ML22340A198

1 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Control
ML22340A198
Person / Time
Site: Cook (American Electric Power)
Issue date: 11/30/2022
From:
Indiana Michigan Power Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML22340A137
References
AEP-NRC-2022-62


Text

UFSAR Revision 31.0 INDIANA MICHIGAN POWER Revised: 30.0 D. C. COOK NUCLEAR PLANT Chapter 7 UPDATED FINAL SAFETY ANALYSIS REPORT Page: i of vi

7.0 INSTRUMENTATION AND CONTROL
7.1 APPLICATION OF PLANT DESIGN CRITERIA
7.2 PROTECTIVE SYSTEMS
7.2.1 Protective Systems
7.2.1.1 Application of Design Criteria
7.2.1.1.1 Principles of Design
7.2.1.1.2 Electrical Isolation
7.2.1.1.3 Protection System Identification
7.2.1.1.4 Manual Actuation
7.2.1.1.5 Channel Bypass or Removal from Operation
7.2.1.1.6 Capability for Test and Calibration
7.2.1.1.7 Information Readout and Indication of Bypass
7.2.1.1.8 Vital Protective Functions and Functional Requirements
7.2.1.1.9 Completion of Protective Action (Interlock)
7.2.1.1.10 Multiple Trip Settings
7.2.1.1.11 Protective Actions
7.2.1.1.12 Indication
7.2.1.1.13 Alarms and Annunciators
7.2.1.1.14 Operating Environment
7.2.1.1.15 Seismic Performance
7.2.2 System Design
7.2.2.1 Reactor Protection System Description
7.2.2.2 System Safety Features
7.2.2.2.1 Separation of Redundant Channels
7.2.2.2.2 Design Basis for Critical Circuits
7.2.2.2.2.1 General
7.2.2.2.2.2 Specific Systems
7.2.2.2.2.3 Power Sources

7.2.2.2.2.4 Thermal Loading
7.2.2.2.2.5 Physical Loading
7.2.2.2.2.6 Fire Detection
7.2.2.3 Protective System Independence
7.2.2.4 Loss of Power
7.2.2.5 Reactor Trip Signal Testing
7.2.2.6 Reactor Protection System Testing
7.2.2.6.1 Process Analog/Digital Protection Channel Testing
7.2.3 Nuclear Instrumentation Channel Testing
7.2.3.1 Source Range
7.2.3.2 Intermediate Range
7.2.3.3 Power Range
7.2.3.4 Logic Protection System Testing
7.2.3.5 Reactor Trip Breaker Testing
7.2.3.6 Response Time Testing
7.2.3.7 Primary Power Source
7.2.3.8 Protective Actions
7.2.3.8.1 Reactor Trip Description
7.2.3.8.2 Manual Trip
7.2.3.8.3 High Neutron Flux (Power Range) Trip
7.2.3.8.4 High Positive Neutron Flux Rate (Power Range) Trip
7.2.3.8.5 High Neutron Flux (Intermediate Range) Trip
7.2.3.8.6 High Neutron Flux (Source Range) Trip
7.2.3.8.7 Overtemperature ΔT Trip
7.2.3.8.8 Overpower ΔT Trip
7.2.3.8.9 Low Pressurizer Pressure Trip
7.2.3.8.10 High Pressurizer Pressure Trip
7.2.3.8.11 High Pressurizer Water Level Trip

7.2.3.8.12 Low Reactor Coolant Flow Trip
7.2.3.8.13 Safety Injection System (SIS) Actuation Trip
7.2.3.8.14 Turbine Generator Trip
7.2.3.8.15 Low Feedwater Flow Trip
7.2.3.8.16 Low-Low Steam Generator Water Level Trip
7.2.3.8.17 Rod Stops
7.2.3.8.18 Automatic Turbine Load Runback
7.2.3.8.19 Control Bank Rod Insertion Monitor
7.2.3.8.20 Rod Deviation Alarm
7.2.3.8.21 Reactor Coolant Flow Measurement
7.2.4 System Evaluation
7.2.4.1 Reactor Protection System and DNB
7.2.4.2 Specific Control and Protection Interactions
7.2.4.2.1 Nuclear Flux
7.2.4.2.2 Coolant Temperature
7.2.4.2.3 Unit 1
7.2.4.2.4 Pressurizer Pressure
7.2.4.2.5 Pressurizer Level
7.2.4.2.6 High Level
7.2.4.2.7 Low Level
7.2.4.2.8 Steam Generator Water Level; Feedwater Flow
7.2.4.2.9 Steam Line Pressure
7.2.4.2.10 Operating Environment
7.3 CONTROL SYSTEMS
7.3.1 Design Basis
7.3.2 System Design
7.3.2.1 Rod Cluster Control Assembly Arrangements
7.3.2.2 Rod Control

7.3.2.3 Primary System Pressure Control
7.3.2.4 Pressurizer Level Control
7.3.2.5 Secondary System Control
7.3.2.6 Steam Dump
7.3.2.7 Steam Generator Water Level Control
7.3.2.8 Turbine Control
7.3.2.9 Secondary System Description
7.3.2.10 Secondary System Evaluation
7.3.3 System Design Evaluation
7.3.3.1 Unit Stability
7.3.3.2 Load Changes without Steam Dump
7.3.3.3 Loading and Unloading
7.3.3.4 Loss of Load with Steam Dump
7.3.3.5 Turbine-Generator Trip with Reactor Trip
7.4 NUCLEAR INSTRUMENTATION
7.4.1 Application of Design Criteria
7.4.2 Nuclear Instrumentation Systems Design and Evaluation
7.5 ENGINEERED SAFETY FEATURES INSTRUMENTATION
7.5.1 Design Bases
7.5.2 System Design
7.5.2.1 Engineered Safety Features Actuation System Description
7.5.2.2 Engineered Safety Features and Associated System Actuation
7.5.2.3 Engineered Safety Features Vital Functions
7.5.2.4 Reset Capability
7.5.2.5 Engineered Safety Features Instrumentation Calibration and Test
7.5.2.6 Feedwater Isolation

7.5.2.7 Main Steam Isolation
7.5.2.8 Engineered Safety Features Instrumentation
7.5.2.9 Ice Condenser Instrumentation
7.5.2.10 Containment Pressure
7.5.2.11 Containment Radiation
7.5.2.12 Refueling Water Storage Tank Level
7.5.2.13 Emergency Core Cooling System Pumps Discharge Pressure
7.5.2.14 Pump Energization
7.5.2.15 Valve Position
7.5.2.16 Containment Water Level Instrumentation
7.5.2.17 Containment Recirculation Sump Water Level Instrumentation
7.5.2.18 Other Instrumentation
7.5.2.19 Instrumentation Used During Loss-of-Coolant Accident
7.5.3 System Evaluation
7.5.3.1 Pressurizer Pressure
7.5.3.2 Steam Generator Water Level Control
7.5.3.3 Motor and Valve Control
7.5.3.4 Environmental Capability
7.6 IN-CORE INSTRUMENTATION
7.6.1 Design Basis
7.6.2 System Design
7.6.2.1 General
7.6.2.2 Thermocouples
7.6.2.3 Movable Miniature Flux Detectors
7.6.2.3.1 Mechanical Configuration
7.6.2.3.2 Control and Readout Description
7.6.3 System Evaluation

7.7 OPERATING CONTROL STATIONS
7.7.1 Application of Design Criteria
7.7.2 General Layout
7.7.3 Design Basis
7.7.4 Control Room Lighting
7.7.5 Plant Communications
7.7.6 Fire Prevention Design
7.7.7 Control Room Availability
7.7.8 Hot Shutdown Control
7.7.9 Auxiliary Control Stations
7.7.10 Local Shutdown and Cooldown Station
7.7.11 References for Sections 7.0 - 7.7
7.8 POST ACCIDENT MONITORING INSTRUMENTATION
7.8.1 R.G. 1.97 Display Instrumentation
7.8.2 Post-Accident Containment Hydrogen Monitoring
7.8.3 References for Section 7.8

7.0 INSTRUMENTATION AND CONTROL

Instrumentation and control systems provide the reactor operator with required information and control capability to operate the plant in a safe and efficient manner. Where safety functions are involved, logic circuitry and actuators are provided to execute equipment actions without operator help.

Instrumentation and control systems are broadly classified as being either a protective system (Section 7.2) or a control system (Section 7.3). The nuclear instrumentation (Section 7.4) and engineered safety features instrumentation (Section 7.5) are discussed in separate parts of this chapter. Three other specific design features or topics are also separately discussed: In-core instrumentation (Section 7.6), operating control stations (Section 7.7) and post-accident monitoring instrumentation (Section 7.8).

7.1 APPLICATION OF PLANT DESIGN CRITERIA

Plant specific design criteria are described in Section 1.4.

The applicable portions of the Missile Protection Criteria as stated in Section 1.4 apply to Class I equipment in this chapter.

7.2 PROTECTIVE SYSTEMS

The protective systems consist of both the reactor protection system and the engineered safety features. All equipment from sensors to actuating devices is considered a part of that protective system. Engineered Safety Features Instrumentation is discussed in Sub-Chapter 7.5.

Design Criteria for protection systems permit maximum effective use of process measurements both for control and protection functions, thus enhancing the capability to provide an adequate system to deal with the majority of common mode failures as well as to provide redundancy for critical control functions. The design approach provides a Protection System, which monitors numerous system variables by different means, i.e., protection system diversity. This diversity has been evaluated for a wide variety of postulated accidents in Reference 3.

7.2.1 Protective Systems

7.2.1.1 Application of Design Criteria

The basic reactor operating philosophy is to define an allowable region of power, pressure and coolant temperature conditions. This allowable range is defined by the primary tripping functions: the overpower ΔT trip, the overtemperature ΔT trip and the nuclear overpower trip. The operating region below these trip settings is designed so that no combination of power, temperatures, and pressures could result in DNBR less than the minimum DNBR for any credible operational transient when at power. Tripping functions in addition to those stated above are provided to back up the primary tripping functions for specific abnormal conditions.

Rod stops from nuclear overpower, overpower ΔT and overtemperature ΔT deviation are provided to prevent abnormal power conditions which would result from excessive control rod withdrawal initiated by a malfunction of the reactor control system or by operator violation of administrative procedures.

Protection and operational reliability is achieved by providing redundant instrumentation channels for each protective function. These redundant channels are electrically isolated and physically separated. The channel design incorporates separate sensors, separate power supplies, separate rack and panel mounted equipment and separate relays for the actuation of the protective function.

For protective functions where two-out-of-three or two-out-of-four coincident actuation is provided, a single channel failure will not impair the protective function nor will it cause an unnecessary unit shutdown.

Westinghouse design philosophy for Reactor Protection and Control Systems is to make maximum use, for both protection and control functions, of a wide range of measurements. The Protection and Control Systems are separate and identifiable. The design approach permits not only redundancy of protection, providing its own desirable increment to overall plant safety, but also provides a Protection System which continuously monitors numerous system variables by different means; i.e., protection system diversity.

The extent of Protection System diversity has been evaluated for a wide variety of postulated accidents in Reference 3. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur.

The protection system is independent of the control system, although the control system is dependent upon signals derived from the protection system through isolation amplifiers. The design approach is to make maximum and thereby most efficient use, for both control and protection purposes, of all measurements of plant variables.

In the Reactor Protection System, two reactor trip breakers are actuated by two separate logic matrices, which interrupt power to the rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full-length rod drive mechanisms permitting the rods to free fall into the core.

Further detail on redundancy is provided through the description of the respective system covered by the various sub-sections in this chapter. The power supply for the protection systems is discussed in Chapter 8.

One of the two reactivity control systems employs rod cluster control assemblies to regulate the position of the neutron absorbers within the reactor core. The other reactivity control system employs the Chemical and Volume Control System to regulate the concentration of boric acid solution neutron absorber in the Reactor Coolant System. These systems are described in Chapters 3 and 9, respectively.

Reactor shutdown with control rods is completely independent of the normal control functions since the trip breakers interrupt the power to the full-length rod mechanisms regardless of existing control signals. Effects of continuous withdrawal of a rod and of deboration are described in Chapter 14.

7.2.1.1.1 Principles of Design

The Protective System is designed in accordance with IEEE 279 "Proposed Criteria for Nuclear Power Plant Protection Systems," August 1968 using digital equipment (see references 11, 12, 13, and 14). Detailed descriptions of the implementation of these principles are presented in the remainder of Sub-Chapter 7.2 and in Sub-Chapter 7.4 and 7.5.

7.2.1.1.2 Electrical Isolation

The design criterion used to assure electrical isolation is that no analog signal which is required for initiation of reactor protection or engineered safety feature actuation is allowed to leave a set of protection channels. Where protection signal intelligence is required for other than protection functions, an isolation amplifier (part of the protection set) is used to transmit the intelligence. The isolation amplifier prevents the perturbation of the protection channel signal (input) due to any disturbance of the isolated signal (output) which normally could occur near any termination of the output wiring external to the protection racks. A description of the nuclear instrumentation isolation amplifiers that are used in this plant is given in Reference 1. A description of the process control system isolating device is given in References 2 and 18.

Isolation of the reactor protection and engineered safety feature signals is discussed in References 4 and 11 through 14.

7.2.1.1.3 Protection System Identification

Electrical and instrumentation and control equipment in the reactor protection and engineered safety feature systems have nameplates that are color coded to facilitate the identification of the item as part of the reactor protection system or the engineered safety features. The nameplates for the four channels of the reactor protection system have orange, blue, yellow or white backgrounds with black or white lettering. The two trains of engineered safety features have nameplates with red or green backgrounds. If several components or modules are mounted in or on assemblies that themselves have color coded nameplates, the individual items do not necessarily have nameplates.

Cables in the reactor protection and engineered safety features systems are identified with cable numbers in the 8,000, 9,000, 80,000 and 90,000 series of numbers only.

Each cable has a metallic number tag at each end and at any junction points in between. The tag has the cable number stamped in it, which includes a suffix letter denoting the train or channel color designation. Often the cables are also paint stripe identified at regular intervals along their entire length.

7.2.1.1.4 Manual Actuation

Means are provided for manual initiation of protective system action. Failure in the automatic system does not prevent the manual actuation of protective functions. Manual actuation is designed to require the operation of a minimum of equipment.

7.2.1.1.5 Channel Bypass or Removal from Operation

The system is designed to permit any one analog channel to be maintained, tested or calibrated during power operation without system trip. (Note: This does not include such backup trips as Reactor Coolant Pump Breakers.) During such operation the active parts of the system continue to meet the single failure criterion.

EXCEPTION:

1. "One-out-of-two" systems are permitted to violate the single failure criterion during channel bypass provided that acceptable reliability of operation can be otherwise demonstrated and bypass time interval is short.
2. "Two-out-of-three" systems are permitted to violate the single failure criterion during channel bypass. WCAP-10271-P-A [Reference 20] has demonstrated that the interval required for test or calibration with a channel in bypass is short and that the probability of failure of the active channels is very low and is acceptable. The surveillance times allowed for test and calibrations are controlled by Technical Specifications.

7.2.1.1.6 Capability for Test and Calibration

With the exception of sensor calibration and the Manual and Reactor Coolant Pump Breakers Open trips, the protection system is designed to permit periodic testing during reactor power operation without initiating a protective action on a systems level unless a trip condition actually exists.

The analog/digital portion of a protective channel provides an analog signal of the reactor or plant parameter. The bistable portion provides trip signals to the logic circuitry when its analog input signal reaches preset values.

Testing is performed at the analog/digital instrumentation cabinets by individually introducing dummy input signals into the instrumentation channels and observing the tripping of the appropriate output bistables.

Output to the logic circuitry is interrupted during individual channel testing by a test switch which, when thrown, either de-energizes the associated logic input or, if bypassing is used, maintains the logic input and inserts a proving lamp in the bistable output. When bypassing is not used, testing will result in loss of power of the bistable output to the logic circuitry, which will cause that portion of the logic to be actuated (partial trip), accompanied by a partial trip alarm and channel status light actuation in the control room. If the channel is put into bypass, an indication continuously shows that bypass capability is armed for the channel put in bypass.
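Added illustration (not part of the UFSAR and not plant software): a small Python model of the coincidence logic discussed in 7.2.1.1 through 7.2.1.1.6, checking the single failure criterion for one-out-of-two, two-out-of-three and two-out-of-four arrangements with one channel in service, in bypass, or tripped for test. The two failure modes (a channel stuck untripped or stuck tripped), the treatment of a bypassed channel as a held untripped input, and all function names are assumptions of this sketch.

```python
"""Single-failure check for m-out-of-n coincidence trip logic (added illustration)."""

# Service states of one protection channel as seen by the logic matrix.
OK = "in_service"
BYPASSED = "bypassed"          # test with bypass: logic input held untripped (model assumption)
TEST_TRIPPED = "test_tripped"  # test without bypass: logic input de-energized, i.e. partial trip

# Assumed single-failure modes of an in-service channel.
STUCK_UNTRIPPED = "stuck_untripped"  # fails to trip on a real demand
STUCK_TRIPPED = "stuck_tripped"      # trips with no demand


def logic_inputs(demand, states, failure=None):
    """Return the tripped/untripped input each channel presents to the logic.

    demand  -- True when the monitored variable really is past its setpoint
    states  -- list of OK / BYPASSED / TEST_TRIPPED, one per channel
    failure -- None, or (channel_index, failure_mode) for one failed channel
    """
    inputs = []
    for index, state in enumerate(states):
        if state == BYPASSED:
            inputs.append(False)
        elif state == TEST_TRIPPED:
            inputs.append(True)
        elif failure is not None and failure[0] == index:
            inputs.append(failure[1] == STUCK_TRIPPED)
        else:
            inputs.append(demand)
    return inputs


def trips(m, inputs):
    """m-out-of-n coincidence: actuate when at least m inputs are tripped."""
    return sum(inputs) >= m


def evaluate(m, states):
    """Check one arrangement against every single failure of an in-service channel.

    protects    -- a real demand still trips despite any one stuck-untripped channel
    no_spurious -- no trip occurs without demand despite any one stuck-tripped channel
    """
    active = [i for i, state in enumerate(states) if state == OK]
    protects = all(
        trips(m, logic_inputs(True, states, failure))
        for failure in [None] + [(i, STUCK_UNTRIPPED) for i in active]
    )
    no_spurious = all(
        not trips(m, logic_inputs(False, states, failure))
        for failure in [None] + [(i, STUCK_TRIPPED) for i in active]
    )
    return {"protects": protects, "no_spurious": no_spurious}


def survey():
    """Evaluate 1oo2, 2oo3 and 2oo4 with channel 0 in each service state."""
    results = {}
    for m, n in [(1, 2), (2, 3), (2, 4)]:
        for first in (OK, BYPASSED, TEST_TRIPPED):
            states = [first] + [OK] * (n - 1)
            results[(f"{m}oo{n}", first)] = evaluate(m, states)
    return results


if __name__ == "__main__":
    for (logic, state), outcome in survey().items():
        print(f"{logic:5} channel 0 {state:13} "
              f"protects={outcome['protects']!s:5} no_spurious={outcome['no_spurious']}")
```

In this model the two-out-of-three and two-out-of-four arrangements with all channels in service tolerate either failure mode, while a bypassed channel leaves one-out-of-two and two-out-of-three unable to trip after one stuck-untripped failure, which is the case the EXCEPTION items in 7.2.1.1.5 address.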

The operability of the process sensors is ascertained by comparison with redundant channels monitoring the same process.

The design provides for administrative control for the purpose of manually bypassing channels for test and calibrating purposes if required.

The design provides for administrative control of access to all trip settings, module calibration adjustments, test points and signal injection points.

7.2.1.1.7 Information Readout and Indication of Bypass

The protective system provides the operator with complete information pertinent to system status and safety.

Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

Trips are indicated and identified down to the channel level.

7.2.1.1.8 Vital Protective Functions and Functional Requirements

The Reactor Protection System in conjunction with inherent plant characteristics is designed to prevent anticipated abnormal conditions from exceeding limits established in Chapters 3 and 4.

7.2.1.1.9 Completion of Protective Action (Interlock)

A listing of the operating bypasses is included in Table 7.2-2. Where operating requirements necessitate automatic bypass of a protective function, the design is such that the bypass is automatically removed whenever the permissive conditions listed in the "Derivation" column of Table 7.2-2 are not met. These bypasses are considered to be part of the protection system and are designed in accordance with the intent of the requirements of IEEE-279, as shown on the AEP 99000 series functional diagrams (provided as general reference) listed on Table 7.2-5.

The protective systems are so designed that, once initiated, a protective action goes to completion.

Return to normal operation requires action by the operator.

7.2.1.1.10 Multiple Trip Settings

For monitoring nuclear flux, multiple trip settings are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the Protective System as designed provides positive assurance that the more restrictive trip setting is used. The devices used to prevent improper use of less restrictive trip settings are considered a part of the protective system and are designed in accordance with the criteria presented in this section.

7.2.1.1.11 Protective Actions

The Reactor Protection System automatically trips the reactor as stated under Protection Systems.

Trip limits for these conditions were established during the final design and included in the current Technical Specifications.

For anticipated abnormal conditions, protective systems, in conjunction with inherent characteristics and engineered safeguards, are designed to assure that limits for energy release to the containment and for radiation exposure (per Regulatory Guide 1.183 and 10 CFR 50.67) are not exceeded.

7.2.1.1.12 Indication

All transmitted signals (flow, pressure, temperature, etc.) which can lead to a reactor trip are either indicated or recorded for every channel.

All nuclear flux power range currents (top detector, bottom detector, algebraic difference between and average of bottom and top detectors) are indicated and/or recorded.

7.2.1.1.13 Alarms and Annunciators

Alarms and annunciators are also used to alert the operator of deviation from normal operating conditions so that he may take corrective action to avoid a reactor trip. Further, actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.

Alarms and/or annunciators also alert the operator when a protection channel is placed in the test condition.

7.2.1.1.14 Operating Environment

The protective channels are designed to perform their functions when subjected to adverse environmental conditions. See Section 7.5 for those portions of the protective systems that must operate in a post-accident environment.

7.2.1.1.15 Seismic Performance

For either earthquake (operational or design basis) the required equipment is designed to assure that it does not lose its capability to perform its function; i.e., shut the reactor down and maintain it in a safe shutdown condition.

Typical protection system equipment is subjected to type tests under simulated seismic accelerations to demonstrate its ability to perform its functions.

Type testing has been done on equipment using conservatively large accelerations and applicable frequencies. Analyses such as are done for structures are not done for the Reactor Protection System equipment. However, the peak accelerations and frequencies used are checked against those derived by structural analyses of operational and design bases earthquake loadings.

Westinghouse topical reports, References 8, 9, and 10, provide typical seismic evaluation of safety related equipment. The type tests covered by this report are applicable to this plant.

The control board is not considered to be protection equipment. Typical switches for safeguards components have been tested to determine their ability to withstand seismic forces without malfunction which would defeat automatic operation of the required component.

The control boards are stiff and past experience indicates that the amplification due to the board structure is sufficiently low such that the acceleration seen by the device is considerably less than that which was shown the device would withstand in testing.

7.2.2 System Design

7.2.2.1 Reactor Protection System Description

The core thermal limits and the maximum overtemperature and overpower delta-T (OTΔT and OPΔT) reactor trip points are illustrated by the Overtemperature and Overpower ΔT Protection figures presented in the introductory sections of Chapter 14.1 for each unit. Chapter 14 discusses the relationship between the accident analyses and the reactor protection system in more detail for both units. The actual trip setpoints for the OPΔT and OTΔT reactor trip functions, which are listed in the Technical Specifications, are lower than those assumed in the accident analyses to account for all adverse instrumentation and setpoint errors. The combination of the OPΔT and OTΔT reactor trip functions and the steam generator safety valves provides protection against departure from nucleate boiling (DNB), hot-leg boiling, and fuel centerline melting.

Adequate margins exist between the maximum nominal steady state operating point (which includes allowance for temperature, calorimetric and pressure errors) and required trip points to preclude a spurious trip during design transients.

A block diagram of the reactor protection system showing various reactor trip functions and interlocks is shown in Figure 7.2-2.

The reactor trip system instrumentation channels response times are shown in Table 7.2-6. The response times in Table 7.2-6 represent the acceptance criteria of Technical Specifications SR 3.3.1.19.

The Engineered Safety Feature Actuation System (ESFAS) instrumentation channels response times are shown in Table 7.2-7. The response times in Table 7.2-7 represent the acceptance criteria of Technical Specification Surveillance Requirement (SR) 3.3.2.12.

7.2.2.2 System Safety Features

7.2.2.2.1 Separation of Redundant Channels

The Reactor Protection System is designed to achieve separation between redundant protection channels. The channel design is applied to the analog/digital and the logic portions of the protection system. See Reference 4 for details on separation. The digital portions of channels meet the requirements of IEEE 7-4.3.2.

Separation of redundant analog channels originates at the process sensors and continues along the wiring route and through containment penetrations to the protection racks. Isolation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Analog/Digital equipment is separated by locating redundant components in different protection racks. Each redundant channel set is energized from a separate a-c power feed.

The two redundant reactor trip logic channels are physically separated and electrically isolated from one another. The Reactor Protection System is comprised of identifiable channels, which are physically, electrically and functionally separated and isolated from one another. For additional information on this topic, see References 4 and 11 through 14.

7.2.2.2.2 Design Basis for Critical Circuits

The cable systems were designed and installed to meet the single failure criterion of IEEE 279 such that no single failure or event affecting the cable systems can prevent the operation of the required functions of the reactor protection system and the engineered safety feature system; including the Class IE Electrical Systems as defined in the Proposed Criteria for Class IE Electrical Systems for Nuclear Power Generating Stations (IEEE 308).

Credible events include, but are not limited to, the effects of short circuits, pipe rupture, missiles, etc. Such electrical separation as is required for protection against plant design basis events is included in the basic plant design.

7.2.2.2.2.1 General

1. Cables of redundant or back-up circuits shall be run in separate conduits, cable trays, ducts, penetrations, etc.
2. Where it is impractical for reasons of terminal equipment arrangement to provide separate wireways, cables of redundant or back-up circuits will be isolated by physical barriers or be in separate metallic conduits.


3. The minimum horizontal separation between cable trays of opposite train is three (3) feet. This separation distance shall be followed to the maximum extent practicable. Where this is not practical an analysis can be performed (for non-hazard and limited-hazard areas) to demonstrate adequate independence of electrical circuits with lesser separation distances. The analysis must be based on industry or CNP specific test results. In lieu of analysis a fire barrier between the trays is required. The minimum separation of the trays with the fire barrier installed is one (1) foot. In the cable vault, the minimum horizontal separation is reduced to one (1) foot without a barrier. Where this is not practical an analysis, as described above, can be performed.

This special consideration is necessitated by the limited area of the vault, which is the same as that of the room above, and by the large number of cables which must converge on and be routed through this area.

The cable vault is used solely for cables and tubing entering the control room - no equipment is located there, nor is there any storage of material.

The vault is isolated from external sources of fire by its seismic Class I concrete walls, floor and ceiling and by fire seals at all penetrations into it.

Access to the vault is controlled.

Extensive fire detection and extinguishing systems are provided.

Parallel runs of cable trays of opposite train are not permitted in a vertical array.

Where trays of opposite train cross each other, a minimum vertical distance of five (5) feet must be maintained. This separation distance shall be followed to the maximum extent practicable. Where this is not practical an analysis can be performed (for non-hazard and limited-hazard areas) to demonstrate adequate independence of electrical circuits with lesser separation distances. The analysis must be based on industry or CNP specific test results. In lieu of analysis a fire barrier on the bottom and sides of the upper tray is required. The minimum separation of the trays with the fire barriers installed is one (1) foot.

4. Cables are segregated in tray systems on the following basis:
a. 4.16 kv power cables are run in their own trays.
b. Power cables of 600 volts or less are run in their own trays.


c. Control cables are run in their own trays.
d. Instrument cables are run in their own trays.
5. Cable troughs (trays) have splice plates marked with the color assigned to the channel or train of the cables running in the troughs. These colored splice plates appear at least every ten feet along the trough. The section number of the cable trough also appears as a label on the side of the trough except for troughs in containment. In containment, the labels are not required on troughs due to potential debris impact on the containment recirculation sump strainer.
6. In congested areas, such as under or over the control boards, instrument racks, etc., wireways are identified using permanent markings. The purpose of such markings is to facilitate cable routing identification for future modifications or additions.

7. Positive, permanent identification of cables and/or conductors is made at all terminal points.

Cables are tagged with a metallic tag at each end and at any junction points in between. The tag has the cable number stamped in it, which includes a suffix letter denoting the train or channel color designation. Often these cables have the channel or train color applied in the form of stripes painted at regular intervals along the length of the cable during the installation process.

7.2.2.2.2.2 Specific Systems

1. Reactor Protection System
a. Separate routing is maintained for the four basic protection channel analog/digital sensing signals, bistable output signals and power supplies for such systems.
b. Separate routing of the two reactor trip trains (logic matrix outputs) is maintained and in addition, they shall be separated from the four analog/digital protection channel sets.
2. Engineered Safeguards System
a. Separate routing is provided for the four basic safeguards analog/digital sensing signals, bistable output signals and power supplies for such systems.


b. Separate routing is also provided for the automatic actuation, control and power circuits to retain the redundancy of the two "train" concept provided in the system design and power supplies.
3. Shutdown System - Separate routing of the power and control cables of redundant components of the boric acid injection capabilities is provided.
4. Residual Heat Removal System - Separate routing of the power and control cables of redundant components of the residual heat removal system is provided.
5. Auxiliary Feedwater System - Separate routing of control and power cables of redundant components of the auxiliary feedwater system is provided.
6. Reactor Protection System Analog/Digital circuits, 7.2.2.2.2.2 item 1.a., and engineered safeguards system analog/digital circuits, 7.2.2.2.2.2 item 2.a., may be routed in the same wireways provided circuits have the same characteristics such as power supply and channel set identity (I, II, III or IV).
7. Power and control conductors for the engineered safeguards systems 7.2.2.2.2.2 item 2.b.; Shutdown Systems, 7.2.2.2.2.2 item 3; Residual Heat Removal System, 7.2.2.2 item 4; and Auxiliary Feedwater System, 7.2.2.2.2.2 item 5, may be routed in the same wireways provided circuits have the same characteristics, such as train or power supply.
8. Balance of plant (non-safety related) cables are allowed to run in the same troughs with reactor protection or engineered safeguards cables provided that once such a cable has been run with one channel or train of reactor protection or engineered safeguards cables, it may not be run with the cables of any other channel or train in any trough, conduit or other raceway. Selected BOP control cables routed in one train of reactor protection or engineered safeguards raceway were terminated to BOP control cables which had been routed in the redundant reactor protection or engineered safeguards raceway. These selected BOP control circuits were determined to be acceptable with respect to the above criteria (Reference 17).

7.2.2.2.2.3 Power Sources

These separation criteria also apply to the power supplies to the separate load centers and buses distributing power to redundant components and to the control of these supplies.

7.2.2.2.2.4 Thermal Loading

Cables in power trays are sized using derating factors listed in IPCEA Publication P46-426, Vol. 1. The spacing of all power cables will be maintained in the trays.

The normal current rating of all insulated conductors is limited to that continuous value which does not cause excessive insulation deterioration from heating.

The ampacities selected have been based on IPCEA Pub. No. P-46-426 for copper and aluminum conductors.

Ratings for conduit installations assume metallic conduit in air at ambient temperatures of 40°C and 50°C. Installations in expanded metal tray assume in air ratings with a derating factor of 0.82 with a maintained spacing of 1/4 to 1 cable diameter. In the case of cable sizes 1000 MCM and larger, only three cables per tray are installed in which case a derating factor of 0.87 is applied to the in-air rating. Only one layer of power cable is allowed in a cable tray.

The addition of Thermal-lag or Mecatiss fire wrap material requires additional derating of power cable ampacities. Ampacity derating calculations are prepared to verify that conductor current ratings of fire wrapped cables do not result in conductor temperatures which cause excessive insulation deterioration from heating.

Control cables are applied in circuits using pilot devices where the current required by the circuit is very small compared to the thermal rating of the conductor.

The above tray thermal loading criteria are followed to the extent practicable. The above thermal loading limits can only be exceeded if it can be shown by analysis of the critical attributes that the cables are not adversely affected.

7.2.2.2.2.5 Physical Loading

To minimize insulation and jacket damage due to the weight of upper cables pressing on lower ones in trays, the maximum number of control cables by design in a tray is limited.

The cable tray loading limit is based on occupancy of 40% of the cross-sectional area of the control or instrument cable tray with cable. The outside diameter of the cable including sheaths is used in determining the area of the cable.

Control and instrument cable insulation systems are selected on the basis of adequate electrical and physical properties such that the cables will not be damaged by compacting. The control and instrument cable trays are six inches deep and cable weight above cables in the bottom of the tray is not enough to damage the bottom cables.

The above tray physical loading criteria are followed to the extent practicable. The above physical loading limits can only be exceeded if it can be shown by analysis of the critical attributes that the cables are not adversely affected.

7.2.2.2.2.6 Fire Detection

Fire detection and protection is provided in cable spreading rooms, containment penetration areas and other congested areas to detect the start of or conditions that might lead to a fire; and to put out any fires that might occur before they can incapacitate redundant systems.

7.2.2.3 Protective System Independence

The protective system is designed to be independent of the status of the control system, plant data logging computer, indicators, recorders, AMSAC and plant annunciators. However, these systems and monitors derive signals from the protective systems through isolation amplifiers, which are part of the protective systems. The isolation amplifiers prevent perturbation of the protection signal (input) due to disturbances of the isolated signal (output) which could occur near any termination of the output wiring external to the protection and safeguards racks. Detailed discussions of the isolation amplifiers are given in References 1 and 2.

7.2.2.4 Loss of Power

A loss of power in the reactor protection system causes the affected channel to trip (except for containment spray). The bistables operate in a normally energized state and go to a de-energized state to initiate action, with the exception of the containment spray bistables, which must be energized to initiate spray.

7.2.2.5 Reactor Trip Signal Testing

For process variables, provisions are made to manually place the output of the bistable either in a tripped condition or, in some cases, in bypass, if required, for "at power" testing. When a channel is taken out of service for repair or testing, the channel will be placed in a trip or bypass mode except for NIS channels. Loss of power of the bistable output to the logic circuitry will cause that portion of the logic to be actuated (partial trip) accompanied by a partial trip alarm and channel status light actuation in the control room. If the channel is put into bypass, an indication continuously shows that bypass capability is armed for the channel put in bypass.

In the nuclear instrument source and intermediate range channels where the trip logic is 1/2 for each range, bypasses are provided. However, normal surveillance trip signal testing is not done when the reactor is at power.

Nuclear instrument power range channels are generally tested by superimposing a test signal on the sensor signal or tripping the channel so that the reactor trip protection is not bypassed. Based upon coincident logic (2/4) this will not trip the reactor; however, a trip will occur if a reactor trip is required. See Power Range testing section for more details.

Containment spray actuation channels are tested by bypassing or negating the channel under test.

This is acceptable, since there are 4 channels and the two-out-of-four trip logic reduces to two-out-of-three during the test. Audible and visual annunciation is actuated if an attempt is made to place more than one channel in test at a time [2 rack doors open]. See Chapter 7.5 for more details on Containment Spray initiation.

Provision is made for the insertion of test signals in each analog/digital loop. Verification of the test signal is made by portable instruments at test points specifically provided for this purpose.

This enables testing which is described in the following paragraphs.

7.2.2.6 Reactor Protection System Testing

7.2.2.6.1 Process Analog/Digital Protection Channel Testing

Each protection process instrument channel can be tested while the plant is operating and on-line.

Inaccessible transmitters and sensors are checked by channel checks. The sequential procedure for testing the remainder of the logic is given as follows with an explanation of the features provided and events that occur. The following discussion assumes a normal state for the equipment being tested, that is, a trip condition does not already exist on the bistable being tested.

The test technician receives approval to enter the racks associated with the channel to be tested.

As he opens the rack doors a status light on the main control board lights and the operator can confirm that the expected protection set has been entered. If the doors of two protection sets are opened, the operator will be alerted by an alarm.

The technician positions each bistable test switch associated with the analog/digital circuit to be tested into the test position.

This results in trip signals to the logic circuitry as if the process parameters had exceeded their set points or, if the channel bypass switch is armed, the output will appear normal. Either way, the plant will not trip unless the other protection sets' channels sense valid trip level signals. The plant thus remains "safe" during test. As the output of each bistable is placed into the test position, the associated alarm occurs on the control board unless the bypass circuit is armed, in which case a continuous indication of the bypass mode is provided in the control room.

The logic input relay and alarm circuitry are only tested when trip signals are allowed to go to the logic circuitry. So testing without channel bypass (most likely during an outage) will be performed at some interval.

A test lamp is permanently mounted in the rack and connected through each test switch to the output of the bistable in place of the input logic relay. This serves to inform the technician of the bistable's status when he checks its set point.

The technician opens the test panel cover to expose the test signal injection points and their associated switches. A status light on the main control board illuminates at this point in the procedure thus alerting the operator that his indicators for that protection set may reflect a test input rather than the actual process.

The technician connects his test input to the instrument loop in place of the field device via the provided test switch.

An additional contact on the test switch, in combination with alarm contacts of the bistable trip switches will actuate an alarm in the event that one or more of the bistable outputs associated with the analog circuit under test has not been placed into the test position.

With access now gained into the instrument loop, associated bistable set points, bias adjustments and the various dynamic settings can be checked and if necessary readjusted.

After completion of his tests, the technician removes his test input leads from the test jacks and returns the test switch to normal. The technician closes the test panel cover and the PROT Ch X CHANNEL ON TEST status light extinguishes. The operator is now alerted that his indicators read actual process values.

The action of closing the test panel cover, which cannot be closed unless the test signal plugs are removed, will mechanically return the test switches to their normal position. Closing this cover does not, however, transfer the bistable trip switches, so the technician must return them to their normal position. The operator can verify this as the alarms associated with each of the bistables clear.

Closing the rack doors extinguishes the "Rack Open" status light and indicates that the channel has been returned to normal operation.

Precision test points are provided in each instrument current loop and are available for checking loop current at any time regardless of whether or not the channel is "on test." Access to the test points is gained by opening the rack door. The "Rack Open" status lights and alarm for more than one protection set open remain effective.

In summary, analog channel test is accomplished by simulating a process measurement signal, varying the simulated signal over its signal span and verifying the association of bistable set points.

Test jacks are provided in the test panel for injection of the simulated process signal into each process analog protection channel. Test points are provided in the channel to facilitate an independent means for precision measurement and correlation of the test signal.

7.2.3 Nuclear Instrumentation Channel Testing

7.2.3.1 Source Range

The preamplifier assembly in the source range has internal provisions for generating self-test frequencies in counts per second. These test oscillator circuits are energized by a switch located on the associated source range drawer.

A test-calibrate module is included in each source range drawer for self-check of that particular channel. A multi-position switch on the source range front panel controls this module and also the operation of the built-in oscillator circuits in the preamplifier. The module is capable of injecting test signals in counts per second at the input to the pulse-amplifier, or a variable dc voltage corresponding to counts per second at the input to the log amplifier. An electrical interlock between the trip-bypass switch and the test calibrate switch will prevent inadvertent actuation of the reactor trip circuits, (i.e., the channel cannot be put in the test mode unless the trip is blocked).

The trip-bypass is annunciated on the source-range drawer and on the main control board per the proposed IEEE 279 Standard, Section 4.13. Status lights indicate which channel is bypassed.

Operation of the test-calibrate module is annunciated on the control board as "NIS Channel Test."

This common annunciator for all NIS channels is alarmed when any channel is placed in the test position and will alert the operator that a test is being performed at the NIS racks.

7.2.3.2 Intermediate Range

Administrative testing of each intermediate range channel is provided by a built-in test-calibrate module which injects a test signal at the input to the log amplifier. The signal is controlled by a multi-position switch on the front of each intermediate range drawer, which selects a pre-set value.

The signal may be adjusted about the selected pre-set value using another control dial.

As in source range testing, the test switch on the intermediate range must be operated in coincidence with a trip-bypass switch on the drawer. An electrical interlock between these switches prevents injection of a test signal until the trip-bypass is in operation. Removal of the trip-bypass also removes the test signal.

7.2.3.3 Power Range

For surveillance, the test-calibrate module which is provided on each power range is capable of injecting test signals at the inputs of the channel. In all cases, the test signals may be superimposed on the normal signal.

A test switch is provided to require deliberate operator action to perform testing of the power range channel. The power range bistables affected during channel test do not require bypasses since they operate in two-of-four logic or do not cause a reactor trip. The associated Delta T-Tavg Protection Channel bistables are placed into the test mode. Individually adjustable test signals can be injected independently or simultaneously at the input of either ammeter-shunt assembly to appear as the individual ion chamber currents. The test signals are continuously adjustable by means of two front panel mounted controls with calibrated dials. Operation of the test switch on any power range will cause the "Channel Test" annunciator to be alarmed on the main control board.

For calibration, the test-calibrate module, which is provided on each power range, is capable of injecting test signals at the inputs of the channel. During calibration, the detector is typically disconnected and the channel put into the tripped condition. To accommodate complete testing of a channel, the channel may be taken out of the tripped condition while the detector is disconnected, which results in the trip logic converting to a two-out-of-three logic. However, the time allowed for a channel to be in a non-tripped condition with the detector disconnected is limited by Technical Specifications.

A test switch is provided to require deliberate operator action to perform testing of the power range channel. The associated Delta T-Tavg Protection Channel bistables are placed into the test mode.

Individually adjustable test signals can be injected independently or simultaneously at the input of either ammeter-shunt assembly to appear as the individual ion chamber currents. The test signals are continuously adjustable by means of two front panel mounted controls with calibrated dials.

Operation of the test switch on any power range will cause the "Channel Test" annunciator to be alarmed on the main control board.

Operation of the relay is verified by a control board annunciator and trip status lights.

7.2.3.4 Logic Protection System Testing

Testing of the logic protection system includes a check of the input relays and a logic matrix check.

The following sequence is used to test the system:

1. Check of Input Relays

During testing of the process instrumentation system and nuclear instrumentation system bistables, when a channel bistable is placed in trip and it is not in bypass, it will cause one input relay in train A and one in train B to de-energize. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. The contact that creates the reactor trip also causes a status lamp and an annunciator on the control board to operate. Either the train A or train B input relay operation will light the status lamp and annunciator.

Each train contains a multi-plexing test switch. At the start of a process or nuclear instrumentation system test, this switch (in either train) is placed in the A + B position. The A + B position alternately allows information to be transmitted from the two trains to the control board. A continuous status lamp and annunciator indicates that input relays in both trains have been de-energized. A flashing lamp indicates that the input relays in the two trains did not both de-energize. Contact inputs to the logic protection system such as reactor coolant pump bus under-frequency relays operate input relays which are tested by operating the remote contacts and using the same type of indications as those provided for bistable input relays.

Actuation of the input relays provides the overlap between the logic protection system and those systems supplying the inputs to the logic protection system. Test indications are status lamps and annunciators on the control board. Inputs to the logic protection system are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor when 2/4 channels trip becomes a 1/3 trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.

2. Check of Logic Matrices

Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train.

Details of semi-automatic tester operation are given in WCAP-7488-L, Solid State Logic Protection System Description (Reference 16), and WCAP-17867-P-A, Westinghouse SSPS Board Replacement Licensing Summary Report (Reference 22).

The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non-trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. This connection provides the overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage coil to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.

Manual input testing is an available option for testing the coincident logic.

Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester to indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.
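The two checks described above can be modelled in a few lines. The following is an added example, not code from the plant or from the referenced WCAP documents: it enumerates every trip and non-trip combination for a coincidence function, as the logic matrix check does, and confirms that holding one channel in trip turns 2/4 into 1/3. The function names and the `stuck_open` input fault are assumptions made for illustration.

```python
"""Model of m-out-of-n coincidence voting and an exhaustive logic check."""
from itertools import product


def make_logic(required, stuck_open=None):
    """Return the voting function of one logic train.

    `stuck_open` is a constructed fault: the index of an input that never
    registers a trip, standing in for a defective logic-card input.
    """
    def logic(inputs):
        seen = [tripped and i != stuck_open
                for i, tripped in enumerate(inputs)]
        return sum(seen) >= required
    return logic


def exhaustive_matrix_check(logic, required, total):
    """Apply every trip/non-trip combination to `logic`.

    Returns the combinations answered wrongly; an empty list corresponds
    to a good logic matrix test.
    """
    failures = []
    for combo in product((False, True), repeat=total):
        expected = sum(combo) >= required
        if logic(combo) != expected:
            failures.append(combo)
    return failures


def reduced_coincidence(required, total, channels_in_trip):
    """Coincidence left for the in-service channels when some channels
    are held in trip for test, e.g. 2/4 with one in trip gives 1/3."""
    return max(required - channels_in_trip, 0), total - channels_in_trip


def forced_trip_equals_reduced(required, total, channels_in_trip):
    """Check by enumeration that holding channels in trip behaves exactly
    like the reduced m/n logic applied to the remaining channels."""
    logic = make_logic(required)
    m, n = reduced_coincidence(required, total, channels_in_trip)
    for rest in product((False, True), repeat=n):
        full = (True,) * channels_in_trip + rest
        if logic(full) != (sum(rest) >= m):
            return False
    return True


if __name__ == "__main__":
    print("healthy 2/4 failures:",
          exhaustive_matrix_check(make_logic(2), 2, 4))
    print("stuck input 0 failures:",
          exhaustive_matrix_check(make_logic(2, stuck_open=0), 2, 4))
    print("2/4 with one channel in trip ->", reduced_coincidence(2, 4, 1))
    print("equivalent:", forced_trip_equals_reduced(2, 4, 1))
```

The faulty input is only exposed by combinations in which it is one of exactly two tripped channels, which is why checking a single trip combination would not be a sufficient test.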

7.2.3.5 Reactor Trip Breaker Testing

Normally, reactor trip breakers 52/RTA and 52/RTB are in-service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers. The reactor trip bypass breaker is racked in and closed to ensure a reactor trip will not occur. The following procedure describes the method used for testing the trip breakers:

a. With bypass breaker 52/BYA racked out, manually close and trip it to verify its operation.
b. Rack in and close 52/BYA. Manually trip 52/RTA through a Protection System Logic Matrix.
c. Reset 52/RTA.
d. Trip and rack out 52/BYA.
e. Repeat above steps to test trip breaker 52/RTB using bypass breaker 52/BYB.

An annunciator is provided in the control room to indicate when a breaker is bypassed.

Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip.

The train A and train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate an annunciator in the control room. The bypassing of a protection train with either the bypass breaker or with the test switch will result in audible and visual indications.

7.2.3.6 Response Time Testing

Tests that provide assurance that response times for various reactor trip parameters are within acceptable limits can be performed during shutdown. System design does not permit such testing during normal operation.

7.2.3.7 Primary Power Source

The primary power sources for the reactor protection system are described in Chapter 8. The source of electrical power for the measuring elements and the actuation of circuits in the engineered safety features instrumentation is also from these buses.

7.2.3.8 Protective Actions

7.2.3.8.1 Reactor Trip Description

Rapid reactivity shutdown is provided by the insertion of full-length rods by free fall. Duplicate series-connected circuit breakers supply all power to the full-length control rod drive mechanisms.

The full-length rods must be energized to remain withdrawn from the core.

Automatic reactor trip occurs upon loss of power to the full-length control rods. The trip breakers are opened by de-energizing the undervoltage trip coils of both breakers. A contact of an auxiliary relay, connected in parallel with the undervoltage coils, activates the shunt trip coils at the same time to provide a redundant trip actuation. The undervoltage coils and auxiliary relays, which are normally energized, become de-energized by any one of the several trip signals.

The functional diagrams for reactor protection and control may be found in the 99000 Series function diagrams (provided as general reference).

7.2.3.8.2 Manual Trip

The manual actuating devices are independent of the automatic trip circuitry, and are not subject to failures that make the automatic circuitry inoperable. Actuating either of two manual trip switches located in the control room initiates a reactor trip and a turbine trip.

7.2.3.8.3 High Neutron Flux (Power Range) Trip

This circuit trips the reactor when two out of the four power range channels read above the trip set-point. There are two independent trip ranges, a high and a low range set-point. The high range trip provides protection during normal power operation. The low range trip, which provides protection during start-up, can be manually bypassed when two out of the four power range channels read above P-10. (See Table 7.2-2 for a definition of P's and C's.) Three-out-of-the-four channels below this value automatically re-arms the trip function. The high setting is always active.

7.2.3.8.4 High Positive Neutron Flux Rate (Power Range) Trip

This circuit trips the reactor when an abnormal rate of increase in nuclear power occurs in two-out-of-four power range channels. This trip provides protection against rod ejection accidents and is always active.

7.2.3.8.5 High Neutron Flux (Intermediate Range) Trip

This circuit trips the reactor when one out of the two intermediate range channels reads above the trip set point. This trip, which provides protection during reactor start-up, can be manually bypassed if two-out-of-four power range channels are above P-10. Three-out-of-four channels below this value automatically re-arms the trip function. The intermediate range channels (including detectors) are separate from the power range channels.

7.2.3.8.6 High Neutron Flux (Source Range) Trip

The circuit trips the reactor when one of the two source range channels reads above the trip set point. This trip, which provides protection during reactor start-up, can be manually bypassed when one of two intermediate range channels reads above the P-6 set-point value and is automatically re-armed when both intermediate range channels decrease below this value (P-6). This trip is automatically bypassed by two-out-of-four high power range signals above P-10. The trip function can also be manually re-armed below P-10. The trip point is set between the source range cutoff power level and the maximum source range power level.

7.2.3.8.7 Overtemperature ΔT Trip

The purpose of this trip is to protect the core against DNB. This trips the reactor on coincidence of two-out-of-the-four signals, with one set of temperature measurements per loop. The set-point for this reactor trip is continuously calculated for each loop by solving the following equation:

$$\text{Overtemperature } \Delta T \le \Delta T_o \left[ K_1 - K_2 \left( \frac{1 + \tau_1 S}{1 + \tau_2 S} \right) (T - T') + K_3 (P - P') - f_1(\Delta I) \right]$$

Where:

ΔTo = Indicated ΔT at rated thermal power

T = Average Temperature (Tavg)

T' = Indicated Tavg at rated thermal power

P = Pressurizer pressure

P' = Indicated RCS nominal operating pressure

K1 = Set point bias

K2, K3 = Constants based on the effect of temperature and pressure on the DNB limits - (1/°F, 1/psig)

τ1, τ2 = Lead-lag time constants - (sec.)

S = Laplace transform operator.

(1 + τ1S)/(1 + τ2S) = The function generated by the lead-lag controller for Tavg for dynamic compensation

f1(ΔI) = A function of the indicated difference between top and bottom detectors of the power-range nuclear ion chambers; with gains selected based on measured instrument response during plant startup tests. See Figure 7.2-9.

The four long ion chamber units separately feed each overtemperature ΔT trip channel. Thus, a single failure neither defeats the function nor causes a spurious trip. Changes in f1(ΔI) can only lead to a decrease in trip setpoint.

Initiation of automatic turbine load runback by means of an overtemperature ΔT signal is discussed later.
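The effect of the lead-lag term on the overtemperature ΔT setpoint is easiest to see in discrete time. The following is an added example, not the plant's implementation: it assumes the setpoint form ΔTo[K1 − K2·(lead-lag)(T − T') + K3(P − P') − f1(ΔI)] and a backward-Euler discretisation of the lead-lag function. Every constant, the shape of `f1_penalty`, and all names are constructed for illustration and are not D. C. Cook values.

```python
"""Discrete-time sketch of an overtemperature delta-T setpoint channel."""


class LeadLag:
    """Backward-Euler form of (1 + tau_lead*S) / (1 + tau_lag*S)."""

    def __init__(self, tau_lead, tau_lag, step_s, initial=0.0):
        self.tau_lead, self.tau_lag, self.step_s = tau_lead, tau_lag, step_s
        self.prev_in = initial
        self.prev_out = initial  # unity DC gain: start at steady state

    def step(self, u):
        out = (self.tau_lag * self.prev_out
               + (self.tau_lead + self.step_s) * u
               - self.tau_lead * self.prev_in) / (self.tau_lag + self.step_s)
        self.prev_in, self.prev_out = u, out
        return out


def f1_penalty(delta_i, low=-15.0, high=5.0, gain=0.02):
    """Constructed f1(delta-I): zero inside a band, linear outside it.

    It is never negative, so it can only lower the setpoint.
    """
    if delta_i > high:
        return gain * (delta_i - high)
    if delta_i < low:
        return gain * (low - delta_i)
    return 0.0


class OvertemperatureChannel:
    """One loop's setpoint calculation; all defaults are constructed."""

    def __init__(self, step_s=0.1, delta_t0=60.0, t_ref=570.0, p_ref=2235.0,
                 k1=1.2, k2=0.02, k3=0.001, tau1=30.0, tau2=4.0):
        self.delta_t0, self.t_ref, self.p_ref = delta_t0, t_ref, p_ref
        self.k1, self.k2, self.k3 = k1, k2, k3
        self.lead_lag = LeadLag(tau1, tau2, step_s)

    def setpoint(self, t_avg, pressure, delta_i):
        """Advance one sample and return the trip setpoint in deg F."""
        compensated = self.lead_lag.step(t_avg - self.t_ref)
        return self.delta_t0 * (self.k1
                                - self.k2 * compensated
                                + self.k3 * (pressure - self.p_ref)
                                - f1_penalty(delta_i))

    def tripped(self, measured_delta_t, t_avg, pressure, delta_i):
        """Channel bistable: trip when measured delta-T reaches setpoint."""
        return measured_delta_t >= self.setpoint(t_avg, pressure, delta_i)


def step_response(t_avg, samples, pressure=2235.0, delta_i=0.0):
    """Setpoint history after Tavg steps from the reference to `t_avg`."""
    channel = OvertemperatureChannel()
    channel.setpoint(channel.t_ref, pressure, delta_i)  # settle at reference
    return [channel.setpoint(t_avg, pressure, delta_i)
            for _ in range(samples)]


if __name__ == "__main__":
    history = step_response(572.0, 5000)
    print("first sample after step: %.2f F" % history[0])
    print("settled setpoint:        %.2f F" % history[-1])
```

With a lead time constant larger than the lag, a rising Tavg pulls the setpoint down by more than its eventual steady-state reduction, so the channel trips earlier during a temperature ramp than a static calculation would.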

7.2.3.8.8 Overpower ΔT Trip

The purpose of this trip is to protect against excessive power (fuel rod rating protection). This trips the reactor on coincidence of two out of the four signals, with one set of temperature measurements per loop.

The set point for this reactor trip is continuously calculated for each channel by solving equations of the form:

$$\text{Overpower } \Delta T \le \Delta T_o \left[ K_4 - K_5 \left( \frac{\tau_3 S}{1 + \tau_3 S} \right) T - K_6 (T - T'') - f_2(\Delta I) \right]$$

Where:

ΔTo = Indicated ΔT at rated thermal power

T = Average temperature, °F

T" = Indicated Tavg at RATED THERMAL POWER

K4 = Setpoint bias

K5, K6 = Constants relating the effect of Tavg and its rate of change on the overpower limit.

τ3 = Rate-lag time constant (sec.)

S = Laplace transform operator

τ3S/(1 + τ3S) = The function generated by the rate lag controller for Tavg dynamic compensation

f2(ΔI) = f1(ΔI) as defined for overtemperature ΔT

Initiation of automatic turbine load runback by means of an overpower ΔT signal is discussed below.

7.2.3.8.9 Low Pressurizer Pressure Trip

The purpose of this trip is to protect against excessive core steam voids and to limit the necessary range of protection afforded by the overtemperature ΔT trip. This trips the reactor on coincidence of two out of the four low pressurizer pressure signals. This trip is blocked when three of the four power range channels and two of two turbine first stage pressure channels read approximately 10 percent power (P-7). Each channel is lead-lag compensated.

7.2.3.8.10 High Pressurizer Pressure Trip

The purpose of this trip is to limit the range of required protection from the overtemperature ΔT trip and to protect against Reactor Coolant System overpressure. The reactor is tripped on coincidence of two out of the four high pressurizer pressure signals.

7.2.3.8.11 High Pressurizer Water Level Trip

This trip is provided as a backup to the high pressure trip. The coincidence of two-out-of-three high water level signals trips the reactor. This trip is interlocked with permissive P-7 described in Table 7.2-2.

7.2.3.8.12 Low Reactor Coolant Flow Trip

This trip protects the core from DNB following a loss of flow. The means of sensing loss of flow are described below:

a. Low Primary Coolant Flow Trip

A low loop flow signal is generated by two-out-of-three low flow signals per loop. Above the P-7 set point low flow in any two loops results in a reactor trip. Above the P-8 set point low flow in any loop results in a reactor trip.

b. Reactor Coolant Pump Breaker Position Trip

One open breaker signal is generated for each reactor coolant pump. Above the P-7 setpoint the reactor trips on two open breaker signals.

c. Reactor Coolant Pump Undervoltage and Underfrequency Trips

A bus undervoltage signal is generated by one-out-of-two undervoltage relays per reactor coolant pump bus. Above the P-7 setpoint a reactor coolant pump bus undervoltage signal on 2/4 busses will actuate a reactor trip.

A bus underfrequency signal is generated by one-out-of-two underfrequency relays per reactor coolant pump bus. Above the P-7 setpoint bus underfrequency signals on 2/4 reactor coolant pump busses produce a direct reactor trip.

A time delay is incorporated in both the undervoltage and underfrequency trips to prevent spurious reactor trips from momentary electrical power transients.

All of these low reactor coolant flow reactor trips are blocked below the P-7 setpoint.

7.2.3.8.13 Safety Injection System (SIS) Actuation Trip

A reactor trip occurs when the safety injection system is actuated. The means of actuating the SIS trips are:

a. Low pressurizer pressure signal in 2/3 channels. May be manually blocked below P-11 and is automatically unblocked above P-11.
b. High containment pressure in 2/3 channels.
c. Steam line pressure in one steam line (2/3 channels) low in comparison to the other three steam lines (high steam line pressure differential).
d. Steam line pressure low in two-out-of-four steam lines.
e. Manual actuation from one panel mounted switch per train.

These trips are listed in Table 7.2-1.

7.2.3.8.14 Turbine Generator Trip

A turbine trip is sensed by two-out-of-three signals from low emergency trip fluid pressure. A redundant 4/4 stop valve closed signal will also indicate a turbine trip condition. A turbine trip causes a direct reactor trip above P-8 and results in a controlled short term release of steam to the condenser which removes sensible heat from the reactor coolant system and thereby avoids steam generator safety valve actuation. A turbine trip also causes a generator trip and auxiliary bus transfer.

The turbine control system automatically trips the turbine generator under any of the following conditions:

1. Electrical overspeed trip
2. Independent overspeed trip
3. Low condenser vacuum

4. Thrust bearing failure
5. Reactor trip
6. Loss of stator cooling (low flow, low pressure, or high temp)
7. Safety injection
8. High-high water level in steam generator (1/4 loops)
9. Low lube oil pressure
10. Manual operation of any of several trip levers
11. Low trip header pressure
12. Loss of all speed pickups when the unit is not paralleled
13. Low control fluid pressure
14. Initiation of AMSAC (ATWS Mitigation System Actuation Circuitry): less than 25% flow to 3/4 loops and above 40% reactor power
15. Unit or overall differential
16. Loss of power to Programmable Logic Controller (PLC)
17. All lube oil pressure transmitters fail
18. All control fluid header pressure transmitters fail

7.2.3.8.15 Low Feedwater Flow Trip

This trip protects the reactor from a sudden loss of its heat sink. The trip is actuated by a steam/feedwater flow mismatch (1/2) in coincidence with low water level (1/2) in any steam generator.

7.2.3.8.16 Low-Low Steam Generator Water Level Trip

The purpose of this trip is to prevent a loss of the reactor's heat sink in the case of a sustained steam/feedwater flow mismatch of sufficient magnitude to cause a low feedwater flow reactor trip.

The trip is actuated on two out of the three (2/3) low-low water level signals in any steam generator.

7.2.3.8.17 Rod Stops

Rod stops are provided to prevent abnormal power conditions, which could result from excessive control rod withdrawal, initiated by either a control system malfunction or operator violation of administrative procedures.

The stops are given in Table 7.2-3.

7.2.3.8.18 Automatic Turbine Load Runback

Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. This will prevent high power operation which might lead to an overpower or an overtemperature ΔT trip.

Turbine load reference reduction is initiated by either an overtemperature or overpower ΔT signal in two of four loops.

7.2.3.8.19 Control Bank Rod Insertion Monitor

The purpose of the control bank rod insertion monitor is to give warning to the operator of a decrease in shutdown margin. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased with increasing power. Two parameters which are proportional to power are used as inputs to the insertion monitor. These are the ΔT between the hot leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power. The rod insertion monitor uses these parameters for each control rod bank as follows:

ZLL = K2(ΔT)auct + K1(Tavg)auct + K3

Where:

ZLL = maximum permissible insertion limit for affected control bank

(ΔT)auct = Highest ΔT for all four loops

(Tavg)auct = Highest Tavg of all four loops

K1, K2, K3 = constants chosen to maintain ZLL > actual limit based on physics calculations

The actual control rod bank position (Z) is compared to ZLL as follows:

If Z - ZLL < K4, a low alarm is actuated

If Z - ZLL < K5, a low-low alarm is actuated

Since the highest values of Tavg and ΔT are chosen by the auctioneering unit, a conservatively high representation of power is used in the insertion limit calculation.

With respect to the rod insertion limits in the technical specifications, the rod insertion monitor and its alarms will provide warning to the operators prior to reaching the limits of control bank D, and control bank C (dependent on power level). At full power operation, the rod insertion limits require control Banks A, B, and C to be fully withdrawn; thus, it is impossible to set an alarm to annunciate before the rod insertion limits could be violated. However, the rod insertion monitor's low alarm is set to annunciate upon rod insertion of a few steps into the active fuel region.

Actuation of the low alarm alerts the operator of a potential reduced shutdown reactivity situation.

Administrative procedures require him to add boron following normal procedures with the Chemical and Volume Control System. Actuation of the low-low alarm requires the operator to initiate emergency boration procedures. The value of "K5" is chosen to account for all instrumentation errors so that the low-low alarm would normally be actuated before the insertion limit is reached. The value for "K4" is chosen to allow the operator to follow normal boration procedures. Figure 7.2-3 shows a schematic representation of the control bank rod insertion monitor.

In addition to the rod insertion monitor for the control banks, a computer alarm is provided to warn the operator if any shutdown RCC leaves the full withdrawn position.

7.2.3.8.20 Rod Deviation Alarm

The demand and actual rod position signals are displayed on the rod control panel. They are also monitored by the plant computer which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the bank demand signal by a preset limit. Figure 7.2-4 is a block diagram of the rod deviation comparator and alarm system. The design criterion for this system is that the alarm be actuated before rod deviation, which would allow the core design hot channel factors to be exceeded, with appropriate allowance for instrument error.

7.2.3.8.21 Reactor Coolant Flow Measurement

Elbow taps are used on each of the four loops in the primary coolant system as an instrument device that indicates the status of the reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow rate has occurred. The correlation between flow reduction and elbow tap read out has been well established by the following equation:

=

( )2 o o where Po is the referenced pressure differential with the corresponding referenced flow rate o and P is the pressure differential with the corresponding referenced flow rate .

The full flow reference point was established during initial plant startup. The low flow trip point was then established by extrapolating along the correlation curve. The technique has been well established in providing core protection against low coolant flow in Westinghouse PWR plants.

The expected absolute accuracy of the channel is within +10% and field results have shown the repeatability of the trip point to be within +1%. The analysis of the loss of flow transient presented in Chapter 14 assumes instrumentation error of +3%.

7.2.4 System Evaluation

7.2.4.1 Reactor Protection System and DNB

The following is a description of how the Reactor Protection System prevents DNB.

The plant variables affecting the DNB ratio are:

1. Thermal power
2. Coolant flow
3. Coolant temperature
4. Coolant pressure
5. Core power distribution

The overpower and overtemperature ΔT reactor trips as a function of Tavg and pressure are discussed in Section 14.1 for both units. These trips are derived from the inlet temperature versus power relationships and encompass the endpoints of the range of vessel average temperatures for the potential rerating of Unit 1 at either 2250 psia or 2100 psia.

Variations in both flow and power are monitored by the overpower and overtemperature ΔT trips since a decrease in flow would have the same effect on the measured loop ΔT signal as an increase in power. It is the nature of the DNB limits that a reduction in flow of 10 percent would require a reduction in power of only about 5 percent to maintain the same DNBR, all other variables remaining constant. Thus, the permissible ΔT increases somewhat at a reduced flow. The trip setpoints are therefore set for a maximum flow. A reduction in flow increases the margin between the trip point and the actual core limit. Periodic measurements using the in-core instrumentation system are used to verify that the actual core power distribution is within design limits.

Reactor trips for a fixed high pressurizer pressure and for a fixed low pressurizer pressure are provided to limit the pressure range over which core protection depends on the overpower and overtemperature ΔT trips.

Reactor trips on nuclear overpower and low reactor coolant flow are provided for direct, immediate protection against rapid changes in these parameters. However, for all cases in which the calculated DNBR approaches a minimum, a reactor trip on overpower and/or overtemperature ΔT would also be actuated.

For the anticipated abnormal conditions, it is highly unlikely that the exact combination of conditions (reactor coolant pressure, temperature and core power, instrumentation inaccuracies, etc.) that cause a minimum DNBR will be approached before a reactor trip. The simultaneous loss of power to all of the reactor coolant pumps is the accident condition most likely to approach a minimum DNBR for the calculated worst fuel rod. In any event the DNBR at the worst fuel rod is near the minimum for only a few seconds.

The ΔT trip functions are based on the differences between measured hot leg and cold leg temperatures. These differences are proportional to core power.

The ΔT trip functions are provided with a nuclear differential flux feedback to reflect a measure of axial power distribution. This will assist in preventing an adverse axial distribution, which could lead to exceeding the allowable core conditions.

In the event of a difference between the upper and lower ion chamber signals that exceeds the desired range, automatic feedback signals are provided to reduce the overpower-overtemperature trip setpoints, block full-length rod withdrawal and reduce the load to maintain appropriate operating margins to these trip setpoints.

7.2.4.2 Specific Control and Protection Interactions

7.2.4.2.1 Nuclear Flux

Four power-range nuclear flux channels are provided for overpower protection. Isolated outputs from all four channels are auctioneered and the highest used for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two-out-of-four overpower trip logic will ensure an overpower trip if needed even with an independent failure in another channel.

In addition, the control system will respond only to rapid changes in indicated nuclear flux; slow changes or drifts are compensated for by the temperature control signals. Finally, an overpower signal from any nuclear channel will block automatic rod withdrawal. The set point for this rod stop is below the reactor trip set point.

7.2.4.2.2 Coolant Temperature

One hot leg and one cold leg temperature measurement is made for each reactor coolant loop to provide protection. In addition, by use of isolation amplifiers located in the protection rack, the temperature signals are used for control. The temperature measurements and temperature difference measurements for each loop are used for protection with one channel per loop and 2/4 reactor trip logic. The reactor control system uses the highest of the four isolated temperature signals.

7.2.4.2.3 Unit 1

The individual loop temperature signals required for input to the Reactor Control and Protection System are obtained using thermowell-mounted Resistance Temperature Detectors (RTDs) installed in each reactor coolant loop. One element of each RTD is active, while the other serves as an installed spare. The use of thermowells permits replacement of defective temperature elements without breaching the reactor coolant system pressure boundary.

In the hot leg, the thermowells are located within the scoops that are positioned at approximately 120 degree intervals around the periphery of the hot leg. Each of the scoops, which extend several inches into the hot leg coolant stream, has five inlet holes distributed along their length to provide a representative sampling of the hot leg temperature and one hole in the tip to facilitate the flow of water past the RTD thermowells. The signals from each of the three RTDs are electronically averaged in the reactor protection system to produce a hot leg temperature which is used to calculate both the average temperature (Tavg) and differential temperature (ΔT) for each reactor coolant loop.

Although the cold leg primary coolant flow is mixed by the reactor coolant pumps, temperature gradients have been observed and are accounted for in measurements and related analyses. Each of the cold leg RTDs is located in a penetration nozzle at the discharge of the reactor coolant pump. These RTDs measure the cold leg temperature, which is used to calculate both the average temperature (Tavg) and differential temperature (ΔT) for each reactor coolant loop.

The main requirement for reactor protection is that the temperature difference between the hot leg and cold leg vary linearly with power.

All ΔT setpoints are in terms of the full power ΔT which is remeasured at the beginning of each cycle; thus, absolute ΔT measurements are not required. Linearity of ΔT with power has been verified during Startup Tests.

Reactor Protection logic using reactor coolant loop temperatures is 2/4 with one channel per reactor coolant loop. This complies with all applicable IEEE 279 criteria.

Reactor control is based upon signals derived from protection system channels after isolation by isolation amplifiers such that no feedback effect can perturb the protection channels.

Since control is based on the highest average temperature from the four loops, the control rod movements are always based upon the most pessimistic temperature measurement with respect to margins to DNB.

A spurious low average temperature measurement from any loop temperature control channel will cause no control action. A spurious high average temperature measurement will cause rod insertion (safe direction).

In addition, channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Automatic rod withdrawal blocks will also occur if any one of four nuclear channels indicates an overpower condition or if any two of four temperature channels indicate an overtemperature or overpower condition. Two-out-of-four (2/4) trip logic is used to ensure that an overtemperature or overpower ΔT trip will occur if needed even with an independent failure in another channel. Finally, as shown in Sub-Chapter 14.1, the combination of trips on nuclear overpower, high pressurizer water level and high pressurizer pressure also serve to limit an excursion for any rate of reactivity insertion.

7.2.4.2.4 Pressurizer Pressure

The four pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function (See Figure 7.2-5).

Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters and power operated relief valves.

A spurious high pressure signal from one channel can cause low pressure by actuation of spray.

Additional redundancy is provided in the protection system to ensure low pressure protection, i.e., two-out-of-four low pressure reactor trip logic and two-out-of-three for safety injection.

The pressurizer heaters are incapable of overpressurizing the Reactor Coolant System. Maximum steam generation rate with heaters is about 15,000 lb./hr., compared with a total capacity of 1,260,000 lb./hr. for the three safety valves and a total capacity of 420,000 lb./hr. for two power-operated relief valves. (The third PORV is considered an installed spare). Therefore, overpressure protection is not required for a pressure control failure; however, two-out-of-four high pressure trip logic is used.

In addition, any one of the three relief valves can maintain pressure below the high pressure trip point for most transients. The relief valves are controlled in two sets by two independent pressure channels, one of which is independent of the pressure channel used for heater control. Finally, the rate of pressure rise achievable with heaters is slow and ample time and pressure alarms are available for operator action.

The pressurizer power operated relief valves can be interlocked with Reactor Coolant pressure through switches to provide cold over-pressure (NDT) protection at shutdown modes of operation where RCS pressure and temperature are low. These controls for cold overpressure block switches have removable handles that are administratively controlled. These handles are only installed to manipulate the cold overpressure block switches.

7.2.4.2.5 Pressurizer Level

Three pressurizer level channels are used for reactor trip (2/3 high level). Isolated signals from these channels are used for pressurizer water level control, increasing or decreasing the pressurizer water level as required. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of half an hour or more). The design of the pressurizer water level instrumentation is a slight modification of the usual tank level arrangement using differential pressure between an upper and a lower tap. (See Figure 7.2-7.) The modification consists of the use of a sealed reference leg instead of the conventional open column of water.

Experience has shown that hydrogen gas can accumulate in the upper part of the condensate pot on conventional open reference leg systems in pressurizer water level service. At RCS operating pressures, high concentrations of dissolved hydrogen in the reference leg water are possible. On sudden depressurization accidents, it has been hypothesized that rapid effervescence of the dissolved hydrogen could blow water out of the reference leg and cause a large level error, measuring higher than actual level. Accurate calculations of this effect have been difficult to obtain. To eliminate the possibility of such effects, a bellows is used in a pot at the top of the reference leg to provide an interface seal and prevent dissolving of hydrogen gas into the reference leg water.

The reference leg is uninsulated and will remain at local ambient temperature. This temperature will vary somewhat over the length of the reference leg piping under normal operating conditions but will not exceed approximately 140°F. During a blowdown accident, any reference leg water flashing to steam will be confined to the condensate steam interface in the condensate pot at the top of the temperature barrier leg and will have only a small (about one inch) effect on measured level.

Some additional error may be expected due to effervescence of hydrogen in the temperature barrier water. However, even if complete loss of this water is assumed, the error will be less than one foot and can be tolerated.

Calibration of the sealed reference leg system was done in place after installation by application of known pressure to the low-pressure side of the transmitter and measurement of the height of the reference column. The effects of static pressure variations are predictable. The largest effect is due to the density change in the saturated fluid in the pressurizer itself. The effect is typical of level measurements in all tanks with two-phase fluid and is not peculiar to the sealed reference leg technique. In the sealed reference leg, there is a slight compression of the fill water with increasing pressure, but this is taken up by the flexible bellows. A leak of the fill water in the sealed reference leg can be detected by comparison of redundant channel readings on line and by physical inspection of the reference leg off line with the channel out of service. Leaks of the reference leg to atmosphere will be immediately detectable by off-scale indications on the control board. Further detection of leakage is provided by the plant computer alarm for deviation between redundant channels.
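The channel arrangement described in this section (three level channels, reactor trip on 2/3 high level, and a deviation alarm between redundant channels) can be sketched as follows. This is an added example, not part of the UFSAR or of any plant software; the setpoint, deviation tolerance, span, channel names and sample readings are assumptions chosen for illustration, and the faulted channel is assumed to read high.

```python
from dataclasses import dataclass
from statistics import median

# Assumed values for illustration only; none of these are plant setpoints.
HIGH_LEVEL_TRIP_PCT = 92.0      # per-channel high-level bistable setpoint
DEVIATION_ALARM_PCT = 5.0       # allowed distance from the median channel
SPAN_PCT = (0.0, 100.0)         # indicated span; outside it is "off scale"


@dataclass(frozen=True)
class ChannelStatus:
    name: str
    level_pct: float
    bistable_tripped: bool      # this channel alone is above the trip setpoint
    off_scale: bool             # reading outside the indicated span
    deviating: bool             # reading disagrees with the median channel


@dataclass(frozen=True)
class Evaluation:
    channels: tuple
    reactor_trip: bool          # 2-out-of-3 coincidence satisfied
    deviation_alarm: bool       # at least one channel is suspect
    suspect_channels: tuple


def evaluate_level_channels(readings):
    """Evaluate three redundant level readings given as {channel_name: percent}."""
    if len(readings) != 3:
        raise ValueError("exactly three redundant channels are expected")
    # The median of three is unaffected by any single faulted channel,
    # so it serves as the comparison reference for the deviation check.
    reference = median(readings.values())
    statuses = []
    for name, level in sorted(readings.items()):
        statuses.append(ChannelStatus(
            name=name,
            level_pct=level,
            bistable_tripped=level >= HIGH_LEVEL_TRIP_PCT,
            off_scale=not (SPAN_PCT[0] <= level <= SPAN_PCT[1]),
            deviating=abs(level - reference) > DEVIATION_ALARM_PCT,
        ))
    tripped = sum(s.bistable_tripped for s in statuses)
    suspects = tuple(s.name for s in statuses if s.off_scale or s.deviating)
    return Evaluation(
        channels=tuple(statuses),
        reactor_trip=tripped >= 2,
        deviation_alarm=bool(suspects),
        suspect_channels=suspects,
    )


# Constructed sample scans (percent of span), not plant data.
SCENARIOS = {
    "normal": {"I": 55.0, "II": 55.4, "III": 54.8},
    "slow fill leak on II": {"I": 55.0, "II": 61.0, "III": 54.8},
    "leg open to atmosphere on II": {"I": 55.0, "II": 103.0, "III": 54.8},
    "actual high level": {"I": 93.0, "II": 92.5, "III": 91.0},
}

if __name__ == "__main__":
    for label, scan in SCENARIOS.items():
        result = evaluate_level_channels(scan)
        print(f"{label:30s} trip={result.reactor_trip!s:5s} "
              f"alarm={result.deviation_alarm!s:5s} suspects={result.suspect_channels}")
```

A single faulted channel raises the deviation alarm and identifies itself without satisfying the 2/3 coincidence, while a real high level trips the reactor with no deviation alarm.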

7.2.4.2.6 High Level

A reactor trip on pressurizer high level is provided to prevent filling the pressurizer in the event of a rapid thermal expansion of the reactor coolant. A rapid change from high rates of steam relief to water relief could be damaging to the safety valves, relief piping and pressure relief tank.

However, a level control failure cannot actuate the safety valves because the high pressure reactor trip is set below the safety valve set pressure. With the slow rate of charging available, overshoot in pressure before the trip is effective is much less than the difference between reactor trip and safety valve set pressures. Therefore, a control failure does not require protection system action.

In addition, ample time and alarms are available for operator action.

7.2.4.2.7 Low Level

For control failures that tend to empty the pressurizer, two automatic letdown isolation and heater cut-off devices are provided, each actuated by signals from separate level channels. In addition, ample time and alarms exist for operator action. Therefore, a control failure does not require protective system action.

7.2.4.2.8 Steam Generator Water Level; Feedwater Flow

Before describing control and protection interaction for these channels, it is beneficial to review the protection system basis for this instrumentation. (See Figure 7.2-8.)

The basic function of the reactor protection circuits associated with low steam generator water level and low feedwater flow is to preserve the steam generator heat sink for removal of long term residual heat. Should a complete loss of feedwater occur with no protective action, the steam generators would boil dry and cause an overtemperature-overpressure excursion in the reactor coolant. Reactor trips on ΔT, pressure and pressurizer water level will trip the unit before there is any damage to the core or Reactor Coolant System. Redundant auxiliary feedwater pumps are provided to prevent residual heat after trip from causing thermal expansion and discharge of the reactor coolant through the pressurizer relief valves. Reactor trips act before the steam generators are dry to reduce the required capacity and starting time requirements of these pumps and to minimize the thermal transient on the Reactor Coolant System and steam generators. Independent trip circuits are provided for each steam generator for the following reasons:

1. Should severe mechanical damage occur to the feedwater line to one steam generator, it is difficult to ensure the functional integrity of level and flow instrumentation for that unit. For instance, a major pipe break between the feedwater flow element and the steam generator would cause high flow through the flow element. The rapid depressurization of the steam generator would drastically affect the relation between downcomer water level and steam generator water inventory.

2. It is desirable to minimize thermal transients on a steam generator for credible loss of feedwater accidents. It should be noted that controller malfunctions caused by a protection system failure affect only one steam generator.

A spurious high signal from the feedwater flow channel being used for control would cause a reduction in feedwater flow and prevent that channel from tripping.

A reactor trip on low-low water level, independent of indicated feedwater flow, will ensure a reactor trip if needed.

In addition, the three-element feedwater controller incorporates reset on level, such that with expected controller settings a rapid increase in the flow signal would cause only a small decrease in level before the controller reopened the feedwater valve.

A slow increase in the feedwater signal would have no effect at all.

A spurious low steam flow signal would have the same effect as a high feedwater signal, discussed above.

A spurious high water level signal from the protection channel used for control will tend to close the feedwater valve. This level channel is independent of the level and flow channels used for reactor trip on low flow coincident with low level. (Low feedwater flow trip.)

1. A rapid increase in the level signal will completely stop feedwater flow and lead to an actuation of a reactor trip on low feedwater flow.
2. A slow drift in the level signal may not actuate a low feedwater signal. Since the level decrease is slow, the operator has time to respond to low level alarms. Since only one steam generator is affected, automatic protection is not mandatory and reactor trip on two-out-of-three low-low level is acceptable.

7.2.4.2.9 Steam Line Pressure

Three pressure channels per steam line are used for steam line break protection. These are combined with other signals as shown in Table 7.2-1.

7.2.4.2.10 Operating Environment

Temperature in the control room and adjoining equipment room is maintained for personnel comfort at nominal 75°F. Protective equipment in this space is designed to operate within design tolerance over this temperature range.

Design specifications for this equipment specify no loss of protective function over the temperature range from 40°F to 120°F. Thus, there is a wide margin between design limits and the normal operating environment for control room equipment.

Within containment, the normal operating temperature for protective equipment except out-of-core neutron detectors will be maintained below 120°F. Protective instrumentation is designed for continuous operation within design tolerance in this environment. Out-of-core neutron detectors are designed for continuous operation at 135°F, and the normal operating temperature will be maintained below this value. The detectors will withstand operation at 175°F for short durations (8 hr.). Process instrumentation in containment which is vital to plant protection is designed to survive the post-accident environment long enough to perform its protective function.

Qualification testing has been performed on various safety systems such as process instrumentation, nuclear instrumentation and relay racks. This testing involved demonstrating operation of safety functions at elevated ambient temperatures to 120°F for control room equipment and in full post-accident environment for required equipment in containment. Detailed results of some of these tests are proprietary to the suppliers, but are on file at the suppliers and available for audit by qualified parties.

See Section 7.5 for additional information on environmental qualification.

7.3 CONTROL SYSTEMS

7.3.1 Design Basis

The reactor automatic control system is designed to reduce nuclear plant transients for design load perturbations, such that reactor trips will not occur because of them.

Overall reactivity control is achieved by the combined use of chemical shim and Rod Cluster Control Assemblies (RCCA). Long-term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short-term power changes are accomplished by moving RCCAs.

The function of the reactor control system is to provide automatic control of the RCC Assemblies during power operation of the reactor. The system uses input signals including neutron flux, coolant temperature, and turbine load. The Chemical and Volume Control System (Chapter 9) supplements the reactor control system by the addition and removal of varying amounts of boric acid solution.

When the reactor is critical, the best indication of the reactivity status of the core is the position of the control rod groups in relation to power and average coolant temperature. There is a direct relationship between control rod position and power and it is this relationship which establishes the lower insertion limit calculated by the rod insertion limit monitor which is described in Sub-Chapter 7.2.

Any unexpected change in the position of the control group under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the core. In addition, periodic samples are taken to determine the coolant boron concentration, whose variation during core life provides a further check on the reactivity status of the reactor including core depletion.

The reactor control system is designed to enable the reactor to follow load changes automatically when the output is above approximately 15 percent of nominal power. Control rod positioning may be performed automatically, when plant output is above this value, and manually at any time.

The operator is able to select any single bank of rods for manual operation. This is accomplished with a multi-position switch so that he may not select more than one bank. He may also select automatic reactor control, in which case the control banks can be moved only in their normal sequence with program overlap. As one bank reaches 128 steps, the next bank begins to withdraw.

The system enables the nuclear unit to accept a ramp load increase of 1 percent per minute within the load range of 20 percent to 100 percent without reactor trip subject to possible xenon oscillations. The system enables the nuclear unit to accept a 10 percent load decrease at rates up to 200 percent per minute within the load range of 25 percent to 100 percent without steam dumps or reactor trip subject to possible xenon oscillations. The system enables the nuclear unit to accept a rapid load decrease of up to 40 percent, at a maximum rate of 200 percent per minute, in combination with steam dump actuation without a reactor trip subject to xenon oscillations and depending upon combined effects of full power Tavg and fuel burnup. Between 40% and 25%, administrative controls limit the decrease to approximately 2% per minute (or bypass AMSAC) to avoid an AMSAC actuation.

The control system is capable of restoring coolant average temperature to within the programmed temperature deadband, following a scheduled or unexpected change in load.

The pressurizer water level is programmed as a function of auctioneered coolant average temperature. This minimizes the demands on the chemical and volume control and waste disposal systems resulting from coolant density changes during loading and unloading.

Following a reactor and turbine trip, sensible heat stored in the reactor coolant is removed without actuating the steam generator safety valves by means of controlled steam dump to the condensers and by injection of feedwater into the steam generators. Reactor coolant system temperature is reduced to the no load condition and is maintained by steam dump to the condenser which removes residual heat.

7.3.2 System Design

The reactor control system is designed to provide stable system control over the full range of automatic operation throughout core life without requiring operator adjustment of setpoints other than normal calibration.

A simplified block diagram of the reactor control system is shown in Figure 7.3-1 and is functionally identical for Westinghouse plants. The reactor control system controls the reactor coolant average temperature by regulating control rod bank positions. The programmed coolant average temperature increases linearly from zero to the full power condition.

The reactor control system will also initially compensate for reactivity changes caused by fuel depletion and/or xenon transients. Long-term compensation for these two effects is periodically made by adjustments of the boron concentration. This permits the control rod banks to be returned to their normal operating ranges.

The reactor coolant loop average temperatures are determined from hot leg and cold leg measurements in each reactor coolant loop. The error between the programmed average temperature and the highest of the measured average temperatures from each of the reactor coolant loops constitutes the primary control signal (see Figure 7.3-1). An additional control input signal is derived from the reactor power vs. turbine 1st stage pressure signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.

From these input signals, the rod command signals are derived. The rod speed command signal varies over the corresponding range of 3.75 to 45 inches per minute depending on the magnitude and the rate of change of the input signals. The rod direction command signal is determined by the positive or negative value of the temperature difference signal. The rod speed and rod direction command signals are fed to the rod control system.

7.3.2.1 Rod Cluster Control Assembly Arrangements

The original design provided 61 Rod Cluster Control Assemblies (RCCAs) of which 53 were full-length and eight were part-length rods. The part-length RCCAs are no longer used and the rods themselves have been removed. The Unit 1 and Unit 2 part-length Control Rod Drive Mechanisms (CRDMs) have been eliminated. The full-length rods are divided into four shutdown banks which use 24 RCCAs and four control banks containing the remaining 29 RCCAs. The control banks are the only rods that can be manipulated under automatic control. The control rods are divided into groups to obtain smaller incremental reactivity changes per step. All RCCAs in a group are electrically paralleled to move simultaneously. There is an individual position indication for each RCC Assembly. The drive mechanisms for the RCCAs are described in Section 3.2.1 for Unit 1 and Section 3.2.3 for Unit 2.

7.3.2.2 Rod Control

For a detailed description of the rod control and position indication systems, see References 5 and 6.

7.3.2.3 Primary System Pressure Control

The reactor coolant system pressure is maintained at a constant value by the pressurizer using either the heaters (in the water region) or the spray (in the steam region). Two main groups of electrical immersion heaters are located near the bottom of the pressurizer: proportional heaters, which are used to control small pressure variations due to heat losses, including those due to a small continuous spray in the pressurizer, and backup heaters, which are turned on when the pressurizer pressure controller signal is below a given value.

A spray nozzle is located in the upper portion of the pressurizer cavity. Spray is initiated when the pressure controller signal is above a given set point, and spray rate increases proportionally with increasing pressure. Steam is condensed by the spray, which will return the pressurizer pressure to its Program Value. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Three pressurizer power relief valves limit system pressure for large load reduction transients.

Three spring-loaded safety valves limit system pressure should a complete loss of load occur without direct reactor trip or steam dump actuation.

7.3.2.4 Pressurizer Level Control

The water inventory in the Reactor Coolant System is maintained by the Chemical and Volume Control System. During normal plant operation, the pressurizer level is controlled by the charging-flow controller which controls the charging flow control valve or the positive displacement charging-pump speed to produce the flow demanded by the pressurizer-level controller. The pressurizer water level is programmed as a function of coolant average temperature. The pressurizer water level decreases when load is reduced. This is the result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes. To permit manual control of pressurizer level during startup and shutdown operations, the charging flow can be manually regulated from the control room.

7.3.2.5 Secondary System Control

The secondary system includes the steam from the steam generators and the condensate and feedwater systems.

7.3.2.6 Steam Dump

The steam dump system is designed to relieve steam from the steam generators to the condenser thus reducing the sensible heat in the primary system in the event of net load reduction not exceeding 40 percent.

The positive displacement charging pumps are not currently used for plant operations.

The steam dump design capacity is approximately 26 percent to 39 percent of full load steam flow, depending upon the full load steam pressure. All steam dump steam flows to the main condensers via the steam lines.

When a load rejection occurs, if the difference between the required temperature set point of the Reactor Coolant System and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the Reactor Coolant System temperature within control range until a new equilibrium condition is reached.

The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The purpose of the steam dump system is to reduce reactor coolant system transients following substantial turbine load reductions by bypassing main steam directly to the condensers, thereby maintaining an artificial load on the steam generators. The control rod system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions.

The required number of steam dump valves stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load. The dump valves modulate closed as the reactor coolant average temperature mismatch signal decreases.

Following a reactor and turbine trip, decay heat and sensible heat stored in the reactor coolant are removed without actuating the steam generator safety valves by means of controlled steam dump to the condensers and by injection of auxiliary feedwater to the steam generators. Reactor Coolant System temperature is thus reduced to the no load conditions and maintained by use of this steam dump control.

7.3.2.7 Steam Generator Water Level Control

Each steam generator is equipped with a three-element feedwater controller, which maintains a programmed water level as a function of load on the secondary side of the steam generator. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the water level signal and the pressure compensated steam flow signal.

Continued delivery of auxiliary feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor coolant following a reactor trip and turbine trip. An override signal closes the main feedwater valves when the average coolant temperature is below a given temperature.

Following a turbine trip, the feedwater regulating valves are closed and auxiliary feedwater is initiated. This provides a heat sink. Subsequently, the operator remotely controls auxiliary feedwater to maintain steam generator water level.

7.3.2.8 Turbine Control

The turbine control system is designed to regulate the steam flow to the turbine as a function of load or speed.

7.3.2.9 Secondary System Description

The general arrangement of the main steam, condensate and feedwater system is discussed in Chapter 10.

7.3.2.10 Secondary System Evaluation

All equipment is designed with highly reliable components. Maximum use is made of solid state components in the electronic instruments. Spring loaded diaphragm control valves are employed to fail safe on loss of air or power. All instrumentation and controls, where possible, are installed outside of the containment structure and in locations accessible for inspection and maintenance.

Automatic control instruments in selected systems are provided with backup manual control through transfer switches. Alarms are provided to warn of abnormal conditions.

7.3.3 System Design Evaluation

7.3.3.1 Unit Stability

The rod control system is designed to limit the amplitude and the frequency of continuous oscillation of coolant average temperature about the control system setpoint within acceptable values. Continuous oscillation can be induced by the introduction of a feedback control loop with an effective loop gain which is either too large or too small with respect to the process transient response, i.e., instability induced by the control system itself. Because stability is more difficult to maintain at low power under automatic control, no provision is made to provide automatic control below 15 percent of full power.

The control system is designed to operate as a stable system over the full range of automatic control throughout core life.

7.3.3.2 Load Changes without Steam Dump

A typical power control requirement is to restore equilibrium conditions, without a trip, following a maximum of 1 percent per minute ramp load increase, 5 percent per minute continuous ramp load decrease, or a 10 percent load decrease at a maximum rate of 200 percent per minute, over the 15 to 100 percent power range for automatic control. The design must necessarily be based on conservative conditions and a greater transient capability is expected for actual operating conditions. A unit load demand greater than 100% of turbine-generator rating is prohibited by the turbine control load limit devices. The reactor core demand of greater than 100% licensed power is limited by overpower/overtemperature ΔT reactor trips described in Section 7.2.2.

The function of the control system is to minimize the reactor coolant average temperature deviation during the transient within a given value and to restore average temperature to the programmed setpoint within a given time. Excessive pressurizer pressure variations are prevented by the use of spray and heaters in the pressurizer.

The margin between the overtemperature ΔT set point and the measured ΔT is of primary concern for the step load changes. This margin is influenced by nuclear flux, pressurizer pressure, reactor coolant temperature, and temperature rise across the core.

7.3.3.3 Loading and Unloading

Ramp loading and unloading of 5%/minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant. The only exception is that the unloading between 40% and 25% is limited to 2%/min by administrative controls (or AMSAC is bypassed) to avoid an AMSAC actuation. The function of the control system is to maintain the reactor coolant average temperature and pressure as functions of turbine-generator load. The minimum control rod speed provides a sufficient reactivity insertion rate to compensate for the reactivity changes resulting from the moderator and fuel temperature changes.

The reactor coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.

Conversely, as the reactor coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer level is programmed so that the water level is above the set point at which the heaters cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in reactor coolant average temperature and to provide sufficient margin in the overtemperature ΔT setpoint.

The automatic load controls are designed to safely adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.

7.3.3.4 Loss of Load with Steam Dump

The reactor control system is designed to accept a net load reduction not exceeding 50% without reactor trip or turbine trip being actuated for load losses. The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the reactor coolant system. The reactor power is reduced at a rate consistent with the capability of the rod control system. Reduction of the reactor power is automatic down to 15 percent of full power. The steam dump load rejection rate is comparable to the Rod Cluster Control Assemblies (RCCA) capability of inserting negative reactivity.

The pressurizer relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the minimum incremental rod worth. The relief capacity of the power operated relief valves is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above conditions.

However, revisions made to Steam Generator water level trip setpoints, due to reference leg heat-up concerns, can result in reactor trip during large load rejection transients.

7.3.3.5 Turbine-Generator Trip with Reactor Trip

Whenever the turbine-generator unit trips at an operating level above approximately 31 percent power (above P-8) the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature significantly greater than the saturation temperature corresponding to the steam generator pressure at the safety valve setpoint. The thermal capacity of the reactor coolant system is greater than that of the secondary system, and because the full load average temperature is greater than the no load steam temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of cold auxiliary feedwater to the steam generators.

The steam dump system is controlled from the reactor coolant average temperature signal whose setpoint values are reset upon trip to the no load value. Actuation of the steam dump must be rapid to prevent actuation of the steam generator safety valves. With the dump valves open the average coolant temperature starts to reduce quickly to the no load set point. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam that is bypassed.

Following the turbine trip, the steam voids in the steam generator will collapse and auxiliary feedwater will provide sufficient flow to restore water level in the downcomer. The operator reduces the flow when the average reactor coolant temperature decreases below a given temperature value or when the steam generator water level reaches a given high level.

Additional makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers, which are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level fall rapidly during the transient because of reactor coolant contraction. The pressurizer level program will increase charging rate to compensate. If level approaches too close to the heaters, power to them is cut off. In addition, letdown is isolated to accelerate level recovery through charging. Once level permits, heaters are energized to restore normal pressurizer pressure.

The steam dump system is designed to prevent the average coolant temperature from falling below the programmed no load temperature following the trip to ensure adequate reactivity shutdown margin.

7.4 NUCLEAR INSTRUMENTATION

7.4.1 Application of Design Criteria

The Nuclear Instrumentation System uses information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source level through the intermediate and low power level. As the reactor power increases, the overpower protection level is increased by administrative procedures after satisfactory higher range instrumentation operation is obtained. Automatic reset to core restrictive trip protection is provided when reducing power.

Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power.

Because of the wide range of neutron flux, monitoring with several ranges of instrumentation is necessary. The lowest range ("source" range) covers six decades of leakage neutron flux. The next range ("intermediate" range) covers eight decades. Detectors and instrumentation are chosen to provide overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation ("power" range) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range. The power range channels are capable of recording overpower excursions up to 200 percent of full power.

The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup and power operation, as well as during subsequent refueling. Start-up-rate indication for the source and intermediate range channels is provided at the control board. Reactor trip and rod stop control and alarm signals are transmitted to the Reactor Control and Protection System for automatic plant control.

7.4.2 Nuclear Instrumentation Systems Design and Evaluation

A comprehensive discussion of the Nuclear Instrumentation System (NIS), covering design bases and a detailed description of the system, can be found in Reference 7. In addition, two neutron flux monitoring channels have been added to Units 1 and 2 for indication purposes only. Both channels have been qualified for post-accident monitoring. Wide range, source range and wide range startup rate flux indication is provided by both channels in the control room and one channel also provides source range flux indication on a local shutdown indication panel. The neutron flux monitoring channels that were added perform none of the tripping or protective functions described in Section 7.2.2. Both channels can be configured to provide backup monitoring for the Source Range channels during shutdown conditions.

7.5 ENGINEERED SAFETY FEATURES INSTRUMENTATION

7.5.1 Design Bases

The engineered safety features instrumentation measures temperatures, pressures, flows and levels in the reactor coolant system, main steam system, reactor containment and auxiliary systems. The instrumentation provides input to the Engineered Safety Features Actuation System (ESFAS) and monitors its operation. Process variables required on a continuous basis for the start-up, operation, and shutdown of the unit are indicated, recorded and controlled from the control room. The quantity and types of process instrumentation provided ensure safe and orderly operation of all systems and processes over the full operating range of the plant.

Certain controls and indicators, which require a minimum of operator attention, or are only in use intermittently, are located on local control panels near the equipment to be controlled. Monitoring of the alarms of such control systems is provided in the control room. Design criteria for redundancy, separation and diversity are similar to those used for the protection system, Sub-Chapter 7.2.

The active engineered safety features systems are actuated by redundant logic and coincidence networks similar to those used for reactor protection. Each network actuates a device that operates the associated engineered safety features equipment, motor starters and valve operators. The channels are designed to combine redundant sensors, independent channel circuitry, and coincident trip logic. Where possible, different but related parameter measurements are utilized. This ensures a safe and reliable system in which a single failure will not defeat the intended function. The action initiating sensors, bistables and logic for the Engineered Safety Features Actuation System (ESFAS) are shown in the 98000 series logic diagrams, and the 99000 series functional diagrams.

Figure 7.5-1 in Section 7.5 shows the arrangement for the Containment Pressure Protection logic.

The Engineered Safety Features Actuation System (ESFAS) actuates (depending on the severity of the condition) the Safety Injection System, Containment Isolation, Containment Spray System, Containment Air Recirculation Fans, Control Room Ventilation Isolation, Steam Line Isolation, Feedwater Isolation, Auxiliary Feedwater pumps, Turbine Trip, Reactor Trip, Essential Service Water Pumps, and the Diesel Generators.

Availability of control power to the engineered safety features trip channels is continuously monitored. In general, the loss of instrument power to the sensors, instruments, or logic devices in the engineered safety features instrumentation places that channel in the trip mode. Exceptions are the containment spray initiating channels and the Main Steam Isolation Valve initiating channels, which require instrument power for actuation.

The passive accumulators of the Emergency Core Cooling System do not require signal or power sources to perform their functions. The actuation of the active portion of the Emergency Core Cooling System (ECCS) is from signals described in Table 7.2-1. Containment spray operation is initiated by containment High-High pressure. Containment Spray Actuation Signal logic (CSAS) is shown on the 98000 series logic diagrams. The containment pressure is sensed by four independent pressure detectors, which are combined in a two-out-of-four logic network. The output signal provides two independent channels for containment spray actuation via the two logic trains. Each CSAS train initiates operation of the two containment spray pumps with their associated valving.

In the event of CSAS, the containment spray pumps would be operated from the normal source of power. If this is not available, or subsequently becomes unavailable, the supply buses would automatically be switched to the emergency diesel generators.

Each spray system isolation valve is opened automatically on a CSAS. Containment isolation backup is provided by check valves in the spray system piping.

The spray pump motor starting circuits and spray valve control circuits are provided with manual control switches in the control room. Each pump and isolation valve has test features to permit periodic operability testing of components and circuitry without causing interruption of the spray initiating system or inadvertent spray into the containment building.

The logic which initiates containment isolation can be found in the 98000 series logic diagrams.

There are four independent containment pressure detectors. Three of the pressure detectors are combined in a two-out-of-three logic to provide the signal for containment isolation for non-essential process lines if the high-pressure set point is reached. This actuates the safeguards system, including Phase A containment isolation and safety injection. All four pressure detectors are combined in a two-out-of-four logic to provide the Phase B Containment Isolation signal for all penetrations (including those open to the containment atmosphere), except those required for operation of the engineered safety features, if the high-high pressure set point is reached. This initiates Phase B containment isolation, steam line isolation and containment spray.

A list of isolation valves is provided in Table 5.4-1. Air operated isolation valves will automatically go to their engineered safety features position on loss of control air.

Isolation valves are tested as described in Section 5.4. The power supply to the containment isolation system is the engineered safeguard electrical supply as described by Chapter 8.

Manual actuation of each channel may be accomplished from central control or local switches.

Individual valve control switches are located in the control room for isolation valve testing. The switches have a spring return to the neutral position, to allow automatic operation to occur.

Each valve has test features to permit periodic testing of components and circuitry without causing interruption of the containment isolation initiating signal.

The containment isolation signals provide the means of isolating the various pipes passing through the containment walls as required to prevent the release of radioactivity to the outside environment in the event of an accident. The signals for actuation of the containment isolation are given in Table 7.2-1.

7.5.2 System Design

7.5.2.1 Engineered Safety Features Actuation System Description

The Engineered Safety Features actuation circuitry and hardware layout are designed to maintain channel isolation up to and including the bistable operated logic relay similar to that of the reactor protection circuitry as discussed in Sub-Chapter 7.2. See References 4 and 22 for a description of the solid state protection system instrumentation and Table 7.5-1 for listing of RPS and ESFAS process instrumentation.

7.5.2.2 Engineered Safety Features and Associated System Actuation

Table 7.2-1 includes the engineered safety features and associated systems actuation signals.

7.5.2.3 Engineered Safety Features Vital Functions

The engineered safety features actuation system automatically performs the following vital functions:

a. Starts operation of the Safety Injection System upon:
1. Low pressurizer pressure
2. High Containment pressure
3. High differential pressure between steam lines
4. Low steam line pressure

b. The Safety Injection Signal will also:
1. Initiate Phase "A" containment isolation (A) and containment ventilation isolation (CVI)
2. Initiate main feedwater isolation
3. Actuate the auxiliary feedwater system
4. Start the diesel generators
5. Isolate Control Room Ventilation
6. Initiate Reactor Trip
7. Actuate an Essential Service Water Pump
c. Closes the steam generator main steam stop valves on: High-High containment pressure or low steam line pressure or high steam line flow coincident with low-low Tavg.
d. Initiates the Containment Spray System and a Phase "B" containment isolation (B) on a hi-hi containment pressure signal.
e. Initiates Containment Air Recirculation/Hydrogen Skimmer Systems on a containment pressure high signal.

7.5.2.4 Reset Capability

To allow for post incident recovery flexibility as well as recovery from spurious actuation, push buttons are provided to reset the following actuating signals:

a. Safety Injection
b. Phase "A" Containment Isolation
c. Containment Ventilation Isolation
d. Phase "B" Containment Isolation
e. Containment Spray
f. Feedwater Isolation

Each of these reset push buttons has an alarm to indicate that it has been pushed and a sealed cover to prevent its inadvertent use.

7.5.2.5 Engineered Safety Features Instrumentation Calibration and Test

The engineered safety features actuation channels are designed with sufficient redundancy to provide the capability for channel calibration and test during power operation. Removal of one actuation channel for test is accomplished by either placing that channel in a tripped mode; i.e., a two-out-of-three logic matrix becomes a one-out-of-two logic, or using bypass capability where a two-out-of-four logic matrix becomes a two-out-of-three logic. Testing does not trip the system unless a trip condition occurs in redundant channels.

Containment spray actuation channels (from containment pressure) are tested by removing a channel from service. Since 2/4 logic is used, 2/3 logic remains active during testing.

Separate logic circuits exist in each of the two trains of the ESFAS circuitry. Each output of the logic circuits, as described in Topical Report WCAP-7672 (Reference 4), consists of a master relay which drives slave relays for contact multiplication as required. The logic master and slave relays are mounted in cabinets designated Train A and Train B respectively for redundancy.

Separate safeguards test cabinets (STC) provide the capability to check the circuitry from the slave relays to the final elements for the Train A and Train B engineered safety features. Each cabinet contains the necessary switches for testing all slave relays.

Engineered safety features circuitry from slave relays to the final elements is primarily tested when the unit is not at power operation either by use of the STC features or by some independent method.

The STC has the capability to test slave relays in one of two ways depending on whether the actuation of attached final elements such as valves or pumps is likely to disrupt the plant. Where no disruption is likely, manageable groups of slave relays may be tested in a manner called a "Go Test" that causes equipment actuation. Where disruption is likely, slave relay action can be checked by electrical continuity in a manner called a "Block Test" that cannot cause equipment actuation.

By design, the impact of Go Tests on the plant is minimized due to the equipment assignments to each slave relay. Equipment assignment to slave relays was intended to avoid undesirable effects on the plant from combined equipment actuation. Inadvertent initiation of a Go Test will be avoided by requiring a two-step switch action.

Performance of a Go Test will require close communication between the main control room operator and the operator at the test panel. Plant conditions before the test and proper equipment actuation after the test require checking.

An annunciator is provided for the STC to indicate when a safeguards actuation circuit is blocked.

To assure continuous protection, redundant safeguards actuation circuits will not be permitted to be simultaneously tested.

The STC has the capability to extend the test capabilities beyond those described in Topical Report WCAP-7672.

7.5.2.6 Feedwater Isolation

Any safety injection signal will isolate the main feedwater lines by closing the flow control and isolation valves and tripping the main feedwater pumps. The trip of the main feedwater pumps will initiate closing of the pumps' discharge valves.

7.5.2.7 Main Steam Isolation

Protection against a steam line break is provided by safety injection actuation, feedwater isolation - to prevent excessive cooldown of the primary side, and main steam isolation - to prevent the uncontrolled blowdown of more than one steam generator. Closure of the steam line isolation valves is initiated by the signals previously described in section 7.5.2 and included in Table 7.2-1 as part of an automatic actuation system designed to meet the requirements for protective systems as described in sections 7.2.1 and 7.5.2. Main steam isolation may also be initiated manually from the control room.

7.5.2.8 Engineered Safety Features Instrumentation

The following describes the instrumentation, which ensures monitoring of the Engineered Safety Features.

7.5.2.9 Ice Condenser Instrumentation

The ice condenser instrumentation serves to monitor the operation of the equipment and the ice bed status by providing to the operator the control room information listed below. These features are informative but are not required for proper ESF action. Ice Condenser Instrumentation monitors the following:

a. Temperature Measurements
b. Door Position Indications
c. Expansion Tank Level
d. Isolation Valves Indicator Lights

See Section 5.3.5.1.5 for additional information.

7.5.2.10 Containment Pressure

Lower volume containment pressure is monitored by four taps, each connected to a pressure sensor. As shown on Figure 7.5-1, each sensor provides an analog signal to its associated bistables, which will trip at preset signal values. These tripped bistables provide input to the protection logic circuits, which in turn trip the relays to actuate the safeguards systems.

Three of the four transmitters connected to the lower volume have two bistables, the first of which is set to trip at the Hi containment pressure value. When two of the three bistables are tripped, the logic circuits produce a safety injection signal which initiates the actions discussed earlier in Sub-Chapter 7.5 under ESF Vital Functions. These first bistables are normally energized and become de-energized when tripped. Thus, a loss of power to two or more channels will produce a trip and actuate the safeguards system. However, the loss of one channel will neither cause nor prevent the above actions.

The fourth transmitter has only one bistable associated with it. This bistable, along with the second bistables associated with the other three channels, is set to trip at the hi-hi containment pressure value.

When two of the four bistables are tripped, the logic circuits will initiate the containment spray and steam line isolation, and also initiate Phase B isolation. The bistables in this second set are normally de-energized and become energized when tripped. Thus, a momentary loss of power or a voltage dip will not cause a spurious trip, which would actuate the hi-hi containment signal. It should be noted that for containment spray the logic changes from 2/4 to 2/3 when a channel is placed on test.

Each channel is supplied with electrical power from one of the vital instrument buses. A blackout or momentary loss of station power will not cause any interruption in the power supplied to the instruments. The vital instrument buses are described in Chapter 8.
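The voting behaviour described in 7.5.2.5 and 7.5.2.10, modelled as an added example that is not part of the UFSAR or of the plant's logic. The setpoint values, the channel numbering and all function names are assumptions made for illustration.

```python
"""Coincidence voting on four containment pressure channels (illustrative model)."""
from dataclasses import dataclass

# Constructed setpoints in arbitrary units; the page gives no values.
HI_SETPOINT = 1.0
HIHI_SETPOINT = 3.0
# Assumption: channels 1-3 carry both bistables, channel 4 only the hi-hi one.
HI_CHANNELS = (1, 2, 3)


@dataclass
class Channel:
    number: int
    pressure: float
    powered: bool = True
    hi_test_trip: bool = False   # hi bistable placed in the tripped mode for test
    hihi_bypassed: bool = False  # hi-hi bistable bypassed for test


def hi_tripped(ch):
    """First bistable: normally energized, de-energizes to trip."""
    if ch.hi_test_trip or not ch.powered:
        return True  # a dead channel is indistinguishable from a tripped one
    return ch.pressure >= HI_SETPOINT


def hihi_tripped(ch):
    """Second bistable: normally de-energized, so it needs power to trip."""
    return ch.powered and ch.pressure >= HIHI_SETPOINT


def hi_signal(channels):
    """Two-out-of-three vote on the hi bistables (safety injection input)."""
    trips = [hi_tripped(c) for c in channels if c.number in HI_CHANNELS]
    return sum(trips) >= 2


def hihi_signal(channels):
    """Two-out-of-four vote; a bypassed channel drops out, leaving 2/3."""
    trips = [hihi_tripped(c) for c in channels if not c.hihi_bypassed]
    return sum(trips) >= 2


def make_channels(pressures, unpowered=(), hi_test_trip=(), hihi_bypassed=()):
    """Build channels 1-4 from four readings; the keyword sets hold channel numbers."""
    return [
        Channel(
            number=n,
            pressure=p,
            powered=n not in unpowered,
            hi_test_trip=n in hi_test_trip,
            hihi_bypassed=n in hihi_bypassed,
        )
        for n, p in enumerate(pressures, start=1)
    ]


def actuation(channels):
    """Return (hi signal, hi-hi signal) for one snapshot of the channels."""
    return hi_signal(channels), hihi_signal(channels)


if __name__ == "__main__":
    normal = [0.2, 0.2, 0.2, 0.2]  # constructed readings, below both setpoints
    cases = {
        "normal": make_channels(normal),
        "one channel loses power": make_channels(normal, unpowered={1}),
        "two channels lose power": make_channels(normal, unpowered={1, 2}),
        "ch1 hi in test trip, ch2 high": make_channels(
            [0.2, 1.5, 0.2, 0.2], hi_test_trip={1}
        ),
        "ch4 hi-hi bypassed, ch1+ch2 hi-hi": make_channels(
            [3.5, 3.5, 0.2, 0.2], hihi_bypassed={4}
        ),
    }
    for name, chans in cases.items():
        hi, hihi = actuation(chans)
        print(f"{name:36s} hi={hi!s:5s} hi-hi={hihi}")
```

With one hi channel in the tripped mode a single remaining channel completes the vote (one-out-of-two), while a bypassed hi-hi channel leaves two trips still required among the other three.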

The pressure in the upper volume of the containment is monitored by 4 sensors connected to 2 taps. Two of these sensors provide narrow range indication and the other two provide wide range indication. All of these signals are indicated and recorded in the main control room, but are not required to perform any safety function.

7.5.2.11 Containment Radiation

Radiation monitors (the containment area monitor, the containment air particulate monitor and the containment noble gas monitor) will close containment ventilation purge valves when any monitor reaches its high radiation setpoint. For details of these monitors, refer to Sub-Chapter 11.3.

7.5.2.12 Refueling Water Storage Tank Level

Level instrumentation on the refueling water storage tank consists of two channels. Each channel provides a low level trip of its train's residual heat removal pump. In addition, one channel provides a remote indication and alarm of high and low tank. The second channel provides a remote recorded indication of minimum allowable tank level and low-low level as well as alarming these conditions.

7.5.2.13 Emergency Core Cooling System Pumps Discharge Pressure

These channels clearly show that the ECCS pumps are operating. The transmitters are outside the containment. Indicators are on the main control boards.

7.5.2.14 Pump Energization

All pump motor power feed breakers indicate that they have closed by energizing indicating lights on the control board.

7.5.2.15 Valve Position

All engineered safety features remote operated valves, including those for which independent control power lockout has been provided, have position indication on the control board to show proper positioning of the valves. Air-operated and solenoid-operated valves move in the preferred direction with the loss of air or power. After a loss of power to the motors, motor-operated valves remain in the same position as they were prior to the loss of power.

7.5.2.16 Containment Water Level Instrumentation

The containment water level monitoring system consists of two redundant lower range channels and two redundant upper range channels.

The lower range channels indicate the water level in the containment sump. One of the lower range channels also has a high and low alarm.

The upper range channels indicate the water level in the containment. There is a five-inch overlap between the lower and the upper range channels. The total system can measure a level resulting from over 600,000 gallons of water in the containment. The upper range level transmitters are located above the maximum postulated flood-up level and transmit signals to the control room.

The system is designed to operate during accident and post-accident environments.

In addition, two redundant level switches to indicate containment water level necessary for recirculation and two redundant level switches to indicate containment water level just below flood level are provided in containment. Indicating lights, for each level switch, are provided on the RHR Panel in the main control room.

7.5.2.17 Containment Recirculation Sump Water Level Instrumentation

The Containment Recirculation Sump Water Level instruments provide indication of excessive fouling or blockage of the recirculation sump strainers. Indicating lights are provided in the control room. A white indicating light will illuminate when the water level increases above the setpoint.

A red indicating light will illuminate when the level subsequently drops below the setpoint, indicating possible recirculation sump blockage. An audible alarm will also sound when the red indicating light is illuminated.

7.5.2.18 Other Instrumentation

In addition to the above, the following local instrumentation is available:

a. Residual heat removal pumps discharge pressure
b. Residual heat exchanger exit temperature
c. Containment spray test lines total flow
d. Safety injection test line pressure and flow.

7.5.2.19 Instrumentation Used During Loss-of-Coolant Accident

Instruments which are designed to function for various periods of time following the major loss-of-coolant accident are those which govern the operation of engineered safety features. Narrow range reactor coolant loop temperature, pressurizer pressure and level, narrow range steam generator level and main steam flow sensors are located inside the containment.

Of these, the pressurizer pressure sensors are the only transmitters inside containment, which may be required to actuate ESF during a postulated loss-of-coolant accident.

All of the above sensors have been designed and qualified to perform their intended function(s) under postulated accident conditions.

It should be emphasized, however, that for the large loss-of-coolant incidents the initial suppression of the transient is independent of any detection or actuation signal because the water level will be restored to the core by the passive accumulator system.

All pumps used for safety injection and containment spray are located outside the containment.

The operation of the equipment can be verified by instrumentation that reads in the control room.

This instrumentation will not be affected by the accident.

Depending upon the magnitude of the loss-of-coolant incident, information relative to the pressure of the Reactor Coolant System will be useful to the operator to determine which pumps will be used for recirculation in the event of a small break. The discharge pressure of the charging pumps, as read on instrumentation outside the containment, will serve this purpose. The containment water level and refueling water tank instrumentation will also provide information for evaluating the conditions necessary to initiate the recirculation mode of operation. See Chapter 6 for further details.

The refueling water storage tank level instrumentation provides additional information to determine the relative size of a reactor coolant leak. Core recirculation and containment spray recirculation (if necessary) are manually initiated before the refueling water storage tank is empty.

See Sub-Chapter 6.2 for further details.

Consideration has been given to all the instrumentation and information that will be necessary for the recovery time following a loss-of-coolant incident. Instrumentation external to the reactor containment such as radioactivity monitoring equipment will not be affected by this postulated incident and will be available to the operator.

7.5.3 System Evaluation

Redundant instrumentation has been provided for all inputs to the protective systems and vital control circuits. Where wide process variable ranges and precise control are required, both wide range and narrow range instrumentation is provided. Instrumentation components are selected from standard commercially available products with proven operating reliability. The instrument power electrical and electronic instrumentation required for safe and reliable operation is supplied from the four instrument buses.

The engineered safety features initiation, control and power supply systems are designed so that no single fault in components, units, channels or sensors will prevent engineered safety features operation. The timing of initiation and start-up of the engineered safety features is such as to provide conservative protection.

The wiring is grouped so that no single fault or failure, including either an open or short circuit, will negate engineered safety features operation. Wiring for redundant circuits is protected and routed independently so that damage to any one path will not prevent the protective action. Sensors are piped so that blockage or failure of any one connection does not prevent engineered safety features operation.

The detailed design incorporates the following characteristics in order to counteract faults resulting in loss of power:

a. All redundant components are powered from separate buses;
b. The 250 volt dc and 120 volt ac power buses used are discussed in detail in Chapter 8;
c. The 4160 volt and 600 volt systems are discussed in Chapter 8;
d. The starting and loading of diesel generators is described in Chapter 8;
e. Whenever practical, on loss of power, components of the engineered safety features system have been designed to assume the position called for under emergency conditions.

7.5.3.1 Pressurizer Pressure

Credible accident conditions requiring emergency core cooling would involve pressurizer pressure. The present design for emergency core cooling is accomplished by the safety injection system (SIS) actuation from this primary system variable. Actuation is initiated by a low pressurizer pressure signal as described in Table 7.2-1. To prevent a spurious signal from falsely actuating the SIS, two-out-of-three redundant measuring channels must sense pressurizer pressure below setpoint to cause actuation.

Pressurizer pressure is sensed by fast response pressure transmitters.

Instrument delays are small in comparison with the computed lag in pressurizer pressure, which lags behind the reactor coolant pressure during blowdown.

The response times assumed by the accident analysis are listed in Tables 7.2-6 and 7.2-7.

A safety injection block switch is provided to permit the primary system to be depressurized and its water level lowered for maintenance, if required, and refueling operations without actuation of the Safety Injection System. This manual block switch is interlocked with pressurizer pressure in such a way that the blocking action will automatically be removed as operating pressure is approached. If two-out-of-three pressure signals are above this preset pressure, blocking action cannot be initiated. The block condition will be annunciated in the control room.

7.5.3.2 Steam Generator Water Level Control

The successful operation of the active engineered safety features involves only actuation control functions, with one exception. This exception is the steam generator level control function using the auxiliary feedwater pumps. This level control function involves remote manual positioning of auxiliary feedwater flow control valves in order to maintain proper steam generator water level.

Steam generator water level indication and controls are located in the control room and at a Hot Shutdown Panel located in the other unit's control room.

7.5.3.3 Motor and Valve Control

For starting pump motors, the control relays are energized to energize the closing coil on the circuit breaker or the motor starter. When motor starters are used the starter operating coil will be supplied by power from the same source as the motor. When circuit breakers are used for motor control the circuit breaker closing and trip coils will be supplied by power from a 250 volt dc battery bus described in Chapter 8.

For valve motor control, the control relay causes the coil of the main contactor for the actuating circuit to be energized.

Air actuated containment isolation valves are spring loaded to close upon loss of air pressure.

7.5.3.4 Environmental Capability

The engineered safety features instrumentation and equipment inside the containment is designed to operate under the credible accident environments of a steam-air mixture and radiation.

Table 7.5-2 lists the equipment both inside and outside containment exposed to harsh environments which is required for post-accident operation and indicates whether each is an initiation and/or long-term recirculation time span required component.

Failure of the equipment identified in Table 7.5-2 after the specified time will not increase the severity or consequence of the accident.

The reactor protection control and instrumentation equipment and electrical equipment for engineered safety features located in the auxiliary building will operate in a normal ambient environment following a postulated accident.

A "type" or "similar component" environmental testing program has been completed on the equipment exposed to harsh environment and used for engineered safety features. The current results of this testing are presented in response submittals to Inspection and Enforcement Bulletin 79-01B, "Environmental Qualification of Class 1E Equipment".

Figure 7.5-2 and Figures 7.5-3A¹ and 7.5-3B¹ give the Chapter 14 accident analysis envelope required for predicted in-containment post-LOCA and in-containment Main Steam Line Break (MSLB) conditions, respectively. Outside containment equipment locations and associated environments are discussed in Sub-Chapter 14.4.

¹ Note that the temperature transient in Figure 7.5-3B represented Units 1 and 2 for in-containment equipment qualifications for MSLB conditions until Unit 1 was returned to Normal Operating Pressure/Normal Operating Temperature (NOP/NOT) conditions. Figure 7.5-3A applies to Unit 1 for equipment qualification for MSLB following NOP/NOT implementation. Safety-related equipment inside Unit 1 containment was evaluated during the transition to NOP/NOT and found to be qualified to Figure 7.5-3A conditions.

7.6 IN-CORE INSTRUMENTATION

7.6.1 Design Basis

The in-core instrumentation is designed to yield information on the neutron flux distribution and fuel assembly outlet temperatures at selected core locations. Using the information thus obtained, it is possible to confirm the reactor core design parameters. The system provides means for acquiring data only, and performs no operational plant control.

7.6.2 System Design

7.6.2.1 General

The in-core instrumentation system consists of thermocouples, positioned to measure fuel assembly coolant outlet temperature at preselected locations; and flux thimbles, which run the length of selected fuel assemblies to measure the neutron flux distribution within the reactor core.

The design provides up to 65 thermocouples, two of which are used for half-loop operation in addition to normal and accident conditions, and provides for 58 flux thimbles (Note: For Unit 1, a blind seal has been installed in the flux thimble guide at core location L-13. Therefore, only 57 useable thimble tubes are available). The high pressure seals for the thermocouples and flux thimbles are shown on Figure 7.6-1.

The experimental data obtained from the in-core temperature and flux distribution instrumentation system, in conjunction with previously determined analytical information, can be used to determine the fission power distribution in the core at any time throughout core life. This method is more accurate than using calculational techniques alone. Once the fission power distribution has been established, the maximum power output is primarily determined by thermal power distribution and the thermal and hydraulic limitations, which determine the maximum core capability.

The in-core instrumentation provides information that may be used to calculate the coolant enthalpy distribution, the fuel burnup distribution and the coolant margin to saturation, and to estimate the coolant flow distribution. The in-core thermocouples can be used in detecting inadequate core cooling.

Both radial and azimuthal power symmetry distributions may be evaluated via the comparison of detector and thermocouple information from one core quadrant with similar data from the other three quadrants.

In addition the axial power distribution can be monitored by comparing the relative neutron flux density at a particular core elevation with the total flux averaged over the core's total height.

7.6.2.2 Thermocouples

Chromel-alumel thermocouples are threaded into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate in the upper core support assembly above the exit flow end of the fuel assemblies. The thermocouples are enclosed in stainless steel sheaths within the guide tubes. The support of the guide tubes in the upper core support assembly is addressed in Chapter 3. These thermocouples are divided into two (2) electrically independent channels. Thermocouple readings are monitored by the Plant Process Computer (PPC) with backup indication for a maximum of 60 thermocouples provided by recorders for each channel. The recorders are located in the control room and have manual and automatic point selection. Two of the thermocouples are used for monitoring reactor coolant temperature during half-loop operation. In addition the thermocouples supply temperature signals to the subcooling margin monitors as described in Chapter 4.

7.6.2.3 Movable Miniature Flux Detectors

7.6.2.3.1 Mechanical Configuration

Miniature neutron flux detectors, remotely positioned in the core, provide remote readout for flux mapping and axial power distribution monitoring. The basic system for their insertion is shown in Figures 7.6-2 and 7.6-3. Retractable thimbles, into which the detectors are driven, are pushed into the core through conduits that extend from the bottom of the reactor vessel down through the concrete shield area, then to a thimble seal table.

The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal line.

During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during the refueling to avoid interference within the core. A space above the seal line is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists of six combinations of drive assemblies, five-path rotary transfer devices, and ten-path rotary transfer devices, as shown in Figure 7.6-2. The drive system pushes hollow helical-wrap drive cables into the core. Miniature detectors are attached to the leading ends of the cables and small diameter sheathed coaxial cables are threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a gear motor, which pushes a helical-wrap drive cable and detector through a selective thimble path by means of a special drive box, which includes a storage device that accommodates the total cable length. Further information on mechanical design and support is provided in Chapter 3.

7.6.2.3.2 Control and Readout Description

The control and readout system provides means to rapidly traverse the miniature neutron detectors to and from the reactor core at seventy-two feet per minute, and to traverse the reactor core at twelve feet per minute, while plotting the thermal neutron flux versus detector position.

The control system consists of two sections: one physically mounted with the drive units, and the other contained in the control room. Limit switches in each tubing run provide signals to the path display to indicate the active detector path during the flux mapping operation. Each gear box drives an encoder for position indication. One five-path group path selector is provided for each drive unit to route the detector into one of the flux thimble groups or to storage. A ten-path rotary transfer assembly is used to route a detector into any one of up to ten selectable thimbles. Manually operated isolation valves on each thimble allow free passage of the detector and drive cable when open. When closed, these valves prevent steam leakage from the core in case of a thimble rupture.

Provision is made to separately route each detector into a common flux thimble to permit cross calibration of the detectors.

The control room contains the necessary equipment for control, position indication and flux recording. Panels are provided to indicate the position of the detectors, and for plotting the flux level versus the detector position. Additional panels are provided for such features as drive motor controls, core path selector switches, plotting and gain controls. A "flux-mapping" operation consists of selecting (by panel switches) flux thimbles in given fuel assemblies at various core locations. The detectors are driven to the top of the core and stopped automatically. An x-y plot (position vs. flux level) is initiated with the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner, other core locations are selected and plotted.

Each detector provides axial flux distribution data along the center of a fuel assembly. Various radial positions of detectors are then compared to obtain a flux map for a region of the core.

7.6.3 System Evaluation

The in-core thermocouples monitor the fuel assembly exit temperatures for use in sensing the core radial power distribution. They have the advantage of providing rapid data, which is easily converted to power by determining the enthalpy rise in the instrumented fuel assemblies. When used in conjunction with the movable detector system, the thermocouple data may be normalized to the in-core detector data to reduce the uncertainty associated with the thermocouple measurement, thus providing accurate radial measurements for on-line monitoring. The thermocouple system can be used by the operator to verify dropped rod and rod out of alignment conditions.

The data obtained from the in-core detector instrumentation system in conjunction with previously determined analytical information can be used to determine the 3-D power distribution in the core at any time throughout core life. Hot channel factors FQ and FH obtained from the flux map can be compared with design hot channel factors as required by the Technical Specifications. The allowable power level (APL) which is calculated using the measured FQ is used to determine the power level at which the reactor can be operated.

7.7 OPERATING CONTROL STATIONS

7.7.1 Application of Design Criteria

Each unit of the plant is equipped with a separate control room, which contains those controls and instrumentation necessary for operation of that unit under normal and accident conditions.

The control room is continuously occupied by the operating personnel under all operating and accident conditions, unless the control room should become uninhabitable. This case is discussed in Section 7.7.10.

Sufficient shielding, distance, and containment integrity are provided to assure that control room personnel shall not be subject to doses under postulated accident conditions during occupancy of the control room which would exceed 5 rem TEDE as stated in 10 CFR 50.67. The control room ventilation system is discussed in Chapter 9.

Hot shutdown control is provided for as discussed in Section 7.7.8.

Fire hazards in the control room are limited by its method of construction and outfitting as discussed in Section 7.7.6 and by the Control Room Fire Protection System as described in Section 9.8.1.

7.7.2 General Layout

Each unit has a control room for the centralized control of the unit during startup, normal, shutdown, and emergency operations and local stations for control of the Waste Disposal System and miscellaneous non-critical systems. The control station design and layout is such that all controls, instrumentation displays and alarms required for the safe operation and shutdown of each unit are readily available to the operators.

7.7.3 Design Basis

The plant is equipped with a control room for each unit, which contains the control and instrumentation for the safe operation of the unit during normal and accident conditions.

The control rooms are continuously occupied during all normal and design basis accident conditions by operating personnel unless the control room becomes uninhabitable.

Safe occupancy of the control room during abnormal conditions is provided for in the design of the auxiliary building. Adequate shielding is used to maintain tolerable radiation levels in the control room under accident conditions. The control room is provided with a radiation detector and appropriate alarm. Provisions are made for the control room air to be recirculated through filters. Emergency lighting is provided.

The main control panel for each unit is an enclosed, walk-in, vertical front panel located in the unit's control room. The power supplies, amplifiers, logic cabinets, etc. are located within or behind the control panels. Access to these areas is under the supervision of the operator.

The control panels are designed functionally. Consideration is given to the fact that certain systems require more attention from the operator. The reactor-turbine control systems are prominently located in the central section of the panels.

The design provides the necessary controls to start, operate, and shut down the unit with sufficient information display and alarm monitoring to ensure safe and reliable operation under normal and accident conditions.

Special emphasis is given to maintaining control during accident conditions. The layout of the engineered safety features section of the control board is designed to minimize the time required for the operator to evaluate the system performance under accident conditions. Any deviations from predetermined conditions are alarmed so that corrective action may be taken by the operator.

Alarms and annunciators in the control room provide the operators warning of abnormal plant conditions which might lead to damage of components, fuel or other unsafe conditions. Other displays and recorders are provided for indication of routine plant operating conditions and for the maintenance of records. Indicators and alarms for process and area radiation monitors are located in the control rooms.

A process computer is used to provide supplementary information to the operator, and to effectively assist in the operation of the nuclear steam supply system. The design includes adequate instrumentation to provide the operator with sufficient information for proper and safe operation at all times, irrespective of the availability of the computer system.

The computer system obtains data by scanning analog and digital sensors. It logs data, sequentially logs trip and post trip data, and alarms various off-normal conditions. Monitoring programs are also included for surveillance of reactor control and protection system operations, and for nuclear process calculations.

Computer readout and input facilities are located in the control room.

Annunciators are provided:

1. to light a back lighted legend window or
2. which are displayed as individual windows, with legend, on a Touch Screen Video Display Unit (VDU) or
3. from Digital Control System (DCS) operator Human Machine Interface (HMI) screens and
4. sound an audible alarm when an off-normal condition occurs.

Each annunciator must be individually acknowledged for off-normal indication and again when the indication returns to normal. The annunciator window flashes to aid the operator in identifying an off-normal annunciator and continues to flash until the operator acknowledges the condition.

The annunciator windows are functionally grouped and are located on control panels such that the annunciators are close to the controls of the indicated systems. The audible alarms for the annunciators can be temporarily silenced as a group by a single pushbutton, with accompanying timer and reset button. The use of the pushbutton is administratively controlled for use in conjunction with the emergency procedures only. This feature improves operator communication at a critical time when continual distracting annunciator alarm sounds are likely to occur.

The Annunciator System is primarily powered from the 250 volt station batteries. Certain sub components of this System are supplied from the battery-backed Former TSC inverters and the Critical Control Room Power (CCRP), which is backed up by the 250 volt station batteries. Each annunciator logic section has 250/125 volt dc power supplies which provide power to operate the annunciators in each section and provide 125 volts dc for field contacts. No metallic connection between the 250 volt station battery and the 125 volt power supply exists.

A ground detector, which operates an annunciator, is provided that monitors the 125 volt dc source for field contacts.

In addition to the annunciator, a 256 point sequence of events monitor is provided which produces a record of a sequence of events of certain critical functions to aid in analyzing unit operation. The event monitor is capable of resolving the correct sequence of events with only one millisecond time difference. The sequence of events monitor is supplied from the Critical Control Room Power Inverter.

A unit oscillograph is provided for each unit, which continually monitors certain electrical quantities and critical events. On operation of certain events, the oscillograph will begin printing a record of these quantities, which occurred 8 milliseconds before the initiating device operated, and continue to record these quantities for a predetermined time. The oscillograph is powered from the 250 Vdc station battery.

7.7.4 Control Room Lighting

Lighting fixtures are used for the control room lighting. The normal source of power for these lights is from the normal lighting transformers. In the event of failure of the normal source, the lights are transferred to the standby lighting transformer by means of an automatic throwover switch.

The control room emergency lighting fixtures are interspersed among the normal lighting fixtures to provide uniform illumination. This set of lights is normally deenergized but is energized on failure of both the normal and standby lighting sources. The source of power for the emergency lights is the 250 volt station batteries.

Test facilities are provided for periodic testing of the normal-to-standby throwover switch and for the emergency lighting system.

Areas which are required for safe shutdown of the plant are provided with their own independent emergency lighting system. This system consists of a complete integral lead-acid type battery and lamps with fully automatic charging, control and test facilities.

7.7.5 Plant Communications

The public address system is arranged to permit paging in specific areas of either unit or the entire plant.

The public address system is also used as an evacuation alarm in case of emergency. A sufficient number of stations are provided to alert all in-plant personnel. In addition, strobe lights are provided in high noise areas.

The power supply for paging and evacuation components in each unit is supplied from the Critical Control Room Power Inverter to assure operation of the system during loss of station a-c power.

The plant is provided with a telephone system, independent of the public address system. The receivers are located in the offices, control rooms and most of the paging stations throughout the plant. The telephone system normally receives its power from the 12 kV off-site plant service.

Standby power is also available from the station auxiliary power system. A telephone system battery is provided for approximately 8 hours of continued operation if both its normal and standby ac power sources are lost. In addition a portable radio system is provided for use by the plant fire brigade and plant operations personnel at the local shutdown panels. This system provides communication in all parts of the turbine room, auxiliary building and the containment instrument rooms.

The system consists of fifteen trunked channels divided between two separate repeater / antenna subsystems. Eight trunked channels are housed in one subsystem; seven trunked channels and one conventional channel (used primarily for alerting personal pagers) are housed in a second subsystem. However, only four transmitters at each subsystem will be operating at any time to limit the RF power level being transmitted. Both subsystems are powered by separate uninterruptible power supplies. The radio system also consists of fixed handsets, which are located in various parts of the plant. Each handset is hard-wired back to one or both repeater/antenna subsystems. The network for the handsets is shared between both subsystems. Conductors carrying signals from both subsystems are not kept separate.

7.7.6 Fire Prevention Design

Fire hazards in the control room are limited by the following:

a. The control room construction consists of non-combustible materials.
b. Control cables are of single or multi-conductor construction with insulation rated at 600 V with overall flame retardant jacket. Jute fillers are not used. There is no high pressure fluid piped into the control room, the necessary pressure information being transmitted by low pressure air or electrical signals.
c. Furniture used in the control room is of metal construction.
d. Combustible supplies, such as logs, records, procedures and manuals, are limited to the amounts required for current operation.
e. All areas of the control room are readily accessible for fire extinguishing.
f. Adequate fire extinguishers are provided.
g. The control room is occupied at all times by a qualified person who has been trained in fire extinguishing techniques.

Therefore, a fire, if started, would be of such a small magnitude that it could be extinguished by the operator using a hand fire extinguisher. The resulting smoke and vapors would be removed by the ventilation system.

For additional details of the control room fire protection system, refer to Section 9.8.1.

7.7.7 Control Room Availability

The two unit control rooms are located in the Auxiliary Building, which is a Seismic Class I structure. The control rooms are provided with concrete shielding adequate for safe occupancy during all normal and accident conditions. The control room structure provides protection from missiles.

Each control room is air-conditioned by two independent air conditioning - ventilation systems.

Each system has 100% capacity and consists of Seismic Class I air handling units connected to redundant emergency water supply systems and to separate diesel generators. For additional description, see Chapter 9.

The control rooms are specifically designed to permit the operators to carry out their duties under any credible accident conditions.

7.7.8 Hot Shutdown Control

A hot shutdown control station for each unit is provided in the rear of the other unit's control room.

This control station is a totally-enclosed panel which provides for the operator's supervision and control of those systems and equipment required to maintain the reactor in a hot shutdown condition for an extended period of time.

The instrumentation and equipment control listed below are provided at each Hot Shutdown Panel:

1. Steam Generator Level Indication
2. Steam Generator Pressure Indication
3. Pressurizer Level Indication
4. Pressurizer Pressure Indication
5. Motor Driven Auxiliary Feedwater Pumps
6. Turbine Driven Auxiliary Feedwater Pump
7. Centrifugal Charging Pumps
8. Boric Acid Transfer Pumps
9. Essential Service Water Pumps and Strainers
10. Non-Essential Service Water Pumps
11. Component Cooling Water Pumps
12. Control Air Compressor
13. Wattmeters for Each Diesel Generator
14. Charging Flow Control Valves
15. Emergency Boration Valve
16. Letdown Orifice Isolation Valves
17. Auxiliary Feedwater Valves
18. Steam Generator Atmospheric Relief Valves
19. Backup Pressurizer Heater Groups
20. Communications
21. Non-Essential Service Water Pump Discharge Valves
22. Pressurizer Backup Heater Control
23. Non-Essential Service Water Pump Strainer
24. Reactor Trip Indication
25. Auxiliary Feedwater Flow
26. Main Feedwater Flow
27. Letdown Heat Exchanger Flow
28. Emergency Boron Flow

The hot shutdown panel contains transfer switches. The switches allow transfer of control for specific equipment (e.g., motor driven auxiliary feedwater pumps) and are normally in the remote (i.e., control room) position. With a switch in the local position, an annunciator is alarmed in the control room, and operation of a specific device from the hot shutdown panel is allowed.

7.7.9 Auxiliary Control Stations

Certain auxiliary systems, such as the water treatment plant for makeup water, are controlled locally. Provision for monitoring the operation of such systems, however, is generally provided in both main control rooms. Local control panels are provided for systems and components, which do not require full time operator attendance or are not used on a continuous basis. Examples of such systems are the Waste Disposal System and the Turbine Generator Hydrogen Cooling System. In these cases, however, appropriate alarms are located in the Control Room and are activated to alert the operators of equipment malfunction or approach to unsafe conditions.

7.7.10 Local Shutdown and Cooldown Station

A local shutdown and cooldown capability is provided for emergency shutdown of the unit in the event that the Control Room becomes uninhabitable.

Critical instrumentation is provided at local shutdown panels. These instruments' circuits are switched or isolated to provide independence from faulted areas and are provided with a local power supply independent of the control room.

The operation of required equipment, valves, pumps, etc. is one of local manual action. Emergency procedures identify the equipment needed to effect shutdown and the steps necessary to provide local control.

7.7.11 References for Sections 7.0 - 7.7

1. J. B. Lipchak, R. Bartholomew, "Test Report - Nuclear Instrumentation System Isolation Amplifier", WCAP-7819, December 1971.
2. I. Garber, "Test Report of Isolation Amplifiers," WCAP-7685, June 1971.
3. T. W. T. Burnett, "Reactor Protection System Diversity in W PWR's", WCAP-7306, April 1969.
4. D. N. Katz, "Solid State Protection System Description", WCAP-7672, June 1971.
5. A. Blanchard, D. N. Katz, "Solid State Rod Control System-Full Length", WCAP-7778, December 1971.
6. A. Blanchard, "Rod Position Indication System", WCAP-7571, March 1971 (release).
7. J. B. Lipchak, R. A. Stokes, "Topical Report - Nuclear Instrumentation System", WCAP-7669, April 1971.
8. E. L. Vogeding, "Seismic Testing of Electrical and Control Equipment", WCAP-7817, December 1971.
9. L. M. Potochnik, "Seismic Testing of Electrical and Control Equipment, (Low Seismic Plants)", WCAP-7817, Supplement 2, December 1971.
10. E. L. Vogeding, "Seismic Testing of Electrical and Control Equipment, (W Solid State Protection System)", WCAP-7817, December 1971.
11. R.C. Cobb, "Rod Insertion Limits Computer," W/AEP1-1156, W/AEP 2-0524, March 22, 1996.
12. Acceptability of SPEC 200 MICRO for use in Safety Systems of Nuclear Power Generating Stations, Foxboro QOAAE01, March 1988.
13. Report on the Conformance of SPEC 200 MICRO Software Validation and Verification, Foxboro QOAAE03, October 1988.
14. Report on Methodology used to demonstrate compliance of SPEC 200 MICRO Application Configuration for Specific Project, Foxboro QOAAE04, June 1988.
15. Engineering Control Package (ECP), ECP 12-O0-36, Revision 3; "Post Accident Monitoring Instrumentation".
16. D.N. Katz, "Solid State Protection System Description", WCAP-7488-L, January 1971.
17. Condition Report No. P-00-03357
18. I. Garber, "Test Report of Isolation Amplifiers," WCAP-7508-P-A, May, 1975.
19. R. Goldberg (Westinghouse) Letter to S. Colvis (AEP), AEP-96-083, "Transmittal of SECL-96-078", May 24, 1996.
20. R.L. Jansen, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System", WCAP-10271-P-A, May 1986.
21. AEP:NRC: 3054-15, Donald C. Cook Nuclear Plant Units 1 and 2, Response to Nuclear Regulatory Commission Generic Letter 2003-01: Control Room Habitability
22. T.J. Gruber and M.L. Ryan, "Westinghouse SSPS Board Replacement Licensing Summary Report", WCAP-17867-P-A, October 2014

7.8 POST ACCIDENT MONITORING INSTRUMENTATION

7.8.1 R.G. 1.97 Display Instrumentation

Table 7.8-1 lists the display instrumentation provided to the operator to enable him to perform required manual safety functions and to assess plant and environs conditions during and following an accident.

The display instrumentation is listed by variable types A, B, C, D, and E in the table. The information in the table is based on Regulatory Guide 1.97, Revision 3.

Equipment that is upgraded to meet the requirements of Regulatory Guide 1.97 is seismically qualified in accordance with IEEE 344-1975 unless justified on a case specific basis.

Type "A" variables are those variables that provide the primary information required to permit the control room operator to take specific manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for design basis events. Primary information is information that is essential for the direct accomplishment of the specific safety functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures. Note: These variables are plant-specific and based on review of the D. C. Cook Nuclear Plant Emergency Operating Procedures (EOPs).

Type "B" variables are those variables that provide information to indicate whether safety functions are being accomplished. Plant safety functions are (1) reactivity control, (2) core cooling, (3) maintaining reactor coolant system integrity, and (4) maintaining containment integrity (including radioactive effluent control).

Type "C" variables are those variables that provide information to indicate the potential for being breached or the actual breach of the barriers to fission product release. The barriers are (1) fuel cladding, (2) primary coolant pressure boundary, and (3) containment.

Type "D" variables are those variables that provide information to indicate the operation of individual safety systems and other systems important to safety. These variables are to help the operator make appropriate decisions in using the individual systems important to safety in mitigating the consequences of an accident.

Type "E" variables are those variables as required for use in determining the magnitude of the release of radioactive materials and continually assessing such release.

In some instances, the type "B" through "E" variables are duplicated by the type "A" variable listing. In these instances, reference back to type "A" variable is made because the requirements for type "A" variables are the most stringent.

The parameter, number of channels, range, display location and purpose for each of the variables are listed in the table.

Sufficient duplication of information is provided to ensure that the minimum information required is available. The information is part of the operational monitoring of the plant that is under operator surveillance during normal plant operation. This information is functionally arranged on control boards to provide the operator with ready understanding and interpretation of plant conditions.

The sensors, displays and equipment status that are provided to develop the necessary information to enable the required manual functions to be performed during and following an accident have been environmentally and seismically qualified, as necessary, to meet their intended function.

The range of the Post Accident Monitoring instrumentation extends over the maximum expected range of the variables being measured.

Table 3.3.3-1 in the Technical Specifications provides details of the minimum number of channels of post-accident monitoring instrumentation that are required.

7.8.2 Post-Accident Containment Hydrogen Monitoring

The Post-Accident Containment Hydrogen Monitoring System (PACHMS) is capable of continuously measuring the concentration of hydrogen in the containment atmosphere following a significant beyond design-basis accident for accident mitigation, including emergency planning.

PACHMS is comprised of two sampling-analyzing-control trains. Each train has two subsystems: the hydrogen analyzer panels and the remote control panels. These trains are shown schematically in Figure 7.8-1. Each train is supplied power from a separate Class 1E power supply.

The PACHMS can take samples from nine locations within the reactor containment building (seven in the upper compartment, and two in the lower compartment). After analysis the sample is returned to the containment. These locations provide representative sampling of the containment atmosphere for hydrogen. The location of each area sampled is shown in Figures 7.8-4, 7.8-5 and 7.8-6. The hydrogen sample locations (ports) are identified as ESR-1 to ESR-9 and are located at:

| Sample No./Compartment | Location |
|---|---|
| ESR-1(U) | Steam Generator No. 4 Outside Enclosure Wall |
| ESR-2(U) | East Recombiner Area |
| ESR-3(L) | Lower Containment - East |
| ESR-4(L) | Lower Containment - West |
| ESR-5(U) | Containment Dome - East |
| ESR-6(U) | Containment Dome - West |
| ESR-7(U) | Steam Generator No. 3 Outside Enclosure Wall |
| ESR-8(U) | West Recombiner Area |
| ESR-9(U) | Top of Containment Dome - Center |

(U) - Upper Containment Compartment
(L) - Lower Containment Compartment

Each sampling line penetrates the containment wall independently, and utilizes two in-series containment isolation valves. The motive force for the containment isolation valves in the PACHMS is normally provided from the control air system. A backup system is provided for the purpose of supplying the valves in the event the normal supply is lost. The sample lines then header together into a line to the PACHMS hydrogen analyzer panels. The sampling configuration is shown in Figure 7.8-3.

Four sampling lines are associated with the Train 'A' hydrogen analyzer and five sampling lines are associated with the Train 'B' hydrogen analyzer. Such an arrangement assures that failure of a single electrical train would not result in closure of all PACHMS containment isolation valves (CIVs) with a resultant loss of hydrogen monitoring capability. PACHMS operation requires that the two air-operated CIVs in each sample inlet line and the air-operated CIV in the return line be opened at the same time. The control switches for the PACHMS are of the spring return type to prevent inadvertent valve opening. For the operator to obtain a sample, one switch is used to operate the two CIVs on the sampling inlet line, and one switch to operate the CIV in the return line. It should be noted that, prior to reset of the containment isolation signal, each PACHMS CIV is capable of being closed on a containment isolation signal from either Train 'A' or Train 'B'.

In addition, the PACHMS CIVs are designed to fail closed on loss of air. Failure of the control circuits would also normally cause the valve to close. However, since the PACHMS is fully capable of withstanding exposure to containment design pressure, the hypothetical failure of the PACHMS CIVs to close would not constitute a threat to containment integrity.

Each hydrogen analyzer panel consists of the hydrogen analyzer, associated calibration gas systems, sample pump to transport the containment air sample to the analyzer and back to the containment, and auxiliary components. The hydrogen analyzer panels for each unit are located outside the containment wall in the "controlled access" area on elevation 612' of the Auxiliary Building.

The hydrogen analyzer equipment is mounted in rigidly constructed, enclosed cabinets with penetrations at the top for the sample inlet and outlet lines, calibration and reagent gases, and electrical penetrations. The hydrogen analyzer panels are environmentally and seismically qualified to IEEE 323-1974 and IEEE 344-1975, respectively.

The hydrogen analyzer operates on the principle of thermal conductivity. The instrument has a dual range scale -- 0 to 10 percent and 0 to 30 percent hydrogen by volume.

The calibration (hydrogen) and reagent (oxygen) gas cylinders for the calibration and operation, respectively, of the hydrogen analyzers are located on elevation 587' in each unit's main steam accessway room of the Auxiliary Building. This area was selected to facilitate gas cylinder replacement from a "low-radiation" and easily accessible area during post-accident conditions. All calibration and reagent gas piping and manual shut-off valves are stainless steel and Seismic Class I.

The hydrogen analyzer panels also contain the necessary instrumentation and controls for local calibration of the instrument during routine non-accident periods. The following "local" alarms are provided at the hydrogen analyzer panels to indicate the status of various components:

1. Low Sample Flow to Hydrogen Analyzer
2. Low Calibration (Hydrogen) Gas Pressure
3. Low Reagent (Oxygen) Gas Pressure
4. Low Hydrogen Analyzer Compartment Temperature
5. Hydrogen Analyzer Thermal Conductivity Cell Failure
6. High Hydrogen Concentration

Each of these alarms in turn annunciates a common Hydrogen Monitoring System Abnormal alarm in the unit control room and at the hydrogen analyzer remote control panel.

The four remote control panels, two per unit, were designed to operate all the necessary post-accident hydrogen monitoring instrumentation and controls from a remote, "low-radiation" area. This location is below the spent fuel pool in the spray additive tank room (SATR) on elevation 587' of the Auxiliary Building.

Figure 7.8-2 details the arrangement of the Units No. 1 and 2 remote control panels in the SATR.

The remote control panels are designed and installed in accordance with Seismic Class I criteria. The panels are rigidly constructed, enclosed cabinets with three penetrations at the top for electrical conduit. Each remote control panel contains a dual range hydrogen concentration indicator -- 0 to 10 percent and 0 to 30 percent hydrogen (by volume), a recorder to provide a permanent record of the hydrogen concentration, and the necessary instrumentation and controls for "remote" calibration of the hydrogen analyzers from the SATR.

The remote control panels also contain the control switches for operating the containment hydrogen sample isolation valves and the control switches for the solenoid-operated isolation valves on the sample inlet and outlet lines connected to the hydrogen analyzer panels. The control panel also contains a containment isolation valve selector switching station. Selection of the containment isolation valves for a particular sample can be done manually or automatically via the use of the selector switching station. The selector switching station is an integral part of the hydrogen concentration recorder.

Hydrogen concentration indicators for each hydrogen analyzer remote control panel train are provided on the "Containment Isolation Valves" panel in each unit's main control room. These indicators are dual range instruments having 0 to 10 percent and 0 to 30 percent hydrogen concentration scales.

The Post Accident Containment Hydrogen Monitoring System, including the hydrogen analyzer and control room indication, is sufficiently accurate and useful to allow the plant operator to adequately assess the hydrogen concentration within the containment following a significant beyond design-basis accident.

7.8.3 References for Section 7.8

1. AEP to NRC letter AEP: NRC: 0773AB, Regulatory Guide 1.97, Revision 3 dated October 05, 1988.

2. NRC to AEP letter N91015, Inspection Report 315-316/91-16 Licensing Activities dated August 22, 1991.