Byron/Braidwood Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Controls

ML16357A523
Person / Time
Site:	Byron, Braidwood
Issue date:	12/15/2016
From:	Exelon Generation Co
To:	Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation
Shared Package
ML16357A264	List: ML16357A507 ML16357A508 ML16357A509 ML16357A521 ML16357A523 ML16357A524 ML16357A526 ML16357A529 ML16357A530 ML16357A532 ML16357A533 ML16357A534 ML16357A535 ML16357A536 ML16357A537 ML16357A540 ML16357A545 ML16357A549 ML16357A579 ML16357A580 ML16357A583 ML16357A584 ML16357A591 ML16357A592 ML16357A593 ML17086A588 ML17086A589 ML17086A590 ML17086A591 ML17086A592 ML17086A593 ML17086A595 ML17086A596 ML17086A597 ML17086A598 ML17086A599 ML17086A600 ML17086A601 ML17094A865 ML17095A852 ML17095A866 RS-16-248, Braidwood Nuclear Station, Amendment 27 to Fire Protection Report, Chapter 3.0, Guidelines of BTP Cmeb 9.5-1 RS-16-248, Braidwood Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Technical Requirements Manual RS-16-248, Braidwood Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Technical Specifications Bases RS-16-248, Byron Nuclear Station, Amendment 27 to Fire Protection Report, Chapter 3.0, Guidelines of BTP Cmeb 9.5-1 RS-16-248, Byron Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Technical Specifications Bases RS-16-248, Byron/Braidwood Nuclear Stations, Amendment 27 to Fire Protection Report, Chapter 4.0, Fire Protection Program RS-16-248, Byron/Braidwood Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Appendix B - Construct Material Standards and Quality Control Procedures RS-16-248, Byron/Braidwood Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Appendix C - Deleted RS-16-248, Byron/Braidwood Nuclear Stations, Revision 16 to Updated Final Safety Analysis Report, Appendix D - Computer Programs ... further results
References
RS-16-248
Download: ML16357A523 (374)
v • d • e

Text

B/B-UFSAR 7.4-1 REVISION 9 - DECEMBER 2002 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the pr imary and secondary of the nuclear steam supply system. These ch annels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protectiv e functions. There are no identifiable safe shutdown systems per se. Howe ver, prescribed procedures for securing and maintaining the pla nt in a safe c ondition can be instituted by appropriate alig nment of selected systems in the nuclear steam supply system. The disc ussion of these systems together with the applicable c odes, criteria a nd guidelines is found in other sections of the Byron/Bra idwood Updated Final Safety Analysis Report.

In addition, alignm ent is initiated during the safety in jection mode by the engineered safety features actuation system by m eans of the final actuation circuitry discussed in t he subsections u nder 7.3.1.1. This final actuation circuitry co nsists of the dry contacts of the slave relays and their assoc iated output circuits in the solid state protection system (SSPS) and t he field wiring up to the inputs of the actuation devices.

For the description of the actuation devices and the actuated equipment, refer to the appropriate subsections in Chapters 6.0, 9.0, and 10.0 as identified in the subsections under 7.3.1.1. For example, Subsection 7.3.1.1.4 refers to 10 (a through j) key functions initi ated by the final SSPS actuation c ircuitry. For the d erivation of the logic functions that generate ESFAS, refer to Tabl es 7.3-1, 7.3-2, and 7.3-3, as well as Dr awings 108D685. F ollowing the safety injection mode, and fo llowing a LOCA, realignm ent of certain fluid system ECCS eq uipment occurs for c old leg recirculation.

For the description of this phase of shutdown follow ing a LOCA, refer to Subsection 6.3.2.8. For the description of hot leg recirculation realignment following a LOCA, refer to Table 6.3-7.

Systems and instrumentation which may be used for post-fire safe shutdown are discussed in Section 2.4 of the Fire Protection Report.

The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed in this section are the minimum number under nonaccident conditions.

These functions will permit the necessary operation that will:

a. prevent the reactor from achieving criticality in violation of the technic al specifications, and

b. provide an adequate heat sink such that design and safety limits are not exceeded.

7.4.1 Description

The designation of sys tems that can be used for safe shutdown depends on identifying t hose systems which p rovide the following capabilities for maintai ning a safe shutdown:

B/B-UFSAR 7.4-2 REVISION 9 - DECEMBER 2002 a. boration, b. adequate supply for auxiliary feedwater, and

c. residual heat removal.

These systems are identified in the following subsections together with the associated i nstrumentation and controls provisions. The ident ification of t he monitoring indicators (Subsection 7.4.1.1) and controls (Subsection 7.

4.1.2) includes those necessary for main taining hot standby.

The plant can be maintained safely at hot standby for an extended period of time from outside the control room.

The Technical Specifications place no time limit on m aintenance of hot st andby following a control room evacuatio

n. The procedure for maintenance of hot standby following cont rol room evacuation is included in the procedures written by the operat ing staff. These procedures are available for review at the site.

The plant is placed in hot (shutdown) standby by initiating a reactor trip. T his may be done by opera tor action at the main control room (MCR), at t he reactor trip switchgear l ocation, or by tripping the turbine locally or in the MCR.

The equipment and serv ices and approximate time required for a cold shutdown are identified in Subsection 7.4.1.4.

7.4.1.1 Monitori ng Indicators The characteristics of these indicators, which are provided outside as well as in side the c ontrol room, are described in Section 7.5. The necessary indicators are liste d in Table 7.4-1.

B/B-UFSAR 7.4-3 7.4.1.2 Controls 7.4.1.2.1 General Considerations

a. The turbine is tripped (note that this can be accomplished at the turb ine as well as in the control room).

b. The reactor is tripped (note that this can be accomplished at the reac tor trip switchgear as well as in the control room).

c. All automatic sy stems continue functioning (discussed in Sections 7.2 and 7.7).

d. For equipment having con trols outside the control room (which duplicate the functions inside the control room), the contr ols are provided with a selector switch which tr ansfers control of the switchgear from the control room to a local station.

Placing the local selector switch in the local operating position gives an annunciating alarm in the control room and turns o ff the indic ating lights on the control room panel.

7.4.1.2.2 Pumps and Fans The following pumps and fans are available f or safe shutdown.

Equipment considered necessary for safe shutdown is powered from ESF buses. Control is provided at t he main control board and locally as shown.

ESF MCB Local Equipment Power Control Control Auxiliary Feedwater Pumps Yes Yes Yes Centrifugal Charging Pumps Yes Yes Yes Boric Acid Transfer Pumps No Yes Yes Essential Serv. Water Pump Yes Yes Yes Component Cooling Water Pump Yes Yes Yes Reactor Containm ent Fan Coolers Yes Yes Yes Control Room V entilation Unit including Control Room Air Inlet Dampers Yes Yes Yes Primary Water Ma keup Pumps No Yes Yes 7.4.1.2.3 Diesel Generators These units start auto matically following a loss of normal a-c power or receipt of a safety injection.

B/B-UFSAR 7.4-4 REVISION 13 - DECEMBER 2010 7.4.1.2.4 Valves and Heaters The following valves and heaters are available f or safe shut-down. Valves re quired for safe shutdown are powered from ESF buses. Control is avail able from the main control board and locally as shown.

ESF MCB Local Equipment Power Control Control Charging Flow Control Valve No Yes Yes Letdown Orifice Isolation Valves No Yes Yes

Aux. Feedwater Control Valves Yes Yes Yes Main Steam Dump Valves No Yes No Power-Operated Atmospheric Steam Relief Yes Yes Yes Pressurizer Heater Control No Yes Yes Emergency Boration Isolation Valve No Yes Yes

Self-Activated Atmospheric Steam Safety Valves N/A N/A N/A The remote shutdown pane ls, except the one f or Train B of the control room ventilati on (VC) system, are located at plant elevation 383 feet 0 inch in t he radwaste control area. The remote shutdown pane l for Train B of the VC system is located at plant elevation 364 feet 0 inch at colum n/row 23/M in the auxiliary building.

The main control room panels and the remote shutdown panels are located in separate ph ysical locations, on separate elevations, with separate ventilation syst ems and multiple communication systems, and with lighted ac cess routes between the three locations. Therefore, no single credible ev ent which will cause evacuation of the ma in control room will also cause the remote shutdown panels to be in operable or inaccessible.

The remote shutdown pa nels are provided with the necessary instrumentation and co ntrols for prompt shutdown to the hot standby condition and the ability to maintain the unit in a safe condition pursuant to NRC Gene ral Design Criterion 19. See Section 2.4 of the F ire Protection Report fo r available post fire remote shutdown controls and instrumentation.

7.4.1.3 Control Room Evacuation

It is noted that the instrumen tation and controls listed in Subsections 7.4.1.1 and 7.4.1.2 which are used to achieve and maintain a safe shutdown are ava ilable in the ev ent an evacuation of the control room is required. See Sectio n 2.4 of the Fire Protection Report fo r available post fire remote shutdown controls and instrumenta tion. These c ontrols and instrumentation channels together with the equip ment identified in Subsection 7.4.1.4 identify the p otential capability fo r cold shutdown of B/B-UFSAR 7.4-4a REVISION 13 - DECEMBER 2010 the reactor subsequent to a cont rol room evacuation through the use of suitable procedur es. The design basis for control room evacuation does not cons ider a concurrent co ndition II, III, or IV event, nor a single failure.

B/B-UFSAR 7.4-5 7.4.1.4 Equipment and System s Available for Cold Shutdown

a. Reactor coolant pump (see Su bsection 5.4.1).

b. Auxiliary feedwater pumps (see Subsect ion 10.4.9).

c. Boric acid t ransfer pump (see Subsection 9.3.4).

d. Charging pumps (see Subsection 9.3.4).

e. Essential service water pumps (see Sub section 9.2.1).

f. Reactor containment fan coolers (see Subsection 6.2.2). g. Control room ventilati on (see Subsection 9.4.1).

h. Component cooling pu mps (see Sub section 9.2.2).

i. Residual heat removal pu mps (see Subsection 5.4.7) (see Note).

j. Certain motor co ntrol center and swi tchgear sections.

k. Controlled steam release and feedwater supply (see Section 7.7 and Subs ection 10.4.7).

1. Boration capability (see Subsection 9.3.4).

m. Nuclear instru mentation system (source range or intermediate range) (see Sec tions 7.2 and 7.7) (see Note). n. Reactor coolant inventory control (charging and letdown) (see Subsection 9.3.4).

o. Pressurizer pressure con trol including opening control for pressurizer relief valves (heaters a nd spray) (see Subsection 5.2.2) (see Note).

Note The following equipment is associated with i nstrumentation and controls which may requi re some modification in order that their functions may be performed f rom outside the control room:

a. Residual heat removal pumps.

b. Nuclear instru mentation system (source range or intermediate range).

c. Pressurizer pressure con trol including opening control for pressurizer relief valve s (heaters a nd spray).

B/B-UFSAR 7.4-6 REVISION 7 - DECEMBER 1998 d. Safety injection signal circuit (must be defeated).

e. Accumulator isolatio n valves (closed).

Note that the reacto r plant design does not preclude attaining the cold shutdown condition from out side the control room. An assessment of plant cond itions can be made on the long-term basis (a week or more) to es tablish procedures for making the necessary physical modifications to instru mentation and co ntrol equipment in order to attain cold shutdown. During such time the plant could be safely maintained at hot shutdown condition.

The plant can be taken to cold shutdown from l ocations outside the control room. T his will be demonstr ated in Start-Up Test 2.63.35, "Shutdown From Outside the Control Ro om." This Start-Up Test will satisfy the requirem ents of Regulato ry Guide 1.68.2.

The actions required for thi s operation are as follows:

a. The reactor will be tripped.

b. Shift Manager will go to the technical support center.

c. Turbine trip and closure of the governor valves, stop valves, reheat stop valves, and intercept valves will be verified.

d. Actuation of safety injection will be checked.

e. The shutdown pan el will be manned.

f. Local control will be es tablished at the shutdown panel.

g. Auxiliary feedwa ter will be verified.

h. A decreasing RCS average tem perature will be verified.

i. Pressurizer pressure a nd level will be verified.

j. Steam generator leve ls will be verified.

k. Shutdown boron concentration will be established.

l. Intermediate range f lux will be verified.

m. Stable plant conditi ons will be verified.

n. One RCFC (minimum) will be verified to be running.

o. All CRDM exhaust fans will be verified to be running.

p. One RCP (minimum) will be verified to be running.

B/B-UFSAR 7.4-7 REVISION 7 - DECEMBER 1998 q. Steam will be dumped manually, using the steam generator PORVs to cool the plant.

r. Charging pump suction will be switched to the RWST.

s. Letdown flow will be red uced by selection of the 45 gpm orifice block valve.

t. VCT level will be monitored.

u. Steam generator level will be maintained.

v. Pressurizer level will be verified.

w. Pressurizer heaters will be turned off a nd auxiliary spray will be used to reduce RCS pressure.

x. Safety injection will be blocked.

y. The accumulator isolation valves will be closed as RCS pressure is reduced to below 1000 psig.

z. RCS pressure and temperature will be reduced to conditions for RH initiation.

aa. Temporary air regulators will be install ed for local control of the RH throttle valves.

bb. An additional co mponent cooling pump will be started.

cc. The component coolin g outlet isolation valve from the RH heat exchanger will be opened.

dd. A RH pump will be started.

ee. RH boron concentrati on will be established.

ff. The RH pump will be stopped.

gg. The RH pump suction will be switched to the hot legs.

hh. The RH pump will be started.

ii. The RH throttle valves w ill be used to control the cooldown.

The required equipment and instrumentation is located at the shutdown panel (383-N-23) except as follows:

a. The reactor trip switc hgear is located in the auxiliary building 451 elevation.

B/B-UFSAR 7.4-8 REVISION 13 - DECEMBER 2010 b. The turbine trip verific ation will occur on the turbine deck 451 elevation.

c. Charging pump suction will be switched by the use of jumpers at the M CCs for the valves.

d. Safety injection will be blocked by the use of jumpers in the auxil iary electric room.

e. Groups C and D pressurizer h eaters will be deenergized at the 4 80V feed breakers.

f. The accumulator isolation valves will be closed by the use of jumpers at the MCCs for the valves.

g. The RH throttle valves w ill be controlled locally.

h. The RH pump will be started and stopped at the 4160V switchgear.

i The component coolin g outlet isolation valve from the RH heat exchanger will be opened by the use of a jumper at the valve MCC.

j. The RH pump suction will be switched to RCS hot leg by the use of ju mpers at valves MCCs.

k. Train B components of the VC System will be operated as required from the rem ote shutdown panel at elevation 364 feet 0 inch of the auxiliary building.

Note that Train A components of the VC System are on the shutdown panel at el evation 383 feet 0 inch (N-23). All equipment and instru mentation required f or cold shutdown is accessible. Keys, jum pers, self-contained e mergency breathing apparatus, and other equipment is available at the shutdown panel.

7.4.2 Analysis

Hot standby is a stable plant co ndition, automat ically reached following a plant shutdown. The hot standby c ondition can be maintained safely for an extended period of time. In the unlikely event that access to the control room is restricted, the plant can be safely kept at hot standby until the control room can be reentered by the use of the monitoring indicators and the controls listed in Sub sections 7.4.1.1 and 7.4.1.2. These indicators and c ontrols are provided out side as well as inside the control room. See Section 2.4 of the Fi re Protection Report for available post fire remote shutd own controls and instrumentation.

Safety analyses for in dividual systems and components listed previously in this s ection are discussed in their respective UFSAR sections. For example, an analysis of loss of cooling B/B-UFSAR 7.4-8a REVISION 7 - DECEMBER 1998 water to vital equipment is pres ented with the safety analysis for the essential service water system in Subs ection 9.2.1.2.3.

This system is redunda nt and designed to accommodate single failure. The safety analysis for the component cooling water system is presented in Subsection 9.2.2.

4. This system is redundant and designed to accommodate single failure. Thus, complete loss of either essential service water or component cooling water is not a credible event.

B/B-UFSAR 7.4-9 REVISION 7 - DECEMBER 1998 Furthermore, all equipment which is relied upon to place the unit in a safe shutdown condition and which requires cooling water to operate is redundant so that loss of c ooling water to a single piece of equipment will still leave its redund ant counterpart in operable condition.

Instrumentation and cont rols duplicated at e ither the remote shutdown panels or on local pane ls are designed to maintain separation and i solation of redundant ch annels, assure access to appropriate controls at either location in the event of emergencies, and to prevent un due loss of reliability.

For instrumentation and controls mounted locally which duplicate instrumentation and cont rols mounted in the main control room, separation is maintained through out the station cable tray and conduit system and t he local control panels where the instrumentation and cont rols are located.

A discussion of the cable tray and c onduit system is contained in Subsection 8.3.1.4.

Local control panels m aintain the separa tion of redundant instruments and controls by the use of internal physical barriers in panels which cont ain redundant systems or by the use of separate control panels for re dundant systems.

The remote shutdown panel at elev ation 383 feet 0 i nches is of the first design with three sect ions; two sections for the two redundant ESF trains and one section for the non-s afety-related trains and all separated by internal physical b arriers. The remote shutdown panel for Train B of the VC Syst em at elevation 364 feet 0 inches is of the second design with c omponents of one division with adequate separation or b arriers between the one division of Class 1E components and the non-safe ty related compo nents and wiring.

Normal control of equi pment and systems whic h have duplicated local controls and instrumentation is ac complished in the main control room. In th e event of a main contro l room evacuation, local control functions are established at l ocal control panels which are located in controlled access areas of the station.

Access, location, and communications for the remote shutdown panel are discussed in Subsection 7.4.1.

For control circuits, local control is establi shed by use of selector switches provided on the local con trol panels which transf er control from the main control room to the local control panel.

A selector switch is provided for each circuit.

For the remote s hutdown panel, switching to local control causes an annunciator alarm to sound in the main control room. A d iscussion of the selector switches as applied to the remote shutd own panel is c ontained in Subsection 7.4.1.2.1.d.

Local control p anel instrumentation such as analog indicators require no transfer as th ey are normally energized and operating.

Reliability of instrumen ts and control which locally duplicate instruments and controls in the main control room is maximized by using the same stand ards for design, procurement, and installation as are us ed for main control room equipment.

B/B-UFSAR 7.4-9a REVISION 7 - DECEMBER 1998 The safety evaluation of the mai ntenance of shutdown with these systems and associated i nstrumentation and c ontrols has included consideration of the accident co nsequences that might jeopardize safe shutdown conditions.

The accident cons equences that are

B/B-UFSAR 7.4-10 REVISION 13 - DECEMBER 2010 germane are those that w ould tend to degrade the capabilities for boration, adequate supply for auxiliary feedwate r, and residual heat removal.

The results of the accident anal ysis are presented in Chapter 15.0. Of these, the fol lowing produce t he most severe consequences that are pertinent:

a. uncontrolled boron dilution,

b. loss of norm al feedwater, c. loss of external electri cal load and/or turbine trip, and d. loss of nonemergency a-c power to the station auxiliaries.

It will be shown by these analys es that safety is not adversely affected by these incidents with the associated assumptions being that the instrumentation and c ontrols indicated in Subsections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown. See Section 2.4 of the Fire P rotection Report for available post fire remo te shutdown controls a nd instrumentation.

These available syst ems will allow a mai ntenance of hot standby even under the a ccident conditions listed above, which would tend toward a return to c riticality or a loss of heat sink.

The results of the analysis which determined the applicability to the nuclear steam supply system safe shutdown systems of the NRC General Design Crite ria, IEEE 279-1971, applicable NRC regulations, and other i ndustry standards are presented in Table 7.1-1. The functions co nsidered and listed be low include both safety-related and non-s afety-related equipment:

a. reactor trip system, b. engineered safety fe atures actuation system, c. safety-related displ ay instrumentation for postaccident monitoring,

d. main control board, e. remote s hutdown panel, f. residual heat removal,

g. instrument power supply, and

h. control systems.

For discussions addressi ng how these require ments are satisfied, see Table 7.1-1.

B/B-UFSAR 7.4-11 REVISION 9 - DECEMBER 2002 TABLE 7.4-1 REMOTE SHUTDOWN MONITORI NG INSTRUMENTATION

INSTRUMENT READOUT LOCATION TOTAL NO. OF CHANNELS

1. Intermediate Ran ge Neutron Flux PL06J 2 2. Source Range N eutron Flux PL06J 2 3. Reactor Coolant Temp erature - Wide Range a. Hot Leg b. Cold Leg PL05J PL05J 1/loop 1/loop 4. Pressurizer Pressure PL06J 1 5. Pressurizer Level PL06J 2 6. Steam Generator Pressure PL04J/PL05J 1/stm gen

7. Steam Generator Level PL04J 1/stm gen

8. RHR Temperature LOCAL 2 9. Auxiliary Feedwater Flow Rate PL04J/PL05J 2/stm gen

B/B-UFSAR 7.5-1 7.5 SAFETY-RELATED D ISPLAY INSTRUMENTATION (Regulatory Guide 1.97)

7.5.1 Description

Table 7.5-1 lists the information readouts p rovided to the operator to enable him to perf orm required manual safety functions, and to de termine the effect of manual actions taken following a reactor trip due to a Condition II, III, or IV event, as defined in Chapter 15.0. Table 7.5-1 lists the i nformation readouts required to maintain the plant in a hot standby condition or to proceed to cold shutdown within the limits of the technical specifications. Rea ctivity control af ter Condition II and III faults resulting in a reactor trip or a safety injection will be maintained by administrative sam pling of the reactor coolant for boron to ensure that the concentration is sufficient to maintain the reactor subcritical.

Table 7.5-2 lists the information available to the operator for monitoring conditions in the reactor, the reactor coolant system, and in the containment a nd process systems t hroughout all normal operating conditions of the plant, inc luding anticipated operational occurrences.

All safety function ac tuations are initiated automatically so that no decision or manu al action of controls is required by plant operations perso nnel. All events that automatically initiate auxiliary feedwater req uire the operator to manually terminate the flow to preven t steam generato r overfill.

Intelligence of the sy stem responses is provided to the operator by control room instrumentation so that faults in the actuation of safety equipment can be diagnosed.

The following main control board devices indicate this intelligence:

a. Three indicating lights are provided for each pump control switch.

They indicate pump stopped, pump automatic trip, and pump run ning. Two indicating lights are provided for each valve c ontrol switch.

They indicate valve closed and valve open, and both lights are on when the valve is in the intermediate position.

b. Status lights -

A light in the s tatus light grouping is provided to indicate that a channel of instrumentation that can ini tiate a safety function has been actuated.

c. Monitor lights - A light in the monitor light grouping is provided for each pump (running) and for each valve (open, closed) that is an engineered safety feature (ESF). The assignment of a component to a light grouping is determined by th at component's operation as follows:

B/B-UFSAR 7.5-2 Group 1 Group 1 lights monit or those compone nts whose status is essential for advance readiness to actuate the engineered safety fe atures. These lights should all be dark during n ormal operation.

Group 2 Group 2 lights monitor t hose engineered safety features components which must actuate during the injection phase of an accide nt. These l ights should all light for an accident.

Some of these lights may be lit during normal operation, for in stance component cooling, centrifugal charging, and essential service water pumps and fans running.

Group 3 Group 3 monitors those valve s required to close for containment isolation Phase A. They a re separated to show pairs of re dundant valves subject to closure by the A and B trains. These l ights should all light for an accident. Some of these lights may be lit during normal operation, fo r instance sample line isolation valves. Group 4 Group 4 monitors those compo nents which must be changed to achieve the cold leg reci rculation mode.

The transition from injectio n mode to cold leg recirculation is done manually by the plant operators.

This group is used as a guide, realigning 18 valves and restarting the R HR pumps until a ll lights in this group are lit. Some of the lights m ay be lit during normal operation or nonaccid ent cooldowns, such as centrifugal charging and RHR pump lights.

Group 5 Group 5 monitors those compo nents which must be changed to achieve the hot leg recir culation mode.

The transition from co ld leg recirculation to hot leg recirculation mode is done manually by the plant operators. This group is us ed as a guide, realigning eight valves and checking th at the RHR p umps continue running until all lights in th is group are l it. Some of the lights may be l it during normal operation or nonaccident cooldowns, such as centrifugal charging and RHR pump lights.

B/B-UFSAR 7.5-3 Group 6 Group 6 monitors tho se components wh ich actuate on a high-high or a high-high-high containment pressure signal, including the co ntainment spray system components, containment isolation Phase B components, and the main steam isolation valves.

In nonaccident conditions, these lights wil l usually be all dark except during sy stem testing or isol ation of a steam generator.

Additional infor mation pertaining to the monitor lights is as follows:

1. A mechanism for testing light bu lbs is provided in each light group.

2. Group 1 is dark for no rmal operations. Groups 2 and 6 are lit for accide nt conditions as defined above, and in some ins tances may have several lights lit during vari ous normal operations.

3. When a monitor light is energize d, the statement written on the window is true.

Since all the lights in a particular grouping operate in the same mann er, a component fail ure is readily apparent.

d. Pump motor amm eters - provided for engineered safety feature pump motors supplied from 4160-volt buses.

No credit is taken f or the annunciat or and computer systems as an information display since they a re not designed as engineered safety features. Howe ver, this does n ot preclude their availability as a useful dia gnostic tool in a postincident review. 7.5.2 Analyses The indicator channels (see Table 7.5-1) requi red to enable the operator to take the correct a ction during t he course of a Condition II, III, or IV accident or during postaccident recovery were designed to the criteria listed in Subsec tion 7.5.3.

The indicators in Table 7.5-1 are used f or the operational monitoring of the plant and are thus under surveillance by the operator during normal p lant operation.

The indicators are functionally arranged on the control board to provide the operator with ready understanding and int erpretation of plant conditions.

Comparisons between dupl icate information ch annels or between functionally related c hannels will enable th e operator to readily identify a malfunction in a particular c hannel. The range of the readouts extends over the maximum expected range of the variable being measured.

The combined in dicated accuracies are within the errors used in the saf ety analyses, as s hown in Table 7.5-1.

B/B-UFSAR 7.5-4 The readouts identified in Table 7.5-1 were se lected on the basis of sufficiency and a vailability during a nd subsequent to an accident for which they are necessary. Thus the occurrence of an accident does not render the i nformation required for that accident unavailable, and the st atus and reliability of the necessary information are known to the operator before, during, and after an accident.

7.5.3 Design

Criteria

7.5.3.1 Scope The scope of IEEE 279-1971 cov ers protection systems that initiate automatic prote ctive actions. Therefor e, in the absence of applicable industry standards for the pos taccident monitoring system (PAMS), the following criteria we re developed using applicable secti ons of IEEE 279-1971 as a model.

The environmental and seismi c qualification of equipment including these sensors is covered in Se ctions 3.10 and 3.11.

The following criteria e stablish requirements for the functional performance and reliability of t he safety-rela ted PAMS for nuclear reactors produci ng steam for electri c power generation.

For purposes of these criteria, the nuclear power generating station safety-related PAMS encompasses those electric and mechanical devices and circuitry which provide information needed to: a. enable the ope rator to take the corr ect manual action during the course of a Condition II, I II, or IV fault or during recovery from a Condition II, III or IV fault; and

b. maintain safe shutdown.

7.5.3.2 Definitions The definitions in this section establish th e meanings of words in the context of their use in t hese criteria.

Channel - An arrangement of components and mod ules as required to generate a single information si gnal to monitor a generating station condition.

Components - Items from which the system is assembled (for example, resistors, capa citors, wires, connect ors, transistors, tubes, switches, springs, etc.).

Module - Any assembly of inter connected components which constitutes an identifiable devi ce, instrument, or piece of equipment. A module c an be disconnected, remo ved as a unit, and replaced with a spare. It h as definable performance characteristics which

B/B-UFSAR 7.5-5 REVISION 1 - DECEMBER 1989 permit it to be tested as a unit. A mod ule could be a card or other subassembly of a larger device, pr ovided it meets the requirements of this definition.

Postaccident Mon itoring Function - A postaccident monitoring function consists of the sensi ng of one or more variables associated with a particular gen erating station cond ition, signal processing, and the pres entation of visual inf ormation (including recorded information) to the operator.

Monitoring System - Where not otherwise qualified, the words "monitoring system" refer to the nuclear power generating station postaccident monitoring system as defined in Table 7.5-1.

Type Test - Tests made on one or mor e units to verif y adequacy of design.

7.5.3.3 Requirements 7.5.3.3.1 General Func tional Requirements The nuclear power generating sta tion PAMS shall function with precision and reliability to con tinuously display the appropriate monitored variables. This requi rement shall apply for the full range of conditions and performance enumerated.

7.5.3.3.2 Information Readout One of the channels used to moni tor each parameter shall also be recorded to provide a historical rec ord of the b ehavior of the parameters. The equipme nt used to record in formation need not be redundant nor meet the single-failure criterion.

7.5.3.3.3 Single-F ailure Criterion Any single failure wit hin the PAMS shall not result in the loss of the monitoring fu nction. ("Single fa ilure" includes such events as the shorting or open-circuiting of interconnecting signal or power cables.

It also includes single credible malfunctions or events that cause a numb er of consequential component, module, or channel failures. For example, the overheating of an amplifier mo dule is a sing le failure even though several transistor failures result.

Mechanical damage to a mode switch wo uld be a "single failure" although several channels might b ecome involved.)

7.5.3.3.4 Quality of C omponents and Modules Components and m odules are of a quality that is consistent with minimum maintenance requ irements and low failu re rates. Quality levels are achieved through the specific ation of requirements known to promote high quality, s uch as requireme nts for design, for the derating of co mponents, for manufact uring, quality control, inspection, c alibration, and test.

B/B-UFSAR 7.5-6 7.5.3.3.5 Equipment Qualification Type test data or re asonable engineering ext rapolation based on test data shall be a vailable to veri fy that PAMS equipment shall meet, on a continuing basis, t he performance requirements determined to be necessa ry for achieving the s ystem requirements.

Qualification of recorders s hall verify operability only following (not during) a seismic event.

Accelerating forces associated with the pen during the shake period can cause an ink blur of the record d uring this period, a nd in some cases a mechanical loosening of the pens might be encountered. The qualification testing program is discussed in Section 3.10.

7.5.3.3.6 Channel Integrity All PAMS channels are designed to maintain neces sary functional capability including accuracy and rang e, under extremes of conditions (as appli cable) relating to environment, energy supply, and malfunctions.

7.5.3.3.7 Channel Independence Channels (exclusive of recorders as clar ified in Subsection 7.5.3.3.2) that provide signals for the same monitoring function are independent and phys ically separated to ac complish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis, and to reduce the likeliho od of interactions between channels during maintenance operations or in the event of channel malfunction.

Malfunctions, accidents, and other unusual events include, for ex ample, fire, exp losions, missiles, lightning, ear thquakes, etc.

7.5.3.3.8 Power Source The PAMS display instrumentati on is capable of operating independent of offsite p ower availability.

7.5.3.3.9 Postaccident Monitoring System and Control System Interaction

1. Classification of Equipment

Any equipment that is used for both postacci dent monitoring and control functions is classified as p art of the PAMS.

2. Isolation Devices The transmission of signals from the postaccident monitoring equipment for control or monitor ing is through i solation devices which are classified as part of the PAMS and meet all the requirements of this UFSAR. No credible failure at the output of an isolation device prevents the associa ted PAMS channel from

B/B-UFSAR 7.5-7 REVISION 8 - DECEMBER 2000 meeting the minimum perf ormance requirements considered in the design bases. E xamples of credible fail ures include short circuits, open circuits, grounds, and the application of the maximum credible a-c or d-c potential (t ypically 130-Vdc or 118-Vac). A failure in an isolation dev ice is evaluated in the same manner as a failure of ot her equipment in the PAMS.

7.5.3.3.10 Derivation of System Inputs Inputs to the monitori ng system are derived fr om signals that are direct measures of the desired varia bles. In many cases, the channels listed also bear a known relationship to each other during normal pl ant operation.

7.5.3.3.11 Capability for Sensor Checks Means are provided for checking, with a high degree of confidence, the operational avai lability of each system input sensor during re actor operation.

7.5.3.3.12 Capability f or Verifying Operability Means are available for verifying the operability of the monitoring system ch annels. Identificat ion of malfunctions is adequately identified by cross-checking between duplicate redundant channels or cross-checking between channel s that bear a known relationship to each oth er during normal p lant operation.

7.5.3.3.13 Channel Bypass or Removal from Operation (RG 1.47)

The system is designed to permit any one channel to be maintained when required during p ower operation. Durin g such operation the active parts of the sy stem need not themselv es continue to meet the single-failure cri terion. As such, monitoring systems comprised of two redundant chann els are permitted to violate the single-failure criteri on during channel bypa ss provided that acceptable reliabili ty of operation can be otherwise demonstrated. T he bypass time interval allowed for a maintenance operation is specified in Te chnical Specification 3.3.3.

Bypass indication may be app lied administratively or automatically.

7.5.3.3.14 Access to Means of Bypassing The design permits t he administrative contro l of the means for manually bypassing channels.

7.5.3.3.15 Access to Setpoint Adj ustments, Calibrat ion, and Test Points The design permits t he administrative contro l of access to all setpoint adjustments, module cal ibration adjustments, and test points.

B/B-UFSAR 7.5-8 7.5.3.3.16 Identification of Monitoring Functions Displays are indicated a nd identified down to the channel level.

7.5.3.3.17 System Repair The system is designed to facili tate the recogni tion, location, replacement, repair, or adjustment of malfun ctioning components or modules.

7.5.3.3.18 Identification In order to provide assu rance that the requireme nts given in this UFSAR can be applied dur ing the design, construction, maintenance, and operation of the plant, the postaccident monitoring system equi pment (for example, inte rconnecting wiring, components, modules, etc.), is identified distinctively to distinguish between redu ndant portions of the monitoring system.

Installed items of equ ipment, components, or modules mounted in assemblies that are clea rly identified as being in the monitoring system do not themselves require identification.

B/B-UFSAR 7.5-9 REVISION 9 - DECEMBER 2002 TABLE 7.5-1

MAIN CONTROL BOARD IND ICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR (CON DITION II, III AND IV EVENTS)*

1. Wide Range Thot and Tcold ______________

____________

a. Minimum Requirement A minimum of two Thot and two Tcold indicator channels. The T hot channels must be on separate power s upply from the Tcold channels. Capability of recordi ng either Thot or Tcold in one non-isolated lo op must be provided.

b. Range - 0 to 700

°F. Indicated Purpose Accuracy 1. Maintain the

+/- 8% of plant in a safe full range shutdown condition

2. Ensure proper

+/- 8% of cooldown rate full range

3. Ensure proper

+/- 8% of relationship between full range system pressure and temperature.

2. Pressurize r Water Level

a. Minimum Re quirement Two channels on sepa rate power supplies with one channel recorded.

b. Range - entire d istance between taps.

• Station specific indicated accuracies found in calculation BRW-99-0017-1/

BYR-99-010.

B/B-UFSAR 7.5-10 TABLE 7.5-1 (Cont'd)

c. Purpose Accuracy 1. Maintain proper Sufficient accuracy reactor coolant to indicate water inventory level is above pressurizer heaters and below 100% of span.

(about +/- 25% of span)

2. Determine return Same as above of water level to pressurizer folllowing steam break and steam generator tube ruptures.

3. System Wide Range Pressure

a. Minimum Requirement Two channels on sepa rate power supplies with one channel recorded.

b. Range - 0 to 3000 psi.

c. Purpose Accuracy 1. Ensure proper

+/- 8% of relationship between full system pressure and range temperature.

4. Containm ent Pressure

a. Minimum Requirement Two channels on sepa rate power supplies.

Means must be provided to record one of th e channels follo wing a high energy line break inside containment

b. Range - 0 to 115% of containment design pressure

c. Purpose Accuracy 1. Monitor containment

+/- 4% of conditions following full primary or secondary scale system break inside containment.

B/B-UFSAR 7.5-11 TABLE 7.5-1 (Cont'd)

5. Steamlin e Pressure

a. Minimum Requirement Two channels per steamline on separate power supplies with one channel per steamline recorded.

b. Range - 0 to 1300 psig.

c. Purpose Accuracy 1. Needed to determine

+/- 4% of type of accident that full has occurred and the scale proper recovery procedure to use

2. Determine that

+/- 4% of plant is in a full safe shutdown scale condition.

6. Steam Genera tor Water Level (narrow or wide range)

a. Minimum Requirement Two narrow range channels pe r steam generator on separate power supplies with one channel recorded for each steam generator. Although the requirement i dentifies two narrow range cha nnels, the intent of the requirement is also satisfied by on e narrow range a nd one wide range channel, either of whi ch must be recorded.

b. Range - 0 to 100% of span for both wide or narrow range.

c. Purpose Accuracy 1. Maintain adequate Narrow range:

heat sink sufficient following an accident accuracy to indicate that water level is between 0 and 100% of span

2. Needed in recovery procedure following steam generator tube rupture

B/B-UFSAR 7.5-12 REVISION 2 - DECEMBER 1990 TABLE 7.5-1 (Cont'd)

3. Ensure that steam generator tubes are covered following a LOCA.

7. Refueling Water Storage Tank Level

a. Minimum Requirement Two channels on sepa rate power supplies.

Means must be provided to record one of the channels following a safety injection signal.

b. Range - 0 to 100% of span. Time Needed c. Purpose Accuracy After Accident

1. Determine when to +/- 3% of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> perform the neces- level span cessary manual actions following switchover from the injection phase to the recirculation phase of safety injection after a LOCA.

B/B-UFSAR

7.5-13

REVISION 9 - DECEMBER 2002 TABLE 7.5-2 CONTROL ROOM INDICATOR AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORMAL OPERATION NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES NUCLEAR INSTRUMENTATION

1. Source Range a. Count rate 2 1 to 10 6 counts/ +/-7% of the linear Both channels Control One recorder is sec full scale analog indicated. Either board used to record any voltage may be selected of the 8 nuclear recording. channels (2 source range, 2 intermediate range and 4 power range)

b. Count Rate** 2 0.1 to 10 5 counts/ +/-2% of the linear Both channels Control Source range (Post sec full scale analog indicated. Both board indication Accident voltage channels may be provided by Post Neutron selected recording Accident Neutron Monitors) on plant computer. Monitoring Instrumentation allowed for satisfying Technical Specification 3.9.3 in Mode 6.

Does not provide startup rate indication.

• Includes channel accuracy and environmental effects. Indicated accuracies provided by NSSS vendor (historical).

• • Channel indication may be used during Mode 6 to satisfy Technical Specification 3.9.3.

B/B-UFSAR

7.5-13a

REVISION 10 -

DECEMBER 2004 TABLE 7.5-2 (Cont'd)

CONTROL ROOM INDICATOR AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORMAL OPERATION NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES NUCLEAR INSTRUMENTATION c. Startup rate 2 -0.5 to 5.0

+/-7% of the linear Both channels Control decades/min full scale analog indicated. board voltage

2. Intermediate Range a. Flux level 2 8 decades of

+/-7% of the linear Both channels Control neutron flux full scale analog indicated. Either board (corresponds voltage and

+/-3% of may be selected to 0 to full the linear full for recording scale analog scale voltage in using the voltage) over- the range of 10

-4 recorder in Item 1 lapping the to 10

-3 amps above. source range (10 to 10 2% RTP at Byron) by 2 decades

• Includes channel accuracy and environmental effects.

B/B-UFSAR

7.5-14

REVISION 8 - DECEMBER 2000 TABLE 7.5-2 (Cont'd)

NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES b.Startup rate 2 -0.5 to 5.0

+/-7% of the linear Both channels Control decades/min full scale analog indicated board voltage 3. Power Range A.Uncalibrated 4 0 to 120% of

+/-1 of full power All 8 current NIS racks ion chamber full power current signals indicated. in control current (top current room and bottom uncompensated ion chambers) b.Calibrated ion 4 0 to 125% of

+/-2% full power All 8 current Control chamber current full power current signals recorded board (top and bottom current (four recorders).

uncompensated Recorder 1 - upper ion chambers) currents for two diagonally opposed detectors.

Recorder 2 - upper currents for remaining detectors.

Recorder 3 - lower currents for two diagonally opposed detectors. Recorder 4 - lower currents for remaining detectors.

B/B-UFSAR 7.5-15 TABLE 7.5-2 (Cont'd)

NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES c.Upper and lower 4 -60 to +60%

+/-3% of full Diagonally opposed Control ion chamber power channels may be board current difference selected for recording at the same time using recorder in Item 1.

d. Average flux of 4 0 to 120% of

+/-3% full All 4 channels Control the top and full power power for indicated. Any 2 board bottom ion indication of the four channels chamber +/-2% for recording may be recorded using recorder in Item 1 above e.Average flux of 4 0 to 200% of

+/-2 of full power All 4 channels Control the top and full power to 120% recorded board bottom ion

+/-6% of full chambers power to 200% f.Flux difference 4 -30 to 30%

+/-4% All 4 channels Control of the top and indicated. board bottom ion chambers REACTOR COOLANT SYSTEM

1. Taverage 1/loop 530° - 630°F +/-4°F All channels Control (measured) indicated. board

B/B-UFSAR

7.5

-16 REVISION 8 -

DECEMBER 2000 TABLE 7.5-2 (Cont'd)

NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES 2. T(measured) 1/loop 0 to 150% of

+/-4% of full All channels Control full power power T indicated. One board T channel is selected for recording

a. Tcold or T hot 1-Thot 0 to 700°F +/-4% One Thot channel Control and one Tcold board channel for each loop is recorded. (measured, 1-Tcold Each loop has a wide range) per loop separate recorder. 3. Overpower T 1/loop 0 to 150% of

+/-4% full All channels Control Setpoint full power T power T indicated. One board channel is selected for recording.

4. Overtemperature 1/loop 0 to 150% of

+/-4% power All channels Control T Setpoint full power T T indicated. One board channel is selected for recording.

5. Pressurizer 4 1700 to 2500

+/-28 psi All channels indicated Control Pressure psig board

6. Pressurizer 3 Entire distance +/-3.5% P All channels indicated Control Level recorded along Level between taps level at One channel board with reference level 2250 psia is selected signal for recording.

B/B-UFSAR

7.5-17 REVI SION 10 - DECEMBER 2004 TABLE 7.5-2 (Cont'd)

NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES 7. Primary Coolant 3/loop 0 to 110% of Repeatability of All channels indicated Control Flow rated flow +4.5% of full board flow

8. Reactor Coolant 1/loop 0-1200A

+/-2.3% All channels indicated Control One channel for each pump Pump Motor Current board

9. System Pressure 2 0 to 3000 psig

+/-4% All channels indicated Control Wide Range and recorded. board REACTOR CONTROL SYSTEM

1. Demanded Rod 1 0 to 100% of

+/-2% The one channel is Control Speed rated speed indicated. board

2. Auctioneered 1 530° to 630°F +/-4°F The one channel Control Any one of the Tavg T avg is recorded. board channel into the auctioneer may be bypassed

3. Treference 1 530° to 630°F +/-4°F The one channel is Control recorded. board

4. Control Rod If system not available, Position borate and sample accordingly a. Number of steps 1/group 0 to 231 steps

+/-1 step Each group is Control These signals are used of demanded rod indicated during board in conjunction with the withdrawal rod motion. measured position signals (4c) to detect deviation of any individual rod from the demanded position. A deviation will actuate an alarm and annunciator.

B/B-UFSAR 7.5-18 TABLE 7.5-2 (Cont'd)

NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES b. Full length 1 for 0 to 228 steps

+/-4 steps Each rod position Control rod measured each is indicated board position 5. Full length Control 4 0 to 230 steps

+/-2.5% of total All 4 control rod Control 1. One channel for each Rod Bank Demanded bank travel bank positions are board control bank. Position recorded along with 2. An alarm and aunnunciator the low-low limit is actuated when alarm for each bank. the last rod control bank to be withdrawn reaches the withdrawal limit, when any rod control bank reaches the low insertion limit and when any rod control bank reaches the low-low insertion limit

CONTAINMENT SYSTEM

1. Containment 4 0 to 60 psig

+/-3% All 4 channels Control Pressure indicated and 1 board is recorded.

FEEDWATER AND STEAM SYSTEMS 1. Auxiliary Feedwater 1/feed 0 to 250

+/-4% All channels Control Two feed lines per steam Flow line indicated. board generator. One each from Trains A and B.

B/B-UFSAR

7.5

-19 REVISION 11 - DECEMBER 2006 TABLE 7.5-2 (Cont'd)

NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES 2. Steam Generator 4/steam +7 to -5 feet

+/-4% of P level All channels indicated. Control Level (narrow generator from nominal (hot) The channels used for board range) full load level control are recorded.

3. Steam Generator 1/steam +7 to -41 ft +5% of level All channels Control Level (wide range) generator from nominal (cold) recorded board full load level

4. Deleted

5. Main Feedwater 2/steam 0 to 120% of

+/-5% All channels indicated. Control Flow generator maximum The channels used for board calculated flow controls are recorded

6. Magnitude of 1/main 0 to 100% of

+/-1.5% All channels Control 1. One channel for each Signal Controlling 1/bypass valve opening indicated. board. main and bypass Main and Bypass Feedwater Control Valves feed-water control valve 2. OPEN/SHUT indication is provided in the control room for each main and bypass feed-water control valve

B/B-UFSAR 7.5-20 TABLE 7.5-2 (Cont'd)

NUMBER OF CHANNELS INDICATED INDICATOR/ PARAMETER AVAILABLE RANGE ACCURACY* RECORDER LOCATION NOTES 7. Steam Flow 2/steam 0 to 120% of

+/-5.5% All channels indicated. Control Accuracy is equipment generator maximum The channels used for board capability; however, calculated flow control are recorded. absolute accuracy depends on applicant calibration against feedwater flow.

8. Steamline 3/loop 0 to 1300 psig

+/-4% All channels indicated Control Pressure and 1 is board recorded

9. Steam Dump 1 0-100% of steam

+/-1.5% The one channel is Control OPEN/SHUT indication is Modulate Signal dump valves open indicated. board provided in the control room for each steam dump valve

10. Turbine Impulse 2 0 to 120% of

+/-3.5% Both channels Control OPEN/SHUT indication is Chamber Pressure maximum calculated indicated. board provided in the control turbine load room for each turbine stop valve

B/B-UFSAR 7.6-1 REVISION 4 - DECEMBER 1992 7.6 OTHER SAFETY-RELATED INSTRUMENTATION SYSTEMS

7.6.1 Description

See Subsections 7.6.3 th rough 7.6.6 for descript ions of all other instrumentation systems required for saf ety not previously addressed.

Additional descriptions for the fire detecti on and protection systems and the process and effluent radiologi cal monitors are found in Subsection 9.5.1 and Section 11.5 respectively.

7.6.2 Analysis

See Subsections 7.6.3 through 7.6.6 for anal yses of all other instrumentation systems required for saf ety not previously addressed.

7.6.3 Instrumentation

and Co ntrol Power Supply System For a complete descripti on and analysis of the instrumentation and control power supply syste m, see Subsect ion 8.3.1.1.2.

7.6.4 Residual

Heat Re moval Isolation Valves 7.6.4.1 Description The normally closed resi dual heat removal system (RHR) isolation valves 8701A/B and 8702A/B are opened on ly for resid ual heat removal after system pre ssure/temperature has be en reduced to the cooldown setpoint. Their posi tion is indicated at the main control board (MCB) by lights monitoring val ve limit switches.

There are two motor-operated val ves in series in each of the two RHR pump suction lines f rom the RCS hot legs.

The valves are interlo cked by diverse pressu re instruments as shown on Figures 7.6-1 and 7.6-2 so that they ca nnot be opened unless the RCS p ressure is below approxi mately 360 psig. This interlock prevents t he valve from being opened when the RCS pressure plus the RHR pump pressure would be a bove the RHR system design pressure. An alarm is pr ovided to alert the operator that an RCS-RHR series isol ation valve(s) is not fu lly closed and that double isolation from the RCS to RHR is not being maintained.

The logic inputs are from Limito rque limit swi tches and the hot leg wide-range pressure transmitters (see Su bsection 5.4.7.2.3).

B/B-UFSAR 7.6-1a REVISION 3 - DECEMBER 1991 7.6.4.2 Analysis In order to meet NRC requirements and because of the possible severity of the conseq uences of loss of function, the requirements of IEEE 279-1971 have been applied with the following comments:

1. IEEE 279-1971, Paragraph 4.10: The above mentioned pressure interlock signals a nd logic are periodically tested. This is done in the interests of

B/B-UFSAR 7.6-2 safety, since an act ual actuation to permit opening the valve could potentially le ave only one remaining valve to isolate the low-pre ssure residual heat removal system from the reactor coolant system.

2. IEEE 279-1971, paragraph 4.15: This r equirement does not apply, as the setpoi nts are independent of mode of operation and are not changed.

Environmental qualif ication of the valves an d wiring is discussed in Section 3.11.

7.6.5 Refueling

Interlocks Electrical interlocks as discuss ed in Subsection 9.1.4.3.1 are provided to minimize the possibility of damage to the fuel during fuel handling operations.

7.6.6 Accumulator

Motor-Operated Valves The control circuit for these valves is show n on Figure 7.6-3.

The valves and contr ol circuits are fu rther discussed in Subsections 6.3.2 and 6.3.5.

The safety injection system accumulator discharge isolation valves are motor-ope rated, normally op en valves which are controlled from the main control board.

These valves are inter locked such that:

a. They open automatically on receipt of an "S" signal with the main control board switch in either the "AUTO" or "CLOSE" position.

b. They open automatically whenever the reactor coolant system pressure is a bove the safety injection unblock pressure (P-11) specified in the technical specifications and the main control board switch is in the "AUTO" position.

c. They cannot be closed as long as an "S" signal is present. The four main control bo ard position switche s for these valves provide a "spring return to auto" from the open position and a "maintain position" from the closed position.

The "maintain closed" position is requir ed to provide an administratively control led manual block of the automatic opening of the valve at pressure above the saf ety injection unblock pressure (P-11). The manual blo ck or "maintain closed" position is required when perfo rming periodic check valve leakage testing

B/B-UFSAR 7.6-3 REVISION 8 - DECEMBER 2000 when the reactor is at pressure.

The maximum permissible time that an accumulator va lve can be closed when the reactor is at pressure is specified in Techn ical Specification 3.5.1.

During plant shu tdown, the accum ulator valves are in a closed position.

When the RCS pressure is above t he SI unblock pr essure, an alarm sounds in the main c ontrol room for any accumulator isolation valve not fully open as indicated by the val ve stem limit switch.

7.6.7 Switchover

from Inject ion to Recirculation The details of achieving cold leg recirculation following safety injection are given in Subsection 6.3.2.8 and on Table 6.3-7.

Figure 7.6-5 sho ws the logic which is used to open the sump valves automatically. T he semiautomatic transfer signal for this switchover is shown in Figure 7.6-4 and is u sed for closing the charging pump miniflow m otor-operated valves as well (see Figure 7.6-6).

7.6.8 Reactor

Coolant System L oop Isolation Va lve Interlocks 7.6.8.1 Description The purpose of these int erlocks is to ensure t hat an accidental startup of an unborated and/or cold, iso lated reactor coolant loop results only in a relatively slow react ivity insertion rate.

The interlocks are req uired to perform a pro tective function.

Interlocks are provided to:

a. Prevent the opening of a hot leg loop stop valve unless the cold leg stop valve in th e same loop is fully closed.

b. Prevent the star ting of a reactor coolant pump unless: 1. The cold leg loop stop valve in the same loop is fully closed and the loop bypass valve is fully open, or 2. Both the hot leg loop stop valve and cold leg loop stop valve are fully open.

c. Prevent the opening of a col d leg stop valve unless:

1. The hot leg loop stop va lve in the same loop is open.

2. The bypass valve in the loop is open.

B/B-UFSAR 7.6-3a REVISION 5 - DECEMBER 1994 3. Minimum flow has exist ed through the relief line for 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />.

4. The cold leg tem perature is within ~20

°F of the highest cold leg temperature in the other loops and the hot leg temper ature is within ~20

°F of the highest hot leg temperat ure in the other loops.

The interlocks are a p art of the reactor protection system and include the followin g redundancy:

a. Two independent limit switches to in dicate that a valve is fully open.

b. Two independent limit switches to in dicate that a valve is fully closed.

c. Two differential pressure sw itches in ea ch line which bypasses a cold leg loop sto p valve to determine that flow exists in the line.

Flow through the line indicates:

1. The valves in the line are open.

2. The pump in the isol ated loop is running.

The interlocks meet the IEEE-279

-1971 criteria a nd, therefore, cannot be negated by a single failure. The interlock on hot leg temperatures is a ba ckup for the interlock on cold leg temperatures. Thus, the single fail ure criterion applies to the combination and not to each separately.

Figure 7.6-9 shows a r eactor coolant loop with loop isolation valves and also shows the cold leg loop isolation valve bypass line. 7.6.9 Interlocks For RCS P ressure Control During Low Temperature Operation The basic function of the RC S pressure contr ol during low temperature operation is discussed in Subsec tion 5.2.2.11. As noted in Subsection 5.2.2.11 this pressure control includes manually armed

B/B-UFSAR 7.6-4 REVISION 12 - DECEMBER 2008 semiautomatic actuation logic for two pressuri zer power operated relief valves (PORVs

). The function of this actuation logic is to continuously monitor RCS temperature and pr essure conditions, with the actuation logic only unblocked by t he manual ARM position on the PORV c ontrol switch when pla nt operation is at a temperature below the Technical Specificatio n requirement of 350°F. The monitored s ystem temperature sign als are processed to generate the reference pressure limit progra m which is compared to the measured pressure.

The function of this a ctuation logic is to continuously monitor RCS temperature and pres sure conditions, com pare them with the reference nil ductility temperature (RNDT) a nd pressure limits, as shown in Pressure Temperature Limits Report (PTLR) Figure 3.1 and Table 3.1, and g enerate a signal to open the PORV if the pressure conditions exceed allowable limits.

The actuation logic will function only if the PORV hand switch is in the manual ARM position. See Figure 7.6-10 for the block diagram showing the interlocks for RCS p ressure control duri ng low temperature operation.

As shown in this figure, the sta tion variables r equired for this interlock are channeli zed as follows:

a. Protection Set I

1. wide range RCS temp erature from hot legs and

2. wide range RCS syst em pressure (PT 407).

b. Protection Set II

1. wide range RCS temp erature from cold legs.

c. Protection Set IV

1. wide range RCS syst em pressure (PT 406).

The wide range temperatu re signals, as inputs to the Protection Sets I and II, continuously monitor RCS temperature conditions whenever plant operation is at a temperature b elow the RNDT. In Protection Set I, the existing RCS hot leg wide rang e temperature channels supply through an isolation dev ice continuous analog input to an auctioneering device, wh ich is located in the process rack of control rack Group 1. The lowest reading is selected and input to a function generator wh ich calculates t he reference pressure limit program c onsidering the plant's allowable pressure and temperature limits.

Also available from Protection Set I is the wide range RCS system pressure signal wh ich is sent through an isolation device to control rack Group

1. The reference pressure from the function gen erator is compar ed to the actual RCS system pressure mo nitored by the wide range pressure channel. The error si gnal derived from the difference between the reference pressure and the actual me asured pressure, will first annunciate a main board alarm whenever the actual measured pressure approaches, within a pr edetermined amount, the reference pressure. On a further increase in measured pre ssure, the error signal will generate an annunciated actu ation signal. The actuation signal availab le from control rack Group 1 will control PORV "A" whenever a manually arm ed permissive signal from control B/B-UFSAR 7.6-5 REVISION 1 - DECEMBER 1989 Group 4 is present. The manually armed permissive to the PORVs actuation device is a signal which is turned on only when the MCB four-position PORV contr ol switch is placed in the ARM position.

When it is in the AU TO position (normal operating conditions) the actuation signal is at a temperature greater than the range of concern. This will prevent unne cessary system a ctuation when at normal RCS opera ting conditions as a r esult of a failure in the process sensors.

The PORV control switch is placed in the ARM position when the low auctioneered RCS temperature signal reaches a low setpoint value which is indicated by an annunciated actua tion signal. The monitored generating station variables that generate the actuation signal for the "B" P ORV are processed in a similar manner. In the case of PORV "B", the reference temperature is generated in control rack Group 4 from the low est auctioneered wide range cold leg temperature, the auc tioneering device deriving its inputs from the RCS wide range temperature in Protection Set II, and the actual measur ed pressure signal is available from Protection set IV.

Therefore, the generating station variables used for PORV "B" are deri ved from protection sets that are independent of the set from which generating station variables used for PORV "A" are derived. The error signal derivation itself used for the actuat ion signals is available from the control group.

Upon receipt of the actuation signal and with the PORV control switch in the ARM position, the actuation device will automatically cause the PORV to open.

Upon sufficient RCS inventory letdown, t he operating RCS pre ssure will decrease, clearing the actuation signal. Removal of t his signal causes the PORV to close.

7.6.9.1 Analysis of Interlock Many criteria presented in IEEE 279-1971 and IEEE 338-1971 standards do not apply to the in terlocks for RCS pressure control during low tempe rature operation, because the interlocks do not perform a protective function but rather provide automatic pressure control at low temp eratures as a back up to the operator.

However, although IE EE 279-1971 criteria do not apply, some advantages of the dependability and benefits of an IEEE 279-1971 design have occurred by including the pressu re and temperature signal elements as noted above in the pr otection sets and by organizing the c ontrol of the two PORVs (either of which can accomplish the RCS p ressure control function) into dual channels wherever practical. E ither of the two PORVs can accomplish the RCS pressure con trol function.

The design of the low temperature interlocks for RCS pressure control includes the following features:

a. No credible si ngle failure at the output of the protection set racks, af ter the output leaves the racks B/B-UFSAR 7.6-6 REVISION 9 - DECEMBER 2002 to interface with the in terlocks, will prevent the associated protectio n system channel from performing its protective funct ion because such outputs that leave the racks go throu gh an isolation device as shown in Figure 7.6-10 and because the re are no shared components bet ween channels.

b. Testing capabili ty for elements of the interlocks within (not external to) the Protection System is consistent with the testing principl es and methods discussed in Sub section 7.2.2.2.3.

It should be noted that there is an annunciator which pro vides an alarm when there is low auctio neered RCS tem perature (below RNDT) coincident with a closed position of the motor operated (MOV) pressurizer r elief block valve. This MOV is in the same fluid pat h as the PORV, with a separate MOV used and al armed associated with the second PORV.

c. A loss of offsite power will not defeat the provisions for an electrical power sour ce for the interlocks because these provis ions are through onsite power which is described in Section 8.3.

7.6.10 Instrumentat ion for Mitigating Consequences of Inadvertent Boron Dilution 7.6.10.1 Description Instrumentation is p rovided to mitigate the consequences of inadvertent addition of unborated, primary grade water into the reactor coolant system.

The primary indication of a potentia l boron dilution transient in Modes 3, 4 and 5 is an increase in V CT volume as measured by redundant VCT level chan nels. These channel s alarm in the main control room on high VCT level at 70%. In add ition, alarm inputs from Train A and Train B source range flux doubl ing, and CV112A control valve not in VCT positio n, are available to alert the operators to the potential of a boron dilution t ransient. A boron dilution t ransient can be admini stratively terminated by aligning the CVCS valves to the RWST to inject borat ed water into the reactor (reference N RC Docket Nos. STN 50-456, STN 50-457, STN 50-454, and STN 50-455, Subj ect: Request for Technical Specifications Change, Removal of the Au tomatic Actuation Features of the Boron Diluti on Protection System).

7.6.10.2 Analysis The analysis of effe cts and consequences of inadvertent boron dilution transient is co vered in Subsection 15.4.6.

B/B-UFSAR 7.6-7 7.6.10.3 Qualification Qualification of the i nstrumentation is disc ussed in Sections 3.10 and 3.11.

7.6.11 Charging Pump Mi niflow Valve Interlocks Two solenoid actuated charging pump miniflow control valves (CV8114 and CV8116) are provided with actuation logic to isolate the miniflow lines f or the centrifugal charging pumps (see Subsection 6.3.2.2) on low RCS press ure in conju nction with an "S" signal. These val ves open to protect the pumps should the RCS pressure increase above their "open" set point with an "S" signal present (see Figures 7.6-7 and 7.6-8). In addition to the solenoid actuated charging pump miniflow control valves, two motor-operated charging pump miniflow valves (CV8110 and CV8111) are also provided to isolate t he miniflow lines at the time of switchover from safety i njection to cold leg r ecirculation. This isolation is automat ic when the refueling water storage tank (RWST) water level d rops to the low-low setp oint in conjunction with an "S" signal (see Figures 7.6-4 and 7.6-6). In all four miniflow valves (2 that are solenoid actuate d and 2 that are motor-operated), the " S" signal logic retains the "S" signal by retentive memory logic which can be reset at the control board.

7.6.12 References

1. The Institute of Ele ctrical and Electron ic Engineers, Inc., "IEEE Standard:

Criteria for Protection Systems for Nuclear Power Generating Stati ons", IEEE 279-1971.

2. The Institute of Ele ctrical and Electron ic Engineers, Inc., "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protect ion System", IEEE 338-1971.

B/B-UFSAR 7.7-35 TABLE 7.7-1 PLANT CONTROL SY STEM INTERLOCKS DESIGNATION DERIVATION FUNCTION C-1 1/2 Neutron flux Blocks automatic and (intermediate manu al control rod range) above withdrawal setpoint C-2 1/4 Neutron flux Bloc ks automatic and (power range) manu al control rod above setpoint withdrawal C-3 2/4 Overtemperature Bloc ks automatic and T above manual control rod setpoint withdrawal Actuates turbine runback via load reference

Defeats remote load dispatching (if remote load dispatching is used) C-4 2/4 Overpower T Blocks automatic and above setpoint manu al control rod withdrawal Actuates turbine runback via load reference Defeats remote load dispatching (if remote load dispatching is used)

C-5 1/1 Turbine Defe ats remote load impulse chamber dispat ching (if remote load pressure below disp atching is used) setpoint Blocks automatic control rod withdrawal C-7 1/1 Time derivative Makes steam dump valves (absolute available for either value) of turbine tripping or modulation impulse chamber pressure (decrease only) above setpoint

B/B-UFSAR 7.7-36 REVISION 4 - DECEMBER 1992 TABLE 7.7-1 (Cont'd)

DESIGNATION DERIVATION FUNCTION C-8 Turbine trip Prov ides turbine trip indication C-9 Any condenser Blocks steam dump to pressure above condenser setpoint

or

All circulation water pump breakers open C-11 1/1 Bank D control rod Blocks automatic rod position above setpointwithdrawal C-14 2/2 Steam generator Closes the feedwater level above control valve(s) in the setpoint (optional) affected steam generator only C-16 1/1 Auctioneered Stop s turbine loading low Tavg - Tref (not used) below setpoint or 1/1 Auctioneered Defeats remote load low Tavg below dispat ching (is remote setpoint load dispatching is used)

c -u 0 Cl (/) 0 H <:: ., ::0 -u H[D mo, z ::0 ::0 0 H ., )> )> )> ., H OH HOH G) 0 OoCl c (/) ::;: ::EzO ::0 )>o 0--<rn Cl "o o ::or OOo '" 'o :._, (f) A I H-<0 <Sl )>H _, (/) H C( 0 _,)> G) (/) z <:: ::0 H )> (/) <:: ::0 Cl -u 0 ::0 _, POWER CABINET REACTOR 1 BD CONTROL SYSTEM OVATION ( LOGIC DISCC CABINET SWITC MANUAL SWITCH -' BANK SELECTOR . MULTIPLEX POWER CIRCUITS CABINET 2 BD I'" 1

• 1 (( I I I [LIFTING } GROUP -----i t/2 I--(OFF I I I

} ll GROUP 2 ------OFF NORNAL SEQUENCING OF GROUPS WITHIN BANK CONTROL BANK D GROUP 1 OIL NNECT HES CONTROL BANK D GROUP 2 1 NOTE: ONLY CABINETS 1 BD AND 2BD SHOWN. FOR MORE COMPLETE DIAGRAM INCLUDING POWER CABINETS 1AC, 2AC, AND SCD. SEE REF.1 IN SECTION 7.7.3. 0 f"T] (") Al f"T] f"T] ;;:: < rn .__. f"T] (/) Al >--< 0 NZ <Sl (J) (J)

CD c ::::0 -u )> 0 1-i 0 =E (/) l'T1 CD 0 1-i 0-< o:::as:::

., ::::0 1-i 0 zZ cO 1--1 ., )> ............

zo 1-i G) ICD ::::0 c (/) )> zo ::::0 )> 1-i N:rj CD l'T1 '10 l'T1 =E 12:>0 r :-..i =<!o ,g -...J 0 :A I )>0 ::::o-< 0 ...... z IS) )> (/) 1-i )> z fTl )> cs:: §6 (/) -l 1-i 1-i z )> (/) 0 1-i s::: z -I ::::0 (/) l'T1 ...... -u 121> 0 N ::::0 -I t "I ---LIHING} ll I. t/21 I I l OFF GROUP I I 11 LI FTI NG } GROUP 2 ll I ---------OFF NORMAL SEQUENCING OF GROUPS WiTHIN BANK I MOTE: ONLY CABINETS IBD AND 2BD SHOWN. FOR MORE COMPLETE DIAGRAM INCLUDING POWER INETS IAC. 2AC. AND SCD. SH REF. I IN SECTION 7.7.3 0 rTJ 0 :;;o rTJ rTJ OJ 1--1 rTJ (/) :;;o 1--1 0 NZ ___. ___. (j) (j)

Inputs to logics 2&3 SGA Level 3%< RPS SGB Level 3%< RPS Logics 2 & 3 similar to logic 1 Logic 3 Logic 2 Initiate auxiliary FW pumps and related components Div.11 M2148.43611*90 SGC Level 3%< RPS SGD Level 3%< RPS REVISION 15 DECEMBER 2014 r ARM system """"\ above C-20 \ C-20 C-20 >30% >30% Logic 1 Inhibit system for test Cont. switch normal Initiate auxiliary FW pumps and related components Div.12 Trip main turbine (emergency trip) BYRON/BRAIDWOOD STATIONS UPDATED FINAL SAFETY ANALYSIS REPORT FIGURE 7.7-12 ATWS MITIGATION SYSTEM SIMPLIFIED LOGIC DIAGRAM