip; and (3) possible damage caused by falling loads from the plant lifting systems (e.g., cranes, monorails). Exceptions to these requirements shall be evaluated for technical adequacy and documented in Design Basis Documents.

7.1.2.2.1 General

Separation of cables and raceways of redundant circuits is described in Section 8.3.1.


7.1.2.2.2 Specific Systems

Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Each redundant channel is energized from a separate ac power feed.

Within the process protection system there are four separate protection channel sets.

Redundant protection channels are separated by locating the processing electronics of the redundant channels in different protection channel rack sets. Separation of redundant channels begins at the sensors and is maintained in the field wiring, containment penetrations, and process protection channel racks. Thus any single failure within a channel will not prevent initiation of a required protection system action.

In the nuclear instrumentation system and the solid state protection system racks where redundant channels of protection instrumentation are physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks.

Independence of the logic trains is discussed in Sections 7.2 and 7.3. Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core.

(1) Reactor Trip System

(a) Separate routing is maintained between the four reactor trip system process protection channels, including the sensor signals, comparator signals, and associated power supplies.

(b) Separate routing of the reactor trip signals from the two redundant logic system cabinets is maintained. In addition, they are separated (by spatial separation, by an approved barrier, or by separate cable trays or wireways) from the four protection instrumentation channels.

(2) Engineered Safety Features Actuation System

(a) Separate routing is maintained for the four redundant sets of ESF actuation system process protection channels, comparator output signals and power supplies for such systems. The separation of these four redundant and independent protection channel sets is maintained from sensors through process protection racks to logic system cabinets.

(b) Separate routing of the ESF actuation signals from the two redundant logic system cabinets is maintained. The ESF actuation signals are also separated from the four process protection channels.

(c) Separate routing of redundant control and power circuits associated with the operation of engineered safety features equipment is required to retain redundancies provided in the system design and power supplies.

(3) Vital Control Power Supply System

The separation criteria presented above also apply to the power supplies for the load centers and buses distributing power to redundant components and to the control of these power supplies. See Section 8.3.1 for the description of the system.

(4) Control Board

Control board switches and associated lights are generally furnished in modules. Modules provide a degree of physical protection for the switches, associated lights and wiring. Teflon wire is used within the module and between the module and the first termination point.

Modular train column wiring is formed into wire bundles and carried to metal wireways (gutters). Gutters are run into metal vertical wireways (risers). The risers are the interface between field wiring and control board wiring. Risers are arranged to maintain the separated routing of the field cable trays.

Wiring within control boards has been designed and installed to maintain physical independence. Design features include enclosed modular switches, metal wireways, use of metallic woven braid over approved insulation of critical wires. PVC type tubing (Tygon) has been used in some installations to insulate up to approximately 6 inches of the drain wire where signal cable is broken out to terminate the cable at termination points.

Figure 7.1-2 shows the details of the control boards critical wiring braid installation. Wiring for each train is routed from the field to separate vertical risers, separated horizontally in enclosed horizontal wireways, and then routed from the wireway to the enclosed switch module in metallic braid.

Maximum air space between cables of different trains has been maintained and in no case do cables from different trains touch nor can they migrate with time to touch.

In order to maintain separation between wiring associated with different logic trains, mutually redundant safety train wiring is not terminated on a single device. Backup manual actuation switches link the separate trains by mechanical means to provide greater reliability of operator action for the manual reactor trip function and manual engineered safety features actuations. The linked switches are themselves redundant so that operation of either set of linked switches will actuate safety trains "A" and "B" simultaneously.

Safety-related indicators (e.g., post accident monitoring indicators) are separated by metallic barrier plates and/or air separation. Teflon insulated wire is used between the indicators and the first termination point. The wire routing method is similar to that used for the modules.

Reactor trip system and engineered safety features actuation system process protection channels may be routed in the same wireways provided circuits have the same power supply and channel set identity (I, II, III or IV).

7.1.2.2.3 Fire Protection

Refer to Section 9.5.1 for fire protection information.

7.1.2.3 Physical Identification of Safety-Related Equipment

There are four separate sets of process protection channel racks identifiable with equipment associated with the reactor trip system and with the engineered safety features actuation system. A process protection channel set may consist of more than one instrumentation rack. The color coding of each instrumentation rack nameplate coincides with the color code established for the protection instrumentation channel of which it is a part. Redundant channels are separated by locating them in different protection channel racks. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection racks to the redundant trains in the logic racks.

The solid state protection system input cabinets are divided into four isolated compartments, each serving one of the four redundant process protection channels. Horizontal 1/8-inch thick solid steel barriers, coated with fire-retardant paint, separate the compartments. Four solid steel wireways coated with fire-retardant paint enter the input cabinets vertically. The wireway for a particular compartment is open into that compartment so that flame could not propagate to affect other channels. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color-coded nameplates described below provide identification of equipment associated with protective functions and their channel set association.

Protection Set Color Coding

    Protection Set    Color
    I                 Red with white lettering
    II                Black with white lettering
    III               Blue with white lettering
    IV                Yellow with black lettering

Post accident monitoring and train-oriented modules are identified as follows:

    Category                               Color
    Train A                                Orange and White
    Train B                                Brown and White
    Special (1)                            Gold and Black
    Postaccident Monitoring Channel 1      Purple and White (outside MCR); Black and White (inside MCR)
    Postaccident Monitoring Channel 2      Green and Black (outside MCR); Black and White (inside MCR)
    Nondivisional (Nonsafety-related)      White and Black
    Normal Offsite Power Supply            White and Black
    Alternate Offsite Power Supply         White and Black

All nonrack-mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. In congested areas, such as under or over the control boards, instrument racks, etc., cable trays and conduits containing redundant circuits are identified using permanent markings. The purpose of such markings, discussed in detail in Section 8.3.1.4, is to facilitate cable routing identification for future modifications or additions. Positive permanent identification of field routed cables is provided by nameplates on the input panels of the solid state logic protection system.

(1) The circuits requiring special separation carry the suffix S and are described in Section 8.3.1.4.3.

7.1.2.4 Process Signal Isolation Relays

Criteria for Process Signal Isolation Relays

The following criteria are to be used in providing isolation between process signals and safety circuits:

(1) A safety signal derived from the Solid-State Protection System (SSPS) shall override the process signal.

(2) The isolation relays shall have a coil to contact rating equal to or greater than the maximum credible ac or dc potential that could be applied to the non-1E circuit at its end points or intermediate routing.

(3) The isolation relays and racks designated as Train A or Train B shall be seismically qualified.


Implementation of Criteria

(1) The following is a listing of the Auxiliary Relay Racks (ARR) and the cable routing scheme utilized.

AUXILIARY RELAY RACKS (See Note.)

    LOCATION              TRAIN A         NON-DIV                 TRAIN B
    AUXILIARY CONTROL     1-L-11A         1-L-10                  1-L-11B
    BOP AUX INST ROOM     1-R-73,74       1-R-71,72,75,76,80      1-R-77,78
    NSSS AUX INST ROOM    1-R-54 (AR1)    1-R-58 (AR3)            1-R-55 (AR2)

(Note: Use Prefix 2 for Unit # 2.)

ROUTING SCHEME - AUXILIARY RELAY RACKS

(2) Figure 7.1-3 (Sheets 1-4) illustrates the various isolation configurations used in the design of Watts Bar.

REFERENCES

(1) W. C. Gangloff and W. D. Luftus, "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," WCAP-7706-L, July 1971 (Westinghouse NES Proprietary), and WCAP-7706, July 1971.

(2) T. W. T. Burnett, "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors," WCAP-7306, April 1969.

(3) "Setpoints for Nuclear Safety-Related Instrumentation Used in Nuclear Power Plants," ISA-DS-67.04, 1982.

(4) L. E. Erin, "Topical Report Eagle 21 Microprocessor-Based Process Protection System," WCAP-12374, Rev. 1, December 1991 (Westinghouse Proprietary Class 2); WCAP-12375, Rev. 1, December 1991 (Westinghouse Proprietary Class 3).

(5) "Westinghouse Setpoint Methodology for Protection Systems, Watts Bar Unit 2," WCAP-17044 (Unit 2 only).

(6) "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors," WCAP-13869, Rev. 2, September 1994.


Table 7.1-1 Watts Bar Nuclear Plant NRC Regulatory Guide Conformance

The extent to which the recommendations of the applicable NRC regulatory guides and IEEE standards are followed for the Class 1E instrumentation and control systems is shown below. The symbol (F) indicates full compliance. Those which are not fully implemented are discussed in the referenced sections of the FSAR and in the footnotes as indicated.

Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions" (F, see note 2).

Regulatory Guide 1.29, "Seismic Design Classification" (F).

Regulatory Guide 1.30, "Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment." (See Section 7.1 for compliance.)

Regulatory Guide 1.45, "Reactor Coolant Pressure Boundary Leakage Detection Systems" (See Note 7).

Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems" (F, see Note 5).

Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems" (F, see Note 3).

Regulatory Guide 1.62, "Manual Initiation of Protective Actions" (F).

Regulatory Guide 1.63, "Electrical Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants" (See Section 8.1.5.3 for compliance).

Regulatory Guide 1.68, "Preoperational and Initial Startup Test Program for Water-Cooled Power Reactors" (See Section 14.2.7).

Regulatory Guide 1.75, "Physical Independence of Electric Systems" (See Sections 7.1.2.2, 7.1.2.3, 8.1.5.3, 8.3.1.4, 8.3.2.4, and 8.3.2.5 for compliance).

Regulatory Guide 1.79, "Preoperational Testing of Emergency Core Cooling Systems for Pressurized Water Reactors" (See Section 6.3.4.1).


Regulatory Guide 1.80, "Preoperational Testing of Instrument Air Systems" (F).

Regulatory Guide 1.89, "Environmental Qualification of Certain Electrical Equipment Important to Safety for Nuclear Power Plants" (See note 4).

Regulatory Guide 1.97, December 1980 "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident" (See Section 7.5).

Regulatory Guide 1.100, August 1977 "Seismic Qualification of Electrical Equipment for Nuclear Power Plants" (See Note 8).

Regulatory Guide 1.105, November 1976 "Instrument Setpoints" (See Note 8).

Regulatory Guide 1.133, May 1981 "Loose-Part Detection Program for the Primary System of Light-Water Cooled Reactors," Revision 1 (See Note 12).

Regulatory Guide 1.118, June 1978 "Periodic Testing of Electric Power and Protection Systems" (See Notes 8 and 11), (See Section 8.1.5.3, Note 8, for electric power systems).

Regulatory Guide 1.153, December 1985 "Criteria For Power, Instrumentation and Control Portions of Safety Systems" (See Notes 8 and 9).

ANSI/IEEE-ANS-7-4.3.2-1982 "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations" (See Notes 8 and 10).

Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants" (P) (See note 6).

IEEE Standard 279-1971, "Protection Systems for Nuclear Power Generating Stations" (F).

IEEE Standard 308-1971, "Class 1E Power Systems for Nuclear Power Generating Stations" (See Section 8.1.5).


IEEE Std. 323-1971, "IEEE Trial-Use Standard: General Guide for Qualifying Class 1E Equipment for Nuclear Power Generating Stations" (See Note 4).

IEEE Std. 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," (See Notes 4 and 8).

IEEE Standard 338-1971, "Periodic Testing of Nuclear Power Generating Station Safety Systems" (See note 1 and Section 7.3.2.2.5 for compliance).

IEEE Standard 338-1977, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems" (See Note 11).

IEEE Std. 338-1987, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems," (See Note 8).

IEEE Standard 344-1971, "Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations" (F) (For clarification of conformance to IEEE Standard 344-1975, See Section 3.10.1).

IEEE Std. 344-1987, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," (See Note 8).

IEEE Std. 352-1975, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems," (See Note 8).

IEEE Std. 379-1972, "IEEE Trial-Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems," (See Note 3).

IEEE Std. 379-1988, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems," (See Note 8).

IEEE Std. 384-1981, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," (See Note 8).


IEEE Std. 603-1980, "IEEE Standard Criteria For Safety Systems for Nuclear Power Generating Stations," (See Note 8).

Note 1 Conformance to IEEE 338-1971

The periodic testing of the reactor protection systems conforms to the requirements of IEEE Standard 338-1971 with the following comments:

1. The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate this capability for the system.

Protection systems response times from the sensor through the actuated device, as identified in the Watts Bar Technical Requirements Manual, will be verified. Technical Specifications require periodic testing on at least 18-month intervals. Each test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once every (N times 18) months, where N is the total number of redundant channels in a specific protection function.

The measurement of response time at the specified frequencies provides assurance that the protective and Engineered Safety Features action function associated with each channel is completed within the time limit assumed in the accident analyses.

2. The test frequencies established for the reactor protection system, evaluated in WCAP 10271 Supplement 1 and WCAP 10271-P-A Supplement 2, "Westinghouse Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrument System," are consistent with the required reliability of the reactor protection system to provide acceptable risk results.
3. The periodic test frequency discussed in Paragraph 4.3 of IEEE Standard 338 and specified in the plant Technical Specifications is conservatively selected to assure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. If any protection channel appears to be marginal or requires more frequent adjustments due to plant condition changes, the test frequency is accelerated to accommodate the situation until the marginal performance is resolved.


4. The test interval discussed in Paragraph 5.2, IEEE Standard 388, is developed primarily on past operating experience and modified if necessary to assure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine test interval except for the Eagle 21 system for which a reliability study was conducted and documented in Westinghouse PCA (88)-129 Eagle 21 Process Protection System Reliability Study Rev. 1 dated June 22, 1988 (Westinghouse Proprietary Class 2).

Note 2 Conformance to Regulatory Guide 1.22

Periodic testing of the reactor trip and engineered safety features actuation systems, as described in Sections 7.2.2 and 7.3.2, complies with NRC Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions." There are functions which will not be tested at power because to do so would render the plant in a less safe condition. These include the following:

1. Turbine trip equipment that causes a reactor trip; the trip of turbine from this same turbine trip equipment also is taken credit for on a safety injection or reactor trip;
2. Generation of a reactor trip by use of the manual trip switch;
3. Generation of a reactor trip by use of the manual safety injection switch;
4. Closing the main steam line stop valves;
5. Closing the feedwater control valves;
6. Closing the feedwater isolation valves;
7. Reactor coolant pump component cooling water isolation valves (close);
8. Reactor coolant pump seal water return valves (close).

The actuation logic for the functions listed will be tested as described in Sections 7.2 and 7.3. As required by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation it has been determined that:

1. There is no practicable system design that would permit testing of the equipment without adversely affecting the safety or operability of the plant;
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and
3. The equipment will be routinely tested when the reactor is shutdown as defined in the Technical Specification.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the train in test. SSPS test circuitry does not allow trains to be tested at the same time so that extension of the bypass condition to redundant systems is prevented.

Note 3 Conformance to IEEE 379-1972 and Regulatory Guide 1.53

The principles described in IEEE Standard 379-1972 were used in the design of the Westinghouse protection system. The system complies with the intent of this standard and the additional requirements of Regulatory Guide 1.53. The formal analyses required by the standard have not been documented exactly as outlined, although parts of such analyses are published in various documents (e.g., WCP-7486-L, December 1970, and WCP-7486, May 1971, W.C. Gangloff, An Evaluation of Anticipated Operational Transient in Westinghouse Pressurized Water Reactors). Westinghouse has gone beyond the required analyses and has performed a fault-tree analysis (Section 7.1, Reference [1]).

The referenced Topical Reports provide details of the analyses of the protection systems previously made to show conformance with single failure criterion set forth in Paragraph 4.2 of IEEE Standard 279-1971. The interpretation of single failure criterion provided by IEEE-379 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The reactor trip and engineered safeguards actuation systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

Note 4 Conformance to Regulatory Guide 1.89

Watts Bar Nuclear Power Plant 1E equipment within the scope of 10 CFR 50.49 is qualified in accordance with IEEE 323-1971 or IEEE 323-1974. (See Reference [1] of Section 3.11). Section 7.1 Reference [4] provides additional information for the Eagle 21 process protection system.

Note 5 Conformance to Regulatory Guide 1.47

Watts Bar Nuclear Plant will be in full compliance with the intent of Regulatory Guide 1.47 (BISI) Revision 0, as described in Section 7.5.2.2.

Note 6 Conformance to Regulatory Guide 1.152

Watts Bar Nuclear Plant process protection racks are qualified by procedures and testing to Westinghouse's interpretation of Regulatory Guide 1.152 (WCAP-13191, Watts Bar Nuclear Plant Eagle 21 Process Protection System Replacement Hardware Verification and Validation Report, April 1992).

Regulatory Guide 1.152 endorses the guidance of ANSI/IEEE-ANS-7-4.3.2-1982.

Note 7 Conformance to Regulatory Guide 1.45

Compliance to Regulatory Guide 1.45 is as identified in Section 5.2.7.3.

Note 8 These Rules, Regulations and standards are applicable to the design of the Eagle 21 process protection system cabinets. Unless stated otherwise, the revision in effect on December 1, 1983 is applicable to the design.

Note 9 Regulatory Guide 1.153 endorses the guidance of IEEE Std. 603-1980.

Note 10 ANSI/IEEE-ANS-7-4.3.2-1982 expands and amplifies the requirements of IEEE Std. 603-1980.

Note 11 Conformance to Regulatory Guide 1.118

The design of the Eagle 21 process protection system cabinets complies with the requirements of Regulatory Guide 1.118 R2 except as follows:

Position C.6(a) - Where feasible, test switches or other necessary equipment will be installed permanently to minimize the use of temporary jumpers in testing in accordance with the requirements in IEEE Standard 338-1977.

Note 12 Conformance to Regulatory Guide 1.133

Conforms except as noted below. Refer to Section 7.6.7 for a discussion of the digital metal impact monitoring system (DMIMS), which is the Watts Bar Unit 2 loose part monitoring system.

Position C.5.a. states that the sensor location should be noted in the Technical Specifications. The Watts Bar Loose-Part Detection System Technical Specifications were relocated to the Technical Requirements Manual. The Technical Requirements Manual describes the sensor locations (TRM B 3.3.6, Loose-Part Detection System).

Positions C.3.a.(3) and C.5.c. recommend a channel calibration be performed at least once per 18 months. In lieu of this recommendation, the DMIMS is calibrated at the frequency stated in subsection TSR 3.3.6.3 of TR 3.3.6 (Loose-Part Detection System), which is the 18 month frequency defined in Reg Guide 1.133 Rev 1.

Positions C.3.a.(2) (a) and (e) state that the alert levels for startup and power operation be submitted to the Commission within 90 days (60 days for subsection (e)) following the completion of the startup test program or when there is a change to the preexisting alert levels for power operation. Watts Bar Unit 2 will report changes in the alert level alarm to the Commission when they exceed the setpoint determination criteria described in Section 7.6.7.

Table 7.1-2 Deleted by Amendment 8

Figure 7.1-1 Protection System Block Diagram

Figure 7.1-2 Powerhouse-Units 1 and 2 Wiring Diagrams Control Boards Critical Wiring Braid Installation

Figure 7.1-3-SH-1 Train A and Train B Process Interlocks

Figure 7.1-3-SH-2 Train A and Train B Process Interlocks

Figure 7.1-3-SH-3 Train A and Train B Process Interlocks

Figure 7.1-3-SH-4 Train A and Train B Process Interlocks

7.2 REACTOR TRIP SYSTEM

7.2.1 Description

7.2.1.1 System Description

The reactor trip system automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment, and heat transfer phenomena.

Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure, pressurizer water level (to prevent water discharge through safety valves, and uncovering heaters) and also on variables which directly affect the heat transfer capability of the reactor (e.g., reactor coolant flow and temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint the reactor will be shut down in order to protect against exceeding the specified fuel design limit, gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the containment.

The following systems make up the reactor trip system:

(1) Process Protection and Control System [1] and [11]

(2) Nuclear Instrumentation System (NIS) [2] and [15]

(3) Solid State Logic Protection System [3]

(4) Reactor Trip Switchgear

(5) Manual Actuation Circuit

The reactor trip system consists of two to four redundant sensors and associated process protection channels, which monitor various plant variables, and two redundant logic trains, which receive input protection actuation signals from the process protection and NIS channels to complete the logical decisions necessary to automatically open the reactor trip breakers.

Each of the two trains, A and B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers in series connect three phase ac power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-1, Sheet 1. Normally both the dc undervoltage trip coil and the shunt trip relay for each breaker are kept energized allowing power to be available at the rod control power supply cabinets. For reactor trip, a loss of dc voltage to the undervoltage coil releases the trip plunger and trips open the breaker and the shunt trip relay drops out causing the shunt trip coil to energize and also trip the breaker. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be reset until the abnormal condition which initiated the trip is corrected or no longer requires a reactor trip. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.

7.2.1.1.1 Functional Performance Requirements

The reactor trip system automatically initiates reactor trip:

(1) Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II),

(2) To limit core damage for infrequent faults (Condition III),

(3) So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV).

The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown and to avoid unnecessary actuation of the engineered safety features actuation system.

The reactor trip system provides for manual initiation of reactor trip by operator action.

7.2.1.1.2 Reactor Trips

The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing, quality control and testing are used. In addition to redundant channels and trains, the design approach provides a reactor trip system which monitors numerous system variables, therefore providing protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is detailed in References [4] and [5].

Table 7.2-1 provides a list of reactor trips which are described below. Protection system interlocks are described in Table 7.2-2. The functional logic for reactor trips is shown on Figure 7.2-1.

(1) Nuclear Overpower Trips

The specific trip functions generated are as follows:

(a) Power range high neutron flux trip

The power range high neutron flux trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint.

There are two independent bistables, each with its own trip setting used for a high and a low range trip setting. The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two out of the four power range channels read above approximately 10% power (P-10). Three out of the four channels below 10% automatically reinstates the trip function.

(b) Intermediate range high neutron flux trip

The intermediate range high neutron flux trip circuit trips the reactor when one out of the two intermediate range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two out of four power range channels are above the P-10 setpoint. Three out of the four power range channels below this value automatically reinstates the intermediate range high neutron flux trip.

The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

(c) Source range high neutron flux trip

The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one of the two intermediate range channels exceeds the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two out of four logic from the power range protection interlock (P-10). This trip function can also be reinstated below P-10 by a manual action requiring simultaneous manual actuation of two control board mounted switches, one in each of the two protection logic trains. The source range trip point is set between the P-6 setpoint and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

(d) Power range high positive neutron flux rate trip

This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of four power range channels. This trip provides DNB protection against rod ejection accidents of low worth from midpower and is always active.

Figure 7.2-1, Sheet 2, shows the logic for all of the nuclear overpower and rate trips. Detailed functional descriptions of the equipment associated with these functions are given in References [2] and [15].

(2) Core Thermal Overpower Trips

The specific trip functions generated are as follows:

(a) Overtemperature ΔT trip

This trip protects the core against low DNBR and trips the reactor on two out of four coincidence with one set of temperature measurements per loop. The setpoint for this trip is continuously calculated by the Eagle-21 process protection circuitry for each loop by solving the following equation:

$$
\mathrm{OT}\Delta T\ \mathrm{Setpoint} = \Delta T_o \left[ K_1 - K_2 \frac{1 + \tau_1 s}{1 + \tau_2 s} \left( T - T' \right) + K_3 \left( P - P' \right) - f_1(\Delta I) \right]
$$

An overtemperature ΔT reactor trip occurs when

$$
\Delta T \frac{1 + \tau_4 s}{1 + \tau_5 s} > \mathrm{OT}\Delta T\ \mathrm{Setpoint}
$$

where:

ΔT = Measured temperature difference between hot and cold leg, °F
ΔTo = Indicated loop ΔT at rated thermal power (RTP), °F
K1 = Reference trip setpoint
K2 = Penalty or benefit multiplier for deviation from indicated Tavg, /°F
K3 = Penalty or benefit multiplier for deviation from reference pressure, /psig
τ1, τ2 = Lead/lag time constants for Tavg compensation, seconds
τ4, τ5 = Lead/lag time constants for ΔT compensation, seconds
s = Laplace transform operator, sec^-1
T = Measured RCS average temperature (Tavg), °F
T' = Indicated loop Tavg at RTP, °F
P = Measured pressurizer pressure, psig
P' = Nominal RCS operating pressure, psig
f1(ΔI) = Power shape penalty, a function of the indicated difference between the top and bottom detectors of the power range neutron ion chambers.

Values of these parameters are provided in the Technical Specifications or are controlled by plant procedures (i.e., loop specific values of ΔTo and T' determined at the beginning of each fuel cycle are controlled by plant procedures).

Note: Additional information on associated tau values (τ6 and τ7) is provided in Section 7.2.1.1.4.

A separate long ion chamber unit supplies the flux signal for each overtemperature ΔT trip channel.

Increases in ΔI beyond a predefined deadband result in a decrease in trip setpoint. Refer to Figure 7.2-2.

The required one pressurizer pressure parameter per loop is obtained from separate sensors connected to three pressure taps at the top of the pressurizer. Four pressurizer pressure signals are obtained from the three taps by connecting one of the taps to two pressure transmitters. Refer to Section 7.1.2.2 for a discussion of independence of redundant sense lines.

The logic for this function is shown on Figure 7.2-1, Sheet 3. A detailed functional description of the process equipment associated with this function is contained in Reference [11].

(b) Overpower ΔT trip

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on two out of four coincidence with one set of temperature measurements per loop. The setpoint for each channel is continuously calculated by the process protection circuitry using the following equation:

$$
\mathrm{OP}\Delta T\ \mathrm{Setpoint} = \Delta T_o \left[ K_4 - K_5 \frac{\tau_3 s}{1 + \tau_3 s}\, T - K_6 \left( T - T'' \right) - f_2(\Delta I) \right]
$$

An overpower ΔT reactor trip occurs when:

$$
\Delta T \frac{1 + \tau_4 s}{1 + \tau_5 s} > \mathrm{OP}\Delta T\ \mathrm{Setpoint}
$$

where: ΔT, ΔTo, T, τ4, τ5 and s are defined in Section 7.2.1.1.2(2)(a), Overtemperature ΔT trip, and

K4 = Reference trip setpoint
K5 = Penalty multiplier for rate of change in Tavg, /°F (T > T'')
K6 = Penalty or benefit multiplier for deviation from reference Tavg, /°F
τ3 = Lag time constant for Tavg compensation, seconds
T'' = Indicated loop Tavg at RTP, °F
f2(ΔI) = Power shape penalty function, typically set to 0 for all ΔI

Values of these parameters are provided in the Technical Specifications or are controlled by plant procedures (i.e., loop specific values of ΔTo and T'' determined at the beginning of each fuel cycle are controlled by plant procedures).

Note: Additional information on associated tau values (τ6 and τ7) is provided in Section 7.2.1.1.4.

The source of temperature and flux information is identical to that of the overtemperature ΔT trip and the resultant overpower ΔT setpoint is compared to the same ΔT. The trip logic for this function is shown on Figure 7.2-1, Sheet 3. A detailed functional description of the process equipment associated with this function is contained in Reference [11].
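The two setpoint equations above, evaluated in discrete time, as an added worked example that is not part of the FSAR or of the Eagle 21 software. Every parameter value (ΔTo, T', T'', P', the K and τ constants, the f1 shape, the sample period) is a constructed placeholder, since the real values live in the Technical Specifications and plant procedures; the τ6/τ7 RTD lags of Section 7.2.1.1.4 are not modelled.

```python
"""Worked model of the OTΔT and OPΔT setpoint equations of Section 7.2.1.1.2(2).
The Laplace-domain lead/lag terms are discretised with backward Euler so the
channel can be stepped sample by sample.  All numbers are constructed placeholders."""
from typing import Optional

SAMPLE_PERIOD = 0.1   # seconds between channel evaluations (constructed)

# Constructed placeholder parameters, named as in the text's equations
DT0 = 60.0            # ΔT_o: indicated loop ΔT at RTP, °F
T_REF = 588.0         # T' and T'': indicated loop Tavg at RTP, °F (taken equal here)
P_REF = 2235.0        # P': nominal RCS operating pressure, psig
K1, K2, K3 = 1.10, 0.020, 0.0010
K4, K5, K6 = 1.08, 0.020, 0.0020
TAU1, TAU2 = 30.0, 4.0   # Tavg lead/lag for OTΔT, seconds
TAU3 = 10.0              # Tavg rate lag for OPΔT, seconds
TAU4, TAU5 = 5.0, 2.0    # ΔT lead/lag, seconds
DELTA_I_DEADBAND, DELTA_I_GAIN = 10.0, 0.01   # f1 shape (constructed)


class LeadLag:
    """y/u = (1 + tau_lead s)/(1 + tau_lag s), backward-Euler discretised:
    y_k = ((dt + tau_lead) u_k - tau_lead u_{k-1} + tau_lag y_{k-1}) / (dt + tau_lag).
    In steady state y = u, so the compensation only acts while the input moves."""
    def __init__(self, tau_lead: float, tau_lag: float) -> None:
        self.tau_lead, self.tau_lag = tau_lead, tau_lag
        self.u_prev: Optional[float] = None
        self.y_prev = 0.0

    def step(self, u: float, dt: float = SAMPLE_PERIOD) -> float:
        if self.u_prev is None:            # first sample: assume steady state (y = u)
            self.u_prev, self.y_prev = u, u
        y = ((dt + self.tau_lead) * u - self.tau_lead * self.u_prev
             + self.tau_lag * self.y_prev) / (dt + self.tau_lag)
        self.u_prev, self.y_prev = u, y
        return y


class RateLag:
    """y/u = tau s/(1 + tau s): zero in steady state, non-zero while u is changing."""
    def __init__(self, tau: float) -> None:
        self.tau = tau
        self.u_prev: Optional[float] = None
        self.y_prev = 0.0

    def step(self, u: float, dt: float = SAMPLE_PERIOD) -> float:
        if self.u_prev is None:
            self.u_prev = u
        y = self.tau * (u - self.u_prev + self.y_prev) / (dt + self.tau)
        self.u_prev, self.y_prev = u, y
        return y


def f1(delta_i: float) -> float:
    """Power shape penalty: zero inside the ΔI deadband, lowers the setpoint beyond it."""
    return DELTA_I_GAIN * max(0.0, abs(delta_i) - DELTA_I_DEADBAND)


def f2(delta_i: float) -> float:
    """The text states f2 is typically set to 0 for all ΔI."""
    return 0.0


class DeltaTChannel:
    """One loop's OTΔT/OPΔT comparison with its dynamic compensation."""
    def __init__(self) -> None:
        self.dt_comp = LeadLag(TAU4, TAU5)      # ΔT (1 + τ4 s)/(1 + τ5 s)
        self.tavg_comp = LeadLag(TAU1, TAU2)    # (1 + τ1 s)/(1 + τ2 s) T, OTΔT only
        self.tavg_rate = RateLag(TAU3)          # τ3 s/(1 + τ3 s) T, OPΔT only

    def step(self, delta_t: float, tavg: float, pressure: float, delta_i: float) -> dict:
        dt_c = self.dt_comp.step(delta_t)
        ot_sp = DT0 * (K1 - K2 * (self.tavg_comp.step(tavg) - T_REF)
                       + K3 * (pressure - P_REF) - f1(delta_i))
        op_sp = DT0 * (K4 - K5 * self.tavg_rate.step(tavg)
                       - K6 * (tavg - T_REF) - f2(delta_i))
        return {"dt_comp": dt_c, "ot_setpoint": ot_sp, "op_setpoint": op_sp,
                "ot_trip": dt_c > ot_sp, "op_trip": dt_c > op_sp}


def run_constant(channel: DeltaTChannel, samples: int, **inputs) -> dict:
    """Evaluate the channel repeatedly with constant inputs; returns the last result."""
    result = {}
    for _ in range(samples):
        result = channel.step(**inputs)
    return result


if __name__ == "__main__":
    ch = DeltaTChannel()
    print("rated:", run_constant(ch, 50, delta_t=DT0, tavg=T_REF, pressure=P_REF, delta_i=0.0))
    # A 5 °F Tavg step: the τ1/τ2 lead pulls the OTΔT setpoint down before Tavg settles.
    for k in range(3):
        print("Tavg step, sample", k, ch.step(DT0, T_REF + 5.0, P_REF, 0.0))
```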

(3) Reactor Coolant System Pressurizer Pressure and Water Level Trips:

The specific trip functions generated are as follows:

(a) Pressurizer low pressure trip

The purpose of this trip is to protect against low pressure which could lead to DNB. The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7 the reactor is tripped when two out of four pressurizer pressure measurements (compensated for rate of change) fall below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

The trip logic is shown on Figure 7.2-1, Sheet 2. A detailed functional description of the process equipment associated with the function is contained in References [5] and [11].

(b) Pressurizer High Pressure Trip

The purpose of this trip is to protect the reactor coolant system against system overpressure. The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate comparators are used for trip. These comparators trip the reactor when two out of four uncompensated pressurizer pressure signals exceed preset limits as listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

The logic for this trip is shown on Figure 7.2-1, Sheet 2. The detailed functional description of the process equipment associated with this trip is provided in References [5] and [11].

(c) Pressurizer High Water Level Trip

This trip is provided as a backup to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves.

Above P-7, the reactor is tripped when two out of three pressurizer water level measurements exceed preset limits. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.

The trip logic for this function is shown on Figure 7.2-1, Sheet 2. A detailed description of the process equipment associated with this function is contained in References [5] and [11].

(4) Reactor Coolant System Low Flow Trips

These trips protect the core from DNB in the event of a loss of coolant flow situation. The means of sensing the loss of coolant flow are as follows:

(a) Low Reactor Coolant Flow Trip

Reactor coolant flow measurements are derived from elbow taps in each coolant loop. The basic function of these devices is to provide information as to whether or not a reduction in flow has occurred. An output signal from two out of the three comparators in a loop would indicate a low flow in that loop. Above P-8, low flow in one loop will trip the reactor. Between P-7 and P-8, low flow in two out of four loops will result in a reactor trip. This trip is blocked below P-7 to permit startup.

The coincidence logic and interlocks are given in Table 7.2-1. The logic for this trip is shown on Figure 7.2-1, Sheet 3. A detailed functional description of the process equipment associated with the trip function is contained in References [5] and [11].

(b) Reactor Coolant Pump Undervoltage Trip

This trip is required in order to protect against low flow which can result from loss of voltage to more than one reactor coolant pump motor (e.g., from plant loss of voltage or reactor coolant pump breakers opening).

This trip is blocked below P-7 to permit startup.

There is one undervoltage sensing relay for each pump motor connected at the load side of each reactor coolant pump breaker.

These relays provide an output signal when the pump voltage goes below setpoint. Signals from these relays are time delayed to prevent spurious trips caused by short term voltage perturbations. The coincidence logic and interlocks are given in Table 7.2-1. The trip logic is shown on Figure 7.2-1, Sheet 3.

(c) Reactor Coolant Pump Underfrequency Trip

This trip provides protection against low reactor coolant flow resulting from bus underfrequency (e.g., power grid frequency transients).

Above the P-7 interlock setpoint, an underfrequency condition on two out of four reactor coolant pump (RCP) motors will trip the reactor and open all of the RCP circuit breakers.

There is one underfrequency sensing relay connected to the load side of each RCP breaker. The signals from these relays are time delayed to prevent spurious trips caused by short-term frequency perturbations.

The coincidence logic and interlocks are given in Table 7.2-1. The trip logic is shown on Figure 7.2-1, Sheet 3.

Westinghouse analysis of loss of flow accidents caused by power system frequency transients [Reference 6] has shown that the reactor is adequately protected by the underfrequency reactor trip for frequency decay rates of less than 6.8 Hz/sec without taking credit for the RCP breaker trip. A grid analysis of the TVA power system determined the maximum system frequency decay rate to be less than 5 Hz/sec.

Consequently, no credit is taken for the underfrequency trip.

(5) Low-Low Steam Generator Water Level Trip (including Trip Time Delay)

This trip protects the reactor from loss of heat sink in the event of a loss of feedwater to one or more steam generators or a major feedwater line rupture outside containment. This trip is actuated on two out of three low-low water level signals occurring in any steam generator. If a low-low water level condition is detected in one steam generator, signals are generated to trip the reactor and start the motor-driven auxiliary feedwater pumps. If a low-low water level condition is detected in two or more steam generators, a signal is generated to start the turbine-driven auxiliary feedwater pump as well.

The signals to actuate the reactor trip and start auxiliary feedwater pumps are delayed through the use of a Trip Time Delay (TTD) system for reactor power levels below 50% of RTP. Low-Low water level in any steam generator will generate a signal which starts an elapsed time trip delay timer. The allowable trip time delay is based upon the prevailing power level at the time the low-low level trip setpoint is reached and the number of steam generators that are affected. If power level rises after the trip time delay setpoints have been determined, the trip time delay is re-determined (i.e., decreased) according to the increase in power level.

At this point the timer will continue timing from the original timer initiation.

However, the trip time delay setpoints are not increased if the power level decreases after the TTD timer has started. The use of this delay allows added time for natural steam generator level stabilization or operator intervention to avoid an undesirable inadvertent protection system actuation.

There are no interlocks or permissives associated with this trip function. The logic for this protective function is shown on Figure 7.2-1, Sheet 4. A detailed functional description of the process equipment associated with this function is contained in References [11] and [14].
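The Trip Time Delay behaviour described above, as an added worked model that is not part of the FSAR or the plant's protection software. The delay-versus-power relationship, the 240 s and 120 s base delays and the time values are constructed placeholders; the only number taken from the text is the 50% RTP limit below which the delay applies.

```python
"""Model of the Trip Time Delay (TTD) rules of Section 7.2.1.1.2(5): the delay is
fixed from power level and number of affected steam generators when low-low level
is first reached, is shortened if power rises, is never lengthened if power falls,
and the timer keeps its original start.  Delay values are constructed placeholders."""
from typing import Optional

TTD_POWER_LIMIT = 50.0   # % RTP: the text applies the delay only below this level


def allowable_delay(power_pct: float, affected_sgs: int) -> float:
    """Constructed placeholder: longer delay at lower power and with a single affected
    steam generator; no delay at or above 50% RTP or with no low-low signal."""
    if power_pct >= TTD_POWER_LIMIT or affected_sgs == 0:
        return 0.0
    base = 240.0 if affected_sgs == 1 else 120.0      # seconds, constructed
    return base * (1.0 - power_pct / TTD_POWER_LIMIT)


def auxiliary_feedwater_starts(affected_sgs: int) -> dict:
    """One low-low SG starts the motor-driven pumps; two or more also start the
    turbine-driven pump (both signals pass through the same delay)."""
    return {"motor_driven": affected_sgs >= 1, "turbine_driven": affected_sgs >= 2}


class TripTimeDelay:
    """Elapsed-time delay timer for the low-low level reactor trip and AFW start signals."""
    def __init__(self) -> None:
        self.t_start: Optional[float] = None
        self.delay = 0.0

    def update(self, t: float, affected_sgs: int, power_pct: float) -> bool:
        """Return True when the delayed trip/AFW signal is issued at time t (seconds)."""
        if affected_sgs == 0:                     # low-low condition cleared: timer reset
            self.t_start = None
            return False
        candidate = allowable_delay(power_pct, affected_sgs)
        if self.t_start is None:                  # first low-low signal starts the timer
            self.t_start, self.delay = t, candidate
        else:
            # Re-determined only downward: a power rise (or another affected SG) shortens
            # the delay, a power drop does not lengthen it, timing continues from t_start.
            self.delay = min(self.delay, candidate)
        return (t - self.t_start) >= self.delay


if __name__ == "__main__":
    ttd = TripTimeDelay()
    for t, power in ((0.0, 10.0), (100.0, 10.0), (100.0, 40.0)):
        print(f"t={t:5.1f}s power={power:4.1f}% -> trip={ttd.update(t, 1, power)} "
              f"(delay {ttd.delay:.1f}s)")
```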

(6) Reactor Trip on a Turbine Trip

The reactor trip on a turbine trip is actuated by two out of three logic from low autostop oil pressure signals or by closed signals from all four turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9.

The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public.

This trip is included as part of good engineering practice and prudent design.

No credit is taken in any of the accident analyses (Chapter 15) for this trip.

Channel separation is maintained from the sensors to the reactor protection system logic input cabinets for both the low autostop oil pressure signals and the steam stop valves closed signals. This design meets the redundancy and separation requirements identical to those for Class 1E circuits. Mounting and location is in non-seismic Category I structures.

The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine autostop oil pressure goes below its setpoint.

One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. The contacts are closed during plant operation and open to cause reactor trip when the turbine is tripped. No power is provided to the protection system from the contacts; they merely serve to interrupt power to cause reactor trip.

This design functions in a de-energize-to-trip fashion to cause a reactor trip if power is interrupted in the trip circuitry. This ensures that the protection system will in no way be degraded by this anticipatory trip because seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The reactor protection system cabinets which receive the inputs from the anticipatory trip sensors are seismically qualified as discussed in Section 3.10.). The anticipatory trips thus meet the intent of IEEE-279-1971, including redundancy, separation, single failure, etc.

Seismic qualification of the contact sensors is not required.

The logic for this trip is shown on Figure 7.2-1, Sheet 3.

(7) Safety Injection Signal Actuation Trip

A reactor trip occurs when the Safety Injection System is actuated. The means of actuating the Safety Injection System are described in Section 7.3.

This trip protects the core against a loss of reactor coolant or heat sink.

Figure 7.3-3, Sheet 3, shows the logic for this trip. A detailed functional description of the process equipment associated with this trip function is provided in References [5] and [11].

(8) Manual Trip

The manual trip consists of two switches with two outputs on each switch.

One output is used to actuate the train A reactor trip breaker, the other output actuates the train B reactor trip breaker. Operating a manual trip switch removes the voltage from the undervoltage trip coil and energizes the shunt trip coil.

There are no interlocks which can block this trip. Figure 7.2-1, Sheet 2, shows the manual trip logic.

7.2.1.1.3 Reactor Trip System Interlocks

(1) Power Escalation Permissives

The overpower protection provided by the excore nuclear instrumentation consists of three overlapping ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

A one of two intermediate range permissive signal (P-6) is required prior to source range trip blocking. Source range level trips are automatically reactivated when both intermediate range channels are below the permissive (P-6) level. There are two manual reset switches for administratively reactivating the source range trip when between permissive P-6 and P-10 if required. Source range trip block is always maintained when above permissive P-10.

The intermediate range trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two of four power range channels. Four individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power range channels are below permissive P-10, thus ensuring automatic activation to more restrictive trip protection.

The development of permissives P-6 and P-10 is shown on Figure 7.2-1, Sheet 2. These permissives are derived from analog signals in the nuclear power range and intermediate range channels.

See Table 7.2-2 for the list of protection system interlocks.

(2) Blocks of Reactor Trips at Low Power

Interlock P-7 blocks a reactor trip below approximately 10% of full power on a low reactor coolant flow in more than one loop, reactor coolant pump undervoltage, reactor coolant pump underfrequency, pressurizer low pressure, or pressurizer high water level. The low power block signal is derived from three out of four power range neutron flux signals below the setpoint in coincidence with two out of two turbine impulse pressure signals below the setpoint (low plant load). See Figure 7.2-1, Sheets 2 and 3, for the derivation and application of P-7.

The P-8 interlock blocks a reactor trip when the plant is below approximately 48% of full power, on a low reactor coolant flow in any one loop. The block action (absence of the P-8 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor trip will not occur until two loops are indicating low flow.

See Figure 7.2-1, Sheet 3, for derivation of P-8 and applicable logic.

The P-9 interlock blocks a reactor trip on a turbine trip when the plant is below approximately 50% of full power. The block action (absence of the P-9 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-9 setpoint, the reactor will not trip directly from a turbine-tripped signal but will allow the reactor control system, utilizing steam dump to the condenser as an artificial load, to bring the reactor to zero power. See Figure 7.2-1, Sheet 2, for derivation of P-9, and Sheet 3 for logic applications.


See Table 7.2-2 for the list of protection system blocks.
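The P-7, P-8 and P-9 block logic described above, as an added worked example (not code from the FSAR or from the plant's protection system); the setpoint fractions are the approximate power levels quoted above, and the turbine impulse pressure low setpoint is a constructed placeholder:

```python
"""Permissive/block logic for interlocks P-7, P-8 and P-9, as an added
illustration of the interlock description (not FSAR or plant code).
Power-range values are fractions of full power; the turbine impulse
pressure low setpoint is a constructed placeholder."""
from typing import Dict, Sequence

# Approximate power levels quoted in the text for the three interlocks
P7_POWER = 0.10
P8_POWER = 0.48
P9_POWER = 0.50
TURBINE_IMPULSE_LOW = 0.10  # constructed: fraction of full-load impulse pressure


def n_below(values: Sequence[float], setpoint: float) -> int:
    """Count the channels indicating below the setpoint."""
    return sum(1 for v in values if v < setpoint)


def p7_block(power_range: Sequence[float], turbine_impulse: Sequence[float]) -> bool:
    """Low-power block (absence of P-7): 3/4 power range channels below the
    setpoint in coincidence with 2/2 turbine impulse pressure channels below.
    A single channel failed low cannot produce the block on its own."""
    return (n_below(power_range, P7_POWER) >= 3
            and n_below(turbine_impulse, TURBINE_IMPULSE_LOW) >= 2)


def p8_block(power_range: Sequence[float]) -> bool:
    """Absence of P-8: 3/4 power range channels below ~48% power."""
    return n_below(power_range, P8_POWER) >= 3


def p9_block(power_range: Sequence[float]) -> bool:
    """Absence of P-9: 3/4 power range channels below ~50% power."""
    return n_below(power_range, P9_POWER) >= 3


# Which interlock blocks each partial trip, per the text above
BLOCKED_BY: Dict[str, str] = {
    "low_flow_one_loop": "P-8",
    "low_flow_two_loops": "P-7",
    "rcp_undervoltage": "P-7",
    "rcp_underfrequency": "P-7",
    "pzr_low_pressure": "P-7",
    "pzr_high_level": "P-7",
    "turbine_trip": "P-9",
}


def effective_trips(demanded: Dict[str, bool], power_range: Sequence[float],
                    turbine_impulse: Sequence[float]) -> Dict[str, bool]:
    """Apply the low-power blocks to the raw partial-trip demands.
    Trips with no entry in BLOCKED_BY are never blocked."""
    blocks = {
        "P-7": p7_block(power_range, turbine_impulse),
        "P-8": p8_block(power_range),
        "P-9": p9_block(power_range),
    }
    return {name: on and not blocks.get(BLOCKED_BY.get(name, ""), False)
            for name, on in demanded.items()}


def main() -> None:
    # Constructed scenario: full power, one power range channel failed low,
    # turbine trips; the single failed channel cannot block the trip
    print(effective_trips({"turbine_trip": True}, [1.0, 1.0, 1.0, 0.0], [1.0, 1.0]))
    # Constructed scenario: 5% power with the turbine unloaded; P-7 trips blocked
    print(effective_trips({"pzr_low_pressure": True}, [0.05] * 4, [0.02, 0.02]))


if __name__ == "__main__":
    main()
```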

7.2.1.1.4 Reactor Coolant Temperature Sensor Arrangement and Calculational Methodology

The individual narrow range cold and hot leg temperature signals required for input to the reactor trip circuits and interlocks are obtained using RTDs installed in each reactor coolant loop.

The cold leg temperature measurement on each loop is accomplished with two narrow range RTDs mounted in thermowells. The cold leg sensors are inherently redundant in that either sensor can adequately represent the cold leg temperature measurement.

The hot leg temperature measurement on each loop is accomplished with three narrow range RTDs mounted in thermowells spaced 120 degrees apart around the circumference of the reactor coolant pipe for spatial variations.

These cold and hot leg narrow range RTD signals are input to the process protection system digital electronics and are processed as follows:

The two cold leg temperature signals are subjected to range and consistency checks and then averaged to provide a group value for Tcold.

A consistency check is performed on the Tcold input signals. If these signals agree within an acceptance interval (DELTAC), the group quality is set to GOOD. If the signals do not agree within the acceptance tolerance DELTAC, the group quality is set to BAD and the individual signal qualities are set to POOR. The average of the two signals is used to represent the group in either case. If an input signal is manually disabled or subject to a diagnosed hardware failure, the group is represented by the active signal. DELTAC is a fixed input parameter based on operating experience. One DELTAC value is required for each loop/protection set.

The following parameters are used in conjunction with the Overtemperature ΔT and Overpower ΔT reactor trips:

$T_c$ = narrow range Tcold input signal

$T_{cf}$ = filtered Tcold signal $= T_c \cdot \dfrac{1}{1 + \tau_7 s}$

where:

$\tau_7$ = time constant utilized in the lag compensator for Tcold. Typically set to 0.0 sec.

$T_{cf,ave}$ = group average of the valid input signals

$s$ is defined in Section 7.2.1.1.2.

Each of the three hot leg temperature signals is subjected to a range check and utilized to calculate an estimated average hot leg temperature, which is consistency checked against the other two estimates for average hot leg temperature.


Then an average of the three estimated hot leg temperatures is computed and the individual signals are checked to determine if they agree within ±DELTAH of the average value. If all of the signals do agree within ±DELTAH of the average value, the group quality is set to GOOD. The group value is set to the average of the three estimated average hot leg temperatures.

If the signal values do not all agree within ±DELTAH of the average, the algorithm will delete the signal value which is furthest from the average. The quality of this signal will be set to POOR and a consistency check will then be performed on the remaining GOOD signals. If these signals pass the consistency check, the group value will be taken as the average of these GOOD signals and the group quality will be set to POOR. However, if these signals again fail the consistency check (within ±DELTAH), then the group value will be set to the average of these two signals, but the group quality will be set to BAD. All of the individual signals will have their quality set to POOR. If one or two input signals are manually disabled or subject to a diagnosed hardware failure, the group value is based on the unaffected signal(s). DELTAH is a fixed input parameter based on temperature distribution tests with the hot leg and operating experience. One DELTAH value is required for each loop/protection set.

The following parameters are used in conjunction with the Overtemperature ΔT and Overpower ΔT reactor trips:

$T_h$ = narrow range Thot input signal

$T_{fh}$ = filtered Thot signal $= T_h \cdot \dfrac{1}{1 + \tau_6 s}$

where:

$\tau_6$ = time constant utilized in the lag compensator for Thot. Typically set to 0.0 sec.

$T_{fh,ave}$ = group average of the valid Thot input signals

The estimated average hot leg temperature is derived from each Thot input signal as follows:

$$T_h^o = T_{fh} - P_B \cdot S$$

where:

$P_B$ = power fraction used to correct the bias value for any power level:

$$P_B = \frac{T_{fh,ave} - T_{cf,ave}}{\Delta T^\circ}$$

$\Delta T^\circ$ = the indicated loop $\Delta T$ at rated thermal power.

$S$ = manually input bias which corrects the individual Thot RTD value to the loop average.

$\Delta T$ and $T_{avg}$ are calculated as follows:

$$\Delta T = T_{fh,ave} - T_{cf,ave}$$

$$T_{avg} = \frac{T_{fh,ave} + T_{cf,ave}}{2.0}$$

The calculated values for $\Delta T$ and $T_{avg}$ are then utilized for both the remainder of the Overtemperature and Overpower $\Delta T$ protection channel and the channel outputs used for control purposes.
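The cold and hot leg group processing described above, carried through as an added worked example (not Eagle 21 code and not code from the FSAR); the temperatures, DELTAC, DELTAH, bias values and rated ΔT are constructed, the lag time constants are taken at their typical 0.0 sec, and feeding the hot group value into ΔT and Tavg is an assumption, since the page's notation does not distinguish it from the plain average of the filtered Thot inputs:

```python
"""Signal quality (GOOD/POOR/BAD) and group-value logic for the narrow range
cold and hot leg RTD groups, as an added illustration of the processing
described above (not Eagle 21 or FSAR code). Temperatures in degrees F;
DELTAC, DELTAH, bias and rated delta-T values are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Sequence, Tuple


class Quality(Enum):
    GOOD = "GOOD"
    POOR = "POOR"
    BAD = "BAD"


@dataclass
class GroupResult:
    value: float                             # group value passed downstream
    quality: Quality                         # group quality
    signal_quality: List[Optional[Quality]]  # per input; None = disabled/failed


def lag(x: float, y_prev: float, tau: float, dt: float) -> float:
    """Discrete first-order lag 1/(1 + tau*s); tau = 0.0 passes x straight through."""
    if tau <= 0.0:
        return x
    return y_prev + (dt / (tau + dt)) * (x - y_prev)


def agree(values: Sequence[float], tol: float) -> bool:
    """True when every value lies within +/- tol of the group average."""
    avg = sum(values) / len(values)
    return all(abs(v - avg) <= tol for v in values)


def cold_leg_group(tc: Sequence[float], delta_c: float,
                   active: Optional[Sequence[bool]] = None) -> GroupResult:
    """Two cold leg RTDs: consistency check, then average in either case.
    Assumption: 'agree within DELTAC' is read as |Tc1 - Tc2| <= DELTAC."""
    active = list(active) if active is not None else [True] * len(tc)
    qual: List[Optional[Quality]] = [Quality.GOOD if a else None for a in active]
    live = [t for t, a in zip(tc, active) if a]   # disabled input: use the other
    avg = sum(live) / len(live)
    if len(live) == 1 or abs(live[0] - live[1]) <= delta_c:
        return GroupResult(avg, Quality.GOOD, qual)
    return GroupResult(avg, Quality.BAD, [Quality.POOR if a else None for a in active])


def hot_leg_group(estimates: Sequence[float], delta_h: float,
                  active: Optional[Sequence[bool]] = None) -> GroupResult:
    """Three estimated average hot leg temperatures: GOOD if all agree within
    +/- DELTAH of the average; otherwise drop the furthest one (POOR) and
    recheck the rest; if they still disagree, group BAD and every input POOR."""
    active = list(active) if active is not None else [True] * len(estimates)
    qual: List[Optional[Quality]] = [Quality.GOOD if a else None for a in active]
    idx = [i for i, a in enumerate(active) if a]
    vals = [estimates[i] for i in idx]
    if len(vals) == 1 or agree(vals, delta_h):
        return GroupResult(sum(vals) / len(vals), Quality.GOOD, qual)
    if len(vals) == 3:
        avg = sum(vals) / 3
        worst = max(idx, key=lambda i: abs(estimates[i] - avg))
        qual[worst] = Quality.POOR
        vals = [estimates[i] for i in idx if i != worst]
        if agree(vals, delta_h):
            return GroupResult(sum(vals) / 2, Quality.POOR, qual)
    for i in idx:                      # second failure: all inputs POOR
        qual[i] = Quality.POOR
    return GroupResult(sum(vals) / len(vals), Quality.BAD, qual)


def power_fraction(tfh_ave: float, tfc_ave: float, delta_t_rated: float) -> float:
    """P_B = (Tfh,ave - Tcf,ave) / (indicated loop delta-T at rated power)."""
    return (tfh_ave - tfc_ave) / delta_t_rated


def estimate_hot_leg(tfh: Sequence[float], bias: Sequence[float], p_b: float) -> List[float]:
    """Per-RTD estimated average hot leg temperature: Th_o = Tfh - P_B * S."""
    return [t - p_b * s for t, s in zip(tfh, bias)]


def delta_t_and_tavg(th_ave: float, tc_ave: float) -> Tuple[float, float]:
    """delta-T and Tavg from the hot and cold group values."""
    return th_ave - tc_ave, (th_ave + tc_ave) / 2.0


def process_loop(tc: Sequence[float], th: Sequence[float], bias: Sequence[float],
                 delta_c: float, delta_h: float, delta_t_rated: float) -> Dict[str, object]:
    """One pass for a loop/protection set with the lag time constants at 0.0 sec.
    Assumption: the hot group value is the Tfh,ave term used in delta-T and Tavg."""
    tcf = [lag(t, t, 0.0, 0.1) for t in tc]
    tfh = [lag(t, t, 0.0, 0.1) for t in th]
    cold = cold_leg_group(tcf, delta_c)
    p_b = power_fraction(sum(tfh) / len(tfh), cold.value, delta_t_rated)
    hot = hot_leg_group(estimate_hot_leg(tfh, bias, p_b), delta_h)
    dt, tavg = delta_t_and_tavg(hot.value, cold.value)
    return {"Tcold": cold, "Thot": hot, "P_B": p_b, "dT": dt, "Tavg": tavg}


if __name__ == "__main__":
    # Constructed inputs: loop near full power, one bias value S per hot leg RTD
    r = process_loop([557.5, 558.5], [618.0, 619.0, 617.0], [0.0, 1.0, -1.0],
                     delta_c=1.5, delta_h=2.0, delta_t_rated=60.0)
    print(r["Thot"].quality.value, r["dT"], r["Tavg"])   # GOOD 60.0 588.0
```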

The accuracy of the narrow range RTD loop temperature measurements will be demonstrated during plant startup tests and periodically with surveillance tests.

Testing compares temperature measurements from the narrow range RTDs with one another as well as with the temperature measurements obtained from the wide range RTDs located in the hot leg and cold leg piping of each loop. The comparisons are done with the reactor coolant system in an isothermal condition. The narrow range RTD signals will also be compared with the core exit thermocouple signals during plant startup tests.

During plant startup tests, ΔT measurements obtained from the hot leg and cold leg narrow range loop RTDs will be compared to plant power and, if required, normalized to plant power. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent. Therefore the percent ΔT scheme is relative, not absolute, and thus provides better protective action without sacrificing accuracy.

7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement

The pressurizer water level instrumentation consists of three independent, redundant instrument channels which provide reactor trip and control functions. The associated high and low pressure sense lines for each level channel connect to the upper (vapor-filled) and lower (liquid-filled) regions of the pressurizer, respectively, and satisfy the independence requirements specified in Section 7.1.2.2. The high pressure sense line is called a reference leg because the line must be liquid filled and the fill elevation must be maintained at a known point by use of a condensing chamber. The main portion of the reference leg consists of a remote-seal/capillary system (integral to the level transmitter) which provides a mechanical seal (bellows) between the process fluid and the capillary line fill-fluid. The location of the remote seal is required to be 12 inches or less (measured vertically) from the associated condensing chamber. The condensing chamber and downstream piping are uninsulated and are thus cooled by the ambient environment. This remote seal location requirement minimizes the potential adverse effects of a loss of condensate between the condensing chamber and the remote seal due to a sudden RCS depressurization event. During reactor operation, the condensate could contain a high concentration of dissolved hydrogen gas. Upon a rapid RCS depressurization event, the hydrogen gas coming out of solution would force the condensate from the line segment between the remote seal and the condensing chamber. This remote seal location requirement limits the maximum head pressure loss error for this event to approximately 12 inches.

Pressurizer level channel maintenance features include transmitter/remote seal isolation and equalization capability without affecting other redundant channels. Also, the condensing chamber can be remotely vented by use of permanently installed vent lines with manual isolation valves.

7.2.1.1.6 Process Protection System

The process protection instrumentation system is described in References [1] and [11].

The nuclear instrument system is described in References [2] and [15]. Reference [2] is applicable to the power range only.

7.2.1.1.7 Solid State Logic Protection System

The solid state logic protection system takes binary inputs from the process protection and nuclear instrument channels and other plant equipment corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage coils and the shunt trip relays (which energize the shunt trip coils) of the reactor trip circuit breakers when the necessary combination of signals occurs. The system also provides annunciator, status light and computer input signals which indicate the condition of partial trip and full trip functions and the status of the various blocking, permissive (see Section 10.4.4.3 for the exception on P-12) and actuation functions. In addition, the system includes means for semi-automatic testing of the logic circuits. A detailed description of this system is given in Reference [3].

7.2.1.1.8 Isolation Devices

In certain applications, control signals and other non-protective functions are derived from individual protection channels through isolation devices contained in the protection channel, as permitted by IEEE Standard 279-1971. The isolation devices are part of the protection system and are located in the process protection racks. By definition, non-protective functions include those signals used for control, remote process indication, and computer monitoring.

Isolation device qualification type tests are described in References [7], [8], and [11].

7.2.1.1.9 Energy Supply and Environmental Variations

The energy supply for the reactor trip system is described in Chapter 8. The environmental variations, throughout which the system will perform, are given in Section 3.11 and Chapter 8.

As documented in Reference [7], testing was performed on the Eagle 21 Process Protection System to demonstrate that the Eagle 21 system remained operational before, during and after applied noise, fault, surge withstand, electromagnetic interference (EMI) and radio frequency interference (RFI) operating conditions.

Objectives accomplished by the test demonstrated that the physical independence of the non-Class 1E and Class 1E circuitry was maintained and that the system was designed to withstand worst-case noise environment conditions.

7.2.1.1.10 Setpoints

The setpoints that require trip action are given in the Technical Specifications. The methodology used to derive the setpoints is described in References [13], [16] and [18]. See Section 7.1.2.1.9 for additional discussion.

7.2.1.1.11 Seismic Design

The seismic design considerations for the reactor trip system are given in Section 3.10.

This design meets the requirements of Criterion 2 of the 1971 General Design Criteria (GDC).

7.2.1.2 Design Bases Information

The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971, Reference [9]. The reactor trip logic is presented in Figure 7.2-1, Sheets 1 through 4.

7.2.1.2.1 Generating Station Conditions

The following are the generating station conditions requiring reactor trip.


(1) DNBR approaching the limiting value.

(2) Power density (kilowatts per foot) approaching rated value for Condition II events (See Chapter 4 for fuel design limits).

(3) Reactor coolant system overpressure creating stresses approaching the limits specified in Chapter 5.

7.2.1.2.2 Generating Station Variables

The following are the variables required to be monitored in order to provide reactor trips (see Table 7.2-1).

(1) Neutron flux

(2) Reactor coolant temperature

(3) Reactor coolant system pressure (pressurizer pressure)

(4) Pressurizer water level

(5) Reactor coolant flow

(6) Reactor coolant pump bus voltage and frequency

(7) Steam generator water level

(8) Turbine-generator operational status (autostop oil pressure and stop valve position).

7.2.1.2.3 Spatially Dependent Variables

Reactor coolant temperature is a spatially dependent variable. See Section 7.3.1.2.3 for a discussion.

7.2.1.2.4 Limits, Margins and Levels

The parameter values that will require reactor trip are given in the Technical Specifications. Chapter 15 demonstrates that the setpoints used in the Technical Specifications are conservative.

The setpoints for the various functions in the reactor trip system have been analytically determined such that the operational limits so prescribed will prevent fuel rod clad damage and loss of integrity of the reactor coolant system as a result of any ANS Condition II incident. As such, during any ANS Condition II incident, the reactor trip system limits the following parameters to:

(1) Minimum DNBR - limiting value.

(2) Maximum system pressure = 2750 psia

(3) Fuel rod maximum linear power - maximum rated power

The accident analyses described in Section 15.2 demonstrate that the functional requirements as specified for the reactor trip system are adequate to meet the above considerations, even assuming, for conservatism, adverse combinations of instrument errors (refer to Table 15.1-3). A discussion of the safety limits associated with the reactor core and reactor coolant system, plus the limiting safety system setpoints, is presented in the Technical Specifications. The Technical Specifications incorporate both nominal and limiting setpoints. Nominal settings of the setpoints are more conservative than the limiting settings. This allows for calibration uncertainty and instrument channel drift without violating the limiting setpoint. Automatic initiation of protective functions occurs at the nominal setpoints (plus or minus the allowed tolerances). The methodology used to derive the setpoints is documented in References [13], [16], and [18]. A further discussion on trip setpoints is given in Section 7.2.2.1.1.

7.2.1.2.5 Abnormal Events

The malfunctions, accidents or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:

(1) Earthquakes (see Sections 2.5 and 3.7).

(2) Fire (see Section 9.5)

(3) Explosion (hydrogen buildup inside containment) (see Section 6.2).

(4) Missiles (see Section 3.5).

(5) Flood (see Sections 2.4 and 3.4).

(6) Wind and Tornadoes (see Section 3.3).

The reactor trip system fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions. The reactor trip system provides protection against destruction of the system from fires, explosions, floods, wind, and tornadoes (see each item above).

The discussions in Section 7.1.2.1.7 and this section adequately address or reference the Safety Analysis Report coverage of the effects of abnormal events on the reactor trip system in conformance with applicable General Design Criteria.

7.2.1.2.6 Minimum Performance Requirements

(1) Reactor Trip System Response Time

Reactor trip system response time is defined in Section 7.1. The maximum allowable time delays in generating the reactor trip signal are provided in the Technical Requirements Manual. These values are verified in accordance with the Technical Specifications and are consistent with the safety analyses.


See Table 7.1-1, Note 1, for a discussion of periodic response time verification capabilities.

(2) Reactor Trip Accuracies

Accuracy is defined in Section 7.1. Reactor trip accuracies are given in References [13] and [18].

(3) Protection System Ranges

Typical protection system ranges are tabulated in Table 7.2-3.

7.2.1.3 Final Systems Drawings

Functional logic diagrams, electrical schematics and other drawings documenting the protection system design are listed in Table 1.7-1.

7.2.2 Analyses

A reliability study for the reactor trip and engineered safety features function of the Eagle 21 process protection system hardware was performed to compare the availability of the Eagle 21 digital system with the previous implementation of the same function using analog hardware. Availability is defined as the probability that a system will perform its intended function (e.g., actuate a partial trip) at a randomly selected instant in time. Results of the availability study determined that the Eagle 21 digital system is commensurate with an equivalent analog process protection system availability, although no credit was given to the Eagle 21 process protection features of automatic surveillance testing, self-calibration and self-diagnostics when the study was performed. It is expected that if credit were given to the Eagle 21 self-diagnostic features, automatic surveillance testing and self-calibration capabilities, system availability would be improved. Therefore, the impact on the system operation due to channel drift being corrected by the Eagle 21 self-calibration feature, and the impact on system downtime because of the automatic surveillance/self-diagnostic features, will be minimized. Additionally, with the MMI test unit provided with the Eagle 21 system, the amount of technician and engineering time required for maintenance and troubleshooting is minimized. Thus, large quantities of engineering time required for the review of the periodic functional tests, prior to restoring the channel to an operable condition, are eliminated because of the user-friendly printout provided from the MMI.

In total, interface with the Eagle 21 process protection system is reduced, resulting in a decreased potential for technician induced error which results in improved system reliability and availability.

In the Eagle 21 process protection system design, there are failure modes which could result in the failure of an entire protection rack. During these conditions, the rack will fail to the preferred failure mode (tripped/not tripped condition) providing maximum protection for the plant. The failure of a single rack is considered to be bounded by the loss of an entire protection set, which is the existing licensing basis. This failure has been shown not to adversely impact plant safety due to the existence of redundancy, functional diversity and defense-in-depth design measures employed in the design of the process protection system. Use of these design measures ensures that in the event of a single failure, the remaining protection system channels would be available for plant protection if required. Additional discussion of the defense-in-depth, redundancy and functional diversity design measures used in the design of the Eagle 21 process protection system can be found in References [5] and [14].

A failure mode and effects analysis (FMEA) of the logic portion of the reactor trip system was performed. The basis of the FMEA is that the reactor protection system is designed to sense abnormal plant conditions and to initiate action necessary to assure that acceptable fuel design limits are not exceeded for anticipated operational occurrences. Results of this study and a fault tree analysis are presented in Reference [4]. The results of the study show that the probability of protection system failure in anticipated transients is sufficiently low that no provision need be made in plant design to accommodate such hypothetical failure.

7.2.2.1 Evaluation of Design Limits

While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies. The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or reactor coolant system pressure boundary during Condition II and III transients is demonstrated in Chapter 15. These accident analyses are carried out using those setpoints determined from results of the engineering design studies.

Setpoint limits are presented in the Technical Specifications. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilize this trip is presented in Section 7.2.1.1.2 and in Table 7.2-4. The selection of trip setpoints provides for margin before protection action is actually required to allow for uncertainties and instrument errors (References [13], [16] and [18]). The design meets the requirements of Criteria 10, 15, 20, and 29 of the 1971 GDC.

7.2.2.1.1 Trip Setpoint Discussion

It has been pointed out previously that below the limiting value of DNBR there is likely to be significant local fuel cladding failure. The DNBR existing at any point in the core for a given core design can be determined as a function of the core inlet temperature, power output, reactor coolant operating pressure and flow. Consequently, core safety limits in terms of the limiting value of DNBR for the hot channel can be developed as a function of core ΔT, Tavg, and pressure for a specified flow as illustrated by the dashed lines in Figure 15.1-1. Shown as a dashed line in Figure 15.1-1 are the loci of conditions designed to prevent exceeding 121% of power as a function of ΔT and Tavg, thus representing the overpower (kW/ft) limit on the fuel. The solid lines indicate the maximum permissible setpoints (ΔT) as a function of Tavg and pressure for the overtemperature and overpower reactor trips. Actual setpoint constants in the equation representing the solid lines are as given in the Technical Specifications. These values are conservative to allow for instrument errors. The design meets the requirements of Criteria 10, 15, 20 and 29 of the 1971 GDC.

DNBR is not a directly measurable quantity; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit, whereas the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the reactor trip system takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure and overpower/overtemperature ΔT trips provide sufficient protection for slow transients, as opposed to such trips as low flow or high flux which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected.

Therefore, the reactor trip system has been designed to provide protection for fuel cladding and reactor coolant system pressure boundary integrity where: 1) a rapid change in a single variable or factor which will quickly result in exceeding a core or a system safety limit, and 2) a slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded. Overall, the reactor trip system offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II and III accidents. This is demonstrated by Table 7.2-4 which lists the various trips of the reactor trip system, the corresponding technical specification on safety limits and safety system settings and the appropriate accident discussed in the safety analyses in which the trip could be utilized.

The plant is prohibited by Technical Specifications from operating with an inactive loop for extended periods of time, and administrative procedures require that the unit be brought to a load of less than 25% of full power prior to starting the pump in the inactive loop in order to bring the inactive loop hot leg temperature closer to the core inlet temperature.

The P-8 interlock acts essentially as a high nuclear power reactor trip when operating in this condition.

The reactor trip system design was evaluated in detail with respect to common mode failure and is presented in References [4] and [5]. The design meets the requirements of Criterion 23 of the 1971 GDC.

Preoperational testing will be performed on reactor trip system components and systems to determine equipment readiness for startup and to serve as confirmation of the system design.

Analyses of the results of Condition II, III and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15.

The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.7.


7.2.2.1.2 Reactor Coolant Flow Measurement

Elbow taps installed in each loop of the primary coolant system are used to measure reactor coolant flow. The correlation between flow and elbow tap differential pressure signal is given by the following equation:

$$\frac{\Delta P}{\Delta P_0} = \left(\frac{w}{w_0}\right)^2$$

where $\Delta P_0$ is the pressure differential at the reference flow $w_0$, and $\Delta P$ is the pressure differential at the corresponding flow $w$. Nominal full power flow is established at the beginning of each fuel cycle by either the elbow tap methodology or performance of the RCS calorimetric flow measurement. Unit 1 utilizes the elbow tap methodology (Reference [17]). Unit 2 utilizes the RCS calorimetric flow measurement. The results are used to normalize the RCS flow indicators and provide a reference point for the low flow reactor trip setpoint.

7.2.2.2 Evaluation of Compliance to Applicable Codes and Standards

The reactor trip system meets the requirements of the General Design Criteria and Section 4 of IEEE Standard 279-1971 [9] as indicated below.

(1) General Functional Requirement

The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset value.

Functional performance requirements are given in Section 7.2.1.1.1. Section 7.2.1.2.4 presents a discussion of limits, margins and setpoints; Section 7.2.1.2.5 discusses unusual (abnormal) events; and Section 7.2.1.2.6 presents minimum performance requirements.

(2) Single Failure Criterion

The protection system is designed to provide two, three, or four redundant process protection channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective system action when required. Loss of input power, the most likely mode of failure, to a channel or logic train will result in a signal calling for a trip. This design meets the requirements of Criteria 21, 22 and 23 of the 1971 GDC.


To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing, as well as administrative control during design, production, installation and operation, are employed, as discussed in References [4] and [5]. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

(3) Quality of Components and Modules

For a discussion on the quality of the components and modules used in the reactor trip system, refer to Chapter 17. The quality assurance applied conforms to Criterion 1 of the 1971 GDC.

(4) Equipment Qualification

For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11. The test results demonstrate that the design meets the requirements of Criterion 4 of the 1971 GDC.

(5) Channel Integrity

Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the reactor trip system is described in Chapter 8. The environmental variations, throughout which the system will perform, are given in Section 3.11. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

(6) Independence

Channel independence is carried throughout the system, extending from the sensor through the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters.

Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel.

Redundant protection channels are separated by locating the processing electronics of the redundant channels in different protection rack sets. Each redundant protection channel set is energized from a separate AC power feed. This design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

Independence of the logic trains is discussed in Reference [3]. Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core. See Figure 7.1-1.


The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is discussed in Reference [5].

Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur. This design meets the requirements of Criterion 22 of the 1971 GDC.

(7) Control and Protection System Interaction The protection system is designed to be independent of the control system.

In certain applications the control signals and other non-protective functions are derived from individual protective channels through isolation devices.

The isolation devices are classified as part of the protection system and are located in the process protection racks. Non-protective functions include those signals used for control, remote process indication, and computer monitoring. The isolation devices are designed such that a short circuit, open circuit, or the application of credible fault voltages on the isolated output portion of the circuit (i.e., the non-protective side of the circuit) will not affect the input (protective) side of the circuit. The signals obtained through the isolation devices are never returned to the process protection racks.

A detailed discussion of the design and testing of the protection system isolation devices is given in References [7], [8], and [11]. These reports include the results of applying various malfunction conditions on the output portion of the isolation devices. The results show that no significant disturbance to the isolation devices' input signal occurred.

Where failure of a protection system component can cause a process excursion which requires protective action and can also prevent the channel from performing its protective action, the protection system can withstand a second independent failure without loss of the protection function. The means of achieving this are provided in the discussions of specific control and protection system interactions in Section 7.2.2.3. Typically this requirement is satisfied by utilizing 2/4 logic for the trip function or by providing a diverse trip. This design meets the requirements of Criterion 24 of the 1971 GDC and paragraph 4.7 of IEEE Standard 279-1971 [Ref. 9].

(8) Derivation of System Inputs To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.

(9) Capability for Sensor Checks The operational availability of each system input sensor during reactor operation is verified by cross checking between channels that bear a known relationship to each other and that have read-outs available. Channel checks are discussed in the Technical Specifications.

(10) Capability for Testing The reactor trip system is capable of being tested during power operation.

Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22 as discussed in Table 7.1-1.

The protection system is designed to permit periodic testing of the signal processing portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is possible because of the coincidence logic required for reactor trip. Source and intermediate range high neutron flux trips, which use one-out-of-two logic, must be bypassed during testing.

These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode or bypass mode according to the Technical Specifications, in order to avoid spurious trips.

The Protection System is also designed to permit periodic response time testing of the reactor trip system, excluding neutron detectors.

Process Protection Channel Tests The Eagle 21 process protection system accommodates automatic or manual surveillance testing of the digital process protection racks via a portable Man Machine Interface (MMI) test cart. The MMI test cart is connected to the process rack test panel with a cable/connector assembly. The rack-installed test processor permits performance of operations such as channel calibration, channel response time tests, partial trip actuation tests, and maintenance activities.

Administrative controls and multiple levels of security are provided to limit access to setpoint and tuning constant adjustments. The system is designed to permit testing of any protection channel during power operations without initiating a protective action at the systems level.

Individual channels can be tested in either the "Channel Trip" or "Bypass" mode:

The Channel Trip mode interrupts the individual channel comparator output. Interruption of a comparator output in this mode for any reason (test, maintenance purposes or removed from service) causes that portion of the logic to be actuated and initiates a channel trip alarm and status light in the control room. Status lights on the process rack test panel indicate when the associated comparators have tripped.

The Bypass mode disables the individual channel comparator trip circuitry. Interruption of a comparator output in this mode effectively "bypasses" the channel in test, causing the associated logic relays to remain in the non-tripped state until the "bypass" is removed. This feature of the protection system eliminates the potential for an unwarranted actuation in the event of a failure. This condition is also accompanied by an alarm in the control room.

Nuclear Instrumentation Channel Tests The power range channels of the nuclear instrumentation system are tested by using the actual detector input to the channel and injecting test currents obtained from the detector response curves at various power levels. The output of the bistable is not placed in a tripped condition prior to testing. Also, since the power range channel logic is two out of four, bypass of this reactor trip function is not required.

Testing of a power range channel requires deliberate operator action and is annunciated in the control room. Bistable operation is tested by increasing the test signal up to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.

It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power. A reactor trip would occur when a second bistable trips.

No provision has been made in the channel test circuit for reducing the channel signal below that signal being received from the nuclear instrumentation system detector.

A nuclear instrumentation system channel which can cause a reactor trip through one-out-of-two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses are annunciated in the control room.

Periodic tests of the source, intermediate, and power range channels of the nuclear instrumentation system are performed in the applicable modes/power levels in accordance with the Technical Specifications.

For a detailed description of the nuclear instrumentation system see References [2] and [15]. Reference [2] is applicable to the power range only.

Solid State Logic Testing The logic trains of the reactor trip system are designed to be capable of complete testing at power. Logic matrices are tested from the Train A and Train B logic rack test panels. During this test, the logic inputs are actuated automatically in all combinations of trip and non-trip logic. Trip logic is not maintained sufficiently long enough to permit opening of the reactor trip breakers. The reactor trip undervoltage coils are 'pulsed' in order to check continuity. During logic testing of one train, the other train can initiate any required protective functions. Annunciation is provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Details of the logic system testing are given in Reference [3].

A direct reactor trip resulting from undervoltage or underfrequency on the pump side of the reactor coolant pump breakers is provided as discussed in Section 7.2.1.1.2 and shown on Figure 7.2-1, Sheet 3. The logic for these trips is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided.

This design complies with the testing requirements of IEEE Standard 279-1971 and IEEE Standard 338-1971 [10] as discussed in Table 7.1-1. Details of the method of testing and compliance with these standards are provided in References [1], [3], and [11].

The permissive and block interlocks associated with the reactor trip system and engineered safety features actuation system are given on Tables 7.2-2 and 7.3-3 and designated protection or 'P' interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standards 279-1971 and 338-1971 as discussed in Table 7.1-1.

Testability of the interlocks associated with reactor trips for which credit is taken in the accident analyses is provided by the logic testing and semi-automatic testing capabilities of the solid state protection system. In the solid state protection system the undervoltage coils (reactor trip) and master relays (engineered safeguards actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. Interlock testing may be performed at power.

Testing of the logic trains of the reactor trip system includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:

(1) Check of input relays During testing of the process protection system and nuclear instrumentation system channels, each channel comparator/bistable is placed in a trip mode causing one SSPS input relay in train A and one in train B to de-energize except when individual channels are tested in bypass with the reactor at power. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the Train A or Train B input relay operation will light the status lamp and annunciator.

Each train contains a multiplexing test switch, one of which (either train) normally remains in the A + B position. The A + B position allows information to be transmitted alternately from each train to the control board. During testing a steady status lamp indicates that both trains are receiving a trip mode logic input for the channel being tested. A flashing lamp indicates a failure in one train. Contact inputs to the logic protection system such as reactor coolant pump bus underfrequency relays operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for comparator/bistable input relays.


Actuation of the SSPS input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. These tests are performed periodically in accordance with the Technical Specifications. Test indications are status lamps and annunciators on the control board. Inputs to the logic protection system are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.
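The effect of the Channel Trip and Bypass test modes on the coincidence logic, as an added worked example (this is illustrative code written for this discussion, not the plant's SSPS or Eagle 21 logic, and the setpoint, process values and names in it are constructed):

```python
# Added example (not from the FSAR or the plant's SSPS): m-out-of-n coincidence
# voting with one channel placed in Channel Trip or Bypass test mode. The
# setpoint, process values and the "status_lamp" model are constructed.
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"   # comparator output follows the process signal
    TRIP = "trip"       # Channel Trip test mode: comparator output forced tripped
    BYPASS = "bypass"   # Bypass test mode: comparator trip circuitry disabled


def partial_trip(value, setpoint, mode):
    """Partial-trip output of one channel for a high-setpoint trip function."""
    if mode is Mode.TRIP:
        return True
    if mode is Mode.BYPASS:
        return False
    return value >= setpoint


def coincidence_trip(values, setpoint, modes, required=2):
    """Return (trip, per-channel partial trips) for an m-out-of-n function."""
    partials = [partial_trip(v, setpoint, m) for v, m in zip(values, modes)]
    return sum(partials) >= required, partials


def effective_logic(modes, required=2):
    """Logic seen by the remaining channels once test modes are applied.

    A channel in Channel Trip mode already supplies one vote, so the function
    needs one fewer process trip; a bypassed channel is simply removed.
    Returns (process trips still needed, channels still in service).
    """
    n_trip = sum(m is Mode.TRIP for m in modes)
    n_bypass = sum(m is Mode.BYPASS for m in modes)
    in_service = len(modes) - n_trip - n_bypass
    return max(required - n_trip, 0), in_service


def status_lamp(train_a_input, train_b_input):
    """Control-board lamp during an input-relay check: steady when both trains
    receive the trip input for the channel under test, flashing when only one
    does (a failure in one train), off when neither does."""
    if train_a_input and train_b_input:
        return "steady"
    if train_a_input or train_b_input:
        return "flashing"
    return "off"


if __name__ == "__main__":
    N, T, B = Mode.NORMAL, Mode.TRIP, Mode.BYPASS
    SETPOINT = 100.0  # constructed high setpoint, arbitrary units
    # One channel above setpoint, nothing under test: 1 of 4, no trip.
    print(coincidence_trip([105.0, 95.0, 95.0, 95.0], SETPOINT, [N, N, N, N]))
    # Channel 1 in Channel Trip mode: the function is now 1/3 on the others,
    # so a valid excursion on one more channel trips the reactor.
    print(effective_logic([T, N, N, N]),
          coincidence_trip([95.0, 105.0, 95.0, 95.0], SETPOINT, [T, N, N, N]))
    # Same channel in Bypass mode: the function is 2/3 and a single excursion
    # does not trip; two remaining channels still do.
    print(effective_logic([B, N, N, N]),
          coincidence_trip([95.0, 105.0, 95.0, 95.0], SETPOINT, [B, N, N, N]))
    # Source and intermediate range are 1/2: Channel Trip mode would trip the
    # reactor outright, which is why those channels must be bypassed for test.
    print(effective_logic([T, N], required=1), effective_logic([B, N], required=1))
```

The `effective_logic` result for the one-out-of-two case (zero further trips needed) is the reason the source and intermediate range channels carry a bypass function rather than being tested in the tripped state.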

(2) Check of logic matrices Logic matrices are checked one train at a time. Input relays are not operated during this test. Partial reactor trips to the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train. Details of semi-automatic tester operation are given in Reference [3].

At the completion of the logic matrix tests, closure of the input error inhibit switch contacts is checked using an appropriate test method such as verification of existing trip status lamps/computer points.

The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non-trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage coil to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.

Test indications provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester to indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.

The general design features and details of the testability of the logic system are described in Reference [3]. The testing capability meets the requirements of Criterion 21 of the 1971 GDC.

Testing of Reactor Trip Breakers Normally, reactor trip breakers RTA and RTB are in service, and bypass breakers BYA and BYB are withdrawn (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers thereby eliminating the need to bypass them during this testing. Each of the reactor trip breakers is tested with the corresponding bypass breaker in service.


Auxiliary contacts of the bypass breakers are connected into the SSPS General Warning Alarm System of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip.

Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers and both reactor trip breakers will automatically trip.
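The breaker interlocks described in the two paragraphs above, as an added state-model example (illustrative code written for this discussion, not the plant's SSPS wiring or a TVA/Westinghouse product). It assumes the interlock acts on the resulting breaker/test state, so the order in which a test switch and a bypass breaker are operated does not matter; the breaker and train names follow the text, everything else is constructed:

```python
# Added example (not from the FSAR or the plant's SSPS): reactor trip breaker
# and bypass breaker interlocks as a state model. Assumption: interlocks are
# evaluated on the resulting state after each operator action.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Train:
    rtb_closed: bool = True    # reactor trip breaker (RTA or RTB) in service
    byp_closed: bool = False   # bypass breaker (BYA or BYB), normally withdrawn
    in_test: bool = False      # train output bypassed by the test switches


@dataclass(frozen=True)
class Breakers:
    a: Train
    b: Train


def normal():
    """Both trip breakers in service, both bypass breakers withdrawn."""
    return Breakers(Train(), Train())


def rods_held(state):
    """CRDM power is maintained only while each train keeps either its trip
    breaker or its own bypass breaker closed: the trains are in series with
    the supply, and a bypass breaker parallels only its own trip breaker."""
    return all(t.rtb_closed or t.byp_closed for t in (state.a, state.b))


def general_warning(state):
    """One train in test while the OTHER train's bypass breaker is closed."""
    return ((state.a.in_test and state.b.byp_closed)
            or (state.b.in_test and state.a.byp_closed))


def both_bypasses_closed(state):
    return state.a.byp_closed and state.b.byp_closed


def apply_interlocks(state):
    """Trip both reactor trip breakers and both bypass breakers when an
    interlock condition exists; otherwise leave the state unchanged."""
    if general_warning(state) or both_bypasses_closed(state):
        return Breakers(Train(False, False, state.a.in_test),
                        Train(False, False, state.b.in_test))
    return state


def _update(state, train, **changes):
    if train == "a":
        return Breakers(replace(state.a, **changes), state.b)
    return Breakers(state.a, replace(state.b, **changes))


def close_bypass(state, train):
    """Operator attempts to close a bypass breaker."""
    return apply_interlocks(_update(state, train, byp_closed=True))


def place_in_test(state, train):
    """Operator places a logic train in test (train output bypassed)."""
    return apply_interlocks(_update(state, train, in_test=True))


def open_trip_breaker_for_test(state, train):
    """Open a reactor trip breaker to test it; safe only with its bypass closed."""
    return apply_interlocks(_update(state, train, rtb_closed=False))


def annunciators(state):
    """Control room indications: train in test, bypass breaker closed, and a
    reactor trip (constructed names, not the plant's window legends)."""
    return {
        "train_a_in_test": state.a.in_test,
        "train_b_in_test": state.b.in_test,
        "bypass_breaker_closed": state.a.byp_closed or state.b.byp_closed,
        "reactor_tripped": not rods_held(state),
    }


if __name__ == "__main__":
    # Proper test of RTA: close BYA first, then open RTA; rods stay held.
    s = open_trip_breaker_for_test(close_bypass(normal(), "a"), "a")
    print(rods_held(s), annunciators(s))
    # Improper: train A in test, then BYB closed; everything trips.
    s = close_bypass(place_in_test(normal(), "a"), "b")
    print(rods_held(s), annunciators(s))
    # Improper: BYA closed while BYB is already closed; everything trips.
    s = close_bypass(close_bypass(normal(), "b"), "a")
    print(rods_held(s), annunciators(s))
```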

The Train A and Train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate an annunciator in the control room.

Bypassing of a protection train with either the bypass breaker or with the test switches will result in audible and visual indications.

The complete reactor trip system is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, the Technical Specifications define the minimum number of operable channels. The Technical Specifications also define the required restriction to operation in the event that the channel operability requirements cannot be met.

(11) Channel Bypass or Removal from Operation The Eagle 21 Process Protection System is designed to permit any channel to be maintained in a bypassed condition and, when required, tested during power operation without initiating a protective action at the systems level.

This is accomplished without lifting electrical leads or installing temporary jumpers. Bypass of any channel in an Eagle 21 protection system rack for any purpose will be continuously indicated in the control room via the plant annunciator at the protection set level. In addition, the Eagle 21 design has provided for administrative controls and multiple levels of security for bypassing a protection channel.

The channel bypass feature of the Eagle 21 system will be used for the following purposes:

(1) To allow for an inoperable Reactor Trip (RT) or Engineered Safety Features Actuation System (ESFAS) channel to be maintained in a bypassed condition up to the time limit specified in the Technical Specifications, for the purpose of troubleshooting.

(2) To allow for a failed RT or ESFAS channel to be bypassed up to the time limit specified in the Technical Specifications, for the purpose of surveillance testing a redundant channel of the same function.

(3) To routinely allow testing of a RT or ESFAS channel in the bypassed condition instead of the tripped condition for the purpose of surveillance testing.


The Nuclear Instrumentation System (NIS) is designed to permit routine periodic testing of the Source Range and Intermediate Range portion of the reactor trip system during reactor power operation. To enable testing of the one-out-of-two channel logic for the NIS Source Range and Intermediate Range during reactor power operation, a channel bypass feature has been provided. Use of this feature will permit routine required surveillance testing to be completed without initiating a protective action unless a trip condition exists.

(12) Operating Bypasses Where operating requirements necessitate automatic or manual bypass of a protective function, (See Section 10.4.4.3 for exception on P-12), the design of the protection system is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protection system and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

Bypasses associated with the reactor trip system are identified in Table 7.2-2.

(13) Indication of Bypasses Bypass of a process protection channel during testing is indicated by an alarm in the control room. This is discussed further in Section 7.2.2.2, subsections 10 and 11. Operating bypasses are discussed in Section 7.2.2.2 subsection 12.

(14) Access to Means for Bypassing The design provides for administrative control of access to the means for manually bypassing channels or protective functions. For details, refer to References [1] and [11].

(15) Multiple Setpoints For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.


(16) Completion of Protective Action The protection system is so designed that, once initiated, a protective action goes to completion. Normal operation is restored in accordance with established procedures.

(17) Manual Initiation Switches are provided on the control board for manual initiation of protective action. A single failure in the automatic system will not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment. Additional discussion of manual actuation of protective functions is provided in Section 7.3.2.2.6.

(18) Access to Setpoint Adjustments, Calibration and Test Points The design provides for administrative control of access to all setpoint adjustments, processing electronics calibration adjustments, and test points. For details refer to References [1], [2], [11] and [15].

(19) Identification of Protective Actions Indication and identification of protective actions is discussed in Item 20 below.

(20) Information Read Out The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip are either indicated, recorded or displayed on the plant computer for every channel, including neutron flux power range currents (top detector, bottom detector, algebraic difference and average of bottom and top detector currents).

Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified by the parameter being measured.

Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm, except for the source and intermediate range channels which have one out of two reactor trip logic. For these two functions, a channel trip alarm is not provided since a channel trip will also initiate a reactor trip and reactor trip alarm as described above.


(21) System Repair The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Section 7.2.2.2, subsection 10 above.

(22) Identification Identification of protection system equipment is discussed in Section 7.1.2.3.

7.2.2.3 Specific Control and Protection Interactions A general discussion of control and protection system interaction criteria and compliance is provided in Section 7.2.2.2, subsection 7.

7.2.2.3.1 Neutron Flux Four power range neutron flux channels are provided for overpower (high flux) protection. Isolated outputs are provided to a distributed control system (DCS) for rod control. An auctioneered high signal is developed from the four channels in the DCS for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two out of four overpower trip logic will ensure an overpower trip if needed even with an independent failure in another channel.

In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals or from the auctioneered high value. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual and automatic rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.2.3.2 Reactor Coolant Temperature Reactor control is based upon signals derived from protection system channels through isolation devices such that no feedback effect from the control system can perturb the protection channels. The isolated outputs are provided to a distributed control system (DCS) where an auctioneered high signal is developed for automatic rod control.

Since control is based on the highest of the loop average temperatures, the control rods are always moved based upon the most pessimistic temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action. A spurious high average temperature measurement will cause rod insertion (safe direction). If a failed channel is detected by the DCS, it will not be used in the control algorithm. The 2/4 trip logic ensures that the overpower and overtemperature ΔT trip functions can provide the required protection even if degraded by a second random failure.


Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Automatic rod withdrawal blocks and turbine runback (power demand reduction) will also occur prior to reaching the reactor trip setpoint if any two of the ΔT channels indicate an overtemperature or overpower condition.
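The auctioneered high selection for rod control, its fail-safe direction and the deviation alarm, as an added worked example (illustrative code written for this discussion, not the plant's DCS software or a Westinghouse algorithm). The temperatures, reference value, deadband and alarm tolerance are constructed and are not plant setpoints:

```python
# Added example (not from the FSAR or the plant's DCS): auctioneered high
# selection of loop average temperature for rod control, with DCS failed-channel
# exclusion and a deviation alarm. All numeric values are constructed.


def auctioneer_high(channels, failed=()):
    """Highest of the valid channel signals; channels the DCS has flagged as
    failed (indices in `failed`) are excluded from the selection."""
    valid = [v for i, v in enumerate(channels) if i not in failed]
    if not valid:
        raise ValueError("no valid channel available to the auctioneer")
    return max(valid)


def deviation_alarms(channels, tolerance, failed=()):
    """Indices of valid channels that read more than `tolerance` below the
    auctioneered (highest) value. A spurious low channel alarms alone; a
    spurious high channel makes every healthy channel look deviant, which is
    the signature an operator uses to tell the two apart."""
    high = auctioneer_high(channels, failed)
    return [i for i, v in enumerate(channels)
            if i not in failed and high - v > tolerance]


def rod_demand(tavg_channels, tref, deadband, failed=()):
    """Rod control direction from auctioneered-high Tavg against the reference
    temperature: above the deadband inserts, below it withdraws, else hold."""
    error = auctioneer_high(tavg_channels, failed) - tref
    if error > deadband:
        return "insert"
    if error < -deadband:
        return "withdraw"
    return "hold"


if __name__ == "__main__":
    TREF, DEADBAND, TOL = 588.0, 1.5, 5.0  # constructed values (deg F)
    steady = [588.0, 588.0, 588.0, 588.0]
    print(rod_demand(steady, TREF, DEADBAND))                  # hold
    spurious_low = [550.0, 588.0, 588.0, 588.0]
    # The auctioneer ignores the low channel: no control action, alarm on it.
    print(rod_demand(spurious_low, TREF, DEADBAND), deviation_alarms(spurious_low, TOL))
    spurious_high = [600.0, 588.0, 588.0, 588.0]
    # The high channel wins the auction: rods insert (safe direction).
    print(rod_demand(spurious_high, TREF, DEADBAND), deviation_alarms(spurious_high, TOL))
    # Once the DCS flags channel 0 failed it drops out and control returns to hold.
    print(rod_demand(spurious_high, TREF, DEADBAND, failed=(0,)))
```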

A discussion of reactor coolant temperature measurement is provided in Section 7.2.1.1.4.

7.2.2.3.3 Pressurizer Pressure The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function.

Isolated output signals from these channels are provided to the DCS for pressure control. From these, two median signals are developed in independent control groups of the DCS, each with dual redundant control processors. One of the median signals is used to control pressurizer spray and heaters; both are used for pressurizer PORV actuation. A spurious high or low signal from any one channel will not cause a control action. If a failed channel is detected by the DCS, it will not be used in the control algorithm. A coincident high pressure signal from both processors is needed for the actuation of each pressurizer PORV.

Failure of a DCS processor pair could result in a high or low control signal. A spurious high pressure signal can cause decreasing pressure by turning off the heaters and actuating spray. The two out of four low pressurizer pressure reactor trip logic ensures low pressure protection even with two independent channel failures.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3%. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge.

In addition, operation of any one of the power-operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

7.2.2.3.4 Pressurizer Water Level Three independent, redundant instrument channels are provided for pressurizer high water level protection. This reactor trip condition is generated based on a 2-out-of-3 logic and serves to prevent water discharge through the pressurizer safety relief valves. The pressurizer level channels also provide isolated output signals to the DCS which are used for pressurizer water level control (reference Section 7.7). A median signal selector in the DCS selects the median of the three signals for pressurizer level control so that a spurious high or low signal from any one channel will not cause a control action. If a failed channel is detected by the DCS, it will not be used in the control algorithm and the average of the two remaining channels will be used for control.

A DCS failure resulting in a high or low control signal output could increase or decrease pressurizer level at a slow rate. The high water level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of water level control would not lead to any liquid discharge through the safety valves. This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint.

In addition, alarms are actuated on high or low water level and on significant deviations from programmed level or from the median signal. Channel failure can also be detected by comparison to the other two redundant level channel indicators located in the main control room. A discussion of the pressurizer water level reference leg arrangement is provided in Section 7.2.1.1.5.

7.2.2.3.5 Steam Generator Water Level The basic function of the reactor protection circuits associated with low steam generator water level is to preserve the steam generator heat sink for removal of long term residual heat. Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant auxiliary feedwater pumps are provided to supply feedwater in order to maintain residual heat removal after trip. This reactor trip acts before the steam generators are dry, to reduce the required capacity of, and relax the starting time requirements for, the auxiliary feedwater pumps, and to minimize the thermal transient on the reactor coolant system and steam generators.

Therefore, a low-low steam generator water level reactor trip is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. It is desirable to minimize thermal transients on a steam generator for a credible loss of feedwater accident.

Implementation of the Median Signal Selector (MSS) feature in the feedwater distributed control system prevents failure of a single steam generator water level channel from causing a feedwater control system disturbance requiring subsequent protective action. Isolated outputs from all three narrow range level channels are input to the MSS. The MSS selects the median signal for use by the control system and control system actions are then based on this signal. Since the high and low signals are rejected, the control system is prevented from acting on a single, failed protection system instrument channel. If a failed channel is detected by the DCS, it will not be used in the control algorithm and the average of the two remaining channels will be used for control. Since no adverse control system action can then result from a failed protection channel, the potential for a control and protection system interaction is eliminated and it is not necessary to consider a second random protection system failure as would otherwise be required by IEEE 279-1971.


7.2.2.4 Additional Postulated Accidents Loss of plant instrument air or loss of component cooling water is discussed in Section 7.3.2. Load rejection and turbine trip are discussed in further detail in Section 7.7.

The control interlocks and permissives, called rod stops, are provided to inhibit automatic and/or manual rod withdrawal and initiate turbine runback. The rod stops indicate certain abnormal reactor operating conditions exist. The rod stop control action is used to stop positive reactivity additions due to rod withdrawal and to prevent reactor system parameters from reaching a condition requiring protective action (i.e., reactor trip actuation). The rod stops are not considered a protective feature. A listing of the initiating input signal and control function of each rod stop is provided in Section 7.7.1.4.1 and Table 7.7-1.

7.2.3 Tests and Inspections The reactor trip system meets the testing requirements of IEEE Standard 338-1971, Reference [10], as discussed in Section 7.1.2. The testability of the system is discussed in Section 7.2.2.2. The test intervals are specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of Reference [10], are utilized in the performance of periodic tests.

Periodic testing complies with Regulatory Guide 1.22 as discussed in Section 7.1.2.

To ensure the Median Signal Selector (MSS) functions as described in Section 7.2.2.3.5, operability of the MSS is verified commensurate with the Technical Specification surveillance interval for the associated narrow range steam generator level channels.

The steam generator level MSS is a software function in the feedwater DCS. Proper operation of the MSS can be determined by verifying that the output signal corresponds to the median of the three input signals. The MSS function is tested concurrently with the process protection channels which provide the inputs. Test signals are received from the protection system, as would normal process signals, when the individual protection channels are placed in the test mode. As the test signal magnitude is varied, the MSS will select a different input as the median signal, allowing proper operation of the MSS to be verified. As long as the other two channels are functioning properly and they have not been tripped or bypassed, a single steam generator level channel can be tested during power operation without causing a feedwater control system upset.
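The selection rule of Section 7.2.2.3.5 (median of three valid channels, average of two when the DCS has flagged one channel failed) and the surveillance of Section 7.2.3 (sweep one channel's test signal and confirm the output tracks the median) can both be exercised in a small model. The following is an added illustration written for this page; it is not the feedwater DCS software or any Westinghouse/TVA code. Channel names L1 to L3, the live values 50% and 52%, and the sweep values are constructed sample inputs.

```python
"""Median Signal Selector (MSS) model for the three narrow range steam
generator level channels feeding the feedwater DCS.  Constructed example;
channel names and sample values are assumptions, not plant data."""
from statistics import median
from typing import List, Optional, Sequence, Tuple


class Channel:
    """One isolated protection-channel output as seen by the DCS.

    `failed` is the DCS's own failure flag for the channel; a flagged
    channel is excluded from the selection.
    """

    def __init__(self, name: str, value: float, failed: bool = False) -> None:
        self.name = name
        self.value = value
        self.failed = failed


def select_control_signal(channels: Sequence[Channel]) -> Optional[float]:
    """Return the level signal the control system acts on.

    Three valid channels: the median, so the high and low values are rejected
    and one failed-high or failed-low channel cannot drive the controller.
    One channel flagged failed: the average of the two remaining channels.
    Fewer than two valid channels: None (no usable control input).
    """
    good = [c.value for c in channels if not c.failed]
    if len(good) == 3:
        return float(median(good))
    if len(good) == 2:
        return (good[0] + good[1]) / 2.0
    return None


def selected_channel(channels: Sequence[Channel]) -> Optional[str]:
    """Name of the channel whose value is the current median (three valid channels only)."""
    good = [c for c in channels if not c.failed]
    if len(good) != 3:
        return None
    return sorted(good, key=lambda c: c.value)[1].name


def mss_surveillance(test_values: Sequence[float],
                     live_values: Tuple[float, float] = (50.0, 52.0)
                     ) -> List[Tuple[float, Optional[float], Optional[str]]]:
    """Model of the periodic test in Section 7.2.3.

    Channel L3 is placed in test and its injected signal is swept through
    `test_values`; L1 and L2 stay at their live values.  Each record is
    (injected value, MSS output, channel selected as median).
    """
    log = []
    for v in test_values:
        chans = [Channel("L1", live_values[0]),
                 Channel("L2", live_values[1]),
                 Channel("L3", v)]
        log.append((v, select_control_signal(chans), selected_channel(chans)))
    return log


def surveillance_passes(log, live_values: Tuple[float, float] = (50.0, 52.0)) -> bool:
    """Acceptance check for the sweep: the output must equal the median of the
    three inputs at every point, and the channel under test must be selected
    only while its value lies strictly between the two live channels, so the
    sweep never moves the control input outside the band set by those channels."""
    lo, hi = sorted(live_values)
    for v, out, sel in log:
        if out != median([lo, hi, v]):
            return False
        if (sel == "L3") != (lo < v < hi):
            return False
    return True


if __name__ == "__main__":
    live = [Channel("L1", 50.0), Channel("L2", 52.0), Channel("L3", 99.0)]
    print("failed-high channel, undetected ->", select_control_signal(live))  # 52.0
    live[2].failed = True
    print("failed channel flagged by DCS   ->", select_control_signal(live))  # 51.0
    print("sweep passes:", surveillance_passes(mss_surveillance([40.0, 45.0, 51.0, 55.0, 60.0])))
```

The sweep is the useful part of the check: as the injected value moves from below both live channels to above them, the selected channel changes from L1 to L3 to L2, yet the output never leaves the 50% to 52% band, which is exactly why a single channel can be tested at power without upsetting feedwater control.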

REFERENCES

(1) Nay, J. A., "Process Instrumentation for Westinghouse Nuclear Steam Supply Systems," WCAP-7671, April 1971.

(2) Lipchak, J. B., "Nuclear Instrumentation System," WCAP-8255, January 1974. Applicable to Power Range NIS only.

(3) Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L, January 1971 (Proprietary) and WCAP-7672, June 1971 (Non-Proprietary).

(4) Gangloff, W. C. and Loftus, W. D., "An Evaluation of Solid State Logic Reactor Protection In Anticipated Transients," WCAP-7706-L, July 1971 (Proprietary) and WCAP-7706, July 1971 (Non-Proprietary).

(5) Burnett, T. W. T., "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors," WCAP-7306, April 1969.

(6) Baldwin, M. S. et al., "An Evaluation of Loss of Flow Accidents Caused by Power System Frequency Transients in Westinghouse PWR's," WCAP-8424, Revision 1, May 1975.

(7) Doyle, J. P., "Noise, Fault, Surge and Radio Frequency Interference Test Report for Westinghouse Eagle 21 Process Protection Upgrade System," WCAP-11733, June 1988 (Westinghouse Proprietary Class 2); WCAP-11896, July 1988 (Westinghouse Proprietary Class 3).

(8) Lipchak, J. B. and Bartholomew, R. R., "Test Report Nuclear Instrumentation System Isolation Amplifier," WCAP-7506-P-A, April 1975 (Proprietary) and WCAP-7819-Revision 1-A, April 1975 (Non-Proprietary).

(9) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Standard 279-1971.

(10) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," IEEE Standard 338-1971.

(11) Erin, L. E., "Topical Report, Eagle 21 Microprocessor-Based Process Protection System," WCAP-12374, Rev. 1, December 1991 (Westinghouse Proprietary Class 2); WCAP-12375, Rev. 1, December 1991 (Westinghouse Proprietary Class 3).

(12) Deleted by Amendment 98.

(13) Reagan, J. R., "Westinghouse Setpoint Methodology for Protection Systems, Watts Bar Units 1 and 2, Eagle 21 Version," WCAP-12096, Rev. 5 (Westinghouse Proprietary Class 2). (For Unit 1 Only)

(14) "Summary Report Process Protection System Eagle 21 Upgrade, NSLB, MSS, and TTD Implementation, Watts Bar Unit 1 and 2," WCAP-13462, Revision 2, September 1994.

(15) System Description, "Neutron Monitoring System," N3-92-4003.

(16) ISA-DS-67.04, 1982, "Setpoints for Nuclear Safety-Related Instrumentation Used in Nuclear Power Plants."

(17) Bass, J. C., "RCS Flow Measurement Using Elbow Tap Methodology at Watts Bar Unit 1," WCAP-16067, Rev. 0 (Westinghouse Proprietary Class 2). (Unit 1 Only)

(18) "Westinghouse Setpoint Methodology for Protection Systems, Watts Bar Unit 2, Eagle 21 Version," WCAP-17044-P. (Unit 2 Only)

(19) "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactor," WCAP-13869, Rev. 2, September 1994.

Table 7.2-1 List of Reactor Trips

Reactor Trip | Coincidence Logic | Interlocks | Comments

1. High neutron flux (power range) | 2/4 | Manual block of low setting permitted by P-10 | High and low settings; manual block and automatic reset of low setting by P-10
2. Intermediate range neutron flux | 1/2 | Manual block permitted by P-10 | Manual block and automatic reset
3. Source range neutron flux | 1/2 | Manual block permitted by P-6, interlocked with P-10 | Manual block and automatic reset. Automatic block above P-10
4. Power range high positive neutron flux rate | 2/4 | No interlocks |
5. Overtemperature ΔT | 2/4 | No interlocks |
6. Overpower ΔT | 2/4 | No interlocks |
7. Pressurizer low pressure | 2/4 | Interlocked with P-7 | Blocked below P-7
8. Pressurizer high pressure | 2/4 | No interlocks |
9. Pressurizer high water level | 2/3 | Interlocked with P-7 | Blocked below P-7
10. Low reactor coolant flow | 2/3 in any loop | Interlocked with P-7 and P-8 | Low flow in one loop will cause a reactor trip when above P-8 and a low flow in two loops will cause a reactor trip when above P-7. Blocked below P-7
11. Reactor coolant pump bus undervoltage | 2/4 | Interlocked with P-7 | Blocked below P-7
12. Reactor coolant pump bus underfrequency | 2/4 | Interlocked with P-7 | Underfrequency on 2 pumps will trip all reactor coolant pump breakers and cause reactor trip; reactor trip and pump trip blocked below P-7
13. Low-low steam generator water level | 2/3 in any loop | No interlocks | Features Trip Time Delay (TTD) upgrade
14. Turbine-generator trip*
    a) Low auto stop oil pressure | 2/3 | Interlocked with P-9 | Blocked below P-9
    b) Turbine stop valve close | 4/4 | Interlocked with P-9 | Blocked below P-9
15. Safety injection signal | Coincident with actuation of safety injection | No interlocks | (See Section 7.3 for Engineered Safety Features actuation conditions)
16. Manual | 1/2 | No interlocks |

Table 7.2-2 Protection System Interlocks

Designation | Derivation | Function

I. POWER ESCALATION PERMISSIVES

P-6 | Presence of P-6: 1/2 neutron flux (intermediate range) above setpoint | Allows manual block of source range reactor trip.
P-6 | Absence of P-6: 2/2 neutron flux (intermediate range) below setpoint | Defeats the block of source range reactor trip.
P-10 | Presence of P-10: 2/4 neutron flux (power range) above setpoint | Allows manual block of power range (low setpoint) reactor trip. Allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1). Blocks source range reactor trip (back up for P-6). Input to P-7.
P-10 | Absence of P-10: 3/4 neutron flux (power range) below setpoint | Defeats the block of power range (low setpoint) reactor trip. Defeats the block of an intermediate range reactor trip and intermediate range rod stops (C-1). Input to P-7.

II. BLOCKS OF REACTOR TRIPS

P-7 | Absence of P-7: 3/4 neutron flux (power range) below setpoint (from P-10) and 2/2 turbine impulse chamber pressure below setpoint (from P-13) | Blocks reactor trip on: low reactor coolant flow in more than one loop, undervoltage, underfrequency, pressurizer low pressure, and pressurizer high level.
P-8 | Absence of P-8: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on low reactor coolant flow from one loop only.
P-9 | Absence of P-9: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on turbine trip.
P-9 | Presence of P-9 | Defeats block of reactor trip on turbine trip.
P-13 | Absence of P-13: 2/2 turbine impulse pressure below setpoint | Input to P-7.
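Tables 7.2-1 and 7.2-2 together define a small decision structure: an m-of-n coincidence vote on each trip variable, gated by permissives that are themselves m-of-n votes on power range flux and turbine impulse pressure. The following model, written for this page and not taken from the plant's solid state logic or any TVA/Westinghouse document, wires up a representative subset (items 3, 7, 8, 10 and 14 of Table 7.2-1 and all of the P-7/P-8/P-9/P-10/P-13 derivations of Table 7.2-2) so the blocking behaviour can be checked scan by scan. The percent-power and percent-load setpoint numbers are placeholders chosen for illustration; the actual values live in the Technical Specifications and do not appear in this section.

```python
"""Reactor trip coincidence logic with permissive interlocks, modelled on
Tables 7.2-1 and 7.2-2.  Constructed example, not the plant's logic; the
setpoint numbers below are placeholders (the real values are in the
Technical Specifications, not in this section)."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Placeholder permissive setpoints (assumed, % power and % turbine load).
P10_PCT_POWER = 10.0
P8_PCT_POWER = 30.0
P9_PCT_POWER = 50.0
P13_PCT_LOAD = 10.0


def coincidence(tripped: Sequence[bool], m: int) -> bool:
    """m-of-n voting: True when at least m channel bistables are tripped.
    A single spurious channel can never satisfy a 2/4 or 2/3 vote by itself."""
    return sum(1 for t in tripped if t) >= m


def above(values: Sequence[float], setpoint: float) -> List[bool]:
    """Per-channel 'above setpoint' bistable states."""
    return [v > setpoint for v in values]


@dataclass
class Inputs:
    power_range: List[float]                 # four power-range flux channels, % power
    turbine_impulse: List[float]             # two impulse chamber pressure channels, % load
    pzr_low_pressure: List[bool] = field(default_factory=lambda: [False] * 4)   # 2/4
    pzr_high_pressure: List[bool] = field(default_factory=lambda: [False] * 4)  # 2/4
    loop_low_flow: List[List[bool]] = field(
        default_factory=lambda: [[False] * 3 for _ in range(4)])               # 2/3 per loop
    auto_stop_oil_low: List[bool] = field(default_factory=lambda: [False] * 3)  # 2/3
    stop_valves_closed: List[bool] = field(default_factory=lambda: [False] * 4) # 4/4
    source_range_high: List[bool] = field(default_factory=lambda: [False] * 2)  # 1/2


def permissives(inp: Inputs) -> Dict[str, bool]:
    """Presence of each permissive from Table 7.2-2.

    Presence is the 2/4 (or 1/2) 'above setpoint' vote; the table states
    absence as the 3/4 (or 2/2) 'below setpoint' vote, which is the
    complement as long as every channel is valid.
    """
    p10 = coincidence(above(inp.power_range, P10_PCT_POWER), 2)
    p8 = coincidence(above(inp.power_range, P8_PCT_POWER), 2)
    p9 = coincidence(above(inp.power_range, P9_PCT_POWER), 2)
    p13 = coincidence(above(inp.turbine_impulse, P13_PCT_LOAD), 1)
    # P-7 is absent only when P-10 and P-13 are both absent.
    p7 = p10 or p13
    return {"P-7": p7, "P-8": p8, "P-9": p9, "P-10": p10, "P-13": p13}


def evaluate_trips(inp: Inputs) -> Dict[str, bool]:
    """Apply the coincidence and interlock rules of Table 7.2-1 to one scan."""
    p = permissives(inp)
    loops_low = sum(1 for loop in inp.loop_low_flow if coincidence(loop, 2))
    return {
        # item 7: 2/4, blocked below P-7
        "pressurizer_low_pressure": coincidence(inp.pzr_low_pressure, 2) and p["P-7"],
        # item 8: 2/4, no interlocks
        "pressurizer_high_pressure": coincidence(inp.pzr_high_pressure, 2),
        # item 10: one loop low trips above P-8, two loops low trip above P-7
        "low_reactor_coolant_flow": (loops_low >= 1 and p["P-8"])
                                    or (loops_low >= 2 and p["P-7"]),
        # item 14: 2/3 auto stop oil or 4/4 stop valves, blocked below P-9
        "turbine_trip": (coincidence(inp.auto_stop_oil_low, 2)
                         or coincidence(inp.stop_valves_closed, 4)) and p["P-9"],
        # item 3: 1/2, automatically blocked above P-10
        "source_range_high_flux": coincidence(inp.source_range_high, 1) and not p["P-10"],
    }


def reactor_trip(inp: Inputs) -> bool:
    """True when any trip function in this model is satisfied."""
    return any(evaluate_trips(inp).values())


if __name__ == "__main__":
    low_pzr = [True, True, False, False]
    shutdown = Inputs(power_range=[5.0] * 4, turbine_impulse=[3.0, 3.0], pzr_low_pressure=low_pzr)
    at_power = Inputs(power_range=[100.0] * 4, turbine_impulse=[100.0, 100.0], pzr_low_pressure=low_pzr)
    print("2/4 pressurizer low pressure at 5% power  :", reactor_trip(shutdown))  # False, blocked below P-7
    print("2/4 pressurizer low pressure at 100% power:", reactor_trip(at_power))   # True
```

Two properties worth checking against the model are the ones the tables are built around: one tripped channel never produces a reactor trip on any 2/4 or 2/3 function, and a block such as P-7 is removed by either of its two derivations (power range flux or turbine impulse pressure), so a single failed permissive input cannot keep a trip blocked at power.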

Table 7.2-3 Reactor Trip System Instrumentation

Reactor Trip Signal | Typical Range

1. Power range high neutron flux | 1 to 120% power
2. Intermediate range high neutron flux | 10 decades of neutron flux overlapping source range by 2 decades and including 100% power
3. Source range high neutron flux | 6 decades of neutron flux (10^-1 to 2x10^5 counts/sec)
4. Power range high positive neutron flux rate | +2 to +30% of full power
5. Overtemperature ΔT | TH 530 to 650°F; TC 510 to 630°F; Tavg 530 to 630°F; PPRZR 1700 to 2500 psig; F(ΔI) -60 to +60%; ΔT Setpoint 0 to 150% power
6. Overpower ΔT | TH 530 to 650°F; TC 510 to 630°F; Tavg 530 to 630°F; ΔT Setpoint 0 to 150% power
7. Pressurizer low pressure | 1700 to 2500 psig
8. Pressurizer high pressure | 1700 to 2500 psig
9. Pressurizer high water level | Entire cylindrical portion of pressurizer
10. Low reactor coolant flow | 0 to 110% of rated flow
11. Reactor coolant pump bus undervoltage | 0 to 100% rated voltage
12. Reactor coolant pump bus underfrequency | 50 to 65 Hz
13. Low-low steam generator water level | +6 ft, -12 ft from nominal full load water level
14. Turbine Trip | (1)

NOTES:

(1) The reactor trip on turbine trip is anticipatory in that no credit is taken for it in the accident analyses.

Table 7.2-4 Reactor Trip Correlation

TRIP[a] | ACCIDENT[b] | TECH SPEC

1. Power Range High Neutron Flux Trip (Low Setpoint) | Tech Spec 3.3.1, Table 3.3.1-1 #2
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1)
   2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10)
   3. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6)

2. Power Range High Neutron Flux Trip (High Setpoint) | Tech Spec 3.3.1, Table 3.3.1-1 #2
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1)
   2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2)
   3. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10)
   4. Excessive Load Increase Incident (15.2.11)
   5. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6)

3. Intermediate Range High Neutron Flux Trip | Tech Spec 3.3.1, Table 3.3.1-1 #4
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1)

4. Source Range High Neutron Flux Trip | Tech Spec 3.3.1, Table 3.3.1-1 #5
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1)
   2. Uncontrolled Boron Dilution (15.2.4) (Modes 2, 3, 4, and 5)
   3. Excessive Heat Removal Due to Feedwater Malfunction (15.2.10)

5. Power Range High Positive Neutron Flux Rate Trip | Tech Spec 3.3.1, Table 3.3.1-1 #3
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1)
   2. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6)

6. Overtemperature ΔT Trip | Tech Spec 3.3.1, Table 3.3.1-1 #6
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2)
   2. Uncontrolled Boron Dilution (15.2.4)
   3. Loss of External Electrical Load and/or Turbine Trip (15.2.7)
   4. Excessive Load Increase Incident (15.2.11)
   5. Accidental Depressurization of the Reactor Coolant System (15.2.12)
   6. Single Rod Cluster Control Assembly Withdrawal at Full Power (15.3.6)
   7. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10)
   8. Steam Generator Tube Rupture (15.4.3)

7. Overpower ΔT Trip | Tech Spec 3.3.1, Table 3.3.1-1 #7
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2)
   2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10)
   3. Accidental Depressurization of the Main Steam System (15.2.13)
   4. Major Rupture of a Main Steam Line (15.4.2.1)
   5. Excessive Load Increase Incident (15.2.11)

8. Pressurizer Low Pressure Trip | Tech Spec 3.3.1, Table 3.3.1-1 #8
   1. Excessive Load Increase Incident (15.2.11)
   2. Accidental Depressurization of the Reactor Coolant System (15.2.12)
   3. Accidental Depressurization of the Main Steam System (15.2.13)
   4. Inadvertent Operation of Emergency Core Cooling System (15.2.14)
   5. Loss of Reactor Coolant From Small Ruptured Pipes or From Cracks in Large Pipes Which Actuates ECCS (15.3.1)
   6. Major Reactor Coolant System Pipe Ruptures (LOCA) (15.4.1)
   7. Major Rupture of a Main Steam Line (15.4.2.1)
   8. Major Rupture of a Main Feedwater Pipe (15.4.2.2)
   9. Steam Generator Tube Rupture (15.4.3)

9. Pressurizer High Pressure Trip | Tech Spec 3.3.1, Table 3.3.1-1 #8
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2)
   2. Loss of External Electrical Load and/or Turbine Trip (15.2.7)
   3. Major Rupture of a Main Feedwater Pipe (15.4.2.2)

10. Pressurizer High Water Level | Tech Spec 3.3.1, Table 3.3.1-1 #9
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2)
   2. Loss of External Electrical Load and/or Turbine Trip (15.2.7)
   3. Major Rupture of a Main Feedwater Pipe (15.4.2.2)

11. Low Reactor Coolant Flow
   1. Partial Loss of Forced Reactor Coolant Flow (15.2.5) | Tech Spec 3.3.1, Table 3.3.1-1 #10
   2. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | Tech Spec 3.3.1, Table 3.3.1-1 #11
   3. Single Reactor Coolant Pump Locked Rotor (15.4.4)

12. Reactor Coolant Pump Bus Undervoltage Trip
   1. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | Tech Spec 3.3.1, Table 3.3.1-1 #11
   2. Partial Loss of Forced Reactor Coolant Flow (15.2.5) | Tech Spec 3.3.1, Table 3.3.1-1 #10

13. Reactor Coolant Pump Bus Underfrequency Trip
   1. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | Tech Spec 3.3.1, Table 3.3.1-1 #12
   2. Partial Loss of Reactor Coolant Flow (15.2.5)

14. Low-low Steam Generator Water Level Trip | Tech Spec 3.3.1, Table 3.3.1-1 #13
   1. Loss of Normal Feedwater (15.2.8)
   2. Loss of Offsite Power to the Station Auxiliaries (Station Blackout) (15.2.9)
   3. Major Rupture of a Main Feedwater Pipe Outside Containment (15.4.2.2)
   4. Loss of External Electrical Load and/or Turbine Trip (15.2.7) (Note c)

15. Turbine Trip-Reactor Trip | Tech Spec 3.3.1, Table 3.3.1-1 #14
   1. Loss of External Electrical Load and/or Turbine Trip (15.2.7) (Note c)

16. Safety Injection Signal Actuation Trip | Tech Spec 3.3.1, Table 3.3.1-1 #15
   1. Accidental Depressurization of the Main Steam System (15.2.13)
   2. Major Rupture of a Main Steam Line (15.4.2.1)
   3. Major Rupture of a Main Feedwater Pipe (15.4.2.2)

17. Manual Trip | Tech Spec 3.3.1, Table 3.3.1-1 #1
   1. Available for all Accidents (Chapter 15)

NOTES:
a. Trips are listed in order of discussion in Section 7.2.
b. References refer to Chapter 15 accident analyses in which the trip may be utilized, either as primary or backup trip.
c. The reactor trip on turbine trip is an anticipatory trip and is not credited in the accident analyses.

Figure 7.2-1-SH-1 Powerhouse Unit 1 Electrical Logic Diagrams - Reactor Protection System

Figure 7.2-1-SH-2 Powerhouse Unit 1 Electrical Logic Diagrams - Reactor Protection System

Figure 7.2-1-SH-3 Powerhouse Unit 1 Electrical Logic Diagrams - Reactor Protection System

Figure 7.2-1-SH-4 Powerhouse Unit 1 Electrical Logic Diagrams - Reactor Protection System

Figure 7.2-2 Setpoint Reduction Function for Overpower and Overtemperature ΔT Trips

7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features (ESF).

The occurrence of a limiting fault, such as a loss-of-coolant accident (LOCA) or a steamline break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system components, and ensure containment integrity.

In order to accomplish these design objectives the engineered safety features system has proper and timely initiating signals which are supplied by the sensors, transmitters and logic components making up the various protection system channels and trains of the engineered safety features actuation system (ESFAS).

7.3.1 Description

The engineered safety features actuation system uses selected plant parameters, determines whether or not predetermined limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (Class III or IV faults). Once the required logic combination is completed, the system sends actuation signals to the appropriate engineered safety features components. The engineered safety features actuation system meets the requirements of Criteria 13, 20, 27, 28 and 38 of the 1971 General Design Criteria (GDC).

7.3.1.1 System Description

The engineered safety features actuation system is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Section 7.3.1.1.1 is listed below and discussed in this section and the references.

(1) Process Protection and Control System (References [1] and [5])

(2) Solid State Logic Protection System (Reference [2])

(3) Engineered Safety Features Test Cabinet

(4) Manual Actuation Circuits

The engineered safety features actuation system consists of two discrete portions of circuitry: 1) a process protection portion consisting of three or four redundant channels per parameter or variable to monitor various plant parameters such as the reactor coolant system and steam system pressure and temperatures and containment pressures; and 2) a logic portion consisting of two redundant trains which receive inputs from the process protection channels and perform the logic needed to actuate the engineered safety features. Each logic train is capable of actuating the engineered safety features equipment required. The intent is that any single failure within the engineered safety features actuation system shall not prevent system action when required.

The redundant concept is applied to both the process protection and logic portions of the system. Separation of redundant process protection channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations and process protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23 and 24 of the 1971 GDC.

The variables are sensed by the process protection circuitry as discussed in References [1] and [5] and in Section 7.2. The outputs from the process protection channels are combined into actuation logic as shown in Figure 7.3-3, Figure 7.2-1 Sheet 4 and Figure 7.6-6 Sheet 1. Tables 7.3-1 and 7.3-2 give additional information pertaining to logic and function.

The interlocks associated with the engineered safety features actuation system are outlined in Table 7.3-3. These interlocks satisfy the functional requirements discussed in Section 7.1.2.

Controls provided on the control board for manual initiation of protective actions are discussed in Section 7.3.2.2.6.

7.3.1.1.1 Function Initiation

Functions which rely on the engineered safety features actuation system for initiation include:

(1) A reactor trip, provided one has not already been generated by the reactor trip system.

(2) Emergency Core Cooling System (ECCS) pumps, and associated valving which provide emergency makeup water to the cold legs of the reactor coolant system following a loss-of-coolant accident.

(3) Essential raw cooling water and component cooling water pumps start and heat exchanger valve realignment.

(4) Auxiliary feedwater pumps and associated valves which maintain the steam generator heat sink during emergency or accident conditions.

(5) Phase A containment isolation, whose function is to prevent fission product release (isolation of all lines not essential to reactor protection).

(6) Steamline isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown.

(7) Main feedwater isolation as required to prevent or mitigate the effect of excessive cooldown and the effects of Main Steam Valve Vault flooding due to a main feedwater line break.

(8) Start the emergency diesels to assure backup supply of power to emergency and supporting systems components.

(9) Isolate the control room intake ducts to meet control room occupancy requirements following a loss-of-coolant accident.

(10) Emergency gas treatment system actuation.

(11) Containment ventilation isolation.

(12) Containment spray actuation to reduce containment pressure and temperature on a loss-of-coolant accident or steamline break inside containment.

(13) Phase B containment isolation which isolates the containment following a loss-of-coolant accident or a steam or feedwater line break within containment to limit radioactive releases, and starts the containment air return fans to cool containment and reduce pressure following an accident.

(Phase B isolation together with Phase A isolation results in isolation of all but safety injection and spray lines penetrating the containment.)

(14) Automatic switchover of the RHR pumps from the injection to the recirculation mode (Post-LOCA).

(15) Auxiliary Building isolation.

7.3.1.1.2 Process Protection Circuitry

The process protection system sensors and racks for the engineered safety features actuation system are described in References [1] and [5]. Discussed in these reports are the protection system parameters to be measured including pressures, flows, tank and vessel water levels, and temperatures as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, flow elements, and resistance temperature detectors, as well as automatic calculations, signal conditioning/processing and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the system flow diagrams in Chapter 5, Reactor Coolant System. The secondary system sensor locations are shown on the feedwater and steam system flow diagrams given in Chapter 10, Main Steam and Power Conversion Systems.

Containment pressure is sensed by four physically separated, seismically mounted transmitters outside of the containment. The distance from penetration to transmitter is kept to a minimum, and separation is maintained.

The following is a description of those functions not included in the reactor trip or engineered safety features actuation systems which enable additional monitoring in the post loss-of-coolant accident recovery period.

(1) High head and low head ECCS pumps flow. These channels clearly show that the ECCS pumps are operating. The transmitters are located outside the containment.

(2) ECCS Pumps Status. ECCS pumps status is provided by red (running) and green (stopped) indicating lights on the control board. These lights are operated by pump motor circuit breaker auxiliary contacts.

(3) Valve position. Engineered safety features remote operated valves are provided position indication on the control board to show proper positioning of the valves.

Valve position typically is displayed by red (open) and green (closed) lights actuated by limit switches integral to the valve operator, or in some instances by valve stem mounted limit switches which are independent of the valve operator. The RHR heat exchanger outlet flow control valves (FCV-74-16 and 28) are exceptions in that each valve has only a red light that is on when the valve is fully open. For the accumulator isolation valves, in addition to the valve position lights, annunciation is provided on the control board if the valves are not correctly positioned for ESF actuation.

7.3.1.1.3 Analog Instrumentation

The miscellaneous safety-related analog process control and indication loops are made up of discrete analog modules that have been tested and qualified for use in safety related systems. The various components have been qualified to IEEE Standard 323-1983 (R-1996) "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations", IEEE Standard 344-1987 (R-1993) "IEEE Standard Recommended Practices for Seismic Qualification of Class IE Equipment for Nuclear Power Generating Stations", and IEEE Standard 384-1984 (R-1992) "IEEE Standard Criteria for Independence of Class IE Equipment and Circuits". The modules are arranged in instrument loops to provide the safety functions listed below:

Turbine driven AFW Pump Flow Control
Motor driven AFW pump differential pressure indication and recirculation valve control
Steam generator AFW flow and level indication and control
Containment Pressure indication
Upper and Lower Compartment Containment Ambient Temperature indication
RHR Heat Exchanger CCS Supply Header Flow
Sample Heat Exchanger Header CCS Differential Flow
ERCW Strainer Differential Pressure, Backwash and Flush Control
CCS Heat Exchanger B Inlet Pressure
CCS Surge Tank Level Control
CCS Heat Exchanger B Outlet Temperature
Reactor Vessel Head Vent Throttle Manual Loading Station (Unit 2 Only)
EGTS Annulus Differential Pressure Control

The components are physically arranged in the racks to meet the requirements of IEEE-279 and Watts Bar Design Criteria WB-DC-30-4, Separation/Isolation. (Unit 2 Only) Two IE analog modules are used to isolate IE to Non-IE signals. These are the Contact Output Isolator and Voltage-to-Current Converter, both of which have the Input and Output signals isolated.

EMI testing and acceptance by TVA of the Foxboro Spec 200 hardware is documented in Reference [8].

7.3.1.1.4 Logic Circuitry

The engineered safety features logic racks are discussed in detail in Reference [2].

The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference [2] also covers certain aspects of on-line test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the process protection channels are combined into actuation logic as shown on Figure 7.3-3, Figure 7.2-1, Sheet 4, and Figure 7.6-6, Sheet 1.

To facilitate engineered safety features actuation testing, two cabinets (one per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group by group basis until actuation of all devices has been checked. Testing of the ESFAS and actuated devices is discussed in Section 7.3.2.2.5.

7.3.1.1.5 Final Actuation Circuitry

The outputs of the solid state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices include the following:

(1) ECCS pumps and valve actuators (see Chapter 6).

(2) Containment isolation: Phase A signal isolates all non-essential process lines on receipt of safety injection signal; Phase B signal isolates remaining process lines (which do not include safety injection and containment spray lines) on receipt of 2/4 high-high containment pressure signal (see Chapter 6).

(3) Essential raw cooling water and component cooling water pumps and valve actuators (see Chapter 9).

(4) Auxiliary feedwater pumps and valve actuators (see Chapter 10).

(5) Diesel generators start (see Chapter 8).

(6) Feedwater Isolation (see Chapter 10).

(7) Containment ventilation isolation valve and damper actuators (see Chapters 6 and 9).

(8) Steamline isolation valve actuators (see Chapter 10).

(9) Containment spray pump and valve actuators (see Chapter 6).

(10) Control room isolation (see Chapters 6 and 9).

(11) Auxiliary building isolation (see Chapters 6 and 9).

(12) Auxiliary Building Gas Treatment System (see Chapter 6).

(13) Emergency Gas Treatment System (see Chapter 6).

(14) Motor-Operated Valve Thermal Overload Bypass (see Chapter 8).

In the event of an accident concurrent with a station electrical blackout, the engineered safety features loads are sequenced onto the diesel generators to prevent overloading them. This sequence is discussed in Chapter 8. The design meets the requirements of Criterion 35 of the 1971 GDC.

7.3.1.1.6 Support Systems

The following systems are required for support of the Engineered Safety Features:

(1) Essential Raw Cooling Water System - heat removal (see Chapter 9).

(2) Component Cooling Water System - heat removal (see Chapter 9)

(3) Electrical Power Distribution Systems (see Chapter 8).

(4) Auxiliary Control Air System (see Chapter 9).

(5) Heating, Ventilating and Air Conditioning Systems (see Chapter 9).

7.3.1.2 Design Bases Information

The functional diagrams presented in Figure 7.3-3, Figure 7.2-1, Sheet 4, and Figure 7.6-6, Sheet 1 provide the functional logic associated with requirements for the engineered safety features actuation system. Requirements for the engineered safety features system are given in Chapters 6, 9 and 10. Given below is the design bases information required in IEEE Standard 279-1971 [3].

7.3.1.2.1 Generating Station Conditions

Chapter 15 identifies the generating station conditions which require protective action. These conditions include primary system breaks, such as LOCA and steam generator tube rupture, and secondary system breaks such as steamline rupture and feedwater line break.

7.3.1.2.2 Generating Station Variables

The generating station variables that are monitored by the ESFAS for the automatic initiation of protective actions for the events identified in Chapter 15 include the following:

(a) Pressurizer pressure
(b) Containment pressure
(c) Steamline pressure
(d) Steamline pressure rate
(e) Steam generator level
(f) Reactor coolant temperature (Tavg)
(g) Containment Purge air exhaust radiation monitors
(h) Main steam valve vault level switches
(i) Containment sump level

7.3.1.2.3 Spatially Dependent Variables

The only variable sensed by the engineered safety features actuation system which has spatial dependence is reactor coolant temperature. The effect on the measurement is negated by taking multiple samples from the reactor coolant hot and cold legs and electronically averaging these samples in the process protection system.

7.3.1.2.4 Limits, Margin and Levels

Prudent operational limits, available margins and setpoints before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications. See Section 7.1.2.1.9 for additional discussion.

7.3.1.2.5 Abnormal Events

The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:

(1) Loss-of-Coolant Accident (see Sections 15.3 and 15.4)

(2) Steamline and feedwater line breaks (see Sections 15.3 and 15.4)

(3) Earthquakes (see Sections 2.5 and 3.7)

(4) Fire (see Section 9.5.1)

(5) Explosion (hydrogen buildup inside containment) (see Section 6.2.5)


(6) Missiles (see Section 3.5)

(7) Flood (see Sections 2.4 and 3.4)

(8) Wind and tornadoes (see Section 3.3)

7.3.1.2.6 Minimum Performance Requirements

Minimum performance requirements are as follows:

(1) System Response Times:

The ESFAS response time is defined in Section 7.1.

The maximum allowable engineered safety features response times are provided in the Technical Requirements Manual. These values are verified in accordance with the Technical Specifications and are consistent with the safety analyses. See Table 7.1-1, Note 1, for a discussion of periodic response time verification capabilities.

(2) System accuracies:

Accuracies required for generating the required ESFAS signals for mitigation of the design basis events considered in Chapter 15 are provided in References [6] and [7].

(3) Ranges of sensed variables to be accommodated until conclusion of protective action is assured:

Typical ranges of instrumentation used in generating the required ESFAS signals for protection against the postulated events given in Chapter 15 are as follows:

(a) Pressurizer pressure: 1700 to 2500 psig

(b) Containment pressure: -2 to 15 psig

(c) Steamline pressure: 0 to 1300 psig

(d) Steam generator level: 0 to 100% (see Table 7.2-3)

(e) Tavg: 530 to 630°F

7.3.1.3 Final System Drawings

The functional logic diagrams, electrical schematic diagrams and other drawings for the systems discussed in this section are referenced in Table 1.7-1.


7.3.2 Analysis

7.3.2.1 System Reliability/Availability and Failure Mode and Effect Analyses

A discussion on the reliability/availability of the Eagle 21 process protection system is provided in Section 7.2.2.

A failure mode and effects analysis (FMEA) was performed [Reference 4] on a generic ESFAS similar to the Watts Bar ESFAS, including sensors, signal processing equipment, and Solid State Protection System (SSPS) logic. The results of the FMEA show that the ESFAS complies with the single failure criterion of IEEE 279-1971. No single failure was found which could prevent the ESFAS from generating the proper actuation signal on demand for an engineered safety feature. Failures are either in the safe direction, or a redundant channel or train ensures the necessary actuation capability. The actuation functions are essentially the same for the Watts Bar Nuclear Plant as for the generic system analyzed. The Watts Bar ESFAS has been designed to safety design criteria equivalent to the generic system analyzed. This ESFAS FMEA applies to all Watts Bar engineered safety features, both NSSS and BOP related, that are automatically actuated by the dry contacts of the slave relays in the output cabinets of the SSPS.

7.3.2.2 Compliance With Standards and Design Criteria

Discussion of the General Design Criteria (GDC) is provided in various sections of Chapter 7 where a particular GDC is applicable. Compliance with certain IEEE Standards and Regulatory Guides is presented in Section 7.1, Table 7.1-1. The discussion given below shows that the engineered safety features actuation system complies with IEEE Standard 279-1971, Reference [3].

7.3.2.2.1 Single Failure Criterion

The discussion presented in Section 7.2.2.2 (Item 2) is applicable to the engineered safety features actuation system, with the following exception.

In the ESFAS, a loss of input power to a channel or logic train will result in a signal calling for a trip (except containment spray and switchover from injection to recirculation following a safety injection). The ESFAS slave relay outputs are energized to actuate the ESF equipment. In the event of a loss of instrument power to one ESFAS train, an independent, redundant train is available to actuate the required ESF equipment. The power supply for the protection systems is discussed in Chapter 8. For the noted exceptions, the final comparators are energized to trip to avoid spurious actuation. In addition, manual containment spray requires a simultaneous actuation of two manual controls. Two sets of manual containment spray controls are provided (2 switches/set). Simultaneous operation of both switches in either set will actuate containment spray in both trains. (Section 7.3.2.2.6 provides a discussion of protective action manual initiation capability.) This is considered acceptable because spray actuation on a high-high containment pressure signal provides automatic initiation of the system via protection channels meeting the criteria in Reference [3]. Moreover, most ESF equipment (valves, pumps, etc.) can be individually manually actuated from the control board. Hence, a third mode of containment spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 GDC.

7.3.2.2.2 Equipment Qualification

Equipment qualifications are discussed in Sections 3.10 and 3.11.

7.3.2.2.3 Channel Independence

The discussion presented in Section 7.2.2.2 (Item 6) is applicable. The ESF slave relay outputs from the solid state logic protection cabinets are redundant, and the actuations associated with each train are energized up to and including the final actuators by the separate ac power supplies which power the logic trains.

7.3.2.2.4 Control and Protection System Interaction

The discussions presented in Section 7.2.2.2 (Item 7) are applicable.

7.3.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration

The discussions of system testability in Section 7.2.2.2 (Items 9, 10, and 11) are applicable to the sensors, process protection system circuitry, and logic trains of the ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system.

Testing of ESFAS

The ESF systems are tested to provide assurance that they will operate as designed and will be available to function properly in the unlikely event of an accident. The testing program meets the requirements of Criteria 21, 37, 40, and 43 of the 1971 GDC and RG 1.22 as discussed in Table 7.1-1. The tests described in this section and further discussed in Section 6.3.4 meet the requirements on testing of the ECCS as stated in GDC 37 except for the operation of those components that will cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources and the operation of associated cooling water systems. The safety injection and RHR pumps are started and operated and their performance verified in a separate test discussed in Section 6.3.4. When the pump tests are considered in conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as closely as possible without causing an actual safety injection.

Testing as described in Sections 6.3.4, 7.2.2.2 (Item 10) and this section provides complete periodic testability during reactor operation of all logic and components associated with the ECCS. The program is as follows:

(1) Prior to initial plant operation, ESF system tests are conducted. (See Chapter 14.)


(2) Subsequent to initial startup, periodic ESF system tests are conducted in accordance with Technical Specification surveillance requirements.

(3) During on-line operation of the reactor, all of the ESFAS process protection and logic circuitry are fully tested. ESFAS slave relays and ESF final actuators are tested in accordance with Technical Specification Surveillance requirements. The final actuators whose operation is not compatible with continued on-line plant operation are checked by means of continuity testing.

Performance Test Acceptability Standard for the Safety Injection Signal and the Automatic Demand Signal for Containment Spray Actuation

During reactor operation the basis for ESFAS acceptability is the successful completion of the tests performed on the initiating system and the ESFAS. Checks of process indications verify operability of the sensors. Protection system checks and tests verify the operability of the circuitry. Solid state logic testing also checks the signal path from logic input relay contacts through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays. Final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check is performed on the actuators of the untestable devices. Final actuator testing of devices which cannot be tested online is performed during a refueling outage in accordance with Technical Specification surveillance requirements.

Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves have completed their travel.

The basis for acceptability for the ESF interlocks is control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint.

Maintenance checks (performed in accordance with the plant procedures) such as resistance to ground of signal cables in radiation environments, are based on qualification test data which identifies what constitutes acceptable radiation, thermal, etc., degradation.

Frequency of Performance of Engineered Safety Features Actuation Tests

Testing is performed on a periodic basis in accordance with the Technical Specifications.

Engineered Safety Features Actuation Test Description

The following sections describe the testing circuitry and procedures for the on-line portion of the testing program. The guidelines used in developing the circuitry and procedures are:

(1) The test procedures must not involve the potential for damage to any plant equipment.

(2) The test procedures must minimize the potential for accidental tripping.


(3) The provisions for on-line testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.

Description of Initiation Circuitry

Several systems comprise the total engineered safety features system, the majority of which may be initiated by different process conditions and be reset independently of each other. The remaining functions are initiated by a common signal (safety injection) which in turn may be generated by different process conditions. In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling and essential raw cooling water, is initiated by the safety injection signal. Each function is actuated by a logic circuit which is duplicated for each of the two redundant trains of engineered safety features initiation circuits. The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the SSPS cabinets designated Train A and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor operated valve contactors, solenoid operated valves, emergency generator starting, etc.

Process Protection System Testing

Process protection system testing is identical to that used for reactor trip circuitry and is described in Section 7.2.2.2 (Item 10). Exceptions to this are containment spray and switchover from injection (RWST) to recirculation (containment sump), which are energized to actuate on 2/4 coincidence and revert to 2/3 when one channel is in test.
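The two fail-direction rules stated in this section and in the single failure discussion of Section 7.3.2.2.1 (a de-energize-to-trip channel that loses power or is placed in test casts a trip vote, while the energize-to-actuate functions for containment spray and RWST-to-sump switchover drop the tested channel so that 2/4 reverts to 2/3), together with the two-set manual containment spray control, can be expressed as a small voting model. The Python below is an added illustration written for this page, not plant or vendor code; the class, enumeration and function names and the sample channel states are constructed, and the channel counts and coincidences are taken from Table 7.3-1.

```python
"""Model of ESFAS coincidence voting and fail-direction behaviour.

Added illustration, not plant or vendor code.  Class, enum and function
names are constructed; channel counts follow Table 7.3-1 of this section.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Sequence


class Mode(Enum):
    # Loss of channel power or placing the channel in test reads as a trip
    # vote: the function fails toward actuation (the ESFAS default).
    DEENERGIZE_TO_TRIP = "de-energize to trip"
    # Containment spray and RWST-to-sump switchover: a tested or unpowered
    # channel is removed from the vote instead, so 2/4 reverts to 2/3 and a
    # single failure cannot cause spurious actuation.
    ENERGIZE_TO_ACTUATE = "energize to actuate"


class ChannelState(Enum):
    NORMAL = "normal"          # comparator below setpoint
    TRIPPED = "tripped"        # comparator exceeded its setpoint
    IN_TEST = "in test"        # channel removed for surveillance testing
    POWER_LOST = "power lost"  # loss of instrument power to the channel


UNAVAILABLE = (ChannelState.IN_TEST, ChannelState.POWER_LOST)


@dataclass(frozen=True)
class CoincidenceFunction:
    name: str
    channels: int   # installed channels (n)
    required: int   # trip votes needed (m), as wired
    mode: Mode

    def _forced(self, states: Sequence[ChannelState]) -> int:
        """Channels that are neither voting normally nor tripped on process."""
        return sum(s in UNAVAILABLE for s in states)

    def actuates(self, states: Sequence[ChannelState]) -> bool:
        """True when the coincidence is satisfied for the given channel states."""
        if len(states) != self.channels:
            raise ValueError(f"{self.name}: expected {self.channels} channel states")
        votes = sum(s is ChannelState.TRIPPED for s in states)
        if self.mode is Mode.DEENERGIZE_TO_TRIP:
            votes += self._forced(states)   # fail-safe: unavailable channel votes trip
        return votes >= self.required

    def effective_coincidence(self, states: Sequence[ChannelState]) -> str:
        """Coincidence as the operator sees it, e.g. 2/4 becomes 2/3 with one channel in test."""
        forced = self._forced(states)
        remaining = self.channels - forced
        if self.mode is Mode.DEENERGIZE_TO_TRIP:
            # forced votes are already cast, so fewer process trips are needed
            return f"{max(self.required - forced, 0)}/{remaining}"
        return f"{self.required}/{remaining}"


# Functions from Table 7.3-1 (channel counts and trip coincidences from the table)
CONTAINMENT_PRESSURE_HIGH = CoincidenceFunction(
    "1b Containment Pressure High", 3, 2, Mode.DEENERGIZE_TO_TRIP)
PRESSURIZER_PRESSURE_LOW = CoincidenceFunction(
    "1c Pressurizer Pressure Low", 3, 2, Mode.DEENERGIZE_TO_TRIP)
CONTAINMENT_PRESSURE_HIGH_HIGH = CoincidenceFunction(
    "2b Containment Pressure High-High", 4, 2, Mode.ENERGIZE_TO_ACTUATE)
RWST_LEVEL_LOW = CoincidenceFunction(
    "4b Refueling Water Storage Tank Level Low", 4, 2, Mode.ENERGIZE_TO_ACTUATE)
CONTAINMENT_SUMP_LEVEL_HIGH = CoincidenceFunction(
    "4c Containment Sump Level High", 4, 2, Mode.ENERGIZE_TO_ACTUATE)


def manual_containment_spray(switch_sets: Sequence[Sequence[bool]]) -> bool:
    """Two sets of two switches; both switches in either set must be operated.
    One switch alone, or one switch from each set, does not initiate spray."""
    return any(len(s) == 2 and all(s) for s in switch_sets)


def switchover_to_recirculation(safety_injection: bool,
                                rwst: Sequence[ChannelState],
                                sump: Sequence[ChannelState]) -> bool:
    """Item 4 of Table 7.3-1: SI AND RWST level low AND containment sump level high."""
    return (safety_injection
            and RWST_LEVEL_LOW.actuates(rwst)
            and CONTAINMENT_SUMP_LEVEL_HIGH.actuates(sump))


if __name__ == "__main__":
    N, T, X = ChannelState.NORMAL, ChannelState.TRIPPED, ChannelState.IN_TEST
    # Constructed scenarios: one channel in test in each mode
    print(CONTAINMENT_PRESSURE_HIGH.effective_coincidence([N, X, N]))        # 1/2
    print(CONTAINMENT_PRESSURE_HIGH.actuates([T, X, N]))                     # True
    print(CONTAINMENT_PRESSURE_HIGH_HIGH.effective_coincidence([N, X, N, N]))  # 2/3
    print(CONTAINMENT_PRESSURE_HIGH_HIGH.actuates([T, X, N, N]))             # False
```

The contrast the model makes visible is the one the text relies on: with one channel in test, a de-energize-to-trip function needs only one more process trip, whereas an energize-to-actuate function still needs two real trips among the remaining three channels, so a second failed or unpowered channel can never produce a spurious spray or switchover.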

Solid State Logic Testing

Except for the channels which actuate containment spray and switchover from the refueling water storage tank to containment sump, solid state logic testing is the same as that discussed in Section 7.2.2.2 (Item 10). Logic matrices are tested from the Train A and Train B logic rack test panels. During this test, each of the logic inputs is actuated automatically in all combinations of trip and non-trip logic. Trip logic is not maintained sufficiently long to permit master relay actuation; master relays are "pulsed" in order to check continuity. Following the logic testing, the individual master relays are actuated electrically to test their mechanical operation. Actuation of the master relays during this test will apply low voltage to the slave relay coil circuits to allow continuity checking but not slave relay actuation. Annunciation is provided in the control room to indicate when a train is in test. During logic testing of one train, the other train can initiate the required engineered safety features function. Additional details of the logic system testing are given in Reference [2].

Actuator Testing

At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. Slave relays do not operate because of reduced voltage.


The ESFAS final actuation device or actuated equipment testing is performed from the engineered safeguards test cabinets, which are located near the SSPS logic cabinets.

One test cabinet is provided for each of the two protection Trains A and B. Each cabinet contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that an ESFAS signal is initiated during the test of the final device that is actuated by this ESFAS signal, the device will already be in its safeguard position.

During this last procedure, close communication between the main control room operator and the operator at the test panel is required. Prior to the energizing of a slave relay, the main control room (MCR) operator assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the MCR operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps, and annunciators on the control board, and, using a prepared check list, records all operations. He then resets all devices and prepares for operation of the next slave relay actuated equipment.

By means of the procedure outlined above, all ESF devices actuated by ESFAS initiation circuits are operated by the test circuitry, except those devices which cannot be operated at power without causing a plant upset (Reference Table 7.1-1, Note 2).

Actuator Blocking and Continuity Test Circuits

Those few final actuation devices that cannot be actuated during plant operation (discussed in Section 7.1) have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing. Operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices' control are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts and the devices' control circuit cabling, control voltage, and actuation solenoids. These continuity test circuits for components that cannot be operated online are verified by proving lights on the safeguards test cabinets. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Interlocking between trains is also provided to prevent continuity testing in both trains simultaneously; therefore the redundant device associated with the protection train not under test will be available in the event protection action is required.
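The interlocks just described (at most one output relay per train blocked at a time, no continuity testing in both trains simultaneously, and automatic actuation overriding a test for every device except the one whose relay is blocked) are a small set of rules whose value lies in being enforced mechanically rather than by procedure alone. The Python below is an added illustration written for this page, not the plant's test-cabinet circuitry; the train letters A and B follow the text, while the relay labels ("SR-1", "SR-3") and all class and method names are constructed for the example.

```python
"""Model of the safeguards test cabinet interlocks for blocked-relay
continuity testing.  Added illustration, not plant logic.  Relay labels
such as "SR-1" and all class and method names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set

TRAINS = ("A", "B")


class InterlockError(Exception):
    """Raised when a test action would defeat the redundancy the interlock protects."""


@dataclass
class SafeguardsTestCabinets:
    # Slave relays per train whose output is currently blocked for continuity test.
    blocked: Dict[str, Set[str]] = field(
        default_factory=lambda: {t: set() for t in TRAINS})

    @staticmethod
    def _other(train: str) -> str:
        if train not in TRAINS:
            raise ValueError(f"unknown train {train!r}")
        return "B" if train == "A" else "A"

    def block_for_continuity_test(self, train: str, relay: str) -> None:
        """Block one slave relay's output so its final device is checked by
        continuity only.  Enforces the two interlocks from the text:
        - the two trains may not be in continuity test simultaneously;
        - at most one output relay per train may be blocked at a time."""
        other = self._other(train)
        if self.blocked[other]:
            raise InterlockError(
                f"train {other} already has a relay in continuity test")
        if self.blocked[train] and relay not in self.blocked[train]:
            already = sorted(self.blocked[train])[0]
            raise InterlockError(f"train {train} already has {already} blocked")
        self.blocked[train].add(relay)

    def release(self, train: str, relay: str) -> None:
        """Return the relay to service at the end of its continuity test."""
        self._other(train)  # validates the train letter
        self.blocked[train].discard(relay)

    def in_test(self) -> Dict[str, bool]:
        """Control room annunciation: which trains currently have a relay in test."""
        return {t: bool(self.blocked[t]) for t in TRAINS}

    def automatic_actuation(self, demanded: Set[str]) -> Dict[str, Set[str]]:
        """Final devices that actuate in each train on an ESFAS demand.
        Automatic actuation overrides testing except for a blocked relay."""
        return {t: set(demanded) - self.blocked[t] for t in TRAINS}

    def redundancy_intact(self, demanded: Set[str]) -> bool:
        """Every demanded device actuates in at least one train."""
        actuated = self.automatic_actuation(demanded)
        return all(any(r in actuated[t] for t in TRAINS) for r in demanded)


if __name__ == "__main__":
    cab = SafeguardsTestCabinets()
    cab.block_for_continuity_test("A", "SR-1")     # constructed relay label
    print(cab.in_test())                            # {'A': True, 'B': False}
    # A demand arriving mid-test: Train A skips only SR-1, Train B covers it.
    print(cab.automatic_actuation({"SR-1", "SR-3"}))
    try:
        cab.block_for_continuity_test("B", "SR-1")
    except InterlockError as exc:
        print("blocked:", exc)
```

Because the interlock is checked at the point where a relay is blocked, `redundancy_intact` holds for every demand that can arrive while a test is in progress; the assertion-style check is what a reviewer would want to see exercised before trusting a procedural claim that "the redundant device will be available".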

Time Required for Testing

It is estimated that testing of a process protection system channel can be performed within one hour. Logic testing of either Train A or B can be performed in less than 2 hours. Testing of actuated components (including those which can only be partially tested) requires the involvement of a control room operator. It is expected to require several shifts to accomplish these tests. During this procedure automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time the redundant devices in the other train would be functional.

Summary of On-Line Testing Capabilities

The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition.

For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device a continuity test of the individual control circuits is performed.

The procedure requires testing at various locations:

(1) Process protection system testing and verification of comparator setpoints are accomplished at protection system racks. Verification of comparator relay operation is done at the MCR status lights, except for those channels which may be tested in bypass.

(2) Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic racks test panels.

(3) Testing of pumps, fans and valves is done at the safeguards test cabinets located near the logic racks in combination with actions initiated by the control room operator.

(4) Continuity testing for those circuits that cannot be operated is also done at the safeguards test cabinets.

Testing During Shutdown

Emergency core cooling system tests are performed as described in Section 6.3 and in accordance with Technical Specifications at each major fuel reloading with the reactor coolant system isolated from the emergency core cooling system by closing the appropriate valves. A test safety injection signal will then be applied to initiate operation of active components (pumps and valves) of the emergency core cooling system. This is in compliance with Criterion 37 of the 1971 GDC.

Containment spray system tests are performed as described in Section 6.2 and in accordance with Technical Specifications at each major fuel reloading. The tests will be performed with the isolation valves in the spray supply lines at the containment blocked closed and are initiated by tripping the normal actuation instrumentation.


Periodic Maintenance Inspections

The maintenance procedures which follow may be accomplished in any order. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment.

Optimum operating performance must be achieved at all times.

Typical maintenance procedures include the following:

(1) Check cleanliness of accessible exterior and interior surfaces.

(2) Check fuses for corrosion.

(3) Inspect for loose or broken control knobs and burned out indicator lamps.

(4) Inspect for moisture and condition of cables and wiring.

(5) Mechanically check connectors and terminal boards for looseness, poor connection, or corrosion.

(6) Inspect the components of each assembly for signs of overheating or component deterioration.

(7) Perform complete system operating check.

The balance of the requirements listed in Reference [3] (paragraphs 4.11 through 4.22) are discussed in Sections 7.2.2.2 and 7.3.2.2.6.

7.3.2.2.6 Manual Initiation, Reset and Blocks of Protective Actions

Capability is provided at the system level for manual initiation of reactor trip, safety injection, Phase A containment isolation and containment spray (along with Phase B containment isolation and containment ventilation isolation). Manual reset capability of these protective actions is also provided. This design meets the requirements of IEEE 279-1971, Section 4.17 and Regulatory Guide 1.62.

However, the manual initiation of both steamline isolation and switchover from injection to recirculation following a loss of primary coolant accident is performed at the component level only, so that the initiation of these two systems is not specifically designed to meet Section 4.17 of IEEE 279-1971.

The main steam isolation valves are included in the plant design to mitigate the consequences resulting from steam line breaks, and protection logic is provided in the plant design to automatically close the valves when necessary. There are four individual main steam isolation valve control switches (one per loop) mounted on the control board. Each switch when actuated will isolate one of the main steam lines.

The inadvertent manual closure of any single MSIV or the simultaneous closure of all MSIVs both create Condition II events. If all valves are closed simultaneously when the plant is operating at full power, a loss-of-load accident will result with a consequent primary and secondary side pressure increase, reactor trip and secondary side safety valve release (refer to Section 15.2.7). In the event that only one valve closes on inadvertent manual actuation when the plant is operating at full power, the steam flow in the other loops will increase in an attempt to restore full power steam flow. The non-symmetric steam flow can cause an increase in reactor power due to the non-symmetric loop temperatures and to the moderator temperature coefficient of reactivity. Consequently, margins to DNB are reduced.

Since remote individual closure of the steam line isolation valves from the control room is required for operational reasons, additional manual capabilities which could result in the inadvertent closure of all steam isolation valves would not improve reactor safety.

The manual operations performed at the component level for switchover from safety injection to cold leg recirculation following a loss of primary coolant accident are described in Table 6.3-3. An evaluation of the associated time sequences is presented in Table 6.3-3a.

The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup or shutdown/cooldown. These block features meet the requirements of Paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

7.3.2.3 Further Considerations

In addition to the considerations given above, a loss of one train of auxiliary control air or loss of a component cooling water train to vital equipment has been considered.

Neither the loss of an auxiliary control air train nor the loss of one component cooling water train can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either one of the two trains will not adversely affect the core or the reactor coolant system nor will it prevent safe shutdown if this is necessary.

Furthermore, in general, pneumatically operated valves and controls will assume a preferred failure position upon loss of control air.

The reactor coolant pumps are not tripped on a loss of component cooling water.

However, indication in the control room is provided whenever component cooling water is lost. The reactor coolant pumps can run about 10 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant if necessary.

With regard to the auxiliary feedwater system, there are two motor driven pumps and one turbine driven pump. Starting of these pumps and closing of blowdown isolation and sampling valves for all steam generators are initiated automatically by the signals listed in Table 7.3-1, Item 3, Auxiliary Feedwater.

7.3.2.4 Summary

The effectiveness of the engineered safety features actuation system is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition III and IV faults, including loss of coolant and steam break accidents. The engineered safety features actuation system parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.

The engineered safety features actuation system must detect Condition III and IV faults and generate signals which actuate the engineered safety features. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapter 15.

Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features. This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.

Operating procedures require that the complete engineered safety features actuation system normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain protection channels out of service. Channels that are out of service are to be placed in the tripped mode or bypass mode in accordance with the Technical Specifications.

7.3.2.4.1 Loss-of-Coolant Protection

By analysis of the loss-of-coolant accident and in system tests it has been verified that, except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the loss-of-coolant accident is reliably detected by the low pressurizer pressure signal; the emergency core cooling system is actuated in time to prevent or limit core damage. (Refer to Section 15.3.1.)

For large coolant system breaks the passive accumulators inject first because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active emergency core cooling system phase. (Refer to Section 15.4.1.)

High containment pressure also actuates the emergency core cooling system.

Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the engineered safety features actuation system detects the leakage of the coolant into the containment. The generation time of the actuation signal of about 1.5 seconds, after detection of the consequences of the accident, is adequate.

Containment spray will provide additional emergency cooling of containment and also limit fission product release upon sensing elevated containment pressure (high-high) to mitigate the effects of a loss-of-coolant accident.

The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 second, well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss-of-coolant.

7.3.2.4.2 Steam Line Break Protection

The emergency core cooling system is also actuated in order to protect against a steam line break. About 2.0 seconds elapses between sensing low steam line pressure and generation of the actuation signal. Analysis of steam break accidents assuming this delay for signal generation shows that the emergency core cooling system is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases. There is a reactor trip but the core reactivity is further reduced by the borated water injected by the emergency core cooling system.

Additional protection against the effects of steamline break is provided by feedwater isolation which occurs upon actuation of the emergency core cooling system.

Feedwater line isolation is initiated in order to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant system boundary.

Additional protection against a steamline break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The generation of the protection system signal is short compared to the time to trip the fast acting steam line isolation valves.

In addition to actuation of the engineered safety features, the effect of a steamline break accident also generates a signal resulting in a reactor trip on overpower or following emergency core cooling system actuation. However, the core reactivity is further reduced by the borated water injected by the emergency core cooling system.

The analyses in Chapter 15 of the steam break accidents and an evaluation of the protection system design shows that the Engineered Safety Features Actuation Systems are effective in preventing or mitigating the effects of a steam break accident.

REFERENCES

(1) Nay, J., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant)," WCAP-7671, April 1971 (Non-Proprietary).

(2) Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L, January 1971 (Proprietary) and WCAP-7672, June 1971 (Non-Proprietary).

(3) The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations, IEEE Standard 279-1971.

(4) Mesmeringer, J. C., "Failure Mode and Effects Analysis (FMEA) of the Engineered Safety Features Actuation System," WCAP-8584 Revision 1, February 1980 (Proprietary) and WCAP-8760, February 1980 (Non-Proprietary).

(5) Erin, L. E., "Topical Report, Eagle 21 Microprocessor-Based Process Protection System," WCAP-12374 Rev. 1, December 1991 (Westinghouse Proprietary Class 2); WCAP-12375 Rev. 1, December 1991 (Westinghouse Proprietary Class 3).

(6) Reagan, J. R., "Westinghouse Setpoint Methodology for Protection Systems, Watts Bar Units 1 and 2, Eagle 21 Version," WCAP-12096 Rev. 7 (Westinghouse Proprietary Class 2). Unit 1 only.

(7) "Westinghouse Setpoint Methodology for Protection System, Watts Bar Unit 2, Eagle 21 Version," WCAP-17044-P. Unit 2 only.

(8) Invensys Process Systems Document No. 800063-1830, Electromagnetic Compatibility Test Reports, Rev. 0, dated August 21, 2008.

Table 7.3-1 Instrumentation Operating Condition For Engineered Safety Features

NO. | FUNCTIONAL UNIT | NO. OF CHANNELS | NO. OF CHANNELS TO TRIP

1. SAFETY INJECTION
1a. Manual | 2 | 1
1b. Containment Pressure High | 3 | 2
1c. Pressurizer Pressure Low (1) | 3 | 2
1d. Steamline Pressure Low (Lead-Lag compensated) (1) | 12 (3/steamline) | 2/3 in any steamline

2. CONTAINMENT SPRAY
2a. Manual (2) | 4 | 2
2b. Containment Pressure High-High | 4 | 2

3. AUXILIARY FEEDWATER
3a. Manual | 3 | 1/pump
3b. Safety Injection | See Item No. 1
3c. Steam Generator Level Low-Low | 12 (3/SG) | 2/3 in any SG (motor driven pumps); 2/3 in 2/4 SG (turbine driven pumps)
3d. Loss of Offsite Power | 16 (4/6.9kV shutdown board) | 1/2 twice on any shutdown board
3e. Trip of Both Turbine Driven Main Feedwater Pumps | 2 | 2

4. SWITCHOVER FROM INJECTION TO RECIRCULATION AFTER SI [See (3)]
4a. Safety Injection AND | See Item No. 1
4b. Refueling Water Storage Tank Level Low AND | 4 | 2
4c. Containment Sump Level High | 4 | 2

(1) Interlocked with Permissive P-11; see functional description of P-11 in Table 7.3-3.

(2) Manual actuation of containment spray is accomplished by actuating either of two sets (two switches per set). Both switches in a set must be actuated to obtain a manually initiated spray signal. The sets are wired to meet separation and single failure requirements of IEEE Standard 279-1971. Simultaneous operation of two switches is desirable to prevent inadvertent spray actuation.

(3) All of the identified conditions (4a, 4b, 4c) must be present concurrently to satisfy the switchover logic.

Table 7.3-2 Instrumentation Operating Condition For Isolation Functions

NO. | FUNCTIONAL UNIT | NO. OF CHANNELS | NO. OF CHANNELS TO TRIP

1. CONTAINMENT ISOLATION
1a. Safety Injection (Phase A) | See Item No. 1 of Table 7.3-1.
1b. Containment Pressure High-High (Phase B) | 4 | 2
1c. Manual | 1 Phase A; 2 Phase B | See Item No. 2a of Table 7.3-1.

2. STEAMLINE ISOLATION
2a. Steamline Pressure Low (Lead-lag compensated)* | 12 (3/Steamline) | 2/3 in any Steamline
2b. High Steamline Pressure Negative Rate (Rate-Lag compensated)* | 12 (3/Steamline) | 2/3 in any Steamline
2c. Containment Pressure High-High | 4 | 2

3. FEEDWATER LINE ISOLATION
3a. Safety Injection | See Item No. 1 of Table 7.3-1.
3b. Steam Generator Level High-High | 12 (3/Steam Generator) | 2/3 in any Steam Generator
3c. Main Steam Valve Vault High Flood Level | 6 (3/MSVV) | 2/3 in any MSVV
3d. Low Tavg** | 4 | 2

4. CONTAINMENT VENTILATION ISOLATION
4a. Manual Containment Isolation Phase A | See Item No. 1c above.
    Containment Spray | See Item No. 2a of Table 7.3-1.
4b. Containment Purge Air Exhaust Gas Monitor Radioactivity High*** | 2 | 1
4c. Safety Injection | See Item No. 1 of Table 7.3-1.

* Interlocked with Permissive P-11; see functional description of P-11 in Table 7.3-3.

** Interlocked with Permissive P-4; see functional description of P-4 in Table 7.3-3.

*** During refueling operations, a CVI may also be initiated by High Radiation Detection from the Refueling Area Monitors in addition to the Containment Purge Exhaust Monitors, SI signal from the operating unit, or high temperature from the Unit 1 or Unit 2 Auxiliary Building air intake. The Refueling Area Monitor has 2 channels and requires only 1 channel to trip.

Table 7.3-3 Interlocks For Engineered Safety Features Actuation System

Designation | Input | Function Performed

P-4
  Input: Reactor trip
  Function performed:
    Actuates turbine trip.
    Closes main feedwater valves on Tavg below low setpoint.
    Prevents opening of main feedwater valves which were closed by safety injection or High-High steam generator water level.
    Allows manual block of the automatic reactuation of safety injection.
  Input: Reactor not tripped
  Function performed:
    Defeats the block preventing automatic reactuation of safety injection.

P-11
  Input: 2/3 Pressurizer pressure below setpoint
  Function performed:
    Allows manual block of safety injection actuation on low pressurizer pressure signal.
    Allows manual block of safety injection and steamline isolation on low steamline pressure. Steamline isolation on high negative rate steamline pressure is permitted when this manual block is accomplished.
  Input: 2/3 Pressurizer pressure above setpoint
  Function performed:
    Defeats manual block of safety injection actuation.
    Defeats manual block of safety injection and steamline isolation on low steamline pressure and defeats steamline isolation on high negative rate steamline pressure.

P-12
  Input: 2/4 Tavg below low-low setpoint
  Function performed:
    Blocks steam dump condenser dump valves.
    Allows manual bypass of steam dump block for the cooldown valves only (Note).
  Input: 3/4 Tavg above low-low setpoint
  Function performed:
    Defeats the manual bypass of steam dump block.
  (Note) For the use of additional steam dump valves below the P-12 interlock, refer to Section 10.4.4.3.

P-14
  Input: 2/3 steam generator water level above setpoint on one or more steam generators
  Function performed:
    Closes all feedwater control valves and isolation valves.
    Trips all main feedwater pumps, which closes the pump discharge valves.
    Actuates turbine trip.
    Trips condensate booster pumps and condensate demineralizer pumps.
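The coincidence ("m-out-of-n") voting that Tables 7.3-1 and 7.3-2 express as "2/3 in any steamline" or "2/3 in 2/4 SG", together with the P-11 permissive of Table 7.3-3, can be written out as plain boolean logic. The block below is an added illustrative example; it is not code from the FSAR or from the plant's protection system, and the data model (SIInputs), the helper names and the sample channel states are constructed for this example. It shows why the manual P-11 block is effective only while 2/3 pressurizer pressure channels are below the setpoint: once 2/3 are above it, the block is defeated regardless of the operator's switch position.

```python
"""Coincidence (m-out-of-n) actuation logic for a few ESFAS functions from
Tables 7.3-1 and 7.3-2, with the P-11 permissive of Table 7.3-3.

Added illustrative example; this is not code from the FSAR or from the plant's
protection system. Channel values and the helper names are constructed here.
"""
from dataclasses import dataclass


def coincidence(trips, required):
    """True when at least `required` of the channel trip bits are set."""
    return sum(1 for t in trips if t) >= required


def two_of_three_in_any(groups):
    """'2/3 in any steamline (or SG)': some group of 3 channels has 2 tripped."""
    return any(coincidence(g, 2) for g in groups)


def two_of_three_in_two_of_four(groups):
    """'2/3 in 2/4 SG': at least two of the four groups satisfy 2/3."""
    return sum(1 for g in groups if coincidence(g, 2)) >= 2


def p11_permissive(przr_below_setpoint):
    """P-11 is made up when 2/3 pressurizer pressure channels are below the
    setpoint; with 2/3 above it the manual block is defeated."""
    return coincidence(przr_below_setpoint, 2)


@dataclass
class SIInputs:
    manual: list               # 2 handswitches, 1 to actuate
    cont_press_high: list      # 3 bistables, 2 to trip
    przr_press_low: list       # 3 bistables, 2 to trip (interlocked with P-11)
    steamline_press_low: list  # 4 steamlines x 3 bistables (interlocked with P-11)
    przr_below_p11: list       # 3 bistables comparing pressurizer pressure to P-11
    manual_block: bool = False # operator has requested the P-11 block


def safety_injection(si):
    """Return the satisfied SI initiating conditions (empty list: no actuation)."""
    # The block is effective only while P-11 is satisfied; once 2/3 channels
    # are above the setpoint the block is defeated regardless of the switch.
    blocked = si.manual_block and p11_permissive(si.przr_below_p11)
    reasons = []
    if coincidence(si.manual, 1):
        reasons.append("manual")
    if coincidence(si.cont_press_high, 2):
        reasons.append("containment pressure high")
    if not blocked and coincidence(si.przr_press_low, 2):
        reasons.append("pressurizer pressure low")
    if not blocked and two_of_three_in_any(si.steamline_press_low):
        reasons.append("steamline pressure low")
    return reasons


def afw_start_on_sg_level(sg_level_low_low):
    """Table 7.3-1 item 3c: motor driven pumps on 2/3 in any SG, turbine driven
    pump on 2/3 in 2/4 SGs. Input: 4 SGs x 3 level channels."""
    return {
        "motor_driven": two_of_three_in_any(sg_level_low_low),
        "turbine_driven": two_of_three_in_two_of_four(sg_level_low_low),
    }


def switchover_to_recirculation(si_actuated, rwst_level_low, sump_level_high):
    """Table 7.3-1 item 4: SI AND 2/4 RWST level low AND 2/4 sump level high."""
    return (si_actuated
            and coincidence(rwst_level_low, 2)
            and coincidence(sump_level_high, 2))


if __name__ == "__main__":
    quiet = [[False] * 3 for _ in range(4)]
    # Constructed case: one steamline with 2 of 3 low-pressure bistables tripped
    # while P-11 is made up and the operator has blocked: no SI on that signal.
    low_press = SIInputs(
        manual=[False, False], cont_press_high=[False] * 3,
        przr_press_low=[True, True, False],
        steamline_press_low=[[True, True, False]] + quiet[1:],
        przr_below_p11=[True, True, True], manual_block=True)
    print(safety_injection(low_press))
    low_press.przr_below_p11 = [False, False, True]  # 2/3 above: block defeated
    print(safety_injection(low_press))
```

Each initiating signal is evaluated independently and the manual switches are never subject to the P-11 block, which mirrors the table: the block applies only to the two low-pressure signals footnoted (1).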

Figure 7.3-1 ESF Test Circuits (Typical)

Figure 7.3-2 Deleted by Amendment 81

Figure 7.3-3-SH-1 Powerhouse Units 1 & 2 Electrical Logic Diagram Feedwater System

Figure 7.3-3-SH-2 Powerhouse Units 1 & 2 Auxiliary Feedwater System Logic Diagram

Figure 7.3-3-SH-3 Powerhouse Units 1 & 2 Electrical Logic Diagram for Safety Injection System

Figure 7.3-3-SH-4 Powerhouse Units 1 & 2 Logic Electrical Diagram for Containment Isolation

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

The functions necessary for safe shutdown are available from instrumentation channels associated with major systems in both the primary and secondary sides of the nuclear steam supply system (NSSS). These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions. There are no systems identified strictly as safe shutdown systems.

However, procedures can institute appropriate alignment of selected systems to secure and maintain the plant in a safe condition. Other sections of the FSAR contain discussions of these systems with applicable codes, criteria and guidelines.

Discussions in Chapter 6 and Section 7.3 involve alignment of shutdown functions associated with engineered safety features under postulated limiting fault situations.

Discussed in this section is the minimum number of instrumentation and control (I&C) functions required for maintaining safe shutdown of the reactor. These functions permit the necessary operations that will:

(1) Prevent the reactor from achieving criticality in violation of the technical specifications and

(2) Provide an adequate heat sink such that design and safety limits are not exceeded.

7.4.1 Description

The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:

(1) Boration

(2) Adequate supply for auxiliary feedwater (AFW)

(3) Residual heat removal

These systems are identified in the following sections together with the associated I&C provisions. The sections identify those monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) necessary for maintaining hot standby. The equipment required for cold shutdown is identified in Section 7.4.1.3.

7.4.1.1 Monitoring Indicators

Indicators for the following process functions are provided both inside and outside the main control room (MCR). The indicators satisfy monitoring the four capabilities for maintaining a safe shutdown.

(1) Water level indicator for each steam generator

(2) Pressure and saturation temperature indicator for each steam generator

(3) Pressurizer water level indicator

(4) Pressurizer pressure indicator

(5) Source range neutron flux

(6) Reactor coolant system hot leg temperature

(7) Auxiliary feedwater flow to each steam generator

(8) Essential raw cooling water header flow

(9) Charging pumps discharge header pressure and flow

(10) Letdown heat exchanger outlet temperature

(11) Emergency boration flow

(12) Component Cooling System (CCS) flow to miscellaneous equipment

(13) CCS surge tank level

(14) CCS pumps discharge header pressure

(15) Volume control tank level

7.4.1.2 Controls

Controls provide the hardware and logic to shut down the reactor and to maintain the plant in a shutdown condition.

7.4.1.2.1 General Considerations

The following lists actions (including possible locations) and considerations that are prerequisites to alignment of systems for safe shutdown.

(1) The turbine is tripped (this can be accomplished at the turbine as well as in the MCR).

(2) The reactor is tripped (this can be accomplished at the reactor trip switchgear as well as in the MCR).

(3) Automatic systems continued functioning (discussed in Sections 7.2 and 7.7).

(4) Equipment listed in Sections 7.4.1.2.2, 7.4.1.2.3 and 7.4.1.2.4 has motor controls outside the MCR. These controls have a selector switch which transfers control of the switchgear from the MCR to its auxiliary control station(s). Placing the local selector switch in the auxiliary operating position will give an alarm in the MCR.


7.4.1.2.2 Pumps and Fans

The following pumps and fans provide safe shutdown functions:

(1) Auxiliary feedwater pumps
In the event of a main feedwater pump stoppage due to a loss of electrical power, the AFW pumps, which are powered from the emergency diesel generator (EDG), start automatically or can be started manually from inside the MCR. Additionally, the turbine driven AFW pump starts automatically or can be started manually from either the MCR or locally.

(2) Charging and boric acid transfer pumps
Start/stop motor controls provided for both the centrifugal charging pumps (CCP) and the boric acid transfer pumps are located in the MCR and at the pump switchgear for the CCP and at the pump for the boric acid transfer pumps.

(3) Essential raw cooling water pumps
These pumps, which are powered by the EDGs, sequence automatically following a loss of normal electrical power. Start/stop motor controls are located in the MCR and at the electrical switchgear.

(4) Component cooling water pumps
These pumps, energized from the EDGs, start automatically following a loss of normal electrical power. Start/stop controls are located in the MCR and at the electrical switchgear.

(5) Auxiliary control air compressors
These compressors start automatically on low air pressure.

(6) Reactor containment fan cooler units
Start/stop motor controls with a selector switch are provided for the fan motors. The controls are located in the MCR and at the electrical switchgear.

7.4.1.2.3 Diesel Generators

These units start automatically following a loss of normal AC power. However, manual controls for diesel startup are provided locally (normal start only, not emergency start) at the EDGs as well as in the MCR and auxiliary control room (ACR).

7.4.1.2.4 Valves and Heaters

The following valves and heaters provide safe shutdown actions:

(1) Charging flow control valves
Manual controls for the charging line flow control valves are provided in both the MCR and the ACR.

(2) Letdown orifice isolation valves
Open/close controls with a selector switch for the letdown orifice isolation valves are provided both in the MCR and the ACR.

(3) AFW control valves
Automatic and manual controls for the AFW control valves are located in both the MCR and the ACR for valves associated with the motor driven pumps, or at the turbine pump room for valves associated with the turbine driven pump.

(4) Steam dump/atmospheric steam dump
Automatic and manual control for the condenser steam dump is provided in the MCR. Condenser steam dump is blocked on high condenser pressure.

Atmospheric steam dump (ASD), in the form of SG PORVs, has automatic and manual control in both the MCR and ACR. Additionally, ASD has manual pneumatic controls located locally.

(5) Pressurizer heater control
On-off control with a selector switch is provided for two backup heater groups.

The heater groups are connected to separate buses, such that each can be connected to a separate diesel in the event of loss of outside power. The control is both in the MCR and at the switchgear.

Instrumentation and controls listed in Sections 7.4.1.1 and 7.4.1.2, used to achieve and maintain safe shutdown (hot standby), can also be used for an evacuation of the MCR. Through the use of suitable procedures, these I&C channels, together with the equipment identified in Section 7.4.1.3 as available for hot standby and cold shutdown, constitute the body of equipment potentially available to achieve cold shutdown after a MCR evacuation.

7.4.1.3 Equipment and Systems Available for Cold Shutdown

(1) Reactor coolant pumps (See Chapter 5)

(2) Auxiliary feedwater pumps (See Chapter 10)

(3) Boric acid transfer pumps (see Chapter 9)

(4) Charging pumps (See Chapter 9)

(5) Essential raw cooling water pumps (See Chapter 9)

(6) Containment fans (See Chapter 9)

(7) Control room ventilation (See Chapter 9)

(8) Component cooling pumps (See Chapter 9)

(9) Residual heat removal pumps (see Chapter 5)

(10) Class 1E power systems (See Chapter 8)

(11) Controlled steam release and feedwater supply (See Section 7.7 and Chapter 10)

(12) Boration capability (See Chapter 9)

(13) Nuclear instrumentation system (source range or intermediate range) (See Section 7.2 and 7.7)

(14) Reactor coolant inventory control (charging and letdown) (See Chapter 9)

(15) Pressurizer pressure control, including opening control for pressurizer relief valves (PORVs), heaters and spray valves (See Chapter 5)

To achieve cold shutdown, the safety injection signal trip circuit must be defeated and the accumulator isolation valves closed.

7.4.2 Analysis

Hot standby is a stable plant condition, automatically attained following a plant shutdown. The hot standby condition can be maintained safely for an extended period of time. In the unlikely event that access to the MCR is restricted, the plant can be safely kept at hot standby until the control room can be reentered by the use of the indicators and controls listed in Sections 7.4.1.1 and 7.4.1.2. These indicators and controls are provided outside as well as inside the MCR.

The safety evaluation for maintaining shutdown with these systems and associated instrumentation and controls includes consideration of the accident consequences that might jeopardize safe shutdown conditions. The germane accident consequences are those that would tend to degrade the capabilities for boration, adequate supply for auxiliary feedwater, or residual heat removal.

Instrumentation and controls for these systems may require some realignment in order that their functions may be performed from outside the MCR. Procedures for realignment of these controls and instruments are prepared in advance, upgraded as necessary, and available when needed. Note that the reactor plant design does not support attaining the cold shutdown condition from outside the MCR. An assessment of plant conditions can be made on the long term basis to establish the necessary physical realignment to I&C equipment in order to attain cold shutdown. During such time the plant could be safely maintained at hot standby condition.

The I&C functions which are required to be aligned for maintaining safe shutdown of the reactor are discussed above and are the minimum number of I&C functions under non-accident and nontransient conditions. Some of the equipment that provides some of these I&C functions are control systems discussed in Section 7.7 that are not part of the protection system. Proper operation of the control systems will allow a safe shutdown to be attained and maintained by preventing a transient. In considering more restrictive conditions than Section 7.4 examines, certain accidents and transients are postulated in Chapter 15.0 safety analyses which take credit for safe shutdown when the protection system's reactor trip terminates the transient and the engineered safety features system mitigates the consequences of the accident. In these transients, in general, no credit is taken for the operation of control systems listed in Section 7.7 should such operation mitigate the consequences of a transient. Should such operation not mitigate the consequences of a transient, no penalties are taken in the analyses for incorrect control system actions over and above the incorrect action of the control system whose equipment failure was assumed to have initiated the transient.

The Chapter 15.0 analyses show that safety is not adversely affected when a limited number of such transients are postulated. Such transients include the following:

(1) Uncontrolled boron dilution

(2) Loss of normal feedwater

(3) Loss of external electrical load and/or turbine trip

(4) Loss of AC power to the station auxiliaries (station blackout).

REFERENCES

None

7.5 INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY

7.5.1 Post Accident Monitoring Instrumentation (PAM)

7.5.1.1 System Description

Post Accident Monitoring (PAM) instrumentation is required to monitor plant and environs conditions during and following design basis Condition II, III and IV faults as described in FSAR Chapter 15. PAM instrumentation will enable the Main Control Room (MCR) operating staff (operator) to take preplanned manual actions, provide information on whether critical safety functions are being accomplished, provide information for potential or actual breach of the barriers to fission product release, provide information on individual safety systems, and provide information on the magnitude of the release of radioactive materials.

Table 7.5-2 lists the process information required at the initiation of an accident. The variables' descriptions were selected through a systematic evaluation of parameters required for the mitigation of design basis events at Watts Bar, a comprehensive review of the Emergency Instructions (EIs), Function Restoration Guidelines (FRGs), and Condition II, III and IV faults in Chapter 15 of the FSAR. In some cases, the EIs and FRGs address mitigation of events which may extend beyond the design of the plant. Instrumentation used for beyond design basis events may be exempted from being PAM instrumentation. Table 7.5-2 furnishes the appropriate variable classification types/categories for each variable description. PAM variable types/categories were determined using the guidance given in U.S. NRC Regulatory Guide 1.97, R2[1] and General Design Criteria for Nuclear Power Plants[12].

7.5.1.2 Variable Types

Five (5) classifications of variable types, A, B, C, D and E, were identified to provide the PAM instrumentation. These classifications meet the PAM classifications contained in Regulatory Guide 1.97, R2. These five classifications are not mutually exclusive, in that a given variable (or instrument) may be included in one or more types.

When a variable is included in one or more of the five type classifications, the equipment monitoring this variable meets the most stringent category qualification requirements as noted in Table 7.5-1. Type A variables provide primary information to the operators to allow them to take preplanned manually controlled actions to mitigate the consequences of a Chapter 15 design basis event. Types B, C, D and E are variables for following the course of an accident and are to be used (1) to determine if the plant is responding to the safety measures in operation and (2) to inform the operator of the necessity for unplanned actions to mitigate the consequences of an accident should plant conditions evolve differently than predicted by Chapter 15.

Type A Variables
Those variables that provide primary information to the MCR operators to allow them to take preplanned manually controlled actions for which no automatic action is provided and that are required for safety systems to accomplish their safety functions for Chapter 15 design basis events. Primary information is information that is essential for the direct accomplishment of specified safety functions.

Type B Variables
Those variables that provide information to monitor the process of accomplishing critical safety functions. Critical safety functions are those safety functions which are essential to prevent a direct and immediate threat to the health and safety of the public. These are defined as reactivity control, core cooling, maintaining reactor coolant system integrity, and maintaining containment integrity (including radioactive effluent control).

Type C Variables
Those variables that provide information to indicate the potential for breaching or the actual breach of the barriers to fission product release (including high level radioactive release through identifiable release points, i.e., plant vents). The barriers to fission product release are fuel cladding, reactor coolant pressure boundary and primary reactor containment.

Type D Variables
Those variables that provide information to indicate the operation of individual safety systems and other plant systems. These variables are to help the operator make appropriate decisions in using the individual systems in mitigating the consequences of an accident.

Type E Variables
Those variables used in determining the magnitude of the release of radioactive materials and for continuously assessing such releases.

7.5.1.3 Variable Categories

The five types of variables are functionally classified into three (3) qualification categories (1, 2, and 3) according to the safety function provided by the variable.

Descriptions of the three categories are given below. Table 7.5-1 briefly summarizes the qualification criteria of the three designated categories.

The three categories were differentiated so that the hierarchy of importance of the information could be recognized when specifying accident monitoring instrumentation.

Category 1 instrumentation has the highest pedigree and should be utilized for information which is essential to the main control room operating staff in order for them to determine if the plant critical safety functions are being performed. Category 2 and 3 instruments are of lesser importance in determining the state of the plant and do not require the same level of operational assurance.

The primary differences between category requirements are in the qualification, application of single failure, power supply, and display requirements.


7.5.1.4 Design Bases

7.5.1.4.1 Definitions

Primary Information
Primary information is information that is essential for the direct accomplishment of the specified functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures.

Key Variable
A key variable is that single variable (or minimum number of variables) that provides primary information and most directly indicates the accomplishment of a safety function (in the case of Types B and C) or the operation of a safety system (in the case of Type D) or radioactive material release (in the case of Type E).

Backup Variable
Additional variables beyond those classified as key that provide diagnostic or confirmatory information.

Diverse Variable
Where failure of a Category 1 channel results in information ambiguity that can lead the operator to defeat or fail to accomplish a required safety function, a second variable shall be identified to allow the operators to deduce the actual condition in the plant.

The second variable, qualified identically to the first, is called a diverse variable and bears a known relationship to the multiple channels of the key variable.

Diverse variables are identified in Table 7.5-2.

7.5.1.4.2 Selection Criteria

Type A variables are key variables and are designated Category 1.

Type B and C variables are determined to be either key or backup variables depending on their particular usage. Those variables determined to be key shall be classified as Category 1 except for those classified as Category 2 in accordance with the specific guidance presented in Regulatory Guide 1.97, R2, Table 2. Backup variables are considered Category 3.

The Type D and E variables determined to be key are classified as Category 2 except for those classified as Category 1 in accordance with the specific guidance presented in Regulatory Guide 1.97, R2, Table 2. Backup variables are considered Category 3.

The variable types were determined through (1) the guidance given in Regulatory Guide 1.97 R2, Table 2, (2) a review of the Emergency Instructions and Function Restoration Guidelines and (3) a safety analysis performed for the FSAR Chapter 15 design basis accidents. These three steps ensure that sufficient instrumentation is available to the operator to keep the plant in a safe condition under accident scenarios.


7.5.1.4.3 Design Criteria For Category 1 Variables

(A) Redundant Class 1E qualified continuous indication of these variables has been provided. Qualification applies from the sensor to the display.

The variables have been provided with a minimum of two independent channels (PAM 1 and PAM 2) for monitoring each variable. These two redundant channels allow the operator to deduce actual plant conditions.

Where failure of a channel would present ambiguous or confusing information to the operator, preventing the operator from taking action or misleading the operator, an additional redundant (PAM 3) channel has been provided. The PAM 3 channel has been qualified to the same requirements as the first two channels. Table 7.5-2 lists the redundancy requirements for each Category 1 variable.

(B) PAM instrumentation has components and cables environmentally qualified and installed to function in plant conditions for which they are expected to operate. Qualification is in accordance with 10 CFR 50.49 requirements.

(C) PAM instrumentation continues to function after a design basis seismic event in accordance with Watts Bar Nuclear Plant Design Criteria.

(D) Transmission of signals from PAM Category 1 devices to non-qualified equipment is only through an isolation device qualified to Category 1 requirements. No credible failure at the output of the isolation device prevents the monitoring channel from meeting its minimum performance requirements.

(E) Category 1 instrumentation supplied from Class 1E standby power sources is capable of operating independently of offsite power, and backed up by batteries. The physical separation between redundant channels has been preserved in field wiring by combining outputs from Train A or channels from instrumentation cabinets I or III into the PAM 1 channels. The redundant PAM 2 channels are from Train B or channels from instrumentation cabinets II or IV. PAM 3 channels are physically separated from both PAM 1 and PAM 2 channels.

(F) Category 1 analog variables have at least one of the redundant instrument loops recorded on the Plant Computer System. In addition to the Plant Computer System, a hardwired recorder for at least one instrument loop of the variable has been provided when trending of the Category 1 variable enhances the operator's ability to cope with mitigating various design basis events.

(G) Category 1 variables follow quality assurance requirements as described in FSAR Chapter 17 for safety related devices.
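The selection criteria of Section 7.5.1.4.2 (key versus backup, the Type A rule, the Regulatory Guide 1.97 Table 2 exceptions, and the most stringent category for a variable in several types) and the Category 1 channel rules of Section 7.5.1.4.3 (two independent PAM channels, a PAM 3 channel where a single failure leaves ambiguity, PAM 1 from Train A or cabinets I/III and PAM 2 from Train B or cabinets II/IV) can be checked mechanically. The block below is an added illustrative example, not the FSAR's own procedure or any plant software; the Membership and Channel data model, and passing the Regulatory Guide 1.97 Table 2 category in explicitly as `rg197_category`, are assumptions of this example, and the sample variables in the test are constructed.

```python
"""PAM variable category assignment following the selection criteria of
Section 7.5.1.4.2 and the Category 1 channel rules of Section 7.5.1.4.3.

Added illustrative example, not the FSAR's own procedure or plant software.
The data model (Membership, Channel) and the explicit rg197_category override
standing in for Regulatory Guide 1.97 R2 Table 2 are assumptions made here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Membership:
    var_type: str                          # one of "A".."E"
    role: str                              # "key" or "backup"
    rg197_category: Optional[int] = None   # category RG 1.97 Table 2 gives, if specific


def category_for(m):
    """Category (1, 2 or 3) implied by one type membership of a variable."""
    if m.var_type == "A":
        return 1                      # Type A variables are key and Category 1
    if m.role == "backup":
        return 3                      # backup variables are Category 3
    if m.var_type in ("B", "C"):
        # key B/C: Category 1 unless RG 1.97 Table 2 specifically says Category 2
        return 2 if m.rg197_category == 2 else 1
    if m.var_type in ("D", "E"):
        # key D/E: Category 2 unless RG 1.97 Table 2 specifically says Category 1
        return 1 if m.rg197_category == 1 else 2
    raise ValueError(f"unknown variable type {m.var_type!r}")


def classify(memberships):
    """A variable included in more than one type meets the most stringent
    (lowest numbered) category of all its memberships."""
    return min(category_for(m) for m in memberships)


@dataclass
class Channel:
    pam: int                        # PAM 1, 2 or 3
    train: Optional[str] = None     # "A" or "B"
    cabinet: Optional[str] = None   # "I", "II", "III" or "IV"


# Sources permitted for each redundant PAM channel under 7.5.1.4.3(E)
ALLOWED_SOURCES = {1: ({"A"}, {"I", "III"}), 2: ({"B"}, {"II", "IV"})}


def check_category1_channels(channels, diverse_needed=False):
    """Return the list of rule violations for a Category 1 variable's channels.
    diverse_needed: a single channel failure would leave ambiguous information,
    so the additional PAM 3 channel is required."""
    problems = []
    pams = {c.pam for c in channels}
    if not {1, 2} <= pams:
        problems.append("needs independent PAM 1 and PAM 2 channels")
    if diverse_needed and 3 not in pams:
        problems.append("ambiguity on single failure: PAM 3 channel required")
    for c in channels:
        if c.pam in ALLOWED_SOURCES:
            trains, cabinets = ALLOWED_SOURCES[c.pam]
            if c.train not in trains and c.cabinet not in cabinets:
                problems.append(
                    f"PAM {c.pam} wired from train {c.train}/cabinet {c.cabinet}")
    return problems


if __name__ == "__main__":
    # Constructed variable: key for Type B and key for Type D; Type B wins.
    print(classify([Membership("B", "key"), Membership("D", "key")]))
    print(check_category1_channels([Channel(1, "A"), Channel(2, "B")]))
```

The ordering of the rules matters: the Type A test and the backup test come before the Table 2 exceptions, so a backup Type B variable is Category 3 even if an override is passed, and a key Type D variable with an override of 1 is promoted to Category 1 and then must satisfy the channel checks.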


7.5.1.4.4 Design Criteria For Category 2 Variables

(A) Redundant or Class 1E circuitry is not required for Category 2 variables.

However, the parent system may require the instrumentation to be classified Class 1E for non-PAM functions. Where this instrumentation has been used to provide PAM Category 2 indication, the Class 1E qualification applies from the sensor through the isolator/buffer. The display need not meet Class 1E requirements.

(B) PAM instrumentation has components and cables environmentally qualified and installed to the plant conditions for which they are expected to operate. Nondivisional and Class 1E PAM instrumentation located in a harsh environment has been qualified in accordance with 10 CFR 50.49 requirements. Mild environment Category 2 components do not have any special qualification requirements.

(C) There are no specific requirements for seismic operability. However, specific system requirements above that required for post accident monitoring may exist. In those cases, the most restrictive qualification level applies. In addition, components are designed and mounted such that they do not have an adverse effect on safety systems during a seismic event.

(D) Category 2 instruments are powered from highly reliable power sources, not necessarily divisional power, and are diesel generator or battery backed.

(E) Potential plant release point effluent radioactivity monitors and area radiation monitors are trended on a MCR recorder or on the Plant Computer System.

(F) Category 2 instrumentation located in a harsh environment follows quality assurance requirements as described in FSAR Chapter 17 for safety related devices.

7.5.1.4.5 Design Criteria For Category 3 Variables

(A) Category 3 PAM instrumentation is high-quality commercial grade equipment. No redundancy, qualification, or signal isolation is required.

(B) Category 3 PAM loops are powered from normal station power supplies, such as nondivisional power.

(C) Components are designed and mounted such that they do not have an adverse effect on safety systems during design basis seismic events.

Instruments that are not part of a safety related system are not seismically qualified unless the Watts Bar FSAR specifies seismic requirements for the associated system.


(D) The meteorology monitors are trended on the Plant Computer System.

7.5.1.5 General Requirements

7.5.1.5.1 Display Requirements

Category 1 parameters are displayed on individual devices located in the main control room.

Category 2 and 3 devices are either displayed on individual instruments located in the main control room or processed for display by one of the computer-based systems available in the MCR except as described below.

Portable or postaccident sampling devices are not displayed in the main control room.

In addition, a limited number of Category 2 and 3 devices are displayed on local panels if the following guidelines are met:

(1) The information displayed is of a non-critical or non-diagnostic nature.

(2) The local panel display is accessible under accident conditions.

(3) The information can be retrieved in a time frame necessary to support the operator's actions.

(4) The parameter changes slowly such that only infrequent updates are needed.

Human factors principles have been used in determining the types and locations of the displays. To the extent practical, the same instruments are used for accident monitoring as are used for the normal operations of the plant. This enables the operators to use instruments with which they are most familiar during accident situations. Monitoring instrumentation is from sensors that directly measure the desired variables. Indirect measurements are made only when it can be shown by analysis to provide equivalent or unambiguous information. The PAM parameters have associated required accident ranges. The minimum required ranges are given in Table 7.5-2. The range of the instrumentation is sufficient to keep the indication on scale at all times as required for PAM. Where the required range of monitoring instrumentation results in a loss of instrumentation sensitivity or accuracy in the normal operating range by using a single instrument (such as radiation monitors), multiple instruments are used to encompass the entire required range. Where two or more instruments are needed to cover a particular range, overlapping of instrument spans and accuracies has been provided to ensure one of the two instruments will be on scale at all times.
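The overlap requirement in the last two sentences can be checked mechanically. The following is an added illustrative example, not part of the FSAR or of any plant software: each instrument's span is shrunk by its accuracy at both ends (the treatment of accuracy as an absolute band removed from each end of the scale is an assumption of the example), and the required range is then scanned for any sub-range where no instrument would be on scale. The instrument names, spans, accuracies and the required range are constructed values.

```python
from dataclasses import dataclass
from typing import List, Tuple

Interval = Tuple[float, float]


@dataclass
class Instrument:
    name: str
    scale_lo: float   # bottom of the instrument's scale
    scale_hi: float   # top of the instrument's scale
    accuracy: float   # absolute error band, assumed to apply at both ends of the scale

    def usable_span(self) -> Interval:
        """Region where a reading is still on scale after allowing for accuracy."""
        return (self.scale_lo + self.accuracy, self.scale_hi - self.accuracy)


def coverage_gaps(required: Interval, instruments: List[Instrument]) -> List[Interval]:
    """Return the parts of `required` where no instrument is on scale with margin.

    An empty list means the spans overlap enough that at least one instrument
    is on scale anywhere in the required range.
    """
    req_lo, req_hi = required
    spans = sorted(
        (i.usable_span() for i in instruments if i.usable_span()[0] < i.usable_span()[1]),
        key=lambda s: s[0],
    )
    gaps: List[Interval] = []
    cursor = req_lo                      # everything below cursor is already covered
    for lo, hi in spans:
        if hi <= cursor:
            continue                     # span lies entirely in already-covered territory
        if lo > cursor:
            gaps.append((cursor, min(lo, req_hi)))
        cursor = max(cursor, hi)
        if cursor >= req_hi:
            break
    if cursor < req_hi:
        gaps.append((cursor, req_hi))
    return gaps


# Constructed sample: a narrow-range and a wide-range level transmitter whose
# nominal scales overlap (90 to 100) but whose accuracy bands do not.
REQUIRED_RANGE: Interval = (5.0, 950.0)
SAMPLE_INSTRUMENTS = [
    Instrument("LT-narrow", 0.0, 100.0, 2.0),
    Instrument("LT-wide", 90.0, 1000.0, 10.0),
]

if __name__ == "__main__":
    print("gaps:", coverage_gaps(REQUIRED_RANGE, SAMPLE_INSTRUMENTS))
```

With the constructed values the check reports a gap from 98 to 100: the nominal spans overlap by ten units, but once each instrument's accuracy is taken off its end of scale neither is reliably on scale there. Extending the wide-range instrument's bottom of scale to 85 (so its usable span starts at 95) closes the gap.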

7.5.1.5.2 Identification

The Category 1 and 2 displays are uniquely identified on the main control board so that the operator can easily discern that they are intended for use under accident conditions. PAM Category 1 display devices have been identified with a nameplate with black background, white letters and the symbol "C1" inscribed on the nameplate.

PAM Category 2 display devices (which are not also PAM Category 1) have been identified with a nameplate with a white background, black letters with the symbol "C2" inscribed on the nameplate.

Category 1 indicators are identified on the control diagrams as P1 and P2 (as well as P3 when a third redundant channel is required) to denote each redundant train of instrumentation. Category 1 and 2 components are identified as such in the Instrument Tabulation drawings and category 3 components are identified as such in the Mechanical Equipment List (MEL). Applicable Category 1 and 2 components are identified in the 10CFR50.49 List.

7.5.1.6 Analysis

For Condition II, III and IV events sufficient duplication of information is provided to ensure that the minimum information required is available. The information is part of the operational monitoring of the plant which is under surveillance by the operator during normal plant operation. This is functionally arranged on the main control board to provide the operator with ready understanding and interpretation of plant conditions.

Redundant sensors are provided to develop the necessary information to enable the required manual functions to be performed following a Condition IV event. These sensors are environmentally and seismically qualified.

Range and accuracy requirements are determined through the analysis of Condition II, III, or IV events as described in FSAR Chapter 15. The display system meets the following requirements:

(a) The range of the readouts extends over the maximum expected range of the variables being measured.

(b) The combined indicated accuracies are within the errors used in the safety analysis.

Other information systems such as the Plant Computer System are integrated with the PAM instrumentation described in this section. In order to provide the operator adequate information to prevent and/or cope with events, those displays have been included in the Human Factors engineering review.

As described throughout FSAR Section 7.5, WBN meets the intent of Regulatory Guide 1.97, R2. Deviations from the Regulatory Guide have been identified to the NRC.[9, 10, 11, 13, 14, 15, 16] The deviation numbers are given in the notes column of Table 7.5-2 and correspond to the deviation numbers in the above references.

7.5.1.7 Tests and Inspections

7.5.1.7.1 Programs

Services, testing and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal interval between station shutdowns, capability for testing during operation is provided.


7.5.1.7.2 Removal of Channels from Service

Whenever a means for removing channels from service is included in the design, the design facilitates administrative control for such removal. The system is designed to permit at least one channel to remain operable when required during power operation.

During removal from service, the active parts of the channel need not continue to meet the single failure criteria. As such, monitoring systems comprised of two redundant channels are permitted to violate the single failure criterion during channel bypass.

The bypass time interval allowed for a maintenance operation is specified in the plant technical specifications.

7.5.1.7.3 Administrative Control

The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments and test points.

7.5.1.8 Post Accident Monitoring System (PAMS)

The PAMS is a computer based system that meets all requirements for Type A, Category 1 variables as previously described. The system displays three post accident variables:

(1) Core Exit Thermocouples

(2) Reactor Vessel Level

(3) Subcooled Margin Monitor

The PAMS software uses inputs from plant instrumentation and core exit thermocouples to calculate subcooled margin. The PAMS variables are displayed on redundant monitors in the main control room.

7.5.2 Plant Computer System

The non safety-related Plant Computer System (also referred to as the Integrated Computer System (ICS) or plant process computer) acquires, processes, and displays all data to support the assessment capabilities of the MCR, Technical Support Center (TSC) and the Emergency Operation Facility (EOF) as stated in NUREG-0696[2] and NUREG-0737, Supplement 1[3]. The Plant Computer System also provides the safety parameter display system and the bypassed and inoperable status indications system for WBN.

The Plant Computer System is a real time data acquisition and analysis computer system. This computer system also drives display equipment in the Technical Support Center (TSC) and provides plant data to the off-site computer located at the Emergency Operations Facility (EOF).

The operators use a keyboard to request additional detailed information about the parameters used to determine the Critical Safety Functions (CSF) status as well as other plant conditions. This information is provided in three formats: mimic, tabular, and trend displays.


The data undergoes several validation steps before being presented to the operators.

When redundant sensors are used, the data received by the computer can be processed by software to determine if the quality of one or more points is questionable.

Sections 7.5.2.1 through 7.5.2.3.2 describe some of the key functions performed by the Plant Computer System.

7.5.2.1 Safety Parameter Display System

7.5.2.1.1 System Description

The principal purpose and function of the Safety Parameter Display System (SPDS) is to aid control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing if abnormal conditions require corrective action by the operators to avoid a degraded core. During emergencies the SPDS serves as an aid to evaluating the current safety status of the plant, executing function-oriented emergency procedures, and monitoring the impact of engineered safeguards or mitigation activities. The SPDS also operates during normal operations, continuously displaying information from which the plant safety status can be readily and reliably assessed.

The Unit 2 SPDS has at least two color graphic monitors in the main control room which continuously display information on the CSF.

7.5.2.1.2 Design Bases

Location of SPDS

The SPDS is conveniently located in the control room on at least two monitors for use by the control room operating staff.

Although both of these terminals are expected to be operational, only one is required to be operational in order for the SPDS to be considered available.

Continuous and Reliable Display of Plant Safety Status Information

The SPDS displays information from which the plant safety status can be readily and reliably assessed by control room personnel responsible for the avoidance of degraded and damaged core events. This is accomplished by presenting the status of each CSF on every SPDS display. The status of the CSF is indicated on all Plant Computer System displays by use of a target on each screen. Redundant sensor algorithms are used to aid the operators in determining if display information is reliable.

The quality of the information is identified as being good, poor, bad, or manually entered. Data is tagged as poor if it is inconsistent with redundant sensors. Data is tagged as bad if it is outside the process sensor limits, or data acquisition system span, or because hardware checks indicated a malfunctioning input device. Data is tagged as manually entered when the value is operator entered. If a point is not poor, bad, or manually entered it is considered good. Calculated points are tagged as poor if any of their constituent points are not good.
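The tagging rules in the paragraph above, worked through as an added illustrative example (this is not SPDS or Plant Computer System software). The order in which the checks are applied, the redundant-sensor consistency rule (distance from the median of the group's usable points), the point names, limits and tolerance are all assumptions of the example; the 0 to 3000 PSIG RCS pressure range is taken from Table 7.5-2.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Quality tags as described for the SPDS
GOOD, POOR, BAD, MANUAL = "good", "poor", "bad", "manually entered"


@dataclass
class Point:
    name: str
    value: float
    sensor_lo: float             # process sensor limits (constructed values)
    sensor_hi: float
    das_lo: float                # data acquisition system span (constructed values)
    das_hi: float
    hw_ok: bool = True           # hardware check of the input device passed
    manual: bool = False         # value was entered by an operator
    group: Optional[str] = None  # redundant-sensor group this point belongs to, if any


def tag_points(points: List[Point], tol: float) -> Dict[str, str]:
    """Assign a quality tag to each measured point.

    Check order is an assumption of this example: a manually entered value is
    tagged first (the sensor reading is not in use), then limit and hardware
    checks mark a point bad, and only points that pass both are compared with
    their redundant partners.
    """
    tags: Dict[str, str] = {}
    groups: Dict[str, List[Point]] = {}
    for p in points:
        if p.manual:
            tags[p.name] = MANUAL
        elif (not p.hw_ok
              or not p.sensor_lo <= p.value <= p.sensor_hi
              or not p.das_lo <= p.value <= p.das_hi):
            tags[p.name] = BAD
        else:
            tags[p.name] = GOOD
            if p.group is not None:
                groups.setdefault(p.group, []).append(p)
    # Redundant-sensor consistency (rule assumed): a point further than tol from
    # the median of the usable points in its group is tagged poor.
    for members in groups.values():
        if len(members) < 2:
            continue
        centre = median(m.value for m in members)
        for m in members:
            if abs(m.value - centre) > tol:
                tags[m.name] = POOR
    return tags


def calculated_quality(constituent_tags: List[str]) -> str:
    """A calculated point is poor if any of its constituent points is not good."""
    return GOOD if all(t == GOOD for t in constituent_tags) else POOR


# Constructed sample: three RCS wide-range pressure channels plus single points
# that exercise each of the other tagging rules.
SAMPLE_POINTS = [
    Point("RCS-P1", 2235.0, 0, 3000, 0, 3000, group="rcs_pressure"),
    Point("RCS-P2", 2241.0, 0, 3000, 0, 3000, group="rcs_pressure"),
    Point("RCS-P3", 1900.0, 0, 3000, 0, 3000, group="rcs_pressure"),  # disagrees with the others
    Point("CET-01", 640.0, 200, 2300, 200, 2300, hw_ok=False),        # input card fault
    Point("RWST-L", 103.0, 0, 100, 0, 100),                           # above sensor limit
    Point("AFW-F1", 350.0, 0, 700, 0, 700, manual=True),              # operator-entered value
]

if __name__ == "__main__":
    tags = tag_points(SAMPLE_POINTS, tol=50.0)
    for name, tag in tags.items():
        print(f"{name}: {tag}")
    # a calculated point built from a good and a bad constituent is poor
    print("calculated:", calculated_quality([tags["RCS-P1"], tags["CET-01"]]))
```

With the constructed inputs the third pressure channel is tagged poor because it disagrees with the other two, the thermocouple and the tank level are bad for a hardware fault and an out-of-limit value respectively, the flow point is manually entered, and any calculated point that depends on one of those is poor.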


The SPDS software and changes undergo formal verification and validation. Software changes are documented, approved, and controlled by qualified personnel and procedures.

Concise Display of Critical Plant Variables

The SPDS provides a concise display of critical plant variables which provide information to plant operators about the following critical safety functions:

(a) Reactivity control

(b) Reactor core cooling and heat removal from the primary system

(c) Reactor coolant system integrity

(d) Radioactivity control

(e) Containment conditions

When the SPDS logic determines the plant may not be in a safe condition, the operator is informed of the problem. After the SPDS indication is verified to be correct, the operator is directed to follow appropriate recovery procedures.

Human Factors

Human factors are taken into account in the design of the SPDS. Flashing is used to draw operator attention to new alarm conditions. Page keys or mouse commands are used for screen navigation. Alarms are acknowledged with keystrokes at the Plant Computer System work stations located in the MCR.

Additional information is presented to control room personnel in numeric format, numeric displays, deviation barcharts, and trend displays.

Electrical and Seismic Qualification

The SPDS is not class 1E qualified and is not powered from a class 1E power source.

As such, the SPDS is electrically isolated from equipment and sensors used in safety systems.

The SPDS equipment including display hardware has three power sources:

Normal: Unit board AC power rectified and inverted to 120V AC

Alternate: Station battery 250V DC inverted to 120V AC

Maintenance: Regulated 120V AC from 480V AC station unit board

The hard copy equipment does not have to be powered by uninterruptible power.

The SPDS is not required to operate during or after a seismic event. SPDS equipment is designed so that it will not adversely affect any equipment important to safety, either during or after a seismic event.


7.5.2.2 Bypassed and Inoperable Status Indication System (BISI)

WBN fully complies with the intent of RG 1.47, Revision 0[5].

The Bypassed and Inoperable Status Indication System (BISI) does not perform a safety function, nor do administrative procedures call for immediate operator action based solely on BISI indication. The BISI equipment is isolated from the associated safety-related equipment so as to preclude any abnormal or normal action of the BISI from preventing the performance of a safety function.

The BISI system is a function of the Plant Computer System that provides automatic indication and annunciation of the abnormal status of each ESFAS actuated component of each redundant portion of a system that performs a safety-related function. The determination of the bypassed or inoperable status of a system is left up to the reactor operator.

Abnormal status indication may be applied administratively by the control room operators or automatically from monitored equipment.

Compliance with Regulatory Guide 1.47 is described below:

(1) An abnormal indication is provided for each safety system. Abnormal includes any deliberate action which renders a protection system inoperable.

The following systems are monitored:

main and auxiliary feedwater

safety injection

residual heat removal

containment spray

emergency gas treatment

essential raw cooling water

chemical and volume control

heating, ventilation, and air conditioning

component cooling

control air (including auxiliary control air)

standby diesel generator

(2) Support system indication is provided for each safety system that requires auxiliary or support system(s) operation to perform its safety function.

(3) The indicators are at the system level with separate indication for each train.

(4) Sublevel information is provided to the control room operator for determination of the abnormal condition at the component level.


(5) The abnormal indicators are operated automatically by actions which meet all of the following criteria:

(a) The action is deliberate. It is not the intent of the system to show operator errors or component failures.

(b) The action is expected to occur more often than once a year.

(c) The action is expected when the protection system must be operable per technical specifications.

(d) The action renders the system inoperable, not merely potentially inoperable.

(e) The deliberate action has taken place in the safety system or a necessary supporting system.

(6) The abnormal indication is separate from other plant indicators.

(7) A manual capability is provided to operate each safety system abnormal indication. This allows the operator to activate abnormal indication for an event that renders a safety system inoperable but does not automatically operate the BISI.

(8) Abnormal indication is accompanied by an audible alarm.

(9) There is no capability to defeat an automatic operation of an abnormal indication. (However audible alarms may be silenced.)

(10) The indication system is mechanically and electrically isolated from the safety system to avoid degradation of the safety system. The BISI is not safety-related; i.e., it is not designed to safety system criteria such as IEEE Standard 279-1971[6].

(11) In accordance with IEEE-279-1971, Paragraph 4.20[6], the operator must be able to determine why a system level abnormal status is indicated. This information can be accessed by the operator for display.

(12) Essential raw cooling water and diesel generator systems abnormal status indication are provided. These (support) systems are unique and important enough to warrant abnormal status indication.

(13) The system design meets the recommendations of ICSB-21[8] as follows:

(a) Each safety system has a Train A and Train B bypass indicator.

Support systems are arranged together with the associated train of bypass indicators. Safety system indicators are lit whenever any support subsystem is abnormal.

(b) Means by which the operator can cancel erroneous bypassed indications are not provided.

(c) The BISI system does not perform functions essential to safety. No operator action is required based solely on the abnormal status indication.

(d) The BISI system has no effect on plant safety systems.

(e) The abnormal status indicating and annunciating function can be tested during normal plant operation.
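The indication logic that items (2), (4), (7), (8), (9), (11) and (13)(a)-(b) describe, as an added illustrative model (this is not the plant's BISI software): a system-level indicator per train is lit by automatic component inputs, by an operator-applied manual indication, or by an abnormal condition in any supporting system; a new abnormal indication raises an audible alarm that can be silenced without affecting the indication; automatic inputs have no operator cancel path and clear only when the monitored equipment reports normal; and the reasons behind a lit indicator can be retrieved. The system names come from the monitored-system list above, but the support dependencies between them, the component descriptions and the class interface are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (safety system, train)

# Constructed support map: safety system -> support systems it needs in order
# to perform its function. The dependencies are assumptions of this example.
SUPPORT_MAP: Dict[str, List[str]] = {
    "safety injection": ["essential raw cooling water", "component cooling"],
    "component cooling": ["essential raw cooling water"],
    "essential raw cooling water": [],
    "standby diesel generator": [],
}


@dataclass
class TrainStatus:
    auto_abnormal: Set[str] = field(default_factory=set)  # components reported abnormal by monitored equipment
    manual_abnormal: bool = False                          # indication applied administratively by the operator
    audible: bool = False                                  # audible alarm raised with a new abnormal indication


class Bisi:
    def __init__(self, support_map: Dict[str, List[str]], trains=("A", "B")):
        self.support_map = support_map
        self.status: Dict[Key, TrainStatus] = {(s, t): TrainStatus() for s in support_map for t in trains}

    def reasons(self, system: str, train: str, _seen: Optional[Set[Key]] = None) -> List[str]:
        """Sublevel information: every condition lighting this train's indicator,
        including abnormal conditions in its support systems."""
        seen = _seen if _seen is not None else set()
        key = (system, train)
        if key in seen:
            return []
        seen.add(key)
        st = self.status[key]
        out = [f"{system}/{train}: {c}" for c in sorted(st.auto_abnormal)]
        if st.manual_abnormal:
            out.append(f"{system}/{train}: manual abnormal indication")
        for sup in self.support_map.get(system, []):
            out.extend(self.reasons(sup, train, seen))
        return out

    def indicated(self, system: str, train: str) -> bool:
        """System-level abnormal indicator for one train."""
        return bool(self.reasons(system, train))

    def _apply(self, key: Key, change: Callable[[TrainStatus], None]) -> None:
        lit_before = {k for k in self.status if self.indicated(*k)}
        change(self.status[key])
        for k in self.status:
            if k not in lit_before and self.indicated(*k):
                self.status[k].audible = True  # new abnormal indication: sound the alarm

    def report_component(self, system: str, train: str, component: str, abnormal: bool) -> None:
        """Automatic input from monitored equipment. There is deliberately no operator
        path to clear it; it goes away only when the equipment reports normal again."""
        def change(st: TrainStatus) -> None:
            (st.auto_abnormal.add if abnormal else st.auto_abnormal.discard)(component)
        self._apply((system, train), change)

    def set_manual(self, system: str, train: str, abnormal: bool = True) -> None:
        """Operator-applied indication for an event the BISI does not sense itself."""
        def change(st: TrainStatus) -> None:
            st.manual_abnormal = abnormal
        self._apply((system, train), change)

    def silence(self, system: str, train: str) -> None:
        """Silence the audible alarm only; the indication itself is untouched."""
        self.status[(system, train)].audible = False


if __name__ == "__main__":
    bisi = Bisi(SUPPORT_MAP)
    # constructed event: a support-system component on train A is taken out of service
    bisi.report_component("essential raw cooling water", "A", "pump A breaker racked out", True)
    for (system, train), st in bisi.status.items():
        print(f"{system}/{train}: lit={bisi.indicated(system, train)} audible={st.audible}")
    print("why safety injection/A:", bisi.reasons("safety injection", "A"))
```

Running it shows the one support-system input lighting the train A indicators of every system that depends on it while train B stays dark, and the stored reasons answer the IEEE-279 paragraph 4.20 question of why a system-level indicator is on.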

7.5.2.3 Technical Support Center and Communication Data Links

7.5.2.3.1 Technical Support Center

The information available includes the SPDS displays as well as special displays for use in the TSC. The displays are similar to those in the main control room, and the software and man/machine interface are the same.

7.5.2.3.2 Communication Data Links

The Plant Computer System provides a means of acquiring data from and supplying data to computer based systems both on and off site. The communications data links interconnect the following computer systems:

(1) Emergency Operations Facility (EOF)

For Watts Bar the Central Emergency Control Center (CECC) is the EOF. In response to NUREG 0737 Supplement 1[3], all data (real and calculated) along with status and quality information is available for transmission by data link to a compatible processor capable of displaying the information in the CECC. Upon request the Plant Computer System will send the CECC computer a dynamic data base snapshot (a maximum of 200 process variables) every 15 seconds over a high speed communications link. This data meets the requirements of NUREG-1394, Emergency Response Data System[7].

(2) Nuclear Data Link

The CECC processor transmits data to the NRC over the Nuclear Data Link.

(3) Environmental Data Station (EDS)

Communications between the Plant Computer System and the EDS Computer allow the Plant Computer System to access variables that are input to the EDS computer. All EDS data required by RG 1.23[4] and required to support the TSC functions can be transmitted at a rate of once per minute and displayed with the radiation release data.

REFERENCES

(1) U. S. NRC Regulatory Guide 1.97, Rev. 2 (December 1980) and Rev. 3 (May 1983), "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident".

(2) NUREG-0696, Functional Criteria for Emergency Response Facilities, dated February 1981.

(3) NUREG-0737, Supplement 1, Requirements for Emergency Response Capability, Generic Letter 82-33, dated December 17, 1982.

(4) Regulatory Guide 1.23, Onsite Meteorological Programs (Safety Guide 23), Revision 0.

(5) Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems, Revision 0.

(6) IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations (ANSI-N42.7-1972).

(7) NUREG-1394, Emergency Response Data System Implementation.

(8) Branch Technical Position ICSB-21, Guidance for Application of Regulatory Guide 1.47.

(9) TVA letter to NRC dated August 31, 1990, Watts Bar Nuclear Plant (WBN) - Conformance to Regulatory Guide (RG) 1.97 Revision 2 (RIMS L44 900831 804).

(10) TVA letter to NRC dated October 29, 1991, Watts Bar Nuclear Plant (WBN) - Emergency Response Capability, Regulatory Guide 1.97, Revision 2 - Request for Additional Information Response (RIMS T04 911029 848).

(11) NUREG-0847, Supplement 9, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2," June 1992.

(12) "General Design Criteria for Nuclear Power Plants," Appendix A to Title 10 CFR 50, Criteria 13, 19, and 64.

(13) TVA letter to NRC dated May 9, 1994, Watts Bar Nuclear Plant (WBN) - Regulatory Guide (RG) 1.97, Revision 2, Postaccident Monitoring System (PAM) - Supplemental Response (RIMS T04 940509 901).

(14) TVA letter to NRC dated April 21, 1995, Watts Bar Nuclear Plant (WBN) Units 1 & 2 - Regulatory Guide (RG) 1.97, Revision 2, Post-Accident Monitoring System (PAM) - Supplemental Response (RIMS T04 950421 117).

(15) TVA letter to NRC dated July 18, 1995, Watts Bar Nuclear Plant (WBN) Units 1 and 2 - Regulatory Guide (RG) 1.97, Revision 2, Post-Accident Monitoring System (PAM) - Supplemental Response (RIMS T04 950718 165).

(16) TVA letter to NRC dated October 12, 1995, Watts Bar Nuclear Plant (WBN) Units 1 & 2 - Regulatory Guide (RG) 1.97, Revision 2, Post-Accident Monitoring System (PAM) - Supplemental Response (T04 951012 228).

(17) U.S. NRC Regulatory Guide 1.7, Rev. 3, Control of Combustible Gas Concentrations in Containment, May 2003.

(18) Nuclear Regulatory Commission, 10 CFR Parts 50 and 52, RIN 3150-AG76, Combustible Gas Control in Containment, Final Rule.


Table 7.5-1 (Sheet 1 of 2)

Post Accident Monitoring Instrumentation Component Qualification Matrix (See Note)

Criteria | Category 1 | Category 2 | Category 3
Redundancy | At least 2 channels required | Not required | Not required
EQ (10 CFR 50.49) | Qualify per WB-DC-40-54, components placed in 10CFR50.49 program | Qualify per WB-DC-40-54, components placed in 10CFR50.49 program | Not required
Seismic | Must function after seismic event per WB-DC-40.31.2 | Not required | Not required
QA | Yes | Yes; equipment in harsh environment same as Category 1 | Not required
Power Supply | Class 1E per WB-DC-30-27 | Non-Class 1E, diesel or battery-backed | Non-Class 1E
Physical Separation | Required per WB-DC-30-4 | Not required | Not required
Electrical Separation | Non-1E circuit interfaces are through qualified isolation devices (see WB-DC-30-4) | Not required | Not required
Indication | Hardwired indicator (RVLIS and CET use CQ PAMS flat panel display), light | Meter, indicator light, computer display, or annunciator window | Meter, indicator light, computer display, or annunciator window
Special Labeling | C1 engraved on MCR board label or window | C2 engraved on MCR label or window | Not required on MCR
Testing and Maintenance | Required | Required | Required
Isolation Device Accessibility | Required | Required for loops with isolation devices | Not required
Recording | At least 1 channel per analog variable is recorded as indicated in Table 7.5-2. Recording is qualified to Category 2 requirements. The Plant Computer has at least 1 channel per analog variable trended. | Effluent and area radiation monitors are recorded. Not required for others. | Recorder or computer for meteorology; not required for others


Table 7.5-1 (Sheet 2 of 2)

Post Accident Monitoring Instrumentation Component Qualification Matrix

Note: These are only post accident monitoring requirements. Normal system requirements may impose more stringent qualification requirements on components selected for PAM use and in those cases the most stringent requirements are met.


Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists Legend (Page 1 of 41)

Legend

The following table of variables provides a listing of specific design requirements for the PAM instruments. The table represents the minimum required to conform to Regulatory Guide (RG) 1.97, Revision 2. Additional qualification may be provided as a result of other plant, system, or design requirements. The topics described are:

Variable Name

Type and Category

Redundant Channels

Range, Range Units

Notes

Type and Category - The variable's type(s) and associated category are identified. Entries in this column are derived from the Type selection analysis and RG 1.97.

Redundancy - The number of instrument channels required to monitor the variable. For Category 1 variables, the number of channels is determined from the PAM single failure analysis. Diverse indication used to supplement or replace redundant information is also identified in Note 1.

Range - The required range and engineering units of the instrumentation are developed in the Type selection analyses or the required range and accuracy analysis. The radiation monitor ranges may reflect the interpreted range and not the equipment's scale.

Notes - Additional information is provided for clarification including any deviations from R.G. 1.97 R2. The deviations are found in references 9, 10, 11, 13, 14, 15, 16.


Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 2 of 41)

Var Num | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
1 | Auxiliary Feedwater Flow | A1 D2 | P1 P2, 2 Channels Per Loop | 0 | 700 | GPM | Note 1
2 | Containment Lower Compartment Atmosphere Temperature | A1 D2 | P1 P2, 2 Channels | 0 | 350 | Deg F | Deviation #8
3 | Containment Pressure (Narrow Range) | A1 B1 C1 D2 | 4 Channels | -2 | 15 | PSIG | Deviation #24; Note 9
4 | Containment Radiation | A1 C3 E1 | P1 P2 (2 Upper, 2 Lower) | 1 | 1.0E7 | R/hr | Deviation #36
5 | Containment Sump Level (Wide Range) | A1 B1 C1 D2 | P1 P2 | 0 | 200 | Inches | Deviation #32
6 | Core Exit Temperature | A1 B1 C1 D2 | P1 P2 (8 PAM 1, 8 PAM 2) | 200 | 2300 | Deg F | Minimum of 16 operable thermocouples, 4 from each quadrant (Note 1, 9, 10); Deviation #37
7 | Main Steam Line Radiation | C2 E2 | 1 Channel Per Steam Generator | 1.0E-1 | 1.0E3 | Ci/cc | Note 7
8 | Nuclear Instrumentation (Source Range) | A1 B1 D2 | P1 P2 | 1.0E-1 | 2.0E5 | CPS | Note 9

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 3 of 41)

Var Num | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
9 | RCS Pressurizer Level | A1 D1 | P1 P2 P3 | 0 | 100 | % | Note 9 & 12
10 | RCS Pressure Wide Range | A1 B1 C1 D2 | P1 P2 P3 | 0 | 3000 | PSIG | Note 9 & 12
11 | RCS Temperature T Cold | A1 B1 C1 D2 | 4 Channels, 1 Per Loop | 50 | 700 | Deg F | Note 1 & 9; Deviation #1
12 | RCS Temperature T Hot | A1 D2 | 4 Channels, 1 Per Loop | 50 | 700 | Deg F | Note 1 & 9; Deviation #1
13 | Refueling Water Storage Tank Level | A1 D2 | P1 P2 | 0 | 100 | % | Note 9
14 | Steam Generator Level (Narrow Range) | A1 B1 | P1 P2 P3, 3 Channels Per Steam Generator | 0 | 100 | % | Note 1, 9, 12
15 | Steam Generator Pressure | A1 B1 D2 | P1 P2, 2 Channels Per SG | 0 | 1300 | PSIG | Deviation #3; Notes 1 & 9
16 | Subcooling Margin Monitor | A1 B2 C1 D2 | P1 P2 | 200 | 35 | Deg F | 200 Deg. subcooling to 35 Deg. superheat; Notes 9 & 10

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 4 of 41)

Var Num | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
17 | Auxiliary Building Passive Sump Level | B1 C1 | P1 P2 | 12.5 | 72.5 | Inches | Note 9
18 | Containment Isolation Valve Position Indication | B1 D2 | 1 Per Valve | Closed | Not Closed | N/A | Deviation #20
19 | Containment Hydrogen Concentration | B1 C1 D2 (Unit 1 only); C3 D3 E3 (Unit 2 only) | P1 P2 (Unit 1 only); 1 Channel (Unit 2 only) | 0 | 10 | % | Deviation #2
20 | Control Rod Position | D3 | 1 Channel Per Bank | 0 | 235 | Steps | Deviation #35
21 | Nuclear Instrumentation (Intermediate Range) | B1 D2 | P1 P2 | 1.0E-8 | 200 | %Power | Note 9
22 | Reactor Vessel Level | B1 C1 D2 | P1 P2 | See below | See below | | See Notes 5, 9, & 10
22a | Static Mode (Pumps Not Running) | | | 0 | 100 | % | 0% represents reactor vessel empty; 100% represents reactor vessel full.

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 5 of 41)

Var Num | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
22b | Dynamic Mode (Pumps Running) | | | 20 | 100 | % | 100% represents reactor vessel full
23 | Containment Pressure (Wide Range) | C1 | P1 P2 | -5 | 60 | PSIG |
24 | Shield Building Vent (Noble Gas Activity) | C2 E2 | 1 Channel | 1.0E-6 | 1.0E4 | Ci/cc |
25 | ABGTS High Pressure Alarm | D2 | 1 Channel Per Fan | NA | -0.2 | inch H2O |
26 | ACAS Pressure | D2 | 1 Channel Per Train | 0 | 150 | PSIG |
27 | AFW Valve Status | D1 | 1 Channel Per Valve | Open | Closed | NA |
28 | Accumulator Flow Isolation Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA | Deviation #16
29 | Accumulator Tank Level | D3 | 1 Channel Per Tank | 7450 | 8080 | GAL | Deviation #15

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 6 of 41)

Var Num | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
30 | Accumulator Tank Pressure | D3 | 1 Channel Per Tank | 0 | 700 | PSIG | Deviation #6
31 | Annulus Pressure | D2 | 1 Channel | -10 | 0 | inch H2O |
32 | Aux. Feed Pump Turbine Steam Supply Isolation Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA |
33 | Battery Current (125V dc Vital) | D2 | 1 Channel Per Battery | -200 | +600 | AMPS |
34 | Bus Voltage (125V dc Vital) | D2 | 1 Channel Per Battery | 75 | 150 | VOLTS |
35 | Bus Voltage (480V Shutdown) | D2 | 1 Channel Per Train | 0 | 600 | VOLTS |
36 | Bus Voltage (6.9KV Shutdown) | D2 | 1 Channel Per Train | 6400 | 7400 | VOLTS | Analog scale & digital display
37 | CCS Surge Tank Level | D3 | 1 Channel Per Train | 0 | 100 | % |
38 | Centrifugal Charging Pump Total Flow | D2 | 1 Channel | 0 | 1000 | GPM |

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 7 of 41)

Var Num | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
39 | Charging Header Flow | D3 | 1 Channel | 0 | 110 | GPM | Deviation #17
40 | Component Cooling Water To ESF Flow | D2 | 1 Channel Per Hx | 0 | 5561 | GPM |
41 | Component Cooling Water Supply Temperature | D2 | 1 Channel Per Train | 30 | 150 | Deg F | Deviation #7
42 | Condensate Storage Tank Water Level | D3 | 1 Channel Per Tank | 0 | 385,000 | GAL | Not primary source of aux. feedwater; see Variable 27.
43 | Containment Air Return Fan Status | D2 | 1 Channel Per Fan | On | Off | N/A | Breaker status
44 | Containment Cooling Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA |
45 | Containment Spray Flow | D2 | 1 Channel Per Train | 0 | 4400 | GPM |
46 | Containment Spray HX Outlet Temperature | D2 | 1 Channel Per HX | 0 | 200 | Deg F |
47 | Containment Sump Water Level (Narrow Range) | D3 | 1 Channel | 2 | 66 | Inches | Deviation #12

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 8 of 41)

Var Num | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
48 | Containment Sump Water Temperature | D2 | 1 Channel | 50 | 400 | Deg F | Used RHR inlet temperature loop
49 | Diesel Generator Power | D2 | 1 Channel Per DG | 0 | 4.84 | MWATTS |
50 | Diesel Generator Volts | D2 | 1 Channel Per DG | 0 | 6900 | VOLTS |
51 | ECCS Valve Status | D2 | 1 Channel Per Valve | Open | Closed | NA |
52 | ERCW Header Flow | D2 | 1 Channel Per Header | 0 | 20,000 | GPM |
53 | ERCW Supply Temperature | D2 | 1 Channel Per Header | 32 | 200 | Deg F |
54 | Emergency Gas Treatment Damper Position | D2 | 1 Channel Per Damper | Open | Closed | NA |
55 | Emergency Ventilation Damper Status | D2 | 1 Channel Per Damper | Open | Closed | NA |
56 | THIS LINE INTENTIONALLY LEFT BLANK | | | | | |
57 | Igniter Group Status | D3 | 1 Channel Per Group | On | Off | NA |
58 | Inverter Current (120V ac Vital) | D2 | 1 Channel Per Inverter | 0 | 167 | AMPS | Local indication; Note 8

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists 7.5-26 (Page 9 1 of 41)

TYPE/ REDUNDANT MINIMUM MINIMUM VAR NUM VARIABLE NAME CATEGORY CHANNELS RANGE FROM RANGE TO RANGE UNITS NOTES 59 Inverter Voltage D2 1 Channel 115 125 VOLTS Local WATTS BAR (120V ac Vital) Indication Note 8 60 Letdown Flow D3 1 Channel 0 144 GPM Deviation #18 61 MCR Pressure D3 1 Channel 0 0.50 inch H20 62 MCR Radiation D2 1 Channel 1E-1 1E4 mR/Hr Level 63 Main Feedwater D3 1 Channel 0 4,372,720 lb/hr Flow Per Loop 64 Normal Emergency D2 1 Channel 0 150 GPM Deviation #4 Boration Flow 65 THIS LINE INTENTIONALLY LEFT BLANK 66 Pressurizer Heater D2 1 Channel 0 50.5 AMPS (See Note 3)

Status (Electric Per Group Current) 67 Pressurizer D2 1 Channel Closed Not Closed N/A Pressure Relief Per Valve Valve Position (PORV, Block, and Code) 68 Pressurizer Relief D3 1 Channel 0 100  %

Tank Level INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY WBNP-102

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 10 of 41)

TYPE/ REDUNDANT MINIMUM MINIMUM VAR NUM VARIABLE NAME CATEGORY CHANNELS RANGE FROM RANGE TO RANGE UNITS NOTES 69 Pressurizer Relief D3 1 Channel 0 100 PSIG WATTS BAR Tank Pressure 70 Pressurizer Relief D3 1 Channel 50 400 Deg F Deviation #11 Tank Temperature 71 RCP Seal Injection D3 1 Channel 0 13.2 GPM Flow Per RCP 72 RCS Head Vent D2 1 Channel Closed Not Closed NA Valve Status Per Valve INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY 73 RHR Heat D2 1 Channel 50 400 Deg F Deviation #9 Exchanger Outlet Per HX Temperature 74 RHR Pump Flow D2 1 Channel 0 5500 GPM (RHR System Flow) Per Pump 75 RHR Valve Status D3 1 Channel Open Closed NA Per Valve 76 Ractor Coolant D3 1 Channel 0 712 AMPS Pump Status (Motor Per Pump Current) 77 Safety Injection D2 1 Channel 0 715 GPM Pump Flow Per Pump 78 Safety Injection D3 1 Channel Open Closed NA System Valve Per Valve Status 7.5-27 WBNP-102

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists 7.5-28 (Page 11 of 41)

TYPE/ REDUNDANT MINIMUM MINIMUM VAR NUM VARIABLE NAME CATEGORY CHANNELS RANGE FROM RANGE TO RANGE UNITS NOTES 79 Spent Fuel Pool D2 1 Channel 74811.5 7492.5 ft,in Range Reflects WATTS BAR Level Alarm Low and High Alarm Setpoints 80 Spent Fuel Pool D2 1 Channel NA 127 Deg F Upper Range Is Temperature Alarm Alarm Setpoint 81 Steam Generator D2 1 Channel Closed Not NA Blowdown Isolation Per Valve Closed Valve Status 82 Steam Generator D1 4 Channels 1 0 100  % Deviation #10 Level (Wide Per SG Notes 1 & 9 Range) 83 Main Steam Flow D2 1 Channel 0 4,500,000 lb/hr.

Per SG 84 Tritiated Drain D3 1 Channel 4 96  % Local Collector Tank Per Train Indication Level Deviation #25 85 Volume Control D3 1 Channel 0 100  % Deviation #19 Tank Level 86 Waste Gas Decay D3 1 Channel 0 150 PSIG Local Tank Pressure Per Tank Indication Deviation #23 87 Radiation Exposure E3 NA NA NA NA Deviation #22 Meters INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY WBNP-102

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 12 of 41)

TYPE/ REDUNDANT MINIMUM MINIMUM VAR NUM VARIABLE NAME CATEGORY CHANNELS RANGE FROM RANGE TO RANGE UNITS NOTES 88 Airborne E3 Portable 1.0E-9 1.0E-3 Ci/cc Airborne I-131 WATTS BAR Radiohalogens And and particulates Particulates 89 Plant And Environs E3 Portable 1.0E-3 1.0E4 Rad/hr Radiation 90 Plant And Environs E3 Portable NA NA NA Multi Channel Radioactivity Gamma Ray Spectrometer 91 Auxiliary Building E2 1 Channel 1.0E-6 1.0E-2 Ci/cc Deviation #13 INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY Vent (Noble Gas) 92 Auxiliary Building E2 1 Channel 0 250,800 CFM Vent (Flow Rate) 93 Auxiliary Building E3 1 Channel ----See Note 11---- Ci/cc Sampling With Vent (Particulates Onsite and Halogens) Analysis Capability Deviation #14 94 Condenser Vacuum E2 1 Channel 0 45 SCFM Pump Exhaust Vent (Flow Rate) 95 Condenser Vacuum C3 E2 1 Channel 4.0E-7 2.4E+3 Ci/cc Deviation #33 Pump Exhaust Vent (Noble Gas) 7.5-29 WBNP-102

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists 7.5-30 (Page 13 of 41)

TYPE/ REDUNDANT MINIMUM MINIMUM VAR NUM VARIABLE NAME CATEGORY CHANNELS RANGE FROM RANGE TO RANGE UNITS NOTES 96 ERCW Radiation E2 1 Channel 3.3E-4 1.65E-2 Ci/cc WATTS BAR Monitors Per Discharge Point 97 POST ACCIDENT E3 1 System See below Sampling With SAMPLE SYSTEM Onsite Analysis Unit 1 Only Unit 1 Only Capability Unit 2 - Post Unit 1 Only Accident Sampling Unit 2 Only -

Grab sample with onsite analysis capabilty (See Note 13) 97a Reactor Coolant E3 NA 1 20 ppm Deviation #29 Chloride Concentration 97b Reactor Coolant E3 NA 10 2000 cc/kg (STP) Deviation #21 Dissolved Unit 1 Only Hydrogen 97c Reactor Coolant E3 NA 1 20 ppm Deviation #34 Dissolved Oxygen 97d Reactor Coolant E3 NA 100 2000 cc/kg(STP) Deviation #34 Total Dissolved Gas 97e Reactor Coolant E3 NA 50 6000 ppm Deviation #26 Boron 97f Reactor Coolant pH E3 NA 1 13 pH INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY WBNP-102

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists (Page 14 of 41)

TYPE/ REDUNDANT MINIMUM MINIMUM VAR NUM VARIABLE NAME CATEGORY CHANNELS RANGE FROM RANGE TO RANGE UNITS NOTES 97g Reactor Coolant C3 E3 NA 10Ci/ml 10Ci/ml Ci/ml Deviation #5 WATTS BAR Sample Activity 97h Reactor Coolant E3 NA NA NA NA Isotopic Gamma Spectrum Analysis 98 CONTAINMENT AIR 98a Containment Air E3 NA 0 10  % by volume Also Measured Hydrogen by Hydrogen INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY Analyzer Deviation #2 98b Oxygen Content NA NA NA NA Deviation #27 98c Gamma Spectrum E3 NA NA NA NA Isotopic Sample Analysis 99 Shield Building E2 1 Channel 0 28,000 CFM Vent Flow Per Unit 100 Shield Building E3 1 Channel 1.0E-3 1.0E2 Ci/cc Sampling With Vent Monitor Per Unit Onsite (Particulate And Analysis Iodine) Capability 101 Steam Generator E2 1 Channel Note 4 Note 4 Note 4 Discharge Vent Per Release (Flow Rate and Point Noble Gas) 7.5-31 WBNP-102

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables Lists 7.5-32 (Page 15 of 41)

TYPE/ REDUNDANT MINIMUM MINIMUM VAR NUM VARIABLE NAME CATEGORY CHANNELS RANGE FROM RANGE TO RANGE UNITS NOTES 102 METEOROLOGY WATTS BAR 102a Vertical E3 1 Channel -9 +18 Deg F Temperature Difference 102b Wind Direction E3 1 Channel 0 360 Deg 102c Wind Speed E3 1 Channel 0 50 MPH Deviation #28 103 Radiation Exposure E3 Portable 1.0E- 3 1.0E4 R/hr Deviation #31 Rate INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY WBNP-102

Table 7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variable List (Page 16 of 41)

Notes:

(1) The following parameters are identified as diverse.

Parameter | Diverse Parameter
T (Hot) | Core Exit Temperature
Core Exit Temperature | T (Hot)
T (Cold) | SG Pressure
Auxiliary Feedwater Flow | SG NR/WR Level

(2) Deleted.

(3) Pressurizer Heater Status required only for safety related heater banks (backup heater 1A-A and 1B-B). Range is given in amps per element.

(4) Recorder shall be provided for duration of release from all discharge points.

Noble Gas Activity: See Main Steam Line Radiation, Variable No. 7.
Steam Flow Rate: 0 to 4,945,200 lb/hr (PORV and Safety Valves); 0 to 63,375 lb/hr (to Aux. Feedwater Pump Turbine).

(5) Vessel level on the CQ PAMS Flat Panel display is the compensated actual vessel level derived from a controller algorithm using the upper range, lower range, dynamic range differential pressure, wide range temperature, and wide range pressure.

(6) Deleted.

(7) Also monitors steam generator discharge vent noble gas activity. Required range of sensitivity specified is met by indication displaying in units of dose rate. Conversion to required range is performed using conversion factor specified in Calc. WBNAPS3-048.

(8) The 120V AC vital inverter has a trouble alarm in the MCR that notifies the operator of trouble on the bus.

(9) At least one of the redundant loops is trended on a non divisional trend recorder qualified to meet Category 2 requirements.


(10) The Core Exit T/C Temperature, reactor vessel level, and Saturation Margin are trended on redundant Class 1E flat panel displays (the trend duration is user selectable) in the main control room.

(11) The range for the Auxiliary Building particulate is 5 x 10^-10 to 10^-5 Ci/cc and the range for halogens (Iodine) is 10^-4 to 10^-9 Ci/cc.

(12) The requirements for Category I variables which require a third independent channel to resolve ambiguity resulting when redundant displays disagree are being implemented at WBN as follows:

Each channel is assigned to a redundant protection set (I, II, III, and IV), and electrical independence is maintained from the sensor to the isolator in the Auxiliary Instrument Room. From the isolator to the indicator in the Main Control Room, third channel (PAM 3) cables may be routed with either PAM 1 or PAM 2 cables (but not both), depending on its associated protection set.

(13) Unit 2 Only: Reg. Guide 1.97 Rev. 2 requires the capability to sample both the reactor coolant and the containment sump. This capability exists by obtaining a sample off the RHR pump discharge after the suction has transferred to the containment sump following a LOCA. When this occurs the sample will be both the containment sump and the reactor coolant. For this reason, all samples are referred to as reactor coolant samples.
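Note 12 above describes the third channel (PAM 3) that resolves the ambiguity when the two redundant Category 1 displays (PAM 1, PAM 2) disagree. The following Python is an added illustration of that reconciliation logic, not code from the FSAR, TVA or the plant's PAM system; the agreement tolerance, the protection-set check, the off-scale handling, and the sample hot-leg temperature readings (using the 50 to 700 Deg F range from Deviation 1) are all assumptions.

```python
"""Reconciling redundant post-accident monitoring (PAM) channels.

Added illustration of the Note 12 concept; not code from the FSAR or TVA.
PAM 1 and PAM 2 are the redundant displays; PAM 3 is the third independent
channel used to resolve the ambiguity when PAM 1 and PAM 2 disagree.
The tolerance, the protection-set check and all readings are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Channel:
    name: str                  # "PAM 1", "PAM 2" or "PAM 3"
    protection_set: str        # "I", "II", "III" or "IV" (Note 12)
    range_from: float          # calibrated range, as listed in Table 7.5-2
    range_to: float
    reading: Optional[float]   # None when the channel is failed or unavailable


@dataclass(frozen=True)
class Reconciled:
    value: Optional[float]     # credited value, or None
    status: str                # "agree", "resolved", "ambiguous" or "unavailable"
    credited: Tuple[str, ...]  # channels credited for the value
    rejected: Tuple[str, ...]  # channels rejected (off-scale, failed or outvoted)


def on_scale(ch: Channel) -> bool:
    """A reading is usable only if present and within the instrument's range."""
    return ch.reading is not None and ch.range_from <= ch.reading <= ch.range_to


def agree(a: float, b: float, tolerance: float) -> bool:
    return abs(a - b) <= tolerance


def reconcile(pam1: Channel, pam2: Channel, pam3: Channel, tolerance: float) -> Reconciled:
    """Apply an assumed 'third channel resolves disagreement' rule.

    1. Off-scale or failed channels are rejected before any comparison.
    2. Fewer than two usable channels: the variable is unavailable.
    3. PAM 1 and PAM 2 usable and agreeing: credit their mean.
    4. PAM 1 and PAM 2 disagree: credit whichever one PAM 3 agrees with
       (exactly one of them); otherwise the reading is ambiguous.
    5. Only one of PAM 1 / PAM 2 usable: it must agree with PAM 3.
    """
    channels = (pam1, pam2, pam3)
    usable = [c for c in channels if on_scale(c)]
    rejected = [c.name for c in channels if not on_scale(c)]
    if len(usable) < 2:
        return Reconciled(None, "unavailable", (), tuple(rejected))
    # Note 12 keeps each channel in its own protection set from sensor to
    # isolator; two usable channels sharing a set is a configuration error.
    sets = [c.protection_set for c in usable]
    if len(set(sets)) != len(sets):
        raise ValueError("redundant PAM channels share a protection set: %r" % sets)

    def credit(a: Channel, b: Channel, status: str, outvoted: Optional[Channel]) -> Reconciled:
        rej = rejected + ([outvoted.name] if outvoted else [])
        return Reconciled((a.reading + b.reading) / 2, status, (a.name, b.name), tuple(rej))

    if on_scale(pam1) and on_scale(pam2):
        if agree(pam1.reading, pam2.reading, tolerance):
            return credit(pam1, pam2, "agree", None)
        if not on_scale(pam3):
            return Reconciled(None, "ambiguous", (), tuple(rejected))
        with1 = agree(pam1.reading, pam3.reading, tolerance)
        with2 = agree(pam2.reading, pam3.reading, tolerance)
        if with1 and not with2:
            return credit(pam1, pam3, "resolved", pam2)
        if with2 and not with1:
            return credit(pam2, pam3, "resolved", pam1)
        return Reconciled(None, "ambiguous", (), tuple(rejected))
    # Exactly one of PAM 1 / PAM 2 survived, so PAM 3 is the other usable one.
    survivor = pam1 if on_scale(pam1) else pam2
    if agree(survivor.reading, pam3.reading, tolerance):
        return credit(survivor, pam3, "resolved", None)
    return Reconciled(None, "ambiguous", (), tuple(rejected))


def hot_leg(name: str, pset: str, reading: Optional[float]) -> Channel:
    """Constructed RCS hot-leg temperature channel; 50 to 700 Deg F range per Deviation 1."""
    return Channel(name, pset, 50.0, 700.0, reading)


if __name__ == "__main__":
    # Constructed readings: PAM 2 drifted high, PAM 3 sides with PAM 1.
    print(reconcile(hot_leg("PAM 1", "I", 560.0), hot_leg("PAM 2", "II", 575.0),
                    hot_leg("PAM 3", "III", 561.0), tolerance=5.0))
    # Constructed readings: PAM 2 off-scale high is rejected before comparison.
    print(reconcile(hot_leg("PAM 1", "I", 560.0), hot_leg("PAM 2", "II", 720.0),
                    hot_leg("PAM 3", "III", 561.0), tolerance=5.0))
```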


Table 7.5-2 Regulatory Guide 1.97 Variable List (Deviation and Justification for Deviations) (Page 18 of 41)

DEVIATION 1 VARIABLES (11 and 12)
Reactor Coolant System (RCS) Cold- and Hot-Leg Water Temperature

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 50 to 750°F; the recommendation for WBN is 50 to 700°F.

JUSTIFICATION
The reactor coolant system description, N3-68-4001, states that the design temperature of the RCS is 650°F. The RG 1.97, Revision 2, recommended range is 50-750°F. However, NRC has revised its position on this range, and RG 1.97, Revision 3, now recommends a range of 50-700°F, which provides a 50°F margin over the design limit for both temperatures and should provide the operator with adequate information for all transients. NRC concurs with WBN that an upper limit of 700°F is acceptable. (Reference: NRC letter to TVA dated July 24, 1986)

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends that the RCS hot leg water temperature (Variable 12) parameter be a B1 variable. WBN recommends that this be an A1 and D2 variable.

JUSTIFICATION
Type B variables provide information to indicate whether plant safety functions are being accomplished. WBN's position is that RCS pressure (Type A1, B1, C1 and D2), core exit temperature (Type A1, B1, C1, and D2), reactor vessel level (Type B1, C1, and D2), and subcooling margin (A1, B2, C1, and D2) are sufficient to monitor for adequate core cooling and the approach to superheat conditions in order to determine the margin by which the core cooling safety function is being accomplished. Therefore, it is WBN's position that the RCS hot leg water temperature be required only as a Type A1 and D2 variable.


DEVIATION 2 VARIABLE (19)
Containment Hydrogen Concentration

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 0 to 30%, whereas WBN has provided instrumentation for this variable with a range of 0 to 10%.

JUSTIFICATION
Unit 1 Only: WBN has performed an analysis that shows the worst-case hydrogen concentration will be less than 4% post-loss-of-coolant accident (LOCA) with one of the hydrogen recombiners operating. Also, the hydrogen igniter system handles degraded core hydrogen releases as specified in 10 CFR 50.44 and will also keep the hydrogen concentration below 10% for these events. Therefore, the instrumentation will always be on scale.

The hydrogen recombiner status is indicated by a PAM D3 variable.

Unit 2 Only: The hydrogen igniter system handles degraded core hydrogen releases as specified in 10 CFR 50.44 and will keep the hydrogen concentration below 10% for these events. Therefore, the instrumentation will always be on scale.

The hydrogen recombiners have been abandoned in place, as allowed by the risk-informed 10 CFR 50.44 final rule (Nuclear Regulatory Commission, 10 CFR Parts 50 and 52, RIN 3150-AG76, Combustible Gas Control in Containment, Final rule) [18].

The redundant Class 1E hydrogen analyzers have been replaced by a single NSR analyzer, as allowed under the same risk-informed 10 CFR 50.44 final rule (Nuclear Regulatory Commission, 10 CFR Parts 50 and 52, RIN 3150-AG76, Combustible Gas Control in Containment, Final rule).


DEVIATION 3 VARIABLE (15)
Steam Generator (SG) Pressure

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 0 psig to 20% above the lowest safety valve setting (corresponding to 1422 psig at WBN); the recommended range for WBN is 0-1300 psig.

JUSTIFICATION
The design pressure for the main steam system at WBN is 1185 psig. The main steam safety valves are designed to maintain system pressure less than 110% of design pressure, which is 1303.5 psig. RG 1.97, Revision 2, recommends a range of 0 psig to 20% above the lowest safety valve set pressure, which corresponds to a range of 0 to 1422 psig. The highest main steam safety valve set pressure is 1224 psig and the accumulation pressure for each of the highest pressure safety valves is 1284 psig.

Therefore, since the accumulation pressure is below 1300 psig and the 110% design pressure of approximately 1300 psig, the WBN recommended range of 0-1300 psig is adequate to cover the design range. The RG 1.97, Revision 2 range is well above the design requirements for the system and the ASME Code requirements for relief valves.

Thus it is concluded that the WBN SG pressure range provides adequate feedback to the operator on SG pressure response to accidents or transients, and should be acceptable.

DEVIATION 4 VARIABLE (64)
Normal/Emergency Boration Flow (Boric Acid Charging Flow)

DEVIATION FROM RG 1.97 GUIDANCE
WBN recommends that this variable not be environmentally qualified (as required by RG 1.97, Revision 2, for Category 2 variables) since other variables perform the required emergency boration monitoring function.


JUSTIFICATION
The flow path monitored by this variable is a normally isolated path that requires operator action to utilize. This path is used for manual boration of the RCS. This path is not required for mitigation of any event. Postaccident reactivity control is accomplished by the Emergency Core Cooling System (ECCS) injecting borated water from the refueling water storage tank (RWST) into the RCS. Manual boration is not utilized. The ECCS flow is monitored by the centrifugal charging pump total flow (high pressure injection flow), the safety injection (SI) pump flow (low pressure injection flow), and the residual heat removal (RHR) pump flow (RHR System flow). These three variables are in the environmental qualification program and meet the 110% design flow measurement requirement.

DEVIATION 5 VARIABLE (97g)
Radiation Level in Circulating Primary Coolant (Reactor Coolant Sample Activity)

DEVIATION FROM RG 1.97 GUIDANCE
This variable has been identified in RG 1.97, Revision 2, as Type C, Category 1, whereas WBN has identified this variable as Type C, Category 3.

JUSTIFICATION
For the fuel cladding integrity safety function, RG 1.97 recommends core exit temperature and RCS activity as key variables and gamma spectrum analysis of the reactor coolant as a Category 3 variable. Core exit temperature provides primary indication of a significant breach or potential breach of fuel throughout the emergency instructions (EIs), functional restoration guidelines (FRGs), and Final Safety Analysis Report (FSAR). Therefore, this variable was included as the Category 1 or key indication. Radiation level in circulating primary coolant was considered; however, it indicates conditions following fuel damage and provides less timely information. Thus, this variable is considered to be less useful to the operators and was included as a backup variable. TVA meets the intent of the RG 1.97 recommended range by monitoring this variable using the gross activity analysis of primary coolant samples taken in the post accident sampling facility. Samples are obtained from the post accident sampling system in Unit 1 only.


DEVIATION 6 VARIABLE (30)
Safety Injection (Cold-Leg) Accumulator Tank Pressure

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends that the pressure instruments meet the D2 criteria with a range of 0 to 750 psig. WBN recommends retaining this variable as D3, with a range of 0 to 700 psig.

JUSTIFICATION
The primary function of these instruments is to monitor the pre-accident status of the accumulators to ensure the passive safety function of the system. By design these instruments do not perform any safety function post-accident. Other seismically and environmentally qualified instruments such as RCS pressure can be monitored to determine if a cold leg accumulator injection has occurred.

The design pressure of the cold leg accumulator tanks is 700 psig. The precautions, limitations, and setpoints (PLS) limit the nitrogen cover gas to a maximum pressure of 632 psig. Therefore, WBN's position is that monitoring of the tanks to pressures higher than the relief setpoints is not needed. WBN considers the existing range of 0 to 700 psig to be acceptable.

DEVIATION 7 VARIABLE (41)
Component Cooling Water (CCW) Temperature to Engineered Safety Features (ESF) Equipment

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 32 to 200°F; the recommendation for WBN is 30 to 150°F.

JUSTIFICATION
WBN analysis has determined that the highest expected CCW temperature (post LOCA safety injection) is 120°F. An upward trend of the CCW temperature above 120°F could be readily detected and would be expected to be slow moving. Thus, there would be sufficient time, well within the 150°F upper range, to alert the operator to the condition and the need to check other PAM related variables for potential manual actions.

DEVIATION 8 VARIABLE (2)
Containment Atmosphere Temperature (Containment Lower Compartment Atmosphere Temperature)

DEVIATION FROM RG 1.97 GUIDANCE
The range for this variable is recommended to be 40 to 400°F in accordance with RG 1.97, Revision 2. WBN recommends the range to be 0 to 350°F.

JUSTIFICATION
WBN is an ice condenser plant and, therefore, has a lower containment temperature post-accident than dry containments. The maximum temperature expected post-LOCA at WBN is 250°F as compared to 275 to 290°F for dry containments. The maximum temperature expected at WBN after a steam line break is 327°F as compared to 380 to 450°F for dry containments. The minimum expected containment atmospheric temperature will be 60°F. This minimum temperature is due to the minimum allowable RWST water temperature which could be sprayed into containment by inadvertent operation of the containment spray. Therefore, it is WBN's position that a range of 0 to 350°F is adequate.

DEVIATION 9 VARIABLE (73)
Residual Heat Removal (RHR) Heat Exchanger Outlet Temperature

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 32 to 350°F; the recommendation for WBN is 50 to 400°F.

JUSTIFICATION
NRC letter to TVA dated July 24, 1986, states that RG 1.97, Revision 3, increased the minimum required range of this variable to 40°F and that WBN's range of 50 to 400°F was acceptable due to the minor deviation.


DEVIATION 10 VARIABLE (82)
SG Level Wide Range

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends this variable as a Type D, Category 1 variable, which requires redundancy in the instrumentation. WBN recommends this variable be Category 1, Type D, but utilizing only one wide range transmitter per SG.

JUSTIFICATION
SG wide range level indication is utilized as a diverse variable to auxiliary feedwater (AFW) flow for gross indication of flow to the SGs. The WBN AFW monitors are Types A1 and D2. WBN's position is that since SG wide range level is only used as a backup to redundant AFW flow monitors, it does not require redundancy.

DEVIATION 11 VARIABLE (70)
Quench Tank (Pressurizer Relief Tank [PRT]) Temperature

DEVIATION FROM RG 1.97 GUIDANCE
The range for this variable is recommended to be 50 to 750°F in accordance with RG 1.97, Revision 2. WBN recommends the range to be 50 to 400°F.

JUSTIFICATION
The purpose of this variable is to monitor operation. The PRT rupture disk is designed to operate between 86-100 psig. Assuming that the rupture disk operates at 100 psig and the pressurizer is at 2500 psig at saturated conditions, the maximum temperature during discharge when all valves in the line are open could be approximately 350°F.

High temperature due to discharges or leakage into the tank from the pressurizer or other sources would produce an early upward trend in PRT temperature above normal.

Temperatures far below the RG 1.97 recommended temperature of 750°F or the 400°F WBN recommended temperature would be sufficient to alert the operator to an abnormal condition and the potential need to check related PAM variables. Therefore, the recommended range of 50 to 400°F is sufficient to permit the operator to monitor plant operation.


DEVIATION 12 VARIABLE (47)
Containment Sump Water Level (Narrow Range)

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends this variable as Types B and C, Category 2. WBN recommends this variable as Type D, Category 3.

JUSTIFICATION
The operator does not monitor this variable to perform any required safety function. In addition, Chapter 15 of the FSAR takes no credit for monitoring this variable for any design bases event. This variable is used primarily to monitor RCS leakage. This variable, along with the lower containment atmosphere particulate radioactivity monitoring systems, is used to detect RCS leakage. These small leakages do not cause plant perturbations or transients that would cause a reactor trip or SI signal to be generated. Therefore, the operator does not enter the emergency procedures to detect or mitigate these leakages, and corrective actions based on the emergency procedures and the use of PAM equipment are inappropriate. However, for the purpose of monitoring gross leakage, this variable is designated as a Type D3 variable.

The containment sump water level (wide range) is a Type A1, B1, C1, and D2 variable and is used at WBN to monitor the containment water level for the mitigation of accidents.

DEVIATION 13 VARIABLE (91)
Auxiliary Building Exhaust Vent Radiation Level - Noble Gas Release

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 10^-6 to 10^3 microcuries/cubic centimeter (cc). The recommendation for WBN is 10^-6 to 10^-2 microcuries/cc.

JUSTIFICATION
The Auxiliary Building vent monitor is provided to continuously monitor the airborne radioactivity released through the Auxiliary Building exhaust vent. An accident causing the Auxiliary Building radiation level to be high will cause all ventilation paths exhausting into the Auxiliary Building vent duct to automatically close and the Auxiliary Building gas treatment system to be activated. Because the isolation function occurs before accident range activity is reached, a normal range monitor only is employed to monitor activity in the Auxiliary Building exhaust vent. Therefore, the recommended range of 10^-6 to 10^-2 microcuries/cc is adequate for detecting and measuring noble gas concentrations.

DEVIATION 14 VARIABLE (93)
Auxiliary Building Exhaust Vent Radiation Level - Particulates and Halogens

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 10^-3 to 10^2 microcuries/cc. The recommendation for WBN is 5 x 10^-10 to 10^-5 for particulates and 10^-9 to 10^-4 microcuries/cc for halogens (iodine).

JUSTIFICATION
The Auxiliary Building exhaust vent monitor is provided to continuously monitor the radioiodine and particulate radioactivity released through the Auxiliary Building vent.

A design basis fuel handling accident in the Auxiliary Building or a design basis LOCA in the Reactor Building will cause all ventilation paths exhausting into the Auxiliary Building vent duct to automatically close and the Auxiliary Building Gas Treatment system to be activated. Because the isolation function occurs before accident range activity is reached, a normal range monitor only is employed to monitor activity in the Auxiliary Building vent.

Therefore, the recommended range of 5 x 10^-10 to 10^-5 microcuries/cc for particulates and 10^-9 to 10^-4 microcuries/cc for halogens is adequate for detecting and measuring normal operation particulate and radioiodine concentrations. Laboratory analysis of collected samples allows measurement over a wide range.


DEVIATION 15 VARIABLE (29)
Safety Injection (Cold-Leg) Accumulator Tank Level

DEVIATION FROM RG 1.97 GUIDANCE
The range recommended in RG 1.97, Revision 2, is 10 to 90% volume using a D2 variable. WBN recommends a range of 73 to 80% volume, using a D3 variable.

JUSTIFICATION
The present accumulator tank level indication range of 7450 to 8080 gallons corresponds to 73 to 80% of volume.

Postaccident level does not serve any safety function since the passive injection of the cold-leg accumulators (CLA) into the RCS would be observed through other qualified instrumentation such as RCS pressure. Hence, level instrumentation which meets the requirements of a D3 variable is appropriate.

DEVIATION 16 VARIABLE (28)
Cold-Leg Accumulator Isolation Valve Position Indication

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends that the position indication of the CLA isolation valve be qualified to D2 requirements. WBN recommends designating this variable as D3.

JUSTIFICATION
The CLA isolation valves do not need to change from their normally open position in the event of an accident which requires CLA injection. These valves will already have been opened during startup soon after the RCS pressure sufficiently exceeds the CLA normal operating pressure. Then the associated motive power will be removed.


There is no accident event in which instantaneous emptying of all four CLAs could cause inadequate core cooling or cold overpressurization of the RCS. The steam line break is the only Condition IV event other than a LOCA that causes a rapid depressurization of the RCS. However, even for that accident the RCS depressurizes rapidly down to 900 psi where the pressure stabilizes or rises. Further depressurizations are at a much more controlled rate, giving the operator time to react.

For a Condition III event, such as a 4- or 6-inch break (small break LOCA), the depressurization of the RCS may cause emptying of the CLA. Even under such cases, emptying the CLAs will not cause inadequate core cooling or cold overpressurization of the RCS.

Furthermore, closing the CLA isolation valves is not a safety function for accident mitigation that necessitates environmentally qualified valve position indication. Hence, there is no need to environmentally qualify these valves.

WBN recommends designating the position indication of the CLA isolation valve as a D3 variable.

DEVIATION 17 VARIABLE (39)
Chemical and Volume Control System (CVCS) Makeup Flow-In (Charging Header Flow)

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends that the design flow should be monitored using a D2 variable. WBN recommends designating this variable as D3.

JUSTIFICATION
This variable is used to monitor operation. The charging flow is isolated on an SI signal. While certain events may produce a harsh environment for the flow instruments, makeup flow is not required to mitigate these events. Thus, the installed instrumentation qualified to D3 requirements is appropriate for the intended monitoring function at WBN.


DEVIATION 18 VARIABLE (60)
CVCS Letdown Flow Out (Letdown Flow)

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends 0 to 110% design flow monitoring using D2 variables to monitor flow. TVA recommends this variable as D3.

JUSTIFICATION
This variable is used to monitor normal operation. The letdown flow isolation valves close on an SI signal, low pressurizer level, or Phase A isolation signal. While certain events may produce a harsh environment for the flow instruments, letdown flow is not required to mitigate these events. Thus, the installed instrumentation qualified to D3 requirements is appropriate for the intended monitoring function at WBN.

DEVIATION 19 VARIABLE (85)
Volume Control Tank (VCT) Level

DEVIATION FROM RG 1.97 GUIDANCE
RG 1.97, Revision 2, recommends that the VCT level be monitored from top to bottom as a D2 variable. TVA recommends using a D3 variable and a range slightly less than top to bottom.

JUSTIFICATION
The VCT is isolated on an SI signal. While certain events may produce a harsh environment for the level instruments, the VCT itself is not required to mitigate the events. Hence the D3 type and category variable is appropriate for its performance requirements.

The present VCT indication reads from 0 to 100% over a range of 70 inches, which is entirely within the approximately 80-inch cylindrical portion of the tank. Extending the range to include the top and bottom hemispherical portions of the tank would result in nonlinear readings at the extreme ends of the scale. Including the hemispheres and the remaining 10 inches of the vertical cylinder would not add significantly to monitoring capability.


DEVIATION 20 VARIABLE (18)

Containment Isolation Valve (CIV) Position

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that the CIV position indication meet the requirements of a B1 variable (which encompasses position indication for the duration of the event). WBN's reactor coolant system (RCS) letdown CIVs, flow control valves FCV-62-72, -73, -74, and -76, will be submerged inside containment postaccident.

These valves' limit switches are not qualified for operation after submergence.

In addition, safety relief valves which are also designated as CIVs are not monitored for position.

JUSTIFICATION The RCS letdown CIVs close on an SI signal, Phase A signal, or a low pressurizer level signal. The valves and associated position indication limit switches are qualified to perform their intended safety functions prior to being submerged. The limit switch for the valve position indication is located on the valve and hence subject to submergence.

The limit switch is not qualifiable for submergence. The limit switch performs its intended safety function well before submergence. Valve positions are indicated both in the Main Control Room and the Technical Support Center.

Once the limit switches are flooded, it must be assumed that the control circuit fuses will be blown and position indication will be lost. This indication circuit, however, is isolated from the other CIV indication circuits.

The solenoids for these valves are included in WBN's environmental qualification (EQ) program and will vent to automatically close the FCVs as required under accident conditions. An analysis in WBN's EQ binder demonstrates that once closed, a submergence failure of the solenoid will not cause the FCV to change position. Hence the valves are considered closed and no further indication is required.

For safety relief valves, position indication is not necessary since these valves are constantly in their containment isolation position (i.e., closed). Verification that these valves have accomplished their containment isolation function is not necessary since they do not change position to provide this function.


DEVIATION 21 Unit 1 Only VARIABLE (97B)

Reactor Coolant Dissolved Hydrogen

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2 (refer to Table 2, Type E variables), recommends that primary coolant grab sample capability exist for hydrogen analysis.

JUSTIFICATION The WBN postaccident sampling facility (PASF) will have two independent methods for measuring dissolved hydrogen in the RCS. It will have the capability to measure dissolved hydrogen in the range from 10-2000 cc/kg with an inline ion chromatograph.

In addition, it will have a total dissolved gas analyzer to measure the total dissolved gas in the pressurized coolant in the range from 100-2000 cc/kg. Dissolved oxygen will be separately measured with a dissolved oxygen analyzer. These latter two measurements provide another determination of the dissolved hydrogen. The two available methods provide sufficient backup monitoring capability for dissolved hydrogen and will eliminate the need for handling highly radioactive, undiluted, pressurized reactor coolant grab samples. Diluted, unpressurized reactor coolant grab samples may be obtained as necessary at the PASF for other analyses.

DEVIATION 22 VARIABLE (87)

Radiation Exposure Meters

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that Type E radiation exposure meters with continuous indication be available at fixed locations. No category is specified. WBN recommends not classifying these meters as a RG 1.97 variable.

JUSTIFICATION RG 1.97, Revision 2, was issued with an outstanding question regarding the practicality of deploying radiation monitors at fixed locations. A study (NUREG/CR-2644) concluded that it is unlikely that a few fixed-station area monitors could provide sufficiently reliable information to be of use in detecting releases from unmonitored containment release points. NRC agreed with this conclusion and in Revision 3 of RG 1.97 deleted the environs radiation monitors from the pressurized water reactor (PWR) table of variables.

DEVIATION 23 VARIABLE (86)

Waste (Radioactive) Gas Holdup Tank Pressure (Waste Gas Decay Tank Pressure)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that waste (radioactive) gas holdup tank pressure be monitored from 0 to 150% of design pressure. WBN recommends that the pressure be monitored from 0 to 100% of design pressure (150 psig).

JUSTIFICATION The design pressure of the waste gas decay tanks is 150 psig. The waste gas decay tanks are equipped with pressure relief valves set at 150 psig. Therefore, WBN's position is that monitoring of the tanks to pressures higher than the relief setpoints is not necessary. WBN considers the existing range of 0 to 100% of design to be acceptable.

DEVIATION 24 VARIABLE (3)

Containment Pressure (Narrow Range)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends a Type B and Type C variable covering a range of -5 psig to the design pressure. WBN recommends a lower range of -2 psig using a Type A1, B1, C1, and D2 variable (with no deviation for the upper range).

JUSTIFICATION The WBN containment vessel design net external pressure is 2 psig. Inadvertent containment spray initiation will cause rapid depressurization inside containment.

However, even for this event the pressure will not drop below the design net external pressure (-2 psig).

Another event that can cause a depressurization inside containment is continuous inadvertent air return fan operation. However, this will occur slowly enough to allow the operators sufficient time to observe trending of containment depressurization and afford ample opportunity to terminate the air fan operation and manually open the lower compartment pressure relief line.


In addition, the containment pressure wide range instrumentation (-5 to 60 psig) overlaps the -2 psig lower range instrumentation. The -2 psig value is the lower design limit and is consistent with the upper-range design limit of 15 psig. Hence, a lower range value of -2 psig is appropriate for WBN.

DEVIATION 25 VARIABLE (84)

High Level Radioactive Liquid Tank Level (Tritiated Drain Collector Tank)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends a range for this variable from top to bottom. WBN recommends a range from 11 to 133 inches from the bottom of the tank.

JUSTIFICATION The capacity of the tank is approximately 24,700 gallons. The quantity of water that is excluded from the range of the indication is approximately 1000 gallons at the bottom and an equal amount at the top. Thus, the present range is capable of monitoring approximately 22,700 gallons which is about 92% of the total capacity of the tank. TVA thereby considers the proposed range for the existing level taps (11 to 133 inches from the bottom of the tank) to be sufficient for indicating post accident storage volume for this tank.

DEVIATION 26 VARIABLE (97E)

Reactor Coolant Boron

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that the analysis range for boron content in the primary coolant and sump be from 0 to 6,000 parts per million (ppm) and be monitored with a Type B3 and E3 variable. WBN recommends that the range be from 50 to 6,000 ppm and be monitored with a Type E3 variable.

JUSTIFICATION For boron concentrations below 500 ppm, the tolerance for WBN's instrumentation would be limited to plus or minus 50 ppm. This tolerance band is considered by WBN to be acceptable for ensuring that postaccident shutdown margin is maintained.


WBN's position is that the current range capability for boron analysis (50 to 6,000 ppm) is sufficient. RCS boron concentration used in conjunction with control rod position indication and RCS cold leg temperature provides only indirect indication. These are backup variables for monitoring reactivity control. Neutron flux is a direct variable that allows the operator to determine if reactivity is under control (i.e., the reactor has tripped and the core is in a subcritical condition). Neutron flux is a Type B1 and D2 variable at WBN. Therefore, the boron concentration is not required for direct reactivity control determination. It is available as a Type E3 variable for backup verification of reactivity control.

DEVIATION 27 VARIABLE (98b)

Containment Air Oxygen Content

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends a measurement range of 0-30% volume for containment air oxygen content. WBN recommends that the measurement of this variable should not be required.

JUSTIFICATION The measurement of containment air oxygen content is not required by NUREG-0737.

Following a design basis LOCA at WBN, the combustible gas control system will maintain the hydrogen concentration in containment below the lower flammability limit of 4% volume. Therefore, the oxygen concentration in containment is not important for combustion control. A measurement of the containment oxygen concentration is not needed for any other reason after an accident.

DEVIATION 28 VARIABLE (102c)

Meteorology (Wind Speed)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that the wind speed measurement range be 0 to 67 mph. WBN recommends that the range be 0 to 50 mph.


JUSTIFICATION RG 1.97, Revision 3, recommends that the wind speed measurement range be 0 to 50 mph. Also, NRC letter to TVA dated July 24, 1986, states that since WBN meets the range recommended in RG 1.97, Revision 3, the 0 to 50 mph range is acceptable.

DEVIATION 29 VARIABLE (97a)

Reactor Coolant Chloride Concentration

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends a range of 0 to 20 ppm for reactor coolant chloride concentration. WBN recommends a range of 1 to 20 ppm.

JUSTIFICATION The WBN recommended range of 1 to 20 ppm accurately represents TVA's commitment to the NRC.

DEVIATION 30 - Not Used

DEVIATION 31 VARIABLE (103)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, includes exposure rate monitors as Type E (Category 2) variables. These monitors are required to have a range of 1.0E-1 Rem per hour (R/hr) to 1.0E4 R/hr and are to be located inside buildings or areas where access is required to service equipment important to safety. The area monitors are intended for use in detection of significant releases, release assessment, and long term surveillance.

RG 1.97, Revision 2, also included radiation exposure rate monitors, with ranges of 1.0E-1 R/hr to 1.0E4 R/hr as Type C variables (these monitors were to be installed inside buildings or areas in direct contact with primary containment where penetrations and hatches were located). This variable was removed from RG 1.97 in Revision 3 and will not be addressed further.

WBN's RG 1.97 monitoring instrumentation does not include installed high range exposure rate monitors as Type E variables. The intended objectives of such instrumentation will be achieved in a different manner than that described in RG 1.97.


The following paragraphs describe how WBN's program is designed to monitor radiation exposure rates.

A large number of useful missions outside the MCR during accident conditions may be postulated. These missions would be for activities, such as equipment maintenance, grab sample acquisition, and laboratory analyses of grab samples, that might enhance accident mitigation. Exposure rates encountered on these missions would vary over a wide range. This variability arises from the fact that most high exposure outside the containment during accident conditions would be attributable to contained sources and, therefore, be strong functions of distance from the sources. Because of the wide exposure rate variability, the installation of even a large number of high range exposure rate monitoring instruments at selected locations on projected mission routes might not contribute substantially, either to the planning of missions for accident mitigation purposes or to the minimization of dose equivalent to personnel performing the missions.

Based on the above considerations, the WBN radiation monitoring system design uses portable high-range exposure rate instruments in lieu of installed high-range exposure rate monitors. Crews attempting missions outside the MCR following an accident would include Radiological Control personnel provided with high-range exposure rate instrumentation. The range of the Type E portable instrumentation available for this purpose is 1.0E-3 R/hr to 1.0E4 R/hr, which is consistent with the range required for area exposure rate monitoring.

Additionally, the TVA radiation monitoring system presently includes normal range area monitors, each with a range from 1.0E-1 mR/hr to 1.0E4 mR/hr. These monitors are located throughout the plant in areas where personnel access is common.

Although the area monitors are not required to be within the scope of the environmental qualification program and are not included in the PAM program, monitors located outside the primary containment and other locations of high postaccident exposure rates can be expected to remain on scale and to continue to provide exposure rate indication with the required accuracy during accident conditions.

The monitors that remain on scale will provide useful input to MCR personnel for assessment of plant exposure rate levels during accident conditions. Based upon this assessment and WBN Radiological Emergency Plan dose limitations, a decision will be made as to whether or not missions outside the MCR would be attempted.

In summary, the WBN position on high range accident monitoring is that high range exposure rate instrumentation will not be installed and that high range monitoring will be provided by portable monitoring instrumentation that meets the RG 1.97 required range.


DEVIATION 32 VARIABLE (5)

Containment Sump Level (Wide Range)

DEVIATION FROM RG 1.97 GUIDANCE The range recommended in RG 1.97, Revision 2, is "Bottom of containment to 600,000 gallon level equivalent." Watts Bar recommends a range from 0 to 200 inches, with the "0" level starting six inches above the containment floor (see Note).

JUSTIFICATION Watts Bar utilizes a containment sump level monitoring system that starts measuring at six inches above the containment floor (level tap located at elevation 703 ft 3-3/8 in). The range of the instrument is 200 inches, so full scale corresponds to elevation 719 ft 11-3/8 in. The total volume of water available to flood containment post-LOCA is 844,000 gallons, which corresponds to a steady-state maximum flood level of approximately elevation 717 ft 2-2/5 in. Therefore, the recommended range is fully adequate to monitor the maximum equilibrium flood level that would be experienced.

Note: The containment sump level monitoring system is utilized only during an accident. During normal operation reactor coolant leakage is monitored by the Reactor Building floor and equipment drain pocket sump. For post-accident monitoring, the operator is aware that the "0" level actually begins 6 inches above the floor and will realize that there is already water inside containment when the sump monitor begins to indicate.
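The range check behind Deviation 32, worked as an added example (this is editor-supplied code, not part of the FSAR or of TVA's instrumentation). The tap elevation, the 6-inch offset, the 200-inch span and the 717 ft 2-2/5 in flood level are the values quoted above; the function names and the status labels are assumptions of this example. Exact fractions are used so that the check does not depend on float rounding.

```python
"""Containment sump level indication check (added example, not FSAR content)."""
from fractions import Fraction as F


def elevation(feet, inches):
    """Plant elevation in feet + inches, returned as exact total inches."""
    return F(feet) * 12 + F(inches)


TAP_ELEVATION = elevation(703, F(27, 8))        # 703 ft 3-3/8 in: level tap
TAP_OFFSET_IN = F(6)                            # tap sits 6 in above the floor
SPAN_IN = F(200)                                # instrument range, 0 to 200 in
FLOOR_ELEVATION = TAP_ELEVATION - TAP_OFFSET_IN
MAX_FLOOD_ELEVATION = elevation(717, F(12, 5))  # 717 ft 2-2/5 in, post-LOCA equilibrium


def fmt(total_in):
    """Render total inches as 'ft in' for display only."""
    ft, rem = divmod(total_in, 12)
    return f"{int(ft)} ft {float(rem):.3f} in"


def range_top():
    """Elevation at which the indicator reads full scale (200 in)."""
    return TAP_ELEVATION + SPAN_IN


def indication(water_elevation):
    """Return (reading_in, status) for a given water surface elevation.

    The indicator clamps at both ends of its span, so the status is the only
    way to tell 'no water above the tap' from 'tank full'.
    """
    raw = water_elevation - TAP_ELEVATION
    if raw < 0:
        return F(0), "below_range"
    if raw > SPAN_IN:
        return SPAN_IN, "off_scale_high"
    return raw, "on_scale"


def water_above_floor(reading_in, status):
    """Operator correction from the Note: add the 6-inch tap offset.

    A zero reading with status 'below_range' is not a measurement; up to
    6 in of water may still be on the floor, so only a bound is returned.
    """
    if status == "below_range":
        return "at_most", TAP_OFFSET_IN
    return "exact", reading_in + TAP_OFFSET_IN


def flood_margin():
    """Headroom, in inches, between the maximum flood level and full scale."""
    reading, status = indication(MAX_FLOOD_ELEVATION)
    assert status == "on_scale"
    return SPAN_IN - reading


if __name__ == "__main__":
    print("full scale at elevation", fmt(range_top()))
    print("max flood level reads", float(indication(MAX_FLOOD_ELEVATION)[0]), "in")
    print("margin to top of span", float(flood_margin()), "in")
```

The practitioner's point is the "below_range" status: a reading of zero is a lower bound, not evidence of a dry floor, which is exactly the awareness the Note asks of the operator.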

DEVIATION 33 VARIABLE (95)

Condenser Vacuum Pump Exhaust Vent (Noble Gas)

DEVIATION FROM RG 1.97 GUIDANCE The RG 1.97, Revision 2, required range for the condenser vacuum pump exhaust monitors is 1.0E-6 to 1.0E+5 µCi/cc.


JUSTIFICATION TVA has determined the required total gas range of the condenser vacuum pump exhaust monitors to be less than the 1.0E-6 µCi/cc value in the RG at the low end of the range and 2.4E+3 µCi/cc at the upper end of the range.

The steam generator tube rupture (SGTR) is the only credible accident monitored by the condenser vacuum pump exhaust monitor. NUREG-0800, Revision 2, requires that the SGTR accident be analyzed using the highest isotope concentrations allowed by the Watts Bar Technical Specifications. The specific activity of the reactor coolant is limited to (a) less than or equal to 1 µCi/gm dose equivalent I-131, and (b) less than or equal to 100/Ē µCi/gm. The dose equivalent I-131 limit is more than 4 times more restrictive than the 100/Ē limit.

The 100/Ē limit is more conservative and is selected to demonstrate that the monitor will remain on scale during the most severe accident. The highest concentration of mixed noble gas isotopes that can be present under the 100/Ē limit is 1.45E+3 µCi/cc. For the SGTR source spectrum, the maximum measurable concentration for the condenser vacuum pump exhaust monitors is 3.53E+4 µCi/cc. Therefore, the Watts Bar required range for the condenser vacuum pump exhaust monitors meets the intent of RG 1.97, Revision 2, based on either the mixed gas or the SGTR-specific source spectrum.

DEVIATION 34 VARIABLE (97c) and (97d)

Primary Coolant Dissolved Total Gas (97d) and Dissolved Oxygen (97c)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, indicates the range for Variable (97d) is from 0 to 2000 cc/kg and the range for Variable (97c) is 0 to 20 ppm. The TVA required range for Variable (97d) is 100 to 2000 cc/kg, and 1 to 20 ppm for Variable (97c).

JUSTIFICATION The TVA required ranges for Variables (97c) and (97d) permit adequate assessment of the system for these dissolved gases and therefore meet the intent of RG 1.97.


DEVIATION 35 VARIABLE (20)

Control Rod Position

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97 recommends that control rod position indication be a Type B, Category 3 variable (B3) to monitor for reactivity control. Watts Bar recommends that this variable be a Type D, Category 3 variable (D3).

JUSTIFICATION Control rod position indication is an indirect variable. It provides backup indication for monitoring reactivity control. Neutron flux (Category 1) is a direct variable that allows the operator to determine if reactivity is under control (i.e., the reactor has tripped and the core is in a subcritical condition). Since control rod position provides backup indication, utilizing it as a Type D variable is sufficient.

DEVIATION 36 VARIABLE (4)

Containment Area Radiation, High Range

DEVIATION FROM RG 1.97 GUIDANCE Note 7 of RG 1.97, Revision 2, for the subject variable states, "detectors should respond to gamma photons within any energy range from 60 keV to 3 MeV with an energy response accuracy of 20% at any specific photon energy from 0.1 MeV to 1 MeV. Overall system accuracy should be within a factor of 2 over the entire range."

TVA meets the requirements of RG 1.97, Revision 3, Note 7 for the subject variable, which states, "Detectors should respond to gamma radiation photons within any range from 60 keV to 3 MeV with a dose rate response accuracy within a factor of 2 over the entire range."

JUSTIFICATION It is acceptable to meet the requirements of RG 1.97, Revision 3.


DEVIATION 37 VARIABLE (6)

Core Exit Temperature

DEVIATION FROM RG 1.97 R2 GUIDANCE This Type A, Category 1 variable has been provided with a minimum of two independent channels (PAM 1 and PAM 2) for monitoring core exit temperature.

Where failure of a channel would present ambiguous or confusing information to the operator, preventing the operator from taking action or misleading the operator, RG 1.97 recommends that an additional redundant (PAM 3) channel be provided. One channel of the WBN core exit temperature indication is subject to direct failure as a result of a specific pipe break jet impingement and/or pipe whip impact on the cable/conduit routed near the safety injection (SI) accumulator cold leg injection line in Loop 1. The WBN design does not include a third redundant channel for this variable.

JUSTIFICATION The core exit thermocouples were added to the plant design to provide direct indication of degrading core cooling conditions following transient events similar to that experienced at Three Mile Island (TMI). These events typically develop gradually over time and involve a great deal of operator action and control. The core exit temperature indication was intended to prevent erroneous operator termination of emergency core cooling system (ECCS) flow to the RCS after small breaks or transients that do not rapidly depressurize the RCS.

The challenge to channel redundancy in this case is due to a specific primary loop pipe break at the cold leg injection check valve. The injection line is 10-inch diameter, schedule 140 pipe, and the postulated break is a full guillotine rupture which results in a blowdown flow area from the primary loop side of the break of approximately 60 in² (0.4176 ft²). This break is included in the LOCA break-size spectrum and is considered an intermediate size break. FSAR Chapter 15 analyses show that breaks in this range rapidly depressurize the primary system, causing automatic ECCS response which refloods the core and terminates the core heatup transient. Should such a break occur, the affected channel is expected to fail open and not give erroneous indication that could confuse the operators.

It is the WBN position that the RG 1.97, Revision 2, indication provided by reactor vessel level, RCS pressure, RCS temperatures (Thot and Tcold), and containment pressure and temperature will enable the operators to compensate for a loss of one channel of CET due to this specific pipe break plus a single failure of the redundant channel. The operators will be able to correctly assess the accident scenario and determine the effectiveness of post-accident core cooling system response during performance of the Emergency Operating Procedures.

Table 7.5-3 Deleted by Amendment 89

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 120V ac and 125V dc Vital Plant Control Power System

This system is described in Section 8.3.

7.6.2 Residual Heat Removal Isolation Valves

7.6.2.1 Description

There are two motor-operated gate valves (FCV 74-1 (8702) and FCV 74-2 (8701), as shown in control diagram Figure 5.5-4) in series in the inlet line from the Reactor Coolant System (RCS) to the Residual Heat Removal (RHR) System. They are normally closed and are only opened for residual heat removal after RCS pressure is below RHR System design limits. (See Chapter 5 for details of the RHR system.)

The RHR system inlet isolation valves are interlocked with a pressure signal to prevent them from being opened whenever the RCS system pressure approaches the RHR System design pressure limit.

Should either or both of these valves fail to open when required, a letdown path can be established via the bypass valves provided around FCV 74-2 (8701) and FCV 74-1 (8702). The bypass valves are FCV 74-8 (8703) and FCV 74-9 (8704). Each set of two parallel valves is supplied with trained power, so that failure of one power train will not defeat the establishment of the necessary letdown flow path.

Whenever the RHR isolation inlet and/or bypass valves are open and RCS pressure rises to a value near the RHR System design pressure limit an alarm in the main control room (MCR) alerts the operator to the RHR system alignment. The isolation valves should be closed before the pressure reaches the RHR suction line pressure relief valve setpoint but only if there is a steam bubble in the pressurizer or the charging pump has been stopped.

The motor-operated bypass valves are located in bypass lines paralleling the normal RHR suction isolation valves FCV 74-1 and FCV 74-2, which are in series in the flow path. Valves FCV 74-8 and FCV 74-9 are normally closed and remain closed with power locked out unless one of the two main isolation valves (FCV 74-1 or FCV 74-2) cannot be opened and the plant must be cooled down. Then, the redundant flow path through the appropriate bypass valve is used to provide RHR cooling flow. Valves FCV 74-8 and FCV 74-9 are interlocked with signals from RCS pressure transmitters PT 68-63 and PT 68-64, respectively, as shown in Figure 7.6-6 Sh. 3. These interlocks prevent inadvertent opening when RCS pressure is above the RHR system design pressure limit. The bypass valves are monitored by the integrated plant computer system, with an alarm generated on the computer alarm list in the main control room if either of the valves is not in its fully closed position.
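The interlock, alarm and trained-power arrangement described above, modeled as an added example. This is editor-supplied code, not the plant's control logic or any TVA drawing. The valve tags and the series/bypass arrangement are from the text; the pressure values, which bypass valve parallels which isolation valve, and the assignment of valves to power trains A and B are assumptions of this example. The model also carries a single-failure survey, because the claim in the text is exactly that no single valve or power-train failure prevents establishing the cooldown path.

```python
"""RHR suction isolation interlock model (added example, not plant logic)."""
from dataclasses import dataclass

RHR_DESIGN_LIMIT_PSIG = 400.0   # assumed placeholder, not the plant setpoint
ALARM_BAND_PSIG = 25.0          # "near the limit": alarm this far below it (assumed)


@dataclass
class Mov:
    tag: str
    train: str                   # power train feeding the valve operator (assumed)
    is_open: bool = False
    power_locked_out: bool = False
    fails_to_operate: bool = False


class RhrSuctionInterlock:
    """Series path RCS -> FCV 74-2 -> FCV 74-1 -> RHR, each with a bypass.

    Pairing assumed: FCV 74-8 around FCV 74-2, FCV 74-9 around FCV 74-1.
    Train split assumed so that each parallel pair spans both trains.
    """

    def __init__(self):
        self.v = {
            "FCV 74-2": Mov("FCV 74-2", "A"),
            "FCV 74-1": Mov("FCV 74-1", "B"),
            "FCV 74-8": Mov("FCV 74-8", "B", power_locked_out=True),
            "FCV 74-9": Mov("FCV 74-9", "A", power_locked_out=True),
        }
        self.dead_trains = set()

    def permissive(self, rcs_psig):
        """Open permissive: only below the RHR design pressure limit."""
        return rcs_psig < RHR_DESIGN_LIMIT_PSIG

    def request_open(self, tag, rcs_psig):
        mov = self.v[tag]
        if not self.permissive(rcs_psig):
            return False                     # interlock blocks the open
        if mov.power_locked_out or mov.train in self.dead_trains:
            return False                     # no motive power
        if mov.fails_to_operate:
            return False                     # single failure: valve stays shut
        mov.is_open = True
        return True

    def alarm(self, rcs_psig):
        """MCR alarm: any inlet/bypass valve open with RCS pressure near the limit."""
        any_open = any(m.is_open for m in self.v.values())
        return any_open and rcs_psig >= RHR_DESIGN_LIMIT_PSIG - ALARM_BAND_PSIG

    def flow_path_available(self):
        first = self.v["FCV 74-2"].is_open or self.v["FCV 74-8"].is_open
        second = self.v["FCV 74-1"].is_open or self.v["FCV 74-9"].is_open
        return first and second

    def establish_path(self, rcs_psig):
        """Cooldown lineup: try each normal valve, fall back to its bypass."""
        for normal, bypass in (("FCV 74-2", "FCV 74-8"), ("FCV 74-1", "FCV 74-9")):
            if not self.request_open(normal, rcs_psig):
                self.v[bypass].power_locked_out = False   # administrative action
                self.request_open(bypass, rcs_psig)
        return self.flow_path_available()


def single_failure_survey(rcs_psig=RHR_DESIGN_LIMIT_PSIG / 2):
    """Return the single failures under which no cooldown path can be established."""
    failures = [("valve", t) for t in ("FCV 74-2", "FCV 74-1", "FCV 74-8", "FCV 74-9")]
    failures += [("train", "A"), ("train", "B")]
    defeated = []
    for kind, item in failures:
        ilk = RhrSuctionInterlock()
        if kind == "valve":
            ilk.v[item].fails_to_operate = True
        else:
            ilk.dead_trains.add(item)
        if not ilk.establish_path(rcs_psig):
            defeated.append((kind, item))
    return defeated


if __name__ == "__main__":
    print("single failures that defeat the lineup:", single_failure_survey())
```

The survey returns an empty list only because each parallel pair straddles both trains; swap FCV 74-8 onto train A and loss of train A removes both paths around FCV 74-2, which is the kind of assignment error this check exists to catch.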

7.6.2.2 Analysis

Based on the scope definitions presented in Reference [2] (IEEE 279-1971) and Reference [3] (IEEE 338-1971), these criteria are considered not to apply to the residual heat removal isolation valve interlocks. However, in order to meet NRC requirements, and because of the possible severity of the consequences of loss of function, the requirements of IEEE 279-1971 will be applied with the following comments.

(1) For the purpose of applying IEEE 279-1971 to this circuit the following definitions will be used.

(a) Protective System The two valves in series and all components of their interlocking and closure circuits.

(b) Protective Action (1) The automatic initiation of interlocks to prevent opening of inlet isolation and bypass valves to maintain residual heat removal system isolation from the reactor coolant system for reactor coolant system pressure at or above the RHR system design pressure limit.

(2) Initiation of an alarm in the MCR to alert the operator to the RHR system alignment whenever the RHR inlet isolation and/or bypass valves are open and the RCS pressure is at or above the RHR system design pressure limit. Operator action in response to the alarm is required to close the valves in accordance with NRC Generic Letter 88-17 and References [4] and [5].

(2) IEEE Standard 279-1971, Paragraph 4.15: This requirement does not apply, since the setpoints are independent of mode of operation and are not changed.

The environmental qualification program is discussed in Section 3.11.

7.6.3 Refueling Interlocks

Electrical interlocks (i.e., limit switches) as discussed in Section 9.1.4 are provided for minimizing the possibility of damage to the fuel during fuel handling operations.

7.6.4 Deleted by Amendment 63.

7.6.5 Accumulator Motor-Operated Valves

The design of the interconnection of the signals to the cold leg accumulator isolation valves meets the following criteria established in previous NRC positions on this matter (see Figure 7.6-3):

(1) Automatic opening of the accumulator valves when (a) the primary coolant system pressure exceeds a preselected value (to be specified in the Technical Specifications) or (b) a safety injection signal has been initiated.

Both signals are provided to the valves.

(2) Utilization of a safety injection signal to automatically override any features that are provided to allow an isolation valve to be closed.

The valves and control circuits are discussed in Sections 6.3.2.15, 7.3.1.1.2, and 6.3.5.5.

The safety injection system accumulator discharge isolation valves are motor-operated normally open valves which are controlled from the main control board.

These valves are interlocked during normal operation such that:

(1) They open automatically on receipt of an "S" signal.

(2) They open automatically whenever the RCS pressure is above the P-11 permissive setpoint (See Table 7.3-3) as specified in the Technical Specifications.

(3) They cannot be closed as long as an "S" signal is present. The main control board switches for these valves are three position switches which provide a "spring return to auto" from the open position and closed position.

During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period, the accumulator valve power will be removed.

Administrative control is again required to ensure that power to these valves is restored during the prestartup procedures. During startup the valves are manually opened prior to RCS pressure exceeding 1000 psig. After the valves are open, power is removed to prevent inadvertent valve closure. During cooldown, power is restored and the valves manually closed from the MCR before RCS pressure decreases below the cold leg accumulator pressure.

These normally open motor-operated valves have an alarm indicating a mispositioning (with regard to their Emergency Core Cooling System (ECCS) function during the injection phase). The alarms sound in the MCR.
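The three interlock rules, the spring-return-to-auto switch, the power-removal practice and the mispositioning alarm described in this subsection, as an added example. This is editor-supplied code, not the plant's control circuit. The P-11 value is a placeholder (the real setpoint is in Table 7.3-3), the valve tag is a placeholder, the alarm condition is this example's reading of "mispositioned with regard to the injection-phase function", and the automatic open above P-11 is modeled as continuously present, so that it overrides a manual close even without an S signal; that last reading of "open automatically whenever" is an assumption.

```python
"""Accumulator discharge isolation valve interlock (added example, not plant logic)."""
from dataclasses import dataclass

P11_SETPOINT_PSIG = 2000.0   # placeholder; the plant value is in Table 7.3-3

OPEN, AUTO, CLOSE = "open", "auto", "close"   # three-position MCB switch


@dataclass
class Inputs:
    rcs_psig: float
    s_signal: bool = False
    switch: str = AUTO
    powered: bool = True         # False when power has been removed administratively


@dataclass
class AccumulatorMov:
    tag: str
    is_open: bool = True         # normally open

    def step(self, inp):
        """One scan of the interlock logic.

        Returns the switch position after spring return: an OPEN or CLOSE
        demand lasts a single scan, then the switch is back in AUTO.
        """
        if not inp.powered:
            return AUTO                                   # no motive power: stay put
        if inp.s_signal or inp.rcs_psig > P11_SETPOINT_PSIG:
            self.is_open = True                           # rules (1) and (2): auto open
        elif inp.switch == OPEN:
            self.is_open = True
        elif inp.switch == CLOSE:
            self.is_open = False                          # rule (3): no S signal here
        return AUTO

    def mispositioned(self, inp):
        """MCR alarm: valve not open while its ECCS injection function is demanded."""
        demanded = inp.s_signal or inp.rcs_psig > P11_SETPOINT_PSIG
        return demanded and not self.is_open


def startup_sequence():
    """Startup as described in the text; returns the valve state after each step."""
    mov = AccumulatorMov("ACC-MOV-1 (placeholder)", is_open=False)   # shut for shutdown
    states = []
    # power still removed: an OPEN demand is ignored until power is restored
    mov.step(Inputs(rcs_psig=300.0, switch=OPEN, powered=False)); states.append(mov.is_open)
    # power restored by the prestartup procedure, no demand yet
    mov.step(Inputs(rcs_psig=300.0)); states.append(mov.is_open)
    # opened manually before RCS pressure exceeds 1000 psig
    mov.step(Inputs(rcs_psig=900.0, switch=OPEN)); states.append(mov.is_open)
    # power removed again: a spurious CLOSE cannot move the valve
    mov.step(Inputs(rcs_psig=2200.0, switch=CLOSE, powered=False)); states.append(mov.is_open)
    return states


if __name__ == "__main__":
    print("startup states:", startup_sequence())          # [False, False, True, True]
```

Note the ordering in step(): the safety demand is evaluated before the operator's switch, which is what makes rule (3) hold without a separate blocking contact in the model.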

7.6.6 Spurious Actuation Protection for Motor Operated Valves

The design of Watts Bar Nuclear Plant is such that the failure of any single valve to operate on demand cannot result in the loss of capability to perform a system safety function. However, in the case of possible inadvertent valve misalignment, the following motor operated valves have been identified as valves whose spurious operation could result in the loss of a system safety function (Westinghouse valve numbers are in parentheses):

FCV 63-1 (8812)      FCV 63-67 (8808D)    FCV 63-98 (8808B)
FCV 63-3 (8813)      FCV 63-72 (8811A)    FCV 63-118 (8808A)
FCV 63-5 (8806)      FCV 63-73 (8811B)    FCV 63-156 (8802A)
FCV 63-8 (8804A)     FCV 63-80 (8808C)    FCV 63-157 (8802B)
FCV 63-11 (8804B)    FCV 63-93 (8809A)    FCV 63-172 (8840)
FCV 63-22 (8835)     FCV 63-94 (8809B)    FCV 62-98 (8110)
FCV 62-99 (8111)

Means have been provided to preclude such spurious misalignment. Except for FCV 62-98 and FCV 62-99, the design consists of modified control circuits for these valves to ensure that no single failure will be able to energize the opening and/or closing coils of the valve operator. The design utilizes separate contacts which are wired before and after each opening and closing coil as required. Figure 7.6-4 illustrates this protection scheme. In this typical schematic, isolation of the opening and closing coils is provided by contacts R11-R12, R31-R32, L21-L22, and L41-L42. Valves FCV 63-67, FCV 63-72, FCV 63-73, FCV 63-80, FCV 63-98, and FCV 63-118 require this protection scheme only for the closing coil.

In addition, single failure has been considered on the part of the operator. The design includes easily accessible, clear protective covers attached to the main control board panel over each respective control room switch except for valves FCV 62-98, FCV 62-99 and FCV 63-1. The operator would be required to open this protective cover before he operates the control switch.

For FCV 63-1, FCV 63-22, FCV 63-67, FCV 63-80, FCV 63-98, and FCV 63-118, operating instructions specify the removal of power during specific modes of plant operation. For FCV 62-98 and FCV 62-99, the motive power has been removed.

For FCV 63-8 and FCV 63-11, power will be removed and will be administratively controlled just prior to use of the RHR system for plant cooldown (below 350°F) to prevent inadvertent valve opening and overpressurization of the SI pump and CCP suction piping.

7.6.7 Loose Part Monitoring System (LPMS)

System Description

General System Description

The LPMS is designed to detect loose parts in the reactor coolant system. The system consists of sensors, preamplifiers, signal conditioners, signal processors, and a display. It contains 12 active instrument channels, each comprised of a piezoelectric accelerometer (sensor), signal conditioning and diagnostic equipment. Conformance with Regulatory Guide 1.133, Revision 1 is discussed in Table 7.1-1.

Two redundant sensors are fastened mechanically to the RCS at each of the following potential loose parts collection regions:

Reactor pressure vessel: upper head region

Reactor pressure vessel: lower head region

Each steam generator: reactor coolant inlet region

The output signal from each accelerometer is passed through a preamplifier and an amplifier. The amplified signal is processed through a discriminator to eliminate noises and signals that are not indicative of loose parts. The processed signal is compared to a preset alarm setpoint. Alarm setpoints for each channel are determined through the analysis of baseline test data taken with the system prior to plant start-up. During baseline testing, the reactor vessel and steam generator are impacted three feet from each sensor with a force of 0.5 ft-lb. Loose parts detection is accomplished at a frequency of 1 kHz to 20 kHz, where background signals from the RCS are acceptable.

Spurious alarming from control rod stepping is prevented by a module that detects CRDM motion commands and automatically inhibits alarms during control rod stepping (Reference [9]).

If measured impact signals exceed the preset alarm level, audible and visible alarms in the control room are activated. Digital signal processors record the times that the first and subsequent impact signals reach various sensors. This timing information provides a basis for locating the loose part. The LPMS has a provision for audio monitoring of any channel. The audio signal can be compared to a previously recorded audio signal, if desired.

The online sensitivity of the LPMS is such that the system will detect a loose part that weighs from 0.25 to 30 lb and impacts with a kinetic energy of 0.5 ft-lb on the inside surface of the RCS pressure boundary within 3 ft of a sensor (References [8] and [9]).

The LPMS audio and visual alarm capability will remain functional after an Operating Basis Earthquake (OBE) (Reference [7]). All of the LPMS components are qualified for structural integrity during a Safe Shutdown Earthquake (SSE) and will not mechanically impact any safety-related equipment (Reference [7]). In addition, the equipment inside containment is designed to remain functional through normal radiation exposures anticipated during a 40-year operating lifetime (Reference [8]).

Physical separation of the two instrument channels associated with the redundant sensors at each reactor coolant system location exists from each sensor to the in-containment signal conditioning devices, except for the upper head channels, which shall be physically separated starting at the sensor location and extending out to the patch panel. The in-containment signal conditioning devices are accessible during power operation, with the exception of the upper head signal conditioning modules, which are mounted in junction boxes on the upper head support in the reactor cavity. The LPMS components outside containment are located in a mild environment. Capabilities exist for subsequent periodic online channel checks and channel functional tests and for offline channel calibrations at refueling outages.

Key Features, Components and Architecture

Key features of system components and architecture are discussed in the following sections.

Sensors (In Containment)

The sensors are piezoelectric accelerometers that convert acceleration to electric charge. The acoustic waves created by an impacting metallic object can be detected by the piezoelectric accelerometers. While the excitation of the impact produces a very wideband frequency response, the frequency range of interest for most loose parts is 1 kHz to 20 kHz.

Piezoelectric accelerometers are high output impedance devices that convert acceleration to electric charge. The flat frequency response range for the accelerometers used in the LPMS is from 10 Hz to 10 kHz, and they have a useful frequency upper limit of over 20 kHz. The resonant frequency of the accelerometers is greater than 30 kHz. The accelerometers are designed to operate at high temperature (nominally 625°F) and have high radiation capability (Reference [8]).

The piezoelectric elements in the accelerometers are electrically isolated from the component to which they are attached in order to prevent unwanted noise due to ground loops. The accelerometers typically have an integral 4-foot mineral-insulated ("hardline") cable and a large triax connector. This hardline cable is also built to withstand high temperatures, while the connector allows for interfacing to lower temperature softline cables.

Softline Cable (In Containment)

Because the charge output of an accelerometer is a very low level signal, and normal cables can emit charge upon being vibrated, a special low-noise, radiation-resistant softline cable is used between the accelerometer and preamplifier.

Preamplifier (In Containment)

The remote preamplifier is mounted in a sealed metal enclosure inside containment.

The charge signal from the accelerometer is converted to a voltage signal. The preamplifier operates in a "charge" amplifier mode such that the capacitance of the cable between the high-output-impedance accelerometer and the preamplifier has very little effect on the signal or its calibration. The charge preamplifier output voltage is then a normal, low-impedance millivolt instrument signal requiring only normal cabling and shielding considerations.

Signal Conditioner

The signal conditioner module provides power to the remote preamplifier, provides final amplification of the signal to a calibrated full scale range, and provides low-pass and high-pass filtering.

Audio Subsystem

The audio patch panel, audio amplifier, and speakers make up the audio subsystem.

Listening by a trained ear can be a very effective tool for evaluation and validation of signal characteristics. The system is designed such that any channel may be selected at any time for audio monitoring. The audio subsystem features are only available locally in the LPMS cabinet.

Digital Signal Processing (DSP) Processor

In the Digital Signal Processing (DSP) processor, the signals are converted from analog to digital at a high rate, and the impact detection algorithm is applied by a special microprocessor optimized for digital signal processing. The board contains a buffer memory that can store the complete impact signal time history for its monitored channels. Upon the detection of an impact, the data are normally transferred to the main Central Processing Unit (CPU) processor for further evaluation, waveform storage, and alarm generation. However, if for some reason the CPU processor fails, the DSP processor has the capability for generating alarms on its own.

Central Processing Unit (CPU) Processor

The CPU processor is a personal computer architecture device. It takes the data from the DSP processors, controls the mass storage devices, provides displays of monitoring system information, drives the printer, and generates alarms. The CPU uses a PCI bus for high speed communication with the other processor modules and drives the tape and disk peripherals by means of a parallel Small Computer System Interface (SCSI). Addition of the peripherals provides for mass data storage onto high speed digital tape and writeable CDs.

Display

The display is a qualified, high-resolution, color panel that is overlaid with a high-resolution touch screen surface. The display shows the system and alarm statuses at a glance, presents the waveforms used in impact analysis, and shows the analysis conclusions. By means of the touch screen, which has all of the capabilities of a standard mouse, many system functions can be run without opening the keyboard drawer. The color display features are only available locally in the LPMS cabinet.

Alarm Panel

The alarm panel provides continuous indication of alarm or trouble status, allowing the color display to be turned off when not being viewed. The panel contains red LEDs for alarm indication, orange LEDs for trouble indication, yellow LEDs that flash each time an impact event is detected by their respective channels, and green LEDs for indication of proper DSP operation. The alarm panel features are only available locally in the LPMS cabinet.

Printer

A high-resolution laser printer is provided for printout of system status, waveform graphs, and other data for the generation of reports. The printer features are only available locally in the LPMS cabinet.

Testing

The testing program scope is addressed in Reference [6].

7.6.8 Interlocks for RCS Pressure Control During Low Temperature Operation

The basic function of the RCS overpressure mitigation system during low temperature operation is discussed in Section 5.2.2.4. As noted in Section 5.2.2.4, this pressure control system includes manually armed semi-automatic actuation logic for the two Pressurizer Power Operated Relief Valves (PORVs). The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions; the actuation logic is manually unblocked when plant operation is at a temperature below the arming setpoint. The monitored system temperature signals are processed to generate the reference pressure limit program which is compared to the actual measured system pressure. This comparison will provide an actuation signal to cause the PORV to automatically open if necessary to prevent pressure conditions from exceeding allowable limits. See Figure 7.6-5 for the block diagram showing the interlocks for RCS pressure control during low temperature operation.

Two separated, independent sets of controls are provided for the interlocks, with the required process variables being derived from redundant protection sets as follows:

(1) Protection Set I
(a) Wide Range RCS Temperature (TE-68-1, TE-68-18, TE-68-24, TE-68-41)

(2) Protection Set II
(a) Wide Range RCS System Pressure (PT-68-68)
(b) Wide Range RCS Temperature (TE-68-43, TE-68-60, TE-68-65, TE-68-83)

(3) Protection Set III
(a) Wide Range RCS System Pressure (PT-68-66)

The wide range temperature signals, as inputs to Protection Sets I and II, continuously monitor RCS temperature conditions. In Protection Set I, the existing RCS wide range temperature channels on RCS loops 1 and 2 provide inputs to the Eagle 21 digital process protection system. Eagle 21 provides isolated analog signals to the digital process control system. An auctioneer function selects the lowest temperature signal, which is then used to calculate an acceptable reference pressure limit (PORV setpoint) considering the plant's allowable pressure and temperature limits. An isolated wide range RCS pressure signal is also provided from Eagle 21 Protection Set III. The calculated reference pressure is compared to the actual RCS pressure monitored by the wide range pressure channel. The auctioneered temperature signal will annunciate a main control room (MCR) alarm whenever the measured temperature approaches, within a predetermined amount, the reference temperature for arming the system. Similarly, whenever the measured pressure approaches within a predetermined amount of the programmed setpoint, another MCR alarm will be generated. When the measured RCS pressure is equal to or above the programmed setpoint (nominal values), a PORV open signal is initiated and an MCR alarm is actuated. A manually armed permissive allows this actuation signal to control the Train A PORV (PCV-68-340A). The manually armed permissive also serves to block a spurious PORV opening due to potential instrument failure whenever the RCS temperature is above the arming reference temperature.

The monitored generating station variables that generate the actuation signal for the Train B PORV (PCV-68-334) are processed in a similar manner. The RCS loops 3 and 4 wide range temperature signals and the RCS pressure signal are provided from Protection Set II. Therefore, the generating station variables used for the Train B PORV are derived from a protection set that is independent of the sets from which generating station variables used for the Train A PORV are derived. The wide range temperature auctioneer function and the programmed pressure setpoint calculation for the Train B PORV are performed in a different group of the digital process control system than those for the Train A PORV. Each of these control groups has a fault-tolerant, redundant processor pair and redundant power supplies with different power sources.

Upon receipt of the actuation signal, the actuation device will automatically cause the PORV to open when the manually armed permissive is present. Upon sufficient RCS inventory letdown, the operating RCS pressure will decrease, clearing the actuation signal. Removal of this signal causes the PORV to close.
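The Train A signal path described above (low-temperature auctioneer, reference pressure limit program, setpoint comparison, approach alarms and the manually armed permissive) is small enough to model end to end. The block below is an added example and is not the plant's DCS logic or any TVA or Westinghouse code; the arming temperature, the alarm margins and the piecewise-linear pressure limit program are illustrative placeholders, not plant values.

```python
"""Constructed model of the Train A low-temperature overpressure interlock."""
from dataclasses import dataclass

# Placeholder values, assumed for this example (not plant setpoints).
ARMING_TEMP_F = 350.0               # arming reference temperature
TEMP_APPROACH_MARGIN_F = 25.0       # "predetermined amount" for the temperature alarm
PRESS_APPROACH_MARGIN_PSIG = 50.0   # "predetermined amount" for the pressure alarm

# Assumed reference pressure limit program as (temperature_F, allowable_psig)
# breakpoints; the PORV setpoint is interpolated between them.
PRESSURE_LIMIT_PROGRAM = [(70.0, 400.0), (200.0, 600.0), (350.0, 1000.0)]


def auctioneer_low(temps_f):
    """Auctioneer function: select the lowest wide-range loop temperature,
    which is the limiting one for the pressure/temperature limit."""
    if not temps_f:
        raise ValueError("no temperature channels available")
    return min(temps_f)


def reference_pressure_limit(temp_f):
    """Piecewise-linear interpolation of the reference pressure program,
    clamped at the end points so an out-of-range temperature cannot produce
    an out-of-range setpoint."""
    pts = PRESSURE_LIMIT_PROGRAM
    if temp_f <= pts[0][0]:
        return pts[0][1]
    for (t0, p0), (t1, p1) in zip(pts, pts[1:]):
        if temp_f <= t1:
            return p0 + (p1 - p0) * (temp_f - t0) / (t1 - t0)
    return pts[-1][1]


@dataclass
class InterlockOutput:
    setpoint_psig: float
    temp_approach_alarm: bool   # temperature nearing the arming reference
    press_approach_alarm: bool  # pressure nearing the programmed setpoint
    actuation_signal: bool      # setpoint reached (before the permissive)
    porv_open: bool             # actuation signal AND manual arming permissive


def evaluate(temps_f, rcs_pressure_psig, armed):
    """One evaluation of the interlock for the given channel values."""
    t_low = auctioneer_low(temps_f)
    setpoint = reference_pressure_limit(t_low)
    actuation = rcs_pressure_psig >= setpoint
    return InterlockOutput(
        setpoint_psig=setpoint,
        temp_approach_alarm=t_low <= ARMING_TEMP_F + TEMP_APPROACH_MARGIN_F,
        press_approach_alarm=(not actuation)
        and rcs_pressure_psig >= setpoint - PRESS_APPROACH_MARGIN_PSIG,
        actuation_signal=actuation,
        # The permissive blocks a spurious open from an instrument failure
        # while the plant is above the arming temperature.
        porv_open=actuation and armed,
    )


if __name__ == "__main__":
    print(evaluate([120.0, 118.0, 125.0, 130.0], 430.0, armed=True))
    print(evaluate([120.0, 118.0, 125.0, 130.0], 480.0, armed=False))
```

The second call shows the point of the permissive: the actuation signal is present, but with the logic not armed the PORV stays closed. A Train B instance would be the same code fed from Protection Set II channels.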

7.6.8.1 Analysis of Interlock

Many criteria presented in IEEE 279-1971 and IEEE 338-1971 do not apply to the interlocks for RCS pressure control during low temperature operation, because the interlocks do not perform a protective function but rather provide automatic pressure control at low temperatures as a backup to the operator. However, although IEEE 279-1971 criteria do not apply, some advantages of the dependability and benefits of an IEEE 279-1971 design have occurred by including the pressure and temperature signal elements as noted above in the protection sets and by organizing the control of the two PORVs into dual channels. Either of the two PORVs can accomplish the RCS pressure control function.

The design of the low temperature interlocks for RCS pressure control is such that pertinent features include:

(1) No credible failure at the output of the protection set racks, after the output leaves the racks to interface with the interlocks, will prevent the associated protection system channel from performing its protective function because such outputs that leave the racks go through an isolation device.

(2) Testing capability for elements of the interlocks within (not external to) the protection sets that generate the temperature and pressure process signals for the overpressure mitigation system is consistent with the testing principles and methods discussed in Section 7.2.1.1.3.

(3) A loss of offsite power will not defeat the provisions for an electrical power source for the interlocks because these provisions are through onsite power which is described in Section 8.3.

7.6.9 Switchover From Injection to Recirculation Mode Following a LOCA

(Refer to Section 6.3.3 for a detailed discussion of the ECCS Injection Mode and switchover to the Recirculation Mode). During the Injection Mode, the ECCS pumps take suction from the Refueling Water Storage Tank (RWST). The Residual Heat Removal (RHR) pumps are automatically realigned to take suction from the containment sump upon receipt of the switchover signal generated by the following coincident conditions:

Low RWST level signal (2-out-of-4 logic),

High Containment level signal (2-out-of-4 logic), and

Safety Injection (S) signal.

Thus, when these conditions exist, the Containment Sump Isolation Valves [1-FCV 63-72 (8811A) and -73 (8811B)] open and the RHR RWST Isolation Valves [1-FCV 74-3 (8700A) and -21 (8700B)] close (for Unit 2 use prefix 2). Refer to Figure 7.6-6, Sheets 1, 2, and 3, for the associated logic drawings. The Containment Sump Isolation Valve control circuit is designed to maintain the S signal, once received, by a latching feature. This feature ensures these valves remain open after the S signal is reset at the system level. Separate hand switches (1-HS-63-72D and -73D (for Unit 2 use prefix 2)) are provided in the main control room (MCR) to allow the operator to unlatch the S signal. The automatic switchover of the RHR pumps from the Injection to the Recirculation Mode is part of the Engineered Safety Features Actuation System (ESFAS) discussed in Section 7.3.

The RWST level and Containment level are each measured by four, independent, safety-related channels. Each channel is assigned a separate protection set division.

The RWST low level and Containment high level logic signals are interfaced to the Containment Sump Isolation Valves through the appropriate Train A and B slave relay contact outputs of the Solid State Protection System (SSPS). All channels provide indication in the MCR with two indicators (for each measurement) designated as Post Accident Monitoring (refer to Section 7.5).
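The switchover logic of Section 7.6.9 (two 2-out-of-4 coincidences, the S signal, the latch that holds S after a system-level reset, and the MCR unlatch hand switch) is shown below as an added example. It is a constructed model, not the SSPS or sump valve control circuit design and not TVA or Westinghouse code; the channel states and the order of events in the scenario are constructed for illustration.

```python
"""Constructed model of the ECCS injection-to-recirculation switchover logic."""


def two_out_of_four(channel_trips):
    """Coincidence logic: at least two of the four protection-set channels tripped."""
    if len(channel_trips) != 4:
        raise ValueError("expected four protection-set channels")
    return sum(bool(c) for c in channel_trips) >= 2


class SwitchoverLogic:
    def __init__(self):
        self.s_latched = False            # S signal latched in the sump valve control circuit
        self.sump_valves_open = False     # FCV 63-72 / -73 (open on switchover)
        self.rwst_valves_closed = False   # FCV 74-3 / -21 (close on switchover)

    def update(self, rwst_low, cont_high, s_signal, unlatch_switch=False):
        """Evaluate one scan. rwst_low and cont_high are the four channel trip
        states for RWST low level and containment high level; s_signal is the
        system-level S signal; unlatch_switch is the MCR hand switch."""
        if s_signal:
            self.s_latched = True         # latch on receipt of S
        if unlatch_switch:
            self.s_latched = False        # operator unlatches from the MCR
        switchover = (two_out_of_four(rwst_low)
                      and two_out_of_four(cont_high)
                      and self.s_latched)
        if switchover:
            # Valves are commanded once; dropping the signal later does not
            # reverse the alignment in this model.
            self.sump_valves_open = True
            self.rwst_valves_closed = True
        return switchover


def scenario():
    """Constructed sequence: S received, levels reached one channel at a time,
    S reset at the system level, then the operator unlatches. Returns the
    switchover signal at each scan."""
    logic = SwitchoverLogic()
    scans = [
        # (rwst_low channels, cont_high channels, s_signal, unlatch)
        ([0, 0, 0, 0], [0, 0, 0, 0], True, False),   # S received, levels normal
        ([1, 0, 0, 0], [1, 1, 0, 0], True, False),   # only one RWST channel low
        ([1, 1, 0, 0], [1, 1, 0, 0], True, False),   # 2oo4 on both: switchover
        ([1, 1, 0, 0], [1, 1, 0, 0], False, False),  # S reset at system level; latch holds
        ([1, 1, 0, 0], [1, 1, 0, 0], False, True),   # operator unlatches
    ]
    return [logic.update(*s) for s in scans]


if __name__ == "__main__":
    print(scenario())  # expected: [False, False, True, True, False]
```

The fourth scan is the one the latching feature exists for: the system-level S signal has been reset, yet the switchover demand stays up until the operator deliberately unlatches it.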

REFERENCES

(1) Deleted by Amendment 81.

(2) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Standard 279-1971.

(3) The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," IEEE Standard 338-1971.

(4) Calculation WBN-RAG3-003, "Probabilistic Analysis Showing the Effects of Deleting the Residual Heat Removal (RHR) Auto Closure Interlock (ACI)."

(5) Westinghouse Nuclear Safety Evaluation Check List (SECL), SECL 91-287, Revision 1, "Wiring Modifications to Implement Residual Heat Removal System Automatic Closure Interlock Deletion and Add Control Room Alarm."

(6) Technical Requirements Manual Section TR 3.3.6, "Loose-Part Detection System."

(7) EQ-QR-33-WBT, Revision 0, "Seismic Evaluation of the Digital Metal Impact Monitoring System (DMIMS-DX) for Watts Bar Unit 2."

(8) 1TS3182, Revision 0, "Watts Bar Unit 2 DMIMS-DX System Validation Data Package," dated July 2010.

(9) DMIMS-DX Operations and Maintenance Manual, TS3176, Revision 0, dated August 2010.

Figure 7.6-1 Deleted by Amendment 65

Figure 7.6-2 Deleted by Amendment 65

Figure 7.6-3 Powerhouse Unit 1 Electrical Logic Diagram for Safety Injection System

Figure 7.6-4 Powerhouse Auxiliary Building Units 1 & 2 Wiring Diagrams for Safety Injection System

Figure 7.6-5 Reactor Building Unit 1 Variable Processing for Low Temperature Interlocks for RCS Pressure Control

Figure 7.6-6 Sheet 1 Powerhouse Unit 1 Electrical Logic Diagram for Safety Injection System

Figure 7.6-6 Sheet 2 Powerhouse Unit 1 Electrical Logic Diagram for Safety Injection System

Figure 7.6-6 Sheet 3 Powerhouse Electrical Logic Diagram Residual Heat Removal System

Figure 7.6-7 Sheet 1 RHR Suction Isolation Valve Interlocks

Figure 7.6-7 Sheet 2 RHR Bypass Valve Logic FCV-74-8 (FCV-74-9)

7.7 CONTROL SYSTEMS

The general design objectives of the Plant Control Systems are:

(1) To establish and maintain power equilibrium between primary and secondary system during steady state unit operation;

(2) To constrain operational transients so as to preclude unit trip and re-establish steady state unit operation;

(3) To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator the capability of assuming manual control of the system;

(4) To reduce the likelihood of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an Anticipated Transient Without Scram (ATWS) event.

7.7.1 Description

7.7.1.1 Control Rod Drive Reactor Control System

The control rod drive reactor control system consists of an automatic system designed to maintain a programmed average temperature in the reactor coolant system (RCS) by regulating the core reactivity. During steady-state operation the reactor control system maintains reactor coolant average temperature within ±3.5°F of the reference temperature (see Reference 10).

This control system is designed to automatically control the reactor in the power range between 15 and 100% of rated power for the following design transients:

±10% step change in load

5% per minute ramp loading and unloading

50% step load decrease (with the use of automatically initiated and controlled steam dump)

The reactor control signal consists of an error signal used to direct rod speed and position to automatically control reactor power. The two channels used to generate the total error signal are the deviation of the actual auctioneered (highest) primary coolant temperature (Tavg) from the programmed average temperature (Tref) and the mismatch between turbine load and nuclear power (see Figure 7.7-1).

7.7.1.1.1 Reactor Control Input Signals (Unit 2 Only)

The reactor control functions described in this section are implemented by software modules in a distributed control system (DCS).

Average Temperature Channel - One average temperature measurement per reactor coolant loop is provided. This measurement is obtained by averaging the hot leg temperature (Th) measured at the inlet of the steam generator and the cold leg temperature (Tc) measured at the discharge side of the reactor coolant pump of the associated loop. An auctioneered high Tavg signal is generated from the four loop average temperatures. (See Section 7.2.1.1.4 for detailed discussion of Tavg calculation and equations used to derive Tavg). This auctioneered Tavg signal is conditioned by a lead/lag filter which increases the effect of the signal and by a second lag to filter out signal noise. The resultant signal:

$$T_{avg}\,\frac{(1+\tau_3 s)}{(1+\tau_4 s)(1+\tau_5 s)} \qquad \text{where } \tau = \text{time constant (typical)}$$

is then compared with a reference temperature (Tref) signal. (The reference temperature is a function of turbine load, as described previously). Because the turbine impulse pressure is approximately linear with respect to the turbine load, this pressure signal is used to generate the reference average coolant temperature (Tref).

The Tref signal is represented by the median of three turbine impulse pressure signals as determined by a median signal selector in the DCS. The reference temperature signal is passed through a lag before it is compared with the compensated Tavg signal.

The resultant error signal is then:

$$T_{ref}\,\frac{1}{(1+\tau_2 s)} \;-\; T_{avg}\,\frac{(1+\tau_3 s)}{(1+\tau_4 s)(1+\tau_5 s)}$$

Power Mismatch Channel - This channel provides fast response to a change in load (by means of the turbine load feed-forward signal) as well as control stability (by means of the nuclear power feedback signal) in cases where the moderator coefficient is zero or is only slightly negative. Turbine load (Qtu) and nuclear power (Qn) provide input to this channel. Turbine load is represented by the median turbine impulse pressure as described above. Nuclear power is represented by the auctioneered highest of the four power range nuclear power signals.

This deviation between Qtu and Qn is processed through a rate/lag (impulse) module, thus creating the error signal:

$$(Q_{tu}-Q_n)\,\frac{\tau_1 s}{(1+\tau_1 s)}$$

Because the Tavg channel provides fine control during steady-state operation, the power mismatch channel must not produce a steady-state error signal. This is accomplished by the derivative action in the numerator of the transfer function, which causes its output to go to zero during steady-state operation even though the nuclear power and turbine load may not match exactly. A nonlinear gain, K1, applied to the output of the impulse module, varies the effect of this channel, with larger load changes having a correspondingly larger effect. Also, since reactivity changes at lower power levels have a smaller effect on the rate of change of the nuclear power level than reactivity changes at high power levels, a variable-gain module, K2, is provided at the output of the power mismatch channel.

The variable-gain module imposes a high gain on the power mismatch error signal at lower power levels and a low gain at high power levels. This variable gain enables the mismatch channel to provide adequate control at low power levels as well as stable operation at high power levels.

7.7.1.1.2 Rod Speed Control Program

Rod Speed Program - The total error signal (TE) sent to the rod speed program is the sum of the outputs of the two control channels described above. The rod speed program is a function of the total error signal (TE).

The dead band and lockup are provided to eliminate continuous rod stepping and bistable chattering. The maximum rod speed and the proportional and minimum rod speed bands are identical for rod withdrawal and rod insertion. The rod speed program produces an analog signal which is translated into actual movement by means of the rod stepping mechanism. The total error signal driving the rod speed program is represented in the following equation:

$$T_E = T_{ref}\,\frac{1}{(1+\tau_2 s)} \;-\; T_{avg}\,\frac{(1+\tau_3 s)}{(1+\tau_4 s)(1+\tau_5 s)} \;+\; (Q_{tu}-Q_n)\,\frac{\tau_1 s}{(1+\tau_1 s)}\,K_1 K_2$$
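The transfer-function blocks of Sections 7.7.1.1.1 and 7.7.1.1.2 (lag on Tref, lead/lag plus lag on Tavg, rate/lag impulse on the power mismatch, and the K1 and K2 gains) can be implemented discretely and run through a constructed load step to see the behaviour the text describes: the mismatch channel responds at once to a turbine load change and then decays to zero, while the temperature channel settles to Tref minus Tavg. This is an added example, not Westinghouse's or the plant DCS's implementation; the time constants, the shapes of K1 and K2, the initial temperature and the input histories are all constructed assumptions.

```python
"""Discrete-time implementation of the reactor control total error signal
TE = Tref/(1+t2 s) - Tavg(1+t3 s)/((1+t4 s)(1+t5 s)) + (Qtu-Qn) t1 s/(1+t1 s) K1 K2.
Constructed example; all numeric values are placeholders."""


class Lag:
    """First-order lag 1/(1 + tau s), backward-Euler discretised (stable for any dt)."""
    def __init__(self, tau, dt, y0=0.0):
        self.a = dt / tau
        self.y = y0

    def update(self, x):
        self.y = (self.y + self.a * x) / (1.0 + self.a)
        return self.y


class LeadLag:
    """(1 + t_lead s)/(1 + t_lag s) written as t_lead/t_lag + (1 - t_lead/t_lag)/(1 + t_lag s)."""
    def __init__(self, tau_lead, tau_lag, dt, y0=0.0):
        self.k = tau_lead / tau_lag
        self.lag = Lag(tau_lag, dt, y0)

    def update(self, x):
        return self.k * x + (1.0 - self.k) * self.lag.update(x)


class Impulse:
    """Rate/lag tau s/(1 + tau s) = 1 - 1/(1 + tau s); output is zero in steady state."""
    def __init__(self, tau, dt, x0=0.0):
        self.lag = Lag(tau, dt, x0)

    def update(self, x):
        return x - self.lag.update(x)


def k1_nonlinear(err):
    """Assumed nonlinear gain: larger mismatches are weighted more (placeholder shape)."""
    return 1.0 if abs(err) < 0.02 else 2.0


def k2_variable(power_frac):
    """Assumed variable gain: high at low power, low at high power (placeholder shape)."""
    return 3.0 - 2.0 * min(max(power_frac, 0.0), 1.0)


class ReactorControlError:
    def __init__(self, dt, tau1=5.0, tau2=3.0, tau3=20.0, tau4=2.0, tau5=1.0, t0=580.0):
        # Placeholder time constants (seconds) and initial temperature (°F).
        self.tref_lag = Lag(tau2, dt, t0)
        self.tavg_leadlag = LeadLag(tau3, tau4, dt, t0)
        self.tavg_lag = Lag(tau5, dt, t0)
        self.impulse = Impulse(tau1, dt)

    def update(self, t_ref, t_avg, q_tu, q_n):
        """One control scan: returns the total error signal TE."""
        temp_err = self.tref_lag.update(t_ref) - self.tavg_lag.update(self.tavg_leadlag.update(t_avg))
        mismatch = self.impulse.update(q_tu - q_n)
        return temp_err + mismatch * k1_nonlinear(mismatch) * k2_variable(q_n)


def simulate_load_step(dt=0.1, seconds=120.0, step_at=10.0):
    """Constructed transient: turbine load steps from 50% to 60% with Tref, Tavg
    and nuclear power held constant (no rod-motion feedback modelled).
    Returns TE at t=0, at the first scan after the step, and at the end."""
    ctrl = ReactorControlError(dt)
    te = []
    for k in range(int(seconds / dt)):
        q_tu = 0.5 if k * dt < step_at else 0.6
        te.append(ctrl.update(t_ref=580.0, t_avg=580.0, q_tu=q_tu, q_n=0.5))
    return te[0], te[int(step_at / dt)], te[-1]


def steady_state_error(t_ref, t_avg, dt=0.1, seconds=200.0):
    """With no power mismatch, TE settles to Tref - Tavg because every
    temperature filter has unity DC gain."""
    ctrl = ReactorControlError(dt)
    te = 0.0
    for _ in range(int(seconds / dt)):
        te = ctrl.update(t_ref, t_avg, q_tu=0.5, q_n=0.5)
    return te


if __name__ == "__main__":
    print("TE at start / after step / at end:", simulate_load_step())
    print("TE for Tref 583.5, Tavg 580:", steady_state_error(583.5, 580.0))
```

With the placeholder values the mismatch channel contributes about 0.39 immediately after the 10% load step (0.098 from the impulse module times K1 = 2 and K2 = 2 at 50% power) and is back to zero well before the end of the run, which is the steady-state property the text attributes to the derivative in the numerator.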

7.7.1.2 Rod Control System

7.7.1.2.1 Rod Control System Function

The rod control system is composed of equipment required to raise or lower the control rod and shutdown rod banks. Control rod banks can be automatically controlled from input signals generated by the reactor control system or by manual means from the unit control room. Shutdown control rods are controlled by manual means from the unit control room (see Reference 1).

The control scheme used to position the control rods is dependent on reactor power level. Manual control of control rod position is used when the reactor thermal power is between 0% and 15% nominal. Above 15% nominal reactor thermal power, automatic control may be used to position the control rods to maintain the average reactor coolant temperature (Tavg) within ±3.5°F of Tref.

The purpose of the rod control system is to provide the means for energizing the mechanism, thus controlling the rod cluster position. This system consists of two types of rod groups: 1) shutdown and 2) control. Shutdown rods, along with soluble boron, provide sufficient negative reactivity to ensure the reactor remains subcritical. The shutdown banks are fully withdrawn during normal operation. Control rods are used to control the reactor core reactivity. Shutdown and control rods are raised or lowered by a prescribed set of electromechanical actions by the CRD mechanisms.

The functional control requirements of the rod control systems are as follows:

All control drive mechanisms within a group step simultaneously.

Two groups within the same bank step such that the relative position of the groups does not differ by more than one step.

The control banks are controlled such that withdrawal is sequenced in the order bank A, B, C, and D. The insertion sequence is the opposite of the withdrawal.

The control bank withdrawal is controlled such that when Bank A reaches a preset position, Bank B will begin to withdraw simultaneously with Bank A. When Bank B reaches a preset position, Bank C will begin to withdraw, etc. The reverse sequence will apply during bank insertion.

Abnormal reactor conditions shall inhibit rod withdrawal in the automatic or manual control mode. These conditions include 1) power range nuclear overpower, 2) intermediate range overpower, 3) overpower ΔT, and 4) overtemperature ΔT.

Automatic control mode shall be inhibited when turbine power is less than 15% nominal.

Automatic withdrawal shall be stopped when Bank D rod withdrawal exceeds a preset limit.

The bank overlap feature performs two functions: 1) it automatically selects the proper control bank for movement, and 2) it overlaps the control banks which are to be moved according to a preset pattern. Bank overlap is required to keep the incremental changes in reactivity relatively constant while the control banks are being moved.

Shutdown bank overlap operation is not required.

The bank overlap feature works as follows. Control bank A is withdrawn until it reaches a preset position near the center of the core. At this point, Control Bank B starts moving out in synchronism with Control Bank A. Control Bank A stops when it reaches the top of the core and Control Bank B continues until it reaches a preset position near the center of the core. At this point, Control Bank C moves out in synchronism with Control Bank B. Control Bank B motion stops at the top of the core and Control Bank C sequencing continues until it nears the center position where Control Bank D engagement occurs. Control Bank C and D are withdrawn together until Control Bank C reaches the top of the core. Control Bank D withdrawal then continues as required for control. In the overlap region, group 1 rods of each of the two overlapped banks are stepping simultaneously; similarly, the group 2 rods of the two overlapped banks are stepped simultaneously.
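The overlap sequencing described above is a small state machine, and writing it out makes the two invariants easy to check: a bank only starts once its predecessor has reached the preset position, and no more than two banks are ever stepping together. The block below is an added example, not the plant's rod control system logic or any TVA or Westinghouse code; the bank height of 228 steps and the engagement position of 128 steps ("near the center of the core") are assumed placeholder values, and group 1/group 2 stepping within a bank is not modelled.

```python
"""Constructed model of control bank overlap sequencing (withdrawal and insertion)."""

TOP_OF_CORE = 228      # assumed full-withdrawal position, in steps (placeholder)
OVERLAP_PRESET = 128   # assumed preset engagement position near core center (placeholder)
BANKS = ["A", "B", "C", "D"]


def banks_to_withdraw(pos):
    """Banks that step out on the next withdrawal demand: a bank moves if it is
    below the top of the core and the preceding bank has reached the preset
    position (bank A always qualifies)."""
    return [i for i in range(len(pos))
            if pos[i] < TOP_OF_CORE and (i == 0 or pos[i - 1] >= OVERLAP_PRESET)]


def banks_to_insert(pos):
    """Reverse sequence: a bank steps in if it is above the bottom and the
    following bank has inserted to at most (top - preset); bank D leads."""
    last = len(pos) - 1
    return [i for i in range(len(pos))
            if pos[i] > 0 and (i == last or pos[i + 1] <= TOP_OF_CORE - OVERLAP_PRESET)]


def run(pos, direction, max_steps=10000):
    """Step the banks in the given direction ("out" or "in") until no bank can
    move. Returns the final positions and, per step, the tuple of banks that moved."""
    if direction not in ("out", "in"):
        raise ValueError("direction must be 'out' or 'in'")
    pos = list(pos)
    history = []
    for _ in range(max_steps):
        movers = banks_to_withdraw(pos) if direction == "out" else banks_to_insert(pos)
        if not movers:
            break
        for i in movers:
            pos[i] += 1 if direction == "out" else -1
        history.append(tuple(BANKS[i] for i in movers))
    return pos, history


def max_simultaneous(history):
    """Largest number of banks stepping in any one step."""
    return max((len(m) for m in history), default=0)


if __name__ == "__main__":
    final, hist = run([0, 0, 0, 0], "out")
    print("withdrawal:", final, "steps:", len(hist), "max banks moving:", max_simultaneous(hist))
    final, hist = run(final, "in")
    print("insertion: ", final, "steps:", len(hist), "max banks moving:", max_simultaneous(hist))
```

Running the withdrawal from all banks inserted gives the pattern in the text: bank A alone for 128 steps, A and B together until A reaches the top (B then at 100 steps), B alone until it reaches 128, and so on until D finishes alone; the insertion run is its mirror image.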

In the manual mode, control bank stepping speed and shutdown bank stepping speed are preset. In the automatic mode (control banks, only), the rod stepping speed is variable between the limits of 8 to 72 steps per minute. The rod speed program of the reactor control system adjusts rod stepping speed to maintain a programmed average temperature in the RCS. The time required to complete a single sequencing of the rod mechanism coils is fixed at 780 milliseconds. This is the maximum reliable sequencing speed of the electro-mechanical components of the mechanisms. The time interval between mechanism coil sequencing operations is varied to obtain the desired rod speed.

Two motor-generator (MG) sets are used to supply 260V 3-phase AC power to the rod drive mechanisms. Each MG set is capable of delivering the total power requirements to the rod control system. Both MG sets are normally in operation. The motor is an induction type rated at 460 volt AC, 60 hertz. The motor is sized at 150 hp to drive the generator at a speed of 1750 rpm when the set is delivering rated power of 112 kVA.

7.7.1.2.2 Rod Control System Failures

Credible rod control equipment malfunctions which could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap or malpositioning of the rods are the following (see References 5 and 14):

(1) Failures in the Manual Rod Controls

The Rod Motion Control Switch is a three-position lever switch. The three positions are "In," "Hold," and "Out". These positions are effective when the bank selector switch is in manual control mode. Failure of the rod motion control switch (contacts failing short or activated relay failures) would have the potential, in the worst case, to produce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks.

When the bank selector switch is in the automatic position, the rods would obey the automatic commands and failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch is in "In," "Hold," or "Out".

In the case where the Bank Selector switch is selecting a bank and a failure occurs in the Rod Motion switch that would command the bank "Out" even when the Rod Motion Control switch was in an "In" or "Hold" position, the selected bank could inadvertently withdraw. This failure is bounded in the safety analysis (Chapter 15) by the uncontrolled bank withdrawal from subcritical and at power transients.

A failure that can cause more than one group of five mechanisms to be moved at one time within a power cabinet is not a credible event because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed such that it will not operate on half current. A second feature in this scenario would be the multiplexing failure detection circuit included in each power cabinet. This circuit would stop rod withdrawal (or insertion).

The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the selector switch is in the manual position. With a failure in the rod motion control switch, such a case could produce a scenario where the rods could inadvertently withdraw in a programmed sequence. The overlap and bank sequence are programmed when the selection is in either automatic or manual. This scenario is also bounded by the reactivity values assumed in the SAR accident analysis. In this case, the operator can trip the reactor, or the protection system would trip the reactor via Power Range Neutron Flux-High, overtemperature ΔT, or overpower ΔT.

A failure of the bank selector switch produces no consequences when the rod motion control switch is in the 'Hold' position. This is due to the following design feature. The bank selector switch is series wired with the in-hold-out lever switch for manual and individual control rod bank operation. With the 'in-hold-out' lever switch in the 'hold' position, the bank selector switch can be positioned without rod movement. Results of switch failures in other control positions are discussed above in conjunction with the rod motion control switch.

(2) Failures in the Overlap and Bank Sequence Program Control

The rod control system design prevents the movement of the groups out of sequence as well as limiting the rate of reactivity insertion. A feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the block supervisory memory buffer and control.

This circuitry accepts and stores the externally generated rod selection and motion direction command signals. When the memory buffer has accepted a command and the corresponding rod is in motion, a subsequent change in a command will not be immediately accepted. On recognition that a command change has occurred, an inhibit signal is sent to the pulser so that no other rod motion initiation signals are generated. However, the rod in motion is allowed to complete its stepping sequence. After rod motion has ceased, the memory buffer accepts the new command and releases the pulser so that rod motion can resume. Any detected failure that affects the ability of the rod control system to properly move the rods is considered urgent. An urgent alarm will be followed by the following actions:

Automatic rod motion and overlapped rod motion are stopped.

Automatic de-energizing of the lift coil and reduced current energizing of the stationary gripper coils and movable gripper coils.

Activation of a lamp (urgent failure) located on the logic and power cabinet front panel.

Activation of control rod urgent failure annunciation window in the main control room.

The urgent alarm is produced by the following general conditions:

Regulation failure detector

Phase failure detector

Logic error detector

Multiplexing error detector

Circuit board interlock failure detector

Oscillator and slave cycler failure detector.

(a) Logic Cabinet

The function of the logic cabinet is to generate the necessary signals to step the control rods during startup, continuous operation, and shutdown of the reactor. The logic cabinet receives signals from the main control board and from the reactor control system. In response to these signals, it selects the drive mechanisms to be stepped and supplies the drive mechanism current profile orders to the power cabinet assigned to drive the mechanism.

A failure analysis was performed [Ref. 5] based on operation of the logic cabinet in the bank overlap mode with all shutdown banks and control banks, except Control Bank D, in their fully withdrawn position. The analysis indicated that postulated failure modes could result in unidirectional outward movement of Control Bank D rods when operating in the bank overlap control mode. However, when operating in this mode, the speed of the outward movement of Control Bank D would be limited by the rod speed unit of the reactor control system. In the unlikely event of such a failure, the reactor would trip (e.g., ΔT overtemperature trip) and mitigate the consequences of the postulated component failure. In summary, no single failures were discovered that would cause a rapid, uncontrolled withdrawal of Control Bank D. The results of the analysis indicated that all failure modes postulated are detectable through alarm monitoring internal to the logic cabinet or are terminated by a diverse means (i.e., reactor trip).

An additional failure assessment was performed to determine whether other single point failures can occur in the rod control system logic cabinet that corrupt the control rod drive mechanism (CRDM) coil current orders [Ref. 14]. This assessment was necessary due to an industry event where corrupt coil current orders were sent to the CRDM which caused a single rod to withdraw after IN motion was demanded.

As a result of this event, the logic cabinet slave cycle decoder cards timing changes were implemented to eliminate the possibility of a single rod withdrawal due to a single failure in the rod control system when insertion or withdrawal is commanded [Ref. 15]. These timing changes ensure that in the event of the single failure, all rods in the affected bank(s) will insert when motion (in or out) is demanded. Based on the decoder cards timing change, this failure assessment concluded that all single rod control system failures identified result in rod movement in the direction demanded and are hence limited to a finite number of steps. Also, these single failures may result in some asymmetric rod movement following a rod motion demand signal; however, the movement is in the direction demanded. These events have been evaluated and determined to result in consequences less severe than the limiting single rod control system malfunction presented in accident analysis found in Chapter 15.

Effects of Failures on CRDM Speed of Operation

The rod control system is designed to limit the rod speed control signal output to a value that causes the pulser (logic cabinet) to drive the control rod driving mechanism at 72 steps per minute. If a failure should occur in the pulser or the reactor control system, the highest stepping rate possible is 77 steps per minute, which corresponds to one step every 780 milliseconds. A commanded stepping rate higher than 77 steps per minute would result in 'GO' pulses entering a slave cycler while it is sequencing its mechanisms through a 780 millisecond step.

This condition stops the control bank motion automatically and alarms are activated locally and in the control room. It also causes the affected slave cycler to reject further 'GO' pulses until it is reset.

Failures that cause the 780 millisecond step sequence time to shorten will not result in higher rod speeds since, assuming the pulser and rod control system have not failed, the stepping rate is proportional to the pulsing rate.

Simultaneous failures in the pulser or rod control system and in the clock circuits that determine the 780 millisecond stepping sequence could result in higher CRDM speed. However, simultaneous failures of the clock and pulser or rod control system are not considered credible.
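The slave cycler behaviour described above, as an added model that is not plant code: a 'GO' pulse that arrives while the fixed 780 millisecond step is still in progress stops motion, raises an alarm and latches the cycler into rejecting pulses until reset. The pulse trains are constructed; the 780 ms step time and 72 spm program limit are the values quoted in the text.

```python
"""Slave cycler 'GO' pulse timing model (added illustration, not plant code).

A GO pulse arriving while the cycler is still sequencing its mechanisms
through the fixed 780 ms step stops bank motion, alarms, and makes that
cycler reject further GO pulses until it is reset.
"""
from dataclasses import dataclass, field
from typing import List, Optional

STEP_SEQUENCE_MS = 780.0    # fixed mechanism coil sequencing time (from the text)
MAX_PROGRAMMED_SPM = 72.0   # rod speed program limit (from the text)


def interval_ms_for_spm(spm: float) -> float:
    """Time between GO pulses for a given stepping rate in steps per minute."""
    return 60_000.0 / spm


def max_reliable_spm() -> float:
    """Highest rate at which every pulse arrives after the previous step ends."""
    return 60_000.0 / STEP_SEQUENCE_MS   # about 76.9 spm, quoted as 77 in the text


@dataclass
class SlaveCycler:
    busy_until_ms: Optional[float] = None   # end of the in-progress 780 ms step
    blocked: bool = False                   # latched: rejects GO pulses until reset()
    steps_started: int = 0
    alarms: List[str] = field(default_factory=list)

    def go(self, t_ms: float) -> bool:
        """Receive a GO pulse at time t_ms; return True if a step was started."""
        if self.blocked:
            return False
        if self.busy_until_ms is not None and t_ms < self.busy_until_ms:
            # Pulse arrived mid-sequence: stop motion, alarm, and latch the reject.
            self.blocked = True
            self.alarms.append(
                f"urgent: GO pulse at {t_ms:.1f} ms during step ending "
                f"{self.busy_until_ms:.1f} ms"
            )
            return False
        self.busy_until_ms = t_ms + STEP_SEQUENCE_MS
        self.steps_started += 1
        return True

    def reset(self) -> None:
        """Reset after the fault is cleared; the alarm history is kept."""
        self.blocked = False
        self.busy_until_ms = None


def replay_pulse_train(spm: float, n_pulses: int) -> SlaveCycler:
    """Feed n_pulses evenly spaced GO pulses at `spm` into a fresh slave cycler."""
    cycler = SlaveCycler()
    interval = interval_ms_for_spm(spm)
    for k in range(n_pulses):
        cycler.go(k * interval)
    return cycler
```

At the 72 spm program limit the pulse interval (about 833 ms) always exceeds the 780 ms step, so every pulse is accepted; a pulser fault demanding, say, 90 spm is stopped on its second pulse.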

To preclude addressing failures in the rod speed signal that could cause rod stepping speeds to exceed the normal maximum speed of 72 spm, a test of the rod control system and reactor control system input signal is required. This testing of the reactor control system and the rod control system is performed at periodic intervals to detect failures that could lead to an increase in the rod speed. [Ref. 16]

The maximum rod stepping speed of 72 spm is used in the Chapter 15 safety analyses.

(b) Power Cabinet System Failures

Analysis of the power cabinet disclosed no single component failures that would cause the uncontrolled withdrawal of a group of rods serviced by the power cabinet. The analysis substantiates that the design of the power cabinet is 'fail-preferred' in regard to a rod withdrawal accident if a component fails. The end result of a failure is either that of blocking rod movement or that of dropping an individual rod or rods. No failure within the power cabinet which could cause erroneous drive mechanism operation will remain undetected.

Sufficient alarm monitoring (including 'urgent' alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mechanisms. As noted in the foregoing, diverse monitoring systems are available for detection of failures that cause the erroneous operation of an individual control rod drive mechanism.

Conclusion

In summary, no single failure within the rod control system can cause either reactivity insertions or malpositioning of the control rods resulting in core thermal conditions not bounded by analyses contained in Chapter 15.


7.7.1.3 Plant Control Signals for Monitoring and Indicating

7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System

The Nuclear Instrumentation System (NIS) monitors neutron flux from reactor shutdown to 200% of full rated power by the use of three subsystems: 1) source range, 2) intermediate range, and 3) power range. The NIS consists of eight channels: two source range, two intermediate range, and four power range channels. The primary function of the NIS is to protect the reactor by monitoring neutron flux and generating appropriate reactor protection trips, operating permissives, indication and alarms for various phases of reactor operating and shutdown conditions. The safety function of each subsystem is to provide reactor trip input signals to the reactor protection system (RPS), provide power level permissives control signals (i.e., P-6, P-7, P-8, P-9, and P-10), and provide post accident monitoring indication. Refer to Section 7.2 for detailed description of the reactor protection features and operating permissives of the NIS. The NIS is described in References [2] and [11]. Also, refer to Section 7.5 for description of the NIS post accident monitoring features.

The NIS provides control, indication, and alarm features needed to maintain the reactor within safe operating limits. In addition to the reactor (protective) controls and permissives discussed in Section 7.2, the (non-protective) control features include the intermediate range high flux (1 of 2 logic) and power range high flux (1 of 4 logic) rod stop signals. The power range channels provide an input to the overtemperature ΔT and overpower ΔT rod stop/turbine runback signals. Isolated signals from the four power range channels are input to a distributed control system (DCS) where the second highest of the four channels is determined and provided as an input to the steam generator level control system. The DCS also provides the highest of the four power range channels to the Rod Speed Program as discussed in Section 7.7.1.1.2.

Main control room alarms are provided from various NIS channels during shutdown, startup, and power operation. These alarms are used to alert the operator to conditions which require administrative action and indicate abnormal reactor operating conditions. These alarms include reactor trip block status, control permissive status, abnormal reactor operation (e.g., high flux, flux deviation, power imbalance), rod stop status, channel bypass status, and channel trouble condition.

NIS indication on the main control board covers reactor neutron flux from shutdown to 200% of full power. The source range, intermediate range, and power range channels are designed with overlapping ranges to ensure a satisfactory transition during reactor startup and shutdown. The main control board indication includes reactor neutron flux count rate and startup rate for each of the two source range channels, flux rate and startup rate for each of the two intermediate range channels, and flux level and upper/lower detector differential flux indications for each of the four power range channels. Two channels of the total eight NIS channels may be selected for recording at any one time. Also, the four power range channels (upper and lower detector sum) flux signals are recorded. The output signals of the NIS channels are monitored by the plant computer.


7.7.1.3.2 Main Control Room Rod Position Indication

Two separate systems are used to indicate rod position information in the main control room. One system measures the actual drive rod position as part of the Rod Position Indicator System (RPIS). The second system counts and displays the pulses for rod movement generated in the logic cabinet.

(1) Rod Position Indication System

The position of each rod (57) [Shutdown and Control banks] is displayed on main control room (MCR) displays. The RPIS receives analog signals from sensors mounted on the rod drive mechanism, calculates rod position from these signals, and displays this information on the MCR displays. The scale is in units of steps and covers the entire range of travel.

Additionally, a rod bottom indicator light for each rod (57) is shown on the MCR displays to indicate a rod is near the fully inserted position.

(2) Rod Position Step Counter

The position demand signal for each rod group (14) is displayed on a 3-digit, add-subtract step counter. The input signal is supplied from the logic cabinet circuitry.

The demand position and rod position indication systems are separate systems; the rod position indication system is described in detail in References [3] and [17].

Unit Operation with an Inoperable RPIS Indicator

The malfunction of an indicator in the RPIS is addressed by controls established in the technical specifications. The controls include requirements to use the Power Distribution Monitoring System to verify the position of the affected rod whenever an indicator is inoperable. This action may be periodically repeated for the duration of the period the indicator is inoperable. A second action is available in the technical specifications to address the malfunction of an indicator for an extended period of time (referred to as the extended action in this discussion). The options provided by the extended action allow for continued operation in a situation where the component causing the indicator to be inoperable is inaccessible due to operating conditions (adverse radiological or temperature environment). In this situation, repair of the indicator cannot occur until the unit is in an operating mode that allows access to the failed components. The primary purpose for this option is to prevent unnecessary wear on the incore detectors due to repeated use over an extended period.

Implementation of the extended action involves the monitoring of test points associated with the control rod drive mechanism (CRDM) affected by the inoperable indicator. A CRDM consists of four separate subassemblies: 1) the pressure vessel, 2) the coil stack assembly, 3) the latch assembly, and 4) the drive rod assembly. The coil stack assembly contains three operating coils: 1) the stationary gripper coil, 2) the movable gripper coil, and 3) the lift coil. During the use of the extended action, signal cables are connected to the CRDM circuitry test points on a temporary basis to monitor the operation and timing of the lift coil and the stationary gripper coil and to provide instrumentation for the monitoring of the position of the affected rod in the MCR.

As indicated previously, the initial position of the affected rod (control or shutdown) is verified by use of the Power Distribution Monitoring System. Once the position is known and the monitoring circuits required for use of the extended action are in place, the position of the rod is programmed into the plant computer. The program displays the position of the rod on the plant computer or on a recorder located in the MCR.

Once the extended action is implemented, the parameters of the rod control system must be monitored until the failed indicator is repaired. The monitoring function is assisted by a series of alarms controlled by the plant computer that address unintended movement of the rod. Alarms are initiated if the affected rod steps in a direction other than what was demanded, if the affected rod stepped with no demand and/or if the monitoring circuitry fails. Receipt of any alarm requires the verification of the position of the rod by use of the Power Distribution Monitoring System.

The technical specifications that govern the use of the extended action contain the following provisions to ensure the temporary circuit is functioning properly and the position of the affected rod is periodically verified:

(1) Verification of the position of the rod every 31 days using the Power Distribution Monitoring System.

(2) Verification of the position of the rod with the inoperable analog rod position indication (ARPI) by use of the Power Distribution Monitoring System, whenever the rod is moved greater than 12 steps in one direction.

During the period the extended action is implemented, actions required by the technical specifications that address rod group alignment limits, heat flux hot channel factor and nuclear enthalpy rise hot channel factor may serve to verify the correct operation of the temporary circuit. Provisions are also provided in the technical specifications that address operation of the unit under the extended action when reactor thermal power (RTP) is less than or equal to 50% RTP and the unit is to be returned for full power operation.

Implementation of the extended action and the installation of the temporary circuit include a review of the modification for impact on plant procedures and training. This ensures that changes are initiated for key issues like the monitoring requirements in the MCR, and operator training on the temporary equipment.

7.7.1.3.3 Control Bank Rod Insertion Monitoring

When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the RCS loop ΔT) and coolant average temperature. RCS ΔT is the only parameter used to determine the rod insertion limits. Two alarms are provided for all control banks.


(1) The "Rod Insertion Limit Lo" annunciation alerts the operator of an approach of one or more control bank rods to the insertion limit. This annunciation precedes the "Lo-Lo" annunciation by a preset number of steps.

(2) The "Rod Insertion Limit Lo-Lo" annunciation alerts the operator that one or more control bank rods are positioned at or below the insertion limit.

Corrective measures are to be taken after verifying that rod insertion limits are violated.

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity, adequate shutdown margin (SDM) following reactor shutdown due to normal or design basis event assuming the highest worth rod remains fully withdrawn, and provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion such that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. The rod insertion monitor uses %ΔT as a direct function of reactor power (i.e., K1 = 0) as follows:

ZLL = K1 (Tavg - 557°F) + K2 (%ΔT) + K3 (see Reference [10])

where:

ZLL = maximum permissible insertion limit (steps withdrawn)

Tavg = highest average temperature of all loops (auctioneered)

ΔT = highest ΔT of all loops (auctioneered)

K1, K2, K3 = Constants based on physics calculation (K1 = 0)

The control bank position (steps withdrawn), Z, is compared to calculated ZLL as follows for alarm:

Low Alarm: Z Low = ZLL + K4

Low-Low Alarm: Z Low-Low = ZLL + K5

Where:

K4, K5 = Constants to allow alarms to occur prior to reaching insertion limit (steps).

(K5 = 0)


Since the highest values of Tavg and ΔT are chosen by auctioneering, a conservatively high representation of power is used in the insertion limit calculation.

Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to evaluate the need to add boron through the Chemical and Volume Control System (CVCS).

Actuation of the low-low alarm requires the operator to initiate immediate boration procedures after verifying the rod insertion limits are violated. The value for K4 is chosen to allow the operator to follow normal boration procedures. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. In addition to the rod insertion monitor for the control banks, an alarm system is provided to warn the operator if any shutdown rod cluster control assembly leaves the fully withdrawn position.
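The insertion limit relation and its two alarm comparisons, worked as an added example that is not plant code: Tavg and ΔT are auctioneered (highest loop value), ZLL is computed with K1 = 0 and K5 = 0 as stated above, and the bank position Z is tested against ZLL + K4 (low) and ZLL + K5 (low-low). The K2, K3, K4 values and the loop readings are constructed, not the physics-calculation constants of Reference [10].

```python
"""Control bank rod insertion limit monitor (added illustration, not plant code).

    ZLL       = K1 * (Tavg - 557 F) + K2 * (%dT) + K3      (K1 = 0 here)
    Z_low     = ZLL + K4
    Z_low_low = ZLL + K5                                   (K5 = 0 here)

Tavg and dT are auctioneered, i.e. the highest loop value is used.
"""
from dataclasses import dataclass
from typing import Sequence

T_REF_F = 557.0   # reference Tavg in the ZLL expression (from the text)


@dataclass(frozen=True)
class InsertionLimitConstants:
    k1: float = 0.0    # coefficient on (Tavg - 557 F); zero per the text
    k2: float = 1.25   # steps per %dT (constructed)
    k3: float = 50.0   # steps (constructed)
    k4: float = 10.0   # low alarm lead ahead of the limit, steps (constructed)
    k5: float = 0.0    # low-low alarm at the limit itself, per the text


def auctioneer(loop_values: Sequence[float]) -> float:
    """Auctioneered value: the highest reading across all loops."""
    if not loop_values:
        raise ValueError("no loop readings")
    return max(loop_values)


def insertion_limit(tavg_loops: Sequence[float], delta_t_pct_loops: Sequence[float],
                    c: InsertionLimitConstants) -> float:
    """ZLL, the maximum permissible insertion limit in steps withdrawn."""
    tavg = auctioneer(tavg_loops)
    delta_t = auctioneer(delta_t_pct_loops)
    return c.k1 * (tavg - T_REF_F) + c.k2 * delta_t + c.k3


@dataclass(frozen=True)
class InsertionStatus:
    zll: float
    z_low: float
    z_low_low: float
    low_alarm: bool
    low_low_alarm: bool


def evaluate_bank(z_steps: float, tavg_loops: Sequence[float],
                  delta_t_pct_loops: Sequence[float],
                  c: InsertionLimitConstants) -> InsertionStatus:
    """Compare a control bank position Z (steps withdrawn) with the alarm thresholds."""
    zll = insertion_limit(tavg_loops, delta_t_pct_loops, c)
    z_low = zll + c.k4
    z_low_low = zll + c.k5
    return InsertionStatus(
        zll=zll,
        z_low=z_low,
        z_low_low=z_low_low,
        low_alarm=z_steps <= z_low,          # approaching the limit
        low_low_alarm=z_steps <= z_low_low,  # at or below the limit
    )
```

Because the highest loop ΔT is auctioneered, the computed ZLL is never lower than it would be with an averaged ΔT, which is the conservative direction for the alarm.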

Rod insertion limits are established by:

(1) The allowed rod reactivity insertion at full power consistent with the purposes given above.

(2) The differential reactivity worth of the control rods when moved in normal sequence.

(3) The change in reactivity with power level by relating power level to rod position.

(4) Linearizing the resultant limit curve. Key nuclear parameters used in establishing the limit curve are measured as part of the initial physics testing program and periodic surveillance testing program.

Any unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.

7.7.1.3.4 Rod Deviation Alarm

A rod deviation annunciation is actuated in the main control room when: 1) the deviation between the actual rod position and the bank demand position (control bank rods) exceeds a preset value, or 2) the deviation between any two rods within a control bank exceeds a preset value.

Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system.

7.7.1.3.5 Rods At Bottom

A "Rods At Bottom" annunciation is actuated in the main control room when any of the shutdown and control bank rods are near the fully inserted position. The RPIS monitors the analog signal from the rod position detectors and actuates this alarm when the rods are positioned below the setpoint. (The RPIS blocks this alarm signal for control banks B, C, and D.)

7.7.1.3.6 Bypassed and Inoperable Status Indication System (BISI)

Refer to Section 7.5 for description of BISI.

7.7.1.4 Plant Control System Interlocks

The listing of the plant control system interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by 'C'.

7.7.1.4.1 Rod Stops

Rod stops are provided to inhibit control rod withdrawal under certain abnormal operating conditions. Refer to Table 7.7-1 for description of each interlock.

7.7.1.4.2 Automatic Turbine Load Runback

Automatic turbine load runback is initiated by an approach to an overpower ΔT or overtemperature ΔT condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip.

Turbine load reference reduction is initiated by either an overtemperature ΔT or overpower ΔT signal. Two-out-of-four coincidence logic is used.

A rod stop and turbine runback are initiated when:

ΔT > ΔTrod stop for both the overtemperature and the overpower condition.

For either condition in general:

ΔTrod stop = ΔTsetpoint - Bp

where:

Bp = a setpoint bias

ΔTsetpoint = the overtemperature ΔT reactor trip value and the overpower ΔT reactor trip value for the two conditions.

The turbine runback will continue to cycle to maintain stability until ΔT is equal to or less than ΔTrod stop.

This function serves to maintain an essentially constant margin to trip.
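The rod stop and runback logic above, as an added example that is not plant code: the threshold is ΔTsetpoint minus the bias Bp, each condition is decided on two-out-of-four coincidence of the loop ΔT channels, and the runback keeps cycling until the coincidence clears. Setpoints, bias and channel readings are constructed, and the real trip setpoints, which depend on other plant parameters, are treated here as given inputs.

```python
"""dT rod stop and turbine runback coincidence (added illustration, not plant code).

    dT_rod_stop = dT_setpoint - Bp
Rod stop and runback are initiated when two of the four loop dT channels
exceed dT_rod_stop for either the overtemperature or the overpower condition.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


def rod_stop_threshold(delta_t_setpoint: float, bias_bp: float) -> float:
    """dT_rod_stop = dT_setpoint - Bp."""
    return delta_t_setpoint - bias_bp


def two_of_four(channels: Sequence[float], threshold: float) -> bool:
    """True when at least two of the four loop dT channels exceed the threshold."""
    if len(channels) != 4:
        raise ValueError("expected four loop dT channels")
    return sum(1 for dt in channels if dt > threshold) >= 2


@dataclass(frozen=True)
class RunbackDecision:
    overtemperature: bool
    overpower: bool

    @property
    def rod_stop_and_runback(self) -> bool:
        return self.overtemperature or self.overpower


def evaluate(channels_pct: Sequence[float], ot_setpoint: float,
             op_setpoint: float, bias_bp: float) -> RunbackDecision:
    """Apply the 2-of-4 rod stop test for both the OT and OP conditions."""
    return RunbackDecision(
        overtemperature=two_of_four(channels_pct, rod_stop_threshold(ot_setpoint, bias_bp)),
        overpower=two_of_four(channels_pct, rod_stop_threshold(op_setpoint, bias_bp)),
    )


def runback_cycles_until_clear(channels: Sequence[float], ot_setpoint: float,
                               op_setpoint: float, bias_bp: float,
                               load_cut_per_cycle: float = 0.05,
                               max_cycles: int = 100) -> Tuple[int, List[float]]:
    """Count runback cycles until neither condition holds.

    Constructed plant response (an assumption of this example): each runback
    cycle trims the turbine load reference, and loop dT, taken as proportional
    to load, falls by the same fraction.  Returns (cycles, final_channels).
    """
    current = list(channels)
    for cycle in range(max_cycles + 1):
        if not evaluate(current, ot_setpoint, op_setpoint, bias_bp).rod_stop_and_runback:
            return cycle, current
        current = [dt * (1.0 - load_cut_per_cycle) for dt in current]
    raise RuntimeError("runback did not clear within max_cycles")
```

A single channel reading above the threshold does not initiate a rod stop, which is the point of the two-out-of-four coincidence.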


7.7.1.5 Pressurizer Pressure Control

The RCS pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients. The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations.

These variations are due to heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are energized when the pressurizer pressure control signal demands approximately 100% proportional heater power.

The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Power operated relief valves (PORVs) limit system pressure for large positive pressure transients. In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer PORVs might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the maximum incremental rod worth. The relief capacity of the PORVs is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above condition.

A block diagram of the pressurizer pressure control system is shown on Figure 7.7-4.

See Reference [9].

7.7.1.6 Pressurizer Water Level Control

The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.

The water inventory in the RCS is maintained by the CVCS. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes.

The pressurizer water level input to the controller is the median of the three pressurizer water level signals as determined by a median signal selector in the distributed control system.


To control pressurizer water level during startup and shutdown operations, the charging flow is controlled from the main control room.

A block diagram of the pressurizer water level control system is shown on Figure 7.7-5.

See Reference [9].

7.7.1.7 Steam Generator Water Level Control

Each steam generator is equipped with a three element feedwater flow controller which maintains a programmed water level which is a function of nuclear power. The three element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the steam generator water level signal, the programmed level and the pressure compensated steam flow signal. In addition, the feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔPref which is a linear function of steam flow. Continued delivery of feedwater to steam generators is required to remove reactor core decay heat and RCS stored heat following a reactor trip and turbine trip. An override signal closes the feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the feedwater control system is available at all times.

Three isolated steam generator water level signals from each steam generator are provided to a distributed control system (DCS) for feedwater control. A median signal selector (MSS) function in the DCS provides a median signal for use by the control system. Median signal selectors are also provided in the DCS for three feedwater header pressure (feed pump discharge) and three steam header pressure inputs to the feedwater pump speed controller. If the DCS detects a failed MSS input channel, the failed input will not be used in the control algorithm and the average of the two remaining channels will be used for control.

Two feedwater flow signals and two steam flow signals are provided to the DCS for feedwater control. The DCS calculates an average of the two inputs for each variable for input to the feedwater controller. If one channel of feedwater flow or one channel of steam flow fails, a voter signal will determine which channel should be used for control. The voter signal is the average of the feedwater flows for the other steam generators. The voter is not used for control.

For the evaluation of the compliance of steam generator low-low water level channels to Section 4 (Control and Protection System Interaction) of IEEE Standard 279-1971, refer to Section 7.2. A block diagram of the steam generator water level control system is shown in Figures 7.7-6 and 7.7-7. See Reference [8].

7.7.1.8 Steam Dump Control

The steam dump system has 40% steam dump capacity to the condenser (i.e., 40% of rated full load steam flow can be passed at full load steam pressure when all of the steam dump valves are discharging steam). This allows the NSSS to withstand an external load step reduction of up to 50% of plant rated electrical load (10% NSSS load step capability plus 40% steam dump) without reactor trip or safety valve actuation.

The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the RCS. By bypassing main steam directly to the condenser, an artificial load is thereby maintained on the primary system. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions.

If the difference between the reference Tavg (Tref) based on turbine impulse pressure and the lead/lag compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the RCS temperature within control range until a new equilibrium condition is reached.

The Tref input to steam dump control is the median of three turbine impulse pressure signals as determined by a median signal selector in the distributed control system. If a failed channel is detected by the DCS, it will not be used in the control algorithm and the average of the two remaining channels will be used for control.

To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided in the DCS. This circuit senses the rate of decrease in the turbine load as detected by the turbine impulse pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10% step load decrease.

A block diagram of the steam dump control system is shown in Figure 7.7-8. See Reference [7].

7.7.1.8.1 Load Rejection Steam Dump Controller

This controller prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is a difference between the lead/lag compensated auctioneered Tavg and the reference Tavg based on turbine impulse pressure.

The Tavg signal is the same as that used in the RCS. The lead/lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning. Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump.

Since control rods are available, in this situation steam dump terminates as the error comes within the maneuvering capability of the control rods.

7.7.1.8.2 Plant Trip Steam Dump Controller

Following a plant trip, the load rejection steam dump controller is defeated and the plant trip steam dump controller becomes active. The demand signal is the error signal between the lead/lag compensated auctioneered Tavg and the no load reference Tavg.

When the error signal exceeds a predetermined setpoint the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude indicating that the RCS Tavg is being reduced toward the reference no-load value, the dump valves are modulated by the plant trip controller to regulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition.

Following a plant trip, only sufficient steam-dump capacity is necessary to maintain steam pressure below the steam-generator relief-valve setpoint. The error signal determines whether a group is to be tripped open or modulated open. The valves are modulated when the error is below the trip-open setpoints.

7.7.1.8.3 Steam Header Pressure Controller

Residual heat removal is maintained by the steam generator pressure controller (manually selected), which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers, which are used during the initial transient following turbine-reactor trip or load rejection.

7.7.1.9 Incore Instrumentation System

The incore instrumentation system consists of Chromel-Alumel thermocouples and fixed incore neutron detectors contained within Incore Instrumentation Thimble Assemblies (IITA) which are inserted through the Bottom-Mounted Instrumentation (BMI) guide tubes into the fuel assemblies served by those guide tubes. The fixed incore neutron detectors reside in the core during reactor operation and provide digitized flux signals to the Power Distribution Monitoring System (PDMS) for development of core flux maps. The Incore Instrumentation System is shown in Figure 7.7-9.

7.7.1.9.1 Thermocouples

The incore thermocouple system is a Post Accident Monitoring (PAM) safety related monitoring system. Refer to Section 7.5.

Chromel-Alumel thermocouples are contained in the tip of the IITAs which are located within the fuel assembly instrument tube. The thermocouple sensing tip is located within the fuel assembly instrument tube just below the bottom of the fuel assembly top nozzle.

The thermocouple cables, connectors, and cables outside the containment up to the Common Q Post Accident Monitoring System Cabinet are environmentally qualified and in compliance with 10CFR50.49. The thermocouple cables maintain adequate separation between post-accident monitoring channels I and II (PAM I and PAM II) after exiting the seal table area. Thermocouple readings will be monitored by a Common Q PAMS flat panel display screen (separate for PAM I and PAM II channels) in the main control room. The plant computer is also available for monitoring the thermocouple readings.

7.7.1.9.2 Incore Instrumentation System

The flux mapping system is a quality-related system. The portion of the system that interfaces with the RCS pressure boundary is safety related.

The IITAs are pushed into the thimble seal table through the concrete shield area and through the bottom of the reactor vessel and into the fuel assembly instrumentation thimble tubes.

7.7.1.9.3 Incore Instrumentation System Neutron Signal Processing

The Incore Instrumentation System provides a signal processing capability that digitizes the analog self-powered detector signals and transmits the data to the PDMS workstation over the plant data highway. The 58 core locations are divided between two cabinets to provide redundancy while providing coverage of the entire core. Since the Incore Instrumentation System detectors reside in the core during operation, power distribution information is available from the PDMS workstation as needed.

7.7.1.10 Control Board

A typical control board functional layout is shown on Figure 7.7-10.

The control board layout is based on operator ease in relating the control board devices to the physical plant and in determining at a glance the status of related equipment. This is referred to as providing a functional layout. Within the boundaries of a functional layout, modules are arranged in columns of control functions associated with separation trains defined for the RPS and ESFAS.

Monitor lights are provided in two places on the control board for automatically actuated valves and components for Phase A and B containment isolation and containment vent isolation, with the exception of all sampling and water quality system valves as well as those EGTS valves that are not in the containment annulus vacuum fans flowpath. Indicating circuits are paralleled to red (open) and green (closed) lights located next to the control station and to red and green split lens lights on the Containment Isolation Status Panel (CISP).

EGTS containment isolation valves not in the containment annulus vacuum fans flowpath have red and green position indication lights located on the control board at the control station.

Position indication for the sampling and water quality system containment isolation valves is provided by paralleling indicating circuits to red and green lights at the local control station in the Auxiliary Building and to red and green split-lens lights on the CISP.

For a description of separation of wiring within the control board refer to Section 7.1.

7.7.1.11 Distributed Control System

Select non safety-related control and indication functions in WBN Unit 2 are implemented using a Distributed Control System (DCS). The functional design of the WBN Unit 2 control system implemented in the DCS is similar to the WBN Unit 1 analog control system but incorporates changes which improve reliability and eliminate significant single points of failure. The basic components of the DCS are redundant fault-tolerant processor pairs, redundant power supplies with diverse power sources, and redundant communication networks. Multiple inputs are provided for critical plant parameters. Redundant field-bus modules (FBMs) are utilized for critical inputs and outputs. Workstations are provided in the main control room and the auxiliary instrument room for trending, alarm monitoring and system maintenance activities.

Manual control is available from hand/auto stations on the main and auxiliary control boards.

7.7.1.11.1 Functional Groups

The Unit 2 DCS consists of multiple functional groups, each with a redundant control processor (CP) pair (a master and a backup). The control systems are assigned to different CP pairs to maintain independence between redundant control functions and to limit the effects of failures on the critical control systems. The system configuration was evaluated to ensure that DCS failures are bounded by the safety analyses described in Chapter 15.

The primary functions of each DCS functional group are shown below. Two groups are dedicated to the Auxiliary Control System instrumentation which is not required for normal plant operation (refer to Section 7.4). These two groups are isolated from the rest of the DCS network during normal operation, except for maintenance purposes, to eliminate the possibility of events external to the auxiliary control room causing loss of these processor pairs.

01 Steam Generator 1 Level, Feedwater Flow
02 Steam Generator 2 Level, Feedwater Flow
03 Steam Generator 3 Level, Feedwater Flow
04 Steam Generator 4 Level, Feedwater Flow
05 Main Feedwater Pump Speed Control & Condenser Steam Dump Loss of Load Interlock
06 Rod Control
07 Steam Generator 1 PORV (Atmospheric Steam Dump)
08 Steam Generator 2 PORV (Atmospheric Steam Dump)
09 Steam Generator 3 PORV (Atmospheric Steam Dump)
10 Steam Generator 4 PORV (Atmospheric Steam Dump)
11 Condenser Steam Dump
12 Pressurizer A - Pressure, Level, Charging, Letdown, Spray, Cold Overpressure Mitigation System (COMS)
13 Pressurizer B - Pressure, Level, Charging, Letdown, Spray, Cold Overpressure Mitigation System (COMS)
14 Auxiliary Control System A
15 Auxiliary Control System B

7.7.1.11.2 Power Supplies

Each of the redundant power supplies for the control groups is fed from an inverter with battery and emergency diesel generator backup. This arrangement ensures that a single power supply or inverter failure will not result in loss of function, eliminating loss of power as a single point of failure.

7.7.1.11.3 Signal Selection and Validation

The use of multiple inputs for critical parameters such as steam header pressure and feedwater pressure allows the use of various signal selection functions to improve reliability and eliminate single point failures. Redundant inputs are typically assigned to different input modules to provide additional hardware redundancy and eliminate hardware common cause failure.

A median signal selector chooses the median value signal of three inputs for control use. With the median signal selector, a spurious high or low signal from any one channel will not cause a control action. Where only two inputs are available, an average is computed, and a third correlated signal may be provided as a voter. The voter is never used for control. With four inputs, either the highest input (auctioneered) or the second highest input (higher median) is selected for control.

The DCS employs signal validation which can remove bad or out-of-service signals from the algorithm and select from the remaining good signals or transfer control to manual in the event of multiple input signal failures. This scheme minimizes the potential for a transient initiated by the failure of a single input.
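The selection rules described here, in 7.7.1.7 (steam generator level, feedwater and steam flow) and in 7.7.1.8 (turbine impulse pressure) can be written out as plain functions; the following is an added example, not the Unit 2 DCS's own logic. The deviation-limit rule used to let the voter arbitrate between two disagreeing channels is an assumption, and all sample values are constructed.

```python
"""Signal selection functions of the kind the DCS description lists: median of
three, average of two with a correlated voter, and auctioneered / higher-median
selection of four. Added example, not the Unit 2 DCS code; sample values are
constructed and the deviation-limit rule for the voter case is an assumption."""
from statistics import median
from typing import Optional, Sequence, Tuple

# (value, good): 'good' is False when signal validation has flagged the input
# as failed or out of service.
Channel = Tuple[float, bool]


def select_median(channels: Sequence[Channel]) -> Optional[float]:
    """Median signal selector for three redundant inputs.

    All three good     -> median, so one spurious high or low input has no effect.
    One input failed   -> average of the two remaining inputs.
    Two or more failed -> None: nothing valid to control on, transfer to manual.
    """
    if len(channels) != 3:
        raise ValueError("median signal selector takes exactly three inputs")
    good = [value for value, ok in channels if ok]
    if len(good) == 3:
        return median(good)
    if len(good) == 2:
        return sum(good) / 2.0
    return None


def select_two_with_voter(channels: Sequence[Channel], voter: float,
                          deviation_limit: float) -> Optional[float]:
    """Two-input average with a correlated voter signal (for feedwater flow the
    voter is the average flow of the other steam generators).

    Both inputs good and in agreement -> their average.
    Otherwise the voter picks the good input closest to it. The voter only
    arbitrates; its own value is never returned for control.
    """
    if len(channels) != 2:
        raise ValueError("two-input selector takes exactly two inputs")
    (a, a_ok), (b, b_ok) = channels
    if a_ok and b_ok and abs(a - b) <= deviation_limit:
        return (a + b) / 2.0
    candidates = [value for value, ok in channels if ok]
    if not candidates:
        return None
    return min(candidates, key=lambda value: abs(value - voter))


def select_four(channels: Sequence[Channel], mode: str) -> Optional[float]:
    """Four-input selection: 'auctioneered' takes the highest good input,
    'higher_median' the second highest. Too few good inputs -> None."""
    if len(channels) != 4:
        raise ValueError("four-input selector takes exactly four inputs")
    good = sorted((value for value, ok in channels if ok), reverse=True)
    if mode == "auctioneered":
        return good[0] if good else None
    if mode == "higher_median":
        return good[1] if len(good) >= 2 else None
    raise ValueError(f"unknown selection mode: {mode}")


def demo() -> dict:
    """Constructed cases: steam header pressure in psig, feedwater flow in lb/hr."""
    four = [(2235.0, True), (2240.0, True), (2230.0, True), (2500.0, True)]
    return {
        # one pressure channel reads spuriously high; the median ignores it
        "median_spurious_high": select_median([(1000.0, True), (1004.0, True), (1500.0, True)]),
        # one channel flagged failed; average of the remaining two
        "median_one_failed": select_median([(1000.0, True), (1004.0, True), (0.0, False)]),
        # two channels failed; no valid control signal
        "median_two_failed": select_median([(1000.0, False), (0.0, False), (1002.0, True)]),
        # two flow channels agree; their average is used
        "flow_agree": select_two_with_voter([(3.50e6, True), (3.52e6, True)], 3.51e6, 0.2e6),
        # one flow channel failed low; the voter selects the channel near it
        "flow_disagree": select_two_with_voter([(3.50e6, True), (0.0, True)], 3.48e6, 0.2e6),
        "auctioneered": select_four(four, "auctioneered"),
        "higher_median": select_four(four, "higher_median"),
    }
```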

7.7.1.11.4 Shared Signals

Some signals are used in more than one functional group or processor pair. They may be provided to each processor as separate inputs, or they may be input to one processor for development of the control signal (auctioneered, median, etc.) which is then transmitted to other processors by either a hardwired analog connection, peer-to-peer network connection or both. No critical control function is dependent upon the network alone. This design minimizes the possibility that failure of a single input signal, a single processor pair, or both communication networks will disable multiple control systems or functions.

7.7.1.11.5 External Communication

Communication links are provided from the DCS to the plant computer. Firewalls between the systems limit the volume of data traffic to ensure that events external to the DCS, such as a data storm, do not impact the DCS.

There is no digital communication between the control system and the protection system. The DCS receives analog process inputs from the protection system via qualified isolators which are part of the protection system.

7.7.1.12 Anticipated Transient Without Scram Mitigation System Actuation Circuitry (AMSAC) (Reference 13)

To meet the ATWS final rule, Watts Bar added equipment diverse from the existing reactor trip system. The existing reactor trip system is composed of the Westinghouse Eagle 21 process protection system, and the Westinghouse Solid State Protection System (SSPS). The AMSAC equipment consists of a freestanding panel which is installed in the auxiliary instrument room of the Control Building. This modification is diverse from sensor output to the final actuation device. The AMSAC is designed to automatically initiate auxiliary feedwater and trip the turbine under conditions indicative of an ATWS event. An ATWS event will be detected when low-low level in three out of four steam generators is coincident with the turbine at or above 40% load. An AMSAC actuation will ensure the RCS pressure will remain below the pressure that will satisfy the ASME Boiler and Pressure Vessel Code Level C service limit stress criteria.

A turbine trip and startup of all auxiliary feedwater system (AFW) pumps occurs upon generation of an AMSAC signal. The AMSAC signal is generated by low-low water level signals in the steam generators. The AMSAC coincidence logic is 3 out of 4 (3/4) low-low level signals with one channel per steam generator and the turbine at or above 40% load. Load is determined by two pressure transmitters measuring turbine impulse pressure. When 2 of 2 transmitters sense 40% load, AMSAC is armed. Removal of the AMSAC arming signal is delayed for a specified time so that AMSAC will stay armed and be capable of performing its function after turbine trip or power reduction below 40% power. Only one of the three narrow range level channels per steam generator is used for input to AMSAC coincidence logic. AMSAC actuation is required at a setpoint that is less than the existing RPS steam generator low-low level setpoint.

The requirement allows the operation of the RPS before AMSAC. AMSAC actuation is delayed for a specified time to further ensure RPS operation prior to AMSAC.

There is no AMSAC interface to the RPS. The four steam generator level signals are from isolation devices in the AFW. Signals from two dedicated turbine impulse pressure transmitters are used to indicate if the plant is at or above 40% load and then to determine the trip setpoint. The output signals to start the auxiliary feedwater pumps and trip the turbine are from interposing relays.

AMSAC is designed so that once actuated, the completion of mitigating action shall be consistent with the plant turbine trip and auxiliary feedwater circuitry. AMSAC auxiliary feedwater initiation and turbine trip goes to completion after actuation. The output relays are energized to actuate in order to prevent spurious trips and false status indication on loss of power or logic.

The blocking switch prevents inadvertent actuation by inhibiting the output relays before enabling the test function. A test status output shall inform the control room that the AMSAC is in the test mode and actuation is bypassed.

AMSAC is powered from 120V ac preferred power which is independent from the RPS power supply.
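The arming, coincidence, delay and blocking-switch behaviour described above, written as a small scan-cycle state machine; this is an added illustration, not the Watts Bar AMSAC design. The 40% arming load and the 3-of-4 and 2-of-2 coincidences are from the text; the low-low level setpoint and the two delays are constructed placeholders, since the text only says they are set below the RPS setpoint and to "a specified time".

```python
"""AMSAC arming, coincidence and actuation logic as described in 7.7.1.12.
Added illustration, not the Watts Bar AMSAC design. The level setpoint and the
two delays are constructed placeholders."""
from typing import Dict, Optional, Sequence

ARM_LOAD_FRACTION = 0.40           # turbine at or above 40% load (from the text)
AMSAC_LOW_LOW_SETPOINT_PCT = 10.0  # placeholder: below the RPS low-low setpoint
DISARM_DELAY_S = 180.0             # placeholder: arming signal removal delay
ACTUATION_DELAY_S = 25.0           # placeholder: actuation delay so the RPS acts first
SG_COINCIDENCE = 3                 # 3 of 4 steam generators low-low


class Amsac:
    def __init__(self) -> None:
        self.armed = False
        self._arm_condition_last_true: Optional[float] = None
        self._coincidence_since: Optional[float] = None
        self.actuated = False   # latched: mitigation goes to completion

    def step(self, t: float, sg_level_pct: Sequence[float],
             impulse_load_fraction: Sequence[float],
             test_mode: bool = False) -> Dict[str, bool]:
        """One logic cycle at time t (seconds).

        sg_level_pct: one narrow range level input per steam generator (4).
        impulse_load_fraction: the two dedicated turbine impulse pressure
        transmitters, scaled 0..1 of full load.
        test_mode: blocking switch position; inhibits the output relays.
        """
        if len(sg_level_pct) != 4 or len(impulse_load_fraction) != 2:
            raise ValueError("AMSAC takes 4 level inputs and 2 impulse pressure inputs")

        # Arming: 2 of 2 impulse pressure channels at or above 40% load.
        # Removal of arming is delayed so AMSAC can still act after a turbine trip.
        if all(load >= ARM_LOAD_FRACTION for load in impulse_load_fraction):
            self.armed = True
            self._arm_condition_last_true = t
        elif self.armed and t - self._arm_condition_last_true >= DISARM_DELAY_S:
            self.armed = False

        # Input comparators give low-low per steam generator; 3/4 coincidence
        # while armed must persist for the actuation delay before actuation.
        low_low = [level <= AMSAC_LOW_LOW_SETPOINT_PCT for level in sg_level_pct]
        if self.armed and sum(low_low) >= SG_COINCIDENCE:
            if self._coincidence_since is None:
                self._coincidence_since = t
            if t - self._coincidence_since >= ACTUATION_DELAY_S:
                self.actuated = True
        else:
            self._coincidence_since = None

        # Output relays are energized to actuate; the blocking switch inhibits
        # them in test mode, and the test status output reports that state.
        relays_energized = self.actuated and not test_mode
        return {"armed": self.armed, "afw_start": relays_energized,
                "turbine_trip": relays_energized, "test_status": test_mode}


def demo() -> Dict[str, bool]:
    """Constructed scenario: at 90% load three steam generators fall to 8%
    level at t=5 s; returns the outputs at t=30 s, after the actuation delay."""
    amsac = Amsac()
    out = amsac.step(0.0, [60.0, 60.0, 60.0, 60.0], [0.9, 0.9])
    for t in (5.0, 10.0, 15.0, 20.0, 25.0, 30.0):
        out = amsac.step(t, [8.0, 8.0, 8.0, 60.0], [0.9, 0.9])
    return out
```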

The AMSAC system, including input comparators, logic processing and actuation output to isolation relays, is non-safety. The QA requirements are given in NRC Generic Letter 85-06, "Quality Assurance Guidance of ATWS Equipment that is not Safety-Related." The AMSAC cabinet is qualified seismic Category I(L).

The TVA Watts Bar AMSAC design generally conforms to the Westinghouse Owners Group (WOG) Topical Report WCAP-10858 P-A, "AMSAC Generic Design Packages".

7.7.2 Analysis

The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability.

Proper positioning of the control rods is monitored in the control room on flat panel displays which show the individual position indicators for each rod cluster control assembly. A rod deviation alarm alerts the operator of a deviation of one rod cluster control assembly from the other rod assemblies in that bank position. The insertion limit monitor provides control room information on control bank rod assembly positions and calculated insertion limits and annunciation when any control bank rod assembly is inserted below the Low or Low-Low insertion limit values. Rod bottom indication is provided in the control room for each rod assembly and a common annunciation is actuated when any rod assembly is positioned below the rod bottom setpoint. Four excore long ion chambers also detect asymmetrical flux distribution indicative of rod misalignment.

Overall reactivity control is achieved by the combination of soluble boron and rod cluster control assemblies. Long term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short term reactivity control for power changes is accomplished by the plant control system which automatically moves rod cluster control assemblies. This system uses input signals including neutron flux, reactor coolant average temperature, and turbine load.

The plant control systems are designed to prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip. The description and analysis of this protection is covered in Section 7.2. Worst case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following:

(1) Uncontrolled rod cluster control assembly withdrawal from a subcritical condition
(2) Uncontrolled rod cluster control assembly withdrawal at power
(3) Rod cluster control assembly misalignment
(4) Loss of external electrical load and/or turbine trip
(5) Loss of all ac power to the station auxiliaries (station blackout)
(6) Excessive heat removal due to feedwater system malfunctions
(7) Excessive load increase incident
(8) Accidental depressurization of the RCS.

These analyses will show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the resulting coolant temperatures produce a DNBR well above the limiting value. Thus, there will be no cladding damage and no release of fission products to the RCS under the assumption of these postulated worst case failure modes of the plant control system.

7.7.2.1 Separation of Protection and Control System

Refer to Sections 7.2.2.2 and 7.2.2.3.

7.7.2.2 Response Considerations of Reactivity

Reactor trip shutdown with control rod insertion is completely independent of the control functions since the trip breakers interrupt power to the full length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of the 1971 General Design Criteria 25.

The control rod drive system is designed to minimize the effects of a single electrical or mechanical failure in the rod control system that could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation. The operator could deliberately withdraw a single rod cluster control assembly in the control bank; this feature is necessary in order to retrieve a rod, should one be accidentally dropped. In the extremely unlikely event of simultaneous electrical failures which could result in single rod cluster control assembly withdrawal, rod deviation would be displayed on the plant annunciator, and the rod position displays would indicate the relative positions of the rods in the bank.

Each bank of control and shutdown rods in the system is divided into two groups (group 1 and group 2) of up to 4 or 5 mechanisms each (except for Shutdown Banks C and D which have one group each). The rods comprising a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially such that the first group is always within one step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets as shown in Figure 7.7-11, which also shows that one group is always within one step (5/8 inch) of the other group.

A definite schedule of actuation or deactuation of the stationary gripper, moveable gripper, and lift coils of a mechanism is required to withdraw the rod cluster control assembly attached to the mechanism. Since the stationary gripper, moveable gripper, and lift coils associated with the rod cluster control assemblies of a rod group are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of rod cluster control assemblies. Mechanical failures are in the direction of insertion, or immobility.

Figure 7.7-12 is provided for the following discussion associated with design features that minimize the effects of a single electrical failure that could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation.

Figure 7.7-12 shows the typical parallel connections on the lift, movable and stationary coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will address the lift coil circuits.

1) Due to the method of wiring the pulse transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire, if for example the gate signal lead failed open at point X1. Upon "up" demand, one rod in group 1 and 4 rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one rod cluster control assembly;

2) Timing circuit failures will affect the four mechanisms of a group or the eight mechanisms of the bank and will not cause a single rod withdrawal;

3) More than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.

The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of sixteen wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 x 10^-6 per hour by MIL-HDBK-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is therefore too low to have any significance.

Concerning the human element, to erroneously withdraw a single rod cluster control assembly, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the in-hold-out switch. In addition, the three indications would have to be disregarded or ineffective. Such a series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as these.

The rod position indication system provides direct visual displays of each control rod assembly position. The plant computer alarms for deviation of rods from their banks.

In addition, the RPIS provides a rod insertion limit monitor which provides an alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow immediate boration procedures. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system.

An important feature of the control rod system is that insertion is provided by gravity fall of the rods.

In all analyses involving reactor trip, the single, highest worth rod cluster control assembly is postulated to remain untripped in its full out position.

One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. The control board position indicator displays give the plant operator the actual position of each rod in steps. The indications are grouped by banks (control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.

The plant computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by a preset limit, the rod deviation alarm is actuated.

Misaligned rod cluster control assemblies are also detected and alarmed in the control room via the flux tilt monitoring system which is independent of the plant computer.

Isolated signals derived from the nuclear instrumentation system are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur, the comparator output will operate a bistable unit to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod. By use of rod position indicator displays, the operator can determine the deviating control rod and take corrective action. The design of the plant control systems meets the requirements of the 1971 General Design Criteria 23.

The boron system can compensate for all xenon burnout reactivity transients.

The rod system can compensate for xenon burnout reactivity transients over the allowed range of rod travel. Xenon burnout transients of larger magnitude must be accommodated by boration or by reactor trip (which eliminates the burnout).

The boron system is not used to compensate for the reactivity effects of fuel/water temperature changes accompanying power level changes.

The rod system can compensate for the reactivity effects of fuel/water temperature changes accompanying power changes over the full range from full load to no load at the design maximum load uprate.

The boron system can maintain the reactor in the cold shutdown state irrespective of the disposition of the control rods.

7.7.2.3 Step Load Changes Without Steam Dump

The reactor control system is designed to automatically control the reactor, without a trip, following a ±10% step load change over a 15% to 100% power range. Steam dump is blocked for load decrease less than or equal to 10%.

The plant control system minimizes the reactor coolant average temperature deviation during the transient within a given value and restores average temperature to the programmed setpoint. Excessive pressurizer pressure variations are prevented by using spray and heaters and power relief valves in the pressurizer.

7.7.2.4 Loading and Unloading

Ramp loading and unloading of 5% per minute can be accommodated over the 15 to 100% power range under automatic control without tripping the plant. The function of the control system is to maintain the coolant average temperature as a function of turbine-generator load.

The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase. Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed such that the water level is above the setpoint for heater cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature ΔT setpoint.

The automatic load controls are designed to adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.

7.7.2.5 Load Rejection Furnished By Steam Dump System

When a load rejection occurs, if the difference between the required temperature setpoint of the RCS and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the RCS temperature within control range until a new equilibrium condition is reached.

The reactor power is reduced at a rate consistent with the capability of the rod control system. Reduction of the reactor power is automatic if rod control is in AUTO. The steam dump flow reduction is as fast as rod cluster control assemblies are capable of inserting negative reactivity.

The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 40% of full load steam flow at full load steam pressure.

The steam dump flow drops proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The dump valves are modulated in accordance with the error signal developed by the difference between the reactor coolant average temperature and reactor coolant reference temperature. The required number of steam dump valves can be tripped quickly to stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.

7.7.2.6 Turbine-Generator Trip With Reactor Trip

Whenever the turbine-generator trips at an operating power level above the P-9 interlock setpoint, the reactor also trips. The unit is operated with a programmed coolant average temperature as a function of load, with the full-load coolant average temperature significantly greater than the saturation temperature corresponding to the SG safety valve setpoint pressure. The thermal capacity of the RCS is greater than that of the secondary system, and because the full-load coolant average temperature is greater than the no-load temperature, a heat sink is required to remove the heat stored in the reactor coolant. This heat sink is provided by the combination of controlled release of steam to the condenser and makeup of feedwater to the steam generators.

After a reactor trip, the steam dump controller is automatically placed in the plant trip steam dump control mode as described in subsection 7.7.1.8.2. This control mode compares the auctioneered reactor coolant average temperature (Tavg) signal to the no-load Tavg setpoint. It opens selected dump valves based on the magnitude of the error signal in order to rapidly reduce Tavg and prevent actuation of the steam generator safety valves. As the error signal falls below predetermined setpoints, the steam dump controller places the dump valves in the modulating mode to bring Tavg gradually to the no-load value.

Following the reactor trip, the feedwater flow is cut off when the coolant average temperature decreases below a given temperature or when the steam generator water level reaches a given high level.

Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected), which controls the amount of steam flow to the condensers, or by the steam generator PORVs if the condenser is unavailable. This controller operates a portion of the same steam dump valves to the condensers that are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level decrease during the transient because of coolant contraction. The pressurizer level is programmed such that the water level is above the heater cut-out during the loading and unloading transients. If heaters become uncovered following the trip, the CVCS will provide charging flow to restore water level in the pressurizer. Heaters are used to restore pressurizer pressure to normal.

The steam dump and feedwater control systems are designed to prevent the coolant average temperature from falling below the programmed no load temperature following the trip to ensure adequate shutdown margin.
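The two steam dump control modes described in 7.7.2.5 and 7.7.2.6 (Tavg against the programmed reference temperature after a load rejection; Tavg against the no-load setpoint after a reactor trip), gated by the C-7 and C-9 permissives of Table 7.7-1, expressed as an added Python example. This is not TVA or Westinghouse code. The no-load and full-load temperatures, the actuation deadband, the modulating band, the trip-open setpoints, the split of the dump into two equal valve groups, and the way C-7, C-9 and the reactor trip arm the dump are all assumptions for illustration, not Watts Bar setpoints or logic; only the 40% dump capacity is taken from the text.

```python
from dataclasses import dataclass

# Illustrative values only (assumed, not Watts Bar setpoints). Temperatures in degrees F.
NO_LOAD_TAVG = 557.0
FULL_LOAD_TAVG = 588.0
DUMP_CAPACITY = 0.40                 # dump = 40% of full-load steam flow (from 7.7.2.5)
ACTUATE_DEADBAND = 2.0               # assumed: error below this gives no dump demand
MODULATE_BAND = 10.0                 # assumed: modulating valves stroke 0..100% over this error
TRIP_OPEN_SETPOINTS = (10.0, 20.0)   # assumed: error at which valve groups 1 and 2 trip full open
GROUP_FRACTION = 0.5                 # assumed: each tripped group is half the dump capacity


def auctioneer_tavg(loop_tavgs):
    """Auctioneered Tavg: the highest valid loop signal (None marks a failed channel)."""
    valid = [t for t in loop_tavgs if t is not None]
    if not valid:
        raise ValueError("no valid Tavg channel")
    return max(valid)


def programmed_tref(load_fraction):
    """Reference Tavg programmed linearly from no-load to full-load with turbine load."""
    f = min(max(load_fraction, 0.0), 1.0)
    return NO_LOAD_TAVG + f * (FULL_LOAD_TAVG - NO_LOAD_TAVG)


@dataclass(frozen=True)
class DumpDemand:
    mode: str                   # "blocked", "load_rejection" or "plant_trip"
    error: float                # Tavg minus the mode's setpoint, degrees F
    groups_tripped_open: int    # valve groups stroked full open
    modulating_fraction: float  # 0..1 demand to the modulating valves
    steam_flow_fraction: float  # dump flow as a fraction of full-load steam flow


def steam_dump_demand(loop_tavgs, load_fraction, reactor_tripped, c7, c9):
    """Controller logic of 7.7.2.5 / 7.7.2.6 behind the C-7 / C-9 permissives.

    Assumed simplification: the dump is armed either by a reactor trip (plant
    trip mode) or by C-7 (load rejection mode), and in both cases C-9 must be
    made (condenser available); otherwise the valves stay shut.
    """
    tavg = auctioneer_tavg(loop_tavgs)
    if not c9 or not (reactor_tripped or c7):
        return DumpDemand("blocked", 0.0, 0, 0.0, 0.0)
    if reactor_tripped:
        mode, setpoint = "plant_trip", NO_LOAD_TAVG
    else:
        mode, setpoint = "load_rejection", programmed_tref(load_fraction)
    error = tavg - setpoint
    if error < ACTUATE_DEADBAND:
        return DumpDemand(mode, error, 0, 0.0, 0.0)
    # Large error: trip the required number of valve groups full open.
    groups = sum(1 for sp in TRIP_OPEN_SETPOINTS if error >= sp)
    if groups:
        demand = min(1.0, groups * GROUP_FRACTION)
        return DumpDemand(mode, error, groups, 0.0, demand * DUMP_CAPACITY)
    # Small error: modulate the first group in proportion to the error.
    mod = min(1.0, error / MODULATE_BAND)
    return DumpDemand(mode, error, 0, mod, mod * GROUP_FRACTION * DUMP_CAPACITY)


def cooldown_sequence(start_tavg, step, reactor_tripped=True, c9=True):
    """Step Tavg down toward no-load as the rods and heat sink act, returning the
    demand at each step: trip-open groups hand off to modulation as the error
    shrinks, so the artificial load is removed as Tavg is restored (7.7.2.5)."""
    demands = []
    t = start_tavg
    while t >= NO_LOAD_TAVG:
        loops = [t, t - 0.5, t - 0.2, t - 0.8]   # constructed loop signals; auctioneered to t
        demands.append(steam_dump_demand(loops, 0.0, reactor_tripped, True, c9))
        t -= step
    return demands


if __name__ == "__main__":
    for d in cooldown_sequence(588.0, 5.0):
        print(f"{d.mode:>14} error={d.error:5.1f}F groups={d.groups_tripped_open} "
              f"mod={d.modulating_fraction:.2f} flow={d.steam_flow_fraction:.2f}")
```

Running the block prints the plant-trip cooldown from the assumed full-load Tavg: both groups tripped open while the error is large, then one group, then modulation, then no demand once the error is inside the deadband, which is the hand-off the text describes. The `auctioneer_tavg` check refuses to act on an all-failed input rather than treating it as zero error.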

REFERENCES

(1) Blanchard, A. E. and Katz, D. N., "Solid State Rod Control System, Full Length," WCAP-9012-L, March 1970 (Proprietary) and WCAP-7778, December 1971 (Non-Proprietary).

(2) Lipchak, J. B. and Stokes, R. A., "Nuclear Instrumentation System," WCAP-8255, January 1974. (Applicable to Power Range NIS only.)

(3) Blanchard, A. E., "Rod Position Monitoring," WCAP-7571, March 1971.

(4) Not used.

(5) Shopsky, W. E., "Failure Mode and Effects Analysis (FMEA) of the Solid State Full Length Rod Control System," WCAP-8976, August 1977.

(6) Deleted by Amendment 98.

(7) System Description Document Number N3-1-4002, "Main Steam System."

(8) System Description Document Number N3-3A-4002, "Main Feedwater, Feedwater Control, and Injection Water."

(9) System Description Document Number N3-68-4001, "Reactor Coolant System."

(10) System Description Document Number N3-85-4003, "Control Rod Drive System."

(11) System Description Document Number N3-92-4003, "Neutron Monitoring System."

(12) Deleted by Amendment 97.

(13) Design Criteria Number WB-DC-40-57, "Anticipated Transients Without Scram Mitigation System Actuation Circuitry (AMSAC)."

(14) Baker, Tony; Cassidy, Beverly; Freeland, Jim; and Fowler, Steve, "Rod Control System Evaluation Program," WCAP-13864, Rev. 1-A, November 10, 1994.

(15) Nuclear Regulatory Commission Generic Letter 93-04, "Rod Control System Failure and Withdrawal of Rod Control Cluster Assemblies," June 21, 1993.

(16) Westinghouse Electric Company, Nuclear Safety Advisory Letter No. NSAL-01-001, "Rod Withdrawal Speed," February 13, 2001.

(17) CERPI System Requirement Specification WNS-DS-00001-WBT, Rev. 0, August 27, 2008.

Table 7.7-1 Plant Control System Interlocks

Designation / Derivation / Function

C-1
  Derivation: 1/2 Neutron flux (intermediate range) above setpoint
  Function:   Blocks automatic and manual control rod withdrawal

C-2
  Derivation: 1/4 Neutron flux (power range) above setpoint
  Function:   Blocks automatic and manual control rod withdrawal

C-3
  Derivation: 2/4 Overtemperature ΔT above setpoint
  Function:   Blocks automatic and manual control rod withdrawal; actuates turbine runback via load reference

C-4
  Derivation: 2/4 Overpower ΔT above setpoint
  Function:   Blocks automatic and manual control rod withdrawal; actuates turbine runback via load reference

C-5
  Derivation: 1/1 Turbine impulse pressure below setpoint
  Function:   Blocks automatic control rod withdrawal; defeats remote load dispatching

C-7
  Derivation: 1/1 Time derivative (absolute value) of turbine impulse pressure (decrease only) above setpoint
  Function:   Makes steam dump valves available for operation

C-9
  Derivation: 2/2 Condenser pressure below setpoint, and any condenser circulating water pump breaker closed
  Function:   Makes steam dump valves available for operation

C-11
  Derivation: 2/2 Control Bank D rod position above setpoint
  Function:   Blocks automatic rod withdrawal
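The coincidence logic of Table 7.7-1 (1/2, 1/4, 2/4, 1/1 and 2/2 derivations) as a table-driven evaluator, added here as an example; it is not TVA or Westinghouse code. The designations, vote counts and functions are those in the table. How the C-7 and C-9 permissives combine for steam dump availability is not stated on this page, so `steam_dump_permitted` assumes both must be made. The evaluator rejects an input set with the wrong number of channels, or with an interlock missing, instead of counting whatever it was given; that is the check a reviewer would want on any voting logic, since a short input must never satisfy or defeat a vote on its own.

```python
from dataclasses import dataclass

BLOCK_AUTO = "block automatic rod withdrawal"
BLOCK_MANUAL = "block manual rod withdrawal"
RUNBACK = "turbine runback via load reference"
NO_DISPATCH = "defeat remote load dispatching"
DUMP_AVAIL = "steam dump valves available"


@dataclass(frozen=True)
class Interlock:
    derivation: str
    required: int      # m of an m-out-of-n coincidence
    channels: int      # n
    functions: tuple   # outputs asserted when the coincidence is made


# Table 7.7-1. A channel input is True when that channel sees its condition
# (e.g. flux above setpoint). C-9's two "channels" are its two conditions,
# which must both hold.
TABLE_7_7_1 = {
    "C-1": Interlock("Neutron flux (intermediate range) above setpoint", 1, 2, (BLOCK_AUTO, BLOCK_MANUAL)),
    "C-2": Interlock("Neutron flux (power range) above setpoint", 1, 4, (BLOCK_AUTO, BLOCK_MANUAL)),
    "C-3": Interlock("Overtemperature dT above setpoint", 2, 4, (BLOCK_AUTO, BLOCK_MANUAL, RUNBACK)),
    "C-4": Interlock("Overpower dT above setpoint", 2, 4, (BLOCK_AUTO, BLOCK_MANUAL, RUNBACK)),
    "C-5": Interlock("Turbine impulse pressure below setpoint", 1, 1, (BLOCK_AUTO, NO_DISPATCH)),
    "C-7": Interlock("|d/dt| of turbine impulse pressure (decrease only) above setpoint", 1, 1, (DUMP_AVAIL,)),
    "C-9": Interlock("Condenser pressure below setpoint AND a circulating water pump breaker closed", 2, 2, (DUMP_AVAIL,)),
    "C-11": Interlock("Control Bank D rod position above setpoint", 2, 2, (BLOCK_AUTO,)),
}


def coincidence_made(interlock, channel_states):
    """m-out-of-n vote. Exactly n boolean channel states are required; a short,
    long or non-boolean input is rejected rather than silently counted."""
    if len(channel_states) != interlock.channels:
        raise ValueError(f"expected {interlock.channels} channels, got {len(channel_states)}")
    if not all(isinstance(s, bool) for s in channel_states):
        raise ValueError("channel states must be bool")
    return sum(channel_states) >= interlock.required


def all_clear():
    """Input set with every channel of every interlock not made (a starting point to edit)."""
    return {name: [False] * il.channels for name, il in TABLE_7_7_1.items()}


def evaluate_interlocks(channel_inputs):
    """Evaluate the whole table. Every designation must be supplied: a missing
    one is an input error, not 'not made'. Returns (made designations, functions)."""
    missing = set(TABLE_7_7_1) - set(channel_inputs)
    unknown = set(channel_inputs) - set(TABLE_7_7_1)
    if missing or unknown:
        raise ValueError(f"missing {sorted(missing)}, unknown {sorted(unknown)}")
    made, functions = set(), set()
    for name, il in TABLE_7_7_1.items():
        if coincidence_made(il, channel_inputs[name]):
            made.add(name)
            functions.update(il.functions)
    return made, functions


def rod_withdrawal_permitted(functions, automatic):
    """C-1 to C-4 block both modes; C-5 and C-11 block automatic withdrawal only."""
    return (BLOCK_AUTO if automatic else BLOCK_MANUAL) not in functions


def steam_dump_permitted(made):
    """Assumed: both C-7 and C-9 must be made; the table lists each as making the
    valves available but does not say on this page how they combine."""
    return "C-7" in made and "C-9" in made


if __name__ == "__main__":
    inputs = all_clear()
    inputs["C-3"] = [True, True, False, False]   # constructed: two OTdT channels tripped
    made, fns = evaluate_interlocks(inputs)
    print(sorted(made), sorted(fns))
    print("auto withdrawal permitted:", rod_withdrawal_permitted(fns, automatic=True))
```

With two of four C-3 channels made the block and runback functions assert; with one of four nothing asserts, which is the single-channel-failure tolerance the 2/4 derivation is there to give.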


Figure 7.7-1 Simplified Block Diagram of Reactor Control System

Figure 7.7-2 Control Bank Rod Insertion Monitor

Figure 7.7-3 Rod Deviation Comparator

Figure 7.7-4 Block Diagram of Pressurizer Pressure Control System

Figure 7.7-5 Block Diagram of Pressurizer Level Control System

Figure 7.7-6 Block Diagram of Steam Generator Water Level Control System

Figure 7.7-7 Block Diagram of Main Feedwater Pump Speed Control System

Figure 7.7-8 Block Diagram of Steam Dump Control System

Figure 7.7-9 Incore Instrumentation System

Figure 7.7-10 Typical Location of Control Board Systems

Figure 7.7-11 Simplified Block Diagram of Rod Control System

Figure 7.7-12 Control Bank D Partial Simplified Schematic Diagram, Power Cabinets 1BD and 2BD

7A INSTRUMENTATION IDENTIFICATIONS AND SYMBOLS

A standard set of instrumentation symbols and identifications is provided in this appendix to aid in the interpretation of the control and logic diagrams in figures reproduced from TVA drawings in this FSAR. A figure made from a TVA drawing can be identified by the words "TVA DWG" followed by a series of numbers in the title block of the figure.

The identifications and symbols include the following designations:

(1) Instrument identification letters.

(2) Process system numbers.

(3) Flow and control diagram symbols.

(4) Basic instrumentation and radiation symbols.

(5) Basic digital logic symbols.

7A.1 IDENTIFICATION SYSTEM

Each instrument is identified by a series of letters and numbers that designate the function, the process system, and the control loop.

7A.1.1 FUNCTIONAL IDENTIFICATION

The functional identification of an instrument consists of letters from Figure 7A-1 and generally includes one uppercase first letter covering the measured or initiating variable, and one or more uppercase succeeding letters covering the function of the individual instrument. The exceptions to this rule are as follows:

(1) The use of chemical symbols (e.g. pH, Cu, Na) as a first letter entity to better identify some of the measured variables.

(2) The use of An and Px in the succeeding letters to identify analyzer and power supply, respectively.

7A.1.1.1 Principal Function

The functional identification of an instrument is made according to the principal function and not according to the construction. Thus, a differential pressure transmitter used for flow measurement is identified as an FT, not a PdT. A pressure indicator and a pressure switch connected to the output of a pneumatic level transmitter are identified as LI and LS, respectively. (Note: An instrument so identified may also have secondary purposes, e.g., a signal originating from a pressure transmitter that is proportional to pressure may also be used as an inferred measurement of temperature.)

7A.1.1.2 Measured Variable

In an instrument loop, the first letter of the functional identification indicates the measured (initiating) variable, not the inferred variable or the manipulated variable. Thus a control valve varying flow according to the dictates of a level controller is an LCV, not an FCV. Also, if two or more measured-variable signals are combined to control a particular variable, the instrument processing the combined signals is identified in accordance with the controlled variable (e.g., cascade control).

7A.1.1.3 Readout or Passive Functions

The one or more succeeding letters of the functional identification designate one or more readout or passive functions, or output functions, or both. The readout or passive functional letters, such as R for recording and I for indicating, follow the first letter in sequence. The output functional letters, such as C for control and S for switch, follow these in sequence, except that output letter C (control) shall precede output letters V (valve) and O (operator), e.g., HCV, a hand-actuated control valve. If there are no readout or passive functional letters, the output functional letters follow the first letter directly in sequence.

7A.1.1.4 Modifying Letters

Modifying letters may modify either a first letter or the succeeding letters, as applicable. Modifying letters, if used, are placed immediately following the letter they modify, except that S for solenoid precedes output letter V (valve), e.g., FSV designates a solenoid-actuated flow valve.

7A.1.1.5 Tagging Symbols

An instrument tagging designation on a control diagram may be drawn with as many circular tagging symbols as there are measured variables or outputs. Thus, a recorder charting temperature and flow may be identified by two tangent circles where possible, one inscribed TR-3-31 and the other FR-3-31. The instrument would then be designated T/FR-3-31.

7A.1.1.6 Special Identifying Letters

The measured variable letter X (special) has been included in Figure 7A-1 to cover unlisted variables that are used to a limited extent. It may also be used for an instrument function. Therefore, the letter may have any number of meanings as a first letter and any number of meanings as a succeeding letter.

Any first letter, if used in combination with the modifying letter d (differential), represents, as shown on Figure 7A-1 for pressure differential, a new and separate measured variable, and the combination shall be treated as a first-letter entity. Thus, instruments PdI and PI measure two different variables, namely differential pressure and pressure.

7A.1.1.7 Pilot Lights

A pilot light that serves only as position indication, power available, or alarm is not always identified. A pilot light that is part of an instrument loop, if numbered, is identified by a first letter Z or X (zone, position, or special) followed by a succeeding letter I or A (I, indicating; A, alarm).

7A.1.2 SYSTEM IDENTIFICATION

The system identification of an instrument uses a number assigned to the process system of which the instrument is a part. Each process system, e.g., feedwater, extraction steam, reactor coolant system, has been assigned a system identification number.

7A.1.2.1 Identification Numbers

The system identification numbers are listed in Figure 7A-2. The system identification number follows the succeeding letters of the functional identification and is separated from them by a hyphen.

7A.1.2.2 Instruments Common to Multiple Process Systems

If an instrument is common to two or more process systems, it is assigned to the one for which it is performing its principal function.

7A.1.3 LOOP IDENTIFICATION

The control loop identification of an instrument generally uses a number assigned to the control loop of which the instrument is a part. There may be one or many instrument control loops in a process system; however, each control loop has a unique number.

7A.1.3.1 Instruments Common to Multiple Control Loops

If an instrument is common to two or more control loops, it is assigned to the loop for which it is performing its principal function.

7A.1.3.2 Multiple Instruments with a Common Function

If a given loop has more than one instrument with the same functional identification, a suffix letter or number is appended to the loop number, e.g., FCV-3-10A, FCV-3-10B.
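The identification scheme of 7A.1.1 through 7A.1.3 (first-letter entity, succeeding letters with their ordering rules, system number, loop number, suffix, and the shared T/FR tagging form) as a parser, added here as an example; it is not TVA code and Figure 7A-1, the authoritative letter table, is not reproduced in this text, so the letter vocabularies below are deliberately partial and built only from the examples on this page. The ordering checks (readout letters before output letters, C before V and O, S before V meaning solenoid) are the rules of 7A.1.1.3 and 7A.1.1.4; a tag that violates them is rejected rather than guessed at, which is what you want when tags are keys into a drawing or a plant database.

```python
import re
from dataclasses import dataclass

# Letter meanings taken from the examples in 7A.1.1; Figure 7A-1 is the full table.
FIRST_LETTERS = {"F": "flow", "P": "pressure", "L": "level", "T": "temperature",
                 "H": "hand", "Z": "zone/position", "X": "special",
                 "pH": "pH", "Cu": "copper", "Na": "sodium"}
FIRST_MODIFIERS = {"d": "differential"}
READOUT = {"R": "recording", "I": "indicating", "A": "alarm"}
OUTPUT = {"C": "control", "S": "switch", "V": "valve", "O": "operator", "T": "transmitter"}
SPECIAL_SUCCEEDING = {"An": "analyzer", "Px": "power supply"}
# <function letters>-<system number>-<loop number><optional suffix>, e.g. FCV-3-10A
TAG_RE = re.compile(r"^(?P<func>[A-Za-z/]+)-(?P<system>\d+)-(?P<loop>\d+)(?P<suffix>[A-Z0-9]*)$")
TOKEN_RE = re.compile(r"[A-Z][a-z]*")   # one uppercase letter plus its lowercase modifiers


@dataclass(frozen=True)
class InstrumentTag:
    first_letters: tuple   # measured/initiating variable entities, ("T", "F") for T/FR
    succeeding: tuple      # function tokens in order, ("C", "V") for FCV
    system: int            # process system number (Figure 7A-2)
    loop: int              # control loop number
    suffix: str            # distinguishes same-function instruments in a loop (7A.1.3.2)

    def expand(self):
        """Shared tag to its individual tags: T/FR-3-31 -> TR-3-31, FR-3-31 (7A.1.1.5)."""
        tail = "".join(self.succeeding)
        return [f"{f}{tail}-{self.system}-{self.loop}{self.suffix}" for f in self.first_letters]

    def describe(self):
        """Plain-words meaning, e.g. PdI -> 'differential pressure indicating'."""
        variables = []
        for f in self.first_letters:
            if f in FIRST_LETTERS:
                variables.append(FIRST_LETTERS[f])
            else:   # first letter carrying a modifier, e.g. Pd
                mods = " ".join(FIRST_MODIFIERS[c] for c in f[1:])
                variables.append(f"{mods} {FIRST_LETTERS.get(f[0], f[0])}")
        funcs = []
        for i, tok in enumerate(self.succeeding):
            nxt = self.succeeding[i + 1] if i + 1 < len(self.succeeding) else None
            if tok == "S" and nxt == "V":   # S immediately before V is solenoid (7A.1.1.4)
                funcs.append("solenoid")
            else:
                funcs.append(SPECIAL_SUCCEEDING.get(tok) or READOUT.get(tok) or OUTPUT[tok])
        return " / ".join(variables) + " " + " ".join(funcs)


def _split_first_letter(text):
    """(first-letter entity, remainder). Chemical symbols and a letter with the d
    modifier are single entities (7A.1.1 exception 1, 7A.1.1.6)."""
    for chem in ("pH", "Cu", "Na"):
        if text.startswith(chem):
            return chem, text[len(chem):]
    m = TOKEN_RE.match(text)
    if not m:
        raise ValueError(f"no first letter in {text!r}")
    entity = m.group(0)
    bad = [c for c in entity[1:] if c not in FIRST_MODIFIERS]
    if bad:
        raise ValueError(f"unknown first-letter modifier {bad} in {entity!r}")
    return entity, text[m.end():]


def _parse_succeeding(text):
    """Tokenise succeeding letters and enforce 7A.1.1.3: readout letters precede
    output letters, and C precedes V and O."""
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != text:
        raise ValueError(f"malformed succeeding letters {text!r}")
    seen_output = False
    for tok in tokens:
        if tok in SPECIAL_SUCCEEDING:
            continue
        if tok in READOUT:
            if seen_output:
                raise ValueError(f"readout letter {tok} after an output letter in {text!r}")
        elif tok in OUTPUT:
            seen_output = True
        else:
            raise ValueError(f"unknown succeeding letter {tok!r} in {text!r}")
    for out in ("V", "O"):
        if "C" in tokens and out in tokens and tokens.index("C") > tokens.index(out):
            raise ValueError(f"C must precede {out} in {text!r}")
    return tuple(tokens)


def parse_tag(tag):
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a <function>-<system>-<loop>[suffix] tag: {tag!r}")
    parts = m.group("func").split("/")
    first, rest = _split_first_letter(parts[-1])
    shared = []
    for p in parts[:-1]:   # T/FR: leading entities share the succeeding letters
        entity, leftover = _split_first_letter(p)
        if leftover:
            raise ValueError(f"shared-tag prefix {p!r} must be a single first-letter entity")
        shared.append(entity)
    succeeding = _parse_succeeding(rest)
    if not succeeding:
        raise ValueError(f"{tag!r} has no succeeding (function) letters")
    return InstrumentTag(tuple(shared + [first]), succeeding,
                         int(m.group("system")), int(m.group("loop")), m.group("suffix"))
```

`parse_tag("T/FR-3-31").expand()` gives the two individual tags of the shared tagging symbol, and `parse_tag("FVC-3-10")` is rejected because C must precede V. Extending the parser to the full Figure 7A-1 vocabulary is a matter of filling the dictionaries; the ordering logic does not change.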

7A.2 SYMBOLS

The symbols used to depict the instrumentation on flow, control, and logic diagrams and other drawings are illustrated in the following figures:

Figure 7A-3 Flow and Control Diagram Symbols
Figure 7A-4 Basic Instrumentation and Radiation Symbols
Figure 7A-5 Application of Basic Instrumentation Symbols
Figure 7A-6 Digital Logic Symbols

The flow diagram symbols for valves, valve operators, and miscellaneous devices most frequently used by TVA are shown in Figure 7A-3.

7A.2.1 INSTRUMENT SYMBOL

The circular symbol shown in Figure 7A-4 is the basic instrumentation symbol. It is used to depict the instrument proper and most other instrumentation items. It is also used as a "flag" to enclose identifications and point out items, such as valves, which have their own pictorial symbols. Typical applications of the instrumentation symbols are shown in Figure 7A-5.

REFERENCES

None.

Figure 7A-1 Instrumentation Symbols and Tabulation from TVA DS E18.3.3

Figure 7A-2 Mechanical System Identification Numbers

Figure 7A-3 Mechanical Flow and Control Diagram Symbols

Figure 7A-4 Mechanical Basic Instrumentation and Radiation Symbols

Figure 7A-5 Mechanical Application of Basic Instrumentation Symbols

Figure 7A-6 Mechanical Digital Logic Symbols (and/or)