ML21294A188

0 to Updated Final Safety Analysis Report, Section 7.2, Reactor Trip System -(Reactor Protection System) - Instrumentation and Controls
Site: Susquehanna
Issue date: 10/12/2021
From: Talen Energy, Susquehanna
To: Office of Nuclear Reactor Regulation
Shared Package: ML21294A245
References: PLA-7935


Text

SSES-FSAR Text Rev. 66

7.2 REACTOR TRIP SYSTEM - (REACTOR PROTECTION SYSTEM) - INSTRUMENTATION AND CONTROLS

7.2.1 DESCRIPTION

7.2.1.1 System Description

7.2.1.1.1 Identification

The reactor protection system includes the motor-generator power supplies, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the process computer system and annunciators, although these latter two systems are not part of the reactor protection system. Trip signals are received from the neutron monitoring system; however, other portions of this system are treated in Sections 7.5, 7.6, and 7.7.

7.2.1.1.2 Classification

The reactor protection system (RPS) is classified as safety Class 2, Seismic Category I, and quality Group B - Electric Safety Class 1E with the exception of the motor-generator power supplies which are non-Class 1E (see Section 3.2). RPS circuits located within the turbine building (a non-Seismic Category I structure) are designed to meet the requirements of IEEE STD. 279, except for seismic design criteria. (This has been favorably evaluated by the NRC on GESSAR-238 Nuclear Island Standard Design, Docket #STN 50-447, SER - Supplement No. 1, Sections 7.2 and 15.5.)

7.2.1.1.3 Power Sources

The reactor protection system receives power from two high inertia AC motor-generator sets (Dwg. M1-C72-2, Sh. 1). A flywheel provides high inertia sufficient to maintain voltage and frequency within 5% of rated values for at least 1 second for switching or other transients of short duration on the input power to the drive motor. For a loss of power, the electrical distribution system acts very quickly to dynamically brake the rotating MG Set and trip the generator output breaker.

Alternate power is available to either reactor protection system bus. The alternate power switch is interlocked to prevent simultaneous feeding of both buses from the alternate sources. The switch also prevents paralleling of a motor-generator set with the alternate supply. The station batteries supply DC power to the backup scram valve solenoids.

An electrical protection assembly (EPA) consisting of Class 1E protective circuitry is installed between the reactor protection system and each of the power sources (two reactor protection system motor/generator sets and two alternate voltage supplies). The EPA provides redundant protection to the RPS and other systems which receive power from the RPS busses by acting to disconnect the RPS from the power source circuits. See Subsection 8.3.1.6 for a discussion of the RPS power supply.

FSAR Rev. 65 7.2-1

7.2.1.1.4 Equipment Design

7.2.1.1.4.1 General

Trip systems are designated A or B. Trip system A is comprised of instrument channels A, C, E and G; logics A1 and A2; and the A scram solenoids. Trip system B comprises instrument channels B, D, F and H; logics B1 and B2; and the B scram solenoids. During normal operation, all sensor and trip contacts essential to safety are closed, and channel logics and actuators are energized. In contrast, however, trip contact bypass channels are normally de-energized.

Table 7.2-1 lists the specifications for instruments that provide signals for the system. Figure 7.2-2 summarizes the reactor protection system signals that cause a scram.

The functional arrangement of sensors and channels that constitutes a single logic is shown in Figure 7.2-3. When a channel sensor contact opens, its sensor relay de-energizes its actuators which de-energizes the scram pilot valve solenoids associated with that actuator logic. However, the other scram pilot valve solenoid for each rod must also be de-energized before the rods will be scrammed.

There is one pilot scram valve and two scram valve solenoids for each control rod arranged as shown in Dwgs. M1-C72-2, Sh. 1, M1-C72-2, Sh. 2, M1-C72-2, Sh. 3, and M1-C72-2, Sh. 4.

Each pilot scram valve is solenoid operated with normally energized solenoids. The pilot scram valve controls the air supply to the scram valves for each control rod. With either pilot scram valve solenoid energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive water. As shown in Figure 7.2-4, one of the scram pilot valve solenoids for each control rod is controlled by Actuator Logic A, the other solenoid by Actuator Logic B.

When both actuator logics are tripped, air is vented from the scram valve and allows control rod drive water to act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume.

To restore the reactor protection system to normal operation following any single actuator logic trip or a scram, the actuators must be reset manually. After a 10-second delay, reset is possible only if the conditions that caused the scram have been cleared. The actuators are reset by operating a switch in the main control room. Figure 7.2-5 shows the functional arrangement of reset contacts for Actuator Logic A.

There are two DC solenoid operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for each backup scram valve is energized, the backup scram valves vent the air supply for the scram valve.

This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valves are energized (initiate scram) when Trip Systems A and B are both tripped.


7.2.1.1.4.2 Initiating Circuits

The reactor protection system scram functions shown in Figure 7.2-2 are discussed in the following paragraphs.

a) Neutron Monitoring System

Neutron monitoring system instrumentation is described in Section 7.6 clarifies the relationship between neutron monitoring system channels, neutron monitoring system logics, and the reactor protection system logics. The neutron monitoring system channels are considered to be part of the neutron monitoring system; however, the neutron monitoring system logics are considered to be part of the reactor protection system. Each neutron monitoring system logic receives signals from one IRM channel and one APRM/OPRM 2-Out-of-4 Voter channel. The position of the mode switch determines which input signals will affect the output signal from the logic.

The neutron monitoring system logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. Each reactor protection system logic receives inputs from two neutron monitoring system logics.

1) IRM System Logic

The IRMs monitor neutron flux between the upper portion of the SRM range to the lower portion of the APRM subsystems. The IRM detectors can be positioned in the core by remote control. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor reaches a predetermined power level within the power range. The IRM is able to generate a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range.

The IRM is divided into two groups of IRM channels arranged in the core as shown in Figure 7.6-3. Four IRM channels are associated with one of the two trip systems of the reactor protection system. Two IRM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining two channels are installed in a separate bay of the cabinet. Full-length side covers isolate the cabinet bays. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring.

Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on three conditions: (1) when the high voltage drops below a preset level, (2) when one of the modules is not plugged in, or (3) when the OPERATE-CALIBRATE switch is not in the OPERATE position.

Each of the other trip circuits can be specified to trip when preset downscale or upscale levels are reached.

The trip functions actuated by the IRM trips are indicated in Table 7.6-3. The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram (Dwg. M1-C51-2, Sh. 1). Subsection 7.7.1.2 describes the IRM rod block trips. With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates a neutron monitoring system trip of the reactor protection system. Only one of the IRM channels must trip to initiate a neutron monitoring system trip of the associated trip system of the reactor protection system.

2) APRM/OPRM System Logic

The APRM channels, which include OPRM logic, receive input signals from the LPRM detectors and provide a continuous indication of average reactor power from a few percent to greater than rated reactor power.

The APRM/OPRM subsystem has sufficient redundant channels to meet industry and regulatory safety criteria. Under the worst permitted input LPRM bypass conditions, the APRM/OPRM subsystem is capable of generating a scram trip signal before the average neutron flux or the magnitude of any thermal-hydraulic instability caused power oscillations increase to the point where fuel damage is probable.

The digital electronics for each APRM channel, via APRL interface hardware, provides trip signals directly to the Reactor Manual Control System (RMCS) and via the APRM 2-out-of-4 voter channels to the Reactor Protection System (RPS). An APRM upscale trip or inoperative in any two unbypassed APRM channels can initiate an RPS trip in both RPS trip systems. Similarly, an OPRM trip from any two unbypassed APRM channels can initiate an RPS trip in both RPS trip systems. Any single APRM upscale trip or inoperative or OPRM trip will not initiate an NMS trip in the RPS. Table 7.6-4 itemizes the APRM system trip functions.

Any one unbypassed APRM can initiate a rod block, depending upon the position of the reactor mode switch. Section 7.7.1.2 describes the APRM rod block functions.

The APRM Simulated Thermal Power - Upscale rod block and the APRM Simulated Thermal Power - Upscale scram trip setpoints vary as a function of reactor recirculation loop flow. The OPRM trip output to the RPS is automatically bypassed when the reactor is operating below the lower power limit or above the upper flow limit of the OPRM trip enabled region, the limits for which are defined in Technical Specifications. The trip setpoints are given in the plant Technical Requirements Manual.

Manually moving the reactor mode switch out of the RUN position to any other position causes the APRM rod block and APRM neutron flux scram setpoints to be lowered. The manual positioning of the reactor mode switch is governed by the standard reactor startup (shutdown) procedure. The operator can bypass the trips from any one APRM channel, but only one APRM channel may be bypassed at any time. No APRM voter channels may be bypassed.

b) Reactor Pressure

Reactor pressure is measured at two locations. A pipe from each location is routed through the primary containment and terminates in the reactor building. Two local panel mounted, non-indicating pressure switches monitor the pressure in each pipe. Cables from these switches are routed to the control room. One pair of the switches is physically separated from the other pair. Each switch provides a high pressure signal to one channel. The switches are arranged so that two switches provide an input to Trip System A while the two remaining switches provide an input to Trip System B as shown in Figure 7.2-3. The physical separation and the signal arrangement ensure that no single physical event can prevent a scram caused by reactor vessel high pressure.

The environmental conditions for RPS are described in Section 3.11. The piping arrangement of the reactor pressure sensors is shown on Dwgs. M-141, Sh. 1, and M-142, Sh. 1.

The discussion of diversity for reactor vessel high pressure is provided in Subsection 7.2.1.1.4.5.

c) Reactor Vessel Water Level

Reactor vessel low water level signals are initiated from indicating type differential pressure switches which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The switches are arranged on two sets of taps in the same way as the nuclear system high pressure switches (Figure 7.2-3). Two instrument lines attached to taps, one above and one below the water level on the reactor vessel, are required for the differential pressure measurement for each switch. The two pairs of lines terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. Other systems sense pressure and level from these same pipes. The physical separation and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level.

Diversity of trip initiation for breaks in the primary pressure boundary is provided by reactor vessel low water level trip signals and high drywell pressure trip signals. If a break in the primary system boundary were to occur, a volume of primary coolant would be released to the drywell in the form of steam. This release would cause reactor vessel water level to decrease and drywell pressure to increase resulting in independent protective action initiation. These variables are independent of one another and provide diverse protective action for this condition.

Environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the reactor vessel low water level sensors is shown on Dwgs. M-141, Sh. 1, and M-142, Sh. 1.

d) Turbine Stop Valve

Turbine stop valve closure inputs to the reactor protection system come from position switches mounted on the four turbine stop valves. Each of the double-pole, single-throw switches opens before the valve is more than 10% closed to provide the earliest positive indication of closure. Either of the two channels associated with one stop valve can signal valve closure, as shown in Figure 7.2-7. The logic is arranged so that closure of three or more valves initiates a scram.

Turbine stop valve closure trip channel operating bypasses are described in Section 7.2.1.1.4.4.2.

Diversity of trip initiation for increases in reactor vessel pressure due to termination of steam flow by turbine stop valve or control valve closure is provided by reactor vessel high pressure trip signals. A closure of the turbine stop valves or control valves at steady state conditions would result in an increase in reactor vessel pressure. If a scram was not initiated from these closures, a scram would occur from high reactor vessel pressure.

Reactor vessel high pressure is an independent variable for this condition and provides diverse protective action.

The environmental conditions for the RPS are described in Section 3.11.

e) Turbine Control Valve

Turbine control valve fast closure inputs to the reactor protection system come from oil line pressure switches on each of four fast acting control valve hydraulic mechanisms. These hydraulic mechanisms are part of the turbine control and are used to effect fast closure of the turbine control valves. These pressure switches provide signals to the reactor protection system. If hydraulic oil line pressure is lost, a turbine control valve fast closure scram is initiated.

Turbine control valve fast closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.2.

The discussion of diversity for turbine control valve fast closure is the same as that for turbine stop valve closure provided in Subsections 7.2.1.1.4.2(d) and 7.2.1.1.4.5.

The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the turbine control valve fast closure pressure switch is shown on Dwg. M1-C72-2, Sh. 3.

f) Main Steamline Isolation Valves

Position switches mounted on the eight main steamline isolation valves signal main steamline isolation valve closure to the reactor protection system. Each of the double-pole, single-throw switches is arranged to open before the valve is more than 10% closed to provide the earliest positive indication of closure. Either of the two channels associated with one isolation valve can signal valve closure. To facilitate the description of the logic arrangement, the position-sensing channels for each valve are identified and assigned to reactor protection system logics as follows:

Valve Identification               Position-Sensing Channels   Trip Channel Relays   Trip Logic Assignment
Main steamline A, inboard valve    F022A (1) and (2)           A, B                  A1, B1
Main steamline A, outboard valve   F028A (1) and (2)           A, B                  A1, B1
Main steamline B, inboard valve    F022B (1) and (2)           E, D                  A1, B2
Main steamline B, outboard valve   F028B (1) and (2)           E, D                  A1, B2
Main steamline C, inboard valve    F022C (1) and (2)           C, F                  A2, B1
Main steamline C, outboard valve   F028C (1) and (2)           C, F                  A2, B1
Main steamline D, inboard valve    F022D (1) and (2)           G, H                  A2, B2
Main steamline D, outboard valve   F028D (1) and (2)           G, H                  A2, B2

Thus, each logic receives signals from the valves associated with two steamlines (see Figure 7.2-8). The arrangement of signals within each logic requires closing of at least one valve in each of the steamlines associated with that logic to cause a trip of that logic. For example, closure of the inboard valve of steamline A and the outboard valve of steamline C causes a trip of logic B1. This, in turn, causes Trip isolation of two steamlines causing a scram due to valve closure. Closure of one valve in three or more steamlines causes a scram. Wiring for the position sensing channels from one position switch is physically separated in the same way that wiring to duplicate sensors on a common process tap is separated. The wiring for position-sensing channels feeding the different trip logics of one trip system is also separated.

Main steamline isolation valve closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.3.

Diversity of trip initiation for increases in reactor vessel pressure due to main steam isolation is provided by reactor vessel high pressure trip signals. A closure of the MSIVs at steady state conditions would cause an increase in reactor vessel pressure. If a scram was not initiated from MSIV closure, a scram would occur from high reactor vessel pressure.

These variables are independent and provide diverse protective action for this condition.

The environmental conditions for the RPS are described in Section 3.11.

g) Scram Discharge Volume

Four non-indicating level switches (one for each channel) and four level indicating switch (trip unit) transmitter combinations (one transmitter trip unit combination for each channel) provide scram discharge volume (SDV) high water level inputs to the four RPS channels.

This arrangement provides sensor diversity, as well as redundancy, to assure that no single event could prevent a scram caused by SDV high water level. An automatic scram is initiated at a predetermined water level when sufficient SDV capacity still remains to accommodate a scram.

Scram discharge volume water level trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.4.

The scram discharge volume function is to receive water which is discharged from the control rod drives during a scram. If at the completion of the scram the level of water in the scram discharge volume is greater than the trip setting, the RPS cannot be reset until the discharge volume has been drained. In addition, as described in the previous paragraph, the trip setting has been selected such that sufficient volume would be available to receive a full discharge of CRD water in the event that the scram discharge volume high level trip does not occur and subsequent scram protection is required.

The environmental conditions for the RPS are described in Section 3.11. The piping arrangement of the scram discharge volume level sensors is shown on Dwgs. M-146, Sh. 1, and M-147, Sh. 1.

h) Drywell Pressure

Drywell pressure is monitored by four non-indicating pressure switches mounted on instrument racks outside the drywell in the secondary containment. Pipes that terminate in the secondary containment connect the switches with the drywell interior. The switches are physically separated and electrically connected to the reactor protection system so that no single event will prevent a scram caused by drywell high pressure. Cables are routed from the switches to the main control room. Each switch provides an input to one channel (see Figure 7.2-3).

The discussion of diversity for high drywell pressure is provided in Subsection 7.2.1.1.4.5.

The environmental conditions of the RPS are described in Section 3.11.

i) Manual Scram

A scram can be initiated manually. There are four scram buttons, one for each division logic (A1, A2, B1, and B2). To initiate a manual scram, at least one button in each trip system must be depressed. The manual scram logic is the same as the automatic scram logic. The manual scram buttons are arranged in two groups of two switches. One group contains the A1 and B1 switches and A2 and B2 are in the other group. The switches in each group are located close enough to permit one hand motion to initiate a scram. By operating the manual scram button for one logic at a time and then resetting that logic, each actuator logic can be tested for manual scram capability. The reactor operator also can scram the reactor by interrupting power to the reactor protection system or by placing the mode switch in its shutdown position.

7.2.1.1.4.3 Logic

The basic logic arrangement of the reactor protection system is illustrated in Dwg. M1-C72-2, Sh. 1. The system is arranged as two separately powered trip systems. Each trip system has two logics as shown in Figure 7.2-4. Each logic receives input signals from at least one channel for each monitored variable. At least four channels for each monitored variable are required, one for each of its four automatic or manual logics.

Channel and logic relays are fast-response, high-reliability relays. Power relays for interrupting the scram pilot valve solenoids have high current carrying capabilities and are highly reliable. All reactor protection system relays are selected so that the continuous load will not exceed 50% of the continuous duty rating. The time requirements for control rod movement are discussed in Subsection 4.6.3.

The time response for RPS sensor and sensor trip to actuators de-energized is provided in FSAR Table 7.3-28.

Each logic provides two inputs into each of the actuator logics of one trip system as shown in Figure 7.2-5. Thus, either of the two logics associated with one trip system can produce a trip-system trip. The logic is a one-out-of-two twice arrangement. To produce a scram, the actuator logics of both trip systems must be tripped. The overall logic of the reactor protection system is termed "one-out-of-two taken twice."
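The one-out-of-two taken twice rule above, combined with the MSIV assignment table in 7.2.1.1.4.2(f), can be checked exhaustively over all 256 valve states. The following Python sketch is an added example, not part of the FSAR or of any plant software; its function and variable names are hypothetical, and it assumes, as the text states, that a steamline counts as isolated when either of its two valves is closed and that a logic trips only when both of its steamlines are isolated.

```python
"""Added illustration: MSIV-closure scram logic per FSAR 7.2.1.1.4.2(f) and 7.2.1.1.4.3."""
from itertools import combinations

# steamline -> (inboard valve, outboard valve, RPS logics that line feeds),
# transcribed from the valve assignment table in 7.2.1.1.4.2(f).
STEAMLINES = {
    "A": ("F022A", "F028A", ("A1", "B1")),
    "B": ("F022B", "F028B", ("A1", "B2")),
    "C": ("F022C", "F028C", ("A2", "B1")),
    "D": ("F022D", "F028D", ("A2", "B2")),
}

# One-out-of-two taken twice: either logic trips its trip system,
# and both trip systems must trip to produce a scram.
TRIP_SYSTEMS = {"A": ("A1", "A2"), "B": ("B1", "B2")}

ALL_VALVES = sorted(v for inb, outb, _ in STEAMLINES.values() for v in (inb, outb))


def isolated_lines(closed_valves):
    """Steamlines with at least one closed isolation valve."""
    closed = set(closed_valves)
    unknown = closed - set(ALL_VALVES)
    if unknown:
        raise ValueError(f"unknown valve id(s): {sorted(unknown)}")
    return {
        line
        for line, (inboard, outboard, _) in STEAMLINES.items()
        if inboard in closed or outboard in closed
    }


def tripped_logics(closed_valves):
    """Logics whose two associated steamlines are both isolated."""
    isolated = isolated_lines(closed_valves)
    feeds = {}  # logic -> set of steamlines wired into it
    for line, (_, _, logics) in STEAMLINES.items():
        for logic in logics:
            feeds.setdefault(logic, set()).add(line)
    return {logic for logic, lines in feeds.items() if lines <= isolated}


def tripped_systems(closed_valves):
    """Trip systems with at least one tripped logic (one-out-of-two)."""
    logics = tripped_logics(closed_valves)
    return {
        system
        for system, members in TRIP_SYSTEMS.items()
        if any(member in logics for member in members)
    }


def scram(closed_valves):
    """Full scram requires both trip systems tripped (taken twice)."""
    return tripped_systems(closed_valves) == set(TRIP_SYSTEMS)


def check_three_line_claim():
    """Enumerate every valve state and compare the modelled scram output
    with the rule 'one valve closed in three or more steamlines'.
    Returns (number of scram states, list of states where they disagree)."""
    scram_states = 0
    mismatches = []
    for n in range(len(ALL_VALVES) + 1):
        for combo in combinations(ALL_VALVES, n):
            expected = len(isolated_lines(combo)) >= 3
            actual = scram(combo)
            scram_states += actual
            if actual != expected:
                mismatches.append(combo)
    return scram_states, mismatches


if __name__ == "__main__":
    example = {"F022A", "F028C"}  # the example pair named in the text
    print("logics tripped:", sorted(tripped_logics(example)))
    print("trip systems tripped:", sorted(tripped_systems(example)))
    print("scram:", scram(example))
    print("exhaustive check:", check_three_line_claim())
```

In this model, closing both valves in a single steamline trips no logic, and isolating steamline pairs A and D or B and C trips no trip system at all, which is why the three-steamline threshold holds for every combination.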

Diversity of variables is provided for the RPS but not in the logic. One-out-of-two twice logic is utilized, but the logic channels are identical. Diversity would imply the use of different types of logic of each channel.

The RPS reset switch is used to momentarily bypass the seal-in contacts of the final actuators of the reactor shutdown system. The reset is effected in conjunction with auxiliary relays. If a single channel is tripped, the reset is accomplished immediately upon operation of the reset switch. On the other hand, if a reactor scram condition is present, manual reset is prohibited for a 10-second period to permit the control rods to achieve their fully inserted position.

7.2.1.1.4.4 Scram Operating Bypasses

A number of manual and automatic scram bypasses are provided to accommodate the varying protection requirements that depend on reactor conditions.

All manual bypass switches are in the main control room under the direct control of the main control room operator. The bypass status of trip system components is continuously indicated in the main control room.

7.2.1.1.4.4.1 Neutron Monitoring System

Bypasses for the neutron monitoring system channels and are described below.

The neutron monitoring scram logic trip outputs for IRM and APRM/OPRM can be bypassed by hand operated keylocked selector switches located on the reactor control benchboard in the main control room.

The bypasses for APRM channels 1, 2, 3 & 4 are controlled by one fiber-optic selector switch. Bypassing an APRM channel also bypasses the associated OPRM channel.

None of the four APRM 2-out-of-4 voter channels can be bypassed. The bypasses for IRM channels A, C, E and G are controlled by one selector switch and the bypasses for IRM channels B, D, F and H are controlled by a separate second selector switch.

Each APRM or IRM bypass switch can bypass only one NMS channel at any time.

Bypassing an APRM/OPRM or an IRM channel will not inhibit the neutron monitoring system from providing protective action when required.

7.2.1.1.4.4.2 Turbine Stop Valve and Turbine Control Valve Fast Closure

Turbine first stage pressure is sensed from two physically separate and redundant pressure taps.

Each pressure tap is piped to two pressure switches which sense first stage pressure.

Redundancy has been achieved by connecting one pressure switch output in parallel with each of the turbine stop valve and turbine control valve fast closure trip contacts in each of four scram logic channels.

The turbine stop valve closure scram and turbine control valve fast closure scram are automatically bypassed if the turbine first stage pressure is less than 26% of the rated power. Closure of these turbine valves below a low initial power level does not threaten the integrity of any radioactive material release barrier. Turbine stop valve closure and turbine control valve fast closure trip bypass is effected by four pressure switches associated with the turbine first stage. Any one channel in a bypass state produces a control room annunciation.

The switches are arranged so that no single failure can prevent a turbine stop valve closure scram or turbine control valve fast closure scram. In addition, this bypass is automatically removed when the turbine first stage pressure exceeds the setpoint corresponding to 26% of rated power.

7.2.1.1.4.4.3 Main Steamline Isolation Valves

At plant shutdown and during plant startup, a bypass is required for the main steamline isolation valve closure scram trip in order to properly reset the Reactor Protection System. This bypass has been designed to be in effect when the mode switch is in the shutdown, refuel or startup position.

The bypass allows plant operation when the main steam line isolation valves are closed during low power operation. The bypass is removed when the mode switch is placed on RUN.

The discussion of diversity for main steamline isolation valve closure is provided in Subsections 7.2.1.1.4.2(f) and 7.2.1.1.4.5.

7.2.1.1.4.4.4 Scram Discharge Volume Level

The scram discharge high water level trip bypass is controlled by the manual operation of two keylocked switches, a bypass switch, and the mode switch. The mode switch must be in the SHUTDOWN or REFUEL position. Four bypass channels emanate from the four banks of the RPS mode switch and are connected into the RPS logic. This bypass allows the operator to reset the reactor protection system scram relays so that the system is restored to operation allowing the operator to drain the scram discharge volume. Resetting the trip actuators opens the scram discharge volume vent and drain valves. An annunciator in the main control room indicates the bypass condition.

The discussion of diversity of the scram discharge volume level trip is provided in Subsection 7.2.1.1.4.2(g).

7.2.1.1.4.4.5 Mode Switch in Shutdown

The scram initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a short time delay. The bypass allows the control rod drive hydraulic system valve lineup to be restored to normal. An annunciator in the control room indicates the bypassed condition.

Redundancy of the operating bypass with the mode switch in shutdown is provided by four separate time delay relays connected in a manner which provides redundancy of the bypass operation, but will not inhibit the scram initiation.

Diversity of variables is not provided for this function because placing of the mode switch in shutdown is the normal method for shutting down the reactor and requires only operator action for initiation. The mode switch in shutdown is not a safety function and does not require diversity.

7.2.1.1.4.4.6 Maintenance, Calibration or Test Bypasses

Each reactor scram sensor can be removed for maintenance, test or calibration. When a channel is removed from service, annunciation of the administrative tripping of one of the four trip channels or alarming of the channel bypass is provided in the main control room. Unnecessary actuation of the RPS trip logic can be prevented by use of an indicating jumper across the RPS Trip Channel logic input from the instrument channel under test. The jumper provides positive indication of channel operation when the bypassed instrument is actuated during the performance of maintenance, test, or calibration, and maintains the monitoring and trip function of the remaining portions of the RPS trip logic while this channel is removed from service.

Individual channels for drywell high pressure, reactor vessel high pressure, reactor vessel low water level, and CRD scram discharge volume high water level, are administratively tripped when any one sensor is removed for maintenance, test or calibration.

An individual channel for neutron monitoring APRM/OPRM or IRM trips can be manually bypassed during any mode of operation. Each bypass is indicated by a light in the main control room.

Main steamline isolation valve closure sensors may be removed from service during operation while the mode switch is in the RUN mode, but this causes a channel trip to occur and is annunciated in the main control room.

Turbine stop valve closure and turbine control valve fast closure sensors may be removed from service during operation. This results in an administratively controlled trip of the sensor channel and annunciation of a logic trip in the main control room.

Administrative controls during maintenance, test, and calibration are specified in the individual maintenance, test, and calibration procedure and in the plant administration procedure manual.

A discussion of the bypass indication is provided in Subsection 7.2.1.1.4.4.

7.2.1.1.4.4.7 Interlocks

The scram discharge volume high water level trip bypass signal interlocks with the reactor manual control system to initiate a rod block. The interlock is performed using isolated relay contacts so that no failure in the control system can prevent a scram.

Reactor vessel low water level, reactor vessel pressure, and drywell high pressure signals are shared with the primary containment and reactor vessel isolation system. The sensors feed relays in the reactor protection system whose contacts interlock with the primary containment and reactor vessel isolation system.

A discussion of the Neutron Monitoring System interlocks to rod block functions is provided in Subsection 7.6.1a.5.

The reactor mode switch has interlocks to other than the Reactor Protection System. These interlocks are discussed in Subsection 7.6.1a.6.

7.2.1.1.4.4.8 RPS Shorting Links (Neutron Monitoring System)

RPS shorting links are installed in the Reactor Manual Scram Trip Channel A1, B1, A2 and B2 Circuits. The shorting links, when removed, add the neutron monitoring trip inputs to the Reactor Manual Scram Trip Logic. The IRM and SRM trip inputs will be applied with the APRM inputs remaining with the 2-out-of-4 Voter. This changes the neutron range monitoring trip logic to a one-out-of-twelve taken once logic. This changes the neutron monitoring trip logic to a one-out-of-eighteen taken once logic. The neutron monitoring system in this configuration provides a full scram in the event of any neutron monitoring trip signal. The shorting links are removed during Shutdown Margin Test RPS Instrumentation as described in the TRM Section 3.10.2.

7.2.1.1.4.5 Redundancy and Diversity

Instrument piping from the reactor vessel is routed through the drywell wall and terminates inside the secondary containment. Instruments mounted on instrument racks in the secondary containment sense reactor vessel pressure and water level information from this piping. Valve position switches are mounted on valves from which position information is required. The sensors for reactor protection system signals from equipment in the turbine building are mounted locally.

The two motor generator sets that supply power for the reactor protection system are located in an area where they can be serviced during reactor operation. Cables from sensors and power cables are routed to two reactor protection system cabinets in the relay rooms. One cabinet is used for each of the two trip systems. The logics of each trip system are isolated in separate bays in each cabinet.

The redundancy requirements for the RPS have been met by the utilization of physically separate sensor taps, sensing lines, sensors, sensor rack locations, cable routing and termination in two separate panels in the control room. By the use of more than one sensor for each RPS variable feeding two separate trip systems and two logics per trip system, redundancy of the RPS has been achieved. For additional information on redundancy of RPS subsystems, refer to Subsection 7.2.1.1.4.2, paragraphs (a), (b), (c), (d), (e), (f), (g), (h), and (i).

No redundancy of the RPS power supply is provided. There are two MG sets which supply electrical power, one each to two logic channels of the RPS. A loss of one MG set will not inhibit protective action nor cause a scram.

Functional diversity is provided by monitoring independent reactor vessel variables. Pressure, water level, and neutron flux are all independent and are separate inputs to the system. Also, main steam line isolation valve closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of a reactor vessel high pressure and are separate inputs to the system.

Additional discussions of diversity of RPS variables are provided in Subsection 7.2.1.1.4.2, paragraphs (a), (b), (c), (d), (e), (f), (g), (h), and (i).

7.2.1.1.4.6 Actuated Devices

The actuator logic opens when a trip signal is received, and de-energizes the scram valve pilot solenoids. There are two pilot solenoids per control rod. Both solenoids must de-energize to open the inlet and outlet scram valves to allow drive water to scram a control rod. One solenoid receives its signal from Trip System A and the other from Trip System B. The failure of one control rod to scram will not prevent a complete shutdown.

The individual control rods and their controls are not part of the reactor protection system. For further information on the scram valves and control rods see Subsections 4.2.3 and 4.6-1.

The pilot solenoid valves are supplied from the 120 VAC RPS MG Sets A & B.

In addition to the two scram valves for each control rod drive, there are two backup scram valves which are used to vent the common header for all control rods. Both backup scram valves are energized to initiate venting and are individually supplied with 125 Vdc power from the plant batteries. Any use of plant instrument air system for auxiliary use is so designed that a failure of the air system will cause a safe direction actuation of the safety device.

7.2.1.1.4.7 Separation

Four independent sensor channels monitor the various process variables listed in Subsection 7.2.1.1.4.2. The sensor devices are separated such that no single failure can prevent a scram.

All protection system wiring outside the control system cabinets is run in totally enclosed metallic raceway. Physically separated cabinets or cabinet bays are provided for the four scram logics.

The RPS sensors and their local racks are shown in Dwg. M1-C72-2, Sh. 1, and M1-C72-2, Sh. 2.

The mode switch, scram discharge volume high water level trip bypass switch, scram reset switch, and manual scram switches are all mounted on one control panel. Each device is mounted in a metal enclosure and has a sufficient number of barrier devices to maintain adequate separation.

Conduit is provided from the metal enclosures to the point where adequate physical separation can be maintained without barriers.

The outputs from the logic cabinets to the scram valves are run in four totally enclosed metallic raceways for Trip System A and four for Trip System B. The four totally enclosed metallic raceways match the four scram groups shown in Dwgs. M1-C72-2, Sh. 1, and M1-C72-2, Sh. 2. The groups are selected so that the failure of one group to scram will not prevent a reactor shutdown.

Reactor protection system inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the reactor protection system. Direct signals from reactor protection system sensors are not used as inputs to annunciating or data logging equipment. Relay contact isolation is provided between the primary signal and the information output.

7.2.1.1.4.8 Testability

The reactor protection system can be tested during reactor operation by four separate tests.

The first of these is the manual scram test. By depressing the manual scram button for one trip channel, the actuators are de-energized, opening contacts in the actuator logics. After the first trip channel is reset, the second trip channel is tripped manually and so forth for the four manual scram buttons. It also verifies the ability to de-energize all eight groups of scram pilot valve solenoids by using the manual scram pushbutton switches. In addition to control room and alarm display indications, scram group indicator lights verify that the actuator contacts have opened.

The second test includes calibration of the neutron monitoring system by means of simulated inputs from calibration signal units. Calibration and test controls for the neutron monitoring system are located in the relay rooms and control room. Their physical location places them under direct physical control of the control room operator. Subsection 7.6.1a.5 describes the calibration procedure of the neutron monitoring system.

The third test is the single rod scram test which verifies capability of each rod to scram. Timing traces can be made for each rod scrammed.

The fourth test involves applying a test signal to each reactor protection system channel in turn and observing that a channel or logic trip results. All parts of the RPS trip logic can be tested in overlapping portions, as described in section 7.2.2.1.2. This test also verifies the electrical independence of the channel circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps. Calibration and test controls for pressure switches, level switches, and valve position switches are located in the turbine building and secondary containment. To gain access to the setting controls on each switch, a cover plate or sealing device must be removed. The control room supervisory personnel are responsible for granting access to the setting controls. Only properly qualified plant personnel are granted access for the purpose of testing or calibration adjustments.

The alarm display provided with the NSSS process computer verifies the correct operation of many sensors during plant startup and shutdown. Main steamline isolation valve position switches and turbine stop valve position switches can be checked in this manner. The verification provided by the alarm typewriter is not considered in the selection of test and calibration frequencies and is not required for plant safety.

Required sensor response times are determined for each RPS function and are identified in the design specification data sheet as well as Table 7.3-28. The sensor manufacturer provides sensors which meet the required response times and certifies their ability to obtain these values.

During preoperational testing, the sensors are tested using an accepted industry method, and the actual response time data are compared to the design requirement for acceptance. In addition, the overall reactor protection system response time is verified during preoperational testing from sensor trip to channel relay de-energization and actuator de-energization, and can be verified thereafter by similar test.

7.2.1.1.5 Environmental Considerations

Electrical modules for the reactor protection system are located in the drywell, the secondary containment, the turbine building and the control room. The environmental conditions for these areas are described in Section 3.11. Sensing elements have enclosures to withstand conditions that may result from a steam or water line break long enough to perform satisfactorily.

7.2.1.1.6 Operational Considerations

7.2.1.1.6.1 Reactor Operator Information

7.2.1.1.6.1.1 Indicators

Scram group indicators extinguish when an actuator logic opens or if a loss of power occurs.

Additionally, both Units have Backup Scram indicators which extinguish if a loss of DC power occurs.

Recorders in the main control room also provide information regarding reactor vessel water level, reactor vessel pressure, drywell pressure, and reactor power level. The physical position of RPS relays may be used to identify the individual sensor that tripped in a group of sensors monitoring the same variable.

7.2.1.1.6.1.2 Annunciators

Each reactor protection system input is provided to the annunciator system through isolated relay contacts. Trip system trips also signal the annunciator system. Manual trips signal the annunciator system.

When a reactor protection system sensor trips, it lights an engraved red annunciator window, common to all the channels for that variable, on the reactor control panel in the main control room to indicate the out-of-limit variable. Each trip system lights a red annunciator window to indicate which trip system has tripped. For Unit 1, a loss of power to the Backup Scram trip system, or to some but not all scram groups due to blown scram group fuses, is also annunciated on the unit operating benchboard 1C651. A loss of power to the Backup Scram System or to the scram groups for each Unit is also annunciated on the Unit Operating Benchboards (1C651 for Unit 1 and 2C651 for Unit 2). As an annunciator system input, a reactor protection system channel trip also sounds an audible indication, which can be silenced by the operator. The annunciator window lights latch in until reset manually. Reset is not possible until the condition causing the trip has been cleared.

7.2.1.1.6.1.3 Computer Alarms

A computer display identifies each tripped channel.

All reactor protection system trip events are recorded by the process computer system. This permits subsequent analysis of an operational transient that occurs too rapidly for operator comprehension of events as they occur. Use of the alarm display and computer is not required for plant safety. The display of trips is particularly useful in routinely verifying the correct operation of pressure, level, and valve position switches as trip points are passed during startup, shutdown, and maintenance operations.

7.2.1.1.6.2 Reactor Operator Controls

7.2.1.1.6.2.1 Mode Switch

A conveniently located, multiposition keylock mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate sensors for scram functions and provides appropriate bypasses. The switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the reactor protection system. The switch is designed to provide separation between the four trip channels. The mode switch positions and their related scram functions are as follows:

a) SHUTDOWN Initiates a reactor scram; bypasses main steamline isolation scram.

b) REFUEL Selects neutron monitoring system scram for low neutron flux level operation; bypasses main steamline isolation scram.

c) STARTUP Selects neutron monitoring system scram for low neutron flux level operation (disables the OPRM trip but does not disable the APRM scram); bypasses main steamline isolation scram.

d) RUN Selects neutron monitoring system scram for power range operation.

7.2.1.1.6.2.2 Safety-Related Portions of Control Systems Which Inhibit or Limit the Response of the Reactivity Control System

There are no portions of control systems which inhibit or limit the response of the reactivity control system.

7.2.1.1.6.3 Setpoints

Instrument ranges are chosen to cover the range of expected conditions for the variable being monitored. Additionally, the range is chosen to provide the necessary accuracy for any required setpoints and to meet the overall accuracy requirements of the channel.

a) Neutron Monitoring System Trip To protect the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The neutron monitoring system setpoints and their bases are discussed in Subsection 7.6.1a.5.

b) Reactor Vessel Dome Pressure High Interlock Excessively high pressure within the reactor vessel threatens to rupture the reactor coolant pressure boundary. A reactor vessel pressure increase during reactor operation compresses the steam voids and results in a positive reactivity insertion; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The reactor vessel high pressure scram setting is chosen slightly above the reactor vessel maximum normal operation pressure to permit normal operation without spurious scram, yet provide a wide margin to the maximum allowable reactor vessel pressure. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent nuclear system pressure from exceeding the maximum allowable pressure. The reactor vessel high pressure scram setting also protects the core from exceeding thermal hydraulic limits that result from pressure increases during events that occur when the reactor is operating below rated power and flow.

c) Reactor Vessel Low Water Level Low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. Decreasing water level while the reactor is operating at power decreases the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core. The reactor vessel low water level scram setting was selected to prevent fuel damage following abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level.

The scram setting is far enough below normal operational levels to avoid spurious scrams.

The setting is high enough above the top of the active fuel to assure that enough water is available to account for evaporation loss and displacement of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting was used in developing thermal-hydraulic limits. The limits set operational limits on the thermal power level for various coolant flow rates.

d) Turbine Stop Valve Closure Closure of the turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the neutron monitoring system or reactor vessel high pressure. It is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure by inserting negative reactivity with control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the reactor vessel, the turbine stop valve closure scram provides additional margin to the reactor vessel pressure limit. The turbine stop valve closure scram setting provides the earliest positive indication of valve closure.

e) Turbine Control Valve Fast Closure With the reactor and turbine generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as reactor vessel pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure. It is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the reactor vessel, the turbine control valve fast closure scram provides additional margin to the reactor vessel pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure.

f) Main Steamline Isolation The main steamline isolation valve closure can result in a significant addition of positive reactivity to the core as reactor vessel pressure rises. The main steamline isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The logic allows functional testing of main steamline isolation trip channels by partially closing a main steamline isolation valve.

g) Scram Discharge Volume High Water Level Water displaced by the control rod drive pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for the water displaced during a scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.

h) Drywell High Pressure High pressure inside the drywell may indicate a break in the reactor coolant pressure boundary. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce energy transfer from the core to the coolant. The drywell high pressure scram setting is selected to be as low as possible without inducing spurious scrams.

i) Manual Scram Pushbuttons are located in the control room to enable the operator to shut down the reactor by initiating a scram.

j) Mode Switch in SHUTDOWN When the mode switch is in SHUTDOWN, the reactor is to be shut down with all control rods inserted. This scram is not considered a protective function, because it is not required to protect the fuel or RCPB and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short delay, permitting a scram reset that restores the normal valve lineup in the control rod drive hydraulic system.

7.2.1.1.7 Containment Electrical Penetration Assignment

Refer to Table 6.2-12.

7.2.1.1.8 Cable Spreading Room Description

RPS interconnecting cables, where required to run outside PGCC, are run in identified totally enclosed metallic raceways.

7.2.1.1.9 Control and Relay Rooms

Vertical boards are located on separate Division 1 and 2 floors in separate divisionalized relay rooms. The RPS vertical boards for trip system "A" and trip system "B" are located in Division 1 and 2 floors respectively. The vertical boards are installed on PGCC floor modules and are connected to the field via underfloor ducts and termination cabinets.

The unit operating benchboard for reactor control is located in the main control room.

7.2.1.1.10 Control Boards and their Contents

The Reactor Protection System vertical boards each contain the trip channel and trip system trip relays, test switches, trip indicating lights for the individual trip channels and trip system.

The unit operating benchboard section for reactor control contains the reactor mode switch, bypass switches, scram solenoid valve status indicating lights, and manual scram switches.

7.2.1.1.11 Test Methods that Insure RPS Reliability

Surveillance testing is performed periodically on the reactor protection system during operation.

This testing includes sensor calibration, response time testing, trip channel actuation, and trip time measurement with simulated inputs to individual sensors.

Manual scram initiation channel functional tests periodically exercise the energized scram contactor, at a frequency specified in the Technical Specifications.

7.2.1.1.12 Interlock Circuits to Inhibit Rod Motion as Well as Vary the Protective Function

Subsection 7.7.1.11 describes interlock circuits to inhibit rod motion which are derived from neutron flux and recirculation flow measurements. Electrical isolation is provided between the Rod Block Monitor interlock circuits and the APRM protective action circuits.

There are no interlock circuits which inhibit rod motion as well as vary the protective functions.

7.2.1.1.13 ATWS Provisions

ATWS provisions have not been identified for RPS.

7.2.1.2 Design Bases

Design bases information requested by IEEE 279-1971 are discussed in the following paragraphs.

These IEEE 279 design bases aspects are considered separately from those broader and detailed design bases for this system cited in Section 7.1.

7.2.1.2.1 Conditions

The generating station conditions which require protective action are identified below:

a) Generator load rejection above 26% of rated power
b) Turbine trip above 26% of rated power
c) Main steamline isolation valve closure during operation in the "Run" mode
d) Pressure regulator failure (open) resulting from low steamline pressure
e) Excess coolant inventory resulting in turbine trip due to high water level
f) Shutdown cooling (RHRS) malfunction causing decreasing coolant temperature
g) Loss of feedwater flow
h) Loss of auxiliary power
i) Recirculation pump seizure
j) Recirculation flow control failure with increasing flow
k) Steam jet air ejector failure followed by low main condenser vacuum trip of the turbine
l) Control rod drop accident
m) Loss-of-coolant accident
n) Main steamline break
o) Feedwater system piping break
p) Failure of air ejector lines - scram occurs when main condenser is isolated causing a turbine trip
q) Malfunction of turbine gland sealing system resulting from turbine trip on high shaft vibration

7.2.1.2.2 Variables

The generating station variables which require monitoring to provide protective actions are identified in the plant Technical Specifications.

7.2.1.2.3 Sensors

A minimum number of LPRMs per APRM are required to provide adequate protective action as defined in Subsection 7.2.2.1.1.1.6. This is the only variable which has spatial dependence as discussed in IEEE 279, paragraph 3.3.

7.2.1.2.4 Operational Limits

Operational limits for each safety-related variable trip function are selected with sufficient margin so that a spurious scram is avoided. Design basis operational limits (i.e., Allowable Values) as listed in the plant Technical Specifications are based on operating experience and constrained by the safety design basis and the safety analyses.

7.2.1.2.5 Margin Between Operational Limits

The margin between operational limits and levels requiring protective action (i.e., the analytical limits) for the reactor protection system parameters as listed in the plant Technical Specifications includes allowance for instrument accuracy, calibration error, and sensor and setpoint drift.

7.2.1.2.6 Levels Requiring Protective Action

The trip setpoints are shown in the plant Technical Requirements Manual. The Allowable Values of the trip setpoints are shown in the plant Technical Specifications.

7.2.1.2.7 Ranges of Energy Supply and Environmental Conditions

The Reactor Protection System (RPS) 120 VAC power is provided by high inertia MG sets.

Voltage regulation is designed to respond to a step load change of 50% of rated load with an output voltage change of not more than 15% and output frequency change of not more than 5%.

The flywheel on each MG set provides stored energy to maintain voltage and frequency within +5%, for one second, preventing momentary switchyard transients from causing a scram. RPS relays and contactors will operate without failure within the range of ±10% of rated voltage. An alternate source of 120 volt power is provided to each RPS. This unregulated alternate power is provided for the RPS bus when maintenance is required for an MG set.

Environmental conditions for proper operation of the RPS components are described in Section 3.11.

7.2.1.2.8 Unusual Events

Unusual events are defined as malfunctions, accidents, and other events which could cause damage to safety systems. Chapter 15 and Appendix 15A describe the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, LOCA, pipe break outside containment, feedwater line break, and missiles. Each of these events is discussed below for the subsystems of the RPS.

a) Floods: The buildings containing RPS components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain water tight under PMF including wind generated wave action and wave runup. Therefore, none of the RPS functions are affected by flooding.

b) Storms and Tornadoes: The buildings containing RPS components have been designed to withstand all credible meteorological events and tornadoes as described in Subsection 3.3.2. Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair the RPS capabilities.

c) Earthquakes: The structures containing RPS components except the turbine building have been seismically qualified as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). The RPS components contained in the turbine building are backup scram variables for the Reactor Pressure trip.

d) Fires: To protect the RPS in the event of a postulated fire, the RPS trip logics have been divided into four separate sections within two independent RPS panels. The sections are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the RPS functions would not be prevented by the fire. The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the RPS will continue to provide the required protective action. Vertical boards have halon systems which are automatically started in the event of a fire in the panel. A fire detection system using heat detectors and product of combustion detectors is provided in PGCC floor sections and RPS panels mounted on these floor sections. A Halon fire suppression system is provided in the PGCC and RPS Panels.

e) LOCA: The following RPS subsystem components are located inside the drywell and would be subjected to the effects of a design basis loss-of-coolant accident (LOCA):

1) Neutron Monitoring System (NMS) cabling from the detectors to the main control room
2) Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines, which terminate outside the drywell.

These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11 and indicated in Table 3.11-1.

f) Pipe Break Outside Secondary Containment: This condition will not affect the ability of the RPS to function.

g) Feedwater Break: This condition will not affect the RPS.

h) Missiles: With the exception of the RPS M-G sets, the RPS equipment is not mounted in a missile zone. The M-G sets may be mounted in a missile zone but they are not required for performance of the RPS safety action (scram).

7.2.1.2.9 Performance Requirements

The minimum performance requirements are shown in Table 7.2-2.

A logic combination (one-out-of-two-twice) of instrument channel trips actuated by abnormal or accident conditions will initiate a scram and produce independent logic seal-ins within each of the four logic divisions. The trip conditions will be annunciated and recorded on the process computer.

The trip seal-in will maintain a scram signal condition at the control rod drive system terminals until the trip channels have returned within their normal operating range and the seal-in is manually reset by operator action. Thus, once a trip signal is present long enough to initiate a scram and the seal-ins, the protective action will go to completion.
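The one-out-of-two-twice logic and seal-in described above can be modeled as follows. This is an added Python example, not part of the FSAR or the plant design documentation. It assumes channels A1/A2 feed Trip System A and B1/B2 feed Trip System B; all function and class names are hypothetical.

```python
"""Illustrative model of one-out-of-two-twice scram logic with seal-in.

Assumption (not stated in this section): channels A1/A2 feed Trip System A
and B1/B2 feed Trip System B. All class and function names are hypothetical.
"""
from itertools import combinations

TRIP_SYSTEMS = {"A": ("A1", "A2"), "B": ("B1", "B2")}
CHANNELS = ("A1", "A2", "B1", "B2")


def trip_system_tripped(system, tripped):
    """One-out-of-two: either channel of a trip system trips that system."""
    return any(ch in tripped for ch in TRIP_SYSTEMS[system])


def scram_demanded(tripped):
    """Taken twice: both trip systems must trip, since each de-energizes
    one of the two pilot solenoids on every control rod."""
    return all(trip_system_tripped(s, tripped) for s in TRIP_SYSTEMS)


def single_failure_analysis():
    """Per channel: (scram if it alone fails to trip, scram if it alone trips)."""
    result = {}
    for ch in CHANNELS:
        others = set(CHANNELS) - {ch}
        result[ch] = (scram_demanded(others), scram_demanded({ch}))
    return result


def min_additional_trips(already_tripped=()):
    """Fewest further channel trips that produce a scram, e.g. while one
    channel is administratively tripped for maintenance, test or calibration."""
    base = set(already_tripped)
    remaining = [ch for ch in CHANNELS if ch not in base]
    for n in range(len(remaining) + 1):
        for extra in combinations(remaining, n):
            if scram_demanded(base | set(extra)):
                return n
    return None  # unreachable with this logic; kept for completeness


class RpsLogic:
    """Adds the per-channel seal-in and the manual reset to the trip logic."""

    def __init__(self):
        self.sealed_in = set()  # channels whose trip is latched

    def state(self):
        """Return (scram signal present, sorted list of latched channels)."""
        return scram_demanded(self.sealed_in), sorted(self.sealed_in)

    def update(self, tripped_now):
        """Latch every channel that is tripped right now."""
        self.sealed_in |= set(tripped_now)
        return self.state()

    def manual_reset(self, tripped_now):
        """Operator reset: only channels back in their normal range clear."""
        self.sealed_in &= set(tripped_now)
        return self.state()


def seal_in_sequence():
    """Constructed scenario: half scram, full scram, partial clear, resets."""
    rps = RpsLogic()
    return [
        rps.update({"A1"}),        # Trip System A only: no scram
        rps.update({"A1", "B2"}),  # both trip systems tripped: scram
        rps.update({"B2"}),        # A1 input clears, seal-in holds the scram
        rps.manual_reset({"B2"}),  # B2 still tripped: its latch cannot clear
        rps.manual_reset(set()),   # all inputs normal and reset: restored
    ]


if __name__ == "__main__":
    print(single_failure_analysis())
    print(min_additional_trips(), min_additional_trips({"A1"}))
    print(seal_in_sequence())
```

With one channel administratively tripped, the model shows the remaining logic reducing to a one-out-of-two arrangement on the opposite trip system.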

7.2.1.3 Final System Drawings

The final RPS drawings are processed at two different levels relative to this document.

First, all the necessary system and subsystem level Piping and Instrumentation Diagrams (P&IDs), Functional Control Diagrams (FCDs), Process Flow Diagrams (PFDs), and channel logic diagrams are provided in this section. This same technique is employed in other sections throughout the document.

Secondly, detailed circuit, component design elements, electrical elementary diagrams, cabinet and panel layout drawing (or similar finite detail design diagrams) are being provided under separate cover as allowed by the NRC regulations. This documentation is complementary to discussions and drawings included in this document.

There are no functional or architectural design basis differences or changes to this system between the approved preliminary PSAR design and the FSAR final design under review. A direct comparison of the subject documents verifies this observation. A list of drawings supplied under separate cover are given in Table 1.7-1.

7.2.2 ANALYSIS

7.2.2.1 Reactor Protection System-Instrumentation and Controls

7.2.2.1.1 General Functional Requirements Conformance

Presented below are analyses to demonstrate how the various general functional requirements and the specific regulatory requirements listed under the reactor protection system design bases (Subsection 7.1.2a.1.1) are satisfied.

7.2.2.1.1.1 Conformance to Design Basis Requirements

7.2.2.1.1.1.1 Design Bases 7.1.2a.1.1.1.1(1)

The reactor protection system is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that chapter.

Design basis from Subsection 7.1.2a.1.1 requires that the precision and reliability of the initiation of reactor scrams be sufficient to prevent, or limit, fuel damage and to prevent damage to the RCPB as a result of excessive internal pressure.

Table 7.2-1 provides a listing of the sensors selected to initiate reactor scrams and delineates the specified accuracy. Accuracy, transient response, and time response for the sensed variables establish the precision of the RPS variable sensors.

Reliability of the RPS is assured through the selection of reliable components and performance of analyses.

The selection of tentative scram trip settings has been developed through analytical modeling, experience, historical use of initial setpoints and adoption of new variables and setpoints as experience was gained. The initial setpoint selection method provided for settings which were sufficiently above the normal operating levels (to preclude the possibilities of spurious scrams or difficulties in operation), but low enough to protect the fuel and pressure barrier. As additional information became available or systems were changed, additional scram variables were provided using the above method for initial setpoint selection. The selected scram settings are analyzed to verify that they are conservative and that the fuel, fuel barriers, and RCPB are adequately protected. In all cases, the specific scram trip point selected is a conservative value that prevents damage to the fuel or RCPB taking into consideration previous operating experience and the analytical models.

7.2.2.1.1.1.2 Design Basis 7.1.2a.1.1.1.1(2)

The scram initiated by reactor vessel high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the reactor coolant pressure boundary as a result of internal pressure. The main steamline isolation valve closure scram provides a greater margin to the reactor vessel pressure safety limit than does the high pressure scram. For turbine-generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the reactor vessel pressure safety limit than does the high pressure scram. Chapter 15 identifies and evaluates accidents and abnormal operational events that result in reactor vessel pressure increases. In no case does pressure exceed RCPB safety limits.

7.2.2.1.1.1.3 Design Basis 7.1.2a.1.1.1.1(3)

The scram initiated by the reactor vessel low water level satisfactorily limits the radiological consequences of gross failure of the fuel or reactor coolant pressure boundary. Chapter 15 evaluates gross failures of the fuel and RCPB. In no case does the release of radioactive material to the environs result in exposures which exceed the guide values of applicable published regulations.

7.2.2.1.1.1.4 Design Basis 7.1.2a.1.1.1.1(4)

Scrams are initiated by variables which are designed to monitor fuel temperature and protect the RCPB. The neutron monitoring system monitors fuel temperature indirectly using incore detectors. The incore detectors monitor the reactor power level by detecting the neutron level in the core. Reactor power level is directly proportional to neutron level and the heat generated in the fuel. Although the neutron monitoring system does not monitor fuel temperature directly, by establishing a correlation between fuel temperature and reactor power level, scram setpoints can be determined for protective action which will prevent fuel damage.

The RCPB is protected by monitoring parameters which indicate reactor pressure directly or anticipate reactor pressure increases. Reactor pressure is monitored directly by pressure sensors which are connected directly to the reactor pressure vessel through sensing lines and pressure taps. In addition, reactor pressure transients are anticipated by monitoring the closure of valves which shut off the flow of steam from the reactor pressure vessel and cause rapid pressure increases. The variables monitored to anticipate pressure transients are Main Steamline Isolation Valve position, Turbine Stop Valve position, and Turbine Control Valve (Fast Closure) position. If any of these valves were to close, pressure would rise very rapidly; therefore, this condition is anticipated and a trip is initiated prior to any pressure transient occurring.

Chapter 15 identifies and evaluates those conditions which threaten fuel temperature and RCPB integrity. In no case does the core exceed a safety limit.

7.2.2.1.1.1.5 Design Basis 7.1.2a.1.1.1.1(5)

The scrams initiated by the neutron monitoring system, drywell pressure, reactor vessel pressure, reactor vessel water level, turbine stop valve closure, and turbine control valve fast closure variables will prevent fuel damage. The scram setpoints for these variables are identified in the plant Technical Requirements Manual and have been designed to cover the expected range of magnitude and rates of change during abnormal operational transients without fuel damage. The response time requirements for these variables are identified in Table 7.3-28. Chapter 15 identifies and evaluates those conditions which threaten fuel integrity. With the selected variables and scram setpoints, adequate core margins are maintained relative to thermal-hydraulic safety limits.

7.2.2.1.1.1.6 Design Basis 7.1.2a.1.1.1.1(6)

Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the reactor protection system. Neutron flux is monitored both as an indication of average reactor power (APRM upscale trips) and as an indication of power oscillations caused by thermal-hydraulic instability (OPRM trip). The basis for the number and locations is discussed below. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy and component environmental capabilities.

Two transient analyses were used to determine the minimum number and physical location of required LPRMs for each APRM for average power monitoring.

a) The first analysis was performed with operating conditions of 100% of originally-licensed reactor power and 100% core flow (100 x 10^6 lbm/hr) using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.

b) The second analysis was performed with operating conditions of 100% of originally-licensed reactor power and 100% core flow (100 x 10^6 lbm/hr) using a reduction of core flow at a fixed design rate. Again, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.

The results of the two analyses are analyzed and compared to establish the actual minimum number and location of LPRMs needed for each APRM channel (Reference 7.6-1).

The OPRM trip function monitors LPRMs combined into cells of 4 LPRMs each. If more than 2 of the 4 LPRMs in an OPRM cell are bypassed, the cell is determined to be inoperable and removed from the logic. The minimum required number of operable OPRM cells per APRM channel is determined by performing an analysis that mathematically removes LPRMs (and OPRM cells when the number of remaining LPRMs in a cell falls below the required minimum) and calculates the hot-bundle MCPR change that will result prior to an OPRM trip due to a power oscillation. That calculated value is compared to the hot-bundle MCPR change calculated with no LPRMs bypassed. The minimum required number of operable OPRM cells is that number that assures that the hot-bundle MCPR change that results prior to an OPRM trip is equal to or less than the corresponding value calculated with no LPRMs bypassed (References 7.6-3 through 7.6-6).

7.2.2.1.1.1.7 Design Basis 7.1.2a.1.1.1.1(7a through 7h)

Sensors, channels, and logics of the reactor protection system are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system.

Failure of either reactor protection system power supply would result in the de-energization of one of the two scram valve pilot solenoids on each scram valve. Alternate power is available to the reactor protection system buses. A complete, sustained loss of electrical power to both power supplies would result in a scram if the loss exceeds the ride-through capability of the power supplies.

The RPS is designed so that it is only necessary for trip variables to exceed their trip setpoints for sufficient length of time to de-energize the scram relays and open the seal-in contacts of the associated trip logic. Once this is accomplished, the scram will go to completion, regardless of the state of the variable which initiated the protective action.

When the initiating condition has cleared and a sufficient (10 second) time delay has occurred, the scram may be reset only by actuation of the scram reset switches in the main control room by the operator.
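The one-out-of-two-twice voting, the seal-in, and the delayed manual reset described above can be modeled as a small state machine. This is an added illustration, not part of the FSAR or of any plant software; the channel names A1/A2/B1/B2, the mapping of each power bus to one trip system, and measuring the 10-second delay from scram initiation are assumptions of the sketch.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

RESET_DELAY_S = 10.0  # the "sufficient (10 second) time delay" in the text
NAMES = ("A1", "A2", "B1", "B2")  # assumed channel names, two per trip system


@dataclass
class Channel:
    input_tripped: bool = False  # monitored variable is past its setpoint
    powered: bool = True         # channel relay is energized from its bus
    sealed_in: bool = False      # latched trip, cleared only by manual reset

    def update(self) -> None:
        # De-energize-to-trip: loss of power is indistinguishable from a trip.
        if self.input_tripped or not self.powered:
            self.sealed_in = True


@dataclass
class TripLogic:
    channels: Dict[str, Channel] = field(
        default_factory=lambda: {n: Channel() for n in NAMES})
    scram_time: Optional[float] = None

    def trip_system(self, system: str) -> bool:
        """One-out-of-two: either channel of a trip system trips that system."""
        return any(c.sealed_in for n, c in self.channels.items()
                   if n.startswith(system))

    def scram(self) -> bool:
        """Taken twice: a scram needs trip system A and trip system B."""
        return self.trip_system("A") and self.trip_system("B")

    def step(self, now: float, tripped=(), unpowered=()) -> bool:
        """Apply the current inputs and return whether a scram is present."""
        for name, ch in self.channels.items():
            ch.input_tripped = name in tripped
            ch.powered = name not in unpowered
            ch.update()
        if self.scram() and self.scram_time is None:
            self.scram_time = now
        return self.scram()

    def reset(self, now: float) -> bool:
        """Operator reset. Refused while any input is abnormal or, after a
        scram, before the delay has elapsed (measured from scram initiation,
        which is an assumption of this sketch)."""
        if any(c.input_tripped or not c.powered for c in self.channels.values()):
            return False
        if self.scram_time is not None and now - self.scram_time < RESET_DELAY_S:
            return False
        for ch in self.channels.values():
            ch.sealed_in = False
        self.scram_time = None
        return True


def single_failure_check() -> dict:
    """Per channel: (spurious trip causes scram?, stuck channel blocks scram?)."""
    results = {}
    for failed in NAMES:
        spurious = TripLogic().step(0.0, tripped={failed})
        others = set(NAMES) - {failed}
        blocked = not TripLogic().step(0.0, tripped=others)
        results[failed] = (spurious, blocked)
    return results


def momentary_trip_scenario() -> list:
    """Constructed timeline: a trip that clears still goes to completion."""
    logic = TripLogic()
    return [
        logic.step(0.0, tripped={"A1"}),        # one trip system only
        logic.step(1.0, tripped={"A1", "B2"}),  # both trip systems tripped
        logic.step(2.0),                        # inputs clear, seal-in holds
        logic.reset(5.0),                       # refused: delay not elapsed
        logic.reset(11.0),                      # accepted: inputs normal, 10 s passed
        logic.scram(),                          # logic back to normal state
    ]


def power_loss_scenario() -> tuple:
    """Loss of one bus trips one trip system; loss of both produces a scram."""
    one_bus = TripLogic().step(0.0, unpowered={"A1", "A2"})
    both = TripLogic().step(0.0, unpowered=set(NAMES))
    return one_bus, both


if __name__ == "__main__":
    print(single_failure_check())
    print(momentary_trip_scenario())
    print(power_loss_scenario())
```

The model ignores the ride-through capability of the power supplies, so a loss of both buses trips immediately here.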

Reactor protection cabling is routed in separate totally enclosed metallic raceways for each division for all wiring for sensors, racks, panels, and scram solenoids. Physical separation and electrical isolation among redundant portions of the reactor protection system are provided by separated process instrumentation, separated racks, and either separated or protected panels and cabling.

Separate panels are provided for each division, except for the main control room benchboard which has internal metal barriers. Where equipment from more than one division is in a panel, divisional separation is provided by fire barriers and through the use of separated terminal boards.

Where wiring from more than one division is present at a single component, divisional separation is provided by fire barriers on the component in addition to routing of the wiring from the component in separate conduits.

Separate racks are provided for the reactor protection sensor instrumentation for each division and are installed in different locations.

7.2.2.1.1.1.8 Design Basis 7.1.2a.1.1.1.1(8)

Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant operations supervisory personnel.

Access control is provided by use of administrative control procedures which require: (1) that panels and cabinets outside the main control room be secured in a manner such as wire locking; (2) that approved procedures be used to perform calibration and testing, which require obtaining permission prior to performance; (3) that locked open or closed valves be used to prevent manual bypass of mechanical systems, and (4) that operations personnel within the main control room monitor and control access to panels and cabinets within the main control room.

Manual bypass of instrumentation and control equipment components is under the control of the main control room operator. If the ability to trip some essential part of the system is bypassed, this fact is continuously annunciated in the main control room.

For the subsystem operational bypasses discussed in Subsection 7.2.1, bypassing of these subsystem components provides a continuous annunciation in the control room. Trip channel components are taken out-of-service for calibration or testing in accordance with Technical Specification Surveillance requirements, or are bypassed and placed in an Inoperable status, with the plant continuing to operate in accordance with the applicable Technical Specification Limiting Condition for Operation. In each case the amount of time each condition is allowed to exist and the number and function of coincident channels out of service are controlled by the Technical Specifications.

7.2.2.1.1.1.9 Other Design Basis Requirements

The Reactor Protection System is a one-out-of-two taken twice system. The dual trip system is advantageous because it can be tested thoroughly during reactor operation without causing a scram. This capability for a thorough testing program significantly increases reliability.

The environment in which the instruments and equipment of the reactor protection system must operate is given in Section 3.11. The specifications for the instruments located in the containment or turbine building are based on the worst expected ambient conditions.

The reactor protection system components that must function in the environment resulting from a RCPB break inside the drywell are the condensing chambers which supply reactor water level for the RPS level indicating switches and the inboard main steamline isolation valve position switches.

Special precautions are taken to ensure their operability after the accident. The condensing chambers and all essential components of the control and electrical equipment are either similar to those that have successfully undergone qualification testing in connection with other projects, or additional qualification testing under simulated environmental conditions has been conducted.

To ensure that the reactor protection system remains functional, the number of operable channels for the essential monitored variables is maintained at or above the minimums described in the Technical Specifications. The minimums apply to any untripped trip system; a tripped trip system may have any number of inoperative channels. Because reactor protection requirements vary with the mode in which the reactor operates, there are functional requirements for the RUN and STARTUP modes. These are the only modes where more than one control rod can be withdrawn from the fully inserted position.

In case of a LOCA, reactor shutdown occurs immediately following the accident as process variables exceed their trip setpoints. Operator verification that shutdown has occurred may be made by observing one or more of the following indications:

a) Control rod status lamps indicating each rod fully inserted
b) Control rod scram pilot valve status lamps indicating open valves
c) Neutron monitoring channels and recorders indicating decreasing neutron flux
d) Annunciators for RPS variables and trip logic in the tripped state
e) NSSS process computer logging of trips and control rod position log

Following generator load rejection, a number of events occur in the following chronological order:

a) The hydraulic pressure in the EHC lines to the control valve fast closure solenoids drops and the pressure sensors provide a trip signal to the RPS. Simultaneously the turbine control logic initiates fast opening of the turbine bypass valve which minimizes the pressure from the transient.

b) The reactor protection system will scram the reactor concurrently upon receipt of the turbine control valve fast closure signal.

The reactor scram will be averted if at the time of load rejection the unit load is equal to or less than a given value. This load value is 26% of rated power output.

c) The trip setting of the APRM channels will be automatically reduced as recirculation flow decreases.

The trip settings discussed in Subsection 7.2.1 are not changed to accommodate abnormal operating conditions. Actions required during abnormal conditions are discussed in Chapter 16.0.

Transients requiring activation of the reactor protection system are discussed in Chapter 15.0. The discussions there designate which systems and instrumentation are required to mitigate the consequences of these transients.

7.2.2.1.2 Conformance to Specific Regulatory Requirements

7.2.2.1.2.1 Conformance to NRC Regulatory Guides

7.2.2.1.2.1.1 Regulatory Guide 1.11 (1971)

Regulatory Guide 1.11 is not part of the RPS design basis; however, the degree of conformance is discussed in Section 3.13.

7.2.2.1.2.1.2 Regulatory Guide 1.22 (2/72)

The system is designed so that it may be tested during plant operation from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram will not occur as a result of the testing.

7.2.2.1.2.1.3 Regulatory Guide 1.29 (1972)

All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as Seismic Category I.

7.2.2.1.2.1.4 Regulatory Guide 1.30 (1972)

Refer to Section 3.13.

7.2.2.1.2.1.5 Regulatory Guide 1.47 (5/73)

Regulatory Position C.1, C.2 and C.3:

Automatic indication is provided in the main control room to inform the operator that a system is inoperable. Annunciation is provided to indicate a system or part of a system is not operable. For example, the reactor protection (trip) system, and the containment and reactor vessel isolation system have annunciators lighting and sounding whenever one or more channels of an input variable are bypassed. Bypassing is not allowed in the trip logic or actuator logic. An example of automatic indication of RPS inoperability follows.

Instruments which form part of a one-out-of-two twice logic system can be removed from service for calibration. Removal of the instrument from service will be indicated in the main control room as a single instrument channel trip.

Regulatory Position C.4:

Capability for manual initiation of the RPS system level bypass and inoperability indication is provided by activation of a control switch located in the main control room. This may be used to provide administrative control of the bypass indication for those bypasses or inoperabilities which cannot be automatically indicated. A control switch is provided for each system level bypass indicator.

The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system.

a) Individual indicators are arranged together on the Reactor Core Cooling Benchboard to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level will be grouped only with items that will prevent a system from operating if needed.

b) As a result of design, preoperational testing, and startup testing, no erroneous bypass indication is anticipated.

c) These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions.

This indication does not perform a safety function.

d) All circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects.

e) Each indicator which can be periodically tested is provided with dual lamps.

7.2.2.1.2.1.6 Regulatory Guide 1.53 (6/73)

Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the engineered safeguards systems to meet the single failure criterion, Section 4.2 of IEEE 279-1971 and IEEE 379-1972. Redundant sensors are used and the logic is arranged to ensure that a failure in a sensing element or the decision logic or an actuator will neither prevent nor initiate protective action. Separated channels are employed so that a fault affecting one channel will not prevent the other channels from operating properly. Specifications are provided to define channel separation for wiring not included with NSSS supplied equipment.

The RPS is normally energized with 2 motor generator sets for power, one for each separate trip system. Therefore, a single failure will produce a trip on one channel, and complete loss of power will trip the reactor.

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when called upon. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.

7.2.2.1.2.1.7 Regulatory Guide 1.62 (10/73)

Means are provided for manual initiation of reactor scram at the system level through the use of four armed pushbutton switches.

Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry.

These switches are located on the Unit Operating Benchboard.

The amount of equipment common to initiation of both manual scram and automatic scram is kept to a minimum through implementation of manual scram at the final devices (scram relay) of the protection system. No single failure in the manual, automatic, or common portions of the protection system will prevent initiation of reactor scram by manual or automatic means.

The "minimum of equipment" objective is accomplished for the initiation of manual scram through its implementation at the final devices (scram relay) of the protection system.

Manual initiation of reactor scram, once initiated, goes to completion as required by IEEE 279-1971, paragraph 4.16.

7.2.2.1.2.1.8 Regulatory Guide 1.63 (10/73)

Refer to Section 3.13. Design is in compliance.

7.2.2.1.2.1.9 Regulatory Guide 1.68 (11/73)

Written procedures and responsibilities are developed for the preoperational and startup testing of the system. Response times of protection channels including sensors, as defined in Tables 7.3-28, 7.3-29, 7.3-30; proper operation in all combinations of logic, calibration, and operability of primary sensors, except for neutron monitoring system and process radiation sensors; proper trip and alarm settings; proper operation of permissive, prohibit, and bypass functions; and operability of bypass switches are verified. Redundancy, electrical independence, coincidence, and safe failure on loss of power and operability of backup scram solenoid valves and devices including detectors, logic, trip points, and final control elements are demonstrated.

7.2.2.1.2.1.10 Regulatory Guide 1.75 (1/75)

The Reactor Protection System complies with the criteria set forth in IEEE 279-1971, paragraph 4.6.

Physical and electrical independence of the instrumentation devices of the system is provided by channel independence for sensors exposed to each process variable. Separate and independent conduits are routed from each device to the respective control room panel. Each channel has a separate and independent section of a control room panel which is separated by a barrier from the other channel. Trip logic outputs are separate in the same manner as the channels.

7.2.2.1.2.1.11 Regulatory Guide 1.89 (11/74)

Regulatory Guide 1.89 is not part of the RPS design basis; the RPS performs its safety-related function in a mild environment. Therefore, the environmental qualification provisions of 10CFR50.49 Section C, item (3) are applicable.

7.2.2.1.2.2 Conformance to 10CFR50, Appendix A - General Design Criteria

7.2.2.1.2.2.1 General Design Criterion 1

The quality assurance program for the system assures sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application.

Documents are maintained which demonstrate that all the requirements of the quality assurance program are being satisfied. These records will be maintained during the life of the operating licenses.

7.2.2.1.2.2.2 General Design Criterion 2

Refer to Section 3.1 for details of conformance.

7.2.2.1.2.2.3 General Design Criterion 3

Refer to Subsection 9.5.1 for details of conformance.

7.2.2.1.2.2.4 General Design Criterion 4

The system is designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

The system is appropriately protected against dynamic effects including the effects of missiles, pipe whipping and discharging fluids that may result from equipment failures.

Refer to Sections 3.5 and 3.6 for details of compliance.

7.2.2.1.2.2.5 General Design Criterion 5

Refer to Section 3.1 for discussion.

7.2.2.1.2.2.6 General Design Criterion 10

The RPS is designed to monitor certain reactor parameters, sense abnormalities, and scram the reactor, thereby preventing fuel design limits from being exceeded when trip points are exceeded.

Scram trip setpoints are selected based on operating experience and by the safety design basis.

There is no case in which the scram trip setpoints allow the core to exceed the thermal hydraulic safety limits. Power for the reactor protection system is supplied by two independent ride-through AC power supplies. An alternate power source is available for each bus.

The system is designed to assure that the specified fuel design limits are not exceeded during conditions of normal or abnormal operation.

7.2.2.1.2.2.7 General Design Criterion 12

The system design provides protection from excessive fuel cladding temperatures and protects the RCPB from excessive pressures which threaten the integrity of the system. Local abnormalities are sensed and, if protection system limits are reached, corrective action is initiated through an automatic scram. High integrity of the protection system is achieved through the combination of logic arrangement, trip channel redundancy, power supply redundancy, and physical separation.

7.2.2.1.2.2.8 General Design Criterion 13

Each system input is monitored and annunciated.

7.2.2.1.2.2.9 General Design Criterion 15

The system acts to provide sufficient margin to assure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including anticipated operational occurrences. If the monitored variables exceed their predetermined settings, the system automatically responds to maintain the variables and systems within allowable design limits.

7.2.2.1.2.2.10 General Design Criterion 19

Controls and instrumentation are provided in the main control room. The reactor can also be shut down in an orderly manner from outside the main control room at the remote shutdown panel.

7.2.2.1.2.2.11 General Design Criterion 20

The system constantly monitors the appropriate plant variables to maintain the fuel barrier and RCPB and initiates a scram automatically when the variables exceed the established setpoints.

7.2.2.1.2.2.12 General Design Criterion 21

The system is designed with four independent and separated input channels and four independent and separated output channels. No single failure or operator action can prevent a scram. The system can be tested during plant operation to assure its availability.

7.2.2.1.2.2.13 General Design Criterion 22

The redundant portions of the system are separated such that no single failure or credible natural disaster can prevent a scram. Functional diversity is employed by measuring flux, pressure, and level in the reactor vessel, which are dependent variables and are diverse.

7.2.2.1.2.2.14 General Design Criterion 23

The system is fail safe. A loss of electrical power or air supply will not prevent a scram. Postulated adverse environments will not prevent a scram.

7.2.2.1.2.2.15 General Design Criterion 24

The system has no control function. It is interlocked to control systems through isolation devices.

7.2.2.1.2.2.16 General Design Criterion 25

The system provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Any monitored variable which exceeds the scram setpoint will initiate an automatic scram and not impair the remaining variables from being monitored, and if one channel fails the remaining portions of the reactor protection system will function.

7.2.2.1.2.2.17 General Design Criterion 29

The system is highly reliable so that it will scram in the event of anticipated operational occurrences.

7.2.2.1.2.3 Conformance with Industry Codes and Standards

7.2.2.1.2.3.1 IEEE 279 (1971)

7.2.2.1.2.3.1.1 General Functional Requirement (IEEE 279-1971, Paragraph 4.1)

The following RPS trip variables provide automatic initiation of protective action in compliance with this requirement:

a) Scram discharge volume high water level trip
b) Main steamline isolation valve closure trip
c) Turbine stop valve closure trip
d) Turbine control valve fast closure trip
e) Reactor vessel low water level trip
f) Neutron monitoring (APRM) system trip
g) Neutron Monitoring (IRM) system trip
h) Drywell high pressure trip
i) Reactor vessel high pressure trip
j) Neutron monitoring (OPRM) system trip

The reactor system mode switch selects appropriate operating bypasses for various RPS variables in the Shutdown, Refuel, Startup, and Run modes of operation. Other manual controls, such as the manual scram pushbutton switches and the RPS reset switch, are arranged so as to assure that the process variables providing automatic initiation of protective action will continue to remain in compliance with this requirement.

The RPS reset switch is under the administrative control of the reactor operator. Since the reset switch, through auxiliary relay contacts, is introduced in parallel with the trip actuator seal-in contact, failure of the reset switch cannot prevent initiation of protective action when a sufficient number of trip channels assume the tripped condition. Hence, the automatic initiation requirement for protective action is not invalidated by this reset switch.

The RPS logic, trip actuator logic, and trip actuators are designed to comply with this requirement through automatic removal of electric power to the control rod drive scram solenoids when one or more RPS variables exceed the specified trip setpoint.

Manual reset by the operator bypasses the seal-in contact to permit the RPS to be reset to its normally energized state when all process sensor trip channels are within their normal (untripped) range of operation.

This requirement applies to the Period Based Detection algorithm and trip portion of the OPRM.

As no credit is taken for the Amplitude and Growth Rate trip algorithms, this requirement does not apply to those two functions.

7.2.2.1.2.3.1.2 Single Failure Criterion (IEEE 279-1971, Paragraph 4.2)

The following RPS trip variables are individually implemented with four redundant and physically separated channels in compliance with this requirement:

a) Main steamline isolation valve closure trip
b) Turbine stop valve closure trip
c) Turbine control valve fast closure trip

The following RPS trip variables are individually implemented with four redundant channels divided into two physically separated groups in compliance with this requirement:

d) Scram discharge volume high water level trip
e) Reactor vessel low water level trip
f) Drywell high pressure trip
g) Reactor vessel high pressure trip

The neutron monitoring system APRM/OPRM, and IRM trips comply with the single failure criterion through the use of physical-panel barriers and electrical isolation provisions to provide independence among the two redundant APRM/OPRM 2-out-of-four voter channels and four redundant IRM channels in either Trip System A or B. Four redundant APRM/OPRM channels provide inputs to both Trip System A and Trip System B.

Wiring from each sensor to the relay cabinets is run in a separate totally enclosed metallic raceway to maintain electrical isolation and physical separation among redundant sensor trip channels.

A separate trip channel relay is provided for each sensor. These relays are installed in four redundant cabinets to maintain independence of the redundant trip channels.

RPS manual controls also comply with the single failure criterion. Four manual scram pushbuttons are arranged into two groups on one main control room panel, and the switch contact blocks are enclosed within metal barriers.

The mode switch consists of a single manual actuator connected to four distinct switch banks.

Each bank is housed within a fire retardant cover. Contacts from each bank are wired in conduit to individual metallic terminal boxes.

Since the scram discharge volume high water level trip operating bypass requires manual operation of a bypass switch and the mode switch to establish four bypass channels, the design of the bypass function complies with this design requirement. For the bypass switch, a single operator connects to four physically and electrically separated blocks of switch contacts within the switch body. Wiring from the contacts is routed in conduit to separate metallic terminal boxes.

One set of switch contacts in conjunction with mode switch contacts is used to energize each trip channel bypass relay when the bypass condition is desired. There is no single failure of this bypass function that will satisfy the condition necessary to establish the bypass condition. Hence, this function complies with the single-failure criterion.

The main steamline isolation valve closure trip operating bypass is implemented with redundant mode switch contacts in a similar manner.

The turbine stop valve closure trip and control valve fast closure trip operating bypass complies with the single-failure criterion. Two pressure sensors are mounted at each of two turbine first stage pressure taps. Contacts from the pressure sensors are routed in a totally enclosed metallic raceway to the RPS cabinets in the control structure. A single bypass is associated with a single trip channel for stop valve closure and for control valve fast closure. The worst-case single failure could result in the bypass of the turbine stop valve closure and turbine control valve fast closure for the A and B trip logics or the C and D trip logics. The logic is arranged so that this failure does not interfere with the normal protective action of the RPS.

The RPS reset switch and associated logic comply with this design requirement. The reset switch is constructed with a single operator and two physically and electrically separated contact blocks.

The wires from the contact blocks go through totally enclosed metallic raceways to metallic terminal boxes.

Since opening of the process sensor trip channel is the initiating event for reactor scram, failure of the reset switch will not prevent de-energization of the trip actuators during the time interval that the process actually exceeds the trip setpoint.

Those portions of the RPS downstream of the trip channels also comply with this design requirement. Any postulated single failure of a given trip logic will not affect the remaining three trip logics. Similarly, any single failure of a trip actuator will not affect the remaining trip actuators, and any single failure of one trip actuator logic will not affect the other trip actuator logic networks. The cabling associated with one trip logic is routed in a totally enclosed metallic raceway that is physically separated from similar cabling associated with the other trip logics. Cabling from the trip actuator logic to the scram solenoid groups is routed in individual totally enclosed metallic raceways to comply with this design requirement. Because both the "A" and "B" solenoid coils must de-energize to scram, the wiring of these two solenoids for one control rod is routed together within a single totally enclosed metallic raceway.

7.2.2.1.2.3.1.3 Quality of Components and Modules (IEEE 279-1971, Paragraph 4.3)

The RPS trip variables which are listed in Subsection 7.2.2.1.2.3.1.11 are implemented with components and modules used on previous BWR plants and which exhibit high quality and high reliability characteristics.

The RPS manual switches are also selected to be of high quality and reliability.

The four pressure sensors selected for the turbine stop valve closure trip and control valve fast closure trip operating bypass are of high quality and reliability.

The RPS trip logic consists of series-connected relay contacts from the trip channel output relays.

The relay is of high quality and reliability.

The RPS trip actuator logic consists of relay contacts connected in a specific arrangement from the trip actuators. The trip actuators are of high quality and reliability.

7.2.2.1.2.3.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4)

Vendor certification is required that the sensor associated with each of the RPS trip variables listed in Subsection 7.2.2.1.2.3.1.1, the manual switches, and the trip logic components perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the existing field experience with these components in this application, will serve to qualify these components.

The NSSS supplier has conducted qualification tests of the relay panels to confirm their adequacy for this service. In situ operational testing of these sensors, channels, and the entire protection system will be performed at each project site during the preoperational test phase.

7.2.2.1.2.3.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5)

The manual switches and components of the RPS trip variables which are listed in Subsection 7.2.2.1.2.3.1.1, are specified to operate under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents.

The RPS trip logic, trip actuators, and trip actuator logic are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions and accidents.

7.2.2.1.2.3.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6)

The four redundant trip channels for the following RPS trip variables are physically separated and electrically isolated from one another to meet this design requirement:

a) Scram discharge volume high water level trip
b) Turbine stop valve closure trip
c) Turbine control valve fast closure trip
d) Reactor vessel low water level trip
e) Drywell high pressure trip
f) Reactor vessel high pressure trip

The individual switch boxes for the turbine variables are physically separated.

The main steamline isolation valve closure trip is derived from 8 individual channels which are physically separated and electrically isolated to meet this design requirement.

The eight IRM, four APRM/OPRM, and four APRM/OPRM 2-out-of-4 voter channels are electrically isolated and physically separated from one another so as to comply with this design requirement.

The manual scram pushbutton is a channel component. The trip channels are physically separated and electrically isolated to comply with this design requirement.

The mode switch banks are physically separated and electrically isolated to comply with this design requirement.

The circuitry for the RPS trip variable operating bypasses complies with this design requirement.

Sufficient physical separation and electrical isolation exists to assure that the operating bypass channels are satisfactorily independent. Moreover, the conditions for bypass have been made quite stringent in order to provide additional margin.

The four RPS reset channels to the trip actuators are physically separated and electrically isolated.

The RPS trip logic, trip actuators, and trip actuator logic are also physically separated and electrically isolated.

7.2.2.1.2.3.1.7 Control and Protection System Interaction (IEEE 279-1971, Paragraph 4.7)

The redundant channels for the RPS trip variables which are listed in Subsection 7.2.2.1.2.3.1.1 are electrically isolated from the plant control systems in compliance with this design requirement.

Each trip channel output relay uses one contact within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the main control room, and another contact on each relay is wired to the process computer cabinets to provide a written log of the channel trips.

There is no single failure that will prevent proper functioning of any protective function when it is required.

The main steamline isolation valve and turbine stop valve limit switch contacts for RPS use are routed through separate totally enclosed metallic raceway connections relative to the other limit switches used for indicator lights in the control room. After the cabling emerges from the limit switch junction box associated with each main steamline isolation valve or turbine stop valve, it is routed separately from any other cabling in the plant to the RPS panels in the control room.

Turbine control valve fast closure pressure sensor outputs for RPS use are routed separately relative to other outputs used for indicator lights and turbine control purposes. After the cabling emerges from the junction boxes, it is routed in totally enclosed metallic raceways to the logic cabinets in the control room.

Within the APRM equipment (i.e., before their output trip driving the RPS), analog outputs are derived for use with control room meters and recorders. Electrical isolation is incorporated into the design at this interface to prevent any single failure from influencing the protective trip output. The trip outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panel.

Each OPRM module is electrically isolated by fiber-optic data link from its companion OPRM in the same RPS channel, and electrically and physically isolated from other OPRM channels.

The manual scram pushbutton has no control interaction.

The reactor system mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement. Additional contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator. No control functions are associated with the mode switch. Hence, the switch complies with this design requirement. The system interlocks to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system.

The RPS scram discharge volume high water level trip variable operating bypass circuitry complies with this design requirement. For each trip channel bypass relay, four contacts are used in the bypass logic. One contact of each relay is also wired to a common annunciator in the control room and one contact is wired to the control rod block circuitry to prevent rod withdrawal whenever the trip channel bypass is in effect. There are no control system interactions with these bypass relay outputs. The system interlocks to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the RPS.

The main steamline isolation valve closure trip bypass has no interaction with any control system in the plant. One contact of each relay is used to initiate a control room annunciator for this bypass function.

Turbine stop valve and control valve trip bypasses have no interaction with any control system in the plant. Two output relay contacts in series are used in the RPS trip logic and one additional contact from each relay is used to initiate a control room annunciator for this bypass function.

Switch contacts of the RPS reset switch are used only to control auxiliary relays. Contacts from the relays are used only in the trip actuator coil circuit. Consequently, this RPS function has no interaction with any other system in the plant.

Reactor vessel high pressure switch contacts are routed in totally enclosed metallic raceways from the sensor to the RPS panels in the control room.

The four RPS trip logics are totally separate from all other plant systems. The RPS trip actuators utilize the power contacts of the scram relays to provide the trip actuator logic and the seal-in contact of the trip actuator, and utilize auxiliary contacts for control room annunciation, the process computer inputs, and initiation of the backup scram valves. Due to the design of this output and separation of the cabling, there is no interaction with control systems of the plant. The scram solenoids are physically separate and electrically isolated from the other portions of the control rod drive hydraulic control unit.

Reactor vessel low water level switch contacts for RPS use are routed through separate totally enclosed metallic raceway runs relative to the remaining switch contacts in these sensors.

7.2.2.1.2.3.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8)

The RPS trip variables are direct measures of:

a) Reactor vessel low water level trip
b) Neutron Monitoring (APRM) system trip
c) Neutron monitoring (IRM) system trip
d) Drywell high pressure trip
e) Reactor vessel high pressure trip
f) Neutron monitoring (OPRM) system trip

The measurement of scram discharge volume water level is an appropriate variable for this protective function. The desired variable is "available volume" to accommodate a reactor scram. However, the measurement of consumed volume is sufficient to infer the amount of remaining available volume, since the total volume is a fixed, predetermined value established by the design.

The measurement of main steamline isolation valve and turbine stop valve position is an appropriate variable for the reactor protection system. The desired variable is "loss of the reactor heat sink"; however, isolation or stop valve closure is the logical variable to infer that the steam path has been blocked between the reactor and the heat sink.

Due to the normal throttling action of the turbine control valves with changes in the plant power level, measurement of control valve position is not an appropriate variable from which to infer the desired variable, "rapid loss of the reactor heat sink." Consequently, a measurement of control valve closure rate is required.

Protection system design practice has discouraged use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation would be a more positive means of determining fast closure of the control valves.

Loss of hydraulic pressure in the EHC oil lines which initiates fast closure of the control valves is monitored. These measurements provide indication that fast closure of the control valves is imminent.

This measurement is felt to be adequate and a proper variable for the protective function taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of control-valve fast-closure rate.

Since the mode switch is used to connect appropriate sensors into the RPS logic depending upon the operating state of the reactor, the selection of particular contacts to perform this logic operation is an appropriate means for obtaining the desired function.

Since the intent of the turbine stop valve closure trip and control valve fast closure trip operating bypass is to permit continued reactor operation at low power levels when the turbine stop or control valves are closed, the selection of turbine first stage pressure is an appropriate variable for this bypass function. In the power range of reactor operation, turbine first stage pressure is essentially linear with increasing reactor power. Consequently, this variable provides the desired measurement of power level.

Due to the manual action required for scram discharge volume high water level trip bypass, this design requirement is satisfied by operator interaction with a single bypass switch and the mode switch.

7.2.2.1.2.3.1.9 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9)

During reactor operation, one sensor for each of the following RPS trip variables may be valved out-of-service at a time to perform testing under administrative control. During this test, operation of the sensor and the RPS trip channel may be confirmed. At the conclusion of the test, administrative control must be used to ensure that the sensor has been properly returned to service:

a) Scram discharge volume high water level trip
b) Reactor vessel low water level trip
c) Drywell high pressure trip
d) Reactor vessel high pressure trip

The scram discharge volume level sensors may be tested by using the locked instrument valves in proper sequence in conjunction with quantities of demineralized water. The test procedure is similar to the calibration procedure for this variable.

The main steamline isolation valve position switches are tested during valve movements which cause the limit switches to operate at the setpoint value of the valve position.

The logic of four MSIV instrument channel logics is as follows:

A1 (tripped) = Inboard or outboard valve partially closed in MS-A, and inboard or outboard valve partially closed in MS-B
A2 (tripped) = Inboard or outboard valve partially closed in MS-C, and inboard or outboard valve partially closed in MS-D
B1 (tripped) = Inboard or outboard valve partially closed in MS-A, and inboard or outboard valve partially closed in MS-C
B2 (tripped) = Inboard or outboard valve partially closed in MS-B, and inboard or outboard valve partially closed in MS-D

For any single valve closure test, two of the eight instrument channels will be placed in a tripped condition, but none of the channel logics will be tripped, and no RPS annunciation or computer logging will occur. This arrangement permits single valve testing without corresponding tripping of the RPS. The observation that no RPS trips result is a valid and necessary test result.

At reduced power levels, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. For example, closure of one valve in Main Steamline A and another valve in Main Steamline B will produce an A1 Trip Logic trip and should not produce trips in B1 or B2 channel logic circuits. These observations are another important test result that confirms proper RPS operation.

In sequence, each possible combination of single valve closure and switch operation is performed to confirm proper operation of all eight instrument channels.

These test results confirm that the valve limit switches operate as the valves are manually closed.

The turbine stop valve position switches are also tested during valve movements which cause the limit switches to operate at the setpoint value.

The logic of the four turbine stop valve instrument channel logics is as follows:

A1 (tripped) = Turbine Stop Valve 1 partially closed, and Turbine Stop Valve 2 partially closed
A2 (tripped) = Turbine Stop Valve 3 partially closed, and Turbine Stop Valve 4 partially closed
B1 (tripped) = Turbine Stop Valve 1 partially closed, and Turbine Stop Valve 3 partially closed
B2 (tripped) = Turbine Stop Valve 2 partially closed, and Turbine Stop Valve 4 partially closed

For any single stop valve closure test, two of the eight instrument channels will be placed in a tripped condition, but none of the channel logics will be tripped, and no RPS annunciation or computer logging will occur. This arrangement permits single valve testing without corresponding tripping of the RPS, and the observation that no RPS trips result is a valid and necessary test result.

Although per design, the Turbine Stop Valve logic will allow for testing of TSVs in pairs, it is not desirable to test in this manner since it will lead to an EOC-RPT. Therefore, this feature is not used and stop valves are only tested individually.
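The MSIV and turbine stop valve channel logics listed above share one structure, and the stated test expectations (no channel logic trips on any single valve closure; one valve closed in MS-A plus one in MS-B trips A1 only) can be checked by enumeration. The following Python model is an added example, not part of the FSAR; valve labels such as "MS-A-inboard" and "TSV-1" are constructed for illustration, and the all-pairs table goes slightly beyond the single example the text gives.

```python
from itertools import combinations

# Channel-logic definitions transcribed from the section text.
# Each channel logic trips only when BOTH of its inputs are tripped (AND).
MSIV_LOGIC = {
    "A1": ("MS-A", "MS-B"),
    "A2": ("MS-C", "MS-D"),
    "B1": ("MS-A", "MS-C"),
    "B2": ("MS-B", "MS-D"),
}
TSV_LOGIC = {
    "A1": ("TSV-1", "TSV-2"),
    "A2": ("TSV-3", "TSV-4"),
    "B1": ("TSV-1", "TSV-3"),
    "B2": ("TSV-2", "TSV-4"),
}

# A steam-line input is tripped when its inboard OR outboard valve is
# partially closed. Valve labels are constructed for this example.
MSIV_VALVES = {
    line: (f"{line}-inboard", f"{line}-outboard")
    for line in ("MS-A", "MS-B", "MS-C", "MS-D")
}
# Each turbine stop valve is its own input.
TSV_VALVES = {f"TSV-{n}": (f"TSV-{n}",) for n in range(1, 5)}


def tripped_inputs(valves_by_input, closed):
    """Inputs with at least one partially closed valve (OR within an input)."""
    return {
        name
        for name, valves in valves_by_input.items()
        if any(v in closed for v in valves)
    }


def tripped_logics(logic, valves_by_input, closed):
    """Channel logics whose two inputs are both tripped, sorted by name."""
    inputs = tripped_inputs(valves_by_input, closed)
    return sorted(
        name for name, (x, y) in logic.items() if x in inputs and y in inputs
    )


def single_closure_trips(logic, valves_by_input):
    """Map every single-valve closure to the channel logics it trips."""
    all_valves = [v for vs in valves_by_input.values() for v in vs]
    return {v: tripped_logics(logic, valves_by_input, {v}) for v in all_valves}


def pair_closure_table(logic, valves_by_input):
    """For each pair of inputs (one valve closed in each), the logics tripped."""
    table = {}
    for a, b in combinations(sorted(valves_by_input), 2):
        closed = {valves_by_input[a][0], valves_by_input[b][0]}
        table[(a, b)] = tripped_logics(logic, valves_by_input, closed)
    return table


if __name__ == "__main__":
    for label, logic, valves in (
        ("MSIV", MSIV_LOGIC, MSIV_VALVES),
        ("TSV", TSV_LOGIC, TSV_VALVES),
    ):
        singles = single_closure_trips(logic, valves)
        print(f"{label}: single closures that trip a channel logic:",
              {v: t for v, t in singles.items() if t} or "none")
        for pair, trips in pair_closure_table(logic, valves).items():
            print(f"{label}: closure in {pair[0]} and {pair[1]} ->",
                  trips or "no channel logic tripped")
```

The pair table also shows that two of the six input pairings (MS-A with MS-D, MS-B with MS-C, and the corresponding stop valve pairs) trip no channel logic, which follows directly from the four equations as written.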

The turbine control valve fast closure oil pressure sensors may be tested during the routine turbine system tests. During any control-valve fast-closure test, one RPS instrument channel will be tripped and will produce both control room annunciation and computer logging of the instrument channel identification.

The four RPS instrument logics are arranged as follows:

A1 (tripped) = Pressure Switch A loss of oil pressure
A2 (tripped) = Pressure Switch C loss of oil pressure
B1 (tripped) = Pressure Switch B loss of oil pressure
B2 (tripped) = Pressure Switch D loss of oil pressure

During plant operation, the individual pressure switches may be valved out-of-service, and the turbine control system may be used to operate the turbine bypass valves so as to perform a periodic test of the RPS inputs and channel logic.

During reactor operation in the "Run" mode, the IRM detectors are stored below the reactor core in a low flux region. Movement of the detectors into the core will permit the operator to observe the instrument response from the different IRM channels and will confirm that the instrumentation is operable.

In the power range of operation, the individual LPRM detectors will respond to local neutron flux and provide the operator with an indication that these instrument channels are responding properly.

The APRM channels may also be observed to respond to changes in the gross power level of the reactor to confirm their operation.

Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input and each IRM instrument channel may be calibrated by introducing an external signal source into the amplifier input. The OPRM is an integral part of the APRM and is calibrated with the APRM.

During these tests, proper instrument response may be confirmed by observation of instrument lights in the control room and trip annunciators. Unnecessary actuation of the RPS trip logic can be prevented by use of an indicating jumper across the RPS Trip Channel logic input from the instrument channel under test. The jumper provides positive indication of channel operation when the bypassed instrument is actuated during the performance of maintenance, test, or calibration, and maintains the monitoring and trip function of the remaining portions of the RPS trip logic while this channel is removed from service.

7.2.2.1.2.3.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10)

The following RPS trip variables have provisions for sensor test and calibration during reactor operation in compliance with this design requirement:

a) Reactor vessel low water level trip
b) Neutron monitoring (APRM) system trip
c) Neutron monitoring (IRM) system trip
d) Drywell high pressure trip
e) Reactor vessel high pressure trip
f) Neutron monitoring (OPRM) system trip

The reactor water level indicating switches can be calibrated during normal plant operation or during shutdown. The switches are valved out of service and a test source, using operational process fluid (demineralized water in this case), applies a differential pressure across the switches. Pressures are analogous to those corresponding to reactor water levels over the instrument's range. The same procedure is used for both setpoint and indication calibration.

A test of the scram discharge volume water level sensors and trip units can be performed during full power operation. At plant shutdown, the level switches may be calibrated by introducing a fixed volume of water into the discharge volume and observing that all level switches and trip units operate at the specified levels.

During plant operation, the operator can confirm that the main steamline isolation and turbine stop valve limit switches operate during valve motion, from full open to full closed and vice versa, by comparing the time that the RPS trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fully open and fully closed. This test does not confirm the exact setpoint, but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. During reactor shutdown, calibration of the main steam line isolation and turbine stop valve limit switch setpoint at a valve position of 10% closure is possible by physical observation of the valve stem.

During reactor operation, a test of the individual EHC oil line pressure sensors when the plant is operating above 26% of rated power may be accomplished by valving one sensor out-of-service at a time. Actual calibration of the setpoint can only be accomplished at plant shutdown.

The APRMs are calibrated to reactor power by using a reactor heat balance and the (TIP) system to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined.

The gain-adjustment-factors for the LPRMs are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These adjustments, when incorporated into the LPRMs, permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power.

During reactor operation, one manual scram pushbutton may be depressed to test the proper operation of the switch, and once the RPS has been reset, the other switches may be depressed to test their operation one at a time. For each such operation, a control room annunciation will be initiated and the process computer will print the identification of the pertinent trip.

In the startup and run modes of plant operation, procedures may be used to confirm that scram discharge volume high water level trip channels are not bypassed as a result of the operating bypass switch. In the shutdown and refuel modes of plant operation, a similar procedure may be used to bypass all four trip channels. Due to the discrete "ON-OFF" nature of the bypass function, calibration is not meaningful.

Administrative control must be exercised to valve one turbine first stage pressure sensor out-of-service for the periodic test. During this test, a variable pressure source may be introduced to operate the sensor at the setpoint value. When the condition for bypass has been achieved on an individual sensor under test, the control room annunciator for this bypass function will be initiated. If the RPS trip channel associated with this sensor had been in its tripped state, the process computer will log the return to normal state for the RPS trip logic. When the plant is operating above 26% of rated power, testing of the turbine stop valve and control valve fast closure trip channels will confirm that the bypass function is not in effect.

Operation of the reset switch following a trip of one RPS trip system will confirm that the switch is performing its intended function. Operation of the reset switch following trip of both RPS trip systems will confirm that all portions of the switch and relay logic are functioning properly since half of the control rods are returned to a normal state for one actuation of the switch.

A manual scram and test switch permits each individual trip logic, trip actuator, and trip actuator logic to be tested on a periodic basis. Testing of each process sensor of the protection system also affords an opportunity to verify proper operation of these components. Calibration of the time response of the trip channel relays and trip actuators may be accomplished by connection of external test equipment to test points provided in the RPS control room panels in addition to the process computer sequential annunciation output log.

7.2.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11)

The following RPS trip variables have no provision for channel bypass or removal from service because of the use of valve position limit switches as the channel sensor:

a) Main steamline isolation valve closure trip
b) Turbine stop valve closure trip

During periodic test of any one main trip channel, a sensor may be valved out-of-service and returned-to-service under administrative control procedures. Since only one sensor is valved out-of-service at any given time during the test interval, protective capability for the following RPS trip variables is maintained through the remaining instrument channels:

c) Scram discharge volume high water level trip
d) Turbine control valve fast closure trip
e) Reactor vessel low water level trip
f) Drywell high pressure trip
g) Reactor vessel high pressure trip

A sufficient number of IRM channels has been provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the IEEE 279 design requirements.

One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be bypassed at any time. In order to accommodate a single failure of this bypass switch, electrical interlocks have also been incorporated into the bypass logic to prevent bypassing of more than one IRM in that trip system at any time. Consequently, with any IRM bypassed in a given trip system, at least two and generally three IRM channels remain in operation to satisfy the protection system requirements.

One manual APRM bypass switch is provided for all four APRM channels. This is a mechanical/optical switch which allows only one APRM channel to be bypassed at any time.

This interlock is accomplished independently in each of the APRM/OPRM 2-out-of-4 Voter channels. With any one APRM channel bypassed, the three remaining operating channels provide the necessary protection of the reactor. Bypassing an APRM channel bypasses both the APRM and OPRM trips from that channel. None of the APRM/OPRM 2-out-of-4 Voter channels can be bypassed.

The use of four banks of contacts for the mode switch permits any RPS trip channel which is connected into the mode switch to be periodically tested in a manner that is independent of the mode switch itself. Consequently, for any stated position of the mode switch, a sufficient number of trip channels will remain operable during the periodic test to fulfill this design requirement.

Movement of the mode switch handle from one position to another will disconnect all redundant channels associated with the former position and will connect all redundant channels pertinent to the latter position. In this manner, the mode switch complies with this design requirement.

Since actuation of one manual scram pushbutton places its RPS trip system in a tripped condition, it is in compliance with this design requirement.

7.2.2.1.2.3.1.12 Operating Bypasses (IEEE 279-1971, Paragraph 4.12)

The following RPS trip variables have no provision for an operating bypass (i.e., removal of the protective capability for all channels of the RPS trip variable):

a) Reactor vessel low water level trip
b) Neutron monitoring (APRM) system trip
c) Drywell high pressure trip
d) Reactor vessel high pressure trip

An operating bypass of the scram discharge volume high water level trip is provided in the control room for the operator to bypass the trip outputs in the shutdown and refuel modes of operation.

Control of this bypass is achieved through administrative procedures, and its only purpose is to permit reset of the RPS following reactor scram. The bypass is manually initiated and must be manually removed to commence withdrawal of control rods after a reactor shutdown.

An operating bypass is provided for the main steamline isolation valve closure trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in the shutdown, refuel, or startup positions. The only purpose of this bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the main steamline isolation valves not fully open.

For each of these operating bypasses, four independent bypass channels are provided through the mode switch to assure that all of the protection system criteria are satisfied.

An operating bypass of the turbine stop valve and control valve fast closure trip is provided whenever the turbine is operating at an initial power level below 26% of rated power. The only purpose of the bypass is to permit the reactor protection system to be placed in its normal energized state for operation at low power levels with the turbine stop valves not fully open.

During normal plant operation above 26% of rated power, the bypass circuitry is in its passive, de-energized state. At these conditions, removal of the bypass for periodic test is permitted since it has no effect on plant safety. Under plant conditions below 26% of rated power, one bypass channel may be removed from service at a time without initiating protective action or affecting plant safety. This removal from service is accomplished under administrative control of plant personnel.

When operating in the run mode, the IRM system is bypassed by the mode switch.

OPRM Trips are enabled when the plant is operated at the power and core flow boundary specified in the Technical Specification. OPRM trips are disabled when the plant is not within those boundaries.

7.2.2.1.2.3.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13)

The control room operator must exercise administrative control over the valving out-of-service of one RPS trip variable sensor at a time. Once a sensor has been removed from service and a simulated test signal has been introduced in excess of the setpoint, a control room annunciator will indicate the tripped condition and the process computer will provide a typed record of the channel identification.

When any IRM or APRM instrument channel output to the RPS is bypassed, this fact is indicated by lights for each channel located on the main control room panels.

Operating bypasses are annunciated in the main control room. The discharge volume high water level trip operating bypass, the main steamline isolation valve closure trip operating bypass, and the turbine stop and control valve fast-closure trips operating bypass are individually annunciated to the operator.

Control and tracking of trip channels taken out of service is described in Section 7.2.2.1.1.1.8.

Bypassing is not allowed in the trip logic or actuator logic.

7.2.2.1.2.3.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14)

All instrumentation valves associated with the periodic testing of individual RPS trip variable sensors are under administrative control of the operator.

Manual bypassing of any IRM, OPRM or APRM channel is accomplished with control room selector switches under the administrative control of the operator.

Manual controls for the scram discharge volume high water level trip operating bypass and the main steam line isolation valve closure trip operating bypass are located in the control room, and are under the direct administrative control of the operator. Manual keylock switches are used to control these operating bypasses.

The mode switch is a keylock switch under the administrative control of plant personnel. Since other controls must be operated or other sensors must be in an appropriate state to complete the operating bypass logic, the mode switch itself satisfies this requirement.

Under normal operating conditions, all four channels of the turbine stop valve closure trip and control valve fast closure trip operating bypass are in operation and will be automatically removed from service as reactor power is increased above the 26% setpoint and automatically reinstated as reactor power is reduced below this same setpoint. During periodic tests of each bypass channel, one sensor will be removed from service under administrative control.

7.2.2.1.2.3.1.15 Multiple Setpoints (IEEE 279-1971, Paragraph 4.15)

The design requirement is not applicable to the following RPS trip variables because the setpoint values are fixed and do not vary with other reactor or plant parameters:

a) Scram discharge volume high water level trip
b) Main steamline isolation valve closure trip
c) Turbine stop valve closure trip
d) Turbine control valve fast closure trip
e) Reactor vessel low water level trip
f) Drywell high pressure trip
g) Reactor vessel high pressure trip
h) Neutron monitoring (OPRM) system trip

The trip setpoint of each IRM channel is established at the 95% of full scale mark for each range of IRM operation. The IRM is a linear, half-decade per range instrument. Therefore, as the operator switches an IRM from one range to the next, the trip setpoint tracks the operator's selection. In the startup mode, the APRM Neutron Flux - High trip is automatically changed to the setdown value, nominally 18% of Rated Thermal Power.

In the transition from the "Startup" to the "Run" mode of operation, the reactor system mode switch is used to convert from IRM and APRM protection to APRM protection.

In the run mode, the APRM Simulated Thermal Power - High trip is automatically varied in relation to recirculation flow. The flow sensors are Class 1E. The setpoint never exceeds 120% of rated neutron flux. For further discussion of the setpoint variation, refer to Subsection 7.6.1a.5.

Each of these multiple setpoint provisions is a portion of the reactor protection system and complies with the design requirements of IEEE 279.

Operation of the mode switch from one position to another imposes different RPS trip channels into the RPS logic in accordance with the reactor conditions implied by the given position of the mode switch. This action does not influence the established setpoint of any given RPS trip channel, but merely connects one set of channels as another set are disconnected. Consequently, the mode switch meets this design requirement.

7.2.2.1.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE 279-1971, Paragraph 4.16)

It is only necessary that the instrument channel remain in a tripped condition for a sufficient length of time to de-energize the scram contactors and open their seal-in contacts. Once this action is accomplished, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the instrument channel that initiated the sequence of events.

Once the manual scram push buttons are depressed, it is only necessary to maintain them in that condition until the scram contactors have de-energized and opened their seal-in contacts. At this point, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the manual scram push buttons.

The function of the mode switch is to provide appropriate RPS trip channels for the RPS trip logic on a steady-state basis for each of four given reactor operating states: shutdown, refuel, startup, and run. Protective action, in terms of the needed transient response, is derived from the other portions of the trip channels independent of the mode switch. Hence, the mode switch does not influence the completion of protective action in any manner.

The turbine operating bypass is put into effect only when the turbine first-stage pressure is at or below a preset level. For plant operation above this setpoint, the trip channels initiate protective action once the scram contactors have de-energized and opened the seal-in contact.

The trip actuator is normally energized and is sealed in by one of the power contacts to the trip logic string. Once the trip logic string has been open-circuited as a result of a process sensor trip channel becoming tripped or the depression of a manual scram pushbutton, the scram contactor seal-in contact opens, and completion of protective action is directed without regard to the state of the initiating process sensor trip channel. The interface of the RPS trip logic and the trip actuators ensures that this design requirement is accomplished.

Reset of the RPS logic is permissible only after a 10-second time delay and requires deliberate operator action.

7.2.2.1.2.3.1.17 Manual Actuation (IEEE 279-1971, Paragraph 4.17)

Four manual scram pushbutton controls are provided on one main control room panel to permit manual initiation of reactor scram at the system level. The four manual scram pushbuttons (one in each of the four RPS trip logics) comply with this design requirement. The logic for the manual scram is one-out-of-two twice. Failure of an automatic RPS function cannot prevent the manual portions of the system from initiating the protective action.

Additional back-up to these manual controls is provided by the Shutdown position of the Reactor System Mode Switch and by the electrical power controls associated with the RPS M-G sets.

No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram.

7.2.2.1.2.3.1.18 Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971, Paragraph 4.18)

Access to setpoint adjustments, calibration controls, and test points for the RPS trip variables which are listed in Subsection 7.2.2.1.2.3.1.1 is under the administrative control of plant operations supervisory personnel.

7.2.2.1.2.3.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19)

When any one of the redundant sensors exceeds its setpoint value for the following RPS trip variables, a main control room annunciator is initiated to identify the particular variable:

a) Scram discharge volume high water level trip
b) Turbine control valve fast closure trip
c) Reactor vessel low water level trip
d) Neutron monitoring (APRM) system trip
e) Neutron monitoring (IRM) system trip
f) Drywell high pressure trip
g) Reactor vessel high pressure trip
h) Neutron monitoring (OPRM) system trip

Identification of the particular trip channel exceeding its setpoint is accomplished as a typed record from the process computer or visual observation of the relay contacts at the RPS panels.

When any manual scram pushbutton is depressed, a control room annunciation is initiated and a process computer record is produced to identify the tripped RPS trip logic.

Identification of the mode switch in shutdown position scram trip is provided by the manual scram and the process computer trip logic identification printout, and the mode switch in shutdown position annunciator.

Partial or full closure of any main steamline isolation or turbine stop valve causes a change in the status of position indicator lights in the control room. These indications are not a part of the reactor protection system but they do provide the operator with valid information pertinent to the valve status. Partial or full closure of one or both valves in a particular set of two main steamlines will initiate a control room annunciator when the trip setpoint has been exceeded. Partial or full closure of two or more turbine stop valves will initiate a control room annunciator when the trip point has been exceeded. This same condition will permit identification of the tripped channels in the form of a typed record from the process computer or by visual observation of the relay contacts at the RPS panels.

Neutron monitoring system annunciators provided in the control room indicate the source of the RPS trip. The process computer provides a typed record of the tripped neutron monitoring system channel as well as identification of individual IRM, OPRM and APRM channel trips. Each instrument channel, whether IRM, OPRM or APRM, has control room panel lights indicating the status of the channel for operator convenience.

Two control room annunciators are provided to identify the tripped portions of the RPS auto scram in addition to the previously described trip channel annunciators:

a) A1 or A2 trip logics tripped
b) B1 or B2 trip logics tripped

These same functions are connected through independent auxiliary contacts of the scram relays to the NSSS process computer to provide a typed record of the relay operations.

7.2.2.1.2.3.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20)

The data presented to the control room operator for each of the RPS trip variables which are listed in Subsection 7.2.2.1.2.3.1.1 complies with this design requirement.

7.2.2.1.2.3.1.21 System Repair (IEEE 279-1971, Paragraph 4.21)

During periodic testing of the sensor channels for the following RPS trip variables, the operator can determine any defective component and have it replaced during plant operation:

a) Scram discharge volume high water level trip
b) Turbine control valve fast closure trip
c) Reactor vessel low water level trip
d) Drywell high pressure trip
e) Reactor vessel high pressure trip

During reactor operation, the control room operator will be able to determine failed sensors for the following RPS trip variables, but subsequent repair can only be accomplished during reactor shutdown:

g) Main steamline isolation valve closure trip
h) Turbine stop valve closure trip
i) Neutron monitoring (APRM) system trip
j) Neutron monitoring (IRM) system trip
k) Neutron monitoring (OPRM) system trip

Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the neutron monitoring system may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair.

7.2.2.1.2.3.1.22 Identification of Protection Systems (IEEE 279-1971, Paragraph 4.22)

Each system cabinet is marked with the words "Reactor Protection System" and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified specifically as Reactor Protection System Wiring. An identification scheme is used to distinguish between redundant cables and raceways. Redundant racks are identified by the identification marker plates of instruments on the racks. Control room panels are identified by tags on the panels, which indicate the function and identify the contained logic channels.

7.2.2.1.2.3.2 IEEE 308-1974 Criteria for Class 1E Electric Systems - does not apply to the RPS. The RPS is fail safe and its power supplies are thus unnecessary for scram. A total loss of power will cause a scram. A loss of one power source will cause a trip system trip.

7.2.2.1.2.3.3 IEEE 317 - 1972

Refer to Section 3.13.

7.2.2.1.2.3.4 Intentionally Blank.

7.2.2.1.2.3.5 IEEE 336 - 1971

Refer to Section 3.13.

7.2.2.1.2.3.6 IEEE 338 - 1971 Periodic Testing of Protection Systems - is complied with by being able to test the RPS from sensors to final actuators at any time during plant operation. The test must be performed in overlapping portions.

7.2.2.1.2.3.7 IEEE 344 - 1971 Seismic Qualification of Class 1 Electric Equipment requirements are satisfied by all Class 1 RPS equipment as described in Section 3.10a.

7.2.2.1.2.3.8 IEEE 379 - 1972 Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems - requirements are satisfied by consideration of the different types of failure and carefully designing all potential violations of the single-failure criterion out of the system.

7.2.2.1.2.3.9 IEEE 384 - 1974

This standard requires that instrumentation be located in separate cabinets or compartments of a cabinet. Subsection 7.2.1.1.4.7 discusses physical and electrical separation of components and instrumentation in panels associated with the Reactor Protection System. The separation provided meets the requirements of IEEE 279-1971, paragraph 4.6.

Additionally, the standard requires that redundant sensors and their connections to the process system be sufficiently separated to assure that functional capability of the protection system will be maintained despite any single design basis event or resulting effect.

The effects of design basis events on sensors and sensing lines are discussed in Subsection 7.2.1.2.8. Redundant pressure taps are located at widely divergent points around the reactor vessel. The sensing lines are routed to the sensors through separate penetrations in the primary containment. Redundant sensors are located on separated racks outside the primary containment. The location and routing of sensors, sensing lines, and pressure taps meet the requirements of IEEE 279-1971, paragraph 4.6.

The discussion of compliance with the separation requirements of IEEE 384-1974 for Class 1E power supplies for the RPS is provided in Section 3.13.

7.2.2.1.2.4 Conformance to NRC Branch Technical Positions

7.2.2.1.2.4.1 Branch Technical Position EICSB 10

Seismic qualification requirements of all Class 1E RPS equipment are satisfied as described in Section 3.10a.

7.2.2.1.2.4.2 Branch Technical Position EICSB 21

Indication is provided to inform the operator that a system is inoperable as described in 7.2.2.1.2.1.5.

7.2.2.1.2.4.3 Branch Technical Position EICSB 22

The system is designed so that it may be tested during plant operation from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram will not occur as a result of the testing. There is no actuated equipment in the system which is not tested during plant operation.

7.2.2.1.2.4.4 Branch Technical Position EICSB 26

Anticipating or "backup" trips for the system do comply with the requirements of IEEE Std. 279-1971 as discussed in Subsection 7.2.2.1.2.3.1.

7.2.2.1.3 Additional Design Considerations Analyses

7.2.2.1.3.1 Spurious Rod Withdrawals

Spurious control rod removal will not normally cause a scram. A control rod withdrawal block may occur, however. Rod block is discussed in Subsection 7.6.1a.6 and is not part of the RPS. A scram will occur, however, if the spurious control rod withdrawal causes the average flux to exceed the trip setpoint.

7.2.2.1.3.2 Loss of Plant Instrument Air System

Loss of plant instrument air will cause the control rods to drift in, resulting in a scram.

7.2.2.1.3.3 Loss-of-Cooling Water to Vital Equipment

There is no loss-of-cooling water which will affect the RPS.

7.2.2.1.3.4 Plant Load Rejection

Electrical grid disturbances could cause a significant loss of load which would initiate a turbine-generator overspeed trip and control valves fast closure resulting in a reactor scram. The reactor scram occurs to anticipate an increase in reactor vessel pressure due to shutting off the path of steam flow to the turbine. Any additional increase in pressure will be prevented by the safety/relief valves which will open to relieve reactor pressure and close as pressure is reduced. The reactor core isolation cooling (RCIC) or high pressure coolant injection (HPCI) systems will automatically actuate and provide vessel makeup water if required.

The fuel temperature or RCPB thermal/hydraulic limits are not exceeded during this event as described in Chapter 15.

7.2.2.1.3.5 Turbine Trip

Initiation of turbine trip by the turbine system closes the turbine stop valves initiating a reactor scram. The reactor scram anticipates an increase in reactor pressure due to turbine stop valves closure. Any additional increase in reactor vessel pressure will be prevented by the safety/relief valves which will open to relieve reactor vessel pressure and close as pressure is reduced. The RCIC and HPCI will automatically actuate and provide vessel makeup water if low water level occurs.

Initiation of turbine trip by loss of condenser vacuum causes simultaneous closure of the turbine stop valves and main steam isolation valves initiating a reactor scram.

The fuel temperature or RCPB thermal/hydraulic limits are not exceeded during these events as described in Chapter 15.

7.2.3 ALTERNATE ROD INJECTION SYSTEM

7.2.3.1 System Description

7.2.3.1.1 Identification

The Alternate Rod Injection (ARI) system consists of two divisionally separate trip systems which will depressurize the Control Rod Drive (CRD) scram air header on receipt of automatic or manual initiating signals. The net effect of this system is similar to the rapid shutdown effected by the Reactor Protection System backup scram valves. This system also isolates the scram discharge volume vent and drain lines. Each trip system shares its automatic initiation signals with the ATWS-Recirculation Pump Trip (ATWS-RPT) system, has manual initiation capability as well as operator trip system reset control in the main control room, and provides annunciator, process computer, and Transient Monitoring System (TMS) inputs on actuation. Electrical maintenance bypasses for each ARI trip system and for the associated ATWS-RPT trip systems are provided to allow system testing while at power operation; each bypass is continuously alarmed in the main control room.

7.2.3.1.2 Classification

The ARI system is classified as a safety Class 2, with the exception of valve position indications, annunciator, process computer, and TMS outputs. Although not designed as a Seismic Category I, the ARI system is designed to withstand an Operating Basis Earthquake.

ARI is a balance of plant Class 1E system, but shall not be considered an Engineered Safety Feature (ESF) as defined by Table 1.8. Except where specifically noted, the ARI trip system complies with the requirements of IEEE Std. 279-1971.

7.2.3.1.3 Power Sources

ARI is powered from divisionally separate 125 VDC 1E power supplies. ARI trip capability will be continuously available during a loss of offsite power.

7.2.3.1.4 Equipment Design

7.2.3.1.4.1 General

ARI trip systems are distinguished by their associated electrical division, Division 1 and Division 2.

Division 1 derives its automatic trip signals from process sensors with suffix A and C; Division 2 derives from sensors with suffix B and D.

Each trip system energizes two two-way solenoid valves. One valve serves to block the instrument air supply to the scram air header, the second opens a vent path for blowdown of the header which allows the CRD hydraulic system scram valves to open, rapidly inserting the control rods in the normal manner.

The divisionally separate block valves are arranged in parallel, each allowing 100% normal flow to the scram air header. The divisionally separate vent valves are arranged in series, allowing either vent valve to open for testing without venting the header.

Tripping both trip systems vents the air header which effectively inserts the control rods in the event that the RPS failed to do so, either by the normal scram pilot valves or by the existing backup scram valves. ARI will not interfere in any way with the normal scram process via the RPS system.

To restore an ARI trip system to normal operation following any single trip system actuation, the control room operator actuates a reset switch following a 25 second time delay. Following an ARI scram, where both trip systems have actuated, the operator must reset both trip systems by separate switches following a 25 second delay from actuation of the last of the two trip systems to trip (i.e., 25 seconds from when an ARI scram air header blowdown has been initiated).

7.2.3.1.4.2 Initiating Circuits

7.2.3.1.4.2.1 Input Parameter Selection

The selection of input parameters for ARI trip system actuation was based on ARI being an ATWS, not accident, mitigation system, and on the requirement that the design include prevention of unnecessary challenges to the safety system as a primary consideration. This second requirement leads to the requirement that the number of input parameters be kept to an absolute minimum.

RPV Pressure and Level - These parameters are direct indications of an ATWS event and are expected to exceed operating levels in an ATWS event which occurs at any operating power level.

MSIV closure - This is only applicable at high RPV pressures. Therefore, MSIV closure can be expected to increase pressure which will lead to ARI actuation. This parameter would constitute an unnecessary duplication of the RPV pressure input.

Primary Containment High Pressure - This parameter is indicative of an accident and therefore not required.

SDV High Water Level - This would be needed if there was an equipment failure causing an increase in SDV level and failure of the operator to take corrective action coincident with the transient and RPS failure. The probability of this sequence is judged to be sufficiently small to warrant exclusion of this parameter, particularly given the SDV level detection improvements made per 1E Bulletin 80-16.

Power (Neutron) Level - There is a close correlation between power level and RPV pressure. Therefore the RPV pressure input can be used to indicate a power excursion transient.

Loss of Offsite Power - The RPS scram on loss of off-site power is anticipatory in nature in that the power loss does not directly affect the core. Rather, equipment loss is expected to lead to vessel level reduction and/or a pressure increase. Since both of these parameters are included in ARI, duplication is unnecessary.

Manual Initiation - Manual initiation is provided in keeping with the plant operating and design philosophy, and in keeping with compliance with IEEE-279 (1971) standards for the ARI trip system.

7.2.3.1.4.2.2 Reactor Steam Dome Pressure - High

ARI utilizes reactor steam dome pressure instrumentation installed for ATWS-RPT. Each trip system measures reactor pressure at two locations. Instrument sensing lines penetrate containment and terminate in the reactor building at a non-indicating pressure switch. ARI shares the pressure switch output with the ATWS-RPT trip system up to and including the first trip channel relay. ARI derives a trip signal from that relay; cables from these local relays are routed to local, divisionally separate control and relay panels. At this point the separate pressure switch channels combine into the ARI trip system.

Single failure protection and diversity for the reactor pressure high signals are not required. See Subsection 7.2.3.1.4.5.

7.2.3.1.4.2.3 Reactor Vessel Water Level-Low

Reactor vessel water level is sensed by indicating differential pressure switches which sense the difference in pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The level switches are arranged on two sets of taps, with the reference leg shared with the reactor pressure sensors, and the variable leg on the wide range tap.

The sensing lines penetrate containment and are terminated at the level switches located in the reactor building.

The switch output is taken by cable directly to the local divisionally separate control and relay panels. At this point the separate level switch channels combine into the ARI trip system.

Single failure protection and diversity for the reactor water level-low signals are not required. See Subsection 7.2.3.1.4.5.

7.2.3.1.4.2.4 Manual Trip

The ARI trip system can be initiated manually from the main control room. There are two divisionally separate armed pushbutton switches located on the ECCS benchboard, which are adjacent to controls for the CRD hydraulic system and the Standby Liquid Control system. This provides a single location for operator control for all ATWS mitigation systems.

To initiate a manual scram, each pushbutton switch must be armed and depressed. Arming each pushbutton will activate an annunciator. The signal for each switch will be taken by cable to the local (Reactor Building) divisionally separate relay and control panel. At this point the manual trip channels combine into the ARI trip system.

7.2.3.1.4.3 Logic

The basic logic for the ARI trip system is illustrated in Figure 7.2-10. This system consists of two divisionally separate trip systems, each of which will trip on coincidental occurrence of two reactor low level signals or two reactor steam dome high pressure signals or on actuation of the manual initiation armed pushbutton switch. Both trip systems must actuate to produce an ARI scram. The overall logic for ARI can be considered two out of two taken twice. This trip system is not required to be single failure proof. See Section 7.2.4.1.1.2.

The ARI vent valves are sized such that the scram air header will depressurize rapidly enough that all control rods will have initiated their scram motion no later than 15 seconds from receipt of the trip signal.

The ARI trip system adds diversity to the trip logic of the existing RPS system (Subsection 7.2.3.1.4.5). ARI is an energize to actuate 125 VDC trip system, providing a reactor trip actuation by a different operating principle from RPS. ARI contains no diversity or redundancy within itself.

Channel and logic relays are fast-response, high reliability relays. Power relays for energizing the block and vent valve solenoid coils have high current carrying capabilities and are highly reliable.

ARI reset momentarily de-energizes the ARI trip and logic seal-in relay. If a single trip system has tripped, this reset may be effected after a 25 second time delay from the time of actuation. If both trip systems have tripped, this reset may be effected only after both trip systems' time delays have expired. This allows all control rods to fully insert before the logic reset can be effected.
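
The trip logic and reset interlock of Subsection 7.2.3.1.4.3, as an added illustrative model in Python; it is not part of the FSAR and is not plant software. The division labels, sensor indexing and all class and function names are assumptions; the two-sensors-per-parameter-per-division split follows Table 7.2-4, and the seal-in is simplified to a latch that holds until reset.

```python
"""Simplified model of the ARI trip logic and reset interlock (illustrative only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESET_DELAY_S = 25.0            # reset time delay stated in Subsection 7.2.3.1.4.3
DIVISIONS = ("I", "II")         # assumed labels for the two trip systems
PARAMETERS = ("level_low", "pressure_high")
# Table 7.2-4: 4 + 4 sensors, evenly divided -> 2 per parameter per division.
SENSORS = [(d, p, i) for d in DIVISIONS for p in PARAMETERS for i in (0, 1)]

Sensor = Tuple[str, str, int]
Signals = Dict[Sensor, bool]    # True = channel tripped


def no_demand() -> Signals:
    return {s: False for s in SENSORS}


def real_demand(parameter: str) -> Signals:
    """All four sensors of one parameter tripped, every other sensor quiet."""
    return {s: s[1] == parameter for s in SENSORS}


@dataclass
class TripSystem:
    division: str
    bypassed: bool = False                  # keylocked test/maintenance bypass
    sealed_in_at: Optional[float] = None    # time the seal-in picked up

    @property
    def tripped(self) -> bool:
        return self.sealed_in_at is not None

    def update(self, now: float, sig: Signals, armed: bool, pressed: bool) -> None:
        two_of_two = any(
            sig[(self.division, p, 0)] and sig[(self.division, p, 1)]
            for p in PARAMETERS
        )
        manual = armed and pressed          # arming alone only annunciates
        if (two_of_two or manual) and not self.bypassed and not self.tripped:
            self.sealed_in_at = now


class ARI:
    def __init__(self) -> None:
        self.systems = {d: TripSystem(d) for d in DIVISIONS}

    @property
    def scram(self) -> bool:
        """Both trip systems must actuate: two out of two taken twice."""
        return all(ts.tripped for ts in self.systems.values())

    def update(self, now: float, sig: Signals,
               manual: Optional[Dict[str, Tuple[bool, bool]]] = None) -> bool:
        manual = manual or {}
        for d, ts in self.systems.items():
            armed, pressed = manual.get(d, (False, False))
            ts.update(now, sig, armed, pressed)
        return self.scram

    def reset(self, now: float) -> bool:
        """Reset is refused until every tripped system's delay has expired."""
        tripped = [ts for ts in self.systems.values() if ts.tripped]
        if any(now - ts.sealed_in_at < RESET_DELAY_S for ts in tripped):
            return False
        for ts in tripped:
            ts.sealed_in_at = None
        return True


def spurious_scram_faults() -> List[Sensor]:
    """Single sensors that, stuck tripped with no real demand, cause a scram."""
    found = []
    for s in SENSORS:
        sig = no_demand()
        sig[s] = True
        if ARI().update(0.0, sig):
            found.append(s)
    return found


def blocking_faults(parameter: str) -> List[Sensor]:
    """Single sensors that, stuck untripped, block the scram on a real demand."""
    found = []
    for s in SENSORS:
        sig = real_demand(parameter)
        sig[s] = False
        if not ARI().update(0.0, sig):
            found.append(s)
    return found


if __name__ == "__main__":
    print("spurious:", spurious_scram_faults())
    print("blocking (level):", blocking_faults("level_low"))
    ari = ARI()
    ari.update(0.0, real_demand("pressure_high"))
    print("scram:", ari.scram, "reset@10s:", ari.reset(10.0), "reset@25s:", ari.reset(25.0))
```

In this model no single stuck-tripped sensor produces a scram, while any one of the four sensors of the demanded parameter failing to trip blocks it, which is the sense in which the text describes ARI as protected against spurious scrams but not single failure proof.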

7.2.3.1.4.4 ARI Operating and Maintenance Bypasses There are no operating bypasses in the ARI system.

A bypass is provided in each trip system for system testing and maintenance. This bypass is effected from the local relay and control panel via keylocked switches. ARI bypasses are continuously alarmed in the control room.

ARI is inoperable when either trip system is bypassed or is otherwise inoperable.

Such bypasses are necessary to minimize the possibility of a spurious scram while at power.

Without a maintenance and testing bypass, ARI is vulnerable to a spurious trip as a result of single electrical failure while the maintenance or testing activity is under way.

Bypasses are also provided for the associated division of the ATWS-Recirculation Pump Trip System (ATWS-RPT). The ATWS-RPT bypasses will prevent ATWS-RPT actuation while testing the associated ARI trip system. ATWS-RPT is a divisionally redundant system; actuation of either ATWS-RPT system is sufficient to trip both recirculation pumps (Ref. Fig. 7.7-7). Without these bypasses, ARI system testing would trip both recirculation pumps.

The ARI and ATWS-RPT bypasses are not expected to be used more often than once a year.

Most bypasses for system testing are expected to occur during shutdown conditions.

Mechanical bypasses are provided to allow system maintenance while at power. Each bypass valve is keylocked in place. Manual bypass valve position indication is readily apparent by the orientation of the valve handle.

7.2.3.1.4.5 Redundancy and Diversity ARI is divisionally redundant for prevention of spurious scrams.

ARI is fully redundant to the Reactor Protection System, except that the actuating instrumentation described in 7.2.3.1.4.2 shares sensing lines with the RPS sensors monitoring these same process conditions (Subsection 7.2.1.1.4.2 paragraphs b and c). ARI is diverse from RPS in that the actuation logic operates on a different operating principle from RPS. Additional diversity is provided for the scram function within RPS and is not necessary within ARI.

7.2.3.1.4.6 Actuated Devices The actuation trip systems energize one scram air header vent valve and one scram air header block valve each. Energizing all four valves will depressurize the scram air header. This will allow the diaphragm on each scram pilot valve to lift, allowing the scram valves to open, allowing the control rods to insert in the normal manner.

Depressurizing the scram air header will also isolate the scram discharge volume (SDV) vent and drain isolation valves.

Reset of the ARI trip system will re-pressurize the scram air header. If RPS had also tripped, RPS must be reset in order to fully return the CRD scram system operability. Note that the converse is also true.

Reset of the ARI trip systems will also open the SDV vent and drain line isolation valves. Each of these valves will open in the proper order to prevent water hammer transients.

7.2.3.1.4.7 Separation Separation is maintained between ARI trip systems and between the ARI trip systems and RPS by following the separation requirements for divisional Balance of Plant 1E systems.

7.2.3.1.4.8 Testability ARI contains sufficient bypass capability and operational redundancy to be fully testable, from actuating instrumentation to final actuation device (scram air header vent and block valves) while at power. Testing may be done with ARI logic bypasses in place to minimize the chance for spurious scram, or it may be done without ARI bypass, which would impose a half scram and would allow an ATWS induced trip while testing. ARI testing which includes actuation of the process sensors requires the use of the ATWS-RPT bypasses while at power (reference Subsection 7.2.3.1.4.4).

7.2.3.1.5 Environmental Considerations All active components in the ARI trip systems are located in Reactor Building general access areas. The Reactor Building environment does not change appreciably in the time scale that ARI is expected to actuate. All components are designed to be installed in a normal industrial environment.

ARI is not required to be operable following a LOCA or High Energy Line Break. The ARI trip systems are electrically isolated from ESF systems powered from the same 1E 125 VDC power systems.

7.2.3.1.6 Operational Considerations 7.2.3.1.6.1 Reactor Operator Information 7.2.3.1.6.1.1 Indicators Each ARI scram valve (scram air header block and vent valve) provides position indication in the main control room. Successful ARI initiation is evidenced by existing scram air header pressure low pressure alarms and by the full core display and nuclear instrumentation, as well as by the ARI valve position indicators and system trip annunciators.

7.2.3.1.6.1.2 Annunciators Each ARI trip system produces an alarm when actuated. These alarms are located adjacent to the RPS scram alarms on the Unit Operating Benchboard. These alarms are derived from the ARI scram valve position switches.

Each ARI trip system manual scram pushbutton armed collar activates an annunciator when engaged. This alarm guards against inadvertent bypass of the protection against accidental manual initiation.

Each ARI trip system manual maintenance and testing electrical bypass activates an annunciator when engaged. Similarly, each ATWS RPT system bypass is annunciated when engaged. These alarms provide control room confirmation that the bypasses are invoked for testing and maintenance activities, and serve as constant indication that the bypasses are engaged.

Reset for all these alarms is not possible until the conditions causing the alarms have been cleared.

7.2.3.1.6.1.3 Computer Alarms 7.2.3.1.6.1.3.1 Process Computer System All ARI trip events are recorded by the process computer system. The process computer also records each ARI system trip.

Use of the computer alarm display is not required for plant safety.

7.2.3.1.6.1.3.2 Transient Monitoring System The ARI system trip alarms are recorded by the transient monitoring system (TMS). On Unit 2, separate trip system signals are combined within the TMS system to give an ARI scram point which triggers the TMS recording mode.

7.2.3.1.6.2 Reactor Operator Controls All operator controls are located on the ECCS benchboard, grouped together with other controls used for ATWS mitigation - Standby Liquid Control and Control Rod Drive Hydraulic System controls.

Operator controls consist of armed pushbutton switches for manual initiation and pushbutton switches for system reset. Manual controls are separate for the divisional trip systems.

7.2.3.1.6.3 Setpoints Automatic initiation of the ARI trip system is concurrent with the initiation of ATWS-RPT. Each system shares process instrumentation as described in Subsection 7.2.3.1.4.2.

a) Reactor Steam Dome Pressure - High The Reactor high pressure setting is consistent with the design objectives of the License Topical Report NEDE-31096-A. Setpoints were chosen so as to minimize the possibility for spurious ARI actuation due to setpoint drift below the RPS setting, and to maximize the probability that the ARI setpoint will not drift above more Reactor pressure vessel relief valve settings than would prevent reactor pressure from reaching the ARI trip setpoint.

b) Reactor Water Level - Low The Reactor low water level setting is consistent with the design objectives of the License Topical Report NEDE-31096-A. Setpoints were chosen so as to minimize the possibility for spurious ARI actuation due to setpoint drift above the RPS low water level setting.

c) Manual Trip Pushbuttons are located in the control room for manual ARI initiation as described in Subsection 7.2.3.1.6.2.

7.2.3.1.7 Control Panels ARI control panels are wall mounted enclosures located in a Reactor Building general access area, adjacent to the CRD Master Control Station. These panels are divisionally separate from each other and are also separate from all RPS logic and raceway. Each panel contains trip channel and trip system relays, trip channel status indication, power supply status indication, keylocked switches for ARI and ATWS-RPT bypass control, and isolation relays for system reset control.

Control room panels for ARI are described in Subsection 7.2.3.1.6.

7.2.3.1.8 Test Methods to Ensure ARI Reliability Per Subsection 7.2.3.1.4.8, ARI is fully testable while at power, from the actuating instrumentation up to and including the final actuation devices, the ARI scram air header block and vent valves.

Channel calibration, channel checks and channel functional tests will be performed periodically during operation.

7.2.3.2 Design Bases Design bases as required by IEEE-279-1971 Section 3 are referred to below. Full discussion of these bases is contained in the License Topical Report NEDE-31096-A.

7.2.3.2.1 Operating Conditions ARI is required to mitigate the effects of a failure of the Reactor Protection System to effectively shut down the reactor. This capability is required for all power levels. ARI is not required during or following LOCA or Safe Shutdown Earthquake events.

7.2.3.2.2 Variables See Subsection 7.2.3.1.4.2.

7.2.3.2.3 Sensors None of the above sensors have a spatial dependence.

7.2.3.2.4 Operational Limits Margins between ARI trip settings and operational limits are sufficient to assure (1) ARI will not trip before RPS has had a chance to do so, and (2) ARI will trip before HPCI injection is initiated and before the second bank of reactor vessel relief valves open, when the analysis accounts for instrument accuracies, calibration, and setpoint drifts.

7.2.3.2.5 Levels Requiring Protection Action ARI must mitigate the effects of an electrical ATWS. The conditions which will always occur in an ATWS are high reactor pressure or low vessel water level.

7.2.3.2.6 Ranges of Energy Supply and Environmental Conditions ARI is powered from 1E 125 VDC batteries. ARI is normally de-energized; loss of the 125 VDC power supply is alarmed in the control room.

Environmental conditions remain constant for all circumstances throughout which ARI is expected to perform.

7.2.3.2.7 Unusual Events ARI is only required to operate under circumstances related to an ATWS event. ARI is operable under all anticipated operational occurrences except those associated with a LOCA or SSE.

7.2.3.2.8 Performance Requirements ARI shall depressurize the CRD scram air header in order to insert all control rods and close the scram discharge volume vent and drain line isolation valves in the event that RPS has failed to do so.

All rods shall have begun insertion by 15 seconds from ARI initiation. Once initiated, the trip signals shall be sealed in long enough for successful completion of the ARI trip function. Additional performance requirements listed in NEDE-31096-A are met when this requirement is satisfied.

ARI shall not affect normal shutdown or scram discharge volume isolation by the RPS trip system.

7.2.3.3 Final System Drawings ARI system piping and control valves are shown on Dwg. M-146, Sh. 1. Initiating instrumentation is shown on Dwgs. M-141, Sh. 1, and M-141, Sh. 2. Channel and trip system initiation logic diagrams are provided in this section.

Detailed logic, circuit, cabinet and panel layout drawings are provided under a separate cover.

7.2.4 ARI ANALYSIS 7.2.4.1 ARI General Functional Requirements Conformance 7.2.4.1.1 Conformance to Design Basis Requirements 7.2.4.1.1.1 Design Bases 7.1.2a.1.30 ARI is designed to produce a reactor scram in a manner functionally equivalent to the RPS backup scram valves. It has been demonstrated by test that rod insertion occurs quickly enough to assure all rods will be fully inserted before the scram discharge volume fills with water when effected by a single RPS backup scram valve. Scram air header blowdown pressure drop calculations have shown that all rods will begin insertion within 15 seconds of the ARI initiation signal when the vent path is through two vent valves in series. Control rod insertion travel time is not affected by ARI initiation, so that scram time measurements and Technical Specifications requirements for rod insertion times are preserved. Therefore, scram performance when initiated by ARI is similar to the proven performance of the RPS backup scram valves.

The adequacy of instrument setpoints is discussed in Subsection 7.2.3.1.6.3. Assurance of completion of the protective action and reset capabilities are discussed in Subsection 7.2.3.1.4.3.

ARI exceeds the design basis for the system stated in NEDE-31096-A by using a Class 1E system and meeting the requirements of IEEE-279-1971. ARI is separate from RPS and has no effect on its operation.

ARI is powered from 125 VDC, Class 1E electrical power, and is an energize to trip actuation system.

All hardware is capable of performing its function in the normal environment of the Reactor Building general access areas. ATWS events will not alter the environment to which this system will be exposed in the time frame in which it is required to operate.

ARI is dynamically qualified for Operating Basis Earthquakes.

Testability of ARI is discussed in Subsection 7.2.3.1.4.8; separation within ARI and between ARI and RPS is discussed in Subsection 7.2.3.1.4.7; minimizing inadvertent trips and challenges is described in Subsections 7.2.3.1.6.3, 7.2.3.1.4.8, and 7.2.3.1.4.4.

Quality assurance requirements consistent with the system classification as described in Subsection 7.2.3.1.2 meet or exceed the NRC QA requirements for ARI trip systems.

7.2.4.1.1.2 Conformance to Specific Regulatory Requirements 7.2.4.1.1.2.1 Conformance to 10CFR50.62 (C)(3)

ARI is a reliable, Class 1E system which is fully diverse from and redundant to the Reactor Protection System. ARI is fully independent of the Reactor Protection System from initiating sensors to final actuation devices. ARI is an energize to actuate trip system which shares no components, cables, raceway, or control with RPS. Further compliance with the ATWS rule is as described in NEDE-31096-A.

7.2.4.1.1.2.2.2 Conformance to NRC Regulatory Guides 7.2.4.1.1.2.2.1 Regulatory Guide 1.22 (February 17, 1972)

ARI testability is described in Subsection 7.2.3.1.4.8.

7.2.4.1.1.2.2.2 Regulatory Guide 1.30 (August 11, 1972)

See Subsection 3.13.

7.2.4.1.1.2.2.3 Regulatory Guide 1.53 (June, 1973)

ARI does not, in itself, conform to the single failure criterion, Section 4.2 of IEEE-279-1971. This is in conformance with 10CFR50.62(C)(3) which requires only that ARI be redundant to the existing Reactor Protection System. The Reactor Protection System is fully redundant within itself (reference Subsection 7.2.2.1.2.16). The purpose of ARI is to add diversity to the scram initiation process (RPS). Therefore, the scram trip system, taken as RPS and ARI together, is fully redundant and conforms to Regulatory Guide 1.53.

7.2.4.1.1.2.2.4 Regulatory Guide 1.62 (October, 1973)

Manual initiation provisions are described in Subsection 7.2.3.1.4.2.

7.2.4.1.1.2.2.5 Regulatory Guide 1.70 (September, 1975)

Sections 7.2.3 and 7.2.4 provide the information relevant to ARI which is required by Section 7.2 of Regulatory Guide 1.70 for the Reactor Protection System.

7.2.4.1.1.2.2.6 Regulatory Guide 1.75 (January, 1975)

Physical independence of ARI from the Reactor Protection System is controlled by designing ARI as a Balance of Plant Class 1E divisionally separate trip system. Divisional separation between the ARI trip systems assures reliable operation and protection from spurious scrams due to a single failure of any active component.

7.2.4.1.1.2.3 Conformance to 10CFR50 Appendix A - General Design Criteria 7.2.4.1.1.2.3.1 General Design Criterion 1 ARI is designed, built, tested, and maintained as a Class 1E safety system. The provisions of the applicable quality assurance program meet or exceed the special quality requirements provided for per 10CFR50.62(D).

7.2.4.1.1.2.3.2 General Design Criterion 2 ARI is designed to withstand all normal operating occurrences, including operating basis earthquakes, and the environmental conditions in which it is required to function. These conditions do not include LOCA or HELB events.

7.2.4.1.1.2.3.3 General Design Criterion 3 ARI is designed not to degrade the fire protection provisions of other safety-related systems. No failure of ARI due to fire can impede RPS from performing its safety function.

7.2.4.1.1.2.3.4 General Design Criterion 4 See Sections 3.5 and 3.6. No failure of ARI due to missiles or pipe whip can impede RPS from performing its safety related function.

7.2.4.1.1.2.3.5 General Design Criterion 13 See Subsection 7.2.3.1.6.

7.2.4.1.1.2.3.6 General Design Criterion 19 See Subsection 7.2.3.1.6.

7.2.4.1.1.2.3.7 General Design Criterion 20 ARI will shut down the reactor in time that core coolable geometry is maintained. This is accomplished by tripping on high reactor pressure or on low vessel level before depressurization or high pressure injection systems are initiated.

7.2.4.1.1.2.3.8 General Design Criterion 21 ARI is designed to be reliable and fully testable while at power. The system is composed of safety-related components, installed, maintained, and tested as a safety related system.

The system is designed to minimize the possibility of a spurious scram due to misoperation or equipment failure.

Conformance to the Single Failure criterion is discussed in Subsection 7.2.4.1.1.2.2.3.

Removal of ARI from service for testing and maintenance does not affect the ability of RPS to perform its safety-related function.

7.2.4.1.1.2.3.9 General Design Criterion 22 ARI increases the diversity of the reactor trip initiation capability. ARI is designed to withstand all normal operating occurrences, including operating basis earthquakes.

7.2.4.1.1.2.3.10 General Design Criterion 23 The system is not designed to fail in the safe state; failure of a single component, including valves, sensors, cables, and power supplies, can prevent ARI from functioning. However, failure within ARI cannot cause the Reactor Protection System to fail. Therefore, for the overall safe shutdown capability, this criterion is satisfied by RPS. (See Subsection 7.2.2.1.2.2.14.)

7.2.4.1.1.2.3.11 General Design Criterion 24 This system has no control function and does not interface with any control systems.

7.2.4.1.1.2.3.12 General Design Criterion 29 ARI is designed to be reliable, testable, and fully maintainable under all operating conditions. ARI is designed and maintained as a Class 1E system.

Bypasses are provided to assure that single failures or spurious trips while testing will not result in a scram.

ARI provides an extra margin of safety to the overall plant shutdown capability over the reliability of the existing Reactor Protection System.

7.2.4.1.1.2.4 Conformance to Industry Standards 7.2.4.1.1.2.4.1 IEEE 279-1971 7.2.4.1.1.2.4.1.1 General Functional Requirements (IEEE 279-1971, Paragraph 4.1)

Automatic and manual controls are described in Subsection 7.2.3. Operating conditions and performance requirements are described in Subsection 7.2.3.

7.2.4.1.1.2.4.1.2 Single Failure Criterion (IEEE 279-1971, Paragraph 4.2)

The ARI trip system does not conform to the single failure criterion as an independent, stand alone system. However, the purpose of ARI is to provide diversity to the reactor trip system; where the existing Reactor Protection System relies on de-energization of 120 VAC trip systems, ARI is a 125 VDC, energize to actuate trip system. The potential for common cause failures to defeat the overall plant shutdown capability is minimized.

Because of the redundancy provided in the existing Reactor Protection System, ARI is not required to be redundant within itself.

The single failure criterion does apply to the protection afforded against spurious trips and shutdowns: no single failure can cause a reactor scram via the ARI trip system. ARI bypasses are provided to maintain this protection during all modes of testing, maintenance, and surveillances.

7.2.4.1.1.2.4.1.3 Quality of Components (IEEE-279-1971, Paragraph 4.3)

ARI is a Class 1E, safety related trip system. Components used in the ARI trip system are all selected for their quality and reliability. All components in the trip system are commonly used, assuring high maintainability and operator/technician familiarity with the components. The pilot solenoid valves are similar to other safety related pilot valves.

7.2.4.1.1.2.4.1.4 Equipment Qualification (IEEE-279-1971, Paragraph 4.4)

All components used in the ARI trip systems perform their safety related function in an environment which at no time is more severe than the environment which occurs during normal operation.

Therefore, environmental qualification testing is not required per 10CFR50.49.

All components are qualified for anticipated operational occurrences, including Operational Basis Earthquakes. The probability that an electrical ATWS would occur concurrent with a Safe Shutdown Earthquake (SSE) is sufficiently small that SSE qualification is not required.

7.2.4.1.1.2.4.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5)

The ARI trip system is designed to operate under all anticipated operational occurrences, which include normal environmental extremes, trip system power supply fluctuations, and ATWS events.

7.2.4.1.1.2.4.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6)

The ARI trip systems are independent to the extent required of divisionally separate trip systems.

ARI is similarly independent of and separate from the Reactor Protection System per the electrical separation requirements.

7.2.4.1.1.2.4.1.7 Control and Protection System Interaction (IEEE 279-1971, Paragraph 4.7)

No ARI trip channels or actuation devices are used for control functions. No control system failures can affect the operation of the ARI trip system.

7.2.4.1.1.2.4.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8)

ARI trip system variables are defined in Subsection 7.2.3.1.4.2. These variables were chosen to be indicative of an ATWS condition, with the setpoints chosen in accordance with Subsection 7.2.3.1.6.3.

7.2.4.1.1.2.4.1.9 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9)

Each trip channel can be checked under any operating mode without causing a trip system actuation; the logic is described in Subsection 7.2.3.1.4.3, and bypasses are described in Subsection 7.2.3.1.4.4. Sensors are checked by imposing a simulated process signal to the sensor input.

7.2.4.1.1.2.4.1.10 Capability for Test and Calibration (IEEE-279-1971 Section 4.10)

Testability is described in Subsection 7.2.3.1.4.8.

7.2.4.1.1.2.4.1.11 Channel Bypasses for Removal from (IEEE 279-1971, Paragraph 4.11)

Each individual channel of the ARI trip system may be tested and maintained without causing a scram actuation. In view of the redundancy afforded by the Reactor Protection System (Subsection 7.2.4.1.1.2.4.1.2) and the importance of preventing a spurious scram, bypasses may be imposed, as described in Subsection 7.2.3.1.4.4, which can defeat the ARI trip function for the duration of the bypass.

7.2.4.1.1.2.4.1.12 Operating Bypasses (IEEE 279-1971, Paragraph 4.12)

ARI contains no operating bypasses.

7.2.4.1.1.2.4.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13)

Bypass indications are described in Subsection 7.2.3.1.6.1.2.

7.2.4.1.1.2.4.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14)

Bypass control is described in Subsection 7.2.3.1.4.4.

7.2.4.1.1.2.4.1.15 Multiple Setpoints (IEEE 279-1971, Paragraph 4.15)

This paragraph does not apply to the ARI trip system. Setpoints are described in Subsection 7.2.3.1.6.3.

7.2.4.1.1.2.4.1.16 Completion of Protective Action Once it is Initiated (IEEE 279-1971, Paragraph 4.16)

Each ARI trip system is sealed in for 25 seconds following actuation of both trip systems, as required to initiate an ARI scram. Resets for each of the divisionally separate trip systems are inhibited until both trip systems have timed out. Seal in circuits are separated by electrical isolation devices.

Reset controls are located in the main control room and require deliberate operator action. Reset of either trip system will return the CRD scram trip system to normal operation.

7.2.4.1.1.2.4.1.17 Manual Initiation (IEEE 279-1971, Paragraph 4.17)

Capability for manual initiation is described in Subsection 7.2.3.1.4.2.

7.2.4.1.1.2.4.1.18 Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971, Paragraph 4.18)

Access to setpoint adjustments and test points is covered under the administrative control of plant operations supervision.

7.2.4.1.1.2.4.1.19 Identification of Protective Actions Actuation of the divisional ARI trip systems is annunciated in the main control room. The plant computer system records the actuation of all automatic and manual initiation trip signals. The plant variables monitored by the ARI trip systems are annunciated when the warning level and RPS trip level setpoints are exceeded. The RPS trip system annunciators will precede the initiation of the corresponding ARI trip channels.

7.2.4.1.1.2.4.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20)

Information readout is described in Subsection 7.2.3.1.6.1.

7.2.4.1.1.2.4.1.21 System Repair (IEEE 279-1971, Paragraph 4.21)

The system is fully testable, from initiating sensors up to and including the final actuation devices per Subsection 7.2.3.1.4.8. Bypasses are provided per Subsection 7.2.3.1.4.4 to allow maintenance and repair activities during operation.

7.2.4.1.1.2.4.1.22 Identification of Protection Systems (IEEE 279-1971, Paragraph 4.22)

All major components (control room devices, local panels, and final actuation devices) are labeled with device identification and system designations where appropriate. Interconnecting cables are identified by their divisional separation designation and scheme identification tags.

7.2.4.1.1.2.4.2 IEEE 336-1971 See Section 3.13.

7.2.4.1.1.2.4.3 IEEE 338-1971 Periodic testing of Nuclear Power Plant Safety Systems - is complied with by being able to test ARI from initiating sensors up to and including the final actuating devices during plant operation, as well as when the plant is shut down.

7.2.4.1.1.2.4.4 IEEE 344-1975 Seismic Qualification and Class 1 Electric Equipment - Requirements are satisfied by qualifying all system components for anticipated operational occurrences, including operating basis earthquakes. Qualification to Safe Shutdown Earthquake levels is not required.

7.2.4.1.1.2.4.5 IEEE 384-1981 Independence of Class 1E Equipment and circuits - Requirements are satisfied by conformance to divisional separation requirements for Balance of Plant 1E trip systems. ARI is therefore fully separate from RPS.

7.2.4.1.1.2.5 Branch Technical Positions 7.2.4.1.1.2.5.1 EICSB-10 See Subsection 7.2.4.1.1.2.4.4.

7.2.4.1.1.2.5.2 EICSB-21 See Subsection 7.2.3.1.6.

7.2.4.1.1.2.5.3 EICSB-22 See Subsection 7.2.3.1.4.8.

7.2.4.1.1.2.5.4 EICSB-24 ARI trip system response time verification is measured directly on a periodic basis of the trip channels described in Subsection 7.2.3.1.4.2.


SSES-FSAR Table Rev. 55 TABLE 7.2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS

Scram Function | Instrument | Normal Range (1)
Reactor vessel dome pressure | Pressure Switch | 1050 psig (2)
Drywell high | Pressure Switch | 0.65 to 0.85 psig
Reactor vessel low water level | Level Switch | 567.5 to 577.5" above vessel zero
Scram discharge volume high water level | Level Switch | Empty (3)
Scram discharge volume high water level | Level Transmitter | Empty
Turbine stop valve closure | Position Switch | Fully open to fully closed (4)
Turbine control valve fast closure | Pressure Switch | 1100-1600 psig
Main steamline isolation valve closure | Position Switch | Fully open to fully closed (4)
Neutron Monitoring System | See Subsection 7.6.1a.5 |
Discharge Volume High Water Level Trip Bypass | N/A | N/A
Turbine Stop Valve and Control Valve Fast Closure Trip Bypass | Pressure Switch | 100-1200 psig

(1) See Technical Requirements Manual for the trip setpoints; and the plant Technical Specifications for Allowable Values, where applicable.

(2) Pressure corresponds to 100% rated power.

(3) Steady state operational limits of the measured variables.

(4) Fully open during normal RUN mode operation.

FSAR Rev. 60 Page 1 of 1

SSES-FSAR Table Rev. 56 TABLE 7.2-2 CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF RPS This table shows the normal number of sensors required for the functional performance of the reactor protection system in the run mode.

Channel Description Normal Neutron monitoring system (APRM) 4 Neutron monitoring system (IRM)

(Bypass channel)

Scram discharge volume high water level, level transmitter/trip units 4 Neutron monitoring system (OPRM) 4

  • In all modes except run.

FSAR Rev. 63 Page 1 of 1

TABLE 7.2-3 ATWS RECIRCULATION PUMP TRIP AND ALTERNATE ROD INJECTION INSTRUMENTATION SPECIFICATIONS

Parameter | Instrument | Normal Operating Range (1)
Reactor vessel pressure-high | Pressure Switch | 1050 psig (2)
Reactor vessel low water level | Level (differential pressure) switch | 30 to 79 inches above instrument zero

(1) See the Technical Requirements Manual for the trip setpoints; and the plant Technical Specifications for the Allowable Values.

(2) Pressure corresponds to 100% power.

Rev. 54, 10/99

SSES-FSAR TABLE 7.2-4 CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF ARI This table shows the normal number of sensors required for initiation of the ARI system. These sensors are evenly divided among divisionally separate trip channels.

Channel Description | Normal
Reactor vessel high pressure | 4
Reactor vessel low water level | 4
Manual trip | 2

Rev. 39, 7/88

FIGURE 7.2-1-1, Rev. 55: Replaced by Dwg. M1-C72-2, Sh. 1

FIGURE 7.2-1-2, Rev. 56: Replaced by Dwg. M1-C72-2, Sh. 2

FIGURE 7.2-1-3, Rev. 49: Replaced by Dwg. M1-C72-2, Sh. 3

FIGURE 7.2-1-4, Rev. 49: Replaced by Dwg. M1-C72-2, Sh. 4

[FIGURE 7.2-2, Rev 51: Reactor Protection System Scram Functions]

FIGURE 7.2-3, Rev 49: ARRANGEMENT OF CHANNELS AND LOGICS (AutoCAD: Figure Fsar 7_2_3.dwg)
Diagram labels: sensors A, B, C, D; channels; trip system A power bus; trip system B power bus; trip system A (logics A1, A2); trip system B (logics B1, B2).
Reactor protection system logics configuration for:
  • Scram discharge volume high water level
  • Main steam line high radiation
  • Turbine control valve fast closure
  • Drywell high pressure
  • Reactor vessel low water level
  • Nuclear system high pressure
NOTE: CONTACTS SHOWN IN NORMAL CONDITION

FIGURE 7.2-4, Rev 49: ACTUATORS AND ACTUATOR LOGICS (AutoCAD: Figure Fsar 7_2_4.dwg)
Panel titles: actuator logics associated with trip system A; actuator logics associated with trip system B. Each panel shows trip system logics (A1, A2, B1, B2), actuators, and Group 1 through Group 4 solenoids.
NOTE: CONTACTS SHOWN IN NORMAL CONDITION

FIGURE 7.2-5, Rev 57: LOGIC IN ONE TRIP SYSTEM (AutoCAD: Figure Fsar 7_2_5.dwg)
Diagram labels: turbine stop valve closure; turbine control valve fast closure; discharge volume high water level; main steam line isolation valve; bypass; drywell high pressure; nuclear steam high pressure; reactor low water level; main steam line high radiation (jumper installed); neutron monitoring system (jumper installed); manual scram; reset; reactor protection system trip logic.
NOTE: CONTACTS SHOWN IN NORMAL CONDITION

FIGURE 7.2-6, Rev 57: RELATIONSHIP BETWEEN NEUTRON MONITORING SYSTEM & REACTOR PROTECTION SYSTEM (AutoCAD: Figure Fsar 7_2_6.dwg)
Diagram labels: IRM detector; LPRM detectors; amplifiers; amplifier-summer; IRM channel A (one of eight) with bypass, inop and upscale trip; APRM channel (one of four) with inop, bypass and upscale trip; other APRM channels; two out of four voter (one of four); mode switch in run; neutron monitoring system trip channels; neutron monitoring system logics (two of eight); trip system A1 logic (one of four).
Trip conditions noted on the figure:
  • (APRM Neutron Flux-Upscale or APRM Simulated Thermal Power-Upscale or APRM Inop) and (APRM Not Bypassed)
  • (OPRM Upscale Trip) and (OPRM Not Bypassed)
NOTE: CONTACTS SHOWN IN NORMAL CONDITION

FIGURE 7.2-7, Rev 49: CONFIGURATION FOR TURBINE STOP VALVE CLOSURE REACTOR TRIP (AutoCAD: Figure Fsar 7_2_7.dwg)
Diagram labels: trip system A power bus; trip system B power bus; turbine stop valve closure channels A, E, C, G, B, F, D, H; reactor protection system logics A1, A2, B1, B2.
NOTE: CONTACTS SHOWN IN NORMAL CONDITION
NOTE: THREE OUT OF FOUR STOP VALVES MUST CLOSE TO CAUSE A SCRAM

FIGURE 7.2-8, Rev 49: CONFIGURATION FOR MAIN STEAMLINE ISOLATION REACTOR TRIP (AutoCAD: Figure Fsar 7_2_8.dwg)
Diagram labels: AC power from motor generator set A (trip system A) and motor generator set B (trip system B); main steam line isolation channels; reactor protection system logics A1, A2, B1, B2.
(Switch contacts shown in positions when isolation valves less than 10% closed. Contacts shown in normal condition.)

KEY:
  • F022A: Steam line A, inboard valve
  • F022B: Steam line B, inboard valve
  • F022C: Steam line C, inboard valve
  • F022D: Steam line D, inboard valve
  • F028A: Steam line A, outboard valve
  • F028B: Steam line B, outboard valve
  • F028C: Steam line C, outboard valve
  • F028D: Steam line D, outboard valve

NOTES:
1. Wiring for the two switches on the same valve is physically separated.
2. Isolation of three or more steam lines will cause a scram.

FIGURE 7.2-9, Rev 55 (AutoCAD: Figure Fsar 7_2_9.dwg)
Title block: BLOCK DIAGRAM - RPS / PROTECTIVE CIRCUIT - / ELECTRICAL PROTECTION
Diagram labels: 480 VAC; 120 VAC; RPS MG power supply; Alt RPS MG power supply; relay protective circuitry; EPA solid-state protective circuitry; RPS Bus B.

FIGURE 7.2-10, Rev 49: ARI TRIP SYSTEM LOGIC (AutoCAD: Figure Fsar 7_2_10.dwg)
Diagram labels: RPV Level 2 A; RPV Level 2 C; RPV Press Hi A; RPV Press Hi C; manual initiation; OR; ATWS-ARI trip system initiation; Div 1 block valve closed; Div 2 block valve closed; Div 1 vent valve open; Div 2 vent valve open; ARI scram and scram air header blow down; ARI scram actuation.