RS-11-159, Quad Cities, Units 1 and 2 - Updated Final Safety Analysis Report (Ufsar), Revision 11, Chapter 07 - Instrumentation and Controls
| ML11305A056 | |
| Person / Time | |
|---|---|
| Site: | Quad Cities  |
| Issue date: | 10/19/2011 |
| From: | Exelon Generation Co, Exelon Nuclear |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| RS-11-159 | |
| Download: ML11305A056 (221) | |
Text
QUAD CITIES - UFSAR 7-i 7.0 INSTRUMENTATION AND CONTROLS TABLE OF CONTENTS
Page 7.0 INSTRUMENTATION AND CONTROLS.................................................................. 7.1-1
7.1 INTRODUCTION
.............................................................................................. 7.1-1 7.1.1 Identification of Systems...................................................... 7.1-1 7.1.1.1 Protective Systems........................................ 7.1-2 7.1.1.2 Safe Shutdown.............................................. 7.1-2 7.1.1.3 Display Instrumentation.............................. 7.1-2 7.1.1.4 Core and Vessel Instrumentation................ 7.1-3 7.1.1.5 Other Instrumentation................................. 7.1-3 7.1.2 Identification of Safety Criteria........................................... 7.1-3 7.1.2.1 Instrumentation Setpoints........................... 7.1-3 7.1.2.2 Single Failure Criteria............................... 7.1-3a 7.1.2.3 Instrument Line Design............................... 7.1-4 7.1.2.4 Qualification.................................................. 7.1-4 7.1.3 Other Control and Instrumentation.................................... 7.1-4
7.2 REACTOR PROTECTION (TRIP) SYSTEM.............................................. 7.2-1 7.2.1 Design Bases......................................................................... 7.2-1 7.2.2 System Description............................................................... 7.2-1 7.2.2.1 General.......................................................... 7.2-1 7.2.2.2 Power Sources............................................... 7.2-2 7.2.2.3 Instrumentation............................................ 7.2-2 7.2.2.4 Logic............................................................... 7.2-6 7.2.2.5 Initiating Signals and Circuits.................... 7.2-10 7.2.2.6 Scram Bypasses........................................... 7.2-15 7.2.2.7 Redundancy, Diversity, and Separation..... 7.2-21 7.2.2.8 Testability.................................................... 7.2-22 7.2.2.9 Environmental Considerations................... 7.2-27 7.2.2.10 Operational Considerations........................ 7.2-27 7.2.2.11 Anticipated Transient Without Scram....... 7.2-31 7.2.3 Analysis of Design Requirements Conformance................ 7.2-31 7.2.3.1 Single Failure Criterion.............................. 7.2-34 7.2.3.2 Quality of Components and Modules.......... 7.2-40 7.2.3.3 Channel Integrity........................................ 7.2-41 7.2.3.4 Channel Separation..................................... 7.2-42 7.2.3.5 Control and Protection System Interaction.................................................... 7.2-44 7.2.3.6 Capability for Test and Calibration............ 7.2-46 7.2.3.7 Establishment of Trip Setpoints................. 7.2-49 7.2.3.8 Access to Setpoint Adjustments, Calibration, and Test Points....................... 7.2-51 7.2.3.9 Identification of Protection Systems........... 7.2-52 7.2.3.10 System Repair.............................................. 7.2-52 7.2.4 References............................................................................ 7.2-55
QUAD CITIES - UFSAR TABLE OF CONTENTS (Continued)
Revision 11, October 2011 7-ii Page 7.3 ENGINEERED SAFETY FEATURE SYSTEMS INSTRUMENTATION AND CONTROL.................................................... 7.3-1 7.3.1 Emergency Core Cooling Systems Instrumentation and Control.................................................................................. 7.3-1 7.3.1.1 Core Spray System Instrumentation and Control........................................................... 7.3-1 7.3.1.2 RHR System LPCI Mode Instrumentation and Controls.................................................. 7.3-7 7.3.1.3 High Pressure Coolant Injection System Instrumentation and Control...................... 7.3-13 7.3.1.4 Automatic Depressurization System Instrumentation and Controls.................... 7.3-19 7.3.2 Primary Containment Isolation Systems........................... 7.3-25 7.3.2.1 Design Basis................................................. 7.3-25 7.3.2.2 Isolation Logic Description.......................... 7.3-25 7.3.2.3 Primary Containment Isolation System Instrumentation........................................... 7.3-33 7.3.2.4 Design Evaluation........................................ 7.3-36 7.3.2.5 Inspection and Testing ............................... 7.3-38 7.3.2.6 Conformance to IEEE-279........................... 7.3-38 7.3.3 Secondary Containment Isolation System......................... 7.3-43 7.3.4 References............................................................................ 7.3-44
7.4 SAFE SHUTDOWN..................................................................................... 7.4-1 7.4.1 Containment Cooling Mode of the Residual Heat Removal System................................................................... 7.4-1 7.4.2 Shutdown Outside the Control Room.................................. 7.4-1
7.5 DISPLAY INSTRUMENTATION .............................................................. 7.5-1 7.5.1 Post-Accident Monitors........................................................ 7.5-1 7.5.1.1 Description.................................................... 7.5-1 7.5.1.2 Analysis......................................................... 7.5-2 7.5.2 Process Computer................................................................. 7.5-4 7.5.2.1 Description.................................................... 7.5-4 7.5.2.2 Operator Functions....................................... 7.5-5 7.5.3 Safety Parameter Display System....................................... 7.5-6 7.5.3.1 Description.................................................... 7.5-7 7.5.3.2 Analysis......................................................... 7.5-8 7.5.4 Detailed Control Room Design Review................................ 7.5-9 7.5.5 References............................................................................ 7.5-10 QUAD CITIES - UFSAR TABLE OF CONTENTS (Continued) 7-iii Revision 11, October 2011 7.6 CORE AND VESSEL INSTRUMENTATION............................................ 7.6-1 7.6.1 Nuclear Instrumentation .................................................... 7.6-1 7.6.1.1 Design Bases ................................................ 7.6-1 7.6.1.2 General Description ..................................... 7.6-1 7.6.1.3 Source Range Monitoring Subsystem ......... 7.6-2 7.6.1.4 Intermediate Range Monitoring Subsystem..................................................... 7.6-5 7.6.1.5 Power Range Monitoring Subsystem .......... 7.6-7 7.6.2 Reactor Vessel Instrumentation ...................................... 7.6-15e 7.6.2.1 Design Bases and Design Features........... 7.6-15e 7.6.2.2 Description................................................... 7.6-16 7.6.2.3 Design Evaluation........................................ 7.6-19 7.6.2.4 Surveillance and Testing............................. 7.6-20 7.6.2.5 Analog Trip Instrumentation...................... 7.6-21 7.6.3 References............................................................................ 7.6-22
7.7 OTHER INSTRUMENTATION.................................................................. 7.7-1 7.7.1 Reactor Control Rod Control Systems................................. 7.7-1 7.7.1.1 Design Bases................................................. 7.7-1 7.7.1.2 Control Rod Adjustment Control (Reactor Manual Control System) .............................. 7.7-2 7.7.1.3 Design Evaluation......................................... 7.7-7 7.7.1.4 Inspection and Testing................................. 7.7-8 7.7.2 Rod Worth Minimizer........................................................... 7.7-8 7.7.2.1 Design Basis ................................................. 7.7-8 7.7.2.2 Description and Definitions ......................... 7.7-8 7.7.2.3 Design Evaluation ...................................... 7.7-15 7.7.2.4 Surveillance and Testing ............................ 7.7-15 7.7.3 Load Control Design............................................................ 7.7-16 7.7.3.1 Recirculation Flow Control System............ 7.7-17 7.7.3.2 Economic Generation Control System -
Abandoned.....................................................7.7-17 7.7.3.3 Failure Mode and Effects Analyses............ 7.7-18 7.7.3.4 Design Evaluation........................................ 7.7-19 7.7.3.5 Other Reactivity Control Systems.............. 7.7-19 7.7.4 Pressure Regulator and Turbine-Generator Controls ...... 7.7-20 7.7.4.1 Design Basis................................................. 7.7-20 7.7.4.2 System Description...................................... 7.7-20 7.7.4.3 Design Evaluation........................................ 7.7-21 7.7.5 Feedwater Level Control System ...................................... 7.7-22 7.7.5.1 Design Basis................................................. 7.7-22 7.7.5.2 System Description...................................... 7.7-22 7.7.5.3 Design Evaluation........................................ 7.7-24 7.7.6 Main Condenser, Condensate, and Condensate Demineralizer...................................................................... 7.7-25 7.7.6.1 Design Bases................................................ 7.7-25 7.7.6.2 System Description...................................... 7.7-25 7.7.6.3 Design Evaluation........................................ 7.7-25
QUAD CITIES - UFSAR TABLE OF CONTENTS (Continued) 7-iv Page 7.8 ANTICIPATED TRANSIENT WITHOUT SCRAM MITIGATION SYSTEM....................................................................................................... 7.8-1 7.8.1 Introduction.......................................................................... 7.8-1 7.8.2 Design Requirements........................................................... 7.8-1 7.8.3 Mitigation System Description............................................ 7.8-2 7.8.3.1 Recirculation Pump Trip.............................. 7.8-3 7.8.3.2 Alternate Rod Insertion ............................... 7.8-3 7.8.3.3 Alternate Rod Insertion Valves.................... 7.8-4 7.8.4 Design Evaluation................................................................ 7.8-4 7.8.5 References............................................................................. 7.8-6
QUAD CITIES - UFSAR TABLE OF CONTENTS (Continued) 7-v Revision 9, October 2007 7.0 INSTRUMENTATION AND CONTROLS LIST OF TABLES
Table 7.2-1 Analytical Limits for Reactor Protection Setpoints
7.3-1 Analytical Limits for Group Isolation Signals
7.4-1 Reactor Vessel Pressure and Level Indi cators Available Outside the Control Room
7.6-1 OPRM System Trips
7.7-1 EGC Console Top Plate Functions - Abandoned Equipment
7.7-2 EGC Status Indicators (Annunciators) - Abandoned Equipment
QUAD CITIES - UFSAR TABLE OF CONTENTS (Continued) 7-vi Revision 11, October 2011 7.0 INSTRUMENTATION AND CONTROLS LIST OF FIGURES
Figure 7.2-1 Reactor Protection System Power Supply 7.2-2 Use of Control and Instrumentation Definitions 7.2-3 Typical Logic Arrangement 7.2-4 Typical Logic Arrangement 7.2-5 Typical Logic Arrangement
7.3-1 Block Diagram: Primary Containment Isolation
7.6-1 Nuclear Instrumentation System Ranges and Overlaps 7.6-2 Block Diagram Nuclear Instrumentation System 7.6-3 SRM - Detector and Source Locations 7.6-4 IRM - Detector Locations 7.6-5 IRM - Response to Rod Withdrawal Error 7.6-6 IRM - Power Distribution During Rod Withdrawal Error 7.6-7 LPRM - Detector Locations 7.6-8 LPRM - Local Detector Locations 7.6-9 LPRM - Quadrant Symmetry 7.6-10 APRM - LPRM Assignments, Channels 1, 2, and 4 7.6-11 APRM - LPRM Assignments, Channels 3, 5, and 6
7.6-12 Illustrative APRM Scram and Rod Block Trip vs. Recirculation Flow 7.6-13 APRM Response During Flow-Induced Power Level Maneuvering 7.6-14 APRM Response During Control Rod - Induced Power Level Maneuvering 7.6-15 RBM - LPRM Input Assignment 7.6-16 RBM - High Flux Trip vs. Recirculation Flow 7.6-17 Block Diagram - OPRM Subsystem
7.7-1 Conditions which Prevent Control Rod Withdrawal 7.7-2 Deleted 7.7-2A Block Diagram - Rod Worth Minimizer 7.7-3 Deleted 7.7-3A Deleted 7.7-3B Reactor Pressure, Turbine Speed, and Recirculation Flow Control Systems 7.7-4 Deleted 7.7-5 Deleted 7.7-6 Deleted 7.7-7 Deleted
QUAD CITIES - UFSAR Revision 7, January 2003 7.1-1 7.0 INSTRUMENTATION AND CONTROLS
This chapter presents various plant ins trumentation and control systems including functions, design bases, system descriptions, design evaluations, and tests and inspections.
The information provided in this chapte r emphasizes instruments and associated equipment which constitute rea ctor protection and regulation systems. Particular attention is given to the instrumentation aspects of pr ocess systems, with the mechanical and nuclear design bases presented in the chapter/section which addresses the process system. Chapter 7 includes a discussion of the instrumentatio n and controls for systems of major safety significance and those that provide reacto r and turbine control. Discussions of instrumentation and controls for other syst ems are contained within the sections that address those systems.
7.1 INTRODUCTION
The equipment and evaluations presented in th is chapter are applicable to either unit.
Instrumentation and controls are provided to pe rform protective and regulating functions.
Protective systems, consisting of the reacto r protective circuitry and the instrumentation and controls for engineered safety features (E SFs) , normally perform the most important of the instrumentation and control safety functions.
[7.1-1]
The regulating instrumentation and controls provide the ability to regulate the unit from shutdown to full power and to monitor and ma intain key unit variables, such as reactor power, flow, pressure, level, temperature, and radioactivity levels within predetermined limits both at steady-state and during normal unit transients.
The inputs to the protective and regulating controls are provided by a diversity of instruments. The following sections in this c hapter provide descriptions of instrumentation and major components, evaluations of the in strumentation input adequacy, and analyses from both functional and reliability viewpoints.
7.1.1 Identification of Systems
Section 3.2 discusses the identification of safety-related instrumentation and control systems and equipment. The station's work control system data base also contains information on classifications of components.
[7.1-2]
The reactor protection and ESF systems su pplied by GE as the nuclear steam supply system (NSSS) supplier are:
[7.1-3]
B. Primary containment isolation system,
C. Emergency core cooling system, QUAD CITIES - UFSAR Revision 6, October 2001 7.1-2 7.1.1.1 Protective Systems
Protective systems include electrical and me chanical devices and circuitry required to initiate shutdown of the reactor and mitiga te the consequences of an accident when required. These include:
A. The reactor protection system (R PS) which acts to trip the reactor when parameters exceed preset limits (RPS is described in Section 7.2);
B. The anticipated transient without scram (ATWS) system which trips the recirculation pumps and provides an alte rnate method to scram the reactor in the unlikely event that the RPS fails to do so (ATWS mitigation is described in Section 7.8); and
Engineered safety feature (ESF) instrumentat ion and controls for em ergency core cooling and containment isolation functions which are addressed in Section 7.3 (other ESF systems are discussed in Section 6.0):
[7.1-4]
- a. Core spray,
- c. High pressure coolant injection (HPCI), and
- 2. Containment isolation systems:
- a. Primary containment isolation system (PCIS), and
- b. Secondary containment isolation.
7.1.1.2 Safe Shutdown
Section 7.4 includes a discussion of reacto r shutdown from outside the control room.
7.1.1.3 Display Instrumentation
Display instrumentation provides information used by the operator for normal operation and safe shutdown of the unit, including mo nitoring of post accident conditions.
Compliance with Regulatory Guide 1.97, Rev.
02, the safety parameters display system QUAD CITIES - UFSAR 7.1-3 Revision 8, October 2005 (SPDS), and the process computer are discussed in Section 7.5. A summary of the detailed control room design review (DCRDR) is also provided.
7.1.1.4 Core and Vessel Instrumentation
Section 7.6 describes additional instrumentatio n which provide both safety and non-safety functions, and which includes nuclear instrume ntation and reactor vessel instrumentation.
7.1.1.5 Other Instrumentation
Reactor and turbine generator ins trumentation and controls not e ssential for the safety of the plant are discussed in Section 7.7.
7.1.2 Identification of Safety Criteria
The design bases for the instrumentation and control systems include the safety criteria pertinent to each of the systems described.
The design basis for each of the systems is presented in the respective section which disc usses the system. The technical basis for the various protective functions is provided with the description of the protective system. A general discussion of Regulatory Guide compliance is provided in Section 1.8. Specific topics relevant to more than a single system are addressed in the following sections.
[7.1-5]
7.1.2.1 Instrumentation Setpoints
In the selection of the appropriate safety system setpoints, instrument error and accuracy are considered
[7.1-6]
The Technical Specification allowable values and the associated instrument setpoints have been established consistent with the methods described in Exelon's Instrument Setpoint Methodology (Nuclear Engineering Standard NES-EIC-20.04, "Analysis of Instrument Channel Setpoint Error and Instrument L oop Accuracy") or NEDC-31336P-A, "General Electric Instrument Setpoint Methodol ogy," dated September 1996 (for Nuclear Instrumentation System Functions only).
The allowable values associated with reactor vessel water level Functions in the Technical Specifications are referenced with respect to in strument zero. The top of active fuel is 360 inches above vessel zero and instrument zero is 503 inches above vessel zero. The allowable values associated with suppression chambe r water level Functions in the Technical Specifications are referenced to the bottom of the chamber.
QUAD CITIES - UFSAR 7.1-3a Revision 8, October 2005 7.1.2.2 Single Failure Criteria
The compliance of the reactor protection and emergency core cooling systems with, and the justification for all exceptions to IEEE 279-1968, Proposed Criteria for Nuclear Power Plant Protection Systems, are contained in GE Topical Report NEDO-10139, Compliance of Protection Systems to Industry Criteria: Ge neral Electric BWR Nuclea r Steam Supply System.
Compliance of the protection systems is presen ted in the sections providing the system details.
These systems typically employ one-out-o f-two-twice logic to allow the systems to accommodate single failures without jeopardizing functionality. The GE topical report is a generic report for an entire product line and these statements should be used concurrently with design requirements described in other sections of the UFSAR (such as Section 3.5 for Missile Protection, 3.6 for Pipe Break, etc.) that repr esent Quad Cities specific design requirements.
[7.1-7]
QUAD CITIES - UFSAR 7.1-4 7.1.2.3 Instrument Line Design
The normal design practice for static instrume nt piping is to provide high point vents and low point drains.
[7.1-8]
Instrument and cable separation are described in Section 8.3.1.7
7.1.2.4 Qualification
The qualification of instrumentation and contro ls is described in Sections 3.10 and 3.11.
Additional discussion of display instru mentation qualification and separation for Regulatory Guide 1.97 Category 1 variables is in Section 7.5.
[7.1-9]
7.1.3 Other Control and Instrumentation
Controls and instrumentation for the follo wing auxiliary and emergency systems are described in the sections that describe the systems:
[7.1-10]
System Section Reactor building heating and ventilation system 9.4.7 Reactor water cleanup system 5.4.8 Reactor core isolation cooling system 5.4.6 Fire protection system 9.5.1 Station service water system 9.2.2 Demineralized water makeup system 9.2.4 Service and instrument air systems 9.3.1 Communication systems 9.5.2 Spent fuel pool cooling and cleanup system 9.1.3 Fuel handling system 9.1.4 High radiation sampling system 9.3.2
QUAD CITIES - UF SAR Revision 9, October 2007 7.2-1 7.2 REACTOR PROTECTION (TRIP) SYSTEM
The reactor protection system (RPS) monitors reactor operation and initiates protective action in the event of a potentially unsafe co ndition that might cause reactor damage or subject plant personnel to a potentially hazardo us environment. Monitoring is performed by two separately powered RPS trip systems, bo th of whose outputs are needed to initiate protective action. Outputs from these system s initiate reactor scram (simultaneous rapid insertion of control rods into the reactor core).
[7.2-1]
Topics within this section include ho w RPS functions relate to IEEE-279-1968, Proposed IEEE Criteria for Nuclear Pow er Plant Protection Systems , as summarized from GE Topical Report NEDO-10139. The applicable IEEE-279-1968 paragraphs have been noted where
the discussion concerns this standard, althou gh conformance was not required. For more detailed information refer to the topical report.
7.2.1 Design Bases
The reactor protection system is designed to:
[7.2-2]
A. Prevent, in conjunction with the containment and containment isolation system, the release of radioactive materials in excess of the limits of 10 CFR 100 (or 10 CFR 50.67 as applicable) as a consequence of any of the design basis accidents (Chapter 15);
B. Prevent fuel damage following any single equipment malfunction or single operator error;
C. Function independently of othe r plant controls and instrumentation;
D. Function safely following any single component malfunction; and
E. Meet the requirements of IEEE-279, "Standard for Nuclear Power Plant Protection Systems," Sept. 13, 1966.
In order to meet its design requirements, the reactor protection system, under various conditions, initiates a reactor scram.
7.2.2 System Description
7.2.2.1 General
The RPS is classified as a safety-related sy stem. It includes the motor-generator (M-G) power supplies with associated control and indi cating equipment, certain sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. The process computer system and annunciators are not part of the RPS.
Scram signals received from the neutron moni toring system and the analog trip cabinets are discussed in Section 7.6.
[7.2-3]
QUAD CITIES - UFSAR Revision 6, October 2001 7.2-2 7.2.2.2 Power Sources
A simplified diagram of the RPS power distributio n and sources is shown on Figure 7.2-1.
The reactor protection system consists of two independent trip systems powered by independent electrical buses.
[7.2-4]
Power to each of the two reactor protection tri p system buses (A and B) is supplied by its own high-inertia (flywheel-equipped) ac M-G set (A and B). The station 125-V batteries supply dc power to the backup scram valve solenoids.
[7.2-5]
The RPS bus breakers are equipped with mec hanical interlocks to prevent both an M-G set and the reserve power source from simultan eously supplying power to a RPS bus. The normal feed for RPS bus A (M-G set A) is M CC 18-2(28-2). The normal feed for RPS bus B (M-G set B) is MCC 19-2(29-2). Either bus may be fed from the reserve feed from MCC 15-
2(25-2).
A key interlock system, consisting of two locking devices on the reserve power supply breakers that require the same key, prevents reserve power from supplying more than one RPS bus at a time. It prevents cross-connecti ng the independent buses and overloading the reserve power instrument transformer.
During a power loss to the M-G set, the high-inertia flywheel is designed to maintain generator output within 5% of rated values for at least one second to keep the RPS bus energized. The non-Class 1E RPS M-G sets are provided with relaying to trip on undervoltage and underfrequency conditions.
[7.2-6]
In addition, two Class 1E electrical protection assemblies (EPAs) are in series between each RPS power supply and its RPS bus breaker (see Fi gure 7.2-1). The EPAs protect the Class 1E components powered by the RPS buses from abnormal voltage and frequency conditions resulting from failures of the non-Class 1E po wer supplies (RPS M-G sets or reserve power supply). Each EPA includes a breaker and a ssociated monitoring module consisting of overvoltage, undervoltage, and underfrequency relays which trip the EPA breaker.
[7.2-7]
7.2.2.3 Instrumentation
A. Sensors
The reactor protection system receives the following inputs. Table 7.2-1 contains the analytical limits utilized in determining the RPS setpoints.
[7.2-8]
- 1. The purpose of the neutron monitoring system scram trip as it applies to IEEE-279-1968 General Functional Require ments (paragraph 4.1) is to protect the fuel against high heat generation rates.
Those portions of the neutron mo nitoring systems that provide a gross power protective function are:
A. Average power range monitor (A PRM) with either fixed scram or flow reference scram QUAD CITIES - UFSAR Revision 9, October 2007 7.2-3 B. Intermediate range monitor (IRM)
The portion of the neutron monitori ng system that provides a power oscillation protective function is the Oscillation Power Range Monitor (OPRM). Eight channels of IRM with re tractable detectors, six channels of APRM, and four channels of OPRM are prov ided. The APRM and OPRM receive input signals from local power rang e monitor (LPRM) detector assemblies containing detectors located at fixe d geometric coordinates and at four vertical elevations within the reactor core.
The neutron monitoring system instrumentation is described in Section 7.6.
- 2. The purpose of the reactor high pr essure scram trip is to limit the positive pressure effect on reactor power. This reactor scram trip is established to reduce the heat generation within th e reactor whenever the high-pressure setpoint is reached. In this way, the high pressure scram trip meets the
IEEE-279-1968 General Functional Requirements (paragraph 4.1).
[7.2-9]
The reactor high pressure scram works in conjunction with the pressure relief system in preventing reactor pr essure from exceeding the pressure safety limit. This high pressure scra m setting also protects the core from exceeding the thermal hydraulic safety limit as a result of pressure increases for some events that occur when the reactor is operating at less than rated power and flow. The reactor high pressure scram also provides backup protection to the high neutron flux scram.
Two locally mounted pressure tr ansmitters monitor the pressure and are arranged so that each pair provides input into the A & B trip systems.
The transmitter signal serves as an input to an analog trip unit for each channel, the contacts of which are used in the RPS trip logic. The analog
trip unit supplies a signal to the analog channel trip relays. The logic for these contacts is one-out-of-two-twice.
[7.2-10]
When the signal from the transmitter exceeds a preset value, the analog trip unit monitoring this signal tri ps to send a reactor vessel high pressure trip signal to the RPS. Ad ditional information on reactor vessel instrumentation can be found in section 7.6.
- 3. The purpose of the reactor vessel low water scram trip as it applies to the IEEE-279-1968 General Functional Require ments (paragraph 4.1), is to protect the reactor core by reducing fission heat generation in the core.
[7.2-11]
To meet this requirement, the re actor vessel low water level is monitored by four differential pressure tran smitters which sense the difference between the pressure due to a constant reference column of water and the QUAD CITIES - UFSAR Revision 7, January 2003 7.2-3a pressure due to the actual water level in the vessel.
The transmitter signal serves as an input to an analog trip unit for each channel, the contacts of which are used in the RPS trip logic. The analog
trip unit supplies a signal to the analog trip relays. The logic for these contacts is one-out-of-two-twice.
When the signal from the transmitter deviates from a preset value, the analog trip unit monitoring this signal trips to send a reactor vessel low water level signal to the respective RPS trip channel. Additional analog trip units and trip relays are provided for PCIS and HPCI. Additional information on reactor vessel instrument ation can be found in Section 7.6.
[7.2-12]
QUAD CITIES - UFSAR Revision 6, October 2001 7.2-4 4. The purpose of the turbine stop valve closure scram trip, as summarized by NEDO-10139 for the IEEE-279-1968 General Functional Requirements (paragraph 4.1), is to protect the rea ctor whenever it is sensed that its link to the heat sink is in the process of being removed.
[7.2-13]
To meet these requirements, the valve stem position of each turbine stop valve is monitored by limit switches. The limit switch allowable value is
less than or equal to 9.7% from the full-open position. In this way the trip
channel signals to the reactor prote ction system anticipate imminent closure of the stop valves. Each RPS trip logic receives inputs from two
stop valves. The logic arrangement is established to enhance frequent
testing of these valves without causing a trip of one RPS trip system for
each valve test. The logic arrangement to produce a reactor scram is
three-out-of-four stop valve closures rather than one-out-of-two twice.
- 5. The purpose of the turbine control valve fast-closure scram trip, as summarized by NEDO-10139 for the IEEE-279-1968 General Functional
Requirements (paragraph 4.1), is to pr otect the reactor whenever it senses that its link to the heat sink is in the process of being removed.
[7.2-14]
To meet the general functional requirements, the turbine control valve fast closure is monitored by pressu re switches connected between each fast-closure solenoid valve and its associated control valve disk dump port.
The electrohydraulic control (E HC) system compares generator stator current to the high pressure tu rbine exhaust (crossaround) pressure and operates these valves upon a mismatch indicative of a turbine
generator load rejection (see Section 10.4). These pressure switches on each fast-acting solenoid provide signals to both RPS trip systems.
The logic is a one-out-of-two-twice arrangement so that operation of
any solenoid causes a single system trip, and the operation of one or more solenoids in each trip system initiates a scram.
[7.2-15]
- 6. The purpose of the main steam line isolation valve closure scram trip, as it applies to IEEE-279-1968 General Functional Requirements (paragraph 4.1), is to protect the reactor whenever its lines to the heat
sink (turbine or condenser) is in the process of being removed.
[7.2-16]
The valve stem position of each of the eight main steam line isolation valves is monitored by limit switches. The limit switch allowable value is
less than or equal to 9.8% from the full open position.
Each RPS trip logic receives inpu t from both valves in two main steam lines. The logic arrangement is established to enhance frequent testing of
these valves without causing a trip of one RPS trip system for each valve
test. The logic arrangement to produce reactor scram is QUAD CITIES - UFSAR Revision 7, January 2003 7.2-5 three-out-of-four steam lines isol ated rather than a one-out-of-two twice arrangement.
- 7. The purpose of the scram dischar ge volume high water level scram trip, as it applies to IEEE-279-1968 General Functional Requirements (paragraph 4.1), is to assure that adequate volume remains to
accommodate the water discharged from the withdrawn control rod drives in the event that a reactor scram occurs.
[7.2-17]
Scram discharge volume (SDV) high water level inputs to the RPS are from two float-type and two different ial pressure-type level sensors on each of the SDVs. They are arrang ed such that a float-type and a differential pressure-type level se nsor for each channel are connected to each SDV. An actuation of any level switch causes a channel trip;
an actuation of two level switches, one in each trip system, causes a
scram. A scram is initiated when sufficient capacity remains in the
SDV to accommodate the displaceme nt of water for one scram.
[7.2-18]
- 8. The purpose of the primary containment (drywell) high pressure scram trip, as it applies to the IEEE-279-1968 General Functional Requirements (paragraph 4.1), is to detect an increase in the primary containment
gauge pressure and produce protective action.
[7.2-19]
Primary containment pressure is monitored by four non-indicating pressure switches which are mounted on instrument racks outside the
drywell in the reactor building. Each switch provides an input to one trip
channel. Pipes that terminate in the secondary containment (reactor building) connect the switches with the drywell interior. The switches are
grouped in pairs, physically separa ted, and electrically connected to the RPS so that no single event will pr event a scram due to drywell high pressure.
[7.2-20]
- 9. Deleted.
- 10. The turbine-generator cond enser vacuum is monitored by four nonindicating pressure switches which are mounted on instrument racks in the turbine building. Cables are routed from each switch
to the control room. Each switch provides an input to QUAD CITIES - UFSAR Revision 7, January 2003 7.2-6 one of the trip channels. The physical location of each switch is such that no single failure can prevent a scram due to a low
vacuum signal from the turbine-generator condenser.
- 11. Deleted.
[7.2-22]
B. Relays
Sensor trip channel and trip logic rela ys are fast-response, high-reliability relays. Power relays for interrupting the scram pilot valve solenoids are type CR105 magnetic contactors, made by GE.
The contactor has three main poles which are operated directly by the arma ture. Several auxiliary poles are also provided. The auxiliary poles are used for nonessential functions. Two main poles are used to break power to the scra m solenoids and the third main pole is used to seal-in the scram. The seal-in contact operates at the same time as the
scram contacts which operate the scram solenoids, since both are directly
operated by one mechanical unit (armat ure). Therefore, seal-in occurs simultaneously with scram actuation. All RPS relays are selected so that the
continuous load will not exceed 50% of their continuous duty ratings.
Component electrical characteristics are selected so that the system response time, from the opening of a sensor contact up to and including the opening of the
trip actuator contacts is less than 50 milliseconds. The time from the opening of
the trip actuator contacts until the contro l rods have inserted by 10% of their full stroke is no more than 700 milliseconds.
[7.2-23]
7.2.2.4 Logic
The complexity of the control and instrumentation systems necessitates the use of the
definitions below. These definitions are most ap propriate to safety-related systems. Figure 7.2-2 illustrates the use of the defined terms.
[7.2-24]
A. Trip System
A trip system is an interconnected arrangement of components making use of instrument channel outputs, trip logics, and trip actuators to accomplish a
trip function when appropriate logic is satisfied.
B. Trip A trip is the change of state of a bi stable device from one state to another.
A trip is generated by a trip channel, trip logic, or trip system, and represents recognition of an abnormal condition.
C. Trip Channel
A trip channel is an arrangement of components required to originate a single signal. The channel includes the sensor and wiring up to the point where the QUAD CITIES - UFSAR 7.2-7 Revision 8, October 2005 trip signal is generated. A channel lo ses its identity where channel trip signals are combined.
D. Trip Logic
A trip logic is an arrangement of comp onents designed to recognize specific combinations of signals from trip channels. A trip logic generates a trip signal by actuating a trip actuator.
E. Trip Actuator
A trip actuator is the mechanism that carries out the final action of a trip logic.
F. Trip Actuator Logic
A trip actuator logic is an arrangemen t of components designed to recognize specific combinations of signals from trip logics. This term is needed to clearly define portions of a complex trip syst em having more than one trip logic.
Because trip actuators are the mechanism by which trip logics generate trip signals, the use of the term trip actuator logic is appropriate. When tripped, a
trip actuator logic carries out the function of the trip system.
A typical logic arrangement of the system is illustrated in Figures 7.2-3 through 7.2-5. The reactor protection system is arranged as tw o separately powered trip systems. Each trip system has three trip logics, two of which are used to produce automatic trip signals. The remaining trip logic is used for a manual trip si gnal. Each of the two trip logics used for automatic trip signals receives input signals fr om at least one trip channel for each monitored variable. Thus, at least four independent tri p channels exist for each monitored variable.
The trip actuators associated with one trip logic provide inputs into each of the trip actuator logics for the associated trip system. Thus, eith er of the two automatic trip logics associated with one trip system can produce a trip system trip. The logic is a one-out-of-two
arrangement. To produce a scram, the trip act uator logics of both trip systems must be tripped. The overall logic of the RPS is therefor e, one-out-of-two-twice, since at least one of the two automatic trip logics in each of the tw o trip systems must actuate in order to cause an automatic RPS trip (scram).
The two RPS trip systems are called trip system A and trip system B. The automatic trip logics of trip system A are A1 and A2; the manual trip logic of trip system A is A3. Similarly, the trip logics for trip system B are B1, B2, and B3. The trip actuators associated with any particular trip logic are identified by the trip lo gic identity (such as trip actuators B2). The trip actuator logics associated with a trip system are identified with the trip system identity (such as trip actuator logic A). Trip channels are identified by the name of the monitored variable and the trip logic identity with which th e channel is associated (such as reactor vessel high pressure trip channel B1).
During operation, all sensor and trip contacts essential to safety are closed; trip channels, trip logics, and trip actuators are normally energized.
QUAD CITIES - UFSAR 7.2-8 Revision 8, October 2005 Each control rod has two scram valves, and either two individual scram solenoid pilot valves (SSPVs) or one SSPV with two solenoid coils, arrang ed functionally as shown in Figure 7.2-3.
Each SSPV is solenoid operated, with both SSP V solenoids normally energized. The SSPVs control the air supply to both scram valves for the associated control rod. With either SSPV solenoid energized, air pressure holds the scra m valves closed. The scram valves control the supply and discharge paths for control rod dr ive (CRD) water (refer to Section 4.6 for discussion of the CRD system).
One of the SSPV solenoids for each control rod is controlled by the reactor protection system (RPS) logic Channel A, the other valve by RPS logic Channel B. There are two DC solenoid-operated backup scram valves that provide a seco nd means of controlling the air supply to the scram valves for all control rods. The DC soleno id for each backup scram valve is normally de-energized. The backup scram valves are energize d to initiate a scram when both trip system A and trip system B are tripped.
[7.2-25] The functional arrangement of sensors and trip channels that make up a single trip logic is shown in Figure 7.2-4. Whenever a trip channe l sensor contact opens, its auxiliary relay de-energizes, causing contacts in the trip logic to open. The opening of contacts in the trip logic de-energizes its trip actuators. When de-energiz ed, the trip actuators open contacts in all the trip actuator logics for that trip system. This action results in de-energizing the scram pilot valve solenoids associated with that trip syst em (one scram pilot valve solenoid for each control rod). Unless the other scram pilot valve so lenoid for each rod is de-energized, the rods are not scrammed. If a trip then occurs in any of the trip logics of the other trip system, the remaining scram pilot valve solenoid for each ro d is de-energized, blocking the air supply and venting the air pressure from the scram valves. The scram valves then reposition allowing accumulator water to act on the CRD piston. T hus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume (SDV).
Figure 7.2-3 shows that when the solenoid for either backup scram valve is energized, the
backup scram valve vents the air supply for the s cram valves; this action initiates insertion of every control rod regardless of the action of the scram pilot valves.
A scram can also be manually initiated. Ther e are two scram buttons, one for trip logic A3 and one for trip logic B3. Depressing the s cram button on trip logic A3 de-energizes trip actuator A3 and opens corresponding contacts in trip actuator logics A. Only trip system A will trip. To effect a manual scram, the buttons for both trip logic A3 and trip logic B3 must be depressed. By operating the manual scram bu tton for one trip logic at a time, followed by a reset of that trip logic before actuating the ot her manual trip logic, each trip system can be tested for manual scram capability.
The trip system requires manual reset by the oper ator; however, in the event of concurrent trips of both trip systems A and B, manual re set is automatically inhibited for a minimum time delay of 10 seconds. The time delay ci rcuit prevents an incident such as has been experienced at another BWR plant where duri ng intermediate range monitoring (IRM) calibration, a full scram signal was initiated and then inhibited by actuation of the scram
reset switch prior to the inse rtion of all control rods.
[7.2-26]
To restore the RPS to normal operation following any single trip system trip or scram, the trip actuators must be manually reset. Reset is possi ble only if the conditions that caused the trip or scram have been cleared and is accomplished by operating switches in the main control
room. To reset the air dump system, the scra m must be reset and the SDV high level bypass switch must be placed in the bypass position. The SDV is addressed in Section 4.6.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-9 The IEEE-279-1968 requirement for Completion of Protective Action Once It Is Initiated (paragraph 4.16) is addressed by the RPS in the following ways:
[7.2-27]
For the reactor protection system trip logi c, actuators, and trip actuator logic, the interface of the RPS trip logic and the trip actuators assures that this design
requirement is accomplished. The trip actuat or is normally energized and is sealed-in by one of the power contacts to the trip logic string. Once the trip logic string has been open-circuited as a result of a proc ess sensor trip channel becoming tripped, the scram contactor seal-in contact opens. At this point in time, the completion of protection action is directed regardless of the state of the initiating process sensor trip channel.
The reactor protection system reset switch (when enabled) bypasses the seal-in contact to permit the RPS to be reset to its normally energized state when all process sensor trip channels are within thei r normal (untripped) range of operation.
In the event of concurrent trips of both trip systems A and B, manual reset is
automatically inhibited for a minimum time delay of 10 seconds. The time delay prevents reset prior to the insertion of all control rods.
This requirement applies to all of the following functions:
Neutron monitoring system scram trip
Reactor vessel high pressure scram trip
Reactor vessel low water level scram trip
Turbine stop valve closure scram trip
Turbine control valve fast closure scram trip
Main steam line isolation valve closure scram trip
Scram discharge volume high water level scram trip
Primary containment high pressure scram trip
Manual scram pushbuttons
The turbine stop valve closure and turbine control valve fast closure trip bypass function is
placed into effect only when the turbine first-stage pressure is at or below the setpoint value. For plant operation above this setpoi nt, the trip channels will initiate protective action once the scram contactors have de-e nergized and opened the seal-in contact associated with the RPS trip logic.
The scram discharge volume high water level trip bypass function is only required after a reactor scram when the discharge volume has accumulated water and must be drained.
Consequently, this bypass function permits comp letion of protective action once it is initiated and satisfies this design requirement.
The main steam line isolation valve closure trip bypass is in effect only when the reactor
mode switch is in the SHUTDOWN, REFUE L, or STARTUP/HOT STANDBY position.
QUAD CITIES - UFSAR Revision 9, October 2007 7.2-10 Completion of protective action is not influenc ed by the reactor mode switch, trip logic test switch, or the Neutron monitoring system trip bypass.
This design requirement is not applicable for the reactor protection system motor-generator sets and power distribution and reactor prot ection systems outputs to other systems.
7.2.2.5 Initiating Signals and Circuits
Table 7.2-1 lists the analytical limits utilized in determining the scram setpoints of the protection system. Figure 7.2-4 shows the scram functions in block form.
[7.2-28]
A. Neutron Monitoring System Hi gh Flux and Core Power Oscillations Four IRM channels and three APRM channels are connected to each of the two RPS trip systems. IRM and APRM trip logic is modified by the position of the mode switch as indicated in Table 7.2-1.
Two OPRM channels are connected to each of the two RPS trip systems. The OPRM trip logic is enabled (armed) manually by operator action or automatically during certain reactor core power and reactor recircu lation flow conditions.
Under certain circumstances, such as initia l startup or refueling, shorting links in the manual scram circuits may be removed to provide either coincident or non-coincident source range monitoring (SRM) trip capability. Shorting links will be removed from the RPS circuitry whenev er more than one control rod will be removed from fueled cells with the vesse l head less than fully tensioned. (For Example. During shutdown margin demo nstrations.) This requirement is not applicable during withdrawal of control ro ds controlled by the control rod removal Technical Specifications. Single rod with drawal with the shorting links installed and the head not tensioned is allowed pr ovided that the core loading has been verified to match an analyzed shutdown margin configuration and the one-rod-out
refueling interlock has been demonstrated op erable. Verification of the removal of the shorting links during these conditio ns will be performed within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> of withdrawal of control rods and once pe r 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter. Removing both shorting links in both manual scram circuits enables the nuclear instrument non-
coincident trips, allowing a single trip from any of the nuclear instruments to cause a scram. Coincident trips may be enabled by removing one shorting link in one scram channel and the shorting link for the opposite nuclear instrument channel in the other scram channel. Four SRM c hannels are provided with retractable detectors.
The neutron monitoring system is discussed in detail in Section 7.6.
B. Reactor High Pressure
High pressure within the reactor syst em poses a direct threat of rupture to the reactor coolant system pressure boundary.
A pressure increase while the reactor is operating compresses the steam voids and resu lts in a positive reactivity insertion causing increased core heat generation that could lead to a violation of the core thermal-hydraulic safety limit.
[7.2-29]
The reactor high pressure scram setti ng is chosen slightly above the reactor vessel maximum normal operating pressure to permit normal operation without spurious scrams, yet provide a wide margin to the pressure safety limit.
QUAD CITIES - UFSAR Revision 5, June 1999 7.2-11 C. Reactor Vessel Low Water Level
A low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. Should water level decrease too far, fuel
damage could result as steam forms around fuel rods.
[7.2-30]
The reactor vessel low water level scram setting prevents fuel damage following abnormal operational transie nts caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level.
Specifically, the scram setting is chosen far enough below normal operational levels to avoid spurious scrams but hi gh enough above the top of the active fuel to assure that enough water is av ailable to account for evaporation losses and displacements of coolant following the most severe abnormal operational transient involving a level decrease. (See Section 15.6.)
D. Turbine Stop Valve Closure
Closure of the turbine stop valves with the reactor at power can result in a significant addition of positive re activity to the core as the nuclear system pressure rise collapses steam voids.
[7.2-31]
The turbine stop valve closure scram, which initiates a scram earlier than either the neutron monitoring system or high re actor pressure, is required to provide a satisfactory margin below the core th ermal hydraulic safety limit for this category of abnormal operational transients.
The scram counteracts the addition of positive reactivity due to pressure increases by inserting negative rea ctivity with the control rods. (See Section 4.6.) Although the reactor high pressure scram, in conjunction with the pressure relief system, is adequat e to preclude overpressurizing the nuclear system, the turbine stop valv e closure scram provides additional margin to the pressure safety limit.
The turbine stop valve closure scram setting is selected to provide the earliest positive indication that the valves are closing. The trip logic was chosen both to identify those situations in which a reactor scram is
required for fuel protection and to a llow functional testing of this scram function.
E. Turbine Control Valve Fast Clos ure (Turbine Generator Load Rejection)
With the reactor and turbine-generato r at power, fast closure of the turbine control valves can result in a significant ad dition of positive reactivity to the core as nuclear system pressure rises.
The turbine control valve fast closure scram, which initiates a scram earlier than either the neutron monitoring system or reactor high pressure, is required to provide a satisfactory margin to the core thermal-hydraulic safety limit for this category of abnormal operational transient
- s. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. (See Section 4.6.) Although the reactor high pressure scram, in conjunction with the pressure relief system, is adequate to preclude QUAD CITIES - UFSAR Revision 10, October 2009 7.2-12 overpressurizing the nuclear system, th e turbine control valve fast closure scram provides additional margin to the pressure safety limit.
The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure. The trip logic was chosen
to identify those situations in whic h a reactor scram is required for fuel protection.
F. Main Steam Line Isolation Valve Closure
The automatic isolation of the main st eam lines on low pressure was provided to give protection against ra pid reactor depressurization and the resulting rapid cooldown of the vessel. Advantage was taken of the main steam line isolation
valve closure scram feature in the R UN mode to ensure that high power operation at low reactor pressures does no t occur, thus providing protection for the fuel cladding integrity safety limit.
[7.2-32]
In addition, the main steam line isolation valve closure scram in the RUN mode anticipates the pressure and flux trans ients which occur during normal or inadvertent isolation valve closure.
The main steam line isolation valve closure scram setting is selected to give the earliest positive indication that the va lves are closing. The trip logic allows functional testing of valve closure trip channels with one steam line isolated.
G. Scram Discharge Volume High Water Level
During normal operation, the scram discharge volume will be empty due to natural draining via normally open dr ain and vent valves. However, upon initiation of a reactor scram, these drain and vent valves are closed to retain the
control rod drive discharge water and limit the loss of reactor water inventory.
Due to the hydraulic design of the piping and the volume, the rate of change of water level is relatively slow and is a ssumed to be negligible in terms of its transient response influence on the sensor.
[7.2-33]
Should the SDV fill to the point where not enough space remains for the water displaced during a scram, control rod mo vement would be hindered in the event a scram were required.
[7.2-34]
The water level scram setpoint is set such that sufficient free volume remains to accommodate the water displaced during a scram.
H. Drywell High Pressure
A high pressure inside the drywell could indicate a loss of reactor coolant, requiring a scram of the reactor to minimi ze the possibility of fuel damage and to reduce the addition of energy from the co re to the coolant. The reactor vessel low water level scram also acts to scram the reactor for loss-of-coolant accidents. The drywell high pressure scram setting is se lected to be as low as possible without inducing spurious scrams or isolations.
[7.2-35]
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-13 I. Deleted.
J. Turbine-Generator Condenser Low Vacuum
The reactor is protected from the effe cts of a complete loss of vacuum in the turbine-generator condenser by closing the turbine stop valves and, ultimately, the turbine bypass valves. Closure of the turbine stop and bypass
valves causes a pressure transient, a neutron flux rise, and an increase in
surface heat flux similar to that caused by turbine stop valve closure. The turbine stop valve closure scram function is adequate to prevent the cladding safety limit from being exceeded in th e event of a turbine trip transient with bypass closure. The scram on condense r low vacuum reduces the severity by anticipating the transient and scrammin g the reactor at a slightly higher vacuum than the setpoints that close the turbine stop valves and bypass valves.
K. Electro-Hydraulic Control Low Fluid Pressure
The EHC Low Fluid pressure scram function is provided by the pressure switches that sense turbine control valve fast closure.
L. Manual Scram
Manual Scram Pushbuttons:
[7.2-37]
To provide the operator with means to shutdown the reactor independent of the automatic functioning of the RPS, two pushbuttons located in the
control room initiate a scram when bo th are actuated by the operator.
The IEEE-279-1968 General Functional Requirements (paragraph 4.1) are not applicable to RPS functions requiring inte rvention by the control room operator, however, the manual scram pushbutto ns do comply with the IEEE-279-1968 Manual Actuation (paragraph 4.17) design requirement. Failure of an automatic RPS function affects the automatic portions of the system but the manual A3 and
B3 trip logics will still be able to initia te protective action. The manual scram pushbuttons are implemented into the circuitry immediately QUAD CITIES - UFSAR Revision 5, June 1999 7.2-14 above the manual scram contactors in order to minimize the dependence of manual scram capability on other equipment.
[7.2-38]
Trip Logic Test Switch:
The General Functional Requirements of IEEE-279-1968 are not applicable to the trip logic test switch, howeve r, the IEEE-279-1968 Manual Actuation requirement is met as follows:
Operation of one test switch in the A trip system and one test switch in the B trip system will initiate a reactor scram. This provision serves as a backup to the
normal manual scram pushbuttons. Due to its electrical connection at the
beginning of the trip logic strings, it d oes not meet a strict interpretation in requiring operation of a minimum of equipm ent. However, due to its backup role to the more direct manual scram pushbutto ns, it is not necessary that these switches meet this requirement in a literal sense. Furthermore, failure of any
given test switch will not interfere with the automatic RPS functions in any
manner.
M. Reactor Mode Switch in SHUTDOWN
The General Functional Requirements of IEEE-279-1968 are addressed as follows for the reactor mode switch:
[7.2-39]
When the reactor mode switch has been placed in one of its four possible positions, it selects the particular sensors for the scram functions and the
appropriate bypasses for certain sensors.
In addition, the mode switch performs certain interlock functions that are not associated with the RPS. Among these interlock actions are restrictions on
control rod withdrawal and move ment of refueling equipment.
The mode switch consists of a si ngle manual actuator connected to distinct switch banks. Each bank is housed within a fire retardant cover. Contacts from each bank are wired to individual terminal boards by separate cable routing.
When the mode switch is set to a give n position, it enables those protective functions pertinent to that mode of oper ation to perform the necessary automatic protective action.
As a backup function to the reactor scram pushbuttons, movement of the mode switch to the SHUTDOWN position de-ene rgizes the manual A3 and B3 RPS trip logic strings to initiate reactor shutdown (IEEE-279-1968 Manual Actuation, paragraph 4.17). An operating bypass is placed around the mode switch
contacts, after the scram time delay is complete, to permit manual reset of the RPS when in the SHUTDOWN mode for an extended time. The RPS automatic
trip channels and trip logic are independen t of the A3 and B3 manual trip logic strings to provide assurance that the manual actuation will not interfere with the automatic protective channels.
This scram is not considered a prote ctive function because it is not required to protect the fuel or nuclear system process barrier, and it does not act to minimize the release of radioactive material from any barrier.
[7.2-40]
QUAD CITIES - UFSAR Revision 5, June 1999 7.2-15 N. IEEE-279-1968 General Functional Requi rements for Other Signals and Circuits
The RPS reset switch is under the ad ministrative control of the control room operator. Since the reset switch, throug h auxiliary delay contacts, is introduced in parallel with the trip actuator seal-i n contact, failure of the reset switch cannot prevent initiation of protective action when a sufficient number of trip channels are in the tripped condition.
Hence, the automatic initiation requirement for protective action is not invalidated by this reset switch.
[7.2-41]
The reactor protection system moto r-generator sets and power distribution comply since the RPS is a normally ener gized system, and a loss of power from both M-G sets will initiate reactor shutdo wn. Also, since the power source to the RPS trip logic is introduced at the beginning of the series string of individual trip channel outputs, the RPS power system does not interfere with the automatic
action requirements of the protection system.
The reactor protection system trip logi c, actuators, and trip actuator logic is arranged with four trip logic strings in the reactor protection system in a one-out-of-two-twice arrangement. Hence, the RPS trip logic and trip actuator circuitry comply with the design requirement.
The RPS provides output signals from is olated relay contacts to initiate control room annunciation, to process computer logging of trips as they occur, to actuate electrically operated valves to provid e for backup scram capability, and to actuate electrically operated valves to isolate the discharge volume drain and vent isolation valve. These individual outputs are isolated from the relay contacts used to accomplish the protecti ve actions to assure that the latter portions are capable of accomplishing the automatic protective action when
required.
O. IEEE-279-1968 Manual Actuation Require ments for Other Signals and Circuits
Since the reactor protection system rese t switch reset function does not initiate protective action, the design comp lies with this design requirement.
For the reactor protection system trip lo gic, actuators, and trip actuator logic, the trip actuator logic may be placed in a tri pped condition from either one of the two automatic trip logics, A1 or A2, or the manual trip logic A3 associated with one RPS trip system. This action can be acco mplished with the trip logic test switch, manual scram pushbutton, reactor mode sw itch, or with removable fuses in the RPS cabinets. As a result, the desi gn meets this design requirement.
The IEEE-279-1968 Manual Actuation desi gn requirement is not applicable to the RPS automatic trip functions, bypass functions, motor-generator sets and power distribution, or outputs to other systems.
7.2.2.6 Scram Bypasses
A number of scram bypasses are provided to account for the varying protection requirements depending on reacto r conditions and to allow for instrument service during reactor operations. Some bypasses are automatic, others are manual.
[7.2-42]
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-16 Where automatic bypasses are employed, the bypass is automatically removed when the conditions for bypass no longer exist. Othe r operating bypasses are manually installed and are under the administrative control of the con trol room operator. These controls meet the requirements of IEEE-279-1968 Operating Bypasse s (paragraph 4.12) for the following functions:
Neutron monitoring system scrams
Turbine stop valve closure scram
Turbine control valve fast closure scram
Main steam line isolation valve closure scram
Condenser low vacuum scram
Scram discharge volume high water level scram
Turbine stop valve closure and turbine control valve fast closure trip bypass
Main steam line isolation valve closure trip bypass
All manual bypass switches and the reactor mode switch are in the control room, under the
direct control of the control room operator.
Manual bypasses are controlled by mechanical, electrical, or administrative controls to ma intain trip function operability through other channels when one channel is bypassed. Trip functions which use inputs from fluid sensors
may also have individual sensors valved out-o f-service and returned to service under the administrative control of the operator. Trip functions which use limit switch or position switch inputs cannot be manually bypassed.
These administrative and design controls meet the requirements of IEEE-279-1968 Channe l Bypass or Removal from Operation (paragraph 4.11) and Access to Means for Bypa ssing (paragraph 4.14) for the applicable trip functions:
Neutron monitoring system scrams
Turbine stop valve closure and control valve fast closure scrams
Main steam isolation valve closure and condenser low vacuum scrams
Scram discharge volume high water level scram
Reactor vessel high pressure scram (bypass by valve isolation)
Reactor vessel low water level s cram (bypass by valve isolation)
Primary containment high pressure scram (bypass by valve isolation)
QUAD CITIES - UFSAR Revision 9, October 2007 7.2-17 If the ability to trip some part of the system has been bypassed, this fact is continuously indicated in the control room. The requirements of IEEE-279-1968 Indication of Bypass (paragraph 4.13) are met for bypasses involving these RPS trip functions:
Neutron monitoring system IRM, APRM, and OPRM scram Turbine stop valve closure and control valve fast closure, (Turbine Gen. Load Rejection) Main steam line isolation valve closure and condenser low vacuum scram Scram discharge volume high water level scram (if tripped) Reactor vessel high pressure scram (if tripped, also provides computer record) Reactor vessel low water level scram (if tripped, also provides computer record) Primary containment high pressure scram (if tripped, also provides computer record) Reactor mode switch (when cond itions for bypass are satisfied)
Reactor protection functions that are not applicable to the IEEE-279-1968 requirements are listed under the exceptions in Item I.
For short duration bypasses that are not a pe rmanently installed, the requirements of IEEE-279-1968 Indication of Bypass (paragraph 4.13) are met by Administrative Controls of the
bypass; i.e. Caution Card and/or Procedure.
[7.2-42a]
The scram bypasses are as follows:
A. Neutron Monitoring System
Bypasses for the neutron monitoring system channels are described in Section 7.6.
To meet the IEEE-279-1968 General Functional Requirements (paragraph 4.1) and Channel Bypass or Removal from Operat ion requirements (paragraph 4.11), a sufficient APRM and IRM channels are provided in the design to permit continuous
bypass of one APRM channel in each trip sy stem and continuous bypass of one IRM in each trip system. The remaining APRM and IRM channels in service are
adequate in number and in their spatial covera ge of the reactor core to comply with the requirements. Also, a sufficient number of OPRM channels (each channel consisting of two modules) have been provid ed to permit any one OPRM module in a given trip system to be manually bypassed, while still ensuring that the remaining operable OPRM channels comply with the IEEE 279 design requirements.
[7.2-43] In addition, when the reactor mode switch is in RUN, an IRM trip will not cause a scram unless the corresponding APRM has a downscale trip. The OPRMs can be manually enabled but are automatically enabl ed only during reactor power/flow map conditions of high power and low flow.
[7.2-44] B. Turbine Control Valve Fast Closure and Turbine Stop Valve Closure
To meet the IEEE-279-1968 General Functi onal Requirements (paragraph 4.1), the turbine control valve fast closure scram and turbine stop valve closure scram is
provided with a bypass to permit continue d reactor operation at low power levels when the turbine valves are closed.
[7.2-45]
QUAD CITIES - UFSAR Revision 6, October 2001 7.2-18 Closure of these valves from such a correspondingly low initial power level does not constitute a threat to the integrity of any barrier to the release of radioactive material.
[7.2-46]
Removal of this bypass is automatica lly accomplished as the reactor power and turbine first-stage pressure become elevated to the setpoint value. The setpoint for actuation of this bypass is determined from transient analysis considerations taking into account the resultant conse quences of a bypassed turbine RPS trip as a function of reactor operating power.
[7.2-47]
Two turbine first-stage pressure switch es are provided for each trip system to initiate the automatic bypass. The swi tches are arranged so that no single failure can prevent a turbine stop valve closure or turbine control valve fast closure scram.
[7.2-48]
C. Main Steam Line Isolation Valves Closure and Condenser Low Vacuum
The General Functional Requireme nts of IEEE-279-1968 (paragraph 4.1) for this function are addressed as follows:
[7.2-49]
The main steam line isolation valve closure trip bypass function is a manual bypass in that the reactor mode switch must be placed in SHUTDOWN, REFUEL, or STARTUP/HOT STANDBY position to obtain the trip bypass. This
bypass is provided to permit the RPS to be manually reset when the plant is
operating in one of the three aforementioned modes with the isolation valves
closed. These conditions exist during startups, maintenance and certain
reactivity tests during refueling.
D. Scram Discharge Volume High Water Level
A manual keylock switch located in th e control room permits the operator to bypass the SDV high water level scram if the mode switch is in SHUTDOWN or REFUEL. This bypass allows the operator to reset the RPS and air dump
system, so that the system is restored to operation while the operator drains the SDV (IEEE-279-1968 Operating Bypasses, paragraph 4.12). In addition
to allowing the scram relays to be reset, actuating the bypass initiates a
control rod block. Resetting the trip actuators opens the SDV vent and drain valves.
The IEEE-279-1968 General Functional Requirements (paragraph 4.1) for automatic response are not meaningfu l for the bypass channels, since the discharge volume high water level trip is bypassed by manual operation of a bypass switch and the reactor system mode switch. Administrative control must be applied to remove the bypass once the water has been drained from the
instrument volume associated with the discharge piping.
E. Reactor Mode Switch
A reactor mode switch is provided to select the necessary scram functions for various plant conditions. In addition to selecting scram functions from the proper sensors, the mode switch prov ides appropriate bypasses. The mode switch also interlocks such function s as control rod blocks and refueling equipment restrictions, which are not cons idered here as part of the RPS. The switch itself is designed to provide se paration between the two trip systems.
[7.2-50]
QUAD CITIES - UFSAR Revision 5, June 1999 7.2-19 The mode switch positions and their related scram/scram bypass functions are as follows:
- 1. SHUTDOWN ~ Initiates a reactor s cram; selects neutron monitoring system scram for low neutron flux level oper ation (enables the IRM high-high flux and selects the 15% power APRM high-high flux scram signals); bypasses main steam line isolation valve closure and condenser low vacuum scrams.
- 2. REFUEL ~ Selects neutron monitori ng system scram for low neutron flux level operation (enables the IRM high-high flux and selects the 15% power
APRM high-high flux scram signals), bypasses main steam line isolation
valve closure and condenser low vacuum scrams.
- 3. STARTUP/HOT STANDBY ~ Selects neutron monitoring system scram for low neutron flux level operation (enables the IRM high-high flux and selects the 15% power APRM high-high flux scram signals); bypasses main steam
line isolation valve closure and condenser low vacuum scrams.
- 4. RUN ~ Selects neutron monitoring system scram for power range operation (bypasses the IRM high-high flux scram when the companion APRM is not
downscale or inoperative, and selects the APRM flow-biased high-high flux setpoint).
The reactor mode switch complies with IEEE-279-1968 Channel Bypass or Removal from Operation (paragraph 4.11) in the following manner.
[7.2-51]
The use of four banks of contacts for the mode switch permits any RPS trip channel, which is connected into the mode sw itch, to be periodically tested in a manner that is independent of the mode switch itself. Consequently, for any stated position of the mode switch, a sufficient number of trip channels will
remain operable during the periodic test to fulfill this design requirement.
Movement of the mode switch handle from one position to another will
disconnect all redundant channels associat ed with the former position and will connect all redundant channels pertinent to the latter position. In this manner, the mode switch complies with this design requirement.
There are no operating bypasses that are imposed upon the RPS trip channels or RPS trip logic as the result of the posi tion of the mode switch itself (IEEE-279-1968 Operating Bypasses, paragraph 4.12).
The mode switch is under the adminis trative control of plant personnel. Since other controls must be operated or othe r sensors must be in an appropriate state to complete the operating bypass logic, the mode switch itself satisfies the
requirements of IEEE-279-1968 Access to Me ans for Bypassing (paragraph 4.14).
F. Manual Scram Pushbuttons
Since actuation of one manual scram pushbutton places its entire RPS trip system in a tripped condition, the autom atic trip channels are ignored until such time as the RPS is reset to its normally en ergized state. This particular result is in compliance with IEEE-279-1968 Channel Bypass or Removal from Operation (paragraph 4.11).
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-20 G. Trip Logic Test Switch
The test switch is connected into the RPS trip logic preceding all individual trip channel outputs. Consequently, operation of the test switch causes the entire trip logic string to become de-energized and places one RPS trip system in a tripped state. Hence, the test switch meets the IEEE-279-1968 Channel Bypass
or Removal from Operation (paragraph 4.11) design requirement.
The test switch does not fit the bypass definition, but since it is capable of removing the trip logic from operation by placing it in a tripped state, it is important that appropriate indication be gi ven to the operator. In this situation, the operator would receive annunciation that one RPS trip system is in a tripped
state, but no trip channels would be annunciated if they remained within their
setpoint limit. This combination would provide the operator with an indication that the test switch operation was proper.
In this way, the trip logic test switch meets the requirements of IEEE-279-1968 Indication of Bypass (paragraph 4.13).
H. Trip Bypass Features
The trip bypass features and their applicability to IEEE-279-1968 requirements are covered previously within the discussions for those specific trips.
I. Exceptions The requirements of IEEE-279-1968 Channel Bypass or Removal from Operation (paragraph 4.11) are not applicable for the following functions and equipment.
[7.2-51a]
Primary containment high pressure scram trip
Reactor protection system reset switch
Reactor protection system moto r-generator sets and power distribution
Reactor protection system trip lo gic, actuators, and trip actuator logic
Reactor protection systems outputs to other systems
The requirements of IEEE-279-1968 Operating Bypasses (paragraph 4.12) are not applicable to the following functions and equipment.
Reactor vessel high pressure scram trip
Reactor vessel lo w water level scram trip
Primary containment high pressure scram trip
Manual scram pushbuttons
Trip logic test switch QUAD CITIES - UFSAR Revision 7, January 2003 7.2-21 Reactor protection system reset switch
Reactor protection system moto r-generator sets and power distribution
Reactor protection system trip lo gic, actuators, and trip actuator logic
Reactor protection systems outputs to other systems
The requirements of IEEE-279-1968 Indication of Bypass (paragraph 4.13) are not applicable for the following functions and equipment.
Manual scram pushbuttons
Reactor protection system reset switch
Reactor protection system moto r-generator sets and power distribution
Reactor protection system trip lo gic, actuators, and trip actuator logic
Reactor protection systems outputs to other systems
The requirements of IEEE-279-1968 Access to Means for Bypassing (paragraph 4.14) are not applicable to the following functions and equipment.
Reactor vessel high pressure scram trip
Reactor vessel lo w water level scram trip
Primary containment high pressure scram trip
Manual scram pushbuttons
Trip logic test switch
Reactor protection system reset switch
Reactor protection system moto r-generator sets and power distribution
Reactor protection system trip lo gic, actuators, and trip actuator logic
Reactor protection systems outputs to other systems
7.2.2.7 Redundancy, Diversity, and Separation
Instrument piping that taps into the reacto r vessel is routed through the drywell wall and terminates inside the secondary containment (reactor building). Reactor vessel pressure and water level information is sensed from this piping by instruments mounted on instrument racks in the reactor building.
[7.2-52]
Valve position switches are mounted on valves from which position information is required.
The sensors for RPS signals from equipment in the turbine building are mounted locally in
the turbine building. The two M-G sets that supply power for the RPS QUAD CITIES - UFSAR Revision 5, June 1999 7.2-22 are located in the electrical equipment room in the service building in an area where they can be serviced during reactor operations. Po wer and sensor cables are routed to two RPS cabinets in the control room, where the logic circuitry of the system is formed. The trip logics of each trip system are isolated in separa te bays in each cabinet. The RPS, except for the RPS power supplies upstream of the EPAs , was designed using Class I equipment to assure a safe reactor shutdown duri ng and after seismic disturbances.
The scram pilot valve solenoids are powered fr om eight trip actuator logic circuits: four circuits from trip system A, and four from trip system B. The four circuits associated with any one trip system are run in separate conduits. One trip actuator logic circuit from each trip system may run in the same conduit; wiri ng for the two solenoids associated with any one control rod may run in the same conduit.
7.2.2.8 Testability
Provisions are made for timely verification t hat each active or passive component in the RPS is capable of performing its intended function as an individual component and/or in
conjunction with other components. In fulf illment of this general objective, tests are provided to verify that the follo wing specific conditions exist:
[7.2-53]
A. Each instrument channel functions independent of all others;
B. Sensing devices will respond to proc ess variables and provide channel trips at correct values;
C. Paralleled circuit elements can independently perform their intended function;
D. Series circuit elements are free from shorts that can nullify their function;
E. Redundant instrument or logic c hannels are free from interconnecting shorts that could violate independence in the event of a single malfunction;
F. No element of the system is omitted from the test if it can in any way impair operability of the system. If the test is done in parts, then the parts must be
overlapping to a sufficient degree to assure operability of the entire system;
and G. Each monitoring alarm or indication function is operable.
The reactor protection system can be tested duri ng reactor operation by five separate tests.
The first of these is the manual trip actuator test. By depressing the manual scram button for one trip system, the manual trip logic actuat ors are de-energized, opening contacts in the trip actuator logics. After resetting the fi rst trip system tested, the second trip system is tripped with the other manual scram button.
The total test verifies the ability to de-energize all eight groups of scram pilot valve solenoids by using the manual scram
pushbutton switches. Scram group indicator lig hts verify that the trip actuator contacts have opened.
The second test is the automatic trip actuator test which is accomplished by operating the keylocked test switches, one at a time, for each automatic trip logic. The switch de-energizes the trip actuators for that trip logic, causing the associated trip actuator contacts to open. The test verifies the ability of each trip logic to de-energize the trip QUAD CITIES - UFSAR Revision 7, January 2003 7.2-23 actuator logics associated with the parent tri p system. The actuator and contact action can be verified by observing the physic al position of these devices.
The third test includes calibration of the ne utron monitoring system and analog trip system by means of internal simulated inputs from ca libration signal units. Section 7.6 describes the calibration procedures. Likewise, the main steam line radiation monitoring system (Section 11.5) is calibrated using internal calibration signals.
[7.2-54]
The fourth test is the single rod scram test which verifies the capability of each rod to scram. It is accomplished by operating th e toggle switches on the protection system operations panel. Timing traces can be made for each rod scrammed.
The fifth test involves applying a test signal to each RPS trip channel in turn and observing that a trip logic trip results at the required trip po int. This test also verifies the electrical independence of the trip channel circuitry. For trip channels which are initiated by position switches, thermal switches, and radiation moni tors, the appropriate method of applying a test signal to the sensing instrument will be used. The test signals can be applied to the process sensing instruments (pressure and diffe rential pressure) through calibration taps.
The test is conducted as follows:
A. An instrument technician, following a pproved plant procedures , isolates specific instruments using the instrument valve (or instrument manifold valve) and a calibration set is attached to the instrument calibration taps which are arranged to avoid spilling of water (if the instruments are normally filled).
B. A calibration signal sufficient to a ctuate the sensor contacts is applied while reading the value of applied pressure on calibrated test equipment.
C. The trip point and reset point are comp ared to the required setpoint and the trip values are logged.
D. Adjustments are made to the trip se tting if necessary; and the adjustments are logged stating the measured "as-left" setpoint.
E. Communication with the control room is established during the test to verify the trip point as registered on control room in struments. The trip value is logged.
F. Proper protective relay operation is also verified by observation.
G. The calibration signal is then redu ced to zero, the test set is removed, the calibration taps plugged, and the sensors are valved into service in their operating positions.
H. The test is logged as complete.
Reactor protection system response times ar e first verified during routine surveillance testing. The elapsed times from sensor trip to each of the following events is measured:
A. Trip channel relay de-energized, and
B. Trip actuators de-energized.
QUAD CITIES - UFSAR Revision 9, October 2007 7.2-24 The EPAs are routinely tested to ensure proper operation. The testing includes calibration as well as a verification that the breakers will trip during conditions of undervoltage, underfrequency, and overvoltage.
[7.2-55]
Reactor protection system safety-related HFA relays had their coils replaced with General Electric Century Series coils. HFA rela ys are inspected on a sampling basis.
[7.2-56]
The following text discusses the applicability of the RPS functions to IEEE-279-1968
Capability of Sensor Checks (paragraph 4.9).
Neutron monitoring system scram trip
[7.2-57] During reactor operation in the RUN mode, the IRM detectors are stored below the reactor core in a low flux region.
Movement of the detectors into the core permits the operator to oversee the ins trument response from the different IRM channels and will confirm that th e instrumentation is operable.
In the power range of operation, the individual LPRM detectors respond to local neutron flux and provide the operator wi th an indication that these instrument channels are responding properly. The si x APRM channels may also be observed to respond to changes in the gross powe r level of the reactor to confirm their operation.
Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input, and each IRM instrument channel may be
calibrated by introducing an external sig nal source into the amplifier input.
Each OPRM module may be calibrate d with simulated signals introduced into the module utilizing the OPRM Maintenance Terminal.
During these tests, proper instrument response may be confirmed by observation of instrument lights in the control room and trip annunciators.
Reactor vessel high pressure scram trip One sensor may be valved out-of-service at a time to perform a periodic test of the trip channel. During this test, operation of the sensor, its contacts, and the
balance of the RPS trip channel may be confirmed.
Reactor vessel low water level scram trip Because of the one-out-of-two-twice co nfiguration of the RPS trip logic for this protective function, one level sensor may be removed from service to perform the periodic test on any trip channel.
Turbine stop valve closure scram trip The logic of the four RPS trips is as follows:
A1 (tripped) = Turbine stop valve 1 partially closed, and turbine stop valve 2 partially closed A2 (tripped) = Turbine stop valve 3 partially closed, and turbine stop valve 4 partially closed B1 (tripped) = Turbine stop valve 1 partially closed, and turbine stop valve 3 partially closed QUAD CITIES - UFSAR Revision 7, January 2003 7.2-25 B2 (tripped) = Turbine stop valve 2 partially closed, and turbine stop valve 4 partially closed
For any single stop valve closure test, two of the trip channels will be placed in a tripped condition, but none of the tri p logics will be tripped, and no RPS annunciation or computer trip channel logging will be evident. This
arrangement permits single valve testin g without corresponding tripping of the RPS, and the observation that no RPS trips result is a valid and necessary test
result.
At reduced power levels, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel
identification. These observations ar e another important test result that confirms proper RPS operation.
In sequence, each combination of single valve closures and dual valve closures is performed to confirm proper operation of all trip channels.
Turbine control valve fast closure scram trip
During any control valve fast-closure test, one RPS trip channel will be tripped and will produce both control room annuncia tion and computer record of the trip channel identification.
Main steam line isolation valve closure scram trip
[7.2-58]
For any single valve closure test, tw o of the trip channels will be placed in a tripped condition, but none of the tri p logics will be tripped, and no RPS annunciation or computer trip channel record will be evident. This arrangement permits single valve testing without co rresponding tripping of the RPS. The observation that no RPS trips result is a valid and necessary test result.
[7.2-59]
At reduced power levels, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel
identification. These observations ar e another important test result that confirms proper RPS operation.
In sequence, each combination of single valve closures in each of two main steam lines is performed to confirm proper operation of all eight trip channels.
These test results confirm that the valv e limit switches operate as the valves are manually closed.
Scram discharge volume high water level scram trip
During reactor operation, the discharge volume level sensors may be tested by using the instrument isolation valves in proper sequence in conjunction with quantities of demineralized water.
Primary containment high pressure scram trip
During reactor operation one pressure switch may be valved out-of-service at a time to perform periodic testing.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-26 Reactor mode switch
Operation of the mode switch may be verified by the operator during plant operation by performing certain sensor te sts to confirm proper RPS operation.
Movement of the mode switch from one position to another is not required for these tests since the connection of appropriate sensors to the RPS logic, as well
as disconnection of inappropriate sensors, may be confirmed from the sensor
tests.
Turbine stop valve closure and turbine control valve fast closure trip bypass
Testing of individual pressure switch es is permitted during plant operation by valving out-of-service one pressure switch at a time. A variable pressure source may then be introduced to the switch to confirm the setpoint value and switch operation.
Neutron monitoring system trip bypass
At any time, the operator may co nfirm proper operation of the neutron monitoring system bypass channels by pl acing the bypass switch for any given trip system into specific positions and introducing trip conditions into one neutron monitoring system trip channel at a time for that same trip system. A sequential combination of these operations will provide for complete verification of the neutron monitoring system bypass channels.
Scram discharge volume high water level trip bypass
During plant operation in the STARTUP/HOT STANDBY and RUN modes, imposition of this bypass function is inhi bited by the reactor mode switch. Under these circumstances, operation of the bypa ss switch should not produce a bypass condition for any single trip channel.
This fact can be determined from the control room annunciator, a visual inspection of the bypass relays, and the
process computer printout of any dischar ge volume high water level trip channel placed in a tripped condition prior to the bypass switch test.
Main steam line isolation valve closure trip bypass
Testing of the bypass circuit is possible in the SHUTDOWN, REFUEL, or STARTUP/HOT STANDBY positions of the mode switch. Confirmation that the
bypass is not in effect in the RUN mode may be made at operating conditions.
Reactor protection systems outputs to other systems
Output signals from the RPS have not been derived at the process sensor interface due to a lack of adequate isolation at this point. Rather, the outputs
have been obtained from the trip channel relays and trip actuator relays which
do provide adequate isolation of the signal source.
QUAD CITIES - UFSAR Revision 4, April 1997 7.2-27 Exceptions
This design requirement is not applicable to the following equipment:
Manual scram pushbuttons
Trip logic test switch
Reactor protection system reset switch
Reactor protection system moto r-generator sets and power distribution
Reactor protection system trip logic, actuators, and trip actuator logic
7.2.2.9 Environmental Considerations
The reactor protection system components which are located inside the primary containment and which must function in an environment resulting from a break of the
nuclear system process barrier inside the primary containment, are the temperature equalizing columns and condensing chambers.
Special precautions are taken to ensure their satisfactory operability after an accident.
The condensing chambers are addressed in the reactor vessel instrumentation portion of Section 7.6.
[7.2-60]
Sensing elements are equipped with enclosures so that they can withstand conditions that may result from a steam or water line break long enough to perform satisfactorily.
[7.2-61]
Wiring and cables for RPS instrumentation we re selected to avoid ex cessive deterioration from temperature and humidity during the desi gn life of the plant. Cables and connectors used inside the primary containment were desi gned for continuous operation at an ambient temperature of 150°F and a relative humidity of 99%.
Cables required to carry low-level signals currents of less than 1 mA or voltages of less than 100 mV were designed and installed to eliminat e, insofar as practical, electrostatic and electromagnetic pickup from power cables and other ac or dc fields. In these cases, ferromagnetic conduits or totally enclosed ferromagnetic trays are used.
7.2.2.10 Operational Considerations
The operational considerations of the RPS are as follows:
[7.2-62]
A. Indicators
Indication or annunciation is available for all parameters used by the RPS.
Each of the eight scram groups (A1-A4 and B1-B4) is provided with a normally-energized indicator light at the RPS cabinets and on the main control panel. The
scram group indicators extinguish when an actuator logic opens.
The data presented to the operator for all of the RPS functions comply with the IEEE-279-1968 Information Readout (parag raph 4.20) design requirement.
QUAD CITIES - UFSAR Revision 11, October 2011 7.2-28 Indications provided for the specific RPS functions and conformance to IEEE-279-1968 Identification of Protective Actions are discussed in Item F.
B. Annunciators
Whenever an RPS sensor trips, it lights a white annunciator window for that variable on the reactor control panel in the control room. The first trip system to trip also lights a red window to indicate which trip system tripped first. [7.2-63]
An RPS trip channel trip also sounds a horn, which can be silenced by the operator. The annunciator window light s remain illuminated until all sensors that tripped in a group of sensors monitoring the same variable are clear. When
all sensors in a group of sensors monitoring the same variable are clear, the
alarm window slow flashes. The alar m window slow flashing is a visual indication to the operator that all sensor s in that group of sensors are clear, and the operator may reset the window with the reset pushbutton. The red window is reset by a separate reset pushbutton.
The individual sensors that tripped in a group of sensors monitoring the same vari able may be identified by the position of the RPS relays (tripped or untripped). The location of the alarm windows on
the annunciator provides the operator with the means to quickly identify the cause of RPS trips and to evaluate the th reat to the fuel or nuclear system process barrier.
The control room annunciations for the RPS functions and equipment comply with the requirements of IEEE-279-1968 Information Readout (paragraph 4.20).
[7.2-64]
Annunciators provided for the spec ific RPS functions and conformance to IEEE-279-1968 are discussed in Item F.
C. Computer Alarms To provide the operator with th e ability to analyze an abnormal transient during which events occur too rapidly for direct operator comprehension, all RPS trips are monitored by the proce ss computer system and recorded in historical archives that may be retrieved later for review. These archives are described in detail in the process computer documentation.
[7.2-65] Computer inputs provided for the sp ecific RPS functions and conformance to IEEE-279-1968 are discussed in Item F.
D. Operator Controls
The reactor mode switch, which selects the proper interlocking for the operating or shutdown condition of the plant including the scram/scram bypass functions, is addressed in Section 7.2.2.6.
QUAD CITIES - UFSAR Revision 10, October 2009 7.2-29 Whenever either manual scram pushbutton is depressed, a red indicating light in the pushbutton is illuminated and a trip system trip occurs. When the trip
pushbuttons for both trip systems are depr essed, or the reactor mode switch is placed to the shutdown positi on, a reactor scram occurs.
[7.2-66]
E. Operable Trip Channels
To ensure that the RPS remains functional, the number of operable trip channels for the essential monitored variables should be maintained at or above the
minimums given in the Technical Specifications. The minimums apply to any
untripped trip system; a tripped trip syst em may have any number of inoperative trip channels. Because reactor protection requirements vary with the mode in which the reactor operates, the tables in the Technical Specifications show different functional requirements fo r the RUN, STARTUP/HOT STANDBY and REFUEL modes.
[7.2-67]
F. IEEE-279-1968 Identification of Protective Actions (paragraph 4.19)
The reactor protection system trip logi c, actuators, and trip actuator logic use four control room annunciators to identify the tripped portions of the RPS in
addition to the previously described trip channel annunciators:
[7.2-68]
A. A1 or A2 automatic trip logics tripped;
B. A3 manual trip logic tripped;
C. B1 or B2 automatic trip logics tripped; and
D. B3 manual trip logic tripped.
These same functions are connected through independent auxiliary contacts of the scram contactors to the process comp uter to provide a record of the relay operations. These methods may be used to identify the protective action for any of the RPS functions listed below.
Reactor vessel high pressure scram trip
Reactor vessel lo w water level scram trip
Scram discharge volume high water level scram trip
Primary containment high pressure scram trip
Manual scram pushbuttons
Turbine control valve fast closure scram trip
Protective actions for the remainin g RPS functions may be identified as described in the following text.
QUAD CITIES - UFSAR Revision 10, October 2009 7.2-30 Neutron monitoring system scram trip A common neutron monitoring syst em annunciator is provided in the control room to indicate the source of the RPS trip. The process computer provides
a record of the RPS A1, A2, B1, and B2 neutron monitoring system channel trips, as well as identification of individual IRM and APRM channel trips.
The Sequence of Events Recorder (SER) provides a record of the OPRM
system channel trips.
Each RPS trip system has one IRM upscale or inoperative annunciator and one APRM upscale or inoperative annunc iator in the control room. Two additional annunciators indicate any IRM downscale or any APRM
downscale. Each RPS trip system has an OPRM trip annunciator. Two
additional annunciators indicate any OPRM "alarm" or "trouble/inop" conditions.
Each instrument channel, whether IRM, APRM, or OPRM has control room panel lights indicating the status of the channel.
Turbine stop valve closure scram trip Partial or full closure of a particular set of two turbine stop valves will initiate a control room annunciator when the trip point has been exceeded.
This same condition will permit identification of the tripped channels in the
form of a record from the process comp uter or by visual observation of the relay contacts in the RPS panels.
Main steam line isolation valve closure scram trip Partial or full closure of any main steam line valve is indicated by valve position indicator lights in the control room. These indications are not a
part of the reactor protection system but they do provide the operator with valid information pertinent to the valve status.
Partial or full closure of two valves in a particular set of main steam lines will initiate a control room annunciator when the trip setpoint has been
exceeded. This same condition will perm it identification of the tripped trip channels in the form of a record from the process computer or visual inspection of the relay contacts at the RPS panels.
Reactor mode switch Identification of the mode sw itch in SHUTDOWN position scram trip is provided by the manual scram annunciators, their process computer trip
logic identification printout, and th e mode switch in SHUTDOWN position annunciator.
Reactor protection system reset switch Reset of the RPS is not a protective action; however, proper operation of the switch may be inferred from removal of annunciated conditions as the RPS returns to its normally energized state.
Reactor protection systems outputs to other systems The design of the RPS output networks complies with this design requirement.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-31 The RPS trip bypasses provide no protective action; therefore, one control room annunciator is provided to indicate the bypass condition. The RPS bypasses are
discussed in Section 7.2.2.6.
This design requirement is not applicable to the following equipment.
Trip logic test switch
Reactor protection system moto r-generator sets and power distribution
7.2.2.11 Anticipated Transient Without Scram
The alternate rod insertion (ARI) functions as an alternate means for reactor shutdown in the event that a required scram is not effecte d by the RPS. The anticipated transient without scram system includes ARI and is addressed in Section 7.8.
[7.2-69]
7.2.3 Analysis of Design Requirements Conformance
The reactor protection system is designed to provide protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the nuclear system process barrier. Chapter 15 identifies and evaluates events with respect to the fuel barrier and reactor coolant pressu re boundary (RCPB) integrity.
[7.2-70]
The scrams initiated by neutron monitoring sy stem variables, turbine stop valve closure, turbine control valve fast closure, main steam isolation valve closure, and reactor vessel low water level are sufficient to prevent fuel dama ge following abnormal operational transients.
Specifically, these scram functions initiate a scram in time to prevent the core from
exceeding the thermal-hydraulic safety limit during abnormal operational transients.
The scram initiated by reactor high pressure , in conjunction with the pressure relief system, is sufficient to prevent damage to the nuclear system process barrier as a result of internal pressure. For turbine-generator tri ps, the turbine stop valve closure scram and turbine control valve fast closure scram prov ide a greater margin to the nuclear system pressure safety limit than the high pressure scram. Chapter 15 identifies and evaluates accidents and abnormal operational events that could result in reactor vessel pressure increases.
The scrams initiated by the neutron monitoring system, main steam isolation valve closure, and reactor vessel low water level satisfactorily limit the radiological consequences of gross failure of the fuel or nuclear system process barriers. Chapter 15 evaluates failures of the fuel.
The scram discharge volume high water level scram, drywell high pressure scram, and manual scram provide protective functions not directly related to protecting the fuel or process barriers.
[7.2-71]
The following text discusses the system variabl e inputs to the RPS functions as they apply to IEEE-279-1968 Derivation of System Inputs (paragraph 4.8).
[7.2-72]
QUAD CITIES - UFSAR Revision 9, October 2007 7.2-32 Neutron monitoring system scram trip The measurement of neutron flux is an appropriate variable to determine the reactor power relative to the predetermined setpoint. Additional design details are available in General Electric NED Topical Report APED-5706. The OPRMs are auto-enabled in the operat ing region of potential thermal hydraulic instability based on reactor flow and powe r inputs from the transmitters in the reactor coolant recirculation lines via flow units and from the APRMs respectively.
Turbine stop valve closure scram trip The measurement of turbine stop valve position is an appropriate variable for this RPS protective function. The desired vari able is loss of the reactor heat sink.
However, stop valve closure is the logical variable to infer that the steam path has
been blocked between the reactor and the heat sink.
Turbine control valve fast closure scram trip Due to the normal throttling action of the turbine control valves with changes in the plant power level, measurement of con trol valve position is not an appropriate variable for this protective function.
The desired variable is "rapid loss of the reactor heat sink"; consequently, some meas urement of control valve closure rate is indicated. Protection system design practice has discouraged use of rate-sensing devices for protective purposes, and in this instance, it was determined that detection of
hydraulic actuator operation or hydraulic fluid pressure would be a more positive means of determining fast closure of the control valves.
These selected measurements are felt to be adequate and proper variables for the protective function taking into consider ation the reliability of the chosen sensors relative to other available sensors and th e difficulty in making direct measurement of control valve fast-closure rate.
Reactor vessel low water level scram trip Actual water level is the desired vari able, and the selected sensors monitor this variable directly. Thus, the chosen variable is the proper one to provide the
necessary protective function.
Reactor vessel high pressure scram trip For this protective function, selection of reactor vessel pressure is an appropriate variable to provide the required protective function.
Main steam line isolation valve closure scram trip The measurement of the main steam line isolation valve position is an appropriate variable for the reactor protection system. The desired variable is loss of the reactor heat sink, however, isolation valv e closure is the logical variable to infer that the steam path has been blocked between the reactor and the heat sink.
It should be noted that other valves in this steam path, such as turbine stop valves, etc., are also monitored by the reactor prot ection system to assure proper response of the reactor to path blockages downstream of the main steam line isolation valves.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-33 Scram discharge volume high water level scram trip
The measurement of discharge volume water level is an appropriate variable for this protective function. The desi red variable is "available volume" to accommodate a reactor scram. However, the measurement of consumed volume, by determining that the water level has ri sen to a fixed value, is sufficient to infer the amount of remaining available volume, since the total volume is a fixed, predetermined value.
Primary containment high pressure scram trip
The measurement of primary containment high pressure is an appropriate variable to detect an abnormal condition wi thin this boundary. High pressure within the primary containment could in dicate a break in the nuclear system process barrier and these sensors would respond to limit the consequences of
such a break.
Reactor mode switch
Since the mode switch is used to co nnect appropriate sensors into the RPS logic depending upon the operating state of the reactor, the selection of particular
contacts to perform this logic operation is an appropriate means for obtaining the desired function.
Turbine stop valve closure and turbine control valve fast closure trip bypass
Since the intent of this bypass is to permit continued reactor operation at low power levels when the turbine stop or control valves are closed, the selection of
turbine first-stage pressure is an appropriate variable for this bypass function.
In the power range of reactor operation, turbine first-stage pressure is
essentially linear with increasing reacto r power. Consequently, this variable provides the desired measurement of power level.
Neutron monitoring system trip bypass
Due to the requirement for operator actuation of the bypass function, this design requirement is satisfied by the four control room bypass switches.
Scram discharge volume high water level trip bypass
Due to the manual action required for this bypass function, this design requirement is satisfied by operator inte raction with a single bypass switch and the mode switch.
Main steam line isolation valve closure trip bypass
The instrumentation furnished for this bypass function complies with the design requirement.
QUAD CITIES - UFSAR 7.2-34 The main steam line isolation valve cl osure trip will result from valve closure whenever the reactor is operating in the RUN mode. This constraint has been
selected to permit manual reset of the RP S under specified conditions whenever the main steam line isolation valves are partially or fully closed.
Reactor protection systems outputs to other systems
Selection of specific outputs from the RPS to the annunciation and process computer systems has been based on the objective of monitoring the RPS
performance and providing meaningful information.
Exceptions
This design requirement is not applicable for the following equipment:
Manual scram pushbuttons
Trip logic test switch
Reactor protection system reset switch
Reactor protection system motor-generator sets and power distribution
Reactor protection system trip logi c, actuators, and trip actuator logic
7.2.3.1 Single Failure Criterion
In terms of protection system nomenclature, th e RPS is a one-out-of-two-twice logic system.
Theoretically, its reliability is slightly high er than a two-out-of-thr ee system and slightly lower than a one-out-of-two system. However, si nce the differences are slight, they can, in a practical sense, be neglected. The advantag e of the dual trip system arrangement is that it can be tested thoroughly during reacto r operation without causing a scram. This capability for a thorough testing program, wh ich contributes significantly to increased reliability, is not possible for a one-out-of-two system.
[7.2-73]
The use of an independent trip channel for each trip logic allows the system to sustain any trip channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or tri p channel failure will cause a single trip system trip and actuate alarms that identify the trip.
The failure of two or more sensors or trip channels would cause either a single trip system trip, if the failures were confined to one trip system, or a reactor scram, if the failu res occurred in different trip systems. Any intentional bypass, maintenance operation, calib ration operation, or test ~ all of which result in a single trip system trip ~ leaves at least two trip channels per monitored variable capable of initiating a scram by causing a trip of the remaining trip system. The resistance
to spurious scrams contributes to plant safe ty, because unnecessary cycling of the reactor through its operating modes would increase the probability of error or actual failure.
Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot valve solenoid for any control rod fails to de-energiz e when a scram is required.
QUAD CITIES - UFSAR Revision 9, October 2007 7.2-35 Failure of either RPS M-G set would result, at worst, in a single trip system trip (the de-energization of one of the two scram valve pilot solenoids on each CRD). Alternate power is
available to the RPS buses. A complete, sust ained loss of electrical power to both buses would result in a scram, delayed by the motor-generator set flywheel inertia, in about three seconds (see Section 7.2.2.2).
The following RPS functions meet the single-failure criterion of IEEE-279-1968 (paragraph 4.2). [7.2-74]
Neutron monitoring system scram trip
In order to simplify the description of the trip channel logic, the contact structure associated with IRM 11, APRM 1, and OPRM 1 for RPS relay A will be discussed as "IRM A", "APRM A", and "OPRM A" re spectively, and shall be described in detail. This discussion may then be re lated to the other trip channel in a similar manner. A. With the reactor mode switch in the SHUTDOWN, REFUEL, or STARTUP/HOT STANDBY position, IRM A upscale or inoperative (unless it is bypassed), or APRM A upscale or in operative (unless it is bypassed), or OPRM A automatic suppression function (ASF) trip (unless it is bypassed) will produce a channel trip of output relay A.
B. With the reactor mode switch in the RUN position, IRM A upscale or inoperative (unless it is bypassed) and APRM A downscale (unless it is bypassed), or APRM A upscale or inop erative (unless it is bypassed), or OPRM A ASF trip (unless it is bypassed) will produce a channel trip of output relay A. C. A trip of channel output relay A or a trip of channel output relay C (associated with IRM 13, APRM 3A, and OPRM 3) will produce a RPS A1 channel trip. Similarly, a trip of channel output relay E (IRM 12, APRM 2, OPRM 2) or relay G (IRM 14, APRM 3B, OPRM 7) will produce a RPS A2 channel trip. An A1 trip or an A2 trip will produce a trip for the "A" RPS trip system. Cables from individual LPRM and IR M detectors are grouped under the reactor vessel to correspond with the RPS trip channel designations and are run in conduit from the vessel pedestal area to the neutron monitoring system cabinets.
Reactor vessel high pressure scram trip
Two pressure transmitters are connecte d to each of two physically separated taps. The two pairs of transmitters are physically separated and each provides a
high pressure analog signal to a sepa rate analog trip cabinet in the Service Building Cable Spreading Room. From the analog trip cabinet, a contact is wired to the RPS cabinet in the Control Room. Wiring between the pressure
transmitters, analog trip cabinets, and RPS c abinets is run in metal conduits to maintain both physical separation and electrical isolation of the redundant
channel. The physical separation and the signal arrangement assure that no
single physical event can prevent a rea ctor high pressure scram demand from occurring.
QUAD CITIES - UFSAR Revision 6, October 2001 7.2-35a Reactor vessel low water level scram trip
The transmitters and analog trip units are arranged in pairs, in the same way as the RPS system high pressure switches.
Wiring from one level transmitter is run separately from the wiring associated with the other level transmitter on the same instrument line, and the wiring associated with level transmitters on QUAD CITIES - UFSAR 7.2-36 Revision 8, October 2005 one instrument line is separate from th e wiring associated with level transmitters on the other transmitter line. The physical separation and signal arrangement
assure that no single physical event c an prevent a scram due to reactor vessel low water level.
Turbine stop valve closure scram trip
Wiring from the limit switch junction bo x for each stop valve is run in two separate conduits, one for each contact of the lim it switch, to maintain the necessary electrical and physical separation.
Turbine control valve fast closure scram trip
The pressure switches are physically separated and one contact from each pressure switch is used in the RPS trip channels.
There is no single failure that will pr event proper operation of this protective function when it is required.
[7.2-75]
Main steam line isolation valve closure scram trip
Each main steam isolation valve has a limit switch junction box in close proximity to the valve. Wiring from the limit switch junction box on each valve to the control room
RPS relay panels is required to be run in tw o separate conduits, one for each contact of the limit switch, to maintain the necessary electrical and physical separation. One
contact from each limit switch is used with the RPS A trip system; the other contact is used with the RPS B trip system. Failure of any single limit switch will not prevent proper protection system oper ation when it is required.
[7.2-76]
The two relays associated with any one trip logic are located in one panel that is physically and electrically separated from the panel containing the other trip logic circuits.
Scram discharge volume high water level scram trip
Two of the four float-type switches are connected to the north bank and two are connected to the south bank, each with se parate process taps. Two differential pressure transmitters are also connected to each bank. Each of these has a separate process tap.
[7.2-77]
Wiring from each sensor to the contro l room relay cabinets is run in a separate conduit to maintain the electrical and ph ysical separation of the sensor trip channels, and a separate trip channel relay is provided for each pair of sensors. A
pair consists of one float-type and one dp sensor from opposite banks.
QUAD CITIES - UFSAR Revision 6, October 2001 7.2-37 Primary containment high pressure scram trip
One pressure switch is mounted on each pressure tap, and the redundant taps are physically separated from one another by the reactor vessel. Wiring from
each pressure switch is run in separate rigid conduit to the RPS cabinets in the control room to maintain both physical and electrical separation and isolation among the trip channels.
[7.2-78]
A separate trip channel output relay is provided for each pressure switch and each relay is physically separated fr om the others in the RPS cabinets.
Reactor mode switch
The reactor mode switch complies with the single-failure criterion. The mode switch has two physically separated banks operated by a single geared handle.
The A channel and B channel of RPS are separated by these two banks. The
channels of RPS are electrically isolated from one another. SQUG reviews of the panels these switches are located in, concluded panels are seismically adequate.
Consequently, mechanical damage to the Mo de Switch is not a credible event.
Therefore, no credible failures of this switch can disable the protective functions
of RPS.
Trip logic test switch
One switch is placed in each of th e four RPS trip logics with each switch consisting of a two-position keylock co nfiguration. The four switches are mounted in the RPS panels to achieve bo th physical separation and electrical isolation from the redundant test switches.
Reactor protection system reset switch
Each contact of the reset switch is wired to an individual auxiliary relay coil when contacts are used in the RPS trip logic.
Proper operation of the reset switch and its auxiliary relays can be ascertained during periodic tests of the RPS or whenever any particular channel is returned
from a tripped state to the normal untripped condition.
Since opening of the process sensor trip channels is the initiating event for reactor scram, failure of the reset switch will not prevent de-energization of the trip actuators during the time interval t hat the process actually exceeds the trip setpoint.
Turbine stop valve closure and turbine control valve fast closure trip bypass
Two pressure switches are mounted on each of two turbine first-stage pressure taps. Contacts from the pressure swi tches are routed in conduit to the RPS cabinets in the control room. Each pr essure switch contact is connected to a single bypass channel output relay. Th e logic configuration for the bypass is one-out-of-two-twice such that a single bypass channel is associated with a single trip channel for stop valve closure and with a single trip channel for control valve fast closure.
No single failure of this bypass circui try will interfere with the normal protective action of the RPS trip channel.
QUAD CITIES - UFSAR Revision 9, October 2007 7.2-38 Neutron monitoring system trip bypass
For any given bypass switch, the followi ng design provisions have been made to ensure that one and only one channel is bypassed at one time with a given
bypass switch:
A. The switch operator is a joystick type with four positions located at the quadrant extremes (i.e., 90, 180, 270, and 360 degrees) with the vertical
center being the off position. This sw itch type makes selection of bypass for one channel mutually exclusive from selection of any other channel associated with that same switch.
B. Contacts from the bypass switch are connected to auxiliary relays whose coils are energized when one and only one bypass is in effect.
C. Cabling associated with the bypass sw itch is run to separate terminal boards within the panel to achieve greater physical separation and electrical isolation.
Hence, any single failure of this bypass will not remove the necessary OPRM, APRM or IRM protection trip channel.
Scram discharge volume high water level trip bypass
The design of the bypass function requires manual operation of a bypass switch and the mode switch to establish four bypass channels. For the bypass switch, a
single operator connects to two separate blocks of switch contacts within the switch body, and wiring from contacts is routed to separate terminal strips.
One set of switch contacts, in conjuncti on with mode switch contacts, is used to energize two trip channel bypass relays when the bypass condition is desired. In
a similar fashion, the other set of bypass switch and mode switch contacts
energize two other trip channel bypass relays. Contacts from one relay are
connected in series with contacts from a relay in the other group to produce the RPS A1 trip channel bypass function. The trip channel bypass function for the
redundant RPS A2 trip channel is produced from series-connected contacts of the other two relays.
Consequently, it is necessary that four-out-of-four relays be energized in order to bypass the automatic RPS trip channels for th is protective function. There is no single failure of this bypass function that will satisfy the four-out-of-four condition necessary to establish the bypass condition. Hence, this function
complies with the single-failure criterion.
Main steam line isolation valve closure trip bypass
Two contacts from each bank of the mo de switch are each connected to individual bypass relays. Each contact energizes on e of four bypass relays whose contacts are connected into the RPS trip logic.
The relationship of these bypass relays to the RPS trip channels is on a one-to-one basis. Consequently, two particular bypass relays must be energized in
order to bypass the protective function and no single failure in the bypass
circuitry will interfere with the prot ective action of the trip channels.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-39 The following text discusses the remaining RPS functions as they apply to IEEE-279-1968 Single-Failure Criterion (paragraph 4.2).
Manual scram pushbuttons
Two manual scram pushbuttons have been located on one panel with approximately 6 inches separation to perm it the operator to initiate protective action with one motion of one hand. To provide testability during plant
operation without initiating protective action, the logic of the switches is
two-out-of-two in that both switches must be depressed (not necessarily simultaneously) to cause reactor scram.
The manual scram pushbuttons, with the reactor mode switch in the SHUTDOWN position, satisfies the single-failure criterion for manual scram.
These controls are backed up with the tri p logic test switches and various power supply circuit breakers.
On this basis, the reactor manual scram pushbuttons alone do not need to meet the single-failure criterion, but manual initiation of reactor scram in a aggregate
sense does comply with this design requirement.
Reactor protection system motor-generator sets and power distribution
The two RPS M-G sets, the auxiliary power source to permit M-G set maintenance, and the RPS power distribut ion panel need not comply with the single-failure criterion since loss of power at the interface produces a safe
condition for the reactor, and the presen ce of power does not interfere with normal protection action of the trip channels.
Reactor protection system trip logi c, actuators, and trip actuator logic
Those portions of the RPS downstream of the trip channels comply with the design requirement.
Any postulated single failure of a given trip logic will not affect the remaining three trip logics. Similarly, any single fa ilure of a trip actuator will not affect the remaining trip actuators, and any single fa ilure of one trip actuator logic will not affect the other trip actuator logic networks. The cabling associated with one trip logic is routed in conduit that is physically separated from similar cabling associated with the other trip logics. C abling from the trip actuator logic to the scram solenoid fuse panels is routed in individual conduits to comply with this design requirement. Since many indivi dual control rods are wired from any given scram solenoid fuse panel, indivi dual conduits are used to cable each control rod hydraulic control unit. Sinc e any individual control rod may fail to operate from either the A or B solenoid valves, wiring of these two solenoids for one control rod are routed together within a single conduit.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-40 Reactor protection systems outputs to other systems
The designated outputs from the RPS ar e designed so that no single failure in any portion of the RPS, including these output networks, can prevent proper protection system operation when it is required.
It is not necessary that the output ne tworks meet the single-failure criterion in terms of their purpose, but it is essential that the outputs not compromise the
single-failure performance of the RPS in terms of its protective function. This
latter objective has been accomplished in the design of these output functions.
7.2.3.2 Quality of Components and Modules
The RPS components and modules are specified to withstand the transient and steady state conditions of the environment (e.g., temperat ures, humidity, pressure and vibration). The station's work control system data base iden tifies the classification of components.
[7.2-79] The equipment for the following function s apply to the requirements of IEEE-279-1968 Quality of Components and Modules (paragraph 4.
- 3) in that they were chosen to meet the requirements of their intended functions.
[7.2-80]
Neutron monitoring system scram trip
Reactor vessel high pressure scram trip
Reactor vessel low water level scram trip
Turbine stop valve closure scram trip
Turbine control valve fast closure scram trip
Main steam line isolation valve closure scram trip
Scram discharge volume high water level scram trip
Primary containment high pressure scram trip
Manual scram pushbuttons
Reactor mode switch
Reactor protection system reset switch
Turbine stop valve closure and turbine control valve fast closure trip bypass
Neutron monitoring system trip bypass
Scram discharge volume high water level trip bypass
Main steam line isolation valve closure trip bypass QUAD CITIES - UFSAR 7.2-41 The remaining RPS equipment apply to the IEEE-279-1968 standard as indicated.
Reactor protection system motor-generator sets and power distribution
Cabling used within the RPS panels has been selected to be appropriate for RPS use. The RPS M-G sets have been chosen to provide low maintenance.
Reactor protection system trip logi c, actuators, and trip actuator logic
The RPS trip logic consists of seri es-connected relay contacts from the trip channel output relays. The RPS trip actuat or logic consists of relay contacts connected in a specific arrangement from the trip actuators. Within the RPS
panels in the control room, electrical circu its are fused. Individual control rod drive scram solenoids are fused at the scram solenoid fuse panels.
Reactor protection systems outputs to other systems
At the RPS interface with the output networks, isolated contacts of various RPS relays have been used to provide the signal source. These contacts are classified
as being a portion of the RPS component. The load device driven by these
contact outputs is not included in the RPS scope. The use of isolated contact
outputs from the RPS provides a large me asure of isolation and independence for this interface relative to the prot ective action portions of the RPS.
Trip logic test switch
This design requirement is not applicable to this RPS test function.
For each of the RPS functions, the original equipment was required to be certified by the vendor to meet the requirements listed in the purchase order, and for the intended application described for that function. These certifications, in conjunction with applicable field experience for those components in their particular applications, qualified the components. In this way, the functions meet the requirements of IEEE-279-1968
Equipment Qualification (paragraph 4.4)
In addition to the vendor qualification, qualification tests of the relay panels were
conducted to confirm their adequacy for this application.
For RPS outputs to other systems, the RPS cont act outputs from the designated relays were qualified during the relay and panel tests. Q ualification testing beyond this interface was not contemplated.
This design requirement is not applicable to the trip logic test switch function.
Refer to Section 3.11 for information on the current environmental qualification program.
7.2.3.3 Channel Integrity
Safe shutdown of the reactor during earthquake ground motion is assured by the design of the system as a Class 1 system and the fail-sa fe characteristics of the system. The system QUAD CITIES - UFSAR Revision 3, December 1995 7.2-42 fails only in a manner that causes a reactor scram when subjected to extremes of vibration and shock.
[7.2-81]
The following text discusses the RPS function s as they apply to the requirements of IEEE-279-1968 Channel Integrity (paragraph 4.5).
Except as otherwise noted, vendor certifica tion was required that the RPS components would perform in accordance with the requireme nts listed on the purchase specifications as well as in the intended applications.
[7.2-82]
Trip logic test switch
The trip logic test switch is not a tri p channel component; rather, it is an element in the individual RPS trip logic strings.
Reactor protection system reset switch
The RPS reset switch is not a trip c hannel component; rather, its auxiliary relays are elements in the individual RPS trip logic strings.
Reactor protection systems outputs to other systems
Selection of output signals from the RPS to other systems has been done in such a manner to ensure that the integrity of the protection system channels remains
intact and unchanged.
This design requirement is not applicable to the reactor protection system motor-generator sets and power distribution.
7.2.3.4 Channel Separation
Wiring for the RPS outside of the enclosures in the control room is run in enclosed conduits
throughout the plant and used for no other wi ring. The wires from duplicate sensors on a common process tap are run in separate condui ts. Wires for sensors of different variables in the same RPS trip logic may run in the same conduit. The RPS cables have channel
separation requirements which are maintained by the conduit system.
[7.2-83]
Low level signal cables are routed separate ly from all power cables with a minimum separation of 3 feet wherever practical. Wh ere the low level signal cable runs at right angles to a power cable, a separation distance of less than 3 feet may be used, based upon
the probable noise pickup relative to the allowable signal-to-noise ratio.
Except as otherwise noted in the following discussions, the RPS trip, reset, and bypass channels are physically separated and electrically isolated to meet the design requirements of IEEE-279-1968 Channel Independence (paragraph 4.6). Sections 7.2.2.7 and 7.2.3.1
discuss the specific separation methods used for these functions.
[7.2-84]
Manual scram pushbuttons
The manual scram pushbutton is not a channel component; nevertheless, the channels are separated in that the contacts from one switch are wired into the QUAD CITIES - UFSAR Revision 9, October 2007 7.2-43 A3 trip logic and the contacts of the second switch are wired into the B3 trip logic.
Trip logic test switch
While the test switch is not a trip channel component, it is imperative that its use in the RPS trip logic maintain the existing channel independent of the
automatic protective trip channels. The app lication of four test switches, one per trip logic, ensures that this de sign requirement is satisfied.
Neutron monitoring system trip bypass
The neutron monitoring bypass channels comply with this design requirement.
The bypass channel output to the individual OPRM, APRM or IRM trip channel is obtained from an isolated relay contact. This contact output is physically
separated and electrically connected with the other bypass channels in order to provide for one and only one bypass with in one RPS trip system at any given time; however, this cross connection does not invalidate the isolated contact from each relay to the neutron monitoring system trip channel.
Scram discharge volume high water level trip bypass
The bypass circuitry complies with th is design requirement. For operator convenience, a single switch has been selected for the bypass function. Factors considered in this selection were the number of bypass operations required in any given operating period and the expected duration of each bypass. Since the
bypass switch is used only to permit manual reset of the RPS and permit the
operator to drain the discharge volume following reactor scram, the switch will be used infrequently and for short time periods. These considerations suggest that a single switch is a better choice than multiple switches when viewed from the operator's standpoint.
Care has been taken to assure that sufficient physical separation and electrical isolation exists to assure that the bypa ss channels are satisfactorily independent.
Moreover, the conditions for bypass have been made quite stringent in order to provide additional margin.
Reactor protection systems outputs to other systems
Use of isolated relay contacts from the RPS relays assures that the RPS trip channels are maintained independent of one another. The design has considered
the effect of the output devices representi ng a potential point of common failure for all trip channels, and steps have been in corporated into the system to prevent this situation.
This design requirement is not app licable for the following equipment:
Reactor protection system motor-generator sets and power distribution
Reactor protection system trip logi c, actuators, and trip actuator logic QUAD CITIES - UFSAR Revision 9, October 2007 7.2-44 7.2.3.5 Control and Protection System Interaction
Trip channels providing inputs to the RPS ar e not used for automatic control of process systems; thus, the operations of protection and process systems are separated. Sensors, trip channels, and trip logics of the RPS are not used directly for automatic control of process systems. Therefore, failure in the co ntrols and instrumentation of process systems cannot induce failure of any portion of the protection system.
[7.2-85]
Reactor protection system inputs to annunc iators, recorders, and the computer are arranged so that no malfunction of the annunc iating, recording, or computing equipment can functionally disable the system. Signals directly from the RPS sensors are not used as inputs to annunciating or data logging equipm ent. RPS inputs are addressed in Section 7.2.2.5.
The following text discusses the RPS function s as they apply to the requirements of IEEE-279-1968 Control and Protection System Interaction (paragraph 4.7).
[7.2-86]
For the neutron monitoring system trip fun ction, the IRM, APRM, and OPRM trip channels comply with this design requirement. Within the IRM and APRM modules, prior to their output trip unit driving the RPS, analog outp uts are derived for use with control room meters, recorders, and the process computer. El ectrical isolation has been incorporated into the design at this interface to prevent any si gnal failure from influencing the protective output from the trip unit.
The trip channels for each of the remaining RP S trip functions comply with this design requirement. Each trip channel output relay uses two contacts within the RPS trip logic.
One additional contact from each relay is wired to a common control room annunciator.
Another contact from each relay is wired to the process computer. Sections 7.2.2.7 and 7.2.3.1 discuss the specific separation methods used for these functions. Other interactions
or interfaces with the RPS functions are described as follows:
Scram discharge volume high water level scram trip
Two additional level switches are conne cted to the process taps. One level switch produces a control rod withdrawal block in the reactor manual control circuitry.
The other level switch produces a contro l room alarm that the discharge volume is starting to fill. The only connection between these level switches with the four
protection system level switches is th rough the process medium at the taps.
Primary containment high pressure scram trip
One contact from each relay is wi red to the primary containment isolation system to initiate protective isolation functions.
QUAD CITIES - UFSAR Revision 2, December 1993 7.2-45 Manual scram pushbuttons
Since the manual scram pushbutton is used only in the A3 and B3 RPS trip logic strings, there is no interaction with the control systems.
Reactor mode switch
The reactor mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement.
Additional contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator.
No control functions are associated with the mode switch.
Trip logic test switch
Since this test switch is used only for the RPS and is located on the RPS panels, this design requirement is satisfied.
Reactor protection system reset switch
Switch contacts of the RPS reset switch are used only to control auxiliary relays, and contacts from the relays are used only in the trip actuator coil circuit.
Consequently, this RPS function has no in teraction with any other system in the plant.
Reactor protection system motor-generator sets and power distribution
The RPS M-G sets, power distribut ion panel, and cabling for the power distribution throughout the RPS cabinets have no interaction with any of the control systems of the plant.
Reactor protection system trip logi c, actuators, and trip actuator logic
The four RPS trip logic strings are tota lly separate from any other plant system.
The RPS trip actuators utilize the power contacts of the scram contactors to provide the trip actuators logic and the seal-in contact of the trip actuator, and
utilize auxiliary contacts for control r oom annunciation, the process computer inputs and initiation of the backup scram valves.
The trip actuator logic has no interaction with any other plant system, and the scram solenoids are physically separate and electrically isolated from the other portions of the control rod drive hydraulic control unit.
Turbine stop valve closure, turbine control valve fast closure, and main steam isolation valve closure trip bypass
Two output relay contacts are used in the RPS trip logic, and one additional contact from each relay is used to in itiate a control room annunciator for this bypass function.
Neutron monitoring system trip bypass
In practice, each bypass channel consists of multiple relay coils in parallel with contacts from these relays used for differe nt functions. From one relay, contact QUAD CITIES - UFSAR Revision 9, October 2007 7.2-46 outputs are used to provide an input to the process computer; from a second relay, contact outputs are used to provide control room annunciation of the bypass condition; and for a third relay, conta ct outputs are used to bypass the neutron monitoring system trip channels outputs.
A similar configuration exists for bypass of the OPRM subsystem trips. From one relay, a contact is used to bypass the OPRM trip input to the RPS logic; and fr om a second relay, contact outputs are used to provide bypass status input to the OPRM as well as to Main Control Room annunciator and indicating light logic.
Scram discharge volume high water level trip bypass For each trip channel bypass relay, four contacts are used in the bypass logic. One contact of each relay is also wired to a common annunciator in the control room and one contact of the A and B relays is wi red to the control ro d block circuitry to prevent rod withdrawal whenever the trip channel bypass is in effect.
Reactor protection systems outputs to other systems Each output network has been investigat ed to determine the effects of postulated failures and to verify that these failures will not produce a control action that will lead to a need for protective action and , at the same time, will not remove the protection system capability to prod uce the required protective action.
7.2.3.6 Capability for Test and Calibration
Calibration and test controls for the neutron monitoring system are located in the control room and are, because of their physical locati on, under the direct control of the control room operator. Calibration and test controls for pressure transmitters, pressure switches, level switches, and valve position switches are locate d on the switches themselves. These switches are located in the turbine building, reactor bu ilding, and primary containment. Calibration and test controls for the analog trip units associ ated with the transmitters are located on the Master Trip Units. The Master Trip Unit s are located in the Service Building Cable Spreading Room.
[7.2-87]
The following text discusses the RPS function s as they apply to the requirements of IEEE-279-1968 Capability for Test and Calibration (paragraph 4.10).
Neutron monitoring system scram trip The LPRMs provide inputs to the APRMs and must be calibrated before the APRMs. The LPRM gains are set using gain-adjustment-factors determined by
the process computer nuclear calculations involving the reactor heat balance and the relative local flux distributions prov ided by the traversing incore probe (TIP) system. [7.2-88]
The APRM gain-adjustment-factors are then determined using the reactor heat balance, and the gain of the APRM amplifiers are adjusted such that the APRMs
will reflect the fraction of power as calculated by the heat balance.
Each OPRM module may be calibrated with simulated signals introduced into the module utilizing the OPRM Maintenance Terminal. The maintenance terminal can also be used to perform manual testing of the OPRM modules. The OPRM automatically performs self-health tests and reports any detected failures of the individual hardware modules.
QUAD CITIES - UFSAR Revision 9, October 2007 7.2-46a Reactor vessel high pressure scram trip
Once a pressure sensor has been taken out-of-service, confirmation of the pressure setpoint can be made by use of a variable source of pressure or an
analog signal. As the setpoint is exceed ed, the control room operator will obtain annunciation of the trip and computer record of the trip channel identification.
[7.2-89]
QUAD CITIES - UFSAR Revision 2, December 1993 7.2-47 Reactor vessel low water level scram trip
During this calibration procedure, oper ation of the level sensor contacts can be confirmed relative to the indicated leve l scale reading of the instrument. The relationship between indicated level and reactor vessel actual water level is established by calibration of the instrument and the specific plant installation
detail. As a result, periodic calibration is accomplished relative to the indicated water level.
Turbine stop valve closure scram trip
During reactor shutdown, calibration of the setpoint of the turbine stop valve limit switch at a valve position of 10% cl osure is possible by physical observation of the valve stem.
Turbine control valve fast closure scram trip
During plant operation above the autom atic bypass setpoint, one control valve at a time may be slowly closed through the normal servo control loop. As the
control valve approaches the closed position , the fast-acting solenoid is tripped to cause rapid closure of the control valve for the remainder of its stroke. This
action causes the pressure switch input to the RPS to change to its tripped state
and provides a means of periodic testing of this interface.
Main steam line isolation valve closure scram trip
The main steam line isolation valve lim it switches are mounted such that they are not adjustable. Calibration is therefore not required.
[7.2-90]
During reactor shutdown, the main steam line isolation valve limit switch setpoint at a valve position of 10% closure, is verified by physical observation of the valve stem.
During plant operation, the operator can confirm limit switch operability during the periodic scram functional test.
Scram discharge volume high water level scram trip
The logic of the RPS permits the sensors to be removed from service one at a time and tested or calibrated.
[7.2-91]
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-48 Primary containment high pressure scram trip
Once a pressure switch has been prop erly valved out-of-service, testing of the pressure switch and its setpoint may be performed using a variable source of pressure. When the trip setpoint has b een exceeded, the control room operator will obtain an annunciation of the trip and a typed record of the trip channel
identification from the process computer.
Manual scram pushbuttons
During reactor operation, one manual pushbutton may be depressed to test the proper operation of this switch, and once the RPS has been reset, the other
switch may be depressed to test its operat ion. For each such operation, a control room annunciation will be initiated and the process computer will print the identification of the pertinent trip.
Reactor mode switch
Operation of the reactor mode switch from one position to another may be employed to confirm certain aspects of th e RPS trip channels during periodic test and calibration. During tests of the tri p channels, proper operation of the mode switch contacts may be easily verified by noting that certain sensors are connected into the RPS logic and that ot her sensors are disconnected from the RPS logic in an appropriate manner for th e given position of the mode switch.
Reactor protection system reset switch
Operation of the reset switch following a trip of one RPS trip system will confirm that the switch is performing its intended function. Operation of the reset switch following trip of both RPS trip systems will confirm that all portions of the
switch and relay logic are functioning properly since half of the control rods are
returned to a normal state for one actuation of the switch.
Reactor protection system trip logi c, actuators, and trip actuator logic
The trip logic test switch permits each individual trip logic, trip actuator, and trip actuator logic to be tested on a period ic basis. Testing of each process sensor of the protection system also affords an o pportunity to verify proper operation of these components.
Turbine stop valve closure and turbine control valve fast closure trip bypass
Administrative control is exercised to valve one pressure switch out-of-service for the periodic test. During this test, a variable pressure source may be introduced to operate the switch at the setpoint va lue. When the condition for bypass has been achieved on an individual sensor under test, the control room annunciator for this bypass function will be initiated. If the RPS trip channel associated with
this sensor had been in its tripped state, the process computer would log the
return to normal state for the RPS trip logic. When the plant is QUAD CITIES - UFSAR 7.2-49 operating above the setpoint, testing of the turbine stop valve and control valve closure trip channels will confirm that the bypass function is not in effect.
[7.2-92]
Neutron monitoring system trip bypass Due to the discrete nature of this bypass functi on, the term calibration is not meaningful. However, proper operation of the bypass switches and associated logic is possible by periodic testing of the possible combinations of bypass sw itch position and neutron monitoring system trip channel status.
[7.2-93]
Scram discharge volume high water level trip bypass In the STARTUP/HOT STANDBY and RUN modes of plant operation, the preceding procedure may be used to conf irm the trip channels are not bypassed as a result of operation of the bypass switch. In the SHUTDOWN and REFUEL modes
of plant operation, a similar procedure ma y be utilized to produce bypassing of all four trip channels. Due to the discreet nature of the bypass function, calibration is
not meaningful.
Main steam line isolation valve closure trip bypass Testing of the bypass circuit can only be accomplished when the mode switch is not in the RUN position. Hence, this test may be performed in the startup operating phase.
Since it can be confirmed that the bypa ss is not in effect when operating in the RUN mode, the suggested test is adequate to co nfirm proper bypass status during plant operation.
Reactor protection systems outputs to other systems The output functions provided to th e annunciator and process computer systems aid the operator in the RPS periodic testing pr ocess. There is no requirement for the output functions themselves to be subject to periodic testing since they represent an information source rather than a protective function.
Exceptions This design requirement is not applicable to the following equipment:
Trip logic test switch
Reactor protection system motor-generator sets and power distribution
7.2.3.7 Establishment of Trip Setpoints Initially, conservative trip setting s were selected so that they were far enough above or below normal operating levels that spurious scrams and operating inconvenience were avoided.
Analyses were performed using trip settings as pre liminary inputs or conditions to verify that the reactor fuel and nuclear system process ba rrier were protected in accordance with the system design intent. In all cases, the specif ic scram trip point was not selected solely on the value of the trip point that results in no damage to the fuel or QUAD CITIES - UFSAR Revision 9, October 2007 7.2-50 nuclear system process barrier but was selecte d based on operating experience and safety design basis constraints. The current meth odology used to established the Technical Specification allowable values and the associat ed instrument trip setpoints is described in Section 7.1.2.1.
[7.2-94]
Multiple setpoints are used where it is ne cessary to provide more restrictive reactor protection limits due to the mode of operation or operating conditions. The following text discusses the RPS functions as they apply to IEEE-279-1968 Multiple Setpoints (paragraph
4.15). [7.2-95]
Neutron monitoring system scram trip The trip setpoint of each IRM channel is established near the full scale mark for each range of IRM operation. As the op erator switches an IRM from one range to the next, the trip setpoint tracks the operat or's selection. With the reactor mode switch in STARTUP/HOT STANDBY, the IRM trips are enabled and the APRM
trips are fixed at the low power setpoint.
In the transition from STARTUP/HOT STANDBY to RUN mode of operation, the reactor mode switch is used to convert from IRM protection to APRM protection.
In RUN, the APRM trip setpoint is raised to a flow-biased value and the IRM trips are essentially bypassed (i.e., th e corresponding APRM must indicate downscale for the IRM trip to be recognized).
The OPRM does not have multiple setp oints to accommodate different operating conditions. However, the OPRM trip functi on is disabled unless manual action is taken to enable it or the OPRM automatically enables itself upon detection of entry into the high power, low core flow region of the power/flow operating map where there is a potential for instabilities. Each of these multiple setpoint provis ions is a portion of the reactor protection system and complies with the design requirements of IEEE-279.
Reactor mode switch Operation of the mode switch from on e position to another imposes different RPS trip channels into the RPS logic. This a ction does not influence the established setpoint of any given RPS trip channel, but merely connects one set of channels as another set are disconnected. Cons equently, the mode switch meets this design requirement.
Neutron monitoring system trip bypass Due to the different ranges of operat ion of the IRM and APRM systems, the four neutron monitoring system bypass swi tches are designated so that they correspond with those two different neutro n monitoring system equipments. For any given bypass switch, multiple setpoi nts are not provided in the design.
This design requirement is not applicable to the following functions and equipment: Reactor vessel high pressure scram trip Reactor vessel low water level scram trip Turbine stop valve closure scram trip Turbine control valve fast closure scram trip Main steam line isolation valve closure scram trip QUAD CITIES - UFSAR Revision 7, January 2003 7.2-51 Scram discharge volume high water level scram trip
Primary containment high pressure scram trip
Manual scram pushbuttons
Trip logic test switch
Reactor protection system reset switch
Reactor protection system motor-generator sets and power distribution
Reactor protection system trip logi c, actuators, and trip actuator logic
Turbine stop valve closure and turbine control valve fast closure trip bypass
Scram discharge volume high water level trip bypass
Main steam line isolation valve closure trip bypass
Reactor protection systems outputs to other systems
7.2.3.8 Access to Setpoint Adjustments, Calibration, and Test Points
Administrative controls are used as the bas is for assuring that access to Setpoint Adjustments, Calibrations, and Test Points are limited to qualified, plant personnel and
that permission of Operations is obtained to gain access.
[7.2-96]
The following text covers the RPS functions as they apply to the requirements of IEEE-279-1968 Access to Setpoint Adjustments, Calibration, and Test Points (paragraph 4.18).
[7.2-97]
Access to setpoints and calibration controls are under the administrative control of operating personnel for the following RPS functions.
Neutron monitoring system scram trip
Reactor vessel high pressure scram trip
Reactor vessel low water level scram trip
Primary containment high pressure scram trip
Turbine stop valve closure and turbine control valve fast closure trip bypass
Neutron monitoring system trip bypass QUAD CITIES - UFSAR Revision 5, June 1999 7.2-52 Access to the turbine stop valve closure scram trip and the main steam line isolation valve closure scram trip process limit switch inputs is not anticipated during reactor operation due to ambient environmental conditions. The reactor operator is permitted full access to the valve test controls for the turbine stop valve closure, main steam line isolation valve closure, and turbine control valve fast closure scram trip functions since motion of the valve
during this test produces a valid process sensor response.
This design requirement is not app licable to the following functions.
Scram discharge volume high water level scram trip
Manual scram pushbuttons
Reactor mode switch
Trip logic test switch
Reactor protection system reset switch
Reactor protection system motor-generator sets and power distribution
Reactor protection system trip logi c, actuators, and trip actuator logic
Scram discharge volume high water level trip bypass
Main steam line isolation valve closure trip bypass
Reactor protection system outputs to other systems
7.2.3.9 Identification of Protection Systems
The RPS and engineered safety equipment are physically identified per their function.
Identification of trays, conduits and junction boxes is by means of stencil or adhesive markers. Control room panels, local panels, and racks are identified by engraved nameplates. Electrical panels, junction boxes, and components of the RPS are prominently identified by nameplates. Circuits entering junction or pull boxes are marked inside the boxes. Wiring and cabling outside cabinets and panels are identified by color, tag or other conspicuous means.
[7.2-98]
In addition, the operators and instrument me chanics that work with and maintain this equipment are trained in its identification and use. Normal plant operating procedures require that the Shift Manager or Unit Supervis or on duty authorize the performance of all work on these RPS components. The station out-of-service card procedure is used whenever systems are taken out of service for maintenance.
7.2.3.10 System Repair
The design of the following components, functions, and systems complies with the
IEEE-279-1968 System Repair design requirement (paragraph 4.21).
[7.2-99]
QUAD CITIES - UFSAR Revision 6, October 2001 7.2-53 Reactor mode switch
Trip logic test switch
Reactor protection system reset switch
Reactor protection system motor-generator sets and power distribution
Reactor protection system trip logi c, actuators, and trip actuator logic
Neutron monitoring system trip bypass
Scram discharge volume high water level trip bypass
Main steam line isolation valve closure trip bypass
Conformance of other RPS functions to I EEE-279-1968 System Repair requirements are as follows:
Neutron monitoring system scram trip
Replacement of IRM and LPRM detecto rs must be accomplished during plant shutdown. Repair of the remaining porti ons of the neutron monitoring system may be accomplished during plant operat ion by appropriate bypassing of the defective trip channel output. The design of the system facilitates rapid
diagnosis and repair.
Reactor vessel high pressure scram trip
Due to the one-to-one relationship of pressure sensor and trip channel output relay, this design requirement is sa tisfied for this protective function.
[7.2-100]
Reactor vessel low water level scram trip
The one-to-one relationship between a level sensor and a trip channel output relay permits the plant personnel to id entify any component failure during operation of the plant. Provisions have been made to facilitate repair of the channel components during plant operation.
Turbine stop valve closure scram trip
Because of the inherent simplicity of the valve limit switch for the process sensor, and the relationship of one limit switch contact with one trip channel
output relay, the design of the system facilitates maintenance of this protective function.
During power operation, it may be ne cessary to reduce power in order to close more than one turbine stop valve in order to accomplish a specific RPS test. The sequence of tests should permit the operat or to determine a defective limit switch contact or trip channel output relay.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-54 Turbine control valve fast closure scram trip
Periodic tests of portions of this prot ective function during plant operation will likely require a temporary reduction in plant output and may be accomplished with the provisions for testing of the turbine equipment.
Main steam line isolation valve closure scram trip
Due to the inherent simplicity of the valve limit switch for the process sensor, and the relationship of one limit switch contact with one trip channel output
relay, the design of the system facilitates maintenance of this protective function.
During power operation, it may be ne cessary to reduce power in order to close valves in more than one main steam line. With this arrangement, a sequence of
valve tests will permit the operator to determine fully a defective component or isolate the difficulty to one of two limit switches in a given main steam line.
Scram discharge volume high water level scram trip
Because the water level measurement and its one-to-one relationship between a given level sensor and its associated trip channel output relay are inherently simple, the design facilitates maintenance of this protective function.
Primary containment high pressure scram trip
Due to the one-to-one relationship of pressure switch and trip channel output relay, this design requirement is sa tisfied by this protective function.
Manual scram pushbuttons
Due to the simplicity of the manual scram function, the design complies with this requirement.
Reactor protection systems outputs to other systems
The design of these networks facilitat es repair of the RPS by providing timely information readout and identification of failures for the operating personnel.
QUAD CITIES - UFSAR Revision 7, January 2003 7.2-55 7.2.4 References
- 2. General Electric Topical Re port NEDO-10139, "Compliance of Protection Systems to Industry Criteria: General Electric BWR Nuclear Steam Supply System," June, 1970.
- 3. General Electric Safety Evaluation Re port NEDO-31400A "Safety Evaluation for Eliminating the BWR Main Steam Isolation Valve Closure and Scram Function of the
Main Steam Line Radiation Monitor," October 1992.
- 5. EC 23949 (DCP 9900184), Unit 2 MSL Rad Monitor Scram and Group 1 Isolation Trip Function Removals.
(Sheet 1 of 2)
Revision 9, October 2007 QUAD CITIES - UFSAR
Table 7.2-1
ANALYTICAL LIMITS FOR REACTOR PROTECTION SETPOINTS
Initiating Conditions Analytical Limit [Note 1]
- 1. Reactor neutron
[Note 2] b. APRM fixed neutron flux-high < 125% c. APRM inoperative - d. APRM downscale with companion IRM high-high (RUN mode) APRM > 1% power IRM < 125/125 e. APRM high-high flux (bypassed in RUN mode)
< 20% power f. IRM high-high flux (bypassed in RUN mode with
APRM upscale) IRM < 125/125 APRM > 1% power g. IRM inoperative (bypassed in RUN mode with APRM
upscale) - APRM > 1% power h. SRM high flux (bypassed when shorting links
installed) 1 x 10 6 cps i. Flux oscillation
- 2. Reactor high pressure See UFSAR Table 7.6-1
< 1060 psig
- 3. Reactor low water level
> 0 inches
- 4. Turbine stop valve closure (RUN mode >38.5% RTP)
< 10% closure
- 5. Turbine control valve fast closure, valve trip system oil pressure low(RUN mode >38.5%
RTP) > 460 psig [Note 3]
- 6. MSIV closure (RUN mode)
< 10% closure (Sheet 2 of 2)
Revision 10, October 2009 QUAD CITIES - UFSAR
Table 7.2-1
ANALYTICAL LIMITS FOR REACTOR PROTECTION SETPOINTS
Initiating Conditions Analytical Limit [Note 1]
- 7. High scram discharge volume water level
< 40 gallons
- 8. Primary containment (drywell) high pressure
< 2.5 psig
- 9. Turbine condenser low vacuum
> 20 inches Hg
- 10. Mode switch in SHUTDOWN (auto reset after 10 seconds)
-
Note 1 Analytical Limit shown unless noted ot herwise. Consult Technical Specifications for associated 'Allowable Value'.
Note 2 W D is the percent of drive flow required to produce a rated core flow of 98 million lb/hr.
Note 3 Trip is indicative of turbine contro l valve fast closure (due to low EHC fluid pressure) as a result of fast acting valve actuation.
QUAD CITIES - UFSAR 7.3-1 Revision 7, January 2003 7.3 ENGINEERED SAFETY FEATURE SYSTEMS INSTRUMENTATION AND CONTROL
The engineered safety feature (ESF) systems ar e provided to mitigate the consequences of postulated accidents. The ESF systems des cribed in this section are not used during normal plant operations. These systems must , however, be operable as defined in the Technical Specifications.
[7.3-1]
The ESF systems addressed in this section include the following:
A. Emergency core cooling systems (ECCS):
- 1. Core spray system;
- 2. Low pressure coolant injection (LPCI) mode of the residual heat removal (RHR) system;
- 3. High pressure coolant injection (HPCI) system; and
B. Containment isolation systems:
- 1. Primary containment isolation system (PCIS); and
- 2. Secondary containment isolation.
7.3.1 Emergency Core Cooling Syst ems Instrumentation and Control
Refer to Section 6.3 for ECCS de sign bases and description.
7.3.1.1 Core Spray System Instrumentation and Control
The control system is arranged to provide two independent and separately isolated control and power circuits for the operation of the two independent, 100% capacity core spray loops. (Refer to Figure 6.3-5).
There are three primary initiation or permissi ve signals related to operation of the core spray system. These signals are generated by the following sensors:
[7.3-2]
A. Four independent low-low reacto r water level transmitters and trip units; B. Four independent high drywell pressure switches; and
C. Two low reactor pressure switches using different operating principles.
QUAD CITIES - UFSAR Revision 8, October 2005 7.3-2 The core spray initiation signal requires any one of the following logic combinations:
A. Low-low reactor water level (one-out-of-two-twice) co incident with low reactor pressure (one-out-of-two);
B. High drywell pressure (one-out-of-two-twice); or
C. Low-low reactor wate r level (two-out-of-two in the corresponding division) continuously for 9 minutes (analytical limit
). This signal is generated by the ADS system logic.
The core spray initiation signal starts the co re spray pumps, opens the suction valves (if closed), and closes the test bypass valves (if open).
The permissive signal which opens the core spray injection (discharge) valves, requires a (one-out-of-two) low reacto r pressure signal in addition to the core spray initiation signal.
With normal auxiliary ac power available the actions described above occur automatically without delay. A diesel generator start signal is also generated by ei ther a low-low reactor water level signal or high drywell pressure sig nal (both one-out-of-two-twice). If normal ac power is not available the pumps are started sequentially as described in Section 6.3.
7.3.1.1.1 Conformance to IEEE-279
The following is a point-by-point comparis on of the core spray system with the requirements of proposed IEEE Std 279-1968 whic h has been summarized from GE Topical Report, NEDO-10139.[1] For more detailed information refe r to the topical report. The GE topical report is a generic repo rt for an entire product line and these statements should be used concurrently with design requirements de scribed in other sections of the UFSAR (such as Section 3.5 for Missile Protection, 3.6 for Pi pe Break, etc.) that represent Quad Cities specific design requirements.
[7.3-3]
7.3.1.1.1.1 General Functional Requirement (IEEE-279, Paragraph 4.1)
The following summarizes the general fun ctional requirements of IEEE-279 and the provision of the core spray system in fulfillment of these requirements.
A. Auto-Initiation of Appropriate Action
Appropriate action for the core spray co ntrol system is defined as the activation of equipment for introducing low pressure water through the core spray sparger when reactor vessel level drops below a predetermined point or the drywell pressure increases above a predetermined value, and the vessel pressure is below a predetermined value lower than the pump shutoff head. This action occurs
automatically.
B. Precision
The sensory equipment positively init iates action before process variables go beyond precisely established limits. In the case of vessel level sensors, high drywell ambient temperature can introduce errors that will lower the trip point for starting of the core spray pumps.
Errors that result from drywell temperatures less than the te mperature that causes a high drywell pressure trip are not large enough to be objectionable from a safety point of view.
QUAD CITIES - UFSAR 7.3-3 Revision 7, January 2003 C. Reliability
Reliability of the control system is commensurate with the controlled equipment so that the overall system reliabilit y is not limited by the controls.
D. Action Over the Full Range of Environmental Conditions
Refer to Section 3.11 for information on the current environmental qualification program.
7.3.1.1.1.2 Single Failure Criterion (IEEE-279, paragraph 4.2)
The core spray system, comprised of two independ ent sets of controls for the two physically separate pumping systems, meets all credibl e aspects of the single failure criterion.
7.3.1.1.1.3 Quality of Components (IEEE-279, paragraph 4.3)
Components used in the core spray control sy stem have been carefully selected on the basis of suitability for the specific application. All of the sensors and logic relays are of the same types used in the reactor protection system (RPS) described in Section 7.2. Ratings have been selected with sufficient conservatism to in sure against significant deterioration during anticipated duty over th e lifetime of the plant.
7.3.1.1.1.4 Equipment Qualification (IEEE-279, paragraph 4.4)
No components of the core spray control sy stem are required to operate in the drywell environment with the exception of the temp erature compensating columns for the vessel level sensors. These columns are calibrated fo r a specific normal ambient temperature and can introduce nominal errors under steam leak (high drywell temperature) conditions (see paragraph 4.1). All other sensory equipment is located in the reactor building outside the drywell and is capable of accurate operatio n with wider swings in ambient temperature than results from normal or abnormal (lo ss of ventilation and LOCA) conditions.
All components used in the core spray con trol system have demonstrated reliable operation in similar nuclear power plant protection system or industrial applications.
Refer to Section 3.11 for information on the current environmental qualification program.
7.3.1.1.1.5 Channel Integrity (IEEE-279, paragraph 4.5)
The core spray control system is designed to tolerate the spectrum of failures listed under the general requirements and the single failure criteria. Each of the two core spray systems sensors are backed up by sensors from the other so neither system alone loses its integrity because of a failure or failures in its sensory equipment.
QUAD CITIES - UFSAR Revision 7, January 2003 7.3-4 The core spray system control backup has been achieved without compromising the integrity of the channel being backed up because it can be shown by analysis that complete destruction of a wireway (conduit) carrying wi res between the two relay cabinets cannot prevent operation of both core spray loops.
During a DBA, the control system environment does not differ significantly from normal.
7.3.1.1.1.6 Channel Independence (IEEE-279, paragraph 4.6)
Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and C sensor s for reactor vessel level are located on a stanchion adjacent to the Division I instrume nt rack, and the B and D sensors are located on a pair of stanchions adjacent to the Division II instrument rack. The A and C sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and D. Disabling of one or all sensors at one location does not disable the control
for either of the two core spray loops, or two separate divisions of LPCI.
Relay cabinets for core spray system A are in a separate physical division from that for core spray system B, and each division is complete in itself, with its own station battery control and instrument bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process ta ps to the final control element, and includes both control and motive power supplies.
7.3.1.1.1.7 Control and Protection Interaction (IEEE-279, paragraph 4.7)
The core spray system is strictly an off-on syst em, and no signal whose failure could cause need of core spray can also prevent core sp ray from starting. Annunciator circuits using contacts of sensor relays and basic relays cannot impair the operability of the core spray system control because of the electrical separa tion between controls of the two systems.
7.3.1.1.1.8 Derivation of System Inputs (IEEE-279, paragraph 4.8)
The inputs which start the core spray system are direct measures of the variables that indicate the need for low pressure core coo ling; such as reactor vessel low water, high drywell pressure, and reactor lo w pressure. Reactor vessel leve l is sensed by vessel water level transmitters and trip units. Drywell high pressure is sensed by nonindicating pressure switches on four separate sensing lines connected to two se parate penetrations.
Each sensing line has its own root valve, and each pressure switch has its own instrument valve. Two reactor vessel pressure switches for the low pressure injection valve opening permissive are on two separate instrument lines going through the drywell at two different general locations. These switches operate re lays whose contacts are connected in A or B logic for the core spray va lve opening permissives.
QUAD CITIES - UFSAR 7.3-5 7.3.1.1.1.9 Capability for Sensor Checks (IEEE-279, paragraph 4.9)
All sensors are of the pressure sensing type and are installed with calibration taps and instrument valves, to permit testing during normal plant operation or during shutdown.
7.3.1.1.1.10 Capability for Test and Calibration (IEEE-279, paragraph 4.10)
The core spray control system is capable of being completely tested during normal plant operation to verify that each element of th e system, active or passive, is capable of performing its intended function.
7.3.1.1.1.11 Channel Bypass or Removal fr om Operation (IEEE-279, paragraph 4.11)
Calibration of each sensor will introduce a si ngle instrument channel trip. This does not cause a protective function without coincident operation of a second channel. Removal of an instrument channel from service during calibrati on is brief and in compliance with special provision of IEEE-279, paragraph 4.11 for one-out-of-two-twice systems.
7.3.1.1.1.12 Operating Bypasses (IEEE-279, paragraph 4.12)
There are no operating bypasses for the core spray system.
7.3.1.1.1.13 Indication of Bypasses (IEEE-279, paragraph 4.13)
There are no automatic bypasses of any part of the core spray control system.
7.3.1.1.1.14 Access to Means for Bypassing (IEEE-279, paragraph 4.14)
Access to switchgear, motor co ntrol centers, and instrument valves is procedurally controlled.
7.3.1.1.1.15 Multiple Trip Settings (IEEE-279, paragraph 4.15)
Paragraph 4.15 of IEEE-279 is not applicable because all setpoints are fixed.
7.3.1.1.1.16 Completion of Protection Action Once Initiated (IEEE-279, paragraph 4.16)
The final control elements for the core spray sy stem are essentially bistable; that is, pump breakers stay closed without control power, and motor operated valves stay open once they QUAD CITIES - UFSAR Revision 7, January 2003 7.3-6 have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reac hed). In the event of an interruption in ac power, the control system will reset itself and recy cle on restoration of power. Thus protective action once initiated must go to completion or continue until terminated by deliberate operator action.
7.3.1.1.1.17 Manual Actuation (IEEE-279, paragraph 4.17)
Each piece of core spray actuation equipment (pum p, valve, breaker, and starter) is capable of individual manual initiation, electrically from th e control panel in the main control room and locally, if desired, by use of physical mechanisms. The valves have handwheels for manual
operation, and the switchgear is capable of having closing springs charged manually and the breaker closed by mechanical linkages on the switchgear.
In no event can failure of an automatic contro l circuit for one core spray loop disable the manual electrical control circuit fo r the other core spray loop.
Single electrical failures cannot disable manual electric control of the core spray function.
7.3.1.1.1.18 Access to Setpoint Adjustment (IEEE-279, paragraph 4.18)
Administrative controls are used as the basis fo r assuring that access to core spray Setpoint Adjustments, Calibrations, and Test Points are limited to qualified, plant personnel and that permission of Operations is obtained to gain access. The range of the drywell and reactor vessel pressure switches is not adjustable. Th e reactor vessel level transmitters have zero and span adjustments that are external to the trans mitters but require removal of the nameplate to gain access. Because of these restriction s, compliance with the access requirements of IEEE-279 is considered complete.
7.3.1.1.1.19 Identification of Protective Actions (IEEE-279, paragraph 4.19)
Protective actions (here interpreted to mean pi ckup of a single sensor relay) are directly indicated and identified by action of the sens or relay, which has an identification tag and a clear glass front window permitting convenient, vi sible verification of the relay position. Any one of the sensor relays also actuates an annunc iator, so that no single-channel trip (relay pickup) will go unnoticed. Either of these indica tions should be adequate, so this combination of annunciation and visible verification relay actuation fulfills the requirements of this criterion. In addition, indicator lights are provided to show pickup of sensor relays.
7.3.1.1.1.20 Information Readout (IEEE-279, paragraph 4.20)
The core spray control system is designed to provide the operator with accurate and timely information pertinent to its status. It does no t introduce signals into other systems that could cause anomalous indications confusing to the operator. There are many passive as well as
active elements of this energize-to-op erate system which are not continuously QUAD CITIES - UFSAR Revision 7, January 2003 7.3-7 monitored for operability. Examples are ci rcuits which are normally open and are not monitored for continuity on a continuous basis, pressure and level sensors, which, although continuously active, are not cont inuously exercised and verified as operable. However, ATS alarms provide warning for loss of power or gross failure of electronic card circuits associated with reactor vessel level sensors.
Verifying the operability of these components is accomplished by periodic testing and by proper selection of test periods to be compatible with the historically established reliability of the components tested. Sufficient information is provided on a continuous basis so that th e operator can have a high degree of confidence that the core spray function is available and operating properly.
7.3.1.1.1.21 System Repair (IEEE-279, paragraph 4.21)
The core spray control system is designed to avoid a need for repair rather than for fast replacement of components. Thus, reliability is built-in rather than approached by rapid return-to-service maintenance. All devices in the system are designed for a 40-year lifetime under the imposed duty cycles. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of shelf life than active life. However, all components are selected for continuous duty pl us thousands of cycles of operation, far beyond that anticipated in actual service. Th e pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts every 3 months.
7.3.1.1.2 Failure Mode and Effects-Analysis Summary
No single component cable, wireway, or cabine t failure can disable the core spray function.
Therefore, the core spray system is considered to have fully met the single failure criterion of IEEE-279.
7.3.1.2 RHR System LPCI Mode Instrumentation and Controls
The residual heat removal (RHR) system can be operated in any one of three modes: Low pressure coolant injection , containment coo ling, and reactor shutdown cooling. Low pressure coolant injection and containment coo ling are primarily safety functions. The LPCI mode instrumentation and control is descri bed in this section. Containment cooling is addressed in Section 6.2, and reacto r shutdown cooling in Section 5.4.
[7.3-4]
In general, LPCI operation involves restor ing and maintaining the water level in the reactor vessel at a sufficient level for ade quate cooling after a loss-of-coolant accident (LOCA). The LPCI initiation logic system operates in conjunction with HPCI, ADS and
core spray logic.
[7.3-5]
Initiation of LPCI occurs on signals indicating low-low reactor water level coincident with reactor low pressure, high dryw ell pressure, or low-low reacto r water level continuously for 9 minutes (analytical limit). Low-low reacto r water level and high drywell pressure are each detected by four independent level transmi tters and pressure switches connected in a one-out-of-two-twice logic.
Reactor low pressure is detecte d by two independent pressure switches, each of a different design principle.
The switches are connected in a one-out-of-two logic. Upon receipt of an initiation si gnal with normal ac power available the:
[7.3-6]
QUAD CITIES - UFSAR Revision 8, October 2005 7.3-8 1. Permissive becomes available to activate pumps and valves,
- 2. All four RHR pumps start,
- 3. RHR service water pumps stop (if running).
If normal ac power is not available, pumps ar e started sequentially as described in Section 6.3. For a description of LPCI's interaction wi th shutdown cooling refer to Section 6.3.
Prior to opening of the admission valves, it is necessary that sufficient information be available to determine if the break has occurre d in a recirculation loop, and if so, which loop. If neither loop is broken, a preselected l oop will be used for injection. This selection is necessary because LPCI injects through the recirculation loops.
The system makes the loop selection by compar ing the pressure in the five riser pipes on one recirculation loop with the pressure in the corresponding riser pipes on the other recirculation loop. A schematic of the instru ment arrangement is shown in Figure 6.3-12.
The unbroken recirculation loop will have a hi gher pressure than the broken loop. Two differential pressure instruments indicating a hi gher pressure in one loop than in the other (in a one-out-of-two-twice arrangement) caus e LPCI flow to be injected into the higher pressure loop.
The break detection logic arrangement is shown in Figure 6.3-13. As shown, the logic is actuated by high drywell pressure or low-low reactor water level.
7.3.1.2.1 Conformance with IEEE-279
The following is a point-by-point comparison of the LPCI system with the requirements of proposed IEEE Std 279-1968 which has been summarized from GE Topical Report, NEDO-
10139.[1] For more detailed informatio n, refer to the topical report.
The GE topical report is a generic report for an entire product line and these statements should be used concurrently with design requi rements described in other sections of the UFSAR (such as Section 3.5 for Missile Protection, 3.6 for Pipe Break, etc.) that represent Quad Cities specific design requirements.
[7.3-7]
The low pressure core cooling system consists of three loops: core spray system loop A, core spray system loop B, and the LPCI system. Th erefore, it should be made clear that the LPCI system by itself is not required to meet all the requirements of IEEE-279 since it is backed up by the two core spray systems. Th e following comparison is provided only to show the adequacy of the LPCI system design.
7.3.1.2.1.1 General Functional Requirement (IEEE-279, paragraph 4.1)
A. Auto-Initiation of Appropriate Action
Appropriate action for the LPCI control system is defined as the activation of equipment for introducing low pressu re water into the reactor via the recirculation line when reactor vessel leve l drops below a predetermined point, or the drywell pressure increases above a predetermined value and reactor vessel pressure is below the pump shutoff head. This action occurs automatically.
QUAD CITIES - UFSAR 7.3-9 Revision 7, January 2003 B. Precision
See Section 7.3.1.1.1.1 which applies equally to the LPCI and core spray systems.
Sensors which initiate the core spray system are the same sensors as used to
initiate the LPCI system. However, reacto r vessel low level initiation is provided by separate slave trip units and trip relays.
C. Reliability
Reliability of the control system is commensurate with the controlled equipment so that the overall system reliabilit y is not limited by the controls.
D. Action Over the Full Range of Environmental Conditions
Refer to Section 3.11 for information on the current environmental qualification program.
7.3.1.2.1.2 Single-Failure Criterion (IEEE-279, paragraph 4.2)
The LPCI system is a single system in that wa ter is injected into th e reactor via a single injection valve. Therefore, the LPCI system is not required (in itself) to meet the intent of the single-failure criterion. However, redund ancy in equipment and control logic circuitry is provided so that it is highly unlikely t hat the complete LPCI system can be rendered inoperative.
Two control logic circuits are provided. Control logic A is provided to initiate loop A pumps and valves and logic B is provided to initiate loop B equipment. This does not apply to the initiation of the injection valves.
Tolerance to single failures or events is provid ed in the control logic initiation circuitry so that these failures will be limited to the possible disabling of the initiation of only one loop (two of four pumps available).
The LPCI system is designed to detect the loca tion of a recirculation line break and select the unbroken loop for injection. The sensing ci rcuit for break detection and valve selection is arranged so that failure of a single devi ce or circuit to function on demand will not prevent selection of the correct loop for injection. Tolerance to the following single failures or events has been incorporated into th e loop selection control system design.
A. Single open circuit, B. Single relay failure to pickup, C. Single relay failure to dropout, D. Single instrument failure, and E. Single control power failure.
Reliability of the control system is compatible with and more reliable than the controlled equipment (injection valve). It should be ma de clear that those single failures which could cause improper loop selection (that is, selecte d short circuits which pickup specific relays) will not disable the core spray function. Theref ore it is concluded that failure of the loop selection scheme to fully comply with the single-failure criterion of IEEE-279 paragraph QUAD CITIES - UFSAR 7.3-10 4.2 does not constitute a violation of IEEE-279 insofar as the low pressure cooling function is concerned.
7.3.1.2.1.3 Quality of Components (IEEE-279, paragraph 4.3)
See Section 7.3.1.1.1.3 which also applies generally to the LPCI system.
7.3.1.2.1.4 Equipment Qualification (IEEE-279, paragraph 4.4)
See Section 7.3.1.1.1.4 which also applies to the LPCI system.
7.3.1.2.1.5 Channel Integrity (IEEE-279, paragraph 4.5)
The LPCI system initiation channels (low wa ter level or high drywell pressure) are designed to meet the single failure criteri on as discussed in Section 7.3.1.2.1.1 and 7.3.1.2.1.2 and thus satisfies the channel integrity objective of this paragraph.
The instrumentation provided for the loop sele ction logic does not initiate a protective action and therefore this paragraph does no t strictly apply to this instrumentation.
However, as previously described, redundancy in instrumentation and control logic circuits have been provided so that is extremely unlikely that a failure within this functional logic will prevent proper LPCI operation.
7.3.1.2.1.6 Channel Independence (IEEE-279, paragraph 4.6)
See Section 7.3.1.1.1.6 which also applies to the LPCI system. By definition (IEEE-279
paragraph 2.2) a channel loses its identity wh ere single action signals are combined.
Therefore, since instrument channels are combin ed into a pair of single logic channel trip systems this paragraph of IEEE-279 does not s trictly apply for the loop selection logic.
7.3.1.2.1.7 Control and Protection Interaction (IEEE-279, paragraph 4.2)
See Section 7.3.1.1.1.7 which also applies to the LPCI system.
7.3.1.2.1.8 Derivation of System Inputs (IEEE-279, paragraph 4.8)
See Section 7.3.1.1.1.8 which also applies to the LPCI system. The inputs provided to determine which loop should be used for LPCI injection are direct measures of the variables required to make this decision.
QUAD CITIES - UFSAR Revision 5, June 1999 7.3-11 7.3.1.2.1.9 Capability for Sensor Checks (IEEE-279, paragraph 4.9)
See Section 7.3.1.1.1.9 which also applies to the LPCI system.
7.3.1.2.1.10 Capability for Test and Calibration (IEEE-279, paragraph 4.11)
See Section 7.3.1.1.1.10 which also applies to th e LPCI system except as stated below. The only portion of the LPCI logic which cannot be tested with the reactor at full power is the recirculation pump trip portion of the loop selection logic.
7.3.1.2.1.11 Channel Bypass or Removal fr om Operation (IEEE-279, paragraph 4.11)
See Section 7.3.1.1.1.11 which also applies to the LPCI system.
7.3.1.2.1.12 Operating Bypasses (IEEE-279, paragraph 4.12)
A. Manual Bypasses
See Section 7.3.1.1.1.12 which also applies to the LPCI system.
B. Automatic Bypasses
The only automatic bypass of the LPCI system is the closure of the LPCI inboard injection valve on an isolation signal du ring the RHR shutdown cooling mode.
Indication of this is provided by an indicating light in the main control room.
7.3.1.2.1.13 Indication of Bypasses (IEEE-279, paragraph 4.13)
Indication of bypasses provided is as discussed in Section 7.3.1.2.1.12 above, and as
described in the core spray system Section 7.3.1.1.1.13.
7.3.1.2.1.14 Access to Means for Bypassing (IEEE-279, paragraph 4.14)
Access to switchgear, motor con trol center, and instrument valv es is controlled as discussed in Section 7.3.1.1.1.14. Access to other means of bypassing (that is, closure of pump suction valves by means of a keylock switch) are loca ted in the main control room and, therefore, under the administrative control of the operator.
QUAD CITIES - UFSAR 7.3-12 7.3.1.2.1.15 Multiple Trip Settings (IEEE-279, paragraph 4.15)
This is not applicable because all setpoints are fixed.
7.3.1.2.1.16 Completion of Protection Action Once Initiated (IEEE-279, paragraph 4.16)
See Section 7.3.1.1.1.16 which also applies to the LPCI system.
7.3.1.2.1.17 Manual Actuation (IEEE-279, paragraph 4.17)
Each piece of LPCI actuation equipment require d to operate (pumps and valves) is capable of manual initiation electrically from the control panel in the main control room.
7.3.1.2.1.18 Access to Setpoint Adjustments (IEEE-279, paragraph 4.18)
See Section 7.3.1.1.1.18 which also applies to the LPCI system.
7.3.1.2.1.19 Identification of Protective Actions (IEEE-279, paragraph 4.19)
See Section 7.3.1.1.1.19 which also applies to the LPCI system.
7.3.1.2.1.20 Information Readout (IEEE-279, paragraph 4.20)
Sufficient information is provided on a conti nuous basis so that the operator can have a high degree of confidence that the LPCI fun ction is available and/or operating properly.
7.3.1.2.1.21 System Repair (IEEE-279, paragraph 4.21)
See Section 7.3.1.1.1.21 which also applies to the LPCI system.
7.3.1.2.2 Failure Mode and Effects Summary
Since the LPCI system is by itself a single sy stem and, as such, vulnerable to single failures in common components, a detailed failure mode and effects analysis is not presented here.
The failure mode and effects analysis presente d for the core spray system applies to all portions of the system except the injection valv es and specific portions of the loop selection circuitry. As has been previously discussed, those single failures that could possibly disable the LPCI system will not directly affect the core spray system. The low QUAD CITIES - UFSAR 7.3-13 Revision 8, October 2005 pressure core cooling system is designed such that for any single failure the availability of the following will be maintained:
- 1. Two core spray loops, or
- 2. One core spray loop and two LPCI pumps.
7.3.1.3 High Pressure Coolant Injecti on System Instrumentation and Control
Automatic initiation of HPCI occurs on low-lo w reactor water level or high drywell pressure in the absence of the reactor vessel high wa ter level HPCI turbine trip signal. Low-low reactor water level is detected by four independent transmi tters. High drywell pressure is detected by four independent pr essure switches. All sensors are connected in one-out-of-two-twice logic arrays. The re actor high water level switches are connected in a two-out-of-two logic. When the initiation signal is received, the HPCI turbine and its required auxiliary equipment will start and the required valves will open automatically, with the exception of the steam supply valves 2301-4 & 5 and the turbine exhaust line vacuum
breaker valves 2399-40 & 41. These valves must always be opened manually from the control room switches after a manual closure or any valid isolation signal that has caused the valves to close. If the HPCI system sta rts due to a high drywell pressure signal and automatically turns off at reactor high level, then the system will automatically restart at reactor low low level.
[7.3-8]
In the event of a low water level in the condensate storage tank, or high level in the suppression pool, the pump suction valves from the suppression chamber open and the
suction valve from the condensate storage tank closes. The valves are interlocked to prevent the suction valve from the condensate storage tank from automatically opening whenever both suction valves from the suppression chamber are fully opened.
Automatic isolation of the HPCI system is discussed in Section 7.3.2.
Initiation for automatic trip of the HPCI turbin e occurs (whenever the turbine stop valve is not tripped) on high turbine exhaust pressure, low pump suction pressure, or high reactor water level. The low pump suction and high turbine exhaust pressure trips are blocked when a HPCI auto-initiation signal (reactor wate r low-low level or high drywell pressure) is present. High turbine exhaust pressure is detected by two redundant pressure switches connected in a one-out-of-two logic. Low pump suction pressure is detected by a single pressure switch. The low pump suction pressu re trip is delayed 2.5 seconds to eliminate short duration low suction transient trips.
High reactor water leve l is detected by two redundant level sensors connected in a two-out-of-two logic. The pump discharge is prevented from opening automatically when ever a turbine trip condition exists.
7.3.1.3.1 Conformance with IEEE-279
The following is a point-by-point comparison of the HPCI system with the requirements of IEEE Std 279-1968 which has been summarized from NEDO-10139.[1] The automatic depressurization system is provided to reduce reactor pressure in case the HPCI system is not sufficient to maintain the re actor water level. Therefore, it is clear that the HPCI system is not required to meet all the require ments of IEEE-279 since it is backed up by the independent automatic depressurization system.
The following comparison is provided only to show the adequacy of the HPCI system desi gn. For more detailed information refer to the topical report. The GE topical report is a generic report for an entire product line and these statements should be used concurrently with design requireme nts described in other sections of the UFSAR (such as Section 3.5 for Missile Protection, 3.6 for Pipe Break, etc.)
that represent Quad Cities specific design requirements.
[7.3-9]
QUAD CITIES - UFSAR 7.3-14 Revision 7, January 2003 7.3.1.3.1.1 General Functional Requirements (IEEE-279, paragraph 4.1)
A. Auto-Initiation of Appropriate Action
Appropriate action for the HPCI contro l system is defined as the activation of equipment for introducing high pressure water into the reactor via the feedwater line when reactor vessel level drops below a predetermined point, or the drywell pressure increases above a predetermi ned value. This action occurs automatically.
B. Precision
See Section 7.3.1.1.1.1 which applies equally to the HPCI and core spray systems. Sensors that initiate the HPCI system are the same type of sensor that initiates the core spray system.
C. Reliability
Reliability of the control system is co mpatible with the controlled equipment so that the overall system reliability is not limited by the controls.
D. Action Over the Full Range of Environmental Conditions
Refer to Section 3.11 for information on the current environmental qualification program.
7.3.1.3.1.2 Single-Failure Criterion (IEEE-279, paragraph 4.2)
The HPCI system by itself, is not required to meet the single-failure criterion. The control logic circuits for the HPCI system initiation and control are housed in a single relay cabinet. The relay cabinet and normal powe r source for the automatic depressurization system is independent of the HPCI system.
The HPCI initiation sensors and wiring up to the HPCI relay logic cabinet does, however, meet the single-failure criterion. Physical sepa ration of instrument lines is provided so that no single instrument rack destruction or single instrument line (pipe) failure can prevent HPCI initiation. Wiring separation between divisions also provides tolerance to single wireway destruction (including shorts, op ens, and grounds) in the accident detection portion of the control logic.
7.3.1.3.1.3 Quality of Components (IEEE-279, Paragraph 4.3)
See Section 7.3.1.1.1.3 which also applies generally to the HPCI system.
QUAD CITIES - UFSAR Revision 7, January 2003 7.3-15 7.3.1.3.1.4 Equipment Qualification (IEEE-279, paragraph 4.4)
No components of the HPCI control system are required to operate in the drywell environment except for the temperature compen sation columns of the vessel level sensors.
Errors introduced under steam leak (h igh drywell temperature and reactor depressurization) for HPCI initiation are neglig ible as discussed in Section 7.3.1.1.1.1(B).
The HPCI steam line isolation valve located insi de the drywell is a normally open valve and is therefore not required to operate ex cept under special (test) conditions.
Other process sensor equipment for HPCI initiati on is located in the reactor building and is capable of accurate operation in ambient temp erature conditions that result from abnormal (loss of ventilation and LOCA) conditions.
7.3.1.3.1.5 Channel Integrity (IEEE-279, paragraph 4.5)
The HPCI system instrument initiation c hannels meet the single-failure criterion as discussed in Section 7.3.1.3.1.2 above and thus satisfy the channel integrity objective of this paragraph.
By definition (IEEE-279, paragraph 2.2) a c hannel loses its identity where single-action signals are combined. Therefore, since instru ment channels are combined into a single trip system this paragraph of IEEE-279 does not strictly apply for the HPCI control system.
7.3.1.3.1.6 Channel Independence (IEEE-279, paragraph 4.6)
Channel independence for initiation sensors monitoring each variable is provided by electrical and mechanical separation. The A and C sensors for reactor vessel level are located on one local instrument rack identifi ed as Division I equipment and the B and D sensors are located on a second instrument rack widely separated from the first and identified as Division II equipment. The A and C sensors have a common pair of process
taps which are widely separated from the corresponding taps for sensors B and D.
Disabling of one or both sensors in one loca tion does not disable the control for HPCI initiation.
7.3.1.3.1.7 Control and Protection Interaction (IEEE-279, paragraph 4.7)
See Section 7.3.1.1.1.7 which also applies to the HPCI system.
7.3.1.3.1.8 Derivation of System Inputs (IEEE-279, paragraph 4.8)
The inputs that start the HPCI system are di rect measures of the variables that indicate need for high pressure core cooling; such as , reactor vessel low water level or high drywell pressure.
QUAD CITIES - UFSAR Revision 4, April 1997 7.3-16 7.3.1.3.1.9 Capability for Sensor Checks (IEEE-279, paragraph 4.9)
See Section 7.3.1.1.1.9 which also applies to the HPCI system.
7.3.1.3.1.10 Capability for Test and Calibration (IEEE-279, paragraph 4.10)
See Section 7.3.1.1.1.10 which also applies to the HPCI system.
7.3.1.3.1.11 Channel Bypass or Removal fr om Operation (IEEE-279, paragraph 4.11)
Calibration of a sensor which introduces a si ngle instrument channel trip will not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses as such in the HPCI system. Removal of a sensor from
operation during calibration does not prev ent the redundant instrument channel from functioning if accident conditions occur.
Removal of an instrument channel from service during calibration is brief.
7.3.1.3.1.12 Operating Bypasses (IEEE-279, paragraph 4.12)
Manual Bypasses
The HPCI system can be bypassed by placin g of the flow controller from AUTO to MANUAL operation in the main control room or adjusting AUTO operation. The controller is in the main control room and therefore und er the direct supervision of the control room operator.
Automatic Trips/Isolations
The following is a list of automatic fun ctions which can render the HPCI system inoperative:
[7.3-10]
A. HPCI steam line isolation signal.
B. The following signals will cause a HPCI turbine trip irrespective of an initiation:
- 1. Reactor vessel water level high.
- 3. Local manual trip lever.
C. The following signals will cause a HPCI turbine trip if an initiation signal is not present:
- 1. HPCI pump suction pressure low,
- 2. HPCI turbine exhaust pressure high.
QUAD CITIES - UFSAR Revision 7, January 2003 7.3-17 7.3.1.3.1.13 Indication of Bypasses (IEEE-279, paragraph 4.13)
Indication of bypasses provided is as previo usly discussed in Section 7.3.1.3.1.12 above.
7.3.1.3.1.14 Access to Means for Bypassing (IEEE-279, paragraph 4.14)
Access to switchgear, motor con trol centers, ATS cabinets, relays, and instrument valves is procedurally controlled.
7.3.1.3.1.15 Multiple Trip Settings (IEEE-279, paragraph 4.15)
This is not applicable because all setpoints are fixed.
7.3.1.3.1.16 Completion of Protective Acti on Once Initiated (IEEE-279, paragraph 4.16)
The final control elements for the HPCI syst em are essentially bistable, that is, motor operated valves stay open or closed once they have reached the desired position, even though their starter may drop out (which will o ccur when the limit switch is reached). In the case of pump starts, the auto initiation si gnal is electrically sealed-in, except for the turbine reset solenoid. The LOCA signal must be maintained long enough to latch the turbine reset cylinder.
[7.3-10a]
Thus a protective action once initiated (for exam ple, flow established) must go to completion or continue until terminated by deliberate operator action or automatically stopped on high vessel water level or system malfunction trip signals.
7.3.1.3.1.17 Manual Actuation (IEEE-279, paragraph 4.17)
Each piece of HPCI actuation equipment require d to operate (pumps and valves) is capable of manual initiation electrically from the contro l panel in the main control room. Failure of logic circuitry to initiate the HPCI system will not affect the manual control of equipment.
However, failures of active components or co ntrol circuit failures which produce a turbine trip may disable the manual actuation of the HPCI system. Failures of this type are
continuously monitored by alarms as discu ssed in previous sections and as such cannot realistically be expected to occur when HPCI operation is required.
7.3.1.3.1.18 Access to Setpoint Adjustments (IEEE-279, paragraph 4.18)
Section 7.3.1.1.1.18 also applies to the HPCI system.
[7.3-10b]
QUAD CITIES - UFSAR 7.3-18 Revision 7, January 2003 7.3.1.3.1.19 Identification of Protective Actions (IEEE-279, paragraph 4.19)
Protective actions (which are he re interpreted to mean pickup of a single sensor relay) are directly indicated and identified by action of the sensor relay which has an identification tag and a clear glass window front which permits convenient visible verification of the relay position. A sensor trip also actuates an annuncia tor so that no single channel trip (relay pickup) will go unnoticed. This combination of annunciation and visible relay actuation is considered to fulfill the requirements of this criterion.
7.3.1.3.1.20 Information Readout (IEEE-279, paragraph 4.20)
The HPCI control system is designed to prov ide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. There are many passive as
well as active elements of this energize-t o-operate system which are not continuously monitored for operability. For example, re lay circuits are normally open and are not monitored for continuity on a continuous bas is. Pressure and level sensors, although continuously active are not continuously exercise d and verified operable. Periodic testing is the means provided for verifying the operab ility of these components and by proper selection of test periods to be compatible with the historically established reliability of the components tested, complete and timely in dications are made available. Sufficient information is provided on a continuous basis so that the operator c an have a high degree of confidence that the HPCI function is available and/or operating properly.
7.3.1.3.1.21 System Repair (IEEE-279, paragraph 4.21)
See Section 7.3.1.1.1.21 which applies equally to the HPCI system.
In addition to the recognition of failed compon ents during test, components which fail in the direction so as to produce a trip conditio n are continuously monitored by alarm.
7.3.1.3.2 Failure Mode and Effects Analysis Summary
Since the HPCI system is by itself a single system, a detailed failure mode and effects analysis is not warranted as it is recognized t hat there are single failures that could disable the system.
As has been previously described, no single failure in the initiation instrumentation can prevent HPCI operation if required.
It is also mentioned again that those single failures that could possibly disable the HPCI system will in no way affect the ADS system and vice versa.
No instrumentation or equipment is shared by the ADS and HPCI systems. Reactor vessel water level sensors for HPCI initiation ar e associated with RPS and PCIS, and are QUAD CITIES - UFSAR 7.3-18a Revision 7, January 2003 separate from ADS. Level tr ansmitters for ADS initiation are associated with ATWS/ECCS and are separate from HPCI. Separate switches on the shared sensors are used for the two systems. Both physical and electrical separation are QUAD CITIES - UFSAR Revision 8, October 2005 7.3-19 maintained so that no single failure of the leve l-sensing equipment or wiring (shorts or opens) can, in fact, disable either HPCI or ADS.
Therefore, it is concluded that no single failure can disable both the HPCI and the ADS systems.
7.3.1.4 Automatic Depressurization System Instrumentation and Controls
The ADS system allows use of LPCI or core spra y as a backup to HPCI by depressurizing the reactor pressure vessel for small area breaks.
Reactor vessel depressuri zation is accomplished by blowdown through relief valves to vent steam to the suppression pool.
[7.3-11]
The ADS is initiated by instrumentation which monitors drywell pressu re and reactor water level. Automatic blowdown requires both that a drywell high pressure and reactor water level low-low signal persist for a two-minute period (analytical limit for initiation timer). In addition, the design prevents blowdown until the discharge pressure of at least one LPCI pump or one core spray pump exceeds 100 psig (analytical limit). This design provides direct assurance that the low pressure ECCS pu mps are operating prior to automatic depressurization.
[7.3-12]
Four instrument channels monitor each initiati ng parameter. Two of the four channels monitoring each parameter are assigned to one of the two logic divisions. The arrangement of these signals within each logic division is two-o ut-of-two (high pressure and low-low level) in coincidence with two-out-of-two (high pressure and low-low level). The trip in one of these coincidence signals is interlocked with, and pe rmits the starting of, a timer which delays actuation of the relief valves to permit operator intervention and to allow the HPCI to restore reactor water inventory. The ti me delay setting was chosen to be long enough so that the HPCI has time to start, yet not so long that core spray and LPCI systems are unable to adequately cool the fuel if the HPCI fails to start.
The automatic depressurization system is also initiated when low-low reactor water level is sensed continuously for a maximum of 9 minutes (analytical limit for actuation timer) and a low pressure pump is running as previously stat ed. This reactor water level sensing logic is two-out-of-two per division. The automatic depr essurization system also has a keylocked, administratively-controlled, manually-actuated inhibit switch that prevents blowdown irrespective of any initiation signal. Inside panel 901(2)-32, there is a second keylocked, administratively-controlled, manually-actuated inhibit switch.
[7.3-13]
For additional reliability, each pair of circuits is provided with power from separate dc buses.
The instruments in the reactor vessel water leve l circuit and drywell pressure circuit do not require electrical power to close or open the se nsors in the initiation circuits, but the logic circuitry requires 125 VDC power to operate. The single failure of one single switch in its respective circuit will not cause an ADS actuatio
- n. An additional power source is also available and is automatically switched ov er upon loss of the primary power source.
[7.3-13a]
7.3.1.4.1 Conformance With IEEE-279
The following is a point-by-point comparison of the automatic depressurization system (ADS) with the design requirements of IEEE Std 279-1968 which has been summarized from GE
Topical Report, NEDO-10139.[1] For more detailed information re fer to the topical report. The GE topical report is a generic re port for an entire product line and these statements should be used concurrently with design requirements des cribed in other sections of the UFSAR (such as Section 3.5 for Missile Protection, 3.6 for Pipe Br eak, etc.) that represent Quad Cities specific design requirements.
[7.3-14]
QUAD CITIES - UFSAR Revision 6, October 2001 7.3-20 7.3.1.4.1.1 General Functional Requirement (IEEE-279, paragraph 4.1)
A. Auto-Initiation of Appropriate Action
Appropriate action is defined as initiating the opening of a specified number of valves when loss of primary coolant is detected by reacto r vessel low level, persists for approximately two minutes , and is confirmed by high drywell pressure, provided that low pressure stand by core cooling equipment is available and operating or when reactor vessel lo w-low level is sensed for 9 minutes continuously (analytical limit). The ADS design accomplishes the appropriate action automatically.
B. Precision
The accuracy requirements for initia ting ADS (like those for the core spray system) are not such that precision of measurement is required. Precision provided by these instruments is ad equate to give positive automatic depressurization initiation before the ve ssel water level can go below a tolerable point. The ADS control design achieves the degree of precision necessary to insure appropriate initiation of the protective function when needed and
precludes inadvertent initiation under ex tremes of environment related errors in instrumentation.
C. Reliability
The reliability of the auto depressuriza tion control system is an estimated order of magnitude higher than the reliability of the actuated equipment (valves).
D. Action Over the Full Range of Envi ronmental Conditions: fire, accidents, missiles, etc.
The corresponding section for the core spray sy stem Section 7.3.1.1.1.2 applies here in all respects except fire and missiles. A single cabinet houses the redundant relays that energize all the auto depressurization valves in unison. However, the circuits to the ADS valves emerge from this cabinet in indepe ndent metal conduits and are carried through separate penetrations into the drywell. Se parate metal conduits are carried from the penetrations to the individual valves distributed among the four main steam lines.
In view of the fact that wiring for the relief valve solenoids must survive the LOCA environment for an appreciable time, (at least several minutes to perhaps an hour), cable has been selected which can easily tolerate this environment.
A destructive fire enveloping the control cabinet could disable all valve control circuits.
Such a fire is not considered credible from electrical sources because of the low current available in the circuits involved and the fire resistant nature of the devices and wiring within the cabinet. Thus external, non-electrica l fires are considered to be the only possible fire damage source.
Separate routing of the ADS conduits within the drywell reduces to a very low probability the possibility of missile damage to more t han one ADS conduit or damage to the pilot solenoid assembly of ADS valves. The HPCI system will provide backup for the ADS under all conditions unless the HPCI line is the source of the missile or jet in which case damage to a single ADS valve or conduit is considered credible.
QUAD CITIES - UFSAR 7.3-21 If a valve were rendered inoperable by a jet of water and/or steam associated with a pipe break (Section 3.6), the redundancy of the ADS system provides adequate protection for all possible break situations. This is true even for breaks in the feedwater line used for HPCI
injection which is the worst case, since the HPCI function could then be impaired or lost.
The situation leaves all but one relief valve and all low pressure ECCS operable. Since the plant has one extra relief valve, 100% automatic relie f capacity is left. If a single additional failure is added to this situation, the worst failure would be to fail one more relief valve arbitrarily. This leaves LPCI pumps, two co re spray loops and the ADS degraded by one valve. Since the postulated break is located in the feedwater line, which is connected to the reactor vessel above the core, th e relief capacity, degraded by one valve, is adequate to provide cooling protection.
Further, it should be noted that the situat ion described above woul d require an extremely unlikely combination of circumstances.
In light of the above, it is concluded that ADS fulfills the minimum requirement of IEEE-279 paragraph 4.1 without benefit of backup from HPCI.
7.3.1.4.1.2 Single Failure Criterion (IEEE-279, paragraph 4.2)
The single failure criterion of IEEE-279 is no t directly applicable to ADS because HPCI and ADS are diverse functional backups to each othe r insofar as depressurization is concerned.
However, ADS has been designed to accommodate all of the single failures listed under the core spray systems with the exception of a single wireway destruction as described in Section 7.3.1.1.1.5 or a single co ntrol cabinet section destruction.
It is not considered credible that any sing le event could occur within the automatic depressurization cabinet that could disable more than one valve.
Inadvertent operation of the automatic depressu rization system cannot result from failure or malfunction of any single component includin g single shorts or single opens. Only one valve can be opened by any single short.
7.3.1.4.1.3 Quality of Components (IEEE_279, paragraph 4.3)
See Section 7.3.1.1.1.3 which also applies to ADS.
7.3.1.4.1.4 Equipment Qualification (IEEE-279, paragraph 4.4)
See Section 7.3.1.1.1.4 which also applies to AD S insofar as the level sensors are concerned.
7.3.1.4.1.5 Channel Integrity (IEEE-279, paragraph 4.5)
See Section 7.3.1.1.1.5 which also applies to ADS.
QUAD CITIES - UFSAR Revision 7, January 2003 7.3-22 7.3.1.4.1.6 Channel Independence (IEEE-279, paragraph 4.6)
Channel independence for sensors exposed to ea ch variable is provided by electrical and mechanical separation. The A and C sensors for reactor vessel level are located on a stanchion adjacent to the Division I instrume nt rack, and the B and D sensors are located on a pair of stanchions adjacent to the Division II instrument rack. The A and C sensors have a common pair of process taps which ar e widely separated from the corresponding taps for sensors B and D. Disabling of one or both sensors in one location does not disable
the control for both of the automatic depressurization control channels.
There are two sensors of each type in one division mechanically and electrically
independent from those in the second division to initiate automatic depressurization.
Therefore, these sensors are redundant to each other. The logic for each trip channel is four-out-of-four. So, the overall ADS trip logic becomes one of two, four-out-of-four logics.
In addition to the sensors that initiate automatic depressurization there are ADS permissive sensors associated with the pump discharge pressure of the low pressure ECCS. An interlock is provided in each trip system in order to give reassurance that low pressure core coolant is available before ADS actually permits depressurization of the reactor vessel.
This interlock tends to degrade the reliabilit y of ADS but is so arranged that this degradation is reduced to a practical minimum.
Two pressure switches (twelve total) on the discharge of each core spray and each LPCI pump are connected through relays in redundant groups so that each ADS trip system is blocked from actuating unless at least one low pressure pump shows verified discharge pressure.
7.3.1.4.1.7 Control and Protection Interaction (IEEE-279, paragraph 4.7)
The automatic depressurization system is stri ctly an off-or-on system and no signal whose failure could cause need of automatic depressu rization can also prevent it from starting.
7.3.1.4.1.8 Derivation of System Inputs (IEEE-279, paragraph 4.8)
Inputs which start automatic depressurization system are direct measures of the variables that indicate the need for and acceptable co nditions for rapid depressurization of the reactor vessel (such as, reactor vessel low water verified by hi gh drywell pressure and at least one low pressure core cooling system de veloping adequate discharge pressure or when reactor vessel low-low level is sensed for 9 minutes continuously (analytical limit)).
7.3.1.4.1.9 Capability for Sensor Checks (IEEE-279, paragraph 4.9)
All sensors are of the pressure sensing type and are installed with calibration taps and instrument valves which allow for the applicat ion of a test pressure for calibration and/or functional tests during normal pl ant operation or during shutdown.
QUAD CITIES - UFSAR Revision 7, January 2003 7.3-23 7.3.1.4.1.10 Capability for Test and Calibration (IEEE-279, paragraph 4.10)
The automatic depressurization system is not tested in its entirety during actual plant operation but provisions are inco rporated so that operability of all elements of the system can be verified at periodic intervals.
7.3.1.4.1.11 Channel Bypass or Removal fr om Operation (IEEE-279, paragraph 4.11)
Calibration of each sensor will introduce a sing le instrument channel trip. This does not cause a protective action without the coincide nt trip of three other channels. Removal of an instrument channel from service during calibra tion is brief and does not significantly increase the probability of failure to operate.
There are no channel bypasses as such in ADS. Removal of a sensor from operatio n during calibration does not prevent the redundant trip circuit from functioning if acci dent conditions occur because they will be sensed by the redundant sensors. The manual reset switch can interrupt the automatic depressurization for a limited time. However, releasing either one of the two reset switches will allow automatic timing and action to re sume. The ADS inhibit switches will prevent blowdown if placed in the INHIBIT position. These switches are keylocked and
administratively-controlled.
7.3.1.4.1.12 Operating Bypasses (IEEE-279, paragraph 4.12)
See Section 7.3.1.4.1.11 which also generally a pplies to the ADS. Disabling of two selected sensors would also disable the auto depressuriza tion action and would result from selective shutting off of one or more sensor instrument va lves for each of the two sets of four sensors.
This mechanism of disabling the system is no t considered to be an operating bypass so no exception to IEEE-279 is taken.
7.3.1.4.1.13 Indication of Bypasses (IEEE-279, paragraph 4.13)
The ADS inhibit switches as well as the manual opening of the control power breakers can disable the automatic depressurization function. Placing either ADS inhibit switch in the INHIBIT position, or a control power loss, is annunciated. Disabling of sensors by deliberately shutting off instrument valves is not indicated, but such action is under the operator's procedural control and cannot be done without appropriate authorization.
7.3.1.4.1.14 Access to Means for Bypassing (IEEE-279, paragraph 4.14)
Instrument valves are administratively controlled and cannot be operated without permission of responsible authorized personnel.
Reset switches are on the control panel in the main control rooms. Control power breakers are in dc distribution cabinets which are normally locked and under administrative controls.
QUAD CITIES - UFSAR 7.3-24 7.3.1.4.15 Multiple Trip Settings (IEEE-279, paragraph 4.15)
Not applicable because all trip points are fixed.
7.3.1.4.1.16 Completion of Protection Action Once Initiated (IEEE-279, paragraph 4.16)
Each of the two trip systems for the automatic depressurization control seals in electrically and remains energized until manually rese t by one of the two reset switches.
7.3.1.4.1.17 Manual Actuation (IEEE-279, paragraph 4.17)
Each valve has its individual manual contro l switch which can operate the valve even though the automatic control relays cannot oper ate for any reason including loss of control power fuses. Each valve has its own fused sole noid power circuit which is coordinated with the breaker which provides power for ADS control. Manual control is therefore independent of automatic control.
7.3.1.4.1.18 Access to Setpoint Adjustments (IEEE-279, paragraph 4.18)
See Section 7.3.1.1.1.18 which also applied to ADS.
7.3.1.4.1.19 Identification of Protective Actions (IEEE-279, paragraph 4.19)
See Section 7.3.1.1.1.19 which also applies to ADS.
7.3.1.4.1.20 Information Readout (IEEE-279, paragraph 4.20)
The information provided to the operator pertinent to ADS status are as follows:
A. Annunciators,
B. Valve position lights for each valve, and
C. Reactor vessel level indication.
From the previous text it can be seen that c hange of state of any active component from its normal condition is called to the operator's atte ntion; therefore, the indication is considered to be complete and timely. Re fer to Section 5.2.2 for a discussion of the acoustic monitors.
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-25 7.3.1.4.1.21 System Repair (IEEE-279, paragraph 4.21)
As with core spray, ADS is designed to av oid the need for repair rather than for fast replacement of components. Thus reliability is built-in rather than approached by accelerated maintenance. All devices in the system are de signed for a 40-year lifetime under the duty cycles to be imposed. Since this duty cycle is composed completely of testing at infrequent intervals, the duration of active components other than sensors is more a matter of shelf life than active life. However, all instrument comp onents are selected for continuous duty plus thousands of cycles of operation (far beyond that anticipated in actual service). Recognition and location of a failed component is accomplished during periodic testing.
7.3.2 Primary Containment Isolation Systems
7.3.2.1 Design Basis
The objective of the primary containment isol ation system (PCIS) is to provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the primary containm ent. The PCIS system provides automatic isolation of appropriate pipelines which penetra te the primary containment whenever certain monitored variables exceed their preselected oper ational limits. To accomplish this objective, PCIS was designed using the following criteria:
[7.3-15]
A. Prevent the release of radioactive materials in excess of the limits in 10 CFR 100 (or 10 CFR 50.67 as applicable) as a result of the design basis accidents;
B. Function safely when required regardle ss of the failure of any single component; and C. Function independently of other plant controls and instrumentation.
7.3.2.2 Isolation Logic Description
The primary containment and reactor vessel isolat ion control system includes the sensors, trip channels, switches, and the remotely activated valve closing mechanisms associated with the valves which, when closed, isolate either the primary containment, the reactor vessel isolation valves, or both.
[7.3-16]
Power for the trip systems and trip logics for Gro ups 1, 2, 3, and the RHR shutdown cooling isolation are supplied from the same two electri cal busses that feed the reactor protection system (RPS). Refer to Section 7.2 for more information on RPS. The analog trip system (see section 7.6) logic that is part of the trip logic is supplied from separate essential service motor control centers. The trip logic for isolation Gro ups 4 and 5 are arranged differently. For these Groups, there are two trip systems per group wh ich has each trip system electrically supplied by separate 125 Vdc sources. Only one trip system is required to provide an automatic isolation for Group 4 and 5. Technical Specif ications preserve system effectiveness even during periods of maintenance and testing activi ties. The two series isolation valves are supplied from different sources. One valve is powered from a reliable ac bus and the other valve is powered by a dc bus. Series solenoid valves are typically powered from separate ac buses. The MSIVs (described in detail in Section 6.2.4.3) use ac and dc power and pneumatic
pressure accumulators in the control scheme. Power cables are run in conduits from QUAD CITIES - UFSAR 7.3-26 Revision 10, October 2009 appropriate electrical sources to the motor or so lenoid that operates each isolation valve.
The pneumatic control is provided to close the. MSIVs on loss of ac and dc power.
[7.3-17]
The PCIS logic is arranged as a dual logic channel system, similar to that of the reactor protection system. The overall logic of the sy stem is one-out-of-two-twice. Exceptions to this basic logic arrangement are explaine d in the individual logic descriptions.
During normal operation of the isolation co ntrol system for Groups 1, 2, 3, and RHR shutdown cooling - when isolation is not requi red - sensor and trip contacts (essential to safety) are closed; trip channels, trip logics, and trip actuators are normally energized.
Whenever a trip channel sensor contact opens, its auxiliary relay de-energizes, causing contacts in the trip logic to open. The opening of contacts in the trip logic de-energizes its trip actuators. When de-energized, the trip act uators open contacts in all the trip actuator logics for that channel. If a trip then occurs in any of the trip logics of the other trip channel, the trip actuator logics for the othe r channel are de-energized. With both trip channels tripped, appropriate contacts open or cl ose in the valve control circuitry to actuate the valve closing mechanism. Automatic isolation valves that are normally closed receive an isolation signal, as do those valves that are open. Once isolation is initiated, the valve continues to close, even if the condition t hat caused the isolation signal clears. The operator must operate switches in the control room to manually reset the isolation signal and reopen a valve which has been automatically closed.
The trip logic for the following RWCU isolation has only two instrument or initiating device channels.
A. SBLC Activation Interlock (not a containment isolation related signal) B. RWCU Area Temperature High Non-regenerative heat exchanger outlet temper ature high isolation is not a safety-related containment isolation, but a system isol ation signal and only has one sensor.
The two channel logic for the above RWCU (Group 3) trips is acceptable, because maintenance and surveillances associated with th is logic do not challenge safety systems.
The trip logic for isolation Groups 4 & 5 are diffe rent in the fact that there are two (2) trip systems per isolation group, and the logic structu re is normally de-energized. For Group 5, each trip system isolates both the Inboard and Outboard containment isolation valves.
Modification M04-1(2)-91-013B incorporated Regulatory Guide 1.75 and IEEE 384 criteria for the electrical, and where possible, the phys ical separation of trip channels for Group 4 only. For Group 4, one trip system isolates on ly the Inboard valve while the second trip system isolates the Outboard valves.
In addition, the valves associated with the Group 1, 2, 3, 4, and RHR shutdown cooling isolations, as described in Table 6.2-7, will no t automatically open when the isolation signal is reset.
[7.3-18]
A keylock bypass switch is provided to allow venting of the containment when an isolation signal is present. This switch provides control room annunciation when it is not in the
normal position.
Primary containment isolation functions are initiated by groups, according to the trip channel logic associated with each group.
Additionally, manual switches on the control panel in the control room are available for each isolation valve to back up all trip signals.
Figure 7.3-1 displays the various functions of the system and the signals that initiate their
operation.
[7.3-19]
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-27 There are five groups of isolation valves as follows:
[7.3-20]
Group 1 - this group includes the isolation valves for the:
- 1. Four main steam lines.
- 2. Main steam line drain.
- 3. Reactor water sample line.
Group 2 - included in this group are the isolation valves for:
- 1. Drywell equipment drain discharge.
- 2. Drywell floor drain discharge.
- 3. Traversing in-core probe tubes.
- 4. Drywell purge inlet.
- 5. Drywell main exhaust.
- 6. Suppression chamber exhaust valve bypass.
- 7. Suppression chamber purge inlet.
- 8. Suppression chamber main exhaust.
- 9. Drywell Nitrogen purge inlet.
- 10. Nitrogen Makeup.
- 11. Nitrogen makeup to Drywell.
- 12. Nitrogen makeup to Suppression chamber.
- 13. Drywell exhaust to standby gas treatment.
- 14. Main primary containment ve nt to reactor building exhaust system.
- 15. Drywell exhaust valve bypass.
- 16. Drywell oxygen analyzer sample.
- 17. Torus oxygen analyzer sample.
- 18. Oxygen analyzer return.
- 19. Drywell pneumatic suction.
- 20. RHR reactor shutdown cooling suction.
- 21. RHR reactor LPCI/shutdown c ooling injection (only when RHR is in operation in the shutdown cooling mode).
- 22. RHR discharge to radwaste.
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-28 Group 3 - included in this group are the isolation valves for:
Group 4 - included in this group are the isolation valves for:
- 1. HPCI steam line isolation.
- 2. HPCI turbine exhaust line vacuum breaker line isolation.
Group 5 - included in this group are the isolation valves for:
- 1. Reactor core isolation cooling (RCIC) steam line isolation.
In addition to the RHR shutdown cooling is olation received during a Group 2, the RHR shutdown cooling suction valves will close on a reactor high pressure condition.
In addition to the isolation valves liste d above, the reactor building floor drain and equipment drain pumps trip upon the receipt of a Group 2 isolation signal.
The analytical limits for the isolation signals ar e listed in Table 7.3-1. Table 6.2-7 shows the valves affected by the system.
[7.3-20a]
The isolation functions and trip settings used fo r the electrical control of isolation valves are discussed in the following paragraphs.
7.3.2.2.1 Low Reactor Vessel Water Level
A low reactor vessel water level could indicate that reactor c oolant is being lost through a breach in the nuclear system process barrier and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. There are two reactor vessel low water level isolation trip settings used to init iate the isolation of the primary containment and the reactor vessel.
[7.3-21]
The first reactor vessel low wate r level isolation trip setting, wh ich occurs at a higher water level than the second setting, initiates closure of all Group 2 and Group 3 isolation valves in major process pipelines. The main steam line isolation valves (Group 1) are left open to allow the removal of heat from the reactor core.
This setting which, coincidentally is the sa me as the reactor vesse l low water level scram setting, was selected to initiate isolation at th e earliest indication of a possible breach in the nuclear system process barrier yet far enou gh below normal operational levels to avoid spurious isolation.
The second and lower reactor vessel low (l ow-low) water level isolation trip setting completes the isolation of the primary contai nment and reactor vessel by closure of the Group 1 isolation valves.
This setting was selected to be low enough to prevent actuation of the ECCS during normal operation or during normally expected transients, yet high enough to complete its isolation in time for the operation of the ECCS to provide effective core cooling.
QUAD CITIES - UFSAR 7.3-29 Revision 10, October 2009 7.3.2.2.2 Main Steam Line High-High Radiation
For a discussion of this topi c, refer to Section 11.5.2.
[7.3-22]
7.3.2.2.3 Main Steam Line Space High Temperature
High temperature in the space where the main steam lines are located, outside of the primary containment, could indicate a breach in a main steam line. The automatic closure of Group 1 valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.
[7.3-23]
Due to a small section of RWCU piping in the space where the main steam lines are located, outside of the primary containment, two of the four main steam line high temperature switch channels (A and B) also provide an automatic isolation of Group 3 valves of the RWCU system. Additional Group 3 high temperature is olation of the RWCU system is discussed in UFSAR Section 7.3.2.2.14. Area leak detection allows isolation at lower power levels than would isolate on Reactor Water Level Low.
[7.3-24] The main steam line space high temperature tri p is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.
7.3.2.2.4 Main Steam Line High Flow
Main steam line high flow could indicate a break in a main steam line. The automatic
closure of the Group 1 valves prevents the exce ssive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.
[7.3-25]
The main steam line high flow trip setting was se lected high enough to permit testing of one main steam line for operability of the respecti ve MSIV at reduced power without causing an automatic isolation of the rest of the steam lines , yet low enough to perm it early detection of a steam line break (Reference Section 6.2.6.3.1).
7.3.2.2.5 Low Steam Pressure at Turbine Inlet
[7.3-26]
Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the reactor pressure regulator in which the turbine control valves or turbine bypass valves inadvertently fully open. This action causes rapid depressurization of the reactor. Also, in the event of a steam line br eak the vessel would rapidly depressurize. From even partial load operating conditions, the ra te of temperature decrease could exceed the allowable vessel temperature rate of change.
Such depressurization without adequate preventive action, could require thorough vessel analysis or core inspecti on prior to returning the reactor to power operation. In lieu of an analysis of the conditions following a rapid depressurization, the steam pressure at the tu rbine inlet is monitored. Steam pressure, upon falling below a preselected value with th e reactor in the RUN mode, initiates a time delay relay. If steam pressure remains below the preselected value during the delay time, an isolation of the Group 1 isolation valves is init iated. The low steam pressure isolation setting was selected far enough below normal turbine inle t pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure regulator malfunction. The total channel response time, from the time main steamline pressure drops to below the low pressure setpoint to QUAD CITIES - UFSAR Revision 6, October 2001 7.3-30 the time a Group I isolation is initiated, is not greater than 0.5 seconds (analytical limit).
Although this isolation function is not required to satisfy any of the safety design bases for this system, it is included here to make the isolation functions list complete.
7.3.2.2.6 Primary Containment (Drywell) High Pressure
[7.3-27]
High pressure in the drywell could indicate a breach of the nuclear system process barrier inside the drywell.
The automatic closure of various Group 2 valves prevents the release of significant amounts of radioactive material from the primary containment.
The primary containment high pressure isolat ion setting was selected to be as low as possible without inducing spurious isolation trips.
[7.3-28]
High Drywell pressure makes up half of the required trip for the HPCI vacuum breaker isolation (Group 4) logic. The logic for this Group 4 isolation is one-out-of-two-taken twice, on low reactor pressure and high drywell pressure. The HPCI turbine exhaust line isolation is not required on HPCI steam line break, but will isolate on indications of a large break LOCA inside the drywell.
[7.3-29]
7.3.2.2.7 Primary Containment (Drywell) High Radiation
High radiation in the drywell indicates an abno rmal situation due to a line break or other abnormal occurrence. To preclude the release of potentially highly contaminated material from the containment, this isolation signal automatically closes the Group 2 isolation valves.
7.3.2.2.8 Reactor Core Isolation Cooling Turbine Space High Temperature
High temperature in the vicinity of the RCI C turbine could indicate a break in the RCIC steam line. The automatic closure of the RCIC isolation valves prevents the excessive loss of reactor coolant and the release of signific ant amounts of radioactive material from the nuclear system process barrier. The high-tem perature isolation setting was selected far enough above anticipated normal RCIC system operational levels to avoid spurious operation, but low enough to provide timely detection of a RCIC turbine steam line break.
[7.3-30]
QUAD CITIES - UFSAR Revision 6, October 2001 7.3-31 7.3.2.2.9 Reactor Core Isolation Cooling Turbine High Steam Flow
A RCIC turbine high steam flow signal could indicate a break in the RCIC turbine steam line. The automatic closure of the RCIC isol ation valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. When RCIC tu rbine high steam flow is detected, the RCIC turbine steam line is isolated. The high steam flow trip setting was selected high enough to
avoid spurious isolation yet low enough to pr ovide timely detection of a RCIC turbine steam line break. A time-delay relay with a setting of 3 to 9 seconds (analytical limit) is used to prevent spurious isolations (on receipt of high steam flow) during turbine startup.
[7.3-31]
The logic arrangement used for this function is a one-out-of-two and is an exception to the usual logic arrangement because high steam fl ow is the alternate method of detecting an RCIC turbine steam line break.
7.3.2.2.10 Reactor Core Isolation C ooling Turbine Steam Line Low Pressure
The RCIC turbine steam line low pressure signal is used to automatically close the two
isolation valves in that line so that steam and radioactive gases will not escape from the RCIC turbine shaft seals into the reactor build ing after steam pressure has decreased to such a low value that the turbine cannot be oper ated. The isolation setpoint is chosen at a pressure below that at which the RCIC turbine c an operate effectively. A loss of pressure in the steam supply to the RCIC turbine could also indicate a steam line break. The low pressure signal therefore, backs up the other RCIC line break detection signals.
[7.3-32]
7.3.2.2.11 High Pressure Coolant Injection Turbine Space High Temperature
High temperature in the HPCI Room could indicate a HELB in the HPCI system and
causes a HPCI steam supply line Group 4 isolat ion. The automatic closure of the HPCI steam supply isolation valves prevents the exce ssive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. The high temperature isolation setting was selected far enough above ambient to avoid spurious isolations, but low enough to provide timely detection of a break.
[7.3-33]
The instrument sensors are located near the steam supply line and the turbine exhaust
rupture disc. The 2 instruments at each location are utilized for inputs to each trip
channel. Each trip channel will, therefore, dete ct smaller leaks at the 2 different locations or a larger leak, as indicated by an in crease in the overall room temperature.
The logic utilized for this Group 4 isolation is two-out-of-two in each trip channel. This logic provides the advantage that a single sp urious instrument trip will not isolate HPCI, and multiple failures (to trip) are required to prevent an isolation following a HELB accident. Utilizing this logic, instead of one-ou t-of-two-twice logic, is justified based on the redundancy of the HPCI High Room Temper ature and the HPCI High Steamline Flow trips.
QUAD CITIES - UFSAR Revision 6, October 2001 7.3-32 7.3.2.2.12 High Pressure Coolant Injection Turbine High Steam Flow
HPCI turbine high steam flow could indicate a break in the HPCI turbine steam lines. This
instrumentation senses high flow from taps insi de the drywell in order to monitor flow from any potential break outside the drywell. Br eaks in areas other than the HPCI Room are detectable. The automatic closure of the HP CI steam supply isolation valves prevents excessive loss of reactor coolant and the rele ase of significant amounts of radioactive materials from the nuclear system process barri er. A time delay relay with a setting of greater than or equal to 3 seconds and less than or equal to 9 seconds (analytical limit) is used to prevent spurious isolation during turbine startup.
The HPCI turbine high steam flow setting wa s selected high enough to avoid spurious isolation, yet low enough to prevent excessi ve inventory loss from the reactor vessel.
The instrumentation for each of the 2 trip channels include a transmitter and 2 trip units (one trip unit detects high steam flow or a br eak in the low pressure instrument sensing line, and the other trip unit detects a break in the high pressure instrument sensing line).
The use of one-out-of-one logic in each trip channel is justified based on the use of highly
reliable instrumentation (EQ qualified transmi tter with analog trips), redundancy of the 2 trip channels, and the redundancy with the HPCI room temperature trip.
7.3.2.2.13 High Pressure Coolant Injection Turbine Steam Line Low Pressure
Low reactor pressure, as measured in the HPCI turbine steam supply line, is used to isolate the HPCI steamline so that steam and radioa ctive gases will not escape from the reactor pressure vessel and/or containm ent through the HPCI system.
HPCI turbine seals would become ineffective at preventing leakage from the turbine casing at low steam pressures. The isolation setpoint is chosen at a pressure below where HPCI is needed to mitigate the consequences of a sm all or intermediate break LOCA and above the pressure where the turbine and turbine seals cease to function. The HPCI steam supply
line would be isolated by this instrumentation following a large break LOCA.
The use of two-out-of-two logic for each trip c hannel prevents an isolation in the event of a single, spurious instrument trip. Use of this lo gic, instead of one-out-of-two-twice logic, is justified by the use of high quality EQ qualif ied transmitters, analog trip instruments, and the redundancy of the two trip channels.
Low reactor pressure, as measured in the HP CI turbine steam supply line, also makes up half of the required trips for the HPCI vacuum breaker isolation logic.
The HPCI vacuum breaker isolation valves ar e not required to isolate or mitigate the consequences of a HPCI steam line break, but will isolate on indications of a large break LOCA inside the containment to prevent a radi ological release through the HPCI system.
The logic in each trip channel for this isolation is one-out-of-two, take n twice on low reactor pressure and high drywell pressure. The use of 4 instruments in each trip channel make this a highly reliable trip logic. All 4 ins truments measuring one of the two parameters would have to fail to prevent an isolation.
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-33 7.3.2.2.14 RWCU Piping Area High Temperature
Two RWCU Auto-Isolation Analog Trip System panels provide detection, alarm and isolation signals for RWCU pipe breaks. The main reason this instrumentation signal was provided is to isolate RWCU breaks at lowe r reactor power levels when re actor feedwater flow can make up reactor water level losses and prevent autom atic isolation on reactor water low level.
[7.3-34]
The trip logic employs a one-out-of-two taken on ce logic as there are only two trip channels.
Detection by any single RTD provides actuat ion of both the inboard and outboard RWCU isolation valves.
The area temperature trip settings are selecte d to insure the RWCU HELB analysis is bounded and environmental conditions are not more severe than the worse case accident previously analyzed.
7.3.2.2.15 Reactor Vessel Pressure High The reactor vessel pressure high function prov ides equipment protection to prevent an RHR intersystem LOCA scenario. This function isolat es the RHR shutdown cooling suction valves.
The pressure is sensed on the "B" recirculation loop suction line where RHR shutdown cooling takes it suction.
The isolation employs a one-out-of-two taken once trip logic since there are only two trip channels. Detection by any single sensor prov ides actuation of both inboard and outboard suction valves. The setpoint selected for this value assures that the pressure rating of the RHR shutdown cooling piping and components w ill not be exceeded when the suction valves are open. This function also serves as a pe rmissive for RHR to operate in the shutdown cooling lineup mode.
7.3.2.3 Primary Containment Isolation System Instrumentation
Sensors providing inputs to the primary cont ainment and reactor vessel isolation control system are dedicated to that function. Trip channels are physically and electrically separated to reduce the probability that a single physic al event will prevent isolation. Trip channel sensors for one monitored variable that are gr ouped near each other provide inputs to different isolation trip systems. The sensors are described in the following paragraphs.
[7.3-35]
A. Reactor vessel water level signals (PCI S isolation) are initiated from four level transmitters via four indicating- and four nonindicating analog trip switches that are part of the analog trip system. The transmitters sense the difference between
the pressure of a constant reference colu mn of water and the pressure due to the actual water level in the vessel. The four indicating switches are used to identify that water level has decreased to the low water level isolation setting. The four nonindicating switches are used to identi fy that water level has decreased to the low-low water level isolation settings. The four switches for each level setting are arranged in pairs; each switch in a pair provides a signal to a different isolation logic channel.
[7.3-36]
Two instrument sensing lines, attached to taps above and below the water level on the reactor vessel, are required for the di fferential pressure measurement for each pair of transmitters. The two pairs of sensing lines terminate outside the primary
containment and inside the reactor buildin g; they are physically separated from each other and tap off the reactor vesse l at widely separated points. This QUAD CITIES - UFSAR Revision 10, October 2009 7.3-34 arrangement assures that no single phys ical event can prevent isolation, if required. Cables from the level sensors are routed to the analog trip cabinets.
Temperature equalizing columns are used to reduce errors in level measurement that can occur with changes in reactor water temperature.
B. Main steam line radiation is monitored by four radiation monitors, which are described in Section 11.5.2
[7.3-37] C. High temperature in the vicinity of the main steam lines is detected by 16 bimetallic temperature switches located along the main steam lines between the
drywell wall and the turbine. The detectors are located or shielded so that they are sensitive only to air temperature and not the radiated heat from hot equipment.
[7.3-38]
D. High flow in each main steam line is sensed by four differential pressure transmitters that sense the pressure diffe rence across the flow restrictor in that line. Each transmitter provides an input signal to an indicating analog trip unit.
[7.3-39]
The logic is arranged as two trip syst ems, both of which must trip to initiate isolation. Each trip system has two trip lo gics, either of which can trip the parent trip system. Each trip logic receives an input from a high steam flow trip channel for each steam line.
E. Main steam line low pressure is sensed by four bourdon-tube pressure switches which sense pressure downstream of the outboard main steam isolation valves. The
sensing point is located as close to the turb ine stop valves as possible. The switches are arranged as two trip systems both of whic h must trip to initiate isolation. Each trip system receives inputs from two ma in steam line low pressure trip channels, either of which can trip the system.
[7.3-40]
F. Primary containment pressure is mo nitored by four nonindicating pressure switches which are mounted on instrument racks outside the drywell. Instrument sensing lines connect the pressure switches located in the reactor building to the drywell atmosphere. Cables are routed fr om the switches to the control room via the auxiliary electrical room. The switches are grouped in pairs, physically
separated, and electrically connected to th e isolation control system so that no single event will prevent isolation due to primary containment high pressure.
[7.3-41]
The containment pressure is also mo nitored by four additional nonindicating electronic pressure switches per division which were used to isolate the ACAD system under high drywell pressure conditio ns. The switches are grouped in pairs, physically separated and electrically conne cted to the isolation control system so that no single event will prevent the isolatio
- n. Each pair of switches is fed by a pressure transmitter which is pipe d to the drywell air space.
[7.3-42]
When the ACAD dilution air injection subsystem was abandoned, the ACAD isolation valves that the electronic pressu re switches isolated were abandoned in place and physically deactivated. Each pa ir of pressure switches will still cause a Drywell Hi Pressure annunciator in the con trol room to illuminate. However, the Group 6 isolation function is no longer active. Reference UFSAR Section 6.2.5.
G. Primary containment high radiatio n is monitored by two detector assemblies mounted in penetrations outside the drywell which feed two non-indicating
radiation switches, each with two contacts , mounted in racks in the control room.
Each switch is fed from a separate radiation sensor which is part of the QUAD CITIES - UFSAR Revision 10, October 2009 7.3-35 containment atmosphere monitoring (CAM) system. The switches are physically separated and electrically connected to the isolation control system.
[7.3-43] H. High temperatures in the vicinity of the RCIC turbine are sensed by four temperature switches arranged in a one-out-of-two-twice logic.
[7.3-44] I. High flow in the RCIC turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across a 90 o elbow installed in the RCIC turbine steam supply pipeline. The tripping of either channel initiates
isolation of the RCIC turbine steam line following a time delay of 3 to 9 seconds (analytical limit). This is an exception to the usual sensor requirement. The reason for the exception was given in the explanation of the RCIC turbine high
steam flow isolation function.
[7.3-45]
J. Low pressure in the RCIC steam line is sensed by four pressure switches upstream of the RCIC turbine line isolation valves. The switches are electrically
connected as a "1 of 2 twice" trip logic. Th e four pressure switches will actuate to energize only one trip system.
[7.3-46]
K. High temperature in the area of the HPCI turbine is sensed by four (4) temperature switches arranged in a two ou t-of-two logic in each of the two trip channels.
[7.3-47]
L. High flow in the HPCI turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across a 90 o elbow installed in the HPCI turbine steam pipeline. Each transmitter provides an input to two (2) trip units in the analog trip system. Ea ch trip unit controls one of the HPCI steam supply line isolation valves. This is an exception to the usual sensor
requirement. The reason for the exception was given in the explanation of the
HPCI turbine high steam flow isolation function.
[7.3-48]
M. Low pressure in the HPCI turbine steam line is sensed by four pressure transmitters monitoring upstream of th e isolation valves. Each transmitter provides input to a trip unit in the analog trip system. The trip units are
arranged in two trip systems (two trip units per trip system), with each trip system connected to one HPCI turbine stea m line valve. Both trip units in a trip system must activate to isolate a steam line valve.
[7.3-49]
N. The relay contacts in each trip channel are arranged in a 1-out-of-2-twice on high drywell pressure and low reactor pre ssure for the HPCI vacuum breaker isolation logic. Each trip channel closes 1 of the 2 steam supply or vacuum
breaker isolation valves.
O. RWCU Piping Area High Temperature is sensed by five RTDs per channel. Two RTDs are located in the RWCU Heat Exchanger room, one in the Phase
Separator Tank Area, and two in the "D" Heater Bay. The RTDs provide input
signals to analog trip units located in the reactor building. Any one of the five RTDs in each of the two channels can initiate an automatic isolation.
[7.3-50] P. Reactor vessel high pressure is sens ed by two pressure switches from two different taps on the "B" recirculation loop suction line piping. The pressure switches are electrically connected to a co mmon relay that provides contacts for both the inboard and outboard RHR shutdown cooling suction valves. The same pressure switches provide contacts to the logic controlling the 1(2)-1001-29A and B shutdown cooling injection valves. Th ese contacts provide logic input when pressure is below the shutdown cooling permissive pressure.
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-36 Sensor trip channel and trip logic relays are high reliability relays equivalent to type HFA relays made by GE. The relays are selected so that the continuous load will not exceed 50%
of their continuous duty rating.
[7.3-51]
The physical and electrical arrangement of the primary containment and reactor vessel isolation control system was selected so that no single physical event will prevent isolation.
The location of Group 1 and 2 valves inside and outside the primary containment provides assurance that the control system for at le ast one valve on any pipeline penetrating the primary containment will remain capable of automatic isolation.
Electrical cables for isolation valves in the same pipeline are routed separately. Motor operators for valves inside the primary contai nment are totally enclosed and those outside the primary containment have weatherproof-typ e enclosures. Solenoid valves, whether used for direct valve isolation or as air pilo ts, are equipped with watertight enclosures.
All cables and valve operators can function in the most unfavorable ambient conditions anticipated for normal operations. Temperatur e, pressure, humidity, and radiation are all considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Sh ielded cables are used where necessary to eliminate interference from magnetic fields.
Special consideration was given to isolat ion requirements during a LOCA inside the drywell. The PCIS components that are loca ted inside the primary containment that must operate during a LOCA are the cables, control mechanisms, and the valve operators for the isolation valves inside the drywell. Pr imary containment isolation system components located within the primary containment associated with design basis events during or after which they must perform mitigating fun ctions are covered by the Environmental Qualification Program Described in Section 3.11.
7.3.2.4 Design Evaluation
The primary containment isolation control sy stem, in conjunction with other safety systems, is designed to provide timely prot ection against the onset and consequences of accidents involving the gross release of radi oactive materials from the fuel and nuclear system process barriers. It is the objecti ve of Chapter 15 to identify and evaluate postulated events resulting in gross failure of the fuel barrier and the nuclear system process barrier. The consequences of such gross failures are described and evaluated in that chapter.
[7.3-52]
The design practice for Quad Cities Station is to select tentative isolation trip settings that are far enough above or below normal operating levels that spurious isolation and operating inconvenience are avoided. Analyses are perfor med to verify that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within acceptable bounds. The Tec hnical Specification allowable values and the associated instrument trip setpoints have been based on the methods prescribed in NES-
EIC-20.04.
Chapter 15 shows that the actions initiated by PCIS, in conjunction with other safety systems, are sufficient to prevent releases of radioactive material from exceeding the values given as guidance in applicable regulations.
RWCU High Area Temperature Isolation ins trumentation was installed to detect RWCU line breaks. Credit for these instruments is no t taken in any transient or accident analysis because this line break is bounded by larger MSL or recirculation breaks. Administrative controls are required to provide techni cal requirements for operability of this instrumentation to preclude reliance on manual trips during RWCU HELB scenarios.
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-37 This RWCU system isolation instrumentation miti gates the HELB to limit offsite releases and maintains HELB environmental condit ions within analyzed parameters.
Temperatures in the spaces occupied by va rious steam lines and steam-driven equipment outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to PCIS. Th e large number of temperature sensors and their dispersed arrangement near the steam lines requiring this type of break protection provides assurance that a significant break will be dete cted rapidly and accurately. One of the four groups of main steam line space temperature sw itches is located in the ventilation exhaust from the steam line space between the drywell wa ll and the secondary containment wall. This assures that abnormal air temperature increases are detected regardless of the location of a leak in that space.
Section 15.6 evaluates a gross breach in the ma in steam line outside the primary containment during operation at rated power. The eval uation shows that the main steam lines are automatically isolated in time to prevent a re lease of radioactive material in excess of the values given as guidance in applicable regulati ons and to prevent the loss of coolant from being great enough to allow uncovering of the co re. These results are true even if the longest closing time of the valve is assumed.
The shortest closure time of the main steam line isolation valves is 3 seconds. The transient resulting from a simultaneous closure of all ma in steam line isolation valves in 3 seconds during reactor operation at rated power is considerably less severe than the transient resulting from inadvertent closure of the turbin e stop valves (elapsed time approximately 0.1 seconds) coincident with failure of the turbine bypass system (see Section 15.2.3.1).
Because essential variables are monitored by trip channels arranged for physical and electrical independence, and because a dual tri p system arrangement is used to initiate closure of automatic isolation valves, no sing le failure, maintenance operation, calibration operation, or test can prevent th e system from initiating valve closure, for Groups 1, 2, 3, and the RHR shutdown cooling isolation. An analysis of the isolation control system shows that the system does not fail to respond to essential va riables as a result of single electrical failures such as short circuits, grounds, and open circuits.
These single failures result in a failure of only one trip system. Isolation is initiated upon a trip of the remaining trip system.
The Group 4 and 5 isolation circuits each contai ns two normally de-energized trip systems. These systems isolation valves remain open unless a line break in the respective HPCI or
RCIC system is sensed. The HPCI and RCIC logi c systems were not originally designed to meet single failure criteria because of the red undancy of the core cooling systems. The Group 4 and 5 dual trip systems do provide a level of redundancy and reliability for mitigation of a high energy line break. The three sensor fun ctions within the trip systems provide redundant methods of detecting a line break. The RCIC lo w steam supply pressure isolation is the only exception in that the instruments will only trip one trip system. This is acceptable as this function is considered an operational interl ock for turbine operation within the reactor building, and this low pressure isolation is only a backup to the other line break isolation detection instrument channels. The Group 4 isolation logic only has been updated by Modification M04-1(2)-91-013B to include the electrical and where possible physical
separation of the IEEE-384 and Regulatory Guide 1.75.
[7.3-52a]
The RWCU High Temperature Auto Isolation sy stem was added to eliminate the reliance on operator action for manual isolation for an RWCU HELB scenario described in GE SIL No. 604. The original licensing analysis for RW CU pipe breaks was found adverse to quality and a commitment was made to the NRC to prov ide a high area temperature based actuation for RWCU. This new isolation actuation was desi gned to meet the intent of the requirements as defined for a plant protection system and is consistent with IEEE 279-1968 criteria.
[7.3-53]
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-37a The reactor vessel pressure high function prov ides equipment protection to prevent an RHR intersystem LOCA scenario. No credit for this interlock is assumed in any accident or transient analysis.
The redundancy of trip channels provided for all essential variables provides a high probability that whenever an essential variable exceeds the isolation setting, the system will initiate isolation. In the unlikely event that all trip channels for one essential variable in one
trip system fail in such a way that a system tri p does not occur, the system could still respond properly as other monitored variables exceed thei r isolation settings. In addition, isolation of the process lines could be accomplished manually by the operator.
QUAD CITIES - UFSAR Revision 10, October 2009 7.3-38 The sensors, logic and circuitry used for pr imary containment isolation system are not used for any process systems, where the malfuncti on of these process systems will prevent a containment isolation, when an isolation is warranted.
The wall of the primary containment effective ly separates adverse primary containment environmental conditions which might otherwise affect both isolation valves in a pipeline.
Therefore, environmental conditions inside th e drywell will not affect the ability to isolate a given line. The previously discussed electri cal isolation of control circuitry prevents failures in one part of the control system from propagating to another part. See Section 8.3 for electrical distribution information. Ele ctrical transients have no significant effect on the functioning of the isolation control system.
Calibration and test adjustments for pressu re and level switches are located on the switches themselves. These switches are loca ted in the turbine building, reactor building, and cable spreading room. To gain access to th e adjustments on each switch, a cover plate, access plug, or sealing device must be remove d by personnel before any adjustment in trip settings can be effected. Calibration and maintenance of instruments are done in accordance with approved plant procedures wi th the approval of the shift engineer to reduce the probability that operational reliab ility will be degraded by operator error.
[7.3-54]
The various power supplies used for the isol ation system logic circuitry and for valve operation provide assurance t hat the required isolation can be accomplished in spite of power failures. If ac power for valves inside the primary containment is lost, dc power is available for operation of valves outside the primary containment. The main steam isolation valve control arrangement will not inhi bit the isolation function due to the loss of ac and/or dc power. Because both solenoid-ope rated pilot valves must be de-energized, loss of a single power supply will neither cause i nadvertent isolation nor prevent isolation if required. The logic circuitry for Groups 1, 2, 3, and the RHR shutdown cooling isolation is powered by separate reactor pr otection system (RPS) buses for separate divisions. The power supplies for the Group 4 isolation c hannels are: 1.) Division II 125 VDC with transfer to Division I on loss of power, and 2.) Division II 120 VAC. A loss of a single RPS bus power here results in a single trip system tri
- p. In no case does a loss of a single power supply prevent isolation.
7.3.2.5 Inspection and Testing
All parts of the PCIS are testable during reactor operation. Isolation valves can be tested to assure that they are capable of closing by operating manual switches in the control room and observing the position lights and any associated process effects. Testable check valve controls are designed to allow verification that valve disks are free to open and close. The trip channel and trip system responses can be functi onally tested by applying test signals to each trip channel and observing the trip system response. Testing of the main steam line
isolation valves is discussed in Section 6.2.6.3.
[7.3-55]
7.3.2.6 Conformance to IEEE-279
The following is a point-by-point comparison of the containment isolation control system with the Requirements of IEEE Std 279-1968 whic h has been summarized from GE Topical Report, NEDO-10139.[1] For more detailed informatio n refer to the topical report.
[7.3-56]
QUAD CITIES - UFSAR Revision 9, October 2007 7.3-39 7.3.2.6.1 General Functional Requirements (IEEE-279, paragraph 4.1)
A. Auto-Initiation of Appropriate Action
The control system action from sensor to final control signal to the valve actuator is capable of initiating appropriate action and of doing it in a time commensurate
with the need for valve closure. Total time, from the point where a process out-
of-limits condition is sensed to the ener gizing or de-energizing of appropriate valve actuators, is less than 200 millisecon ds (logic response time excluding sensor). The closure time of valves r anges upward from a minimum of 3 seconds for the main steam isolation valves, depending upon the urgency for isolation considering possible release of radioactivity.
Thus it can be seen that the control initiation time is at least an order of magnitude lower than the minimum
required valve closure time.
B. Precision
Accuracies of each of the sensing elements is sufficient to accomplish the isolation initiation within required limit s without interfering with normal plant operation.
C. Reliability
The reliability of the PCIS is compatible with and higher by at least an order of magnitude than the reliability of the actuated equipment (valves).
D. Action Over the Full Range of Environmental Conditions
The similar item listed under core spray (Section 7.3.1.1.1.1) applies here in all respects to all isolation control equipm ent, except the manual control switches for the HPCI and RCIC isolation valves.
Since both of the control switches for the redundant valves are in the same control panel in the main control room, it
is conceivable that destruction of this c abinet by fire or missile could affect the control of both valves in these two lines in such a way as to prevent them from closing. However, it is highly un likely that such an event could occur coincidentally with an independent event requiring system isolation such as a steam line break. Refer to Commonwealth Edison's, 10 CFR 50, Appendix R, Program and UFSAR, Section 3.5.
7.3.2.6.2 Single Failure Criterion (IEEE-279, paragraph 4.2)
The single failure criterion of IEEE-279 is fully complied with in the design of the PCIS.
7.3.2.6.3 Quality of Components and Modules (IEEE-279, paragraph 4.3)
See Section 7.3.1.1.1.3 which also applies to th e PCIS, with the exception that most of the isolation control is de-energize to trip, instead of energized to trip, and is thus more likely to call attention to the failures that may occu r in coil circuits, connections, or contacts.
QUAD CITIES - UFSAR Revision 5, June 1999 7.3-40 7.3.2.6.4 Equipment Qualifications (IEEE-279, paragraph 4.4)
See Section 7.3.1.1.1.4 which also applies to PCIS.
7.3.2.6.5 Channel Integrity (IEEE-279, paragraph 4.5)
See Section 7.3.1.1.1.5 which also applies to PCIS. However, the fail-safe design of the isolation control and operation of a grounded ac system makes it less likely to fail to operate.
7.3.2.6.6 Channel Independence (IEEE-279, paragraph 4.6)
Channel independence for sensors exposed to each process variable is provided by electrical and mechanical separation. Physical separation is maintained between redundant
elements of the redundant control systems where it will add to reliability of operation. The manual control switches for the HPCI and RCIC isolation valves are an exception to this objective, but they are sufficiently separated to give a high degree of reliability and meet a literal interpretation of paragraph 4.6 of IEEE-279.
7.3.2.6.7 Control and Protection Interaction (IEEE-279, paragraph 4.7)
The isolation control system is a strictly on-o ff system, and no signal whose failure could cause a need for isolation can also prevent it.
7.3.2.6.8 Derivation of System Inputs (IEEE-279, paragraph 4.8)
The inputs which initiate isolation valve cl osure are direct measures of variables that indicate a need for isolation (such as reacto r vessel low level, drywell high pressure, and pipe break detection). Pipe br eak detection utilizes methods of recognition of the presence of a material that has escaped from the pipe, rather than detecting actual physical changes in the pipe itself.
7.3.2.6.9 Capability for Sensor Checks (IEEE-279, paragraph 4.9)
The reactor vessel instruments can be checked one at a time by application of simulated signals. These include level, pressure, radiat ion, and flow. Temperature sensors along the main steam lines are not testable except du ring shutdown, but they are sufficient in number so that testing between refueling outage s is not necessary to achieve the reliability level required. Temperature sensors can be checked periodically by removing them and applying heat to the sensitive zone, and also by oven calibration, which requires removal from the circuit during calibration and replacement by calibrated units.
QUAD CITIES - UFSAR Revision 6, October 2001 7.3-41 7.3.2.6.10 Capability for Test and Calibration (IEEE-279, paragraph 4.10)
All active components of PCIS, with the exce ption of the main steam line high temperature sensors and the main steam line radiation sens ors, can be tested and calibrated during plant operation.
The radiation sensors can be cross-checked ag ainst their companions for verification of operability and since they are used with refere nce to background, they do not require actual sensitivity verification on a frequent basis.
7.3.2.6.11 Channel Bypass or Removal fr om Operation (IEEE-279, paragraph 4.11)
Calibration of each sensor will introduce a si ngle instrument channel trip, except in the case of the Unit 1 RWCU Automatic Isolatio n Area RTDs which can be placed in bypass during calibration. The introduction of a sing le instrument channel trip during calibration does not cause a protective function withou t the coincident trip of at least one other instrument channel, except in the case of the HPCI and RCIC where leak detection temperature sensors have one-out-of-two logic on differential temperature and where leak detection flow sensors have one-out-of-two logi
- c. The RWCU Automatic Isolation on Area Temperature Hi is also a one-out-of-two logic.
[7.3-57]
7.3.2.6.12 Operating Bypasses (IEEE-279, paragraph 4.12)
The only bypasses in PCIS are the main st eam line low-pressure bypass and the main steam line tunnel temperature switches. Th e main steam line low-pressure bypass is imposed by the mode switch when not in the r un mode. The mode switch cannot be left in this mode with neutron flux measuring power above 15% of rated power without imposing a scram. Therefore the bypass is considered to be removed in accordance with the intent of IEEE-279, although it is a manual action that removes it rather than an automatic one. In the case of the motor operated valves, autom atic or manual closure can be prevented by shutting off electric power. The MSIV stea m tunnel temperature bypass switches located on the main control board 901(2)-4 allow th e RWCU to continue to run during MSIV temperature switch calibration and testing.
7.3.2.6.13 Indication of Bypasses (IEEE-279, paragraph 4.13)
The bypass of the main steam line low-pressure isolation signal is not indicated directly in the control room except by the position of th e mode switch handle. This switch is under strict operator control. Its specific bypass functions are a matter of operator training and, as such, do not reasonably need to be brough t to the operator's attention each time he places the switch in startup mode. Since the bypass is not removed by any automatic action it is positively in effect any time the mo de switch is in position to impose it.
For bypass of the MSIV room area temperatur e switches, individual indicating lights are provided on a new RWCU isolation area te mperature monitoring panels. Annunciator indication is provided when the switches are placed in the bypass configuration.
QUAD CITIES - UFSAR Revision 6, October 2001 7.3-42 7.3.2.6.14 Access to Means for Bypassing (IEEE-279, paragraph 4.14)
The mode switch affects the main steam line low pressure PCIS function, and it is centrally located on the operators main control console.
Two handswitches, one for inboard isolation logi c and one for outboard isolation logic, are installed on the 901(2)-4 panels to allow by passing the MSIV room temperature relays contacts This is necessary to allow for RW CU operation during a shutdown when MSIV room temperature switches are removed from se rvice, and the RWCU system is required for outage related operation.
7.3.2.6.15 Multiple Trip Settings (IEEE-279, paragraph 4.15)
Paragraph 4.15 of IEEE-279 is not applicable because all setpoints are fixed.
7.3.2.6.16 Completion of Protection Action Once Initiated (IEEE-279, paragraph 4.16)
All isolation decisions are sealed-in downstream of the decision making logic, so valves go to the closed position, which ends protective a ction. Manual reset action is provided by a three-position reset switch, so that inboard valves can be reset independent of outboard valves.
7.3.2.6.17 Manual Actuation (IEEE-279, paragraph 4.17)
All isolation valves are capable of manual act uation independent of active components of the automatic actuation circuitry, with the ex ception of the motor starters for the motor operated valves.
7.3.2.6.18 Access to Setpoint Adjustments (IEEE-279, paragraph 4.18)
The discussion given in Section 7.3.1.1.1.18 is also applicable to PCIS.
7.3.2.6.19 Identification of Protective Actions (IEEE-279, paragraph 4.19)
The statements made in Section 7.3.1.1.1.19 are applicable to PCIS.
7.3.2.6.20 Information Readout (IEEE-279, paragraph 4.20)
The information presented to the operator are as follows:
A. Annunciation of each process variable which has reached a trip point,
B. Computer readout of trips on main steam line tunnel temperature or main steam line excess flow, QUAD CITIES - UFSAR Revision 6, October 2001 7.3-42a C. Control power failure annunciation on each channel, QUAD CITIES - UFSAR Revision 9, October 2007 7.3-43 D. Annunciation of steam leaks in each of the five systems monitored such as, main steam, reactor water cleanup, RHR, HPCI, and RCIC; and
E. Open and closed position lights for each isolation valve. This information is considered to fulfill the require ments for information readout.
7.3.2.6.21 System Repair (IEEE-279, paragraph 4.21)
Those components which are expected to hav e a moderate need for replacement are designed for convenient removal. Pressure sensors, vessel level sensors, etc. can be replaced in a reasonable length of time, but th ese devices are considered to be permanently installed although they have nonwelded conne ctions at the instrument, which will allow replacement.
7.3.3 Secondary Containment Isolation System
The objective of the secondary containment system , in conjunction with other systems, is to limit the release of radioactive materials to be below the limits in 10 CFR 100 (or 10 CFR 50.67 as applicable) as a result of the design basis acci dents. For more information on the design basis refer to Section 6.2.
[7.3-58]
The secondary containment isolation includes:
A. Closing the reactor building ventilation isolation valves;
B. Tripping the reactor building supply and exhaust fans; and
C. Starting the standby gas treatment system (SBGTS).
The initiating signals are:
A. Low reactor water level usin g a one-out-of-two-twice logic;
B. High drywell pressure usin g a one-out-of-two-twice logic;
C. High reactor building ventilation exhaus t radiation using a one-out-of-two logic;
D. High refuel floor radiation using a one-out-of-two logic;
E. Reactor building ventilation radiatio n monitors downscale using a two-out-of-two logic; F. Refuel floor radiation monitors do wnscale using a two-out-of-two logic; and
G. High drywell radiatio n using two-out-of-two logic.
The reactor building ventilation isolation and fan trip are actuated via auxiliary contacts from the SBGTS logic. See Section 6.5 for more information on SBGTS.
QUAD CITIES - UFSAR Revision 5, June 1999 7.3-44 7.3.4 References
- 1. General Electric Topical Report NEDO-10139, June 1970.
(Sheet 1 of 1)
Revision 10, October 2009 QUAD CITIES - UFSAR Table 7.3-1 ANALYTICAL LIMITS FOR GROUP ISOLATION SIGNALS Valve Isolation Group Isolation Signal Analytical Limit
[Note 1] Group 1 Reactor Low-Low Water Level >
-59 in. Steamline High Flow <
140% of rated flow Steamline Low Pressure >
785 psig in RUN mode Steam Tunnel High Temperature <200°F Group 2 Reactor Low Water Level >
0 in. Drywell High Pressure <
+2.5 psig Drywell High Radiation <
100 R/hr Group 3 Reactor Low Water Level >
0 in. Steam Tunnel High <200°F RWCU Area High Temperature <185°F Group 4 HPCI Steamline Low Pressure >
100 psig HPCI Steam Supply Valves
ONLY HPCI Steamline High Flow HPCI Area High Temperature
<300% rated flow
<170°F Group 4 HPCI Steamline Low Pressure >
100 psig
- HPCI Turbine Exhaust Vacuum Breaker Valves
ONLY Drywell Pressure High
- Signals existing simultaneously
<2.5 psig
- Group 5 RCIC Steamline Low Pressure >
50 psig RCIC Steamline High Flow <
300% rated flow RCIC Area High Temperature <170°F RHR Shutdown Cooling Reactor High Pressure [Note 2]
> 135 psig Note 1: Analytical Limit shown unless noted otherwise Note 2: Pressure sensed on Reacto r Recirculation loop B suction line
QUAD CITIES - UFSAR Revision 5, June 1999 7.4-17.4. SAFE SHUTDOWN The following section describes the instrume ntation and control system aspects of the containment cooling mode of the residual heat removal (RHR) system. This section also provides a description of shutdown outside the control room.
[7.4-1]
7.4.1 Containment Cooling Mode of the Residual Heat Removal System The containment cooling function is provided by the residual heat removal (RHR) system after the core is flooded. Suppression pool water can be recirculated through the heat exchangers for cooling. The cooled water can be used to spray the drywell and/or torus. For a complete description of the design basis, system functions and components, refer to Section 6.2
[7.4-2]
Containment cooling mode of RHR is init iated manually from the control room by alignment of the proper combination of valves , pumps, and heat exchangers. No automatic start function is provided. When a LPCI init iation signal is present, the use of the containment cooling permissive switch is re quired for containment cooling valve alignment and the RHRSW permissive switch is required to start RHRSW.
However, in order to initiate or maintain containment cooling, the following conditions must be met or the signal bypassed by use of the containment cooling 2/3 level and ECCS initiation bypass switch:
A. Reactor water level inside the core shroud must be at least 2/3 core height. This parameter is measured by one level transmitter per division.
B. Reactor water level inside the annulus is above the ECCS initiation setpoint.
This parameter is measured by two level switches per division arranged in one-out-of-two twice logic.
C. Drywell pressure is below the ECCS in itiation setpoint. This parameter is measured by two pressure switches per di vision arranged in one-out-of-two twice logic.
Additionally, to initiate or maintain drywell and/or torus spray the following condition must also be met:
A. Drywell pressure is above the low limit setpoint. This parameter is measured by two pressure switches per division arr anged in one-out-of-two twice logic.
This additional condition does not have a by pass switch. Once containment cooling has been placed in operation, if any of the preced ing requirement do not co ntinue to be either met or bypassed, the associated valves will close to allow full LPCI flow.
7.4.2 Shutdown Outside the Control Room In the unlikely event that the control room becomes uninhabitable, provisions have been made to permit shutdown of the reactor outside of the control room. A number of QUAD CITIES - UFSAR Revision 5, June 1999 7.4-2 automatic features incorporated in the plant desi gn allow the reactor to be brought to a safe shutdown condition. The following description outlines a course of action which achieves a safe and orderly cold shutdown condition.
Alternate action sequences are possible.
[7.4-3]
Immediately prior to control room evacuation, the operator actuates the reactor manual scram switches on the control panel to insert all control rods, and observes the control rod position indicators on the display panel. The control rods may also be inserted from outside the main control room by several methods.
One method is to manually trip both reactor protection system (RPS) moto r-generator (M-G) sets by op ening the power supply circuit breakers at the 480 V motor control centers in the turbine building. The position of the
scram valves for the individual control rod driv es can be verified in the reactor building at the control rod drive modules. Table 7.4-1 lists key parameters available outside the control room and their locations.
Reactor vessel pressure and water level are in dicated locally in the reactor building on instrument racks 2201(2)-5 and 2201(2)-6 and other racks as indicated in Table 7.4-1. The
steam pressure regulator will continue to aut omatically regulate reactor pressure by allowing steam flow through the main turbin e and its bypass system to the condenser.
Decay heat from the reactor will continue to be dissipated to the condenser through the turbine system until the turbine generator trips. At which time the turbine bypass valves will open and dump steam directly to the main condenser. Steam dumping to the
condenser continues until the amount of decay he at being generated with in the core is not sufficient to maintain reactor pressure. Ther mal losses from the reactor system, combined with the normal steam flow to the turbine gland seals and air ejector, will eventually exceed the decay heat and result in a gradual cooldown and depressurization of the reactor to approximately 850 psig at which time th e main steam isolation valves will close automatically.
The operator will continue reactor vessel depr essurization and cooldown by remote-manual actuation of the relief valves resulting in blow down to the suppression pool. The number of valves, and the opening frequency and durati on, will be determined by monitoring the reactor pressure at instrument rack 2201(2)-5 to insure that the vessel cooldown rate does not exceed 100~F per hour. Remote-manual act uation of the relief valves is accomplished by closing the contacts on the relief valve con trollers which are also located on instrument rack 2201(2)-5.
While the reactor is blown down to the suppr ession pool, one RHR pump, heat exchanger, and RHR service water pump may be placed in service to cool the suppression pool water and prepare for shutdown. The equipment, mo tor-operated valves, pumps, etc., may be actuated manually in the reactor building and at appropriate breakers at the 480-V motor control centers and 4160-V switchgear as required. Once the reactor has been depressurized to approximately 50 psig, the RHR system is placed in the shutdown cooling mode and reactor cooldown will continue.
The required communications for accomplishing this shutdown can be maintained outside the control room using remote phone equi pment, sound powered telephones, two-way radios, etc. (see Section 9.5.2). During the en tire shutdown process, no re-entry into the main control room is required. Instrument ation outside the control room enables the operator to monitor the reactor vessel level, pressure, and temperature during cooldown.
Therefore, a safe operational shutdown of the reactor from a normal operating condition to a cold shutdown condition can be accomplishe d without access to the main control room.
(Sheet 1 of 1)
QUAD CITIES - UFSAR
Table 7.4-1
REACTOR VESSEL PRESSURE AND LEVEL INDICATORS AVAILABLE OUTSIDE THE CONTROL ROOM
Variable Monitored Location Reactor Pressure Rack 2201(2)-5,6 Reactor Pressure Panel 2201(2)-70A Reactor Pressure Panel 2201(2)-70B Reactor level Rack 2201(2)-5,6 Reactor level Rack 2201(2)-7,8 Reactor level Panel 2201(2)-73 A,B
QUAD CITIES - UFSAR Revision 9, October 2007 7.6-1 7.6 CORE AND VESSEL INSTRUMENTATION
This section describes core and vessel ins trumentation system. Included are nuclear instrumentation systems and vessel instrumentatio
- n. Refueling interlocks are described in Section 9.1.
7.6.1 Nuclear Instrumentation
7.6.1.1 Design Bases
The nuclear instrumentation is designed to:
[7.6-1]
A. Provide the operator with the inform ation required for optimum, safe operation of the reactor core; and
B. Provide inputs to the reactor protecti on system (RPS) and the rod block circuitry to assure that the local power density, power oscillations and bulk power level do not exceed preset limits.
In order to meet the design requirements, the nuclear instrumentation must:
A. Detect, measure, and indicate neutro n flux from the source range level through the power range level;
B. Annunciate an alarm on component failures; and
C. When reactor power is in the power range:
- 1. Indicate local neutron flux;
- 2. Compute and indicate average reactor power; and
- 3. Detect and suppress core power oscillations.
Specific design requirements are listed for each nuclear instrumentation subsystem.
7.6.1.2 General Description
The nuclear instrumentation uses three types of neutron monitors. The neutron flux level for operation in the region of subcritical to an intermediate flux level at which the reactor is critical is monitored by the source range moni tor (SRM). The intermediate range monitor (IRM) is used from a neutron flux of just above criticality to approximately 10% of full power (refer to Figure 7.6-1). From about 3%
power to full power operation, the local power range monitor (LPRM) is used. The detectors for the SRM and IRM subsystems are
withdrawn from the core during power range op eration. The detectors for the power range are fixed in place. An in-depth report coveri ng the incore neutron monitoring system is documented in topical report APED-5706, Revision 1 (April 1969).
QUAD CITIES - UFSAR Revision 9, October 2007 7.6-2 During operation in the power range, the LPRM signals are used by separate subsystems:
- 1. LPRM flux level is indicated, and a high flux alarm is annunciated if the level reaches a preselected point.
- 2. The average power range monitors (APRMs) average the outputs of selected LPRMs in such a manner that indication of average reactor power is provided.
The APRM generates scram signals on high-high APRM flux level.
- 3. During control rod motion, the average of a set of LPRMs adjacent to the selected control rod is used by the Rod Block Mo nitor (RBM) to limit increases in local power.
- 4. The OPRMs utilize LPRM signals to detect and alarm core power instabilities that have the potential of occurring in th e high power / low flow portion of the operating domain. The OPRMs are desi gned to automatically suppress the detected oscillations prior to exceeding the MCPR safety limit by providing a Reactor Protection system (RPS) trip function.
Figure 7.6-2 presents a block diagram of the various nuclear instrumentation ranges as
they are functionally assembled.
A traversing incore probe (TIP) may be inserted in the core to obtain an axial neutron flux distribution at each LPRM detector location.
The information obtained from the TIP is used to calibrate the LPRM system and to provid e a relative flux distribution for the core to the process computer.
7.6.1.3 Source Range Monitoring Subsystem
7.6.1.3.1 Design Bases
In order to meet the general design requireme nt to provide the nuclear information needed for knowledgeable and efficient reactor startup and low flux level operation, the SRM must:
A. Provide a minimum signal-to-noise ratio of 3:1 and a minimum count rate of 3 cps with all control rods inserted prior to initial power operation. (For the original core, this included the contri bution of neutron-emitting sources - see 7.6.1.3.2);
B. Show a measurable increase in output signal from at least one detector before the neutron flux multiplication exceeds a factor of 2000 during the most limiting startup control rod withdrawal condition; and
C. Provide a signal overlap of at least on e half ( 1/2) decade to the IRM signal with the SRM detectors in the fully-inserted position.
QUAD CITIES - UFSAR Revision 6, October 2001 7.6-2a 7.6.1.3.2 System Description
The SRM subsystem is used to provide the ne cessary information for reactor startup from subcritical to an intermediate flux level and fo r refueling operations. The system consists of four miniature fission chambers which are operated in the pulse counting mode. These detectors have a nominal sensitivity of 2 x 10
^-3^ cps/nv (nv is neutrons per square centimeter per second) and are located radially in the core as shown in Figure 7.6-3. The QUAD CITIES - UFSAR Revision 9, October 2007 7.6-3 detectors are attached to drive mechanisms whic h can position the chambers from the fully-inserted location (approximately core center) to a position approximately 2 feet below the reactor core.
[7.6-2]
The detector drive system consists of a dete ctor drive, a flexible drive shaft, a motor module, and a drive tube for each detector.
The drive is mounted through an adapter to the instrumentation nozzle well below the vessel in a location that does not interfere with the control rod operation and maintenance. The driv e tube is a long hollow tube which acts as a guide. A long, slender shuttle tube is mounted on the upper end of the drive tube. This
combination tube, housing the fission chamber detector assembly, is driven up and down inside the dry tube.
[7.6-3]
A flexible drive shaft transmits power to the gearbox of the detector drive assembly from the motor module located approximately 20 feet away. Four limit switches provide detector position information and also interlock the motor power circuits to establish insert and retract limits.
Seven neutron-emitting antimony-beryllium so urces were located radially within the reactor core as indicated in Figure 7.6-3. Th ese sources were designed to provide at least three cps in each SRM channel with the rea ctor in the cold, xenon-free, fully-shutdown condition prior to initial power operation.
This requirement conti nued to be met during routine reactor operation by reactivation of the radioactive source (Sb-124) through capture of reactor neutrons. These sources have been removed, since photoneutron production is high enough to provide the required ne utron flux without these sources.
The SRM detector assembly consists of a fission chamber attached to a low-loss quartz fiber insulated transmission cable terminated with a connector. The detector cable is connected below the reactor vessel to a triple-shielded cable which carries the detector electrical output to the monitor circuitry. The output of the four SRM detectors is amplified and the signal is conditioned. The resulting signal, proportional to the logarithm of the counts per second occurring in the detector is continuous ly displayed to the reactor operator on log count rate meters. The time derivative of this signal is formed and displayed to the reactor operator on four reactor period meters whic h have an inverse scale and indicate the period in seconds. A recorder is available to the oper ator to allow recording of two of the four log count rate signals by switch selection.
Annunciators are activated under various conditions, for example, short reacto r period or high count rate.
Each of the four SRM channels initiates a rod block (see Section 7.7.) with the mode switch in STARTUP/HOT STANDBY or REFUEL under the following conditions:
A. SRM detectors not fully inserted into the reactor core with the SRM count level below 163 cps (allowable value);
B. SRM count level high, greater than 2.8x 10 5 cps (allowable value); or
C. SRM channel inoperative.
The SRM detector position rod block is actuat ed by a position indicator on the retract mechanism. The SRM channel inoperative rod bloc k is effective whenever the high voltage supply drops below a preset level, one of the channel modules is not plugged in, or the
channel is not in its OPERATE mode. A rod bloc k signal from any one of the four channels prevents rod withdrawal.
QUAD CITIES - UFSAR Revision 6, October 2001 7.6-4 Any one of the four SRM channels may be bypa ssed by operation of a bypass switch on the control panel. An automatic bypass of the SRM channel detector positi on rod block occurs when the count rate is greater than 100 cps.
Reactor startup is begun with the unbypassed SR M chambers fully inserted. Withdrawal of control rods increases the reactivity of the reactor core and hence, the multiplication of source neutrons. Although the removal of a gi ven individual control rod may not show as a measurable increase on all chambers, the approa ch to criticality through distributed control rod withdrawal will be indicated by an appreci able increase in the count rate. Both the log count rate meters and the period meters provid e indication of the approach to criticality, criticality and, with further withdrawal of con trol rods, supercriticality.
After sufficient rod withdrawal to obtain a useful reactor period (on the order of 60 - 90 seconds) the reactor power is allowed to increase exponentially.
The SRM chambers may be withdrawn from the fully-inserted position when the count rate is greater than 100 cps on the chamber to be wi thdrawn. To continue the reactor startup, withdrawal of the SRM detectors must be gradual, maintaining the SRM count levels between the low level (100 cps) and high level (10 5 cps) rod block set points. Each SRM chamber can be withdrawn individually, and it may be stopped at any intermediate point in its travel. Withdrawn SRMs which are selecte d will be automatically inserted on a reactor scram. [7.6-4]
The useful range of the SRM channels is from 10 10 6 cps, which corresponds to a flux range of 10 4 - 5 x 10 8 nv. [7.6-5]
7.6.1.3.3 Design Evaluation
The number and location of the SRM detectors and neutron-emitting sources have been analytically and experimentally determined to be sufficient to result in a count rate of 3 cps with all rods inserted in the cold, xenon-free condition prior to initial power operation.
Verification of conformance to the minimum count rate was made at the time of fuel loading. The sources are not necessary followi ng extended power operation. The detector sensitivity and monitor electronic characte ristics have been chosen to guarantee a minimum signal to noise ratio of 3:1.
The primary safety function of the SRM system is to verify that an adequate neutron flux background exists during an approach to cri ticality. The number of SRM channels was selected to permit positive de tection of an approach to criti cality performed by withdrawing control rods in the region most remote from chambers. In this worst case, the nearest unbypassed SRM channel would show a factor of 1.1 signal increase at the time criticality is achieved.
Since the SRM detectors can be retracted as rea ctor startup is continued, a large overlap of indication is possible during transition from th e SRM to the IRM. Figure 7.6-1 depicts the overlap between the two monitoring subsyste ms. Even with the SRM detectors fully inserted, an overlap of approximately one deca de is provided. The SRM/IRM detector range overlap reduces the uncertainty in the neutron level indication during the transition from the SRM to the IRM. The Technical Specificat ions allow for the verification of SRM and IRM overlap prior to fully withdrawing the SRMs.
[7.6-5a] The detector is designed to function in the en vironment in which it is to be located.
Any SRM component or power supply failure is annunciated. Failure of any SRM channel
during low flux operations with the mode switch in REFUEL or STARTUP/HOT QUAD CITIES - UFSAR 7.6-5 Revision 9, October 2007 STANDBY will initiate a rod block, thus prev enting control rod withdrawal. The bypass switch arrangement permits only one SRM channel to be bypassed, guaranteeing the required detection capability during source range reactor operation.
The SRM detector position rod block assures t hat reactivity insertion will not be made under very low flux level conditions unless the SRM detectors are inserted to the optimum position for flux detection. Ad ministrative controls exist to ensure that at least two SRMs are fully inserted and operable prior to control rod withdrawal for startup.
[7.6-6]
7.6.1.4 Intermediate Range Monitoring Subsystem
7.6.1.4.1 Design Basis
The intermediate range monitoring (IRM) subsystem is designed to:
[7.6-7]
A. Detect and indicate neutron flux le vel in a range between the SRM detection capability and the power range instrume ntation capability (approximately 10 8 - 10 12 nv); and
B. Generate trip signals to prevent fuel damage from a single operator error or a single equipment malfunction.
7.6.1.4.2 System Description
The IRM subsystem is composed of eight miniature fission chambers located radially in the
core as shown in Figure 7.6-4. The figure also shows the assignment of IRM detectors to each RPS logic channel. The assignment is ma de to provide coverage of each quadrant of the reactor core with one detector in each c hannel bypassed. The detectors are attached to drive mechanisms which can position them from the fully-inserted location (approximately core center) to a position approximately 2 f eet below the reactor core. The drive systems are identical to those used in the SRM subsys tem and the detectors are similar, except for the range of measurement. The detectors are not withdrawn from their fully inserted position until the mode switch has been turned to the RUN position. Withdrawn
previously-selected IRMs will be in serted automatically on a scram.
[7.6-8]
The output of each fission chamber is proce ssed through a wide-band amplifier to a voltage variance circuit (Campbelling or root mean square technique)
[1] and a signal conditioner to produce an output which is linearly proportional to the reaction rate in the chamber. This output is provided to a trip unit and is used to drive one channel in one of four recorders.
[7.6-9]
The IRM subsystem can detect flux levels from the upper end of the SRM range to approximately 1.5 x 10 13 nv (34% of full power).
A neutron flux of 5 x 10 7 nv (upper source range) will prov ide a signal of approximately 0.1 full scale on the lowest IRM range.
In order to handle the wide range of IRM dete ction, the IRM equipment is provided with a remote range switch which selects various rang es of attenuation of the detector signal. As QUAD CITIES - UFSAR 7.6-6 the neutron flux level changes during reactor startup, the operator manually up-ranges the IRM.
The IRM subsystem provides trip signals for bo th the RPS and the rod block circuitry; all the trips but one, as described in the followi ng, are effective only with the mode selector switch in the REFUEL or STARTUP/HOT STANDBY positions.
Each IRM detector provides a trip signal to the RPS scram logic circuitry under the following conditions:
A. IRM high-high flux level,
B. IRM channel inoperative, and
C. IRM channel high flux level or inop erative with its companion APRM downscale in the RUN mode.
In order for a scram to occur, a scram trip si gnal must be received in both RPS logic channels. The scram-initiating high-high leve l trips provide automatic shutdown capability for operation from just critical to the lower portion of the power range.
When the reactor mode switch is in REFUEL or STARTUP/HOT STANDBY, the IRM
subsystem provides a rod block signal to the rod block circuitry under the following conditions:
A. IRM high flux level,
B. IRM inoperative,
C. IRM downscale on any range but the lowest, and
D. IRM detectors not fully inserted into the core.
Any one of the eight IRM channels can initiate a rod block.
Any one IRM detector channel in each RPS logic channel may be manually bypassed, making ineffective the scram and rod block asso ciated with that individual IRM channel.
7.6.1.4.3 Design Evaluation
The number and location of the IRM detectors have been analytically and experimentally determined to provide sufficient intermediate range flux level information under the worst permitted bypass and chamber failure conditions. Figure 7.6-1 shows the range capability of the IRM channels. The ability of the monitor output to provide an accurate
measurement of the detector reaction rate over the flux range of interest has been verified by experimentation with the root mean square technique
[1]. Intermediate range monitor channel redundancy includes a margin which allo ws for component failure, and also allows continued reactor operation with one IRM bypa ssed in each RPS logic channel. The scaling arrangement in the IRM subsystem assures that for all unbypassed IRM channels, the
scram and rod block trips are no more than a fa ctor of 10 above the IRM level at that time. This assures that, should scram or rod block action be needed due to rapid or unintentional
neutron flux increases, the trip signal will be generated before the flux QUAD CITIES - UFSAR 7.6-7 increases by a factor greater than 10, thus prov iding a conservative margin to fuel damage.
A range of rod withdrawal accidents has been analyzed. The most severe case involves all initial conditions in which the reactor is just subcritical and the IRM subsystem is not yet onscale. This condition exists at the thr ee-quarter rod density illustrated in Figure 7.6-5 (rod density is the total notches inserted in th e core divided by the number of notches which would be inserted when all rods are fully in serted). Full withdrawal of the control rod indicated will result in the power distribution in dicated in Figure 7.6-6; it should be noted that this is an out of sequence rod which wo uld normally be blocked by the rod worth minimizer (see Section 7.7). Figure 7.6-5 indi cates the location of rod withdrawn and the distance to the IRM chambers in the two RP S logic channels which will initiate a scram with the IRM channels nearest to the withdrawn rod bypassed.
[7.6-10]
Comparison of the power distribution shown in Figure 7.6-6 indicates that the ratio of the resultant neutron flux at the farthest dete ctor to the neutron flux peak is 2.2 x 10
-4. Because the trip of the IRM channel associated with this detector is set to operate at a flux of less than 6 x 10 8 nv (rod blocked if not set on proper range) the flux in the power peak is less than 2.7 x 10 12 nv. At this flux level, the power at the peak is limited to 7.7% of rated average power; hence, it will be within therma l limits, even if the recirculation pumps are shut down.
[7.6-11]
The overlap between the IRM and the power r ange monitoring subsystem is sufficient to guarantee a safe transition between the instru mentation ranges (Figure 7.6-1). Overlap between the SRM and IRM ranges is discussed in Section 7.6.1.3.
The IRM detector position rod bl ock is effective during period s of reactor operation when the IRM is required for flux level indication.
The IRM detectors are chosen with characterist ics which permit reliable performance in the reactor environment.
IRM failures are annunciated, and during low flux level reactor operation, result in a RPS single logic channel trip and rod block. Thus, fu rther insertion of reactivity is prevented, and a reactor scram would be initiated by any condition resulting in a trip of the other RPS logic channel.
7.6.1.5 Power Range Monitoring Subsystem
7.6.1.5.1 Local Power Range Monitoring Subsystem
7.6.1.5.1.1 Design Basis
In order for the power range monitoring subsystem to meet the general design requirements for power range flux monitoring and to prevent excessive local and bulk power densities, the local power range monitoring (LPRM) subsystem must:
A. Continuously monitor over its design range the local neutron flux, and alarm on excessive conditions; QUAD CITIES - UFSAR Revision 7, January 2003 7.6-8 B. Permit evaluation of the critical co re parameters (fuel thermal limits) to an accuracy consistent with core de sign and established limits; and
C. Permit demonstration of compliance wi th the critical core parameters (critical power ratio) with a speed and ease cons istent with efficient operation of the plant.
7.6.1.5.1.2 System Description
The LPRM subsystem output signals are used to demonstrate that the core is operating within the established limits on peak powe r density and minimum critical power ratio (MCPR). This system provides the info rmation needed for evaluating the detailed characteristics of the power distribution or for other technical evaluations. The LPRM subsystem provides input to the average po wer range monitoring (APRM) subsystem, Oscillation Power Range Monitoring (OPRM) subsystem and rod block monitor (RBM) subsystem which are described below.
[7.6-12]
The LPRM subsystem, which uses dc measuremen t techniques, consists of miniature fission chambers located within the reactor core, ele ctronic signal conditioni ng equipment located in the control room, and a TIP calibration system.
Each LPRM has a high neutron flux level alarm and a common annunciator located on the control board.
Figures 7.6-7 and 7.6-8 indicate the core loca tion of the LPRM strings. Each LPRM string consists of four miniature fission chambers wh ich are spaced vertically at 3-foot intervals.
The top and bottom chambers are located 1.5 feet from the core boundaries, thereby providing uniform core coverage in the axial dire ction. Also included in each detector string is a calibration tube which accepts the TIP us ed to measure the axial flux distribution and calibrate the LPRM subsystem (see Figure 7.6-8).
Figure 7.6-9 illustrates that, due to the equiva lence of locations resulting from symmetry, the LPRM subsystem monitors all unique location s within the central region of the core when the core is operated with quadr ant symmetric control rod patterns.
The LPRM flux amplifiers are calibrated using data from the TIP calibration system, heat
balance data and some analytical data. The basic process involves:
A. Running the TIP system and accumulating axial profile data;
B. Normalizing the axial profile data;
C. Determining for each detector elevat ion the average nodal heat flux in four adjacent fuel nodes at detector elevations; and
D. Adjusting flux amplifiers until meter readings are proportional to heat flux.
These calculations are performed using the pr ocess computer (see Section 7.5.2). When calibrated, the LPRM signals are proportional to the average nodal power in the four adjacent fuel nodes at the detector elevation.
The LPRM amplifier signals adjacent to a control rod selected are displaye d to the reactor operator on 16 centrally-located meters on the 901(2)-5 panel. This directs the attention of the operator to the local power level prior QUAD CITIES - UFSAR 7.6-9 to and during rod motion. These signals are also used by the RBM. When rods near the core periphery are selected, two or three dete ctor strings may be used. When rods on the core periphery are selected, the RBM system is bypassed. In both previous cases, the readings are zeroed on the corresponding unused meters. The operator may view any desired region of the core by selecting of the control rod in the area of interest. A selected set of LPRM signals is used as an input to each of the six APRM channels.
[7.6-12a]
7.6.1.5.1.3 Design Evaluation
The number and location of LPRM detectors pr ovides the capability of determining local heat flux in all unique locations in the central region of the core. Although each unique
location in each core quadrant is not spec ifically monitored, the quadrant symmetry (illustrated in Figure 7.6-9) effectively provid es knowledge of the flux level throughout the core. [7.6-13]
The previously described method of calibration using the TIP provides a method of
correlating LPRM measurements with local thermal conditions; thus, the LPRM
measurements are a valid representation of local thermal conditions.
Each individual LPRM channel will annunciate an alarm upon detection of a flux level
exceeding a preset limit. Thus the operator receives warning of local high or low flux conditions or LPRM component failure.
The LPRM detectors are selected with characte ristics which guarantee reliable operation in the reactor environment; reactor temperatur e, pressure, neutron and gamma flux, and detector electrical requireme nts were considered in detector selection.
The use of the LPRM signals in the RBM provid es a positive assurance that local thermal peaks which could cause fuel damage will be prevented.
7.6.1.5.2 Average Power Range Monitoring Subsystem
7.6.1.5.2.1 Design Basis
The APRM subsystem must continuously indicate core average flux level and initiate trips to prevent excessive average power density.
In order to fulfill its design requirement, the APRM subsystem must:
A. Initiate trip signals which scram th e reactor automatically before the neutron flux level exceeds specified values;
B. Initiate a rod block trip signal, ther eby preventing core average power increases to excessive levels with re duced recirculation flow (the rod block trip setpoint will be lower than the scram setpoint);
C. Provide a continuous indication and record of the bulk thermal power of the reactor in the power range; QUAD CITIES - UFSAR 7.6-10 D. During the worst permitted bypass and chamber failure conditions, generate a scram signal during neutron flux leve l transients before fuel damage has occurred; and
E. Continue to perform its function fo llowing any single component failure within the subsystem. In order that the APRM satisfy this requirement, there must be two operable APRMs in each RPS logic channel. In a practical sense, this
requirement results in three APRM channe ls for each bus to permit bypassing for calibration and maintenance during operation.
7.6.1.5.2.2 System Description
The APRM subsystem consists of electronic e quipment which averages the output signals from selected groups of LPRM flux amplifiers. Figures 7.6-10 and 7.6-11 illustrate the
APRM subsystem for the reactor. As shown on these figures, the system consists of six channels. Each of these channels averages th e output signals from either 20 or 21 LPRM flux amplifiers.
Three of the APRM channels provide trip inputs to one RPS logic channel, and the other
three APRM channels feed the other logic channel (see Section 7.2).
Each APRM channel provides a scram trip sig nal to RPS and a rod block trip under the following conditions:
[7.6-14]
A. High neutron flux (flow referenced and fixed level) (rod block only),
B. High-high neutron flux (flow refe renced and fixed level) (scram only),
C. APRM channel inoperative,
D. APRM channel reading downscale with the mode switch in RUN. (rod block only). (Refer to 7.2 and 7.7 for a further description of mode switch interlocks).
In order for a scram to occur, a scram trip si gnal must be received by both RPS logic channels. Any one of the six APRM channels can initiate a rod block.
Switches located on the main control panel re actor console allow the operator to bypass the trips from one of the APRM channels in each of the RPS logic channels; the bypass is
effective for both the scram and rod block trip signals.
The rod block set point is automatically varied with recirculation flow (with mode switch in RUN) as shown in Figure 7.6-12. The slope of the trip vs. flow relationship is determined
by the characteristic bulk power vs. flow rela tionship of the reactor which was determined experimentally. The absolute magnitude of the trip set point was established to prevent
operation significantly above the flow control characteristic that includes the point 100%
flow and 100% power.
The APRM channel output signals are continuous ly displayed on recorders located on the control board. The output signals are adjust ed so that the meter deflections indicate percent of rated bulk thermal power. Bulk th ermal power is determined using heat balance techniques. Adjustment of the APRM channel readings is not possible from the QUAD CITIES - UFSAR Revision 6, October 2001 7.6-11 control board and does not affect the output signals of the LPRM amplifiers which are averaged in the APRM channel.
If an LPRM used to provide input to an AP RM channel fails, the operator can manually bypass this invalid input. The APRM channel th en properly averages the inputs from the remaining LPRM channels. If the number of bypassed LPRMs used as inputs to an APRM
channel exceeds a preset number, the APRM in strument inoperative alarm is actuated.
This feature assures that the APRM system w ill adequately perform its safety function of terminating average neutron flux level transient s through scram initiation. In addition to the automatic input monitoring, administrative controls require at least 50% of all LPRMs and at least 2 LPRMs per level for an APRM to be operable. The "too-few" input alarm feature also automatically provides a high de gree of assurance that the APRM system will be capable of preventing fuel damage due to rod withdrawal errors.
The readout equipment for the APRM system is located in the control room. The APRM outputs are displayed on continuous recorders shared with the IRM channels. Also located on the control board are the bypass switches described previously. Outputs from the reactor recirculation flow sensors are used to provide the reference flow information.
Amplifiers are used to average the signals from the LPRM detectors in each of the six
APRM channels. Other equipment is used to automatically vary the upscale rod block and scram trip points with recirculation pump drive flow (which is indicative of bulk core flow) as necessary to meet the design criteria. This equipment is located in the control room.
The flow-dependent bias which determines trip le vel is subject to both positive and negative errors originating in the flow monitoring e quipment. However, the equipment limits the trip bias so that the trip level can never exc eed the intended level for 100% flow regardless of the magnitude of positive errors in flow si gnal. Negative errors are in the conservative direction.
7.6.1.5.2.3 Design Evaluation
As shown in Figures 7.6-10 and 7.6-11, the LPRM inputs to the APRM channels provide a
wide sampling of local flux levels on which to base an average power level measurement.
The fact that three APRM channels are provided for each RPS logic channel assures that at least two independent average power measur ements will be available under the worst permitted bypass or failure conditions.
The six APRM channels provide continuous indications of core average power level based on different samplings of local flux levels. The APRM provides valid average power measurem ents during typical rod or flow induced power level maneuvering as shown by Figures 7.6-13 and 7.6-14, which are the results of
analysis.
Using a plant heat balance technique, the APRM measurements are calculated such that indications are within +
2% of the thermal power when the power level is greater than or equal to 25 percent of rated; this calibration is maintained by procedure.
The effectiveness of the APRM high flux scram signals in preventing fuel damage following a single component failure or a single operational error is evaluated in each section of this report where system failures are analyzed. In all such failures, no fuel damage occurs.
Since only two APRM channels in each RP S logic channel are required for effective detection of bulk power level transients, the sa me effectiveness is attained even under the worst permitted bypass conditions.
QUAD CITIES - UFSAR 7.6-12 The APRM rod block setpoint is set lower than the scram setpoint; thus, reactivity additions due to rod withdrawal errors are te rminated well before fuel damage limits are approached.
The APRM component failures which result in upscale, downscale, or instrument
inoperative conditions are annunciated. Th e reduction of LPRM inputs for any APRM channel below a preset number gives an alarm, rod block, and a logic channel trip. These features warn of loss of APRM capability.
7.6.1.5.3 Rod Block Monitor
7.6.1.5.3.1 Design Basis
The RBM is designed to initiate a rod bloc k under the worst permitted bypass and chamber failure conditions to prevent local fuel damage during the worst single rod withdrawal error starting from any permitted power and flow condition.
7.6.1.5.3.2 System Description
The system uses the signals from the LPRM s trings adjacent to the selected control rod (Figure 7.6-15) and the recirculation flow sensor
- s. The signals from the A and C levels are averaged in one channel and the signals from the B and D levels are used in the second channel. The RBM output is automatically adjust ed upon rod selection so that its output is equal to the reading of a preselected APRM c hannel. This gain setting is held until a new control rod is selected. An in-depth descriptio n of the RBM system is given in topical report APED 5706, "In-Core Neutron Monitoring System for General Electric Boiling Water Reactors," Revision 1, April 1969.
Two RBM channels are provided; either c hannel, independently, will prevent rod withdrawal under the following conditions:
A. High neutron flux (flow referenced);
B. One of the two channels inoperative; and
C. Channel reading downscale with the mode switch in RUN.
One of the two RBM channels may be manually bypassed.
The RBM trip setpoint varies linearly with recirculation flow as does the APRM rod block setpoint, with a value that may be adjusted (Figure 7.6-16). However, the 100% flow intercept depends on the power-flow characteri stic along which the reactor is operating.
For the exact setpoints see the current core op erating limits report. The function of the system is to alert the operator that the lo cal power has increased by an indicated amount and require that the operator consider this c hange before proceeding to the next level. For power increases, the block must be manually rese t by the actuation of a single switch. For power decreases, the trip is re set to the lower level automatically. The RBM is bypassed below 30%.
[7.6-15]
QUAD CITIES - UFSAR Revision 10, October 2009 7.6-13 7.6.1.5.3.3 Design Evaluation
Since the RBM utilizes the signals for the LPRMs, it is capable of determining the approach
of local thermal flux conditions which could resu lt in local fuel damage. The fact that either RBM channel can, independently, initiate a rod block, provides assurance that a rod withdrawal error will be terminated even with one RBM channel bypassed.
[7.6-16]
The effectiveness of the RBM to prevent local fuel damage as a result of a single rod withdrawal error has been analytically determin ed on a fuel cycle specific basis. Results from cycle specific analyses determine the appr opriate RBM setpoint needed to assure the design basis function. Depending on the cycl e specific analysis results, rod withdrawal error events may achieve acceptable results with no control rod blocking by the RBM. For these specific cycles, the RBM setpoint as des cribed in the core operating limits report, is raised such that an APRM rod block will occur prior to the high trip RBM rod block. The initial condition is conservatively defined su ch that the reactor is operating at maximum permitted power with MCPR and peak power density at the steady-state limits in a region adjacent to a fully-inserted con trol rod; no credit is taken fo r the action of the rod worth minimizer (see Section 7.7). The response of the least responsive RBM channel is
calculated as a function of rod withdrawal di stance. The MCPR and peak power density are also calculated as a function of rod position.
[7.6-17]
7.6.1.5.4 Traversing Incore Probe
The TIP system includes five TIP machines, each of which has the following components:
[7.6-18]
A. One traversing incore probe,
B. One cable drive mechanism,
C. One 10-position indexing mechanism, and
D. Nine guide tubes (one to a common core location).
The system allows calibration of LPRM signal s by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. For beginning of cycle startup testing, all TIP machines are re quired to be operable for the first TIP set /
LPRM calibration. TIP set design basis info rmation is addressed in Section 7.6.3, Reference 3. The guide tubes inside the reacto r are divided into groups. Each group has its own associated TIP machine.
A TIP machine uses a fission chamber attached to a flexible drive cable, which is driven
from its lead shielded storage chamber outsid e the primary containment by a pinion gear box assembly. The flexible cable is contained by guide tubes that continue into the reactor core. The guide tubes are specially prepared to provide a durable, low-friction surface and are a part of the LPRM detector assembly. The indexing mechanism allows the use of a
single detector in any one of the nine different tube paths. A tenth tube is available as a spare. The Unit 1 control system includes five Auto mated TIP Control Units (ATCUs) that provide both manual and automatic operation. The TI P signals are amplified and displayed on the ATCU screens. The ATCUs provide the TIP sc an data to the process computer. A single ATCU can be set as a master ATCU to initiate a full TIP set scan.
QUAD CITIES - UFSAR Revision 10, October 2009 7.6-14 The Unit 2 control system includes five Dr ive Control Units (DCUs) that provide both manual and semiautomatic operation. The TI P signals are amplified and displayed on a meter and input via the DCUs to the process co mputer. Core position versus neutron flux is recorded on an x-y plotter.
For Unit 1, the cable drive mechanism contains the drive motor, the cable takeup reel, and a position encoder to provide position indica tion to the ATCU for positioning the TIP at specific locations along the guide tube. For Unit 2, the cable drive mechanism contains the drive motor, the cable takeup reel, and analog probe position indicator for the recorder, and a counter to provide digital pulses to the co ntrol unit for positioning the TIP at specific locations along the guide tube.
The cable drive mechanism inserts and withdr aws the TIP and its cable from the reactor and provides detector position indication sig nals. The drive mechanism consists of a motor and drive gear box which drives the cable in the manner of a rack and pinion. A two-speed motor provides a high speed for insertion and withdrawal and a low speed for scanning the reactor core.
For Unit 1, the encoder is driven directly from the output shaft of the cable drive motor.
The encoder and a flux amplifier output are used to plot neutron flux versus incore position of the TIP. The ATCU utilizes the position encoder data to position the TIP in the guide tube with a linear position accuracy of plus-or-minus one inch. The ATCU can control TIP positions at the top of the core, for initiation of scan, and at the bottom of the core, for changing to fast withdrawal speed.
For Unit 2, the analog position indicator and the counter (digital) are also driven directly from the output shaft of the cable drive mo tor. The analog position signal from a potentiometer and a flux amplifier output are used to plot neutron flux versus incore position of the TIP. The DCU control logic utiliz es the digital counter output to position the TIP in the guide tube with a linear position accuracy of plus-or-minus one inch. The DCU can control TIP positions at the top of the core , for initiation of scan, and at the bottom of the core, for changing to fast withdrawal speed.
A position limit switch provides an electrical interlock release when the probe is withdrawn clear of the indexing mechanism to allow the TIP to be indexed to the next guide tube location. The limit switch is actuated when the end of the TIP passes a switch in the guide
tube in use. The cable drive motor includes an ac voltage-operated brake to prevent coasting of the TIP after a desire d incore position is reached.
Each 10-position indexing mechanism function s as a circular transfer machine with nine usable indexing points. Eight of these location s are for the guide tubes associated with that particular TIP machine. The final location is for the guide tube common to all the TIP
machines. Indexing to a particular tube loca tion is accomplished manually at the control panel by means of a position selector swi tch which energizes the electrically-actuated rotating mechanism. The tube transfer mec hanism is part of the indexing mechanism and consists of a fixed circular plate containing 10 holes on the reactor side of the primary containment which mates to a rotating single-h ole plate. The rotating plate aligns and mechanically locks with each fixed hole positi on in succession. The indexing mechanism is actuated by a motor-operated rotating drive.
Electrical interlocks prevent the indexing mechanism from changing positions until the probe cable has been completely retracted
beyond the transfer point. Additional electri cal interlocks prevent the cable drive motor from moving the cable until the transfer mec hanism has indexed to the preselected guide tube location.
QUAD CITIES - UFSAR Revision 10, October 2009 7.6-15 A valve system is provided with a valve on each guide tube entering the primary containment. These valves are closed except when the TIP system is in operation. A ball valve, manual valve and a cable-shearing va lve are mounted in the guide tubing just outside of the primary containment. A valve is also provided for gas purge line to the indexing mechanisms. A guide tube ball valve opens only when the TIP is being inserted.
The shear valve is used only if a containment isolation occurs when the TIP is beyond the
ball valve and cannot be withdrawn. The shear valve, which is controlled by a manually-operated keylock switch, can cut the cable and close off the guide tube. The shear valves are actuated by detonation squibs. The conti nuity of the squib circuit is monitored by indicator lights in the control room. An additional manual ball valve is installed between
the automatic ball valve and the drywell penetration.
The guide tube ball valve is normally de-energized and in the closed position. When the TIP starts forward the valve is energized and opens. As it opens it actuates a set of contacts which gives a signal light indicati on at the TIP control panel and bypasses an inhibit limit which automatically stops TIP mo tion if the ball valve does not open on command. A Group II containment isolation sig nal initiates TIP drive withdrawal. Once the probe is retracted to the IN SHIELD position, then the ball valve will close. Ball valve position is displayed in the control room and loss of power to the shear valve circuitry and the actuation of any shear valve are both annunciated.
[7.6-19] The entire TIP system including its controls is not safety-related, except for the tubing and valves on the outside of each primary containment penetration, which are mechanically safety-related through the outermost valve.
The TIP tubing does not directly communicate with the reactor vessel or the containment air space. Thus the TIP system response to a PCIS Group 2 initiation does not require a safety system design. Refer to Section 6.2.4.5 for a detailed discussion of the TIP system response to a containment isolation.
7.6.1.5.5 Oscillation Power Range Monitoring (OPRM) Subsystem
The Oscillation Power Range Monitoring (O PRM) subsystem is a microprocessor-based monitoring and protection system, which will:
- detect a thermal-hydraulic instability,
- provide an alarm on detection of an oscillation (based on period based algorithm only), and
- initiate an Automatic Suppression Function (ASF) trip to suppress an oscillation prior to exceeding fuel safety limits.
The subsystem design, technical details, equipment qualification, and validation are
discussed in Reference 4. The NRC has accept ed the above reference and has also issued a safety evaluation report (Reference 5).
7.6.1.5.5.1 Design Basis
7.6.1.5.5.1.1 Safety Design Bases
Boiling water reactor cores may exhibit thermal-hydraulic instabilities in certain portions of the core power and flow operating doma in. General Design Criterion 10 (GDC 10) requires that the reactor core be designed with appropriate margin to assure that acceptable fuel design limits will not be exceed ed during any condition of normal operation including the effects of anticipated operat ional occurrences. GDC 12 requires assurance that power oscillations which can result in conditions exceeding specified acceptable fuel QUAD CITIES - UFSAR Revision 10, October 2009 7.6-15a design limits are either not possible or can be reliably and readily detected and suppressed.
The OPRM is provided to meet the require ments of these GDCs by adding a detect and suppress feature to the Reactor Protection System.
7.6.1.5.5.1.2 Power Generation Design Bases
The power generation design basis of OPRM co nsists of assuring that spurious scrams do not occur. This objective is accomplished in part by establishing an exclusion region, as discussed below in Section 7.6.1.5.5.2, where the thermal-hydraulic oscillations are not
postulated to occur.
7.6.1.5.5.2 System Description
Detailed description of OPRM subsystem design and physical arrangements are provided in the Generic Topical Report (Reference 4).
Basic and station specific information is summarized here.
The OPRM subsystem consists of 4 OPRM trip channels, each channel consisting of two OPRM modules. Each OPRM module receives input from a group of LPRMs combined into localized monitoring cells. It also receives input from the Average Power Range Monitor (APRM) power and Reactor Recirculation flow signals to automatically enable the trip function of the OPRM module. A block diagram showing the relationship of OPRM with
other nuclear instrumentation is shown in Fi gure 7.6-2. A block diagram showing the OPRM subsystem interconnections is shown in Figure 7.6-17.
The OPRMs are capable of detecting thermal-hy draulic instabilities within the reactor core.
The OPRMs are designed to provide an al arm and initiate an automatic suppression function (ASF) trip to suppress oscillations prio r to exceeding the MCPR safety limit. The OPRMs are auto enabled at the specified rea ctor recirculation flow and reactor power setpoints. The ASF outputs initiate an ASF trip through the RPS based on the existing plant trip logic and configuration. The OP RM System provides annunciator windows, SER messages and indicating lights for pre-trip cond itions and other alarm functions such as Trip, Alarm, Trouble, Inop, Bypass and Trip E nabled to be displayed in the Main Control Room (MCR).
Each OPRM subassembly includes a signal processing module, Automatic Suppression Function (ASF) Trip Relay Assembly, OPRM Annunciator Relay Assembly, two Digital Isolation Blocks (DIBs) and Enable and Bypass Selector Switches.
The OPRM trip circuits may be bypassed by a selector switch. The bypass is accomplished through hardwired bypass of ASF trip relay cont act by a selector switch actuated auxiliary relay contact and through actuation of OPRM logic circuits and software. The bypass condition of the OPRM module is indicated by the sequence of events monitor and by indicating lights. The OPRMs may be manua lly enabled by a selector switch for any recirculation flow and reactor power levels.
A. Modes of Operation
The OPRM has two modes of operation, oper ate and test. In the operate mode, it performs all of its normal trip and alarm f unctions as well as broadcasting status information to fiber optic output ports. The test mode is utilized for test, calibration, setpoint adjustment and downloading of the event buffer. In the test mode, the
OPRM's trip output is bypassed and the OPRM module is considered inoperable.
QUAD CITIES - UFSAR Revision 10, October 2009 7.6-15b Entry into the test mode is controlled by a key switch and is annunciated in the control room.
B. Event Buffer
When a trip occurs, data immediately prior to and following the trip is captured in an event buffer. This buffer may be download ed to aid in the analysis of the trip.
The event buffer can also be captured and downloaded at any time for non-trip analysis by placing the OPRM in the test mode.
C. Maintenance Terminal
A portable maintenance terminal is utilized for system testing, calibration, and data
collection. It is connected to the OPRM via fiber optic cables. This maintains isolation between the safety related OPRM and the non-safety related maintenance terminal.
With the OPRM in its operate mode, the maintenance terminal may only be used to
collect data, which is broadcast by the OPRM at fixed intervals. Communications in this mode are one way, namely OPRM to maintenance terminal, via the fiber optic connections. The OPRM will not respond to commands from the maintenance
terminal when in the operate mode. Thus, the maintenance terminal cannot affect
OPRM operation.
In the OPRM test mode, bi-directional, fiber optic communications are established between the OPRM and its maintenance terminal. In this mode, commands may be
seen from the maintenance terminal to the OPRM to perform such actions as
altering the OPRM configuration and setpoi nts, downloading event buffers and error logs, and testing various OPRM functions.
Additional conventional test cables may be connected between the maintenance termi nal and a test port on the OPRM to provide simulated analog signals for use in calibration and testing. To access this
test port, a shorting plug must be remove d from the OPRM. Removal of the shorting plug causes the OPRM module to become inoperable and is annunciated in the
control room.
D. Power Supply
Power supplies for the OPRMs are the same as those for the APRM and LPRM
Group channels. These power supplies pr ovide the required voltage sources for OPRM signal processing modules, DI Bs, ASF Trip Relay Assemblies, OPRM Annunciator Relay Assemblies, the new flow units, analog isolators and the existing APRM, RBM and LPRM channels.
E. Physical Arrangement The OPRM signal processing modules are installed in APRM and LPRM Pages of the Power Range Neutron Monitoring Syst em (PRNMS) Panel (see Figure 7.6-17).
Selector switches required for the manual enable functions are installed in the PRNMS panel. Bypass selector switches are installed in the 901(2)-5 panel.
Indicating lights for the enable and bypass functions are installed in the 901(2)-5
panel. Automatic Suppression Function (ASF) Trip Relay Assemblies, OPRM Annunciator Relay Assemblies, Analog Isolators, Digital Isolation Blocks, and
manual enable switches are installed in the PRNMS Panel.
QUAD CITIES - UFSAR Revision 9, October 2007 7.6-15c F. Exclusion Region The OPRM is required to be operable in order to detect and suppress neutron flux oscillations in the event of thermal-hydraulic instability. As described in Reference 4, the region of anticipated oscillation is defined by reactor thermal power (RTP) 30% and core flow <60% of rated core flow. The station specific region of anticipated oscillation is defined by RTP 25% and core flow <60% of rated core flow to reflect changes in rated output fo llowing extended power uprate (EPU) implementation. It is not necessary fo r the OPRM to be operable with reactor thermal power <25%.
G. Algorithm Reference 4 describes three separate al gorithms for detecting stability related oscillations: the period based detection algorithm, the amplitude based algorithm, and the growth rate algorithm. The OPRM System hardware implements these algorithms in microprocessor-based modules.
These modules execute the algorithms based on LPRM inputs and generate alarms and trips based on these calculations.
These trips result in tripping the Rea ctor Protection System (RPS) when the appropriate RPS trip logic is satisfied. On ly the period based detection algorithm is used in the safety analysis. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations.
H. Trip Function The OPRMs are designed to provide an alarm (based on period-based algorithm only) and initiate an automatic suppression function (ASF) trip to suppress oscillations prior to exceeding the MCPR safety limit. The OPRMs are auto enabled at the specified reactor recirculation flow and reactor power setpoints. The OPRM initiates an ASF trip through the RPS based on the existing plant trip logic and configuration. The OPRMs provide alarm for pre-trip conditions and other alarm functions such as Trouble, Inop, and Trip Enabled to be displayed in the main control room. Table 7.6-1 lists the OPRM trip functions and setpoints.
I. Alternate Backup Method At times when OPRM channels may be inoper able, and until they can be restored to operable status, an alternate method of de tecting and suppressing thermal hydraulic instability oscillations can be used. This al ternate method is described in Reference
- 6. It consists of increased operator awareness and monitoring for neutron flux oscillations when operating in the region where oscillations are possible. If indications of oscillation, as described in Reference 6, are observed by the operator, the operator will take the actions described by procedures, which include initiating a manual scram of the reactor.
J. Component Qualification Considerations The OPRM devices are designated Class 1E , Seismic Category I and are qualified to the applicable portions of IEEE-381 and IEEE-344.
QUAD CITIES - UFSAR Revision 9, October 2007 7.6-15d K. Single Failure Considerations Since the OPRMs perform a protective fun ction, they are required to withstand a single failure. To ensure acceptable defe nse against single random failures, the combination of architecture, wiring practice s and use of isolation devices is applied to provide required redundancy, isolation and physical independence.
There is an OPRM channel associated with each of the four RPS trip system divisions. OPRMs in each RPS division are electrically isolated and physically separated from OPRMs in other RPS divisions. Within each OPRM channel there are two OPRM modules. The use of two OPRM modules per channel provides redundancy against an OPRM hardware failure in the same channel. The redundant OPRM modules in the same RPS division share the same Class 1E power supplies as those used by the safety-related APRM modules in that RPS division.
However, each OPRM module is electrically isolated from the companion module in the same channel.
Common software failures do not lend the mselves well to single failure analyses.
System reliability and safety requirements are examined in the description of the software design process and quality assu rance considerations as discussed in Reference 4.
L. Redundancy, Diversity, and Separation Since the OPRM's operation is based on interface with PRNMS and RPS, the redundancy, diversity and separation requirements are the same as the requirements for these systems. The LPRM analog signals, which are locally wired, are provided to OPRMs with the same red undancy and separation as provided to the APRMs and LPRM groups. However, unlike the APRM logic where the output of APRMs 3 and 4 is shared between two different RPS divisions, there is a sufficient number of OPRMs such that the outputs of two OPRMs are assigned to the trip logic of a single RPS division. This configur ation provides the required redundancy and maintains channel separation requirements. The assignment of OPRMs and existing APRMs for each RPS division is as follows:
RPS Division OPRM APRM A1 1,3 1,3 A2 2,7 2,3 B1 5,8 4,5 B2 4,6 4,6 7.6.1.5.5.3 Design Evaluation The OPRM subsystem is designed to alarm when a stability-related thermal-hydraulic oscillation is detected (based on period-based algorithm only), and to initiate an ASF trip when the oscillations are large enough to threat en fuel safety limits. The system settings assure adequate trip sensitivity while providin g adequate margin to avoid inadvertent trips and spurious alarms. The OPRM system fun ctions meet the requirements of GDC 12, and hence, acceptably address the related requi rements of GDC 10 for ensuring reactor QUAD CITIES - UFSAR Revision 9, January 2007 7.6-15e safety in the event of power instabilities.
The OPRM software development methodology is consistent with the guidance provided in Re gulatory Guide 1.152, which endorses IEEE Std 7-4.3.2-1993 for ensuring software quality. The OPRM design assures high reliability as it is governed by Quality Assurance requireme nts and applicable industry standards. The system performs self-health tests on a continuous basis.
Reference 6 describes the licensing basis and methodology that demonstrates the adequacy of the hardware and software to meet the functional requirements.
7.6.2 Reactor Vessel Instrumentation
The following section describes instrumentation associated with the reactor pressure vessel.
This includes those instruments which measur e vessel water level, reactor pressure, vessel metal temperature, and head flange leakage.
7.6.2.1 Design Bases and Design Features
A. Design Bases
The reactor vessel instrumentation is desi gned to fulfill a number of requirements pertaining to the vessel itself or the re actor core. The instrumentation must:
[7.6-20a]
- 1. Provide the operator with sufficient information in the control room to protect the vessel from undue stresses;
- 2. Provide information which can be used to assure that the reactor core remains covered with water and that th e separators are not flooded;
- 3. Provide redundant, reliable inputs to the reactor protection system to shut the reactor down when fuel damage limits are approached; and
- 4. Provide a method of detecting leak age from the reactor vessel head flange.
B. Design Features
- 1. Provide inputs to ECCS and ATWS to assure initiating and interlocking signals occur as required; and
- 2. Provide signals to operate the reactor relief valves.
QUAD CITIES - UFSAR Revision 7, January 2003 7.6-16 7.6.2.2 Description
The reactor vessel instrumentation system pr ovides sensing, indication and alarms of various reactor parameters to the operators and inputs these signals to various control and protective systems. For details of reacto r vessel instrumentation refer to P&IDs M-35, Sheet 1; M-35, Sheet 2; M-35, Sheet 3; M-77, Sheet 1; M-77, Sheet 2; and M-77, Sheet 3.
The parameters monitored by this instrument ation system and addressed in this section are:
A. Reactor vessel temperature,
B. Reactor vessel pressure,
C. Reactor vessel level,
D. Reactor feedwater flow,
E. Reactor steam flow, and
F. Reactor vessel flange leak detection.
The instruments described in the section may have, depending on their functions, various classifications. The classification of all ins truments are listed in the station's work control system data base. Those instruments designated as post-accident monitors are described in Section 7.5.
7.6.2.2.1 Reactor Vessel Temperature
Thermocouples are attached to the reactor ve ssel to measure the temperature at a number of points. These points were chosen to prov ide data representative of thick, thin, and transitional sections of the vessel. The data obtained from this instrumentation provides
the basis for controlling the rate of heating or cooling the vessel so that the stress set up between sections of the reactor vessel is held within allowable limits. The stress is
computed from the temperature difference betw een the various points. The temperatures of the various vessel locations are recorded on a multipoint recorder. The thermocouples are copper constantan, insulated with braided gla ss, and clad with stainless steel. They are positioned under pads attached to the reactor vessel.
[7.6-21]
7.6.2.2.2 Reactor Vessel Pressure
Reactor vessel pressure is both indicated and recorded in the control room and is indicated in the plant at two separate instrument racks on the mezzanine floor of the reactor
building. Additionally, reactor pressure is mo nitored to provide control signals for the RPS high pressure trip, the core spray and low pr essure coolant injection (LPCI) low pressure emergency core cooling system (ECCS) injecti on permissive and LPCI loop select logic, automatic relief valve operatio n, and anticipated transient without scram (ATWS) system operation.
[7.6-22]
QUAD CITIES - UFSAR Revision 7, January 2003 7.6-17 The reactor pressure inputs to the RPS are from pressure transmitters/analog trip units.
The pressure is tapped off the vessel through two sensor lines on opposite sides of the reactor vessel. The sensor lines are extended outside the drywell to separate instrument racks. The pressure sensors are grouped on the two independent sensing lines so that a
single event will not jeopardize the ability of the RPS to initiate a scram.
Core spray and LPCI reactor vessel low pre ssure ECCS injection permissive pressure switches and ATWS pressure transmitters are grouped into separate divisions and connected to the same two sensing lines used for the RPS pressure sensors. The ATWS pressure transmitters are mounted locally on the reactor building mezzanine floor.
Two additional separate instrument lines, attach ed to the same taps on opposite sides of the reactor vessel, are also extended outside the drywell to separate instrument racks.
These lines are used for the separate division s of the LPCI loop select logic and for control room indication.
A. Automatic relief valve control, core spray and LPCI injection permissive, and LPCI loop select signals are derived from bourdon-tube pressure switches.
Anticipated Transient Without Scram si gnals and Reactor Protection System Signals are developed from diaphrag m operated pressure transmitters.
B. Two divisions of reactor pressure indi cators and/or recorders in the control room receive signals from both bourdo n-tube and diaphragm transmitters.
The logic and sequencing, bypasses and interloc ks, actuated devices, and system design bases of the systems to which these instrument s connect, are discussed in their respective UFSAR instrumentation and control or sy stem functional description sections:
A. Emergency core cooling systems (HPCI, LPCI 7.3.1, 6.3 mode of RHR, ADS,and core spray)
B. Reactor protection system 7.2, 4.6
C. Anticipated transient without scram 7.8, 15.8
D. Safety relief valve 5.4
7.6.2.2.3 Reactor Vessel Water Level
Reactor vessel water level is in dicated and recorded in the control room which is measured by differential pressure transmitters. Level is also indicated locally on two separate racks on the reactor building mezzanine floor and two separate racks on the reactor building ground floor, which is measured by differe ntial pressure indicators and differential pressure transmitters.
[7.6-23] Reactor vessel water level provides ECCS initia tion signals by non-indicating differential pressure transmitters, which also provide tri p functions in the Anticipated Transient Without Scram (ATWS) system. The water leve l is also monitored by level transmitters coupled to the same sensing lines to provid e (ATS) signals for the RPS, PCIS and HPCI systems. In addition, reactor water level is sensed by redundant level transmitters that provide inputs to the analog trip instrumentation (Section 7.6.2.5).
QUAD CITIES - UFSAR Revision 7, January 2003 7.6-18 Level instruments provide inputs to other systems and are described in sections listed below:
A. Reactor Protection System 7.2 B. Anticipated Transient Without Scram 7.8
C. Emergency core cooling system 7.3.1, 6.3
D. Diesel start 8.3
E. Reactor core isolation cooling 5.4 F. Primary Containment Isolation System 7.3.2
G. Feed pump and turbine trip 7.7, 10.2, 10.4
In response to NRC NUREG-0737 and Generic Le tter 84-23, the Yarway columns inside the drywell have been replaced with two condensate pots per loop and the reference legs were rerouted through new drywell penetrations to minimize the amount of piping inside the drywell. This modification was performed to address concerns with potential reference leg flashing due to elevated temperatures wi thin the containment following an accident.
In response to NRC IN 93-27 and Bulletin 93-03, a Reactor Vessel Level Instrumentation System (RVLIS) Backfill Subsystem was installe
- d. This subsystem of RVLIS establishes a deaerated water barrier that prevents non-co ndensable gases in the condensate pot from diffusing into the reference leg water.
The Backfill Subsystem also maintains the condensate pot water level when non-condensabl e gases have built up in the condensate pot steam space. The Backfill Subsystem take s water from the CRD drivewater header, regulates the flow at 4-6 lbm/hr, and injects th e water into the reference legs on the inboard side of the drywell penetration root valve. On ly one reference leg from a single condensate pot is equipped with Backfill injection to av oid excessive thermal hydraulic and thermal stress to the condensate pot and reactor nozzle.
The sensors and transmitters are grouped so t hat a single event will not jeopardize the ability of the RPS to initiate a scram.
The water level in the reactor is controlled by the reactor feedwater level control system.
The primary level sensors for feedwater level co ntrol are on separate condensing chambers than those for RPS level functions. The sensor s are calibrated in a range which is sensitive to minor level changes. An isolated third re actor water level signal input is used to increase the feedwater level signal reliability fr om sensor failures. A majority based value is determined from the three level inputs and used to control feedwater flow. The feedwater control system is discussed in Section 7.7.
Two other redundant transmitters for the two-thirds core height containment cooling permissive interlock use the same condensing chambers as the feedwater control system (Sections 7.4 and 5.4).
QUAD CITIES - UFSAR Revision 7, January 2003 7.6-18a In addition to level indicators provided on the sensing lines described above, a separate level transmitter (with a reference leg conden sing chamber connected to the reactor head) provides (non-ESF) control room indication of level in the upper-most part of the vessel.
This would be used, for example, when filling the vessel prior to head removal.
Diverse types of sensors are provided for the various ESF sensors. The transmitters currently in use are provided fr om various instrument vendors.
QUAD CITIES - UFSAR Revision 11, October 2011 7.6-19 7.6.2.2.4 Reactor Feedwater Flow
Reactor feedwater flow is monitored by flow transmitters coupled to flow nozzles in the feedwater lines. See Section 7.7 for a further discussion of the reactor feedwater flow control (level control) system.
[7.6-24]
In addition to the flow nozzles, feedwater fl ow is also monitored by the Cameron Leading Edge Flow Meter (LEFM) CheckPlus System. The LEFM CheckPlus System consists of an electronics cabinet and spool pieces installed in each of the three feedwater supply lines.
Each spool piece contains ultrasonic flow transducers, pressure tap for pressure transmitters and RTDs (resistance temperatur e detector) that feed signals back to the electronics cabinet. The LEFM CheckPlus System is only used for feedwater flow measurement and does not provide input to any control system.
7.6.2.2.5 Reactor Steam Flow
Reactor steam flow is monitored by flow transmi tters coupled to the flow restrictors in each main steam line. Individual steam flows are us ed by the feed water level control system to determine total steam flow (section 7.7.5). Hi gh main steam line flow (indicative of a main steam line break) is used as an input to the primary containment isolation system isolation valve control (Section 7.3.2).
[7.6-25]
7.6.2.2.6 Reactor Vessel Flange Leak Detection
Integrity of the seal between the reactor vessel body and head is continuously monitored at the drain line that is connected to the flange fa ce between the two large concentric O-rings.
The drain line is normally closed. Leakag e from the reactor vessel through the inner O-ring collects in a level-switch chamber and annunc iates an alarm. Pressure buildup is also annunciated. A solenoid-operated valve permit s draining the leak system piping so a measurement of the severity of this leak can be made as the chamber refills.
7.6.2.3 Design Evaluation
Reactor vessel temperature and pressure are se nsed and indicated in the control room to provide the operator with the information re quired to prevent excessive vessel stresses.
Both the vessel temperature sensors and pressu re sensors are provided in quantities which allow a margin for sensor failures. Pressure sensors used for control room indication and recording have a history of reliable performance.
[7.6-26]
Thermocouples on the reactor ve ssel were particularly important during the first few cycles of heating and cooling of the reactor vessel.
Once a good record was obtained and analyzed, the limiting rates of temperature change were re lated to the temperature observations from a relatively few thermocouples and from bulk coolant temperature. Redundant thermocouples are installed to ensure that th e operator always has adequate information to operate the reactor safely. The thermocoup les meet the requirements of USAS-C96.1.
Reactor vessel water level is measured to prov ide information which can be used to assure that the core is covered and that the separators are not flooded. The use of the level signals in the RPS, ECCS, and the feedwater control syst ems assures that either the proper level is maintained, or that the reactor will be shut down automatically.
QUAD CITIES - UFSAR Revision 9, October 2007 7.6-20 Tests have been conducted to determine the st ability of the vessel level instrumentation in the presence of rapidly decaying pressures.
These tests were conducted at 1500 psig on a standard temperature-compensated head chamber.
A series of test runs, starting at 1500 psig, verified the level instrumentation assembly could withstand a depressurization rate of 200 psi/s for the first 3 seconds. At this point, the surface of the water started simmering.
Thereafter, the rate was 100 psi/s. Thus, the pressure was dropped rapidly without
interfering with the stability of the constant head chamber level and the accuracy of the connected level instrumentation.
Redundant level indicating sensors and tr ansmitters are provided, and there are a sufficient number of sensing lines so that plugging of a line will not cause a failure to
scram. The arrangement provides assurance t hat vital protection functions will occur, if necessary, in spite of a failure in the system.
The feedwater control system level sensors ar e independent of the RPS level sensors. A failure in the level control which causes the wa ter level to exceed set limits will in no way influence the level signals feeding the RPS. Feedwater control system failures are
discussed in Section 15.1 and 15.6.
Protection against reactor vessel overfill is prov ided by reactor high water level trip signals.
Protective actions automatically initiated by reactor high water level include: closure of the main turbine stop valves (which scrams the reactor and trips the main turbine),
tripping the feedwater pumps, and tripping the HPCI and RCIC systems. These trips protect steam handling equipment from damage du e to gross water intrusion. In addition, the high water level trip also serves to mainta in fuel thermal margins during the feedwater controller failure event (as discussed in Section 15.1.2). Redundant logic is used to prevent a single channel from causing inadvertent trips.
In addition to reactor vessel wa ter level, reactor pressure is sensed for core protection purposes. A damaging core power transient resu lting from a reactor vessel pressure rise is prevented through the control actions initiated by the reactor pressure signal. The four pressure sensors used by the RPS are arranged so that a plugged line or any other single failure will not prevent a reactor s cram initiated by high pressure.
The reactor vessel flange leak detection syst em gives immediate qualitative information about a leak sensed by a pressure buildup.
These sensors' sensitivities are such that degradation of the seal is noted long befo re excessive leakage occurs. Quantitative information as to the leak rate gives the op erator the information necessary for a prudent evaluation of repair urgency.
7.6.2.4 Surveillance and Testing
All reactor vessel instrumentation inputs to RPS and ECCS are derived from pressure or differential pressure measurements. The sens ing devices are piped so that they may be individually actuated with a known signal du ring shutdown or operation to initiate a protection system single logic channel trip. Th e level switches have indicators so that the readings can be compared to check for nonconformity.
[7.6-27]
During equilibrium conditions, either hot or cold, thermocouples monitor an approximately uniform temperature; this informat ion is used to detect abnormalities.
QUAD CITIES - UFSAR Revision 7, January 2003 7.6-21 The reactor feedwater system control scheme is a dynamic system and malfunctions become self-evident. The system can at all time s be cross-compared with the other level measurements.
7.6.2.5 Analog Trip Instrumentation
The analog trip instrumentation system consis ts of an analog sensor (transmitter) and master/slave trip unit setup which ultimately driv es a trip relay. The use of these types of instruments, including calibration intervals, is described in Genera l Electric Topical Report NEDO-21617-A.
[2] The instruments in this system meet the EQ requirements of 10 CFR 50.49. [7.6-28]
The power feeds to the transmitters and trip uni ts were selected so that when power is available to an ECCS pump, power will also be available to the controlling trip unit.
[7.6-29]
Physical location of the components and cable routing is such that divisional separation criteria is maintained.
[2] [7.6-30]
The analog trip instruments serve as a part of other systems (see the appropriate system sections):
A. Reactor protection system Section 7.2
B. Primary containment isolation system Section 7.3
C. High pressure coolant injection/core spray Sections 6.3, 7.3
D. Residual heat removal Sections 5.4, 6.3, 7.3 E. Reactor Core Isolation Cooling Section 5.4 F. Feed Pump and Turbine Trip Sections 7.7, 10.2, 10.4 G. Anticipated transient without scram Section 7.8
QUAD CITIES - UFSAR Revision 9, October 2007 7.6-22 7.6.3 References
- 1. DuBridge, R.A., et al., "Reactor Contro l Systems Based on Counting and Campbelling Techniques, Full Range Instrumentation Development Program, Final Progress Report," AEC Research and De velopment Report, U.S. Atomic Energy Commission Contract AT (04-3)-189, Project Agreement 22 GEAP-4900 (July (1965).
- 2. "Analog Transmitter/Trip Unit Systems for Engineered Safeguard Sensor Trip Units," G.E. Topical Report, NEDO-21617-A, December 1978.
Safety Analysis for ATRIUM-9B Fuel Rev. 1, September 1996", Siemens Power Corporation, EMF-96-037. 4. CENPD-400-P, Rev. 01, Generic Topica l Report for the ABB Option III Oscillation Power Range Monitor.
- 5. C. Thadani to L. A. England, "Acceptanc e for Referencing of Topical Reports NEDO-31960 and NEDO-31960, Supplement 1, BWR Owners' Group Long-Term Stability Solutions Licensing Methodology," (TAC No. M75928) dated July 12, 1993 (SER attached).
- 6. NEDO-32465, Licensing Topical Report, BW R Owners' Group Reactor Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications.
Revision 9, October 2007 QUAD CITIES - UFSAR Table 7.6-1 OPRM SYSTEM TRIPS TRIP FUNCTION TRIP SETPOINT CONFIRMATION COUNT SETPOINT ACTION OPRM Alarm N/A 17* Annunciator OPRM Trip ** ** Annunciator, Automatic Suppression Function (ASF) trip signal to RPS OPRM Bypass Selector Switch Contact N/A Annunciator OPRM Trouble\Inop OPRM Annunciator Relays N/A Annunciator System Enable Nominal Setpoints: 25% thermal power
< 60% recirculation drive flow N/A Annunciator
- Initial Value - can be varied to meet operating needs ** Refer to cycle specific values in COLR QUAD CITIES - UFSAR 7.7-1 7.7 OTHER INSTRUMENTATION
This section discusses instrumentation and control systems whose functions are not
essential for the safety of the plant. These systems include the following:
A. Reactor control rod control systems including:
- 1. Control rod adjustment control,
- 2. Rod block interlocks,
- 3. Rod position indication system (RPIS), and
- 4. Control room indicators and alarms.
B. Rod worth minimizer (RWM);
C. Recirculation flow control and economic generation control;
D. Pressure regulator and turbine generator controls;
E. Feedwater (reactor level) controls; and
F. Condenser, condensate, and condensate demineralizer controls.
7.7.1 Reactor Control Rod Control Systems
7.7.1.1 Design Bases
The reactor control rod control system, in conj unction with the recirculation flow control system discussed in Sections 7.7.3 and 5.4.1, is designed to:
[7.7-1]
A. Provide capability to co ntrol reactor power level;
B. Provide capability to control the powe r distribution within the reactor core;
C. Prevent a single component malfunction or single operator error from causing damage to the reactor or reactor coolant system;
D. Prevent a malfunction from interfering with reactor protective functions; and
E. Provide the reactivity control cap ability required to prevent fuel damage by meeting the specific core characteristic s, parameters, and limitations described in Sections 4.2, 4.3, and 4.4.
QUAD CITIES - UFSAR 7.7-2 7.7.1.2 Control Rod Adjustment Con trol (Reactor Manual Control System)
7.7.1.2.1 Control Rod Adjustment Control
Withdrawing a control rod increases core rea ctivity, causing reactor power to increase until the increased boiling, void formation, and fuel temperature balance the change in reactivity caused by the rod withdrawal. An increased boiling rate tends to raise reactor vessel pressure, causing the pressure regulator to op en the turbine control valves to maintain a constant turbine inlet pressure. When a con trol rod is inserted, the converse effect takes place. [7.7-2]
The hydraulic portion of the control rod drive system is described and evaluated in Section 4.6. Each control rod has its own drive, includ ing separate control and scram devices. Each rod is electrically and hydraulically independ ent of the others, except that a common discharge volume is used for scram operation.
Each rod has an individual pressure source for scram operation. Rod position is mechanica lly controlled by the design of the rod drive piston and collet assembly.
Scram operation of all rods is completely in dependent of the circuitry involved in rod positioning during normal operation. Scram operation is described in Section 7.2.
Electrical power for the rea ctor manual control system (RMCS) is received from an instrument bus which is fed from an emergenc y ac bus. The control rod drive system is actuated, for normal operation, by energizi ng solenoid-operated valves which direct the drive water to insert or withdraw the rod.
Control rods are operated one at a time and are withdrawn in preplanned symmetrical patterns. The allowable patterns have been chosen such that control rod worths will
remain below the fuel damage limits, and powe r distribution in the core will be properly balanced. The rod selected for withdrawal is el ectrically controlled so that withdrawal is not more than 6 inches - one notch - at a ti me. The one notch withdrawal restriction may be overridden by the operator by si multaneously manipulating two switches.
7.7.1.2.2 Rod Block Interlocks
Protection is afforded to prevent inadvertent control rod movement (rod block). Refer to Figure 7.7-1.
With the mode switch in SHUTDOWN, no con trol rod can be withdrawn. This enforces compliance with the intent of the shutdown mode.
The circuitry is arranged to initiate a rod bloc k regardless of the position of the mode switch for the following conditions:
[7.7-3]
A. Any average power range monitor (APRM) upscale rod block alarm - the purpose of this rod block function is to avoid conditions that would require reactor protection system action if a llowed to proceed. The APRM upscale rod block alarm setting is selected to initia te a rod block before the APRM high neutron flux scram setting is reached.
The APRM system is also recirculation flow referenced in the RUN mode to initiate trip signals to inhibit rod QUAD CITIES - UFSAR Revision 9, October 2007 7.7-3 withdrawal to prevent operating the reactor at excessive power levels with reduced recirculation flow. B. Any APRM inoperative alarm - this assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or properly bypassed. C. Either rod block monitor (RBM) upscale alarm - this function is provided to stop the erroneous withdrawal of a control ro d so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of
radioactive material released from the nuc lear system, the trip setting is selected so that no local fuel damage results fr om a single control rod withdrawal error during power range operation. The RBM system is also recirculation flow
referenced and operates when power is above 30%. D. Either RBM inoperative alarm - this assures that no control rod is withdrawn unless the RBM channels are in serv ice or properly bypassed.
E. Neutron monitoring system recirculati on flow unit either upscale or downscale (inoperative) alarm - this assures that no control rod is withdrawn unless the recirculation flow units, which are nece ssary for the proper operation of the RBMs, are operable.
F. Neutron monitoring system recircu lation flow unit comparator alarm or inoperative - this assures that no con trol rod is withdrawn unless the difference between the outputs of the flow units is within limits and the comparator is in service.
G. Scram discharge volume high water le vel - this assures that no control rod is withdrawn unless enough capacity is ava ilable in the scram discharge volume to accommodate a scram. The setting is sele cted to initiate a rod block prior to the scram signal that is initiated on scram discharge volume high water level.
H. Scram discharge volume high wate r level scram trip bypassed - this assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service.
I. RWM rod insert block and rod withdrawal block - the purpose of these functions is to reinforce procedural controls that limit the reactivity worth of control rods under low power conditions. The rod block settings are based on the allowable control rod worth limits established for the design basis rod drop accident.
Adherence to prescribed con trol rod patterns is the normal method by which this reactivity restriction is observed.
J. Rod position indication system inoper ative - this assures that no control rod is moved unless the rod position information system is in proper operation.
K. Rod movement timer switch malfunction.
L. Rod select power switch in OFF positi on when movement timer switch is in the HOME or START position above 30% co re thermal power as indicated by APRMs. Below 30% power, the rod out permit light remains on, but no rod withdrawal is possible without a rod selected.
With the mode switch in RUN, the followi ng conditions initiate a rod block:
QUAD CITIES - UFSAR 7.7-4 A. Any APRM downscale alarm - this a ssures that no control rod is withdrawn during power range operation unle ss the average power range neutron monitoring channels are operating prop erly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN
mode.
B. Either RBM downscale alarm - this assures that no control rod is withdrawn during power range operation unless th e RBM channels are operating properly or are correctly bypassed. Unbypassed RBM s must be on scale during reactor operations in the RUN mode.
With the mode switch in STARTUP/HOT ST ANDBY or REFUEL the following conditions initiate a rod block:
[7.7-4]
A. Any source range monitor (SRM) dete ctor not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges - this assures that no control rod is
withdrawn unless all SRM detectors are pr operly inserted when they must be relied upon to provide the operator wi th neutron flux level information.
B. Any SRM upscale level alarm - this assures that no control rod is withdrawn unless the SRM detectors are properly re tracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is
designed to detect and measure neutron flux.
C. Any SRM inoperative alarm - this assures that no control rod is withdrawn during low neutron flux level operat ions without having proper neutron monitoring capability available, in t hat all SRM channels are in service or properly bypassed.
D. Any intermediate range monitor (IRM) detector not fully inserted into the core -
this assures that no control rod is wi thdrawn during low neutron flux level operations unless proper neutron monitoring capability is available, in that all IRM detectors are properly located.
E. Any IRM upscale alarm - this assure s that no control rod is withdrawn unless the intermediate range neutron monitori ng equipment is properly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions re quiring reactor protection system action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.
F. Any IRM downscale alarm except when range switch is on the lowest range -
this assures that no control rod is wi thdrawn during low neutron flux level operations unless the neutron flux is bein g properly monitored. This rod block prevents the continuation of a reactor st artup if the operator upranges the IRM too far for the existing flux level; thus, the rod block ensures that the
intermediate range monitor is onscale if control rods are to be withdrawn.
G. Any IRM inoperative alarm - this assures that no control rod is withdrawn during low neutron flux level operatio ns unless proper neutron monitoring capability is available in that all IR M channels are in service or properly bypassed.
QUAD CITIES - UFSAR Revision 9, October 2007 7.7-5 H. Mode switch in STARTUP/HOT STAN DBY and the refueling platform over the reactor - this assures that no control rod is withdrawn when fuel is being loaded into the reactor.
I. Fuel on any refueling hoist and the refueling platform over the reactor - this assures that no control rod is withdraw n when fuel is being loaded into the reactor.
J. Selection of a second control rod when one control rod is already withdrawn while the mode switch is in REFUEL - this assures that no more than one
control rod is withdrawn during co ntrol rod and/or control rod drive maintenance.
To permit continued power operation during the repair or calibration of equipment for selected functions which provide rod block in terlocks, a limited number of manual bypasses are permitted as follows:
[7.7-5] A. One SRM channel, B. Two IRM channels, C. Two APRM channels, and D. One RBM channel.
IRM and APRM reactor protection system and rod block bypasses are initiated using joystick switches in the control room. There is one IRM bypass switch and one APRM
bypass switch for each reactor protection logic channel. Each of the two IRM bypass switches can be positioned to bypass the trip and rod block functions for one of four IRM channels, and each of the two APRM bypass switches can be positioned to bypass the trip
and rod block functions for one of three APRM channels. A light in the control room
indicates the bypassed condition.
The bypass circuits are separated such that only one IRM and one APRM can be bypassed in a single reactor protection logic channel at the same time. Actuation of all four bypass switches would bypass a total of four neutro n monitoring instruments - one IRM and one APRM bypass in each reactor protection channel and the corresponding IRM and APRM bypasses in the rod block channels. Under th ese circumstances, no other IRM or APRM bypass is possible without first removing an existing bypass. This bypass restriction ensures that adequate monitoring of the core is maintained.
The SRM detector position rod block is aut omatically bypassed as the neutron flux increases beyond a preset low level count rate (100 cps) on the SRM instrumentation. The bypass allows the detector to be withdrawn, as a reactor startup is continued, until the low level count rate is reached. An automatic by pass of the entire SRM rod block circuit occurs when all IRM range switches reach range eight or above.
[7.7-6]
An automatic bypass of the RBM rod block o ccurs whenever the power level is below a preselected level, or whenever a peripheral co ntrol rod is selected. Either of these two conditions indicates that local fuel damage is not threatened, and that RBM action is not required.
With the exception of OPRM, the same neutro n monitoring equipment (APRM, IRM, SRM, and RBM) that is used in the reactor protection system is also used in the rod block circuitry. One half of the total QUAD CITIES - UFSAR Revision 9, October 2007 7.7-6 number of APRMs, IRMs, SRMs, and RBMs provides inputs to one of the rod block logic circuits, and the remaining half provides inpu ts to the other logic circuit. One neutron monitoring system recirculation flow unit provid es a rod block signal to one logic circuit; the remaining flow unit provides an input to the ot her logic circuit. The flow unit comparator provides trip signals to each flow unit trip ci rcuit. In addition to the arrangement just described, both RBM trip channels provide inpu t signals into a separate circuit for the nonannunciating rod block control. Scram disc harge volume high water level signals are provided as inputs into one of the two rod bloc k logic circuits. Both rod block logic circuits sense when the high water level scram trip fo r the scram discharge volume is bypassed.
The rod withdrawal block from the RWM trip affects a separate circuit that trips the nonannunciating rod block control. The rod inse rt block from the RWM function prevents energizing the insert bus for both notch insertion and continuous insertion.
The APRM and RBM rod block settings are varied as a function of recirculation flow.
Analyses (Section 15.4) show that the APRM or RBM settings selected are sufficient to avoid both reactor protection system action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to in dicate that a detector is not fully inserted.
Additional detail on all the neutron monitoring system trip channels is available in Section 7.6.
The rod block from scram discharge volume hi gh water level utilizes a thermal-type level sensor installed in each scram discharge instrument volume.
[7.7-7]
An additional thermal-type level sensor is installed on each scram discharge volume to provide an alarm in the control room on high level in the discharge volume as a warning to
the operator. This indication has no aut omatic actuation or block functions.
7.7.1.2.3 Rod Position Indication System
Control rod position information is obtained fr om the rod position indication system (RPIS), which utilizes reed switches in the control rod dr ive that open or close as a magnet attached to the rod drive piston passes during rod move ment. Reed switches are provided at each 3-inch increment of piston travel. Since a notch is 6 inches, indication is available for each
half-notch of rod travel.
A reed switch is also provided at a location that is beyond the limits of normal rod movement. If the rod drive piston moves to these overtravel positions, an alarm is sounded in the control room. The overtravel alarm provid es a means to verify that the drive-to-rod coupling is intact, because with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel positi on. Coupling integrity can be checked by attempting to withdraw the driv e to the overtravel position.
7.7.1.2.4 Control Room Indicators and Alarms
The following control room indicators and al arms are provided to allow the operator to know the status of the control rod system and the control circuitry:
[7.7-8]
QUAD CITIES - UFSAR 7.7-7 A. Rod position,
B. Withdraw bus energized,
C. Insert bus energized,
D. Withdrawal permissive,
E. Rod drift,
F. Notch override,
G. Stabilizer valve selector switch position,
H. Settle bus energized,
I. Rod drive flow control valves' position,
J. Rod drive water pressure control valve position,
K. Drive water pump low suction pressure (alarm only),
L. Drive water filter high differential pressure (alarm only),
M. Charging water (to accumulator) low pressure (alarm only),
N. Control rod drive temperature,
O. Scram discharge volume not drained (alarm only),
P. Scram valve pilot air header low pressure,
Q. Rod worth minimizer conditio ns are displayed (Section 7.7.2),
R. Nuclear instrumentation system trips are displayed (Section 7.6), and
S. Scram discharge volume high level (alarm only).
7.7.1.3 Design Evaluation
The circuitry described for the reactor manual control system is completely independent of the circuitry controlling the scram valves. Th is separation of the scram and normal rod control functions prevents failures in the rea ctor manual control circuitry from affecting the scram circuitry. The scram circuitry is discusse d in Section 7.2, Reactor Protection System.
Because each control rod is controlled as an in dividual unit, a failure that results in the energization of any of the insert or withdraw so lenoid valves can affect only one control rod.
The effectiveness of a reactor scram is not impaired by the malfunctioning of any one
control rod. It can be concluded that no sing le failure in the reactor manual control system can result in the prevention of a reactor scram and that the repair, adjustment, or maintenance of reactor manual control system components does not affect the scram circuitry. Design criteria concerning the possi bility of a failure to scram are covered under Section 7.8, Anticipated Trans ient Without Scram (ATWS).
[7.7-9]
QUAD CITIES - UFSAR 7.7-8 7.7.1.4 Inspection and Testing
The reactor manual control system can be ro utinely checked for proper operation by manipulating control rods using the various me thods of control. The system allows for detailed testing and calibration using standar d test and calibration procedures for the various components of the rea ctor manual control circuitry.
Routine inspection of the RPIS includes observ ation of the control rod display once per shift during power operation and during control rod withdrawal for proper control rod position indication.
[7.7-10]
7.7.2 Rod Worth Minimizer
7.7.2.1 Design Basis
The design basis of the RWM is to serve as a backup to procedural control to limit control rod worths during startup and low power operation so that in the event of a control rod drop from the reactor core, the reacti vity addition rate will not lead to damage of the primary coolant system or to significant fuel damage.
Operating procedures are the primary defense against high worth control rod patterns. Pr eplanned, normal rod patterns result in low individual rod worths. The RWM is not intended to replace a nuclear engineer's selection of control patterns, but is simply to monitor and reinforce good operating procedures to limit deviations from these patterns. In performing this function, it should cause minimum
interference with desired operation.
[7.7-11]
7.7.2.2 Description and Definitions
7.7.2.2.1 Definitions
Sequence Step
Steps are the sequential subdivisions of an oper ating sequence. Each step consists of an array of rods and a set of insert and withdraw limits that apply to each rod in the array.
The steps are numbered in the order they are to be followed when going up in power. The withdraw limit of the array specified in a step is the same as the insert limit of that array in the nearest higher step in the sequence containing that array.
Sequence Array
An array or group consists of a list of contro l rods. (Both "group" and "array" are used to describe a unique list of control rods. The me anings are equivalent.) All control rods are assigned to one and only one array. Rods can only be assigned to an array during the
sequence load procedure. An array can be moved any number of times within a sequence and at any step. The sequence may optionally contain an array with rods which are to be termed "out of service." Rods within this ou t of service array should be fully inserted and are blocked from movement if selected.
QUAD CITIES - UFSAR Revision 4, April 1997 7.7-9 Operating Sequence
An operating sequence is a sequence of rod move ments to be followed by the plant operator when withdrawing or inserting control rods.
The sequence can be printed out or viewed at the operators RWM screen at any time. A se quence consists of an ordered list of sequence steps each containing a list of rods (array) and the position the rods should be moved to, from the current position, at that step. Th e sequence is enforced in reverse order when coming down in power.
Latched Step
The latched step is the step within the operat ing sequence compatible at a given time with the existing distribution of control rod posi tions. The current control rod pattern is compared to the loaded sequence and the total number of errors calculated at each step.
The latched step is the step with the least num ber of total errors. If this criteria yields more than one step, then the lowest step within this list is defined as the latched step. The
RWM will latch at any other step within this lis t if that step contains the selected rod.
Notch Position
A notch position of a control rod is defined as any even number 00 - 48. Physically these numbers correspond to notches located 6 inches apart on the control rod drive mechanism.
A control rod in movement passes through th e odd numbers but can only be mechanically latched at an even numbered position. An odd position is not even transmitted
electronically to the RWM. A control rod no t latched at an even position, unless selected and driving, will be considered to have an invalid position.
Shutdown Margin Test Sequence
The shutdown margin test sequence consists of any step of any two or more control rods.
One rod of the step may be fully withdraw n and the other will have a specified axial position limit. A shutdown margin sequence may be loaded into the RWM, or the RWM
may be bypassed for the shutdown margin test.
Selection Error
A selection error is defined as the selection of a control rod inconsistent with the loaded sequence in the RWM.
Insertion Error
An insertion error is defined as the insertion of a control rod inconsistent with the loaded operation sequence in the RWM. For example, if the operator is withdrawing control rods exactly according to procedures and has withdr awn several of the rods which are defined to be in Group 4, the insertion of any withdrawn ro d of Group 4 at that time is not considered an insertion error even though it may be a de viation from planned procedures. However, if the operator were to insert a rod which is defi ned in a lower numbered group, that action is inconsistent with the operating sequence and is an insertion error. This definition is independent of how far the rod is inserted.
QUAD CITIES - UFSAR Revision 3, December 1995 7.7-10 Withdrawal Error
A withdrawal error is defined si milarly to an insertion error.
For example, if several rods in Group 4 are not withdrawn, the withdrawal of a rod from any group higher than 4 is a withdrawal error, regardless of how far the rod is moved.
Low Power Setpoint
Above 10% power, the objectives of the RWM are satisfied with no constraints on rod patterns. This is due largely to the advantag eous effects of high initial power level on the consequences of a reactivity insertion accident. Therefore, core average power level derived from feedwater and steam flow signals is used to remove RWM rod bl ock constraints above the low power setpoint (LPSP) (10% power), unless they have been manually enabled above 10% power by the operator.
[7.7-12]
Insert Block, Permissive
An insert block is interlocked with the reacto r manual control system in such a manner as to permit or inhibit the insertion of the sele cted control rod. An insert block is imposed when a rod has moved one or more notches beyond the limits allowed in the sequence. The
following conditions will cause rod movement insert blocks:
A. Selection and driving in of a rod not within the currently latched step;
B. Selection of a rod deemed to be an in sert error (It may be po ssible to remove this insert block by declaring the rod inoperabl e and inserting it fully using the "Out Of Service" function from the RWM screen.
It also may be allowed to remove the insert block by using the "Alternate Limit" function from the RWM screen if the
insert rod is at the correct alternate limit);
C. Selection of an improper rod when atte mpting to recover from an insert error;
D. Selection of any rod other than a with draw error rod when a ttempting to recover from a withdraw error;
E. Various other rod selections when implementing special modes such as "Rod Test"; or
F. System initialization or hardware errors.
Withdraw Block, Permissive
A withdraw block is interlocked with the re actor manual control system in such a manner as to permit or inhibit the withdrawal of th e selected control rod. A withdraw block is imposed when a rod has moved so as to violat e the sequence. The following conditions will cause rod movement withdraw blocks:
A. Selection and driving out of a rod not within the currently latched step;
B. Selection of any rod when attempting to recover from a withdraw error;
C. Selection of any rod except the rods with insert errors when attempting to recover from an insert error; QUAD CITIES - UFSAR 7.7-11 Revision 11, October 2011 D. Various other rod selections when implementing special modes such as "Rod Test"; or
E. System initialization or hardware errors.
Alternate Control Rod Limit
In addition to the insert and withdraw limits specified in the loaded sequence, an alternate control rod limit may be selecte d for any rod. The alternate control rod limit for a rod is defined as being one notch position less than the position limit for that rod at that step.
The only exception to this rule is that the al ternate position to the limit of 00 is 02.
Out of Service Rod
An out of service (OOS) rod is a rod which is "pinned" at 00 with no movement or alternate limits allowed. A control rod which can not be fully inserted may be declared OOS although more restrictive rules apply to rods incapable of insertion.
Placing a rod OOS effectively removes the rod from its associated array.
The rod is ignored during the latch procedure and will not be considered as an insert or wi thdraw error during other rod movements. Rods may be taken OOS in one of two ways: in clusion in a out of service array defined by the sequence builder, or through use of the RWM screen function "Place Rod Out Of
Service." A control rod which has been declar ed OOS is not allowed to be moved in any direction.
Substituted Rod Position
A substitute rod position can be entered thro ugh the RWM screen for rods whose positions are undefined. A substitute value can not be en tered for any rod with a "good" position (00, 02, 04, 46, 48, etc.,). A rod with a position that cannot be determined may have a substitute value entered if all attempts by the RWM fail in locating its position. When a substitute rod's position becomes known, the substitute va lue is replaced automatically with the good value and the operator is notified. A maximum of 10 rods may have substitute values
entered. If a substitute rod is selected and driven, the entered substitute value will be discarded and a new substitute value en tered if the new position is bad.
System Mode System mode is selected by a two-position switch in the control room. This switch is used by the operator to bypass the RWM system, if necessary, to remedy hardware problems.
The two positions are labeled NORMAL - BYPASS.
Operational State - Computer Ready
This status applies only when selected syst em mode is normal. The RWM program will determine if it can latch and verify a sequence.
If the RWM program is able to complete all of its diagnostics and has a valid sequence loaded, it signals a ready state through an indicating light.
QUAD CITIES - UFSAR Revision 11, October 2011 7.7-12 Rod Test Function
The rod test function is a special case of the normal mode and is selected through the operator interface. When in this mode, on e rod may be fully withdrawn and reinserted , only if all other rods are fully inserted. Move ment of a control rod is blocked when selected if any other rod is not fully inserted. If placed in this mode with more than one rod withdrawn past the fully inserted position, a ll rod movements are blocked until the rod test mode is exited.
Control Rod Position
The control rod position is the axial position of a control rod in the core. Valid control rod positions are 00 - 48, even numbers only.
Control Rod Condition
The condition of a control rod describes the va lidity of the control rod position. A control rod may be one or more of the following:
A. Normal,
B. Bad,
C. Substituted,
D. Out of service,
E. Alternate enabled,
F. Selected,
G. Drifting,
H. Insert error, or
I. Withdraw error.
Rod Drift A rod drift is indicated if control rod odd-notch ed position is detected without being driven by the control rod drive (CRD) system. Rod dr ift is detected by the RPIS and sent to the RWM as a digital input.
Analyzed Rod Position Sequence
The analyzed rod position sequence is a set of rules designed to minimize rod worth and reduce peak fuel enthalpy below limits in the event of a rod drop accident. These rules are to be followed to the LPSP of 10%
rated core thermal power (RCTP).
[7.7-12a]
QUAD CITIES - UFSAR 7.7-13 Revision 11, October 2011 7.7.2.2.2 System Components The RWM function is provided by a computer program running on the redundant process computer system as well as a dedicated red undant data acquisition system (DAS). The component interconnections are shown on the block diagram, Figure 7.7-2A.
A. Redundant digital computers PPC-A and PPC-B.
B. Redundant DAS components.
C. Graphic display and control panel switch.
D. Relays interfacing with Reactor Manual Co ntrol System to provide rod blocks.
The block diagram illustrates the role of the digital computers in the RWM process.
Software to effect the RWM function resides bo th on the PPC components as well as on the DAS components.
7.7.2.2.3 Arrangement
The RWM function consists of a computer pr ogram running on redundant process computers as well as a computer program running on a redundant DAS system. The DAS and process computer communicate using a redundant ethe rnet link dedicated to that application.
The color graphics monitor is located on the reactor controls section of the main control board (901-5) in the control room. A touch s creen system is used as the operator input device. Touching certain areas of the screen e nables certain actions. The only other control located on the main control board is a bypass sw itch used to disable the rod block ability of the RWM.
The DAS obtains inputs from the Rod Position Indication System (RPIS), Reactor Manual Control System (RMCS), and other plant instru mentation. Outputs from the DAS are used to drive relays that interface with RMCS to provide insert and withdraw rod blocks when required.
QUAD CITIES - UFSAR 7.7-14 Revision 11, October 2011 7.7.2.2.4 Features The operator is presented with a display on th e graphics monitor to represent the following conditions:
A. Rod step number, position, limits,
B. Insertion error rod identification,
C. Withdraw error rod identification, and
D. Current position of all control rods.
A two-position selector switch with normal and bypass positions on the operator's panel determines the mode of operation. In the normal mode, the active PPC will perform the
function of the RWM. In the bypass mode, the rod blocks will be bypassed by a relay
contact. The RWM will receive a signal that it is in bypass mode. The RWM program will continue to display current rod positions and pe rform a subset of its normal functions, but will not provide rod blocks or alarms when errors are detected.
The withdraw/insert permissive is achieved by sets of output relays driven by digital outputs from the DAS. The output relays are arranged in a one out of two taken twice logic to provide reliability and redundancy. This logi c is used in other plant logic including the reactor trip system and w ill not be described here.
QUAD CITIES - UFSAR Revision 11, October 2011 7.7-15 7.7.2.3 Design Evaluation
During normal operation in any sequence, wi th the operator withdrawing and inserting control rods according to the predetermined procedures, the RWM will neither block, nor noticeably delay rod movement.
During such operation there will be no alarms except for equipment malfunctions, i.e., control rod drift or input/output errors.
If the core power level exceeds the low power setpoint, the RWM will not inhibit the selection, insertion, or withdrawal of any control rod, but will only annunciate errors unless blocks have been enabled to full power by the operator.
When the reactor is operating below the low po wer setpoint or with blocks enabled to full power by the operator, the RWM will block moveme nt of a selected control rod in the latched step upon violation of either the insert of with draw limit by one notch. The adherence to the loaded sequence, when in the normal mode, can only be suspended when the operator selects one of the special modes provided for testing co nditions. Bypassing the RWM will also disable the rod block functions of the RWM.
The control room operator interactions with the RWM program are primarily through the touch screen. Any other PPC screen in the con trol room may also be used for this function, providing a means for the operator to control the RWM in the event of a failure of the provided touch screen. All information necessary for ro d movement will be available on the screen.
Different colors are used for quick recognition of an abnormal situation.
The primary screen will normally be displayed on the touch screen and will be the default screen displayed when that screen is starte
- d. Other screens may be displayed at the discretion of the operator.
7.7.2.4 Surveillance and Testing
Detailed on-demand system diagnostic routines are provided to test the computer and the control rod interlock networks.
The Technical Specifications, through surve illance requirements, impose the following verifications and testing to be performed on the RWM: verifications to ensure the correct control rod sequence is loaded into RWM; verifica tions on the bypassing of control rods and the position of those rods to be bypassed; functio nal testing to verify the rod block and selection error functions, and the verification of the aut omatic bypass setpoint. Consult the Technical Specifications for the frequency and deta ils on the RWM surveillance requirements.
[7.7-13]
QUAD CITIES - UFSAR 7.7-16 Revision 11, October 2011 7.7.3 Load Control Design
Load control of a BWR power plant differs from a conventional fossil fuel power plant due primarily to the sensitivity of boiling to pressu re variations. In the conventional plant, the turbine control valves are controlled by the speed/load governor responding directly to system frequency and load demand via the go vernor setpoint. The resulting pressure changes in the boiler cause a pressure regulato r to adjust the firing rate of the boiler furnace to match the steaming rate with the turbine steam flow.
[7.7-14]
In the nuclear boiler, power, hence steaming rate, is directly affected by the steam volume in the reactor core. In turn, the steam volume is sensitive to pressure variations. If the BWR turbine were controlled as in the conventi onal plant, opening the control valves would cause reactor vessel pressure to decrease, whic h would cause the steam volume in the core to increase, which in turn would cause the neu tron flux (fission power) to decrease; exactly the opposite effect desired. Conversely, clos ing the control valves would cause the reactor power to increase rather than decrease. The greater the rate of change of pressure, the greater the short-term change in neutron flux.
However, the difference in the neutron flux between two steady-state pressure levels (e.g., 1000 and 1020 psia) is small, providing only the operating pressure is changed.
The heat addition rate of the BWR boiler c an be changed much faster than that of a conventional boiler, but even so, it cannot be c hanged fast enough to cope with the effect of a rapid pressure change on reactor power. A control scheme was adopted which placed the turbine control valves under control of a high performance pressure regulator (refer to Section 7.7.4). The steam generation rate in the reactor must first be changed before the pressure regulator will react to change the turbine steam flow.
This load control scheme is made up of two control systems, a turbine control system which is supplied with the turbine, and a recirculation flow control system which is supplied with the reactor. Figure 7.7-3B is a diagram of the plant load control scheme, and shows the basic features in the power operating mode. Reactor pressure and turbine-generator controls are addressed in Section 7.7.4. Ad ditional turbine controls are addressed in Section 10.2.
In addition to the two control systems named above, an economic generation control (EGC) system was originally included in the control scheme for load control. This system is abandoned.
QUAD CITIES - UFSAR 7.7-17 Revision 11, October 2011 7.7.3.1 Recirculation Flow Control System
Reactor power may be varied over a range of approximately 40% by varying recirculation flow rate. As recirculation flow rate is in creased, steam voids are removed from the core faster, thus reducing the existing void accumula tion. A positive reacti vity insertion occurs by increasing the moderation of neutrons, re sulting in a reactor power increase. The positive reactivity input is balanced by the negative reactivity effects of higher fuel temperature and new void formation.
[7.7-15] Speed of the reactor recirculation pumps is vari ed to change the recirculation flow. A block diagram of the recirculation flow control system is shown on Figure 7.7-3B. An Adjustable Speed Drive (ASD) varies the frequency of the voltage supply to the pump motors to give the desired pump speed (see Section 5.4.1.2).
To change reactor power, a demand signal from the operator is applied to the master co ntroller. A signal from the master controller adjusts the setpoint of the controller for each ASD. The recirculating pump motor adjusts its speed in accordance with the frequency of the ASD output voltage. Individual loop controllers can be placed in manual so that in dividual speed setpoints can be sent to the respective ASD. The speed demand from the ma ster or individual controls is used directly at the ASD and actual speed is not used as a bi as to the demand signal. This is considered "open loop"control.
The ASD includes programmed settings to limit the recirculation pump speed to ensure the MCPR limit is not exceeded during a transie nt. The ASD setpoints are specified in the Core Operating Limits Report. The Te chnical Requirements Manual requires these setpoints to be verified every 24 months.
[7.7-16]
7.7.3.1.1 Reactor Recirculation Control System (RRCS)
The RRCS digital control system (DCS) provid es system control and information to the operator. It monitors and determines jet pump flows, loop flows and total core flow. Key parameters related to core flow and the Re actor Recirculation System's operation are processed and displayed at the Operator Station in the Main Control Room. All recirculation pump speed control logic and oper ator interfaces are provided by the RRCS.
Included in the RRCS logic are the control interlocks, core flow runbacks, alarms, and trending.
A digital controller for RRCS is within the common feedwater (FWLC) and recirculation control (RRCS) cabinet are used for communi cation with the common FWLC and RRFC equipment, such as the Operator Station (OS) and the Engineering Workplace (EW).
Separate gateway computers for the FWLC and RRCS systems are used for supporting data transfer to a local area network (LAN) and transient recording of data.
7.7.3.2 Economic Generation Control System - Abandoned
System is abandoned in place.
[7.7-17] [7.7-18]
QUAD CITIES - UFSAR 7.7-18 Revision 11, October 2011 7.7.3.3. Failure Mode and Effects Analyses
The failure Modes and Affects Analysis (FM EA) and reliability analysis of the digital Reactor Recirculation Control System (RRCS) are provided in Westinghouse report P03-342, Revision 2. The effects of the original plant design failures bound any possible failures existing in the RRCS. The digital RRCS has self checking ability and designed failure
responses are programmed for loss of input sig nals, parameters out of specified range, failure of internal self-checks, power supply failures, and other failures to minimize the affect of these failures and to prevent plant tr ansients. The parameters that determine the worst case recirculation flow re lated accident are based on the settings, limits, and rate of change limits of the MG Set scoop tube position er, not the control functions and algorithms in the RRCS controller.
7.7.3.3.1 Section Deleted
7.7.3.3.2. Load Demand Error Signal Failures - Function Not Available
Load following and Automatic Flow Contro l are no longer a plant control option.
7.7.3.3.3. Section Deleted
QUAD CITIES - UFSAR 7.7-19 Revision 11, October 2011 7.7.3.4. Design Evaluation
The recirculation flow control arrangement contri butes to the stable response of the reactor.
The stability of the unit is discussed in Secti on 4.3. Chapter 4 describes reactor thermal margins under the flow control mode. Figure 4.4-1 depicts typical reactor power-flow behavior lines: with flow and power initially at any point on the curve, a flow change will cause the power to change along the path indicated by the curve. Malfunction of the flow
controller can cause either a recirculation flow in crease (insertion of positive reactivity) or a decrease (high power to flow ratio). Inadvertent recirculation flow increases are less severe than the transient caused by starting a recircu lation pump in a cold loop, and inadvertent recirculation flow decreases are less severe t han a trip of one or two recirculation pumps.
These malfunctions are discussed in Chapter 15.
[7.7-19]
The recirculation flow control system has a l oop selection network which is controlled by differential pressure(p) instrumentation in the low pressure coolant injection (LPCI) break detection system. See Section 6.3.
The p instrument trip points are selected such that the instruments null (essentially zero differential) when the reactor recirculation pumps are delivering rated flow. This will optimize the setting of the instruments should there be even a slight difference in the loss coefficient of the jet pump assemblies.
The trip setpoints for these instruments will remain the same regardless of the number of
recirculation loops in operation. During one pump operation, a reactor pressure permissive will prevent the loop selection network until re actor pressure has dropped to approximately 900 psig (allowable value is specified in the Te chnical Specifications). This requirement adjusts the selection time to allow for pump coastdown and thus optimize sensitivity and still ensure that the network is not delayed unne cessarily. Stopping the recirculation pump is necessary to eliminate the possibility of breaks being masked by the operating recirculation pump pressure. Thus, the low re actor pressure permissive allows the same trip point setting regardless of the number of recirculation loops in operation.
The trip setpoint is set at about 0.75 psi (allowable value is specified in the Technical
Specifications). The only requirement is that any positive p would result in the selection of Loop A, any negative p would result in the selection of Loop B.
7.7.3.5 Other Reactivity Control Systems
The standby liquid control system is discussed in Section 9.3.5.
QUAD CITIES - UFSAR 7.7-20 Revision 11, October 2011 7.7.4 Pressure Regulator and Turbine-Generator Controls
7.7.4.1 Design Basis
The pressure regulator and turbine-genera tor controls are integrally connected to accomplish the functions of controlling reactor pressure and turbine speed. Specifically, reactor pressure must be prevented from in creasing to too high a value during load maneuvers, and turbine speed must be mainta ined below design limitations. The system must result in stable response for all anticipated maneuvering rates.
[7.7-20]
7.7.4.2 System Description
Control and supervisory equipment for the tu rbine-generator are arranged for remote operation from the turbine-generator control pane l board or console in the control room. In addition, turbine oil pressure and steam extracti on pressure are transmitted to receivers on the panel board. Normally, the pressure regula tor controls turbine control valve position to maintain constant reactor pressure. The ab ility of the plant to follow system load is accomplished by adjusting the reactor power leve l, either by regulating the reactor coolant recirculation system flow or by moving the control rods. A block diagram of the turbine control system is shown on Figure 7.7-3B.
However, the turbine speed control can overri de the pressure regulator, and the turbine control valves will close when an increase in sy stem frequency or a loss of generator load causes the speed of the turbine to increase. In the event that the reactor is delivering more
steam than the turbine control valves will pass, the excess steam will be bypassed directly
to the main condenser automatically by pressure-controlled bypass valves.
The total capacity of the bypass valves is equal to 33.3% of the rated reactor flow. Load rejection in excess of the bypass valves' capaci ty, which occurs due to generator or tie line breaker trips, will cause the reactor to scram.
The pressure regulator and turbine-generato r controls utilize a triple modular redundant (TMR) design with a separate turbine con troller, pressure controller and overspeed protection module. Each controller / module consists of three (3) separate processors, utilizing a software-implemented fault-tole rance (SIFT) technology that allows the controller to remain on-line if one of the processors fails.
The TMR turbine controller is tasked with turbine control and protection, the TMR pressure controller performs the steam bypass and pressure control functions and the TMR protection module provides a second level of overspeed protection. The turbine controller and pressure controller communicate over re dundant unit data highways to coordinate turbine and pressure control requirements.
The protection module functions independent from the turbine and pressure controllers with dedicated speed sensor inputs.
The separate TMR system for control of the turbine bypass valves and control of the turbine
allows the two functions to maintain indepe ndence from a control hardware and software standpoint. For critical functions, the con trollers utilize triple-redundant process sensors and will continue operation if one of the proc ess sensors fail. The pressure controller is designed to continue operation even if two (2) of the three (3) sensors fail.
QUAD CITIES - UFSAR 7.7-21 Revision 11, October 2011 The maximum combined flow limit (MCFL) function of the control system limits the combined steam flow through the turbine control and bypass valves to a value of at least 110% of rated reactor steam flow but not more than 125%. The low MCFL value is
important for slow power increase events and defines the amount that steam flow can increase before the plant will begin to pressu rize. The upper MCFL value is intended to prevent a Group I isolation on main steam line high flow.
Normally, the bypass valves are held closed and the pressure regulator controls the turbine control valves. All the steam production is norm ally used to make electrical power. If the speed control or load limit reduces the steam flow to the turbine, the bypass valves will open to pass steam directly to the main condense r, to maintain a constant system pressure.
If steam flow exceeds the combined capacity of the turbine control valves and the bypass valves, system pressure will rise and scram the reactor. A rapid reduction of electrical load will initiate a reactor scram as described in Section 7.2.
The turbine stop valves are equipped with limit switches which open when the valve has
moved from its fully opened position. These sw itches provide a scram signal to the reactor protection system, anticipating the resulting re actor high pressure condition. The turbine stop valve scram signal is discussed in Section 7.2.2.5.
To protect the turbine, the following conditions initiate closure of the four turbine stop valves (see Section 10.2):
A. High reactor vessel water level,
B. Low lube oil or bearing oil pressure,
C. Overspeed,
D. Excessive thrust bearing wear,
E. Generator electrical faults,
F. Remote and local manual trips,
G. Vacuum trip,
H. Low EHC hydraulic pressure,
I. Loss of feedback signal trip,
J. High water level in moisture separator, K. Loss of stator cooling without runback, and
L. High vibration trip when enabled.
7.7.4.3 Design Evaluation
The pressure regulator and turbine-generator de sign is such that the system provides a stable response to normal maneuvering transie nts. Section 4.3 evaluates the stability of the overall boiling water reactor cycle, incl uding the pressure and turbine control.
QUAD CITIES - UFSAR 7.7-22 Revision 11, October 2011 The bypass valves are capable of responding to the maximum closure rate of the turbine admission valves such that reactor steam flow is not significantly affected until the magnitude of the load rejection exceeds the ca pacity of the bypass valves. Load rejections in excess of bypass valve capacity may cause the reactor to scram due to high pressure, high neutron flux, or rapid electrical load redu ction. If power is greater than the bypass capability, any condition causing the turbine st op valves to close, will directly initiate a scram before reactor pressu re or neutron flux have risen to the trip level.
The pressure regulator or controller can be a ssumed to fail in either of two ways: opening the turbine control valves or the bypass valves, or closing them. These malfunctions are
discussed in Chapter 15; in either case, fuel damage does not occur. The triple modular redundant design reduces the probability that pressure regulator malfunction will cause operational problems.
7.7.5 Feedwater Level Control System
7.7.5.1 Design Basis
The feedwater control system is designed to regulate feedwater flow to the reactor vessel such that reactor vessel water level is mainta ined to an operator controlled setpoint. There are two basic modes of operation: single-element and three-element control.
[7.7-21]
7.7.5.2 System Description
7.7.5.2.1 Description of Single-Element Control
Single-element control is a mode of operation which controls feedwater flow based only on reactor water level deviations. The actual meas ured level is compared to the level set on the controller. The regulating valve is adjusted by a signal proportional to the level error signal. Feedwater and steam flow signals hav e no effect under single-element control.
Single-element control is used during plant start-up conditions or when at low reactor power. The operator can select single-eleme nt control at anytime. The feedwater level control digital control system (DCS) can autom atically choose single-element control when appropriate.
7.7.5.2.2 Description of Three-Element Control
Another feedwater control mode is three-element control. In this control mode, the level of the water in the reactor is controlled by a f eedwater controller which receives inputs from reactor vessel water level, feedwater flow, and steam flow transmitters.
During steady-state operation, feedwater fl ow exactly matches steam flow and the water level is maintained. A change in steam flow is immediately sensed and the system adjusts the opening of the feedwater control valves to balance the two flows and maintain level.
QUAD CITIES - UFSAR 7.7-23 Revision 11, October 2011 7.7.5.2.3 Control Signal Inputs
Reactor vessel level signals used by the feedwa ter level control system are indicated and/or recorded in the control room. Level sens ors are described in Section 7.6.2.2.3.
Feedwater flow is monitored by flow transmitte rs coupled to flow nozzles in the feedwater lines. The total feedwater flow is the summation of the signals from the three feedwater
lines. [7.7-22]
Steam flow is monitored by four flow transmitte rs coupled to four flow restrictors in the steam lines. The level control system calculat es total steam flow by using the average of the valid input signals and multiplying by four.
A straight sum of the flows method can be selected by the operator for testing purposes.
Reactor vessel majority water level, total feed water flow, and total steam flow are displayed and recorded in the control room. High and low reactor vessel water level are annunciated in the control room. High water level will c ause the feedwater pumps to trip, to prevent overfill. A low water level can cause initiation of the level scram function by RPS.
[7.7-23]
Three level signal inputs are used by the con trol system and a majority based value is used to control feedwater flow. The feedwater valves fail "as is," and the valves may be switched to manual control in the event of failure.
Each reactor feedwater pump has recirculation controls which pass feedwater back to the condenser when individual feed pump flow is below minimum flow required to cool the pumps. A staggered pump tripping logic is used for low suction based trips. A low-low suction pressure will trip all feed pumps simultaneously.
To enable the feedwater system to make maxi mum contribution to reactor core cooling in the event of small breaks, the reactor feedwate r pumps are flow limited to protect against a potential pump runout when the rated capacity of the pumps is exceeded. The level control
system limits total feedwater flow to a value dependent on the number of feed pumps
running. This protection is referred to as feed pump runout protection (FPRP). See Section 10.4 for further discussion of the feedwater system.
7.7.5.2.4 Digital Control System
All inputs and outputs to the feedwater leve l control are processed by a digital control system (DCS). The digital control system prov ides the analog signal filtering, conversions, and setpoints. The digital control logic and control algorithms are contained in the DCS software.
QUAD CITIES - UFSAR 7.7-24 Revision 11, October 2011 Manual pushbotton stations are provided on the main control panels for controlling the level setpoint, mode of control, and for taking manual control of individual flow regulating valves. A DCS Operator Station is provided in the Main Control Room to provide feedwater level DCS graphic displays and operator interf ace. The operator can acknowledge system alarms, control the system logic, adjust th e level setpoint, change control options, and position the regulating valves from the DCS Operator Station.
7.7.5.2.5 Supported System Requirements
The following are output functions of the feed water level control to other plant systems:
- Reactor Recirculation system runback logic
- Feed Pump logic for low suction pre ssure conditions (Section 10.4.7)
- Condensate Booster Pump Minimum Flow control
- Stand-by Condensate Booster Pump Au to Start logic (Section 7.7.6.2)
- Hydrogen Addition (total steam flow signal)
- Plant Process Computer
7.7.5.3 Design Evaluation
Key feedwater system parameters are re corded and, upon abnormal conditions, annunciated in the control room; the operator c an monitor system operation continuously.
Feedwater level control signals are redund ant, and equipment design is reliable, minimizing the possibility that malfunctions w ill result in level control difficulties.
The feedwater level control system is design ed to maintain water level at an operator controlled setpoint which is typically at th e mid-point of the feedwater level control instrument range of 0 to 60". Proper control of reactor water level will prevent inadvertent RPS trips and main feed pump trips from a level that is too low or too high.
Feedwater control system malfunctions could re sult in maximum or zero feedwater flow.
These malfunctions are discussed in Sections 15.5 and 15.6. In either case, fuel failure does
not occur.
The instrumentation for control of the feedwater system is separate from reactor protection system instrumentation, thereby limiting the co nsequences of sensor malfunctions. Reactor overfill protection will trip the feedwater pumps. This function is not performed by the
feedwater level control system.
QUAD CITIES - UFSAR Revision 11, October 2011 7.7-25 7.7.6 Main Condenser, Condensate, and Condensate Demineralizer
7.7.6.1 Design Bases
The main condenser, condensate, and conden sate demineralizer systems' control is designed to provide indications of major system trouble. Main condenser sensors must
provide inputs to the reactor protection system to anticipate loss of the main heat sink and to protect against condenser overpressure. Th e condensate system controls must ensure adequate cooling to the condensate pumps.
[7.7-24]
7.7.6.2 System Description
The condensate pumps take suction from th e main condenser hotwell. The discharge passes through the steam jet air ejector in ter- and aftercondensers, the gland seal condensers, and the off-gas condensers. Th e flow then passes through the condensate demineralizers and then to the suction of the condensate booster pumps. The condensate
and condensate booster pumps are run with a common motor. The discharge of the booster pump passes through the low pressure feedwater heater strings and then to the suction of the feedwater pumps.
When a condensate/condensate booster pump is in standby, detection of low pressure at the condensate booster pump discharge header starts the standby condensate/condensate booster pump. In addition, if any of the running pumps trip, a pump in standby will autostart. An air-operated control valve, loca ted on the discharge header of the condensate booster pump recirculates condensate back to the condenser during plant startup.
Minimum cooling flow through the condensate pumps, air ejector condensers, gland seal condenser, and off-gas condenser is maintained by the feedwater pump minimum flow
valves. [7.7-25]
Conductivity of condensate both upstream and downstream of the demineralizers is measured, recorded, and actuates an alarm on high conductivity. The upstream
conductivity sample point is on the influent header common to all of the demineralizers.
[7.7-26]
Main condenser hotwell level is indicated lo cally, recorded in the control room, and is automatically or manually controlled by either making up to or returning condensate from, the condensate storage tank. Vacuum swi tches monitoring condenser vacuum provide scram signals to protect the reactor from loss of the main heat sink; protection for the condenser itself is assured by closure of th e turbine stop and bypass valves as condenser absolute pressure increases above a preset value.
7.7.6.3 Design Evaluation
Indication of key parameters from the main condenser, condensate system, and condensate demineralizer system are provided in the control room. The operator is kept cognizant of the conditions of the systems. Abnormal co nditions are annunciated, so that the operator may take appropriate action. The reactor is protected from loss of the main heat sink by main condenser low vacuum scram signals; the vacuum sensors meet the design
requirements established for all reactor prote ction system functions (Section 7.2). To protect the condenser from overpressure, a de crease of condenser vacuum below the scram set point will initiate closure of the turbine stop valves and bypass valves.
(Sheet 1 of 1)
Revision 8, October 2005 QUAD CITIES - UFSAR
TABLE 7.7-1
EGC CONSOLE TOP PLATE FUNCTIONS - ABANDONED EQUIPMENT
Pushbutton Switches Purpose TRIP Used to remove unit from local program control or remote automatic control.
Flashing light in switch indicates control is automati cally tripped. Depressing TRIP pushbutton will change to steady light. Manual trip will cause steady light only. AUTO Used to permit remote automatic control by Raise-Lower impulses from the Sy stem Power Supply Office.
Light in switch indicates AUTO control is selected. LOWER PROGRAM Used to lower genera tion under local program control.
Light in switch indicates selection. RAISE PROGRAM Used to raise genera tion under local program control.
Light in switch indicates selection. PRIMARY PULSE Used to select Ra ise-Lower control impulses from primary telemetering channe
- l. Light in upper half indicates selection. Light in lower half indicates
pulsing. BACKUP PULSE Used to select Ra ise-Lower control impulses from backup telemetering channel.
Light in upper half indicates selection. Light in lower half indicates
incoming pulsing. LAMP TEST Used to illuminate lamps to test for defective ones.
Setters HIGH LIMIT Establishes unit MW generation high (raise) regulating limit. LOW LIMIT Establishes unit MW generation low (lower) regulating limit. RATE OF CHANGE LIMIT Establishes maximum ramp rate in MW/min for unit.
(Sheet 1 of 1)
Revision 8, October 2005 QUAD CITIES - UFSAR
TABLE 7.7-2
EGC STATUS INDICATORS (ANNUNCIATORS) - ABANDONED EQUIPMENT
Indicator Description ACT FAIL Electrohydraulic control system interface unit or governor motor actuator failure. HIGH LIMIT Unit generation equals or exceeds HIGH LIMIT setting.LOW LIMIT Unit generation equa ls or exceeds LOW LIMIT setting. RAISE OUTPUT Raise impulse from electrohydraulic control system interface unit or governor mo tor actuator to generating unit control system. LOWER OUTPUT Lower impulse from electrohydraulic control system interface unit or governor mo tor actuator to generating unit control system. RAISE INPUT Raise input pulse to controller.
LOWER INPUT Lower input pulse to controller.
EXT TRIP Interlocks in trip circuits from contacts provided elsewhere in the boiler, turbine or generator control
system. EXT BLOCK Control action suspended by contacts provided elsewhere in the boiler, turbine or generator control
systems. DECREASE RATE LIMIT Control action to de crease generation limited at second rate by controller (not used). INCREASE RATE LIMIT Control action to in crease generation limited at second rate by controller (not used). Signal Light RESERVE EMERGENCY Signal light initiated manually by Load Dispatcher in System Power Supply Office to indicate system generation deficiency.
QUAD CITIES - UFSAR Revision 11, October 2011 7.8-1 7.8 ANTICIPATED TRANSIENT WI THOUT SCRAM MITIGATION SYSTEM
7.8.1 Introduction
This section discusses the anticipated transie nt without scram (ATWS) mitigation system.
Related topics and systems include the standby liquid control system (SBLC), discussed in Section 9.3.5; the control rod drive (CRD) sy stem, Section 4.6; the reactor recirculation system, Section 5.4; the reactor protection sy stem (RPS), Section 7.2; the residual heat removal (RHR) system (suppression pool coolin g mode), Section 5.4; and the ATWS accident analyses, Section 15.8. For diagram of Nucl ear Boiler Recirculation Pump Trip ATWS piping refer to P&IDs M-35, Sheet 3 and M-77, Sheet 3.
An anticipated transient without scram is a po stulated operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) accompanied by a failure of the reactor protection system to shut down the reactor. Even though the reactor protection system has been shown to be highly reliable, it is postulated that a common mode failure in either the electrical or mechanical portion of the system is possible.
[7.8-1]
Since a normal scram is assumed to be unava ilable for reducing the reactor power, and since the transient event is one in which powe r reduction is necessary, another method of reducing power is needed. Two automatic ATWS functions are provided: recirculation pump trip (RPT), which mitigates the short-term effects, and alternate rod insertion (ARI), which mitigates long-term effects. Should bo th the RPS and ARI fail to insert the control rods, the standby liquid control system would be manually initiated to control reactivity.
[7.8-2]
The trip of the reactor recirculation pumps c auses a quick reduction in core flow which increases core void generation, thus introduci ng negative reactivity and decreasing reactor power. The quick power reduction brings rea ctor pressure, neutron flux, and fuel surface heat flux down rapidly enough to limit the peak pressure, clad oxidation and peak fuel enthalpy so that neither reactor coolant pressu re boundary breach nor fuel failure occur.
An analysis was performed which considered the trip of the adjustable speed drive (ASD) controller and feed breaker trip.
Alternate rod insertion (ARI) is a means of control rod insertion which is motivated mechanically by the normal hydraulic contro l units and control rod drives, but which utilizes totally separate and diverse logic fr om RPS. Alternate rod insertion energizes valves which cause the scram valve pilot air head er to bleed down. Although this type of rod insertion does not eliminate the short-te rm consequences of the assumed failure of normal scram action, it does reduce the lo ng-term consequences. The most significant long-term consequences involve containmen t limits, particularly suppression pool temperature.
[7.8-3]
7.8.2 Design Requirements
The ATWS rule (10 CFR 50.62) requires the fo llowing three elements to mitigate ATWS events: [7.8-4]
- 1. Recirculation pump automatic trip equipment;
- 2. An alternate rod insertion system, di verse from RPS, with redundant scram air header exhaust valves; and QUAD CITIES - UFSAR Revision 10, October 2009 7.8-2 3. A standby liquid control system t hat meets minimum flow and concentration requirements.
The RPT portion of the ATWS mitigation system is designed to perform its function in a
reliable manner, and to conform to the stand ard NRC approved Monticello tripping logic design[1]. [7.8-5]
The overall requirements for the ARI portion of the ATWS mitigation system are:
[7.8-6]
A. The system should be diverse from RPS;
B. The system shall be designed so that any component whose single failure can cause insertion of all control rods shall be highly reliable;
C. The system should be testable in service;
D. The system should be designed so that, as much as possible, no single component failure can prevent total mitigation action; and
E. All hardware should be of high quality and environmentally qualified.
For an ATWS (per 10 CFR 50.62), the standby li quid control system must be capable of injecting into the reactor pressu re vessel a borated water soluti on equivalent in reactivity control to injecting 86 gal/min of 13 Wt. % sodium pentaborate at natural B 10 concentration into a 251-inch ID reactor vessel for a given core design. The specific requirements of flow rate and concentration for Quad Cities Station are addressed in Section 9.3.5.
[7.8-7]
7.8.3 Mitigation System Description
All of the anticipated transients, which require mitigation in the unlikely event of an ATWS, quickly reach at least one of two cond itions which are readily sensed and from which mitigating actions may be initiated.
These conditions are high reactor vessel pressure and low-low re actor water level.
[7.8-8]
The ATWS mitigation system consists of rea ctor pressure and reacto r water level sensors and trip units, logic, power supplies, and instru mentation to automatically initiate RPT and ARI. The reactor dome pressure automatic act uation setpoint of 1250 psig (analytical limit) was chosen to be slightly above the relief va lve setpoint. The low-low reactor water level automatic actuation point of -59 inches (analytic al limit) is consistent with that level at which the recirculation pumps trip, and high pressure coolant injection and reactor core isolation cooling are initiated. The allowable values for the pressure and level actuations are included in the Technical Specifications.
Certain manual actions are required of the oper ator. Suppression pool cooling and standby liquid control must be initiated manually as required by emergency operating procedures.
The following subsections describe the capab ility and requirements for manual initiation of RPT and ARI. Alarms and indications are available to the operator to allow manual actions
within the time limits. In addition to the alarms and indications which are initiated by
RPS scram logic, other annunciator windows a ctuate when the reactor water level or reactor pressure reach the ATWS setpoints.
Therefore, during an ATWS event, the operator is alerted that an ATWS event has occurred and then has sufficient time to perform the required manual actions.
[7.8-9]
QUAD CITIES - UFSAR Revision 11, October 2011 7.8-3 7.8.3.1 Recirculation Pump Trip
The ATWS mitigation system automatically init iates a RPT of both recirculation pump ASD controllers and feed breakers on a two-out-of-t wo trip logic in either of two channels upon either continuous low-low rea ctor water level for approximatel y 9 seconds or high reactor pressure. The performance characteristics are:
[7.8-10]
Logic Delay for Trip (Sec) (Including dynamic response <= 0.53 of the sensors and trip logic action of the ASD units.)
Pump Inertial Constant (JN/ft, Sec) <= 3.0
Manual RPT is achieved by a manual trip of ei ther the ASD emergency stops or ASD feed breakers. The breaker control switches are lo cated at panel 901(2)-4 and at the switchgear breakers, and the emergency stop pushbuttons are on 901(2)-4, at the ASD control panel, and at the 1(2)-2201(2)-25A/B panels. Manual RPT should be performed within 5 minutes of receiving the following alarms if automatic RPT does not occur:
[7.8-11]
High Torus Water Average Temperature Alarm
High Reactor Dome Pressure Alarm
Reactor Low-Low Water Level Alarm
7.8.3.2 Alternate Rod Insertion
The ATWS mitigation system logic automatica lly energizes the ARI valves when the ATWS reactor vessel high pressure trip setpoint is reached, the ATWS low-low reactor water level trip setpoint is reached, or the manual switches are actuated.
[7.8-12]
Two manual initiation pushbutton switches ar e provided in the control room at panel 901(2)-5 for each division of ARI logic. Fa ilure of automatic initiation cannot prevent manual initiation. In order to avoid an inadvertent manual initiation of ARI , the two
initiation switches per division must first be armed by rotating a collar integral to each pushbutton. Once armed and then depressed, the pair of switches associated with a division will activate the ARI trip function.
[7.8-13]
Manual ARI should be initiated within 5 minutes of reaching any of the following alarm
conditions:
High Torus Water Average Temperature Alarm
[7.8-14] High Reactor Dome Pressure Alarm
Reactor Low-Low Water Level Alarm
Control Rod Drive Position Indication - Not inserted after scram annunciation QUAD CITIES - UFSAR Revision 11, October 2011 7.8-4 7.8.3.3 Alternate Rod Insertion Valves
Upon ATWS initiation (automatic or manual), the ARI solenoid valves as shown in P&ID M-41, Sheet 2 are energized to block the instru ment air supply to the scram air header and to depressurize the scram air header by ventin g air to atmosphere. Depressurization of the scram air header causes the scram valves to open resulting in the drives scramming. All
ARI valves are normally de-energized. Th e ARI valving system operates as follows:
[7.8-15]
A. There are two sets (2 divisions) of valves installed on the scram air header. Each division has sufficient capacity to acco mplish rod insertion. Each division of valves consists of the following three valves:
- 1. Two ARI valves are simply normally closed valves that open when energized to depressurize the scram air header.
- 2. One ARI valve is a three-way valve installed in the scram air header supply line. This valve is normally positioned to allow air to be supplied to the
scram air header. When energized, this valve repositions to close off the
supply air and vent the scram air header to the atmosphere.
B. Once actuated, the ARI valves remain energized between 35.9 and 37.8 seconds to ensure the scram air header is ade quately depressurized. The timer setting for the seal-in is based on the fact that fu ll rod insertion could be prevented if the ARI automatic reset occurs in less than 35.
9 seconds. After this delay, if the initiation signal has cleared, the ARI valves are de-energized. If the initiation
signal is still present after the delay, the ARI valves remain energized until the
initiation signal clears.
[7.8-16]
7.8.4 Design Evaluation
The sensors, trip units, and actuation relays (w ith the exception of the RPT reactor low-low water level trip time delay and the ARI reset circuitry) are common to both RPT and ARI.
Thus, the automatic initiations occur concurre ntly (except for the RPT low-low water level time delay) at identical setpoints. Therefore, the following design analyses dealing with the inputs, the logic, and logic power supp ly apply equally to ARI and RPT.
[7.8-17]
The RPT is modeled after the NRC-approved Monticello tripping logic design with the addition of a time delay (of approximately 9 se conds) for the low-low water level trip. The time delay for RPT on low-low water le vel has an insignificant affect on ATWS consequences and is desirable to avoid making the consequences of a postulated loss-of-coolant accident (LOCA) more severe. The final tripping devices are the ASD emergency stop and feed breaker.
[7.8-18]
The ARI function requires control rod start of motion within 34.6 seconds and full insertion within 38.6 seconds of ARI actuation. Test re sults indicate that all scram inlet and outlet valves are open within 30 seconds. Section 7.8.3.3 describes the seal-in and reset time delay of the ARI values. Based on the N RC-approved General Electric Company Topical Report NEDE-31096-P-A[1], ARI achieves the design objectives. The most limiting of these objectives (pressure suppression pool temper ature) requires full rod insertion within approximately 60 seconds.
[7.8-19]
The ARI design is safety-related and segreg ated into two electrical divisions: namely Division I and Division II which are maintained separate.
[7.8-20]
QUAD CITIES - UFSAR Revision 7, January 2003 7.8-5 The ARI system utilizes valves which are norma lly de-energized but which are energized to perform their safety functions. The ARI valves are powered from dc sources. This is in contrast to the RPS which employs ac-powered valves which are de-energized to initiate a scram.
The ARI system uses an analog transmitter/trip unit configuration. The transmitters are separate from sensors used for the RPS. In addition, the trip units utilized are separate from the process instruments used for the RPS.
[7.8-21]
The ARI trip setting for reactor pressure is 1250 psig (analytical limit) and for reactor vessel water level is -59 inches (analytical lim it) with respect to re actor level instrument zero. The RPS trip setting for reactor pressure is 1060 psig (analytical limit) and for vessel level is 0 inches (analytical limit) with respect to reactor level instrument zero. Therefore, the automatic setpoints for ARI actuation have been selected such that they will not pre-empt the RPS scram function. The allowable va lues for the pressure and level actuations are included in the Technical Specifications.
[7.8-22]
For each actuation parameter (e.g., low-low wate r level) the logic is arranged in a two-out-of-two configuration per division. This allows individual sensors, trip units, etc., to be tested or calibrated during plant operat ion without initiating the ARI system.
[7.8-23] Reactor vessel water level sensors that drive th e ATWS functions (ARI and RPT) are shared and also drive various actuation and trip functi ons that receive level signals. See sections 7.6.2.2.3, "Reactor Vessel Water Level" and 7.
6.2.5, "Analog Trip Instrumentation". In addition, the ATWS channel A and B sensors pr ovide input to the plant process computer and to the main control room narrow range level instrumentation.
QUAD CITIES - UFSAR 7.8-6 7.8.5 References
- 1. General Electric Licensing Topical Report, "Anticipated Transients Without Scram; Responses to NRC ATWS Rule 10 CFR 50.62," NEDE-31096-P-A, February 1987.
480 VAC AT TURBINE BLDG MCC 18-2 (28-2)C M APS MG A G iA-i (2A-i)EPA 1A-2 (2A-2)EPA r~(RPS 1 A 480 VAC ATTURBINEBLDG MCC 19-2 (29-2)0)M RPSMGB G 10-1 (20-1)EPA 1B-2 (2B-2)EPA B MECH.NTL RPS QUAD CITIES STATION UNITS 1&2 REACTOR PROTECTIONSYSTEMPOWERSUPPLY
.S.(2AB-2)1 AB-1 EPA (2AB-1)1AB-3 REG (2AB-3)RESERVE INSTR.&RPS TRANSFORMER RESERVE INSTRUMENT
&RPSBUS________120/240-15.2 (25-2)FIGURE 7.2-1 TRIP SYSTEM TRIP SYSTEM LOGIC TYPICAL PROTECTION SYSTEM (CONTROL AND INSTRUMENTATION PORTIONS)ELECTRICAL RELAY/SOLENOID MECHANICAL CONNECTION ELECTRICAL CONNECTION ELECTRICAL CONTACTS (SHOWN CLOSED)VALVE~~~1 CHANNEL t~HANNEL PROTECTIVE 0 ru~rl C z (f2 ru 0~r1 0 z H-4 z H H H-4 0 z'C 1-CI,~t)H 0 z DEVICE SENSOR~~_-1 TRIP SIGNAL'-TRIP SIGNAL TRIP SIGNAL LEGEND:
S.S a,AVERAGETHERMAL NEUTRON FLUX (nv)03 CO-~cD (4.I I FULLY INSERTED RETRACTI0 N-~F 1-F STARTUP I HEATING POWER.IIIIIIII R 03 C, PERCENT POWER C,,:~~>-U~~~,~~I~-U~~D-U m~,>-4 c~
.~}I+/-I+I+I+k+I+I+I+I+I+~~
J+i+i+i+i+i+i+i+i+i+i+i+i~
~+I+I+I+I+I+I+I~I+I+I+I+I+I+i+
+I+I+I+I+I+I+I~I+I+I+I+i+I+i+
+I+/-I+/-I-F~+I+I+I+I+I+i+I+k-F-I+/-I+
+I+I+I+I+I+I+f+I+I+I+I+I+
+I+/-I~I+I~I~I+I+I+I+I+
+I+l+I+I+I+I+f+I+
+I+I~I+I+X~SOURCERANGEMONITOR DETECTORS A-NEUTRON-EMITTINGSOURCES (NO LONGER INSTALLED)
.QUAD CITIES STATION UNITS 1&2 SRM-DETECTOR AND SOURCE LOCATIONSFIGURE7.6-3
+1+1+1+1++I+I~I~I+I+I~I+I+
-x-$+i+I+I+I+I+I+I+I+I+
+I+I+I+I~I~I+I~I~I+I+I+I+
+I+I+I+I~I~I+I+I~I+I+I+I+
+I+I+I+I+I~I~I+I+I~I+I+I+I+I+
+I+I+I+I+I+I+I+I+I+I+I+I+I+I+
+I+I+I+I+I+I~I+I+I~I+I+I+I+I+
+I+I+I+I+I+I+I+I+I+I+I+I+I+I+
+I+I+'+I+I~I~I+I+I~I+I+I+I+I+
+I+I+I+I+I+I+I+I+I+I+I+l+
+I+I+I+I+I+I+I+I+I+I+I+I
-x-+I+I+I+I+I+I+I+I+I+I+
+I+I~I~I+l+I+I+I+
+1+1+1+1+*-INTERMEDIATE RANGE MONITORING CHANNELS 4 REACTOR PROTECTION SYSTEM LOGIC CHANNEL A-INTERMEDIATE RANGE MONITORING CHANNELS 4 REACTOR PROTECTION SYSTEM LOGIC CHANNEL B QUADCITIESSTATION UNITS 1&2 IRM-DETECTOR LOCATIONS S SFIGURE7.6-4
+1+1+1+1+1+1+1+1+1+1.+1+1+1-+1+1-______+1+1-+/-~+1+1+/-1-H:~g~--5.-:-;~:~
-+-+1+1+1+1+1+1 I~+?~+~+1+1+1+1+1+1+1+1+1+1+1+lIIfj~I+)+)~+1+1 QUAD CITIES STATiON IJNITSI&2 IRM-RESPONSE TO ROD WITHDRAWAL ERROR FIGURE 7.6-5 i~fli 2 flFC.1993-+k~i+1+1+1+1+/-~j+~+I+1+1+1+1+~1-.+1+1++1+1+1+1++M~1+/-YW11HORAWN cONTROl.11005 CONOINON 1)REACTO11JIJST SUBCR~UCAL 2~O$E~RM RYPASSE)IN EACH REACTOR PROTECfl0t4 SYSTEM LO(~C CHANNEL OUT OcSEOUENCE FULLY WITHDRAWN 1RM BYPASSED COREAVERAGEFLUX
.100.0 10.0>(110 T 0.1 1 001 C)C-4 0,001_____________________________________________________________________________________468 10 12 16 DISTANCE (feet)S QUAD CITIES STATION UNITS 1&2 IRM-POWER DISTRIBUTION DURING ROD WITHDRAWAL ERROR FIGURE 7~6-6
+.-+1++1+-.----+1++1+-.-+1+
+1+-.--+1+
+1+-.-+1+++1+14-1+1+1+1+1+-.-1+1+1+1+-.-1+1+
1+1+-.-1+1+1+1+-.-1+1+
1+1+-.-+1++1+1-.-I+1+1 1+1+1 1+1+1 1+1+1-.-1+1+1 1+1+1-.-1+1+1 1+1+1-.-I+1+1 I+1+1-.-I+1+1 1+1+1 I+1+1+1+1+1
+1+1+1+1.S.+1+1-.-+1+1+1+1-.----+1+1+1+1-.-+1+1
+1+1-.---+1+1+1+1-.-+1+1+1+1-.--+1+1+1+1-.-+1+1
+1+1+-.+1++1+-.-+1++1++1++1++1++1+-.-+1+
+1+-.-+1+
+1+-.-+1++++1+-.-+1++1++1+
+1++1++1+-.-+1+
+1+-.-+1+
+1+-.+++-.+1+1-.+1+1-I+1+
+++++
+NOTE: EACH LOCATION REPRESENTS ASTRINGOF FOUR DETECTORS SPACED 3FEETAPART.
QUADCITIESSTATION UNITS 1&2 LPRM-DETECTORLOCATIONSFIGURE7.6-7
~oooooc D00000C D00000c D00000C 000000C 000000C D00000C J00000t D00000c)00000C)00000c)00000c)00000C)00000C 000000 TUBE CHAMBER~ooo~IP CALIBRATION TUBE DO~OO)00000C)00000C D00000C)00000C)00000C D00000C D00000C QUAD CITIES STATION UNITS 1&2 LPRM~LOCAL DETECTOR LOCATIONS CONTROL ROD BLADES N I...FIGURE7.6-8
.I QUADRANT 1 1 QUADRANT 2~I+/-I+/-I+l+I+I+I--I+I+I+I+I+I+f
+I+I+I+I+I+I+I--l+I+I+l+i+l+i+
+I+'+'+I+I+I+I+I+I+'+I+I+I+I+
--.--.--.-4-.--.--.--.-I II 1+111111111
~'21~1 12 111 112111 112+0-0-0-0-0-0 ~+l+I+I+I+I+I+l+/-I+l3+l+I3+I+I3+I~
--.--.--.---.-0--0-.-0-._
~~+I+I+l+l+l+I-~l+l3+I+I3+I+I3
-.--.--.---.-0---.-0-.-0
+I+I+I+I+l+I~~I2+l1+I2+ll+l2+I1
--0-0-0-0-0-0 H+I+I+I+I+l-1+13+1+13+1
~-.--.---.-0-.-0-.
~+l+I+I+l-12+11+12 II----0-0-0/"/QUADRANT 3 QUADRANT 4ILLUSTRATIONOF MONITORINGCOVERAGEASSUMINGQUADRANT SYMMETRIC OPERATION 02EQUIVALENTDATAROTATEDFROMQUADRANT 1 03EQUIVALENTDATAROTATEDFROMQUADRANT2 0 EQUIVALENT DATAROTATEDFROMQUADRANT3UNMONITOREDPERIPHERALASSEMBLIES
.QUAD CITIES STATIONUNITSI&2 LPRM-QUADRANT SYMMETRYFIGURE7.6-9 I+I+I+i~+I+I+
~+Ij~fI+L+I+/-
8~+.-+I+I+T+I+I+I+/-1D+/-+/-~1 I+T+1+13+1+/-I+o~a+1+/-18+I I+/-~2+I+I2+I+~2+I+/-L+
+8Ic+l+I+I+1A+I+I+
I+~d-I+BIC+l+~+1+1+I I I I+/-1l+/-Ij~2O+I+/-I 2+I+/-D~2+/-J+L+I+/-B~24++/-~+/-I+T+/-l+~+/-I+/-AI8+/-I+I+I+/-T+/-
I I I I+~~I+/-I1+/-'+~4+/-l+/-L+/-l+/-fI+/-I~++DIA+l+I+I+i0+I+I+I+01A+I+I+
I I+15+I+/-0I7+/-I+/-Ia+/-I+/-BI9+/-I+/-I1o+I+/-DII+
-.-~+/-I+/-I 1+/-I+~I 2+I+I 3+I+j 4+I+L+/--.-S+I+l+1A+l+I+l+ic+l+
~I~5-LPRMSTRINGS PROVIDING INPUT TO CHANNELS 1, 2,4 C 2 UPPER RIGHT NUMBER LPRM STRING IDENTIFICATION S-UPPER LEFT LETTER LPRM CHAMBER USED AS INPUT FOR CHANNEL 1 LOWER LEFT LETTER LPRM CHAMBER USED ASINPUTFOR CHANNEL 4 A LOWER RIGHT LETTER LPRM CHAMBER USED ASINPUTFOR CHANNEL 2QUADCITIESSTATIONUNITSI&2 APRM~LPRM ASSIGNMENTS, CHANNELS 1,2.4.I+
++
+
++12++1++DI18+-5-+~iB++
+SFIGURE7.6-10
+12+-.---1+1+I+/-D~+I+~F-1+112+-.-1+1++B16+-,-+1+~-.--+139+1-.-1+/-1+1~+Al4+1-.-+T+I 1+I+1+I+i~+I+I+l+~+I+l+
I I I I~++BIC++/-120+-.-+1+l+L8+I 1+/-1+1 I+B~2+I I+/-i~I+~2+I+/-L+I+A~3+
+DV+I+I+l+~f+/-I2+I+/-D~+I+/-L4+
+I+I~I~I+l+
I I I I'b~+/-+DIA++/-17+/--.-+1++AI1+-.-+BIC+'+/-~+/-'1+1+1l+/-D18+/-I-,-I+T+I1+12+/-1-.-1+1+1+AL5+l+I1+I+CL++~IC+I+/-I+/-I+/-DlA++/-I9+I+BI10+I+I11+
-.-+/-l+/-IPID+/-l+/-I+/-
+C13+1+14+I-.+/-DIA+I+I+I
~'+I~-LPRMSTRINGS PROVIDING INPUT TO CHANNELS 3,5,6 2 UPPER RIGHT NUMBER LPRMSTRINGIDENTIFICATION C.-UPPERLEFTLETTER LPRM CHAMBER USED ASINPUTFOR CHANNEL 5 LOWERLEFTLETTER LPRM CHAMBER USED AS INPUT FOR CHANNEL 3 D A LOWER RIGHT LETTER LPRM CHAMBER USED ASINPUTFOR CHANNEL 6++32-.+1++T++118+-.-+1+++QUADCITIES STATION UNITS 1&2 APRM-LPRMASSIGNMENTS,CHANNELS 3,5,6+++
+
++...+1+1 FIGURE 7.6-11 00%100%110%REVISION 7 JANUARY 2003 QUAD CITIES STATION UNITS I&2 ILLUSTRATIVE APRM SCRAM AND ROD BLOCK TRIPS VS.RECIRCULATION FLOW 130%120%110%100%00%
80%
10%60%
50%
40%30%20%C I Scram Trip (AL)10%-R-Rod Block Trip (AL)Core Power vs Flow Response (Typical)0%20%30%40%50%60%10%80%RECIRCULATION FLOW (%of rated)FIGURE 7.6-12 0 20 40 60 80 TOTAL FLOW[%RATED]100QUADCITIES STATION UNITS 1&2APRMRESPONSEDURINGFLOW-INDUCED POWER LEVEL MANEUVERING S S S w a: w a: a: a: w C a-LU a: C 100 80 60 40 20 0 100 80 60 40 20 0FIGURE7.6-13
-J I-2 CD 2 w~40 0~0 20 40 60 80 100 CORE POWER[%RATED]QUAD CITIES STATION UNITS 1&2 APRM RESPONSE DURING CONTROL ROD4NDUCED POWER LEVEL MANEUVERING 100 80.S.100 80 60 40 20 0 20 0FIGURE7.6-14 NOTE: ASSIGNMENT IS AUTOMATICALLY INIATIATED UPON ROD SELECTION+1++1+1+1+-.--.-1+1+1+1+1+1+1+1+-.--.-+1+1+1+1+1+
~I~I+I+I+I+
-.--.---.-+1+1+1+1+1+
~I~I+I+I+I+-.--.--0-+1+1+1+1+1+
~I+I+I+I+~--0---0-+1+1+1+1++1+1-0-+1+1+r1+/-~-')---+/-T+/-I-id*I+LT+/-t+1+1-.-+1+1+1+1-0-+1+1+1+-0-+1++/-1+/-+1*-_~0)L_+1+-0-+1++1+-0-+1++/-1+1+
+1+-.-+1++1+-0-+1+~T+/-I-RBM AUTOMATICALLY BYPASSED (READING ZERO)0-TYPICAL RODYIELDINGTWO LPRM STRINGS AS INPUTS 0-TYPICAL ROD YIELDING THREE LPRM STRINGSASINPUTS-TYPICAL ROD YIELDING FOUR LPRM STRINGSASINPUTSQUADCITIES STATION UNITS 1&2 RBM-LPRM INPUT ASSIGNMENT 900++.S.FIGURE7.6-15 10 50 40 3020304050 10 70 SO 90 100 FLOW(%OF RATED)QUADCITIES STATION UNITS 1&2RBM-HIGHFLUX TRW VS.RECIRCULATION FLOW 120 110 100 90 Ui 1-.~So a: 0 a: Ui 0 a....70 ItOFIGURE7.6-16