ML22112A044

ABB System 80+ Design Control Document - Volume 10
Person / Time
Site: LaSalle, 05200002
Issue date: 01/31/1997
From:
ABB Combustion Engineering
To:
Office of Nuclear Reactor Regulation
Shared Package
ML20148A597 List:
References
NUDOCS 9705090171


Text

{{#Wiki_filter:The System 80+ Standard Plant

Design Control Document

Volume 10

Combustion Engineering, Inc.

Copyright © 1997 Combustion Engineering, Inc., All Rights Reserved.

Warning, Legal Notice and Disclaimer of Liability

The design, engineering and other information contained in this document have been prepared by or for Combustion Engineering, Inc. in connection with its application to the United States Nuclear Regulatory Commission (US NRC) for design certification of the System 80+ nuclear plant design pursuant to Title 10, Code of Federal Regulations Part 52. No use of any such information is authorized by Combustion Engineering, Inc. except for use by the US NRC and its contractors in connection with review and approval of such application. Combustion Engineering, Inc. hereby disclaims all responsibility and liability in connection with unauthorized use of such information.

Neither Combustion Engineering, Inc. nor any other person or entity makes any warranty or representation to any person or entity (other than the US NRC in connection with its review of Combustion Engineering's application) concerning such information or its use, except to the extent an express warranty is made by Combustion Engineering, Inc. to its customer in a written contract for the sale of the goods or services described in this document. Potential users are hereby warned that any such information may be unsuitable for use except in connection with the performance of such a written contract by Combustion Engineering, Inc.

Such information or its use are subject to copyright, patent, trademark or other rights of Combustion Engineering, Inc. or of others, and no license is granted with respect to such rights, except that the US NRC is authorized to make such copies as are necessary for the use of the US NRC and its contractors in connection with the Combustion Engineering, Inc. application for design certification.

Publication, distribution or sale of this document does not constitute the performance of engineering or other professional services and does not create or establish any duty of care towards any recipient (other than the US NRC in connection with its review of Combustion Engineering's application) or towards any person affected by this document.

For information address: Combustion Engineering, Inc., Nuclear Systems Licensing, 2000 Day Hill Road; Windsor, Connecticut 06095

Introduction

Certified Design Material
  1.0 Introduction
  2.0 System and Structure ITAAC
  3.0 Non-System ITAAC
  4.0 Interface Requirements
  5.0 Site Parameters

Approved Design Material - Design & Analysis
  1.0 General Plant Description
  2.0 Site Characteristics
  3.0 Design of Systems, Structures & Components
  4.0 Reactor
  5.0 RCS and Connected Systems
  6.0 Engineered Safety Features
  7.0 Instrumentation and Control
  8.0 Electric Power
  9.0 Auxiliary Systems
  10.0 Steam and Power Conversion
  11.0 Radioactive Waste Management
  12.0 Radiation Protection
  13.0 Conduct of Operations
  14.0 Initial Test Program
  15.0 Accident Analyses
  16.0 Technical Specifications
  17.0 Quality Assurance
  18.0 Human Factors
  19.0 Probabilistic Risk Assessment
  20.0 Unresolved and Generic Safety Issues

Approved Design Material - Emergency Operations Guidelines
  1.0 Introduction
  2.0 Standard Post-Trip Actions
  3.0 Diagnostic Actions
  4.0 Reactor Trip Recovery
  5.0 Loss of Coolant Accident Recovery
  6.0 Steam Generator Tube Rupture Recovery
  7.0 Excess Steam Demand Event Recovery
  8.0 Loss of All Feedwater Recovery
  9.0 Loss of Offsite Power Recovery
  10.0 Station Blackout Recovery
  11.0 Functional Recovery Guideline

Approved Design Material - Design & Analysis

Effective Page Listing

Appendix 6A

Pages                 Date
i, ii                 1/97
iii                   11/96
6A-1 through 6A-5     Original

Appendix 6A

Single Failure Sensitivity Study for the Large Break LOCA ECCS Performance Analysis for the System 80+ Standard Design

Contents
  Abstract
  1.0 Introduction
  2.0 Sensitivity Study
  3.0 Representation of the Safety Injection Tanks

Tables
  6A-1 Summary Description of the Cases for the Large Break LOCA Single Failure Sensitivity Study

Figures
  6A-1 Large Break LOCA Single Failure Sensitivity Study Comparison of Downcomer Liquid Level
  6A-2 Large Break LOCA Single Failure Sensitivity Study Comparison of Core Reflood Rate
  6A-3 Large Break LOCA Single Failure Sensitivity Study Comparison of Containment Pressure

Approved Design Material - Engineered Safety Features

Abstract

This Appendix documents a sensitivity study which demonstrates that no failure to the SIS or the diesel-generator system is more limiting than any single failure to these systems for the large break LOCA ECCS performance analysis for the System 80+ Standard Design. Consequently, use of maximum safety injection pump flow is limiting for the large break LOCA ECCS performance analysis.

1.0 Introduction

A sensitivity study was performed to demonstrate that maximum safety injection pump (SIP) flow is the limiting case for the System 80+ large break LOCA ECCS performance analysis. The results of the sensitivity study are described below. Following the description of the sensitivity study is a description of how the safety injection tanks (SITs) were conservatively represented in the System 80+ large break LOCA ECCS performance analysis.

2.0 Sensitivity Study

In order to demonstrate that the maximum safety injection pump flow is the limiting case for the System 80+ large break LOCA ECCS performance analysis, the following three cases were analyzed:

  Case 1   Diesel Generator Failure
  Case 2   Safety Injection Pump Failure
  Case 3   No Failure

The refill/reflood hydraulic transient was analyzed for each case using the COMPERC-II computer code. The study was performed for the 1.0 DEG/PD break, the limiting break of the large break LOCA spectrum. Table 6A-1 identifies the specific differences among the three cases.

Figures 6A-1 through 6A-3 present the results of the sensitivity study. Figure 6A-1 compares the downcomer water level during reflood for the three cases. It shows that, in each case, the SIP flow rate is sufficient to maintain the downcomer water level at the elevation of the bottom of the reactor vessel inlet nozzle. Therefore, there is no single failure that results in an injection flow rate which cannot keep the downcomer filled to the elevation of the discharge leg.

Since all three cases maintain the same downcomer level, they all provide the same head for reflooding the core. Figure 6A-2 compares the mass added to the core during reflood for the three cases. Case 1, diesel generator failure, results in the highest core reflood rate. This is primarily due to the fact that it has the highest containment pressure (see next paragraph) due to the failure of a containment spray pump and the fan coolers as a result of the loss of off-site power and failure of a diesel generator. Cases 2 and 3 result in similar core reflood rates with Case 3 (i.e., maximum SIP flow rate) being slightly worse. This is because Case 3 has a slightly more adverse (lower) containment pressure response (see next paragraph) than Case 2 due to the fact that it maximizes the safety injection spilling to containment which minimizes the containment pressure. Decreasing containment pressure decreases the core reflood rate because it makes the reflood generated steam more difficult to vent from the RCS.

Figure 6A-3 compares the containment pressure for the three cases. Case 1 results in the highest containment pressure because the loss of off-site power and subsequent diesel generator failure results in the failure of one containment spray pump and the fan coolers whereas there are two spray pumps and four fan coolers in Cases 2 and 3 (see Table 6A-1). Cases 2 and 3 have nearly identical containment pressures because they have the same number of spray pumps and fan coolers operating. The containment pressure for Case 3 is slightly lower than for Case 2 for the reason described in the preceding paragraph.

Because Case 3 results in the lowest core reflood rate, it will have the lowest reflood heat transfer coefficients and, consequently, the highest peak cladding temperature. Therefore, this sensitivity study demonstrates that maximum SIP flow is the limiting case for System 80+.

3.0 Representation of the Safety Injection Tanks

The System 80+ large break LOCA ECCS performance analysis conservatively represents injection from the SITs. In the minimum containment pressure analysis (Section 6.2.1.5), the spillage of SIT liquid into containment is based on maximum SIT inventory in order to minimize containment pressure. This is the basis for the second condition given in Section 6.3.3.2.2. However, the RCS blowdown and refill/reflood hydraulic analyses conservatively represent the SITs by using the maximum safety injection line loss coefficient and the minimum SIT liquid inventory and nitrogen pressure.

Since the SITs are already conservatively represented in the System 80+ large break LOCA ECCS performance analysis, they do not have to be included in the sensitivity study to demonstrate that maximum SI flow is the limiting case for System 80+.

Table 6A-1 Summary Description of the Cases for the Large Break LOCA Single Failure Sensitivity Study

Parameter                                  Case 1             Case 2                      Case 3
Failure                                    Diesel Generator   Safety Injection Pump       None
Number of Safety Injection Pumps (SIPs)    2                  3                           4
SIP Flow Rate, gpm/pump                    976 (minimum)      976 (minimum)               1232 (maximum)
Number of Containment Spray Pumps (CSPs)   1                  2                           2
CSP Flow Rate, gpm/pump                    6500 (maximum)     6500 (maximum)              6500 (maximum)
Number of Fan Coolers                      0                  4                           4
Fan Cooler Performance                     ---                Figure 6.2.1-31 (maximum)   Figure 6.2.1-31 (maximum)

[Figure 6A-1: Large Break LOCA Single Failure Sensitivity Study, Comparison of Downcomer Liquid Level. Horizontal axis: time after contact, sec. One curve for each of the three cases.]

[Figure 6A-2: Large Break LOCA Single Failure Sensitivity Study, Comparison of Core Reflood Rate. Horizontal axis: time after contact, sec. One curve for each of the three cases.]

[Figure 6A-3: Large Break LOCA Single Failure Sensitivity Study, Comparison of Containment Pressure. Horizontal axis: time after break, sec. One curve for each of the three cases.]

Effective Page Listing

Appendix 6B

Pages                  Date
i, ii                  1/97
iii                    Original
6B-1                   11/96
6B-2 through 6B-5      Original
6B-6, 6B-7             11/96
6B-8 through 6B-12     Original

Appendix 6B

System 80+ Standard Design Boron Dilution During a Small Break LOCA with Natural Circulation Flow

Contents
  1.0 Introduction
  2.0 Summary
  3.0 Sequence of Events
  4.0 Analytical Assumptions
  5.0 Analytical Procedure
  5.1 Establish Initial Conditions
  5.2 Core Physics and RCS Thermal Hydraulics Analyses
  5.3 Fuel Rod Temperature Analysis
  6.0 Analytical Results and Conclusions
  7.0 References

Tables
  6B-1 SBLOCA Representative Sequence of Events

Figures
  6B-1 Transient Reactivity After Core Becomes Critical
  6B-2 Normalized Power After Core Becomes Critical
  6B-3 Hot Spot Temperature Transients

1.0 Introduction

In the course of a small break LOCA there is a span of time during which steam is generated in the core and is condensed in the steam generator tubes. The steam that is generated in the core is largely devoid of the boric acid which remains dissolved in the highly borated liquid in the core. Thus, the condensate formed from the steam is also largely devoid of dissolved boric acid.

A portion, perhaps 50%, of the condensate runs down the upflow side of the steam generator tubes and returns to the reactor vessel. This process is designated reflux boiling and it serves to transfer heat from the core to the steam generators when the primary side liquid level falls below the tops of the steam generator tubes so that natural circulation of the RCS liquid ceases. Condensation, in the steam generators, continues so long as the primary side temperature exceeds that of the secondary side. The remaining portion of the condensate forms and runs down the downflow side of the steam generator tubes and collects in the cold side of the RCS, the lowest portions of which are the loop seals between the steam generator outlet plena and the main coolant pumps.

A problem may occur if the unborated condensate which has accumulated in the cold side of the RCS returns to the reactor vessel without sufficient mixing with the highly borated inventory in the reactor downcomer and lower plenum. The resulting reduced boron concentration of the coolant entering the core may result in a return to a critical condition. A critical core will result in neutron power generation which will affect the fuel rod (clad) temperature. This latter parameter must be assessed for compliance with the ECCS acceptance criteria (Reference 1).

There are two means by which the condensate in the loop seals may be driven into the core. These are restart of a RCP, or reestablishment of natural circulation in the RCS.

Operator restart of an RCP is prevented by the Emergency Operations Guidelines (EOGs) (Reference 2). The LOCA recovery EOG instructions require confirmation of heat removal, pressurizer level and RCS subcooling prior to RCP restart. In addition, the EOGs now prescribe a delay of RCP restart until natural circulation has been operating for at least 20 minutes so that any unborated water can pass through the core. Thus, the rate of reactivity addition to the core from any unborated water will be based on the relatively slow natural circulation flowrate. This situation is shown in the following discussion to be acceptable; a more detailed assessment of operator restart of a RCP is given in Appendix 6C.

The reestablishment of natural circulation occurs when the HPSI pump(s) refill the RCS with highly borated liquid to the tops of the steam generator tubes so that a liquid circuit exists. Also, the primary side temperature must exceed that of the secondary side so that heat can be rejected and the resultant cold, dense, primary liquid can return to the core via gravity.

2.0 Summary

A bounding analysis has been performed without crediting any of the mixing of borated and unborated water that is expected to occur in the RCS. Instead, the condensate was assumed to enter the core as a slug of pure water moving at a natural circulation flowrate consistent with that of a small cold side break at the time of RCS refill. The size of the unborated slug was assumed to be unlimited. That is, unborated condensate was assumed to continue to enter the bottom of the core for the full duration of the calculated transient. The effective size of the slug that had entered the core up to the end of the calculated transient was greater than that of the core liquid volume.

The analysis showed that the core returned to a critical condition when the unborated slug had progressed partly into the core. As the slug progressed further into the core, the resultant neutron power function experienced a very brief spike which was terminated by Doppler feedback in the fuel. The power then dropped further as coolant heatup resulted in moderator density reactivity feedback. The power underwent several oscillations of diminishing amplitude and finally settled at a level which was a small fraction of full power. If the analysis had accounted for borated water entering the core behind the slug, then the power would have rapidly decreased towards zero.

The analysis of the fuel rod temperature response accounted for the higher core axial and radial peaking factors which exist for control rods inserted and the unborated slug partially entering the core. The latter is similar to the partial insertion of a strong CEA group in its effect on the axial peak. The transient analysis of the hot fuel rod showed that the peak clad temperature remained fairly low owing to the fact that the fuel rod surface remained in a pre-DNB heat transfer mode. In addition, the fuel centerline temperature, at the hot spot, remained well below the melting value.

The analysis revealed that boron dilution during a small break LOCA, even when calculated with the highly conservative assumption of an unborated slug of water entering the core, results in fuel rod conditions which are well below the acceptance criteria for ECCS (Reference 1).

A separate analysis was performed to determine the minimum boron concentration required to avoid recriticality at beginning of cycle. The results, which varied with coolant temperature, were about 550 ppm at 300°F and 200 ppm at 500°F.

3.0 Sequence of Events

The transport of large amounts of steam generator condensate from the loop seals to the core during a small break LOCA occurs several hours after the start of the accident. Because of the long times involved, this transient spans the times for both the small break LOCA and for the post LOCA long term cooling behavior (presented in Chapter 6.3.3). A representative sequence of events for this transient is given in Table 6B-1.

4.0 Analytical Assumptions

Several assumptions have been factored into the analysis which serve to increase the conservative nature of the results. These assumptions are as follows:

1. The condensate that is produced in the steam generators was assumed to have zero boric acid concentration. Actually, there is a small boric acid concentration in the condensate which depends on the distribution coefficient for the water-steam boiling process in the core. In addition, during a portion of the decompression transient, the velocity of the steam generated in the core may be great enough to entrain borated water droplets and carry them over the tops of the steam generator tubes to the cold side.

2. The unborated condensate which was assumed to exist in the loop seals was further assumed to travel to the core as a slug without mixing with any of the borated water. Actually, there are several opportunities for mixing. These include:

  • Backflow of borated safety injection or initial inventory liquid into the loop seals after the liquid level in the annulus rises to the cold leg elevation.
  • Mixing between the unborated condensate and the borated liquid as the condensate moves down the vessel annulus.
  • Low density (hot) unborated condensate rising up in the annulus and mixing with the dense (cold) borated HPSI liquid which is falling in the annulus from its injection location.
  • Mixing between the unborated condensate and the borated liquid as the condensate passes through the flow skirt and then turns 180 degrees in the vessel lower head.

3. The axial and radial power peaks were conservatively determined and were assumed constant for the unborated slug passing into the rodded core (see HERMITE and ROCS descriptions, below). This served to maximize the fuel rod temperature results. Actually, the power peaks vary with position of the slug and with the reactivity feedback from fuel temperature and moderator reactivity.

5.0 Analytical Procedure

The analytical procedure employed to assess the effects of an assumed unborated slug of water entering the core involved the use of several computer codes. The analytical procedure is as follows:

5.1 Establish Initial Conditions

The initial conditions are the RCS pressure, natural circulation flowrate, decay heat magnitude and inlet enthalpy at the time that the unborated slug of liquid enters the core. This is effectively the time that the RCS is refilled and natural circulation flow is reestablished.

The initial conditions (except for natural circulation flowrate) were obtained from the small break analytical results for the post-LOCA, long term cooling analysis (see Section 6.3.3.4) at approximately the time that the RCS was refilled. The RCS depressurization transient as well as the liquid enthalpy were determined by the CELDA code (Reference 3). The associated decay heat is an input to the CELDA code. CELDA is approved by the NRC (Reference 3).

CEFLASH-4AS/REM is a realistic evaluation model (REM) code for small break LOCA analysis. CEFLASH-4AS/REM was developed from the CEFLASH-4AS code which is the evaluation model code for small break LOCA analysis. CEFLASH-4AS is documented in References 6 and 8 and is approved by the NRC (Reference 9).

Given the above initial conditions, the CEFLASH-4AS/REM code was then used to represent the RCS at the time of refill. The natural circulation flowrate, at the time of RCS refill and thereafter, was taken from the results of the analysis with the CEFLASH-4AS/REM code. The documentation for the REM methodology with CEFLASH-4AS/REM has been submitted to the NRC for review (Reference 10).

 .v am,,a o w u.n-w ur               a saney r u ,,                                                     r.o. es.s i

System l'O + Design ControlDocument For the present analysis, the REM code version was used because of certain operational features such as restart capability and an ability to input a decay heat function. However, every effort was made to replicate the approved evaluation model approach; this included type nodalization, equilibrium thermodynamics (the REM has non-equilibrium capability), and representation of the cold legs. The review of the post LOCA, long term cooling results showed that the RCS refills most rapidly for the smaller break sizes (see Figure 6.3.3.4-4). An early time of refill is associated with a slightly greater decay heat level than is a later time of RCS refill. The natural circulation flowrate, at the time that the slug enters the core, is driven by the decay heat rate. Hence, the slightly higher natural circulation flowrate, for a smaller break, results in a higher rate of reactivity addition as the unborated slug enters the core. For the present analysis, the time of RCS refill and associated decay heat, are for a conservatively selected cold side break size of 0.005 ft2, 5.2 Core Physics and RCS Thermal Hydraulics Analyses The core physics analysis was performed in order to determine reactivity, power peaking and transient power as the unborated slug passed into the core. The RCS thermal hydraulics analysis was performed in order to determine the change in pressure and in natural circulation flowrate as the energy from the core entered the coolant. The physics and RCS thermal hydraulics analyses were performed in an iterative manner because the variation in pressure and flowrate affected the two-phase moderator density which, in turn, affected the moderator reactivity feedback and the power. The major computer codes used for the physics portion of this analysis are ROCS and HERMITE, which are described in Section 4.3.3. ROCS and HERMITE are approved by the NRC (References 4 and 5). 
ROCS was used in 3D quarter core geometry to determine the best-estimate of reactivity and changes in reactivity for conditions ranging from cold, fully rodded, highly borated shut-down to an unborated retum-to-power at intermediate temperatures, including a significant moderator void feedback. Note that ROCS is routinely used for the generation of physics input for essentially all Chapter 15 events, for input to the Chapter 6 LOCA events, and in the determination of cold shutdown margin. Also,1D axial space-time HERMITE is used directly for the loss of flow and seized-rotor / sheared-shaft events in Chapter 15. ROCS was first used to determine the absolute reactivity (that is, the reactivity with no power being produced and therefore no reactivity feedback) of the system for selected states of interest. For the nominal post-LOCA conditions with highly borated moderator and all CEAs inserted, the core was, as expected, well sub-critical. For a hypothetical adverse condition with un-borated moderator and a presumed isothermal moderator, the core would be several dollars super-prompt critical. Such a reactivity condition will never actually occur in this LOCA scenario, since the intrinsic nuclear feedbacks will come into play before extreme positive reactivities can exist. That is, the fuel temperature and moderator density feedbacks are much faser than the natural circulation rate of water. j As with other events starting from zero power (e.g., CEA withdrawal, steam line break, CEA ejection),  ; it is possible for the reactivity to exceed the prompt critical condition for a very short period of time. l This excess reactivity results in a classic power spike. However, as in this case, such spikes are of very i short duration, and usually result in acceptable deposited energy. i Amroved Design historiah Engineered Safety Features Page 68-4 l

The similar zero power safety events mentioned above are either terminated by a rapid reactor trip (most frequent occurrence) or reach a new pseudo-steady state (infrequent, but possible). In the hypothetical LOCA scenario described here, a reactor trip is not possible, since all rods are initially inserted. Thus, a new pseudo-steady state will be achieved. The power level in this time period is determined by the excess reactivity, which is balanced by the thermal feedbacks.

Determining the core response required several steps. First, the HERMITE code (1D axial model) was used to determine a transient power as the slug of un-borated water passed through the core. HERMITE was run with estimates of the core flowrate and pressure. These parameters change as the core generated heat enters the coolant. They affect the power transient through the moderator density reactivity feedback. The HERMITE generated power transient was then input to the CEFLASH-4AS/REM code. The CEFLASH-4AS/REM code was run with the HERMITE generated power and the initial conditions. The CEFLASH-4AS/REM results (pressure and flowrate) were then input to a 1D axial HERMITE model to more accurately determine the core power response. The transient power results from the final HERMITE analysis were input to the STRIKIN-II code in order to determine the fuel rod temperature response.

Power peaking information was also provided with ROCS and HERMITE. The core average axial power distribution results directly via a static, isothermal, 1D axial HERMITE analysis. The largest value of the axial power peak, F,, after the excess reactivity reached prompt critical was selected. The associated hot-channel radial peaking factor, F,, was determined from a zero power, isothermal 3D ROCS analysis. No credit was taken for either fuel temperature or moderator density feedback in the determination of power peaking.

As a cross-check of the 1D axial HERMITE modeling, the pseudo-steady state condition was simulated using 3D ROCS, manually iterating the power to critical. The resulting power level was about half of that determined by the 1D modeling. The three-dimensional peaking factor, Fq, was also about half that supplied for the fuel rod temperature analysis.

5.3 Fuel Rod Temperature Analysis

The transient fuel rod temperature analysis, performed with the STRIKIN-II code (Reference 7), was used to assess compliance with the NRC acceptance criteria for ECCS (Reference 1). In particular, the analysis was performed in order to determine the peak clad temperature and the amount of local zirconium-water reaction at the hot spot. The analysis also provided information on the variation of the fuel pellet centerline temperature at the hot spot. STRIKIN-II is approved by the NRC (Reference 9).

STRIKIN-II was used to model the hot fuel rod. The axial power distribution and the radial peaking factor were based on the ROCS and HERMITE analyses described above. Transient input to STRIKIN-II consisted of core power (neutron power plus decay heat), pressure and the natural circulation flowrate.

The inlet enthalpy was constant during the transient.

6.0 Analytical Results and Conclusions

The resultant reactivity of the core after criticality is achieved, as determined by the procedure described above, is given in Figure 6B-1. The reactivity undergoes an increase as the unborated slug continues to pass into the core. The positive reactivity causes an increase in power and in fuel temperature. The increased fuel temperature then provides Doppler feedback which causes the net reactivity to become negative. This, in turn, reduces the power. As the heat passes from the fuel rod to the coolant, both the Doppler and moderator density reactivities change. The net reactivity undergoes oscillations with a decreasing trend.

The resultant, normalized (to full power) core average power transient is given in Figure 6B-2. The results given in Figure 6B-2 are for the neutron (kinetics) power. The total power also includes a steady decay heat contribution of 1.09%. (The total power was used for the determination of clad temperature.) The time scale for Figure 6B-2 starts when the core reaches a critical condition. This is several seconds after the unborated slug of condensate has entered the bottom of the core.

The power trace in Figure 6B-2 shows a spike which was rapidly terminated by Doppler feedback in the fuel. The power then leveled off at a small fraction of full power and then dropped further as coolant heatup resulted in moderator density reactivity feedback. The power underwent several oscillations of diminishing amplitude and finally settled at a level which was a fraction of full power.

The power calculation assumed, very conservatively, that the unborated slug was unlimited in size. That is, unborated condensate was assumed to continue to enter the bottom of the core for the duration of the calculated transient. The effective size of the slug that had entered the core up to the end of the calculated transient was greater than that of the core liquid volume. If the analysis had assumed that borated water entered the core behind the slug, then the power would have rapidly decreased towards zero.

The resultant clad surface and fuel centerline temperatures for the core hot spot are given in Figure 6B-3. The time scale for the temperatures starts when the core reaches a critical condition, in consonance with the reactivity and power traces. The temperatures for the core hot spot varied in accord with the transient core power and with the 3D power peaking factor.

The clad surface temperature remained very low because the fuel rod surface remained in a pre-DNB condition throughout the transient. Also, the associated clad zirconium-water reaction remained very low because the clad temperature remained well below the temperature range (> 1600°F) where the zirconium-water reaction becomes significant. The hot spot centerline temperature remained well below the melting value.

The analysis reported above was based on an unborated slug of water entering the core. A separate analysis (using the core physics codes described above) was performed to determine the minimum critical boron concentration required to avoid recriticality at beginning of cycle with all rods inserted. This concentration depends on the temperature of the coolant. An average boron concentration of about 550 ppm is required to avoid recriticality at 300°F but only 200 ppm is required at 500°F.

The results of this very conservative, bounding analysis show that even if an arbitrarily large slug of totally unborated coolant is assumed to pass through the core, the peak clad temperature and oxidation values remain well below the limits of the acceptance criteria for ECCS (Reference 1).

7.0 References for Appendix 6B

1. Code of Federal Regulations, Title 10, Part 50, Section 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Cooled Nuclear Power Reactors."
2. System 80+ Emergency Operations Guidelines. Attachment to letter LD-94-043 from ABB to the NRC, June 17, 1994.
3. CENPD-254-P-A, "Post LOCA Long Term Cooling Evaluation Model," June 1980.
4. "The ROCS and DIT Computer Codes for Nuclear Design," CENPD-266-P-A, C-E Proprietary Topical Report, April 1983.
5. P. E. Rohan, S. G. Wagner, S. E. Ritterbusch: "HERMITE, A Multi-Dimensional Space-Time Kinetics Code for PWR Transients," Combustion Engineering Topical Report CENPD-188-A, March 1976.
6. CENPD-133P, Supplement 1, "CEFLASH-4AS, A Computer Program for the Reactor Blowdown Analysis of the Small Break Loss of Coolant Accident," August 1974.
7. CENPD-135P, "STRIKIN-II, A Cylindrical Geometry Fuel Rod Heat Transfer Program," August 1974.
8. CENPD-137P, "Calculative Methods for the C-E Small Break LOCA Evaluation Model," August 1974.
9. Letter from O.D. Parr (NRC) to F.M. Stern (C-E), June 13, 1975.
10. CEN-420P, Volume I, "Small Break LOCA Realistic Evaluation Model, Volume I, Calculational Methods," October 1993; Volume II, "Small Break LOCA Realistic Evaluation Model, Volume II, Verification, Uncertainty Evaluation and Plant Application," November 1993; Volume III, "Small Break LOCA Realistic Evaluation Model, Volume III, Computer Program Input and Output Description," November 1993.

Table 6B-1 SBLOCA Representative Sequence of Events

1. A small break occurs in the cold side of the RCS. Typically, the break size is less than about 0.05 ft². A much larger size break will not allow the RCS to refill. For such larger break sizes a natural circulation flow will not develop to drive any condensate from the loop seals to the core.
2. The RCS loses mass through the break and the tops of the steam generator tubes uncover. This breaks the liquid loop in the RCS. Thus, the natural circulation of liquid flow from the core to the SGs ends.
3. As the RCS pressure drops the HPSI pump(s) deliver borated safety injection water (minimum of 4000 ppm) through the DVI line(s) to the vessel annulus.
4. The core is cooled by boiling liquid. The liquid consists of initial borated inventory, incoming borated HPSI liquid (minimum of 4000 ppm) and unborated liquid that has refluxed from the steam generator (hot side) condensate.
5. The steam evolved in the core has a very low boric acid concentration.
6. The steam condenses in the steam generators so long as the primary side temperature exceeds that of the secondary side. The condensate has a very low boric acid concentration.
7. Approximately half of the condensate refluxes to the core and the remainder collects in the cold legs. The condensate is at the saturation temperature.
8. The operator initiates a secondary side cooldown after it has been established that a small break LOCA has occurred. This maintains the secondary side temperature below the primary side temperature and causes continued condensation in the RCS.
9. Between 2 and 3 hrs, the HPSI flow is realigned from the DVI line(s) to both the DVI line(s) and the hot legs.
10. The 50 percent portion of the HPSI flow into the hot legs enters the top of the core and is heated to saturation. Some steam is evolved and flows to the steam generators.
11. The 50 percent portion of the HPSI flow into the DVI lines enters the upper part of the annulus. This, together with the flow from the core, fills up the annulus.
12. When the annulus level rises above that of the cold legs there is a backflow of borated HPSI liquid into the cold legs. This backflow should mix with the unborated condensate in the loop seals.
13. Continued HPSI liquid inflow to the RCS causes the liquid levels to rise in both the cold and the hot sides of the steam generator tubes.
14. When the RCS is filled to the top of the shortest SG tubes there will be an initiation of natural circulation.
15. When all of the SG tubes are filled the RCS natural circulation flow will attain its full value based on the decay heat magnitude.
16. The natural circulation flow drives the dilute mixture of condensate and borated liquid from the loop seals into the annulus. Because of temperature and density differences between the condensate and the liquid in the annulus, mixing is expected to occur between the two liquids as they progress down the annulus, turn in the lower plenum and approach the core.
17. A mixture of highly borated water (from the HPSIs) and dilute mixture from the RCS cold side enters the core.

Figure 6B-1. Transient Reactivity After Core Becomes Critical (horizontal axis: time after core becomes critical, seconds).

Figure 6B-2. Normalised Power After Core Becomes Critical (horizontal axis: time after core becomes critical, seconds; annotation: peak power = 383%).

Figure 6B-3. Hot Spot Temperature Transients (curves: pellet centerline temperature and clad temperature; horizontal axis: time after core becomes critical, seconds).

Effective Page Listing, Appendix 6C

Pages                   Date
i, ii                   1/97
iii, iv                 Original
6C-1 through 6C-13      Original
6C-14                   11/96
6C-15 through 6C-21     Original

Appendix 6C
System 80+ Standard Design Boron Dilution During a Small Break LOCA Assuming RCP Restart

Contents

1.0 Introduction
2.0 Summary of Results
3.0 Small Break LOCA Scenarios
3.1 Break Sizes of Concern
3.2 Equipment Operating (RCPs and SIS)
3.3 Condensate Produced and Refill Times
3.4 Reactor Vessel Boric Acid Concentrations at Refill
4.0 Critical Boron Concentrations
5.0 Boron Mixing Analysis
5.1 FLUENT Code Description
5.2 FLUENT Code Validation
5.3 Description of 2-D Model
5.4 Justification of 2-D Model
5.5 Minimum Boron Concentrations
6.0 EOG Modifications
6.1 Objective
6.2 Modifications
6.3 Human Reliability Analysis
7.0 Overall Risk Assessment
7.1 Scenario Probabilities
7.2 Impact on PRA Results
8.0 Conclusion
9.0 References

Tables

6C-1 System 80+ Unborated Condensate During a Small Break LOCA
6C-2 Critical Boron Concentration at BOC
6C-3 Minimum Boron Concentration in Core for 1-Pump Start

Figures

6C-1 Unwrapped Annulus - 4 Pump Operation
6C-2 Unwrapped Annulus - 1 Pump Operation
6C-3 Transient Boron Concentration with 1-Pump Start
6C-4 Boron Dilution and RCP Restart Event Tree - Unweighted Estimate
6C-5 Boron Dilution and RCP Restart Event Tree - Overweighted Estimate

1.0 Introduction

System 80+ core response to a boron dilution event during a small break LOCA was shown in Appendix 6B. The results demonstrated that the core remains adequately cooled even if it is assumed that unborated water enters the System 80+ core at natural circulation flow rates. An additional situation that could arise is restart of a RCP after a quantity of reflux condensate has accumulated in the loop seal piping between the steam generator outlet and the main coolant pumps. This appendix demonstrates the response of System 80+ to a RCP restart event during a small break LOCA.

2.0 Summary of Results

Restart of a RCP could introduce unborated water into the core at an unacceptable rate. This appendix demonstrates that:

1. The possibility of unborated water in the RCS is limited to a very small range of break sizes (1 to 3 inch diameter),
2. The amount of unborated water produced is very limited because the boiling-condensing time is very short (< 1.5 hours for the most limiting break),
3. Unborated water entering the core at RCP flow rates would only be significant for the first third of core life, and
4. The minimum concentration of borated water entering the core is well above that required for criticality.

Finally, in order to reduce the probability of this event to a level that is considered an engineering impossibility, the EOGs have been modified to further ensure that the operator cannot erroneously restart a RCP.

3.0 Small Break LOCA Scenarios

3.1 Break Sizes of Concern

In order for unborated condensate to accumulate in the cold side of the RCS after a Small Break (SB) LOCA, the liquid circulation loop across the tops of the steam generators must be broken and the SG secondary side temperature must be less than that of the primary. This forces the core to boil steam in order to reject heat. The steam is condensed back to liquid in the steam generators and a portion flows into the cold side.

The break sizes of concern are in the range from 0.05 ft² (3" dia.) to 0.0055 ft² (1" dia.). For break sizes smaller than 0.0055 ft² the liquid loop in the RCS is generally intact, the RCS refills very quickly and very little condensate is formed.

For break sizes larger than 0.05 ft² the RCS may not refill and condensation is minimized by removing much more energy through the break. This will minimize the condensate available to be delivered to the core should an RCP be restarted.

3.2 Equipment Operating (RCPs and SIS)

If power is not available for restart of an RCP, this mode of introducing boric acid to the core is ruled out. If it is assumed that offsite power is available, then the possibility of RCP restart does exist. However, the same offsite power is also available to power all four of the Safety Injection (SI) pumps. On a best estimate basis all four of the SI pumps are available to deliver highly borated liquid to the reactor vessel. Thus, the analysis described below considers the availability of offsite power and four operating SI pumps.

3.3 Condensate Produced and Refill Times

Analyses have been performed with the NRC-approved CELDA code (Reference 1) to estimate the amount of low boration condensate produced on the cold side of the RCS for the long term after a SBLOCA. Break sizes of 0.05 ft² and 0.0055 ft² were analyzed. The calculations were based on operator cooldown of the SG secondary side starting at one half hour after the SBLOCA occurred. In addition, the maximum cooldown rate permitted by the EOGs was assumed. The time dependent decay heat function employed is based on the licensing model described in Reference 1. The results are given in Table 6C-1 on a per cold leg basis.

3.4 Reactor Vessel Boric Acid Concentrations at Refill

The boric acid concentration in the inner vessel (core support barrel) continues to rise during the long term following the SBLOCA for a cold side break. This is a result of the input of highly borated SI liquid from the vessel annulus and the boiloff of low boration steam in the core (only half of which refluxes back from the hot side of the steam generators). The highly borated liquid in the cold discharge legs, the vessel annulus and inside the CSB is available to mix with the assumed unborated condensate arriving from the RCPs, loop seals and steam generators.

Values for the concentration of the condensate inside the CSB at the RCS refill time are given in Table 6C-1. These values were obtained with the NRC-approved BORON code (Reference 1).

4.0 Critical Boron Concentrations

The effect of the critical boric acid concentration and transient xenon effects on a hypothetical return to power after a SBLOCA have been investigated. The following conclusions are applicable.

1. Cycle Time Effects (Burnup)
  • At BOC the maximum boric acid concentration is approximately 1500 ppm at hot full power. The minimum boric acid concentration at EOC is essentially zero.
  • The variation of boric acid concentration with burnup is fairly linear. The fraction of the cycle time with any risk of post LOCA return to power is about one third.
  • For post-LOCA conditions, about 550 ppm of boric acid will maintain the core subcritical at BOC and 300°F. Zero ppm will maintain the core subcritical after the first third of the fuel cycle.

2. Xenon Effects
  • Xenon peaks occur after shutdown from hot full power in all commercial PWRs. The magnitude of the peak xenon is worth about 250 ppm in terms of soluble boric acid.
  • The presence of xenon is worth about 200 ppm in terms of soluble boric acid from about 5 to 15 hours after trip.
  • If xenon effects are accounted for then the fraction of cycle life with any risk of post-LOCA return to power, while near peak xenon (Xe worth > 200 ppm equivalent), is about 0.20.

3. Critical Concentrations vs. Temperature
  • The critical concentrations of boron are a function of temperature. Values of the critical boron concentration, at BOC, are given in Table 6C-2 where no credit has been taken for the negative reactivity effects of xenon.

5.0 Boron Mixing Analysis

Starting from a conservative estimate of the volume of an unborated slug of water which is assumed to collect in the suction legs of the primary coolant pumps, a computational fluid dynamic analysis demonstrates substantial mixing in the lower annulus and lower head of the reactor vessel with the start-up of one reactor coolant pump (RCP). This mixing is sufficient to ensure the core remains adequately borated to remain subcritical.

5.1 FLUENT Code Description

FLUENT (2) is a general purpose computational fluid dynamic computer program for the modeling of fluid flow, heat transfer, and chemical reaction. The following list of capabilities make it a very suitable candidate for the boron mixing analysis in the reactor vessel:

  • 2-D/3-D geometries in Cartesian, cylindrical, or generalized curvilinear coordinates,
  • Steady state or transient flow,
  • Incompressible or compressible flow,
  • Laminar or turbulent flow,
  • Chemical species mixing or reaction,
  • Coupled conduction/convection heat transfer, and
  • Flow through porous media.

The coupled conservation equations for mass, momentum, energy and chemical species are solved using a control volume based finite difference method. The conservation equations are discretized using the power law scheme, and the pressure-velocity coupling is made using the SIMPLE algorithm. The resulting set of discrete algebraic equations is solved using line-iterative procedures.

This solution technique has been the basis for incompressible computational fluid dynamic programs, including the two tools sponsored by the NRC and DOE: TEMPEST (Reference 3) and COMMIX (Reference 4). It is also the basis for other contemporary computational fluid dynamic programs such as PHOENICS and FLOW 3-D.

There are three turbulence models available including the standard k-ε model. The others are a renormalization-group based k-ε model and the higher-order Reynolds Stress Model.

A porous media approach is applied to model pressure loss characteristics for which component detail is finer than the grid size. For the purposes of this application, the approach includes an inertial resistance term for such pressure losses.

5.2 FLUENT Code Validation

Validation of FLUENT, or any other computational fluid dynamic tool, has not specifically been conducted for this problem. However, the basic features of FLUENT applicable to this problem are validated (Reference 5). Validation of other computational fluid dynamic tools is conducted in the same manner (References 6, 7). Since these tools are, in general, based on the same solution methodologies, the qualification of one program to represent a particular flow physics is sufficient to support that the others are also capable. In addition, the process of validating a program on specific elemental examples is the same type of procedure used to validate finite element analysis structural evaluation programs. Finally, FLUENT is being applied by approximately 800 licensees, and the combined user-base for this type of methodology is approximately 3000 licensees.

The features of interest to this problem are the basic numerical solution procedure, turbulent boundary layer flows, unsteady flows, and species transport. The FLUENT validation manual contains 14 sample problems which address these concerns and the concerns of other applications.

The laminar flow examples are proof that the numerical procedures are correct. These are the basic stepping-stones giving confidence that the program can model flow physics. One such problem, laminar flow in a tube with a constriction, tests the inlet and outlet boundary conditions and the power law discretization scheme. The results show the flow separation and reattachment on the tube wall downstream of the constriction. The size of the separated zone is demonstrated to increase with Reynolds number, and the agreement with experimental measurements is good.

An example of laminar flow around a circular cylinder demonstrates the ability of the program to model steady and unsteady flow around a bluff body and the flow separation and vortex shedding downstream of the body. The size of the recirculation regions and the frequency of the vortex shedding are shown to agree fairly well with experimental data.

The prediction of the turbulent flow over a backward-facing step illustrates the capability of the k-ε turbulence model and boundary layer development. Although the reattachment length is under predicted by about 25%, the overall velocity profile is well predicted at the point of attachment. Here, the near-wall velocities are over predicted because the k-ε model suggests the boundary layer has already begun to redevelop.

A final example considers reacting flow in a conical combustor. This example tests the k-ε turbulence model in axisymmetric flow and the mass transport capability. Without accurate representation of turbulent mass diffusion the combustion could not be correctly predicted. The mole fraction profiles of a reactant and product of combustion are quite well predicted considering the complexity of the processes and the approximations taken.

The preceding represent a sampling of problems which exercise the basic modeling capabilities needed to model this reactor problem. They yield sufficient confidence in FLUENT's ability to model mixing of boron in a reactor vessel.

5.3 Description of 2-D Model

A two-dimensional axisymmetric model (radial plane) of the reactor vessel from the top of the fuel alignment plate to the bottom of lower head is applied to model the turbulent chemical species mixing. This model begins at an elevation just below the inlet nozzles. The radial grid of the downcomer annulus is selected to be fine enough to allow the direct simulation of the annulus downflow pressure drop and radial mixing. In the lower head region, the grid structure is also fine enough for the prediction of turning losses and associated shear-generated turbulence and mixing. The inertial resistance factors of the porous media model are applied to the flow skirt, lower core support structure, and active core to represent flow resistances.

A uniform downward velocity is specified on the core barrel side of the annulus to represent the lower portion of the planar jet caused by the inlet nozzle. This inlet velocity is time dependent to reflect the pump flow rate acceleration. Based on a conservative maximum pump speed acceleration and ignoring reactor coolant inertia effects, the maximum pump flow rate is achieved in 15 seconds.

Reactor coolant system hydraulic analyses for System 80+ indicate the maximum RCP flow rate with one-pump operation is 150% of nominal. In the reactor vessel annulus, this flow rate splits such that 98% passes through the core and reverse flows exist in the three, non-operating cold legs. Although 98% of the pump flow rate passes downward through the annulus, the mixing analysis is conducted with an inlet velocity boundary condition for both 98% and 150% of the pump flow rate.

Before the unborated slug from the RCP inlet pipe may enter the reactor vessel, it must first pass through the RCP and the RCP discharge pipe. These volumes are considered as a delay of the injection, and the delay is accounted for in the time dependence of the model inlet velocity.

The volume of the slug of unborated water immediately injected into the reactor vessel by the start-up of one RCP is chosen to be the volume below the centerline of the entire cold leg from the reactor vessel nozzle to the steam generator outlet plenum. This volume is 262 ft³. Since there are two RCPs connected to one steam generator, there may be a second unborated slug which could be drawn into the RCP. However, this second slug must first pass through the steam generator outlet plenum. The boron dilution analysis is conducted for two volumes of the unborated slug: 262 and 524 ft³. The latter volume exceeds the maximum amount of condensate that can occur (Section 3.3).

The initial condition of the reactor coolant is assumed stagnant with a uniform 4000-ppm boron concentration and 300°F temperature. The actual boron concentration is much higher, as discussed in Section 3.4, and the temperature would likely be higher than 300°F when incorrect RCP starting is assumed. Since buoyancy forces generated by variations in the boron concentration and temperature are expected to be small relative to the inertia forces, the flow is assumed to be constant density without heat transfer.

5.4 Justification of 2-D Model

This axisymmetric approach is a simplified model of very complex 3-dimensional mixing hydraulics. However, the approach is representative of the flow physics, and there are a number of reasons to judge this simplified analysis of mixing in the downcomer annulus and lower head leads to a conservative approximation to predicting a minimum boron concentration in the active core.

1. No mixing is included in the RCP and pump discharge pipe. The total volume associated with these components is 251 ft³. This volume, however, is included as a delay time to represent the velocity of the slug at the inlet to the model as the pump flow rate accelerates.
2. No mixing is included in the annulus at and above the elevation of the inlet nozzle. The associated volume is 439 ft³. Deductions from the flow patterns known to exist from 4-pump operation (Figure 6C-1) and 1-pump operation (Figure 6C-2) suggest a planar mixing jet will form opposite the inlet nozzle, and much of this volume will participate in the mixing.
3. The entrainment of the volume of highly borated water in the downcomer annulus is significantly underestimated. This volume totals 719 ft³. In the axisymmetric model, the bulk of the mixing occurs at the slug front. In planar jets, substantial entrainment occurs along the lateral edges. At a distance of 10 jet-diameters from the inlet nozzle, roughly the height of the downcomer annulus, the entrainment rate may be 3-times the jet volumetric flow rate (Reference 8). This entrainment represents a substantial amount of mixing.
4. Flow mixing through the flow skirt is underestimated. Although the porous media approach correctly models the pressure loss of the flow skirt, it does not model the intense turbulence producing shear layers created by the jets through the skirt. Representation of this turbulence generation would greatly increase mixing downstream of the flow skirt.
5. Flow mixing in the lower head and lower support structure is underestimated. The lower head contains many instrument lines in crossflow and a horizontal plate which create turbulence and additional mixing. The lower support structure is modeled using the porous media approach which, again, does not represent the additional turbulence production caused by the bluff bodies and orifices in the flow stream. The volume associated with items 4 and 5 totals 679 ft³.
6. The larger assumption for the unborated slug volume does not consider mixing of the second slug as it passes through the steam generator outlet plenum. This volume likely contains highly borated water which will mix with the second slug as it travels toward the core. The volume of the steam generator outlet plenum is .22 tt). In addition, a substantial flow rate (120% of the pump flow rate) of highly borated water is injected into this volume by flow from the steam generator tubes.
7. In Reference 9, a boron dilution analysis conducted with another computational fluid dynamic tool for start of the RCP's in a different PWR yields similar results to the current analysis.

5.5 Minimum Boron Concentrations

The minimum boron concentration in the active core is found to be a function of time and position. As the pump starts and accelerates, approximately 5 seconds elapse before the unborated slug reaches the reactor vessel. Another 2 to 3 seconds elapse before the slug, which has been mixing with the borated water in the annulus, starts to enter the core. This small deviation in annulus transport time is due to the different assumptions for the flow rate. After entering the core, the larger, initially unborated slug delays attainment of the minimum boron concentration about 2.5 seconds.

As the mixing slug enters the core, boron concentration first decreases at the base and outer radius of the core, and the minimum boron concentration during the transient occurs at this location. Afterward, the minimum concentration sweeps radially inward and then upward through the core as the highly borated water which follows flushes the mixing slug out of the core.

Time traces of the spatial minimum core boron concentration are shown in Figure 6C-3. At a slug volume of 262 ft³, there is a slight reduction of minimum boron concentration at the lower annulus downflow rate. Since species diffusion is both a function of turbulent diffusion and time, the increased turbulence due to the higher annulus Reynolds number increased the mixing at the higher flow rate.

The minimum core boron is dominated by the initial slug volume. For either annulus flow rate, doubling the initial slug volume reduced the minimum boron concentration by approximately 35% (Table 6C-3).

Case 5 is a special case with reduced time step size and grid size to tighten convergence of the solution. This case represents the minimum concentration predicted by this analysis and a conservative approximation of the minimum boron concentration, 1350 ppm, in the core due to an initial unborated slug volume of 524 ft³.

6.0 EOG Modifications

6.1 Objective

The Emergency Operations Guidelines (EOGs) were modified to reduce the likelihood of an erroneous restart of an RCP following a LOCA which results in significant reflux boiling.

6.2 Modifications

  • Originally, the RCP restart steps of the EOG were presented in the following order:

1. Determine if RCP restart is needed and desired.
2. Verify that all RCP restart criteria are met.
3. Restart RCP.
4. If RCP not running, verify adequate single-phase natural circulation.
5. If single-phase natural circulation cannot be established, verify adequate two-phase natural circulation.

It was determined through consultation with human factors experts and operations personnel that this may mislead the operator into believing that it is more important to restart an RCP than it is to verify natural circulation. While it is obvious that this is not the case, the EOG bases clearly state (introduction section) that the EOG procedure steps are presented in the order which is most commonly expected during the event for which the EOG Optimal Recovery Guideline is designed. Therefore, the EOG was modified (along with its bases) to re-order the steps as follows:

1. Verify adequate single-phase natural circulation.
2. If single-phase natural circulation cannot be established, verify adequate two-phase natural circulation.
3. Determine if RCP restart is needed and desired.
4. Verify that all RCP restart criteria are met.
5. Restart RCP.
  • Add Supplementary Information item:

The EOGs contain a "Supplementary Information" section located after each guideline and prior to the bases section. This Supplementary Information section contains data that is helpful to the operator, but is not a procedure step (i.e., not an action statement). The EOG intends this information to become a site specific procedure "Caution" or "Note", and/or become information which is placed in the site operator training program. Since it is important for the operator to consider whether or not condensate could have built up in the suction leg of the RCP prior to RCP restart, Supplementary Information was added to the LOCA guideline that cautions the operator about this possibility prior to RCP restart. In addition, the Supplementary Information item specifies that this should become a caution in the plant specific procedures. It is intended for this caution to be placed prior to the RCP Restart Desirability Determination step (step #3 above) in the plant specific procedure.

  • Modifications to step #3 above (RCP Restart Desirability):
1. The EOGs were originally written with the assumption that if the performance of a step was optional (e.g., restarting RCPs after a LOCA), the operator would check with the Technical Support Center (TSC) to obtain concurrence on its performance before implementing it. It was felt by many that because the consequences of restarting an RCP post-LOCA were potentially unacceptable, rather than assume the operator would follow this process, it would be best to require the operator to obtain a recommendation from the TSC as to whether or not RCP restart was desirable. Therefore, a step requiring a TSC evaluation was added to the RCP restart desirability determination step (#3 above).

2. Since this event is concerned with the buildup of condensate in the suction leg of an RCP following prolonged two-phase natural circulation (post-LOCA), a criterion was added to this step to require the operator and the TSC to consider the length of time the plant had been in two-phase natural circulation.
3. Studies have demonstrated that if single-phase natural circulation has been established for at least 20 minutes prior to RCP restart (following prolonged two-phase natural circulation), the consequences of RCP restart are acceptable. Therefore, this step was modified to require the operator and the TSC to consider the length of time the plant has been in continuous single-phase natural circulation (after it exited two-phase natural circulation) when evaluating the desirability of RCP restart.


  • Modifications to step #4 above (RCP Restart Criteria):
1. As was the case with step #3 above, the EOGs were originally written with the assumption that if the performance of a step was optional, the operator would check with the TSC prior to implementing it. Therefore, this step originally did not require TSC permission prior to RCP restart. However, for the same reason as was stated above, rather than assume the operator would follow this process, this step was modified to require the operator to obtain permission from the TSC prior to starting an RCP.
2. Originally, the criterion to verify that at least 20 minutes of continuous single-phase natural circulation has been established prior to restarting an RCP had been listed last. However, it was felt by many that even though all RCP restart criteria receive equal weight, if this was listed immediately following the criterion to obtain TSC permission to restart an RCP and the criterion could not be met, there would be no need for the operator and the TSC to observe the rest of the criteria. Since this would be more efficient, the step was modified accordingly.

  • Modifications to the Bases:

Since the steps were modified, it was necessary to modify the bases. All bases match the new step order, and the new steps all have bases explanations.

  • Summary of Procedure Implementation

The operator will reach these steps after attempting to isolate the leak. First, the step to verify adequate single-phase natural circulation will be reached. If adequate single-phase natural circulation exists, the operator will skip the next step (verification of two-phase natural circulation) and proceed to the step to determine the desirability of restarting an RCP. If the operator cannot verify adequate single-phase natural circulation, he/she will proceed to the next step which verifies adequate two-phase natural circulation. Once the "RCP restart" steps are reached, the caution will be read alerting the operator to the possibility of condensate buildup in the RCP suction leg.

Next, the operator will request that the TSC determine the desirability and need to restart an RCP. The operator will make a concurrent determination. Since the caution was just read by the operator, its information will be factored into the evaluation. Both the operator and the TSC will base their decisions on at least the following criteria:

  - Adequacy of core heat removal using natural circulation
  - The need for main pressurizer spray capability
  - Existing RCS pressure and temperature
  - The duration of CCW interruption to the RCPs
  - RCP seal staging pressures and temperatures
  - Time the plant was in two-phase natural circulation
  - Time the plant has been in single-phase natural circulation.

If any of the above criteria do not indicate that an RCP restart is desirable, the operator will skip the remaining RCP steps. Otherwise, he/she will proceed to the next step. The operator next determines if an RCP restart can be performed based on at least the following criteria:

  - The TSC has recommended RCP restart
  - Single-phase natural circulation has been established for at least 20 minutes
  - Power available to the RCP bus
  - RCP auxiliaries are operating
  - At least one SG is available
  - Pressurizer level > 33%
  - RCS is subcooled
  - Other criteria satisfied per RCP operating instructions.

If any of the above criteria do not indicate that an RCP restart is desirable, the operator will skip the remaining RCP steps. Otherwise, he/she will proceed to the next step. Once it has been determined that RCP restart is desirable, and the restart criteria are met, the operator will proceed to the next step and restart an RCP.

6.3 Human Reliability Analysis

A Human Reliability Analysis (HRA) was performed to determine the probability of erroneously restarting an RCP prior to the establishment of at least 20 minutes of continuous single-phase natural circulation. The analysis is described below.

  • Model Assumptions

The analysis provides a reasonable and conservative estimate of the frequency of erroneous RCP restart, given the existence of the physical plant conditions necessary for the event to occur. The following conservative assumptions are part of the model:

  - Operating experience suggests that it is unlikely that the operating crew would have reason to restart an RCP after prolonged post-LOCA two-phase natural circulation. However, having such a reason is not necessarily an error, and HRA is thus not an appropriate method for estimating its probability. Therefore, the model conservatively assumes that the control room staff will always want to restart an RCP.
  - Other than the lack of 20 minutes of single-phase natural circulation, it is assumed that no plant conditions exist to preclude RCP restart (even though at least 12 conditions must be considered).
  - No credit is taken for improved plant or procedure ergonomics.
  - Activities required for pump restart are assumed to require no execution time (a potential mitigating factor), and to be 100% successful.

Three other reasonable assumptions have been made to limit the model complexity:

  - No single (i.e., random) error will cause an RCP restart.
  - If the TSC is asked to consider the RCP restart, it will proactively communicate to the Main Control Room (MCR) if any of the RCP restart criteria are not met.
  - The Main Control Room will follow the TSC directions if they are given.

  • Model Structure

Two HRA event trees were constructed to determine the probability of erroneously restarting an RCP. The event trees determine the lower bound of probability and the upper bound.

  • Model Quantification

THERP models are highly sensitive to the adjustment of their individual event weights (i.e., performance shaping factors). In addition, decision research has shown that model structure, rather than weighting, is the more frequent strength of "experts" (Dawes, 1979). Thus, two quantifications of the same model were used to provide reasonable limits for discussion and assessment.

The lower limit was obtained by using unweighted nominal HEP values for each event in the tree. The unweighted quantification is presented as a best estimate result for this model.

The upper limit was obtained by "overweighting" the model with a set of hyperconservative values. Relatively poor procedure ergonomics were assumed. Therefore, a larger-than-nominal value was used as the basic Human Error Probability (HEP). The effects of stress and dependency were then incorporated at unfavorably high levels.

Finally, the geometric mean of the two values was taken to account for uncertainty as follows:

Geometric mean is the Nth root of the product of N terms. For this case:

N = 2
A = Lower Bound = (unweighted estimate)
B = Upper Bound = (overweighted estimate)

The geometric mean = $(A \times B)^{1/2}$

This result is a conservative estimate of the total HEP for this event.

7.0 Overall Risk Assessment

The overall risk associated with boron dilution during a small LOCA is assessed in this section of the report. The assessment involves the description of two potential scenarios of concern.

7.1 Scenario Probabilities

Two small LOCA scenarios were assessed:

1. A small LOCA during which all safety injection pumps operate, and the operator initiates an incorrect restart of a Reactor Coolant Pump (RCP) during the first third of the fuel cycle.
2. A small LOCA during which only two of the four safety injection pumps operate, and the operator initiates an incorrect restart of a RCP during the first third of the fuel cycle.

The probability of Scenario 1 can be expressed as follows:

$F_{s1} = \mathrm{SLOCA} \cdot \mathrm{HEP}_{RCP} \cdot X_{cycle}$

where,

$F_{s1}$ = Scenario probability of small LOCA and incorrect restart of a RCP during the first third of fuel cycle
$\mathrm{SLOCA}$ = Small LOCA initiator
$\mathrm{HEP}_{RCP}$ = Human error probability for un-desired restart of a RCP
$X_{cycle}$ = Probability multiplier of a small LOCA occurring during the first third of cycle

The frequency of a small break LOCA is used in the System 80+ PRA. The human error probability (HEP) for incorrect restart of a RCP is based on the procedures for mitigating a small LOCA as shown in Section 6.3 of this Appendix. The cycle time reflects the fact that boron is required during the first third of the fuel cycle and the small LOCA must also occur during this time in order for the scenario to be of safety significance.

The probability of Scenario 2 can be expressed as follows:

$F_{s2} = \mathrm{SLOCA} \cdot \mathrm{SI2} \cdot \mathrm{HEP}_{RCP} \cdot X_{cycle}$

where,

$F_{s2}$ = Scenario probability of small LOCA, failure of two of four safety injection pumps to operate, and incorrect restart of a RCP during the first third of the fuel cycle
$\mathrm{SLOCA}$ = Small LOCA initiator
$\mathrm{SI2}$ = Failure probability of 2 of 4 safety injection pumps to operate
$\mathrm{HEP}_{RCP}$ = Human error probability for un-desired restart of a RCP (3.9E-04)
$X_{cycle}$ = Probability multiplier of a small LOCA occurring during the first third of cycle

The frequency of a small LOCA, the HEP for incorrect restart of a RCP, and the probability multiplier for the cycle time are the same as described for Scenario 1. The dominant contributors to the probability of 2 of 4 safety injection pumps failing to operate include common cause failure of the pump breakers to close, common cause failure of the pumps to start, and common cause failure of the pumps to operate. Simultaneous independent failures of the pumps are not significant contributors to the overall failure probability of the pumps.

7.2 Impact on PRA Results

Scenario 1 described in Section 7.1 is more likely to cause core damage than Scenario 2. Therefore, from a deterministic standpoint Scenario 2 is not considered.

If the worst case conditions are assumed and boron mixing is ignored, the outcome of the limiting small LOCA boron dilution event is a damaged but otherwise coolable core. Core recovery is considered likely because of (1) the availability of safety injection, (2) the short duration of the induced core power spike, (3) the RCS pressure relief through the existing hole in the RCS, and (4) the pressure absorption capability in the partially voided upper portions of the RCS when the reactivity insertion event takes place. Severe accident analyses, as well as experience with TMI-2, indicate that adequate core cooling can be established even in the presence of a severely damaged core, provided an adequate internal water supply is available. As long as the RCS pressure does not produce material stresses that exceed the ASME Service Level C limits, emergency core cooling system integrity is expected. As a consequence of items 2, 3, and 4 above, pressurization of the RCS to levels that exceed Service Level C stresses is highly unlikely.

In the event that an unrecoverable core damage event occurs, containment spray and cavity flooding systems would be capable of arresting the event within the intact containment. Since the systems required to mitigate the post-vessel breach corium progression are not influenced by the small LOCA boron dilution event, and both AC power and component cooling water are available, at least one train of the containment spray system will be available and containment integrity will not be compromised.

Since in-vessel recovery of the scenario will occur if the RCS pressure remains below the Level C stress limits, and since essential containment safeguard systems are available even if the RCS pressure exceeds the Level C stress limits, the increase in overall plant radiation releases will be negligible.

8.0 Conclusion

Although there is a potential to produce some unborated condensate during some small break LOCAs, this volume will be mixed with highly borated water in the RCS upon the onset of single-phase natural circulation. Appendix 6B provides a very conservative core coolability assessment of the natural circulation case assuming no mixing of the condensate.

This appendix provides Emergency Operations Guideline (EOG) modifications which significantly reduce the probability of RCP restarting prior to achieving adequate mixing by natural circulation. It also provides a demonstration that, even if RCP restart is assumed to occur at the worst time, sufficient mixing occurs to ensure the core remains subcritical and adequately cooled.

9.0 References for Appendix 6C

1. CENPD-254-P-A, Post-LOCA Long Term Cooling Evaluation Model, June 1980.
2. FLUENT User's Guide Version 4.0, Fluent, Inc., December 1991.
3. D.S. Trent and L.L. Eyler, TEMPEST: A Three-Dimensional Time-Dependent Computer Program for Hydrothermal Analysis: Vol. I Numerical Methods and Input Instructions, PNL-4348, Pacific Northwest Laboratory, 1989.
4. H.M. Domanus, et al., COMMIX-1C: A Three-Dimensional Transient Single-Phase Computer Program for Thermal-Hydraulic Analysis of Single-Component and Multicomponent Engineering Systems, NUREG/CR-5649, November 1990.
5. FLUENT V4.2 Validation Problems, TM-127, Fluent, Inc., July 1993.
6. D.S. Trent and L.L. Eyler, TEMPEST: A Three-Dimensional Time-Dependent Computer Program for Hydrothermal Analysis: Vol. II Assessment and Verification Results, PNL-4573, Pacific Northwest Laboratory, 1983.
7. H.M. Domanus, et al., COMMIX-1 A: A Three-Dimensional Transient Single-Phase Computer Program for Thermal Hydraulic Analysis of Single and Multicomponent Systems: Vol. II Assessment and Verification, NUREG/CR-2896, December 1983.
8. W. Rodi, ed., Turbulent Buoyant Jets and Plumes, Pergamon Press, 1982.
9. J.G. Sun and W.T. Sha, Analysis of Thermal Mixing and Boron Dilution in a PWR, NUREG/CR-5822, February 1993.


Table 6C-1    System 80+ Unborated Condensate During a Small Break LOCA

Parameter                                              Value [1]
Break size (cold side) (ft²)                           0.05       0.0055
Operating SI pumps                                     4          4
SG cooldown starts after LOCA (hr)                     0.5        0.5
RCS fill time (hr)                                     1.4        1.1
Condensate volume available per cold leg (ft³)         375        290
Boric acid concentration inside CSB at RCS
refill time [2]
    (percent by weight)                                14.6       12.3
    (ppm)                                              25,500     21,500

[1] Based on licensing decay heat model which maximizes core boiloff and unborated condensate formation.
[2] Based on results presented in Figure 6.3.3.4-3.

Table 6C-2    Critical Boron Concentration at BOC

Temperature        Concentration [1] [2] [3]
500°F              200 ppm
300°F              550 ppm

[1] These values do not credit the negative reactivity effect of xenon.
[2] Prompt critical values are about 70 ppm lower.
[3] No boron is required after the first third of the fuel cycle.

Table 6C-3    Minimum Boron Concentration in Core for 1-Pump Start

Case   Description                                                      Boron Concentration, ppm
1.     1.5X-Pump Annulus Flow Rate, 262-ft³ Unborated Volume            2900
2.     1.5X-Pump Annulus Flow Rate, 524-ft³ Unborated Volume            1870
3.     0.98X-Pump Annulus Flow Rate, 262-ft³ Unborated Volume           2820
4.     0.98X-Pump Annulus Flow Rate, 524-ft³ Unborated Volume           1850
5.     0.98X-Pump Annulus Flow Rate, 524-ft³ Unborated Volume           1350
       (Reduced time step and grid size for better solution
       convergence)

[Figure 6C-1: Unwrapped Annulus - 4 Pump Operation. Panels: (A) Velocity streamlines, showing the planar jet expanding on the core barrel between the top of the annulus and the elevation of the skirt; (B) Annulus velocity profile at skirt. Legend: hot pipe obstruction; cold leg with operating pump.]

[Figure 6C-2: Unwrapped Annulus - 1 Pump Operation. Panels: (A) 2-dimensional planar jet expansion, with contours of the volume occupied by the front of the planar jet in the annulus (ft³) between the top of the annulus and the elevation of the skirt; (B) Annulus velocity profile at skirt. Legend: hot pipe obstruction; cold leg with operating pump (inflow); cold leg (outflow).]

[Figure 6C-3: Transient Boron Concentration with 1-Pump Start. Horizontal axis: time, seconds. Curves for Cases 1 through 4, identified by annulus flow rate (pump factor) and unborated volume (ft³).]

[Figure 6C-4: Boron Dilution and RCP Restart Event Tree - Unweighted Estimate. This figure intentionally blank.]

[Figure 6C-5: Boron Dilution and RCP Restart Event Tree - Overweighted Estimate. This figure intentionally blank.]


Chapter 7 Contents

7.0 Instrumentation and Controls
7.1 Introduction
7.1.1 Identification of Safety-Related Systems
7.1.2 Identification of Safety Criteria
7.1.3 System Interfaces
7.2 Reactor Protective System
7.2.1 Description
7.2.2 Analysis
7.2.3 Reactor Protective System Interfaces
7.2.4 Alternate Protection System
7.3 Engineered Safety Features Actuation System
7.3.1 Description
7.3.2 Analysis
7.3.3 Engineered Safety Features Actuation System Interface Requirements
7.4 Systems Required for Safe Shutdown
7.4.1 Description
7.4.2 Analysis
7.5 Safety Related Display Instrumentation
7.5.1 Description
7.5.2 Analysis
7.6 All Other Instrumentation Systems Required for Safety
7.6.1 Introduction
7.6.2 Analysis
7.7 Control Systems Not Required for Safety
7.7.1 Description
7.7.2 Analysis
Appendix 7A CMF Evaluation for Limiting Fault Events

Chapter 7 Tables

7.1-1 Auxiliary and Supporting System Descriptions
7.2-1 Reactor Protective System Bypasses
7.2-2 Reactor Protective System Monitored Plant Variable Ranges
7.2-3 Reactor Protective System Sensors
7.2-4 Reactor Protective System Design Inputs
7.2-5 Plant Protection System Failure Modes and Effects Analysis
7.2-6 System 80+ Critical Function Success Path Diversity
7.3-1 ESFAS Bypasses
7.3-2 Design Basis Events Requiring ESF System Action
7.3-3 Monitored Variables Required for ESFAS Protective Signals
7.3-4 Engineered Safety Features Actuation System Sensors
7.3-5 Engineered Safety Features Actuation System Setpoints and Margins to Actuation
7.3-6 Engineered Safety Features Actuation System Plant Variable Ranges
7.4-1 Remote Shutdown Panel Instrumentation and Controls for Hot Standby
7.4-2 Remote Shutdown Controlled Functions for Cold Shutdown
7.5-1 Safety Related Plant Process Display Instrumentation
7.5-2 Engineered Safety Feature System Monitoring
7.5-3 Post-Accident Monitoring Instrumentation
7.6-1 Shutdown Cooling System and Safety Injection Tank Interlocks
7.7-1 Alternate Protection System Sensed Parameters
7.7-2 DIAS Segments
7.7-3 Sensor Locations for Acoustic Leak Monitoring System
7.7-4 Location of Loose Parts Monitoring System Accelerometers
7.7-5 DPS Nuclear Steam Supply System Application Programs
7.7-6 COLSS Monitored Plant Variables
7.7-7 Balance of Plant Application Programs

Chapter 7 Figures

7.2-1 PPS Basic Block Diagram
7.2-2 PPS Functional Interface and Testing Diagram
7.2-3 Typical PPS Low Reactor Coolant Flow Trip Setpoint Operation
7.2-4 Typical PPS Measurement Channel Functional Diagram (Pressurizer Pressure Wide Range)
7.2-5 Reed Switch Position Transmitter Assembly Schematic
7.2-6 Reed Switch Position Transmitter Cable Assemblies
7.2-7 Trip Logic Calculator Functional Block Diagram
7.2-8 Ex-Core Neutron Flux Monitoring System
7.2-9 Reactor Coolant Pump Speed Sensors; Typical for each Reactor Coolant Pump
7.2-10 Core Protection Calculator
7.2-11 PPS Bistable Trip Logic Functional Block Diagram
7.2-12 PPS Reactor System Simplified Functional Logic Diagram
7.2-13 Typical PPS Channel Functional Bistable Trip Channel Bypass
7.2-14 Typical PPS Channel Functional RPS Initiation Logic
7.2-15 Typical PPS Variable Setpoint Operation (Manual Reset)
7.2-16 PPS Testing Overlap
7.2-17 Interface & Test Processor Block Diagram
7.2-18 Typical PPS Channel Contact Bistable Interface Diagram
7.2-19 Plant Protection System Interface Logic Diagram
7.2-20 MCBD Symbols, Notes and Abbreviations
7.2-21a RCS Loop 1 Temperatures (Narrow) MCBD
7.2-21b RCS Loop 2 Temperatures (Narrow) MCBD
7.2-22a RCS Loop 1 Temperatures (Wide) MCBD
7.2-22b RCS Loop 2 Temperatures (Wide) MCBD
7.2-23a Reactor Coolant Pump Pressure MCBD
7.2-23b Reactor Coolant Pump Speed MCBD
7.2-24 Pressurizer Pressure MCBD
7.2-25 Nuclear Instrumentation MCBD
7.2-26 Containment Pressure MCBD
7.2-27a Steam Generator 1 Level (Wide) MCBD
7.2-27b Steam Generator 2 Level (Wide) MCBD
7.2-28a Steam Generator 1 Pressure MCBD
7.2-28b Steam Generator 2 Pressure MCBD
7.2-29a Steam Generator-1 Level (Narrow) MCBD
7.2-29b Steam Generator-2 Level (Narrow) MCBD
7.2-30 Steam Generator Primary D/P MCBD
7.3-1a ESFAS Functional Logic (SIAS)
7.3-1b ESFAS Functional Logic (CSAS, CIAS)
7.3-1c ESFAS Functional Logic (EFAS1, EFAS2)
7.3-1d ESFAS Functional Logic (EFAS1, EFAS2)
7.3-2 ESF-CCS Simplified Logic Diagram for Typical Selective 2 out of 4 Actuation
7.3-3 Functional Diagram of Engineered Safety Features Component Control System (ESF-CCS)
7.3-4 Typical Electrical Interface for Panel-Mounted Switches and Status Indicators
7.3-5 Loading Sequencer - Simplified Logic Diagram
7.3-6 Loading Sequencer - Simplified Test Logic Diagram
7.3-7 ESF-CCS Test Logic - Simplified Logic Diagram
7.3-8a Typical FCLD for a Solenoid Operated Valve
7.3-8b Typical Electrical Interface for a Solenoid Operated Valve
7.3-9a Typical FCLD for a Modulating Valve with Solenoid Operator
7.3-9b Typical Electrical Interface for a Modulating Valve with Solenoid Operator
7.3-10a Typical Motor Operated Valve Functional Interface Design
7.3-10b Typical Electrical Interface for a Motor Operated Valve
7.3-11 Typical FCLD for a Full Throw Motor Operated Valve
7.3-12 Typical FCLD for a Throttling Motor Operated Valve
7.3-13a Typical FCLD for a Contactor Operated Component
7.3-13b Typical Electrical Interface for a Contactor Operated Component
7.3-14a Typical FCLD for a Circuit Breaker Operated Component
7.3-14b Typical Electrical Interface for a Circuit Breaker Operated Component
7.3-15a Typical FCLD for a Modulating Component
7.3-15b Typical Electrical Interface for a Modulating Component
7.3-16 Typical ESF Initiation to Actuation Logic Functional Diagram
7.3-17 Simplified Schematic for Thermal Overload
7.3-18 In-Containment Refueling Water Tank MCBD
7.3-19 Emergency Feedwater MCBD
7.3-20a Safety Injection Tank 1 MCBD
7.3-20b Safety Injection Tank 2 MCBD
7.3-20c Safety Injection Tank 3 MCBD
7.3-20d Safety Injection Tank 4 MCBD
7.3-21 Containment Spray MCBD
7.3-22 Shutdown Cooling MCBD
7.3-23 Safety Injection MCBD
7.3-24 Safety Depressurization MCBD
7.3-25 Diverse Manual ESF Actuation Interface to ESF Components
7.4-1 Interface Diagram for Division A Master Transfer Switches
7.4-2 Interface Diagram for Division NI Master Transfer Switches
7.5-1 Diverse Display of Post-Accident Monitoring Category 1 Parameters
7.5-2 HJTC Sensor - HJTC/Splash Shield
7.5-3 Heated Junction Thermocouple Probe Assembly
7.5-4 HJTC Sensor and Separator Tube
7.5-5 Incore Instrumentation Locations
7.5-6 Electrical Diagram of HJTC
7.5-7 HJTC System Processing Configuration (One Channel Shown)
7.5-8 Pressurizer Level MCBD
7.6-1a Functional Control Logic, Shutdown Cooling System
7.6-1b Functional Control Logic, Shutdown Cooling System
7.6-1c Functional Control Logic, Shutdown Cooling System
7.6-2 Functional Control Logic, Safety Injection System
7.6-3 Safety-Related Interlock Test Method
7.7-1 Reactor Regulating System Block Diagram
7.7-2 PCS (CEDMCS) - RPS Interface Block Diagram
7.7-3 Pressurizer Pressure Control System Block Diagram
7.7-4 Pressurizer Level Control System Block Diagram
7.7-5 Megawatt Demand Setter Block Diagram
7.7-6 Simplified MDS Block Diagram, Automatic Dispatch Mode
7.7-7 Feedwater Control System Block Diagram
7.7-8 Steam Bypass Control System Block Diagram
7.7-9 Reactor Power Cutback System Simplified Block Diagram
7.7-10 Boronometer Block Diagram
7.7-11 Boron Dilution Alarm System Simplified Block Diagram
7.7-12a Alternate Protection System Block Diagram
7.7-12b Diverse Turbine Trip and Emergency Feedwater Actuation
7.7-13 Process Component Control System Simplified Block Diagram
7.7-14 Nuplex 80+ Control Room
7.7-15 ACC Information Processing Block Diagram
7.7-16 N-16 Detection and Alarm Logic
7.7-17 DIAS-N Segment Block Diagram
7.7-18 Discrete Indicator (Pressurizer Pressure and Level)
7.7-19 IPSO/DIAS/DPS Data Communications
7.7-20 Block Diagram of the Data Processing System
7.7-21 Overview of Hierarchical Display Structure
7.7-22 Data Processing System Configuration
7.7-23 Functional Diagram of the Core Operating Limit Supervisory System
7.7-24 Alternate Protection System (ARTS) MCBD
7.7-25a Alternate Protection System (AFAS-1) MCBD
7.7-25b Alternate Protection System (AFAS-2) MCBD
7.7-26a Acoustic Leak Monitoring System (ALMS) MCBD
7.7-26b Loose Parts Monitoring System (LPMS) MCBD
7.7-27 IRWST/Reactor Cavity Flooding System MCBD
7.7-28 Holdup Volume/Reactor Vessel Cavity Flooding System MCBD
7.7-29 Reactor Vessel Cavity Flooding System

7.0 Instrumentation and Controls

7.1 Introduction

The System 80+™ Standard Design includes the Nuplex 80+™ Advanced Control Complex (ACC). The design integrates the instrumentation and controls for an essentially complete plant into the ACC design.

System 80+ and Nuplex 80+ are trademarks of Combustion Engineering, Inc.

The ACC design consists of the following major interdependent systems: Main Control Panels (MCP), Remote Shutdown Panel (RSP), Discrete Indication and Alarm System (DIAS), Data Processing System (DPS), ESF and Process Component Control Systems (CCS), Plant Protection System (PPS) and Power Control System (PCS), which includes the Megawatt Demand Setter (MDS).

The Nuplex 80+ design takes advantage of modern digital processing equipment to implement the safety, control and information display systems. These systems are implemented in accordance with the Human Factors Engineering design criteria and process as described in Chapter 18.

7.1.1 Identification of Safety-Related Systems

The safety-related instrumentation and controls, including supporting systems, are identified below.

7.1.1.1 Plant Protection System

The Plant Protection System (PPS) includes the electrical and mechanical devices and circuitry required to perform the protective functions defined below.

  • Reactor Protective System (RPS): The RPS is the portion of the PPS that acts to trip the reactor when required. The RPS is described in Section 7.2.
  • Engineered Safety Features Actuation System (ESFAS): The ESFAS is the portion of the PPS which activates the Engineered Safety Features systems listed in Section 7.1.1.3 and described in Section 7.3.

7.1.1.1.1 Alternate Protection System

The Alternate Protection System (APS) augments reactor protection and emergency feedwater actuation by utilizing non-1E trip logic which is separate and diverse from the Plant Protection System. Refer to Section 7.7.1.1.11 for a description of these ATWS prevention and mitigation systems.

7.1.1.2 Reactor Trip System

The Reactor Trip System (RTS) includes the RPS portion of the PPS, the Reactor Trip Switchgear System (RTSS) and the components that perform a reactor trip after receiving a signal from the RPS, either automatically or manually by the operator. The RTS initiates a reactor trip based on the signals from the sensors which monitor various NSSS parameters and the containment pressure.

7.1.1.3 Engineered Safety Feature Systems

The Engineered Safety Feature (ESF) Systems include the ESF Actuation System (ESFAS) and the components that perform protective actions after receiving a signal from the ESFAS or the operator. The ESF Systems are:

  • Containment Isolation System
  • Main Steam Isolation System
  • Safety Injection System
  • Emergency Feedwater System
  • Containment Spray System
  • Safety Depressurization System
  • Supporting Systems

The instrumentation and controls for ESF Systems are described in Section 7.3.

7.1.1.4 Systems Required for Safe Shutdown

Systems required for safe shutdown are defined as those essential for pressure and reactivity control, coolant inventory makeup, and removal of residual heat once the reactor has been brought to a subcritical condition. These systems are categorized according to the following shutdown modes:

  • Hot Shutdown: Systems required for maintenance of the primary system at, or near, operating temperature and pressure.
  • Cold Shutdown: Systems required to cool down and maintain the primary system at, or near, ambient conditions.

The systems required for safe shutdown are listed below and described in Section 7.4. The safe shutdown systems required to place the reactor in hot shutdown include:

  • Emergency Diesel Generator
  • Emergency Diesel Generator Fuel Storage and Transfer System
  • Emergency Power Storage System
  • Emergency On-site Power Distribution System
  • Safety Injection System
  • Emergency Feedwater System
  • Atmospheric Steam Dump System
  • Safety Depressurization System
  • Station Service Water System
  • Component Cooling Water System
  • Heating, Ventilating and Air Conditioning Systems

In addition, Remote Shutdown Panel (RSP) equipment and systems are provided to allow emergency shutdown from outside the control room.

The safe shutdown systems or portions of systems required to place the reactor in cold shutdown include those listed above, plus the following:

  • Shutdown Cooling System

7.1.1.5 Safety-Related Display Instrumentation

The safety-related display instrumentation provides information to the operator to allow him to adequately monitor plant operating conditions and to perform any required manual safety functions. Safety-related display instrumentation is described in Section 7.5. Safety-related displays are provided for:

  • Safety-Related Plant Process Display Instrumentation
  • Reactor Trip System Monitoring
  • Engineered Safety Features Actuation System Monitoring
  • CEA Position Indication
  • Post-Accident Monitoring Indication
  • ESF Systems Performance and Availability Indication
  • Critical Functions Monitoring Indication

7.1.1.6 All Other Systems Required for Safety

Other systems required for safety include the interlocks required to prevent overpressurization of the Shutdown Cooling System and to ensure safety injection availability. These are provided as listed below and described in Section 7.6.

  • Shutdown Cooling System Suction Line Isolation Valve Interlocks
  • Safety Injection Tank Isolation Valve Interlocks

7.1.1.7 Design Comparison

The RPS will be functionally identical to the system provided for the Palo Verde Nuclear Generating Station (PVNGS, NRC Docket No. 50-528) with the following exception:

The Supplementary Protection System (SPS) is replaced by the Alternate Protection System (APS), as described in Section 7.7.1.1.11. The APS is specifically designed to increase the reliability of reactor trip initiation and address ATWS Mitigating Systems Actuation Circuitry (AMSAC) requirements by incorporating an alternate emergency feedwater actuation signal.

The System 80+ design expands the use of technology implemented in the Core Protection Calculators (CPCs) at Palo Verde. This technology transfer from the CPCs includes computer processing, fiber optics and multiplexing to other PPS equipment.

In the Palo Verde Reactor Protection System (RPS) design, both the Plant Protection System (PPS) and the Engineered Safety Features Actuation System (ESFAS) are relay-based hardwired systems. For System 80+, both the PPS and the Engineered Safety Features Component Control System (ESF-CCS) are computer-based systems. Use of computer-based technology allows the System 80+ RPS to remain functionally identical to the proven RPS design, while utilizing off-the-shelf commercially available equipment vs. equipment of custom design and manufacture. This computer-based technology also provides the capability for enhanced features such as automatic continuous on-line testing, and utilization of fiber optic technology for isolation between protection system channels, and between equipment cabinets and operator interface devices in the Main Control Room. The ESF-CCS utilizes the advantages of remote multiplexing.

The logic of each ESF initiation function, including testing features, is similar to the logic for the RPS and is contained in the same physical enclosures. The actuation logic and devices are contained in the ESF Component Control System (CCS). The design of this system is described in Section 7.3. The following ESFAS functional changes from the PVNGS design have been made:

  • Recirculation Actuation Signal (RAS) has been deleted due to the addition of the In-Containment Refueling Water Storage Tank.
  • EFAS initiation logic is simplified by deleting the requirement for automatic identification and isolation of a ruptured steam generator. The addition of cavitating venturis in the auxiliary feedwater line prevents excess flow to the ruptured steam generator.

7.1.1.8 System Drawings

Instrumentation and Control (I&C) system Measurement Channel Block Diagrams (MCBDs) appear at the end of each section of Chapter 7. All other I&C drawings for the auxiliary support systems are located within the applicable system section of the Approved Design Material.

7.1.1.9 System Diversity

The design of Nuplex 80+ systems maintains diversity in key areas to provide a defense-in-depth approach against the effects of common mode failures. Nuplex 80+ employs diversity in the system designs as follows:

| Function | System Design Type 1 | System Design Type 2 |
|---|---|---|
| Reactor Trip | Plant Protection System | Alternate Reactor Trip Within Process-CCS |
| Fluid System Controls | Emergency Success Paths (e.g., Emergency Feedwater) via ESF-CCS | Normal Success Paths (e.g., Main Feedwater) via Process-CCS |
| Reactivity Controls | Emergency Boration via ESF-CCS | Normal CEA Control - via Power Control System |
| Alarm and Indication | Alarm Tiles and Discrete Indicators - via DIAS | VDU** Displays - via DPS |

** VDU is an abbreviation of "Video Display Unit" and encompasses Cathode Ray Tube (CRT) technology. Some Approved Design Material may use "CRT" as an example of VDU technology for the DPS (i.e., as diverse from DIAS), but other diverse VDU technology is acceptable, subject to applicable requirements and qualifications.

7.1.2 Identification of Safety Criteria

Comparison of the design with applicable Regulatory Guide recommendations and the degree of compliance with the appropriate design bases, General Design Criteria, standards, and other documents used in the design of the systems listed in Section 7.1.1 is described in Sections 7.1.2.2 through 7.1.2.34, and in each of the sections describing the system. (Refer to Sections 7.2 through 7.6.)

7.1.2.1 Design Bases

The design bases for the safety-related instrumentation and control of each safety-related system are presented in the section of this chapter that discusses the system to which the information applies.

Consideration has been given to instrument error in the selection of all safety system setpoints (refer to Section 7.1.2.27). Where setpoints are listed in Chapter 7, it is understood that these are nominal values. The actual setpoint may vary within prescribed accuracies which have been considered in selection of the values.

7.1.2.1.1 Systems Required for Plant Protection

The instrumentation and controls for the Reactor Trip System and Engineered Safety Feature systems conform to the following:

  • The systems conform to IEEE Standards 279-1971 and 603-1980. Detailed discussion of conformance for these and other safety-related system instrumentation and controls is provided in the applicable section of this chapter. Conformance to these and other IEEE Standards is discussed in Sections 7.1.2.2 through 7.1.2.13.
  • Comparison with Regulatory Guide recommendations for Water-Cooled Nuclear Power Plants, Division of Reactor Standards, Nuclear Regulatory Commission, is discussed in Sections 7.1.2.5 through 7.1.2.10, and 7.1.2.13 through 7.1.2.34.
  • The quality assurance program is described in Chapter 17.
  • General Design Criteria for Nuclear Power Plants, Appendix A to 10 CFR 50, as described in Section 3.1.

7.1.2.1.2 Systems Required for Safe Shutdown

The design bases for the systems required for safe shutdown are described in Section 7.4.

7.1.2.1.3 Safety-Related Display Instrumentation

The design bases for safety-related display instrumentation are described in Section 7.5.

7.1.2.1.4 All Other Systems Required for Safety

The design bases for all other systems required for safety are described in Section 7.6.

Auxiliary and support systems necessary for the proper functioning of safety systems are identified in the ADM section for the safety system requiring the support system. Descriptions of these systems are included in the appropriate section as identified in Table 7.1-1.

7.1.2.2 Conformance to IEEE 279-1971

Extent of conformance to IEEE Standard 279-1971, "IEEE Standard Criteria for Protection Systems for Nuclear Power Generating Stations," is discussed in Sections 7.1.2.10, 7.2, 7.3 and 7.6.

7.1.2.3 Conformance to IEEE 308-1980

Electrical components, equipment and systems which are vital to safe operation are described in Chapter 8. Conformance to IEEE 308-1980, "IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations," as criteria in the design of these systems is also discussed in Chapter 8.

i System 80+ Design ControlDocument 7.1.2.4 Conformance to IEEE 317-1983 Electrical penetrations and their conformance to IEEE 317-1983, " Electrical Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations," is discussed in Chapter 8.

 .7.1.2.5           Conformance to IEEE 323-IP74, as Augmented by Regulatory Guide 1.89 Compliance with IEEE 323-1974, "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Sta: ions," for instrumentation is discussed in Combustion Engineering Topical Report CENPD-255-A, " Qualification of Combustion Engineering Class 1E Instrumentation" (Reference 1). The basic qualification requirements are discussed in Section 3.11.

7.1.2.6 Conformance to IEEE 336-1985, a; Augmented by Regulatory Guide 1.30 Conformance with IEEE 336-1985, Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations," is discussed in Section 1.8. 7.1.2.7 Conformance to IEEE 338-1977, as Augmented by Regulatory Guide 1.118 . The PPS and ESF-CCS, as well as the RTSS, are designed so that they can be periodically tested in accordance with the criteria of IEEE 338-1977, " Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems." Combustion Engineering supplies the response times of f instrumentation and control components as a result of factory tests to the site operator. ((It is the site ( operator's responsibility to test the integrated response time of each protection system after installation.)) Testing criteria are specified in Sections 7.2.2.3.3 and 7.3.2.3.3. Minimum testing frequency requirements are provided in the Technical Specifications (Chapter 16).  ; Since operation of the ESF Systems is not expected, the systems are periodically tested to verify operability. Complete channels, in the ESFAS, can be individually tested without initiating protective action and without inhibiting the operation of the system. The system can be checked from the sensor signal through the actuation devices. The functional modules in the sensor system can be tested during reactor operation. The sensors can be checked by comparison with similar channels. Those actuated devices, which are not tested during reactor operation, will be tested during scheduled reactor shutdown to show that they are capable of performing the necessary functions. 
7.1.2.8 Conformance to IEEE 344-1987, as Augmented by Regulatory Guide 1.100

Compliance with IEEE 344-1987, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," is discussed in Combustion Engineering Topical Report CENPD-182, "Seismic Qualification of Instrumentation Equipment," (Reference 2). The basic seismic qualification requirements are discussed in Section 3.10.

3 COL information item; see DCD Introduction Section 3.2.

The adequacy of the design of Class 1E Equipment is verified by a combination of testing and/or analysis for the performance of its functions during and after the equipment is subjected to the forces resulting from a SSE preceded by a number of DBEs. Also, the similarity between the tested equipment and the installed equipment is proven (e.g., design, orientation, foundation, performance). The seismic tests take into consideration the operability of the equipment during seismic events.

7.1.2.9 Conformance to IEEE 379-1977, as Augmented by Regulatory Guide 1.53

Instrumentation for the PPS and ESF-CCS, and the RTSS conform to the requirements of IEEE 379-1977, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems," as augmented by Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems." A discussion of the application of the single failure criterion is provided in Sections 7.2.2.3.2 and 7.3.2.3.2 for these systems.

7.1.2.10 Conformance to IEEE 384-1981, as Augmented by Regulatory Guide 1.75

The instrumentation for the safety-related electric systems conforms to the requirements of IEEE 384-1981, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," as augmented by Regulatory Guide 1.75, "Physical Independence of Electric Systems." A discussion of the physical independence is provided below which describes the compliance with Section 4.6 of IEEE 279-1971 and General Design Criteria 3 and 21.

The PPS is divided into four assemblies which are physically located in different geographic fire zones within the Nuclear Annex. Each assembly contains one of the four redundant channels of the RPS and ESFAS. This provides the separation and independence necessary to meet the requirements of Section 4.6 of IEEE 279-1971.
The independence and separation of redundant Class 1E circuits within and between the PPS assemblies or ESF-CCS assemblies is accomplished primarily through the use of fiber-optic technology and, as necessary, by 6-inch separation, barriers or conduits. The optical technology ensures that no single credible electrical fault in a PPS channel can prevent the circuitry in any other redundant channel from performing its safety function.

The ESF Component Control System cabinets provide separation and independence for the selective two-out-of-four actuation and component control logic of the redundant ESF systems trains. Each train's component control logic is contained in a separate cabinet. The redundant cabinets are physically separated from each other by locating them in separate zones. Redundant train remote I/O multiplexers are located to maintain physical separation.

The RTSS consists of a set of four Reactor Trip Switchgears (RTSG). Each RTSG and its associated switches, contacts and relays is contained in a separate cabinet. Each cabinet is physically separate from the other cabinets. This method of construction ensures that a single credible failure in one RTSG cannot cause malfunction or failure in another cabinet.

The separation and independence of the power supplies for each of the above systems is discussed further in Chapter 8.

Protection system analog and digital signals sent to non-Class 1E systems for status monitoring, alarm and display (e.g., DPS, DIAS, CEDMCS) are isolated from the protection system. Fiber-optic isolation and other techniques are used to ensure no credible failures on the non-1E side of the isolation device will affect the PPS side and that independence of the PPS is not jeopardized.

7.1.2.11 Conformance to IEEE 387-1984

Conformance to IEEE 387-1984, "IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations," as criteria in the design of these systems is discussed in Sections 8.3.1, and 9.5.4 through 9.5.8.

7.1.2.12 Conformance to IEEE 450-1980

Conformance to IEEE 450-1980, "IEEE Recommended Practice for Large Lead Storage Batteries for Generating Stations and Substations," as criteria in the design of these systems is discussed in Chapter 8.

7.1.2.13 Conformance to IEEE 603-1980, as Augmented by Regulatory Guide 1.153

The safety systems such as PPS, ESF-CCS and RTSS conform to the requirements of IEEE 603-1980, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations," as augmented by Regulatory Guide 1.153, "Criteria for Power, Instrumentation, and Control Portion of Safety Systems." For descriptions of conformances, refer to Sections 7.1.2.2, 7.1.2.3, 7.1.2.5, 7.1.2.7, 7.1.2.9 and 7.1.2.10.

7.1.2.14 Comparison of Design with Regulatory Guide 1.6

See Chapter 8.

7.1.2.15 Conformance to Regulatory Guide 1.11

Guidelines for instrument lines which penetrate primary reactor containment, and which are part of the reactor coolant pressure boundary or are connected directly to the containment atmosphere do not apply, since there are no lines which fall into this category. Containment pressure is monitored by four redundant pressure transmitters located outside of containment which monitor containment atmosphere. The lines both inside and outside containment are kept as short as possible. These lines and the transmitter diaphragm are considered an extension of the containment building and are seismically qualified and designed for higher pressure than containment design pressure. No other instrument lines penetrate reactor containment.

7.1.2.16 Conformance to Regulatory Guide 1.17

The following design features address the requirements of Regulatory Guide 1.17, "Protection of Nuclear Power Plants Against Industrial Sabotage":

  • Separate Geographic Locations for Equipment
1. Redundant channels of safety-related instrumentation and control cabinets are designed to be located in separate plant locations. These equipment locations are designed consistent with the intent of NUREG-0908 (Reference 4) and are described in Chapter 13, Appendix 13A, Section 7.


  • Limited Ability to Change System Hardware and Software Configurations
1. Portions of systems are designed to limit the ability of operating and maintenance personnel to change basic system functions (e.g., setpoints can be changed, but the trip function calculation cannot be altered). Further details on the protection features of the I&C system, relative to setpoint security, are contained in Chapter 13, Appendix 13A, Section 8.
2. The transfer of control between the Main Control Room and Remote Shutdown Panel is under key lock administrative control with built-in alarms. Further details of the protection features of the I&C system, relative to impeding unauthorized transfer from the Main Control Room to the Remote Shutdown Panel, are contained in Chapter 13, Appendix 13A, Section 8.
3. The PPS design does not permit bypassing either the RPS or ESFAS signals at the system level. Bypasses can be initiated in only one of the four redundant protection channels at a time. Attempts to bypass additional channels will be rejected and be annunciated, as discussed in Sections 7.2.1 and 7.3.1.
4. Vital instrumentation cabinet doors are locked and equipped with "door open" alarms.
  • Fail-Safe Design Philosophy
1. Systems are generally designed to fail safely upon de-energization, removal of printed circuit boards and disconnection of cables and data links.
2. Test modes are designed such that they do not prevent system actuation. Refer to Sections 7.2.1.1.9 and 7.3.1.1.8 for additional information regarding testing safety system I&C.
  • Safety System Status Monitoring
1. Critical safety system setpoints can be determined manually and, in addition, are automatically monitored via the Plant Protection System (PPS) Interface and Test Processor (ITP). The trip setpoints are also sent to the plant Data Processing System as an added defense against undesired setpoint changes.

ESF-CCS process control setpoints are periodically verified during selective group testing described in Section 7.3.1.1.8.6. These setpoints are also sent to the DPS as an added defense against undesired setpoint changes.

2. Reactor trip and ESFAS initiation trip channel bypass alarms are provided.
3. Component level bypasses in the ESF systems result in system level inoperable alarms for the affected systems, as described in Section 7.1.2.21.
  • Diverse Manual vs Automatic Reactor Trip and ESFAS Initiation
1. Reactor Trip and ESFAS are automatically initiated by the PPS. These same functions can be manually initiated by the operator. The RTSS and ESF-CCS manual initiation trips do not rely on any PPS components for actuation. Therefore, these functions can be manually initiated with a complete failure of the PPS automatic initiation logic.

The above features are designed to impede sabotage. See Chapter 13, Appendix 13A for a more comprehensive discussion on protection against sabotage.

7.1.2.17 Conformance to Regulatory Guide 1.22

The PPS, ESF-CCS, and the RTSS, as described in Section 7.1.1, conform to the guidance of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions." This conformance is described below.

  • Provisions are made to permit periodic testing of the complete PPS, ESF-CCS, and RTSS with the reactor operating at power or when shutdown. These tests cover the trip action from sensor input to actuated devices. Those ESF actuated devices which could affect operations are not tested while the reactor is operating but, instead, are tested while the reactor is shutdown.
  • The provisions of this position are incorporated in the testing of the PPS, from sensor to actuation device, including the ESFAS and ESF-CCS and the RTSS.
  • No provisions are made in the design of the PPS, ESF-CCS, and RTSS at the systems level to intentionally bypass an actuation signal that may be required during power operation. All bypasses are on a channel level to prevent an operator from inadvertently bypassing a trip function. Refer to Sections 7.2.1.1.5 and 7.3.1.1.3 for a discussion of bypass methods.
  • The manual testing circuitry for an RPS channel is interlocked to prevent testing in more than one redundant channel simultaneously. When a channel is bypassed for manual testing, the bypass is automatically indicated in the main control room.
  • When an ESFAS is bypassed for manual testing, the bypass is automatically indicated in the main control room.
  • Actuated devices which cannot be tested during reactor operation will be tested by the ESFAS circuitry when the reactor is shut down.
  • An additional level of testing is the continuous self-diagnostic test of the PPS and ESF-CCS hardware. Programmable logic controllers will be used for implementation of the PPS and ESF-CCS. This equipment does not utilize multi-tasking processors; therefore, testing is performed for a short millisecond duration at the end of each processor scan cycle. This testing is not run in background or in a bypass mode. Typical examples of "self-health" test criteria are given as follows:

  • AC Power On
  • Processor Running
  • Memory Parity Check
  • Hot Standby Controller Active
  • Program Checksum
  • Memory Protect Status
  • I/O Communications Active
  • I/O Module Check

All self-diagnostic errors are annunciated via the DPS and DIAS. Errors that have the potential to degrade system performance cause the system to assume a fail safe condition. Examples of this error type are:

  • I/O Module Failure
  • Memory Checksum Error
  • Loss of I/O Communications (see Section 7.2.2.4)

Errors that only affect system robustness are annunciated but will not cause the system to assume a fail safe condition. Examples of this error type are:

  • Loss of Redundant Processor
  • Loss of Redundant Power Supply
  • Memory Protect Battery Low

It is noted that trip processing does not occur during this self-health testing; however, the short delay imposed by these tests is accounted for in the overall system response time credited in the safety analysis.

In addition, watchdog timer functions are built into all systems using three basic methods:

1. Processors that directly generate control or protection outputs as a binary or analog discrete interface (i.e., not digitized data communication) employ watchdog timers to force the outputs to a pre-determined state upon time-out. Examples of these are:

PPS - Bistable and coincidence processors
CCS - Group controllers

2. Processors that generate digitized data, interfaced to other control / protection processors rely on the data communication link to serve as the watchdog timer function. If the generating processor fails, the receiving processor will detect this via a communication link error. The receiving processor will then take the pre-programmed control action.

In most cases, this would be to alarm the failure and continue the control algorithm with the last good communicated data. Examples of this are:

PPS - Interface and Test Processor trip channel bypass signals to the Coincidence Processors
CCS - Division Gateway interface to the Group processors.

There are also cases where a failure in the communication link will result in pre-defined data states, which may cause a deviation in the control actions. Examples of this are:

PPS - Interface and Test Processor auto test signals to coincidence processor
CCS - Division Gateway signals

3. Processors that generate operator displays are monitored via data communication links as described in item 2 above. In addition, the display itself provides an indication that the data is being continuously refreshed. This may be in the form of a dynamic ICON or simply a time of day field.
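The first two watchdog methods above can be modelled in a few lines of Python. This is an added illustration, not code from the design document or from Combustion Engineering; the class names, millisecond timeouts, state names and the use of a frame sequence number to detect a stalled sender are assumptions made for the example.

```python
"""Added model of watchdog methods 1 and 2 (illustrative, not vendor code)."""

SAFE_STATE = "TRIP"  # assumed pre-determined output state for this example


class OutputWatchdog:
    """Method 1: a discrete output is forced to a pre-determined state on time-out."""

    def __init__(self, timeout_ms):
        self.timeout_ms = timeout_ms
        self.last_kick_ms = 0
        self.commanded = "NO_TRIP"

    def kick(self, now_ms, commanded):
        """Called by the processor at the end of every healthy scan cycle."""
        self.last_kick_ms = now_ms
        self.commanded = commanded

    def output(self, now_ms):
        """What the hardwired output shows; independent of the processor."""
        if now_ms - self.last_kick_ms > self.timeout_ms:
            return SAFE_STATE
        return self.commanded


class LinkReceiver:
    """Method 2: the data link itself serves as the sender's watchdog."""

    def __init__(self, timeout_ms, on_loss="HOLD_LAST", predefined=None):
        if on_loss not in ("HOLD_LAST", "PREDEFINED"):
            raise ValueError(f"unknown loss policy {on_loss!r}")
        self.timeout_ms = timeout_ms
        self.on_loss = on_loss          # pre-programmed action on link error
        self.predefined = predefined    # used only with the PREDEFINED policy
        self.last_seq = None
        self.last_rx_ms = None
        self.last_good = None

    def receive(self, now_ms, seq, value):
        """Accept a frame only if its sequence number advanced (assumption)."""
        if self.last_seq is not None and seq <= self.last_seq:
            return False                # repeated frame: sender is not updating
        self.last_seq, self.last_rx_ms, self.last_good = seq, now_ms, value
        return True

    def read(self, now_ms):
        """Return (value, link_alarm) for use by the receiving control algorithm."""
        lost = (self.last_rx_ms is None
                or now_ms - self.last_rx_ms > self.timeout_ms)
        if not lost:
            return self.last_good, False
        if self.on_loss == "PREDEFINED":
            return self.predefined, True   # pre-defined data state
        return self.last_good, True        # alarm, continue with last good data
```

The two loss policies correspond to the two groups of examples in item 2: holding the last good value with an alarm, or falling back to a pre-defined data state.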

A further description of the PPS, RTSS and ESF-CCS test features is provided in Sections 7.2 and 7.3.

7.1.2.18 Conformance to Regulatory Guide 1.29

The PPS and ESF-CCS and other instrumentation and controls necessary for safety conform to the guidance of Regulatory Guide 1.29, "Seismic Design Classification." This conformance is described below.

The systems designated as Seismic Category I are items listed in Regulatory Guide 1.29 Sections C.1.k, C.1.l, C.1.n and C.1.q. The seismic classification and qualification methods are discussed in Combustion Engineering's Topical Report CENPD-182 (Reference 2), Chapter 18 and Section 3.10.

Those portions of structures, systems, or components whose continued function is not required, are designated as Seismic Category II and designed so that the SSE will not cause a failure which will reduce the functioning of any plant safety feature to an unacceptable level, including incapacitating injury to the occupants of the control room.

7.1.2.19 Conformance to Regulatory Guide 1.40

Continuous duty motors and their conformance to Regulatory Guide 1.40, "Qualification Tests of Continuous-Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants," are discussed in the site-specific SAR.

7.1.2.20 Conformance to Regulatory Guide 1.45

Refer to Section 5.2.5 for a discussion of conformance to Regulatory Guide 1.45. The design of the Acoustic Leak Monitoring System is described in Section 7.7.1.6.2.

7.1.2.21 Conformance to Regulatory Guide 1.47

The design of the RPS and the ESFAS as indicated in Sections 7.2 and 7.3, is consistent with the recommendations of Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." Conformance is described below.

  • Annunciator outputs are provided to indicate, at the system level, the bypassing or deliberate inducing of inoperability of a protection system. The system level alarms are actuated when a component actuated by a protection system is bypassed or deliberately rendered inoperable.
  • Those auxiliary and support systems within the Approved Design Material (ADM) licensing scope provide automatic annunciator activation to indicate, on a system level, the bypassed or deliberately induced inoperability of an auxiliary or support system that effectively bypasses or renders inoperable a protection system and the systems actuated or controlled by a protection system.

  • Annunciation is provided in the control room, at the system level, for each bypassed or deliberately induced inoperable status in a protection system.
1. Annunciation is supplied for those ADM protection, auxiliary and support systems discussed above.
2. All of these bypasses are expected to be used at least once a year.
3. All of these bypasses are expected to be usable when the annunciated system is expected to be operable.
  • The operator is able to activate each system level bypass indicator manually in the control room.

Bypasses and inoperable status conditions can be classified into the following groups:

1. operating bypasses,
2. trip channel bypasses, and
3. ESF components inoperable.

There are no system level bypasses for the RPS or ESFAS.

7.1.2.21.1 Operating Bypasses

The operating bypass is used during routine startup and shutdown. These bypasses must be manually inserted. They utilize permissive logic generated from the parameter(s) being bypassed to ensure the bypass is removed if plant conditions deviate to the point where the bypass is no longer safe. (Example: If the coolant system pressure rises above a predetermined setpoint, the RPS/ESFAS pressurizer pressure bypass is automatically removed.) Once a bypass is automatically removed, the manual normal (unbypassed) position must be actuated and then the bypass position reactuated in order to reinsert the bypass. This prevents cycling the bypass with the permissive contact status.

Bypass status indication is provided on the PPS remote operator's modules for each channel. The bypass and bypass permissive status are provided to the plant Data Processing System. Operating bypasses include the RPS/ESFAS pressurizer pressure bypass, the high log power bypass and the CPC DNBR/LPD trip bypass.

7.1.2.21.2 Trip Channel Bypasses

These bypasses are used to individually bypass channel trip inputs to the protection system logic for maintenance or testing. The trip logic is converted from a two-out-of-four to a two-out-of-three logic for the parameters being bypassed, while maintaining a coincidence of two for actuation. Only one channel for any one parameter may be bypassed at any one time. These bypasses must be manually initiated and removed.

Individual bypass indication is provided locally at the PPS and at the PPS remote operator's modules located in the control room. In addition, the status of each bypass is provided to the plant Data Processing System.

7.1.2.21.3 ESF Components Inoperable

The bypassed and/or inoperable condition of ESF components is monitored by the ESF-CCS, as described in Section 7.3. ESF-CCS status outputs are provided to the Data Processing System (DPS) which processes logic to indicate at the system level, the bypassing, inoperability or deliberate inducing of inoperability of an ESF system. The DPS also provides status information at the component level. The operator has the ability to activate each ESF system level bypass indicator manually in the control room.

Inoperable indication is shown on the DPS VDUs, Integrated Process Status Overview (IPSO) panel and Discrete Indication and Alarm System (DIAS) alarm tiles as further described in Sections 7.7.1.4 and 7.7.1.5.
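The trip channel bypass interlock of Section 7.1.2.21.2 (the same one-channel-at-a-time rule listed under Regulatory Guide 1.17) and the operating bypass re-arm behaviour of Section 7.1.2.21.1 can be modelled as follows. This Python model is an added illustration, not code from the design document or from Combustion Engineering; the class names, channel letters A to D, alarm strings and switch position names are assumptions.

```python
"""Added model of Sections 7.1.2.21.1 and 7.1.2.21.2 (illustrative only)."""

CHANNELS = ("A", "B", "C", "D")  # four redundant protection channels (assumed names)


class TripParameter:
    """One trip parameter voted two-out-of-four across the channels."""

    def __init__(self, name):
        self.name = name
        self.bypassed = None   # at most one channel bypassed at any one time
        self.alarms = []       # stands in for annunciation and DPS status

    def request_bypass(self, channel):
        """Manually insert a trip channel bypass; reject and alarm a second one."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if self.bypassed is not None and self.bypassed != channel:
            self.alarms.append(f"{self.name}: bypass of {channel} rejected, "
                               f"{self.bypassed} already bypassed")
            return False
        self.bypassed = channel
        self.alarms.append(f"{self.name}: channel {channel} bypassed")
        return True

    def remove_bypass(self):
        """Trip channel bypasses are removed manually as well."""
        self.bypassed = None

    def actuate(self, bistable_trips):
        """True when at least two unbypassed channels are tripped.

        With one channel bypassed the vote becomes two-out-of-three;
        the coincidence of two is kept in both cases.
        """
        votes = sum(1 for ch in CHANNELS
                    if ch != self.bypassed and bistable_trips.get(ch, False))
        return votes >= 2


class OperatingBypass:
    """Manually inserted bypass that its permissive can remove automatically."""

    def __init__(self):
        self.active = False
        self.armed = True      # False after an automatic removal

    def set_switch(self, position, permissive):
        """Operator switch: 'NORMAL' (unbypassed) or 'BYPASS'."""
        if position not in ("NORMAL", "BYPASS"):
            raise ValueError(f"unknown switch position {position!r}")
        if position == "NORMAL":
            self.active = False
            self.armed = True  # returning to NORMAL re-arms the bypass
        elif permissive and self.armed:
            self.active = True
        return self.active

    def scan(self, permissive):
        """Evaluated every scan: drop the bypass when the permissive is lost."""
        if self.active and not permissive:
            self.active = False
            self.armed = False  # the permissive returning alone does not reinsert
        return self.active
```

The `armed` flag is what stops the bypass from cycling with the permissive contact: after an automatic removal, only the NORMAL-then-BYPASS switch sequence reinserts it.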

7.1.2.22 Conformance to Regulatory Guide 1.62

Manual initiation of the RPS is described in Sections 7.2.1.1.1.11 and 7.2.2.3.2. Manual initiation of the ESFAS is described in Section 7.3.2.3.2. Conformance to Regulatory Guide 1.62, "Manual Initiation of Protective Actions," is as follows:

  • Each of the above systems can be manually actuated.
  • Manual initiation of a protective action is provided at the system level and causes the same actions to be performed by the protection system as would be performed if the protection system had been initiated by automatic action.
  • Manual switches are located in the control room, ESF-CCS and at the RTSS for use by the operators. Some ESF functions also have manual actuation at the Remote Shutdown Panel.
  • The amount of equipment common to the manual and automatic initiation paths is kept to a minimum, usually just the actuation devices. No single credible failure in the manual, automatic, or common portions of the protective system will prevent initiation of a protective action by manual or automatic means.
  • Manual initiation requires a minimum of equipment consistent with the needs listed above.
  • Once initiated, manual protective action will go to completion.

7.1.2.23 Conformance to Regulatory Guide 1.63

Electrical penetrations and their conformance to Regulatory Guide 1.63, "Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants," are discussed in Section 3.8.2 and the site-specific SAR.

7.1.2.24 Conformance to Regulatory Guide 1.68

Conformance with Regulatory Guide 1.68, "Preoperational and Initial Start-Up Test Program for Water-Cooled Power Reactors," is discussed in Chapter 14.

7.1.2.25 Conformance to Regulatory Guide 1.73

The Nuclear Power Module licensing scope electric valve operators intended to be installed inside the containment are qualified in compliance with Regulatory Guide 1.73, "Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants," (see Section 3.11). The Class 1 electric valve operators inside the containment are qualified according to the requirements of Section 11 of Appendix B to 10 CFR 50. The qualification tests of the electric valve operators follow the applicable requirements of IEEE 382-1980, 344-1987 and 323-1974. The qualification tests demonstrate the design adequacy of the operators for service inside containment. These tests simulate those conditions that would be imposed during and after a Design Basis Event (e.g., LOCA) and those occurring during normal operating conditions. The qualification tests verify the adequacy of design for service under DBE conditions subject to the following:

  • Subcomponents (e.g., limit switches) are not integrated with the valve operator mechanism but are, instead, part of the installed operator assembly.
  • The test sequence described in IEEE 382-1980 or the actual service sequence, whichever has the most severe operating conditions, is used during operator qualification tests.
  • The valve operator is tested under the severest environmental conditions (T, P, RH, Radiation) that simulate the conditions to which the valve operator is expected to be exposed during and following a DBA.
  • The radiological source term for qualification tests is based on the same source term used in Regulatory Guide 1.7 taking into consideration the containment size, beta and gamma radiation.

7.1.2.26 Conformance to Regulatory Guide 1.97

The design of the post-accident monitoring instrumentation and information display via the DPS and DIAS is described in Sections 3.1 and 7.5. The design conforms to Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident."

7.1.2.27 Conformance to Regulatory Guide 1.105

((The generation of safety system setpoints conforms to ISA S67.04-1987, "Setpoints for Nuclear Safety Related Instrumentation Used in Nuclear Power Plants.")) The setpoint methodology is similar to that explained in CEN-278(V), "Selection of Trip Setpoint Values for the Plant Protection System," submitted on the Palo Verde Nuclear Generating Station Unit 1 Docket, STN-50-528 and approved by the NRC.

The environment considered when determining errors is the most detrimental realistic environment calculated or postulated to exist until the worst case time of the required Reactor Trip or Engineered Safety Feature Actuation. This environment may be different for different events analyzed. For the setpoint calculation, the accident environment error calculation for process equipment uses the environmental conditions up to the longest required time of trip or actuation that results in the largest errors, thus providing additional conservatism to the resulting setpoints.

The reference leg heating component uncertainties for steam generator level also take into account pressure and temperature variation within the steam generator. For all temperature and pressure setpoints, the trip will be initiated at a point that is not at saturation for the equipment. For level setpoints, no analysis setpoint is within 5% of the ends of the level span.

NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

7.1.2.28 Conformance to Regulatory Guide 1.106

Conformance to Regulatory Guide 1.106, "Thermal Overload Protection for Electric Motors on Motor-Operated Valves," is accomplished as follows. Thermal overload protection devices are not used in safety-related motor-operated valve control circuits. Thermal overload signals are used only for status annunciation.

The ESF-CCS, as described in Section 7.3, has the design capability to provide MOV thermal overload status which is available via the DIAS and DPS described in Sections 7.7.1.4 and 7.7.1.7.

7.1.2.29 Conformance to Regulatory Guide 1.120, as Augmented by BTP CMEB 9.5-1

The following design features address the guidelines contained in Regulatory Guide 1.120 "Fire Protection Guidelines For Nuclear Power Plants":

  • Redundant channels and divisions of safety-related instrumentation and control cabinets are designed to be located in separate geographic plant fire zones.
  • The Control Complex is designed to allow a safe plant shutdown with a major fire in the main control room. The design utilizes fiber-optics and other signal isolation technologies in conjunction with the ability to manually transfer control to the Remote Shutdown Panel(s).
  • The minimization of combustible materials is considered in the design and fabrication of the instrumentation and controls.
  • The control room design includes provisions to locate fire protection system audible and visual alarm panels within the control room or, alternately, to integrate the alarms into the DIAS and DPS.
  • Control room and computer room equipment, panels and consoles that are safety related, contain fire detection devices with local and remote alarm annunciators.

The above features and design considerations form only a part of the defense in depth fire protection philosophy. See Section 9.5 for a more comprehensive discussion of the plant's fire protection program.

7.1.2.30 Conformance to Regulatory Guide 1.133

The design of the Loose Parts Monitoring System conforms to Regulatory Guide 1.133, "Loose-Part Detection Program for the Primary System of Light-Water-Cooled Reactors," and is described in detail in Section 7.7.1.6.3.

7.1.2.31 Conformance to Regulatory Guide 1.151

All protection and control sensing methods meet the independence requirements of Regulatory Guide 1.151, "Instrument Sensing Lines" as described in Sections 3.1.20, and 7.7.1.1.13. All safety related sensing lines within the scope of the ADM are located in a protected environment, such that they will not be subject to adverse environmental conditions. Implementation of an In-containment Refueling Water Storage Tank, for example, eliminates the concern of measuring this safety related tank level out of doors.

7.1.2.32 Conformance to Regulatory Guide 1.152

Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," states that the requirements set forth in ANSI/IEEE-ANS-7-4.3.2-1982 provide a method acceptable to the NRC staff for designing software, verifying software, implementing software, and validating computer systems in safety-related systems of nuclear power plants.

((The software development program used for Nuplex 80+ is described in "Nuplex 80+ Software Program Manual")) (Reference 3) and the Nuplex 80+ Software Safety Plan Description (Reference 5).

((The program for utilization of commercial grade hardware and software is described in "Requirements for the Supply of Commercial Digital Computer Hardware and Software Components to be used in Nuplex 80+ Safety Systems.")) (Reference 6). ((NRC staff approval is required prior to implementing a change in certain sections of these guidelines. The affected sections are identified in Section 9 of Reference 3, and Section 7 of Reference 6.))
  • The Core Protection Calculator (CPC) described in Section 7.2.1.1.2.5 is a digital computer system that generates reactor trip signals for low DNBR and high Local Power Density. The CPC software is developed and tested in accordance with Regulatory Guide 1.152.
  • The Plant Protection System (PPS) described in Section 7.2 is a multiple microprocessor based system that generates RPS and ESF initiation signals. The PPS software is developed and tested in accordance with Regulatory Guide 1.152.
  • The ESF Component Control System (CCS) described in Section 7.3 is a multiple microprocessor based system that controls and actuates ESF fluid system components. The ESF-CCS software is developed and tested in accordance with Regulatory Guide 1.152.
  • The Discrete Indication and Alarm System (DIAS) described in Section 7.7.1.4 is a microprocessor based system that includes PAMI. The DIAS software is developed and tested in accordance with Regulatory Guide 1.152.

7.1.2.33 Conformance to Regulatory Guide 1.156

Conformance to Regulatory Guide 1.156, "Environmental Qualification of Connection Assemblies for Nuclear Power Plants", is as described in Sections 7.1.2.5, 7.1.2.8 and 7.1.2.18.

7.1.2.34 Conformance to Regulatory Guide 8.12

Conformance to Regulatory Guide 8.12, "Criticality Accident Alarm Systems," for the reactor is accommodated via the Boron Dilution Alarm Logic described in Section 7.7.1.1.10. In addition, the Ex-Core Neutron Flux Monitoring System Start-up Channels provide an audible count rate via speakers located in the main control room and containment building. Both the DIAS and DPS are designed to present this alarm information, as well as any other plant specific criticality accident alarms, to the control room operator.

¹ NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

7.1.3 System Interfaces

General instrumentation and control interface and the specific interfaces are discussed in the principal section for the safety-related systems. Table 7.1-1 identifies the applicable section where standardized functional descriptions for the interfacing auxiliary and supporting systems are provided.

  • Operational Controls

    All control modules supplied by the site operator for installation in the Main Control Panels and/or the Remote Shutdown Panels shall be designed to be compatible with the HFE design assumptions, criteria and task analyses identified in Chapter 18.

  • Design Reliability Assurance Program (DRAP)

    Redundant I&C equipment is described in Sections 7.2 through 7.7. To the extent that this equipment supports the I&C functions described in Section 3.0 of the Plant Technical Specifications, this equipment is considered for inclusion in the Design Reliability Assurance Program described in Section 17.3.

References for Section 7.1

1. "Qualification of Combustion Engineering Class 1E Instrumentation," Combustion Engineering, Inc., CENPD-255-A-1983, Revision 03, October 1985.
2. "Seismic Qualification of Instrumentation Equipment," Combustion Engineering, Inc., CENPD-182, May 1977.
3. "Nuplex 80+ Software Program Manual," ABB-CE Inc., NPX80-SQP 0101.0.
4. "Acceptance Criteria for the Evaluation of Nuclear Power Reactor Security Plans", U.S. Nuclear Regulatory Commission Report, NUREG-0908, August 1982.
5. "Nuplex 80+ Software Safety Plan Description," ABB-CE Inc., NPX80-IC-QP790-02.
6. "Requirements for the Supply of Commercial Digital Computer Hardware and Software Components to be used in Nuplex 80+ Safety Systems," ABB-CE, NPX80-QPS-0401.1.

Table 7.1-1 Auxiliary and Supporting System Descriptions

Description                              Applicable ADM Section
Control Room                             18.6
Emergency Operations Facility            13.3
Technical Support Center                 13.3
Electric Power Distribution System       8.3
Fire Protection System                   9.5
Diesel Generator System                  8.3 and 9.5
Station Service Water System             9.2
Component Cooling Water System           9.2
Instrument Air System                    9.3
Automatic Dispatch System                10.2
Environmental Support Systems (HVAC)     9.4
Alternate AC Source                      8.3


7.2 Reactor Protective System

7.2.1 Description

7.2.1.1 System Description

The Reactor Protective System (RPS) portion of the Plant Protection System (PPS) (as shown on Figure 7.2-1) is a vital system which consists of sensors, calculators, logic, and other equipment necessary to monitor selected plant conditions and to effect reliable and rapid reactor shutdown (reactor trip) if monitored conditions approach specified safety system settings. The system's functions are to protect the core fuel design limits and Reactor Coolant System (RCS) pressure boundary for Anticipated Operational Occurrences, and also to provide assistance in mitigating the consequences of accidents. Four measurement channels with electrical and physical separation are provided for each parameter used in the direct generation of trip signals, with the exception of Control Element Assembly (CEA) position which is a two channel measurement.

The Reactor Protective System (RPS) portion of the PPS includes the following functions: bistable trip, local coincidence logic, reactor trip initiation logic and automatic testing of PPS logic.

The bistable trip processors generate trips based on the measurement channel digitized value exceeding a digital setpoint. The bistable trip processors provide their trip signals to the coincidence processors located in the four redundant PPS channels. The coincidence processors evaluate the local coincidence logic based on the state of the four like trip signals and their respective bypasses. The coincidence signals are used in the generation of the Reactor Trip Switchgear System (RTSS) or Engineered Safety Features-Component Control System (ESF-CCS) initiation. Software is developed and tested for the above processors, as stated in Section 7.1.

A coincidence of two-out-of-four like trip signals is required to generate a reactor trip signal. The fourth channel is provided as a spare and allows bypassing of one channel while maintaining a two-out-of-three system.

The Nuplex 80+ Plant Protection System (PPS) has four pairs of cabinets housing the Plant Protection Calculator (PPC). Each pair of cabinets is located in a separate equipment room and contains the bistable processors, coincidence processors and interface hardware of one of the four PPS safety channels designated A, B, C and D. The design is based upon the use of Programmable Logic Controller (PLC) type equipment in each safety channel. All protective channel process loop inputs, protective channel trip functions, and the 2/4 Logic Matrix functions will be processed within the PLCs in that safety channel.

The reactor trip signal deenergizes the Control Element Drive Mechanism (CEDM) coils, allowing all CEAs to drop into the core.

PPS interfaces (RPS and ESFAS) for functions, such as operator interaction, alarm annunciation and testing (manual and automatic), are shown on Figure 7.2-2.

The local and main control room PPS operator's module (one per channel) provides for entering trip channel bypasses, operating bypasses, and variable setpoint resets. These modules also provide indication of status of bypasses, operating bypasses, bistable trip and pre-trip. The local operator module provides the man-machine interface during manual testing of bistable trip functions not tested automatically.
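
The bistable comparison and two-out-of-four local coincidence with a trip channel bypass, described above, sketched in Python as an added example (it is not code from the DCD or from ABB-CE). The function names, the sample readings and setpoint, and the rule that at most one channel of a parameter may be bypassed at a time are assumptions made for the illustration.

```python
# Added illustration, not from the DCD: bistable trip plus 2-out-of-4 local
# coincidence with a trip channel bypass. Setpoint and readings are constructed.

CHANNELS = ("A", "B", "C", "D")   # the four PPS safety channels named in the text


def bistable_trip(value, setpoint, rising=True):
    """Bistable processor: compare a digitized value with a digital setpoint.

    rising=True models a "high" trip, rising=False models a "low" trip.
    """
    return value >= setpoint if rising else value <= setpoint


def local_coincidence(trips, bypassed=frozenset()):
    """Two-out-of-four coincidence on four like trip signals and their bypasses.

    trips    -- dict mapping channel name to its bistable trip state (bool)
    bypassed -- channels currently in trip channel bypass
    Assumption: no more than one channel of a parameter is bypassed at a time,
    which leaves the two-out-of-three system the text describes.
    """
    if set(trips) != set(CHANNELS):
        raise ValueError("need exactly one trip state for each of channels A-D")
    bypassed = frozenset(bypassed)
    if not bypassed <= set(CHANNELS) or len(bypassed) > 1:
        raise ValueError("at most one known channel may be bypassed")
    votes = sum(1 for ch in CHANNELS if trips[ch] and ch not in bypassed)
    return votes >= 2


def evaluate(readings, setpoint, rising=True, bypassed=frozenset()):
    """Run all four bistables, then the coincidence logic."""
    trips = {ch: bistable_trip(readings[ch], setpoint, rising) for ch in CHANNELS}
    return local_coincidence(trips, bypassed)


def check_single_failure_properties():
    """Exhaustively check what the spare fourth channel buys.

    For no bypass and for each single-channel bypass:
      * one spurious trip in a live channel never produces a reactor trip;
      * a real demand still trips when one live channel fails to trip.
    Returns the number of (bypass, faulted channel) cases examined.
    """
    cases = 0
    for byp in [frozenset()] + [frozenset({c}) for c in CHANNELS]:
        for faulted in (c for c in CHANNELS if c not in byp):
            spurious = {c: c == faulted for c in CHANNELS}
            assert not local_coincidence(spurious, byp)
            demand = {c: c != faulted for c in CHANNELS}   # faulted stays untripped
            assert local_coincidence(demand, byp)
            cases += 1
    return cases


# Constructed sample for a "low" trip; values and units are arbitrary.
SAMPLE_READINGS = {"A": 1750.0, "B": 1795.0, "C": 1850.0, "D": 1900.0}
SAMPLE_SETPOINT = 1800.0

if __name__ == "__main__":
    print("no bypass :", evaluate(SAMPLE_READINGS, SAMPLE_SETPOINT, rising=False))
    print("B bypassed:", evaluate(SAMPLE_READINGS, SAMPLE_SETPOINT, rising=False,
                                  bypassed={"B"}))
    print("cases checked:", check_single_failure_properties())
```

With channel B bypassed, only channel A still votes in the sample, so the coincidence is not met; the bypass removes a channel's vote rather than forcing it to the tripped state.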

The main control room (MCR) panels provide means to manually initiate engineered safeguards. The Remote Shutdown Panel (RSP) provides selected functions needed for safe shutdown and cooldown, as described in Section 7.4. Each PPS channel cabinet contains a manual transfer switch that enables the RSP or MCR for PPS channel functions that are common to both.

The Interface and Testing Processor (ITP), one per channel, consists of a data bus and three functional blocks: i.e., two gateway blocks and one test/bypass block, as shown in Figure 7.2-17. Gateway #1 interfaces to: the PPS Operators Module at the RSP; the Data Processing System, to provide selected PPS and CEAC channel status and test results information; and the CEAC, to retrieve status information. Gateway #2 interfaces to: the PPS Operators Module at the MCR; the Discrete Indication and Alarm System, to provide selected PPS and TLC channel status and test results information; the TLC, to retrieve status information; and the Power Control System, to retrieve status information. The test and bypass processor performs automatic on-line and manual testing of the PPC, processes the bypass logic and interfaces to the ITPs in other PPS channels via the data bus interfaces to the bistable processors and coincidence processors. A data bus bridge interfaces to the ESF-CCS.

7.2.1.1.1 Trips

7.2.1.1.1.1 Variable Overpower

The variable overpower trip is provided to trip the reactor when indicated neutron flux power either increases at a great enough rate, or reaches a preset value. The flux signal used is the average of the three linear subchannel flux signals originating in each nuclear instrument safety channel. The nominal trip setpoints are provided in Table 7.2-4.

Pre-trip alarms are initiated below the trip value to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.2 High Logarithmic Power Level

The high logarithmic power level trip is provided to trip the reactor when indicated neutron flux power reaches a preset value. The flux signal used is the logarithmic power signal originating in each nuclear instrument safety channel. The nominal setpoint is provided in Table 7.2-4.

The trip may be manually bypassed by the operator. This bypass point is provided in Table 7.2-1.

Pre-trip alarms are initiated below the trip value to provide audible and visible indication of approach to a trip condition. The trip bypass also bypasses the pre-trip alarms.

7.2.1.1.1.3 High Local Power Density

The high local power density trip is provided to trip the reactor when calculated core peak local power density reaches a preset value. The preset value is less than that value which would cause fuel centerline melting. The calculation of the peak local power density is performed by the Trip Logic Calculators (TLC) in the Core Protection Calculators (CPCs), which compensate the calculated peak local power density to account for the thermal capacity of the fuel. The calculation considers axial distribution, average power, and radial peaking factors (based on target CEA position) and CEAC penalty factors to calculate the current value of compensated peak local power density. A trip results if the compensated peak local power density reaches the preset value. The calculated trip assures a core peak local power density below the safety limit for peak linear heat rate (kW/ft). The nominal trip setpoint is given in Table 7.2-4. The effects of core burnup are considered in the determination of the local power density trip.

Pre-trip alarms are initiated below the trip value to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.4 Low Departure from Nucleate Boiling Ratio

The low Departure from Nucleate Boiling Ratio (DNBR) trip is provided to trip the reactor when the calculated DNBR approaches a preset value. The calculation of DNBR is performed by the TLCs based on core average power, reactor coolant pressure, reactor inlet temperature, reactor coolant flow, and the core power distribution. The calculations include allowances for sensor and processing time delays and inaccuracies such that a trip is generated within the TLCs before violation of the DNBR safety limit in the limiting coolant channel in the core occurs during Anticipated Operational Occurrences. The nominal trip setpoint is given in Table 7.2-4.

The low DNBR trip incorporates three auxiliary functions. First, a low pressurizer pressure floor, with the value given in Table 7.2-4; second, a combined low pressurizer pressure and low DNBR with the values given in Table 7.2-4; and third, a low pump speed with value given in Table 7.2-4. Under these conditions, a low DNBR trip will automatically occur.

Pre-trip alarms are initiated above the trip value to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.5 High Pressurizer Pressure

The high pressurizer pressure trip is provided to trip the reactor when measured pressurizer pressure reaches a high preset value. The nominal trip setpoint is provided in Table 7.2-4.

Pre-trip alarms are initiated below the trip setpoint to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.6 Low Pressurizer Pressure

The low pressurizer pressure trip is provided to trip the reactor when the measured pressurizer pressure falls to a low preset value. The nominal trip setpoint for normal operation is provided in Table 7.2-4. At pressures below the normal operating range, this setpoint can be manually decreased to a fixed increment below the existing pressurizer pressure down to a minimum value. The incremental and minimum values are given in Table 7.2-4. This ensures the capability of a trip when required during plant cooldown.

The trip may be manually bypassed by the operator. This bypass point is provided in Table 7.2-1. The bypass is automatically removed as pressure is increased above a fixed value and the low pressure setpoint automatically increases, maintaining the fixed increment between the plant pressure and the setpoint. These values are shown in Table 7.2-4.

Pre-trip alarms are initiated above the trip setpoint to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.7 Low Steam Generator Water Level

A variable low steam generator water level trip is provided to trip the reactor when measured steam generator water level falls to a low calculated value. The low level setpoint is programmed such that as reactor power decreases, the level setpoint is decreased from the normal full power value down to a minimum preset low power value. Separate trips are provided from each steam generator. The nominal trip setpoint is provided in Table 7.2-4.

Pre-trip alarms are initiated above the trip setpoint to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.8 Low Steam Generator Pressure

The low steam generator pressure trip is provided to trip the reactor when the measured steam generator pressure falls to a low preset value. Separate trips are provided from each steam generator. The nominal trip setpoint during normal operation is provided in Table 7.2-4. At steam generator pressures below normal, the operator has the ability to manually decrease the setpoint to a fixed increment below existing system pressure. This is used during plant cooldown. During startup, this setpoint is automatically increased and remains at the fixed increment below generator pressure. This fixed increment is provided in Table 7.2-4.

Pre-trip alarms are initiated to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.9 High Containment Pressure

The high containment pressure trip is provided to trip the reactor when measured containment pressure reaches a high preset value. The nominal trip setpoint is provided in Table 7.2-4. The trip is provided as additional design conservatism (i.e., additional means of providing a reactor trip).

The high containment pressure trip setpoint is selected in conjunction with the high-high containment pressure setpoint to prevent exceeding the containment design pressure during a design basis LOCA or main steam line break accident.

Pre-trip alarms are initiated to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.10 High Steam Generator Water Level

A high steam generator water level trip is provided to trip the reactor when measured steam generator water level rises to a high preset value. Separate trips are provided from each steam generator. The nominal trip setpoint is provided in Table 7.2-4.

Pre-trip alarms are initiated to provide audible and visible indication of approach to a trip condition.

7.2.1.1.1.11 Manual Trip

A manual reactor trip is provided to permit the operator to trip the reactor. Actuation of two adjacent switches in the main control room or remote shutdown room will cause interruption of the AC power to the CEDMs. In the main control room, two independent sets of trip pushbuttons are provided, either one of which will cause a reactor trip. There are also manual reactor trip switches at the reactor trip switchgear.

The remote manual initiation portion of the Reactor Trip System is designed as an input to the RTSS. This design is consistent with the recommendations of NRC Regulatory Guide 1.62. The amount of equipment common to both automatic and manual initiation is kept to a minimum. Once initiated, the manual trip will go to completion as required in Section 4.16 of IEEE Standard 279-1971.

7.2.1.1.1.12 Low Reactor Coolant Flow

The low reactor coolant flow trip is provided to trip the reactor when the pressure differential across the primary side of either steam generator decreases below a rate limited variable setpoint, as shown in Figure 7.2-3. A separate trip is provided for each steam generator. This function is used to provide a reactor trip for a reactor coolant pump sheared shaft event. Pre-trip alarms are provided.

7.2.1.1.2 Initiating Circuits

7.2.1.1.2.1 Process Measurements

Various pressures, levels, and temperatures are continuously monitored to provide signals to the RPS trip bistable processors. These process protective parameters are measured with four independent process instrument channels. A detailed listing of the parameters measured is contained in Table 7.2-3.

A typical protective channel, as shown in Figure 7.2-4, consists of a sensor/transmitter, loop power supply, current loop resistors, and fiber-optic transmitter outputs to the process control systems. Main control room and RSP displays are provided from Data Processing System (DPS), and Discrete Indication and Alarm System (DIAS) via the PPS.

The piping, wiring, and components of each channel are physically separated from that of other like protective channels to provide independence. The output of each transmitter is an ungrounded current loop. Exceptions are:

  • Nuclear instruments.
  • Reactor coolant pump speed sensors which provide a pulsed voltage signal.

Signal isolation is provided for DIAS, DPS, and process control system inputs via fiber-optic cables. Each redundant channel is powered from a separate vital AC bus.

7.2.1.1.2.2 CEA Position Measurements

CEA positions are monitored by two diverse means. This monitoring is used for display of CEA position to the operator and to initiate alarms and control actions to prevent CEA misalignments. CEA misalignments are factored into the TLC calculation of DNBR and LPD to reduce the margins to trip.

7.2.1.1.2.2.1 CEA Position Monitoring by the RPS

The position of each CEA is an input to the RPS. These positions are measured by means of two reed switch assemblies on each CEA.

Each reed switch assembly consists of a series of magnetically actuated reed switches spaced at intervals along the CEA housing and wired with precision resistors in a voltage divider network (see Figure 7.2-5). A magnet attached to the CEA extension shaft actuates the adjacent reed switches, causing voltages proportional to position to be transmitted for each assembly. The two assemblies and wiring are physically and electrically separated from each other (see Figure 7.2-6).

The CEAs are arranged into groups that are moved in response to operator or control system demand. Within each group the CEAs are divided into subgroups that are symmetric about the core centerline. CEAs within a subgroup are designed to move simultaneously and should always indicate the same CEA group position.

Each TLC channel monitors the position of one "target" CEA in each subgroup via the reed switch position signal. The "target" CEA represents a measure of subgroup CEA position.

To make each TLC channel aware of position deviations of CEAs within a subgroup, all CEA positions are monitored by the CEA Calculators. One set of the redundant reed switch signals for all CEAs is monitored by one CEA Calculator, and the other set of signals by the redundant CEA Calculator. Each CEA Calculator monitors the position of all CEAs within each control subgroup. Should a CEA deviate from its subgroup position, the CEA Calculators will monitor the event, activate alarms via DPS and DIAS, and transmit appropriate "penalty" factors to the TLCs. Within the TLCs, the penalty factors result in the initiation of control actions to mitigate the event and, if still needed, a reduction in margins-to-trip for low DNBR and high local power density. This assures conservative operation of the RPS. The control and protection actions for single CEA deviation events are described in more detail below.

The CEA Calculators provide the position of each regulating, shutdown and part-strength CEA via the CPC operator's module, and DPS displays in the main control room. Optical isolation is utilized at each CEA Calculator for these outputs. The detailed signal paths of CEA position information within the RPS are shown in Figure 7.2-7.

7.2.1.1.2.2.2 Control and Protective Actions for CEA Misalignments

To avert unwarranted reactor trips due to single CEA deviation events, the control and protection systems have design features to minimize the probability of these events occurring. In addition, the RPS will initiate protective actions for those events that cannot be precluded and which have not been successfully terminated by the control systems.

  • CEDMCS

    The Control Element Drive Mechanism Control System (CEDMCS) monitors the mechanical actions of the Control Element Drive Mechanism for each CEA to provide continuous closed loop control of the drive mechanism. If, during control group motion, a mechanism fails to move its CEA, the CEDMCS will block further movement of the remainder of the control group to prevent CEA deviations from occurring.

    In addition, the CEDMCS continuously determines CEA position based on counting the number of inward and outward mechanical actions of the CEDM latch mechanism. If a position deviation is detected among CEAs in a control group, a CEA Motion Inhibit (CMI) is generated.

    The CEDMCS also monitors the dropped rod contact (DRC) of the reed switch position transmitter (RSPT). If a rod drop occurs for a 12-finger CEA, the CEDMCS will initiate a reactor power cutback. The reduced power is sufficient to avert a condition requiring protective action. This is further explained below.

    The CEDMCS CEA Withdrawal Prohibit (CWP) two-out-of-four logic utilizes three signals from each TLC to generate a CEA withdrawal prohibit signal. The TLC signals are Hi Pressurizer Pressure CWP, DNBR CWP and LPD CWP generated at pre-trip conditions of Hi Pressurizer Pressure, DNBR and LPD respectively.

  • Reactor Protection System

    Due to the differences in required control and protective actions for insertion and withdrawal deviations, each event is explained separately below.

    1. Insertion Deviations

    The TLCs use the most conservative insertion deviation penalty factors from the two CEACs to initially generate a CEA Motion Inhibit. This CMI initiation is effectively a one-out-of-two logic function performed in each TLC channel. All four TLC channels generate a CMI signal which is interfaced to the CEDMCS to block rod motion and thereby prevent further CEA deviations. The CEDMCS executes the rod block on coincidence of two-out-of-four CMI signals from the TLCs.

    While the CMI logic is being executed, the TLCs also apply the most conservative insertion penalty factor to the DNBR and LPD calculations. If the calculations result in a pre-trip condition, each TLC will generate a Reactor Power Cutback (RPC) signal. The RPC demand signals are sent to the CEDMCS which actuates gravity insertion of CEAs (i.e., Reactor Power Cutback) using a two-out-of-four actuation logic.

    The reduction in reactor power will be sufficient to prevent a DNBR or LPD trip. However, regardless of this control action, the TLCs continue to use the most conservative insertion penalty factor in the DNBR and LPD trip algorithms. If the Reactor Power Cutback is not successfully executed or does not result in sufficient thermal margin, a DNBR and/or LPD trip will be generated.

    If a CEAC is out of service, the TLCs will use the available CEAC penalty factors to generate the CMI, RPC and reactor trip signals. To relax technical specification limitations during this mode of operation, the CEDMCS also initiates CMI and Reactor Power Cutback signals. This was described in Paragraph A above.

    2. Withdrawal Deviations

    A CMI is generated by the integrated actions of the CEACs, TLCs and CEDMCS for withdrawal deviations in the same manner as for insertion deviations described in paragraph 1 above. The CEDMCS also prevents withdrawal deviations through its own CEA position monitoring, group motion interlocks and self-generated CMI, as described in A above. These four levels of single CEA deviation prevention, coupled with the inherent low probability of the event (i.e., these events are rare in C-E plants) and analysis that shows acceptable effects of the event (see Chapter 15), have resulted in the reclassification of single CEA withdrawals from Anticipated Operational Occurrences to Accidents. Therefore, there is no need for the TLCs to initiate protective action for single CEA withdrawal deviation events. It is noted that this reclassification also encompasses a group insertion with a single stuck CEA.

    3. CEA Calculator Failures

    The Core Protection Calculator subsystem consists of four Trip Logic Calculators (TLCs) and two Control Element Assembly Calculators (CEACs). Each CEAC monitors all the CEA positions and calculates subgroup deviation penalty factors for different CEA configurations. The penalty factors are sent from each CEAC to all TLCs via serial data links. Any communication failure leading to all zeros (0) or ones (1) represents an invalid penalty factor and by design will be interpreted by the TLC as a CEAC failure.
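
The link validation in this item, together with the parity check and penalty factor selection rules in the paragraph that follows, sketched in Python as an added example (it is not code from the DCD or from ABB-CE). The 16-bit word with even parity, the integer scaling of the penalty factor, the reading of "more conservative" as the larger value, holding the last applied factor during the time delay, and all names and constants are assumptions made for the illustration.

```python
# Added illustration, not from the DCD: TLC handling of CEAC penalty factor words.
# Assumed framing: 16-bit word = 1 parity bit (even parity) + 15-bit payload.
from dataclasses import dataclass

PAYLOAD_MASK = 0x7FFF
ALL_ONES = 0xFFFF
NO_PENALTY = 1000      # assumed scaling: 1000 means a penalty factor of 1.000
PF_MAX = 0x7FFE        # assumed "maximum possible penalty factor" payload


def parity_ok(word):
    """Even parity over the whole word."""
    return bin(word).count("1") % 2 == 0


def encode_word(pf):
    """Build a link word for a payload (used here only to construct test data)."""
    if not 0 < pf <= PF_MAX:
        raise ValueError("payload out of range")
    return ((bin(pf).count("1") % 2) << 15) | pf


def decode_word(word):
    """Return the payload, or None when the word must be treated as a CEAC failure.

    The stuck patterns are rejected explicitly: with even parity over 16 bits,
    both 0x0000 and 0xFFFF carry valid parity, so the parity check alone would
    accept them.
    """
    if word is None or word in (0, ALL_ONES) or not parity_ok(word):
        return None
    return word & PAYLOAD_MASK


@dataclass
class TLCPenaltySelector:
    delay_cycles: int = 2              # assumed length of the short time delay
    last_applied: int = NO_PENALTY
    both_failed_cycles: int = 0

    def step(self, word1, word2):
        """One TLC cycle: returns (applied penalty payload, sorted alarm tuple)."""
        pf1, pf2 = decode_word(word1), decode_word(word2)
        alarms = set()
        if pf1 is None:
            alarms.add("CEAC1 FAIL")
        if pf2 is None:
            alarms.add("CEAC2 FAIL")
        if pf1 is not None and pf2 is not None:
            if pf1 != pf2:
                alarms.add("CEAC DEVIATION")   # the two CEACs disagree
            applied = max(pf1, pf2)            # more conservative of the two
            self.both_failed_cycles = 0
        elif pf1 is not None or pf2 is not None:
            applied = pf1 if pf1 is not None else pf2   # one remaining CEAC
            self.both_failed_cycles = 0
        else:
            self.both_failed_cycles += 1
            expired = self.both_failed_cycles > self.delay_cycles
            applied = PF_MAX if expired else self.last_applied
        self.last_applied = applied
        return applied, tuple(sorted(alarms))


def run_constructed_trace():
    """Constructed sequence of link words: healthy, deviating, then failing."""
    sel = TLCPenaltySelector(delay_cycles=2)
    corrupted = encode_word(1250) ^ 0x0004      # single bit flip, parity error
    words = [
        (encode_word(1000), encode_word(1000)),
        (encode_word(1000), encode_word(1250)),
        (0x0000, encode_word(1250)),            # CEAC 1 link stuck at zeros
        (corrupted, ALL_ONES),                  # both links now invalid
        (None, None),
        (None, None),
    ]
    return [sel.step(w1, w2) for w1, w2 in words]


if __name__ == "__main__":
    for applied, alarms in run_constructed_trace():
        print(applied, alarms)
```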

    In addition, there is a parity check on each TLC/CEAC data link as part of the signal validation which is also used to detect a CEAC failure.

    When the TLC determines that both CEACs are operable, the TLC applies the more conservative penalty factors from the two redundant CEACs in the local power density and DNBR calculation. If the TLC detects a failed CEAC, it alarms the condition and applies the penalty factors from the one remaining CEAC. If the TLC detects the remaining CEAC to also have failed, it applies the maximum possible penalty factor after a short time delay (discussed below). This penalty factor will result in a reactor trip under all operating conditions (with the exception of some extremely low power configurations). Each TLC will also alarm if the penalty factors from the two CEACs are different.

    Operators can remove deviating or failed CEACs from service. Restricted operation may continue under Technical Specification LCO with one or two CEACs failed or out of service. The time delay identified above is intended to allow the plant to reach the LCO prior to the trip occurring.

7.2.1.1.2.3 Ex-core Neutron Flux Measurements

The ex-core nuclear instrumentation includes neutron detectors located around the reactor core, and signal conditioning equipment located within the containment and the auxiliary building. Neutron flux is monitored from source levels through full power operation, and signal outputs are provided for reactor protection, control and information display. There are 4 channels of safety instrumentation (see Figure 7.2-8).

The four safety channels provide neutron flux information from near startup neutron flux levels to 200% of rated power covering a single range of approximately 2 x 10⁻⁷ to 200% power (9 decades).

Each safety channel consists of three fission chambers, a preamplifier and a signal conditioning drawer containing power supplies, a logarithmic amplifier (including combination counting and mean square variation techniques), linear amplifiers, test circuitry, and a rate-of-change of power circuit. These channels provide the RPS information for rate-of-change of power display, DNBR, local power density, and overpower protection.

The detector assembly provided for each safety channel consists of three identical fission chambers stacked vertically along the length of the reactor core. The use of multiple subchannel detectors in this arrangement permits the determination of axial power shape during power operation. The fission chambers are mounted in holder assemblies, which in turn are located in four dry instrument wells (thimbles) at or in the primary shield. The wells are spaced around the reactor vessel to provide optimum neutron flux information.

Four safety channel preamplifier/filter assemblies for the fission chambers are mounted outside the reactor containment building in the cable chase of the subsphere. Physical and electrical separation of the preamplifiers and cabling between redundant channels is provided.

7.2.1.1.2.4 Reactor Coolant Flow Measurements

The speed of each reactor coolant pump motor is measured to provide a basis for calculation of reactor coolant flow through each pump. The measurement of reactor coolant pump speed is accurate to within ±0.43% of the actual pump speed. Two metal discs, each with 44 uniformly spaced slots about its periphery, are scanned by proximity devices. The metal discs are attached to the pump motor shaft, one to the upper portion and one to the lower portion (see Figure 7.2-9). Each scanning device produces a voltage pulse signal. The pulse train that is input to the CPCs to calculate flow rate is based upon a variable number of pulses from the scanning device. The frequency of this pulse train is proportional to pump speed. Adequate separation between proximity devices is provided.

The mass flow rate is obtained using the pump speed inputs from the four reactor coolant pumps, the cold leg temperatures, and the hot leg temperatures. The volumetric flow rate through each reactor coolant pump is dependent upon the rotational speed of the pump and the pump head. This relationship is typically shown in pump characteristic curves. Flow changes resulting from changes in the loop flow resistances occur slowly (i.e., core crud buildup and increase in steam generator resistance). Calibration of the calculated mass flow rate will be performed periodically using instrumentation which is not part of the Reactor Coolant Pump Speed Sensing System.

Flow reductions associated with pump speed reductions are more rapid than those produced from loop flow resistance changes. Mass flow rate is calculated for each pump from the pump speed, the density of cold leg coolant and a correction term based on the hot leg temperature.

The mass flow rates calculated for each pump are summed to give a core mass flow rate. This flow rate is then used in the CPC DNBR and ΔT power algorithms.

The RCP speed is also transmitted from each CPC channel over isolated fiber-optic data links to the DPS where signal cross-channel validation is performed prior to use for display and use in the Core Operating Limit Supervisory System (COLSS).

The reactor coolant pump speed measurement system is designed, manufactured, tested, and installed to the identical design, quality assurance, and testing criteria as the remainder of the signal generation and processing equipment for signals utilized by the RPS.

7.2.1.1.2.5 Core Protection Calculators

Four independent Trip Logic Calculators (TLCs) are provided, one in each Core Protection Calculator (CPC) channel. Calculation of DNBR and local power density is performed in each TLC, utilizing the input signals described below.

The DNBR and local power density so calculated are compared with trip setpoints for initiation of a low DNBR trip (Section 7.2.1.1.1.4) and the high local power density trip (Section 7.2.1.1.1.3). A trip signal from a TLC in each channel is sent to the local coincidence processors in all four protective channels. The TLC also provides pre-trip output signals.

Two independent CEA Calculators are provided as part of the CPC to calculate individual CEA deviations from the position of the other CEAs in their subgroup. The software design of the CPCs and CEACs is described in detail in References 1 and 2 and References 4 through 8, and has been reviewed and approved by the NRC in References 7 through 13. The algorithms described and approved in these references are applicable to System 80+. The System 80+ software also includes new algorithms for the following functions:

1. A combined low pressure / low DNBR trip described in Section 7.2.1.1.1.4.
2. Control and protective actions for CEA deviation events described in Section 7.2.1.1.2.2.2.

(( References 14 and 15 described the procedure which must be followed to incorporate changes to the algorithms, data base constants and data block constants for the CPCs and CEACs. Any changes to these procedures will be conducted in accordance with Reference 16.))3

As shown in Figure 7.2-10, each TLC receives the following inputs:

  • Core inlet and outlet temperature.
  • Pressurizer pressure.
  • Reactor coolant pump speed.
  • Ex-core nuclear instrumentation flux power (each subchannel from the safety channel).
  • Selected CEA position.
  • Penalty factors for CEA deviations within a subgroup from the CEA Calculators.

Input signals are conditioned and processed. The following calculations are performed in the TLC or the CEA Calculators:

  • CEA deviations.
  • Correction factor for excore flux power for shape annealing and CEA shadowing.
  • Reactor coolant flowrate from reactor coolant pump speeds and temperatures and DNBR penalty for pump speeds less than a setpoint.
  • ΔT power from reactor coolant temperatures, pressure, and flow information.
  • Ex-core flux power:

Ex-core flux power signals are summed and corrected for CEA shadowing, shape annealing, and cold leg temperature shadowing. This corrected flux power is periodically calibrated to the actual core power measured independently of the Reactor Protection System. This calibration does not modify the inherent fast time response of the ex-core signals to power transients.

COL information item: see DCD Introduction Section 3.2.

  • Axial power distribution from the corrected ex-core flux power signals.
  • Fuel rod and coolant channel planar radial peaking factors, selection of predetermined coefficients based on CEA positions.
  • DNBR.
  • Comparison of DNBR with a fixed trip setpoint.
  • Local power density.
  • Comparison of local power density with a fixed trip setpoint.
  • CEA deviation alarm.
  • Calculation of cold leg temperature difference for asymmetric steam generator transient trip determination.

Outputs of each TLC are:

  • DNBR trip and pre-trip.
  • DNBR margin (to DIAS and DPS for control board indication).
  • Local power density trip and pre-trip.
  • Local power density margin (to DIAS and DPS for control board indication).
  • Calibrated neutron flux power (to DIAS and DPS for control board indication).
  • High pressurizer pressure pre-trip to CEDM Control System CWP logic.
  • CEA inward deviation cutback demand to Reactor Power Cutback System.
  • CEA deviation motion inhibit to CEDM Control System.
  • RCP speeds and other TLC measurement channel parameters to Data Processing System.
  • RPC Demand Signal to RPCS logic.
  • CMI Signal to CEDM Control System CMI logic.

Each calculator is mounted in cabinets located in separate channelized equipment rooms with an operator's display and control module located in the main control room. From the four modules an operator can monitor all calculators, including specific inputs or calculated functions. Changes to CPC constants by the operator are controlled by administrative procedures.

7.2.1.1.2.6 Bistable Trip Generation

The bistable processors compare input signals from the process measurement instrumentation to either fixed or variable setpoints. The PLC design Bistable Processors (two per channel) initiate a channel trip whenever any monitored parameter exceeds the trip setpoint. Each bistable processor is assigned process measurements for comparison based on a transient versus mitigating process analysis. When two process measurements are available for mitigating a transient, they are assigned to different bistable processors. Refer to Table 7.2-4 for identification of trip parameters vs. type setpoints.

The trip outputs of the bistable processors are sent to the local coincidence processors. Each bistable processor trip output in each channel is input to each of the four protective channels (Figure 7.2-11). A pre-trip output is also provided as part of the bistable logic.

In addition to the trip and pre-trip functions, the bistable processors contain test logic. The test logic allows testing of the following bistable information:

1. Analog input
2. Trip setpoint
3. Pre-trip setpoint
4. Status information (pre-trip, trip, operating bypass).

7.2.1.1.2.6.1 Bistable Processor Hardware

The bistable processor design integrates various system components, features, and functions into a microprocessor based unit. Each bistable processor communicates hardwired trip output signals to the associated coincidence processor. Isolated fiber optic links transfer the trip states to coincidence processors in other channels.

The analog input signals are directed to analog input modules within the PLC in the bistable processor, where A/D conversion is performed. Analog input modules include self-test and auto calibration features to eliminate the need for periodic calibration of inputs. Automatic calibration of each bistable input is performed against a precision reference voltage source contained in each module. This reference voltage source requires calibration on an annual basis. Drift between calibrations is detected via cross channel comparison. Common mode drift is detected within the DPS via comparison of validated values from diverse systems.

Digitized analog values are automatically reported to the CPU in the bistable processor during each PLC scan cycle. Within the CPU a comparator algorithm determines the pretrip and trip output states. Each output state is determined by comparing the digitized process value from the analog-digital (A/D) converter to the setpoint (pretrip and trip) from the setpoint algorithm.

7.2.1.1.2.6.2 Bistable Processor Software

PPS bistable software is deterministic (i.e., repetitive and non-interrupt driven) to ensure predictable system performance and response under all conditions.

Software is divided into two major categories: operating system software and application software. Operating system software consists of the PLC processor operating system, I/O handling, communications handling and equipment self-test software. Application software is the implementation specific code that is developed during the PPS design process.

Operating system software code resides in non-volatile memory within the PLC processors. This code is written by the PLC manufacturer. Qualification is accomplished by a combination of vendor audits in accordance with the Commercial Grade Dedication Program and validation is achieved through extensive testing for the intended application in accordance with the Nuplex 80+ Software Program Manual. After qualification testing, configuration controls are maintained for operating system software in accordance with the Configuration Management Plan which is included in the Software Program Manual.

Application software code resides in the PLC processors' non-volatile memory and is separate from the operating system. This code is written using PLC relay ladder logic language. The individual application software functions are developed as separate software modules. The software modules are divided into the following subdivisions:

  - Trip Initiation Functions
  - Automatic Test Functions
  - Status Reporting Functions

Independent review is performed for each software module to determine that functional requirements are met. Software module operation is then validated by extensive and thorough testing. Software modules are then integrated and the independent review process and test process are repeated for integrated system operations. This process is in accordance with the Software Program Manual.

7.2.1.1.2.6.3 Bistable Logic Functions

The following types of functions are performed by the bistable processors:

  • Bistable with Fixed Setpoint

For those bistables whose setpoint is fixed (i.e., digital), the setpoint can be changed at the PPS. Access to change the setpoint is controlled by administrative procedures. All of the fixed setpoints are monitored by the automatic test network.

  • Bistable with Variable Setpoint

Variable setpoints are provided for some bistables to permit safe and orderly plant startup and shutdown. Three types of variable setpoints, described below, are utilized:

1. Variable Setpoint with Manual Reset

This type of variable setpoint is a function of the input signal to the bistable. The design permits manually initiated automatic decrementing of the setpoint. Decrementing of the setpoint may be initiated at the PPS operator's modules or remote shutdown panel. When decremented, the setpoint resets itself to a fixed value below the actual input signal which exists at that time. By continuing to reset each time the pre-trip setpoint is reached the plant can be shut down without causing any unnecessary protective actions. If the input signal rises above the point at which it was last reset, the variable setpoint logic will cause the setpoint to automatically rise to maintain a fixed value between the input signal and setpoint. If the input parameter falls, the setpoint will hold and the operator must again reset the setpoint to permit tracking. Figure 7.2-15 illustrates typical operation of a variable setpoint. Each variable setpoint contains a timer which allows a reset to be initiated only after some predetermined time interval has elapsed since the last reset. The design also includes the capability of fixed upper and lower limits. The design also provides a pre-trip variable setpoint which is always related to the trip setpoint by a fixed value. The actual value of the setpoint is available and may be displayed at the PPS cabinet or remotely via the DPS and operator's module in the control room. Separate reset pushbuttons are provided for each protection channel.

2. Variable Setpoint with Automatic Rate Limiting

This type of variable setpoint permits automatic incrementing and decrementing of the setpoint based upon the action of the bistable input variable. (See Figure 7.2-3.) The design attempts to maintain a fixed differential between the bistable input and the setpoint. The design includes the ability to adjust the rate at which the setpoint is allowed to change. If the input signal is changing at a rate greater than the rate at which the setpoint can change, the differential between the two values eventually becomes zero, creating a condition such that the bistable trips. When the bistable trip occurs, it prevents the setpoint from changing until the bistable trip clears. The design includes the capability of having fixed upper and lower limits.

Two forms of the rate limited setpoint are utilized in the system. The first form provides a setpoint which is higher than the input signal; as such it provides protection for signals that should not increase at too rapid a rate. The second form provides a setpoint which is lower than the input signal; as such it provides protection for signals that should not decrease at too rapid a rate. Figure 7.2-3 illustrates typical operation of this type of variable setpoint. The design also provides a variable pre-trip setpoint which is always related to the trip setpoint by a fixed value. The actual value of the setpoint is available and may be displayed at the PPS cabinet or remotely in the control room via the DPS and PPS operator's module.

3. Variable Setpoint with Diverse Trip Parameter

This type of variable setpoint is a function of a parameter that is different than the bistable trip input. The variable setpoint is preprogrammed as a function of the different parameter. The design includes the capability of having fixed upper and lower limits.

The design also provides a variable pre-trip setpoint which is always related to the trip setpoint by a fixed value.

The actual value of the setpoint is available and may be displayed at the PPS cabinet or remotely in the control room via the DPS and PPS operator's module.
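The rate-limited variable setpoint (type 2 above) is sketched below in Python as an added illustration; it is not the PPS ladder logic. The class and parameter names and the sample values are assumptions, as is applying the rate limit in both directions, which the text does not specify.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RateLimitedBistable:
    """Bistable with a rate-limited variable setpoint, evaluated once per scan.

    Hypothetical model: names and units are illustrative, not from the DCD.
    """
    differential: float      # margin the setpoint tries to hold from the input
    max_step: float          # largest setpoint change allowed per scan
    lower_limit: float       # fixed lower limit on the setpoint
    upper_limit: float       # fixed upper limit on the setpoint
    pretrip_offset: float    # pre-trip setpoint = trip setpoint -/+ this value
    high_side: bool = True   # True: setpoint above input (guards fast rise)
    setpoint: Optional[float] = None
    tripped: bool = False

    def _clamp(self, x: float) -> float:
        return max(self.lower_limit, min(self.upper_limit, x))

    def scan(self, value: float) -> Tuple[bool, bool]:
        """Compare the input with the current setpoint, then move the setpoint."""
        sign = 1.0 if self.high_side else -1.0
        if self.setpoint is None:                      # first scan: initialise
            self.setpoint = self._clamp(value + sign * self.differential)
        margin = sign * (self.setpoint - value)        # distance left to trip
        self.tripped = margin <= 0.0                   # differential used up
        pretrip = margin <= self.pretrip_offset        # fixed offset from trip
        if not self.tripped:                           # frozen while tripped
            target = self._clamp(value + sign * self.differential)
            step = max(-self.max_step,
                       min(self.max_step, target - self.setpoint))
            self.setpoint += step
        return self.tripped, pretrip


def run(bistable: RateLimitedBistable,
        samples: List[float]) -> List[Tuple[bool, bool, float]]:
    """Feed samples through the bistable; return (trip, pre-trip, setpoint)."""
    out = []
    for v in samples:
        tripped, pretrip = bistable.scan(v)
        out.append((tripped, pretrip, bistable.setpoint))
    return out


# Constructed sample inputs (arbitrary units, one value per scan).
SLOW_RISE = [100.0, 100.5, 101.0, 101.5, 102.0]         # slower than max_step
FAST_RISE = [100.0, 103.0, 106.0, 109.0, 104.0, 104.0]  # faster, then recovers
FAST_FALL = [100.0, 97.0, 94.0]                         # for the low-side form

if __name__ == "__main__":
    for name, data, high in (("slow rise", SLOW_RISE, True),
                             ("fast rise", FAST_RISE, True),
                             ("fast fall", FAST_FALL, False)):
        b = RateLimitedBistable(5.0, 1.0, 0.0, 120.0, 2.0, high_side=high)
        print(name, run(b, data))
```

In the fast-rise case the setpoint stays frozen for as long as the trip is present and resumes tracking only after the input falls back below it.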

7.2.1.1.3 Logic

  • Local Coincidence Logic

There is one Local Coincidence Logic (LCL) associated with each trip bistable logic of each channel. Each local coincidence logic receives four trip signals, one from its associated bistable logic in the channel and one from each of the equivalent bistable logic located in the other three channels (Figure 7.2-12). The local coincidence logic also receives the trip channel bypass status associated with each of the above mentioned bistables (Figure 7.2-13 illustrates distribution of a typical bypass). The function of the local coincidence logic is to generate a coincidence signal whenever two or more like bistables are in a tripped condition. The LCL takes into consideration the trip bypass input state when determining the coincidence logic's state. Designating the protective channels as A, B, C, D, with no trip bypass present, the local coincidence logic will produce a coincidence signal for any of the following trip inputs: AB, AC, AD, BC, BD, CD, ABC, ABD, ACD, BCD, ABCD. These represent all possible two-or-more-out-of-four trip combinations of the four protective channels. Should a trip bypass be present, the logic will provide a coincidence signal when two or more of the three unbypassed bistables are in a tripped condition.

On a system basis, a coincidence signal is generated in all four protective channels whenever a coincidence of two or more like bistables of the four channels are in a tripped state.

In addition to a coincidence signal, each LCL also provides bypass status outputs. The bypass status is provided to verify that a bypass has actually been entered into the logic either locally or remotely via the operator's module. The bypass status is available for display at the local and remote operators modules and DPS.

  • Initiation Circuit

There is an initiation circuit in each channel for each PPS protective function (e.g., initiation of reactor trip, containment isolation, etc.). For the Reactor Protective System, the initiation logic consists of an "OR" circuit (i.e., a coincidence of high log power or low pressurizer pressure or etc., will result in an initiation signal). For ESFAS's the initiation logic also consists of "OR" circuits.

The inputs to the initiation logic are the LCL outputs from the appropriate local coincidence logics. The initiation circuits also contain a time delay (TD). The TD functions as a noise and/or transient filter. It accomplishes this filter action by monitoring the continuous presence of an input for a minimum period of time. If the signal is present for the required time, the signal is transmitted to the initiation relay. Test capability is also provided.

If an initiation circuit fails it will fail-safe (i.e., in a trip condition). This will result in a partial trip (1 of 4) in the selective 2-out-of-4 ESFAS actuation logic or reactor trip breaker arrangement.
The partial trip will be alarmed the same as a full ESF trip and actuation and indicated by the DIAS and DPS; the partial trip cannot be bypassed. If the initiation circuit fails in an undesired condition the failure will be promptly detected and alarmed via the automatic test function. Since the actuation functions in the RSTG and ESF-CCS work in a selective coincidence logic, this is considered a degraded condition and a technical specification LCO will apply.

Figure 7.2-14 illustrates the initiation logic applied to the RPS function. There are separate "OR" circuits for undervoltage and shunt trip initiation.

7.2.1.1.4 Actuated Devices

The final actuation logic for the Reactor Protection System is in the power path to the Control Element Drive Mechanism Control System and is called the Reactor Trip Switchgear System (RTSS). As illustrated in Figure 7.2-12, the initiation relays interface with the shunt trip and undervoltage devices to trip the circuit breakers that make up the Reactor Trip Switchgear System. To completely remove power from the output circuits requires a minimum of two initiation relays (in opposite legs of the circuit) opening their associated circuit breakers.

Power input to the RTSS comes from two full-capacity motor-generator sets, so that the loss of either set does not cause a release of the CEAs. Each line passes through two trip circuit breakers (each actuated by a separate initiation circuit) in series so that, although both sides of the branch lines must be deenergized to release the CEAs, there are two separate means of interrupting each side of the line. Upon removal of power to the CEDM power supplies, the CEAs fall into the reactor core by gravity.

Two pairs of manual trip switches are provided in the MCR and an additional pair is provided in the RSR. Actuation of any pair will open the trip circuit breakers. As can be seen in Figure 7.2-12, both manual trip switches in a pair must be actuated to initiate a reactor trip. The manual trip completely bypasses the trip logic.

The trip switchgear is housed in separate cabinets from the RPS.
In addition to the trip circuit breakers, the cabinet also contains current monitoring devices for testing purposes and pushbuttons on each trip switchgear which allow for manual opening of the circuit breaker.

Multiple levels of tamper resistance are provided for the reactor trip circuit breakers. Each reactor trip switchgear cabinet is designed such that access to the internals of a reactor trip circuit breaker is not possible without racking out the breaker. Front and rear cabinet doors provide access to front and rear control panels, respectively, which prevent access to the reactor trip circuit breaker internals. A reactor trip circuit breaker must be racked out to gain access to its internals. A reactor trip circuit breaker cannot be racked out without causing the breaker to trip (open). This design precludes interference with the reactor trip function by attempts to jam the reactor trip circuit breaker. Additional levels of tamper resistance are provided by providing each switchgear cabinet door with a locking device and key, and by locating the cabinets in the Equipment Rooms, which is a secured area.

7.2.1.1.5 Bypasses

The design provides for two types of bypasses: operating bypasses and bistable trip channel bypasses as listed in Table 7.2-1. The status of any bypass is indicated at the PPS channel cabinet and PPS Remote Operators Module in the main control room. In addition, all operating bypasses and a summary of the bistable bypasses in each channel are made available for control room indication via the DIAS and DPS.

  • Operating Bypasses

Operating bypasses are provided to permit orderly startup and shutdown of the plant and to allow low power testing. The following operating bypasses are provided:

1. DNBR/LPD Trip Bypass

The DNBR and local power density bypass, which bypasses the low DNBR and high local power density trips from the TLC, is provided to allow system tests at low power when pressurizer pressure may be low or reactor coolant pumps may be off. The bypass may be manually initiated if power is below the bypass setpoint and is automatically removed when the power level increases above the bypass setpoint.
2. Low Pressurizer Pressure Bypass

The RPS/ESFAS pressurizer pressure bypass is provided for two conditions:

  • System tests at low pressure,
  • Heatup and cooldown with shutdown CEAs withdrawn.

The bypass may be manually initiated if pressurizer pressure is below the bypass setpoint.

3. High Logarithmic Power Level Bypass

The high logarithmic power level bypass is provided to allow the reactor to be brought to the power range during a reactor startup. The bypass may be manually initiated above the bypass setpoint and is automatically removed when power decreases below the bypass setpoint.

4. TLC DNBR CWP and LPD CWP Bypass

For each channel, an automatic bypass is provided for the DNBR CWP and LPD CWP signals to the CWP logic if the power level is less than IP percent full power. The high pressurizer pressure pre-trip to the CWP logic is unaffected by this bypass. Local indication of the nuclear instrument bistable used to generate the IP percent full power signal is provided on the log power channel nuclear instrument drawer.

5. TLC RPC Demand Bypass

For each channel, an automatic bypass is provided for the TLC RPC Demand signal if the power level is less than IP percent full power. Local indication of the nuclear instrument bistable used to generate the IP percent full power signal is provided on the log power channel nuclear instrument drawer.

6. TLC CMI Bypass For each channel, an automatic bypass is provided for the TLC CMI signal if the power level is less than 104 percent full power. Local indication of the nuclear instrument 4

bistable used to generate the 10 percent full power signal is provided on the log power channel nuclear instrument drawer.

  • Bistable Trip Channel Bypass

A bistable trip channel bypass prevents a bistable trip from contributing to the initiation of protective action. The bistable bypass converts the local coincidence logic to a two-out-of-three coincidence. (See Section 7.2.1.1.3.)

There are two methods of initiating a bistable bypass:

1. Individual bistable bypasses (i.e., trip channel bypass) located on each local and main control room PPS operators module for each bistable trip.

This method is used when removing a trip channel input from service for maintenance or manual testing. The trip bypass signal is distributed to the appropriate LCL's in the four redundant channels via its interface and test processor.

2. Four individual bistable bypasses (one for each channel) located on each local and main control room PPS operator's module, for each bistable trip.

This method is used when a complete channel becomes disabled (such as loss of vital bus) resulting in trips and no bypasses being sent to the LCL's in the remaining three channels. Each remaining channel's LCLs can be returned to a two-out-of-three condition for coincidence by the operator inserting trip bypasses for the disabled channel trips from its own panel. Administrative procedures ensure the trip bypassing in the three remaining channels is consistent.

Process sensors or transmitters can be bypassed using the trip channel bypass discussed above. If the sensor is used in more than one bistable function (i.e., high trip and low trip), each function must be bypassed to fully bypass that sensor. Like functions may be bypassed in only one channel at a time.

Fiber optic links transmitting bistable trip signals between channels cannot be bypassed directly. However, in theory a total data link can be bypassed by individually initiating trip channel bypasses for all functions in one channel (i.e., 16 trip functions). This can only be done if there are no trip channel bypasses in any other channel.

Initiation logic cannot be bypassed in any manner, in any channel.
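The local coincidence logic of Section 7.2.1.1.3, its trip channel bypass, and the "OR"-plus-time-delay initiation circuit can be modelled compactly. The Python below is an added illustration, not the PPS ladder logic; the class and function names, the function labels and the two-scan delay are assumptions.

```python
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Set

CHANNELS = ("A", "B", "C", "D")   # the four protective channels


class LocalCoincidenceLogic:
    """Two-out-of-four voter for one trip function, with one channel bypass."""

    def __init__(self, function: str):
        self.function = function
        self.bypassed: Optional[str] = None   # doubles as bypass status output

    def request_bypass(self, channel: str) -> bool:
        """Accept a bypass only if no other channel of this function holds one
        (like functions may be bypassed in only one channel at a time)."""
        if self.bypassed in (None, channel):
            self.bypassed = channel
            return True
        return False

    def remove_bypass(self, channel: str) -> None:
        if self.bypassed == channel:
            self.bypassed = None

    def coincidence(self, tripped: Iterable[str]) -> bool:
        """True when two or more unbypassed like bistables are tripped."""
        counted = {ch for ch in tripped
                   if ch in CHANNELS and ch != self.bypassed}
        return len(counted) >= 2


class InitiationCircuit:
    """OR of LCL outputs, then a time delay that filters short-lived inputs."""

    def __init__(self, lcls: List[LocalCoincidenceLogic], delay_scans: int):
        self.lcls = lcls
        self.delay_scans = delay_scans   # assumed value; the text gives none
        self._present = 0                # consecutive scans with an input

    def scan(self, trips: Dict[str, Set[str]]) -> bool:
        """trips maps a function label to the set of tripped channels."""
        demand = any(lcl.coincidence(trips.get(lcl.function, set()))
                     for lcl in self.lcls)
        self._present = self._present + 1 if demand else 0
        return self._present >= self.delay_scans


def coincidence_combinations(lcl: LocalCoincidenceLogic) -> List[str]:
    """Every trip combination of the four channels that yields a coincidence."""
    found = []
    for size in range(1, len(CHANNELS) + 1):
        for combo in combinations(CHANNELS, size):
            if lcl.coincidence(combo):
                found.append("".join(combo))
    return found


if __name__ == "__main__":
    lcl = LocalCoincidenceLogic("low_pressurizer_pressure")
    print("no bypass :", coincidence_combinations(lcl))
    print("bypass A accepted:", lcl.request_bypass("A"))
    print("bypass B accepted:", lcl.request_bypass("B"))
    print("A bypassed:", coincidence_combinations(lcl))

    circuit = InitiationCircuit(
        [LocalCoincidenceLogic("high_log_power"),
         LocalCoincidenceLogic("low_pressurizer_pressure")], delay_scans=2)
    # Constructed scan sequence: a one-scan spike, then a sustained trip.
    for trips in ({"high_log_power": {"B", "C"}}, {},
                  {"low_pressurizer_pressure": {"A", "D"}},
                  {"low_pressurizer_pressure": {"A", "D"}}):
        print(trips, "->", circuit.scan(trips))
```

With channel A bypassed, the combinations AB, AC and AD no longer produce a coincidence, which is the two-out-of-three behaviour on the remaining channels.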

7.2.1.1.6 Interlocks

The following interlocks are provided:

  • Bistable Trip Channel Bypass Interlock

The LCL trip channel bypass logic allows only one (first entered) of the four trip bypass inputs possible to affect coincidence generation. The coincidence logic becomes two-out-of-three for the remaining unbypassed bistable trips. Bypassing of a bistable associated with a particular parameter (e.g., high pressurizer pressure) does not place any restrictions on the bypassing of other bistables (e.g., low pressurizer pressure) or other bistables associated with other parameters.

  • Manual Bistable Test Interlock

The manual bistable test functions in the four redundant PPS cabinets are interlocked via the four trip channel bypasses, so that only one of the four may be selected for manual bistable testing at any one time.

  • Initiation Circuit Test Interlock

Testing of the initiation circuit is restricted to one redundant PPS cabinet at a time to prevent spurious safeguard actuation. This restriction is accomplished by an interlock which prevents test signals from being generated in more than one PPS cabinet at a time.

  • Nuclear Instrumentation Test

Placement of the linear calibration switch on the Nuclear Instrument (NI) drawer to other than "operate" will cause a channel variable overpower trip. Placement of the logarithmic calibration switch to other than "operate" will cause a channel high logarithmic power trip. In addition to these two trips, placing either of these calibration switches, or any other calibration switch on the NI drawer, to other than "operate" will cause a Power Trip Test interlock to generate a low DNBR, high LPD and steam generator low water level RPS bistable trips in that channel.

  • Trip Logic Calculator Test

The low DNBR and high local power density channel trips are interlocked such that they both must be bypassed to test a TLC channel.
7.2.1.1.7 Redundancy

Redundant features of the RPS include:

  • Four independent channels, from process sensor through and including channel trip bistables. The CEA position input is from two independent channels.
  • Four redundant sets of local coincidence logics; each set performs a full two-out-of-four trip function.
  • Four initiation circuits, including four control logic paths and four sets of two initiation relays (shunt trip and undervoltage).

  • Two pairs of manual trip pushbuttons with either pair being sufficient to cause a reactor trip.
  • AC power for the system from four separate vital instrument buses. DC power for the trip switchgear circuit breakers control logic is provided from four separate battery systems, as described in Chapter 8.

The result of the redundant features is a system that meets the single failure criterion, can be tested during reactor operation, and can be shifted to two-out-of-three coincidence logic until the next time the unit is in Mode 5 if necessary.

The benefit of a system that includes four independent and redundant channels is that the system can be operated, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet the single failure criterion. The only operating restriction while in this condition (effectively one-out-of-two logic) is that no provision is made to bypass another channel for periodic testing or maintenance. The system logic must be restored to at least a three operating channel condition prior to removing another channel for maintenance. (See Technical Specifications for the RPS.)

7.2.1.1.8 Diversity

The system is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them have been considered in the design to assure that a predictable common failure mode does not exist. The design provides reasonable assurance that:

  • The monitored variables provide adequate information during design basis events (design basis events are listed in Sections 7.2.2.1.1 and 7.2.2.1.2).
  • The equipment can perform as required.
  • The interactions of protective actions, control actions and the environmental changes that cause, or are caused by the design basis events do not prevent the mitigation of the consequences of the event.
  • The system will not be made inoperable by the inadvertent actions of operating and maintenance personnel.
  • There are alternate bistable trips available to provide the reactor trip function, should the initial trip function used in the safety analysis be disabled. This is accomplished by distributing the systems protective functions between two processors within each of the redundant PPS cabinets, such that a degree of functional diversity is achieved. As depicted on Figure 7.2-12 bistable trip and local coincidence logic functions are not implemented together in the same processors.

In addition, the bistable trip functions are further distributed between the bistable processors within a redundant PPS cabinet. The distribution assignment is based on a review of the safety analysis transients, such that when multiple trips are available to mitigate the transient, they are assigned between two separate bistable trip logic processors. This diversity improves the availability of the system to handle a transient.

  • Plant protection is augmented through the use of a separate and diverse Alternate Protection System as described in Section 7.7.1.1.11.


  • Both the RPS and Process-CCS, which includes the Alternate Protection System, utilize two different design types, thereby eliminating those hardware and software design common causes which may make them both inoperable.

To elaborate on this philosophy, Table 7.2-6 defines all critical safety functions and identifies the plant systems available to maintain those functions (i.e., success paths) and the I&C systems that control them.

It is noted that the availability of System 80+ non-safety systems is significantly improved when compared to previous licensed designs due to the addition of battery-backed power to all Nuplex 80+ control systems and the Alternate AC gas turbine generator to power the plant's non-safety mechanical systems.

Events can occur which would result in the non-safety systems being only partially effective. However, since these disabling events have a very low frequency of occurrence and a common mode protection system failure has a very low frequency of occurrence, the frequency of these occurring simultaneously is sufficiently low to be considered outside the design basis.

  • Miscalibration of redundant instrument channels and trip logic is minimized by not using a single unit to test all four redundant channels. Additionally, appropriate maintenance and test procedures are implemented by the site operator.
  • Incorrect operator actions which directly affect the ability of the RPS to function are precluded by designing the man machine interface such that two or more operator actions are required. For example, see the interlock logics and bypasses described in Sections 7.2.1.1.6 and 7.2.1.1.5.
  • Each RTSS circuit breaker has diverse methods of being automatically opened via the shunt trip and undervoltage trip devices.

In addition, the design is not encumbered with additional components or channels without reasonable assurance that such additions are beneficial.

7.2.1.1.9 Testing

Provisions are made to permit periodic testing of the complete RPS with the reactor operating at power or when shutdown. These tests cover the trip actions from sensor input through the protective system and the trip circuit breakers. The system test does not interfere with the protective function of the system. The testing system meets the criteria of IEEE Std. 338-1977, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems," and is consistent with the recommendations of NRC Regulatory Guide 1.22, "Periodic Testing of Protection System Actuator Functions."

Periodic testing consists of automatic testing and manual testing. The two methods complement each other and provide for complete testing of the protection system. There are areas of overlap between the two methods so that the entire RPS can be tested. The overlap test methods also permit each system to, in part, verify proper functioning of the other. See Figure 7.2-16.

Major portions of the Reactor Protective System are monitored and/or tested by the test network in the automatic mode. Those portions of the system which are not amenable to automatic testing because they involve actuation of electromechanical devices, involve rate/time or involve devices which are not within the PPS cabinets, can be tested manually. The automatic mode is capable of performing tests during reactor operation. The automatic testing does not degrade the ability of the RPS to perform its intended function.

The test network consists of channelized Interface and Test Processors (ITPs), their associated protection system interface circuits, and test prohibit circuits (the latter prevents malfunctions of the test system from interfering with the normal operation of the safety system). Overlap exists between the individual tests performed by the automatic test. The automatic test can test the protection system continuously. Operation of the automatic test may be verified locally at the PPS cabinet by requesting test results data. The status and a summary of the automatic testing results are available to the operator via the DIAS and DPS.

The monitoring and testing performed by the automatic test are described below. The monitoring tasks performed by the test processor are passive in nature; that is, no active test signals are applied to the protection system. The monitoring consists of reading into the ITPs all of the protection system data that is accessible to the test task. This data is then analyzed to determine if the protection system is operating properly. The analysis consists of:

  • Channel to channel comparison of input signals to detect any channel to channel signal discrepancies (e.g., variance between channels exceeds a predetermined limit). Similar checks are done in the DPS. This monitors sensor and transmitter operation and A/D conversion accuracy.
  • Setpoint checks to verify proper setpoint settings.
  • Status consistency checks (i.e., determining that an operating bypass, if initiated, is entered into all of the proper logic elements).

The RPS is qualified to ensure that the test software cannot impact RPS performance under valid trip conditions. The test system is designed to Class 1E requirements that include channel independence, seismic integrity and verification and validation. It is only demonstrated, however, that the test system will not impede RPS operation during design basis events. This approach is taken because historically, hardware supporting the RPS trip functions is considered Class 1E while hardware for RPS testing has not been considered Class 1E.

Periodic manual testing is used to confirm proper operation of the automatic test system for Nuplex 80+. The individual tests are described briefly below. Overlap between individual tests exists so that the entire RPS can be tested. Frequency of accomplishing these tests is listed in the Technical Specifications.

7.2.1.1.9.1 Sensor Check

During reactor operation, the measurement channels providing an input to the RPS are checked by comparing the outputs of similar channels and cross-checking with related measurements. The ITP provides sensor data to the DPS where a similar check is done. During extended shutdown periods or refueling, these measurement channels (where possible) are checked and calibrated against known standards.

7.2.1.1.9.2 Trip Bistable Tests

  • Automatic Bistable Testing

The automatic test performs several tests to insure that the bistable logic is operating properly. First, a status check is performed. The test task reads the input signal after it has been converted into digital form by the analog input circuit, and also reads the setpoints (trip and pre-trip). From these readings the test task makes a determination of what the status should be and compares it to the actual status of the bistable logic.

If a discrepancy exists, the test task annunciates a test failure and provides a message that describes the failure in more detail. If the bistable logic is not in a tripped state, testing is continued. By applying known test input signals, the test task can determine if the pre-trip and trip functions of the bistable logic are operating properly. To ensure that the test signal will not interfere with a valid trip signal which may be present, the bistable logic is designed to accept the signal which is closest to the trip setpoint in the trip direction. Thus, the bistable logic function can never be forced to the untripped state by the test task. Additionally, testing of the bistable logic will not produce a system initiation because:

1. The test task removes the test signal before the initiation circuit time delay can respond.
2. Any test input signal not removed by the automatic test will be removed by the timing logic built into the bistable trip logic. The actual measurement channel signal is not affected by this function; its input into the bistable is thus assured at all times.
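The following Python model is an added illustration, not part of the Design Control Document or of any vendor code. It shows the two properties described above: the bistable accepts whichever signal is closest to the trip setpoint in the trip direction, and a test signal left applied is dropped by timing logic. The status labels, the cycle-count timeout and all numeric values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


def expected_status(value, trip, pretrip, rising):
    """Status the test task derives from the input and setpoints it reads."""
    past = (lambda v, sp: v >= sp) if rising else (lambda v, sp: v <= sp)
    if past(value, trip):
        return "TRIP"
    if past(value, pretrip):
        return "PRETRIP"
    return "NORMAL"


@dataclass
class Bistable:
    trip_setpoint: float
    pretrip_setpoint: float
    rising: bool = True                 # True: trips on a rising signal
    process_input: float = 0.0          # measurement channel signal
    test_input: Optional[float] = None  # signal injected by the test task
    test_timeout: int = 3               # cycles allowed by timing logic (assumed)
    test_age: int = 0

    def apply_test(self, value):
        self.test_input, self.test_age = value, 0

    def remove_test(self):
        self.test_input = None

    def cycle(self):
        """One execution cycle: timing logic drops a test signal left applied."""
        if self.test_input is not None:
            self.test_age += 1
            if self.test_age >= self.test_timeout:
                self.test_input = None

    def effective_input(self):
        """Accept the signal closest to the trip setpoint in the trip direction."""
        if self.test_input is None:
            return self.process_input
        pick = max if self.rising else min
        return pick(self.process_input, self.test_input)

    def status(self):
        return expected_status(self.effective_input(), self.trip_setpoint,
                               self.pretrip_setpoint, self.rising)


def status_check(bistable, reported):
    """Passive check: compare a reported status with the one implied by readings."""
    want = expected_status(bistable.effective_input(), bistable.trip_setpoint,
                           bistable.pretrip_setpoint, bistable.rising)
    if reported == want:
        return None
    return f"bistable reports {reported}, readings imply {want}"


def active_test(bistable):
    """Apply known test inputs at each setpoint; skipped if already tripped."""
    if bistable.status() == "TRIP":
        return None
    seen = {}
    for name, level in (("pretrip", bistable.pretrip_setpoint),
                        ("trip", bistable.trip_setpoint)):
        bistable.apply_test(level)
        seen[name] = bistable.status()
        bistable.remove_test()          # removed before any initiation delay expires
    return seen
```

Because the selection is a maximum (rising trip) or minimum (falling trip) of the two signals, a test value on the safe side of the process input has no effect on the output.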

  • Manual Bistable Testing

Manual testing of the bistable logic functions can be performed to verify proper bistable logic functions not tested automatically.

The testing is accomplished by varying the input signal up to or down to the trip setpoint level on one bistable logic function at a time.

Varying the input signal is accomplished by the test function in the manual mode, via instructions entered at the maintenance and test panel. Testing is interlocked so that it can be used in only one channel at a time. The test signal is digitally displayed at the maintenance and test panel along with the bistable's trip status.

The interlock assures the manual bistable testing can only be used in one channel at a time. The interlock is satisfied when trip channel bypasses from the 4 protective channels for the selected bistable are true. This places the selected bistable LCLs in a two-out-of-three coincidence. Because a test signal can be less conservative than the process input applied during manual bistable testing, the bistable trip output is forced into a tripped state while the momentary trip test switch is active. Deactivating the switch or changing the trip channel bypass status will remove the test input voltage and forced trip.

  • Manual Testing of Variable Setpoint with Automatic Rate Limiting

Manual testing of bistables that utilize this type of setpoint verifies that:
1. The setpoint tracks the input signal both for increasing and decreasing signals.
2. For fixed input the setpoint is fixed and within the prescribed tolerance.
3. Maximum and minimum setpoint values if applicable are within the prescribed tolerances.
4. The setpoint no longer tracks once a bistable trip occurs but remains fixed until the signal returns to untripped levels.

  • Manual Testing of Variable Setpoint with Manual Reset

Testing of bistables using this variable setpoint circuitry is accomplished by use of both automatic and manual tests. Automatic testing is limited to a passive check. This check consists of determining if the setpoint is appropriate for a given input signal level (e.g., considering a bistable logic function that trips on a falling signal, the setpoint should not be more than a predetermined increment below the input signal level).

The ability of the variable setpoint circuitry to track the input signal can be verified by means of a manual test. From the maintenance and test panel the bistable input signal may be moved in any direction (i.e., toward the trip value or away from the trip value, whereas the automatic test system can only move the input signal level in the direction of a trip). Using this manual capability it is also possible to verify that a specific time interval must elapse between resets to the circuit. To test this, the setpoint is reset; the input is then manually changed. It is then verified that the manual reset has no effect upon the setpoint until the appropriate time interval has elapsed.

  • Manual Testing of Variable Setpoint with Diverse Trip Parameter

Testing of bistables using a diverse trip process for setpoint generation will be manually tested in two parts. The first part is done when the bistable is selected and tested for normal trip process input variations. Since the variable setpoint is not controlled during the first part, the second part will test the variable setpoint function when the trip process used for setpoint generation is varied. Bypassing of the bistable is required during both parts of the testing.

7.2.1.1.9.3 Core Protection Calculator Tests

The operation and calculations of the Trip Logic Calculators (TLCs) in the Core Protection Calculators (CPCs) are tested at three overlapping levels. The first level makes use of operator's modules to make redundant channel comparisons. This testing verifies the proper operation of the sensors and data acquisition portion of the TLC.

The second level is performed with the TLC off line. An interlock is provided to ensure that this testing is done on only one channel at a time. See Section 7.2.1.1.6E. Testing consists of loading test data from a disk into the TLC to test the program/calculations. During the period that the TLC is off line, trip signals are sent from the TLC to the PPS.

The third level of testing takes place with the TLC on line. With the TLC on line and bistable bypasses present for high LPD and low DNBR, nuclear power is increased at the nuclear instrument until trip signals are generated by the calculator. Presence of the trip signals is verified at the PPS.

7.2.1.1.9.4 Local Coincidence Logic Testing

Testing of the local coincidence logic is done by the automatic test. One of the tests performed by the automatic test is a status check. It does so by reading the status of the inputs to the logic (trips and bypasses). Based upon those inputs, the test task determines what the outputs (coincidence signal and bypass status) should be. If there is a discrepancy between the actual outputs and the determined outputs, the test task annunciates a test failure and provides a message that describes the failure in more detail.

If there is no discrepancy and conditions are such that the local coincidence logic is not generating a coincidence signal, testing of the logic continues. The additional testing that is done is dependent upon the status of those inputs over which the test task has no control (bistable bypasses, operating bypasses, and bistable trips due to the signal inputs). Based upon the known inputs, the test system will generate all bistable trip combinations that are within its control, recalling that a tripped bistable cannot be forced to the untripped condition by the test task. The outputs of the local coincidence logic are then monitored for correctness. All possible combinations of bistable trips are generated.

7.2.1.1.9.5 RPS Initiation Logic Testing

The initiation logic, which consists of an "OR" logic, is tested at the same time the local coincidence logic is tested (see Figure 7.2-14). Each time a coincidence signal is generated, the automatic test task verifies that the signal is propagated through the "OR" logic. Failure of the coincidence signal to propagate through the "OR" logic will result in the annunciation of a test failure and a message that describes the failure in more detail.

  • Testing of RPS Time Delay and Reactor Trip Circuit Breakers

The RPS time delay and circuit breaker test is a manually initiated test. The test is manually initiated because the test philosophy requires operator involvement in the testing and reclosing of these important reactor trip devices. The operator can obtain status information from the undervoltage, shunt trip and current monitors depicted in Figure 7.2-12 and thus determine the success or failure of the test for both of the diverse methods of tripping the breaker.
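The local coincidence test of Section 7.2.1.1.9.4 can be modelled as follows. This is an added Python illustration, not code from the Design Control Document. It assumes the normal logic is two-out-of-four, that at most one channel carries a trip channel bypass, and it uses constructed channel names A to D and a constructed input fault.

```python
from itertools import product

CHANNELS = ("A", "B", "C", "D")   # four redundant channels; names are assumed


def local_coincidence(trips, bypassed=None):
    """Reference model: coincidence when two non-bypassed channels are tripped.

    trips    -- dict mapping channel name to bistable trip status (bool)
    bypassed -- the single channel under trip channel bypass, or None
    """
    if bypassed is not None and bypassed not in CHANNELS:
        raise ValueError(f"unknown channel {bypassed!r}")
    voters = [ch for ch in CHANNELS if ch != bypassed]
    return sum(trips[ch] for ch in voters) >= 2


def effective_logic(process_trips, bypassed=None):
    """Return (further trips needed, channels still able to supply them)."""
    voters = [ch for ch in CHANNELS if ch != bypassed]
    tripped = sum(process_trips[ch] for ch in voters)
    return max(2 - tripped, 0), len(voters) - tripped


def reachable_patterns(process_trips):
    """Every trip pattern the test task can create.

    A bistable already tripped by its process input cannot be forced to the
    untripped state, so only the currently untripped channels are varied.
    """
    free = [ch for ch in CHANNELS if not process_trips[ch]]
    for forced in product((False, True), repeat=len(free)):
        pattern = dict(process_trips)
        pattern.update(zip(free, forced))
        yield pattern


def check_coincidence_logic(device, process_trips, bypassed=None):
    """Drive `device` through all reachable patterns and list discrepancies."""
    failures = []
    for pattern in reachable_patterns(process_trips):
        expected = local_coincidence(pattern, bypassed)
        actual = device(pattern, bypassed)
        if actual != expected:
            failures.append((pattern, expected, actual))
    return failures


def faulty_device(trips, bypassed=None):
    """Constructed fault: the channel C trip input is stuck untripped."""
    return local_coincidence(dict(trips, C=False), bypassed)


if __name__ == "__main__":
    idle = dict.fromkeys(CHANNELS, False)
    print(effective_logic(idle), effective_logic(idle, "B"),
          effective_logic(dict(idle, A=True), "B"))
    for pattern, expected, actual in check_coincidence_logic(faulty_device, idle):
        tripped = [ch for ch in CHANNELS if pattern[ch]]
        print(f"test failure: trips {tripped} expected {expected} got {actual}")
```

With channel C bypassed the same fault produces no discrepancy, which illustrates why the coverage of the automatic test depends on the inputs the test task does not control.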

7.2.1.1.9.6 Manual Trip Test

The manual trip feature is tested by depressing one of the four manual trip pushbuttons, observing a trip of a trip breaker, and resetting the breaker prior to depressing the next manual trip pushbutton. Closing of the circuit breaker can be initiated from the PPS operator's module locally or at the main control room.

7.2.1.1.9.7 Bypass Testing

  • Operating Bypass Testing

The Operating Bypasses are automatically tested. Testing is both passive and active. The passive check consists of verifying the appropriateness of the bypass, i.e., is the input parameter in the range of values over which the bypass is allowed. The active test, as a part of the bistable logic testing, verifies that the bistable can have an output consistent with the operating bypass status, i.e., if an operating bypass is not present, the bistable can be tripped; with an operating bypass present, the bistable cannot be tripped.

The permissive bistable logic from which the operating bypass logic receives the auto-removal signal is also verified. This is accomplished by actively testing the permissive bistable logic in the same manner that the trip bistable logic functions are tested. When testing the permissive bistable it can be verified that when the auto-removal condition is present, the operating bypass is removed.

  • Bistable Trip Channel Bypass Testing

A description of testing bistable trip channel bypasses is included as part of the local coincidence logic testing described in Section 7.2.1.1.9.4.

7.2.1.1.9.8 Response Time Tests

Response time testing of the complete Reactor Protective System is accomplished by the combined use of portable field installed test equipment and test features provided as part of the PPS test function. Measurement Channel Response Time Tests, which include portions of the system (such as cables and sensors) may be conducted on a system basis or an overlapping subsystem basis. Methods which may be used to conduct these tests include:

1. Perturbation and monitoring of plant parameters - either during operation or while shutdown. This method is applicable to RTDs (monitored following a plant trip), reactor coolant pump speed sensors (monitored following turn-off of pump), and CEA position reed switches (monitored during CEA motion).
2. On-line power spectral density analysis. This method would be applicable to analog sensors as defined in ANSI/ISA-S67.06-1984, "Response Time Testing of Nuclear Safety-Related Instrument Channels in Nuclear Power Plants."
3. Off-line injection of step or ramp changes for RPS inputs. This method would be applicable to sensors (via special pressure test rigs, hot oil baths or hot sand boxes) or electronics and logic (via special electrical test boxes).
4. The test function in the course of its normal testing implicitly verifies that the response time of the PPS is less than a known upper limit. The upper limit is bounded by the bistable logic processor execution time (fixed) plus the coincidence processor execution time (fixed) plus the worst case skew time due to the asynchronous operation of the processor. An independent timer monitors the fixed execution time and provides overrun status. The test function reads this status and will annunciate a failure.
5. Operation and monitoring of actuated devices. This method would be applicable to the CEDMs, including their control logic and switchgear.
6. System test - from sensor to actuated device - utilizing a combination of the above techniques. This method might incorporate, for example, a step input from a test rig to a sensor, measuring total time until CEDMs drop.
7. Factory or laboratory tests of removed components. This method would be applicable to all components.

The trip delay times used in the Chapter 15 Safety Analysis for various trips are verified by using the above methods. Specifically, the methods applicable to each trip are:

  • High Logarithmic and Variable Overpower Levels use methods 2, 3, 4, 6 or 7.

  • Low DNBR and High Local Power Density use methods 1 through 7.
  • High Pressurizer Pressure, Low Pressurizer Pressure, Low Steam Generator Water Level, Low Steam Generator Pressure and High Steam Generator Water Level use methods 2 through 7.

The design of the Reactor Protective System is such that connections may conveniently be made for the appropriate test equipment. The hardware design includes test connections on the instrument lines going to pressure and differential pressure transmitters, and test points wired out to convenient connectors or terminal strips. C-E supplies to the site operator the data obtained during factory or laboratory testing so that this may be correlated with this field data.

7.2.1.1.10 Vital Instrument Power Supply

The vital instrument power supply requirements are discussed in Chapter 8.

7.2.1.1.11 System Arrangement

RPS components are arranged so as to conform to the separation, independence, and other criteria specified in this chapter. The safety-related components are located to provide access for maintenance, testing and operation as required.

The redundant channels and divisions of the PPS, RPS and RTSS instrumentation and control cabinets are designed to be located in separate plant control complex locations. These locations conform to Regulatory Guides 1.17 and 1.120 for safety system security and fire protection as described in Sections 7.1.2.16 and 7.1.2.29.

The control complex and RPS arrangements are designed to maintain independence between the Main Control Room and Remote Shutdown Panel such that transfer of control can be achieved as described in Sections 7.4.1.1.10 and 7.7.1.3.

7.2.1.2 Design Bases

The RPS is designed to assure adequate protection of the fuel, fuel cladding, and RCS boundary during Anticipated Operational Occurrences. In addition, the system is designed to assist the ESF Systems in mitigating the consequences of accidents. To ensure that these design bases are achieved, the reactor must be maintained within the limiting conditions of operation and the limiting safety system settings implemented consistent with the Technical Specifications.

The system is designed on the following bases to assure adequate performance of its protective function:

  • The system is designed in compliance with the applicable criteria of the "General Design Criteria for Nuclear Power Plants," Appendix A of 10 CFR 50.
  • Instrumentation, function, and operation of the system conforms to the requirements of IEEE Standard 279-1971, "Criteria for Protective Systems for Nuclear Power Generating Stations."


  • System testing conforms to the requirements of IEEE Standard 338-1977, "Standard Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems."
  • The system is designed in consistence with the recommendations of Regulatory Guide 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protective Systems," and Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions."
  • The system is designed to determine the following generating station conditions in order to provide adequate protection during Anticipated Operational Occurrences:
1. Core power (neutron flux).
2. Reactor coolant system pressure.
3. DNBR in the limiting coolant channel in the core.
4. Peak local power density in the limiting fuel pin in the core.
5. Steam generator water level.
6. Reactor coolant flow.
  • The system is designed to determine the following generating station conditions in order to provide mitigation assistance to the ESF during accidents:
1. Core power.
2. RCS pressure.
3. Steam generator pressure.
4. Containment pressure.
5. Reactor coolant flow.
6. Steam generator water level.
7. DNBR in the limiting coolant channel in the core.
  • The system is designed to monitor all generating station variables that are needed to assure adequate determination of the conditions listed in the above two items over the entire range of normal operation and transient conditions. The full power nominal values and the maximum and minimum values that can be sensed for each monitored plant variable are given in Table 7.2-2. The type, number, and location of the sensors provided to monitor these variables are given in Table 7.2-3.
  • The system is designed to alert the operator when any monitored plant condition is approaching a condition that would initiate protective action.


  • The system is designed so that protective action will not be initiated due to normal operation of the generating station.

Nominal full power values of monitored conditions and their corresponding protective action (trip) setpoints are given in Table 7.2-4. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays and inaccuracies are taken into account. Reactor trip delay times and analysis setpoints are given in the Chapter 15 safety analyses. The reactor protective system sensor response times, reactor trip delay times, and analysis setpoints used in Chapter 15 are representative of the manner in which the RPS and associated instrumentation will operate. These quantities are used in the transient analysis documented in Chapter 15. Note that the reactor trip delay times shown in Chapter 15 do not include the sensor response times. Actual RPS equipment uncertainties, response times and reactor trip delay times are obtained from calculations and tests performed on the RPS and associated instrumentation. The verified system uncertainties are factored into all RPS settings and/or setpoints to assure that the system adequately performs its intended function when the errors and uncertainties combine in an adverse manner.

  • All system components are qualified for environmental and seismic conditions in accordance with IEEE Standard 323-1983, and IEEE Standard 344-1987. Compliance is addressed in Sections 3.10 and 3.11, respectively. In addition, the system is capable of performing its intended function under the most degraded conditions of the energy supply, as addressed in Section 8.3.
  • System components are qualified according to an established plan for electromagnetic compatibility (EMC) that requires the equipment to function properly when subjected to electrical surges, electromagnetic interference (EMI), electrostatic discharge (ESD) and radio frequency interference (RFI). Qualification is applied for equipment based on operating environment and/or inherent design characteristics. EMI qualification is performed in accordance with applicable requirements of MIL-STD-461C, 1986 (Sections RS03, RS02, CS01, CS02 and CS06), "Electromagnetic Emission and Susceptibility Requirements for the Control of Electromagnetic Interference." Radiated and conducted EMI envelopes are established for qualification. A site-specific EMI survey is then performed to ensure that system exposure to EMI is within qualification envelope limits.
  • The RPS is considered a vital system. Vital instrumentation cabinet doors are locked and equipped with "door open" alarms. Refer to Chapter 13, Appendix 13A for additional details.

7.2.1.3 System Drawings

The RPS MCBDs, signal logics, block diagrams, and test circuit block diagrams are shown in Figures 7.2-1 through 7.2-30.

7.2.2 Analysis

7.2.2.1 Introduction

The RPS is designed to provide the following protective functions.

  • Initiate automatic protective action to assure that acceptable RCS and fuel design limits are not exceeded during specified Anticipated Operational Occurrences.
  • Initiate automatic protective action during accidents to aid the ESF Systems in limiting the consequences of the accidents.

A description of the reactor trips provided in the RPS is given in Section 7.2.1.1.1. Section 7.2.2.2 provides the bases for all the RPS trips and Table 7.2-4 gives the applicable nominal trip setpoints. Some of the trips in the RPS are single parameter trips (i.e., a trip signal is generated by comparing a single measured variable with a fixed setpoint). The RPS trips that do not fall into this category are as follows:

  • Low Pressurizer Pressure Trip

This trip employs a setpoint that is determined as a function of the measured pressurizer pressure or that is varied by the operator.

  • Low Steam Generator Pressure Trip

This trip employs a setpoint that is determined as a function of the measured steam generator pressure or that is varied by the operator.

  • Low Steam Generator Water Level Trip

This trip employs a variable setpoint that is a function of reactor power. The setpoint will track automatically in an increasing or decreasing direction. A fixed minimum low setpoint is also incorporated.

  • High Local Power Density Trip

This trip is calculated as a function of several measured variables.

  • Low DNBR Trip

This trip is calculated as a function of several measured variables.

  • Variable Overpower

This trip employs a variable setpoint that will track automatically in an increasing or decreasing direction. Rate of change of an increasing neutron flux power input is limited by a predetermined input to setpoint margin and setpoint tracking rate. A fixed high setpoint is also incorporated.


  • Low Reactor Coolant Flow Trip This trip employs a variable setpoint that will track automatically in an increasing or decreasing direction. A decreasing rate of change of the differential pressure across the primary side of the steam generator input signal is limited by a predetermined input to setpoint margin and setpoint tracking rate. A fixed low setpoint is also incorporated.

The low DNBR and high local power density trips are provided in the TLCs. All RPS trips are provided with a pre-trip alarm in addition to the trip alarm. Pre-trip alarms are provided to alert the operator to an approach to a trip condition and play no part in the safety evaluation of the plant.

Each RPS setpoint is chosen to be consistent with the function of the respective trip. The adequacy of all RPS trip setpoints, with the exception of the low DNBR and high local power density trips, is verified through an analysis of the pertinent system transients reported in Chapter 15. These analyses utilize an Analysis Setpoint (assumed trip initiation point) and system delay times associated with the respective trip functions. The analysis setpoint along with instrument uncertainties provides the basis for the calculation of the final equipment setpoints to be reported in the Technical Specifications. Limiting trip delay times are given in Chapter 15. The manner by which these delay times and uncertainties will be verified is discussed in Section 7.2.1.2.

The adequacy of the low DNBR and high local power density trips was certified by a combination of static and dynamic analyses. These analyses provide assurance that the low DNBR and high local power density trips function as required and provide the justification for the TLC time response assumed in Chapter 15 safety analyses. This is accomplished by certifying that algorithms used in these two trips predict results that are conservative with respect to the results obtained from standard design methods, models, and computer codes used in evaluating plant performance. This verification also takes into account all errors and uncertainties associated with these two trips, in addition to trip delay times, and will assure that the consequences of any Anticipated Operational Occurrences do not include violation of specified acceptable fuel design limits. Examples of the computer codes that will be used in this verification are given in Chapter 15.

7.2.2.1.1 Anticipated Operational Occurrences

Anticipated Operational Occurrences that are accommodated by the system are those conditions that may occur one or more times during the life of the plant. In particular, the occurrences considered include single component or control system failures resulting in transients which may require protective action.

The fuel design and Reactor Coolant Pressure Boundary (RCPB) limits used in the RPS design for Anticipated Operational Occurrences are:

  • The DNBR, in the limiting coolant channel in the core, shall not be less than the DNBR safety limit.
  • The peak local power density in the limiting fuel pin in the core shall not be greater than the peak linear heat rate safety limit.
  • The RCS pressure shall not exceed established pressure boundary limits.

The Anticipated Operational Occurrences that were used to determine the system design requirements are:


  • Insertion or withdrawal of CEA groups, including:

1. Uncontrolled sequential withdrawal of CEA groups.
2. Out of sequence insertion or withdrawal of CEA groups.
3. Excessive sequential insertion of CEA groups.
  • Insertion or withdrawal of CEA subgroups, including:
1. Uncontrolled insertion or withdrawal of a CEA subgroup.
2. Dropping of one CEA subgroup.
3. Misalignment of CEA subgroups comprising a designated CEA group.
  • Insertion of a single CEA, including:
1. Uncontrolled insertion of a single CEA.
2. A dropped full- or part-length CEA.
3. A statically misaligned CEA.
  • Uncontrolled boron dilution.
  • Excess heat removal due to secondary system malfunctions.

  • Change of forced reactor coolant flow resulting from a loss of electrical power to reactor coolant pumps.

  • Inadvertent pressurization or depressurization of RCS resulting from anticipated single control system malfunctions.
  • Change of normal heat transfer capability between steam and reactor coolant systems resulting from improper feedwater flow, a loss of external load and/or turbine trip, or a loss of condenser vacuum.
  • Complete loss of AC power to the station auxiliaries.
  • Asymmetric steam generator transients due to instantaneous closure of one MSIV.
  • Uncontrolled axial Xenon oscillations.


  • Depressurization due to the inadvertent actuation of primary or secondary safety valves.

The implementation of TLC initiated CEA motion inhibit and cutback demand functions has resulted in the reclassification of selected CEA malfunction events to be classed as Accidents. These events are included in Section 7.2.2.1.2 as unplanned events for which the RPS will take action.

7.2.2.1.2 Accidents

The accidents for which the system will take action are those unplanned events under any conditions that may occur once during the life of several stations and certain combinations of unplanned events and degraded systems that are never expected to occur. The consequences of most of these limiting faults will be limited by the ESF Systems; the RPS will provide action to assist in limiting these conditions for these accidents. The accidents for which the RPS will provide protective action assistance are:

  • RCS pipe rupture.
  • CEA events, including:
1. Ejection of any single CEA.
2. Uncontrolled withdrawal of single CEA.
3. A single CEA sticking, with the remainder of the CEAs in that group moving.


  • Steam system pipe rupture.
  • Feedwater system pipe rupture.
  • Reactor coolant pump shaft seizure.

  • Break in a line from the reactor coolant pressure boundary that penetrates containment.
  • A reactor coolant pump sheared shaft.
  • Steam generator tube rupture.

7.2.2.2 Trip Bases

The RPS consists of fifteen trips in each of the four RPS channels that will initiate the required automatic protective action utilizing a coincidence of two like trip signals. A brief description of the inputs and purpose of each trip is presented in Sections 7.2.2.2.1 through 7.2.2.2.11.

7.2.2.2.1 Variable Overpower Trip

  • Input Neutron flux power from the excore neutron flux monitoring system.
  • Purpose To provide a reactor trip to assist the ESF Systems in the event of an ejected CEA Accident.


7.2.2.2.2 High Logarithmic Power Level Trip

  • Input Neutron flux power from the excore neutron flux monitoring system.
  • Purpose To assure the integrity of the fuel cladding and RCS boundary in the event of unplanned criticality from a shutdown condition, resulting from either dilution of the soluble boron concentration or uncontrolled withdrawal of CEAs. In the event that CEAs are in the withdrawn position, automatic trip action will be initiated. If all CEAs are inserted, an alarm is provided to alert the operator to take appropriate action in the event of an unplanned criticality.

7.2.2.2.3 High Local Power Density Trip

  • Inputs

1. Neutron flux power and axial power distribution from the excore neutron flux monitoring system.
2. Radial peaking factors from CEA position measurement system (reed switch assemblies).
3. Thermal power from coolant temperatures, pressure and flow measurements.
4. Penalty factors from CEACs for CEA deviation within a subgroup.
5. Penalty factors generated within the TLC for subgroup deviation and groups out-of-sequence.

  • Purpose To prevent the linear heat rate (kW/ft) in the limiting fuel pin in the core from exceeding fuel design limits in the event of defined Anticipated Operational Occurrences.

7.2.2.2.4 Low DNBR Trip

  • Inputs

1. Neutron flux power and axial power distribution from the excore neutron flux monitoring system.
2. RCS pressure from pressurizer pressure measurement.
3. Thermal power from coolant temperatures, pressure and flow measurements.
4. Radial peaking factors from CEA position measurement (reed switch assemblies).
5. Reactor coolant mass flow from reactor coolant pump speeds and temperatures.


6. Core inlet temperature from reactor coolant cold leg temperature measurements.


7. Penalty factors from CEACs for CEA deviation within a subgroup.
8. Penalty factors generated within the TLC for subgroup deviation and groups out-of-sequence.
  • Purpose To prevent the DNB ratio in the limiting coolant channel in the core from exceeding the fuel design limit in the event of defined Anticipated Operational Occurrences. In addition, this trip will provide a reactor trip to assist the ESF Systems in limiting the consequences of the steam line break inside and outside containment, steam generator tube rupture and reactor coolant pump shaft seizure accidents.

7.2.2.2.5 High Pressurizer Pressure Trip

  • Input Reactor coolant pressure from narrow range (1500-2500 psia) pressurizer pressure measurement.

  • Purpose To help assure the integrity of the RCS boundary for any defined Anticipated Operational Occurrence that could lead to an overpressurization of the RCS.

7.2.2.2.6 Low Pressurizer Pressure Trip

  • Input Reactor coolant pressure from combined high and low range pressurizer pressure measurements.
  • Purpose To provide a reactor trip in the event of reduction in system pressure, in addition to the DNBR trip, and to provide a reactor trip to assist the ESF Systems in the event of a LOCA.

7.2.2.2.7 Low Steam Generator Water Level Trips

  • Input Level of water in each steam generator downcomer region from wide range differential pressure measurements. Neutron flux power from the ex-core neutron flux monitors for determination of the variable water level setpoint.
  • Purpose To provide a reactor trip to assist the ESF systems to assure that there is sufficient time for actuating the emergency feedwater pumps to remove decay heat from the reactor in the event of a reduction of steam generator water inventory.

7.2.2.2.8 Low Steam Generator Pressure Trips

  • Input Steam pressure in each steam generator.

  • Purpose To provide a reactor trip to assist the ESF Systems in the event of a steam line break accident.

7.2.2.2.9 High Containment Pressure Trip

  • Input Pressure inside reactor containment.

  • Purpose To assist the ESF Systems by tripping the reactor coincident with the initiation of safety injection caused by excess pressure in containment.

7.2.2.2.10 High Steam Generator Water Level Trips

  • Input Level of water in each steam generator downcomer region from narrow range differential pressure measurements.
  • Purpose To assist the ESF Systems by tripping the reactor coincident with initiation of Main Steam Isolation caused by a high steam generator water level.

7.2.2.2.11 Low Reactor Coolant Flow

  • Input Pressure differential measured across the steam generator primary side.

  • Purpose To provide a reactor trip in the event of a reactor coolant pump sheared shaft.

7.2.2.2.12 Manual Reactor Trip

  • Input Two independent pairs of trip pushbuttons are provided at both Main Control Room and Remote Shutdown Room panels.
  • Purpose A Manual Reactor Trip is provided to permit the operator to trip the reactor.

7.2.2.3 Design


7.2.2.3.1 General Design Criteria

Appendix A of 10 CFR 50, "General Design Criteria for Nuclear Power Plants," establishes minimum requirements for the principal design criteria for water-cooled nuclear power plants. This section describes how the requirements that are applicable to the RPS are satisfied.

Criterion 1 - Quality Standards and Records:

Refer to Section 3.1.1 for compliance.

Criterion 2 - Design Bases for Protection Against Natural Phenomena:

Refer to Section 3.1.2 for compliance.

Criterion 3 - Fire Protection:

Refer to Section 3.1.3 for compliance.

Criterion 4 - Environmental and Missile Design Bases:

Refer to Section 3.1.4 for compliance.

Criterion 5 - Sharing of Structures, Systems, and Components:

Refer to Section 3.1.5 for compliance.

Criterion 10 - Reactor Design:

Refer to Section 3.1.6 for compliance. Typical margins between the normal operating value and the trip setpoint are given on Table 7.2-4.

Criterion 12 - Suppression of Reactor Power Oscillations:

Refer to Section 3.1.8 for compliance. The axial power distribution is continuously monitored by the RPS and factored into the low DNBR and high LPD trips. This assures that acceptable fuel design limits are not exceeded in the event of axial power oscillations. Allowances are made in the trip setpoints for azimuthal power tilts.

Criterion 13 - Instrumentation and Control:

Refer to Section 3.1.9 for compliance.

Criterion 15 - Reactor Coolant System Design:

Refer to Section 3.1.11 for compliance.

Criterion 16 - Containment Design:

Refer to Section 3.1.12 for compliance.

Criterion 19 - Control Room:

Refer to Section 3.1.15 for compliance. RPS status monitoring and controls necessary for safe operation of the unit are provided in the main control room via the DIAS, DPS, CPC Remote Operators Modules and the PPS Remote Operators Modules.

Criterion 20 - Protection System Functions:

Refer to Sections 3.1.16 and 7.2.2.1 for compliance.

Criterion 21 - Protection System Reliability and Testability:

Refer to Sections 3.1.17 and 7.2.2.3.3 for compliance.

Criterion 22 - Protection System Independence:

Refer to Sections 3.1.18 and 7.2.2.3.2 for compliance.

Criterion 23 - Protection System Failure Modes:

Refer to Sections 3.1.19 and 7.2.2.4 for compliance.

Criterion 24 - Separation of Protection and Control Systems:

Refer to Sections 3.1.20, 7.2.2.3.2 and 7.7.1.1.13 for compliance.

Criterion 25 - Protection System Requirements for Reactivity Control Malfunctions:

Refer to Section 3.1.21 for compliance.

Criterion 29 - Protection Against Anticipated Operational Occurrences:

Refer to Section 3.1.25 for compliance.

7.2.2.3.2 Equipment Design Criteria

IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," establishes minimum requirements for safety-related functional performance and reliability of the RPS. This section describes how the requirements of Section 4 of IEEE Std. 279-1971 are satisfied. The parenthesized data following the headings correspond to the Section numbers of IEEE Std. 279-1971.


  • General Functional Requirement (Section 4.1):

The RPS is designed to limit reactor fuel, fuel cladding, and coolant conditions to levels within plant and fuel design limits. Instrument performance characteristics, response times, and accuracy are selected for compatibility with and adequacy for the particular function. Trip setpoints are established by analysis of the system parameters. Factors such as instrument inaccuracies, bistable trip times, CEA travel times, and circuit breaker trip times are considered in the design of the system.

  • Single Failure Criterion (Section 4.2):

The RPS is designed so that any single failure within the system shall not prevent proper protective action at the system level. No single failure will defeat more than one of the four protective channels associated with any one trip function. The wiring in the system is grouped so that no single fault or failure, including either an open or shorted circuit, will negate protective system operation. Signals routed between redundant PPS cabinets utilize fiber-optic cables. Signal conductors and power leads coming into or going out of each cabinet are protected and routed separately for each channel of each system to minimize possible interaction. Single failures considered in the design of the RPS are described in the Failure Modes and Effects Analysis (FMEA) shown on Table 7.2-5.

  • Quality Control of Components and Modules (Section 4.3):

The systems which function to provide protective action are designed in accordance with the Quality Assurance Program described in Chapter 17.

  • Equipment Qualification (Section 4.4):

The RPS meets the equipment requirements described in Sections 3.10, 3.11, 7.1.2.5 and 7.1.2.8. Safety-related RPS equipment is located so as not to violate qualification limits.

  • Channel Integrity (Section 4.5):

Type testing of components, separation of sensors and channels, and qualification of the cabling by the site operator, are utilized to ensure that the channels will maintain their functional capability required under applicable extremes of environment, power supplied, malfunction and fault conditions. Loss of or damage to any one channel will not prevent the protective action of the RPS. Sensors are connected so that blockage or failure of any one connection does not prevent protective system action. The process transducers located in the containment building are specified and rated for the intended service. Components which must operate during or after an accident are qualified for the most limiting environment for the period of time for which they must maintain their functional capability. Results of type tests are used to verify this.

  • Channel Independence (Section 4.6):

The routing of 1E and associated cabling and sensing lines from sensors meets the requirements of Regulatory Guides 1.75 and 1.151. They are arranged to minimize the possibility of common mode failure. This requires that the cabling for the four safety channels be routed separately; however, the cables of different safety functions within one channel may be routed together. Low energy signal cables are generally routed separately from all power cables. Safety-related sensors are separated. The separation of safety-related cables requires that the cables be routed in separate cable trays. Associated circuit cabling from redundant channels is handled the same as 1E cabling.

Cabling associated with redundant channels of safety-related circuits is installed such that a single credible event cannot cause multiple channel malfunctions or interactions between channels. Non-Class 1E instrumentation circuits and cables (low level) which may be in proximity to Class 1E or associated circuits and cables are treated as associated circuits unless analyses or tests demonstrate that credible failures therein cannot adversely affect Class 1E circuits.

Each redundant channel is independent of the other redundant channels. The sensors are separated, cabling is routed separately and each redundant channel is located in a separate cabinet, geographically located in different fire zones. This minimizes the possibility of a single event causing more than one channel's failure. The outputs from these redundant channels are isolated from each other so that a single failure does not cause impairment of the system function.

The Reed Switch Position Transmitter signals are sent to separate CEA Calculators. To provide the required input to the CEAC, the signals utilized as inputs are sent through optical isolators (see Figure 7.2-7).

Within the RPS, functional and software independence is maintained between Plant Protection Calculator (PPC) channels for Class 1E trip-related functions by using conventional hardwired I/O to interface the bistable trip signals of one channel to the coincidence processor inputs of a different channel. There is no data communication hand-shaking. Therefore, for example, failure of the bistable logic in Channel A cannot impact proper operation of the coincidence logic in Channel B.

In addition, functional and software independence is maintained between PPC channels for auxiliary test and channel bypass functions, by using data communication links only between the Interface and Test Processors (ITP) in each channel. The ITPs handle hand-shaking and data screening of inter-channel data link communications to ensure that the Class 1E trip processors remain segregated and, therefore, cannot be adversely affected by communication errors. In addition, the trip processors include screening logic to ensure that only specific commands can be accepted from the ITPs. An example of this is in the trip channel bypass functions, where the coincidence processors contain first-in interlock logic that allows only one of four input channels to be bypassed, regardless of bypass requests from the ITP.

Outputs from the redundant channels to non-safety related areas are isolated utilizing fiber-optic cable so that a failure in the non-safety related area does not cause loss of the safety system function. Outputs from the components of the RPS to the control boards are isolated. The signals originating in the RPS which feed the DIAS, DPS and control systems are isolated utilizing fiber optic cable to maintain their channel independence.

It should be noted that, in the Nuplex 80+ designs, dataflow is unidirectional from Class 1E systems to non-Class 1E systems. Separate communication processors are utilized to protect the Class 1E functional processors from handshaking and data communication errors.

Qualification for the potential effect on Class 1E systems of communication errors caused by hardware failure or software error originating in non-Class 1E systems is an integral part of software verification and validation for all Class 1E systems. Validation test methods are developed on a case by case basis and are based on the software, hardware and data protocols in use.

The compliance of the RPS with the requirements of IEEE 384-1981, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," and Regulatory Guide 1.75, "Physical Independence of Electric Systems," is discussed in Section 7.1.2.10.

  • Control and Protection System Interaction (Section 4.7):
1. Classification of Equipment (Section 4.7.1):

Protective system functions and control systems that have identical sensor requirements may utilize the same sensors (see the MCBDs for the specific sensors which are shared). The control systems use sensor signal validation logic, as described in Section 7.7.1.1.13, to avoid control protection system interactions. The RPS' DNBR, LPD, and high pressurizer pressure pre-trips provide a CEA Withdrawal Prohibit (CWP) to the CEDMCS. The TLCs provide CEA Motion Inhibit (CMI) and Reactor Power Cutback Demand signals to the CEDMCS. The MDS monitors margin-to-trip conditions for RPS parameters to establish limiting conditions of operation for load following maneuvers. Portions of the protective channels used for both protection and control are classified as part of the protection system up to and including the isolation device used to interface with the control system.

2. Isolation Devices (Section 4.7.2):

Control signals from the RPS are isolated using fiber optic cable such that a failure will not affect the protective action of the RPS.

3. Single Random Failure (Section 4.7.3):

This criterion is not applicable. Due to signal validation, the signals which are sent to the control systems cannot cause a control action which could require a protective action.

4. Multiple Failures Resulting From a Credible Single Event (Section 4.7.4):
This cannot exist since failures within the protective system cannot propagate to the control systems due to isolation devices.

  • Derivation of System Input (Section 4.8):

Insofar as is practicable, system inputs are derived from signals that are direct measures of the desired variables. Variables that are measured directly include neutron flux, temperatures, and pressures. Level information is derived from appropriate differential pressure measurements. Flow information is derived from steam generator primary side differential pressure measurements, reactor coolant pump speed measurement and coolant temperature.

  • Capability for Sensor Checks (Section 4.9):

RPS sensors are checked by cross-channel comparison. Each channel has a known relationship with the other channels of the same parameter.

  • Capability for Test and Calibration (Section 4.10):

The RPS design complies with IEEE Std. 338-1977, "Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems," and the intent of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuator Functions," as discussed in Section 7.2.2.3.3.

  • Channel Bypass or Removal From Operation (Section 4.11):

Any one of the four protection channels in the RPS may be tested, calibrated, or repaired without impairing the system's protective action capability. In the RPS, individual trip channels may be bypassed to create a two-out-of-three logic on the remaining channels which maintains the coincidence of two required for trip. The single failure criterion is met during this condition. Testing of each of the two CEA position indication channels can be accomplished in a very brief time. The probability of failure of the other position indication system is acceptably low during such testing periods.

  • Operating Bypasses (Section 4.12):

Operating bypasses are provided as shown on Table 7.2-1. The operating bypasses are automatically removed when the permissive conditions are not met. The circuitry and devices which function to remove these inhibits are designed in accordance with IEEE Std. 279-1971.
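The first-in bypass interlock described under Channel Independence and the two-out-of-three bypass condition described under Channel Bypass can be modelled together as follows. This is an added illustration in Python, not code from the System 80+ design: the command names, the class and function names and the trip-state dictionaries are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

CHANNELS = ("A", "B", "C", "D")            # four redundant RPS channels (from the text)
ACCEPTED_COMMANDS = ("BYPASS", "RESTORE")  # assumed command names, not from the document


def coincidence(trips: Dict[str, bool], bypassed: FrozenSet[str]) -> bool:
    """Trip when at least two non-bypassed channels report a bistable trip."""
    missing = [ch for ch in CHANNELS if ch not in trips]
    if missing:
        raise ValueError(f"no bistable state for channels {missing}")
    return sum(trips[ch] for ch in CHANNELS if ch not in bypassed) >= 2


def survives_single_failure(bypassed: FrozenSet[str]) -> bool:
    """True if a real demand still trips with any one active channel stuck untripped."""
    active = [ch for ch in CHANNELS if ch not in bypassed]
    for failed in active:
        trips = {ch: ch != failed for ch in CHANNELS}  # every healthy channel trips
        if not coincidence(trips, bypassed):
            return False
    return True


@dataclass
class TripFunctionBypass:
    """Bypass state for one trip function in one coincidence processor (simplified)."""
    bypassed: Optional[str] = None
    rejected: List[Tuple[str, str]] = field(default_factory=list)

    def command(self, name: str, channel: str) -> bool:
        """Screen one request arriving from the ITP; return True only if accepted."""
        accepted = name in ACCEPTED_COMMANDS and channel in CHANNELS
        if accepted and name == "BYPASS":
            # First-in interlock: a second channel is refused while one is bypassed.
            accepted = self.bypassed in (None, channel)
            if accepted:
                self.bypassed = channel
        elif accepted:  # RESTORE is honoured only for the channel that holds the bypass
            accepted = self.bypassed == channel
            if accepted:
                self.bypassed = None
        if not accepted:
            self.rejected.append((name, channel))
        return accepted

    def trip(self, trips: Dict[str, bool]) -> bool:
        """Two-out-of-four normally, two-out-of-three with one channel bypassed."""
        held = frozenset() if self.bypassed is None else frozenset({self.bypassed})
        return coincidence(trips, held)


if __name__ == "__main__":
    proc = TripFunctionBypass()
    print("bypass A accepted:", proc.command("BYPASS", "A"))
    print("bypass B accepted:", proc.command("BYPASS", "B"))
    # Constructed bistable states: channels B and C tripped.
    print("trip:", proc.trip({"A": False, "B": True, "C": True, "D": False}))
    print("one bypass tolerates a single failure:",
          survives_single_failure(frozenset({"A"})))
    print("two bypasses tolerate a single failure:",
          survives_single_failure(frozenset({"A", "B"})))
```

The last check shows the reason for the interlock: with two channels bypassed, one stuck bistable leaves a single vote and the coincidence of two can no longer be reached.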

  • Indication of Bypasses (Section 4.13):
Indication of test or bypass conditions, or removal of any channel from service is given via remote operator's modules and DPS. Operating bypasses that are automatically removed at fixed setpoints are alarmed and indicated via remote operator's modules and DPS.
  • Access to Means for Bypassing (Section 4.14):

Trip channel bypasses from the PPS cabinets are controlled since the equipment rooms have access controlled by means of key locked doors. Trip channel bypasses from the main control room PPS operator's modules are under the control room operator's cognizance. When the first parameter is bypassed there is an alarm to indicate which channel is being bypassed. The specific parameter or parameters which are being bypassed are indicated at the PPS cabinet and its remote operator's module.

The operating bypasses have audible and visible alarms. The operating bypasses have automatic features which provide a permissive range at which they can be actuated. Should the permissive range be exceeded, the bypass will be automatically removed.

  • Multiple Setpoints (Section 4.15):

Manual reduction of the setpoints for low pressurizer pressure and low steam generator pressure trips is used for the controlled reduction of pressurizer pressure and steam generator pressure as discussed in Sections 7.2.1.1.1.6 and 7.2.1.1.1.8. The setpoint reductions are initiated by main control board pushbuttons for each channel, one pushbutton for the pressurizer pressure and one pushbutton for both steam generator pressures within the one channel. This method of setpoint reduction provides positive assurance that the setpoint is never decreased below the existing pressure by more than a predetermined amount.

The variable low water level setpoint for each steam generator automatically tracks reactor power from a minimum low power value to a maximum full power value and vice versa. The variable setpoint is designed with maximum ceiling and minimum floor values such that sufficient water inventory is available to prevent unwarranted actuation of emergency feedwater following a reactor trip.

The variable overpower trip setpoint tracks the actual reactor power from a minimum value to a high value or vice versa, if the power changes slowly enough. The variable overpower trip setpoint is designed with a maximum rate of decrease or increase. Should the actual power increase at too rapid a rate, it will catch up with the more slowly increasing setpoint and cause a trip.

The low reactor coolant flow trip setpoint automatically tracks below the input variables by a fixed margin for all decreasing inputs with a rate less than the rate limit. The setpoint decreases at a fixed rate for all decreasing input variable changes greater than the rate limit. Should the input variable decrease at too rapid a rate, it will catch up with the more slowly decreasing setpoint and cause a trip. The setpoint automatically increases as the input variable increases independent of rate.
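The rate-limited tracking described above for the low reactor coolant flow trip can be worked through numerically. The following Python sketch is an added illustration, not the plant's algorithm: the margin, tracking rate, fixed low setpoint, sample interval and input traces are constructed values in arbitrary percent units, and the class and function names are assumptions.

```python
from typing import List, Optional, Sequence, Tuple


class LowFlowTrip:
    """Low-trip bistable whose setpoint follows the input from below."""

    def __init__(self, margin: float, max_fall_per_s: float, floor: float):
        self.margin = margin                  # fixed input-to-setpoint margin
        self.max_fall_per_s = max_fall_per_s  # setpoint tracking rate limit
        self.floor = floor                    # fixed low setpoint
        self.setpoint: Optional[float] = None

    def update(self, value: float, dt: float) -> bool:
        """Advance the setpoint by one sample and report whether the trip is demanded."""
        target = value - self.margin
        if self.setpoint is None or target >= self.setpoint:
            new = target  # rising input: the setpoint follows independent of rate
        else:
            # Falling input: the setpoint may fall no faster than the rate limit.
            new = max(target, self.setpoint - self.max_fall_per_s * dt)
        self.setpoint = max(new, self.floor)
        return value <= self.setpoint


def simulate(samples: Sequence[float], dt: float = 1.0, margin: float = 10.0,
             max_fall_per_s: float = 1.0, floor: float = 60.0
             ) -> List[Tuple[float, bool]]:
    """Return (setpoint, tripped) for every input sample."""
    trip = LowFlowTrip(margin, max_fall_per_s, floor)
    history = []
    for value in samples:
        tripped = trip.update(value, dt)
        history.append((trip.setpoint, tripped))
    return history


def first_trip(samples: Sequence[float], **params: float) -> Optional[int]:
    """Index of the first sample that demands a trip, or None if none does."""
    for index, (_, tripped) in enumerate(simulate(samples, **params)):
        if tripped:
            return index
    return None


# Constructed input traces, one sample per second.
SLOW_COASTDOWN = [100.0 - 0.5 * i for i in range(90)]  # falls slower than the rate limit
FAST_LOSS = [100.0 - 5.0 * i for i in range(6)]        # falls faster than the rate limit

if __name__ == "__main__":
    print("slow coastdown trips at sample", first_trip(SLOW_COASTDOWN))
    print("fast loss trips at sample", first_trip(FAST_LOSS))
```

With these values the slow trace is tracked all the way down and trips only when the input reaches the fixed low setpoint, while the fast trace overtakes the rate-limited setpoint within a few samples.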

  • Completion of Protective Action Once it is Initiated (Section 4.16):

The system is designed to ensure that protective action (reactor trip) will go to completion once initiated. Operator action is required to clear the trip and return to operation. Protective action is initiated when the reactor trip circuit breakers open. Protective action is completed when the CEAs arrive at their full-in position.

  • Manual Initiation (Section 4.17):

A manual trip is effected by depressing either of two pairs of trip pushbuttons in the main control room or remotely tripping the RTSS or using the local pushbuttons on the RTSS. No single failure will prevent a manual trip.

  • Access to Setpoint Adjustments, Calibration and Test Points (Section 4.18):

Keys or built-in features are provided to control setpoints, changes to CPC constants, calibration, and test point adjustments. Access is indicated to the operator. The site operator controls access via key locks, administrative procedures, and other means to limit access.

  • Identification of Protective Action (Section 4.19):

Indications are provided for all protective actions, including identification of channel trips. The breaker status and current indication are available to the operator.

  • Information Readout (Section 4.20):

Means are provided to allow the operator to monitor all trip system inputs, outputs and calculations. The specific displays that are provided for RPS status monitoring are described in Section 7.5. The RPS alarms and the remote PPS and CPC Operator's Modules are located in the main control room.

  • System Repair (Section 4.21):

Identification of a defective input channel will be accomplished by observation of system status lights or by testing as described in Section 7.2.1.1.9. Replacement or repair of components is accomplished with the affected input channel bypassed. The affected trip function then operates in a two-out-of-three trip logic while maintaining the coincidence of two required for trip.
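The effect of a bypass and of a subsequent channel failure on the coincidence logic, as described above and in the "Effect Upon PPS" entries of Table 7.2-5, can be checked with a small model. This is an added example, not code from the design document: the channel state names, function names and the voting model are assumptions; the two-vote coincidence and the one-bypass-at-a-time interlock are taken from the text and Table 7.2-1.

```python
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"                       # bistable follows the process
    BYPASSED = "bypassed"                   # removed from the logic for repair or test
    FAILED_TRIPPED = "failed, tripped"      # failure holds the channel in the tripped state
    FAILED_UNTRIPPED = "failed, no trip"    # failure prevents the channel from tripping


CHANNELS = ("A", "B", "C", "D")
VOTES_TO_TRIP = 2   # coincidence of two required for trip


def all_normal():
    return {name: Ch.NORMAL for name in CHANNELS}


def bypass(states, channel):
    """Bypass one channel; the interlock allows only one bypass per trip function."""
    if any(s is Ch.BYPASSED for n, s in states.items() if n != channel):
        raise ValueError("bypass interlock: another channel is already bypassed")
    return {**states, channel: Ch.BYPASSED}


def fail(states, channel, mode):
    return {**states, channel: mode}


def trip_output(states, demand):
    """demand maps channel -> True if the process is beyond the setpoint there."""
    votes = sum(
        1 for name, s in states.items()
        if s is Ch.FAILED_TRIPPED or (s is Ch.NORMAL and demand[name])
    )
    return votes >= VOTES_TO_TRIP


def effective_logic(states):
    """Return (healthy channel trips still needed, healthy channels available)."""
    healthy = sum(1 for s in states.values() if s is Ch.NORMAL)
    stuck = sum(1 for s in states.values() if s is Ch.FAILED_TRIPPED)
    return max(VOTES_TO_TRIP - stuck, 0), healthy


def single_failure_check(states):
    """For each single failure of a healthy channel, report
    (trips on a real demand, trips spuriously with no demand)."""
    demand_all = dict.fromkeys(states, True)
    demand_none = dict.fromkeys(states, False)
    report = {}
    for name, s in states.items():
        if s is not Ch.NORMAL:
            continue
        for mode in (Ch.FAILED_TRIPPED, Ch.FAILED_UNTRIPPED):
            failed = fail(states, name, mode)
            report[(name, mode)] = (trip_output(failed, demand_all),
                                    trip_output(failed, demand_none))
    return report


if __name__ == "__main__":
    one_bypassed = bypass(all_normal(), "D")
    print("no bypass:        %d-out-of-%d" % effective_logic(all_normal()))
    print("D bypassed:       %d-out-of-%d" % effective_logic(one_bypassed))
    for mode in (Ch.FAILED_TRIPPED, Ch.FAILED_UNTRIPPED):
        print("D bypassed, A %s: %d-out-of-%d"
              % ((mode.value,) + effective_logic(fail(one_bypassed, "A", mode))))
    print(single_failure_check(one_bypassed))
```

With one channel bypassed, a failure in the tripped direction leaves 1-out-of-2 logic and a failure in the non-tripping direction leaves 2-out-of-2 logic; in both cases a real demand still trips and the single failure alone does not.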

  • Identification (Section 4.22):

All equipment, including panels, modules, and cables, associated with the trip system will be marked in order to facilitate identification. Physical identification is provided to enable plant personnel to recognize that PPS Cabinets, RTSS, and their cabling are safety-related. The cabinets are identified by nameplates. A color coding scheme is used to identify the physically separated channel cabling from sensor to the PPS. The same color code is used for interbay or intercabinet identification. Cabling or wiring within a bay at the cabinet which is in the channel of its circuit classification is not color coded. The cabinet nameplates and cabling between cabinets are color coded as follows:

Protective Channel | ESF Train | Associated Channel Divisions
Channel A: Red | A: Red | Channel J: White / Red Stripe
Channel B: Green | B: Green | Channel K: White / Green Stripe
Channel C: Yellow | | Channel L: White / Yellow Stripe
Channel D: Blue | | Channel M: White / Blue Stripe

7.2.2.3.3 Testing Criteria

Conformance to IEEE Std. 338-1977 and the intent of Regulatory Guide 1.22 are discussed in Sections 7.1.2.7 and 7.1.2.17. Test intervals and their bases are included in the Technical Specifications.

A complete channel can be tested without causing a reactor trip and without affecting system operability. Overlap in the RPS channel tests is provided to assure that the entire channel is functional. The testing scheme is discussed in detail in Section 7.2.1.1.9, "Testing".

Since operation of the RPS will be infrequent, the system is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip, without violating the single failure criterion, and without inhibiting the operation of the system. The system can be checked from the sensor signal through the circuit breakers of the RTSS. The RPS can be tested during reactor operation. The sensors can be checked by comparison with similar channels or channels that involve related information. Minimum frequencies for checks, calibration, and testing of the RPS instrumentation are given in technical specifications. Overlap in the checking and testing is provided to assure that the entire channel is functional. The use of ground detection at the supply bus assures that grounds will be detected.

7.2.2.4 Failure Modes and Effects Analysis (FMEA)

A FMEA for the RPS and ESFAS is provided in Table 7.2-5. The FMEA is for protection systems' sensors, and coincidence and actuating logics. The FMEA was prepared assuming that one set of the redundant channels is bypassed for maintenance. The logic interface for the protection systems is shown on Figure 7.2-19.

The Failure Modes and Effects Analysis (FMEA) provided in Table 7.2-5 addresses all possible outputs from computers (e.g., communication failures); not all of the possible causes of the output conditions. At the hardware interface level for all computers, the FMEA bounds all cases by considering the worst case effects at the computer outputs. For binary outputs, open and closed status is addressed. For digitized data, interfaces are analyzed for failure to transmit data, failure to receive data and communication of erroneous data.

In the case of the ESF-CCS, loss of data communications with multiplexer output modules results in fail safe output operation. Fail safe is defined as the state corresponding to the electrical failure mode of the final actuation device for the actuated equipment (e.g., solenoid valves fail open or closed, motorized valves fail as-is, etc.). Loss of data communication with multiplexer input modules or loss of data link inputs generally results in continued control system operation with the last good input data. Specific exceptions to this are for equipment investment protection inputs and ESF actuation inputs from the PPS, which continue to control system operation with the input data set to its most conservative value. All data communication failures are alarmed.

7.2.2.5 Reliability

Reliability/availability of the RPS plus all Nuplex 80+ I&C components and subsystems is established in the following way. Each component vendor supplies mean-time-between-failure (MTBF) and mean-time-to-repair (MTTR) information on their products. Due to the field proven requirement for any products used in Nuplex 80+, this information is readily available. This information is then used in an availability analysis of the particular system. Parallel or backup systems or components are provided to achieve high availability. In addition to designing for random failures, diversity between similar systems is also provided, as in the case of the Data Processing System (DPS) and the Discrete Indication and Alarm System (DIAS) or the Control and Protection Systems, to provide defense against common mode failures.

7.2.3 Reactor Protective System Interfaces

Refer to Section 7.1.3 for interface requirements.

7.2.4 Alternate Protection System

The Alternate Protection System (APS) augments reactor protection by utilizing a separate and diverse trip logic from the Reactor Protective System (RPS) for initiation of reactor trip. The addition of the APS provides a simple, reliable, yet diverse mechanism which is designed to increase the reliability of initiating reactor trip, as described in Section 7.7.

References for Section 7.2

1. "Functional Design Specification for a Core Protection Calculator," CEN-147(S)-P, January 1981.
2. "Functional Design Requirement for a Control Element Assembly Calculator," CEN-148-(S)-P, January 1981.
3. "Assessment of the Accuracy of PWR Safety System Actuation as Performed by the Core Protection Calculator (CPC)," Combustion Engineering, Inc., CENPD-170, July 1975, and Supplement 1, November 1975.
4. "CPC/CEAC Software Modification for Waterford 3," CEN-197(C)-P, March 1982.
5. "CPC/CEAC Software Modifications for System 80," LD-82-038, March 1982.
6. "CPC/CEAC Software Modifications for San Onofre Nuclear Generating Station Units No. 2 and 3," CEN-281(S)-P, July 1984.
7. "CPC/CEAC Software Modifications for the CPC Improvement Program," CEN-308-P-A, April 1986.
8. "CPC/CEAC Software Modifications for the CPC Improvement Program Reload Data Block," CEN-330-P-A, October 1987.
9. "Safety Evaluation Report Related to Operation of San Onofre Nuclear Generating Station, Unit 2 and 3," Docket Nos. 50-361 and 50-362, Southern California Edison Company, January 1982.
10. "Safety Evaluation Report Related to the Operation of Waterford Steam Electric Station Unit No. 3," Docket No. 50-382, Louisiana Power and Light Company, July 1981.
11. "Safety Evaluation Report Related to the Operation of Palo Verde Nuclear Generating Station, Units 1, 2 and 3," Docket Nos. STN-50-528, STN 50-529, and STN 50-530, Arizona Public Service Company, October 1984.
12. "Safety Evaluation Related to Amendment No. 32 to NPF-10 and Amendment No. 21 to NPF-15 for San Onofre Nuclear Generating Station, Units 2 and 3," Docket Nos. 50-361 and 50-362, Southern California Edison Company, March 1985.

13. "Safety Evaluation Related to Amendment No. 66 of Facility Operating License No. NPF-6, Arkansas Power & Light Company, Arkansas Nuclear One Unit 2," Docket No. 50-368, May 1985.
14. "CPC Protection Algorithm Software Change Procedure," CEN-39(A)-P, Revision 3-P-A, November 1986.
15. "Reload Data Block Constant Installation Guidelines," CEN-323-P-A, Revision 1-P, December 1986.
16. "Nuplex 80+ Software Program Manual," NPX80-SQP-0101.0.


Table 7.2-1 Reactor Protective System Bypasses

Title | Function | Initiated By | Removed By | Notes
DNBR and local power density bypass | Disable low DNBR and high local power density trips | Manual switch (1 per channel) | Automatic if power is ≥10^-4 % | Allows low power testing
Pressurizer pressure bypass | Disables low pressurizer pressure trip, SIAS, and CIAS | Manual switch (1 per channel) if pressure is <400 psia | Automatic if pressure is >500 psia |
High log power level bypass | Disables high logarithmic power level trip | Manual switch (1 per channel) if power is >10^-3 % | Automatic if power is <10^-3 % | Bypassed during reactor startup
Trip channel bypass | Disables any given trip channel | Manually by controlled access switch | Same switch | Interlocks allow only one channel for any one type trip to be bypassed at one time
CPC DNBR CWP & LPD CWP Bypass | Disables DNBR CWP and LPD CWP signals to CWP logic | Automatic when power is <10^-4 % | Automatic if power is ≥10^-4 % | Allows low power testing
CPC CMI Bypass | Disables CPC CMI signal | Automatic when power is <10^-4 % | Automatic if power is ≥10^-4 % |
CPC RPC Demand Bypass | Disables CPC RPC demand signal | Automatic when power is <10^-4 % | Automatic if power is ≥10^-4 % |

Table 7.2-2 Reactor Protective System Monitored Plant Variable Ranges

Monitored Variable | Minimum | Nominal [2] (full power) | Maximum
Neutron flux power, % of full power | 2x10^-7 | 100 | 200
Cold leg temperature, °F | 465 | 556 | 615
Hot leg temperature, °F | 525 | 615 | 675
Pressurizer pressure (high range), psia | 1,500 | 2,250 | 2,500
Pressurizer pressure (mid range), psia | 600 | [3] | 1,650
Pressurizer pressure (low range), psia | 0 | (2) | 750
CEA positions | full in | NA | full out
Reactor coolant pump speed, rpm | 100 | 1,190 | 1,200
Steam generator water level (wide range), % [4] | 0 | 76.8 | 100
Steam generator water level (narrow range), % [5] | 0 | 59.1 | 100
Steam generator pressure, psia | 15 | 1,000 | 1,500
Containment pressure, psig | -5 | 0 | 60
Steam generator primary pressure differential, psig | 0 | 43 | 47

[2] Nominal values given are typical. These values may be adjusted during the final design process.
[3] The high, mid and low pressurizer pressure sensor ranges are combined electronically within the PPS bistable for wide range applications.
[4] % of the distance between the wide range level instrument nozzles (above the lower nozzle).
[5] % of the distance between the narrow range instrument nozzles (above the lower nozzle).

Table 7.2-3 Reactor Protective System Sensors

Monitored Variable | Type | Number of Sensors | Location
Neutron flux power | Fission chamber | 12 [1] | Biological shield
Cold leg temperature | Precision RTD | 8 [3] | Cold leg piping
Hot leg temperature | Precision RTD | 8 [3] | Hot leg piping
Pressurizer pressure (high range) | Pressure transducer | 4 [1,2] | Pressurizer
Pressurizer pressure (mid range) | Pressure transducer | 4 t:1 | Pressurizer
Pressurizer pressure (low range) | Pressure transducer | 4 [1,2] | Pressurizer
CEA positions | Reed switch assemblies | 2/CEA [1] | Control Element Drive Mechanism
Reactor coolant pump speed | Proximity device | 4/pump [1] | Reactor coolant pump
Steam generator level | Differential pressure transducer | 8/steam generator [2,3] | Steam generators
Steam generator pressure | Pressure transducer | 4/steam generator [1,2] | Steam generators
Containment pressure | Pressure transducer | 4 [2] | Containment structure
Steam generator primary differential pressure | Differential pressure transducer | 4/steam generator | Steam generators

[1] Common with control systems.
[2] Common with Engineered Safety Feature Actuation System.
[3] Only narrow range common with control systems.

Table 7.2-4 Reactor Protective System Design Inputs

Type | Nominal Value at Full Power [1] | Nominal Trip Setpoint [1] | Type [2] | Nominal Margin to Trip [1]
High logarithmic power level | NA | 0.018% power | F | NA
Variable Overpower (Ex-core) | 100% power | 112.7% power | RLVSP | 12.7% power
 | 0%/min | 13.5%/min | RLVSP | 13.5%/min
 | NA | 12.5% band [3] | RLVSP | NA
Low DNBR | > 2.2 [4] | ≥ 1.24 | F | ≤ 0.96
High local power density, kW/ft | ≤ 5.38 (peak) | 21 | F | ≥ 15.62
High pressurizer pressure, psia | 2,250 | 2370 | F | 120
Low pressurizer pressure, psia | 2,250 | 1825 [5,6] | VSP | 425
Low steam generator water level, % [7] | 76.8% WR | 44.2 [8] | RLVSPD | 32.6
Low steam generator pressure, psia | 1000 | 843 [5] | VSP | 157
High containment pressure, psig | 0 | 2.7 | F | 2.7
High steam generator water level, % [9] | 59.1% NR | 90.8 NR | F | 31.7
Low reactor coolant flow, % | 100 | [10] | RLVSP | [10]
Alternate Protection System, High Pressurizer Pressure, psia | 2250 | 2420 | F | 170
CPC Auxiliary Trips: | | | |
Cold Leg Temperature, °F | 556 | 505 to 590 | F | +34; -51
Primary Pressure, psia | 2250 | 1860 to 2389 | F | +139; -390
Hot Pin ASI | 0.0 | -0.5 to +0.5 | F | 0.5
One Pin Radial Peak | 1.0 | 1.28 to 4.28 | F | +3.28; +0.28
Hot Leg Temperature, °F | 615 | T_hot > T_sat - 13°F | F | 25
Asymmetric Steam Generator Transient, °F | 0 | 15 | F | 15
Pump Speed, % | 100 | 95.0 | F | 5.0
Variable Overpower | 100% Power | 110% Power | VSP | 10% Power
Increasing Rate | 0 | 12%/min | VSP | 12%/min
Decreasing Rate | 0 | 300%/min | VSP | 300%/min
Band [3] | NA | 10% band | VSP | NA
Low Pressure Floor, psia | 2250 | 1750 | F | 500
Low Pressure, psia and DNBR | 2250 and 2.2 | 2085 and 1.4 | F | 165 and 0.8

Notes:
[1] Values given are typical. Actual values are site dependent based on the equipment procured. Therefore, the site specific SAR shall make appropriate adjustments as necessary.
[2] Type of setpoint generation: F = fixed; VSP = variable based on trip process with reset; RLVSP = rate limited variable based on trip process; RLVSPD = rate limited variable based on process diverse from trip.
[3] % band is percent above measured excore power level.
[4] Calculated value of DNBR assures trip conservatively considering all sensor and processing time delays and inaccuracies. Calculated DNBR will be less than or equal to actual core DNBR.
[5] Setpoint can be manually decreased to a fixed increment below existing pressure as pressure is reduced during controlled plant cooldown and is automatically increased as pressure is increased, maintaining a fixed increment. This fixed increment is 400 psia for pressurizer pressure and 200 psia for steam generator pressure.
[6] Trip setpoint has a minimum value of 300 psia.
[7] % of the distance between the wide range level instrument nozzles above the lower nozzle.
[8] The nominal setpoint is a variable setpoint programmed as a function of reactor power. The trip setpoint has a minimum value.
[9] % of the distance between the narrow range level instrument nozzles above the lower nozzle.
[10] Actual differential pressure values are field determined, during calibration, using fractional setpoints that include all required uncertainty components.


4 N._ ] O 0 1 I I S"steem 80+ - - - - -- DesJa.n ControlCocannent Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis fee. Nonee Peshare heede Cause Sysepteme end Imral hierhed of Deteetten th Campensating Effect Upon PPS Rensarbs and Other Effects Effects includeng Provisten Dependene PaGuree l} Ea<ese a) t;me Or -1 tens of H.V Power 1 mss of dats, ersoneses Annuncienng. . _ by 3<hennel . y (44 Makes seacaw Trup lagic Loss of H.V. Power Supply wel feil na Neunen I% Supply Brestdown in data. Paihne so deuce HI DIAS red DPS sensor salvbty channelis bypass) See Noen for LO SG Level. verantdc three subchannel detectors. To sesesse Monitor insetarson Resistance fies levels. tem (1channelcompensen), (I) overpower. HI RSG PWR. she synenilegic to 2-eue+f-3 Periodic spannet erse. LO DNBR and HI PWR coincidence, the operator anne sessort DENS 24ut+f-2 the bypassed channel to opesaaten and coincidence. shen bypees the faded channet. b) It'gh Ousput e Detecww aberts. Erveneousdata. Potsdale Annunciatms. . by 3<hannel vedumdancy(4de Makes seacsor Trip tagic To sessen the systema Ingst to 2+atef.) continuoas inedravion channel trip for HI DIAS and DPS esturny test channel in bypass) See Neee for ID SG tevel. H1 ee acidence, the spesseur ents restore LINEAR PWR, LO DNBR. Pre. trip and are Hf tJN PWR (t) LINPWR, LO DNBR. and she bypassed channei to operneien and lll LOG PWR. Ett PWR and to SG Level sIsraut Ill PWR DENS t eus ed-2 then bypass the failed channel. DENSITY er LO Steam Necteer Instrument Inoperative coincidence. CWP tagic t-Genernent Levet. Atasm. out of-2 coincidence.

2) Core Outlet a) Low Output Power supply failure: Reduces deha-T power Annunciating, suenanstic sensor 3 channel edundancy (46 Reactor Trip tagic for LO Calcuissed values of DNBR calihented Tesnr. T. RTD buidge networt indicanon. Chancet will wahday test: 3<hannel channelin bypess) See Nose DNBR and HI PWR DENS nuclear power and local power densiey fashne not enp en a valid he ermp, ceanpervene via DIAS and (1) is convened to 2-nutet-2 (1.PD) will change. To sensese the condisinn. DPS. Perindic sen_ coincidence. systens logic en 2+ueof 3 coincusence, the operasnr some semost the bypassed channel en operaenne and then bypass the failed channet.

b) Ifish Output RTD opens or Netweek hicsesses deha-T power Annunctmeing.auenenenc DBAS 3 channet sedundanry (4th Rencoor Trip lati c for ID To seense she myseene logic to 2 cut of 3 failure indention. Possdde and DPS wahony eest. 3 channel h pess) See Nuee 6s DNBR and HI PWR DENS coincedence, the operamr unru tessere channel trips IDNBR. channel esenperium is convened to Ieutef 2 the bypassed channel es opesation and LPD). coinridence, then bypass the failed channel

3) Core Irdet a) Une Power supply failure; inctesses dehe-T power Annunchsting. ausomanc DIAS 3 thannet . - y(4th Restser trip Ingic for LO To seams the synene logic so 2eut-et-3 Temperaenre spurines low RTD bridge network indication. Postdde and DPS semnt vahdity sest. channet Lyress) See Noee (1) , DNBR and HI PWR DENS enencidence, the operamr enua eesenre T, fenere channel wips (DNBt 3<hannelcampatisne. Periode i is conversed to Icut+f -2 the bypsed chem:ct := =ptrasion and LPD). iese. coincidence. thee bypass the failed.

b) One RTD opens network Decteese in dehn T power Annunciering. .. DIAS 3<hannet sedundancy(44 Reactor trip kmic Ier LO Te vesaws the syseem logic to 2-eintef-3 spuesses failure indicarton Channet not and DPS senser entiday aest. chassiel bypass) See Nnee (!) DNBR and III PWR DENS coincidence,the eversent asast restore high trip if Tm goes law. 3<hannelcompenson is eenvened to 2 out of 2 she bypassed channel to operation anil coincidence. then bypass the faded channel. ' Ap;weved Destyn Meterent- hwemmentarJon aunt Coneel Page 1.2-52

System 80+ Deskn ControlDoctemst - Table 7.2-5 Plant Protection System Failure Modes and FReCP, Analysis (Cont'd.) N N.sne Peaur. hied. Cause sympe.ms sad tar.1 trfects Meth.d of Deteces.n sahere C ,ensatine Erreci op.n rrS meis eks and Other Eneci. Isrbsding thyendent Fe8 ices Provis6en

4) Reactor a) One spennes Power sergdy or Less of dara. Isw DNBR channet Annuncereg. DIAS 3<hannet sedundancy crip Reactor try logs for LO Sennet tranimals pelws. Ittua rate Caolans Fuenp loss of pulse amphfier trip persibee. and DPS senior wahday tm (4th CPC channet DNBR is coervened se laureef. seisted as flow. Te sensee the Sgeed Senior ennwasdom feduae, eneck. alena, trip scenes indcanon. anys in bypen) See Nose 2 coincidence sysien logic to 2eus43 daninge to sensor (1) coini;idence, the operaam aram semove thz 49pessed channel to operarsee and then typass die faned channel.

I b) High signal rate Betwenic noise HI RCP speed byus no CPC Annoncanng, autonnerw DBAS 3<hannet , (4tle RPS erip logic for in DNBR To sensore the syseem logic to 2eus- ! indicarms hi RCS flow, or nornial and DPS sensor vntahey 3- CPC channet trips in beconies 2euse02 cosecident. e03 coencadence. the operator unnt flow when flow ai.asany low. chenews - .. periodic bypse) See Note (1) sesence the bypassed channet to Calcutated DNBR wdl be higte een. cperasma and shen tiyposs the failed cheesnel will not trip en volut low channet. i RCS flow. l 3<hannel sedundancy (4th RPS trip Irgic for la DNBR c) Imie signal rese llegit sesestance in BAw RCP speed input as CPC Pse4ripferip alanns To sessere the systene logic to 2eut-lines, loss of signal indicaing le RCS flow. Possible le Annuncueing. . _ DIAS CPC channet trips in would becente I eut of 2 ef-3 coincidence, the opermeer seen sevength, intennsnent DNBR erip la channet, and D*S sensor valulity,3 bypass) See Note (1) coincident. sessore the tivpossed channel to faihue channet c -, periodic epetshen and then bypass the failed seu. channel.

3) Non Targes a) Lew Shoned sesnior. Ervoneous does input to one CEA Anndacianon, aukenutec DPS A pensky factor. See Note Penehy factors are ininseed in One CEA calcairer wet show CEA j CEA Posa,on reser sus pty calcuteene. Possilde CMI med RPCs sensor vnFdny tem CEA (1) the cose pmercuam calcutseors devietson so e5 CPC calcatenas.

i matfunction demand Imsa CPC channels. deveatton. CMI and RPCS (DNBR and tJD operstmg Possihte teactor erip win occur if actressed. mergkin seduced). RFCS noe svadatde.

                                 ),) lligte                             Shaned resnsor.       Erroneous data input to one CEA     Annuncionen. _               DPS  A penahy factor. See Nese    Pennhy factors are ininated an    One CEA cakulaser wiR show CEA i                                                                        power surgte          calculmine. Possible CMI sad RPCS   sentor validsey eest, CEA          (1)                         the cose pecerction calentamws    deviation en ett CPC calcuta mn.

innifoncema demand ison CPC channets. deviation. CMt and RPCS (DNBR and IID operaring Possible reacsor any will occur if acn aied. snargins veJuced). RPCS not avadahle. I c) Osher than Shorted vesseor, Enoneous data input to one CEA Aiunnerieram. DPS Penshy factnes. See Mate Presley fortoes see initiesed in One CEA calculator will show CEA actual position shoned reed calculatur. Possitde CMI and RFCS sensor valatwy sess. CEA (I) the core protectme calculseors devienen se a5 CPC c 1 swinches, power dennand frone CPC channels. deveamon CMI sad RPC (DNBR & LPD merges Possible reactor seip win occue if I seppey meinenction activated seesce(5- RPCS not avanshle. 1 i d) Off sente Becken wire, open I. mss of data or Snenhd data. Annoncienten.DPS eissoniane Penahy factors. See Mose Penasty factors are iniziated in One CEA calentator wiB show CEA . eesinor, electrical sensor valality test CEA (1) the enee pseeection calcolmsors deviatiosi te mR CPC calcutualon. l short, power supply deviaema. CMI and RPC (DNBR & t.PD neargins Possdde seacnor trip will eccur if smalfunction sciivened. eeduced). RPCS noe available,

6) Target CEA a) Imw Shorted sesueur, Er=oneses data enput affects DNBR Anrarutisten. DPS seiomatic 3< hens;et redundancy (4th Makes reactor trip logsc for LO la addmon so she effects klenref'ied in i

m esman power sur. ply and LPD calculanon and one CEA sensor wated,ey test. 3 channet channet in bypass) See DNBR and ill power densey (3) above for manierget CEA smalfenreion calcutseer. cornparisen. Nose (t) 1.nestef.2 coincidence. posieson, possetde trip en eee safety chstuwl. Trip effected will show CEA deviation. 4,y,s,v.ef oe,rp., u,re,w . h.s sw.s, ar nmf c f er,. u sd O O O


v v System 80+ _. _ oesyn confror occament Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.) No. N.n. ran-e u.de C sr .id .nd imai rsats meth.d.f Dee-u inhoeid C n, ens. tine Errect tips. rPs Re.arha d Oiher rs.ca tartuding Deerndess Fogures Provimien

6) (Conrd.) b) Hgh Shorted vessseor, Ersomeeus man irput se TLC and Annonesanon. DPS ause!aimac 3 <hannel sedundancy (44 Makes teactor a y logic for ID in adminion so the effects idesw(mt is power supply (ene) CEA calcuraese. sensor wahdny sent CEA channet in bypass) See DNBR and HI power denssey (3) above for swin entget CEA sostfuncosos devassion. CMI sus' RPC Near (I) leut-et-2 coencodesire. posanon posssble enp in ene safety acevated. channet Trip effeceed ont show CEA deviation.

c) Other esa Shorned sesseint. Ersoneous data input es TLC and Annuncmson, DPS autoinatec 3<bannet 1(4th Makes reactor arty logic for LO In adduien es the effects hjemt(sed in scual posnion shoned reed (one)CEA calculaeor sensorvalduy test. CEA channelin bypass) See DNER and Hi POWFR DENS (5) shove for non-earget CEA swiethes. power deviation. CMI and RPC Neer (t) t eut ef-2 coincidence, posirsee, possahte trip in one safety supply snetfunesion acmented. channet. T6p effected w;5 show CEA devastwan. d) Oty sesht Becken wise, cree Lees of dans, ispalid dare. Annunciation DIAS, and DPS 3 channel; y(4th Makes reactor ergr higw for ID In add'aios es she effcces idewerled in sesisant, electncet sueoenatic senior wahdity eest. channelin bypess) DNBR sad Ill s'OWER DENS ($) above for non-earget CEA short. pow r supply CEA devianon. Ieusef-2 coinc6dence. position, possible trip in one safety snesfuncrina chaset Trip effected wist show CEA devianon.

7) Ime or Mid a) One fa:Is on Sensnr faduse, Hgh PZR press signal oo: LP PZR Annunciation, DIAS and DPS 3 channel redundancy (4th Rearsor Trip lugle for LP PZR Backisp for SIAS is the ceoupinenese Range PZR (High peesmtre ceenyonesit fateuee Press B/S. LO PZR preensre BIS ' . sement validity , chasteelin bypass) Press is coeweverd se 2 einef-2 pessese snessueemesechannel Te presere signal tevet) does not erip for a bona fide check. Periodic erit. 3 coincidence and CSAS, STAS testere the systene logic as 2eutef-3 s,geal condnson. channel cosuparison. logic LD PZR Press 2euter-2 conicklence, the opevaans snese coincidence. sestose the bypessed chasenel me opermison and then bypass the faded channet.

b) One fails off Sensor fashese; die Low PZR Press signal es ID PZR. Annonciating. DIAS and DPS 3<hannet ., y Trip Reecent Trip higic for ID PZR To eenerve the syseene logic so 2eut-(Law peessere power supply fail; Psess B/S. Bistable changes logic . semeer wahdisy Channet Bypess Piesa is convened se e-ousef-2 of-3 coincidence, the epesasar enuss signal level) cren circun stase and iniusers channr1 erip. check. Preirip and trip stoem coincidence and CSAs, STAS sessore the bypassed channet so in channel logic leut-of-2 coincidence, operation and shes bypass the failed channel. g) Hist te Range a) On (High Sensnr fa4ure, High PZR peess signal to HI PIR Annuncimeing. DIAS and DPS 3 channet sedundancy(4th Reactor TRtr logic for LO To sessore the syseein logic so 2eue. PZR Presase pressu% signet cosnronens fadese PRESS B/S and core proiection meannatic sensat validay channel bypass) See Nose DNBR is conversed so 2 eue of. of 3 coincidence, the opersent nause Signal level) calcetaser. HI PZR PRESS BIS wi8 check. Preedy and trip starins (t) 2 coincidence and for 111 PZR sesenes die bypessed channel es change logic suase and initisse in HI PZR channet PRESS it converted to leise- operar60n and ahen bypass the failed channet trip. ef-2 coincidence. channel CWP becornes leut-et-2 coincidence for Ill PZR in CEDMCS. Approveif Desdyre Afaserdet- Ars; erisse enaf Cenerof Pape 7.165

System 80+ Desion CentrolDocument Table 7.2-5 Plant Protection System failure Modes and Effects Analysis (Cont'd.) N Name resure M.de cm e  :- ==d tee.i meca unh.d .f Dnan.n Inn-na c.mysanh g w asup.mers n.m rha .w Oiher mais including Dependent Fanuees Freetsien R) (Cont"d ) b) Off(taw Sensor faihne; d c. ID PZR PRE 3S we decrease Annunciar6ng. DIAS and DPS 3 channet . , tesh Reactor T"P bgic for LO To .essese the syseen kgic to Ieus-Piesnre signal power supply fail DN9R Margin and inniste LO ausentme sensor watedwy channel in bypess) See DNBR is unversed se leut of- of-3 coincidence, the operneer must levet) epen cirtvit DMBR channel trip. III PZR check. Pietrip and er'p alarms Nese (l) 2 coincidence, resense the bypnased channel es PRESS BIS will not trip for in LO DNBR channel operation and then bypass the faded bonarate cordnen. Hay cause LO channel. CWP tog'ebecomes 2 eut. FIR PRESS BIS charuset inp. of-2 camcidence enr this paramteter in CEDMCS

9) 3G No. 2 a) Off Cow Sement failure. d.c. Law slearn gemeensor waeer level Aumentission, DBAS avid DPS 3-channel seduedancy (4dt Reactor TRIP and EFAS logic One channelinoperatree for affeceed I2 vet S+gnal; signal levet) power supply fail; signal to channet bestabies. Ime _ sensor wahdwy channelin bypus) for affereed secase generseur eseam genevnear. To sesewe the SG No. I open circuir level b6standes (B/S) change logic clues Piewy and tnp alarm Inw weert levelin convened se sysnem logic se 2euter-3 Levet Signal state and prip channel fer affecord en tue waen generseer water leuref-2 comentence esencadence, the operneer nuest (Wide Range) sseam generecer level. sessose the bypassed channel as operasson and shea bypass the failed channet b) On(Iligh Senior fa9 eve. High snese generator water levet Asumacsation on hqtt S/O 3 channel redundancy (4th Reac*nr TRIP and EPAS logic One clummet inoperative for effected Signal levet) fadute sgnal to channel testahtes. Im level level. Auspenatic DIAS and channet in typass) for Inw steam generator waser asenne genereme. To sessore the bestatdes for effected secans DPS sensor vatniny tese,3- levet is converted to 2eut of 2 syseem logic to 2 out-of.3 gene star well ans snp on ID level. channel coenparaon_ coenridence for affected seen.4 coaccidence, die opermest noust generner. System win pdl restwe she bvpessed channet se operaie en non faded SG level. eperation and them bypen the railed shannel.

I to) Narrow a) Off (IAw Senser faduee, d c. La l* vel 56gnal as one H gh 3G Aenunciaeed auensnanc DBAS 3 channet .. , t4sh Reactor Trop Emger for HI es 2- To ressose she syseem logic she l Range tsvet Signal Levet) power supply failure, level Instalde for the affected steam and DPS memer valutiry test, channet in bypass) seene eut-et-3 cmacadence.she MSt3 epetamt meess resicae die bypassed Senspr. 30 epen ciscent generator. Distatde wel not enp on 3 channelcernparemon genevnter tevet and See actuaten tagic for H1 seesen channel to operstwa and then bypass No. I; actual HI levet in aseems generaser Neee { t) Genessent Isvel wdt be the failed channet. Nar,ow changed to 2eut-of-2 Range Ievet ***cid? ace. Sensor, SO No.2 ! b) On fHigh Level Sectne fadwee Fahe HI Levet Signet sem en one Annuncensed nuenneanc DIAS 1 channet redundancy (4de Reacer Tny Legic and MSf3 Same as to e) above. l Signal) componese failure swam generaserill1 vel Batable and DPS semer validay nest. channet in bypan). See scanneien ingic for Ill saram l for affected serem generner. Channel pre-grip and trip Note (1) generneor level re the affected l Bistatdc will change logic state and alarms. steam generator win be trip the channel changed to Icut of 2 coinc6dence. l Asproved Dessyer Afeter/af- &rstnumenteeder, amt Cearsrei Pope 7.Ms l l l l O O O


System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

Poe. Nasne Farmere Mode Came sad 1Aral F.ffeess Method of Drtectina taherent Compenserfag Effect Open PPS Remarks and Other Effects lerluding Dependens Feiheren Provisten II) S/G Pernese a) One storious Sensar fadere d c. Imw siese generator pressuse magnet Annuncinemg summerse DIAS 3<hennet redondancy (44 Reactor Trip logic for stemen To ressese ene syiseen logic se 2 eus-Signal No. 2; off. (1sw power fad; open so SG tmw Pressuee (LO PRESS) and DPS sensor estidity sess. channel in byrem). Few genersoor steene peesnare is of 3 conc 4dence the aperseer men signal level) enceit histaNe(B/S)in RPS and ESF5 Prearip and erip stann on low Noer IIL commtved se Beut+f-2 sensore er bypaned channet to theer chemels. B/3's change channet gnp pressure. ceuachtence. Ingsc stain and laneeses sernen in SG LO PRESS for seacane TRIP, generator creestsen sad then bypass and MSTS actuosion. the faded channel S/O Pressure b) One spurioins Sensor fader, d.c. Felse HI Levet sent so one surase Asuiucated sueusnaue DIAS 3<hennel redsedsacy (4sh Reactor Trip and M315 To sesense she symem logic se 2 nut. Sigant No. I off. (Low power reduve genevenis Ht tevet Batatde for and DPS senser wahday era. channet in bypasst See acension Logic for LO SG ef-3 coencatence dw epeator newst sigeel level) afterned secam genersent. Bumble nsanet pre 4 rip and trip Meer (1). Press changes to 24us4f2 resense the byrened channet es wd1 change logic sente and any the alarins. coincidence. , , . ^ then hyress the failed channel channel

12) 301 Ddf. a) One fads on Sesuor fadute edier Ill er normal ddferennat pres. Annuncimang _ _ DIAS 3<hannet sedendancy (4ih Reacsor Trip tegu for RCS Te resensu lhe symesa logic to 2+ne.

Pres. S> gnat. flitgh segnel ecmponent fadute segnet seceived by ene RC5 LO and DPS sensor wahony sess. channel in bypass) LO prhnery flow in affected of-3 coincidence, the opersoor must SG2 Diff. Deve4) FIDW bisable for offecord seenm Pemidie test. 3 channet SG changes so 2 eut-e02. eeneste she bypassed thennel so Pres. Signal genesasor. One channet will not trip compenson. operation and thes bypass the ineled en vahd LO flew candninn in channel, sfiected steam generator. b) On* fads eff Sensor faduee.open LO Differemist pres. signal eeceived Annuncinamg amomette DIAS 3<hennet sedundancy (4th Reactor Trip tegic for RCS Same as 12 a) above. (1sw Signal circuit by one RCS ID Plow Bestatde for and DPS neonor validiry eest. chaasmel in bypass? primefy Flow in af7ected SG Levef) affected scenen generaeor. Dir*ebte 3 channel coniperson. changes es I cut ad-2. will change state niitmemg a channel trip.

13) Narsow a) ON (gues hah) Sensor or I) High CONT P9ESS segnal to: Annunciating amoeinric DIAS 3<hannel # y (4th Reactor Tnp IAgic Sarne as 12 a) above.

Range Cesnponese indtive HI CONT PRES 1 basahne in and DPS sensor wahdgy era, channet in bypass) vedundancy poetawe is Contanwnent M ==nel and in ESFAS Pretrip, and alarm on high converted so 14ut+f 2 Pressere channet. BIS change logic state, comovernes peessave ESP. camcidence and CIAS. SIAS, Signet and initiates channet trip for CSAS channelindiceten. CSAS and MS!S Ingic for Ht hgh- . presawe for .. peesseee leut+f 2 PRS Trip. SIAS, CIAS. CSAS coincidence and Msts h) Off ignes low) Comprmem fadure, 2) One Ilf Ili Cons. Pres. twatatde Annuarianng _IMAS 3 channet sedendancy (4th Acasutena 1"gic for CSAS Sane as 12 m) above. DC power supply conssandy receives a LO or and DPS sensor validey tem. channelin bypass) changes to 2eut-of-2. failure. epen cirevis innrmat -_ pres seis. Perindic 3 channet sigerit. Bestatde will nos change comparigen. logice mate for a entid Hl HI cent. pees. condwwm.

14) Intentionally Blank

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

13) Ceeieval a) No dana ouvin f.ees of AC power; Ims of effectre CEAC. CEA Waschdog tuner toeces dam 2<hennel redundancy See None. TLC uses data frne she other CEAC Flement - . fadere; panwum display miernemen se DPS. hans en tranuun reros (0) to Mese (IL TLC's use and annuncontes f>5use. Resnicted Assemhty Data ind failuee; Less of CEAC crersant's module TLC's, which see tenerpreted peneky factor from per Techascal Specification LCO Cakulater petity check function. by TLC's as a failed semaanng CEAC as operonen web one er two CFACs Armit metic, lage er CEAC. Annonciareg on CPC generate CMt. RPC and cue of servae.

memory faduce operaser's mndde. DIAS and macear trip signels. DPS. b) Erroneous data CEA position senwr Fahe CEA devutun:s er CEAC Aarnmetaurg stana en CPC 2<hsenet sedundancy See if erroneous penahy facsor TIE compaws data froen the two eveput failuse 4epuer eueres c.L J seeule in ' of epeveene's nandute. Nose (1). TLC's u= siest large eneugh; and THBR er CEACs and asutuacities say failure; data tiet erveneous pensky facters to TLC's Compenseeof CEA posiion t conserveerve CEAC penehy LPD trip. signifkant dificiences. Resnicted faduce e whenesic, ehsplays. < , _ of hke factor to generase reactor operanon per Technical Specifientina Ingie er see.nory pe senecers en opersese's erip s'tnet. Em wah one se two CEACs one of faduee modules. service,Dependaag upost penalty

                             ..                                                                                                                                                                    facesr severny. TLC aney genrense CMI sad RPC desmand so Power Cowent Syssesa
16) Core a) Tripped Less of AC power. $sgaal walklassen alarna few censral Anmmciating PPS atann en 3<hannet redundancy dei Reactor trip ingic lur DNBR Computer shuts down he enterfy Pretectum inputteufpus failure. Deerd displays Fnoneems eskutaaed channet erips. 3<hannel channet en bypass) See end LPD is converted to teue- sequence upon toss of AC power sad Calcutasor arithnietec. logic or seguhs. compansons. Annuncisnng Nat (1) et 2 coincidence seennes mannel operarism when mentory failuee wasttuing timer. powes is seshered. RPC deniand.

senser failure. CWP logics in CEDMCS see convened as ieut-of 2 coencidence. To esense die systene logic em 2-emo of-3 coincidence, the operator snum resense die bypassed channet es opesstion and then bypass the faded channet. b) Semys in _, - -, fashnes Ernmeces esicaineed resuhs. 3 channel comparisans. 3<hannet vedendancy(4th Reactor anp 1;pgte for DNBR Computer dwes down in codesty unevirred state arnhmeist. Ingic or Annunciasms wachdog tiener. chaarriin bypass) See and ISD is en coincidencs of sequence upon kns of AC power sad i emenery Initore Name it) 2 out+f 2 sentammg channels. resinnes normet opeention when l sensor laJuve poner 6e ressesed. RPC Demand. l CMt and CWP Ingics in CEDMCS I are convened so 2-outef-2 I remaining channels. To restove the l system logic so 2ew of-3 l coencidence, de operator snust l sesenre the bypassed channet es j operation and then bypass the failed i channel. I l Apprevmf Desy afanerrar - ers . ^ nrore enef Contrer rege 1.2-5s l l 9 . O O

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

37) Escore a) T:euble (ms of power Tenutde annunc. setsys de. Annunciating we a)lAS and khannes . "y fer RPS wir logs for W SO To reware she system logic es 2 eu&

Neutron Flus annunc. supply, open cacuse. energued; .  : NI tenutde DPS. td SG level. LPD and levet, LPD and DNBR goes es of 3 concedence, etw egermest must b6niusorms twe=Ne fads .c foetuve indraemn and sparinus LO SG Deen; Mene for ersuble I eus ef-2. sese the bypassed chenect es Signal off level LFD and DNBR ch. wira. annus. (4th channelis egetation sad then bypass the failed Processor bypass) chamel. (Ch. A Safety Typica") 14 TawNe Covupanene fadure. Termble semane. retsys not de- Permde een, auch of ammac. 3-channet . _ , (4th RPS enp ings for LD SG Ssms as 87 a). annunc. shore ences energire durmg Mt seu er when dorms NI ses . chonnelin bypass) level. LPD and DNBR enay go NstsNe finils on there is eroutde la che NI drawer-. so 2eus of 2. Imes of swable anners. LO SG tevet. LPD and DNBR bestables not tripped; LO SG I.eert. LPD and DNBR Matatse= m one trip during Nt test due a erroneou; % c) Trowheelisas- Coniset e c and weld NI een er meuble as NI nne T erende P test, lect of annunc. Mene RPS erep higac mut effected. Sameesifsl. Ne setsy annuncias d. during Nt test. conosces s enruent. circuit fad cleted. d) TrouNe Open circun. sneck. Spurmes Nt en uble alarms. Annunciating wie DIAS and None RPS erip ingic not affcceed. Same as 87 s), bistaNe celay fadere DPS. cenesets e annuac. circuit fait open. e) TrouNe Contact sit and wekt LO $0 level. LPD and DNBR Annunciatmg via DIAS and 3-channel redundancy RPS enp logic for LPD sad Same as Iy a), bsstaNe relay bistat ses in affected ch. =di mot be DPS. (4th channel m bypers) TWBR goe se leut-of-2. contacts se seiered during NT ch. sess or wlien power trip test ease is escutde he the N: drawer inserlock fad LO SG level. LPD and DNBR closter bestaNes sney ant trip due to erroneous data. l 0 freuble Open circuit snech. Spurwue ch. orips for LD 50 Level. Annunciating via DIAS and 3 <hanacI scthemNy(ddi I Rf S enp logic for LO SG Sanw as 17 a) Instatde eetsy Indore LPD and DNBR If snp chaemet DPS. chaemet in bypass) sevel. 
LPD and DNBR poes as contacts is bypesws nne ergel. linetef-2. power er:p eent inserlock fad el*# Approved Derips Afarerret- Asseur reererios and Carrerof Pepe 7.769

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

17) (Cont'd1 g) >10'%los Same as 17 a) Butahle will met energue when "eriode test, anasone ch. erip 3<hannet sedundancy(4th One ch. of HI leg power Same as 17 m).

gwwer emsbie power escees e s 10 4. One til Ing Hilos power bypass channelin bypass) tripped at power. Other 3 benable fails power nip ch. cagnet be byyessed. perunssews not undicastil at channels can sedl be bypassed off Prebalde ch. any for lugh log power. for opermeson. I power. by DPS. h) > 10 '5' ing Same es 17 b) Bicatde em be energired at as 3.<hannet coenpsneon by 3<hannet redondency(4th RPS try Ingic for high Ing Some as 17 a). power esat4e powet levels. Operasor can bypass DPS and DIAS channel in bypass) power becernes 24ut42 if bestable fads on HI log power bistable at less than asuuriciased.penodic test. ch. is bypaswd. 10'% i) < 10 *% Ing Sense as 17 m) innenhae relay will ant tw energued Perindic test. 3 channel 3<hannel redundancy (4th Ovae ch. for CMI. LPD. DNBR Sanie as 17 al. power enable beknr 10*% power. CWP wel not compernen by DPS and DIAS channet in bypass) and CWP enpped at 14 power, bntaNe fails be bypassed end CPC cannot te annunciated. Osher 2 channels can still be off bypeswd. Srerious LPD asid bypassed , DNBR ch. erys at I.o power plus l spunres CMt. CWP's at Le power p < 10 *% k+g Same as 1714 thstable setsy wGI rentain energired CPC bypass pernesseet 3 channel redundancy (4th RPS nip kigic for LPD or Sans as 17a. CMI sad CWP Ingic power enable above 10*% power. One TLC well indicance, periodic test. channel he bypass) DCBR becomes 2+et+f-2. he CEDMCS become 2+utet 2. bestabbt fads scenain bypeseed and one ch. for en CMI. CWP em sessisen bypeseed h) < 10*% tog Mech. fsdu,e, open TLC bypass pennnseve lor one Periodz erst, annunc. for ch. 3<hannel redundancy (4th No knpect en RPS enp logic as Same as 17 a). power ts able circuis channet ant enshled below 10*% enp see DIAS med DPS. chasinet in bypass) ether CFCs can stdl be bistable power. Unable to bypass one TLC. bypassed. cessacan to Possdde CMt. LPD and DNBR ch. C PC fa4 open wips as low power.

1) <10*% log Contact arc and weid CPC bypass wHI nat he nues- CPC bypass indic. periodoc 3 channel redundancy (4ch RPS enp logic for LPD and Sarne as 17 at CWP. Ollt and RPC pwer contacts snaticatly eemoved at 1t*% test. cheenet in bypass) DNBR beconnes 2+utef-2. demasullogic in CI'DMCS becesnes so CPC fad 2+me of 2.

ch> sed m) Rase of change Some as 17 b) 1. ass of annonc. at HI raec et change Periode test. 3<hannet redundancy Ill rate of change of power erpower of power for one che anel. announc. logic goes ao 2 eus-InstaNe fads en of-3 in DIAS and DPS. l n) Race ei! change Sans as 17 b) SpurinsesIli raie of change of power Annunciateg was DIAS and None Ne isnpact en RPS sip logic. ! ef power alarms. DPS. bistat$t fails off Approved Des / pre Afererfor- hoserwertreffers ensf Ceneef Pepe 7.2 60 0 9 O

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

17) (Cont'd ) e) 1.mg power Camp. fadere Vehdanen sianu for leg power level Annunctanag 3thennel 3<hennel . y(4th No hupact en RPS any lager tevel sunumers inds, se ename cormal honed or , by DBAS and ctimenet in bypass) above le 4 power. Esse then fad III senmee shutdoes ases.143 power DPS. periodic sess. 1854. PPS aip ingic becomes channel eip it tens ihen IO*S I4nstof-2 coincidence.

p**er-pp Log power Casup. fadere, eren Validanon scann kw Ing power tevel Annunciarug 3thosuel 3<haues.. _ y teen fee snipecs on RPS erip less level susumers encun nuhc. at amen connel board er . ..by DtAS and thennet in byrees) logic than 108%. RPS erip Ingic fait sif senione shutdown ases. DPS Periodic test. shove IO 4 power. becomies 2+inef-2 eninh ag) Caisbrated Comp. faanse Vahdation alarm for hacar power . Annunciunag 3<hannet 3<hannel y teth RPS V0PT eny Inge See Nees (I), knear power indsc. se susui comesel homed. Rane comparisen by DIAS and thennelin bypass) becomes evincidenre, te,eg ameners Innised V0PT tsunable ch. erip. DPS. Perank erst. t endwsf-2 fad Ht r) Catttuated Cosny. fai!use, open Yahdation atsem Ice tueear power Annunciating 3<hannel 3<hannet sedundanry(4dt RPS YOPT wip ingic See Nase (1). lineer power cisceit indic. en main connal based. c . . by DIAS and cleanet in bypass) becomers concedence level sunumers DPS. Periodsc sens. 2+ut-ef 2

  • fads erf s) Rate of change Comp. fadine Yahdaeios alarm for power change Annunconting 3 channel 3 thannet . y (4th No hopect on RPS erip togic.

of power emne indic. at snain coursel beesd and . . . by DtAS and in bypass) summers fads DPS. DPS. Penodic test. Ett. O Rate of change Comp. fadere, open Valatanon alann for raer of change Operasar periodic sess. 3 3thannel -y (4th No impace en RPS erip logic. of power circun of power indic. lar enc channel. channel sedendarry channelin bypass) suneners fads Anamicamesng 3<hennes eff. cemparisonby DIAS and i DPS. ' 1P) ESF Innierson a) Off taas of power so Channel *A* SEAS imesanon segnal Annuncimang auseenene frone Redundant channel SIAS ESP - CCS acinanen logic for Relays (SIAS initimeing selay sene so each sedundens ESP-CCS PPS imerfaceAest pencessor Inisiaeine gelays and logic SIAS changed from nelective 2-Channet A cioruit. l'iber optie tram via DtAS and DPS. Vasal noe affecsed. of d so selective lef 3 Typical) driver cheme fads hadscanna at PPS local and coigeidence. off er electric centrat sonr* epersoors

component failure. modules.

Wiring or fiber optic open circuit.


i S. ystem 80+---_- Des &n contrer Doctanent Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.) n en F.eine asede c==e syminem ==d nac.t mwts it *w .f swerie. i.here.it comic cmg mat op res memars. m.d other meca twehuhng Depnadem Paeures Freefden it) (Cess'd.) b) Oen Inmarang actmy er Channet *A* STAS enmuesan syvuut Annoncuams seminimac freet Resendant channet SIAS ESF -(TS acimasion legt for Tiber eggic drwer not aranusumed so each sedendant ITS inerrfacehrst processer inherum sc4ays and hge tMS e*1 nged heen setecisse 2-cucun Inds "ON* ESF4TS erne for boena fkle SIAS via DtAS and DPS. not affecsed. ef4 at selectwe 2ef-3 logic. Indaring wirug er try synal PPS kgr fauk keeps canns enehating setsy eerwed

19) Repecee ) Off Remaer sunneal De-energwen SIAS Nunel "A* Anamacimewg euomnant fnun $sme as 26 et Sanne et 26 m).

Stanual ESF swinch cceance er isneseeme sefay evepuis se an ESF- PPS minsfaceltest processor tenanwe wireg fair.epen CCS treaut von DtAS and DPS Visual (SIAS cacrit. edtcarson at F75 kzal had Channel A cesmei neem opevnents-Typust) andales b) Om Remnse tasanest Unable se deenergize the STAS Pencds manoat erweg. Saane as 2ti bt Rediendant Remose nennual acusasme logic Autommer STAS imrienna sqquaes swah coenace or chonnel "A" innehon velays esmg snant:st swisches evadalAe. changed from aefectr=e 2ef4 uma4ected. wwing fads showerd. the vensier manual twisettes as 2ef-3 comicidence. 201 Buentde Try a) Off Esse of power BastzNe trip emigges generated to Annuncienne : . tycas 34:hennel sedundancy (4di RFS and ESFAS t CI4 To sess we she sessem kgm se 2eus-Procesaws seppey er fashrers in LCL peacesmr em same channel and PPS inneface/ ten swocessor channet a bygess) renversed en ieutof 2 ' ef.3 coincidence. she creussor ame (AI.A2. b- . es sedundam chewwl LCI. wis DIAS and DPS Processer defnetes esigets comcideast. resepee die bypeswd steamrwin es Typical) menhag4euees: pencessors via reasone channet UO se try unee operatina and does typass the ftStd Federes (havdware denps. Pre 4 rip and trip siganis tusable trip processor . . er nonesee)of CPU gemesseeJ in chuseet loss of benetde input poennereres and or data stems to DIAS and DPS for affected

                                                   ,                                                                                                                                                         channels.

Finks; Erroneous tnp wgoiarn b) On input er suspur Bntat4e outpar devices will ans Amauncietmg aneneanc fema 3-channet redusadancy (4th RPS and ESFAS LCLs Same as 20 at medisplexors faa to change state for hannfase try ITS interface eens processor chsenr1 in bypen) convened to 2 eus of 2 sespond to CPU condninas eie DIAS med DPS. coincidence. twetable wip logic denenes CPU fsdures (hardware er sohwave) any esecution; Erroneous Hip SeToHWs Ap; rewed Desips Afererial- ArreursrettfsWore med Correrof Pope 7.2 62 O O O

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

21) Cross a) Oef IAssof peser Fanure es _ see over cross Annunciarms suennume fmse 3thessiet vedendancy (4eh RPS ard ESF LCLs with faded Te resome the syseem logic so 2e Channet supply er faause in cw eMa heks is detected by PPS beerface/sest peacessor channet in bypasst dam hnt er ervenecos trip of.3 coincidente, dte opersent munt Resnote I/O inpne/amiyat sedendome channel LCL processors, vis DIAS and DPS. inpos coweened te l<nnt+f-2 sessore she bypassed channels to Demps (AB, snuanplexer, dass which then inmase bntable channel coincidence. Others semeen in operation and then bypass the failed AC, AD _ trip inputs es their ceincidence 2+ur+f-3 connemiente. butable trip peacessor persnarers.

Typicaf) hnks er erncal logics. "'noneous trip segnals hetneurs; Open sensed by tfL 2+ut+f 4 corcensed bistable trip reincidence logic n a histable trip emipus wirtre es input. eenmie WO dmp irip iriput. Erveneous trips sees ever dma hnks. b) On I-adese of inpus Bonafsde histsene nip sigants are Annmacisting svensnatic fearn 3&nnet sedendancy (4th Affected RPS and ESF LCLs Same es 28 a). enndules to detect nos ecceived by redundant channel PPS inserfacelerst peacesses channet le bypass) caneersed so 2+ue+f-2 change of sense er ifl. processess. ein DIAS and DPS. coincidence. Others seemin in b6stahoe inputs. 2 esser 2 eoincidence. inputfeatput card stops enecutunior fans to sefresh entpua. Essenceus data in c__ '_ sfion buffer; Shorting of bmahle trip atnput woring se resnese I/O drop. Appread DeeApn Afsterhaf- konermerrration omf Connef Page 7.2-63

Dnign ControlDocumnt System 80+ __ _ . ._ _ Table 7.2-5 Plant Protection Sutem Failure Modes and Effects Analysis (Cont'd.) sympawns med f.mrel FRecte klethod of Detect 6mm Inherent Compensating Effect Upse PPS Remeeks and other Effects No. Nome Ifasure hie 6 Comme Rhuting Dependred Fanures Provtsion RPS and ESF mtmaten segnais are Awamcatmg aspoment fveen A senmusan of twe RPS er RPS and ESFAS LCLs sessam RTSS and ESFm acasaison logsc

22) tscal a) Off Emss of power is convened to selective ieutif 3 supply or faAsses in generased in she affeerd PPS bay. PPS interface acia r processee ESFAS nutsmsene channete in 2eus ci-3 m she other Comicidence The aflected RTSS breafter we via DIAS and DPS. nest be generated as cause sedundant LCL ptoce.Jors (4dt toencidence.

Inic (tfL) inputtoutput casd; sencter er, or ESF syssem channet bypassed at tussables'. Processors Faaores tha,dwam opent (Al,A2 er software)in CPU actuation. Typical) er data comnusnications fiser, Open circuited testable trip cusput wirmg en LCL processor; LCL RPS/ESFAS output inchavion re%s fad de<nergized WF* or wising open ciicut Feduse of tfL enpus Affected LCL processar win not Annunconng smoommac frem Two sedundant sets of tfL RPS and ESFAS tria semain RTSS and ESF CCS acusanna Ingic b) On siendules to detect sespond to boneTale inesbie trip PPS interface / test processor piecessors he other 24et+f-3 in edier redondant is convened so selective 2.eise of 3 change of sener of conditions. RPS sad ESF metaten via DtAS and DPS. channets. Unaffecord Ift, LCL processors (4th channel coincidence l processor in sans channet bypassed at Instandes). tesable psecessor signats will out be genernmed by ihe l is available to bunnee RPS I crip cuspues; Feikeses faded LCL processor in the affected (kaedwase er channel. and ESP functions. [ l softeare) senp CPU Manant acnastine em er fail to sefresh affected. LCL empdes; IfL RPS/ESI AS ouspur setay dnvers fail energized *0N* er l I centacts/ wiring shorted. c) blo,e dine one Failure of LCL tlypass creer annuncetor. Annunciating automatec from LCL designed so seject None, RPS and ESFAS Ifla bistable bypass peccessor input PPS interfaceA-m pmcessne ennse skam one trip channel temam in 2+ut of 3 (4tle presevat en nondule er wiring via DIAS and DPS bypass. FourchannelLCL channelin bypass). LCL input sedundancy. i l 1 l l l l 1 l Appresd Des. ape Ataterlat - hustremeentation anet Controf Page TJ.6d l O O O

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

21) Inierfaces a) ITP Garway-l I. mss of internal tma of CPAC, Btsemble. LCL and Announciacing automatic via ITP's in sedundant PPC tiene DPS preterms signal valdmon Tem Faits off pcwer supply. RTP status or data es DPS. Ims of Test processor PPC channels ' wels semaan avaiialde. based on semaining redunded Pvocessor fa5mes (hardware er PPC operators Module at RSP if resnnen self healdt sinus of . table and IIL channet _

(Channel A softwave) er desa coaeral aansferred froun MCP. data -_ -- L-- via Pmtessors csannue en Typical) conunumessions DIAS. DPS anraracistes da operate based en lae wahd links which halt heahh status snuestorms of dam input fuorn PPC esecesion. . Periodic operneor's snodule if m use serve!!!ance and sessing by at RSP. PPC Maimenance operasse. and sess penet sevnains avadatde. tv) fTP Oneway-l Fadeses (haidwave Frvoneous data seceived by DPS, Fxraneous saasus indicaeion Beste hle and tfL RPS and ESFAS tft.s PossAde spunousthanneltrips and faits en er software) cause RSP. PPC Operasers Module observed, periodic peccessors contmue to convesied to I+utef 2 IfL inittation in channet A. erroneous dma veceives erroneous data if in use, survedlance and testing by agerase. Also )<hannel coincidence. tra.. Erroneoes data transmmed se operator. Possible redundancy (4di channelin bisamble and ifL pmcessnes. z-of bisenhie trips bypass). and ifL suspenses to erroneous data via DlAS. c) ITP Gaseway 2 Same as 23 m) Ims of Ttf. bimable, ifL and Same as 23 a) Binable and ifL RPS and ESFAS coencidence DIAt and PCS rerfona signal faits off ITP status er data sa DIAS. tms of processors cemenee to k.gsc rema6ns ht 24ut403 vahdation based on segnammg PPS data so PCS. tms of MCP eperate based en test vahd logic. sedundam channel informat i on. PPC operators module, no response data input froen PPC en operators actions for variable operators anodule. 3-setpomes and bypasses. channel sedendancy(4th channet in bypass) eenance and een penet remains avaHable. d) ITP Caseway-2 Same as 23 b) Erroneous data received by DIAS, Same as 23 b) Same as 23 b) Same as 23 b) San as 23 b) PPC operasers madute and PCS seceive creeneous data. e) Test Psorenor Same as 23 a) Automatic sesring within channet Annunciasmg amenmatic by PPC rhannel A Instatde Same as 23 c) Automa=ic ersting af sema6nmg PPC fails off disabled. 
Inability to perfasa trip ITP's sett heshh status checus and tfL processors channel can cominue except for channel bypasses frone MCP er RSP l in sedundam PPC channels via cominue so operase wish initiation logic, due to lack of erst eperssors modules. DIAS and DPS. Periodic tast vafid trip channel permissive from affected ITF erst l mantenance and manual sests. bypass states until changed pmcessor, v6a PPC maisuenance and een panel. Alca 3-channel sedundancy (4di channct in bypass). Approved Design Meteriel- krstrannentation and C>mtrof $2/961 Page 1.2 65

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

23) (Cent'd.) 0 Test processor Fadures (hantware same as 23 e) Same as 23 a) Same as 23 e)(In addunon. Same er 23 c) Same as 23 e) fails en er nohwere) wahm the fonowing comunions psocesser.110 er ave budt ime die PPC Icgic data se prevent acswe sest or tents shas hatts peacessor smalfunctions cuecmion with tem froen inseriereg with its signals apphed. psosecswa funclinns:

Processor er data _ send s. Ibsenhie logic is eneneous signals se designed en ese signal PPC. closee to lhe trip set W

b. Bistable logic has built-in timer to remove test signal
c. LCL bypass logic contains rrm-ta-interlock that allows only one of the four input channels to the 2-out-of-4 coincidence logic to be bypassed.
3) Test psocessor Fadure of nest Operator observes erst sesuks does Assomatic _ R - cross Aunwnaue cross channet Sameas23c) Same as 23 e) produces software. I/O not agree wah cuneni PFC stanes. channelcomperinon scross cenustency checks by incorrect test e'ectronics, or dava tenen other . ' - 11P's redundans ITP's la ether sesuhs. communicatsons via DIAS and DPS. Periodic channets.

error. enanuat erst by steppmg thsough each test processor seu and comparing results to - actual PPC stases (bistable and 1Ct. values) esmg the PPC Mairmenance and Test Panet h) Network brutge Electrones fath =es. tess of sest feedback data hasa Autornatic annunciation from Same as 23 b) and 23 g) Same as 23 c) Same as 23 e) from EST-CCS epen er short citeelt ESFRS selective 2+f4 logic. test processor as ITP test Division A fails of wiring. Erroneous test fsehste alarm hdwre alarm k DPS and off or en Erroneous data generated. DBAS. transmissinn. Approved Destgre Afarerial . hrstramsentaucer and Ceeptree Page 1.2-66 O O O

System 80+ Design Control Document
Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

24) RPS tsiriation a) Undervehage Less of powe, RTSS TCB 3 under vehage ny Annmicaeng saemnatic from keinsinssig LCL UV RTSS actieshon logic changes AR CEID4s rement energired.

Circuits inarimeion sierpfy, setay open encais de encesired and TCR wel PPS imenfacenest syssem ein iniharios seisys and logic feose seleceve 2ef4 no (Chansiet A selys) fails enceit, relay comace open. DIAS and DPS. hweic not not affected selecnve lef-3 coincatence. Typicat) *off- er wirmg epen affec#ed. Vismat isodicaeson as chcue PPS local and ecspeel sooen opersents modules. b) Undervelmgs Inhiarion seley RTSS TCB-t ander vokage trip Annunciates aissomatsc freen Renomm6mg tfL UV RTSS artmation becenies Manual sencsot wip capabahey ietssten contact shorted or semams energired and TOB will met PPS interfaceaeit syssem en hematma setsys in same selective 2ef.3 enencidence for relay (s) fans welded closed, une.fiected. AtJ.OEDM's wmain open for bona-fkle RPS UV trip DBAS and DPS. channel affeceed. Shunt wip affected LCL UV arip. RTSS energtred, "on* V' iring er PPS higic signat, instineen retays not acmation semains selective 2 fault keeps seley affected. UV innsatlan ef4 for shunt trip and energered setays en sedendans PPS unaffected UV innianon relays. channets not affected. IsHrladon selays IE vedundant PPS channets not affected inntston c) Shune nip relay Inuiarion stays open RTS5 TCB l shunt wip semams de- Annunciating annomatic from Renwning tfL S.T. RTSS acmation becomes Manual seactor trip capabihty fads "on* apon de- ener3* red ased TCB edl not open for PPS interfacehen processor isiination telays in same selective 2 of-3 coincidence for unaffected. All CF.DM's remain energiraeaoev. PPS bone-f=de RPS shima wir signal. esa plAS and DPS. channelnot affeceed. UV affected ifL shunt any energized. kigic fauk keeps inaiation selays not inweation relay. RTSS setsy energeted, or affected. acmation semams selective 2-open ciscened nuerus of4 for UV wip and unaffected en RTSS tfL S.T. initiation relays. d) Shunt pip t.ess of power RTSS TCB-l sham wip emett ired Annuncindeng . Evone Redundant seveasams 3 RTSS acmaroon becomes AR CEDM's semem energized. 
Wsiatman actay stepp'y. relay open sul TCB edt open. PPS interfacchese psoceswa PPS channels of S.T. selecove lef-3 concedence. fads *cif* circer et camact via DIAS and DPS. Visual inseimaton setays and logic shorsed or wasng indication at PPS local and not affected. UV inihmeinn short conWI sones operasny setsys not affected snodules et UV teme delay Time delay de. Same as 24 a). Sasese as 24 a). Redundant remaining 3 Same as 24 a). Same am 24 a). fads "otr energires or PPS channels of UV thne prematurely tinies delays ant affected. otit; Open circuts coil er camacs er less of power supply A,, . : .2 Destpse Afsterief - hesframeent.~eien ener Cenuof Pope 1.2 67


24) (Cont'd.) f) UV sinne delay Tune delay does not Same as 2414 Penndic nimiseensace and Redundam . . 3 RTSS actuanon logic becestwa Manual seecsor kg swech kigt faits "en* de-ene* gen er fads nunmal erst. PPS channels of UV sines selective 243 coincidence for beconws selective 2*f-3 TCB UV en time eue er detavs not affected. Shem UV enpa cesucie nce.

sha 1ed cowace og cheuers wanin enspus functional 2 et-4 comicidence. g? Shunt trip tune Tyne delay does noe same as 24 c). Same as 24 n. Reh'=== 3 PPS channels RTSS acasasina higic beconnes Muusal reactor enp swech leget delay fads "off* energize cr fads as of S.T. emne delays set selecnve 2-ef-3 concidence for becomes selecerve 2+f-3 TCB ST rene out. Open affected. UV trip cacerts ST erips. cemcidence. ciscoia coil se contact semmin functional 2 er 4 concidence h) Shavia trep delay T sne delay energtres Same as 24 dL Sanne as 24 d). Sanas as 24 sh Same as 24 d). Sanie as 24 dL fai's "on* er premannety tienes out er shoned ceemact output

23) RTSS Tnp a) Cren Less of 125Vdc Bus TCB l opens. Aansaciating auenestic fiens Oiher 3 TCBs not affected. RTSS acasation Insec changes All CFDMs unsain energteed.

Chreit I comrol power. PPS hiscrfacenest peacessor frem selece6*e 2 ef-4 se Breaker Spurious acsmation of via DIAS and DPS. Yhiset selective les.3 concedence. Actuanon S.T. or UV cods; indranon PPS kcal and (TCB t 108 enechanical control ennen operneur Typsal) fadure snadules. b) Closed TCB mechantal TCR-1 =dl not spes. Manual periodic test. Other 3 TCBs not affected. RTSS actuauon logic changes fashne: Fadu e of so selecive 24 3 cemcidence S T. and UV cods so for 3 other unaffected TCB's. trip becaker; Shortutg of 709 nemen comractors 24 Mantsat Tny a) Renesee swach Mechaarat swath TCB I wdl not open. Maneral periods test Other 3 sedundam remote Demost manual enp acMission Local manual snechanKal trip

       $wisches            at MCP or RSP    faihere of " shunt" er                                                             manual tnp swaches not           kegic changes se selective 2 of-   swaches at TCB's remain available.

(TCB I fads Off 'UV* er %nsh" srip affected for naher TCDs. 3 coincidence. Typiraf) sweech posnion Amiomatic RPS erips not contaces. UV affected. shofted or ST cpen l cieceis. spore,es oesma starw- s,sewnenfoawn mut coneco raos u ss O O O


System 80+ Design ContmlDocument Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.) sy=pe.ma.nd secas ffwa unn.d of Dominen inherent Conce-enes rfrmu v.nerS Remarks and Oihe, sfrecis N.. mee Panure u.de Cau including Dependen1 Facures Providen Mnhanical swhch TCB I creas. Annunciating auseneste fmm None. Renune mensal enp acasaisen

26) (Cent'd.) b) Resnose swach at MCP er RSP failuee of " shunt
  • er PPS inserfacettest processor logic beconnes sekenes lef-3 rads On "tF er "both* enp via DIAS and DPS. Vessel comcidence.

ewittle peestson indration at PPS local and comacts. UV open contegt secen operator er ST shoes escus. snodules c) Local swinn se Mechanical er!p TCB l wal not open. Manual periodic eest Oiher 3 sedundans local tacal manual erip ingic Remote snanual trip swaches semmin RTSS fads Off swech Jam er fads. Inansat trip swaches not changesto selectWe 2ef 3 avadJda. affected Ibr other TCBs. coincidence. Ansonentic RPS* enps d) Local sweech er Mectennical enp TCB-I opens. Same as 26 b). Mons not affected. tacal saanual erly actuation AN CEDM's sesnaen energized. RTSS fails On swach failues beceenes selecaive ler-3 coincidence.

27) Manual Close a) Off PPS operaenes thenble so energipe TCB cloeirg Visualindicasson inun PPS Other 3 TCBs are not RTSS actuation becomes No impact on RPS Initiation er Switch (TCB- mindule faensee er cucuie se close TCB after manual local and remose operaser affected. selecisve Ief 3 ceincidence if RTSS actuation.

I Typiral) imenfacehen eene or auennatic arip. nendules. Visualindication affected TCB is apen. processor eueput from DIAS and DPS via PPS selay fads to se< lose interfacehrst processor contact: Brden wire se TCB b) On PPS operators if TCB was previsedy open and no Mar:nal preinde test. TCB will saill open on trip RTSS acasation h sic nonsens Ne knpact on RPS intenehm or enndule failure or trip signal (S.T. er UV)is peesent; scenal Osher 3 TCBs not eclectwe 2+f 4 teencidence. Ri33 acenation. inserface/ test TCB wdl close and de<nergine hs affected. peacessor euspot ektse cons. If breaker parviously eetay closes contact; closed no effect.109 opening will Shrted wuc en TCB sety en sensed speing fos bana fide enp seinat.

28) Ahemsee Pro- a) Off APS any signal not M C41) ouepus load comiscear not Perknhc sumunemance and PPS sensors and RPS logic No effect on RPS or RTSS. M G oneput cesuractor enn be accolon generated due to opened by APS. sessing dunns sefueling. independent, diverse and snanually opened.

System Trip sensor faihsw or separam inun APS. Signal Process-CES fadute (ChannelX . Typeral) b) On APS arty segnal M4XI) emipur load contractor Annunciation ausommeie fruen RedeMam M O set No effect on RPS es RTSS. genesmaed by sensor opers. Process CCS via DIAS and maalVected and sired so fadure Psecess CCS DPS. carry fun CEDM load. fadore Approved Desipre Materte!- hesivaamentatio e am9 Caname Pope 1.769


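29) 480 V AC Bus to MG Set (Bus 1 Typical)

a) Failure mode: Fails off. Cause: Short, mech. damage. Symptoms and local effects: Loss of one of two redundant 480 V AC supplies to the CEDMs. Method of detection: Bus current indication via DPS and PPS operator's modules. Inherent compensating provision: Redundant bus to other MG set. Effect upon PPS: None.

30) MG Set Input Breaker (MG-1 Typical)

a) Failure mode: Fails open. Cause: Open circuit, mech. damage. Symptoms and local effects: Loss of 480 V AC input to 1 MG set. Loss of 1-of-2 supplies to CEDMs. Method of detection: Annunciation of input breaker status indication via DIAS and DPS. Inherent compensating provision: Redundant MG set and bus. Effect upon PPS: None.

b) Failure mode: Fails closed. Cause: Contact weld, mech. binding. Symptoms and local effects: No impact on normal operation. Loss of overcurrent protection for MG set. Possible damage to MG set if overcurrent occurs. Method of detection: Periodic maintenance and test during refuelings. Inherent compensating provision: MG output breaker, redundant MG set and bus. Effect upon PPS: None.

31) Motor-Generator Set (MG1 Typical)

a) Failure mode: Fails off. Cause: Motor fails, generator fails, flywheel failure. Symptoms and local effects: Loss of 1 of 2 AC power sources to the CEDMs. Method of detection: Annunciation of MG set status indic. via the DIAS and DPS. Inherent compensating provision: Redundant MG set. Effect upon PPS: None.

32) MG Set Output Breaker

a) Failure mode: Fails open. Cause: Open circuit, mech. damage. Symptoms and local effects: Same as 31. Method of detection: Same as 31. Inherent compensating provision: Same as 31. Effect upon PPS: Same as 31.

b) Failure mode: Fails closed. Cause: Contact weld, mech. binding. Symptoms and local effects: No impact on normal operation. Loss of overload protect. for MG output. Possible damage to generator on overcurrent. Method of detection: Same as 30 b). Inherent compensating provision: Redundant MG set. Effect upon PPS: None.

33) MG Set Load Contactors

a) Failure mode: Fails open. Cause: Open circuit, mech. damage, contact c. Symptoms and local effects: Same as 31. Method of detection: Same as 31. Inherent compensating provision: Same as 31. Effect upon PPS: Same as 31.

b) Failure mode: Fails closed. Cause: Contact weld, short circuit. Symptoms and local effects: No impact on normal operation. Possible damage to generator due to motoring when MG set is unloaded. Will not respond to APS trip demand. Method of detection: Same as 30 b). Inherent compensating provision: MG set breakers, redundant MG set. Effect upon PPS: None. Remarks and other effects: APS becomes ineffective to de-energize CEDM's. Diverse PPS trip available.

34) CEDM Ring Bus Current Indicator (1 of 2)

a) Failure mode: Fails off. Cause: Open circuit, comp. failure. Symptoms and local effects: Spurious indication of loss of current in one side of ring bus. Method of detection: Annunciating automatic from PPS interface and test system. Status via DPS. Inherent compensating provision: None required. Effect upon PPS: None.

35) Synchronizing Circuits (MG-1 Typical)

a) Failure mode: Fails HI or LOW. Cause: Comp. failure. Symptoms and local effects: Unable to synchronize one MG set to the CEDM bus; possible MG set trip. Method of detection: Operator, when trying to synch. MG set. Inherent compensating provision: Redundant MG set. Effect upon PPS: None.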


37) (Cent'd ) b) On Fletsrenses Induees Femneous sensus enhcmann and Erseneous seems meicanon ESFtC3 sedusulare Affessed ESP eemgeeenre sney Sane as 37 m). Flene power enha Meinpieser, connel of componense essigned se endrer change in conyonem Divismes B C and D be acesseed er seeppedi ctesed. poeducten psecem may be shme eneum enwg mehireeneren MCP. epersesng seams stiserved by seeinn evedsNe. Im9 Possilde acmasine of Division pefarbcd. Spurious sessation of SIS to seaches end eperaser. commaers en enher A ccmpenes esterned as loop Train A boondalby SAR.

seems indiconom et Downen A greep eat cosasoners in thes gtougt Sts, Enoneeus acasarma of F3FM a enenrous does effeceed SDS, and CSS. SDS ==Ives is accepentde smee sransemed to edher sedundare SDS vatwes see esagned seen er sosp as diffesene ESF4TS diensens so Psewas spumus stepressuriratiost. Frecarees acemmion of ESP CCS CSS -_ , __ is accepenble, since the spray puenp sad a vatwo be series eve assigned se ddresent E5F CCS divisinns se prewns srerlons contenunem spray.

34) E3F-CCS a) Off Some as 37 m). Isso of sensus indacamos and cemeni tess of coinpanene seems ESFCC3 redundase same as 37 al. Sene as 37 al.

PSP Consrets of componems assigned se indication and cenmds dietsions B, C and D and Ishesnoe amteip'ener. ebserved by epessier. remain avsenNe. Opernmr B/O Annuaristed ar.immHy. con uke conwel of affected b$elhpiener Mattsplener heehlt sament componenPs eseng ESP. (CPM AO 2 _" by group CCSoperasersmodule A2 syperatp conm4ters and via DIAS and en RSP. DPS Apptreee9 Design destorier . hee:. ered Centrol M* I 2-12 O O O

38) (Cenrd ) b) On Sanne as 37 H. Erseneeue sensus tuhcaston and Same as 37 bl. A87ected ESP _ . me as 38 m). Spuriums aceuosinn af SIS Tenin A ennent of componess assigned en ney be accessed er and die Train A SCS punip ese smpped4hund DMessa beended by SAR. Favencess
                                                                                            ' . ^ to RSP.en RSP. Itcontrolis .                                                    A componensinchsde:                                                                  actuosien of ESF4X'S DMeien A                                            '

j SIS, CSS, SDS, EINP-l. _ , in die CSS, EFW-8, EFW 2. CIS. CSIS, RPW 2 is accepenMe since an ItYAC, SCS, CWS, DOS, inseeirs puenp and vatwe are assaged  ; Electrical. is diffevein ESF.CCS divisians as psevent spurious steemeten of these y thencanets. An revestrous eenmal i signea is apen ESF-CCS Di% A watwes in the SDS, CIS, MSIS sad SC1 is areeresMe since sedundmas wehen am sesigned a dinerce ESP-CCS divisions im each sysseni. An ervenecies conved signat en chine  ; ESF{CS Devitami A valves in de SDS and SCS is acceptaNe since it wM affect only one of eso sedundens flee pashs in each syssena. An ervenrems contret signal to close ESF CCS Divisen A enivesin die Ct3 and MSt3 om sesult in . amp'ehle tanW9seneet I f ~

39) ESF{CS s) Orf, Sune Ems of imeenet lms of dass communeranen to PPS Aeuunnceaed mus e asent fann Opesenton er -^ --- Ims of PPS A. Transfer et Amenmem: tesang of . .PPS DiveJnn A deerday or no power supply, fue ITP Teming and MCPIRCP FPS 117 wie DIAS and DPS of PPS ITP does une cenesci freae MCP. channets - ' Lencept toe toevoork sesponse etecuumcs fateses, trasnfer en MCP. Assiencensed ' by sett peevens PPS safety ESFAS' . logic dus to feuery senJge spee er short circes heahh , of CSF- fbactions fan bemg sess feedhock.

auspus wirung. CCS iners diviseen dets accomphdied ,

                                                                                                                                             ; . in easeway AD to DPS and DtAS.                                       - Redimdans PPS htCPIRSP trender et connois Channels B.C and D not affected.
                                                                                                                                                                                    - PPSA stunnfee of connel can be acemmpfuhed frun bs incal _          -and tem penet.


System 80+ Desien ControlDocumnt Tat >Ie 7.2-5 Plant Protection System Failure Modes and Effect$ Analysis (Cont'd.) Pte. Msme FeMure Mode Cause flymysesne end taral Effects Method of Detedien Inhereed Coenpennestrug Effect styen PPS Senecks ord Othee FJteres fortuding Depemiene FoGures Previslea s% fCons'd ) b) Die itsedweee se PPS A ITP are sendre do una sewe DPS and DEAS annunctated Sane as 39 al. Pendik esasfer et PPC A some es 39 m). sorrware rosases wwh espected seydrs. PPS A MCP emenenser free PPS A ITP. censuces en RSP. cauw ersmewees does eyeresars snodule emnperaNe. PossNe trassfer of conesel se ersonaseet RSP frene PPS 'A' anneerisied wie ITP. PossNe ersenfer of cearmt sa RSP foem PPS 'A' ennonciated.

40) ESF CCS el Off Sessic Imus of powes Pa*erve taas of morassons en OPS Less el ESF CCS sauces RSP eperneurs sundele or No effect en F3F CCS durmg Innbddy es uumnt ESF CCS sessus Mem Canmd despesy an suppiy in OPS nondose. F.SF4TS prnceeger keeps indresson en OPS nondwie. ESF-CES Inral morneel eperusena or take conesol of enenpanens in Panet sespnene end de. been of fihet OPS madete date srme fsanee es Annoncieseng _ by makeenence eni seis penet dev6mion when en MCP CPM is sh.

Operaeors epeer data link er prior se fadwe). FSFCCS ggiewey. Self MCP FSFRS operseers out of service. Medute (CCS electemut er dingsperws via DPS and sendules fne redundant A IOPS softweee faileres DIAS. Perioshe . - diviseenseneffected. MCP Module widun OPS mudule end ensaval seit. individual cornponens Tyrcal) cosmets wie MCP CPM availeNe. Manual ESFAS instintion wie PPS resneins sendsNo. M Out.dyennene. Decisenets er Aceve indusseems en OPS enadede Errearcus unaeus indwassese Some as 40 m). femmtier of sedundant ESP Ssme as 38 M and 40 a). sperious softwere faihraes erveneous or atmneneet PersNe endeer compeerne operstmg divisions availshle vedesced by random wtthe OPS snahsle erveneous centret segneis se stones change obweved by one. Sarne as 3Sb. ihspinys and or evennecos does conyourms esihm divesson. opersoor. PossNe conmes tranunined over - auseenmc by fibes oprie date huk FSFCCS process or self diagnostscs via DPS and DIAS. Perinde manuenance and noennel see

41) MCP/RSP at Off Imse ef power Passive fedwe. Instwhey se eransfer Pertedic sent und snesneteente ESF-CCS redundant None snesere surgey se fiber opets Devenssa A FSP (TS er PPS Ihieke B. C and D teensfer twierh. fiber nyee consels se RSP eems this twisch transfee scenene evadable.

swisch (East ' swikt fads closed. Fait 2 swisch and swiech as sonrh erveted fiter cret ennentenance and see panet typret) enNe reaseirs evedeNe. M On Fiber oper swsach Transfer of Division A ESF-CCS Annuncistion avessnetic frone Bungiest transfer occurs. Division A ESF.Cr5 and PPS Transfer rf centrat back en MCP f=ds open. and PPS resands to ItSP occurs DPS and DIAS. conhels remam in last connels transfeeved to RSP. achieved froen ESF-CCS centsch inopershle frene MCP. demanded sense. Asesnenc snennenence and test panels. FSF CTS and PPS consent ettens semene evadable. Approved Des &o efeseriet-hvshwanentaden enet Ceneet Page 7.2-14 O O O


42) ESF CCS a) Off shme Some es 40 al. Sense es 40 al, d eenrant is Some as 40 al. ESP CCS local No effret en ESFCCS during N connet tremefemd to RSP,less of Remote display or me eransferred to RSP. - esul een penet. morund operauen. ceewel sud seemse indramue of
                                      . Sheedowe                 sesponse                                                                                                                                                                 RSP ESP-(TS operasers                                                                      . ass he der devisiem desengh
                                       ' Penef                                                                                                                                                                                            modules far sedenuhmt                                                      opetussen needele. A-2 OPS Operemors                                                                                                                                                                                    d6eessues enaneced. RSP                                                     bedishhselesmponeet Module CSS                                                                                                                                                                                    cosmets na RSP CPM                                                                                                                                       y DCS                                                                                                                                                                                           evadehle MeneelESFAS                                                                                                                                     t Typicef)                                                                                                                                                                                       heitiesten yte PPS semeens avaamble.

til On. dyananc. $sme es 40 94 Some as 40 bl. N camvel is Same es 40 bl. Sonst as 42 a). feo esfect ce ESF CCS dovung N cosmet greedmed to RSP, same i spuesses, transfemd se RSP. smmet opernseen. N ceaevet es3h I sendnue transferred to RSP, sama es dnpeers or 3eb. [ i casernis  ! i 41) t-SP CC3 al Off,seems tsesedpower Pass 6ve Imen et incat indrances on Ems of sensesindration. Akshey to use enhes MCP No enets on ESF CCS during Assosnenc ESPAS acuserene top PPS + Maennemence deggdey es no mapply,Ines of dass snedste. ESPCCS Genup e end era functions er RSP ESFCCS epesseous marsnel opetesion. not aMected Immedity to use end Tee sesponse hnk er elecwenics Cesesellers keep snodule desa seenc locaRy at ESF CCS Possuhte mindule end CPM for -, and sem penet se


Penet Modele bordwase er senwese (sesee as print se faihere), impowed _ _ amenmeine by . steens and transfer teammt femen MCR to RSP (Ibisten A fadese emhin --- and erse capelnhey ESF CCS geerway self conwet, dependent spoe se vies versa in ene dev6sinn.

  • Typocal) anodule. diagnostics via DPS and which was test selected for DIAS. Periode . -

consel. Redundant

and test. dovuton ESFCCS ansagenenes esul tro penets j enetha 1.

b) On, spurtnes, Elecnonees Aceve ersoneens or Same es 40 bl. A-' Same as 43 a) and 40 b). Pousdde imahday se trasister Plant power ;. _ i-- piecess eney .; sendoen hesdwese er indratens se module. Psesdale of connel sransfer se RSP by connet freen MCR se RSP er be pessusbed. Seems as 3eb. i dnplays er sapesse feihnes enenecas cesaret signals to geoup conneIIers. vice verse in ene diveston. tememis wahm mindute er . . willum divisinn. Sante es 38tr. , etsameses date Pessshie trans8ee of deutseen connet i frene MCP to RSP. [ i i i l I l Approved oest, deneerief - eve ===mweese and cower P ,e p.s.rs i P ___.______..m_._m._._ _ _ ___.________.__. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ , .._..._.-_.m.,,m.. ._._______.,,,,..m__m.~ ,_...,_,._.._m. , , , _ _ _ . . _ , , , _., , _ . . , , . _ _ __ , . . .

44) FS?c'S al O!Y Iseiaf west hos toes er data .. _ .eines er se Inos of componem srasus and ESFfC3 sederminus ESF CC5 *A" onepues seven es tsas of dass en DIAS meed DPS fier Derouan A power se og E5F- fesna Pos. Proceu Casuseners Peacess Coeneese,isednunn Devaines B, C and D tad safe cosedman p.temeerrs and _ stones Groep CCS Dmunne A lacneed en MCP and RSP beccane en MCP and R$P senssin e,sestde . _ . , .to de Must from this division..

Coseener espeipeness d6ssided. PPS insesfacervene ersnem Annoncinemg aseeenmeet freue fadeve monde of the fard (Psecevier Al ennunciaees PPS/ESF imerface segu DIAS and CTS due en healde acmatine device fer die Typecif ) faihere. uses dass _ .L Divisine A actueied eqmpnect (MOV's, meters. Ineskers fad-ass $ctenneds fad to thest fad safe stese). Nusnber of redundam ESF Drewscases evenshie vedered by ene. b) Off t.ess os peestetent Fad over se sesidhy Group Assusnciesed suesmanc v4 Standby precessor assunees Neue. morrest power cerenener occurs. imersyseem sairway ceneret. sepply.fanteres . seiendata hnks (ksedwege or freen seendby processor to sofresse) esthan DtAS and DP3 CPt7 er data leses whech beh esecumen c) On Fedmes thentense henbday to consect et change Asmunc6 seed outenante esa ESF4T3 r isss of PPS avseenhe W PP3 Thas precener's eampunctus vesnam er sonweee) wwhat opetsune urare of e . . DP5 sad DtAS due as PPS thvianas B, C esel D Rennese Mannet isenation of be test denusaded state of operanose peacessor diet caew assegned se das pencessor finna issee.faranes preresser sessista evaanble. Opeentne , _ coenmeted t.y weis wedens comend actina enken by laiss of fuerver sad Operaser Module en MCP. detecteen of E5F C05 setains compones cournet piecessor opeveses es yearess cosweeness. bans enecution C. . .c wasus indicene and inserfare arse faame Penadec femme eeseret swinches and dnplays senecin staric ar 3PS and noennenance end aest. tAes of peccess connellers se DtAS. cesnpenent censvot vetrenses MCP ein Inny coecetters. detPr#4 h *Mm"* j d) On Elecivenn-s or Possede erronenes e sovel signals to Same en 37 b) Same es 37 b) Sanee es 37 bl Sane es 37 bl. 
A Fauky Osoup onerw,se fodure Leap Cormopees se aceeved wah Ceemetteett) sney cause Msts, CIS whin ceasellet, er this Group Comtalke er Ef'WS dev6sinn A e , erroneous data actantion, depredese open their transmated, cause Asnctional group assignment which false E3F nusianna ese designed se samennme isnpact en signals. plant syvens. Based en esisung Sysmem 80 plana designs, diese apersees acmenon wel resula in acceptuNe comespeences. Apprewed Destgre nfetersef


1 Sysesver 80+ ossimie caneet onessian P  ;? TsMe 7.2-5 Finut Protectlam Systen Falhere Medes and Effects Analysis (Cont'd.) peo, hoe Felture Mode Cause fbympsesne med taret Eggeres Method of Deteetten Edwreas C . Eftert Upme PPS Resnsets and Outer RIUwes snesedh t , thyende e P aerea pre.htm. 4 13 FSF 4TS el Off Emesof Moengteser ESF sessumme monsis fsem PPS Annoncissed .A ESF4TS sedendast Affecsal Dmesse A Mansel - ' eveduMe fuese PPS WO power supply. Omapeen A and C net seemd by DPS and DIAS due an PPS Dmunas B. C and D seinem in taas MCP er ItSP. Oiher Genup . heneiyerner e8:eineuses LoopCesamflees AS4 At 5.est. inersfacefTeu psecessor areissa availeMe. desemaded state of , Ossevellers de sanne diesessa met (MUX AI 2 walum Mahyteser The ESFAS emencme 244 tagscs desecenn e( ESF CCS (Fed-and teamsberet affected. ,

        *yprarp                            er laes of             eenqued as siis man's poucesser    innesface sees faame. Perieds                                                ndandums ESP Deehamns Mulapleset             wiB ese sespond se a boos 4ide     saaneet ESF4TS tessue                                                        arealehle for suesannetc inimiselma menet. fee see feedback                                                                              sesessieuof ESPsonquemenes response em PPS derne sesmag,                                                                                   neareced via Gus aminiptener seduced by one.

b) On Electron 6ts fa#eees Puhe ESP hiinesien eigenes for Ammuncised .- _ ein Same as 37 bp and 43 aA Affected ESF acesence begic _ er Mansel Est. Acessenen wedum MueHylenar chamaets A and C senere by tany DPS and DIAS ese se two Afscreed Dieimos A becomes selecawe I of 2 via PPS act effeceed. cause fahe ESP Commeler 4 At4. Al-5.est e channel arip esmemen. canyonents ersusse in test concidence in dois dreseen.  ; iniumnen signmes se beamf eg sigast to cidher deinended maan et i be pseevased tw one cheasr u er D woued vesult in operanna (Ped-as.es). tener et the selecuve acesamenef the essectand 2-ef 4 Ingic rangnurnes_ fchaseith A and C). . een Fews esses a) Off Emesof power Emes of PPS mgemis semed as half Same as 45 b) Some es 45 >]t Wesus Des divemann of ESFCCS Manent scesense avettable fseus isserfaces suppdy or esecerenscs Ing sunshoe try menal mien ESF- ESF CCS devisien, aceanseen angic teconees MCP. bee see ESF- fadust in fMer ereie MS psecesses selecews 244 . fiber epke selocerve tel-)coencidence. CCS and PPS . es coincidence Ingic. etceivers inseruel poner (MUX Al-2 seersver; Sevenne of supplies. Typerst) fiber syne cshlets)in , een seemismat PPS , chassiel . b) On Elecuesucs laAmes PPS ESF intienen signals not Sasne en 45 at Same as 45 m). This divhion of ESP-CCS Same as et causes filer speec sensed by ESP 4TS selecurve 2-ef4 sensatinalogic beceases arensnumer er coencidence engic. seleceve 2-et-3 concidence i secerwer to seer ce Iresa One Urdbendent PPS channel } f Appveveaf peegy afuerssi. eve: . ones cm.eef empo 7.zir e h


Table 7.2-5 Plant Protection System Failure Modes and Effects Analysis (Cont'd.)

No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects

47) ESF CCS a) Off Less of Leap Congionenes assigned so Leny Pereds -. and erse. ESF CCS .. . A8fected ESF<CS eenputs se Laes of cesitect and seness indmanen Loop Connoffer power ConneRet sevent so fsE-safe stase. Lossof counpmentcentrols Divisspos B, C and D es fad safe condaean of affected ESF syssein he ene Conwoher supply, electromes Precess a er sespanie detected by operneur. seemin avsaaNe. earrespondag se Sie electrical division.

Al4 Typust) failme wahen _ , _ simus inyms so affected Annuncienng musentatic be faduce made (steer)of the final Lenwetter. ESFICS Orcup Coneinner sat Oseup Cenendler self acteateen dewze for the neweigdesee er daea wfieshed for effected ESF system. diagnessirs een DFS and actueerd ,, _ (httJV's, senanumecanon DIAS enosors, bwekers Faa se is and mereerk causes solenceds fad to th-ir fait safe outpms es asusme sese). Numberof sedundant defsek sts;e ESF dtvisions avaitaNe seduced by one. b) On Fanure in Cerrponems assigned to lhe Iany Ersenreus simus indxamen er ESF CCS vedundant ESF syssens componems Plam power pecesction pescess may electuenics, Cunemtler any receeve ervenems change in componeae Dreisions B. C and D essigned to ens Lesy be perturbed. A fauky Emip Connetiers, connel signets. crerums stessa observed by veninin omnfrected. Centueller (SIS) acarated or Coenmner many envie SIS. CSS. neekipiener er data operavar. Periodic C. , see assigned senpred/ closed. Numberet MSIS, Cl3 nr EFWS devisine A

                                                      .                              _                                                mamtensace and aesang.         en tanp Commfiers bawd    sedundant ESP divusons            _ ,      at actuarins or se umpictose causes niukipleser                                                                                             en ESF system fianctional aradside seduced by one.         depesident upon their fbartamal cuepms es aseeme                                                                                               genups se limir empact te                                  smup assigeness etiir's are their ernessed sense                                                                                           piam syneems. Reier to                                     destgwd to snenenure knpace en plant Remnds in 38 t4                                            syssena Rawd on esistmg Systens 80 plant desages, these spimous ecmanan ce f.ihnen sende in acceptmHe coesiessuences
48) ESF-CCS a) Off Open, shen, ground PosssMe damage to _ Annuactatues ausommeic by Redundant group network None.

Group . er opphratune of ello snodule. FSF4r3 Orcup assncimed E5F-CCS Group avaitalde. Netoeds V AC en one Consvoller. Leny Commflers, centrenes self diagnosters win (Channet Al netwerk in dronnen. Pincess C - and Mus*v self DPS and DIAS. Petinde Typical) Netwert does diagneuries detects ines et de's susumenores end test.

                                                                                                     ' stoons; shafts to sedundant ermes occur.                          merench and annuncieses via DPS sad DIAS.                                       ,



45) ICent'd ) b) Off Open, senwi, geened Fee ceanpenenes assigned en she 5ame as 47 m). Ja al. Same as 47 a). Some as 47 et Same es of al.

er agiphcatme of 420 netwerk: less of precess V AC to both _ et componem senses neswerks an dwesma. impens se die Pteress Centenner. Network dae CPM and Group CeasseHer for __ eampaneus eimened mi she netwert: essers scent. tess of ceasel unput ein the Puoteen CosmeMer, CPMs a=ed OPS Medeies; and loss of PPS -.- . . _ capabdsty. Componemas essignal en neewert seene se a faa safe sane.

49) ESP CC5 a) Off Same as at a). PossNe damese se . enons $sene as 48 al. Redundant hatradwtsion None Imre divesion snedele. DwouseGee'ap network Canunemcatie Canivellers, Opevanrs Modides, avadable.

e Netwnets Matenemente and Teu Panel and IChe mart Al Oeeeway self diagnosnes detece loss Typetar) of data - --6, shese e stTported by the sedinalent artwork and of the feehne is eta DPS and DIAS b) Off $ame as 48 bk Emes of Deweine dets Penodie weintenance and sesa Asenmatec and nenneal Imss of soner interloct ang less of carehdity es trossier centset

                                                                                            . between Oscup      Dwisenn Gateway self                ESFAS finen PPS, and         s6snels between Oveup        imni MCP se RSP lbr these Ceaueners, Mamsemence and Tem            d6sgeostics detect less of          nierusalcomentof tmop        CentreRers wiihin some ESP-  divisions.

Panel, Netwest Bndge se PPS, comunmecanno and Conevellers via Precess CCS dwisies. less of bas CPM sa RSP, and Georway to OPS auemenatically annoncentes via Cenivellees and CPMs as lead seguencing data se ESP-Madides, Mawr Transfer Swinches. DPS sof DIAS die MCP containe se CCS Dwtsion C. Bass of DPS seul DIAS. finediese, feedback for PPS teWing

10) ESP m e) Off Saee as 48 at Poesihte damage op dem Annemcented by DP3. Faher optic cohle pre. wenes None Dean sent en DIAS nas affected.

Innessyserne e alma nondule. DIAS Perinehc e and see. faepts origisiatnig in DPS resnenanne- annonciates less of does hnt. feens effettmg ESP (C3 einna Date Link in DPS. (D6vWren A T FPi ret) Asiproved Destyre A8eferauf- Ame;_ end Csw*fref Pepe 7.2 79 l I

a) Off Poesdee damege to date Annusciased amansnanc by Itedundsne Geseway dase thne Dean vers en DPS sene affened. SI) ESF-CCS Same es SSa) Insersyseem . ' 22_ mindute DEA 3 Dt AS self heaMk d=sgnowies het avsmatde. Ceesenennuca- mensacisnesloss of data fat. et dan hek. Persmhc eions Data snainsenance and test IJnt en DIAS (Devtsree A Typwa0 b) Off Same as 44 b). Possible damenge se besti date of dase Same as Si ap. Fiber optic cables None same as SI s). coanmunicaterms se DIAS. ensinasms he DIAS frene mindules. Less prevens faahn effectag Gateways.

32) FSF CC3 al Off taas of pewer taas of eperaser insesseed Emesof FSF{C3 senius Assaceaed tmop Iteterence es and enneralof apphcable stanual ESFAS from PFS not Poncess suppdy to pencess . indicaten en Piecess Comrenet(s) caminue to Consroner centroner,less of 14ny Conreeneits) cosnpaneses. Caseener. Poeside opermee based on less entid affened.

(Ptecess " epee dem heek Less of indications en psocess _

                                                                                                                            . ausesnesic by           daia input frone MCP ComroMer                               l er c!ectmenic or       contratter. ESPCC514ep                  Group er 14ap Conesoners                process eumsoner.

AI.I Typical) sidenere fadures Cesaronerts) keeps Process self diagnosens em DPS and Segerm CPM, MCP withm process Connener dess ass:ic (some as prior DIAS. Persedic - - - - - . Opersawn Metale and corscher to fadure). and manual test. ESF (T3 kwal e and sess panel renam avadehte. E3F. CCS sedundant Diensans B C and D sesnain avadatde b) On Enreseenics or Indacaceans on Pmcess C. 1. Ermnenus sennes indicanos Segment CPM, ESF CC3 Same as 31tb. Saane as Mb. Funcetonal genormg et software faderes ersencairs or abnormel. Possitde and#ne c . . .. eperating Operators Module er ESF. ADY, FFW3. FDG and SCS wahim Process erroneous centrol signals so actusee, stones observed by operaeor. CCS maineenance and sett coenponeneses LenpCentroBer(s)is Carandser er er mopectane associssed Possible anrencieeing penet remain available. desapned to annienese impaa en erveneens daia Impr Connoner components. auserneer by Group er Imap ESFC '3 redundant these plant syseems, Based on tramnnteed ever Conrroners self4ingnostics Dietstons B. C and D existmg Syseem 80 plant designs. fdwr spess dass hnk. we DPS and DtAS. Perludic semse avaitable. these erveneous acervations are mouneitance and sneneet test. eccomreedated(hounded)by the SAR. NOTEa (1) No effect on comeal syseem. The caemni system signal vahdarion tage overt Mesnable censvol actions due to failed senene signat innets. Apprewed Desipoe Morerior- h=enranerenreacion end Ceneret Pope 7.180 O O O


Table 7.2-6 System 80+ Critical Function Success Path Diversity

Success Path / Function: Reactivity Control; RCS Inventory Control; RCS Pressure Control; Core Heat Removal; RCS Heat Removal; CNMT Isolation; CNMT Environment; Indirect Radiation Release; Vital Auxiliaries

Normal Success Path (a): 1. CVCS (Boration); CVCS; 1. Pressurizer Heaters and Sprays; RCPs; Main Feed Control Valves; 1. CNMT Fan Cooling; Monitoring Only; 1. Nonvital AC from off site source
2. CEA Drive Mechanism; 2. CVCS; 2. Hydrogen Recombiner; 2. Alternate AC source
3. Nonsafety CCW

Alternate (Emergency or safety) Success Path (b): 1. RPS; 1. Safety injection; 1. Safety injection; 1. Emergency Feedwater; CIAS Actuation; CNMT Spray; Monitoring Only; 1. Vital AC from off site source
2. Safety injection; 2. Safety Depressurization; 2. Shutdown Cooling; 2. Atmospheric Dump Valves; 2. Emergency Diesel Generators
3. Safety Depressurization; 3. Safety Related CCW

(a) Type 2 Nuplex 80+ Systems - PCS or PCCS
(b) Type 1 Nuplex 80+ Systems - PPS or ESF-CCS


Figure 7.2-1 PPS Basic Block Diagram (legible labels: CH-A through CH-D process instrumentation, CPC, bistable trip processors, coincidence processors, initiation logic, RT-A through RT-D, ESF-CCS-A)

Figure 7.2-2 PPS Functional Interface and Testing Diagram (legible labels: channel A cabinet, channels B, C, D similar to CH-A; bistable trip processors, coincidence processors, interface and test processor, operator module, remote shutdown panel operator module, fiber optic cable, discrete indication and alarm system, data processing system, power control system)

Figure 7.2-3 (plot of primary coolant flow against time in seconds, 0 to 9; legible annotations: one pump shaft shears, trip occurs, max rate, nominal trip setpoint)

[Figure: safety related channel "A" (B, C, D similar). Legible labels: pressurizer transmitter, auxiliary process cabinet (analog), I/E converter, fiber optic transmitter, control systems, protection system cabinet, interface/test processor]

NOTES:
1 - Included only where protective channel is also used for control (see Section 7.2.2.3.2.6)
2 - Fiber optic cable

Figure 7.2-5 Reed Switch Position Transmitter Assembly Schematic (legible labels: reed switch (typical), reed switch power supply, output to trip logic calculator, 5-10 VDC)

Figure 7.2-6 Reed Switch Position Transmitter Cable Assemblies (legible labels: CEDM power connection, reed switch position transmitter)

[Figure: legible labels include CEA displays, CEA MUX, discrete indication and alarm system, data processing system, CEA calculator No. 1, fiber optic isolated data links to DIAS and DPS, trip logic calculators for channels A through D, and operators modules]

Figure 7.2-8 Ex-Core Neutron Flux Monitoring System (legible labels: safety channels A through D; fission chambers, 3 sections per channel; pre-amp; HV power supply; log power; rate; linear power; test circuits; to plant protective system)

Figure 7.2-9 Reactor Coolant Pump Speed Sensors; Typical for each Reactor Coolant Pump (legible labels: two sensors are mounted on upper portion of pump, two on lower portion; speed transmitters; pulse shape; power supply; CPC CH-A through CH-D; vital bus A through D; isolation; fiber optic cable to data processing system for COLSS)
[Figure: functional block diagram. Legible labels include pressurizer pressure, CEA position, subgroup deviation, reactor coolant pump speed, Tc max and Tc min, reactor power, DNBR trip, local power density (LPD) trip, fixed setpoint, control board (DIAS and DPS), PPS interface and test processor, and to PPS coincidence processor]

[Figure: legible labels include NSSS parameter, analog input, digital input, setpoint comparison, VSP: variable setpoint, trip, pre-trip logic, operating bypass, interface/test processor, and local coincidence logics]

                                                    + .-3                           s _._ 3                                                                      + . _ -3                                                        --3
                               ,,,,;*...                . . _ . _ . . . . {.                                                            M*,,,,._..                                        . _ _ _ . q .-- 2 r_

d

                               ,,,,,,3   m ,. ,__ . . - . . . . . . , ,                .                                                ,, g mp .
                                                          ^

f k

                                                .4                               ..                                                                        ..                                                     .

se; i E1 es;4 M.2J 4_, #N. [*E. i d - u.t~ y, 9' e t cab... .b I t_ _ . _._._

                                                                                                                                                                                                                      -                                j .my p h)_q..=, j
            = .sswidi       m emy=i me. .=i]                                                                      ,, , , ,,vi . ..}

__=_,_. m t re.i-we m w.e -

                                        , ,_y                                         . . ,

m , s- _ f

  • f.

l w a .e = l t ..er. r ---

                      . . . -                                                                   a q_                            py; i        .,<;p fr?.;.   - w,

_~e G 1.

                                                                                                                                                                                                                                                                 -.'I i.
             . _ t                                                                                                                    l   c.. m                                              '3           L'-

_._%.~s.-.-

                              ._o rM.            1                                  . * ,7>,<,.

r ,] 4 l ia u. . . .. , ,, H pL'  %' ' ~' ' ' ' - * - T -"~_j_ ., " _-*~ C' ]

          '.,..     -NNvmM__ _                                       , _ _ _ . _
                                                                                  ~                                                                     ~

l- .-- M <~. EI _..= _.~~~ - -m__.___ . _ wa~ < _ .--** m m _..

                                                                                                                                                                                                       . . G.

m ,I, W.__.*.* _ . _ _ _ [__ --- t_ w ._ _f , m esw . men - . f r---- ,J ... . 4", ;-- ,g,,

                                                                                    -> ~ Ig                                                                                                                                                             ,, ]

1 i,I

                                                                                                                                            ,,n.                                                          r--
                                                                                                            ?-                VNO       '
                                                                                                                                                                                ~~~~
                                                                                                                                                                                                     '$                                                                   h
                                                                                                                                         '_a  1                                                   <_

Ji--- '.m.. ( '0.. 1t.__'f .3 ., c;;~; d

                                                                                                                                                                                                                                                                        ~

sg y t n-- wir 7s- -'~- __.. us. HjK.g

                                                                                                                                                                                                                   . .                 4.         T-~~

j qT*y. _ un s - ens u , em, e ,

                                                                                                                                                                                                               ~

T*** j u- I j ul- I rda

                                                                                                                                                                                                                      ;                    i                i ui                   ce               to.
 %gssW

r# Sy' tem 80 + De* ion controlDocument au _. I ' _: __- ., __ _ __ L

                      ~

Um,7

          ,,y 6 .w                                                                                7w . :c , .w
                                                                                                                                   -s9 L                .                  ,. 7n                                                                                   ,..                            w                                                                  .

nr- -T.. g. i. .T!! t t .g . qq _ , 'J _._ F. , ,~ ,, ~

                                                                                                                                                                                                                             ~

i<*=.. stes tamber f ( ~

                                                                                                                                                #*d5 Lseka O 0
                                                                    ,,o d*E'#$16 3                                          ,

1 g. e

-.         ---.                                                                    ,_.,j     -
 '                /         !                                                      6 c                          I '. )           f                                      ,..      .             {            ,
                                                                                                                                              - r+
               ..I          m __

cL--y

                                                             -                                                    ;                                                 ' ~ ' * " *
  • A
  • Q_-i in. --
                                             -                                                       --.                                                                                                   e cO :1 lu hz                                                     c' :.:                                       ..

m ikA . ."4

                                                                                                                                                        -               '=" M .

nt< - 3 1*$t' ? **0, 'O "$7' $ '*Y ' e 50 0 &

                                                                                                                                                                                      %   = ,,yC=.  ._ a                    ,

wh_o;v_d_. . _ . . _ , . _ . . _v4,4_v4_4._ i r~_._J ,-.- _ _ _ - __3 - 1 t a tJ., t ) > 1 1 ,, aw

                                                                                                                                                                              ~d m, -7                                 _       (f a                                                    j        @                             t~ w )                                                $

awn - m- c. w o am  ; M-?-4 W ~"% 5 -+"3

        ;r...
                     < ., . . . . . - . .. .r - Re - + -- 3                                              ..

m iar . -;f - - - + - b

                                                                                                                                                                 --{       ,

, y... . _...... .. " }, ,.,,7,..,-.. r -- -- - -

                                                                                                                                                           -- " "[ ,.

I b.v.. w - pm as-e -- a..we.-, 1 u

       --~

m w _ , 4

                                                      , 5__

r g b l

                                                            - . . . 4_. .__:             .      .
                                                                                                                                                                                                                             \
                         -                         x                                            ..
    ).--                                                            m. m ,< -

3 ,. Q

r. .:
                 ._<{                    y[             m r- -

s --

        ....A
                                -                      s___ ._. m. _. , _ :
                                                                                                                          .e........___._..
                                                                                                                          ....._ _ ~

x _2_ -.-= vq._

   \
                          ~
                              .:        .=
                                       ,.=_. _~,_
                                                     -            r~L m-m i

1 3 i 9705090171 9 PPS Reactor System Simplified Functional 1Agic Diagram Fq' ure 7.2-12 Appreew* & noneanter heatrumententen ed cand rare 1.2 ss ,

w. 1
                                                                                                                                                           .     .___.m.           _ . .. . . ...        .   . , , .      . . -

[Figure, caption not legible in the scan. Block diagram; legible labels: Main Control Room; PPS Cabinet; Local Operator Module; Operator Module; Bypass Sw.; Bistable Logic; Interface/Test Processor; Local Coincidence Logic; legend entry "B = Trip Channel Bypass".]

Figure 7.2-14: Typical PPS Channel Functional RPS Initiation Logic (Approved Design Material, Instrumentation and Control, Page 7.2-96)

[Logic diagram; drawing content not recoverable from the scan.]

[Figure, caption not legible in the scan. Plot against time; horizontal axis: Time, hr (0 to 16); vertical axis scale: 100 to 1200 (axis label not legible). Curves: System Pressure, Pretrip Setpoint, Trip Setpoint. Annotations: "Operator resets at pretrip alarm"; "Setpoints rise with pressure"; "Setpoints hold unless ..." (remainder not legible).]

[Figure, caption not legible in the scan. Block diagram; legible labels: Process; Transducers; PPS Channel Cabinet; Bistables; Local Coincidence Logics; Initiation; Actuation Logic; RTSS or ESF-CCS; Actuation Feedback; Manual and Automatic Testing spans keyed to text references under Section 7.2.1.1.9 (subsection numbers not legible).]

[Figure, caption not legible in the scan. Block diagram; legible labels: DPS; RSP Op.; MCR Op.; Network; Gateway 1; Gateway 2; Test/Bypass Processor; From Test Points; To/From ESF-CCS; To/From Other ITP's; legend entry "Fiber Optic Data Link".]

Figure 7.2-18: Typical PPS Channel Contact Bistable Interface Diagram (Approved Design Material, Instrumentation and Control, Page 7.2-100)

[Interface diagram; drawing content not recoverable from the scan.]


Jcwun (cau=ut c rw arm. {c e it,s M-wu x L3iK _L f.A$ K L%. li { (C6IC . LCI"'K a l LCKil{ i 7 . t 0 I 6 9 t , n n-e, te c s *o si.s in ne rs vo rm i to cras-i grum i t t, as tpgg sv fua9 0 *K 1 # E O enc TW'E D aC TWED DE

  • 1l14 (A
  • Et,'s CE
  • lit S (f v;rf u t(' v iit s LtvKES I A S. C. 0 # # 4. 0 t ( de 6. L. 0 t ' <A68 8 A EL L. D i
.m p

System 80+ Design ControlDocument

                                       -                m,           _ . , ,_,                                  ._,
 ,-                                                     P4 i f G'tf*
                                       = x w

( ar 4 s, r n'ra v tta y - wya% . 4 . 1 w .~ i .- 7rn r,s 1j

  • l i

h g g

                                                                                                                       ,stt 5

(

                                                                                                  ,. k b.                m irm              l            l                             1,                                   l           t r *-

e ~ ,, s i ss. l l \ i e 7tT .'  : ( , l L [.frg

    ~

I _ _ _ _ _ _<=~=

                                                                               ._d                             l_.,

( my43 p\ \

                                                                                                                                                                                                                                           ,       pcagg     RryRg
 , l
 %                                                                                        u                    ui                                                                                                                        g E1
                      ! ::.,   .3 ,ay s_r                       n=

m e;--. ll ApefwII4bt e e*s t, i

   ,                  i
m. 2 l i

1 on

i,
                                           ,                               r                j
 -i                                                                ,

W_.,.,,. u_ 2

                                                                  , .. 4                    . _ . _
          $m..                            E
                                                                   ,1 l

_i , i i rior s. s [' * "

                                                                                                           sl t

[C ser-*, . D P(' ((( eg.f $l. .t.eet 4

                                                                                                                                  % I4'$ 54 +d*V3  a ' k ') /.
          ., m;                                            ,

s, s, / . .~....n....,.. - . . - I g g_y 9. f ew .e { 5F aar ' # '" I JN ' f*.* Pe *

  • 4' F #+' "FL l'h. #d s { ' f. .
                                                                                                                                                                                                                                           --; - *+

r,- )

                 ,                                                                                                                      < .us t ,< . m. ,o,+ > : -, o -.s po-p L

J . i I dL, 7,

                                                                                                                                       < * , rm t ru j                                                 j                      ;c;t
                                                                                                        '           o i                                               ',                   r                  ,     <<<....s w <r - -,. - % us a-.s I

( l 4 ,, , i g c ..i. sw. :a s s . 4.* s 5 0 v.* s a. , u t 5 '-a *

  • t *4 a - ' ' - r ^ i - **

r..,,1, t,w es . i r e

                                                                                                                                                  ~ - . +5_.~.'a'                                                  . -c.r':- e..                        m"-     a
                      ,                   4
                                                    ,      1                                            ;

l , , , ,

                                                                                                                                          -, l 1       ;         o l
                      ,           i ,               ) -l i                                              ,              , 4
                                                                                                                                  . _ , _ . _ . _ . , _ .....x,-,

64*[ I'JB4I l@f ll s m e i r o <= n s .e a ve

                                                           ,                                                                      . - ,,.. ~ . ...
                                                           .                                                                      3 . - .                        o. m                                              . n .,

f

                                                                                    "~                                        ~

2 t t vis.t CJ.P4'IDE 54 E . :x : . wMe ma of W etatC=ed. L i f4 M hatt S ( Crp;:D( ms [. . t e.4, us'M r< e4 L ( !$ * 'F ? ) 'Wt e .s;t ;# e 45'. x. J4 'F. ; P U kF ' 56 [ 9 iM %

   , ' - " " ~ ~ " ' ' ~ " " '..                                                                                                         m7B TdVdl (+

__.._-._._! t ,,, g *.,,,,g,,

                                                                                                                                         +<
                                                                                                                                               ,,. **t Pr o,u ,,,,.c T ,,             :c.. s ,W v 5 wa
  • as * **
                                                                                                                                                                                                       ,t , g ,. e e t .e .E s _.xC .n                        e< c' u e'<f2e.      vi. .T_e( !.r'.: 7 " r_C L Dd ept O, t_#'t. K se t E D B4. m.m...s
                                                                                                                                               ,. . _.                               ..                                    ....-c-e ..n o r.., c n , #s ,.r                                        s~.s                  n . c w a c
  • nt . , w E40s;[( $ pp JM71,pa T; egg F 0 #4[pwsAL%

i L r r.l t' - ri. i g f;:I ; 1

m. ..

c5_iil

                                                                                                             ~ p'
                                                                                         . . .               -.- ,.. l L                                           1           .__.L._.___

E v t o e' g 9705090171 ' Plant Protection Systern Interface Logic Diagram Figure 7.2-19 4preved Ossign Maten'at heatrumentation and Centrol Page 7.2101

Figure 7.2-20: MCBD Symbols, Notes and Abbreviations
[Diagram symbols not reproduced.]

ABBREVIATION  EXPLANATION
ALMS          ACOUSTIC LEAK MONITORING SYSTEM
AMI           AUTO MOTION INHIBIT
APC           AUXILIARY PROTECTIVE CABINET
AWP           AUTOMATIC WITHDRAWAL PROHIBIT
BA            BORIC ACID
CCS           COMPONENT CONTROL SYSTEM
CEA           CONTROL ELEMENT ASSEMBLY
CEDMCS        CEDM CONTROL SYSTEM
CIAS          CONTAINMENT ISOLATION ACTUATION SIGNAL
CPC           CORE PROTECTION CALCULATOR
CSAS          CONTAINMENT SPRAY ACTUATION SIGNAL
CSP           CONTAINMENT SPRAY PUMP
CSS           CONTAINMENT SPRAY SYSTEM
CVCS          CHEMICAL & VOLUME CONTROL SYSTEM
DIAS          DISCRETE INDICATION & ALARM SYSTEM
DNBR          DEPARTURE FROM NUCLEATE BOILING RATIO
DPS           DATA PROCESSING SYSTEM
EDT           EQUIPMENT DRAIN TANK
EFAS          EMERGENCY FEED ACTUATION SIGNAL
FW            FEEDWATER
FWCS          FEEDWATER CONTROL SYSTEM
HX            HEAT EXCHANGER
IRWST         IN-CONTAINMENT REFUELING WATER STORAGE TANK
IX            ION EXCHANGER
MCBD          MEASUREMENT CHANNEL BLOCK DIAGRAM
MCR           MAIN CONTROL ROOM
MDS           MEGAWATT DEMAND SETTER SYSTEM
MSIS          MAIN STEAM ISOLATION SIGNAL
NI            NUCLEAR INSTRUMENTATION
NIMS          NUCLEAR INTEGRITY MONITORING SYSTEM
PAMI          POST ACCIDENT MONITORING INSTRUMENTATION
PCS           POWER CONTROL SYSTEM
PLCS          PZR LEVEL CONTROL SYSTEM
PPS           PLANT PROTECTION SYSTEM
PZR           PRESSURIZER
RCP           REACTOR COOLANT PUMP
RCS           REACTOR COOLANT SYSTEM
RD            REACTOR DRAIN
RDT           REACTOR DRAIN TANK
RMW           REACTOR MAKEUP WATER
RPCS          REACTOR POWER CUTBACK SYSTEM
RRS           REACTOR REGULATING SYSTEM
SBCS          STEAM BYPASS CONTROL SYSTEM
SCS           SHUTDOWN COOLING SYSTEM
SCST          SPRAY CHEMICAL STORAGE TANK
SG            STEAM GENERATOR
SIAS          SAFETY INJECTION ACTUATION SIGNAL
SIS           SAFETY INJECTION SYSTEM
VCT           VOLUME CONTROL TANK

TABLE 1: INSTRUMENTATION IDENTIFICATION LETTERS
LETTER  FIRST LETTER (MEASURED OR INITIATING VARIABLE)  SUCCEEDING LETTER (READOUT OR FUNCTION)
A       ANALYSIS                                        ALARM
C       CONDUCTIVITY                                    CONTROL
D       DENSITY OR SPECIFIC GRAVITY                     DIFFERENTIAL
E       VOLTAGE (EMF)                                   ELEMENT
F       FLOW RATE OR FLOW
G       GAGING (DIMENSIONAL)                            GLASS
H       HAND INITIATED
I       CURRENT                                         INDICATOR
J       POWER
K       TIME OR TIME SCHEDULE                           RATE OF CHANGE
L       LEVEL                                           LIGHT
M       MOISTURE OR HUMIDITY
N       VIBRATION
P       PRESSURE OR VACUUM
Q       QUALITY OR EVENT                                INTEGRATE OR TOTALIZER
R       RADIOACTIVITY                                   RECORDER
S       SPEED OR FREQUENCY                              SWITCH
T       TEMPERATURE                                     TRANSMITTER
V                                                       VALVE
W       WEIGHT                                          WELL
Z       VALVE POSITION

Figure 7.2-21a: RCS Loop 1 Temperatures (Narrow) MCBD
[Diagram not reproduced.]

Figure 7.2-21b: RCS Loop 2 Temperatures (Narrow) MCBD
[Diagram not reproduced. Legible labels: LOOP 2B COLD LEG; LOOP 2A COLD LEG; HOT LEG; REACTOR; PPS A (CPC); PCS; CEDMCS; DIAS; DPS.]

NOTES:
(1) REDUNDANT CHANNELS B, C & D SAME AS CHANNEL A SHOWN.


Figure 7.2-23b: Reactor Coolant Pump Speed MCBD
[Diagram not reproduced. Legible labels: LOOP 2A COLD LEG; LOOP 2 HOT LEG; REACTOR CONTAINMENT.]

[Diagram not reproduced. Legible labels: REACTOR CONTAINMENT; PPS A (CPC), (PPC); P-CCS; ESF-CCS; DIAS-P; DIAS-N; DPS.]

NOTES:
(1) REDUNDANT CHANNELS B, C & D ARE SAME AS CHANNEL "A" SHOWN, EXCEPT ONLY TWO CHANNELS (A, B) PROVIDE SIGNALS TO THE PAMI PROCESSOR TO CALCULATE SMM VALUE.
(2) CHANNELS P-101A, -B, -C, -D ARE HIGH NARROW RANGE. CHANNELS P-103, 104, 105, 106 ARE LOW NARROW RANGE, AND P-102A, -B, -C, -D ARE MID NARROW RANGE CHANNELS.
(3) ESF-CCS USES SIGNAL FOR SCS & SBT INTERLOCKS.
(4) [illegible] RANGE MEASUREMENT.
(5) SETPOINT VALUES ALSO AVAILABLE ON DPS & DIAS INDICATORS.

[Diagram not reproduced. Legible labels: FLUX DETECTOR; REACTOR CONTAINMENT; PPS A (CPC), (PPC); NIMS; PCS; DPS; DIAS-N; DIAS-P.]

NOTES:
(1) REDUNDANT CHANNELS B, C & D SAME AS CHANNEL A. ASSOCIATED CIRCUITS ARE K, L & M, RESPECTIVELY; EXCEPT ONLY TWO CHANNELS (A, B) TO DIAS-P.
(2) REDUNDANT SIGNAL TO DIAS-P FOR CHANNEL B PROVIDES ISOLATION FROM CHANNEL A.

[Diagram not reproduced. Legible labels: REACTOR CONTAINMENT; ESF-CCS; PPS A; P-CCS; DPS; DIAS-N; DIAS-P.]

NOTES:
(1) REDUNDANT CHANNELS B, C & D SAME AS CHANNEL A. ASSOCIATED CIRCUITS ARE K, L & M, RESPECTIVELY; EXCEPT ONLY TWO CHANNELS (A, B) TO DIAS-P.
(2) PT-352A IS WIDE RANGE.
(3) PT-351A IS NARROW RANGE.
(4) REDUNDANT SIGNALS TO DIAS-P FOR CHANNEL B PROVIDES ISOLATION FROM CHANNEL A.

[Diagram not reproduced. Legible labels: REACTOR CONTAINMENT; ESF-CCS; P-CCS; PAMI CHANNEL; DIAS-N; DIAS-P; DPS.]

NOTES:
1. REDUNDANT CHANNELS B, C & D SAME AS CHANNEL A. ASSOCIATED CIRCUITS ARE K, L & M, RESPECTIVELY; EXCEPT ONLY TWO CHANNELS (A, B) TO DIAS-P.
2. REDUNDANT SIGNAL TO DIAS-P FOR CHANNEL B PROVIDES ISOLATION FROM CHANNEL A.

[Diagram not reproduced. Legible labels: REACTOR CONTAINMENT; ESF-CCS; P-CCS; PAMI CHANNEL; DIAS-N; DPS; DIAS-P.]

NOTES:
1. REDUNDANT CHANNELS B, C & D SAME AS CHANNEL A. ASSOCIATED CIRCUITS ARE K, L & M, RESPECTIVELY; EXCEPT ONLY TWO CHANNELS (A, B) TO DIAS-P.
2. REDUNDANT SIGNAL TO DIAS-P FOR CHANNEL B PROVIDES ISOLATION FROM CHANNEL A.

[Diagram not reproduced. Legible labels: REACTOR CONTAINMENT; ESF-CCS; P-CCS; DPS; DIAS-N; DIAS-P.]

NOTES:
1. REDUNDANT CHANNELS B, C & D SAME AS CHANNEL A. ASSOCIATED CIRCUITS ARE K, L & M, RESPECTIVELY; EXCEPT ONLY TWO CHANNELS (A, B) TO DIAS-P.
2. REDUNDANT SIGNAL TO DIAS-P FOR CHANNEL B PROVIDES ISOLATION FROM CHANNEL A.

                               <                                                                                                                                      G            h                                                    &   l W cuce
                                                                                                           #C h (Sel                                               6uh /Swh

( . I h ww ev ,e Y 'h E _ 1

W 4 2 - ] B -ta g { O so-se so-sai X eor stres 3 , E 4

  • p X M

y r W N$$=+- L .I 00 Y E LT-s23A. LT-sa*A C so s22 so-er? Q Q + h E s , a

                                      ~'- hi$                  -

e b!3$'! g 5 C

   $                                                                                                           *T PT E

h py et l REACTOR CONTAltedENT l I 'O j@ j@ 1. j@ 1. l', Py ____e________________________________ , E 35 t s @ m_______________ sy , s 's _ . ESF-CCS g p

                        \_ _  _ _ q NOTES:

8 1. REDUNDANT CHANNELS 5.C & D I SAuE AS CHANNEL A. ASSOCIATED I CIRCUITS ARE K.L & M. I RESPECTivELY: EXCEPT ONLY TWO l I CHANNELS (A 83 TO DIAS-P. I I 2. REDUNDANT SIGNAL TO DIAS-P FOR CHANNEL 5 PROvlDES ISOLATION l FROM CHANNEL A. l D DI AS-P DIAS-N DPS . so 8 5 0 @ 9 sa sw sCd (Sn - - i fs 8 t '/ t 3' WW ' CD CD' se b

a
   =   _                                                                                                                                  %

9 - - - - - - 9 e

[Figure 7.2-29a  Steam Generator-1 Level (Narrow) MCBD. The drawing is not recoverable from the extracted text. Surviving labels: PPS A, ESF-CCS, DIAS-N. Surviving note: redundant channels B, C & D same as Channel A.]

[Instrument channel diagram; the drawing is not recoverable from the extracted text. Surviving labels: REACTOR CONTAINMENT, ESF-CCS, DIAS-N, DPS.]

NOTES:
1. Redundant channels B, C & D same as Channel A. Associated circuits are K, L & M, respectively.

[Figure 7.2-30  Steam Generator Primary D/P MCBD. The drawing is not recoverable from the extracted text.]

7.3 Engineered Safety Features Actuation System

7.3.1 Description

The safety-related instrumentation and controls of the Engineered Safety Feature Systems (ESF Systems) are those of the Engineered Safety Features Actuation System (ESFAS). The safety-related instrumentation and controls consist of the electrical and mechanical devices and circuitry, from sensors to actuation device input terminals, involved in generating those signals that actuate the required ESF Systems. The ESF Systems sense and command function is referred to as the ESFAS.

The ESFAS utilizes bistable trip functions and coincidence logic in the Plant Protection System (PPS) and component control logic in the Engineered Safety Feature-Component Control System (ESF-CCS) to generate actuation signals. Actuation signals are provided as input signals to ESF System execute features. The following actuation signals are generated by the ESFAS when the monitored variable reaches the levels that are indicative of conditions which require protective action:

  • Containment Isolation Actuation Signal (CIAS)
  • Containment Spray Actuation Signal (CSAS)
  • Main Steam Isolation Signal (MSIS)
  • Safety Injection Actuation Signal (SIAS)
  • Emergency Feedwater Actuation Signal (EFAS)

The ESFAS signals actuate the ESF Systems equipment. The control circuitry for the components provides sequencing necessary to provide proper ESF Systems operation.

In addition to providing actuation and control of Engineered Safety Features Systems, the ESF-CCS is the central controlling system for other safety related components. Such components include breaker and relay operated components (e.g., pumps, fans, heaters and motor operated valves), and solenoid operated components (e.g., pneumatic, electro-pneumatic and direct operated valves).

The ESF System components are manually controlled through the ESF-CCS during normal plant operation, and automatically actuated upon receipt of ESFAS initiation signals from the PPS.

7.3.1.1 System Description

The actuation system consists of the sensors, logic, and actuation circuits which monitor selected plant parameters and provide an actuating signal to each actuated component in the ESF System required to be actuated, if the selected plant parameters reach predetermined setpoints. ESF System functions are distributed among various actuation systems. Each actuation system is identical except that specific inputs and logic (and blocks, where provided) vary from system to system and the actuated devices are different. The overall logic is shown in Figures 7.3-1a through 7.3-1d.

Within the PPS, the Local Coincidence Logic (LCL) is like that shown on Figure 7.2-1. The LCL provides the full two-out-of-four coincidence. Each Local Coincidence Logic operates Initiation Logic which controls the initiation relays. The outputs of the initiation relays are directed to the selective two-out-of-four logic in the ESF-CCS where they are logically combined for the given function as shown on Figure 7.3-2.

  • ESF-CCS Configuration

From the PPS cabinet the signals are sent to four ESF-CCS division cabinets. Each cabinet contains the logic for only one ESF-CCS division; A, B, C, or D (refer to Figure 7.3-3). Each ESF-CCS division is similar, therefore only ESF-CCS division A is described.

The ESF-CCS division is segmented to include a Division Gateway (A,) and Group Controllers (A1 through An). Each segment contains processors, local and remote multiplexers, and communications interfaces. The Division Gateway segment supports master transfer switch and operator's module interfaces, Intersystem Communication datalinks, and a Maintenance and Test Panel. Each Group Control segment supports component control and data acquisition interfaces, Component Control Switches and related Process Controllers.

Redundancy is provided in each segment to enhance reliability. Primary and standby processors function such that the primary unit actively performs the control functions while the standby unit passively follows (tracks) the actions of the primary unit. Primary and standby processor performance is continuously monitored by a redundancy controller.

ESF functions are assigned to individual group control segments within each ESF-CCS division (refer to Figure 7.3-3). (For example: Consider the Safety Injection System (SIS), Containment Spray System (CSS), Safety Depressurization System (SDS), Emergency Feedwater System 1 (EFW-1) and Emergency Feedwater System 2 (EFW-2) related to steam generators 1 and 2, respectively. SIS, CSS and SDS are assigned to ESF-CCS group control segment 1. EFW-1, EFW-2, CIS and MSIS are assigned to group control segment 2, and so forth). This functional assignment approach limits the effect of a single group failure to selected ESF functions in a given division.

Additional segmentation of functional assignment is applied within each ESF-CCS group control segment. (For example: SIS and CIS components and instrumentation are assigned to separate multiplexers and initiation signals (SIAS and CSAS) are assigned to separate input modules within a multiplexer). These practices limit the effect of single multiplexer or module failure to selected ESF functions in the division.

ESF system interfaces are also confined within group control segments to minimize reliance on the Intradivision Communication Network for ESF operability. (For example: SIAS initiation signals and SIS component and instrumentation interfaces are confined to group control segment 1.) Failure of the Intradivision Communication Network, therefore, will not affect SIS operation.

Local and remote multiplexing is incorporated in the ESF-CCS to reduce and simplify plant wiring. Remote multiplexers, referred to as Control Panel Multiplexers (CPM), are physically located in the main control panels (MCP), and the remote shutdown panel (RSP). Loop Controllers, which also perform remote multiplexing, are housed in cabinets that are located near plant component and instrumentation interface locations. Multiplexers located in the ESF-CCS equipment cabinets accept ESF initiation signals from the PPS. Fiber-optic cable provides electrical isolation where required to meet channel independence provisions of IEEE Std. 279-1971. Networks utilize active redundant cabling to maintain multiplexer operability under single cable fault conditions.

Exchange of data between each segment within an ESF-CCS division is provided by an Intradivision Communication Network. This network utilizes active redundant cables to maintain communication between segments under single cable fault conditions.

Two network types (refer to Figure 7.3-3) are used in the Engineered Safety Features Actuation System (ESFAS) implemented in the PPS and the ESF-CCS. These are polled master/slave networks and token pass peer-to-peer networks. Both network types exhibit deterministic performance since all data is serviced (updated) on a continuous scan basis. Data update is not dependent on parameter change of state.

The polled master/slave type network is applied as remote I/O networks in the PPS for cross channel bistable trip signal communication to coincidence logic. The Processor (or Master) polls each node (or Slave) to elicit an update of its data base and to manipulate system inputs and outputs. The node then responds over the network and completes its transaction within a fixed time period. Each node on the network is successively serviced in this manner and the cycle is continuously repeated.

The token pass peer-to-peer network is applied as the Intradivision Network to interconnect all segments within an ESF-CCS Division and interface to the maintenance and test panel, the network bridge to a PPS channel and the controls and indications at the Remote Shutdown Room. Upon receipt of the token, a Segment (or Node) acquires use of the network to read and/or write data between other segments and the interfaces. The token is then passed to the next segment after a fixed time period and the cycle is continuously repeated.
The data protocols for these networks are contingent on the specific equipment selected for system implementation; however, error detection methods such as Cyclic Redundancy Check or Longitudinal Redundancy Check are always employed. All networks are selected to have demonstrated field proven robustness to EMI. The token pass peer-to-peer networks are redundant in the ESF-CCS to maximize availability.

Control hardware failures are annunciated, and modularity is utilized to minimize mean-time-to-repair (MTTR). Hardware reliability is enhanced by the use of redundancy, modularity, local and remote multiplexing and prudent distribution of power within each ESF-CCS division. These functional distribution practices and ESF-CCS segment equipment redundancy provide a "defense-in-depth" approach resulting in a high degree of ESF-CCS reliability.

The ESF-CCS is a multiple microprocessor based system. The ESF-CCS software is developed and tested in accordance with Regulatory Guide 1.152 as described in Section 7.1.2.
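The difference between the two error detection methods named above shows up on a single polled reply. The following Python is an added example, not the plant's protocol or vendor code: the frame layout (node, scan sequence, two payload bytes, check field), the byte-wise XOR form of LRC, the CRC-16/CCITT polynomial and all names are assumptions, because the text leaves the data protocol to the selected equipment.

```python
import struct


def lrc8(data: bytes) -> int:
    """Longitudinal redundancy check, byte-wise XOR form (assumed variant)."""
    out = 0
    for byte in data:
        out ^= byte
    return out


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16 with polynomial 0x1021, initial value 0xFFFF, no reflection."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_reply(node: int, seq: int, payload: bytes, check: str) -> bytes:
    """Slave reply: node id, scan sequence, payload, then the check field."""
    body = struct.pack(">BB", node, seq) + payload
    if check == "lrc":
        return body + bytes([lrc8(body)])
    return body + struct.pack(">H", crc16_ccitt(body))


def verify_reply(frame: bytes, node: int, seq: int, check: str):
    """Master side: return the payload, or None if the reply must be discarded."""
    width = 1 if check == "lrc" else 2
    if len(frame) < 2 + width:
        return None
    body, tail = frame[:-width], frame[-width:]
    if check == "lrc":
        intact = tail[0] == lrc8(body)
    else:
        intact = struct.unpack(">H", tail)[0] == crc16_ccitt(body)
    # A reply from the wrong node or an old scan is rejected as well.
    if not intact or body[0] != node or body[1] != seq:
        return None
    return body[2:]


def poll_cycle(slaves: dict, seq: int, check: str, channel=lambda node, frame: frame) -> dict:
    """One deterministic scan: every node is polled in fixed order, changed or not."""
    table = {}
    for node in sorted(slaves):
        frame = channel(node, build_reply(node, seq, slaves[node], check))
        table[node] = verify_reply(frame, node, seq, check)  # None marks a failed poll
    return table


# Constructed sample data: two bytes of trip bits per node, node 2 has bit 0 of byte 0 set.
SLAVES = {1: b"\x00\x00", 2: b"\x01\x00", 3: b"\x00\x00"}


def swap_payload_bytes(node: int, frame: bytes) -> bytes:
    """Constructed transmission fault: the two payload bytes of node 2 arrive transposed."""
    if node != 2:
        return frame
    damaged = bytearray(frame)
    damaged[2], damaged[3] = damaged[3], damaged[2]
    return bytes(damaged)


def compare_checks(seq: int = 7) -> dict:
    """Run the same faulty scan under both check methods."""
    return {check: poll_cycle(SLAVES, seq, check, swap_payload_bytes) for check in ("lrc", "crc")}
```

With the XOR check the transposed reply is accepted and the trip bit is attributed to the wrong byte; with the CRC the reply is discarded and the master holds no data for that node until the next scan. Both checks address random transmission errors only.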

  • ESF-CCS Logic

In addition to the system level selective two-out-of-four logic for ESF actuation, the ESF-CCS also provides Group Control Logic (GCL), Component Control Logic (CCL), Selective Group Test Logic (SGT), and Diesel Loading Sequencer (DLS) Logic. DLS logic is described in Section 7.3.1.1J!.3 and SGT logic is described in Section 7.3.1.1.8.6.

GCL performs supervisory control of groups of components. The ESF-CCS also provides Master Transfer Switching (MTS) to disable all Main Control Room controls and enable Remote Shutdown Panel controls. Upon MTS, components are preprogrammed to remain as-is or to go to a predetermined state (e.g., safe shutdown lineup).

CCL is the component level logic that monitors the various digital inputs, such as manual on-off demands, interlocks, and automatic group control signals from the GCL, and produces digital output signals to control the component (i.e., START/STOP, ON/OFF) through power level interface devices. This logic also generates digital outputs for status indication.

  • ESF-CCS Operator Interfaces

Operator control functions are performed from the Main Control Panels (MCP) or Remote Shutdown Panel (RSP).

Automatic and manual component control and status indication is provided on the MCP by switches. Backlighted momentary pushbutton switches are used for major flow paths of critical safety function access paths. Other switches may be implemented on flat panel control devices similar to process controllers. A description of switch operation and component status indication is provided in Section 18.7.1.6, and the typical electrical interface for these devices is shown in Figure 7.3-4. These devices interface with the ESF-CCS through control panel multiplexers (CPMs) located in the MCPs. A remote ESF-CCS operator's module is also provided in the main control room for backup in the event of switch or multiplexer failure. This panel provides component control through menu selection using a qualified video display unit.

Momentary pushbutton switches are also provided for the RSP controls identified in Table 7.4-1 to permit control of components required to achieve hot standby conditions when the main control room is uninhabitable. These devices also interface to the ESF-CCS through CPMs located in the RSP. A remote ESF-CCS operator's module is provided at the RSP for backup of control switch or multiplexer failure. This remote operator's module also provides for control of all ESF-CCS components including components necessary to achieve cold shutdown as identified in Table 7.4-2.

Transfer of control from the main control room to the RSP is performed by Master Transfer Switches (MTS) located at the exit doors of the Main Control Room and on the ESF-CCS equipment cabinet. The operation of the transfer switches is further discussed in Section 7.4.1.1.10. Fiber optic cable is used to prevent fault propagation to the ESF-CCS from the main control room or the RSP.

As a "defense-in-depth" measure, Local Control Switches (LCS) are provided independent from the ESF-CCS for components essential to hot shutdown. Only manual control (i.e., ON/OFF, START/STOP, OPEN/CLOSE) is provided through LCS. LCS are field-wired for direct control of components or motor control center component actuators and are field located near actuated components in locations such as the motor control centers. The LCS may also be used for test and maintenance.

Process controllers are supported where required from ESF-CCS group control segments to facilitate operator manipulation of continuous process control functions (e.g., valve modulation control, auto/manual mode selection, etc.). A description of process controller operation is provided in Section 18.7.1.7.

A maintenance and test panel is included in the ESF-CCS equipment cabinet. This operator interface provides indications for ESF-CCS equipment status and is used for ESF-CCS maintenance, test and diagnostics. The panel includes the MTS for RSP transfer.

ESFAS manual initiation interfaces to the ESF-CCS are through hardwired circuits in the PPS cabinet. The engineered safety features manual initiation function bypasses all computers used for automatic initiation of engineered safety features (i.e., PPS Bistable and Coincidence Processors). Within the ESF-CCS, one input multiplexer is common to system level manual and automatic initiation of engineered safety features. Another input multiplexer accepts manual train actuation and manual component actuation signals from the operator's module and component control switches, respectively. These ESF-CCS multiplexers are independent to the extent that credible single failures will impact one multiplexer only.

7.3.1.1.1 ESFAS Measurement Channels

Process measurement channels, similar to those described in Section 7.2.1.1.2.1, are utilized to perform continuous monitoring of each selected generating station variable, provide indication of operational availability of each sensor to the operator, and transmit analog signals to bistables within the ESFAS initiating logic. All protective parameters are measured with four independent process instrument channels.

A typical measurement channel is shown in Figure 7.2-4. It consists of a sensor/transmitter, current loop resistors, loop/power supply, fiber-optic isolated outputs for the process control systems, DPS and DIAS. The DPS and DIAS receive digitized information over data links which are not part of the process measurement loop.

Each measurement channel is separated from other like measurement channels to provide physical and electrical separation of the signals to the ESFAS coincidence logic. Cabling is separated within the cabinets and signals to non-1E systems are isolated. Each channel is supplied from a separate 120 volt vital AC distribution bus.

7.3.1.1.2 Logic

7.3.1.1.2.1 ESFAS Bistable and Coincidence Logic

The ESFAS Bistable Logic compares the analog signal from the sensors with predetermined fixed or variable setpoints (see Figure 7.2-12). If the input signal exceeds the setpoint the bistable produces trip signals which are transmitted to the Local Coincidence Logics (LCLs).

The setpoint values are controlled administratively and automatically monitored continuously. The fixed setpoints are adjusted at the PPS cabinet. Access for setpoint adjustment is limited by keylock with access annunciated by DIAS. The bistable setpoints are capable of being displayed at the PPS cabinet and DPS displays in the main control room. Some setpoints are externally variable to avoid inadvertent initiation during normal operations such as startup, shutdown, cooldown, and evolutions such as low power testing. The steam generator and pressurizer pressure setpoints can be manually decreased by the operator and will automatically increase as pressure increases.

The bistable trip signals are directed to the LCLs (refer to Figure 7.3-16) in all channels such that full two-out-of-four coincidence is provided for each channel. The outputs of the LCLs control the initiation relays which send signals to the Actuation Logic in each ESF-CCS division cabinet.

Besides the automatic actuation of the initiation logic by the LCL, the initiation relays can be tripped by remote manual switches. All ESF actuation signals can be manually initiated by the operator from the control room in accordance with procedures. Following initiation, each engineered safety system, including latched portions of EFAS, must be manually reset to restore the initiation logic to the non-actuated state.

7.3.1.1.2.2 Actuation Logic

The ESFAS actuation and component control logics are physically located in four independent and geographically separate ESF-CCS cabinets. The four initiation circuits in the PPS actuate a selective two-out-of-four logic in the ESF-CCS.

In the actuation logic (refer to Figure 7.3-2), each signal also sets a latch when the selective two-out-of-four logic actuates to assure that the signal is not automatically reset once it has been initiated. Receipt of two selective engineered safety system initiation channel signals will generate the actuation channel signals. This is done independently in each ESF-CCS cabinet, generating division A and division B and where required, division C, and division D signals.

The group component control logic is used to actuate the individual ESF components which are actuated to mitigate the consequences of the occurrence that caused the actuation.
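The signal path of Sections 7.3.1.1.2.1 and 7.3.1.1.2.2 (bistable, full two-out-of-four local coincidence, selective two-out-of-four, latch, manual reset) can be traced in Python. This is an added example, not part of the Design Control Document or any vendor code; the channel pairing used for the selective logic, the low-pressure trip direction, the pressure values and all names are assumptions, since Figure 7.3-2 is not reproduced here.

```python
from dataclasses import dataclass

CHANNELS = ("A", "B", "C", "D")


def bistable_trips(pressures: dict, setpoint: float) -> dict:
    """One bistable per measurement channel; assumed to trip on low pressure."""
    return {ch: pressures[ch] <= setpoint for ch in CHANNELS}


def local_coincidence(trips: dict) -> bool:
    """Full two-out-of-four: any two of the four bistable trips."""
    return sum(bool(trips[ch]) for ch in CHANNELS) >= 2


def initiation_signals(trips: dict, failed_lcl=()) -> dict:
    """Every PPS channel's LCL receives all four trips and drives its own
    initiation relay. A channel listed in failed_lcl never initiates."""
    coincident = local_coincidence(trips)
    return {ch: coincident and ch not in failed_lcl for ch in CHANNELS}


def selective_two_of_four(initiation: dict) -> bool:
    """ASSUMED pairing: one signal from (A, C) and one from (B, D)."""
    return (initiation["A"] or initiation["C"]) and (initiation["B"] or initiation["D"])


@dataclass
class EsfDivision:
    """Actuation logic of one ESF-CCS division: selective 2-out-of-4 plus latch."""
    latched: bool = False

    def scan(self, initiation: dict) -> bool:
        if selective_two_of_four(initiation):
            self.latched = True      # set only; clearing needs the operator
        return self.latched

    def manual_reset(self) -> None:
        self.latched = False


def run_scenario(setpoint: float = 1800.0, failed_lcl=()) -> list:
    """Constructed pressures (psia): normal, one transmitter failed low,
    a real pressure drop, recovery, then manual reset and one more scan."""
    scans = [
        {"A": 2250.0, "B": 2250.0, "C": 2250.0, "D": 2250.0},
        {"A": 0.0, "B": 2250.0, "C": 2250.0, "D": 2250.0},
        {"A": 0.0, "B": 1750.0, "C": 1760.0, "D": 1740.0},
        {"A": 0.0, "B": 2250.0, "C": 2250.0, "D": 2250.0},
    ]
    division = EsfDivision()
    states = []
    for pressures in scans:
        trips = bistable_trips(pressures, setpoint)
        states.append(division.scan(initiation_signals(trips, failed_lcl)))
    division.manual_reset()
    trips = bistable_trips(scans[-1], setpoint)
    states.append(division.scan(initiation_signals(trips, failed_lcl)))
    return states
```

The single failed transmitter in the second scan does not actuate the division, and the latch holds the actuation through the recovery scan until the reset.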
7.3.1.1.2.2.1 Component Control Logic

This section describes the control logic designs for the five basic types of components to be controlled by the ESF-CCS:

  • Solenoid-Operated Valves
  • Motor-Operated Valves
  • Contactor-Operated Components
  • Circuit Breaker-Operated Components
  • Modulating Components


7.3.1.1.2.2.1.1 Solenoid-Operated Valves

7.3.1.1.2.2.1.1.1 Two-State Solenoid Valve Control

The ESF-CCS executes the control logic necessary to energize the solenoid, as a function of the open/closed state to which the energized solenoid corresponds (i.e., energize to open valve or energize to close valve). In general, there is one solenoid for direct operating electro-hydraulic or electro-pneumatic valve types. Figure 7.3-8a is a typical Functional Control Logic Diagram (FCLD) that depicts the control design for a solenoid-operated valve. Figure 7.3-8b depicts the generic electrical interface design for a solenoid-operated valve. For valves that have multiple solenoids with various energize/deenergize sequencing requirements that apply to different operating or test modes, the generic control logic design and electrical interface design is modified appropriately. The following signals are utilized in the control logic:

  • Position Status
    The control logic utilizes "not full open" (NFO) and "not full closed" (NFC) position signals. These signals are from direct indicating limit switches on the process control valve. These signals are used primarily for status indication and interlocking with other components.

  • Control Signal
    The control logic utilizes the state of the output relay and the continuity monitoring circuit associated with the output. A digital output module in the Loop Controller provides the relay output interface to energize the solenoid.

The position signals, control output status and continuity monitoring status are logically combined to provide component status indication (OPEN/CLOSE), component discrepancy indication (component not in the required position), and component inoperable indication (loss of control power or circuit continuity). The component inoperable signal is used to reset component control logic following a loss of motive or control power and is delayed momentarily to prevent normal switching transients or momentary losses of power from unnecessarily resetting component logic.

7.3.1.1.2.2.1.1.2 Modulating Valves With Solenoid Operators

These are solenoid-operated valves that have electro-pneumatic modulators to allow continuous valve positioning. Figure 7.3-9a is a typical FCLD depicting the generic control design for a modulating valve with a solenoid operator. Figure 7.3-9b depicts the generic electrical interface design. The following signals are utilized in the control logic:

  • Solenoid Energized
    This signal is used for status to indicate the energized state of the solenoid. This signal is derived from limit switches on the solenoid itself. Where this is not available, the signal is derived from a logic element that is representative of solenoid energization.

  • Analog Position
    Continuous valve position indication is provided for valves where it is required for human factors engineering reasons. An analog input is received from a position transducer on the valve and interfaced with an analog input module in the Loop Controller.

  • Control Signal
    The continuous process signal for positioning the modulated valve is provided to the electro-pneumatic (E/P) or electro-hydraulic (E/H) positioner from an interface with an analog output module in the Loop Controller.

The control design for modulating valves and other modulated components without discrete state operators are discussed in Section 7.3.1.1.2.2.1.5.

7.3.1.1.2.2.1.2 Motor-Operated Valves

This section describes the control logic for motor-operated valves (MOVs) that use reversing motor contactors. The ESF-CCS executes the control logic necessary to energize the open and close contactors.

7.3.1.1.2.2.1.2.1 Interface Signals

Interlocking of the open/close contactors, electrical fault and/or thermal overload protection, and interlocking with limit and torque switches are wired external to the ESF-CCS control logic. These are not shown on the FCLDs. Figure 7.3-10a depicts a typical MOV functional interface design. Figure 7.3-10b shows the generic electrical interface design for a motor-operated valve. These figures show the signals that the ESF-CCS uses in the control logic. The interface signals are described as follows:

  • Position Status
    These signals are the same as those for solenoid valves (see Section 7.3.1.1.2.2.1.1.1). All MOVs have discrete state position indicators. Throttling MOVs also have continuous position indication if required for human factors engineering reasons.

  • Control Signal
    The control logic utilizes the state of the output relays and the continuity monitoring circuit associated with each output. A digital output module in the Loop Controller provides the relay output interface to energize the contactor.

  • Contactor Deenergized
    The control logic utilizes one signal to determine when the opening coil and closing coil are deenergized. This signal is generated from a combination of opening and closing coil contacts which are wired together in the motor starter. The signal interfaces with a digital input module in the Loop Controller. This design allows the valve motor to be stopped by torque or limit switches without ESF-CCS intervention. The contactor deenergized signal results in the ESF-CCS opening its control contacts thereby allowing utilization of local controls.

The position signals, contactor deenergized signal, control output status and continuity monitoring status are logically combined to provide component status indication (OPEN/CLOSE), component discrepancy indication (component not in the requested position), component inoperable indication (loss of control power or circuit continuity), and high torque conditions (torque switch open). The component inoperable signal prevents resetting latches in the control logic and is used to provide indication to the operator that the component is inoperable.

7.3.1.1.2.2.1.2.2 Throttling and Full Throw Designs

The ESF-CCS provides full throw or throttling (or jogging) valve control. Full throw valves are actuated by signals that are latched in the control circuit such that valve travel will continue even if the initiating control signal is removed. All full throw MOVs can be reversed in mid-travel by removal of the initiating control signal and application of a control signal for travel in the opposite direction. Figure 7.3-11 is a typical FCLD depicting the generic design of a full throw motor-operated valve.

Throttling MOVs stop traveling when the operator initiated control signal is removed. As such they can be positioned by the operator anywhere from 0-100%. Where throttling MOVs are also controlled by automatic ESF actuation signals, the control response to the automatic signal is always full-throw. Figure 7.3-12 is a typical FCLD depicting the generic design of a throttling motor-operated valve.

7.3.1.1.2.2.1.2.3 Thermal Overload Monitoring

The application of thermal overload protection devices in Class 1E motor-operated valve circuits is in compliance with Regulatory Guide 1.106. Thermal overload protection devices are not used in safety-related motor-operated valve circuits. Thermal overload devices are used to provide alarm functions. Figure 7.3-17 provides a simplified schematic of this design.
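The full throw and throttling behaviour of Section 7.3.1.1.2.2.1.2.2, together with the status combination described for MOVs, can be followed scan by scan in Python. This is an added example, not the FCLD logic of Figures 7.3-11 and 7.3-12: the class and function names, the 25% travel per scan and the priority of a latched demand over a manual command are assumptions.

```python
class MovControl:
    """Open/close demand logic for one MOV; `throttling` selects the design."""

    def __init__(self, throttling: bool):
        self.throttling = throttling
        self.latch = None                      # "OPEN", "CLOSE" or None

    def scan(self, nfo, nfc, open_cmd=False, close_cmd=False, esf_demand=None):
        """One logic scan. nfo / nfc are the "not full open" and "not full
        closed" limit switch signals. Returns the contactor demand."""
        manual = None
        if open_cmd != close_cmd:              # contradictory commands are ignored
            manual = "OPEN" if open_cmd else "CLOSE"
        if esf_demand in ("OPEN", "CLOSE"):
            self.latch = esf_demand            # automatic signal: always full throw
        elif manual and not self.throttling:
            self.latch = manual                # full throw: latch, or reverse mid-travel
        demand = self.latch or manual          # throttling: follows the held command
        # Travel complete in the demanded direction: drop the output and the latch.
        if (demand == "OPEN" and not nfo) or (demand == "CLOSE" and not nfc):
            demand = None
            self.latch = None
        return demand


def component_status(nfo, nfc, requested, control_power_ok=True, continuity_ok=True):
    """Combine limit switches and circuit monitoring into operator indications."""
    position = {
        (False, True): "OPEN",
        (True, False): "CLOSED",
        (True, True): "MID-TRAVEL",
    }.get((nfo, nfc), "INVALID")               # both switches made: contradictory
    return {
        "position": position,
        "discrepancy": position != requested,  # component not in requested position
        "inoperable": not (control_power_ok and continuity_ok),
    }


def simulate(ctrl: MovControl, script: list, position: int = 0, step: int = 25) -> list:
    """Drive a constructed valve model (percent open) through a list of scan inputs."""
    trace = []
    for inputs in script:
        demand = ctrl.scan(position < 100, position > 0, **inputs)
        if demand == "OPEN":
            position = min(100, position + step)
        elif demand == "CLOSE":
            position = max(0, position - step)
        trace.append(position)
    return trace


# Constructed scripts: one dict of inputs per scan, {} means no command present.
FULL_THROW = [{"open_cmd": True}, {}, {}, {}, {}]
REVERSAL = [{"open_cmd": True}, {}, {"close_cmd": True}, {}, {}]
THROTTLE_THEN_ESF = [{"open_cmd": True}, {"open_cmd": True}, {}, {},
                     {"esf_demand": "OPEN"}, {}, {}]
```

A one-scan open command carries the full throw valve to 100%, while the throttling valve stops at 50% when the operator releases the command and completes its travel only after the automatic signal latches.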
7.3.1.1.2.2.1.3 Contactor-Operated Components A typical FCLD depicting the generic control design for a contactor-operated component is depicted in Figure 7.3-13a. The generic electrical interface design is shown in Figure 7.3-13b. The ESF-CCS provides the control logic necessary to energize the contactor. Designs for electrical fault and/or thermal overload protection are wired external to the ESF-CCS. The interface signals are described as follows:

  • Position Status The control logic utilizes "a" auxiliary contacts from the contactor for the status signal. This signal interfaces with a digital input module in the Loop Controller.
  • Control Signal The control logic utilizes the state of the output relay and continuity monitoring circuit associated with the output. A digital output module in the Loop Controller provides the relay output interface to energize the contactor.

The position status signal, control signal, output status and continuity monitoring are logically combined to provide contactor status indication (ON/OFF), contactor discrepancy indication (contactor not in requested condition) and component inoperable indication (loss of control power or circuit continuity). The component inoperable signal prevents resetting latches in the control logic and is used to provide indication to the operator that the component is inoperable.

7.3.1.1.2.2.1.4 Circuit Breaker-Operated Components

Circuit breakers are used to control most loads requiring voltage greater than 480V AC. Figure 7.3-14a is a typical FCLD depicting the generic control logic necessary to energize the breaker's closing circuit and energize the breaker's trip circuit. The generic design of the electrical interfaces to the closing and trip circuits is shown in Figure 7.3-14b. Electrical fault protection interfaces and rack-out or test position interlocks are wired external to the ESF-CCS. The following status signals are used in the electrical portion of the design:

  • Position Status The control logic utilizes an "a" contact from the circuit breaker auxiliary switch for position status indication. This signal interfaces with a digital input module in the Loop Controller.
  • Control Signal The control logic utilizes the state of the output relays and the continuity monitoring circuits associated with each output. A digital output module in the Loop Controller provides the relay output interface to the circuit breaker opening and closing circuits.
  • Fault Trip The control logic utilizes a signal from the overcurrent relay to provide fault indication. This signal interfaces with a digital input module in the Loop Controller.
  • Control Power The control logic receives a signal derived from control power monitoring contacts for closing and trip circuits (74-1 and 74-2). This signal is logically combined with control output status and coil continuity status to derive a control power status signal.

The position status signal, fault trip status signal, control power status signal, control output status signal and continuity monitoring signals are logically combined to provide circuit breaker status indication (OPEN/CLOSE, ON/OFF), discrepancy indication (circuit breaker is not in requested condition) and component inoperable indication (loss of control power or circuit continuity). The component inoperable signal prevents resetting latches in the control logic and is used to provide indication to the operator that the component is inoperable.

7.3.1.1.2.2.1.5 Modulating Components

A typical FCLD showing the generic design for a modulating component is depicted on Figure 7.3-15a. The generic electrical design is shown in Figure 7.3-15b. These types of devices include electro-pneumatic (E/P) and electro-hydraulic (E/H) actuated components (pumps or valves) that require only analog signal inputs for continuous control (i.e., no discrete state controls from pilot solenoids). The following signals are interfaced to the ESF-CCS from the component:

  • Status
    1. Valve Position
       - "NOT FULL OPEN" and "NOT FULL CLOSED" position signals from indicating limit switches interface with a digital input module in the Loop Controller.
       - Analog valve position is used, where required, based on human factors engineering considerations. The position signal is from a position transducer and interfaces with an analog input module in the Loop Controller.
    2. Pumps
       - "ON" and "OFF" signals are from contactor or circuit breaker auxiliary switch "a" contacts which interface with digital input modules in the Loop Controller.

Turbine Speed are analog input and output signals that interface with analog input and output modules in the Loop Controller.

  • Component inoperable Component inoperable indication may be provided where loss of control or motive power signals are available from the component (i.e. circuit breaker or contactor).

7.3.1.1.2.2.2 Group Actuation

Actuation signals, generated by the selective two-out-of-four logic in the ESF-CCS, are directed to actuate groups of ESF system components required by the ESFAS function. These components generally consist of solenoid-operated valves, motor-operated valves or motors of pumps. Figures 7.3-8a, 7.3-11 and 7.3-14a show typical ESFAS interlocks in the functional control logic for override of each of these components. Valves and pumps, related to a specific engineered safeguard function, are grouped within an ESF-CCS division, as shown in Figure 7.3-7, such that the required component groups are actuated by the appropriate logic. The actual ESFAS interface exists in the component control logic for each component.

7.3.1.1.2.3 ESF-CCS - Loading Sequencer

Due to the large power requirements imposed on the auxiliary transformers and diesel generators, there exists a need to sequentially load them.

The System 80+ plant equipment is arranged into several load groups. Load groups are energized one at a time by the ESF-CCS Loading Sequencer, thus avoiding coincident loading of large loads which could overload the auxiliary transformers or diesel generator. Equipment is energized as quickly as possible to minimize the overall plant disturbance.

The Loading Sequencer function is implemented independently in two divisions of the ESF-CCS (A and B), such that each division controls one of two redundant divisions. The function is implemented in ESF-CCS group controllers which utilize redundant PLCs in a hot standby configuration. If one of the PLCs fails, automatic transfer to the hot standby PLC is initiated, thereby protecting against a single failure, such that a single failure will not impact the Loading Sequencer function of either division.

Diesel generators as described in Section 8.3.1.1.4 are utilized in the System 80+ design as a source of backup electrical power to ensure availability of the plant's safety systems. Further defense in depth is provided by the alternate AC power source (gas turbine generator) which can be aligned to feed power to either the Division I or Division II safety bus in the event of failure of either of the diesel generators or the preferred power source.

To minimize auxiliary transformer and diesel generator size and eliminate unnecessary equipment cycling, but still meet concerns of plant safety, the ESF-CCS Loading Sequencer design ensures one group at a time loading but has the intelligence to vary the loading sequence in response to changing plant conditions (i.e., initiation of ESF systems). If an ESF system is actuated, the non-accident load sequence is interrupted to load the appropriate ESF system(s). If an accident does not occur, energizing of non-accident equipment is not delayed unnecessarily, since the sequence does not progress through the steps for the unused accident equipment.
The sequencer is fully testable during on-line plant operation. The Loading Sequencer is used when offsite power is available to prevent a large voltage dip on the bus when multiple large 1E pump motors are started in response to either manual commands or ESF actuation signals. The Loading Sequencer is designed to respond to the occurrence of a plant accident prior to, concurrent with, or any time after the initial LOOP or blackout. The ESF equipment required in the event of a design basis accident is energized within a pre-determined time after the accident has occurred to maintain the plant within its design limits. The equipment required depends on the specific accident. Several load groups of equipment may be needed if multiple ESF systems are needed to accommodate the accident. Figures 7.3-5 and 7.3-6 are simplified diagrams of the ESF-CCS - Loading Sequencer. Figure 7.3-5 depicts the Diesel Loading Sequence operation. It consists of the following sections:

  • Sequence Initiation Logic Three undervoltage relays are associated with each of two 4.16 kilovolt buses in an emergency power division. An undervoltage condition occurs when two of three relays detect undervoltage.

Upon occurrence of an undervoltage condition, the logic which monitors that bus initiates an automatic start of the associated diesel generator, initiates Load Shed (trip) signals to large loads in that power division and sets all Sequencer Output Latches (eleven, typical). The Loading Sequencer monitors the position of the breakers which receive load shed signals and, upon receiving indication that all of the breakers are open, generates a permissive to allow load sequencing to proceed. When the diesel is ready to accept the first load group (Diesel Ready signal) a DG Circuit Breaker Close signal is transmitted to connect the diesel generator to the plant bus.

A DG Auto Start signal is also transmitted to the diesel generator upon occurrence of SIAS, CSAS or EFAS. If a bus undervoltage condition is not present, this signal is not sent and the diesel generator is not connected. The equipment loading sequence then begins.

  • Loading Sequence Logic The basis of the Loading Sequence Logic is a simple eight step counter (additional steps are added, as necessary, to provide the sequencing control for all non-accident equipment). When the diesel generator has attained necessary operating parameters (voltage, frequency, etc.) the breaker is closed and the counter advances, one step at a time, with a constant time base interval between each step. The time base interval is determined by a clock pulse which is adjustable in distinct digital increments. At each step of the counter, one Sequencer Output Latch is reset, removing the Load Shed signal from that load group and re-energizing the required plant equipment.

During non-accident plant conditions the counter will advance, uninterrupted, to reset eight output latches, re-energizing eight non-accident load groups.

The load sequence logic used when offsite power is available is essentially the same as the logic used for sequencing the loads on the diesel generator. The key difference between the two sequences is that when normal offsite power is available there is no load shed and therefore sequencing of non-safety loads is not needed.

  • Priority Interrupt Logic Three priority load groups are designated to handle plant ESF equipment (additional load groups are added, as necessary). The Priority Interrupt Logic continuously monitors ESF actuation signals from the Plant Protection System to detect a SIAS, CSAS or EFAS. If one of these signals is detected, the clock pulse from the Load Sequence Logic (above) is re-directed from the step counter, to reset the Sequencer Output Latch for the appropriate priority load group. Hence, the non-accident loading sequence is interrupted and the required ESF load group is re-energized instead. The time base interval (between each sequence step) is always maintained by the common clock pulse.

The non-accident loading sequence may be interrupted two or three times in the event that multiple ESF Actuations occur at different times. A priority between ESF load groups is established such that if two or three ESF actuations occur during any one time base interval, the ESF load groups will be sequenced in two or three successive steps and in the established priority order. After the ESF load groups have been energized the non-accident sequence will resume (always maintaining the same time base interval).

When an ESFAS occurs with no undervoltage (loss of power) condition, the diesel generator is started as a standby source of power. Since no loss of power has occurred, the normal (non-accident) loads are not load shed and, therefore, only the accident loads need to be sequenced on. Also, because bus power was not interrupted, sequencing of these loads begins immediately, that is, prior to the diesel generator attaining normal operation.
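The three sections described above (Sequence Initiation, Loading Sequence and Priority Interrupt Logic) can be stepped through with a small model. This is an added illustration, not code from the Design Control Document; the group names `NA-1` to `NA-8`, the SIAS, CSAS, EFAS priority order and all class and method names are assumptions.

```python
from dataclasses import dataclass, field

NON_ACCIDENT = [f"NA-{n}" for n in range(1, 9)]  # eight counter steps (names assumed)
ESF_PRIORITY = ["SIAS", "CSAS", "EFAS"]          # priority order is an assumption


def undervoltage(relays):
    """Two-out-of-three vote over the bus undervoltage relays."""
    return sum(bool(r) for r in relays) >= 2


@dataclass
class LoadingSequencer:
    latches: set = field(default_factory=set)      # set latch = Load Shed held on group
    demanded: set = field(default_factory=set)     # ESF actuations received from the PPS
    energized: list = field(default_factory=list)  # groups in the order they were loaded
    step: int = 0                                  # non-accident step counter
    load_shed: bool = False
    dg_start: bool = False
    dg_breaker_closed: bool = False

    def bus_voltage(self, relays):
        """Sequence Initiation Logic: shed loads once and set all eleven latches."""
        if undervoltage(relays) and not self.load_shed:
            self.load_shed = True
            self.dg_start = True
            self.latches = set(NON_ACCIDENT) | set(ESF_PRIORITY)
            self.energized = []  # everything on the bus has just been tripped

    def esf_actuation(self, signal):
        """SIAS, CSAS or EFAS from the PPS: start the diesel and queue the ESF group."""
        if signal not in ESF_PRIORITY:
            raise ValueError(f"unknown ESF actuation signal: {signal}")
        self.demanded.add(signal)
        self.dg_start = True

    def diesel_ready(self, shed_breakers_open):
        """Close the DG breaker only after load shed is confirmed by breaker position."""
        if self.load_shed and shed_breakers_open:
            self.dg_breaker_closed = True
        return self.dg_breaker_closed

    def clock_pulse(self):
        """One time base interval: reset at most one latch and return its group."""
        if self.load_shed and not self.dg_breaker_closed:
            return None  # bus is dead, nothing can be loaded yet
        for signal in ESF_PRIORITY:  # Priority Interrupt Logic
            if signal in self.demanded and signal not in self.energized:
                return self._energize(signal)
        if self.load_shed and self.step < len(NON_ACCIDENT):  # Loading Sequence Logic
            group = NON_ACCIDENT[self.step]
            self.step += 1
            return self._energize(group)
        return None

    def _energize(self, group):
        self.latches.discard(group)
        self.energized.append(group)
        return group


def loss_of_power_with_accidents():
    """Constructed scenario: undervoltage, then ESF actuations during sequencing."""
    seq = LoadingSequencer()
    seq.bus_voltage((True, True, False))
    seq.diesel_ready(shed_breakers_open=True)
    order = [seq.clock_pulse(), seq.clock_pulse()]
    seq.esf_actuation("CSAS")  # two actuations inside one time base interval
    seq.esf_actuation("SIAS")
    order += [seq.clock_pulse() for _ in range(3)]
    seq.esf_actuation("EFAS")  # a later, separate interruption
    order += [seq.clock_pulse() for _ in range(7)]
    return seq, order


def accident_with_bus_power():
    """Constructed scenario: ESF actuation with no undervoltage condition."""
    seq = LoadingSequencer()
    seq.bus_voltage((False, True, False))  # one relay alone does not vote
    seq.esf_actuation("EFAS")
    return seq, [seq.clock_pulse(), seq.clock_pulse()]


if __name__ == "__main__":
    print(loss_of_power_with_accidents()[1])
    print(accident_with_bus_power()[1])
```

In the first scenario every pulse energizes exactly one group, and the two ESF groups demanded in the same interval take the next two steps before the non-accident counter resumes at its third step.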

The Loading Sequencer provides the following features:

  • Since all load groups are always energized one at a time, diesel generator size can be minimized.
  • Accident loads are always energized in the sequence step immediately following the accident occurrence, thus achieving the best availability possible for accident equipment.
  • Since sequence steps are not pre-assigned to accident equipment (which may or may not be needed) no sequence step is wasted. All equipment is energized in the fastest time possible.
  • Equipment is load shed one time only. Once a Class 1E Division load group is energized, that group is unaffected by the occurrence of an accident. See 8.3.1.1.4.6 for additional sequencing of permanent non-safety loads when the Alternate AC Source is not available.
  • The Loading Sequencer testing features, defined in Section 7.3.1.1.8.9, allow complete system check-out while the plant remains on-line.
  • When offsite power is lost at some time after the diesel generators are up to rated voltage and speed, and after the required ESF equipment is running following one or more ESF actuations, the following response time requirements are met:
1. Interrupted SIS flow to the core can be fully reestablished within 20 seconds.
2. Interrupted emergency feedwater flow to the steam generator(s) can be fully reestablished within 20 seconds.
  • In the event that offsite power is unavailable and the diesel generators are not yet up to rated voltage and speed at the time that an ESFAS is generated, there can be a delay of up to 20 seconds before the diesel generator output breakers close and power is supplied to the ESF buses. After the generators are supplying the ESF buses, the ESF loads which are appropriate in the particular ESFAS shall be automatically sequenced on. See Section 8.3, Table 8.3.1-4.

7.3.1.1.3 Bypasses

7.3.1.1.3.1 Bistable Trip Channel Bypass

Bypasses are provided, in the PPS, as shown in Table 7.3-1. The trip channel bypass is identical to the RPS trip channel bypass (Section 7.2.1.1.5) and is employed for maintenance and testing of a channel.

7.3.1.1.3.2 Operating Bypass

The low pressurizer pressure bypass, as shown in Figure 7.3-1a, is provided to allow plant depressurization without initiating protective actions when not desired. The bypass may be initiated manually in each protective channel. However, the bypass cannot be initiated if pressurizer pressure is greater than that shown in Table 7.3-1. Once the bypass is initiated, it is automatically removed when pressurizer pressure increases above the value shown in the table.

7.3.1.1.3.3 Bypasses and Inoperable Status

Auxiliary and supporting systems for the safety-related instrumentation and controls are designed to cause a system level bypass indication when they are bypassed or deliberately made inoperable. The bypass indication is provided for the safety-related system which is affected by the bypassing or deliberate inoperability of the auxiliary or supporting system.

There is no I&C equipment that must be locked out during refueling; however, it is anticipated that electro-mechanical devices such as breakers will require lock-out. All lock-outs that render a safety system inoperable will be accompanied by a "system inoperable" alarm in the main control room. In accordance with Reg. Guide 1.47, this alarm will be automatically generated for all lock-outs that are expected more frequently than once per year.

7.3.1.1.4 Interlocks

The Bistable Trip Channel Bypass Interlocks for ESFAS, located in the PPS, prevent the operator from bypassing more than one trip channel of a trip parameter at a time. Different trip parameters may be bypassed simultaneously, either in the same channel or in different channels. This function is shown in Figure 7.2-13.

During PPS testing, additional interlocks are provided as described in Section 7.2.1.1.6 to prevent disabling more than one redundant protection function at a time or to prevent maintenance personnel from inadvertently causing unwarranted ESFAS signals.

ESF-CCS component control interlocks are shown on the applicable component FCLDs.

7.3.1.1.5 Redundancy

There are many redundant features within the ESFAS. There are four independent channels for each parameter from process sensor through and including the initiation circuits located in four PPS channels. There are four redundant ESF-CCS divisions used to operate four (or two) totally redundant ESF trains.

Where redundancy exists at the engineered safety system level, component assignments to redundant ESF-CCS divisions are made to maintain that level of design redundancy. Redundant flow paths are provided, such as the Safety Injection System, to ensure flow under single failure conditions. In this instance, components from each flow path are assigned to independent ESF-CCS divisions to maintain flow path availability upon single failure within an ESF-CCS division (i.e., division A and B). In addition, a redundant flow path may contain two valves in series, such as the Emergency Feedwater System or the Containment Spray System, to preclude spurious flow path initiation upon single failures. In this instance, each valve is assigned to independent ESF-CCS divisions such that a single failure within an ESF-CCS division will not cause spurious flow path initiation. Preventing spurious flow path initiation is accomplished while maintaining independence of redundant ESF flow paths. To achieve this, selected components in ESF system trains A and B are assigned to ESF-CCS divisions C and D, respectively. Refer to mechanical systems sections for component to train assignments.

Each ESFAS division (A, B, C and D) receives vital AC power from separate I&C buses A, B, C and D, respectively.

The result is a system which meets the single failure criterion and can be tested during operation. The PPS ESFAS can be shifted to two-out-of-three logic when a channel is removed for testing or maintenance, without affecting system availability.

The ESF-CCS utilizes redundant selective two-out-of-four coincidence logic to actuate ESF components. The redundancy controller coordinates the operation of the primary and standby ESF-CCS system processors. The standby system processors are employed to improve system availability only and are not credited for compliance to the single failure criteria. As such, it is assumed that primary/standby processor pairs can fail as a result of single failures in redundancy controllers. These failures and their consequences have been analyzed and are defined in the Failure Modes and Effects Analysis (FMEA) Table 7.2-5.

A description of typical redundancy controller operation is provided as follows: Redundancy controllers reside in both the primary and standby processor chassis of each ESF-CCS group controller. A high speed datalink connects the redundancy controllers in a group controller. The primary processor executes the control software, reads system inputs, and controls system outputs. Timing and state memory information is provided to the standby processor from the primary processor via the redundancy controller to facilitate synchronization between the two processors and to keep the standby processor updated with current dynamic process values. This is necessary to facilitate bumpless transfer to the standby processor upon primary processor failure. Primary processor failure is detected by self diagnostic tests. The redundancy controller transfers system operation to the standby processor upon detection of primary processor failure. Standby processor status is continuously monitored to ensure that this transfer can occur.

Transfer of system operation is inhibited if standby processor failure is detected. Similarly, transfer from the standby processor back to the primary processor is inhibited until the primary processor is restored to proper operation. Primary or standby processor failure is annunciated through the DPS and DIAS upon failure detection. Failure of the redundancy controller will result in the inability to transfer system operation from the primary to the standby processor. This failure is also annunciated through the DPS and DIAS.

7.3.1.1.6 Diversity

The system is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist. The Process-CCS is constructed from equipment which is diverse from the Plant Protection System and the ESF-CCS. The design provides assurance that the protective system cannot be made inoperable by the inadvertent actions of operating or maintenance personnel. The design is not encumbered with additional channels or components without reasonable assurance that such additions are beneficial.

The only equipment common to all engineered safety feature initiation (automatic and manual) is the group network. This network utilizes redundancy for increased reliability. To enhance software diversity, train actuation (manual and automatic) and manual component actuation signals are processed in the software logic at different levels as shown in Figures 7.3-1a, b, c and d.

A defense in depth approach is employed to eliminate common mode software errors as a concern for the Nuplex 80+ instrumentation and control systems. This approach is summarized as follows:

Deterministic Design - The algorithm execution in the Nuplex 80+ Plant Protection System (PPS) and Engineered Safety Features Component Control System (ESF-CCS) is deterministic. This means that all data is updated on a continuous cycle and all programs execute on a continuous basis, without interrupts. This approach makes the software easier to design, verify and validate. The potential for hidden errors is significantly lower than in other designs which include multi-tasking, event based execution, event based data communication, or interrupts. None of these non-deterministic features exists in the Nuplex 80+ PPS or ESF-CCS.

Field Proven Products - Operating system software for Nuplex 80+ I&C systems is selected with at least 3000 operating years and at least one calendar year of field experience in similar applications. These products are mature and, therefore, judged to be free of infant design errors.

Verification and Validation - For custom software generated by C-E, a comprehensive V&V program is employed, including independent document review and independent test. The V&V program for Nuplex 80+ is described in the Software Program Manual and its associated references. Independence is maintained between software development and verification personnel. Utility-Owner configuration controls are also imposed throughout the software life cycle. The V&V program minimizes the potential for introduction of common mode software errors during the design phase and during commissioned life of the system.

Segmentation - Within all Nuplex 80+ systems, including the PPS, ESF-CCS, and Process-CCS, functions are divided into separate processors. Segmentation within each PPS channel ensures that two different trip functions are available in two separate processors for each design basis event. Similarly, within ESF-CCS Division A and B, ESFAS functions such as SIAS and EFAS are distributed to separate control processors. Within the Process-CCS critical plant control functions, such as inventory control, heat removal, etc., simultaneous errors in these multiple processors is minimized, since functional diversity is utilized and since software execution is asynchronous.

Diversity - Diversity offers the final defense against common mode failures. All critical safety functions, such as reactivity control, inventory control and heat removal, can be controlled by both the control systems and the protection systems. These systems are functionally diverse, as are the fluid/mechanical systems they control. In addition, to correspond with the hardware diversity of these fluid/mechanical systems, both hardware and software diversity is employed between control and protection I&C systems to eliminate the potential for common mode failures to affect both the control and protection functions. This diversity exists in all software based aspects of these systems, including controllers, multiplexors, communication networks and MMI devices. This same diversity philosophy is applied between DIAS and DPS to ensure availability of control room information.

Independent of the above design features, System 80+ implements a means for manual actuation of Engineered Safety Feature functions using two safety grade channels which utilize hardwired inputs that bypass all data links, network communications, and all computers with large software applications. Switches located in the Main Control Room provide for system level actuation of two trains of safety injection and one train each of containment spray, emergency feedwater, closure of main steam isolation valves, closure of containment air purge valves and closure of a letdown isolation valve as shown in Figure 7.3-25. The switches for safety injection, containment spray and emergency feedwater have 3 positions, as follows: normal, actuate and stop.

Syotem 80+ Design controlDocument A control signal from each switch is directed to Leop Controllers which are PLC based devices at the lowest level in the digital control hierarchy. The Loop Controllers provide hardwired output signals to switchgear in motor control centers and electrical distribution panels that control plant components. Under normal plant operating conditions, the Loop Controller provides output signals to the plant components in response to digitized input signals received through a communication network interface. The hardwired manual input signal from the control room switches will override input data received from the network communication interface to actuate the plant components. Diverse manual actuations status indication is provided in the main control room. Reliability of implementing this override function at the Loop Controller PLC can be assured due to the simplicity of the device. The software in the Loop Controller PLC's resides in memory that is typically less than 6 Kbytes. The PLC responds to a limited number of digital input signals which direct the software to start or stop a pump, or open or close a valve with consideration of only a limited number of interlocking signals. Testing will be performed on loop controller PLC's for which the manual override function is implemented to assure that a common mode failure of the protective system software will not prevent the hardwired manual signals from actuating their associated ESF functions. This feature of the System 80+ design provides an additional level of protection against a postulated common mode failure of protective system software. 7.3.1.1.7 Sequencing Component sequencing methods are discussed in Section 7.3.1.1.2.3. Component sequencing requirements are provided in Chrpter 8. 7.3.1.1.8 Testing Provisions are made to permi; periodic testing of the complete ESFAS. These tests cover the trip actions from sensor input through the protection system and actuation devices. 
The system test does not interfere with the protective function of the system. Overlap between individual tests exists so that the entire ESFAS can be tested. The testing system meets the criteria of IEEE Std. 338-1977, "lEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Class IE Power and Protection Systems," and the intent of Regulatory Guide 1.22, " Periodic Testing of Protection System Actuator Functions." The frequency of testing is given in the Technical Specifications. 7.3.1.1.8.1 Sensor Checks During reactor operation, the measurement channels providbg an input to the ESFAS are checked by the methods described in Section 7.2.1.1.9.1. 7.3.1.1.8.2 Trip Bistable Test Testing of the ESFAS trip bistables, loca.ed in the PPS, is accomplished as described in Section 7.2.1.1.9.2. Testing of ESF-CCS bistable functions used for process control setpoint: ' interlocks is provided as follows. Approved Design Matedel . Instrumentation and Control Page 7.3-18

The DPS continuously monitors setpoints and provides alarm upon excessive setpoint deviations between channels. ESF-CCS bistable trip accuracy and interlock performance is also periodically verified during performance of the selective group testing described in Section 7.3.1.1.8.6. This is accomplished through manual perturbation of the digitized interlocking parameter from the operator's module in the main control room. Analog to digital conversion accuracy is also periodically verified at the operator's module during sensor testing. The overlap of testing defined above results in complete verification of ESF-CCS bistable trip accuracy and interlock performance.

7.3.1.1.8.3 Local Coincidence Logic Test

Testing of the ESFAS local coincidence logic, located in the PPS, is accomplished as described in Section 7.2.1.1.9.4.

7.3.1.1.8.4 Initiation Logic Tests

The initiation logic for each engineered safety system is automatically tested by the PPS test function to determine its ability to generate an initiation signal. Testing begins by interrogation of status of the input signals to the logic and the state of the output. The test function determines what the output of the logic should be, based upon the input signals. Should there be a discrepancy between the actual output and the output determined by the test function, the test function will annunciate the discrepancy and provide a message to identify the error. If there is no discrepancy, testing of the logic continues. The additional testing that will be done is dependent upon the status of those inputs to the logic over which the test function has no control (e.g., genuine coincidence signals). Based upon the known inputs, the test function will generate all combinations of input signals and monitor the output of the logic for correctness. A genuine coincidence signal or other genuine signal cannot be changed by the test function. Testing of these functions is limited to one channel at a time to avoid the possibility of actuating any equipment during test. This testing is done in conjunction with the ESFAS initiation relay tests, described below.

The ESF-CCS actuation logic is a selective two-out-of-four circuit controlled by the outputs of the initiation relays from the four PPS channels. Since the initiation relays are within the control of the PPS, it is possible to test them automatically. Before the automatic test function applies any signals to the system, it determines the status of the initiation circuit outputs. It then makes a determination of what the status of the actuation logic feedback signals should be. The actuation logic feedback signals, obtained from the actuation trains (refer to Figure 7.3-16), represent the state of the initiation relay outputs. If there is a difference between the actual output and the output that should exist, the condition is both annunciated and a message is provided on demand. If conditions are correct, the test system generates an initiation signal which propagates through to the ESF actuation trains. The test function monitors the ESF-CCS actuation logic circuit feedback signals to determine proper operation. If a fault is detected it is annunciated and a message is provided on demand.

The initiation relay test is only performed in one PPS channel at a time. An interlock among the PPS channels ensures that only one channel at a time can be tested. Additionally, the interlock verifies that the opposite leg of the actuation circuit is not already enabled. This interlock provides assurance that testing cannot result in inadvertent actuation.

7.3.1.1.8.5 Actuating Logic Test

The ESF-CCS actuation logic receives short duration initiation signals (test signals) from the PPS.
These signals are processed in the ESF-CCS and returned to the PPS for detection of initiation signal failure or the loss of an actuation signal to a group (refer to Figures 7.3-7 and 7.3-16). Sequentially, the PPS transmits short duration initiation signals, AA, CA, BA and DA, for each ESFAS signal. (Note that for initiation signal designations, the first character represents the PPS originating channel, and the second character represents the ESF-CCS destination division.) The PPS processes the returned test signal for both the presence of an actuation signal when there should be one, and the absence of an actuation signal when there should not be one. The absence of a desired actuation signal or the presence of an unwanted actuation signal is detected at the time an abnormal or failed condition occurs. When an actuation channel is manually actuated at the ESF-CCS (e.g., for latch testing), a discrepancy between the PPS initiation signals and the state of the actuation channel is automatically detected.

7.3.1.1.8.6 Selective Group Test

ESFAS selective group testing is performed by an operator in the main control room. This testing, as shown in Figure 7.3-7, overlaps the PPS automatic testing of the ESF-CCS selective two-out-of-four coincidence logic and includes complete testing of the ESFAS through to the actuation of the components. The components for each ESFAS are grouped. Testing is conducted one group at a time, thus preventing the complete undesired actuation of an ESF system during testing. Since this testing causes components to actuate, an ESFAS signal from the PPS will not be impeded and the ESF system will proceed to full actuation.

The operator, using a written procedure, performs the following actions when making a selective group test.

1. Determines if the group test can be performed based on the plant conditions and lineup.
2. Selects the component group to be tested.
3. Depresses a test pushbutton, latching the test group selection and initiating a "Stop-and-Think" time delay.
4. Places the test group components and other related components in a test lineup (via component control switches).
5. A "Test Enabled" light will illuminate after the "Stop-and-Think" time delay. The operator then initiates the actuation of the group components to their ESFAS required state.
6. Confirms that the group components have actuated to the ESFAS required state for the group being tested (via component control switch indicators).
7. Places components back to their initial lineup (via component control switches).

The Stop-and-Think interlock is provided in the ESF-CCS. This feature enables the test actuation logic (Step 5 above) for a fixed period after the group to be tested is latched (Step 3 above). Each time a new group is selected, the time delay is reset, preventing further testing. The operator must re-initiate the delay for subsequent testing.

The DPS displays can be used as an operational aid during the Selective Group Testing described above.
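The Stop-and-Think interlock described above, modelled as a small state machine. This is an added example, not code from the design document or the ESF-CCS; the 10 s delay, the 60 s enable period, the group names, and the reading that the enable period starts when the delay expires are assumptions.

```python
"""Stop-and-Think test interlock, added illustration (not ESF-CCS code)."""

# Assumed timings: the page states that a delay and a fixed enable period
# exist but gives no durations.
DELAY_S = 10.0
WINDOW_S = 60.0


class StopAndThinkInterlock:
    def __init__(self, delay_s=DELAY_S, window_s=WINDOW_S):
        self.delay_s = delay_s
        self.window_s = window_s
        self.selected = None    # group chosen by the operator (Step 2)
        self.latched = None     # group latched by the test pushbutton (Step 3)
        self.latched_at = None  # time of the pushbutton press, in seconds

    def select_group(self, group):
        """Step 2. A new selection drops the latch, so the delay must be re-initiated."""
        self.selected = group
        self.latched = None
        self.latched_at = None

    def press_test(self, now):
        """Step 3. Latch the selected group and start the Stop-and-Think delay."""
        if self.selected is None:
            raise ValueError("no test group selected")
        self.latched = self.selected
        self.latched_at = now

    def is_enabled(self, now):
        """State of the "Test Enabled" light at time `now`."""
        if self.latched_at is None:
            return False
        elapsed = now - self.latched_at
        # Assumption: the fixed enable period starts when the delay expires.
        return self.delay_s <= elapsed < self.delay_s + self.window_s

    def actuate(self, group, now):
        """Step 5. Test actuation is passed on only for the latched group
        and only while the enable period is running."""
        return self.is_enabled(now) and group == self.latched


def walk_through():
    """Constructed operator sequence; times are seconds on one clock."""
    lock = StopAndThinkInterlock()
    results = {}
    lock.select_group("group 1")
    lock.press_test(now=0.0)
    results["too early (3 s)"] = lock.actuate("group 1", now=3.0)
    results["inside window (12 s)"] = lock.actuate("group 1", now=12.0)
    results["wrong group (12 s)"] = lock.actuate("group 2", now=12.0)
    lock.select_group("group 2")  # resets the delay
    results["reselected, no pushbutton"] = lock.actuate("group 2", now=13.0)
    lock.press_test(now=20.0)
    results["group 2 inside window (31 s)"] = lock.actuate("group 2", now=31.0)
    results["group 2 window expired (95 s)"] = lock.actuate("group 2", now=95.0)
    return results


if __name__ == "__main__":
    for step, allowed in walk_through().items():
        print(f"{step:32s} -> {'actuates' if allowed else 'blocked'}")
```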

The operator may use the DPS to:

  • Store the initial state (position) of each component in the test group prior to placing the components in a test lineup.
  • Confirm that the operator has placed the components in the correct test lineup.
  • Confirm that the group components have actuated to the ESFAS required state for the group being tested.
  • Confirm that the components have been returned to the initial state (position) after the test has been completed.

This DPS application program is referred to as Computer Aided Testing (COMAT). The COMAT signals from the ESF-CCS are transmitted to the DPS via fiber-optic data link (refer to Figure 7.3-3). The DPS is used to aid the operator in monitoring the manual selective group testing. No interlock or control signals are transmitted from the DPS to the ESF-CCS. Selective group testing may be performed without COMAT; therefore, DPS availability is not required for performance of selective group testing.

7.3.1.1.8.7 Bypass Tests

System bypasses in the PPS, as itemized in Table 7.3-1, are tested on a channel basis as described in Section 7.2.1.1.9.7.
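The automatic initiation relay test of Section 7.3.1.1.8.4, sketched as an added example (not code from the design document or the PPS). It assumes the selective two-out-of-four logic is two legs, A/C and B/D, with actuation needing a signal in each leg; the class and function names and the fault cases are constructed.

```python
"""Automatic initiation relay test, added illustration (not PPS code)."""

CHANNELS = ("A", "B", "C", "D")
# Assumption: the selective two-out-of-four logic is modelled as two legs,
# A/C and B/D; actuation needs at least one initiation signal in each leg.
LEGS = (("A", "C"), ("B", "D"))


def actuates(relays):
    """Actuation logic output for a dict of channel -> initiation relay state."""
    return all(any(relays[ch] for ch in leg) for leg in LEGS)


def opposite_leg(channel):
    return next(leg for leg in LEGS if channel not in leg)


class ActuationTrain:
    """Equipment under test. `stuck` forces a relay state (constructed fault)."""

    def __init__(self, stuck=None):
        self.stuck = dict(stuck or {})
        self.actuated = False  # set if the actuation logic is ever satisfied

    def apply(self, initiation):
        """Drive the initiation signals and return the relay feedback signals."""
        relays = {ch: self.stuck.get(ch, initiation[ch]) for ch in CHANNELS}
        self.actuated = self.actuated or actuates(relays)
        return relays


def run_relay_test(train, genuine, channel, under_test=frozenset()):
    """Test one PPS channel's initiation relay.

    genuine    -- channel -> bool, real initiation signals the test cannot change
    under_test -- channels another test currently holds
    Returns (status, message), status being "pass", "fault" or "refused".
    """
    # Interlock: only one channel at a time ...
    others = sorted(set(under_test) - {channel})
    if others:
        return "refused", f"channel {others[0]} is already under test"
    # ... and the opposite leg must not already be enabled.
    if any(genuine[ch] for ch in opposite_leg(channel)):
        return "refused", "opposite leg enabled; a test signal would actuate"

    # Before applying anything, compare the feedback with what it should be.
    feedback = train.apply(genuine)
    wrong = [ch for ch in CHANNELS if feedback[ch] != genuine[ch]]
    if wrong:
        return "fault", f"feedback disagrees with initiation outputs on {wrong}"

    # Inject the short-duration test signal, read the feedback, remove it.
    injected = {**genuine, channel: True}
    feedback = train.apply(injected)
    train.apply(genuine)
    if feedback != injected:
        return "fault", f"relay {channel} did not follow the test signal"
    return "pass", f"relay {channel} operated; actuation logic not satisfied"


def demo():
    """Constructed cases: healthy train, two relay faults, two interlock refusals."""
    quiet = {ch: False for ch in CHANNELS}
    cases = {
        "healthy": (ActuationTrain(), quiet, "A", frozenset()),
        "A stuck off": (ActuationTrain({"A": False}), quiet, "A", frozenset()),
        "B stuck on": (ActuationTrain({"B": True}), quiet, "A", frozenset()),
        "genuine B": (ActuationTrain(), {**quiet, "B": True}, "A", frozenset()),
        "C under test": (ActuationTrain(), quiet, "A", frozenset({"C"})),
    }
    out = {}
    for name, (train, genuine, channel, held) in cases.items():
        status, message = run_relay_test(train, genuine, channel, held)
        out[name] = (status, train.actuated, message)
    return out


if __name__ == "__main__":
    for name, (status, actuated, message) in demo().items():
        print(f"{name:13s} {status:8s} actuated={actuated}  {message}")
```

In the "B stuck on" case the fault is caught by the comparison made before any signal is applied, so the test signal that would have completed both legs is never injected.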

7.3.1.1.8.8 Response Time Tests

Required Response Time Tests for the ESFAS are identified in the Technical Specifications.

The design of the ESFAS is such that connections may be made for any of a variety of methods as described in Section 7.2.1.1.9.8 that may be used by the site operator. The hardware design includes test connections on instrument lines for pressure and differential pressure transmitters, and conveniently available test points.

7.3.1.1.8.9 Loading Sequencer Tests

The Loading Sequencer incorporates design features, shown in Figure 7.3-6, which allow complete on-line testing. During normal operation all output control signals are disabled, allowing all logic functions to be tested without disturbing plant equipment. The outputs become enabled automatically anytime a valid Initiation Logic input signal is received. In this manner, testing may be conducted without impeding proper Sequencer operation in the event of an actual black-out condition. Three distinct test phases are employed to assure maximum system reliability.

  • Phase 1 - Automatic Testing

The Automatic Test Phase provides continuous cycling of the Loading Sequence Logic, which consists of the sequence counter, time base interval and all output latches. The latches are sequentially set and reset by the counter at a rate controlled by the time base interval. A failure of a latch to operate in the correct sequence or within the correct time is automatically detected at the time the failure occurs. Alarm output signals and front panel indicators are provided to diagnose the failure.

  • Phase 2 - Input Testing

All external inputs are checked independent of Logic Testing. During this test actual Initiation Logic input signals are generated from the sensors. Front panel indicators allow verification that all signals are being communicated properly to the Initiation Logic. Since these signals are considered (by the Logic Sequencer) to be valid inputs, the automatic output enabling logic, described above, is blocked during this testing. After completion of the test the block is removed.

With the control outputs remaining blocked, the second phase of testing verifies power operation of the Loading Sequence Logic and the Priority Interrupt Logic. Front panel controls allow simulating all required inputs to initiate the non-accident sequence. Other controls permit introduction of simulated accident signals at any point in the non-accident sequence. Any accident scenario may be simulated to verify that the correct loading sequence occurs. Front panel indicators display all Load Shed output signals.

  • Phase 3 - Load Shed Testing

The final test phase involves actual load shedding and re-energizing plant loads. Each load group is further sub-divided into test groups which may contain from one to all components in the Load Group. Load Shed signals are simulated separately for each test group in conjunction with the ESF-CCS Selective Group Testing. As for ESF Actuation testing, described in Section 7.3.1.1.8.6, the Computer Aided Test program (COMAT) in the DPS is used as an operator aid.

The equipment is actually tripped and re-energized, but since one group is tested at a time, the overall plant disturbance is minimal.

7.3.1.1.9 Vital Instrument Power Supply

The vital instrument power supply requirements are discussed in Section 7.1.3, and in Chapter 8.

7.3.1.1.10 Actuated Systems

The ESF Systems are maintained in a standby mode during normal operations. Actuating signals, generated by the ESFAS, are provided to assure that the ESF Systems provide the required protective actions. The following descriptions of the instrumentation and controls of the ESF Systems are applicable to each ESF System. Table 7.3-2 presents the Design Basis Events (DBE) which require specific ESF System action. Table 7.3-3 presents the monitored variables required for ESF System actuation. The variables and their ranges are shown on Table 7.3-6.

7.3.1.1.10.1 Containment Isolation System

Section 6.2.4 contains a description of the Containment Isolation System (CIS). The actuation system is composed of redundant trains A and B. The instrumentation and controls of the two trains are physically and electrically separate and independent as discussed above such that the loss of one train will not impair the safety function.

The Containment Isolation System instrumentation and controls are designed for operation during all phases of plant operation. However, the system is removed from service prior to containment leak checking at refueling intervals in order to prevent undesired system actuation. ((The removal from service is accomplished in accordance with procedures prepared by the site operator.))¹ The Containment Isolation System is automatically actuated by a CIAS from the ESFAS.

7.3.1.1.10.2 Containment Spray System

Refer to Section 6.5, "Containment Spray System," for a description of the Containment Spray System (CSS). The CSS is actuated by a CSAS. Containment spray pumps are also actuated by an SIAS. When used in the containment spray configuration, the shutdown cooling pumps are actuated by an SIAS or CSAS. The Annulus Ventilation System described in Section 6.2.3 is also activated by CSAS. The actuation system is composed of redundant trains A and B. The instrumentation and controls of each train are physically and electrically separate and independent. Each train is a 100% capacity system; therefore, the CSS can sustain the loss of an entire train and still provide its required protective action.

The CSS instrumentation and controls are designed to operate under all plant conditions. The CSAS is removed from service prior to the containment leak test at refueling intervals in order to prevent undesired system actuation. ((The removal from service is accomplished in accordance with procedures prepared by the site operator.))¹ The ESF-CCS design accommodates realignment of a spray pump for use as a shutdown cooling pump and vice versa.

7.3.1.1.10.3 Main Steam Isolation System

Refer to Section 10.3, "Main Steam Supply System," for a description of the Main Steam Isolation System. Refer to Section 10.4.7, "Condensate and Feedwater System," for a description of the Main Feedwater Isolation System. Refer to Section 10.4.8, "Steam Generator Blowdown System," for a description of the Blowdown Isolation System. The actuation system is composed of redundant trains A and B.
The instrumentation and controls of the valves in train A are physically and electrically separate and independent of the instrumentation and control of the valves of train B. The separation and independence are such that a failure of one train will not impair the protective action.

The Main Steam Isolation Valves (MSIVs), MSIV Bypass Valves, Main Feedwater Isolation Valves (MFIV) and the isolation valves for the blowdown lines are actuated by an MSIS. These valves effectively isolate the steam generators from the rest of the main steam and feed systems.

A variable steam generator pressure setpoint is implemented to allow controlled pressure reductions, such as shutdown depressurization, without initiating an MSIS. The pressure setpoint will track the pressure up until it reaches its normal setpoint value.

¹ COL information item; see DCD Introduction Section 3.2.

7.3.1.1.10.4 Safety Injection System

Refer to Section 6.3, "Safety Injection System," for a description of the Safety Injection System (SIS). The SIS is actuated by an SIAS. The actuation system is composed of redundant trains A, B, C and D. The instrumentation and controls of each train are physically and electrically separate and independent. The SIS can sustain the loss of an entire train and still provide its required protective action.

The SIS instrumentation and controls are designed to operate under all plant conditions. The low pressurizer pressure setpoint can be decreased as described in Section 7.2.1.1.1.6 to avoid inadvertent operation during startup and shutdown. As pressurizer pressure increases, the setpoint will follow up to its normal value. The SIAS is removed from service during containment leak checking at refueling intervals to prevent undesired system operation. ((The removal from service is accomplished in accordance with procedures prepared by the site operator.))¹

7.3.1.1.10.5 Emergency Feedwater System

Refer to Section 10.4.9, "Emergency Feedwater System," for a description of the Emergency Feedwater System (EFWS). The EFWS is actuated by an EFAS-1 for Steam Generator 1 and an EFAS-2 for Steam Generator 2. The EFWS is also actuated by the Alternate Protection System (APS), described in Section 7.7.

The actuation system is composed of redundant trains A, B, C, and D. The instrumentation and controls of each train are physically and electrically separate and independent. The EFWS can sustain the loss of an entire train and still provide its required protective action.

The EFWS instrumentation and controls are designed to operate under all plant conditions. On a low steam generator level, the EFAS signal starts the EFW pumps and opens the EFW isolation valves and flow control valves, causing full flow system actuation.
The actuation signal which opens the valves will clear automatically when normal steam generator level is restored. Upon clearing of the actuation signal, the valves will remain in their open position; however, the plant operator can manually control (i.e., reduce flow) as defined in Section 10.4.9; otherwise, maximum flow will continue. If steam generator water level again falls below the low steam generator water level setpoint after the actuation signal clears, the EFAS signal will reactuate, again causing full flow system actuation.

To prevent steam generator overfill, a high steam generator level interlock is provided by the ESF-CCS to automatically close the isolation valves. This interlock is active only when EFAS actuation is not active. This interlock also protects against steam generator overfill due to erroneous operation of the EFW system by the operator or the APS.

7.3.1.2 Design Bases

The design bases of the ESF Systems are discussed in Chapter 6. The ESFAS is designed to provide initiating signals for ESF components which require automatic actuation following the design bases events shown on Table 7.3-2.

The systems are designed in compliance with the applicable criteria of the NRC, "General Design Criteria for Nuclear Power Plants," Appendix A, 10 CFR 50. System testing conforms to the requirements of IEEE Std. 338-1977, "Standard Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems," and the intent of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions."

Specific design criteria for the ESFAS are detailed in IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," Section 3. The following is a discussion of the specific items in IEEE Std. 279-1971 and their implementation.

The generating station conditions requiring actuation of the ESFAS are listed on Table 7.3-2, which also shows which system will actuate for each event. The monitored variables required for ESF System protective action are listed on Table 7.3-3, which also shows which signals are generated by the variable. The number and location of the sensors required to monitor the variables are listed in Table 7.3-4. The normal operating ranges, actuation setpoints, the nominal full power value, and the margin between the last two are listed on Table 7.3-5. The ranges of the ESFAS variables are listed on Table 7.3-6.

The ESFAS is designed with consideration given to unusual events which could degrade system performance. System components are qualified for the environmental conditions discussed in Section 3.11 and the seismic conditions discussed in Section 3.10. System components are qualified for electromagnetic interference (EMI) by methods defined in Section 7.2.1.2.K. Qualification is applied for equipment based on operating environment and/or inherent design characteristics. A single failure within the system will not prevent proper protective action at the system level. The single failure criterion is discussed in Section 7.3.2.3.2.

The ESFAS minimum response times are specified in the Technical Specifications. The accuracies of the ESFAS measurement channels are given as ALLOWED VARIATION in the Technical Specifications. The total ranges of ESFAS variables are provided in Table 7.3-6.

7.3.1.3 System Drawings

The typical MCBDs, functional logics and typical control circuits are shown in the figures following this section.

7.3.1.4 ESFAS Supporting Systems

The systems required to support the ESFAS are discussed in Section 7.4. The electrical power distribution is discussed in Section 8.3.

7.3.2 Analysis

7.3.2.1 Introduction

The ESFAS is designed to provide protection against the Design Basis Events listed on Table 7.3-2. The ESF Systems that are actuated are discussed in Chapter 6, along with their design bases and evaluations. The ESFAS is addressed in the Chapter 15 Safety Analysis.

The sensor signals which will cause each ESF actuation signal are listed on Table 7.3-3. The bases are discussed in Section 7.3.1.2. The trip setpoints are given on Table 7.3-5. Most ESF actuation signals are based on fixed setpoint trips. The trip setpoints that do not fall into this category are:

  • Low pressurizer pressure - can be decreased to 400 psi below the existing pressurizer pressure by the operator.
  • Low steam generator pressure - can be decreased to 200 psi below the existing steam generator pressure by the operator.

((These resets are controlled by administrative procedures provided by the site operator.))¹

Additionally, several ESF actuation signals can be actuated by more than one parameter. That is, different parameters can cause the same ESF actuation signal. The ESF signals which fall into this category are:

  • SIAS by either low pressurizer pressure or high containment pressure.
  • CIAS by receiving the SIAS for that channel so that it actuates on low pressurizer pressure or high containment pressure.
  • MSIS by high steam generator water level in either steam generator, low steam generator pressure in either steam generator, or high containment pressure.

Each trip setpoint is selected to be consistent with the function of the respective ESF System requirements. The setpoints are selected to provide ESF actuation in sufficient time to provide the necessary actions to mitigate the consequences of the Design Basis Events which caused the ESFAS.

The adequacy of all ESF trip setpoints is verified through an analysis of the pertinent system transients reported in Chapter 15. These analyses utilize an Analysis Setpoint (assumed trip initiation point) and system delay times associated with the respective trip functions. The Analysis Setpoint along with instrument uncertainties provides the basis for the calculation of the final equipment setpoints to be reported in the Technical Specifications. Limiting trip delay times are given in Chapter 15. The manner by which these delay times and uncertainties will be verified is discussed in Section 7.2.1.2.

7.3.2.1.1 Design Bases Events (DBE)

The DBE conditions for which the system will take action are those unplanned events under conditions that may occur once during the life of several nuclear generating stations, and certain combinations of unplanned events and degraded systems that are never expected to occur during the life of all nuclear power plants. The consequences of these events should be limited by the ESF Systems.

The ESF Systems have a major responsibility to mitigate the consequences of the events listed below. This includes minimizing fuel damage and subsequent release of fission products or other related effects. The accidents for which the ESFAS actuates are:

  • RCS pipe rupture, including a double ended rupture.
  • Steam system pipe rupture.
  • Feedwater system pipe rupture.


  • Steam generator tube rupture.
  • Break in a line from the reactor pressure coolant boundary that penetrates containment.
  • Single CEA Ejection.

The ESFAS will also act to mitigate the consequences of Anticipated Operational Occurrences as follows:

  • Excess heat removal due to secondary system malfunctions.
  • Inadvertent pressurization or depressurization of the RCS.
  • Change in normal heat transfer capability between steam and reactor coolant systems, including:
      1. Improper main feedwater flow
      2. Loss of external load
  • Complete loss of AC power to the station auxiliaries.
  • Depressurization due to the inadvertent opening of a pressurizer safety or relief valve.

7.3.2.2 Actuation Bases

The ESFAS consists of five signals based on five parameters. Each ESF actuation signal has manual actuation switches on the main control panels. MSIS also has manual actuation switches at the remote shutdown panel.

7.3.2.2.1 Safety Injection Actuation Signal (SIAS)

  • Input

Pressurizer pressure, containment pressure, or manual pushbuttons. The pressure signals are shared with the RPS.

  • Function

The SIAS actuates the components necessary to inject borated water into the reactor coolant system and actuates components for emergency cooling. SIAS also actuates containment spray pumps. SIAS is also initiated by a loss of power to two channels.

7.3.2.2.2 Containment Spray Actuation Signal (CSAS)

  • Input

Containment pressure signals or manual pushbuttons.

  • Function

The CSAS actuates the Containment Spray System. CSAS is also initiated by a loss of power to two channels.

7.3.2.2.3 Containment Isolation Actuation Signal (CIAS)

  • Input

Pressurizer pressure, containment pressure, or manual pushbuttons. The pressurizer and containment pressure signals are provided via the SIAS.

  • Function

The CIAS actuates the isolation of lines penetrating the containment. CIAS is also initiated by a loss of power to two channels.

7.3.2.2.4 Main Steam Isolation Signal (MSIS)

  • Input

Pressure from each steam generator, containment pressure, level from each steam generator, or manual pushbuttons.

  • Function

The MSIS is provided to actuate the isolation of each steam generator. MSIS is also initiated by a loss of power to two channels.

7.3.2.2.5 Emergency Feedwater Actuation Signal (EFAS)

  • Input

Level from each steam generator or manual switches.

  • Function

The EFAS actuates emergency feedwater on low water level to the steam generator(s). EFAS is also initiated by a loss of power to two channels.

Actuation function EFAS-1 pertains to Steam Generator 1 and EFAS-2 actuation function pertains to Steam Generator 2.

7.3.2.3 Design

7.3.2.3.1 General Design Criteria

Appendix A, 10 CFR 50, "General Design Criteria for Nuclear Power Plants," establishes minimum requirements for the principal design criteria for water cooled nuclear power plants. This section describes the requirements that are applicable to the ESFAS.

Criterion 1 - Quality Standards and Records:

Refer to Section 3.1.1 for compliance.

Criterion 2 - Design Bases for Protection Against Natural Phenomena:

Refer to Section 3.1.2 for compliance.

Criterion 3 - Fire Protection:

Refer to Section 3.1.3 for compliance.

Criterion 4 - Environmental and Missile Design Bases:

Refer to Section 3.1.4 for compliance.

Criterion 13 - Instrumentation and Control:

Refer to Section 3.1.9 for compliance. Variables monitored are those which affect ESF Systems.

Criterion 16 - Containment Design:

Refer to Section 3.1.12 for compliance.

Criterion 20 - Protection System Functions:

Refer to Section 3.1.16 for compliance.

Criterion 21 - Protection System Reliability and Testability:

Refer to Section 3.1.17 for compliance.

Criterion 22 - Protection System Independence:

Refer to Section 3.1.18 for compliance.

Criterion 23 - Protection System Failure Modes:

Refer to Section 3.1.19 for compliance.

Criterion 24 - Separation of Protection and Control Systems:

Refer to Section 3.1.20 for compliance.

Criteria 34, 35, 37, 38, 40, 41, 43, 44 and 46:

Refer to Sections 3.1.30, 31, 33, 34, 36, 37, 39, 40 and 42 for compliance.

The ESFAS provides the actuation which meets the requirements of IEEE Std. 279-1971 and IEEE Std. 338-1977. The single failure criterion is met for all ESFAS. The ESFAS is fully testable. Those components which cannot be tested during power operations are tested when the plant is shut down.

7.3.2.3.2 Equipment Design Criteria

Many of the design criteria for protection systems are discussed in Section 7.1.2. IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," establishes minimum requirements for safety-related functional performance and reliability of the ESFAS. This section describes how the requirements of Section 4 of IEEE Std. 279-1971 are satisfied. The following heading numbers correspond to the Section numbers of IEEE Std. 279-1971.

  • General Functional Requirements (Section 4.1):

The ESFAS is designed to actuate the appropriate ESF Systems, when required, to mitigate the consequences of the specified Design Basis Events.

Instrument performance characteristics, response times, and accuracies are selected for compatibility with, and adequacy for, the particular function. Actuation setpoints are established by analysis of the RCS parameters, steam generator parameters and containment pressure. Factors such as instrument inaccuracies, bistable trip delay times, valve travel times and pump starting times are considered in establishing the margin between the actuation setpoints and the safety limits. In addition, the possible loss of AC power and the time required to start standby power and to sequence loads must also be considered. ((The final determination of all of these times is the site operator's responsibility.))¹

The time response of the sensors or protection systems is evaluated for abnormal conditions. Since all uncertainty factors are considered as cumulative for the derivation of these times, the actual response time may be more rapid. However, even at the maximum times, the system provides conservative protection.

  • Single Failure Criterion (Section 4.2):

The ESFAS is designed so that any single failure within the system will not prevent proper protective action at the system level. No single failure will defeat more than one of the four protective channels associated with any one trip function.

The effects of single faults in the RPS are discussed in Section 7.2.2.3.2. A similar analysis is applicable to that portion of the ESFAS located in the PPS cabinet. The initiating signal from the PPS goes to four separate ESF-CCS division cabinets. Each cabinet contains the actuation circuitry for only one train; therefore, a failure in one cabinet cannot affect the circuitry and actuated equipment of the other divisions.

Single faults of initiation or actuation buses have no effect, as a selective two-out-of-four logic is required for actuation. Single faults of the actuation (or control) circuitry will cause, at worst, only a failure of a component, group of components, or one entire redundant train; actuation of the remaining redundant trains is sufficient for the protective action.

  • Quality Control of Components and Modules (Section 4.3):

The system is subject to the requirements of the Quality Assurance Program described in Section 17.0.

The QA program is designed to minimize and detect defects. However, a more significant factor contributing to overall reliability is that Nuplex 80+ employs only proven products. A proven product is defined as equipment or commercial software which has been in the field for at least 3000 operating years or has an equivalent installed base (e.g., 3000 units for 1 year). It is generally believed that this is sufficient time to detect errors in both software and hardware.

It can be expected that some limited applications may require commercial products with less than 3000 operating years experience. For these cases either additional justification, which establishes the proven status of a product based on similarity to a proven product, is required, or additional component burn-in and factory testing would be required.

To ensure that lock-up conditions following unexpected trips have not been introduced during implementation of the diesel load sequencer functional design, the independent design verification and validation program will include factory and preoperational testing on an integrated system level to assure that no credible scenarios, including those described in IN 91-06, are present in the implemented design.

  • Equipment Qualification (Section 4.4):

The ESFAS equipment is qualified in accordance with the methodology discussed in Sections 3.10 and 3.11. Safety-related ESFAS equipment is located so as not to violate qualification limits.

  • Channel Integrity (Section 4.5):

Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain their functional capability required under applicable extremes of environment, power supplied, malfunction, and DBE conditions. Loss or damage of any one path will not prevent the protective action of the ESFAS. Sensors are piped using materials of comparable quality to the systems to which they are attached so that, in the unlikely event of blockage or failure of any one connection, protective action is not prevented. The process sensors located in the containment building are specified and rated for the intended service. Components which must operate during or after DBEs are rated for the expected post-event environment. Results of type tests are used to verify these ratings.

  • Channel Independence (Section 4.6):

The routing of 1E and associated cabling and sensing lines from sensors meets the requirements of Regulatory Guides 1.75 and 1.151. They are arranged to minimize the possibility of common mode failure. This requires that the cabling for the four safety channels be routed separately; however, the cables of different safety functions within one channel may be routed together.

          ' Low energy signal cables are generally routed separately from all power cables.                            ;

iOd

           . Safety-related sensors are separated. The separation of safety-related cables requires that the cables be routed in separate cable trays. Associated circuit cabling from redundant channels is            !

handled the same as IE cabling.  ! Aguswer Destn Afeeenist. asseussenepelse amt Coneef Pape 7.3-3r f

Cabling associated with redundant channels of safety-related circuits is installed such that a single credible event cannot cause multiple channel malfunctions or interactions between channels. Non-Class 1E instrumentation circuits and cables (low level) which may be in proximity to Class 1E or associated circuits and cables are treated as associated circuits unless analyses or tests demonstrate that credible failures therein cannot adversely affect Class 1E circuits.

The location of the sensors for the ESFAS and the points at which the sensing lines are connected to the process loop have been selected to provide physical separation of the channels within the system, thereby precluding a situation in which a single event could remove or negate a protective action.

The routing of cables from protection system transmitters is arranged so that the cables are separated from each other, and from power cabling, to minimize the likelihood of common event failures. This includes separation of the containment penetration areas.

The initiation paths are located in four PPS cabinets and the actuation devices are fed from the four ESF-CCS division cabinets. Geographical separation and electrical isolation between these cabinets minimize the possibility of a common mode failure.

Multiplexers are totally independent between redundant safety channels and between safety and control channels. All IEEE-384 and Reg. Guide 1.75 criteria are met; therefore, multiplexers are not a source of single failure that could compromise channel independence. Multiplexers are totally diverse in both hardware and software between safety and control systems, thereby eliminating the potential for common mode software errors to affect both the safety and control systems. Within an individual safety or control channel the design is such that a credible single failure will not degrade more than one multiplexer. To address this multiplexer failure susceptibility, I/O signals are assigned to separate multiplexer chassis to limit failure impact to a small set of functions. The impact of single multiplexer failures on the PPS and ESF-CCS has been assessed and is defined in the Failure Modes and Effects Analysis (FMEA) Table 7.2-5.

To assure high multiplexer reliability, proven equipment with a high Mean Time Between Failure, deterministic data transmission, internal fault diagnostics and which is designed and qualified to operate in the environment where it will be located, is specified. The equipment is acquired per the Commercial Grade Dedication Program.

The outputs from redundant channels are isolated from each other so that loss of a channel does not cause loss of the system. The signals from the ESF-CCS which supply the DPS and DIAS are isolated via fiber-optic cable.

The criteria for separation and physical independence of channels are based on the need for decoupling the effects of DBE consequences and power supply transients, and for reducing the likelihood of channel interaction during testing or in the event of a channel malfunction.

Electrical and functional independence is maintained between ESF-CCS divisions. Communications between ESF-CCS divisions is accomplished through dedicated point to point fiber-optic datalinks. Datalink processors in each ESF-CCS division acquire data from their respective Intradivision Networks. Inter-channel data is transacted only between data link processors. Complete independence between ESF-CCS Intradivision Networks is maintained by this method. Communication device failures and their consequences have been analyzed and are defined in the Failure Modes and Effects Analysis (FMEA) Table 7.2-5.

To ensure that erroneous interchannel ESF-CCS communications cannot disrupt multiple divisions, data communication is limited to the following:

1. Unrestricted data transmission is permitted only from safety channels to non-safety channels (i.e., unidirectional).
2. Data transmitted from non-safety channels to safety channels is disabled. This disabling function occurs in the safety channels and is considered a Class 1E function. It is noted that no non-safety channel to safety channel data requirements have been identified for System 80+. Data communication of this type that existed in previous C-E plants, such as for the CVCS, has been eliminated in System 80+.
3. Between safety channels there is data communication only between Channels B and D (Division II). This has been limited to diesel load sequencing coordination within a division. There is no data communication between Division I and Division II (A or C to B or D).

  • Control and Protection System Interaction (Section 4.7):
1. Classification of Equipment:

No portion of the ESFAS is used for both protective and control functions except sensor input signals as described in Section 7.7.

2. Isolation Devices:

Signals sent from the ESFAS to the DPS and DIAS are isolated via fiber-optic cable such that a failure in these areas will not affect the protective action of the ESFAS.

3. Single Random Failure:

This criterion is not applicable since there are no channels used for both control and protection except sensor input signals as described in Section 7.7. Therefore a single random failure can only occur in either a control or a protection channel.

4. Multiple Failures Resulting from a Credible Single Event:

This cannot exist, because control and protection channels have nothing in common, except the use of protection sensors. Protection sensors provide fiber-optic isolated signals to the control systems for signal validation and control. Protection sensor failure effects are discussed in Section 7.7.


  • Derivation of Signal Inputs (Section 4.8):

Insofar as possible, inputs are derived from signals that are direct measurements of the desired variable. Directly measured variables include pressurizer, containment, and steam generator pressures. The steam generator levels are derived from differential pressure signals.

  • Capability for Sensor Checks (Section 4.9):

ESFAS sensors are checked by methods described in Section 7.7 including cross-channel comparison. Each channel has a known relationship with the other channels of the same parameter.

  • Capability for Test and Calibration (Section 4.10):

The ESFAS design complies with IEEE Std. 338-1977, "Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Protection System Actuation Functions," as discussed in Section 7.3.2.3.3.

  • Channel Bypass or Removal from Operation (Section 4.11):

Any one of the four protection channels in the ESFAS may be tested, calibrated or repaired without detrimental effect on the system. Individual actuation channels (i.e., pressurizer pressure, containment pressure, steam generator level) may be bypassed to create a two-out-of-three logic while maintaining the coincidence of two on the remaining channels. The single failure criterion is met during this condition.

  • Operating Bypasses (Section 4.12):

Operating bypass is provided as shown on Table 7.3-1. The operating bypass is automatically removed when the permissive condition is not met. The circuitry and devices which function to remove this inhibit are designed in accordance with IEEE Std. 279-1971.

  • Indication of Bypasses (Section 4.13):

Indication of test or bypass conditions, or removal of any channel from service, is given by the DIAS and DPS. The operating bypass that is automatically removed at a fixed setpoint is alarmed and indicated.

  • Access to Means for Bypassing (Section 4.14):

Trip channel bypasses have controlled access. When the first parameter is bypassed there is an audible and visible alarm to indicate the bypass. The specific parameter or parameters which are being bypassed are indicated in the respective channel by lights at the PPS cabinet and its remote operator's module.

The operating bypasses also have audible and visible alarms. The operating bypasses have automatic features which provide a permissive level at which they can be actuated and a second level at which they are automatically removed.

  • Multiple Setpoints (Section 4.15):

Manual reduction of the setpoints for low pressurizer and low steam generator pressures is used for the controlled reduction of pressures as discussed in Sections 7.3.1.1.10.3 and 7.3.1.1.10.4. The setpoint reductions are initiated by main control board controls for each channel, one for the pressurizer pressure and one for both steam generator pressures within the one channel. Operation of the controls will reduce the pressure actuation setpoint a selected increment below the existing system pressure. As the pressurizer or steam generator pressure increases the actuation setpoint will increase automatically with the pressure, maintaining a fixed increment, until the setpoint reaches its normal actuation setpoint value.

  • Completion of Protective Action Once It is Initiated (Section 4.16):

The ESFAS is designed to ensure that protective action will go to completion once initiated. Actuation of an ESF can only be cleared by the operator after the trip condition clears by manually resetting the ESF at the ESF-CCS operator's module. An ESF component actuation can only be overridden by the operator after protective action completion. A protective action is initiated when the selective two-out-of-four logic reaches the proper coincidence of two state. A protective action is completed when all of the appropriate ESF actuated components have assumed the proper state for their ESF function. The EFAS valves are not locked into their actuation but the pumps are locked in. EFAS is designed to cycle based on the steam generator level signal.

  • Manual Initiation (Section 4.17):

A manual initiation is effected by operating manual switches at the main control panel or at the remote shutdown panel. These are arranged in a selective two-out-of-four logic. No single failure will prevent a manual actuation at the system level.

  • Access to Setpoint Adjustments, Calibration and Test Points (Section 4.18):

Access to setpoint adjustments, calibration and test points is restricted. Access is also annunciated. Setpoints are continuously monitored by the DPS and PPS automatic test controller.

  • Identification of Protective Action (Section 4.19):

Indication lights are provided for all protective actions, including identification of the channel trips.

  • Information Readout (Section 4.20):

Means are provided to allow the operator to monitor all actuation system inputs, outputs, and calculations. The specific displays that are provided for continuous display are described in Section 7.5. The ESFAS alarms and ESF-CCS Operator's Modules are located in the main control room.

  • System Repair (Section 4.21):

Identification of a defective channel is accomplished by observation of system status lights, or by testing as described in Section 7.3.1.1.8. Replacement or repair of components is accomplished with the affected channel bypassed. The affected function is then in a two-out-of-three logic, but still maintaining a coincidence of two for actuation.

  • Identification (Section 4.22):

All equipment associated with the actuation system, including panels, modules, and cables, is marked in order to facilitate identification. Physical identification is provided to enable plant personnel to recognize that ESF-CCS Cabinets and their cabling are safety-related. The cabinets are identified by nameplates. A color coding scheme is used to identify the physically separated channel cabling from sensor to the ESF-CCS. The same color code is used for interbay or intercabinet identification. Cabling or wiring within a bay at the cabinet which is in the channel of its circuit classification is not color coded. The cabinet nameplates and cabling between cabinets are color coded as follows:

| Protective Channel | ESF-CCS Divisions | Associated Channel |
|---|---|---|
| Channel A: Red | A: Red | Channel J: White / Red Stripe |
| Channel B: Green | B: Green | Channel K: White / Green Stripe |
| Channel C: Yellow | C: Yellow | Channel L: White / Yellow Stripe |
| Channel D: Blue | D: Blue | Channel M: White / Blue Stripe |

7.3.2.3.3 Testing Criteria

Conformance of the ESFAS to the requirements of IEEE Standard 338-1977 and the intent of Regulatory Guide 1.22 is discussed in Sections 7.1.2.7 and 7.1.2.15. Test intervals and their bases are included in the Technical Specifications. The periodic testing of the ESFAS is the site operator's responsibility.

Because the ESFAS is required to operate infrequently, the system is continuously tested automatically and periodically and routinely tested manually to verify its operability. A complete channel is tested without causing a system actuation and without affecting system operability and availability. Overlap in the testing of the channels is provided to assure that the entire channel is functional. The testing scheme is discussed in detail in Section 7.3.1.1.8.

Each portion of the testing of the ESFAS, as discussed in Section 7.3.1.1.8, causes a portion of the system to act as it would if a real actuation setpoint had been reached. The difference, while testing the local coincidence logic, is that only one channel is actuated and it can be bypassed for testing. If a genuine input signal is received during test, the signal will propagate through the remaining channels to cause actuation.

It can be seen from Section 7.3.1.1.8 and the above discussion that the testing of the ESFAS does not affect the system integrity or availability. When any one channel in the PPS portion is in test the remaining three channels can still provide a coincidence of two to effect actuation via the ESF-CCS.
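The bypass behaviour stated under Channel Bypass or Removal from Operation (Section 4.11) and in the testing discussion above can be checked exhaustively. The following Python model is an added example, not code from the System 80+ design: it represents one trip parameter with two-out-of-four coincidence, the one-channel-at-a-time bypass interlock listed in Table 7.3-1, and a single-failure check. The names `TripParameter`, `coincidence` and `single_failure_violations` are assumptions made for illustration.

```python
CHANNELS = ("A", "B", "C", "D")   # the four protection channels named on the page
REQUIRED = 2                      # "coincidence of two" needed for actuation


class BypassInterlockError(Exception):
    """Raised when a second channel bypass is requested for the same parameter."""


def coincidence(trips, bypassed=()):
    """True when at least REQUIRED non-bypassed channels report a trip.

    trips maps channel name -> bool. A bypassed channel is removed from the
    vote, which turns two-out-of-four into two-out-of-three.
    """
    votes = sum(1 for ch in CHANNELS if ch not in bypassed and trips[ch])
    return votes >= REQUIRED


class TripParameter:
    """One trip parameter (illustrative model) with the bypass interlock."""

    def __init__(self, name):
        self.name = name
        self.bypassed = None      # at most one channel bypassed at a time

    def request_bypass(self, channel):
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if self.bypassed not in (None, channel):
            # Interlock: only one channel per trip type may be bypassed.
            raise BypassInterlockError(
                f"{self.name}: channel {self.bypassed} is already bypassed")
        self.bypassed = channel

    def remove_bypass(self):
        self.bypassed = None

    def actuate(self, trips):
        bypassed = () if self.bypassed is None else (self.bypassed,)
        return coincidence(trips, bypassed)


def single_failure_violations(bypassed=()):
    """Enumerate every single failure of a voting channel.

    For each voting channel, assume it fails to the wrong state while all
    other channels follow the process. The criterion holds when:
      * a real demand still actuates (failed channel stuck untripped), and
      * no demand does not actuate (failed channel spuriously tripped).
    Returns a list of (bypassed, failed_channel, demand) cases that break it.
    """
    bypassed = tuple(bypassed)
    violations = []
    for failed in (ch for ch in CHANNELS if ch not in bypassed):
        for demand in (True, False):
            trips = {ch: demand for ch in CHANNELS}
            trips[failed] = not demand          # the single random failure
            if coincidence(trips, bypassed) != demand:
                violations.append((bypassed, failed, demand))
    return violations


if __name__ == "__main__":
    print("no bypass:", single_failure_violations())
    for ch in CHANNELS:
        print(f"channel {ch} bypassed:", single_failure_violations((ch,)))
    # Hypothetical state the interlock prevents: two channels out of the vote.
    print("A and B bypassed:", single_failure_violations(("A", "B")))
```

With none or one channel bypassed the list of violations is empty. With two channels removed from the vote, a single stuck channel blocks a real demand, which is the case the bypass interlock exists to prevent.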

The response time from an input signal to protective action, through the opening of the actuation relays, is verified by measurement during plant startup testing. Sensor responses are measured during factory or laboratory testing and provided to the site operator for his use in his test program.

7.3.2.4 Failure Modes and Effects Analysis (FMEA)

The Failure Modes and Effects Analysis (FMEA) provided in Table 7.2-5 addresses all possible outputs from computers (e.g., communication failures); not all of the possible causes of the output conditions. At the hardware interface level for all computers, the FMEA bounds all cases by considering the worst case effects at the computer outputs. For binary outputs, open and closed status is addressed. For digitized data, interfaces are analyzed for failure to transmit data, failure to receive data and communication of erroneous data.

In the case of the ESF-CCS, loss of data communications with Loop Controller output modules results in fail safe output operation. Fail safe is defined as the state corresponding to the electrical failure mode of the final actuation device for the actuated equipment (controlled mechanical equipment, e.g., solenoid valves fail open or closed, motorized valves fail as-is, etc.). Loss of data communication with multiplexer input modules or loss of data link inputs generally results in continued control system operation with the last good input data. Specific exceptions to this are for equipment investment protection inputs and ESF actuation inputs from the PPS, which continue to control system operation with the input data set to its most conservative value. All data communication failures are alarmed. The FMEA for the ESFAS appears on Table 7.2-5.

7.3.2.5 Setpoint Methodology

Refer to Section 7.2.2.3.2.

7.3.2.6 ESF Valve Operability

The valves of the ESF systems are designed and tested as required by NUREG-0737, Section II.K.1.5, to ensure proper operation in the event of an accident. This is accomplished in several ways.

  • The valves of the ESF systems are interlocked to automatically provide the sequence of operations required after an actuation of the ESF.

  • Actuator-operated valves are status controlled using a combination of administrative controls and "stop and think" interlocks, where considered necessary, to prevent unintentional misalignment of valves during power operation. Additionally, the DPS includes Critical Function Monitoring and Success Path Monitoring displays to permit verification of proper valve alignments during post-accident conditions (refer to Section 7.7 and Chapter 18).

  • All manual valves that are not required to operate on initiation of safety injection, in the injection flow path, are locked in the post accident position. Administrative controls ensure that the valves are locked in the correct position.

  • Periodic pump and valve group tests and inspections are performed, as defined in Section 7.3.1.1.8, to verify proper operation of each active component of the safety injection system.

7.3.2.7 Containment Hydrogen Recombiner System

The Containment Hydrogen Recombiner System (CHRS) prevents the concentration of hydrogen in containment from reaching flammability limits following a design basis loss-of-coolant accident (LOCA). The CHRS is an Engineered Safety Features (ESF) System designed to be manually initiated. Emergency Operations Guidelines require hooking up and turning on the hydrogen recombiners within 84 hours following a LOCA. The hydrogen recombiners then operate continuously, i.e., they are left on rather than cycled on and off. CHRS controls and instrumentation are discussed in Section 6.2.5.

7.3.3 Engineered Safety Features Actuation System Interface Requirements

Refer to Section 7.1.3 for system interfaces.

Table 7.3-1 ESFAS Bypasses

| Title | Function | Initiated By | Removed By | Notes |
|---|---|---|---|---|
| Trip Channel Bypass | Disables any given trip channel | Manually by controlled access switch | Same switch | Interlocks allow one channel for any type trip to be bypassed at one time. |
| Pressurizer Pressure Operating Bypass | Disables low pressurizer pressure portion of SIAS/CIAS [1] | Manual switch (1 per channel) if pressure < 400 psia | Automatic if pressurizer pressure is > 500 psia | |

[1] SIAS/CIAS actuation due to high containment pressure not affected.

Table 7.3-2 Design Basis Events Requiring ESF System Action

Columns: Event; Containment Isolation; Containment Spray; Main Steam Isolation; Safety Injection; Emergency Feedwater

Events:
  • Feedline Break
  • LOCA - Large Break
  • LOCA - Small Break [3]
  • Steam Generator Tube Rupture [2]
  • Steam Line Break (Inside Containment)
  • Steam Line Break (Outside Containment) [3]
  • Excess Heat Removal Due to Secondary System Malfunctions
  • Inadvertent Pressurization or Depressurization of RCS
  • Change in Normal Heat Transfer Capability Between Steam and Reactor Coolant System
  • Complete Loss of AC Power to Station Auxiliaries

[1] Includes CEA Ejection and Pressurizer Safety Valve Opening
[2] Manual Actuation
[3] Includes Opening of Secondary Safety Valve

Table 7.3-3 Monitored Variables Required for ESFAS Protective Signals

| Monitored Variable | CIAS | CSAS | MSIS | SIAS | EFAS |
|---|---|---|---|---|---|
| Pressurizer Pressure | 3 | | | 3 | |
| Containment Pressure | 1 | 2 | 1 | 1 | |
| Steam Generator Pressure | | | 3 | | |
| Steam Generator Water Level | | | 1 | | 1,3 |

Legend: 1 - High; 2 - High High; 3 - Low

Table 7.3-4 Engineered Safety Features Actuation System Sensors

| Monitored Variable | Sensor Type | Number of Sensors | Location |
|---|---|---|---|
| Pressurizer Pressure (High, Mid, and Low range) | Pressure Transducer | 12 [1] | Pressurizer |
| Containment Pressure | Pressure Transducer | 4 [1] | Enclosure Complex |
| Steam Generator Pressure | Pressure Transducer | 4/Steam Generator [1] | Steam Generator |
| Steam Generator Level (Wide and Narrow Range) | Differential Pressure Transducer | 8/Steam Generator [1] | Steam Generator |

[1] Shared with the Reactor Protective System

Table 7.3-5 Engineered Safety Features Actuation System Setpoints and Margins to Actuation

| Actuation Signal | Nominal Full Power [3] | Normal Operation Range [3] | Nominal Actuation Setpoint [3] | Margin to Actuation [3] |
|---|---|---|---|---|
| SIAS & CIAS | | | | |
| Low Pressurizer Pressure | 2250 psia | 2175-2325 psia | 1825 psia [1] | 425 psia |
| High Containment Pressure | 0 psig | -0.3 to +0.3 psig | 2.7 psig | 2.7 psig |
| CSAS | | | | |
| High-High Containment Pressure | 0 psig | -0.3 to +0.3 psig | 8.5 psig | 8.5 psig |
| MSIS | | | | |
| Low Steam Generator Pressure | 1000 psia | 1000-1100 psia | 843 psia [1] | 157 psia |
| High Containment Pressure | 0 psig | -0.3 to +0.3 psig | 2.7 psig | 2.7 psig |
| High Steam Generator Level | 59.1% NR | 0-95% NR | 90.8% NR | 31.7% |
| EFAS | | | | |
| Low Steam Generator Level and | 76.8% WR | 40.7-97.2% WR | 23.4% WR | 53.4% |
| High Steam Generator Level [2] | 76.8% WR | 40.7-97.2% WR | 53.4% | 23.4% |
| ALTERNATE PROTECTION SYSTEM | | | | |
| Low Steam Generator Level | 76.8% WR | 40.7-97.2% WR | 23.4% WR | 53.4% |

Notes:
[1] Setpoint can be manually decreased as pressure is reduced and is automatically increased as pressure increases.
[2] Narrow Range Transmitter Signal used to automatically close EFW valves.
[3] Values given are typical. Actual values are site dependent based on the equipment procured. Therefore, the site specific SAR shall make appropriate adjustments as necessary.

Table 7.3-6 Engineered Safety Features Actuation System Plant Variable Ranges

| Monitored Variable | Minimum | Nominal Full Power [2] | Maximum |
|---|---|---|---|
| Pressurizer Pressure (Low range) | 0 psia | [Note 1] | 750 psia |
| Pressurizer Pressure (Mid Range) | 600 | [Note 1] | 1650 psia |
| Pressurizer Pressure (High range) | 1500 psia | 2250 psia | 2500 psia |
| Containment Pressure | -5 psig | 0 psig | 60 psig |
| Steam Generator Pressure | 15 psia | 1000 psia | 1500 psia |
| Steam Generator Level (Wide Range) | 0% | 76.8% | 100% |
| Steam Generator Level (Narrow Range) | 0% | 59.1% | 100% |

Note:
[1] The high, mid, and low pressurizer pressure sensor ranges are combined electronically within the PPS bistable for wide range applications.
[2] Nominal values given are typical. These values may be adjusted during the final design process.

[Figure 7.3-1a: ESFAS Functional Logic (SIAS)]

[Figure 7.3-1b: ESFAS Functional Logic (CSAS, CIAS)]

[Figure 7.3-1c: ESFAS Functional Logic (EFAS1, EFAS2)]

[Figure 7.3-1d: ESFAS Functional Logic (EFAS1, EFAS2)]

[Figure 7.3-2: Simplified Logic Diagram for Typical Selective 2 out of 4 Actuation (Division A as illustrated; typical for Divisions B, C, D)]

[Figure 7.3-3: Functional Diagram of Engineered Safety Features Component Control System (ESF-CCS). Also available on aperture card.]


[Figure 7.3-6: Loading Sequencer - Simplified Test Logic Diagram]

[Figure 7.3-7: ESF-CCS Test Logic - Simplified Logic Diagram]


[Figure 7.3-8b: Typical Electrical Interface for a Solenoid Operated Valve]

[Figure 7.3-9a: Typical FCLD for a Modulating Valve with Solenoid Operator]

[Figure 7.3-9b: Typical Electrical Interface for a Modulating Valve with Solenoid Operator]

[Figure 7.3-10a: Typical Motor Operated Valve Functional Interface Design]


[Figure 7.3-11: Typical FCLD for a Full Throw Motor Operated Valve]


[Figure 7.3-13b: Typical Electrical Interface for a Contactor Operated Component]


[Figure 7.3-14b: Typical Electrical Interface for a Circuit Breaker Operated Component]

[Figure 7.3-15a: Typical FCLD for a Modulating Component]

[Figure 7.3-15b: Typical Electrical Interface for a Modulating Component]

[Figure 7.3-16: Typical ESF Initiation to Actuation Logic Functional Diagram]

[Figure 7.3-17: Simplified Schematic for Thermal Overload]

[Figure 7.3-18: In-Containment Refueling Water Tank MCBD]


[Figure 7.3-20a: Safety Injection Tank 1 MCBD]

[Figure 7.3-20b: Safety Injection Tank 2 MCBD]

[Figure 7.3-20c: Safety Injection Tank 3 MCBD]

[Figure 7.3-20d: Safety Injection Tank 4 MCBD]

[Figure 7.3-21: Containment Spray MCBD]

[Figure 7.3-22: Shutdown Cooling MCBD]

[Figure 7.3-23: Safety Injection MCBD]

[Figure 7.3-24: Safety Depressurization MCBD]

[Figure 7.3-25: Diverse Manual ESF Actuation Interface to ESF Components]

7.4 Systems Required for Safe Shutdown

This section describes the instrumentation and controls that are required to place and maintain the reactor in a safe shutdown condition. These systems are in many cases utilized in the performance of normal plant operations and, as such, cannot be exclusively identified with the safe shutdown function. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected subsystems. The discussion of these systems, together with the applicable codes, criteria and guidelines, is found in other sections. In addition, the alignment of shutdown functions associated with the engineered safety features that are invoked under postulated limiting fault conditions is discussed in Chapter 6 and Section 7.3.

The instrumentation and control functions required to maintain the reactor in a safe shutdown condition are discussed in this section and represent the minimum number required under non-accident conditions. These functions permit necessary operations that will:

  • prevent the reactor from achieving criticality in violation of the technical specifications, and
  • provide an adequate heat sink such that design and safety limits are not exceeded.

The specific requirements for achieving safe shutdown that are contained in USNRC Branch Technical Position RSB 5-1 are met as follows:

  • The design of the safe shutdown systems permits the reactor to be taken from normal operating conditions to cold shutdown using only safety-grade systems. These systems satisfy General Design Criteria 1 through 5.

  • The systems all have suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities to assure that, for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available), the system function can be accomplished assuming a single failure.
  • The systems are capable of being operated from the control room with either only onsite or only offsite power available.
  • The systems are capable of bringing the reactor to a cold shutdown condition, with only offsite or onsite power available, within a reasonable period of time following shutdown, assuming the most limiting single failure.

7.4.1 Description

The following systems are required to achieve and maintain a safe shutdown of the reactor:

  • Emergency Feedwater System (EFW)
  • Atmospheric Dump System (ADS)

  • Shutdown Cooling System (SCS)

  • Safety Injection System (SIS)
  • Safety Depressurization System (SDS)

The following auxiliary support systems are also required to function:

  • Station Service Water System (SSWS)
  • Component Cooling Water System (CCWS)
  • Emergency Diesel Generator
  • Emergency Diesel Generator Fuel Storage and Transfer System
  • Emergency Power Storage System
  • Emergency On Site Power Distribution System
  • Heating, Ventilating and Air Conditioning (HVAC) Systems

7.4.1.1 Systems Required for Safe Shutdown

The safe shutdown instrumentation and information displays provided on the main control panels are included in Section 7.5 Tables 7.5-1, 7.5-2 and 7.5-3, as part of the safety-related display instrumentation. The controls provided in the control room for safe shutdown systems are identified in their respective system description sections.

The safe shutdown auxiliary support systems instrumentation, information displays and controls are provided on the main control panels and are described in their respective system description sections as well. Additional information regarding main control panel layouts, including process instrumentation displays, controls and Human Factors Engineering (HFE) task analysis for safe shutdown operations, is contained in Chapter 18.

7.4.1.1.1 Plant Diesel Generators

Two independent, 100% capacity diesel generators provide a dependable onsite power source capable of starting and supplying the essential loads necessary to shut the plant down safely and to maintain it in a safe shutdown condition under loss of offsite power conditions. Load sequences are provided to sequentially load the diesel generators and are a part of the Engineered Safety Features (ESF) Component Control System (CCS), as described in Section 7.3. The diesel generators are started automatically by undervoltage (loss of offsite power on the associated 4.16 kV ESF bus), by an Emergency Feedwater Actuation Signal (EFAS), or by a Safety Injection Actuation Signal (SIAS). Section 8.3.1 describes the standby power supply (diesel generator) and the diesel generator starting system is described in Section 9.5.6. Additional information on diesel generator supporting auxiliaries may be found in Sections 9.5.4, 9.5.5, 9.5.7, and 9.5.8.

7.4.1.1.2 Plant Diesel Generator Fuel Oil Storage and Transfer System

The instrumentation and controls for this system are discussed in Section 9.5.4.

7.4.1.1.3 Class 1E Power Distribution System

This system is described in Section 8.3.

7.4.1.1.4 Station Service Water System

The controls and instrumentation for this system are discussed in Section 9.2.1.

7.4.1.1.5 Component Cooling Water System

The controls and instrumentation for this system are discussed in Section 9.2.2.

7.4.1.1.6 Emergency Feedwater System

The safe shutdown features of these systems are discussed in Section 10.4.9. The controls and instrumentation for the Emergency Feedwater System are discussed in Section 7.3.1.

7.4.1.1.7 Atmospheric Dump System (ADS)

The atmospheric dump valves are discussed in Section 10.3. The valves are located outside the containment upstream of the main steam isolation valves.

The valves are used to remove decay heat from the steam generator in the event that the main condenser is unavailable for service for any reason including a loss of AC power. The decay heat is dissipated by venting steam to the atmosphere. In this way, the Reactor Coolant System (RCS) can either be maintained at hot standby conditions or cooled down. The ADS valve control circuits are designed such that no single failure shall prevent operation of at least one ADV on each steam generator.

7.4.1.1.8 Shutdown Cooling System (SCS)

The Shutdown Cooling System (SCS) is discussed in Section 5.4.7. The SCS instrumentation and control necessary to achieve and maintain cold shutdown are discussed below. The piping is shown on Figure 5.4.7-3.

7.4.1.1.8.1 Initiating Circuits and Logic

The SCS is designed to be manually initiated upon the attainment of the required Reactor Coolant System (RCS) conditions. The SCS valve interlocks prevent overpressurization of the low pressure portion of the system, and are discussed in Section 7.6.

Control board process indication and status instrumentation are provided to enable the operator to determine system status, evaluate system performance, and detect malfunctions. Control panel hand switches and valve position limit indication lights are provided for the isolation valves and the heat exchanger inlet, outlet, and bypass valves. Indication is provided for low Shutdown Cooling System pump discharge pressure and temperature, heat exchanger outlet temperature, and shutdown cooling system flow and pressure. SCS pump operating status is also indicated on the control board.

7.4.1.1.8.2 Interlocks, Sequencing and Bypasses

The SCS has overpressure protection interlocks as discussed in Section 7.6. ((The system sequencing will be in approved operating procedures provided by the site operator for the manually controlled equipment.))1 There are no bypasses in the SCS instrumentation that would jeopardize the protection afforded by the interlocks.

1 COL information item; see DCD Introduction Section 3.2.

7.4.1.1.8.3 Redundancy and Diversity

Each of the two SCS trains has sufficient instrumentation to assure adequate monitoring during all modes of operation. The isolation valves are discussed in Section 7.6.

7.4.1.1.8.4 Supporting Systems

The SCS trains A and B have independent Class 1E power sources for their actuated equipment (e.g., pumps, valves). The SCS isolation valve interlocks are implemented via the ESF-CCS using a redundant channel configuration such that a single failure will not cause loss of shutdown cooling nor spuriously actuate it.

7.4.1.1.9 Safety Injection System (SIS)

Boron addition via the SIS may be used if the CVCS is not available for the hot and cold shutdown processes. The CVCS is discussed in Section 9.3.4. The SIS instrumentation and controls that are utilized to achieve cold shutdown are described below. The SIS logic and piping are provided in Section 7.3 and Figures 6.3.2-1A through 6.3.2-1F.

7.4.1.1.9.1 Initiating Circuits and Logic

To aid in achieving cold shutdown the SIS component actuation steps required are:

  • Coordinated control of the SIS pumps and SIS pump discharge valves to adjust and maintain the correct pressurizer water level.
  • Periodic sampling and adjustment of the boron concentration to compensate for the temperature decrease and other variables until shutdown concentration is reached.

Pressurizer level is automatically controlled during normal operation by the Pressurizer Level Control System (PLCS) as discussed in Section 7.7.1.1.2.2. The operation of the SIS for RCS inventory control is further discussed in Section 6.3.2. Boric acid is injected to ensure that sufficient shutdown margin is maintained as the RCS is cooled down. Control board process indication and status instrumentation are provided to enable the operator to evaluate system performance and manually control system operation.

7.4.1.1.9.2 Interlocks, Sequencing and Bypasses

The interlocks, sequence of operation, and bypasses of the SIS are discussed in Section 6.3.1.

7.4.1.1.9.3 Redundancy and Diversity

The SIS is redundant as discussed in Section 6.3.1 and diverse from the CVCS as described in Section 9.3.4.

7.4.1.1.9.4 Supporting Systems

The components of the system are powered from two separate 1E electrical buses. Additional SIS supporting systems are described in Section 3.6.1.

7.4.1.1.10 Emergency Shutdown from Outside the Control Room

In the unlikely event that the control room should become inaccessible, sufficient instrumentation and controls are provided (per 10 CFR 50, Appendix A, Criterion 19) outside the control room to:

  • achieve prompt hot standby of the reactor (hot standby, as used here, means the reactor is subcritical at Mode 3 operating pressure and temperature),
  • maintain the unit in a safe condition during hot shutdown, and
  • achieve cold shutdown of the reactor through the use of suitable procedures using the Remote Shutdown Panel (RSP).

Postulated conditions or events that make the control room uninhabitable are considered in the control complex design. It is assumed these circumstances may be attended by destruction of equipment due to a fire within the control room. The main control room panels and the remote shutdown panels are placed in separate physical locations, on separate elevations, with separate ventilation systems, with multiple communication systems and with lighted access routes between the two. The design includes signal isolation and disabling of all main controls and the transfer of all hot standby controls to the Remote Shutdown Panel. Therefore, no single credible event that will cause evacuation of the main control room (and/or fire damage in the main control panels) will also cause the remote shutdown panels to be inoperable.

The NUPLEX 80+ design provides switches near each control room exit for transfer of control from the main control panel to the remote shutdown panel. Actuation of the switches at either exit initiates each division of the ESF-CCS and each division of the Process-CCS to perform a soft transfer to deactivate the main control panel as a control interface and to activate the remote shutdown panel control interface.

At each exit, one transfer switch is provided for each division of the ESF-CCS (4 divisions) and each channel of the Process-CCS (2 divisions), for a total of six switches at each exit. Transfer initiated from these switches is one way; they cannot transfer control back to the main control panel. Transfer of control back to the main control panel can be performed using the Maintenance & Test Panels provided for each division of the ESF-CCS and Process-CCS in the channelized equipment rooms. The Maintenance & Test Panels also provide a backup means for performing the transfer of control from the main control room to the remote shutdown panel.

System 80+ Design controlDocument Feedback indicating the status of a control transfer is provided at both the main control panel and remote shutdown panel via the DIAS and DPS. Each system. provides an alarm for each division in which the transfer logic has transferred control to the remote Autdown panel. The component controls within each division also report component group transfer status to the DIAS and the DPS. Feedback is also provided at the manual control interface via lack of response of lighted pushbuttons and control displays which have lost control capability due to the transfer. Use of fiber optic switches and cables for the transfer switches maintains isolation between the ESF-CCS divisions and between the Process-CCS divisions. No direct electrical connection exists between the switches and the ESF-CCS, the Process-CCS or the main control panel. Figure 7.4-1 shows the transfer switch implementation for one division of the ESF-CCS. Input to the transfer logic for Division A is provided from three locations: control room exit 1, control room exit 2, and the Division A Maintenance & Test Panel. The logic transfers the operator interface for ESF Components controlled by ESF-CCS Division A. A bridge between the data networks in ESF-CCS Division A and PPS Channel A communicates the transfer signal to effect the transfer of the interface for manual initiation of PPS Channel A signals for ESF actuation. The interface for manual initiation of reactor trip is not transferred, it can be performed from either the main control panel or the remote shutdown panel at any time. The transfer enables the operator's manually entered control signals from the location being transferred to, and blocks the operator control signals from the other. Therefore, upon transfer of cot trol no actual disconnecting takes place, only enabling or blocking of signals from the MCP/RSP as app.'icable. 
This transfer is completely bumpless, meaning no setpoints are disturbed and, therefore, there is no disturbance to the output of any control or protection system. Bumpless transfer is accomplished by retaining the memory of all operator entered setpoint and control commands within the system electronics located in the channelized equipment areas, not in the operator interface devices of the MCP or RSP. All operator interface devices are totally passive, meaning they can be disconnected at any time (for control transfer or more routinely for maintenance) with no disturbance to the plant.

Figure 7.4-2, attached, shows the transfer switch implementation for one division of the Process-CCS. The Human Factors Engineering (HFE) design approach for the RSP is described in Chapter 18.

7.4.1.1.10.1 Hot Standby

Sufficient instrumentation and controls are provided external to the control room to achieve and maintain hot standby of the reactor should the control room become uninhabitable under the assumption that (1) the operator trips the reactor prior to evacuation from the control room and (2) no other adverse consequences occur in addition to the control room fire and evacuation (i.e., events proceed as expected as a result of a reactor trip). Hot standby, as used here, means that the reactor is subcritical at normal operating pressure and temperature (Mode 3 per technical specifications).

Table 7.4-1 lists the instrumentation and controls available at the remote shutdown panel.
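The control-transfer behavior described in Section 7.4.1.1.10 (one-way exit switches, return only through the Maintenance & Test Panel, blocking of signals from the disabled panel, a manual reactor trip that is never transferred, and setpoints held in the division electronics) can be modeled as a small state machine. The following is an added illustration, not part of the Design Control Document or of any NUPLEX 80+ software; division names other than Division A and N1, the command tags and the setpoint values are assumptions.

```python
from enum import Enum


class Station(Enum):
    MCP = "main control panel"
    RSP = "remote shutdown panel"


class Source(Enum):
    EXIT_1 = "control room exit 1 switch"
    EXIT_2 = "control room exit 2 switch"
    MT_PANEL = "Maintenance & Test Panel"


# Hypothetical command tag: manual reactor trip is never transferred.
REACTOR_TRIP = "manual_reactor_trip"


class Division:
    """One ESF-CCS or Process-CCS division and its transfer logic."""

    def __init__(self, name):
        self.name = name
        self.active = Station.MCP
        # Operator-entered setpoints live in the division electronics, not
        # in either panel, so changing the active panel never touches them.
        self.setpoints = {}
        self.trip_requested = False

    def request_transfer(self, source, target):
        """Apply a transfer request; return True if it is honoured."""
        if target is Station.MCP and source is not Source.MT_PANEL:
            return False          # exit switches only transfer MCP -> RSP
        self.active = target      # enable the target, block the other panel
        return True

    def command(self, station, tag, value=None):
        """Accept an operator command only from the enabled station."""
        if tag == REACTOR_TRIP:
            self.trip_requested = True   # accepted from either panel
            return True
        if station is not self.active:
            return False                 # signal blocked, state unchanged
        self.setpoints[tag] = value
        return True

    @property
    def rsp_alarm(self):
        """Per-division alarm reported while control is at the RSP."""
        return self.active is Station.RSP


def build_divisions():
    """Four ESF-CCS and two Process-CCS divisions (names are assumed)."""
    names = ["ESF-CCS A", "ESF-CCS B", "ESF-CCS C", "ESF-CCS D",
             "Process-CCS N1", "Process-CCS N2"]
    return {n: Division(n) for n in names}


def actuate_exit_switches(divisions, exit_source):
    """Operate all six switches at one exit; return divisions now at RSP."""
    for div in divisions.values():
        div.request_transfer(exit_source, Station.RSP)
    return sorted(n for n, d in divisions.items() if d.rsp_alarm)


def walkthrough():
    """Constructed scenario: evacuate through exit 1, then recover."""
    divs = build_divisions()
    a = divs["ESF-CCS A"]
    a.command(Station.MCP, "sg1_level_setpoint", 44.0)   # constructed value
    before = dict(a.setpoints)
    transferred = actuate_exit_switches(divs, Source.EXIT_1)
    return {
        "transferred": transferred,
        "bumpless": a.setpoints == before,
        "mcp_blocked": not a.command(Station.MCP, "sg1_level_setpoint", 0.0),
        "rsp_accepted": a.command(Station.RSP, "sg1_level_setpoint", 45.0),
        "trip_from_mcp": a.command(Station.MCP, REACTOR_TRIP),
        "exit_cannot_return": not a.request_transfer(Source.EXIT_2, Station.MCP),
        "mt_panel_returns": a.request_transfer(Source.MT_PANEL, Station.MCP),
        "alarm_cleared": not a.rsp_alarm,
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of the model is that the one-way property and the blocking are enforced in the division logic, so a command arriving from the disabled panel changes nothing and the stored setpoints survive every transfer.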

7.4.1.1.10.2 Cold Shutdown

Cold shutdown can be achieved from outside the control room through the use of suitable procedures with the RSP by virtue of control of the equipment listed in Tables 7.4-1 and 7.4-2. A Data Processing System Video Display Unit (VDU) is located on the RSP for operator convenience in monitoring the cold shutdown evolution.

7.4.1.1.11 Safety Depressurization System (SDS)

The SDS may be used to depressurize the RCS if the CVCS auxiliary spray is not available. The system is also designed to remove decay heat via bleed and feed, if necessary, to reach SCS entry conditions. The SDS and its instrumentation and controls that may be used to achieve safe shutdown are described in Sections 6.7 and 7.3.

7.4.1.2 System Drawings

The logic for the operation of the SCS and SDS is shown in Chapters 5 and 6. Section 1.7 includes a list of functional control logic, electrical and instrumentation drawings and piping and instrumentation diagrams for safe shutdown systems. The final functional control logic, electrical wiring diagrams and layout drawings for the SCS, SDS and the Remote Shutdown Panel appear in the site-specific SAR.

7.4.2 Analysis

7.4.2.1 Conformance to IEEE 279-1971

IEEE 279-1971, "Criteria For Protection Systems For Nuclear Power Generating Stations," establishes minimum requirements for protection systems. The instrumentation and controls associated with the safe shutdown systems are not protection systems as defined in IEEE 279-1971. However, many criteria of IEEE 279-1971 have been incorporated in the design of the instrumentation and controls of the safe shutdown systems. Conformance of the instrumentation and controls to Section 4 of IEEE 279-1971 is discussed below.
  • General Functional Requirements (Section 4.1):

The instrumentation and controls of the safe shutdown systems enable the operator to:

1. Determine when a condition monitored by display instrumentation reaches a predetermined level requiring action; and
2. Manually accomplish the appropriate safety action(s).
  • Single Failure Criterion (Section 4.2):

The instrumentation and controls required for safe shutdown are designed and arranged such that no single failure can prevent a safe shutdown. Single failures considered include electrical faults and physical events resulting in mechanical damage. Each system is composed of redundant trains, including instrumentation and controls which are physically separated.


  • Quality Control of Components (Section 4.3):

The instrumentation and controls used for the safe shutdown systems are designated C-E Quality Class 1 and designed in accordance with the quality assurance program described in Chapter 17. Guidance for quality assurance of safe shutdown instrumentation channels used for monitoring and display are as defined by Regulatory Guide 1.97, Categories 1, 2 and 3 (refer to Section 7.5).

  • Equipment Qualification (Section 4.4):

The essential instrumentation and controls associated with the safe shutdown systems are designed for the normal ambient conditions of the area in which they are located. Those components located in the control complex, which is air conditioned, are designed to operate with a loss of air conditioning for the time necessary to achieve safe shutdown. Instrumentation channels used for monitoring are qualified in accordance with the intent of Regulatory Guide 1.97, Categories 1, 2 and 3 (refer to Section 7.5).

  • Channel Integrity (Section 4.5):

Essential instrumentation and controls are Class 1E powered and designed as Seismic Category I to ensure their ability to operate during and following a design basis earthquake. The site operator is responsible for conducting preoperational tests and inspections to verify that all automatic and manual controls, and sequences of the integrated systems provided for safe shutdown, accomplish the intended design function. Preoperational test procedures are discussed in Section 14.2.

  • Channel Independence (Section 4.6):

Safe shutdown instrumentation and control channel independence is achieved by electrical and physical separation. This independence precludes a single event causing multiple channel failures.

  • Control and Protection System Interaction (Section 4.7):

Control and safe shutdown systems that have identical sensor input requirements utilize the same sensors. The control systems use sensor signal validation logic as described in Section 7.7.1.1.13 to avoid control/protection system interactions. No other portion of the safe shutdown systems is used for both protection and control functions. Therefore there are no control functions that can adversely affect operation of safe shutdown systems.

  • Derivation of System Inputs (Section 4.8):

Pressure and temperature are directly measured. Level and flow signals are derived from differential pressure signals. Valve position signals are provided by limit switches or variable resistance devices. The derivations of various other signals are discussed in the sections where the safe shutdown systems are discussed.

  • Capability for Sensor Check (Section 4.9):

Sensor checking is discussed in the sections where the safe shutdown systems are discussed.

  • Capability for Test and Calibration (Section 4.10):

The instrumentation and control components required for safe shutdown that are not normally in operation are capable of being periodically tested. This includes instrumentation and controls for the SCS, SIS and SDS. All automatic and manual actuation devices are capable of being tested to verify their operability. Periodic testing is further discussed in Section 13.5 and the Technical Specifications.

  • Bypassing (Sections 4.11 through 4.14):

There are PPS bypasses in the instrumentation and controls for the SIAS that apply to the operation of the safe shutdown system (refer to Section 7.3.2.3.2).

  • Multiple Setpoints (Section 4.15):

There are PPS variable setpoints associated with SIAS that permit a controlled reduction of RCS pressure as discussed in Section 7.3.2.3.2.

  • Completion of Protective Action Once It Is Initiated (Section 4.16):

The ESF-CCS, EFAS and SIAS, as described in Section 7.3.2.3.2, are designed to go to completion should they be automatically actuated during a normal plant shutdown. All other safe shutdown systems are not automatic protection systems and do not take protective action unless manually actuated.

  • Manual Initiation (Section 4.17):

The safe shutdown systems can be manually actuated. No single failure in the instrumentation and controls for the safe shutdown systems will prevent achieving a safe shutdown.

  • Access to Setpoint Adjustments, Calibration and Test Points (Section 4.18):

A key is required for access to setpoint adjustments, calibration and test points in the PPS and ESF-CCS for the EFAS and SIAS instrumentation as described in Sections 7.2 and 7.3. Access is also annunciated. Setpoints are continuously monitored by the DPS.

  • Identification of Protective Action (Section 4.19):

Indication lights are provided for all shutdown cooling interlock protective actions.

  • Information Readouts (Section 4.20):

All safe shutdown system monitoring and control channels have appropriate indicators to provide the operator with sufficient, accurate information to evaluate system performance and to perform necessary actions. The design of the RSP meets the HFE design criteria and methods of implementation as described in Chapter 18.


  • System Repair (Section 4.21):

For safe shutdown systems actuated manually, replacement or repair of instrumentation and control components can be accomplished, in reasonable time, when the systems are not actuated. Outage of system instrumentation and control components for replacement or repair will be limited by the Technical Specifications.

  • Identification (Section 4.22):

Identification of redundant channels is as described in Sections 7.2.2.3.2, 7.3.2.3.2 and 8.3.1.

7.4.2.2 Conformance to IEEE 308-1980

The electrical circuitry of the instrumentation and controls conforms to the criteria of IEEE 308-1980, "IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations." The instrumentation and controls associated with other systems and components are discussed in Section 8.3.

7.4.2.3 Conformance to General Design Criterion 19

Conformance to GDC 19 is discussed in Section 3.1.15. Remote instrumentation enables hot standby to be achieved if the control room is not habitable. Hot standby, as used here, means the reactor is subcritical at normal operating pressure and temperature. The reactor can be brought to cold shutdown, outside of the control room, by use of appropriate procedures, the RSP and local controls.

7.4.2.4 Consideration of Selected Plant Contingencies

7.4.2.4.1 Loss of Instrument Air System

None of the essential control or monitoring instrumentation rely solely on instrument air. Where necessary, accumulator tanks are provided or the failure mode of pneumatic devices upon loss of air is designed to fail in the safe position. Therefore, loss of instrument air will not degrade instrumentation and control associated with systems required for plant shutdown.

7.4.2.4.2 Loss of Cooling Water to Vital Equipment

None of the instrumentation and control equipment rely on cooling water for operation.

7.4.2.4.3 Plant Load Rejection, Turbine Trip, and Loss of Offsite Power

In the event of loss of offsite power associated with plant load rejection or turbine trip, power for safe shutdown is provided by the onsite emergency power system. The standby diesel generators will provide power for operation of pumps and valves; the batteries and standby generators via the battery chargers will provide power for operation of instrumentation and control systems required to actuate and control essential components.
7.4.2.5 Emergency Shutdown from Outside the Control Room

Equipment and arrangements discussed in Section 7.4.1 are in response to GDC 19, which requires certain functional capabilities outside of the control room as discussed below.

7.4.2.5.1 Design Capability for Prompt Hot Standby and to Maintain Hot Standby

Should the control room become uninhabitable, the reactor may be manually tripped from the control room, as it is being evacuated, or from the Reactor Trip Switchgear System (RTSS). Hot standby conditions can be maintained from outside the control room as described in Section 7.4.1.1.10 by control of pressurizer pressure and level, feedwater flow, and atmospheric steam dump. Hot standby, as used here, means the reactor is subcritical at normal operating pressure and temperature.

7.4.2.5.2 Cold Shutdown

[[Cold shutdown of the reactor without access to the control room is possible by use of instrumentation and controls described in Section 7.4.1.1.10 and suitable procedures prepared by the site operator.]]¹

¹ COL information item; see DCD Introduction Section 3.2.

Table 7.4-1 Remote Shutdown Panel Instrumentation and Controls for Hot Standby

NSSS Instrumentation:

  • Neutron Logarithmic Power
  • Hot/Cold Leg Temperature
  • Pressurizer Pressure
  • Pressurizer Level
  • Pressurizer RCGV Valve Positions
  • Steam Generator No. 1 Pressure
  • Steam Generator No. 1 Level
  • Steam Generator No. 2 Pressure
  • Steam Generator No. 2 Level
  • CVCS Charging Flow [1]
  • CVCS Charging Pressure [1]
  • Boric Acid Storage Tank Level [1]
  • In-containment Refueling Water Storage Tank (IRWST) Level
  • EFW Motor-Driven Pump 1 Discharge Pressure
  • EFW Motor-Driven Pump 2 Discharge Pressure
  • EFW Steam-Driven Pump 1 Discharge Pressure
  • EFW Steam-Driven Pump 2 Discharge Pressure
  • EFW Motor-Driven Pump 1 Suction Pressure and Low Pressure Alarm
  • EFW Motor-Driven Pump 2 Suction Pressure and Low Pressure Alarm
  • EFW Steam-Driven Pump 1 Suction Pressure and Low Pressure Alarm
  • EFW Steam-Driven Pump 2 Suction Pressure and Low Pressure Alarm
  • EFW Steam-Driven Pump Turbine 1 Inlet Pressure
  • EFW Steam-Driven Pump Turbine 2 Inlet Pressure
  • EFW Motor-Driven Pump 1 Flow
  • EFW Motor-Driven Pump 2 Flow
  • EFW Steam-Driven Pump 1 Flow
  • EFW Steam-Driven Pump 2 Flow
  • EFW Motor-Driven Pump 1 Recirculation Flow
  • EFW Motor-Driven Pump 2 Recirculation Flow
  • EFW Steam-Driven Pump 1 Recirculation Flow
  • EFW Steam-Driven Pump 2 Recirculation Flow
  • EFW Storage Tank 1 Level and Low Alarm
  • EFW Storage Tank 2 Level and Low Alarm
  • EFW Steam-Driven Pump 1 Turbine Speed
  • EFW Steam-Driven Pump 2 Turbine Speed
  • EFW Turbine Trip and Throttle (Stop) Valves 1 & 2 Open/Close Position and Close Position Alarm
  • SIS Pump No. 3&4 Discharge Flow
  • SIS Pump No. 3&4 Discharge Header Pressure

[1] These are not required to achieve or maintain Hot Standby but are provided for convenience as an operator aid.

Table 7.4-1 Remote Shutdown Panel Instrumentation and Controls for Hot Standby (Cont'd.)

BOP Instrumentation:

  • Ultimate Heat Sink Status Indication [1]
  • Emergency Diesel Generator Status Indication

NSSS Controls [2]:

  • Reactor Coolant Pump Trip Pushbuttons
  • Backup Heater Groups 1 and 2 Controls
  • Atmospheric Steam Dump Valve and ADV Block Valves
  • Pressurizer Auxiliary Spray Valve Controls [3]
  • Pressurizer RCGV Valves RC-410, RC-411, RC-412, RC-413
  • Charging Pump Controls [3]
  • Letdown Isolation Valve Controls [3]
  • Reactor Coolant Pump Seal Bleedoff Valve Controls
  • MSIS Actuation Switches
  • Manual Reactor Trip Switches
  • EFW Motor Driven Pump 1 Controls
  • EFW Motor Driven Pump 2 Controls
  • EFW Steam Driven Pump 1 Controls
  • EFW Steam Driven Pump 2 Controls
  • EFW Steam Generator Isolation Valves EF-100, EF-101, EF-102, EF-103
  • EFW Flow Control Valves EF-104, EF-105, EF-106, EF-107
  • EFW Steam Supply Bypass Valves EF-112, EF-113
  • EFW Steam Supply Isolation Valves EF-108, EF-109
  • EFW Turbine Trip and Throttle (Stop) Valves 1 & 2 Trip/Reset Control
  • EFW Turbine 1 & 2 Speed Control
  • SIS Pump No. 3&4 Controls
  • SIS Pump No. 3&4 Valve Controls

BOP Controls:

  • Ultimate Heat Sink Controls [1]

[1] Ultimate Heat Sink Indication and Controls includes that set required to support the operation of Remote Shutdown Panel components needed for Hot Standby.

[2] Status indication for essential equipment (i.e., valve position, pump on/off status, etc.) is provided on the Remote Shutdown Panel.

[3] These are not required to achieve or maintain Hot Standby but are provided for convenience as an operator aid.

Table 7.4-2 Remote Shutdown Controlled Functions for Cold Shutdown

Instrumentation:

  • Pressurizer Pressure Variable Setpoints
  • Steam Generator Pressure Variable Setpoints
  • Shutdown Cooling System Suction Line Isolation Valve Interlock Status
  • Safety Injection Tank (SIT) Pressure
  • SCS Pump Flow
  • SCS Heat Exchanger/Bypass Inlet and Outlet Temperatures
  • Data Processing System VDU [1]

Controls [2][3]:

  • Steam Generator Pressure Setpoint Reset
  • Pressurizer Pressure Setpoint Reset and Operating Bypass
  • SCS Pumps
  • SIT Vent Valves
  • SIT Isolation Valves
  • Shutdown Cooling Header Valves
  • Shutdown Cooling Heat Exchanger Flow Control Valves
  • Shutdown Cooling Warm-up Bypass Valves
  • Shutdown Cooling Suction Line Valves
  • Shutdown Cooling Heat Exchanger Bypass Flow Control Valves

[1] VDU monitor provided for convenience as an operator aid.

[2] On each P-CCS and ESF-CCS, Operator's modules are also provided for operator convenience.

[3] Status indication for essential equipment (i.e., valve position, pump on/off status, etc.) is provided on the Remote Shutdown Panel.

[Figure 7.4-1: Interface Diagram for Division A Master Transfer Switches]

[Figure 7.4-2: Interface Diagram for Division N1 Master Transfer Switches]

7.5 Safety Related Display Instrumentation

7.5.1 Description

This section includes a description of that safety-related display instrumentation which is available to the operator to allow him to monitor conditions in the reactor, the Reactor Coolant System, containment, and safety-related process systems, for all operating conditions of the plant so that he may perform manual actions important to plant safety.

The Nuplex 80+ Control Room uses an integrated information display hierarchy to present both safety-related and non-safety-related plant data for monitoring and control by the operator. All information is integrated (in accordance with Regulatory Guide 1.97) such that the same instrumentation used for accident monitoring is also used for normal plant operation. If an accident scenario develops, this integration allows the operators to diagnose and monitor the event using instruments with which they are most familiar.

The Nuplex 80+ information systems also include automatic signal validation, through cross channel data comparison, prior to data presentation or alarm generation. This ensures that the process information displayed to the operator is correct. Multiple diverse systems are utilized to process and display the data to ensure that information processing errors are detected and alarmed.

This integrated information display hierarchy is composed of the following major elements:

  • Integrated Process Status Overview (IPSO) Panel

A simplified large panel mimic is provided to allow a quick assessment of the status of the plant power production process and safety functions.

  • Discrete Indication and Alarm System (DIAS)

Discrete indicators are used to display validated safety and non-safety plant process parameters. Alarms are generated, processed and presented in an integrated manner through the use of alarm indications, message displays and the DPS VDU pages.

  • Data Processing System (DPS)

The DPS acquires plant data, validates it, and executes monitoring and performance calculations for presentation of information through a hierarchical set of VDU pages.

  • Component Control and System Operator Module Displays

Other I&C system operator modules and plant component (pumps, valves, heaters) on/off, open/closed status information provided directly from the controlling I&C system is integrated into the main control panel design.

The following sections further describe the functional applications of these elements within the context of the ACC safety-related display instrumentation. Descriptions of the DIAS, IPSO, and DPS implementation for Nuplex 80+ are provided in Sections 7.7.1.4, 7.7.1.5 and 7.7.1.7, respectively. See Chapter 18 for a further discussion of this hierarchical approach, task analysis and other HFE related aspects for these elements.

Display information identified on Tables 7.5-1 through 7.5-3, within the Reactor Coolant System, steam generating system and the containment, provides for the remote monitoring of process variables during and following design basis events. The safety-related display instrumentation is designed to satisfy NUREG-0737 TMI Action Plan requirements I.D.2 as described in the following categories:

  • Safety-Related Plant Process Display Instrumentation

Information available to the operator for monitoring conditions in the reactor and related systems.

  • Reactor Trip System (RTS) Monitoring

Information available to the operator for monitoring the status of the RTS.

  • Engineered Safety Feature (ESF) System Monitoring

Information available to the operator for monitoring the status of each ESF system.

  • CEA Position Indication

Information available to the operator for monitoring the position of the CEAs.

  • Post-Accident Monitoring

Information available to the operator for monitoring the plant conditions during and following an accident. Safety-related post-accident monitoring instrumentation for Regulatory Guide 1.97 applicable Category 1, 2, and 3 variables is provided to monitor plant variables and systems during and following an accident, in accordance with the intent of TMI action item II.F.3.

  • Automatic Bypass Indication

Information available to the operator for monitoring the bypassed and inoperable status of the plant safety systems.

  • Inadequate Core Cooling Monitoring

Information available to the operator for monitoring core cooling prior to and following an accident.

7.5.1.1 System Description

7.5.1.1.1 Safety-Related Plant Process Display Instrumentation

Table 7.5-1 lists the significant process instrumentation that is provided to inform the operator of the status of the reactor and plant. This information, which is used for the startup, operation, and shutdown of the plant, is provided in the Control Room. The information is provided in a form that is useful to the operator and may be indicated, recorded, or monitored in conjunction with a controlling function. Alternate indication and control instrumentation are provided at the remote shutdown panel and local stations outside the control room to allow reactor shutdown and maintenance of the reactor in a safe hot standby condition should the control room become uninhabitable (refer to Section 7.4.1.1.10).

7.5.1.1.2 Reactor Trip System Monitoring

Even though the RTS is automatic and does not require operator action (with the exception of a manual trip capability), sufficient information is provided to the operator in the control room to allow confirmation that a reactor trip has taken place and whether or not a Limiting Safety System Setting (LSSS) has been reached. This information consists of indication of:

  • Process parameters that initiate reactor trip
  • Trip, pre-trip, and bypass lights
  • Audible and visual alarms
  • Control Element Assembly (CEA) "dropped rod" information
  • Trip switchgear circuit breaker position

Operating bypass indication is provided on the remote modules located in the main control room and is described in Section 7.1.2.21. Individual trip channel bypass indication is provided locally at the PPS as well as on the remote modules in the main control room (refer to Sections 7.1.2.21, 7.2, 7.5.1.1.1 and 7.5.1.1.6).

7.5.1.1.3 Engineered Safety Features Monitoring

The Engineered Safety Features Actuation System (ESFAS) continuously monitors the system input parameters and employs an actuation logic to initiate the Engineered Safety Feature (ESF) systems should these inputs reach their trip setpoints.

After automatic actuation, the ESF Systems will continue to function properly without operator action for up to 30 minutes. See applicable ESF system descriptions for any required subsequent manual operations. Operator action is taken to start other systems such as the Shutdown Cooling System (SCS).

Information is provided to the operator in the control room to allow him to monitor the operation of the ESF and related systems in the post-accident period. This information consists of valve position indication, pump operating status, tank level indication, flow indication, indication of the process parameters that actuate Engineered Safety Feature systems (refer to Table 7.5-2) and ESF system performance displays via the DPS as discussed in Section 7.7.1.10. In addition, four remote modules provide indication of the pre-trip, trip, bypass, and operating bypass condition for each of the associated actuation system input signals. Individual trip channel bypass indication is provided at the PPS cabinet as well as on the modules in the main control room.

7.5.1.1.4 CEA Position Indication

Two diverse, independent CEA position indication systems provide CEA position information to the operator. The systems are the pulse counting CEA position indication system and the reed switch CEA position indication system. The pulse counting system is discussed in Section 7.7.1.1.1. The reed switch system is discussed below. CEA position displays are located on the main control board.

The reed switch CEA position indication system utilizes a series of magnetically actuated reed switches (reed switch position transmitters) to provide signals representing CEA position. Two independent reed switch position transmitters (RSPT) are provided for each CEA. The RSPT provides an analog position indication signal and three physically separate discrete reed switch position signals. The analog position indication system utilizes a series of magnetically actuated reed switches spaced at 1.5-inch intervals along the RSPT assembly and arranged with precision resistors in a voltage divider network. The RSPT is affixed adjacent to the CEDM pressure housing, which contains the CEA extension shaft and actuating magnet. The analog output signal is proportional to the CEA position within the reactor core.

The three discrete reed switch position signals are contact closure signals from three separately located reed switches. These signals are an Upper Electrical Limit (UEL), a Lower Electrical Limit (LEL) and a Dropped Rod Contact (DRC).

The analog reed switch CEA position signals are input to the Core Protector Calculator system (see Section 7.2). CEA position information is provided to the Trip Logic Calculators (TLC's) and also to the CEA Calculators. The CEA Calculators display the position of each regulating, shutdown, and part-strength rod on demand by the operator in a bar chart format on channels B and C CPC operator modules at the main control board. The operator can address any analog position signal for display on the CPC operator's module. In addition to the displays, CEA deviation information is provided by the CEA Calculators to the CPCs and a CEA deviation alarm. A CEA deviation alarm is provided in the event a CEA Calculator indicates that the difference between the highest and lowest CEA positions in a subgroup exceeds a predetermined allowable deviation.
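The reed switch position signal and the subgroup deviation check described above can be worked through numerically. The following is an added illustration, not code from the Design Control Document or the CEA Calculators; the CEA travel, divider reference voltage, allowable deviation, subgroup names, sample positions and the assumption that the magnet closes only the nearest reed switch are all constructed for the example. Only the 1.5-inch switch spacing and the highest-minus-lowest comparison come from the text.

```python
REED_SPACING_IN = 1.5        # reed switch spacing stated in the text
STROKE_IN = 150.0            # assumed CEA travel, illustration only
V_REF = 10.0                 # assumed voltage across the divider
ALLOWED_DEVIATION_IN = 6.0   # assumed allowable subgroup deviation
N_STEPS = int(STROKE_IN / REED_SPACING_IN)   # 100 intervals, 101 switches


def rspt_output(true_position_in):
    """Divider voltage when the magnet closes the nearest reed switch."""
    clamped = min(max(true_position_in, 0.0), STROKE_IN)
    tap = int(clamped / REED_SPACING_IN + 0.5)   # index of nearest switch
    return V_REF * tap / N_STEPS                 # proportional to position


def indicated_position(voltage):
    """Position recovered from the analog RSPT signal, in inches."""
    tap = round(voltage / V_REF * N_STEPS)
    return tap * REED_SPACING_IN


def subgroup_deviation(positions_in):
    """Difference between the highest and lowest CEA in a subgroup."""
    return max(positions_in) - min(positions_in)


def indicated_subgroup(true_positions_in):
    """Pass each true position through the RSPT model."""
    return [indicated_position(rspt_output(p)) for p in true_positions_in]


def deviation_alarms(true_positions_by_subgroup,
                     allowed_in=ALLOWED_DEVIATION_IN):
    """Return {subgroup: indicated deviation} for subgroups in alarm."""
    alarms = {}
    for subgroup, true_positions in true_positions_by_subgroup.items():
        deviation = subgroup_deviation(indicated_subgroup(true_positions))
        if deviation > allowed_in:
            alarms[subgroup] = deviation
    return alarms


# Constructed sample data: true CEA positions in inches withdrawn.
SAMPLE_SUBGROUPS = {
    "SG-1": [120.0, 120.3, 119.8, 120.1],   # normal scatter
    "SG-2": [120.0, 120.0, 111.0, 120.0],   # one CEA lagging by 9 inches
}


def resolution_effect(true_positions_in):
    """Return (true spread, indicated spread) to show quantization."""
    return (subgroup_deviation(true_positions_in),
            subgroup_deviation(indicated_subgroup(true_positions_in)))


if __name__ == "__main__":
    print("alarms:", deviation_alarms(SAMPLE_SUBGROUPS))
    true_dev, shown_dev = resolution_effect([100.0, 106.2])
    print(f"true spread {true_dev:.2f} in, indicated {shown_dev:.2f} in")
```

In this model each indicated position is within half a switch spacing of the true position, so an indicated subgroup spread can differ from the true spread by up to 1.5 inches; the last case shows a true spread of 6.2 inches reading as 6.0.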
The CEA deviation information is used in the TLC determination of power distribution. The power distribution is then factored into the low DNBR and high local power density trip function. Pre-trip alarms are initiated if the DNBR or LPD trip limits are approached. A pre-trip alarm indication is provided on the PPS operator's control panel (both local and remote). Also, a pre-trip alarm is provided to the plant annunciator system (DIAS).

The three discrete CEA position reed switches (UEL, LEL, DRC) provide contact closure signals to the Control Element Drive Mechanism Control System (CEDMCS). These signals and the CEA positions based on CEDMCS pulse counting are utilized for CEDMCS CEA control and position indication on the main control panel.

The DPS provides a validated CEA position VDU display based on the RSPT and CEDMCS pulse counting CEA position information. The validation logic identifies and alarms discrepancies between them.

7.5.1.1.5 Post-Accident Monitoring

The Post-Accident Monitoring Instrumentation (PAMI) listed in Table 7.5-3 is provided to allow the operator to assess the state of the plant following Design Basis Events. Most of these indications monitor instruments, equipment, or systems that provide automatic action for the Design Basis Event.

The Main Control Room (MCR) design utilizes the following three methods to integrate SPDS and PAMI. The design is in accordance with the intent of Regulatory Guide 1.97 as depicted in Figure 7.5-1.

  • Seismically qualified DIAS channel P processors and displays dedicated to continuously monitor and display Regulatory Guide 1.97 Category 1 individual parameters. These displays are located on the MCR Safety Monitoring Panel.

  • Seismically qualified DIAS channel N displays are integrated into the MCR panels for normal operations as well as for providing Regulatory Guide 1.97 Categories 1, 2, and 3 parameters. These displays provide the ability to select various PAMI channels and are isolated from the DIAS channel P displays.
  • The DPS provides VDU displays for all Regulatory Guide 1.97 variables in a manner that is isolated from DIAS channels P and N. The system provides integrated displays, in accordance with Chapter 18 HFE design requirements, for Critical Safety Functions, Inadequate Core Cooling Monitoring and other safety related plant parameters. The DPS also includes historical data storage, retrieval and trending. The DPS design includes data links to the On-Site Technical Support Center and Emergency Operations Facility to provide the capability for monitoring plant conditions.

7.5.1.1.6 Automatic Bypass Indication on a System Level

Automatic bypass indication on a system level as defined in Regulatory Guide 1.47 is described in Section 7.1.2.21.

7.5.1.1.7 Inadequate Core Cooling Monitoring Instrumentation

This section provides a description of the generic Nuplex 80+ approach to NUREG-0737, Section II.F.2, Inadequate Core Cooling (ICC) requirements.

The instrument sensor package selected to monitor the ICC event progression consists of:

  • Resistance Temperature Detectors (RTDs)
  • Pressurizer Pressure Sensors
  • Reactor Vessel Level Monitors employing the Heated Junction Thermocouples (HJTC) design concept
  • Core Exit Thermocouples

The signals from the RTDs, unheated thermocouples in the HJTC system, and pressure sensors can be combined to indicate the loss of subcooling, occurrence of saturation and achievement of a subcooled condition following core recovery. The reactor vessel level monitors provide information to the operator on the decreasing liquid inventory in the reactor pressure vessel (RPV) regions above the fuel alignment plate (FAP), as well as the increasing RPV liquid inventory above the FAP following core recovery. The core exit thermocouples (CETs) monitor the increasing steam temperatures associated with ICC and the decreasing steam temperatures associated with recovery from ICC.

As shown in Figure 7.5-1, these sensors are inputs to:

  • DIAS channel P processing equipment for continuous display along with other Regulatory Guide 1.97 Category 1 variables located on the Safety Monitoring Panel in the Main Control Room.


  • DIAS channel N processing equipment for display along with other plant parameters used by the operator for normal monitoring as well as post-accident monitoring.


  • Data Processing System for integration into the VDU plant process display pages. The DPS also processes saturation margin, reactor vessel level and ICC algorithms for critical safety functions for display and alarming.

All of the above display methods provide validated information to the operator as further described in Sections 7.7.1.4, 7.7.1.7 and Chapter 18.

7.5.1.1.7.1 Sensor Design

Detailed information on the associated ICC sensors is presented in the following sections.

7.5.1.1.7.1.1 Saturation Margin Sensors

Saturation Margin Monitoring (SMM) provides information to the reactor operator on:

  • The approach to and existence of saturation.
  • The existence of core uncovery.

The SMM utilizes inputs from the RCS cold and hot leg temperatures measured by RTDs, the maximum temperature of the top three Unheated Junction Thermocouples (UHJTC), and pressurizer pressure sensors. The UHJTC input comes from the output of the Heated Junction Thermocouple (HJTC) processing units. In summary, the sensor inputs are as follows:

Input                                                      Range
Pressurizer Pressure                                       0-750 psia
Pressurizer Pressure                                       600-1650 psia
Pressurizer Pressure                                       1500-2500 psia
RCS Pressure                                               0-4000 psia
Cold Leg Temperature                                       50-750°F
Hot Leg Temperature                                        50-750°F
Maximum UHJTC Temperature of top three sensors
(from HJTC processing)                                     32-2300°F
Representative CET Temperature                             32-2300°F

7.5.1.1.7.1.2 Heated Junction Thermocouple (HJTC) Probe Assembly

The HJTC probe assembly measures reactor coolant liquid inventory above the fuel alignment plate with discrete HJTC sensors located at different levels within a separator tube ranging from the top of the fuel alignment plate to the reactor vessel head. The basic principle of operation is the detection of a temperature difference between adjacent heated and unheated thermocouples.


As pictured in Figure 7.5-2, the HJTC sensor consists of a Chromel-Alumel thermocouple near a heater (or heated junction) and another Chromel-Alumel thermocouple positioned away from the heater (or unheated junction). In a fluid with relatively good heat transfer properties, the temperature difference between the adjacent thermocouples is small. In a fluid with relatively poor heat transfer properties, the temperature difference between the thermocouples is large.

Two probe assemblies are provided to allow two channels of HJTC instruments. Each HJTC probe assembly includes eight (8) HJTC sensors, a separator tube, a seal plug, and electrical connectors (Figure 7.5-3). The eight (8) HJTC sensors are electrically independent.

Two design features ensure proper operation under all thermal-hydraulic conditions. First, each HJTC is shielded to avoid overcooling due to direct water contact during two phase fluid conditions. The HJTC with the splash shield is referred to as the HJTC sensor (see Figure 7.5-2). Second, a string of HJTC sensors is enclosed in a tube that separates the liquid and gas phases that surround it.

The separator tube (see Figure 7.5-4) creates a collapsed liquid level that the HJTC sensors measure. This collapsed liquid level is directly related to the average liquid fraction of the fluid in the reactor head volume above the fuel alignment plate. This mode of direct in-vessel sensing reduces spurious effects due to pressure, fluid properties, and heterogeneities of the fluid medium. The string of HJTC sensors and the separator tube are referred to as the probe assembly.

The probe assembly is housed in a stainless steel structure that protects it from flow loads.

7.5.1.1.7.1.3 Core Exit Thermocouples (CET)

A total of 61 Core Exit Thermocouples arranged into two channels provide a measure of core heatup via measurement of core exit fluid temperature.

The design of the neutron flux In-Core Instrumentation (ICI) system includes Type K (Chromel-Alumel) thermocouples within each of the ICI detector assemblies. These Core Exit Thermocouples (CET) monitor the temperature of the reactor coolant as it exits the fuel assemblies. The core locations of the ICI detector assemblies are shown in Figure 7.5-5.

The CETs have a usable temperature range from 32°F to 2300°F.

7.5.1.1.7.2 Description of ICC Sensor Signal Processing

The following sections provide a description of the processing control and display functions associated with each of the ICC detection instruments. The sensor inputs for the major ICC parameters (reactor vessel inventory/temperature above the core, and core exit temperature) are signal conditioned by the two-channel PAMI processors and transmitted to the DIAS and DPS for primary display and trending.

7.5.1.1.7.2.1 Heated Junction Thermocouple

The signal conditioning equipment performs the following functions for the HJTC:

  • Determine collapsed liquid level above core. The heated and unheated thermocouples in the HJTC are connected in such a way that absolute and differential temperature signals are available. This is shown in Figure 7.5-6. When liquid water surrounds the thermocouples, their temperature and voltage output are approximately equal. The voltage V(A-C) on Figure 7.5-6 is, therefore, approximately zero. In the absence of liquid, the thermocouple temperatures and output voltages become unequal, causing V(A-C) to rise. When V(A-C) of the individual HJTC rises above a predetermined setpoint, liquid inventory does not exist at this HJTC position.

  • Determine the maximum upper plenum/head fluid temperature of the top three unheated thermocouples for use as an output to the SMM calculation (the temperature processing range is from 32°F to 2300°F) in the DIAS channel N and DPS.
  • Process input signals to alarm and display, via the DIAS and DPS, collapsed liquid level and unheated junction thermocouple temperatures.
  • Provide control of heater power for proper HJTC output signal level.

Figure 7.5-7 shows the design for one of the two channels, which includes the heater controller power supplies.

7.5.1.1.7.2.2 Core Exit Thermocouple

The signal conditioning equipment performs the following CET processing functions:

  • Process core exit thermocouple inputs.
  • Calculate a representative core exit temperature. This temperature will be either the maximum valid core exit temperature or a statistically derived value representing 95% of the temperature distribution.
  • Process CETs for alarm and display of CET temperature and superheat via DIAS and DPS.

7.5.1.1.7.3 ICC Information Displays

7.5.1.1.7.3.1 DIAS Channel P

The ICC sensed parameters previously described in Section 7.5.1.1.7.1 are continuously displayed on the Safety Monitoring Section of the main control panels by DIAS channel P. These displays are seismically qualified and provide dedicated indication of each ICC sensed parameter. The DIAS channel P also generates an alarm signal when: (1) any of the HJTCs detects the absence of liquid level or (2) any of the CET temperatures reaches a value indicative of the potential for inadequate core cooling. The alarm signal is transmitted to the DPS for display. Refer to Section 7.7.1.4 and Chapter 18 for a further description of the DIAS system configuration and display readout technology utilized.

7.5.1.1.7.3.2 DIAS Channel N

  • ICC Sensed Parameters

The ICC sensed parameters previously described in Section 7.5.1.1.7.1 are available on DIAS channel N displays located on the applicable plant system section of the main control panels. These displays are seismically qualified and provide validated information as described in Section 7.7.1.4 and Chapter 18.

  • Saturation Margin

The DIAS channel N processing equipment will perform the following saturation margin monitoring functions:

1. Perform signal validation on sensor inputs prior to determination of temperature saturation margin.
2. Calculate the saturation margin.

The saturation temperature is calculated from the minimum pressure input. The temperature subcooled or superheat margin is the difference between saturation temperature and the sensor temperature input. Validated sensor data is used in these margin calculations. Three temperature subcooled or superheat margin presentations will be available. These are as follows:

RCS saturation margin - the temperature saturation margin based on the difference between the saturation temperature and the maximum temperature from the RTDs in the hot and cold legs.

Upper head saturation margin - temperature saturation margin based on the difference between the saturation temperature and the UHJTC temperature (based on the maximum of the top three UHJTCs).

CET saturation margin - temperature saturation margin based on the difference between the saturation temperature and the representative core exit temperature calculated from the CETs.

3. Provide an alarm output for an annunciator when temperature saturation margin reaches a preselected (Tsat 20°F) setpoint for RCS or upper head saturation margin. CET saturation margin is not alarmed to avoid spurious indication.
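The HJTC setpoint logic of Section 7.5.1.1.7.2.1 and the three saturation margin presentations listed above can be sketched as follows. This is an added example, not code from the design document or from Nuplex 80+; the V(A-C) setpoint value, the coarse saturation table, the top-down sensor ordering, the reading of the alarm as "margin at or below the setpoint" and all sample readings are assumptions.

```python
"""ICC signal-processing sketch: HJTC level logic and saturation margins.

Added illustration only. Setpoints, the coarse saturation table and all
sample readings below are constructed, not taken from the design document.
"""
from bisect import bisect_right
from dataclasses import dataclass

# Rounded steam-table points (psia, degF). Coarse, for illustration only.
SAT_TABLE = [(14.7, 212.0), (100.0, 327.8), (500.0, 467.0), (1000.0, 544.6),
             (1500.0, 596.2), (2000.0, 635.8), (2250.0, 652.7), (2500.0, 668.1)]


@dataclass(frozen=True)
class HjtcSensor:
    position: int      # 1 = highest sensor in the probe, 8 = lowest (assumed order)
    unheated_f: float  # absolute temperature of the unheated junction, degF
    v_ac: float        # differential signal V(A-C), arbitrary units


# Constructed probe readings: the two highest positions have lost liquid.
SAMPLE_PROBE = [
    HjtcSensor(1, 640.0, 9.0), HjtcSensor(2, 620.0, 8.5),
    HjtcSensor(3, 600.0, 0.3), HjtcSensor(4, 598.0, 0.2),
    HjtcSensor(5, 597.0, 0.2), HjtcSensor(6, 597.0, 0.1),
    HjtcSensor(7, 596.0, 0.2), HjtcSensor(8, 596.0, 0.1),
]


def hjtc_process(sensors, v_ac_setpoint):
    """Return (positions without liquid, max unheated temp of the top three)."""
    ordered = sorted(sensors, key=lambda s: s.position)
    # V(A-C) near zero means liquid; above the setpoint means no liquid there.
    uncovered = [s.position for s in ordered if s.v_ac > v_ac_setpoint]
    top_three_max = max(s.unheated_f for s in ordered[:3])
    return uncovered, top_three_max


def saturation_temp_f(pressure_psia):
    """Linear interpolation in the illustrative table above."""
    pressures = [p for p, _ in SAT_TABLE]
    if not pressures[0] <= pressure_psia <= pressures[-1]:
        raise ValueError("pressure outside the illustrative table")
    i = bisect_right(pressures, pressure_psia)
    if i == len(pressures):
        return SAT_TABLE[-1][1]
    (p0, t0), (p1, t1) = SAT_TABLE[i - 1], SAT_TABLE[i]
    return t0 + (t1 - t0) * (pressure_psia - p0) / (p1 - p0)


def saturation_margins(pressures_psia, hot_leg_f, cold_leg_f,
                       upper_head_f, rep_cet_f, alarm_setpoint_f=20.0):
    """Return (Tsat, margins, alarms); positive margin means subcooled.

    Tsat comes from the minimum validated pressure input. Only the RCS and
    upper head margins are alarmed; the CET margin is display-only.
    """
    t_sat = saturation_temp_f(min(pressures_psia))
    margins = {
        "rcs": t_sat - max(list(hot_leg_f) + list(cold_leg_f)),
        "upper_head": t_sat - upper_head_f,
        "cet": t_sat - rep_cet_f,
    }
    alarms = {name: margins[name] <= alarm_setpoint_f
              for name in ("rcs", "upper_head")}
    return t_sat, margins, alarms


if __name__ == "__main__":
    uncovered, top_max = hjtc_process(SAMPLE_PROBE, v_ac_setpoint=5.0)
    t_sat, margins, alarms = saturation_margins(
        [2262.0, 2250.0], [615.0, 612.0], [555.0, 556.0], top_max, 660.0)
    print("positions without liquid:", uncovered)
    print("Tsat:", t_sat, "margins:", margins, "alarms:", alarms)
```

A negative margin in the returned dictionary corresponds to superheat, which is how the constructed CET reading shows up in the sample run.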

7.5.1.1.7.3.3 DPS ICC Displays

The ICC parameters are incorporated into the Data Processing System (DPS) Critical Function Monitoring (CFM) displays and alarm logic. The CFM is a computer applications program that is a part of the DPS as described in Section 7.7.1.10. The critical safety functions are directly monitored by a set of algorithms which process the measured plant variables to determine the plant's safety status relative to safety function control. If any of the critical functions are violated (by exceeding logic setpoints), a Critical Function Alarm (CFA) is initiated. The ICC instrument outputs are incorporated in this critical function alarm logic.

The DPS ICC detection displays have an ICC summary page as part of the core heat removal control critical function, supported by more detailed display pages for each of the ICC variable categories.

The summary page will include:

  • RCS/ Upper Head saturation margin - the maximum of the RCS and Upper Head saturation margin
  • Reactor vessel level above the core
  • Representative core exit temperature

Since the DPS has more display capabilities than the DIAS, such as color graphics, trending and a larger format, additional information is added to enhance the presentation. All DPS displays are consistent with DIAS. These displays are designed to meet the HFE criteria as discussed in Chapter 18.

The DPS receives all channels of ICC input for the CFM displays. The following information is available on lower level display pages:

  • Saturation Margin Displays
1. Temperature and pressure saturation margins for RCS, upper head, and core exit temperature.
2. Temperature and pressure inputs.
  • Heated Junction Thermocouple Displays
1. Representative liquid inventory level above the fuel alignment plate.
2. Discrete HJTC positions indicating liquid inventory above the fuel alignment plate.
3. Inputs from the HJTCs
   - Unheated junction temperature at each position.
   - Heated junction temperature at each position.
   - Differential junction temperature at each position.
  • Core Exit Thermocouple Displays
1. A spatially oriented core map indicating the temperature at each of the CETs.
2. A selective reading of CET temperatures.
3. The representative core exit temperature.
  • ICC Trend Displays

Although all DPS inputs are accessible for trending and historical recall, the DPS has a dedicated ICC trend page for RCS/upper head saturation margin, reactor vessel level, and representative core exit temperature and core exit saturation margin.

7.5.1.1.8 Diversity

DIAS Channel N and the DPS implement diverse hardware and software to eliminate the potential for common mode failures to affect both systems. This diversity exists in all software based aspects of these systems, including multiplexers, data acquisition devices, communication networks and display devices.

DIAS-P provides a continuous, dedicated display of Reg. Guide 1.97 Category-1 parameters. Two hardwired channels are provided from the sensor to the display processor for each sensed parameter displayed on DIAS-P as shown in Figure 7.5-1. Composed parameters, i.e. reactor vessel level, core exit temperature, subcooled margin, and containment isolation status are calculated by a computer. The display processor presents the parameter values from both hardwired channels side by side on the display screen. Isolation devices are implemented at the display screen. Isolation devices are implemented at the display processor for both channels to provide electrical separation between the channels.

The use of hardwired signal communication for DIAS-P provides an additional level of protection against a postulated common mode failure by providing a display of key indicators of critical function status which would not be affected by the failure.

DIAS-P communications software is diverse from the communications software used by the PPS and ESF-CCS.

7.5.2 Analysis

7.5.2.1 Analysis of Safety-Related Plant Process Display Instrumentation

Plant process information is provided to enable the operator to monitor conditions in the plant and perform operations important to plant safety. In addition, the information allows the operator to perform the cross-checking of Plant Protection System measurement channels to assure operational availability of these channels as discussed in Sections 7.2.1.1.9 and 7.3.1.1.8. The following design criteria were used in the selection of plant instrumentation:
  • Provide continuous monitoring of validated process parameters required by the operator.
  • Provide a permanent record via the DPS of those parameters for which trend information is useful from a safety standpoint.
  • Provide display information to the operator that is reliable, comprehensible, and timely.
  • Provide multiple channels of indication for the RPS and ESFAS process parameters to allow cross-checking of channels.
  • Provide instrumentation display that adequately monitors the parameters over the ranges required for various conditions.

The information provided is sufficient to allow the operator to accurately assess the conditions within the reactor systems, and perform those appropriate actions in a timely manner to maintain the reactor systems within the conditions assumed by the safety analysis in Chapter 15 and the Human Factors Engineering Task Analyses described in Chapter 18. In addition, the information allows the operator to perform the cross-checking of measurement channels to assure operational availability of these channels as discussed in Sections 7.2.1.1.9 and 7.3.1.1.8.

7.5.2.2 Analysis of Reactor Trip System Monitoring

Sufficient information is provided to the operator to allow confirmation that a trip has occurred and to determine the process parameter that has provided a trip input. CEA insertion information can be determined by the operator after a trip by VDU bar chart information and CEA limit indication (refer to Section 7.5.1.1.4). Indication of neutron flux levels in the reactor core, as well as other reactor and Reactor Coolant System information, is provided for the operator. The following design criteria were used in the selection of information that is provided to the operator:

  • System conditions requiring operator attention during routine plant operations and at the time of reactor trip are available in the control room.
  • Annunciation in the control room of all operations performed at the RPS cabinet affecting the function of the system.
  • Indication of any selected plant variables that are manually bypassed.
  • Indication of automatic removal of a bypass.

7.5.2.3 Analysis of Engineered Safety Features Monitoring

Information is provided to the operator so that he may monitor the status (pre-actuation availability and post-actuation performance) of the Engineered Safety Feature systems. The following design criteria were used in the selection of information that is provided to the operator:

  • System conditions requiring operator attention or action during routine plant operations are displayed and/or controlled in the control room.
  • Annunciation is provided in the control room of all operations performed at the ESFAS cabinets affecting the availability of the systems.
  • Indication of any selected plant variable that is manually blocked or bypassed is provided.
  • Indication of automatic removal of block or bypass status is provided.

Consistent with the above criteria, the information shown in Table 7.5-2 is provided to aid the operator in determining that manual actuation of an Engineered Safety Feature is required and to confirm proper system operation after automatic initiation. Input parameters used for actuation are indicated in the control room as are positive indications that pumps and valves have actuated and that flows have been established. The DPS ESF fluid system and CFM displays provide an integrated overview of the ESF system performance.

7.5.2.4 Analysis of CEA Position Indication

CEA position indication allows the operator to easily determine that the CEAs are in the required position, that a CEA has dropped into the core, or that the CEA positions are as required after a reactor trip. The following design criteria were used in providing the CEA position indication function:

  • Position readouts of all CEAs may be obtained.
  • Continuous position indication of all CEAs is provided.
  • A means is provided to alert the operator of CEA deviations within a group.
  • A permanent record may be made of the position of any or all CEAs.
  • The "full-in" and "full-out" indications are provided for each CEA.
  • Redundant and diverse means of monitoring and indicating CEA position are provided.

7.5.2.5 Analysis of Post-Accident Monitoring Instrumentation

The Post-Accident Monitoring Instrumentation (PAMI) that is identified in Table 7.5-3 is provided for remote monitoring of post-accident conditions. Post-accident conditions are defined as those conditions which exist during and following an accident.

The extensive instrumentation identified in Table 7.5-3 provides the plant operator with long-term monitoring and surveillance capabilities of post-accident conditions within the primary containment. Table 7.5-3 identifies Category 1, 2, and 3 variables from Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident."

PAMI shall function with precision and reliability to display the appropriate monitored variables. Each instrument's performance characteristics, response time and accuracy are compatible with the design goal of providing the operator with reliable information.

The guidance of Regulatory Guide 1.97 is applicable to the design of the PAMI and is applied to the design of this instrumentation by appropriate category for each variable as follows.

7.5.2.5.1 Equipment Qualification

Category 1: Available displays for Category 1 variables are the DPS and DIAS channels P and N. Class 1E qualification includes the entire instrument channel up to the channel isolation device. Class 1E signals are isolated either prior to transmission to or within qualified I/O sections of the DIAS and DPS. The DIAS displays and processing units are non-Class 1E, but are considered important to safety; therefore, they are seismically qualified to enhance channel availability. The DPS also displays all Category 1 variables, though it is designed as a non-safety system with no functional seismic qualification.

Temperature and humidity qualification exceeds the most severe equipment environment by a design margin for DPS and DIAS display equipment including equipment used for PAMI display. DIAS and DPS cabinet temperature alarms are provided to alert the operator if the cabinet temperature exceeds the limit specified for that location.

Category 2: Available displays for Category 2 variables are provided by the DIAS channel N and/or the DPS. All Category 2 variables are available on the DPS. Qualification for Category 2 variables is the same as for Category 1, except that there is no specific seismic qualification of the display devices.

Category 3: No specific qualification requirements apply for sensors or displays. These variables are presented by DIAS channel N and/or the DPS, as appropriate for each variable.

A more detailed discussion of the environmental qualification is provided in Section 3.11.

7.5.2.5.2 Redundancy

Category 1: Redundancy with respect to Category 1 variables is provided for both the instrument channels supplying the signal and for the displays in the control room. Instrument channels are electrically independent and physically separated from each other and from non-safety equipment by qualified isolation devices. Credited redundancy for the display of Category 1 variables is provided by the channel P and channel N DIAS displays. These displays are electrically independent and physically separated. To minimize technical specification limitations for conditions when a DIAS channel is out of service, each Category 1 variable is also presented on the DPS. The DPS is physically separated and independent from both DIAS channels. Channel availability is further discussed in Section 7.5.2.5.4.

Category 2: Although there are no specific provisions recommended by Regulatory Guide 1.97, the implementation of DIAS channel N and the DPS display methods do provide a degree of redundancy such that no single failure will result in a loss of this information displayed to the control room operator.

Category 3: Although there are no specific provisions required by Regulatory Guide 1.97, the implementation of DIAS channel N and/or the DPS display methods may provide a degree of redundancy.

To prevent ambiguity in the information presented to the operator (as required by Regulatory Guide 1.97) the information system employs a number of features to ensure that the information presented to the operator is correct. These are displayed in Figures 7.5-1 and 7.7-15.

  • DIAS channel P monitors two redundant PAMI instruments for each Category 1 process parameter. Both channels are displayed to allow the operator to select the correct instrument based on his evaluation of data from DIAS channel N, the DPS and/or other related process measurements.
  • DIAS channel N monitors the same redundant PAMI instruments as DIAS channel P as well as other instruments measuring the same process parameters. All measurements are compared, deviating sensors are eliminated and an average of the good sensors is displayed. [The average is considered validated data.] This process is conducted first with only narrow range sensors to display the most accurate data available to the operator. If valid data cannot be determined based on narrow range sensors (due to failures or out-of-range conditions) the validation and display process is then conducted for wide range sensors. In either case, wide or narrow range validation, all sensors are checked against the valid data and unacceptable deviations are alarmed. In addition, when the valid data shows an acceptable deviation from the PAMI sensors, a PAMI symbol is displayed indicating that the display may be used for post-accident monitoring. This technique ensures that the operator uses the most accurate unambiguous information at all times. It also allows him to use the same instruments during accident conditions as he uses during the normal operation of the plant because DIAS channel N displays are located on control panels where that parameter is most frequently monitored.

  • The DPS monitors the same measurement channels and processes the data for display in the same manner as DIAS channel N. Both systems conduct the validation sequence described in B above.
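The validation sequence described for DIAS channel N and the DPS in the list above (narrow range first, wide range as fallback, deviation check of every sensor, PAMI symbol) can be sketched as follows. This is an added example, not code from the design document or from Nuplex 80+; the median-based rejection rule, the two-sensor minimum, the tolerances, the sensor tags and the sample readings are assumptions, since the document does not state how deviating sensors are identified.

```python
"""Sensor validation sketch: narrow range first, wide range as fallback.

Added illustration only. The rejection rule, tolerances, tags and readings
are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sensor:
    tag: str            # hypothetical instrument tag
    value: float        # current reading in engineering units
    lo: float           # bottom of the instrument span
    hi: float           # top of the instrument span
    narrow: bool        # True for narrow range, False for wide range
    pami: bool = False  # True if this is one of the PAMI instruments

    def in_range(self):
        # A reading pegged at either end of the span is treated as out of range.
        return self.lo < self.value < self.hi


def _validate_group(group, tol):
    """Average of mutually consistent in-range sensors, or None."""
    live = [s for s in group if s.in_range()]
    if len(live) < 2:
        return None
    mid = median(s.value for s in live)
    good = [s for s in live if abs(s.value - mid) <= tol]
    if len(good) < 2:
        return None
    return sum(s.value for s in good) / len(good)


def validate_parameter(sensors, narrow_tol, wide_tol):
    """Return the validated value, the range used, deviating tags and PAMI flag."""
    def tol_for(sensor):
        return narrow_tol if sensor.narrow else wide_tol

    for use_narrow, label in ((True, "narrow"), (False, "wide")):
        group = [s for s in sensors if s.narrow == use_narrow]
        valid = _validate_group(group, narrow_tol if use_narrow else wide_tol)
        if valid is not None:
            break
    else:
        return {"valid": None, "range": None, "deviating": [], "pami_ok": False}

    # Every in-range sensor, narrow or wide, is checked against the valid data.
    deviating = sorted(s.tag for s in sensors
                       if s.in_range() and abs(s.value - valid) > tol_for(s))
    # PAMI symbol: shown only if the PAMI sensors agree with the valid data.
    pami = [s for s in sensors if s.pami and s.in_range()]
    pami_ok = bool(pami) and not any(s.tag in deviating for s in pami)
    return {"valid": valid, "range": label,
            "deviating": deviating, "pami_ok": pami_ok}


def sample_pressure_sensors(narrow_readings, wide_readings):
    """Constructed pressurizer pressure channels (psia) for the demonstration."""
    narrow = [Sensor(f"PT-N{i}", v, 1500.0, 2500.0, True)
              for i, v in enumerate(narrow_readings, 1)]
    wide = [Sensor(f"PT-W{i}", v, 0.0, 4000.0, False, pami=True)
            for i, v in enumerate(wide_readings, 1)]
    return narrow + wide


if __name__ == "__main__":
    cases = {
        "one narrow sensor drifted": ([2250.0, 2254.0, 2252.0, 2400.0], [2260.0, 2245.0]),
        "below narrow span": ([1500.0, 1500.0, 1500.0, 1500.0], [1210.0, 1190.0]),
        "PAMI sensor deviates": ([2250.0, 2254.0, 2252.0, 2251.0], [2320.0, 2245.0]),
    }
    for name, (n, w) in cases.items():
        print(name, validate_parameter(sample_pressure_sensors(n, w), 15.0, 40.0))
```

In the third constructed case the validated value is still displayed, but the PAMI flag is withheld and the deviating PAMI channel is reported for alarm.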

However, the systems employ diverse hardware and software to enhance the reliability of the overall Nuplex 80+ information display system. The DPS continuously compares its validation results to that of DIAS channel N and DIAS channel P and alarms unacceptable deviations. The DPS displays normal and accident monitoring information in the context of color graphic plant mimics and function achievement displays selectable at any VDU in the Nuplex 80+ ACC. As with DIAS channel N, the signal validation and cross system comparison technique provides the most accurate unambiguous displays to operating and technical support personnel allowing the same display media to be used for normal and accident monitoring.

7.5.2.5.3 Power Source

The PAMI displays are capable of operating independent of offsite power as follows:

Category 1: Independent Class 1E power busses are provided for each redundant sensor instrument channel up to and including the channel isolation devices. The DIAS channel P processing units and displays are powered from isolated Class 1E power busses. The DIAS channel N processors and displays are powered from isolated Class 1E, battery backed A and B instrument busses. The DPS is powered from non-safety, battery backed computer busses.

Category 2: These variables are displayed on DIAS channel N and DPS with power supplies from the non-safety instrument busses and computer bus, respectively. Both are battery backed. Instrument channels are powered from the X or Y instrumentation bus.

Category 3: Although no specific provisions are recommended by Regulatory Guide 1.97, these variables may be displayed on DIAS channel N and/or DPS with power supplies from the non-safety instrument busses and computer bus, respectively. Instrument channels are powered from X or Y instrumentation busses.

7.5.2.5.4 Channel Availability

The system is designed to permit any one channel or method of display to be maintained when required during normal power operation. During such operations the active parts of the system need not continue to meet the single failure criterion. The limitations for maintenance procedures are detailed in the plant technical specifications.

Category 1: Channel availability is assured for the display of Category 1 variables by the use of the seismically qualified channels P and N DIAS displays that are electrically isolated. Additional indication of Category 1 variables is provided by the non-safety DPS. This allows DIAS channels P or N to be out of service for maintenance. Channel availability is also assured for the instrument channels leading up to the displays. This is provided by the independence, separation and power supply requirements discussed previously for Category 1 instrument channels.

Category 2: Channel availability for Category 2 variables is provided by the DIAS and DPS displays for these variables. DIAS and DPS are electrically independent and powered from independent battery backed sources. Both systems are internally redundant and the two designs are diverse from each other.

Category 3: No specific channel availability requirements apply. Therefore, these variables are provided in DIAS and/or the DPS, as appropriate, similar to Category 2 parameters.

7.5.2.5.5 Quality Assurance

Category 1: The PAMI channels are subject to a complete QA program described in Chapter 17 according to the requirements for Class 1E equipment. DIAS and DPS processors and displays are designed in accordance with a QA program for non-Class 1E equipment considered important to safety.

Category 2: Quality assurance status is the same as described above for Category 1.

Category 3: The PAMI channels are high quality commercial grade, selected to withstand the specified environment. The DIAS and DPS quality assurance status is the same as described for Category 1 variables above.

7.5.2.5.6 Display and Recording

Category 1: All Category 1 variables are continuously displayed in the control room on a DIAS channel P display. DIAS channel N also displays all Category 1 parameters. These may not be displayed continuously but are always available. All Category 1 variables also are available on demand from the DPS. No continuously displayed recorded information is necessary for post-accident operation; therefore, recording will be performed within the DPS and is available on demand. Both A and B channels of Category 1 variables are recorded by DPS.

Category 2: Category 2 variables are available on the DIAS channel N and/or the DPS display pages. These display methods are integrated into the control panel layouts based on Chapter 18 HFE task analyses. Recording of radiation monitors will be performed by DPS.

Category 3: Same as Category 2. Meteorological data will be recorded by DPS.


7.5.2.5.7 Range

Categories 1, 2 and 3: The range of the indicators extends over the maximum range of the variable being measured. Where the required range of monitoring instrumentation results in a loss of sensitivity during normal operating conditions, a separate instrumentation channel is provided. The DPS and DIAS channel N provide validated parameter displays with automatic range changes for variables requiring more than one instrument channel to cover the entire range. The DIAS channels P and N and the DPS also allow access to individual sensor channels for each range. DIAS channel P shows only digital representations of parameter values. However, where multiple ranges exist, the display will indicate if the value is from the narrow or wide range sensor. DPS and DIAS channel N will attempt to validate data first using only narrow range sensors. If successful, narrow range scale and demarcation will be displayed. If the parameter is out of the narrow range, wide range sensors will be used for the display with wide range scale and demarcation.

7.5.2.5.8 Equipment Identification

Categories 1 and 2: Displays of Categories 1 and 2 types A, B and C variables provided in the control room have a dedicated designation to indicate they are intended for use under accident conditions. This is an integral part of the panel layout criteria. The DIAS channel P display is identified as post-accident monitoring instrumentation by a red "PAMI" on the display label. Similarly, channel N DIAS indicators which present Categories 1 and 2 post-accident monitoring indications are identified on their labels by a red "PAMI". DPS and DIAS display validated parameters are based partially on PAMI channels. These displays are programmed to continuously conduct a validity check of the validated parameter against the PAMI channels. If a significant deviation from the post-accident channels exists, a channel deviation alarm is generated. Deviation checking and the auto ranging described in Section 7.5.2.5.7 allow narrow range sensors to be used normally and during accidents. When an individual post-accident instrumentation channel is being displayed on one of these DIAS indicators, the display indicates that with a dedicated "PAMI" light. Post-accident instrumentation is indicated on the DPS displays by the "PAMI" acronym located after the parameter value.

Category 3: No specific provisions are required. Therefore, these parameters are identified on DIAS indicators as appropriate for the variables being displayed.
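The range selection of Section 7.5.2.5.7 and the deviation check of Section 7.5.2.5.8 can be illustrated with a short sketch. This is an added example, not code from the design document or from the DIAS/DPS software. The validation rule (sensors must sit inside the span and agree with the median), the tolerances, the deviation limit, the spans and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence


@dataclass(frozen=True)
class RangeSpec:
    low: float        # bottom of the instrument span
    high: float       # top of the instrument span
    tolerance: float  # assumed: max distance from the median for sensors to agree


@dataclass(frozen=True)
class DisplayResult:
    value: Optional[float]  # validated value, or None if neither range validated
    scale: Optional[str]    # "narrow", "wide", or None
    deviation_alarm: bool   # validated value disagrees with a PAMI channel


def validate(readings: Sequence[float], spec: RangeSpec,
             min_agree: int = 2) -> Optional[float]:
    """Assumed validation rule: ignore readings pegged at or beyond the span
    limits, then require min_agree sensors within tolerance of the median."""
    in_span = [r for r in readings if spec.low < r < spec.high]
    if len(in_span) < min_agree:
        return None
    mid = median(in_span)
    agreeing = [r for r in in_span if abs(r - mid) <= spec.tolerance]
    if len(agreeing) < min_agree:
        return None
    return sum(agreeing) / len(agreeing)


def select_display(narrow: Sequence[float], wide: Sequence[float],
                   pami: Sequence[float], narrow_spec: RangeSpec,
                   wide_spec: RangeSpec, deviation_limit: float) -> DisplayResult:
    """Try narrow range sensors first, fall back to wide range sensors, then
    check the validated value against every PAMI channel."""
    value = validate(narrow, narrow_spec)
    scale = "narrow"
    if value is None:
        value = validate(wide, wide_spec)
        scale = "wide"
    if value is None:
        # No validated value: the operator falls back to individual channels.
        return DisplayResult(None, None, False)
    alarm = any(abs(value - p) > deviation_limit for p in pami)
    return DisplayResult(value, scale, alarm)


# Constructed sample configuration (pressure in psia); all values are assumed.
NARROW = RangeSpec(low=1500.0, high=2500.0, tolerance=15.0)
WIDE = RangeSpec(low=0.0, high=4000.0, tolerance=60.0)
DEVIATION_LIMIT = 50.0


def run_samples() -> dict:
    """Run the constructed scenarios and return the results by name."""
    return {
        # Normal operation: narrow range sensors agree with each other and PAMI.
        "normal": select_display([2248, 2252, 2250, 2251], [2240, 2260],
                                 [2245, 2255], NARROW, WIDE, DEVIATION_LIMIT),
        # Depressurization: narrow sensors pegged low, wide range takes over.
        "depressurized": select_display([1500, 1500, 1500, 1500], [905, 915],
                                        [900, 920], NARROW, WIDE, DEVIATION_LIMIT),
        # Narrow sensors agree with each other but have drifted from PAMI.
        "drifted": select_display([2300, 2302, 2301, 2299], [2290, 2310],
                                  [2200, 2205], NARROW, WIDE, DEVIATION_LIMIT),
        # One narrow sensor failed high; the remaining three still validate.
        "one_failed": select_display([2250, 2500, 2249, 2251], [2240, 2260],
                                     [2245, 2255], NARROW, WIDE, DEVIATION_LIMIT),
        # No agreement on either range: nothing is displayed as validated.
        "no_agreement": select_display([1600, 2400], [100, 3900],
                                       [2000], NARROW, WIDE, DEVIATION_LIMIT),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:14s} {result}")
```

The "drifted" case shows why the deviation check matters: the narrow range sensors validate against each other, so only the comparison with the PAMI channels reveals the problem.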


7.5.2.5.9 Interfaces

Categories 1 and 2: Instrument channel interfaces for Categories 1 and 2 variables are provided with qualified isolation devices. Instrument channels that input to DIAS or the DPS have channel isolation devices to provide isolation from the display processing system. The transmission of signals for other non-safety related use from safety-related PAMI channels is also provided through isolation devices.

Category 3: No specific provisions are required. Therefore, these parameters are interfaced without isolation devices.

7.5.2.5.10 Servicing, Testing and Calibration

Categories 1, 2, and 3: The design permits the administrative control of access to all sensor adjustments, module calibration adjustments, and test points. Periodic checking, testing, calibration, and verification will be done in accordance with intent of Regulatory Guide 1.118 pertaining to testing of sensor channels. Means are provided for removing DIAS processing units and displays from service. (( Administrative control of these actions will be developed by the site operator.)) Changes to constants, alarm setpoints and calibration must be made off-line and will be similarly controlled. Redundant processing units will assure continuous display or availability of Regulatory Guide 1.97 variables during adjustments. Administrative controls will also be required for the DPS. The display systems are designed to allow control of access to constants, alarm setpoints, calibration and test points. The DPS continuously checks the validated DIAS data against its own and alarms any deviations. Isolation devices are located outside containment so that they may be accessed by personnel for maintenance during accident conditions.

7.5.2.5.11 Human Factors

Categories 1, 2 and 3: The DIAS allows repair, adjustment or replacement of the display and processing system. The DPS is also designed to facilitate repair, replacement and adjustment of processing modules and VDUs. Functional task analysis is used to determine the type and location of all displays in the Nuplex 80+ control room, including the Regulatory Guide 1.97 indications. The DIAS and DPS displays provide Regulatory Guide 1.97 indication through the same method as normal operating information. In addition, the instrument channels used normally are continuously validated against PAMI channels such that the displays used normally are the same displays used during an accident. Refer to Chapter 18 for further information regarding Human Factors Engineering display criteria utilized for the Nuplex 80+ control panels.

1 COL information item; see DCD Introduction Section 3.2.


7.5.2.5.12 Direct Measurement

Categories 1, 2 and 3: To the extent practical, the PAMI provides direct measurement of desired variables.

7.5.2.6 Analysis of Automatic Bypass Indication

The bypass/inoperable status is displayed in the control room for the following systems:
  • Containment Spray
  • Containment Isolation
  • Safety Injection
  • Safety Depressurization
  • Emergency Feedwater
  • Shutdown Cooling
  • Essential Service Water
  • Component Cooling Water
  • Emergency Diesel Generators
  • ESF Electrical Auxiliary Power Buses
  • Reactor Containment Fan Coolers
  • Control Room HVAC
  • Switchgear Room HVAC
  • Diesel Generator Room HVAC
  • Mechanical and Electrical Penetration Exhaust System
  • Fuel Building Emergency Exhaust System

Visual indication is provided on a system level. Input to the system is provided by direct measurement at the equipment or control logic or by administrative insertion into the program where direct measurement is not provided.

The automatic bypass indication meets the intent of Regulatory Guide 1.47 paragraph C guidance as described in Section 7.1.2.21.

7.5.2.7 Analysis of Inadequate Core Cooling Monitors

The Inadequate Core Cooling (ICC) monitoring instrumentation provides the operator with indication of the thermal-hydraulic states within the reactor pressure vessel during the progression toward and recovery from ICC. The following design criteria were used in the selection of ICC monitoring instrumentation:

  • Provide continuous monitoring of parameters associated with ICC.
  • Provide the operator with advance warning of the approach to ICC.
  • Provide instrumentation to cover the full range of ICC from normal operation to core uncovery.
  • Provide multiple channels of instrumentation to ensure high availability.
  • Provide display information to the operator that is reliable, comprehensible, and timely.

7.5.2.7.1 Description of ICC Progression (Coolant States Related to ICC)

The instrument sensor package for ICC detection provides the reactor operator with continuous indication of the thermal-hydraulic states within the Reactor Pressure Vessel (RPV) during the progression toward and away from ICC. This progression can be divided into conditions based on physical processes occurring within the RPV. These are characterized as follows:

Conditions Associated with the Approach to ICC

Condition 1a: Loss of fluid subcooling prior to the first occurrence of saturation conditions in the coolant.

Condition 2a: Decreasing coolant inventory within the upper plenum (from the top of the vessel to the top of the active fuel).

Condition 3a: Increasing core exit temperature produced by uncovery of the core resulting from the drop in level of the mixture of vapor bubbles and liquid from the top of the active fuel.

Conditions Associated with Recovery from ICC

Condition 3b: Decreasing core exit steam temperature resulting from the increase in level within the core.

Condition 2b: Vessel fill by the increase in inventory above the fuel.

Condition 1b: Establishment of saturation conditions followed by an increase in fluid subcooling.

In order to provide indicators during the entire progression of an event, an ICC instrumentation system consists of instruments which provide at least one appropriate indicator for each of the physical conditions described above.

Applying this description of the "approach to" and "recovery from" ICC to ICC instrument selection:

  • Provides assurance that the selected ICC system detects and indicates the entire progression.
  • Demonstrates the extent of instrument diversity or redundancy which is possible with the available instruments.

Furthermore, by defining the ICC progression on a physical basis the general labels of "approach to" and "recovery from" ICC can now be associated with the following specific physically measurable processes.

7.5.2.7.1.1 Approach to ICC

The ICC instrumentation provides the operator with an advance warning of the approach to ICC by providing indications of:

  • The loss of subcooling and occurrence of saturation (Condition 1a) with a saturation margin display receiving input from primary system RTDs, upper head HJTCs, pressurizer pressure and RCS loop pressure sensors.
  • The loss of inventory in the RPV (Condition 2a) with the Heated Junction Thermocouples (HJTCs).
  • The increasing core coolant exit temperature (Condition 3a) with CETs.

It should be noted that the HJTCs measure inventory (collapsed liquid level) rather than two-phase level. This measurement provides the operator with an advanced indication of the coolant level should conditions arise to cause the two-phase froth to collapse via system overpressurization or the loss of operating reactor coolant pumps.

7.5.2.7.1.2 Recovery From ICC

Following an event leading to ICC, the ICC instruments will provide information to the reactor operator so that he may:

  • Verify that the core heat removal safety function is being met.
  • Establish the potential for fission product release.

ICC instrumentation indications are used to support the operator in helping to verify that the core heat removal safety function is being met. ICC indications available to the operator are:

  • Increasing inventory level above the fuel alignment plate.
  • Increasing subcooling in the RPV and RCS piping.
  • Decreasing core exit steam superheat.

The operator is informed about the progression of an event by both static and trend displays. The trending of ICC information enables the operator to quickly assess the success of automatically or manually performed mitigating actions.

7.5.2.7.2 Instrument Range

In the ICC sensor package, saturation temperature and water inventory are used as indicators for the "approach to" and "recovery from" ICC when there is water inventory above the fuel alignment plate. These measurements characterize Conditions 1a, 1b, 2a, and 2b of the ICC progression. When the two-phase level is below the fuel alignment plate, the measurement of core exit fluid temperature represents a direct indication of the "approach to" and "recovery from" ICC (Conditions 3a and 3b). Therefore, the ICC sensor package is sufficient to provide information to the reactor operator on the entire progression of an event with ICC potential.

References for Section 7.5

1. "Description of the C-E Nuclear Steam Supply System Quality Assurance Program," Combustion Engineering, Inc., CENPD-210-A, Revision 7A, June 1992.

Table 7.5-1 Safety-Related Plant Process Display Instrumentation

Parameter | Number of Sensor Channels | Sensed Ranges (4) | Minimum Indicated Range [2] | Location [1,3]
Pressurizer Pressure | 4 | 0-750 psia | |
Pressurizer Pressure | 4 | 1500-2500 psia | 0-4000 psig | Control Room
Pressurizer Pressure | 4 | 600-1650 psia | |
RCS Pressure | 2 | 0-4000 psia | |
Steam Generator Differential Pressure (RCS) | 4/SG | 0-70 psid | 0-70 psid | Control Room
Coolant Temperature (Hot) | 8 | 525-675°F | 50-750°F | Control Room
 | 4 | 50-750°F | |
Coolant Temperature (Cold) | 8 | 465-615°F | 50-750°F | Control Room
 | 4 | 50-750°F | |
Containment Pressure (Wide Range) | 2 | -5 psig to +4 times design psig | -5 psig to +4 times design psig | Control Room
Containment Pressure (Narrow Range) | 4 | -5 psig to +1 times design psig | -5 psig to +1 times design psig | Control Room
Steam Generator Pressure | 4/SG | 15-1500 psia | 0-1485 psig | Control Room
Steam Generator Level (Wide Range) | 4/SG | 0-100% | 0-100% | Control Room
Steam Generator Level (Narrow Range) | 4/SG | 0-100% | |
Pressurizer Level | 2 | 0-100% | 0-100% | Control Room
Local Power Density | 4 | 0-25 kW/ft | 0-25 kW/ft | Control Room
DNBR Margin | 4 | 0-10 | 0-10 | Control Room
Neutron Flux Level Rate of Change | 4 | -1 to +7 DPM | -1 to +7 DPM | Control Room
Neutron Flux Power Level (Safety Channels) | 4 | 2x10^-7 to 200% power | 2x10^-7 to 200% | Control Room
Neutron Flux Power Level (Safety Channels) | 4 | 0-200% power | 2x10^-7 to 200% | Control Room
Neutron Flux Power Level (Core Protection Calculators) | 4 | 0-200% power | 2x10^-7 to 200% | Control Room

Notes:
[1] See Chapter 18 for type of readout.
[2] Display channel inaccuracies negligible due to digital processing and display.
[3] See Sections 7.7.1.4 and 7.7.1.7 for a description of the Discrete Indication and Alarm System and Data Processing System displays.

Table 7.5-2 Engineered Safety Feature System Monitoring

Parameter | Number of Channels | Number of 1E Channels | Minimum Indicated Range [2] | Location [1]

Containment Isolation System
Containment Isolation Valve Position | 1 pair/valve | | Open/Close | Control Room

Safety Injection System
Safety Injection Valve Position | 1 pair/valve | [3] | Open/Close | Control Room
Safety Injection Tank Level | 1/Tank | 1/Tank | 0-100% (34 ft. scale) | Control Room
 | 2/Tank | -- | 0-100% (4 ft. scale) | Control Room
In-containment Refueling Water Storage Tank Isolation Valve Position | 1 pair/valve | 1 | Open/Close | Control Room
In-containment Refueling Water Storage Tank Level | 2 | 2 | 0-100% | Control Room
In-containment Refueling Water Storage Tank Temperature | 2 | 2 | 50-250°F | Control Room
In-containment Refueling Water Storage Tank Pressure | 2 | 2 | 0-100 psig | Control Room
Safety Injection Flow | 4 | 4 | 0-1500 gpm | Control Room
Safety Injection Hot Leg Flow | 2 | 2 | 0-1500 gpm | Control Room
Safety Injection Pump Discharge Pressure | 4 | - | 0-2500 psig | Control Room
Safety Injection Tank Pressure | 1/Tank | 1/Tank | 0-750 psig | Control Room/RSP
 | 2/Tank | 1/Tank | 450-650 psig | Control Room
Direct Vessel and Hot Leg Injection Line Pressure | 6 | - | 0-2500 psig | Control Room

Shutdown Cooling System
Shutdown Cooling Heat Exchanger Inlet Temperature | 2 | 2 | 40-400°F | Control Room/RSP
Shutdown Cooling Return Line Temperature | | | 40-400°F | Control Room/RSP
Shutdown Cooling Pump Discharge Pressure | 2 | -- | 0-1000 psig | Control Room
Shutdown Cooling Flow | 2 | 2 | 0-7500 gpm | Control Room/local
Shutdown Cooling Heat Exchanger Outlet Temperature | 2 | 2 | 40-400°F | Control Room
Shutdown Cooling Valve Positions | 1 pair/valve | - | Open/Close | Control Room [4]

Main Steam Isolation System
Main Steam Isolation Valve Position | 1 pair/valve | - | Open/Close | Control Room
Main Steam Isolation Valve Bypass Valve Position | 1 pair/valve | - | Open/Close | Control Room
Main Feedwater Isolation Valve Position | 1 pair/valve | - | Open/Close | Control Room
Steam Generator Blowdown Isolation Valve Position | 1 pair/valve | - | Open/Close | Control Room

Emergency Feedwater System
EFW Pump Status | 1 pair/pump | -- | On/Off | Control Room [4]
EFW Valve Position | 1 pair/valve | - | Open/Close | Control Room [4]
EFW Pump Flow | 4 | 4 | 0-800 gpm | Control Room [4]
EFW Pump Discharge Pressure | 4 | 4 | 0-2925 psia | Control Room [4]
EFW Pump Suction Pressure | 4 | 4 | 0-165 psia | Control Room [4]
EFW Steam Driven Pump Turbine Inlet Steam Pressure | 2 | 2 | 0-1235 psia | Control Room [4]
EFW Storage Tank Temperature | 2 | 2 | 0-200°F | Control Room
EFW Storage Tank Level | 2/Tank | 2/Tank | 0-100% | Control Room [4]
EFW Pump Turbine Speed | 2 | 2 | 0-4450 rpm | Control Room [4]
EFW Line Temperature | 4 | 4 | 40-250°F | Control Room
EFW Recirculation Flow | 4 | 4 | 0-700 gpm | Control Room [4]

Safety Depressurization System
Rapid Depressurization Valve Position | 1 pair/valve | -- | Open/Close | Control Room
 | and 1 per valve | | 0-100% | Control Room
RDS Line Temperature | 2 | 2 | 50-700°F | Control Room
SDS Pressure | 2 | 2 | 0-2500 psia | Control Room

Containment Spray System
CS Pump Suction Pressure | 2 | 2 | 0-25 psig | Control Room
CS Pump Discharge | 2 | 2 | 0-1000 psig | Control Room
CS Pump Flow | 2 | 2 | 0-7500 gpm | Control Room
Spray Header Isolation Valve Position | 1 pair/valve | - | Open/Close | Control Room
 | and 1 per valve | | 0-100% | Control Room
CS Pump Status | 1 pair/pump | - | On/Off | Control Room
CS Pump Motor Current | 2 | 2 | 0-175 Amps | Control Room
CS Heat Exchanger Outlet Temperature | 2 | 2 | 40-400°F | Control Room

Control Building/Control Room Ventilation System
Inlet Radiation Monitor | 2/inlet | 2/inlet | 10 10*R/hr | Control Room
Inlet Chemical Monitor | 2/inlet | 2/inlet | Site Dependent | Control Room

Notes:
[1] See Chapter 18 for type of readout.
[2] Display channel inaccuracies negligible due to digital processing and display.
[3] All indication on electrically actuated valves in the Safety Injection, Shutdown Cooling, and Containment Spray Systems with exception of SI-661, receive 1E power.
[4] Valves which are required to bring the plant to cold shutdown also have open/close position indicated outside the Control Room.

Table 7.5-3 Post-Accident Monitoring Instrumentation

Parameter | Number of Sensed Channels [5] | Minimum Sensor Ranges | Minimum Indicated Range | Location [1,2] | Reg. Guide 1.97 Category
RCS Pressure | 2 | 0-4000 psig | 0-4000 psig | Control Room | 1,2
Primary Safety Valve Position (Acoustic Leak Detector) | 1/Valve | N/A | Closed/Not Closed | Control Room | 2
In-containment RWST Level | 2 | 0-100% | 0-100% | Control Room | 2
In-containment RWST Temperature | 2 | 50-250°F | 50-250°F | Control Room | 2
Coolant Temperature (Hot) | 4 | 50-750°F | 50-750°F | Control Room | 1
Coolant Temperature (Cold) | 4 | 50-750°F | 50-750°F | Control Room | 1,3
Containment Pressure (Wide Range) | 2 | -5 psig to 4 times design psig | -5 psig to 4 times design psig | Control Room | 1
Containment Pressure (Narrow Range) | 4 | -5 psig to 1 times design psig | -5 psig to 1 times design psig | Control Room | 1
Steam Generator Pressure | 2/SG | 15-1500 psia | 0-1485 psig | Control Room | 1,2
Steam Generator Level (Wide Range) | 2/SG | 0-100% | 0-100% | Control Room | 1
Pressurizer Level | 2 | 0-100% | 0-100% | Control Room | 1
Pressurizer Heater Status | 1 pair/heater bank | N/A | On/Off | Control Room | 2
Pressurizer Pressure (High Range) | 4 | 1500-2500 psia | Note 4 | Control Room | 1
Pressurizer Pressure (Mid Range) | 4 | 600-1650 psia | Note 4 | Control Room | 1
Pressurizer Pressure (Low Range) | 4 | 0-750 psia | Note 4 | Control Room | 1
Degree of Subcooling | 2 | Note (4) | 200°F subcooling to 35°F superheat | Control Room | 1
Neutron Flux Power Level (Safety Channels) | 2 | 2x10^-7 to 200% | 2x10^-7 to 200% | Control Room | 1
Reactor Cavity Level | 2 | 0-100% | 0-100% | Control Room | 1,2
Containment Area Radiation | 2 | 1 R/hr - 10^8 R/hr | 1 R/hr - 10^8 R/hr | Control Room | 1,3
Containment Hydrogen Concentration | 2 | 0-15% by volume | 0-15% | Control Room | 1
Containment Spray Flow | 2 | 0-7500 gpm | 0-7500 gpm | Control Room | 2
Containment Atmosphere Temperature | 2 | 0-400°F | 0-400°F | Control Room | 2
Containment Isolation Valve Position | 1 pair/valve | N/A | Closed/Not Closed | Control Room | 1
Core Exit Temperature | 2 | 32-2300°F | 32-2300°F | Control Room | 1,3
Reactor Vessel Coolant Level | 2 | 0-370 inches above core support surface | 0-100% | Control Room | 1
Emergency Feedwater Flow | 2/SG | 0-715 gpm | 0-110% | Control Room | 2
Emergency Feedwater Storage Tank Level | 2/Tank | 0-100% | 0-100% | Control Room | 1
Safety Injection Flow | 4 | 0-1500 gpm | 0-1500 gpm | Control Room | 2
Safety Injection Tank Level | 1/Tank | 0 - 34 ft | 0-100% | Control Room | 2
Safety Injection Tank Pressure | 1/Tank | 0-750 psig | 0-750 psig | Control Room | 2
SIT Isolation Valve Position | 1 pair/tank | N/A | Open/Close | Control Room | 2
Shutdown Cooling Flow | 2 | 0-7500 gpm | 0-7500 gpm | Control Room | 2
Shutdown Cooling HX Outlet Temperature | 2 | 40-400°F | 40-400°F | Control Room | 2
SDS Valve Position | 1 pair/valve | N/A | Closed/Not Closed | Control Room | 2
SDS Temperature | 3 | 40-700°F | 50-700°F | Control Room | 2
SDS Pressure | 2 | 0-2600 psia | 0-2600 psia | Control Room | 2
SG Safety Valve and ADV Position | 1 pair/valve | N/A | Open/Close | Control Room | 2

Effluent Radioactive Noble Gas from Identified Release Points:
Main Steam Line Area Radiation | 2 | 0.1 - 1 E+7 mR/hr | 0.1 - 1 E+7 mR/hr | Control Room | 2
Unit Vent Monitor:
Particulate | 1 | 1 E-11 - 1 E-5 pCi/cc | 1 E-11 - 1 E-5 pCi/cc | Control Room | 2
Iodine | 1 | 1 E 1 E-6 Ci/cc | 1 E-12 - 1 E-6 Ci/cc | Control Room | 2
Gas | 1 | 1 E 1 E-1 pCi/cc | 1 E-7 - 1 E-1 pCi/cc | Control Room | 2
High Gas | 1 | 1 E 1 E+3 pCi/cc | 1 E-3 - 1 E+3 pCi/cc | Control Room | 2
Unit Vent Post-Accident High Gas | 1 | 1 - 1.0E+8 R/hr | 1 - 1.0E+8 R/hr | Control Room | 2

Component Cooling Water Temperature to ESF System | 1 | 0-200°F | 0-200°F | Control Room | 2
Component Cooling Water Flow to ESF System | 1 | 0-20900 gpm | 0-110% | Control Room | 2
Vent Design Flow | 1 | 0-143500 cfm | 0-110% | Control Room | 2
Emergency Ventilation Damper Position | 1 pair/damper | N/A | Open/Close | Control Room | 2
DC Bus Voltage | 2 | 0-150 Vdc | 0-150 Vdc | Control Room | 2
Diesel Generator Voltage | 2 | 0-5250 Vac | 0-5250 Vac | Control Room | 2
Diesel Generator Current | 2 | 0-1200 Amps | 0-1200 Amps | Control Room | 2
4.16-kV Swgr. Voltage | 2 | 0-5250 Vac | 0-5250 Vac | Control Room | 2
480-V Swgr. Voltage | 2 | 0-600 Vac | 0-600 Vac | Control Room | 2
4.16-kV Swgr. Current | 2 | 0-1200 Amps | 0-1200 Amps | Control Room | 2
480-V Swgr. Current | 2 | 0-150 Amps | 0-150 Amps | Control Room | 2
Diesel Generator Starting Air Reservoir Pressure | 1 per DG | N/A | ≥ 185 psig | Control Room | 2
Reactor Coolant Pump Current | 1/pump | 0-468 Amps | 0-1000 Amps | Control Room | 3
RCS Boron Concentration | 1 | 0-6000 ppm | 0-6000 ppm | Control Room | 3
Control Rod Position | 1/rod | N/A | Full In/Not Full In | Control Room | 3
Primary Coolant Radiation Level | 2 | 1.0 - 10^8 R/hr | 1.0 - 10^8 R/hr | Control Room | i
Main Feedwater Flow | 1/SG | 0-19.4x10^6 lbm/hr | 0-110% | Control Room | 3
High Level Radioactive Liquid Waste Tank Level (Holdup Tank) | 1 | 0-435,000 gal | 0-100% | Control Room | 3
Plant Area Radiation Monitors | 15 | 10^-1 R/hr to 10^4 R/hr | 10^-8 R/hr to 10^4 R/hr | Control Room | 3
Wind Direction | 1 | 0-360° | 0-360° | Control Room | 3
Wind Speed | 1 | 0-50 mph | 0-50 mph | Control Room | 3
Atmosphere Stability Temperature Difference | 2 | -9 to +18°F Delta-T | Exceeds Required Range | Control Room | 3

Notes:
[1] See Chapter 18 for type of readout.
[2] All Category 1 variables are also recorded via the DPS Historical Data Storage and Retrieval program.
[3] Post-accident monitoring instrumentation is qualified for the appropriate environmental conditions (refer to Section 3.11).
[4] Degree of subcooling is calculated from pressurizer pressure, RCS temperature and core exit temperature parameters.
[5] MCBDs are provided in appropriate sections of Chapter 7.
[6] Post-accident channel accuracy is a time dependent function of post-accident environmental conditions.

[Figure 7.5-1: Diverse Display of Post Accident Monitoring Category 1 Parameters]

[Figure 7.5-2: HJTC Sensor - HJTC/Splash Shield. Labels: reference T/C location, heater zone, heated T/C location, splash shield]

[Figure 7.5-3: Heated Junction Thermocouple Probe Assembly. Labels: electrical connectors (one per sensor), seal plug, separator tube, HJTC sensor, 8 sensors, splash shield, Section A-A]

[Figure 7.5-4: HJTC Sensor and Separator Tube. Labels: TC sheath, level of steam/water mixture, separator tube, water level inside separator tube, collapsed water level, unheated TC junction, heated TC junction, splash guard]

[Figure: core map. Legend entries: Locations Which May Contain 4 Element CEAs; 4 Element Full Strength CEA; Element Part Strength CEA; Locations of Fixed In-Core Detector Strings]

[Figure 7.5-6: Electrical Diagram of HJTC. Labels: copper, Inconel, Alumel. V(A-B) = absolute temperature, unheated junction; V(C-B) = absolute temperature, heated junction; V(A-C) = differential temperature.]

[Figure 7.5-7: HJTC System Processing Configuration (One Channel Shown). Labels: PAMI signal conditioning equipment; signal processor; logic and controls; DIAS-P; DPS; 120 VAC 1E power; control power, instrument power, signal power; heater controllers; power supplies (2/channel); power to heaters.]

}}