Forwards Addl Info Re Status & Formal Responses to 19 Draft SER Open Items,Per 840313 Review Meeting W/Instrumentation & Control Sys Branch.Responses Will Be Incorporated Into Future FSAR Amend

ML20083N565
Person / Time
Site:	Millstone
Issue date:	04/02/1984
From:	Counsil W NORTHEAST NUCLEAR ENERGY CO., NORTHEAST UTILITIES
To:	Youngblood B Office of Nuclear Reactor Regulation
References
RTR-NUREG-0737, RTR-NUREG-737, TASK-2.F.1, TASK-TM B11091, IEB-79-27, NUDOCS 8404190225
Download: ML20083N565 (148)
v • d • e

Text

. .. .. . . . . , _ .. _. .

General Offices

• Selden Street. Berlin, Connecticut 3 sY

.o os ..re. .o . cm.a"'

5a vs cowa=' HARTFORD, CONNECTICUT 06141-0270

"' (203) 666-6911 L L J ",0.  !".', *E". "7.'c'.~.~.

April 2,1984 Docket No. 50-423 B11091 Director of Nuclear Reactor Regulation Mr. B. 3. Youngblood, Chief Licensing Branch No.1 Division of Licensing U.S. Nuclear Regulatory Commission Washington, D.C. 20555 References (1) B. 3. Youngblood to W. G. Counsil, Draf t SER for Millstone Nuclear Power Station, Unit 3, dated December 20,1983.

Dear Mr. Youngblood:

Millstone Nuclear Power Station, Unit 3 NRC - Instrumentation and Control Systems Branch (ICSB)

Review Meeting, March 13,1984 A meeting was held between the NRC ICSB and Northeast Nuclear Energy Company (NNECO) in Bethesda, Maryland on March 13, 1984 to discuss nineteen (19) Draf t SER open items contained in Reference (1). During the meeting each of the nineteen items was discussed. A status of each open item was noted as defined by one of the following three categories:

Closed - No further NNECO input or action is needed to resolve the NRC concern.

Confirmatory - NNECO must provide the requested information on the Millstone 3 docket, either by a letter or FSAR amendment.

Open - No resolution possible at this time, NNECO to address.

Attachment I provides the status of those Draf t SER Open Items. It was agreed that NNECO will transmit a letter to the NRC providing a written response on each of those Draft SER open items by April 4,1984. NNECO also agreed to provide all additional information as committed to in confirmatory items as the information becomes available. The attached responses to the open items (Attachment II) formalize the above commitment given orally at the meeting.

The responses will be incorporated into the FSAR in a future amendment.

8404190225 040402 PDR ADOCK 05000423 M

kJ E PDR I

If you have any concerns related to the information contained herein or any questions related to our responses, please contact our Licensing representative directly.

Very truly yours, NORTHEAST NUCLEAR ENERGY COMPANY ET AL By Ncrtheast Nuclear Energy Company, their Agent W. C.' Counsil ~CWidfk.

Senior Vice President STATE OF CONNECTICUT)

) ss. Berlin COUNTY OF HARTFORD )

Then personally appeared before me' W. G. Counsil, who being duly sworn, did state that he is Senior Vice President of Northeast Nuclear Energy Company, Applicant herein, that he is authorized to execute and file the foregoing information in the name and on behalf of the Applicants herein and that the statements contained in said information are true and correct to the best of his knowledge and belief. _

\

)p*ufjd E ptary Publi b

.'].

4 Wy Commission Expires March 31,1988 '

3"'1 L hame . - . _ ___m ___ _ _ __ __

ATTACHMENTI Status of the NRC-ICSB Draft SER Open Items Discussed at the Meeting with the NRC-ICSB March 13,198te Item No. Description Status ICSB-1 Design Modification for Automatic Reactor Trip Open using Shunt Trip Coll Attachment.

ICSB-2 Conformance with Branch Technical Closed Position ICSB-26 ICSB '+ Containment Isolation for the Main Steam Closed Lines to the Turbine of the AFW Pump.

ICSB-5 Letdown Line Relief Valve Closed ICSB-6 Non-Class 1E Control Signals to Class 1E Open Control Circuits ICSB-8 Feedwater Isolation and Control Valves Closed and 23 ICSB-9 BOP Instrumentation and Control System Testing Confirmatory Capability ICSB-10 Remote Shutdown Capability Closed ICSB-11 IE Bulletin 79-27 Concerns Confirmatory ICSB-12 Bypass and Inoperable Status Panel Closed.

ICSB-13 NUREG-0737 Item II.F.1 Accident Closed Monitoring Instrumentation Position (4), (5),

and (6).'

ICSB-16 RHR System Isolation Valve Interlocks - Closed ICSB-17 Isolation of Low-pressure Systems from Closed the High Pressure .

ICSB-18 ~ RCS Over-pressure Protection Closed ICSB-19 . Reactor Coolant System Loop Isolation Yalve Open Interlocks ICSB-21 Control System Failure caused by High-energy Open Line Breaks.

l t

Item No. Description Status ICSB-22 Freeze Protection for Instrument Sensing Closed Lines.

ICSB-24 Hydrogen Recombiner System Closed Summary - Closed - 13 Confirmatory - 2 Open - 4 i

e i

ATTACHMENT 11 Responses to the DRAFT SER Open Items Item No.

ICSB-1 ICSB-2 ICSB-4 ICSB-5 ICSB-6 ICSB-8 and 23 ICSB-9 ICSB-10 ICSB-11 ICSB-12 ICSB-13 ICSB-16 ICSB-17 ICSB-18 ICSB-19 ICSB-21 ICSB-22 ICSB-24 t

O w______

Open items Instrumentation and Control Systems Branch ICSB-1 Design Modification for Automatic Reactor Trip Using Shunt Coil Trip Attachment (Draf t SE" Section 7.2.2.4)

The Westinghouse Owners Group (WOG) has submitted a generic design modification to provide automatic reactor trip system (RTS) actuation of the breaker shunt trip attachments in response to Salem ATWS events. The stali has reviewed and accepted the generic design modification and has identified additional information required on a plant specific basis. The applicant has not however, provided a response to Generic Letter 33-28 which established the requirements for this modification. The resolution of this matter will be addressed in a supplement to this report. This is an open item.

Response (3/84)

On August 10, 1983, the NRC issued the Final Safety Evaluation Report (SER) on the Westinghouse Owners' Group (WOG) generic design modification to provide automatic reactor trip system actuation of the breaker shunt trip attachments.

~1ne SER endorsed the generic design, but listed thirteen items that must be addressed on a utility-specific basis prior to implementation of the shunt trip modification. The generic design has been evaluated to determine the applicability to Millstone 3 plant. The WOG generic modification for the automatic shunt trip actuation of the reactor trip system breakers will be incorporated to Millstone 3 design. The NRC Staff requested that NNECO to provide the specific information package to close this item.

Status (3/84)

Open.

ICSBl. 1

Open Items Instrumentation and Control Systems Branch ICSB-2 Conformance With Branch Technical Position ICSB-26 (Draf t SER Section 7.2.2.7)

Branch Technical Position ICSB-26," Requirements for reactor protection system anticipatory trip", applies to the entire reactor protection system (RPS) from the sensors to the final actuated device. For sensors located in nonseismic areas the installation (including circuit routing) and design should be such that the effects of credible faults (i.e., grounding, shorting, application of high voltage, or electromagnetic interference) or f ailures in these areas could not be propagated back to the RPS and degrade the RPS performance or reliability. There are three groups of RPS related cables which are routed in the turbine building:

1. Turbine trip cause reactor trip input cables

2. Reactor trip to trip the turbine output cables

3. Turbine first stage pressure input to RPS interlock circuits.

The staff requested the applicant to demonstrate that his design is in conformance with BTP ICSB-26 or that exceptions are suitably justified. This is an open item.

Response (3/84)

A discussion of the reactor trip on turbine trip and the turbine trip on reactor trip was provided at the ICSB meeting. Included in the discussion was a _

' description of the routing and separation for these trip circuits including the routing within the turbine building (a non-seismic structure). Layout drawings showing the rating and separation for the following three groups of RPS related -

' cables which are routed in the turbine building were provided:

1. Reactor trip on turbine trip (input cables).

2. Turbine trip on reactor trip (output cables). >

3. Turbine first stange pressure input to RPS interlock circuits.

'FSAR Section 7.2 will be revised to indicate 'the conformance with ~ the BTP ICSB-26.

Status (3/84)

Closed.-

..ICSB2 , 4 4 - a -- -- . _ _ - - - - -

F Open items Instrumentation and Control Systems Branch ICSB-4 Containment Isolation For the Main Steam Lines to the Turbine of the AFW Pump (Draf t SER Section 7.3.3.6 General Design Criteria 57 requires that each line that penetrates primary reactor containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere shall have at least one containment isolation valve which shall be either automatic, or locked closed, or capable of remote manual operation. The main steam lines to the turbine of the AFW pump have a motor operated check stop valve in parallel with an air-operated bypass valve, both of which are remote manually operated. The staff is concerned that the bypass valves (AOV34A, B, & D) are not supplied power from a Class IE power source. Therefore, isolation of the bypass valves cannot be assured. This is an open item.

Response (3/84)

The 1/4 - inch bypass line and bypass valves (AOV 64 A, B, D) around the stop

- check valves will be eliminated. Pre-warming the three-inch turbine steam supply piping during scheduled (monthly) pump / turbine testing is not required.

FSAR Section 6.2 4 will be revised to state that a class IE power source is supplied to containment isolation valves -(where applicable) to assure proper isolation of these valves.

Status (3/84)

Closed.

g ICSB4.- 1

-e ,

.' L'_..-

Open items Instrumentation and Control Systems Branch ICSB-5 Letdown Line Relief Valve (Draf t SER Section 7.3.3.7)

The staff raised a concern that the relief valve located on the letdown line would relieve primary coolant to the reactor drain tank in the event the isolation valve inside containment did not close on a containment isolation signal or if the outside containment isolation valve f ailed closed. The applicant has not responded to this concern. This is an open item.

Response (3/84)

The failure of inside containment isolation valve 3CHS*CV8160 to close upon demand of a safety signal presupposes a single random failure which may result in reactor coolant discharging to the pressurizer relief tank (PRT) via relief valve 3CHS*RV8117. Such discharge would be dependent upon the upstream isolation valves f ailing to close (3RCS*LCB459 and 460, and 3CHS*SV8149A, B and C and 3CHS*CV8160). Containment isolation is accomplished by the automatic closure of outside containment isolation valve 3CHS*CV8152 which receives the same safety signal as 3CHS*CV8160.

' The upstream isolation valves close automatically upon pressurizer low level (level transmitters 3RCS*LT459,' 460 and 461). Additionally, as the valves are air-operated, fall closed, the letdown line would be isolated upon' loss of instrument air.

. In the 'very unlikely event that the upstream letdown isolation valves should not be isolated, however, the letdown flow rate via the relief valve to the PRT would be limited by the letdown orifices, and would not ' exceed the normal letdown

- flow rate. ' Following closure of isolation valve 3CHS*CV8152,' the pressure in the letdown line upstream of valve 3CHS*CV8152 would increase to that of the relief valve setpoint (600 psi nominal). This increase in presswe results in decreased ' letdown : flow. This assumes no corresponding' increase in RCS

pressure. - Should the initiating event result-in increased RCS pressure, say, to the ' pressurizer safety' valve setpoint, the inlet pressure to the orifice (s) would increase.'In any event, the combined effect of increasing the pressure upstream and downstream of the . orifice (s) would result in a letdown flow rate only

. approaching that of the normal letdown flow rate.'-

. Flow :into the Pressurizer Relief Tank via relief valve 3CHS*RV81 can.-be detected by: -

.(a) . High temperature alarm from TI-1251ocated in the relief valve discharger 1

piping. .

-(b) Tank level iridicator LI-470 and high alarm.

(c). Tank temperature indicator TI-468 and high alarm.

The lcas.of coolant through the unisolated, letdown line does not affect the

. reactor. coolant system heat removal capability, nor. would it significantly af fect '

ICSB5'- 1

_m

Open Items Instrumentation and Control Systems Branch the amount of coolant within the system (even if safety injection had not been

. initiated). Consequently, core integrity is maintained and 10CFR50, Appendix K limits are not exceeded. The radiological effects external to the containment for letdown routed to the PRT would be trivial and bounded by effects analyzed for a break in the letdown line outside containment. The radiological effects

- external to the containment have been calculated for letdown spilling outside the containment (see Section 15.6.2). The analyses show that for 30 minutes of unisolated letdown flow, the resulting doses are only a small fraction of 10CFR100 limits.

Status (3/84)

Closed.

ICSB5 - 2

Open Items Instrumentation and Control Systems Branch ICSB-6 Non-Class IE Control Signals to Class IE Control Circuits (Draf t SER Section 7.3.3.11)

The staf f requested the applicant to provide a list of non-Class IE control signals that are used as inputs to Class IE control circuits and justification that these non-Class IE signals are either bypassed by the ESF actuation signal, or that the non-Class IE signal can only act to the safe direction and therefore would not degrade safety systems. This is an open item.

Response (3/84)

The justification of the use of non-class IE signals as input to class IE control circuits will be' provided at a later date.

Status (3/34)

Open.

k ICSB6 - _ _ _ _ - _ - - _ _ _ _ - _ . - -

Open Items Instrumentation and Control Systems Branch ICSB-3 / Feedwater Isolation and Control Valves (Draf t SER Section 7.3.3.13)

The staff requested detailed schematic drawings for feedwater isolation valves and feedwater control valves. The applicant stated that detailed drawings will not be available until March 1934. This is an open item. ,

Response (3/84)

A discussiori of the feedwater isolation valves and feedwater control valves was provided using schematics during the ICSB meeting.

Status (3/84)

Closed.

ICSB8 - 1 n

Open Items Instrumentation and Control Systems Branch ICSB-9 BOP instrumentation and Control System Testing Capability (Draf t SER Section 7.3.3.15)

! The FSAR Sections 7.2.2.2.3 and 7.3.2.2.5 describe the capability for testing the reactor trip system and the engineered safety feature system. Most of the descriptions are based on NSSS scope of supply equipment. It is not clear whether all the BOP instrumentation and control systems satisfy the same criteria. The staff cited an example on the refueling water storage tank (RWST) level measurement which is a BOP design. The low-low loop signal from one-out-of-two level switches will automatically stop the residual heat removal pump. The empty tank signal from one-out-of-two level switches will automatically stop the quench spray pumps. The testing of these actuation logic circuits are not discussed in the FSAR and they are not tested by the same method as NSSS ESF instrument systems. The staff requested that the applicant performs a thorough evaluation on the BOP safety related instrumentation and control systems with respect to testing capabilities, identify any instrument channels which cannot be tested as described in Sections 7.2.2.2.3 and 7.3.2.2.5, and to justify that the design is in conformance with the testing requirements of GDC-21. This is.an open item.

Response (3/84)

See revised FSAR Section 7.3 Status (3/84)

Confirmatory.

ICSB9 - 1 l-

u1217912srt8r 03/21/84 246 MNPS-3 FSAR 7.3 ENGINEERED SAFETY FEATURES SYSTEM 1.9 In addition to the requirements for a reactor trip for anticipated 1.10 abnormal transients, the facility is provided with adequate 1.11 instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The 1.13 occurrente of a limiting fault, such as a loss-of-coolant accident or a steam line break, requires a reactor trip plus actuation of one or 1.14 more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system component and 1.15 ensure containment integrity.

In order to accomplish these design objectives, the engineered safety 1.16 features system has proper and timely initiating signals which are to 1.17 be supplied by the sensors, transmitters, and logic components making up the various instrumentation channels of the engineered safety 1.18 features actuation system.

7.3.1 Description 1.20 The engineered safety features actuation system (ESFAS) uses selected 1.21 plant parameters, determines whether or not predetermined sa'fety 1.23 limits ate being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or 1.24 secondary system -boundary ruptures (Class III or IV faults). Once 1.25 the required logic combination is completed, the system sends actuatio.. signals to the appropriate engineered safety features 1.26 components. The ESFAS meets the requirements of Criteria 13, 20, 27, 1.27 28, and 38 of the 1971 General Design Criteria (GDC).

7.3.1.1 System Description 1.29 The ESFAS is a functionally defined system described in this section. 1.30 The equipment which provides the actuation functions identified in 1.32 Section 7.3.1.1.1 is listed and discussed in this section (WCAP-7013, 1.33 1973; WCAP-7488-L, 1971; WCAP-7705, 1976):

1. Process Instrumentation and Control System (WCAP-7013, 1.35 1973).

2. Solid State Logic Protection System (WCAP-7488-L, 1971). 1.36

3. Engineered Safety Features Test Cabinet (WCAP-7705, 1976). 1.37 4.

Manual Actuation Circuits. 1.38

5. Emergency Generator Load Sequence Control Logic 1.39-Description 24-9.4 (NUSCo., 25212-28723) (Section 1.7 - 1.40 Logic Diagram Package).

The ESFAS consists of two discrete portions of circuitry: (1) an 1.42 analog portion consisting of three to four redundant channels per 1.43 parameter or variable to monitor various plant parameters such as the reactor coolant system and steam system pressures, temperatures and 1.44 ,

Amendment 8 7.3-1 May 1984

u1217912srt8r 03/21/84 246 MNPS-3 FSAR flows and containment pressures; and (2) a digital portion consisting of two redundant logic trains which receive inputs from the analog 1.45 protection channels and perform the logic needed to actuate the 1.46 engineered safety features. Each digital train is capable of 1.47 actuating the engineered safety features (ESF) equipment required.

Two channels of pressure switches are provided on the refueling water 1.48 storage tank (RWsT) to perform ESF functions. The intent is that any 1.49 single failure within the ESFAS shall not prevent system action when required.

The redundant concept is applied to both the analog and logic 1.50 portions of the system. Separation of redundant analog channels 1.51 begins at the process sensors and is maintained in the field wiring, containment vessel penetrations and analog protection racks 1.52 terminating at the redundant safeguards logic racks. The design 1.53 meets the requirements of Criteria 20, 21, 22, 23, and 24 of the 1971 GDC.

The variables are sensed by the analog circuitry as discussed in 1.54 WCAP-7013 (1973) and in Section 7.2. The outputs from the analog 1.55 channels are combined into actuation logic as shown on Figure 7.2-1, Sheets 5, 6, 7, and 8. Tables 7.3-1 and 7.3-2 give additional 1.57 information pertaining to logic and function.

The interlocks associated with the ESFAS are outlined in Table 7.3-3. 1.58 These interlocks satisfy the functional requirements discussed in 1.59 Section 7.1.2.

Manual actuation from the control board of containment isolation 1.60 Phase A is provided by operation of either one of the redundant 2.1 momentary containment isolation Phase A. controls. The separate 2.2 trains are thereby linked by mechanical means in a fashion similar to that shown on Figure 7.1-3. Also on the control board is a manual 2.3 actuation of safety injection by one of the redundant controls and a manual actuation of containment isolation Phase B by either of the 2.4 two sets of controls.

Manual controls are also provided to switch from the injection to the 2.5 recirculation phase after a loss-of-coolant accident. 2.6 7.3.1.1.1 Function Initiation 2.8 The specific functions which rely on the ESFAS for initiation are: 2.9

1. A reactor trip, provided one has not'already been generated 2.12 by the reactor trip system.

2. Charging pumps, safety injection pumps, residual heat 2.13 removal pumps, and associated valving which provide emergency makeup water to the cold legs of the reactor 2.14 coolant system following a loss-of-coolant accident (Table 7.3-4 and NUSco. Logic Description 24-9.4 provided in 2.15 Logic Description Package, Section 1.7).

Amendment 8 7.3-2 May 1984

u12179122r8r 03/21/84 '

245 MNPS-3 FSAR

3. Those pumps which serve as part of the heat sink for 2.16 containment cooling (e.g., service water and component cooling water pumps) (NUSCo. Logic Description 24-9.4). 2.17

4. Motor-driven and steam-driven auxiliary feedwater pumps 2.18 (NUSCo. Logic Description 24-9.4).

5. Phase A containment isolation, whose function is to prevent 2.19 fission product release. (Isolation of all lines not 2.20 essential to reactor protection.) (Table 7.3-5). 2.21

6. Steam line isolation to prevent the continuous, uncontrolled 2.22 blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown (Table 7.3-6). 2.23

7. Main feedwater line isolation, as required, to prevent or 2.24 mitigate the effect of excessive cooldown (Table 7.3-7). 2.25

~

8. Start the emergency generators to assure backup supply cf 2.26 power to emergency and supporting systems components.

9. Isolate the control room intake ducts and pressurize the 2.27 control room to meet control room occupancy requirements.

(Table 7.3-8). 2.28

10. Containment depressurization actuation (CDA) which performs 2.29 the following fanctions:

a. Initiates containment spray to reduce containment 2.31 pressure and temperature following a loss-of-coolant or main steam line break accident inside of containment 2.32 (Table 7.3-9).

b. Initiates Phase B containment isolation which isolates 2.33 the conta4nment following a loss of reactor coolant accident, or a main steam or feedwater line break 2.34 within containment to limit radioactive releases.

(Phase B isolation, together with Phase A isolation, 2.35 results in isolation of all but safety injection and spray lines penetrating the containment.) 2.36 (Table 7.3-10).

11. Emergency generator load sequencing is initiated when an LOP 2.38 signal exists (NUSco. Logic Description 24-9.4). The 2.39 emergency generator performs its sequencing function when an LOP signal exists.

7.3.1.1.2 Analog Circuitry 2.42 The process analog sensors and racks for the ESFAS are covered i*n 2.43 WCAP-7013 (1973). Discussed in this report are the parameters to be 2.45 measured, including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission 2.46 considerations. These latter considerations include the 2.47 Amendment 8 7.3-3' May 1984

u1317912sra8r 03/21/84 246 MNPS-3 FSAR transmitters, orifices and flow elements, resistance temperature detectors, as well as automatic calculations, signal conditioning, 2.48 and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the 2.49 piping flow diagrams in Chapter 5, reactor coolant system. The 2.51 secondary system sensor locatio.ts are shown on the steam system flow diagrams given in Chapter 10.

7.3.1.1.3 Digital Circuitry 2.53 The ESF logic racks are discussed in detail in WCAP-7488-L (1971). 2.54 The description includes the considerations and provisions for 2.56 physical and electrical separation, as well as details of the 2.57 circuitry. WCAP-7488-L (1971) also covers certain aspects of online 2.58 test provisions, provisions for test points, considerations for the 2.59 instrument power source, considerations for accomplishing physical 2.60 separations. The outputs from the analog channels are cembined into 3.1 actuation logic as shown on Sheets 5 (T ), 6 (Pressurizer 3.2 [

Pressure), 7 (Steam Flow Pressure and Differential Pressure), 8 (Engineered Safety Features Actuation), and 14 (Auxiliary Feedwater) 3.3 on Figure 7.2-1.

To facilitate engineered safety features actuation testing, four 3.4 cabinets (two per train) are provided which enable operation, to the 3.5 maximum practical extent, of safety features loads on a group-by-group basis until actuation of ell devices has been checked. Final 3.7 actuation testing is discussed-in detail in Section 7.3.2.

7.3.1.1.4 Final Actuation Circuitry 3.9 '

~

The outputs of the solid state logic protection system (the slave 3.10 relays) are energized to actuate, as are most final actuators and 3.11 actuated devices. Th3se devices are listed as follows: 3.13

1. Safety injection system pump and valve actuators. See 3.16 Chapter 6 for flow diagrams and additional information.

2. Containment isolation .(Phase A - "T" signal isolates all 3.17 nonessential proq s's lines on receipt of safety injection 3.18 signalt Phase,B * "P" signal isolates remaining process lines (which do not include safety injection lines) on 3.19 receipt of 2/4 hi-3 containment pressure signal). For 3.20 further information, see Section 6.2.4.

3. Service water pump and valve actuations (Chapter 9). 3.21

4. Auxiliary feed pumps start (Chapter 10). 3.22

5. Diesel start (Chapter 8). ,

3.23

6. Feedwater isolation (Chapter 10). 3.24 Amendment 8 7.3-4 May,1984 ,

u1217912src8r 03/21/84 246 l MNPS-3 FSAR t

7. Ventilation isolation valve and damper actuators 3.25 l (Chapter 6). j

8. Steam line isolation valve actr.itors (Chapter 10). 3.26 1

9. Quench spray and recirculation containment pumps and valve 3.27 actuators (Chapter 6).

1 7.3.1.1.5 ESF and Essential Auxiliary Support Systems 3.30 1

Engineered Safety Features System 3.32 Systems that comprise the ESF for Millstone 3 are listed in 3.34 I Table 7.3-11. Their function and operation following ESFAS 3.36 I initiation are summarized in this section. Additional information on 3.37 I these systems can be found in the referenced sections.

Emergency Core Cooling System 3.40 The emergency core cooling system (ECCS) is described in Section 6.3 3.42 and is shown on Figure 6.3-1. Development of the SIS and CDA is 3.44 shown on Figure 7.2-1 (Sheet 8 of 19).

The low pressure safety injection system, high pressure safety 3.45 injection system, charging pumps in the chemical and volume control 3.46 1 system, containment recirculation system. and residual heat removal l system perform the function of core cooling for both normal plant 3.47 cooldown and emergency core cooling.

When a safety injection signal (SIS) occurs, the injection mode of 3.48 operation is automatically initiated. The charging pumps are started 3.49 and lined up to take suction from-the RWST and discharge to the reactor coolant cold leg. 3.50 The component interlocks used in different modes of system operation 3.51 follow.

1. The SIS is interlocked with the following components and 3.53 initiates the indicated actions

a. Charging pumps start on SIS. 3.55

b. RWST suction valves to charging pumps open on SIS. 3.56

c. Charging pumps to RCS cold leg injection headers 3.57 parallel 1 solation valves open on SIS.

d. Normal charging path valves close on SIS. 3.58

e. Charging pump miniflow valves close on SIS. 3.59

f. Safety injection pumps start on SIS. 3.60

g. The RHS pumps start on SIS. 4.1

-Amendment 8 7.3-5 May 1984 l

u1217912sra8r 03/21/84 _

246 MNPS-3 FSAR'

h. Any closed accumulator isd1'ation valves open. 4.2

i. Vclume control tank (VCT) outlet isolation valves close 4.3 on SIS. _

2. Switchover from injection mode to recirculation involves the 4.6 following interlbcks:

a. The residual heat removal system (RHS) pumps are 4.8 stopped automatically when one of the two low-low level switches sense a low-low level in the RWST. 4.9

b. Interlocks are provided to assure isolation of the RHS 4.11 and proper alignment of the containment recirculation system for core cooling. 4.12'

c. The safety injection pump and charging pump 4.13 recirculation suction isolation valves can be opened provided that the safety injection pump miniflow lines 4.14 have been isolated.

s

d. After approximately 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br />, cold leg recirculation is 4.15 terminated and hot leg recirculation is initiated.

This' is done_ to terminate any -boiling in the core 4.16 should the break be in one of the RCS cold legs, and to prevent boron precipitation. 4.17 A. 'RHS Pump Interlock from Injection to Recirculation ~4.20 The details of achieving cold leg recirculation following safety 4.22 injection are given in Section 6.3.2 and in Table 6.3-7. 4.23 Figure 7.6-3 shows the logic which is used to automatically control 4.25 RHS pumps. -

B. Sequenced Safeguard Signals 4.28 A sequenced safeguard signal is generated byfthe emergency generator 4.30 LOAD SEQUENCE for the safety injection pump, RHS pump,- or charging 4.31 pump whenever the signals listed with'the associated pumps exist.

1. Safety Injection Pump s 4.35

. SIS or SIS.and LOP 4.37

. CDA or CDA-and LOP , 4.38 s

~

. . SIS recirculation mode then' LOP 4.40

.CDASecirculationmodethenLOP 4:.41 q.

.*a s

s

, Amendment 8" 17.3-6 May 1984 y

a

u82'17912sra8r 03/21/84 246 HNPS-3 FSAR

, 2. - Residual Heat Removal Pumps 4.44

. SIS or SIS'and LOP 4.46

. CDA or CDA and LOP 4.47

3. Charging Pumps 4.51

. SIS or SIS and LOP 4.53

. CDA or CDA and LOP 4.54

. SIS recirculation mode and then LOP 4.55

. CDA recirculation mode and then LOP 4.57 C. Component Controls 4.60

1. Residual Heat Remova'l System Pumps 5.2 The RHS pumps have manual controls on the main control board 5.4 and at the switchgear. An annunciator is alarmed in the 5.6 control room when LOCAL control'is selected. The pumps are 5.7 started automatically.on receipt of a sequenced safeguard signal. When a safety. injection signal. exists, the pumps 5.8 are stopped automatically on low-low RWST level,:and low-low level is alarmed -in. the- control room. Ammeters- and 5.10 indicator lights are located on the main' control board and-at the swi'tchgear_for the RHS pumps. ESF status lights on 5.11 the main control board indicate when' the RHS pumps are running. RHS pump AUTO. trip and overcurrent-is alarmed in 5.12 the control room.

Bypass and inoperable alarms.are provided in accordance'with 5.13

^

C Regulatory Guide 1.47.

Analysis- 5.15

-IEEE: Standard 279-1971, Paragraph 4.2 : 5.17

~

[- A.

There are-two residualEheat; removal pumps-powered from ;5.19

- separate emergency buses. -No: single failure l ati the '5~.-21

. system level 'will prevent l operation.of at'least:one -

' residual' heat !removal syste'm train.z~

. -  : B. IEEE Standard 279-1971, Paragraph 4.4 5.24 Equipment qualifications'are: discussed-in! Sections 3.10 5.26 '

Land.3.11.- J

,+-. . - .

n 1

1

~

\ ,*iAmendment 8 <

7.3-7-c [May71984 d ,. , I

" 4 g j _ g

u1217912sra8r 03/21/84 246 HNPS-3 FSAR C. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: 5.30 One train of the residual heat removal system at a time 5.32 is taken out of service and periodically- tested in accordance with the Technical Specifications in 5.33 Chapter 16. '

This testing will consist of manually starting the pump 5.35 during normal surveillance of the system or the breaker for the pump will be racked out. Once the pump is 5.37 running or the breaker is racked out, the AUTO start and tripping is verified using the emergency generator 5.38 load sequencer with safety signals generated internally or externally to the sequencer. 5.39 5.40 During the. instrument functional test, the 5.41 instrumentation setpoints and their operability are checked. The test to verify the automatic response of 5.42 the system is performed during each refueling period.

Correct settings of temperature and flow 5.43 instrumentation are verified by applying a simulated signal.

D. 'IEEE Standard 279-1971, Paragraph 4.13: 5.46 A RHR pump low pressure safety injection system Train A 5.48 bypass annunciator is alarmed in the control room when any of the following conditions exist for Train A cnr B: 5.49

. Residual heat removal-pump control switch in pull .5.52 to lock.

. Loss'of control power. 5.53 Circuit b'reaker racked out.

~

. 5.54 E. -IEEE Standard 279-1971,' Paragraph 4.16: 5.57 Once a safety signal is received, the residual heat 5.59 removal- system will go to completion. Deliberate 6.1' operator action is re' quired to-stop the RHR pumps. .The 6.2 safety signal must be reset and manual controls used.

F. IEEE Standard 279-1971, Paragraph 4.'17: a6. 5 The residual. heat removal pumps have manual controls on 6.7 the main . control -board and at the -switchgear. A 6.9

-REMOTE / LOCAL ~ control transfer switch at the switchgear.

is alarmed in the~ control room when ' LOCAL is selected. 6.10.

7.3-8I

~

Amendment 8 .May'1984 e

u1217912sra8r 03/21/84 246 MNPS-3 FSAR

2. Safety Injection Pumps 6.13 ,

l The safety injection pumps have manual controls on the main 6.15 control board and at the switchgear. An annunciator is '.17 alarmed in the control room when LOCAL control is selected. .

The pumps are started automatically on receipt of a 6.18  ;

sequenced safeguard signal. Ammeters and indicator lights o.19 are located on ,the main control board and at the switchgear for the safety injection pumps. ESF status lights on the 6.21 main control board indicate when a safety injection pump is running. Safety injection pump AUTO Trip or overcurrent is 6.22 alarmed in the control-room. Bypass and inoperable alarms 6.23 are provided in accordance with Regulatory Guide 1.47.

Indicators on the main control board monitor safety 6.24 injection pump discharge flow.

Analysis 6.26 A. IEEE Standard 279-1971, Paragraph 4.2: 6.28 There are two safety injection pumps powered from 6.30 separate e'mergency buses. No single failure at the 6.31 system' level will prevent safety injection.

'B. IEEE-Standard 279-1971,' Paragraph 4.4: 6.35 Equipment qualifications are dicussed in Sections 3.10 6.37 and'3.11.- .-

C'. IEEE Standard 279-1971, Paragraph 4.13: 6.41.

A bypass and inoperable' annunciator.in the control room 6.43 is alarmed when any of the following conditions exists for Train A or B: 6.44

.- Safety' injection pump control switch in. pull.to 6.47-lock.

6.48

~

.- Loss of control power or breaker racked out.

. Bypass pushbutton depressed. 6.49-D. 'IEEE Standar'd 279-1971f,: Paragraph 4.17: ' 6 '. 52 :

The- safety injection pumps have manual controls on the '6.54 mainc. control -board, and at- the :switchgear.. AL 6.55 REMOTE / LOCAL contro1' transfer switch at the'switchgear is alarmed in the~ control = room when-LOCAL is' selectedi

. E. IEEE-Standard 279-1971; Pargaraphs 4.9.and 4.103- 6.59-1

~

One train' at a Jtime' -is.'

1 taken' out of service and 7 .1 ' '

2 periodically-tested;in-accordance with; the = Technical .

_ . 4 Specifications in Chapter 116. z7 . 2 -

Amend'ent m 8 '7.3 May_ -1984 ~

' ' ~

u. ,

S ,

. - .- -. .- . _ ~ . . . . ~ _ _ = . _. . _ . _ . ~ . - .

u1217912sra8r 03/21/S4 246 MNPS-3 FSAR This testing will consist of manually starting the pump 7.4 during normal surveillance of the system or the breaker for the pump will be racked out. Once the pump is 7.6 running or the breaker is racked'out, the AUTO start and tripping is verified using the emergency generator 7.7 i load sequencer with safety signals generated internally or externally to the sequencer. ) 7.8 7.9 1

During the in'strument functional test, the 7.10 instrumentation setpoints and their operability are checked. The test to verify the automatic response of 7.11 the system is performed during each refueling period.

Correct settings of temperature and flow 7.12 instrumentation are verified by applying a simulated signal.

3. Charging Pumps 7.15 Normally, one charging pump is running. During a loss-of- 7.18 coolant accident (LOCA), two charging pumps operate as part of 'the safety injection system. The third pump is a swing 7.20 pump with a breaker cubicle on each emergency _ bus that is normally. empty. The swing pump uses the breaker of the pump 7.21 which-is not in service. Mechanical and keylock. switches 7.22 preventf the_ pump from being placed on Train A and Train B?

emergency buses.at the.same time. 7.23 On as loss-of-power (LOP) signal'the charging pump,that is 7.24' running is not stripped from the emergency' bus; . therefore, the pump starts- immediately when_ power is' restored. The 7.26

. pumps are_ started automatically on receipt cof' a sequenced-safeguard signal.

IManual controls are provided on the main control board and 7.27

. at the switchgear- for the . charging pumps. - An annunciator is : 7.28 '

._ alarmed -on the main' control- board when localicontrol is 7.-29 selected. ESF status' lights indicate when a ~ charging _ pump 7.30; ,

is_ running, kmneter andi indicator: lights -are -located at the switchgear 7.31--

Land.ontthe; main: control board.

Bypass and~ inoperable alarms are~provided'in.accordance with 7.'32

-Regulatory Guide 1'.47.

.c

Each charging , rump -has; an-_ auxiliary lube-oil pump _with a;.7.33 ~

~ local STOP-AUTO control switch. -An: annunciator. is alarmed.;7.34.

on :the- main control.-boardJ when--STOP -is selected. -The 47.35-iauxiliary-lube-oil pumps will starteautomatically:when._ AUTO

. -:is selected on low lube oil-pressure, or when thetassociated' 7.36 o cha'rging pumpJis1 stopped' . The auxiliary lube-oil: punip - will .7.37; ,

1. ' Amendment 8. 713-10. .May-1984

~ ,

,. - ~

/ -  %

~ "i +

j e ~ -

we g <

v * #* -

u1217912srt8r 03/21/84 246 MNPS-3 FSAR stop automatically when AUTO is selected and lube-oil pressure is above a predetermined pressure and the 7.38 associated charging pump is started.

Analysis 7.40 A. IEEE Standard 279-1971, Paragraph 4.2: 7.42 There are three charging pumps, 3CHS*P3A, B, and C. 7.44 The C pump is a swing pump. Normally, two charging 7.47 pumps (3CHS*P3A and B) have their breakers racked in and one of the two is running. In the event that the A 7.48 or B pump fails, its breaker is racked out and racked into the C pump cubicle (Train A or B). Mechanical and 7.49 electrical interlocks prevent the C pump from being connected to two bures at the same time.

Power is supplied. to the charging pumps from two 7.50 separate emergency buses. No single failure at the 7.51 system level will prevent charging pump safety injection.

B. IEEE Standard 279-1971, Paragraph 4.4: 7.54 Equipment qualifications are dicussed in Sections 3.10 7.56 and 3.11.

C. IEEE~ Standard 279-1971, Paragraph 4.13: 7.60 A bypass and inoperable annunciator in the control room B.2 is. alarmed when any of the-following conditions exists for Train A or B: 8.3

. Charging pump A, B, or C control switch in pull to 8.6 lock or loss of control power or breaker racked out.

. Charging pump cub'icle-ventilation system bypassed. -8.7

.. Auxiliary' building. filter system fan control 8.8 switch in pull.to lock.

'.' Auxiliary building filter . system fan loss of 8.9

control power or breaker racked out.

.. Bypassed pushbutton -depressed for charging pumps 1 8.10 safety injection.

D. IEEE' Standard 279-1971, Paragraph 4.16: 8.13

-Once t a' safety signal is initiated, the charging pumps 8.15 ago' to completion.

Deliberate ' operator. action 'isi 8.16 crequired to. stop a charging pump. The safety signal 8.17 must be reset and the ynnnp stopped by manual . controls. -

Amendment'8 7.3-11L_ .May'1984

u1287912sra87 03/21/84 246 MNPS-3 FSAR E. IEEE Standard 279-1971, Paragraph 4.17: 8.21 The charging pumps have manual controls on the main 8.23 '

control board and at the switchgear. A REMOTE / LOCAL 8.24

control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.

F. IEEE Standard 279-1971, Paragraph 4.10: 8.28 One charging pump at a time can be taken out of service 8.30 and periodically tested in accordance with the Technical Specifications in Chapter 16. 8.31 This testing will consist of manually starting the pump F.33 during normal surveillance of the system or the breaker for the pump will be racked out. Once the pump is 8.35 running or the breaker is racked out, the AUTO start and tripping is verified using the emergency generator 8.36 load sequencer with safety signals generated internally or externally to the sequencer. _

8.37 8.38 During the instrument functional. test, the 8.39 instrumentation setpoints and their operability are checked. The test to verify the automatic response of _8.40-

, the system is performed during each ' refueling period.

Correct settings of temperature and flow 8.41 instrumentation are~ verified by applying a simulated signal.

^

4. Refueling Water Storage Tank to Charging Pump Valve 8.44

~

Redundant -RWST to charging pump' valves have manual controls 8.46.

and indicator lights on the main control board and at the auxiliary.' shutdown panel. REMOTE / LOCAL transfer switches 8.49 are on the transfer switch panels. .An annunciator; is 8.s0 alarmed in the control room when LOCAL control.is selected.

ESF status' lights indicate when the valves are .open. Open 8.52 i and closed valve positions are monitored by the plant computer. The valves open automatically on receipt of an 8.53 SIS or when the volume-control tank level is low-low.

' Analysis '8.55

.A. 'IEEE Standard 279-1971, Paragraph 4.2: 8.57 The RWST to charging ~ pump' valves are redundant and 8.59-

. powered from separate emergency buses._ No: single _ 9.1

/ failure at the system level will_ prevent charging pump safety injection.

f

-Amendment [8' i7.3-12 May 1984 I F h

• M 1 h T

• u1217912sra8r 03/21/84 246 4 MNPS-3 FSAR B. IEEE Standard 279-1971, Paragraph 4.4: 9.4 Equipment qualifications are discussed in Sections 3.10 9.6  ;

and 3.11.

C. 'IEEE Standard 279-1971, Paragraph 4.13: 9.10  !

The charging pump high pressure safety injection bypass 9.12 annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B): 9.13 i . Circuit breaker for valve open. 9.16 4

. Loss of control power to valve. 9.17

. Valve motor thermal overload. 9.18 D. IEEE Standard 279-1971, Paragraph 4.16: 9.21 Once an SIS is initiated, the RWST to charging pump 9.23 valves go to the fully open position. Deliberate 9.25 operator action is required to close the valves. The 9.26 SIS must be reset and the valves closed by manual controls.

E. IEEE. Standard 279-1971, Paragraph 4.17: 9.29

.The RWST to charging pump valves have manual controls 9.31

> on the main control board and at the auxiliary. shutdown panel. .The REMOTE / LOCAL' control transfer switches on 9.33 the transfer switch panels are-alarmed in the control 4

room whenever LOCAL.is~ selected. 9.34' F2. IEEE' Standard'279-1971, Paragraph 4.10: 9.37 i _The. kWST valves are periodically tested in'accordance 9.39 with the Technical Specifications in Chapter 16. Refer 9.41;

j. ,

to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

I '

5. Volume Control Tank Outlet Isolation Valves 9.44

!~

Redundant.' volume control' tank (VCT) outlet isolation valves 9.46 have manual- controls and indicatorL lights- on the main-control ; board- <and lon' the auxiliary shutdown panel. . 9.47

REMOTE / LOCAL transfer

switches are on the ; transfer switch 9 . <49

. panel. - An annunciatorfis alarmed in the control room when' 9.50 LOCAL control is' selected. ESF statustlightssindicate wheni 9.51 the:. valves are' closed. LAn annunciator is alarmed in the 9.52 e ~ control room when-a VCT outlet isolation valve is closed.

Open and close - valve-positions are monitored.by the plant- 9.53

computer. :The: valves close' automatically on~ receipt hof Lan -9.54:

SIS ::or VCT'; low-low level signal,"provided the associated RWST(to.theLeharging pump' valve is open.1 - 9.55

~

Amen'dment-8 7.3-13 , ' =May 1984

. 's _

i

- -e-r ev-r-- s m --, w -,- ,, ,

u1217912sra8r 03/21/84 246 MNPS-3 FSAR Analysis 9.57 A. IEEE Standard 279-1971, Paragraph 4.2: 9.59 The 7CT outlet isolation valves are redundant and 10.1 powered fron. e2parate emergency buses. No single 10.3 failure at the system level will prevent VCT outlet isolation.

B. IEEE Standard 279-1971, Paragraph 4.4: 10.6 Equipment qualifications are discussed in Sections 3.10 10.8 and 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 10.12 A charging pump high pressure safety injection bypass 10.14 annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B): 10.15

. Circuit breaker for valve open. 10.18

. Loss of control power to valve. 10.19

. Valve motor thermal overload. 10.20 D. IEEE Standard 279-1971, Paragraph 4.16: 10.23 Once an SIS or VCT low-low level signal is received, 10.'25 the VCT outlet isolation valves go fully closed. The 10.27 SIS must be- reset and the VCT low-low level signal cleared and the valves opened by manual controls.

E. IEEE Standard 279-1971, Paragraph 4.17: 10.30 The VCT outlet isolation valves have manual controls on 10.32 the main control board and at the . auxiliary' shutdown panel. The REMOTE / LOCAL control transfer switches on 10.34 the transfer switch panels are alarmed in- the control room whenever LOCAL is selected. 10.35 F. IEEE Standard 279-1971, Paragraph 4.10: 10.38 The VCT isolation _ valves are periodically tested in 10.40 accordance with .the Technical . Specifications in Chapter 16. Refer to Sections 7.3.1.2 and 7.3.2'for_ 10.42

' testing of engineered safety actuation system.

6. Charging Pump to Reactor Cold Leg Isolation-Valves 10.45

-Redundant charging pump to reactor cold leg isolation valves -10.47 have manual- controls and indicator- lights on the main control board. Open and . closed valve = positions are 10.50 monitored by the plant' computer. ESF status lights indicate 10.51 Amendment 8' 7.3 ,May_1984 p ,

.u1217912sra8r 03/21/84 246

.HNPS-3 FSAR when the valves are open. An annunciator is alarmed in the 10.52 control room when an isolation valve is open. The valves 10.53 open automatically on receipt of an SIS.

Analysis 10.55 A. IEEE Standard 279-1971, Paragraph 4.2: 10.57 The charging pump to reactor cold leg isolation valves 10.59 are redundant and powered from separate emergency buses. No single failure at the system level will 11.1 prevent charging pump safety injection.

B. IEEE Standard 279-1971, Paragraph 4.4: 11.4 Equipment qualifications are discussed in Sections 3.10 11.6 and 3.11.

C. IEEE Standard 279-1971,' Paragraph 4.13: 11.10 The charging pump high pressure safety injection bypass 11.12 annunciator is alarmed in the control room whenever any of the'following conditions exist (Train A or B): 11.13

. Circuit breaker for valve open. 11.16

. Loss of control power to. valve. 11.17

. Valve motor thermal: overload. 11.18 D. IEEE Standard 279-1971, Paragraph 4.16: 11.21 Once.an SIS is initiated, the charging pump to cold leg 11.23 isolation valves go-to fully open. . Deliberate operator 11.25 action is_ required to'close the valves. The SIS must 11.26 be reset and the valves closed by manual-controls.

E. 'IEEE Standard 179-1971,-Paragraph 4.173 -11.29 lThe charging pump. to -cold leg ~ isolation valves have 11.31 manual controls on the main control board.

.F. IEEE Standard 279-1971,: Paragraph 4.10: 11.35

~.The'chargingpumpstoreactorcoldlegisolationvalves~kl.37 are periodically Ltested in <accordance1 1with .the

-Technical > . Specifications- in Ch. apter:16. Refer to 11.40 Sections 7.3.1.2'and 7.3.2 for -testing of engineered safety. actuation system. '

~

17 Ch'arging Pump to Reactor qpolant System' Isolation Valves 11.43 n

. Redundant .. charging pump to reactor coolant system isolation 11.45

. valves (normal-charging flow path) have manual controls and'-11.47 Amendment 8 7.3-15 -May 1984 u

.-- *_. U

u1217912sra8r 03/21/84 246 MNPS-3 FSAR indicator lights on the main control board. Open and close 11.48 valve positions are monitored by the plant computer. ESF 11.49 status lights indicate when the valves are closed. The 11.50 valven close automatically on receipt of an SIS.

Analysis 11.52 A. IEEE Standard 279-1971, Paragraph 4.2: 11.54 The chargihg pump to reactor coolant system isolation 11.56 valves are redundant and powered from separate emergency buses. No single failure at the system level 11.58 will prevent isolation of normal charging, to reactor coolant system.

B. IEEE Standard 279-1971, Paragraph 4.4: 12.1 Equipment qualifications are discussed in Sections 3.10 12.3 and 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 12.7 Ihe charging pump high pressure safety injectio'n bypass 12.9 annunciator is alarmed in the control room whenever any of the_following conditions exist (Train A or B): 12.10

. _ Circuit breaker for valve open. 12.13

. Loss of control power to valve. 12.14

. Valve motor thermal overload. 12.15, D. IEEE Standard 279-1971, Paragraph 4.16: 12.18

.Once 'an SIS'is initiated, the charging pump to reactor 12.20 coolant isolation valves go to the fully closed. .

position. Deliberate operator action is required to 12.22 open the valves. The SIS must be reset and the valves 12.23

.. opened by manual controls.

E. IEEE Standard 279-1971, Paragraph 4.17: 12.26~

The charging pump to reactor coolant isolation valves 12.28 have manual controls'on the main control board and- at the auxiliary shutdown panel. The REMOTE / LOCAL control 112.31:

transfer switches on the transfer switch panels are

. alarmed in the control room whenever LOCAL is selected. 12.32' '

J F.- 'IEEE Standard 279-1971, Paragraph 4.10: 12.35 1 The_ RWST valves'are periodically tested.in accordance l12.37

~

with the Technical Specifications in Chapter 16. Refer 12.39 to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

Amendment'8- 7.3-16 -May 1984 2 _.. __ l.[_

u1217912sra8r 03/21/84 246 MNPS-3 FSAR

8. Charging Pump Miniflow Isolation Valves (Train B) 12.42 The miniflow isolation valve for each charging pump has 12.44 manual contrcls and indicator lights on the main control board and at the auxiliary shutdown panel. REMOTE / LOCAL 12.47 control transfer switches are on a transfer switch panel.

An annunciator is alarmed in the control room when LOCAL 12.48 control is selected. An annunciator is alarmed in the 12.49 control room when a valve is closed. ESF status lights 12.50 indicate when a valve is closed. Open and closed positions 12.51 are monitored by the plant computer. The valves close 12.52 "

automatically on receipt of an SIS.

9. Charging Pump Miniflow Isolation Valve (Train A) 12.55 The charging pump combined miniflow isolation valve has 12.57 manual control and indicator lights on the main control board. An annunciator alarms in the control room when the 12.59 valve is closed. An ESF status light indicates when the 12.60 valve is closed. The valve is closed automatically on 13.1 receipt of an SIS.

Analysis 13.3 A. IEEE Standard 279-1971, Paragraph 4.2: 13.5 There are three Train B minflow isolation valves and 13.7 I

one combined Train A miniflow isolation valve. The 13.9 Train A and Train B valves are powered from separate emergency buses. No single failure at the system level 13.10 will prevent charging pump miniflow isolation.

B. IEEE Standard 279-1971,- Paragraph 4.4: 13.13 4

Equipment qualifications are discussed in Sections 3.10 13.15 and 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 13.19 The charging pump high pressure safety injection bypass 13.21 annunciator.is alarmed in the control room whenever any of the following conditions exist (Train A or B): 13.22

. Circuit breaker'for valve open. 13.25

. Loss of control power to valve. 13.26-Valve motor thermal overload. 13.27

~

D. IEEE Standard 279-1971, Paragraph 4.16: 13.30 Once an SIS is initiated; the charging pump to miniflow 13.32 isolation valves' go Lto the fully closed position.

Deliberate operator action is required .to open the 13.34 Amendment 8 7.3-17 May 1984

u1217912sra87 03/21/84 246 MNPS-3 FSAR

, valves. The SIS must be reset and the valves closed by 13.35 manual controls.

E. IEEE Standard 279-1971, Paragraph 4.17: 13.38 The Train B charging pump miniflow isolation valves 13.40 have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE / LOCAL control 13.43 transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected. 13.44 F. IEEE Standard 279-1971, Paragraph 4.10: 13.47 The charging pump miniflow isolation valves are 13.49 periodically tested in accordance with the Technical Specifications in Chapter 16. Refer to 13.52 Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

10. Accumulator Isolation Valves 13.55 Two accumulator isolation valves are powered from the 13.57 Train A emergency bus; the other two are powered from the Train B emergency bus. Each valve has manual controls and 13.60 indicator lights on the main control board and at the auxiliary shutdown panel. An annunciator is alarmed in the 14.1 control room when LOCAL control is selected. ESF status 14.2 lights indicate when a valve is closed. An annunciator is 14.3 alarmed in the control room when a valve is closed. Open 14.4

'and close positions are monitored by the plant computer.

The valves open automatically on receipt of an SIS and will 14.5 open automatically on a high pressurizer pressure signal provided the associated control switch is in the AUTO -14.6 position.

Analysis 14.8 A. IEEE. Standard 279-1971, Partagraph 4.2: 14.10 The Train A and B- accumulator isolation valves are 14.12 powered from separate . emergency buses. . No single. 14.14

-failure at the system level.will prevent charging pump miniflow isolation.

B. IEEE Standard 279-1971,_ Paragraph 4.42 14.17-Equipment' qualifications are discussed in Sections 3.10 14.19 and 3.11.

A Amendment 8 : - - 7 . 3 -18 May 1984 ~

u1217912sra8r .03/21/64 246 MMPS-3 FSAR C. IEEE Standard 279-1971, Paragraph 4.13: 14.23 The accumulator tank low pressure safety injection 14.25 bypass annunciator is alarmed in the centrol room whenever an accumulator isolation valve is not fully 14.26 open.

D. IEEE Standard 279-1971, Paragraph 4.16: 14.30 Once an SIS is initiated, the accumulator isolation 14.32 valves;go to the fully open position. Deliberate 14.34 operator action is required to close a valve. The SIS 14.35 must be reset and the valves closed by manual controls.

E. IEEE Standard 279-1971, Paragraph 4.17: 14.38 The accumulator isolation valves have manual controls 14.40 on the main control board and at the auxiliary shutdown panel. The REMOTE / LOCAL control transfer switches on 14.42 the transfer switch panels are alarmed in the control room whenever LOCAL is selected

. 14.43 F.- IEEE Standard 279-1971, Paragraph 4.10: 14.46 The' . accumulator isolation valves are periodically 14.48 tested in accordance with the Technical . Specifications in Chapter 16. -Refer to Sections 7.3.1.2 and 7.3.2'for 14.51 testing of engineered safety actuation-system.

Containment Depressurization System. -14.54-The- containment depressurization systems' - design is described in 14.56 Section 6.2.2 and the -flow diagrams . are shown on' Figures 6.2-37 and 14.57

. 6.2-38. The containment. depressurization systems -consist of the 14.59.

quench spray system and,the containment recirculation; spray system. 14.60' The containment depressurization systems operate only subsequent to a 15.1 design basis accident -(DBA). During normal unit , operation,- the 15.2.

motor-operated fvalves in the containment recirculation ~ pump suction lines and' discharge headers are open. To ensure proper position? of '15.4 these~ valves,- the.-CDA -signal- actuates the valves to-open,and to

[ soverride a::possible close-test ' position. The: ? motor-operated 15.6: - j

~ isolation ' valves'in the quench spray system are closed during normal:

-unit' operation.;~The isolation valves in the quench sprayf discharge 15.7

' headers' and; in Lthe outlet .line .of the refueling water chemical

' addition l tank:open upon'receiptlof a CDA signal. ,The solenoid.fpilot-L15.9 air-operated . valves .in the suction line--from zthe .RWST.'to-the~

- refueling water recirculation -pumps 'close -on a' safety,; injection 15.101 signal '(SIS), .thus isolating : the. nonsafety related portion of the suction piping downsteam of the:second~ isolation valve.- 115.11' The; quench spray, pumps are started automatically on receipt of.a CDA :15.12

~ signal.- On receiptIof.a CDA signal combined with a LOP signal, the-l15.13'

' ' quench sprayf pumps are sequenced on by the' emergency generator load -15.14'-

m 9AmendmentL8 #7.3-19 ' Hay 1984 n-

, L  ;

> c ,

k

~- ..y - + , , y , , - - . , , - , . , , . - -

u1217912sra8r 03/21/84 246 MNPS-3 FSAR sequencer. The quench spray pumps are stopped automatically on 15.15 receipt of a RWST empty signal. -

The containment recirculation pumps are sequenced on automatically by 15.16 the emergency generator load sequencer following receipt of a CDA 15.18 signal or a CDA combined with a LOP signal.

a A. Containment Recirculation System Instrumentation 15.21 The following . instrumentation is provided in the control room to 15.23 monitor the system performance.

-1. Redundant level indicators for the containment sump. One 15.27 level channel is recorded.

2. Containment recirculation pump discharge pressure 15.28 indicators.

3. Containment recirculation.. pump seal head tank low level 15.29 alarm which detects seal water leakage or seal failure.

4. Containment recirculation cooler shell outlet temperature. 15.30 J

5. Redundant containment sump temperature indicators. 15.31 d

-6. Containment recirculation cooler outlet flow indicators. 15.32

7. . Containment recirculation pump flow indicators. 15.33

8. Containment recirculation pump low discharge pressure 15.34

. annunciators interlocked with pump running signal.

A pressure transmitter in the common test line from the RWST and a 15.36 pressure transmitter in. the discharge -line of each containment 15.37

- recirculation pump are utilized by the plant computer to monitor pump differential pressure and verify performance of the containment. 15.38 recirculation pumps.

Analysis 15.41

-A. IEEE' Standard 279-1971, Paragraph 4.2: - 15.42 The containment -recirculation- system is divided into two.'15.441 separate, redundant mechanical and electrical trains. This 15.46 provides-. redundancy; to prevent a. failure.of a~an active.or'

^

l passive component from-impairing the system capability to >15.47

. supply water for the containment depressurization-' system.

B. -IEEE Standar'd 279-1971, Paragraph.4.4

15.50

- Equipment .- ' qualifications are discussed-in' Sections 3.10 andl 15.52

-3.11. .

' ~

m.

Amendmenti8 7.3-20 _May'1984 m -

+._.gr#' p ,r g., 't 4 ~ e- --p p

-. . . - - . - - _ _ . - . -. - --- . _~ - - - - -

ul217912sra8r 03/21/84 246 MNPS-3 FSAR C. IEEE Standard 279-1971, Paragraph 4.13: 15.56 The containment recirculation system bypass annunciator is 15.58 alarmed in the control room whenever any of the following conditions exist (Train A and B): 15.59 i isolation recirculation pump loss of 16.2 Containme.nt control power or breaker racked out.

. Containment recirculation pump control switch in pull 16.3 to lock.

. Service water system bypassed. 16.4

. Containment recirculation pump area air conditioning 16.5 unit'- loss of control-power or circuit breaker open.

. Service water valve to reactor plant component cooling 16.6 water heat exchanger not fully. closed and circuit

' breaker open or loss of control power. 16.7

. Service " water- valve to containment recirculation 16.8 coolers =not fully open and loss of control- power or circuit breaker open. 16.9

. Service water outlet  : valve for. containment 16.10 recirculation coolers not fully open.

.- Service water valve to turbine plant component cooling 16.11 heat exchangers not fully closed and loss of power. or-circuit breaker open. 16.12

. Service water valves to reactor plant component cooling 16.13 heat exchangers-in TEST (No-No Equip).

. Service ' water- inlet' valves for- containment 16.14.

recirculation coolers in TEST-(No-No Equip).

. Service water valves to turbine plant component cooling 16.15 water heat exchangers in TEST'(No-No Equip).

. Recirculation' spray headerEisolation val've: fully open .16.16 and loss of power ~or circuit breaker open.

-. . Cross-connect valveE to low pressure' safety. injection 16.17 system not fully closed.

.' Recirculation -spray _ pump 1suctionLvalve not fully'open 16.18 and loss of power ^or circuit breaker open.

.H Manual bypass pushbutton depressed. ~16.19

- Amenchnent 8 ;7.3-21. ,

May_1984' s

m __f

u1217912sra8r 03/21/84 246 MNPS-3 FSAR D. IEEE Standard 279-1971, Paragraph 4.16: 16.'22 Once a CDA signal is received, the containment recirculation 16.24 pumps are started automatically. Deliberate operater action 16.25 is required to stop the pumps.

E. IEEE Standard 279-1971, Paragraph 4.10: 16.29 The containmen't recirculation system is periodically tested 16.31 in accordance with the Technical Specifications in 16.32 Chapter 16.

The operability of the containment recirculation system 16.34 controls and indications is verified during the instrument

functional test. Also, during this test the instrumentation 16.36 setpoints and their operability are checked. The test to 16.37 verify the automatic response of the system is performed during each refueling period. Correct settings of 16.38 temperature, flow, and level instrumentation are verified by applying a simulated signal.

F. IEEE Standard 279-1971, Paragraph 4.17: 16.41 Controls and indicators are provided in the control room for 16.43 manual operation of the containment recirculation system.

REMOTE / LOCAL control selector switches are provided for the 16.45 containment recirculation pumps outside the control room at 16.46 the- switchgear. An annunciator is alarmed in the control 16.47 room when LOCAL control is selected.

Switchover from the injection -to recirculation phase for the 16.49 recirculation system is described in Section 6.3. Logic for the RWST 16.50 signals is found in Section 6.3.5.4.

• B. Quench Spray System, Instrumentation 16.53 The following instrumentation is provided in the control room.to 16.55 monitor the quench spray system. -

1. Quench . spray pump discharge flow indicators and low flow 16.58 annunciators.

2. RWST (level indication and level alarms). 16.59 "3. . Temperature indicators are -provided on the main control 16.60 board for the RWST, the refueling water. . recirculation -pump suction, and the-refueling water coolers outlet. .High and 17.2 low RWST temperature-is alarmed on the main control board.

'4.- The refueling' water recirculation pumps and the associated 17.3 coolers operate only during' normal unit operation. One 17.4

/ refueling water recirculation pump-is normally running with the other in standby. The standby pump is start,ed' on a 17.5 predetermined RWST high. temperature signal. Both pumps are 17.6 4

Amendment'8 [7i3-22 May 1984 1

- u1217912sra8r 03/21/84 246 MNPS-3 FSAR stopped by a low temperature signal - RWST temperature or

, refueling water recirculation pump suction line temperature. 17.7 The objective of the instrumentation associated with the 17.8 refueling water recirculation pumps is to maintain the temperature of the refueling water within design limits. 17.9 i'

5. The refueling water chemical addition tank is provided wita 17.10 t level and tempe,rature indicators on the main control board. 17.11 Low level and low temperature are alarmed on the main 17.12 control board.

Analysis 17.15 i

j A. IEEE Standard 279-1971, Paragraph 4.2: 17.16 The quench spray system is. divided into two separate, 17.18 redundant mechanical and electrical trains. This dual 17.20 concept provides redundancy to prevent a failure of an active component or a passive component at the system level 17.21 to supply water for the containment depressurization system.

B. IEEE Standard 279-1971, Paragraph 4.4: 17.24 4

Equipment qualifications are discussed in Sections 3.10 and 17.26 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 17.30 The quench spray pump bypass annunciator is alarmed in the 17.32 control room wheneve'r'any of the following conditions exist

.(Train A and B): 17.33

. Quench spray pump in pull to lock. 17.36

. Chemical , addition- tank' outlet valve loss of control 17.37

. power or circuit breaker open.

.. Quench spray header . isolation valve-lossaof control 17.38 power or circuit breaker open.

. Quench spray ; pump ' loss of control power or breaker 17.39' racked out.

. Quench -spray. pump -area air conditioning unit loss.ofcf17.40

-control powerfor circuit breaker open.

. Manual ~ bypass pushbutton depressed. 17.41:

5- D. IEEE~ Standard 279-1971,. Paragraph 4.17: 17.44 The quench; spray. pumps have manual controls cn1 the main 17.46-control board and atf;the: auxiliary shutdown panel. The 17.48-REMOTE / LOCAL control transfer swtiches on the ! transfer

~

. Amendment'8 .7l3423 May 1984' r

N

u1217912srd8r 03/21/84 246 MNPS-3 FSAR switch panel are alarmed in the control room whenever L, '7 ' P .49 is selected.

E. IEEE Standard 279-1971, Paragraph 4.10: 17.52 The quench spray pumps are periodically tested in accordance 17.54 with the Technical Specifications in Chapter 16.

The operabilit'y of the quench spray system controls and 17.57

~ indications.is verified during the instrument functional test. Also, during this test the instrumentation setpoints 17.58 and their operability are checked. The test to verify the 17.59 automatic response of the system is performed during each refueling period. Correct settings of temperature, flow, 17.60 and level instrumentation are verified by applying a simulated signal The testing and calibration of the level switches used for 18.1 the detection of the RWST level is accomplished by taking one logic Train ,(A or B) out of service for a short 18.2 duration. The testing of the RWST level used for ; tripping 18.3 of the quench spray pumps will'be used as an example. The 18.4 circuit breakers are first put in the. trip. position and racked out one. train at a time; or the quench spray cumps will be started manually.. The level switches for the train 18.6 under test are then isolated at the manifold valve.in the

~-

safeguard building. A simulated pressure signal is then 18.7 injected Linto the transmitter which will simulate level in- . .

the RWST. This signal will energize an rutput relay located ~ 18.8. -

in the quench spray pump switchgear. Gntacts from this 18.9.

output relay, which are used to trip the pump breaker,. will b'e monitored .for closing and opening. If the' quench spray .18.10 pumps are started -manually, the -- . output relay will automatically -stop; the quench spray pumps at the proper 18.11.

.setpoint. Contacts which open and close valves will also be '18.13 monitored by position .lightsa. ' associated .with these particular, valves. Verification that the test pressure 18.14

. connections have been-removed and manifold valves have been-

. reopened is . accomplished i by - the: use of alarms,- - valve -18.15 position; lights, and;adminstrative procedures.

Testing- and- . inspections- of 3 th'e.. containment ~ heat . removal and :18.17>

depressurization systems are: described.in Section 6.2.2.4. 18.18-E Containment Isolation System. .

-18.21

.. The .initiat' ion Lsignals. for. the containmentfisolation system are a l18.23 part:of the engineered safety features actuation. system. . Penetration 18.26

- types fand -containmentgisolation valve arrangements.are described in-4 detail-in Section 6.2.4.'

n .

The' safety function'of the containment > isolation' system is to isolate'L18.27.

.--? automatically appropriate lines penetrating.the containment? structure 18.28~

.m s

. Amendment;8- 7~.3 -May 1984 p-. y,.

~

u1217912sra8r 03/21/84 246 MNPS-3 FSAR in order to limit the uncontrolled release pf radioactive materials to the environment, following an accident. 18.29 Analysis 18.32 A. IEEE Standard 279-1971, Paragraph 4.2: 18.33 Containment isolation valves are-located inside and outside 18.35 of the containment structure, ensuring containment integrity. The containment isolation system provides two 18.38 barriers between the atmosphere outside the containment structure and 1) the aumosphere inside the containment 18.39 structure, 2 )the reactor. coolant system, and 3) the systems connected to Items 1 or 2 as a result of or subsequent to a 18.40 DBA signal provided by safety injection, containment isolation Phase A (CDA), containment isolation Phase B 18.41 (CIB), feedwater isolation (FWI), or steam link isolation (SLI). 18.42 These signals will open or close containment structure 18.43 penetrations for_ESF systems which function to mitigate the consequences.of an accident. 18.44 Containment isolation valves are actuated by solenoid- 18.45 operated air pilot valves or by motor-operators. Valves 18.46 controlled by solenoid-operated air pilot valves are designed to fail in the closed position upon loss of power or instrument air. Operators for. motor-operated valves are 18.48 designed for 'a = t closure so as to ensure containment isolation a shortest possible. time. Motor-operated 18.50 vales. fail "as .is" position. Torque and limit 18.51 switches t .;; proper valve setting.

B. IEEE Standard 279-1971, Paragraph 4.4: 18.54 Equipment qualifications are discussed in Sections 3.10 and 18.56 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 18.60 A -containment isolation Phase A bypass annunciator .s i 19.2 alarmed in the control room whenever any of the _following-conditions. exist (Train A or B): 19.3

.. ~ Reactor coolant pump seal water return valve - loss of 19.6. ,

. power. or circuit breaker. open' orc motor. thermal "

overload.

. Reactor coolant' pump seal water' return valve'in TEST 19.7 '

(No-No Equip).

. Manual. bypass pushbutton depressed. 19.8 i

Amendment 8 7.3-25 LMay 1984-

I u1217912sra8r 03/21/84 246

!sMPS-3 FSAR A containment isolation Phase E bypass annunciator is 19.10 alarmed in the control room whenever any of the following conditions exist (Train A or B): 19.11

. Reactor plant component cooling isolation valve - loss 19.13 of power or circuit breaker open or motor the rmal overload. 19.14

. Manual bypass pushbutton depressed. 19.15 D. IEEE Standard 279-1971, Paragraph 4.16: 19.18 Any automatic containment isolation action, once initiated, will 19.20 go to completion. The return to normal operating conditions 19.22 requires deliberate operator action.

E. IEEE Standard 279-1971, Paragraph 4.17: 19.25 The ' operator has the means for manual initiation of the 19.27 ,

containment isolation system independent of automatic actuation. Manual controls and visual indication for the 19.30 containment isolation valves are described in Section 7.5.

F. IEEE Standard 279-1971, Paragraph 4.10: 19.33 Containment isolation valves are tested to ensure they are 19.35 capable of closing by operating manual switches in -the control room and by observing the position lights. Periodic 19.38 testing during. normal operation is performed on all containment isolation valves except those where the test would interrupt or upset normal operation. Testing of these 19.40 valves- is -performed during refueling shutdowns (Table 7.3-12).

4 Refer to Section 6.2.4.4 for testing and inspection 19.41 procedures of containment isolation valves in various

. systems. Table 6.2-66 lists design, operating, 'and 19.42 functional parameters of all containment isolation valves.

The design bases for the controls of the containment isolation system '19.44 are:

1. Physical' and electrical separation between-controls of the 19.46 redundant containment isolation valves is provided to prevent electrical faults =or. physical damage to one of-_the 19.47 containment _ isolation valve controls from affecting the, controls of the redundant valve. 19.48

2. The controls of the containment isolation system- are 19.49:

designed to withstand seismic loads and to operate _in adverse -environmental. conditions in accordance -with- 19.50 requirements -described' in Sections 3.10 and- 3.11, respectively.

. Amendment 8L 7.3-26 May 1984-r -

u1217912sra8r 03/21/84 246 MNPS-3 FSAR Status lights monitoring the status of containment isolation valves 19.52 enable the operator, during emergency conditions, to make sure all 19.54 isolation valves are in the required position, or to take corrective action if necessary.

Combustible Gas Control System in Containment (HCS) 19.57 The combustible gas control system is described in Section 6.2.5 and 19.59 its flow diagram is shown on Figure 6.2-48. 19.60 The hydrogen recombiner system is utilized in the long term following 20.2 a DBA and, therefore, is safety related (QA Category I). Each of the 20.4 redundant trains in the hydrogen recombiner system is completely instrumented to ensure the system performs its safety function following any single failure.

A hydrogen analyzer is permanently installed in each train to provide 20.5 the capability of analyzing the hydrogen content in the gas being 20.6 drawn from the containment atmosphere or in the gas being returned to the containment atmosphere. 20.7 A temperature controller senses the electric preheater discharge gas 20.8 temperature and controls the heating element to maintain the 350 F 20.9 gas temperature required to minimize the possibility of halogen gas inhibiting the recombiner. Flow, temperature, and pressure 20.10 indication is provided at each hydrogen recombiner blower discharge.

Temperature indication is provided at the discharge of each electric 20.11 preheater, recirculator, and inside a pressure indicator and is 20.12 provided at discharge of each hydrogen recombiner.

Each set of instrumentation and controls requiring electric power is 20.13 supplied from an independent source. 120V ac power is supplied from 20.14 the 120V ac vital buses and 125V de power from the 125V de buses.

Analysis 20.17 A. IEEE Standard 279-1971, Paragraph 4.2: 20.18 Combustible gas control is maintained by the DBA hydrogen 20.20 recombiner system-which monitors the hydrogen concentration within the containment and maintains this concentration at a 20.22 safe level in the long term following a design basis LOCA.

The DBA hydrogen recombiner system has two redundant 20.23 100 percent capacity trains to maintain the hydrogen in the containment atmosphere at a safe concentration following a 20.24 DBA. Each of the redundant trains is fully instrumented and 20.25 electric power is supplied from independent Class IE emergency buses to ensure the system performs its safety 20.26 function.

No single. failure at the system level will pr vent the 20.27 hydrogen recombiner system to process and ma'.ntain the hydrogen concentration -in the containment atme;phere below 20.28 Amendment 8 7.3-27 May 1984

__ _ . _ _ . . - ,_ =___ . _ _ _ __ . .. _.

u1217912sra8r 03/21/84 246 MNPS-3 FSAR the limits specified in Regulatory Guide 1.7 following a DBA.

j B. IEEE Standard 279-1971, Paragraph 4.4: 20.31 Equipment qualifications are discussed in Section 3.10 and 20.33 3.11.

C. IEEE Standard 2'79-1971, Paragraph 4.13: 20.37 A DBA hydrogen recombiner system bypassed annunciator is 20.39 alarmed in the control room whenever any of the following conditions exists (Train A or B): 20.40

. Recomb'iner building inlet and outlet ventilation damper 20.43 loss of power.

. Manual bypass pushbutton depressed. 20.44 D. IEEE Standard 279-1971, Paragraph 4.16: 20.47

^

~

The'DBA hydrogen recombiner system is manually initiated and 20.49

< monitored locally in the hydrogen recombiner building.

After the initial heatup of the system, the system operates 20.51' automatically with common alarms located in the control room '20.52

'to alert the operator of a'melfunction.

E. -IEEE Standard 279-1971, Paragraph 4.17: 20.55

'The DBA hydrogen recombiner system operating parameters are- 20.57 monitored, indicated, and controlled locally. In - addition, 20.59 recombiner bypassed and' common ' trouble alarms are annunciated in the control room. Indicators and a recorder- 20.60 l (Channel A only) for hydrogen gas concentration are located

.q

. on the main control boards. The system ' bypass. pushbutton -21.1  !

and loss of control power to the system cubicle ventilation damoers are monitored by the plant computer. 21.2"

~

F. -IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: '21.5

' One ' :recombiner ' train at a time can' be taken out L of service 21.7 and-periodically tested in -accordance withi the ' Technical-l Specifications 'in Chapter 16. Testing of 'the system,is 121.10' accomplished by placing. each subsystem into normal operation. Temperature, flow, pressure; indicators, and the' 21;11 ,

temperature controller are tested at the same time as the system as described- in',Section 6.2.5.4.

The hydrogen 21.13 analyzer is tested, byLinjecting- sample gases, to verify i zero and span calibration.

-Amendment'8 '7.3-28 May 1984 d '

u1217912sre8r 03/21/84 246 MNPS-3 FSAR 4

l Supplementary Leak Collection and Release System 21.16

~ The supplementary leak collection and release system (SLCRS) is 21.18 described in Section 6.2.3; its flow diagram is shown on 21.19 Figure 6.2-46.

l The. SLCRS consist of two exhaust fans, each supplied from a separate 21.21 emergency bus, two filter banks, and the associated ductwork and 21.22 dampers. . .

The SLCRS exhausts, creates, and maintains a partial vacuum of 21.23 1/4-inch water gage in the enclosure building and contiguous 21.24 l- buildings upon receipt of an.5IS signal or when manually started.

!= Following a LOCA, the SIS. signal 1) opens the.5LCRS Train A and B 21.25

-filter bank inlet and 2) starts the SLCRS Train A and B exhaust fans 21.26 l 'High differential pressure across the roughing filter, high 21.27 efficiency particulate air (HEPA) filter, carbon adsorber, and HEPA 21.28

filter of each filter bank is alarmed in the control room.

-The filtered' exhaust is monitored for radiation (Section 11.5) prior 21.29

'to discharge to atmosphere via the Millstone 1 stack. 21.30 Analysis- 21.33 2 A .' IEEE Standard 279-1971, Paragraph 4.2: 21.34 ,

The supplementary leak collection and release system is 21.36 .

! divided into two ' separate, redundant mechanical and electrical ~ trains. This dual train concept provides 21.39

! sufficient redundancy. to' prevent a single failure from impairing the- system capability 'to maintain a negative.-21.40

= pressure of 0.25 inches.in the enclosure building. ..

B '. - 'IEEE Standard'279-1971, Paragraph 4.4: 21.43

' . Equipment qualifications are discussed in Section 3.10 and 21.45 l- '3.11.

~

l- C. IEEE Standard-279-1971c Paragraph-4.13:

_- 21. 49.

~ .

[

.The supplementary leak collection; and release bypassed 1 21.51

<; -annunciator is alarmed:in. control 1 room whenever any.-of Lthe'

following conditions exists (Train A'or B)

. ^ 21. 52--

~

.. JSLCRS -fan . control switch 'in pull to lock position. . 121.55 i 4

.; SLCRS fan loss Lof power _ or . circuit breaker open.- .21.56?

,"2~, .:  ? Manual bypass pushbutton-depressed. 21.57.

'E ,

'M

- kneNdment8: 17.3-29 May 1984

- - r

.- .' f

• _ _._ , m__,. - ,, . . . . . . ,, , .. .- a a -

r- . . u a- - , . - =- e ,.

l u1217912sra8r 03/21/84 246 MNPS-3 FSAR D. IEEE Standard 279-1971, Paragraph 4.16: 21.60 Once an SIS is received, the SLCRS exhausts, creates, and 22.2 meintains a partial vacuum of 0.25 inches. Deliberate 22.4 operator action is required to release the SLCRS from maintaining this vacuum.

E. IEEE Standard 279-1971, Paragraph 4.10: 22.7 The SLCRS is periodically tested in accordance with the 22.9 Technical Specifications in Chapter 16.

Fans, air operated dampers, and controls for the 22.11 supplementary leak collection system are tested by automatically starting or. a simulated SIS signal and 22.12 allowing them to reach rated speed with all dampers in the operating position before being shut down. During the test, 22.14 the instrumentation setpoints and their operability are checked.

Auxiliary Feedwater System 22.17 The auxiliary feedwater system which, except for some SSPS initiation 22.19 signals, is in the balance-of-plant and is described in 22.20 Section 10.4.9. The safety related portions of the auxiliary 22.22 feedwater system are shown on Figure 10.4-9. The auxiliary feedwater 22.23 system meets all the requirements of IEEE Standard 279-1971.

One turbine-driven auxiliary feedwater pump and two motor-driven 22.24 pumps are provided. Each motor-driven pump has half the capacity of 22.25 the turbine-driven pump. Power is supplied to the motor-driven pumps 22.26 from separate emergency buses. Steam supply to the turbine-driven 22.27 pump is shown on Figure 10.3-1. A branch line from three main steam 22.28 lines (A,B,D) is connected into a common header to supply steam to the turbine. A normally closed air-operated valve is installed in 22.29 each branch line (A,B,D). Each air-operated valve is controlled by 22.30 two solenoid-operated valves connected in series in the air supply line. The solenoid-operated valves are supplied power from separate 22.31 emergency buses. Loss of power to either solenoid-operated valve 22.32 will vent air to open the associated air-operated valve. A motor- 22.33 operated stop check' valve is installed in each line. These valves 22.34 are normally in the cpen position. Power for each of the motor- 22.35 operated stop check valves is supplied from an emergency bus.

During normal operation, the operability of all valves in the 22.36 auxiliary feedwater system is verified by remote manual action. The 22.38 three air-operated valves are exercised similarly by isolating the steam supply to the turbine-driven auxiliary feedwater pump by 22.39 closing the motor-operated stop check valves in the steam lines.

In the auxiliary feedwater system, the motor-driven pumps are 22.40 initiated automatically by the following signals: (These signals 22.41 also close the blowdown isolation and sample line valves for all steam generators.)

Amendment 8 7.3-30 May 1984

u1217912sra8r 03/21/84 246 MNPS-3 FSAR

. -Safety injection or c^ontainment depressurization (from solid 22.43 state protection system).

i

. Two out of four (2/4) low-low level in any steam generator 22.44 (from solid state protection system).

. Emergency bus loss of power 22.45

The motor-driven pumps are also started manually. 22.47

' Starting . the turbine-driven pump as well as closing the blowdown 22.48 isolation and sample valves is initiated automatically by a loss of 22.49 power or a 2/4 Low-Low level signal in 2/4 steam generators (from solid state protection system). 22.50 The turbine-driven pump is also started manually. 22.51 Indication. and controls required for the auxiliary feedwater system 22.52 in the event of inaccessibility of the control. room are provided _ on. 22.53

the auxiliary shutdown panel' described in Section 7.4. Table 7.5-1 22.54 is a list of indications provided on the main control board. The 22.55 solenoid-operated modulating valves in the' auxiliary feedwater supply line to each steam generator are manually-operated from 'the- main 22.56 control board or from the auxiliary shutdown panel.

The motor-operated valves in'the auxiliary feedwater lines-from the. 22.57 4

motor-driven Eauxiliary feedwater pumps. discharge are' manually- 22.58 operated from the main' control board or from the-auxiliary shutdown

, panel. The valves associated with any one auxiliary feedwater~ line 22.59 are powered from different emergency buses. The valves.are normally 22.60

. open so that loss'of power to.one emergency bus does not prevent the isolation or control of auxiliary feedwater to.a' steam generator. An' 23.2

' air-operated valve is provided between each steam generator auxiliary

. feedwater pump; suction and the condensate storage tank:to allow' pump 23.3-suction to be-ta' ken.from tank. _.The condensate storage tank . suction 23.4 valves for the motor-driven pumps can 'be_ operated from:the main'

~

control ~ board or from the' auxiliary shutdown _ panel.- The condensate -23.61

. storage tank suction-valve for the turbine-driven auxiliary feedwater pump can be operated from the main control board only. .These valves 23.8-are normally -closed and fail closed. on loss of! control air or 1

. electric. power.

- Steam., generator ' auxiliary :feedwater _ pump suction ~ and discharge 23.9 t

pressure is . indicated in the controlJroom and; monitored by the :' plant 23.10 computer. fFlow tin each steam generator auxiliary feedwater supply 23.11 line is-indicated by flow indicators in'the control room and on the- 23.12 auxiliary ishutdown panel. 'The. correct operation of a pressure loop ~ 23.13

- is verified in. conjunction - with the steam generator auxiliary.

feedwater' pump test- described in Section 10.4.9.4. . The steam 23.15-generator auxiliary feedwater pumps are operated during this test..

Redundant ? demineralized water storage tank (DWST) level transmitters 23N16

- with redundant-level' indicators are provided_ on -the ' main _ control 23.17 board and on the auxiliary shutdown panel. :Leveltis recorded for one' 23.18 i

Amendment 8 7.3-31 .May 1984:

.u1217912sraSr .

03/21/84 246 MPJS-3 FSAR v

channel and-the other channel provides high, low, and low-low level annunciation on the main control board. 23.19 The DWST temperature is maintained 'above a minimum temperature 23.20 automatically by a demineralized water storage tank electric heater 23.21 and-circulating pump. Low temperature is alarmed on the main control 23.22

' board. _f Power- for 'each train is supplied from a separate emergency bus. 23.23 Failure of any train does_not degra.de system capability to supply 23.24 sufficient feedwater to the steam generators'. -

i <

. Testing of actuated devices and Trsociated, control.is' performed 23.25 periodically to -ensure reliability and' performance. Bypass 23.26 indication ..is provided in-ihe'c'ontrol room and is isolated such that it- does not degrade. the protection function of ,the' auxiliary 23.27 feedwater system. ;g -

Analysis" ,

, s -

23.30

- A. -IEEE Standard 279-1971,_ Paragraph 4.2: 23.31 There are two motor-driven auxiliary feedwater pumps with 23.33 power supplied frors separate emergency buses.- The motor ~ 23.35 driven pumps'.each' supplyauxiliaryjeedwatertotwosteam generators. -

A turbine-drive'n auxiliary feedwater, pump' supplies; auxiliary 23.36-E feedwater to all four -steam generatorr; The., turbine 'is 23.37

. supplied ,' steam from "three separate steamy generators s (3RCS*SG1A, B, or D). 6ch- steam supply : l'inevto' the 23;38' auxiliary _ feedpump turbine hasi an' air-operated valve c + norinally- closed and a motor-opirated ' val ~ve ' hormally open.; 23.39-Each : air-operated -valve hastwo, solenoidnvalves',. each '23.40

' supplied power,'from sep'arate emergency'dc? be.ses.k (Loss 'of. 23.41-l power- to. e'ither solenoid valve will- vent

• ab. from'the-associated air-operated valve and-cause it to open'.' Twol of~ 23.42' the normally open motor-operated valves are p'owered from the 1 Train A emergency bus and the. other is ' powered? from.. the '23.43-cTrain-B emergency, bus.. :No single 4 fail'ure atLthe system : 23.44 level willE pre ent -the auxiliary ~ feedwater f Kunp's' f rom f -

. supplying auxiliary feedwaterito-the sicam generators.. }' 23.45

, , . / /:' M' ,;

'Eachlauxiliary feedwater line_fromia. motor-driven' pump hasca: 123.46L normally)open solenoid valve that fa'11s-open.:and._a'fmotor 23.47-

-operated valve normally.-'open that fails as ,islane16ss_of '

~

power.- The' valves are powered- from1 seperate ,, emergency 23.48:

~

1 buses;- the; motor-operated valve..~is power'ed from tee,same electrical train as' - then motor-drivenl' pump. No s' ingle : S 23.50

failureL prevents the

? control 'of au'xiliacy feedwater flow lfrom a motor-operated driven pump,to a steamfgenerstor...' 23.51; 8 -

,y

>p..

w .

-d ' , tr ~.

Each auxiliary -feedwaterfline,from the turbine-driven pump;L23.52 q 23.53

, v. ,

'has'two.normally open: solenoid valves thatTfail2 open.,:.7;The . -

A ..

fame'nchmentl8 7 7.3-32_ May 1984'

" h m

v v

u1217912sroSr ~ 03/21/84 246 MNPS-3 FSAR r

valves are powered from separate emergency buses. No single 23.54 failure will prevent the control of auxiliary feedwater flow to a steam generator.

Each auxiliary feedwater line to a steam generator has a 23.55 Train A and Train B feedwater flow transmitter'and indicator 23.56 powered from separate power supplies. Two Train A and two 23.57 Train B auxiliary feedwater flow indicators, one for each steam generator, are on the main control board and on the 23.58 auxiliary shutdown panel. No single failure will prevent at 23.59 least two auxiliary feedwater flow indicators from indicating at the main control board and at the auxiliary 23.60 shutdown panels. There is a Train A and Train B steam 24.1 generator level indicator for each steam generator on the main control board and at the' auxiliary shutdown panel that 24.2 can be used as backup indication for the flow indicators.

There are two trains of DWST level indicators on the main 24.3 control board and at the auxiliary shutdown panel. The 24.4 Train A level is recorded on the main control board. The 24.5 trains are powered from separate buses. No single failure 24.6 will prevent DWST level indication on the main control board or at the auxiliary shutdown panel.

No single failure at the system level will prevent auxiliary 24.7 feedwater from being supplied to the steam generators.

B. IEEE Standard 279-1971 Paragraph 4.4: 24.10 Equipment qualifications are discussed in Sections 3.10 and 24.12 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 24.16 The motor-driven auxiliary feedwater system bypass (Train A) 24.18 annunciator is alarmed in the control room whenever any of 24.19 the following conditions exist

. Any auxiliary feedwater control and isolation valve for 24.22 motor-driven pumps not fully open.

. . Auxiliary feedwater pump ventilation system bypassed. 24.23

. Either feedpump motor loss of control power or breaker 24.24 racked out.

. ' Motor control switch in pull to lock position. . 24.25

. Manual bypass pushbutton depressed. 24.26 The auxiliary turbine-driven feedpump bypass (Train B) 24.28 annunciator is alarmed in the control room whenever any of the following conditions exist: 24.29 Amendment 8 7.3-33 May 1984 M..._x.-__. _ _ . _ _ _ _ _ _ _ . - ..-_. _. _ - _ - . . _ - - - . _ _ _ . - _ - - - .- - . - - _ - - - . _ . _ _

u1217912'sra8r 03/21/84 ,

246 MNPS-3 FSAR

. Any auxiliary feedwater control and isolation valve for 24.31 i turbine-driven pump not fully open.

. 3 MSS *MOV17A, B. or D not fully open. 24.32

. ' Auxiliary feedwater pump ventilati6n system bypassed. 24.33

. Turbine-driven auxiliary feedwater pump manually 24.34 L tripped.

. Manual bypass pushbutton depressed. 24.35 D. IEEE Standard 279-1971 Paragraph 4.16: 24.38 Once an auxiliary feedwater pump start signal is received, 24.40 the auxiliary feedwater pumps go- to completion and- run.

Deliberate operator action must be taken to stop an 24.42 auxiliary feedwater pump. The AUTO start signal must be. 24.43 cleared and the pumps stopped by manual controls. An 24.44 exception is that the motor-driven pumps are stopped automatically by low suction pressure, low ~ lube oil pressure, and" are stopped automatically by. electrical 24.45 protection trips. The turbine-driven. auxiliary feedwater 24.46 pump is stopped automatically by low suction pressure, low lube oil pressure,.and overspeed. 24.47 E. IEEE Standard 279-1971, Paragraph 4.17: 24.50 The motor-driven auxiliary feedwater. pumps have. manual 24.52 controls on the main. control board and at the switchgear.

REMOTE / LOCAL control transfer switches at~the switchgear are L24.54 alarmed in the control room when LOCAL is selected. 24.55

The; turbine-driven auxiliary feedwater pump' steam supply -24.56 valves have manual controls on the main control board and at _

thefauxiliary shutdown panel. REMOTE / LOCAL-control transfer. 24.58 switches on the transfer switch panels'are alarmed ~ in the

-control room when LOCAL is selected.- -24.59 The turbine-driven auxiliary -feedwater pump speed changer ~ 24.60 has manual controls cn1 the main control: board. . REMOTE / LOCAL 25.'1 control transfer switches-on the transfer switch panels'are alarmed in~the control room when LOCAL ~is selected. 25.2' 1 The auxiliary feedwater ' control and isolation valves have :25.3 manual controls on' the' main' control -board and atL~the

' shutdown panels.: REMOTE / LOCAL control. transfer switches on '25.5-the~ transfer switch panels are< alarmed in the control.: room

~

when LOCAL is' selected. -25.6

< 'F.. IEEE Standard 279-1971, Paragraph 4.10:- ;25.8 During 'the . . instrument- functional: test, the: instrumentation' 25.10 - -

-setponts=and their operability are -ch~ecked.' -The~.testL'to-'25'.12

Amendment-8; 7.3 -

.May 1984

c. s

. +

+ , , .-a,. -, e ,m-s

u1217912sra8r 03/21/84 246 MNPS-3 FSAR verify the automatic response of the system is performed I l during each refueling period. Correct settings of 25.13 l 1

temperature, flow, and level instrumentation are verified by applying a simulated signal.

One motor-driven feedwater pump at a time is taken out of 25.14 service and periodically tested in accordance with the Technical Specifications in Chapter 16. 25.15 This testing will consist of manually starting the pump 25.16 during normal surveillance of the system or the breaker for the pump will be racked out. Once the pump is running or 25.18 the breaker is racked out, the AUTO start and trapping is l verified using the emergency generator load sequencer with 25.19

, safety signals generated internally or externally to the sequencer. 25.20 25.21 f

Refer to Section 10.4.9.4 for testing of turbine-driven 25.22 auxiliary feedwater pump.

The auxiliary feedwater control and isolation valves are 25.23 l- periodically tested in accordance with the Technical .

Specifications .in Chapter 16. The valves are operated 25.25 manually with controls-on the main control board and at the auxiliary shutdown panel.

The steam supply- valves for the turbine-driven pump are 25.26

. periodically _ tested in.-accordance with the Technical Specifications.in Chapter-16. 25.27

, G. IEEE Standard'279-1971, Paragraphs-4.9 and 4.10: 25.30 U f

The DWST-.. level transmittersk auxiliary _ feedwater_ flow 125.32

! transmitters, and . auxiliary feedpump'. ,suctionE pressure

[ ' transmitters are periodically tested in.accordance with.the '25.34-Technical'Specificationszin: -Chapter 16. The transmitters -25.35

'and pressure . switches ~fareJtested'by" injecting a simulated

_ signal.into the instrumentation) loop.

25.36 ESF: Filtration Syst'em- 25'.39 Thel'ESFLjfiltration's'ystem consists offthe auxiliary buildingJfilter- 25.41-

system _(ABFS) which

is described':in1 5ecti'on 9.4.3L'and3 :its' flow: 25.43 diagram'isfshown on Figure 9.4-2.'

"The ~ ABFS consistsJ'of:-twojABFS: exhaust fans, each' supplied from a .25.45-

- separate: emergency bus,.two main filter banks, Land ~ the Dassociated; 25.46 ductworkiand dampers. ,

- The.ifoll wing areas lare_ exhausted by thelABFS:- _ 2

.5.47

.- . Waste [ disposal building:f ' -

25.49

,, . n: .

Amendment n 8, .x ' :- 7 '. 3-3 5 , ~-

iHay'1984E

. . 2-n ;. .

• ' r s:

~

'[ __

r r ._ .

e v. , 4 ~, , , ,

u1217912sre8r 03/21/84 246 MHPS-3 FSAR

. Auxiliary building 25.50

. Containment purge air system 25.51

. Charging pump and component cooling water pump area 25.52 Exhaust from the areas can be directed through the auxiliary building 25.54 filters or bypassed to atmosphere. Both paths of exhaust are 25.55 provided with redundant air-operated dampers with solenoid pilot valves. With the exception of the filter inlet from the charging 25.56 pump and component cooling water pump area, the redundant dampers are 25.57 i

in series a'nd fail closed on loss of power or air.

The filter inlet dampers from the cha~ging r pump and component cooling 25.58 water area are in parallel and fail open on loss of power or air. 25.59 Normally, the exhaust from.the areas is bypassed to the atmosphere. 25.60 However, the exhaust from any or all of the areas can be manually 26.1 i directed through the filters. On receipt of a SIS or LOP signal, 26.2 filter inlet dampers from the charging pump and component cooling water. pump area are opened automatically. All other inlet dampers 26.4 and filter bypass to atmosphere dampers are closed on receipt of 3 SIS, or by manual operation, the Train A filter inlet and exhaust fan 26.5 i discharge dampers open and start the Train A filter exhaust fan.

Train B is then on standby. The safeguard signal is initiated by a 26.7

SIS or'CDA signal. During LOP, the exhaust fans are sequenced in 26.8 accordance with the emergency generator load sequence. The standby 26.9

-filter train is started automatically on a low air flow signal from the operating train.

During refueling and in the event of high radiation from one of the 26.10

-areas exhausted by the ABFS, the exhaust flows.are-manually diverted . 26.11

!- to the auxiliary building filter bank.

The fuel building ~ filter banks are normally bypassed by the 26.12 unfiltered exhaust fan. During refueling and'in the event 'of high 26.13 radiation, the fuel building exhaust is manually diverted.to the fuel building filter bank. 'Either Train A or Train B is operated with the -26.15 other train.in standby.

-The . auxiliary building and fuel building filter ~ banks have. manual 26.16 controls-located on the main heating and -ventilation panel in the~ 26.17 control' room and at the switchgear. iREMOTE/ LOCAL control selector _ 26.18 4

switches. are provided.at the switchgear. An annunciator- is alarmed -26.19 in the ' control' room- when LOCAL control is selected.

~

, Thigh ' differentia 1' pressure across the pref'lter, i carbon adsorber, 26.20

' ~

!and/or'HEPA filter of'each filter bank

~

is' alarmed in the- control 26.21-

-- room . .

t a:

a AmendmentL8 27.3-36' , May 1984' 0  :

w

u1217912sra87 03/21/84 24o MMPS-3 FSAR Analysis 26.24 A. IEEE Standard 219-1971, Paragraph 4.2: 26.25 There are two redundant ESF filtration Trains (A and B). 26.27 The equipment in Train A is supplied from one emergency bus 26.29 and Train B. equipment is supplied from a separate emergency 26.30 bus. No single failure at the system level will prevent the 26.31 ESF filtration system from filtering the air system during an accident. .

26.32 B. IEEE Standard 279-1971, Paragraph 4.4: 26.35 Equipment qualifications are discussed in Sections 3.10 and 26.37 3 .11 '.

C. IEEE Standard 279-1971, Paragraph 4.13: 26.41 A charging pump high pressure safety injection system bypass 26.43 annunciator is alarmed in the control room whenever any of-the following conditions exist (Train A or B): 26.44

. Auxiliary building filter system fan in pull to lock 26.47 position.

. ' Auxiliary building filter . system fan loss of control 26.48 power or breaker racked out.

. Auxiliary building filter system fan outlet damper loss 26.49 of power or circuit breaker open.

D. IEEE Standard 279-1971, Paragraph 4.16: '26.52 Once initiated by a safety signal, the ESF filtration = system 26.54 willigo to completion. Return to normal operation requres 26.56 deliberate operator action by resetting safety signals and

-using manual controls..

E. IEEE Standard-279-1971, Paragraph 4.17

26'.59 LThe-' auxiliary building and fuel building l filter banks have 27.1' manual controls-located on the main heating and~ ventilation:

panel in- 'the -control- room. and' at the switchgear. 27.2 REMOTE / LOCAL control-selector. switches are provided- at .the; 27.4 switchgear. An annunciator is alarmed in the control: room 27.5

when LOCAL control.is selected.

F. IEEE Standard 279-1971, Paragraph 4.10: 727.8-

, The .ESF filtration . system -is ' periodically' tested- in 27.10.

accordance with the.Technica1LSpecifications in Chapter 16; A s During 'the' instrument functional test,.the instrumentation -27.~12 setpoints areichecked. cThe operability of the controls and 27.13 Amendment'8' 7.3-37 .May 1984

u1217912sre8r 03/21/84 246 MMPS-3 FSAR I

1 indication is verified whpn the' system is in test. The test 27.14 s

to verify the auxiliary response of the system is performed during each refueling period. Correct settings of 27.15 temperature and flow instrumentation are verified by applying a simulated signal. AUTO start is verified using 27.16 the emergency load sequencer with safety signals generated internally or externally to the sequencer. 27.17 Essential Auxiliary Support Systems 27.19 Auxiliary support systems that are required to function upon 27.21 initiation of ESFAS :are listed in Table 7.3-11. A summary 27.23 description of these systems are provided in this section.

- Additional details can be found in the referenced sections. 27.24 Service Water System 27.27 ,

The service water system is described in Section 9.2.1 and its flow 27.29 diagram is shown on Figure 9.2-1. For the purpose of instrumentation 27.31 and control application, a recapitulation of the system design follows.

1Nna service water headers, each supplied by two service water pumps, 27.32 are provided. -The power for the two-train design is supplied from 27.33 two separate emergency buses as shown on Figure 8.1-1. Either of the 27.34 two redundant service water system trains has the capability to ~

. supply sufficient- quantities -of cooling water. to the required 27.35 -

. equipment'for safe shutdown.' -For the emergency mode- of-' operation, 27.36 the supply:-lines to s the nonsafety related equipment are isolated by.

au.tomatic-closure.of isolation valves. A LOP, CDA, or service -water 27.38' low header pressure signal automatically' closes isolation valves in' the supply line; to. the turbine. plant. component cooling heat 27.39:

'exchangers. -A LOP or CDA signal also automatically closes' isolation 27.40'

~ valves in the supply. lines to the circulating water pumps' lube water 27.411 and chemical Lfeed chlorination system. In addition to.thoseJelosed' 27.42?

^

on a LOP or-CDA signal,' the :CDA signal automatically : closes the-

- isolation valves' in the supply lines to the reactor' plant component .27.43. .

' cooling heat'exchangers'and automatically opens supply valves to 'the

~

l

containment recirculationtcoolers'. A LOP,' SIS,'or CDA signal causes 27.45 automatic opening'of the air-operated valvcs in the outlet lines-from-U .the diesel engine coolers. A LOPisignal. starts service water booster 27.47

, pumps that supply _the -HCC.'and rod ! control area air-conditioning

< units.

1 Continuous . radiation mon'itoring is provided in the service. water 27.48'

- discharge-~ headers .(Section 11.5)' . Following -a' DBA,- scontinuous 27.49

- i radiation monitoring -(Section:11.5).is provided~in-the discharge of-eachntrain of containment' recirculation . coolers. Each containment .27.51-recirculation _ cooler has-airemotely-operated valve'in its supply and

- discha'rge :line . On-a_high radiation alarm, the operator.can isolate 27.52 Lthe.affected containment recirculation cooler' train.

Control' switches' andl> indicating lights for the' service vater pump 27.'33

, moters are provided on;the main control' board and atithe switchgear. 27.54

~

-Amendment'8 7.3-38 AMay 1984- ,

y,

'i

u1217912sra8r 03/21/64 246 MNPS-3 FSAR 1

l REMOTE / LOCAL control selector switches and LEAD / FOLLOW pump selector 27.55 )

switches are located at the switchgear. An annunciator is alarmed in 27.57 )

the control room when LOCAL control is selected. One service water 27.58 i pump in each train is started manually. The standby pump is started 27.59 automatically by a pressure switch detecting low discharge pressure in the associated header. The action of these pressure switches is 28.1 blocked by a LOP signal. '

The service water pumps are operated in the following manner under 28.2 the indicated accident conditions:

1. LOCA with offsite power available. All pumps that are 28.5 operating prior to the accident continue to operate.

2. LOCA coincident with loss of offsite power. Two pumps, one 28.7 on each emergency bus, start automatically in accordance with' the emergency generator loading sequence. Should one 28.8 of the two service water pumps fail to start, the redundant pump on the same emergency bus starts automatically after a 28.-9 time delay.

3. Loss-of-offsite power. Two pumps, one of each emergency 28.11 bus, start automatically in accordance with the emergency generator loading sequence. Should one of the two service 28.12 water pumps fail to start, the redundant pump on the same emergency bus starts automatically after a time delay. 28.13 The service water system is also a cooling source for the control 28.15 building chilled water system. A three-way valve in the chiller 28.16 condenser outlet- line and a temperature controller in the booster pump discharge line provide temperature control for the chilled water 28.17 system condenser by means of a controlled bypass from the three-way

~

valve.to the booster pump suction. 28.18 The control building chilled water system service water booster pumps 28.19 are interlocked to start and stop with the associated control 28.20 building chilled water pump. Pressure in the service water headers 28.21 is indicated in the control room. For reliability purposes, correct 28.22 operation of the pressure measuring loop in the service water header is verified during operation of the service water system by valving 28.23 the pressure -transmitter out of service and applying a simulated 28.24 signal. Similarly,.the header low pressure annunciation is also 28.25 verified during normal operation. These tests verify correct 28.26 operation of the loops and of the indications provided in the control room.

Service - water discharge ' flow indicators and high'/ low flow 28.27 annunciators are provided on the main control ~ board for the containment recirculation coolers and reactor plant component cooling 28.28 heat exchangers. High/ low service water outlet flow annunciators are 28.29 provided for the diesel engine jacket water coolers.

Correct operation of flow measuring loops is verified by valving the 28.30 flow transmitter out of service and applying a simulated signal. 28.31 Amendment 8 7.3-39 May 1984

u1217912sraBr. 03/21/84 246 MNPS-3 FSAR The - operability of the service water system controls and indications 28.32 common for both normal and emergency mode of operation is verified by 28.33 -

'their normal use. Instrumentation provided for the containment 28.34 recirculation coolers is tested in conjection with the containment recirculation system test. 28.35 Bypass indication is provided in the control room for the service 28.36 water system.

Analysis 28.39 A. -IEEE Standard 279-1971, Paragraph 4.2: 28.40 There are two redundant service water trains (A and B) and 28.42 there are two service water pumps in each train. Normally 28.44 one pump in each train is running with the other in standby.

The pumps in Train A are supplied from one emergency bus and 28.45 Train B pumps are supplied from a separate emergency bus. 28.46 No single failure at the system level will pre' vent the 28.47 service water pumps from supplying service water.

B. IEEE Standard 279-1971,-Paragraph 4.4: 28.51 Equipment qualifications are discussed in Sections 3.10 and 28.53 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 28.57 A bypass annunciator is alarmed in the conttol room whenever 28.59 any of the following conditions exist (Train A or B):

. Service watern pump loss of control power or breaker 29.2 racked out or control switch in pull-to lock .and the

.other pump in the same train with loss of control power- 29.3 aor breaker racked out or control switch in pull to lock.

. Service water- pump a'rea air conditioning unit circuit 29.4' breaker open or loss of control power.

l Service water,= pump area' air conditioning unit control 29.5

- switch in pullito' lock.

J. Manual bypass pushbutton depressed. 29.6 s D. IEEE= Standard 279-1971, Paragraph 4.16:: 29.9

-Once'.a: safety signal is - initi~ated, the lead service water - 29.11-pumpiin~each Train'(A and B) will start. In the event that 29.13 the~ leadLpump. does not: start,.the; follow pump will start one-half second later. 'To stop a running service ~ water pump 29.14

~

requires deliberate operator action; the-safety signals'must be reset and manual controls used to stop the pump.. 29.15 w.

+

~ Amendment 8 :7.3-40 May 1984 F f S - t y , ~sn - , , , , y

u1217912sra8r 03/21/84 246 MNPS-3 FSAR E. IEEE Standard 279-1971, Paragraph 4.17: 29.18 The service water pumps have manual controls located on the 29.20 main control board and at the switchgear. REMOTE / LOCAL 29.22 control selector switches at the switchgear are alarmed in the control room when LOCAL control is selected. 25.23 i

F. IEEE Standard 279-1971, Paragraph 4.10: 29.26 One service water pump at a time can be taken out of service 29.28 and periodically tested in accordance with the Technical Specifications in Chapter 16. 29.29 This testing vill consist of manually starting the pump 29.31 during normal surveillance of the system or the breaker for F the . pump will be racked out. Once the pump is running or 29.33 the breaker is racked out, the AUTO start and tripping is vgrified using the emergency generator load sequencer with 29.34 safety. signals aenerated internally or externally to the sequencer. 29.35

'29.36 During the instrument: functional test, the instrumentation 29.37 setpoints and their operability are . checked.- The 29.38

. operability of the controls and indications is verified when the system is in test. The test to verify the automatic 29.39

-response of the system is performed during each refueling period. Correct settings of temperature 'and flow 29.40 instrumentation are verified by applying a simulated signal.

Reactor Plant Component Cooling Water-System 29.43 t The- reactor plant component cooling water system design is~ described 29.45 in:Section 9.2.2.1'and-the. flow diagram is,shown on Figure 9.2-2. 29.'46 Manual' controls and indicating lights for.the reactor plant component 29.48 cooling water pumps _are provided in the control room _and at the 29.49-

'switchgear. REMOTE / LOCAL'-control selector [ switches are'provided at; 29.50-the switchgear; an annunciator.is' alarmed in'the control room when 29.511 LOCAL control is selected.' Normally,'two pumps are1 operating with 29.52 the third pump on stand-by in Train B. Three pump motor breakers areL 29.53-supplied for four breaker' cubicles - two for each: train.. L The Jnunps 29.54 -

for < Trains-A and -.. B - are normally racked linto their respective.

cubicles,, with' the -third pump breaker racked cinto. its Train B 29.55 cubicle.,EThe. third pump may be operated on Train A-by first racking 29.56l Eits breaker' out. of ' Train.B .and lthen racking it intotthe; Train'A. 29.5.7

cubicle. An electricalJinterlock prevents simultaneousioperation of 29.58

' two LpumpsL'on the'Esame . train.- A keylock switchfis providedLwhich 29.59 allows the third pump to operate on one train or the'other,- but not

on 'both at once. Motor.overcurrent and' auto trip are alarmed in the -29.60 control rooma Status lights and bypass _ indication are ;provided in 30.1 the control room. Power to: Trains A and B reactor plant component. 30.2.

' cooling water pump motors.is supplied from separate emergency buses.

.o 3 -Amendment 8 27.3-41 ,

'May'1984 1

- 6 m

ul217912srO8r 03/21/84 246 MMPS-3 FSAR The reactor plant component cooling pumps are started automatically 30.3 by an SIS or LOP signal. The pumps are sequenced on by the emergency 30.4 generetor load sequencer when an LOP signal exists.

Redundant level switches located on the surge tank for the reactor 30.5 plant component cooling water system are set to detect a sudden drop 30.6 in reactor plant component cooling water system surge tank level, which would result from a rupture of nonsafety-related system piping. 30.7 These level switches automatically close isolation valves, thus 30.8 isolating the system's safety-related portions from the nonsafety- 30.9 related.

All supply lines to reactor plant component cooling water users, both 30.10 safety-related and nonsafety-related, are provided with flow 30.11 indicators and high flow alarms in the control room. Flow is 30.12 totalled by the plant computer. Remote temperature indicators and 30.13 high temperature alarms are provided in the suction lines of each reactor plant component cooling pump. Each compartment of the 30.15 reactor plant component cooling water surge tank is provided with a level sensing channel. The makeup to the surge tank is automatically 30.16 controlled by level in the compartment. The level in each 30.17 compartment is indicated, and low and high level extremes are alarmed in the control room.

A radiation monitor is utilized to monitor Train A or Train B outlet 30.18 from the reactor plant component cooling water heat exchangers. 30.19 Indication and alarm are provided locally; and indication, recording, 30.20 and alarm are provided in the. control room (Section 11.5). 30.21 The containment isolation valves in the reactor plant component 30.22 cooling water lines serving the equipment inside the containment 30.23 structure are closed automatically on receipt of a CIB signal.

Trains A and B cross-connect valves inside the containment are closed 30.24 automatically on receipt of an SIS or surge tank low-low-low level 30.25 signal. ,

Following a LOP or CIA signal, the cooling water source for the 30.26 nonsafety-related components inside the containment structure is 30.27 .

automatically transferred from the chilled water system to the reactor plant component cooling water sys'em. 30.28' ESF status lights are provided in the control room for the reactor 30.29

~

plant component cooling water _ system valves that receive a safety 30.30 signal. Reactor plant component cooling water system bypass alarms 30.31 are provided on the main control board.

Amendment 8 7.3-42 May 1984

-u1217912sra87 03/21/84 246 MNPS-3 FSAR A. Analysis of Reactor Plant Component Cooling Water System 30.34 Analysis 30.36 A. IEEE Standard 279-1971, Paragraph 4.2: 30.38 The reactor plant component cooling water system is divided 30.40 into two separate, redundant mechanical and electrical trains. The system is normally cross-connected; the cross- 30.43 connect valves ,are closed automatically by an SIS supplied or surge tank low-low-low level signal. The cross-connect 30.45 valves are air-operated and fail close on loss of air or loss of power to the associated solenoid valve. No single 30.47 failure at the system level will prevent the system from supplying reactor plant component cooling water for at least 30.48 one train.

B. IEEE Standard 279-1971, Paragraph 4.4: 30.51 Equipment qualifications are discussed in Sections 3.10 and 30.53 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 30.57 A reactor plant component cooling system bypass annunciator 30.59 is alarmed-in the control room whenever any of the following 30.60 conditions exist (Train A or B):

. -Reactor plant. component cooling pump (A or B) control 31.3 1 switch.in pull to lock or circuit breaker racked out or loss of control power and reactor -plant component 31.4 cooling pump (C) control' switch in pull .to lock or circuit breaker racked out or loss of control power. 31.5

. containment isolation valve not fully open. - 31. 6 -

. Service water system bypassed. 31.7

. Reactor plant component cooling heat. exchanger service 31.8

~ water supply valve not fully open.

. Manual bypass'pushbutton depressed. 31.9' D. IEEE Standard-279-1971, Paragraph 4.16: 31.12 Once~an SISLi5' received,'the-reactor plant component _ cooling 31.14

' pumps are started automat * '.ly. -When _a LOP exists, the 31.16

~

pumps are: automaticalli Started by the emergency generatorr

load

sequencer. ' Deliberate operator action _must be taken to 31.17

- stop a pump. The ' SIS and LOP _must be' reset and' manual .31.18 control used to stop a pump.

The-' containment-. air ' recirculation cooling / coil' supply:and 31.19

. return valves'are opened . automatically by- a LOP orf CIA

Amendment 8 -

7.3-43' May 1984-

.1 e

u1217912sra8r 03/21/84 246 MNPS-3 FSAR signal. The LOP and CIA must be reset to close the valves 31.21 manually. The valves close automatically on reactor plant 31.22 component cooling water surge tank low-low-low level. The 31'.23 surge tank low-low-low level signal must be cleared and the CLOSE/ AUTO pushbutton depressed before the valves can be 31.24 ,

opened automatically or manually.  !

The nonsafety header supply and return isolation valves 31.25  :

close automatically on receipt of a CIA or reactor plant component cooling surge tank low-low-low level signal. The 31.27 ,

CIA must be reset and the surge tank low-low-low level signal cleared and manual controls used to open the valves.

The reactor plant component cooling cross-connect valves 31.28 close automatically on receipt of.a SIS or reactor plant component cooling surge tank low-low-low level signal. The 31.30 SIS must be reset and the surge tank low-low-low level signal cleared and manual controls used to open the valves.

The containment isolation valves close automatically on 31.31 receipt of a CIB signal. The CDA signal must be reset and 31.32 manual controls used to open the valves.

The reactor plant component cooling heat exchanger service 31.33 water supply valves close automatically on receipt of a CDA signal. The CDA signal must be reset and manual controls 31.35 used to open the valves.

E. IEEE Standard 279-1971, Paragraph 4.10: 31.38 The reactor plant component cooling system is periodically 31.40 tested in accordance with the Technical Specifications in 31.41 Chapter 16.

The operability of the reactor plant component cooling water 31.43 system. controls and indications is verified during .the instrument' functional test. Also, during this test the 31.45 instrumentation setpoints and their operability are checked.

-The test' to. verify the automatic response of the system is 31.46 performed during each refueling period. Correct settingslof 31.47 temperature, flow, and level instrumentation-are verified by applying a simulated signal.

F. IEEE Standard 279-1971, Paragraph.4.17: 31.50 Controls and indicators are provided in the control room for 31.52 manual operation of the reactor plant -component cooling-water system. REMOTE / LOCAL,~ control selectorfswitches are 31.55 provided for the reactor plant component cooling water pumps outside the control room at the switchgear. Annunciator is 31.57 alarmed in the control room when LOCAL control is selected.

' Amendment1 8 7.3-44: May 1984'

u1217912srt8r 03/21/84 246 MNPS-3 FSAR

' Chilled Water 31.59 Description of instrumentation and controls is provided in 32.1 Section 9.4.1.5.

Electrical 32.5 Description of the onsite electrical system is found in FSAR 32.7 Section S.3.

Emergency Generator Load Sequencer 32.11 The emergency generator loading sequencer (EGLS) is a solid-state 32.13 digital system which provides relay contact outputs to shed loads, 32.15 block manual starts, 'and sequentially load the plant safety buses during emergency conditions. The primary purpose of the EGLS is to 32.16 automatically control the loading of the safety buses when a loss of offsite power has occurred and the buses are being reenergized by the 32.17 emergency diesel generator.

The EGLS accepts bus undervoltage (BUV), SIS, containment '32.18 depressurization (CDA), recirculation (RECIRC), auxiliary reserve 32.19 breaker (AR BKR) status, and diesel generator breaker (DG BKR) status input signals in the form of contact closures and will provide a 32.20

-predetermined sequence of outputs.

The overall sequencing system is comprised of two EGLS cabinets, 32.21 which are identical except for markings.

The EGLS has seven operating modes. Five of these modes are for 32.23

~

plant emergency conditions which involve a loss of offsite power.

The other-two are for plant emergency conditions which do not involve 32.24 a loss'of offsite' power. The modes, in terms of which EGLS inputs 32.25 are activated, are as follows.

1. SIS only 32.27

2. CDA only or SIS and CDA 32.28

3. LOP only '32.29

4. SIS and LOP .32.30

5. CDA and LOP or SIS and CDA and LOP 32.31

6. SIS, RECIRC, and LOP ~32.32

7. CDA or SIS and CDA, RECIRC, and LOP- 32.33

~

The modes are prioritized such that a CDAl mode will always take :32.35 precedence over,a SIS mode when both inputs are present and such that 32.36 a LOP; mode'will always-take precedence over a non-LOP mode, s

Amendmentlk '

7.3-45 May-1984 n

I

.ul217912sra8r 03/21/84 246 MNPS-3 FSAR

'In each of the LOP operating modes, the EGLS first recognizes a loss 32.37 of power on the plant safety buses and immediately generates LOP and 32.38 manual start block (MSB) output signals to plant safety equipment.

These signals effectively strip the bus and temporarily inhibit the 32.39 operator from restarting any loads. This allows the diesel generator 32.40 time to start, achieve proper voltage and frequency and, via the DG BKR, be connected to tr.e plant safety bus without incurring adverse 32.41 loading conditions. Upon receiving a signal confirming that the DG 32.42 BKR has closed, the EGLS will begin generating time sequenced safeguard sequencer start (SSS) and manual trip block (MTB) signalc 32.43 to plant equipment. The SSS and MTB signals, once initiated, are 32.44 maintained until the EGLS is reset or a change in operating mode occurs. The EGLS automatically terminates individual LOP signals 32.45 associated with the loads being started and terminates the remaining 32.46 LOP signals and MSB signals automatically, 40 seconds after the DG BKR has closed. Should a SIS or CDA input occur without a LOP, the 32.47 appropriate .SSS and MTB signals are generated immediately without time sequencing, and the LOP and MSB outputs remain reset. The MTB 32.49

, signal inhibits the operator from retripping loads once they have been automatically started.

LOP outputs also are generated for plant equipment which does not 32.50 have an associated EGLS SSS output signal. In some . cases, the LOP 32.51 outputs are terminated at the end of the 40-second period. In other 32.52 cases, the LOP outputs are not terminated until the EGLS is manually reset. In some of the cases, the LOP outputs are also generated by a 32.53 SIS only or CDA only input.

The EGLS also provides trip _ outputs to the AR BKRs. The AR--BKR trip 32.55 output _is' generated by either a SIS or CDA input, but only if the AR BKRs -are..already open. The output response of the EGLS, except for 32.56 the AR BKR trip' signal and two specific loads, to a SIS or CDA input, Jis delayed approximately 5 seconds if the AR'BKRs are open. .The AR 32'.58 BKR tripfsignal remains' reset and the EGLS response delay;is bypassed if:the AR'BKRs-are closed when a SIS or CDA input occurs. 32.59

~

Initiation. of the RECIRC and LOP. operating modes differs from the 32.60-

otherLLOP. operating modes in as much as ;that during _ recirculation, ,33.1 the SIS' or CDA. input must have occurred and been-reset prior to the *

' loss:of power. -Otherwise,_even thoughethe RECIRC input isi present, 33.2 the EGLS 'will. respond in a SIS and LOP. or CDA' and LOPS operating mode. ~33.3 t

Internal memories, which must; be': manually..resett . retain ;the 33.4'

~information necessaryf to , allow the EGLSLto differentiate between 33.5

.RECIRC and non-RECIRC~ operating modes.

-Station LOE fand' sequence'r LOP memories, which also'must.be manually L33.6 reset, are used to retain'information_concerning the-initial loss of'133.7 power" and.~reenergization of1 the bus by'the diesel generator. .Two' L33.8

' memories.Jare employed ; to prevent .the T EGLS. sfran responding 'to voltage! _ dips : appearing onthe bus- during : loading. : 33.9

~

transient' Normallyi3 the EGLS would'not. respond.to'a second Dloss 'of power' if; 33.10'

'both' memoriesihad not been reset,1but. circuitry in the EGLS provides 33.11 La 3-second window between the sequencer LOP. test and ' station. LOP 1 c

! Amendment 8- 7.3-46 -

May-1984

~

.' , g

+ ' E

u1217912srt8r 03/21/84 246 MNPS-3 FSAR reset during which the EGLS will respond to a second or subsequent 33.12 LOP occurring during reset procedures.

Analysis 33.15 A. IEEE Standard 279-1971, Paragraph 4.2 33.16 The emergency generator load sequencers are divided into two 33.18 separate, redundant mechanical and electrical trains. No 33.20 signal failure at the system level will prevent the' system

from sequentially loading the plant safety buses during emergency conditions. 33.21 i

B. IEEE Standard 279-1971, Paragraph 4.4: 33.24 Equipment qualifications are discussed in Sections 3.10 and 33.26 3.11.

4 C. IEEE Standard 279-1971, Paragraph 4.13: 33.30 An emergency generator load sequencer bypass annunciator 33.32 will alarm in the control room whenever any of the following conditions exist (Train A or B): 33.33

. System is .fm manual Test 2. 33.36 d

. -Control-power not available. 33.37 i . Manual bypass pushbutton depressed. 33.38 D. IEEE Standard 279-1971, Paragraph 4.10: 33.41 The emergency . generator load sequencer is tested 33.43

periodically in accordance with the Technical Specifications in Chapter 16. ,

33.44

-The following is a description of the various test modes that will be 33.47 ,

.used to verify-the operability of the EGLS.

Auto Test '33.49

.The auto test circuit'(ATC) is an EGLS subsystem that is contained 33.50 within the sequencer panel.. The ATC is designed to run continuously 33.52 having 45 separate test states. Each test state is 10 m see in. 33.53 duration with actual testing being performed during the last 1 m' see

.of each. test state. An exception to this is three test states where E33.55

.the test state . timer is interrupted long enough to verify the operability of the normal frequency clocks.

33.56 The ATC verifies two basic types of EGLS responses. -First, that no 33.58

. outputs occur when no Auto Test Inputs:(ATIs) are applied. Second, 33.f9 that the proper outputs occur when ATIs are applied..

Amendment Si I7.3-47 May 1984

u1217912sra8r 03/21/84 246 MNPS-3 FSAR Each odd numbered test state is used to verify that the proper output 33.60 patterns occur when various combinations of ATIs are injected into 34.1 j the. front _end (input buffers) of the sequencer logic. Conversely, 34.2 each even numbered test state verifies that no outputs occur when no ATIs are applied. The even test states also verify that the EGLS was 34.3 reset following the last odd numbered test.

i For each -test, the ATC makes the assumption that the sequencer will 34.4 i fail. At the start of each test, a delayed EGLS fault signal is 34.5 generated. This, in effect, leaves the sequencer with 990jysec in G4T6"~

L which to properly respond in order to reset the fault delay timer. A 34.8 successful fault delay reset will allow the ATC to begin the next

test state. If a; fault is detected, the ATC steps testing the EGLS 34.9 and . provides main board annunciation. The ATC display on the EGLS 34.10 front panel indicates the specific test

state where the fault occured.

s The input and output relays are never actuated by the ATC and, hence, 34.11 are not verified as operable by the ATC. . The input relays will be 34.12 tested- for system operability during the EGLS integrated test. This 34.13 test will be performed at each refueling cycle. The output relays 34.14

. will be tested quarterly by starting all the individual loads through the sequencer, utilizing the output relays. In addition, if a real 34.16 plant input' is received by the EGLS requiring action, the ATC is automatically faulted to prevent it from interfering with EGLS 34.17 operation.

In summation, the ATC verifies, on a continuing basis, all critical 34.18 electrical paths in which a failure would prevent the EGLS from 34.19 performing 'its complete safety function. The ATC will be used to 34.20 satisfy the monthly' actuation logic su'rveillance requirement.

Auto Test Test 34.22

, An auto test-Ltest panel is supplied with the EGLS system as test 34.23

- equipment that will be used on ~ a ' quarterly basis' to verify the 34.24

operability of the-ATC.

The. auto test test panel has the ability to simulate an EGLS failure 34.26 for ATC operational verification (the ability of the ATC to identify 34.27 This is accomplished by creating auto test outputs 34.28 a' failure).

(ATos) when they should not occur or by inhibiting :ATos when they.

should occur. Every auto test fault circuit can be verified using 34.30 the: auto test test panel.

Manual Test Features 34.32 Mode 1 34.34 f

.The : manual test features' provide a'means to simulate EGLS inputs and 34.36 verify response to those inputs. . When initiated, Manual. Test 1 34.38 inhibits all: sequencer outputs except MSas.. Each individual load, 34.39

- however , _ may be selectively _. unblocked using. its associated-2 TEST / INHIBIT switchi 1.e., placing the switch ~into the. TEST position. 34.40 Amendment 8 -7.3-48 May 1984:

4,. _r 2._# -d _ ,-_ L. - _ - . _

u1217912srt8r 03/21/84 246 MNPS-3 FSAR This allows the option of testing tne EGLS logic including sequence 34.41 times or additionally testing sele 34.42 starting the loads. The latter provi,cted des the output relay means to(s) by actually satisfy the 34.43 r requirement of periodically testing safety-related loads.

The inputs to the EGLS are provided by front panel pushbuttons for 34.44 LOP, SIS, CDA, and RECIRC. These inputs can be applied at any time 34.45 and in any order during a test to obtain any mode of operation desired. A DG breaker pushbutton is not provided; rather, a 34.46 simulated DG breaker closure is automatically generated 9 seconds after the LOP pushbutton is pressed. 34.47 Testing the EGLS using Manual Test 1 does not remove the sequencer 34.48 from service. If at any time during testing a real input is 34.49 received, the EGLS resets itself to normal operation responding to the input signal regardless of the TEST / INHIBIT switch positions. 34.50 Mode 2 34.53 Manual Test 2 is identical to Manual Test 1 except that the EGLS is 34.55 not reset when a real input signal is received. Rather, the EGLS 34.57 responds to the input-condition taking into account the individual load TEST / INHIBIT switches. Manual Test 2 provides the ability to 34.58 perform integrated systems testing, inhibiting loads that are not ,

desirable to operate. 34.59 l EGLS Integrated Test 35.1 This is a factory duplicated test that will be performed each 35.2 refueling to. verify system operation by actuating the input relays- 35.4 and monitoring 'the output relays for proper response. One contact 35.5 from each relay in the EGLS cabinet is monitored by a data logger that documents all inputs and outputs and the time that ieach relay 35.6 operated relative to the beginning of the test. The tests that will 35.7 be included within the EGLS integrated test are listed below.

3 LOP CDA RECIRC only 35.10 >

SIS and LOP SIS followed by CDA 35.11 CDA and LOP LOP followed by CDA 35.12 SIS RECIRC and LOP LOP followed by SIS 35.13 CDA RECIRC and LOP LOP followed by SIS RECIRC 35.14 SIS only LOP followed by CDA RECIRC 35.15 CDA only ~ SIS and DG breaker without LOP 35.16 SIS RECIRC only SIS - followed by LOP. 35.17 Emergency Generator Fuel Oil System 35.22 The emergency 'generat'or fuel oil system design and description are 35.24 given in Section 9.5.4 and the flow diagram is shown on Figure 9.5-2.- 35.27 Each of the two emergency generator fuel oil storage tanks is 35.28

-provided with fuel oil level indication locally and on the emergency 35.29 4

generator panel. A low fuel oil level is alarmed on the emergency 35.30 Amendment 8- 7.3-49 May 1984

l 246 03/21/84 u1217912sra8r MNPS-3 FSAR generator panel. Fuel oil moisture content will be tested as 35.31 discussed in Section 9.5.4. 35.32 two emergency generator fuel oilstop day the tanks is provided associated 35.33 Each of the with level switches to automatically start and in a LEAD-FOLLOW emergency generator fuel oil transfer pumps oil transfer 35.34 35.35 arrangement. The LEAD-FOLLOW emergency generator oil transfer pump is 35.36 fueltank are p.

pumps for each 35.37 The selected " lead" emergency generator fuelassociated If the " lead" emergency 35.23 level switch in the started when its level.

day tank reaches a predeterminedpump fails to start and the o~il level generator fuel oil transfer " follow" emergency generator fuel oil 35.39 continues to decrease, the transfer pump is started when the fuel oil level At this reaches level, the 35.41 low level fa predetermined low level switch setting. alarm transfer is on pumps the stop emergency 35.42 The emergency generator fuel oil In addition to 35.43 malfunction.

automatically at a predetermined day control, tank high remote level.

manual pump controls 35.44

.the level switches for pump provided on the emergency generator panel.

generator day tank level 35.45 At a- predetermined level, an emergency alarm on the emergency generator 35.46' 35.47 switch actuates a Low-Low levelA panel.

highonlevel' to alarm switch the the is actuated emergency 35.48at a prede generator fuel oil day tank level generator panel.

generator fuel' oil day tank is 35.49 Fuel . oil level in each emergency the main control 35.50 indicated'on the emergency generator panel and on

~

board. 35.51 the in-line emergency generator fuel oily 35.52 To annunciate fouling on strainers,' differential pressure alarms are provided on the emergenc

-generator panel. 35.53 pressure fuel oil day tank, and 35.54 Fuel- oil transfer pump discharge storage tank. levels are monitored by the plant computer.

in the: 35.55 emergency f generator = panel trouble annunciator is alarmed panel. 35.56 Jus control room when any. alarm exists on the emergency' generator tested in conjunction with the 35.57

. Level controls and ' indicators are The frequency of this 35.58 diesel- engine test described in Section 8.3. ,

test is given in Chapter 16. . 36.1 Emergency Diesel Engine Cooling Water System water system is described in 36.3

~

The emergency diesel engine cooling 36.4 Section 9.5.5 and its flow diagram'is.shown on Figure-9.5-3.

36.6 engine cooling water system has lowApressure,.

low level, 36.8-LThe emergency diesel

~

high temperature, and low temperature alarm switches.

alarm switch is on.the overhead ~ expansion tank.

~

4 May 1984 7.3 amendman 8

a#,. Aa. # & A . - ~ _-- J4: J i.-- 4 4 ,A a-. m-w - & w a

.u1217912srt8r 03/21/84 246 MNPS-3 FSAR Annunciators on the emergency generator panels alarm when the 36.9 following conditions exist:

I . Emergency diesel generator jacket coolant pressure low. 36.11 5 . Emergency diesel generator jacket cooling temperature high. 36.12

. Emergency diese.1 generator jacket coolant temperature low. 36.13

. Emergency diesel generator fresh water expansion tank level 36.14

-low.

A trouble alarm for each emergency diesel generator panel on the main 36.16 control board is alarmed whenever the associated panel has an alarm 36.17 on it.

f Temperature regulating valves controlled by temperature controllers 36.18 maintain the engine cooling water at a preset temperature when the 36.19 engine is running.

! An electric heater controlled by a temperature controller has a local 36.20 AUTO /OFF control switchi The heater is energized when the standby 36.21 jacket coolirg pump is running and jacket coolant temperature is less than a preset temperature and the control switch is in AUTO. The 36.23 i heater is deenergized automatically when the standby jacket coolant pump is stopped or the jacket coolant temperature is greater than a 36.24 j preset _ temperature. The heater is deenergized manually by placing 36.25 control switch in the OFF position.

The standby jacket coolant pump has a local START /STOP/ AUTO control 36.26 switch. The pump is started automatically when engine speed is less .36.27 4

than a preset speed and the control switch is. AUTO or stopped when 36.28 engine speed is above a preset speed. The pump can be stopped or 36.29 started manually with the control switch.

i-

^

Emergency Gene ator Starting Air System _ 36.32

{ '

The emergency generator starting _ air system is described in 36.34

Section 9.5.6 and its flow diagram is shown on' Figure 9.5-3. 36.35 There are two air compressors and separate, air systems for each 36.37 diesel generator. 'Each air compressor is. equipped with a manual '36.38-

~

control switch and indicator lights, located on the motor control t center. A pressure switch on the -air receiver ' tank automatically 36.39 starts and stops each compressor. The switch is set to start'the 36.40 compressor when the tank pressure drops below the low setpoint

- pressure of 375 psig 'and to stop the compressor when the pressure .36.41 reaches the high setpoint pressure of 425 psig. Relief valves'on the 36.42 receiver tanks and at each compressor discharge-are set at 450 psig '

to protect the system from overpressurization. '1he compressor motor 36.44 is also; protected against thermal overload. (

oIf' 'the receiver tank pressure drops to the low-low setpoint pressure 36.45 of 350 psig, the condition' actuates an alarm on' the respective 36.46 Amendment 8 -7.3-51 May 1984

+u- -n g - - , , , - , ,..p ww e - pn -~ y--m- ,m- .-v r ,-

n, n v.-s

_;._. = _ . . . _. - - . . _ - . . . . - - - _

1 u1217912sra8r 03/21/84 246 MNPS-3 FSAR l emergency generator panel and the emergency generator trouble alarm 1 on the main control board. Each receiver tank is also provided with 36.47 a local pressure indicator.

l l' A control air system is connected to the starting air system 36.48 (Figure 9.5-3) to provide a source of air for operation of different 36.49 components in the jacket coolant temperature control system and the l shutdown control system. Refer to Section 9.5.6.5 for a discussion 36.50 l

< of ~ components supplied by air. -

l

, Emergency Diesel Engine Lubrication System 36.53

The emergency diesel engine lubrication system is descriced in 36.55

] Section 9.5.7 and its flow diagram is shown on Figure 9.5-3, 36.56 1-i A low lubricating oil level alarm is provided to alert personnel when 36.58 the lubricating oil level in the sump falls below the manufacturer's 36.59 recommended minimum level.

A high-pressure alarm is provided to alert personnel when the 36.60

, pressure in the crankcase exceeds the manufacturer's recommended 37.1 I

high-pressure limit. .

A high-level alarm switch is provided to alert personnel when the oil 37.2 level in the separate rocker arm lubricating oil- tank exceeds the 37.3 manufacturer's recommended maximum.

A. low-pressure alarm is provided to alert personnel.when the rocker 37.4 arm lubricating oil. pressure falls below the manufacturer's 37.5 recommended minimum.

Actuation of the low lube oil pressure switch will energize an 37.6 annunciator and give an alarm that'the lubricating oil pressure ~has 37.7 reached a dangerously low level. Actuation of any two of these low 37.8 lube oil' pressure switches will shut-down the' engine.

-High- and low-temperature alarms are provided to alert personnel when 37.9 i the oil temperature rises above or falls below the operating range' 37.10 recommended by the manufacturer.

-The following annunciators .are on each emergency generator level 37.11 panel

-.- , Moisture detector circulating pump motor thermal overload or 37.13 loss.of. control power.

. Lube oil moisture content high. 37.14

. Rocker arm lube oil pressure low. 37.15

. Crankcase pressure high.- 37.16

. Lube oil sump temperature low. '37.17' 7.3-52 Amendment ~ 8 May-1984 w

u1217912src8r 03/21/84 246 MNPS-3 FSAR

. Lube oil sump level low. . 37.18

. Lube oil temperature high. 37.19

. Rocker arm reservoir level high. ,

37.20

. Lube oil pressure low. 37.21

' An emergency generator l'ocal panel trouble annunciator for each panel 37.23 is located on the main control board and is alarmed whenever a 37.24 respective local panel annunciator is alarmed.

The prelube oil filter pump has a local STOP/ START control switch and 37.25 the motor has thermal overload protection. The rocker arm prelube 37.27 oil pump - has a local STOP/ START control switch and a remote STOP/ START control switch on the main control board. The motor has 37.29 thermal overload protection.

The emergency. generator prelube oil heater has a local 0FF/ AUTO 37.30 control switch. When in AUTO, the heater is automatically energized 37.31 when the following conditions exists r

. Emergency generator speed below a preset setpoint. 37.33

. Lube oil. temperature below a preset temperature. 37.34

. Prelube oil filter pump running. , 37.35 The emergency generator prelube oil heater is deenergized when any of 37.37

. the above conditions is not met or when the control switch is in OFF. 37.38 Emergency Generator Combustion Air Intake and Exhaust System 37.41 The emergency generator combustion air intake and exhaust system is 37.43 described in Section 1 5.8 and its flow diagram is shown on 37.44 Figure 9.5-3.

The -combustion air intake and exhaust sytem is available when the 37.46 diesel engine is started.

When air ~ lis drawn in through the. filter and silencer, a manometer 37.47 measures pressure. drop.

Green .(running) and red (stopped) status lights are provided in the 37.48 main control room for the diesel engine.

Annunciation is provided in the local and main control board for high 37.49 pressure drop across tre filter.

A recor' der is provided for high opacity in exhaust gases. '37.50 A : pressure indicator is provided locally for inlet pressure to the 37.51 diesel.

Amendment 8 7.3-53 May 1984

. - - - . . - . - _ . ~. .- _- . . . - . - -

u1217912src8r 03/21/84 24G MNPS-3 FSAR t

4 An - exhaust pyrometer is provided, complete with multi-circuit 37.52

~ selector switch and thermocouples for each exhaust, turbocharger 37.53 nozzle, and common exhaust.

! Analysis 37.56 A. IEEE Standard 279-1971, Paragraph 4.2: 37.57 l

~

! The emergency generator fuel oil system is divided into two 37.59 l separate, redundant mechanical and electrical trains. This 38.1

, dual train concept provides sufficient redundancy to prevent l a single failure from impairing the systems capability to 38.2 supply fuel oil to at least one of the diesel engines.

Each emergency generator has the following associated 38.3 l l, systems: emergency diesel generator engine cooling water 2

system, starting air system, engine lubrication system, and 38.4-

. combustion air intake and exhaust system. The electrical 38.5 l equipment for these associated systems is supplied frem  ;

separate emergency buses. The electrical equipment is not 38.6  :

safety grade and is disconnected from the emergency buses automatically by a SIS, CDA, or LOP signal to prevent 38.7 ,

degrading the emergency buses. The equipment is not 38.8 required for emergency generator operation. Each emergency 38.9 generator and its associated system' are completely independent and separate.from aach other. No single failure 38.10  ;

at the system level can prevent the emergency generators from providing powerito at least one emergency bus. 38.11 B. IEEE Standard 279-1971, Paragraph 4.4: 38.14  ;

~i-Equipment qualifications are discussed in Sections 3.10 and 38.16 3.11. Exceptions to equipment qualifications are: 38.17' 1  !

l '. Emergency generator air compressors. 38.20 t .- Emergency generator standby jacket coolant pump and 38.21 heater.

.. Prelube oil filter pump and heater. 38.22

. Rocker arm'prelube oil pump.. 38.23 C.; IEEE Standard 279-1971, Paragraph 4.13: 38.26 '

> An' emergency diesel generator system bypass annunciator is 38.28  ;

alarmed in the control room whenever any of theE following conditions exist 38.29

. Emergency generator breaker racked out or . loss of 38.32 control power. .

. Emergency generator air compressor loss of control 38.33 ,

power or motor thermal overload.

' Amendment 4 7.3-54 May 1984

u1217912srt8r 03/21/84 246 MNPS-3 FSAR

. Emergency generator crankcase vacuum pump loss of 38.34 control power or motor thermal overload.

. Emergency generator auxiliary fuel oil pump loss of 38.35 control power or motor thermal overload.

. Remote voltage switch in MANUAL. 38.36

. Local voltage mode switch in MANUAL. 38.37

. Manual bypass pushbutton depressed. 38.38 D. IEEE Standard 279-1971, Paragraph 4.16: 38.41 Once a LOP, SIS, or CDA signal is received, the emerJency 38.43

, generator will attempt to start. If not started in 38.45 10 seconds,. the start signal is blocked and a " diesel not ready for AUTO start" annunciator will alarm in the control 38.47 room and at the emergency generator local panel. An 38.48 emergency diesel reset pushbutton in the control room or at the emergency generator panel must be depressed and the engine will attempt to start again. Once started, 38.50 deliberate operator action must be taken to stop the emergency generator.

E. IEEE Standard 279-1971, Paragraph 4.10: 38.53 The emergency generator is periodically tested in accordance 38.55 with the Technical Specifications in Chapter 16.

The operability of the emergency generator system controls 38.57 and indications is verified during the instrument functional test. Also, during this test the instrumentation setpoints 38.59 and their operability are checked. Correct settings of 38.60 temperature, pressure, and level instrumentation are verified by applying a simulated signal. The operability of 39.1 the prelube oil filter pump, rocker arm prelube oil pumps, standby jacket coolant pump, and air compressors is verified 39.2 by normal operation when the emergency generator is not running.

F. IEEE Standard 279-1971, Paragraph 4.17: 39.5 Manual controls and indication are on the main control baord 39.7 and at the emergency generator panels for manual operation of the emergency generators. '

39.8 Air-Conditioning, Heating, Cooling, and Ventilation systems 39.12 The safety-related (QA Category I) air-conditioning, heating, 39.14 cooling, and ventilation systems are listed in Table 3.2-1. 39.15 The system designs, flow diagrams, and instrumentation applications 39.17 are given in section 9.4. The design bases for the control ar.J 39.13 Amendment 8 7.3-55 May 1984

._ _ . _ - - _ _ _ _ _ _ _ _ - _ _ _ _ _ _ - _ _ _ _ _ _ _ - _ - _ _ - - _ - _ _ _ _ _ ~

u1217912srC8r 03/21/84 246 MNPS-3 FSAR instrumentation of the safety-related air-conditioning, heating, I cooling; and ventilation systems adhere to the following: 39.19

1. Automatic operation during normal and accident conditions. 39.21

]

2. Manual controls and indication cf the status of all 39.22 components in the control room.

3. Automatic cont'rols as well as manual centrols of redundant 39.73 components are independent and electrically and physically 39.24 separated.

4. Failure of an operating component and/or start of the 29.25 redundant component is annunciated in the control room.

5. Redundant motors and motor-operated dampers have power 39.26 supplied from separate emergency buses. Each redundant air- 39.27 operated damper, with solenoid pilot valve, has power supplied from the separate de bus. The dampers are designed 39.2S to fail in the position of greater safety on loss of air and/or power supply.

The safety objective of the instrumentation and control for safety- 39.30 related air-conditioning, heating, cooling, and ventilation systems 39.31 is to maintain the temperatures within the specific areas they serve, within the design limits required, during normal and accident 39.32 conditions. The control room and instrument rack and computer rooms 39.33 are automatically isolated from the outside atmosphere on receiving a 39.34 control buildino isolation (CBI) signal. A CBI signal is generated 39.35 whenever any one of the following conditions exist

. Outside atmosphere radiation hi-hi. 39.37

. Containment pressure hi-1, 2 out of 3 (2/3) hi. 39.38

. Outside atmosphere chlorine hi. 39.39

. Manual SIS. 39.40

. Manual CSI. 39.41 A differential pressure indicator witti a scale division from zero to 39.43 0.25 in wg is provided in the control room to enable the operator to 39.44 determine that the pressure in the control room is being maintained slightly above the atmospheric pressure following an accident. 39.45 Where high efficiency particulate air (HEPA) filters or carbon 39.46 adsorbers are provided in the system, differential pressure alarms 39.47 are provided to alert the operator to excessive differential pressure across the filter or adsarber and to indicate that changeover to the 39.48 standby train should be made.

Amendment 8 7.3-56 May 1984

246 03/21/84 u1217912src8r MNPS-3 FSAR 39.51 control Building Isolation ~

logic receives automatic 39.53 The control building fromisolation (CBI)monitor per train and one 39.55 one chlorine isolation signalsmonitor per train located in the intake ventilation is to 39.56 the radiation A containment hi-1 pressure signal (2/3 logic) control building.

also utilized as an input to the CBI logic.

can be manually initiated from CBI 39.57 A CBI signal (Train A' or B) main heating and 39.58 pushbuttons on the main control board or from theA CBI is also initiated 39.59 by a ventilation panel in the control room.

manual SIS initiation.

A control room pressurization signal is autcmatically initiated 39.60 60 seconds after a CBI signal is received.

located in auxiliary relay panels AR4 40.1 The CBI logic relays are The panels are in the instrument rack 40.2 40.3 (Train room.

A) and ARS (Train B).The output relays have test pushbuttons the 40.4 in the a panels.

The CBI K1 relays are interlocked with the controls Thefor CSI K2 40.5 isolation valves and the chilled water pump. outlet valves.

ventilation storage tanks' 40.6 relays are interlocked Uith the airarrangement allowsthe This for40.7 testing the v and chilled water pumps for each Train (Acontrol air storage or B),40.8 and for te 40.9 The room.

logic relays are energized to isolate and pressurize th board. 40.12 Analysis 40.13 A. IEEE Standard 279-1971, Paragraph 4.1:

40.15 A CBI signal is automatically initiated on receipt of a high 40.16 radiation, high chlorine, or containment hi-1 pressure high.

40.18 An exception is the chlorine monitors which are not safety .

grade qualified (see Item C, Equipment Qualification).

40.21 B. IEEE Standard 279-1971, Paragraph 4.2:

40.23 The CBI has redundant120 andVseparate trains supplied ac and separate 125 V defrom 40.26 separateAnsafety-relatedexception isHowever,that theachlorine CBI monitors are nots buses.

supplied from safety-related buses. No 40.28 is initiated on loss of power to the chlorine monitors.

single failure will prevent a CBI at the system level.

40.31 C. IEEE Standard 279-1971, Paragraph 4.3:

40.33 Equipment qualifications are discussed in Sections 3.10 and 3.11.

_ _ _ _ _ _ _ _ - - - - - - - - - - - - --uw---r -_ -

u1217912sra8r 03/21/84 246 miPS-3 FSAR An exception to equipment qualifications is that the 40.35 chlorine monitors for CBI are not safety grade qualified. A 40.36 safety grade isolator in the output of the monitors prevents degrading the safety grade CBI circuits. Upon the 40.37 occurrence of a seismic event, the control room ventilation will be put into the recirculation mode manually. An 40.38 evaluation will be made to determine if chlorine leakage is present. If chlorine leakage exists, control room 40.39 pressurization will be manually initiated.

D. IEEE Standard 279-1971, Paragraph 4.8: 40.42 The radiation monitors, chlorine monitors, and containment 40.44 pressure transmitters all derive signals that are direct measures of the variable being monitored. 40.45 E. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: 40.49 Testing of the automatic CBI signals from the chlorine 40.51 monitor, radiation monitor, and containment hi-1 pressure signal (2/3 logic) will be performed by testing each signal 40.52 for each train.

The test for the chlorine monitors will consist of 40.54 verifying, every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, that power is available and no trouble alarms exist at each unit. 40.55 Every 90 days each probe of the monitor will be checked and 40.56 calibrated with a sample gas. The alarm setpoint and trip 40.57 function will be verified with a probe simulator and a step change function check by inserting each probe with a 40.58 chlorine concentration.

At each refueling, a CBI actuation will be tested including 40.59 a test of the pressurization system using a known chlorine sample. 40.60 The inlet ventilation radiation monitors will be calibrated 41.1 on a refueling basis using solid point calibration sources and a fixed geometry. 41.2 on a monthly basis, an analog channel operational test 41.3 verifies the alarm setpoint will be performed.

The individual signals shall automatically close the CBI 41.4 valves and activate the pressurization system with. a 60-second time delsy. 41.5 Once it has been verified that the CBI signal performed its 41.6 function, and before pressurization of the control room, the 41.7 operator will reset the system with the manual CBI reset pushbuttons.

Amendment 8 7.3-58 liay 1984

u1217912srt8r 03/21/84 245 MNPS-3 FSAR l

i Testing the containment hi-1 pressure (2/3 logic) will be 41.8 accomplished in accordance with Section 7.3.2.2.5. '

F. IEEE Standard 279-1971, Paragraph 4.13: 41.11 Bypass and inoperative alarms on the main centrol board for 41.13 i . CBI Train A and B are in accordance with Regulatory l Guide 1.47. A ,CBI_ bypass annunciator is alarmed on the main 41.16 i* control board whenever any of- the following conditions

,' exist:

s

. CBI bypass pushbutton depressed. 41.18 j .-

. Loss of control power to CBI logic relays. 41.19 G. IEEE Standard 279-1971, Paragraph 4.16

41.22 i

l A CBI initiated on the system level will go to completion 41.24 I- with the following exceptions control room pressurization is delayed 60 seconds after a CBI signal is initiated. The 41.26 3 CBI signal can be reset manually on the main control board

-and prevent dontrol room pressurization before the time l

delay expires. 41.27 After a CBI has gone to completion, deliberate. operator 41.28 action is required to return to operation. The CBI signal 41.29 i must be manually reset. The ventilation isolation valves 41.30

. must be manually opened and the _ air storage tank . outlet valves are manually closed.

3 H. IEEE Standard 279-1971,. Paragraph 4.17: 41.33 l A CSI:. signal can be initiated manually with pushbuttons on 41.35 l the main heating and ventilation panel and on the main i ' control boards A manual SIS signal also initiates a CBI 41.38 signal. No single failure within the manual, automatic, or 41.39

! common portions of the CSI' system 'will prevent a CBI F

_ initiation. -

i -

I I. ,IEEE Standard 279-1971, Paragraph 4.18: , 41.'42 The CBI radiation monitor setpoints are administrative 1y 41.44 controlled. The setpoint cannot be changed at the monitor 41.46

-until a. permissive =-has been granted by a- key at the radiation monitoring panel in.' the control room. -

The 41.48 permissive key is a&ninistratively controlled.

The chlorine monitor -setpoint ajdustments are in a local 41.49 control unit that is adminstratively controlled.

J." IEEE Standard 279-1971, Paragraph 4.19: .41.52 Migh chlorine,is alarmed on the main heating and ventilation 41.54 .

L panel in the control. room. High radiation is alarmed on the 41.56

- Amendment 8' 7.3-59 May 1984 ,

M 9- '

iP'"

i w <$+-u: an- = wy 9ge. gaw-* S ap s ie- -- -. r J--W- p---e e- $ -p-=++ 1w-+-g-1 -9*W --t_-

- - . -.- - _- _ - = - _ . _ - . . -. -. - - . . - - . - . - -

u1217912src8r 03/21/84 246 i

'MNPS-3 FSAR' i

, . main control board and on the radiation monitoring system '

console in the control room. An ESF status light indicates 41.57 on the main control board when a CBI signal exists. Hi-1 41.58 4 containment pressure high is alarmed on the main control I

^

board by any channel. Indicator lights on the main control 41.59 board indicate each channel that is alarmed and each is monitored for high pressure by the plant computer. 41.60 Charging Pumps Cooling. System 42.3 l The charging pumps cooling system is a supporting system for the 42.5 i charging pumps and is required to operate during normal unit 42.7 ,

4 operation and following a LOCA and/or loss-of power. The system 42.8 [

design and description are given in Section 9.2.2.4 and its flow  ;

l diagram is shown on Figure 9.2-5. ,

i-Control, switches and indicator lights for the charging pump cooling 42.9 pumps are provided on the main control board and on the auxiliary 42.10  ;

shutdown panel. REMOTE / LOCAL control selector switches' ara located 42.11 i on the transfer switch panels in the vicinity of the < auxiliary 42.12  ;

shutdown panel. An annunciator is alarmed in the control room when 42.13

~

I i local control is selected. For normal unit operation, one of the two 42.14 l 4

pumps is required to operate. This pump is started manually and the 42.15

} other pump is placed on standby. The pump in standby is 42.16  !

i automatically started on low pressure by a pressure switch in the '

l pump's discharge header.

i Following a loss-of-power and/or on receipt of an SIS signal, the 42.17  !

l redundant isolation valves in 'the charging pumps cooling pumps 42.18 discharge header crossover, and in the charging pumps coolers outlet crossover automatically close, thus providing the two independent 42.19

flow paths required during these modes of operation. Each charging 42.20 pump's cooling pump motor's power supply is from a separate emergency.

bus, and the motors start automatically on loss-of-power and/or on an 42.21

j. SIS. The air-solenoid, pilot-operated isolation valves are supplied 42.22 ,

j.

from separate de' buses and on loss of air'and/or loss-of-power fail '42.23 I closed. '

l

! The charging pumps. cooling surge tank .is divided into two 42.24 i

- compartments .with each compartment serving one ' charging pump's 42.25

, cooling pump, thus providing redundancy'in the fluid system design.

Instrumentation is provided to monitor and control water level in 42.26 each compartment of the surge tank at all times. The reactor plant 42.27 component cooling water system automatically provides normal makeup l- to each surge tank compartment.

During the operational. system test, the instrumentation setpoints and 42.28 their operability are checked and' adjusted. The operability .of the 42.29 charging pumps cooling system controls and indications is ver!.fied by their normal use. The test to verify the automatic response of the 42.30 system is performed during each refueling period. Correct settings. 42.31' i of temperature,. flow, and . level instrumentation are , verified by applying a simulated signal. -Pressure transmitters in the suction 42.32.

Amendment-8 .7.3-60 M'ya 1984- ,

. r

..-... _ , , ~ , . - . , _ . .. . - - - - - . . _ . _ , ~ . - . -

u1217912src8r 03/21/84 246 MNPS-3 FSAR and discharge of each cooling pump are monitored by the plant computer to determine pump performance. 42.33 ESF status lights are provided on the main control board to indicate 42.34 charging pumps cooling pump and crossover valve status. 42.35 Analysis 42.3C A. IEEE' Standard 2'79-1971, Paragraph 4.2: 42.39 The charging pumps cooling system is normally cross- 42.41 connected at the discharge and suction of the cooling pumps.

On receipt of a SIS or LOP signal, the cross-connect valves 42.43 are closed automatically to separate Train A from Train B. 42.44 There are four normally open, air-operated, cross-connected 42.45 valves that fail closed on loss of air or loss of power to the solenoid valves. Solenoid valves control air to the 42.47 -

cross-connect valves; two are powered from the Train A emergency de bus and two are powered from the Train B 42.48 emergency de bus.

A temperature dontrol valve for each charging pump cooler is 42.49 controlled by a temperature indicating controller and a safety-related solenoid valve powered from an emergency de 42.50 bus. The temperature control valve opens to the heat 42.51 exchanger on loss of air, loss of power to the solenoid valve, or when the charging pump cooler outlet temperature 42.52 is greater than a predetermined setpoint. The solenoid 42.53 valves are powered from separate buses.

The charging pumps cooling pumps are p'owered from separate 42.54 emergency buses. Normally, one pump is running and the 42.55 other on standby. On receipt of an SIS or LOP signal, both 42.56 pumps are started automatically.

No single failure at the system level can prevent cooling 42.57 water from being supplied to at least one charging pump.

B. IEEE Standard 279-1971, Paragraph 4.4: 42.60 Equipment qualifications are discussed in Sections 3.10 and 43.2 3.11.

C. IEEE. Standard 279-1971, Paragraph 4.13: 43.6

. A charging pump high pressure safety injection bypass 43.8 annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or 8): 13.9

. Charging pumps cooling control switch in pull to lock 43.12 position.

. Charging pumps cooling pump loss of control power. 43.13 Amendment 8 _7.3-61 May 1984'

+

=.=_

u1217912srt8r 03/21/84 246 MNPS-3 FSAR 3

. Charging pumps cooling pump motor thermal overload. 43.14 D. IEEE Standard 279-1971, Paragraph 4.16: 43.17 Once an SIS or LOP signal is received, the charging pumps 43.19 cooling pumps are started and the cross-connect valves are closed. Deliberate operator action must be taken to open 43.22 the valves or stop a pump. The SIS and LOP signals must be 43.23 reset and manual control used by the operator.

E. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: 43.26 The charging pumps cooling system is periodically tested in 43.28 accordance with the Technical Specifications in Chapter 16, 43.29 The operability of the charging pumps cooling system 43.31 controls and indicators is verified during the instrument functional test. Also, during this test the instrumentation ~ 43.33 setpoints and their operability are checked. The test to 43.34 verify the automatic response- of the system is peformed during each refueling period. Correct settings of 43.35 temocrature, flow, and level instrumentation are verified by applying a simulated signal.

F. IEEE Standard 279-1971, Paragraph 4.17: 43.38

~

Controls and indicators are provided in the control room for 43.40 manual operation of the charging pumps cooling system.

REMOTE / LOCAL control selector switches are provided at the 43.42 transfer switch panels outside the control room, and manual 43.43 controls and indication ,are on the auxiliary shutdown panelt. An annunciator is alarmed in the control room when 43.-44 local control is selected.

Safety Injection Pumps Cooling System 43.47 The safety injection pumps cooling system is a supporting system for 43.49 the safety injection pumps.and is' required to' operate only- following 43.50 a LOCA.

The system design and description are given in Section 9.2.2.5, and 43.52 the: flow diagram is shown on Figure 9.2-4. The power supply for each 43.54 train of the - two-train system is from a separate emergency bus.

The starting, of. the safety- injection pumps- cooling pumps is 43.55

, interlocked with the starting of the safety injection pumps;. i.e., 43.56 when a safety injection pump is started for testing purposes or due

~

to.a SIS, its associated cooling pump is started automatically. The 43.58 safety injection . cooling pumps surge tank is' divided into two compartments, with each compartment serving a ~ separate pump, thus- 43.59 providing~ redundancy in'the fluid system design. Instrumentation'is 43.60

>provided to monitor and maintain water level in~each compartment ,of-

~

_the . surge --tank. The component: cooling water system automatically-.44.1 provides normal makeup to each surge tank compartment.

.Amenddent:81 17.3-62i May_1984' -

.- - ~. . A

u1217912srt8r 03/21/84 246 MNPS-3 FSAR During the operational system test, the instrumentation setpoints and 44.2 their operability are checked and adjusted.

The operability of the safety injection pumps cooling system ec.:trols 44.3 and indications are verified during the safety injection system test 44.4 Section 6.3.4. Correct settings of temperature, pressure, and level 44.5 instrumentation are verified by applying a simulated signal.

Pressure transmitters in the suction and discharge of each cooling 44.6 pump are monitored by the plant computer to determine pump 44.7 performance.

ESF status lights are provided on the main control board to indicate .44.8 status of the safety injection pumps cooling pumps. 44.9

-Analysis 44.12 A. IEEE Standard 279-1971, Paragraph 4.2: 44.13 The safety injection pumps cooling system is divided into 44.15 two mechanical and electrical trains. The safety injection 44.17 pumps cooling pumps are powered from separate emergency buses. No single failure at the system level can prevent 44.18 the safety injection pumps cooling system from supplying cooling water to at least one safety injection pump. 44.19 B. IEEE Standard 279-1971, Paragraph 4.4: 44.22 Equipment qualifications are discussed in Sections 3.10 and 44.24 3.11.

C. IEEE Standard 279-1971, Paragraph 4.13: 44.28 A safety injection pump high pressure safety injection 44.30 bypass annunciator is alarmed in the control ~ room whenever any of the following conditions exist (Train A or B): 41.31

. Safety injection pump cooling pump circuit breaker 44.34 open.

. Safety injection pump cooling pump loss of control 44.35 power.

. Safety injection pump cooling pump motor thermal 44.36 overload.

D. IEEE Standard 279-1971, Paragraph 4.16: 44.39 Once a safety injection pump is started, the cooling pump 44.41 starts automatically. Deliberate operator action must be 44.43 taken. to stop .a cooling pump. The associated safety 44.44

' injection pumps must be stopped and manual controls used to stop the cooling pump.

Amendment 8 7.3-63 May 1984

u1217912sra8r 03/21/84 246 MNPS-3 FSAR E. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: 44.47

~

The safety injection pumps cooling system is periodically 44.49 tested in accordance with the Technical Specifications in 44.50 Chapter 16.

The operability of the safety injection pumps cooling system 44.52 controls and in,dicators is verified during the instrument functional test. Also, during this test the instrumentation 44.54 setpoints and their operability are checked. The test to 44.55 verify the automatic response of the system is peformed during each refueling period. Correct settings of 44.56 temperature, flow, and level instrumentation are verified by applying a simulated signal.

F. IEEE Standard 279-1971, Paragraph 4.17: 44.59 Controls and indicators are provided in the control room for 45.1 manual operation of the safety injection pumps cooling system. 45.2 7.3.1.2 Design Bases Information 45.6 The functional diagrams presented on Figure 7.2-1, Sheets 5, 6, 7, 45.7 and 8, provide a graphic outline of the functional logic associated 45.9 with requirements for the ESFAS. Requirements for the ESF system are 45.10 given in Chapter 6. Given below is the design bases information 45.11 required in IEEE Standard 279-1971.

7.3.1.2.1 Generating Station Conditions 45.13 The following is a summary of those generating station condit' ions 45.14 requiring protective action.

1. Primary System'g 45.18

a. Rupture in small pipes or cracks in large pipes. 45.20

b. Rupture' of a reactor -coolant pipe (LOCA) . 45.21

~

c. Steam generator tube rupture. 45.23

2. Secondary System: 45.26

a. Minor secondary system pipe breaks resulting in steam 45.28

' release rates equivalent to a single dump, relief, or safety valve. 45.29

b. Rupture of a major steam pipe. ,

45.31 Auendment 8 ,;7.3-64 May 1984

u1217912sra8r 03/21/84 246 MNPS-3 FSAR

3. Control Building Isolation: 45.34

a. Outside atomosphere chlorine high -

d ,. 45.36 y

b. Intake radiation high-high. 45.37

c. Containmen,t Pressure high (hi-1). '45.38 7.3.1.2.2 Generating Station Variables 45.42 The following list summarizes the generating station variables 45.43 required to be monitored for the automatic initiation of safety 45.46 injection during each accident identified in the preceding section.

Post-accident monitoring requirements'are given in Table 7.5-1. 45.47

1. Primary System Accidents: 45.50

a. Pressurizer pressure. 45.52

b. Containment pressure (not required for steam generator 45.53 tube rupture).

2. Secondary System Accidents: 45.57

a. Pressurizer pressure. 45.59

b. Steam line pressures and pressure rate. 45.60

c. Containment pressure. 46.2

3. Control Building: 46.5

a. Chlorine high. 46.7

b. Radiation high-high. 46.8

c. Containment pressure hi-1. 46.9 7.3.1.2.3 Spatially Dependent Variables 46.13-The only variable sensed by the ESFAS which has spatial dependence is 46.14 reactor-coolant temperature. The effect on the measurement is 46.16 negated by taking multiple _ samples from the reactor coolant hot- leg and averaging these. samples by mixing the resistance temperature 46.17 detect.or bypass loop.

7.3.1.2.4 Limits, Margins, and Setpointr 46.19 Prudent operational limits, available margins, add setpoints before 46.20 onset of unsafe conditions requiring procective action are discussed 46.21 in Chapters 15 and 16.

( -

JAmendment 8 7.3-65 May.1984

u1217912sr08r 03/21/04 246 MNPS-3 FSAR I

7.3.1.2.5 Abnormal Events .

46.24 The malfunctions, accidents, or other unusual events which could 46.25 physically damage protection system components or could cause 46.27 environmental changes are as follows. t

1. Loss-of-coolant accident (Chapter 15) 46.29

2. Secondary system accidents (Chapter 15) 46.30

3. Earthquakes (Chapters 2 and 3) 46.31

4. Fire (Section 9.5.1) 46.32

5. Explosion (Hydrogen buildup inside containment) 46.33 (Section 15.4)

6. Missiles (Section 3.5) 4'6.34

7. Flood (Chapters 2 and 3) 46.35

8. LOP (Chapter 8) 46.36

9. Chlorine (Control room habitability) (Section 2.2.3.1) 46.37 7.3.1.2.6 Minimum Performance Requirements 46.40 Minimum performance requirements are as follows. 46.41

1. System Response Times <46.45 The ESFAS response time is defined as the interval required' 46".47 for the ESF sequence to the point. in time that the appropriate variable (s) exceed setpoints. The response time 46.50 includes sensor / process (analog) and logic (digital) delay plus the time delay. associated with tripping open the .46.51 reactor-irip breakers and control and latching mechanisms, although the ESF actuation signal occurs before or 46.52

. simultaneously with ESF sequence initiation (Figure 7.2-1, Sheet 8). The values listed herein are maximum allowable 46.53 times consistent -with zthe -safety analyses' =and. Jare systematically verified during plant preoperational startup 46.54 tests. These maximum delay times thus include s11 46.55 compensation and therefore require that'any such network be-aligned and operating during verification testing. 46.56

-The NESFAS is always capable of having response time tests 46'.57-performed.using the same methods as those tests performed

. during -the preoperational test program or following significant component changes. Maximum allowable; time 46.58 delays .in generating the . actuation.: signal for loss-of-coolant protection are a._ . Pressurizer pressure 2.0. seconds 46.60'

-Amendment 8- 7.3-66 'May 1984

u1217912sraBr 03/21/84 246 MNPS-3 FSAR Maximum allowable time delays in generating the actuation 47.3 signal for steam line break protection are:

a. Steam line pressure 2.0 seconds 47.5 t

b. Steam line pressure rate 2.0 seconds 47.7

c. High containment pressure 1.5 seconds 47.10 for closing main steam 47.11 line stop valves 47.12

d. Actuatien signals for 2.0 seconds 47.16 auxiliary feed pumps 47.17 Maximum allowable time delays in generating the actuation 47.21 signal for CBI:

a. Chlorine -

' 4 seconds 47.23

b. Radiation (later) seconds 47.25

c. Containment pressure Assumed to be 47.28 instantaneous 47.29

2. System accuracies: 47.34 Accuracies required for generating the required actuation 47.36 signals for loss-of-coolant protection are:

a. Pressuricer pressure 14 psi 47.41 (uncompensated) 47.42 Accuracies required in generating the required- action 47.46 signals for a steam break protection are gi'ren:

a. Steam line pressure 4 percent of 47.49 span 47.50

b. Steam line pressure rate 5 percent 47.54 psi /sec 47.55

c. Containment pressure signal 1.8 percent of 47_.59 full scale 47.60 Accuracies required :for . generating the required actuation 4S.4 for CBIt',

.a. ~ Chlorine. 13 percent of 48.7 full scale 48.8

b. ' Radiation !10 percent'at 48.12 center scale 48.13

. Amendment 8. 7.3 May 1954-

u1217912sra8r 03/21/84 246' MHPS-3 FSAR 1

c. Containment pressure 11.8 percentaof 48.17 full scale 48.18  !

3. Ranges of sensed variables to be accommodated until 48.22 conclusion of protective action is assured.

l Ranges required in generating the required actuation signals 48.24 for loss-of-coo,lant protection are given:

a. Pressurizer pressure 1,700 to 2,500 48.27 psig 48.28

b. Containment pressure O to 60 psig 48.31 Ranges required in generating the required actuation signals 48.34 for steam line break protection are given:

a. T 530 to 630*F 48.36

b. Steam line pressure (from 0 to 1,200 psig 48.39 which steam line pressure 48.40 rate ris derived) 48.41

c. Containment pressure O to 60 psia 48.44 Ranges required in generating the required signals for CBI: 48.47 4

a. Chlorine 0-10 ppm 48.49

b. Radiation 10-8erci/cc- 259e +

10 % ci/cc O-7+

c. Containment pressure 60 psia 48.56 7.3.1.3 Final System Drawings 48.60-The schematic diagrams for the systems discussed in this section are 49.1 listed in Section 1.7 and are submitted in support of this 49.3 application.

7.3.2 ' Analysis 49.6 Failure mode and effects. analyses have~been performed on ESF systems- 49.7 equipment-within:the-Westinghouse-scope of supply (WCAP-8584). The 49.10 Millstone .ESF systems, although not identical, have been designed to -

equivalent safety design criteria.

' Analyses of the, instrumentation and control systems used to initiate 49.11 the operation of- the ESF systems and their essential auxiliary 49.12-supporting systems. have been made. For- balance-of plant safety- 49.13 systems, the assurance :that safety-related instrumentation and-control . fulfill their : functions .(assuming a ~ single ' failure) is. 49.14~

achieved by the use of redundant channels,.-trains, _ components; 1 and

'pyiersupplieswith-the_ appropriate _separationprovidedbetweenthem.-.49.15

, 2 -

Amendment 8 ' 7.3-68 May 19841

,c _

.= - -

l u1217912srt8r 03/21/84 246 l MNPS-3 FSAR Detailed documentation in the form of the failure modes and effects 49.16

, analysis or fault tree analyses (based on actual wiring diagrams and 49.17 components of the plant) are presented in a separate report described in Section 7.3.2.1. The analyses were made to assure that each 49.18 system satisfies the applicable design criteria and will perform as intended during all plant operations and accident conditions for 49.19 which its function is required.

The ESF and essential supporting sys'tems are designed so that a loss 49.20 of plant instrument air, the loss of cooling water to vital 49.22 equipment, a plant load rejection, or a turbine trip will not prevent 49.23 the completion of the safety function under postulated accidents and 49.24 failures. Evaluation of the individual and combined capabilities of 49.25 the ESF and supporting systems can be found in Chapters 6 and 15. 49.26 7.3.2.1 Failure Modes and-Effects Analysis 49.28 The systematic, organized, analytical procedure for identifying the 49.29 possible modes of failure and evaluating their consequences is called 49.31 a failure modes and effects analysis (FMEA). Its purpose is to 49.32 demonstrate and verify how the General Design criteria (GDC) and IEEE Standard 279-1971 reqdirements are satisfied. FMEAs that are 49.34 performed on-the Class IE electric power and instrumentation and control portions of the safety-related auxiliary supporting systems 49.35 also determine if they will meet the single failure. criteria.

'The FMEA is produced in the form of a computerized tabulation that 49.36 identifies the component, its failure mode, the method of failure 49.37 detection, and its effect on the safety-related- system. This 49.38-tabulation' is derived from the fault tree analysis (FTA).

Figure 7.3-1 shows a typical page from a FMEA.' 49.39 The FTA is a technique by which-failures that can contribute to an. 49.40 undesired event are. systematically and deductively organized from a 49.41 top ' event.down to subordinate events. It:is pictorially represented 49.42

.by rectangular blocks connected via flow lines te logic gates, all placed together in a tree-shaped configuration. 49.43 The FTA identifies all failure modes that are significant to the 49.44 failure of;the safety-related system,. -the failure paths from the 49.45

. failed items up through the. fault tree to a single. top failure event, and any _ single failures. that may result in .the . failure of the ' system- 49.46 to perform -its intended safety function. It also provides a visual 49.47 display of how the: system can-malfunction. See Figure 7.3-2 for an 49.48

_ example:of a_ computer-plotted fault tree diagram.

When 'the event- ' blocks; and logic ~ gates have been assigned unique 49.49 computer readable codes, the FTA can be processed and printed out as 49.50 a standard format, auditable permanent trecord tabulation called the FMEA. The FMEAs for the systems listedn in Table 7.3-11 -are in ~a 49.51

-report titled Failure Modes and Effects Analysis, submitted as part 49.52 of the documentation provided in Section 1.7.4.

L l .

Amendment 8 ' _7 . 3-6 9 May 1984 g w .* w y e ge - e-- - -c e

u1217912sra8r 03/21/84 246 MNPS-3 FSAR 7.3.2.2 Compliance with Standards and Design Criteria 49.54 Discussion of the GDC is provided in various sections of Chapter 7 49.55 where a particular GDC is applicable. Applicable GDCs include 49.57 Criteria 13, 20, 21, 22, 23, 24, 25, 27, 28, 35, 37, 38, 40, 43, and 46 of the 1971 GDC. compliance with certain IEEE Standards is 49.58 presented in Sections 7.1.2.7, 7.1.2.9, 7.1.2.10, and 7.1.2.11.

Compliance with Regulatory Guide 1.22 is discussed in 49.59 Section 7.1.2.5. The discussion given below shows that the ESFAS 49.60

. complies with IEEE Standard 279-1971 (Institute of Electrical and Electronics Engineers, Inc. 1971). 50.1 7.3.2.2.1 Single Failure Criteria 50.3 The discussion presented in Section 7.2.2.2.3 is applicable to the 50.4 ESFAS with the following exception.

In the.ESF, a loss of instrument power will call for actuation of ESF 50.6 equipment _ controlled by the specific bistable that lost power 50.7 (containment spray excepted). The actuated equipment must have power 50.8 to comply. The power supply for the protection systems is discussed 50.9 in Section 7.6 and in Chapter 8. 'For containment spray, the final 50.10 bistables are energized to trip t'o avoid spurious actuation. In 50.11 addition, manual containment spray requires a simultaneous actuation of two manual controls. This is considered acceptable because spray 50.12 actuation on hi-3 containment pressure signal provides automatic initiation of the system via protection channels. Moreover, two sets 50.14 (two switches per_ set) of . containment spray manual initiation switches are provided to meet the requirements of IEEE Standard 279- 50.15 1971. Also, it is possible for all ESF equipment (valves, pumps, 50.16 etc) to be individually manually actuated from the control board. 50.17

-Herce, a third mode of containment spray initiation is available. 50.18

-The design meets the requirements of Criteria 21 and 23 of the 1971 50.19 GDC. ,

t I 7.3.2.2.2 : Equipment' Quaiification 50.21 Equipment' qualifications are discussed in' Sections- 3.10 and 3.11. 50.22

[7.3.2.2.3 . Channel Independence- 50.25 The discussion-presented in~Section 7.2.2.2.3 is applicable. The ESF 50.27 slave relay outputs from'the solid state logic- protection cabinets 50.29

.are redundant, and the actuation, signals associated with each train-are' energized up to and including ~the-final actuators by the separate 50.30 ac power supplies which power-the logic; trains.

l 7.3.2.2.43l Control and Protection System Interaction- 50.32 L The fdiscussions presented in Section 7.2.2.2.3 are -applicable. - 50.23 l

t I

h

, Amendment 8- -7.3-70  : May ' 1984 '

.u1217912sra8r 03/21/84 246 MNPS-3 FSAR 7.3.2.2.5 Capability for Sensor Checks and Equipment Test 50.38 Calibration The discussions of system testability in Section 7.2.2.2.3 are 50.41 applicable to the sensor, analog circuitry, and logic trains of the 50.42 ESFAS.

The following discussions cover those areas in which the testing 50.44 provisions differ from those for the reactor trip system. 50.45 Testing of Engineered Safety Features Actuation Systems 50.48 The ESFASs are tested to provide assurance that the systems will 50.50 operate as designed and will be available to function properly in the 50.51 unlikely event of an accident. The testing program meets the 50.53 requirements of Criteria 21, 37, 40, and 43 of' the 1971 GDC and Regulatory Guide 1.22 as discussed in Section 7.1.2.8. The tests 50.55 described in Section 7.3.2.2.3 and further discussed in Section' 6.3.4 meet the requirements on testing of the ECCS as stated in GDC 37, 50.56 except for the operation of those components that will cause an actual safety injection. The test, as described, demonstrates the 50.58 performance of the full" operational sequence that brings the system into operation, the tranfer between normal and emergency power 50.59 sources, and the operation of associated cooling water systems. The 51.1 safety injection and residual heat removal pumps are started and operated and their performance verified in a separate test discussed 51.2

~

in Section 6.3.4. When the pump tests are considered in conjunction 51.3 with the ECCS test, the requirements of GDC 37 on testing of the ECCS 51.4 are met as closely as possible without causing an actual safety injection.

l The system ' design, as described in Sections 6.3.4, 7.2.2.2.3, and 51.5 7.3.2.3.3, provides .' complete periodic testability during reactor 51.6 l operation of all logic and components associated with the ECCS. This 51.7 l design meets the requirgments of Regulatory Guide 1.22 as discussed.

l in the above sections. The program is as follows: 51.8 l

1. Prior .to initial plant operations, ESF system tests are 51.10 conducted.

~

2. S'ubsequent to initial startup, ESF system tests are 51.11

. conducted during each regularly scheduled refueling- outage.

h 3. During online operation of- the reactor, .all of the ESF' 51.12 analog and logic circuitry can be fully tested. In 51.13 addition, essentially all of the ESF final actuators can be fully tested. The' remaining few. final actuators, whose 51.14 l operation is not compatible.with online plant operation, can

be' checked by means of continuity testing. 51.15

(- .. .

l 4 .- During normal operation, the operability of testable final 51.16-L ' actuation devices of the ESF systemscan be tested by manual 51.17 L initia, tion from the control. room .or, as indicated in 3 t

- Am'endment' 8 '7.3-71 'May 1984 ~

'~

u1217912srt8r 03/21/84 246 MNPS-3 FSAR above, by actuation of the solid state protection system slave relays from the ESF test cabinets. 51.18 Performance Test Acceptability Standard for the Safety Injection 51.20 Signal and For the Automatic Signal for Containment 51.21 Depressurization Actuatica Generation During reactor operati.on the basis for ESFAS acceptability will be 51.23 the successful completion of the overlapping tests performed on the 51.24 initiating system and the ESFAS (Figure 7.3-3). Checks of process 51.26 indications verify operability of the sensors. Analog checks and 51.27 tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays 51.2S except for the input relays associated with the containment spray function which are tested during the solid state logic testing. 51.29 Solid state logic testing also checks the digital signal path from 51.30 and including logic input relay contacts through the logic matrices 51.31 and master relays and perform continuity tests on the coils of the output slave relays; final actuator testing operates the output slave 51.32 relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant 51.33 upset. A continuity " check is performed on the actuators of the 51.34 untestable devices. Operation of the final devices is confirmed by 51.35 control board indication and visual observation that the appropriate pump breakers close and automatic valves shall have completed their 51.36 travel.

4 The basis for acceptability for the ESF interlocks will be control 51.37 board indication of proper receipt of the signal upon introducing the 51.38 required input at the appropriate 'setpoint.

Maintenance checks (performed during regularly scheduled refueling 51.39 outages), such as resistance to ground of signal cables in radiation 51.40 environments are based on qualification test data which identifies what constitutes. acceptable radiation, thermal, etc, degradation. 51.41 Frequency of Performance of Engineered Safety Features Actuation 51.44 Tests During reactor operation', complete system testing (excluding sensors 51.46 or those devices whose' operation would' cause- plant upset) is 51.48 -

performed periodically as s'pecified in the Technical Specifications.

Testing, including the sensors,.is.also . performed during scheduled 51.49

- plant shutdown for refueling.

Engineered Safety Features Actuation Test Description 51.52 The following sectionsLdescribe the testing circuitry and procedures 51.54-for the'online_ portion of.the; testing program. The guidelines used 51.56

' ' in developing ~the circuitry and procedures are:

1. The_ test procedures 'must not involve .the potential for 51.58 damage:to any plant equipment.

T

- Amendment 18 .7.3-72 May 1984

u1217912srs8r 03/21/84 246 MHPS-3 FSAR

2. The test procedures must minimize the potential for 51.59 accidental tripping.

3. The provisions for online testing must minimize complication 51.60 of engineered safety features actuation circuits so that 52.1 their reliability is not degraded.

Description of Initiation Circuitry - 52.4 Several '

systems, as listed in 7.3.1.1.1, comprise the total 52.6 engineered safety features system, the majority of which may be 52.7 initiated by differenc. process conditions and be reset independently of each other.

The remaining functions are initiated by a common signal (safety 52.9 injection) which in turn may be generated by different process 52.10 conditions.

In addition, operation of all other vital auxiliary support systems, 52.11 suchias auxiliary feedwater, component cooling, and service water, is 52.12 initiated by the safety injection signal.

The output of each~of the initiation circuits consists of a master 52.13 relay .which drives slave relays .for contact multiplication as 52.14 required. The logic, master, and slave relays are mounted in the 52.15

~

solid state logic protection cabinets designated Train A and Train B, 52.16 respectively, for the redundant counterparts. The master and slave 52.17.-

relay circuits-operate various pump- and fan- circuit breakers or' starters,. motor-operated valve contactors, solenoid-operated valves, 52.18 emergency generator star, ting,' etc.

Analog Testing -52.21 Analog' testing .is identical to that used for' reactor trip circuitry 52.23 and is' described in Section.7.2.2.2.3. .

An -exceptioni to this is containment spray, which is energized to -52.25 actuate 2/4 and revertsLto 2/3 when one-channel is in test.- ,

152.26 52.29-

~

Solid State Logic Testing -

' Except ,for containment spray: channels, solid' state?lo'gicitesting is 52.31'

.the'=sameisas:,thatJ.~ discussed in 'Sectionc 7.2.2.2.3. c.During logic- 52.33

~

testing: of :onef train,_ the cother train can initiate.the. required-

. engineered. safety features function.

~

3 - For. c additional (details,, ?see : ' 52. 34. ' ,e i ,

WCAP-7488-LL(1971).. .

- c

)_ , .

. w

c. Actuator Testing -

-52.37;

~

UAt - thisi . point,7. testing; of the initiation' ciircuits through ' operation ' 52.39-

?of:the' master-. relay.;and its contacts:to the' coils of the slave' relays :52.40

.The; ESFAS? logic slave relaysLin the SSPS .52.42

~

1 hash been -accomplished. -

t m output' cabinets. arf subjected to coil continuity; tests' by_the:= output '.

--relay;ftester Lin.the)SSPS' cabinets. Slave > relays,(K601; K602,.etc.)i252.44 ry

- 4 i -

^

l'- .

s s , 94- ,

l1 L' _L _ . I _.- ci

_ 1 k __ ' . _ _. __

~

b

1 246 u1217912sra8r 03/21/84 MNPS-3 FSAR l

coils by j do not operate because of reduced voltage applied to their the mode selector switch'(TEST / OPERATE). A multiple position master 52.46 and relay selector switch chooses different master relays 52.47 1 corresponding slave relays to which the coil continuity is applied. 52.48 j

.The master relay selector switch is returned to "0FF" before the mode 52.50 selector switch is placed back in the " OPERATE" mode. However, ,

failure to do so will not result in defeat of the protective 52.51 I function.. The ESFAS slave relays are activated during testing by the online test cabinet so that overlap testing is maintained.

The ESFAS final actuation device or actuated equipment testing is 52.52 These 52.54 performed from the engineered the safeguards solid state test protection logic cabinets. system cabinets are located near two 52.55 equipment. There is one test' cabinet provided for each of the protection Trains A and B. Each cabinet contains individual test 52.567 To prevent 5 2. 5. .

switches necessary to actuate ,the ~s lave of relays.

the type that must be accidental actuation, test switches are Assignments 52.59 rotated and then depressed to operate the slave relays.

of contacts of the slave. relays for actuation of various final devices or actuators has been made such that groups of devices or 52.60 actuated equipment can be operated individually during plant. In the 53.2 operation without causing plant upset or equipment damage.

- unlikely event that an SIS is initiated during the test of the final device that is actuated by this test, the device will already be in 53.3 its safeguards position.

During this last procedure, .close communication between the main 53.4 control room ' operator and the -operator at the test panel is '53.5 maintained. ~ Prior to the energizing of a slave relay, the operator 53.6 in the main control room assures that plant. conditions wil,1 permit 53.7 After 53.8 I ' operation of the equipment that will be . actuated by the relay.

the tester has energized the slave relay, the main control room 53.9 operator- observes .that all equipment has operated as' indicated by

~ on .the

-appropriate indicating lamps, monitor lamps and annunciators control board,- and records all operations. He then' resets all 53.11 devices and prepares for operation of the next slave . relay actuated i~ equipment.

53.12 By means of the procedure outlined above, all ESF exceptions devices actuated noted by in 53.13 initiation circuits, with- .the ESFAS Section 7.1.2.5 under a . discussion' of Regulatory Guide 1.22-are operated by the automatic circuitry.

53.16

. Actuator Blocking and continuity Test Circuits' These. few final 1 actuation devices that cannot be designed tohave be: 53.18 53.21 actuated lduring plant operation:(discussed in Section 7.1.2.5) been assigned to slave relays for' which ' additional test' circuitry upon has 53.22 been provided to individually block actuation to a final' device' Operation of '53.23 operation of the associated slave relay during testing. of these slave relays, including contact (operations,'.and . continuity 53.24-the: electrical- circuits associated with the: final. devices' control

-are-checked in. lieu of. actuation-operation. The circuits provide for153.25

. monitoring .of the slave relay. contacts,- the' devices' control circuit.

7.3-74' 'May 1984:

- Amendment.8

. . .-_ _-. _ - =-- - - - -

i u1217912sra8r 03/21/84 246 MNPS-3 FSAR cabling, control- voltage, and the devices' actuation solenoids. 53.26 Interlocking prevents blocking the output from more than one output 53.27 relay in a protection train at a time. Interlocking between trains 53.28 is also provided to prevent continuity testing the both trains simultaneously, therefore the redundant device associated with the 53.29 protection train not under test will be available if event protection action is required. If an accident occurs during testing, the 53.31 automatic actuation circuitry will override testing as noted above.

One exception to this is that if the accident occurs while testing a 53.32 slave relay whose output must be blocked, thase few final actuation 53.33 devic'es associated with this slave relay will not be overridden; however, the redundant devices in the other train would be 53.34 operational and would perform the required safety function.

Actuation devices to be blocked are identified in Section 7.1.2.5. 53.35

^

The continuity' test circuits for these components that cannot be 53.36 actuated online are verified by test lights on the safeguards test 53.37 cabine ts.

The- typical schemes for blocking operation of selected protection 53.38 function actuator circuits are shown on Figure 7.3-4 as details A and 53.39 t B. The schemes operate as explained below and are duplicated for 53.40 each safeguards train.

Detail A- shows the circuit for contact closure for protection: -53.41 function actuation. Under normal plant operation and equipment not 53.42 under test, the test lamps "DS*" for the various circuits will be energized. Typical circuit path will be through the normally closed 53.44 test- relay contact "K8*" and'through test lamp connections 1 to 3. 53.45 Coils "X1" and "X2" will be capable of being energized for protection 53.46

• function actuation upon closure of solid state logic output relay 53.47 contacts "K*." Coil "X1" or "X2" is typical for a breaker closing 53.48 auxiliary coil, motor starter master coil, coil of a solenoid valve, 53.49 auxiliary relay, etc. When the contacts "K8*" are~ . opened to block 53.50 energizing of coil "X1".and "X2," the white lamp is deenergized, and the slave relay "K*" may be energized to perform continuity. testing. 53.51 To verify operability of the blocking in both' blocking and restoring 53.52 normal service, open the blocking ralay contact in series -.with lamp 53.53 connections - thel t.est lamp should be deenergized; close the. block relay contact in series with the lamp connections - the test lamp 53.54

'should now be energized, which verifies that the circuit is not in its normal, i.e., operable condition. 53.55-l-

[ Detail B shows' the circuit. for contact opening for protection 53.56' l ' function actuation. Under normal plant operation and equipment not 53.57

(: under-' test, the white test lamps "DS*" for the various circuits will be energized,1and the green test lamp "DS*" will be deenergized.. 53.58 Typical- circuit -path for . white lamp "DS*" will .be through the -53.59 normally closed solid state logic output relay centact "K*"

and 53.60 through test . lamp connections 1 to 3. Coils "Y1" and."Y2" will be 5 4 . '.

^

capable of being deenergized for protection function actuation upon opening of- solid state' logic output relay contacts "K*." Coil "Y2" 54.3 is- typical for a: solenoid valve coil, auxiliary relay, etc.- When the 54.4 ccontacter"KS*"- are ; closed to block.deenergizing-of coils."Y1" and Amendment 8 7.3 May 1984.

_ _ _ - - _ _ u

ul217912sra8r 03/21/84 245 MNPS-3 FSAR "Y2," the green test lamp is energized and the slave relay "K*" may 54.5 be energized to verify operation (opening of its contacts). To 54.6 verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the 54.7 green lamp - the green test lamp should now be energized also; cpen this blocking relay contact - the green test lamp should be 54.3 deenergized, which verifies that the circuit is now in its normal, i.e., operable position.. 54.9 Time Required for Testing 54.12 It is estimated that analog testing can be performed at a rate of 54.14 several channels per hour. Logic testing of both Trains A and B can 54.15 be performed in less than 30 minutes. Testing of actuated components 54.17 (including those which can only be partially tested) will be a function of control room operator availability. It is expected to 54.19 require several shifts to accomplish these tests. During this 54.20 procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay 54.21 whose outputs must be blocked and then only while blocked. It is 54.22 anticipated that continuity testing associated with a blocked slave relay could take sevsral minutes. During this time, the redundant 54.23 devices in the other train would be functional.

Summary of Online Testing Capabilities 54.26

~

The procedures described provide . capability for checking completely 54.28 from the process signal to the. logic cabinets and from there to the 54.29 "

individual pump and fan circuit breakers or starters, valve 54.31 contactors, pilot solenoid valves, etc, including all field cabling 54.32 actually_used in the circuitry called upon to operate for an accident

. condition. For those few devices whose operation could adversely 54.33 affect plant or equipment operation, the same procedure provides for 54.34 checking from the process signal to the logic rack. To check the 54.35-fiani actuation devicq, a continuity test of the' individual control

l. circuits is performed.

-The procedures require testing at various locations: 54.36-

1. Analog testing and verification of bistable setpoint are 54.38 l accomplished 'at process analog racks. Verification of 54.39 l bistable . relay - operation Lis done at the main control room :

. status lights.

t. 2. Logic testing through operation of the master relays and low 54.40

'. voltage application to slave relays is done at the logic 54.41-rack test panel.

[ 3. Testing of pumps, fans, land valves is done at a test panel 54^.42 located in the vicinity of the logic-. racks in combination '5 4.43 l

with the control. room operator.

,7.3-76~

~

,  : Amendment 8 .May 1984

, - , . . _ _ .-. ..- ._a. . - -,

u1217912sra8r 03/21/84 246 MNPS-3 FSAR

~

4. Continuity testing for those circuits that cannot be 54.44 operated is done at the same test panel mentioned in 3 above.

The reactor coolant pump essential service isolation valves consist 54.46 of the isolation valves for the component cooling water return and 54.47 the seal water return header.

The main reason _for not testing these valves periodically is that the 54.48 reactor coolant pumps may be damaged. Although pump damage from this 54.49 type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary 54.50 shutdown of the reactor for an extended period of time while the reactor coolant pump or certain of its parts could be replaced. 54.51 Testing During Shutdown 54.54 ECCS tests will_ be performed periodiIcally in accordance with the 54.56 Technical Specifications with the reactor coolant system isolated 54.57 from the ECCS by closing the appropriate valve. A test SIS will then 54.58 be applied to' initiate operation of active components (pumps _ and valves) of the ECCS. This is in compliance with criterion 37 of the 54.59 1971 GDC.

Containment spray system tests will be performed periodically. The 55.1 pump tests will be performed with the isolation valves in the spray supply lines at the containment and spray additive tank blocked 55.2 closed and the valves will be tested periodically with the pumps shutdown.

Periodic Maintenance Inspections 55.5 The maintenance procedures which follow will be accomplished in 55.7 accordance with applicable plant procedures. The frequency will 55.9

, depend on the operating conditions and requirements of the reactor-power plant. If any degradation of equipment operation is noted,. 55.10 either mechanically or electrically, remedial action is taken to repair, replace, or readjust. the equipment. Optimum operating 55.12 performance must be achieved at ill times.

-Typical maintenance procedures include the following. ,55'.13

1. . Check cleanliness of all exterior and' interior surfaces. 55.15'

2. Check all fuses for corrosion. 55.16 3.- Inspect for loose or broken control knobs and burned out 55.17 indicator lamps.

H4. Inspect for moisture and condition of cables and wiring. 55.18

5. Mechanically check all' connectors:and terminal boards for 55.19 looseness,; poor connection, or corrosion.- ,

Amendment 8 7.3-77 May 1984

- , - -. -- - - .- .- =-

u1217912sra8r 03/21/84 246 MNPS-3 FSAR

6. Inspect the components of each assembly for signs of 55.20 overheating or component deterioration.

7. Perform complete system operating check. 55.21 The bal'ance of the requirments listed in Institutue of Electrical and 55.23 Electronic Engineers, Inc. (1976) (Paragraphs 4.11 through 4.22) are 55.24 discussed in Section 7,.2.2.2.1. Paragraph 4.20 receives special 55.25 attention in Section 7.5. -

7.3.2.2.6 Manual Resets and Blocking Features 55.27 a

The manual reset feature associated with containment spray actuation 55.28 is provided in the desien of the solid state protection system design 55.30 p for two basic purposes First, the feature permits the cperator to start an interruption procedure of automatic containment spray in the 55.31 event of false initiation of an actuate signal. Second, although 55.32

spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle 55.33 unexpected events which can be better dealt with by operator appraisalofchangingcynditionsfollowinganaccident. 55.34 It is most important to note that manual control of the spray system 55.35 does not occur, once actuation has begun, by just resetting the 55.36 associated logic devices alone. Components will seal in (latch) so 55.37 that removal of the actuate signal, in itself, will neither cancel or prevent completion of protective action or provide the operator with 55.38 manual override of the automatic system by this single action. In 55.40 order to take . complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays. 55.41 '

which have " sealed in".the initial actuate signals in the associated motor control center, in addition to tripping the pump motor circuit 55.42 breakers, if stopping the pumps is desirable or necessary.

. The manual reset (eature. associated with containment spray, 55.43

[ therefore, does not perform a bypass function. It is merely the 65.44 first of several manual operations required to take control-from the automatic system.or interrupt its completion should such an action be 55.45 considered necessary.

i,

~

In the event .that the operator anticipates system actuation and .55.46 erroneously concludes that it is undesirable or unnecessary and- 55.47 imposes a standing reset condition in one train (by operating and

- holding the corresponding reset . switch at the time the_ initiate 55.48 signal = is transmitted) the other. train will automatically carry the protective action- to . completion. In the event' that the reset 55.50 condition 'is . imposed " simultaneously in both trains'at the time the

. initiate signals are generated, the automatic . sequential' completion 55.51

! of system -action is interrupted and control has been taken by_the operator. Manual takeover will be maintained, even though the reset- 55.53-

-switches _are released, if Lthe original initiate. signal exists. 55.54-

Should the. initiate signal then. clear and return again, automatic 55.55 L system actuation will repeat.

l s Amendment 8 7.3 .May 1984 g ,-,.n , , e r-,- - - , .n-- ,.

u1217912sra8r 03/21/84 246 MHPS-3 FSAR Note'also that any time delays imposed on the system action are to be 55.56 applied .af ter the initiating signals are latched. Delay of actuate 55.58 signals for fluid systems lineup, load sequencing, etc, do not provide the coerator time to interrupt automatic completion, with 55.59

. manual reset alone, as would be the case if time delay was imposed prior to sealing of the initial actuate signal. 55.60 The manual block features associated with pressurizer and steam line 56.1 SISs provide the operator with the means to block initiation of 56.2 safety injection during plant startup. These block features meet the 56.3 requirements of Paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require 56.4 the protection system to be functional.

7.3.2.2.7' Manual Initiation of Protection Actions (Regulatory 56.8 Guide 1.62)

There are- four individual main steam stop valve ' momentary control 56.11 switches (one per loop) mounted on the control board. Each switch 56.14 when actuated,- will. isolate one - of the main' steam lines. In 56.15 addition, there will be two system level switches. Operating either 56.16 switch will actuate all four main steam line isolation and bypass valves at the system level.'

Manual.' initiation of switchover to. recirculation is in compliance 56.17 with Section 4.17 of IEEE Standard 279-1971 with the following 56.18 comment;

- Manual initiation of either one:of two redundant safety injection 56.19

. actuation main control board mounted switches provides for actuation 56.20 of -the: components-required for reactor protection and mitigation of

- adverse consequences of the postulated accident, . including delayed 56.21 actuation:.of sequenced started emergency electrical loads as well as components providing switchover from the safety-injection mode to the 56.22 cold Eleg recirculation mode following 'a loss of primary coolant 56.23 accident. Therefore'. once safety injection- is- initiated,. . those 56.24 components of the ECCS (Section 6.3)'which are realigned.as part of 56.251

-the semi-automatic switchover, go to completion on low refueling storage tank water level without any manual action.- Manual operation- 56.26

-of other components or manual verification of proper position as part

!~ of. e'mergency procedures is'not precluded nor otherwise in conflict -56'.27 with _the_ above~ described ~ compliance. to_ paragraph 4.17 of IEEE-

- Standard' 279-1971 of the. semi-automatic switchover. circuits. 56.28

-No exception fto_the' requirements of.IEEE Standard 279-1971 has been 56.291

- taken'in'_the; manual initiation circuit of safety injection.7 Although 56.31 Paragraph 4.17 'of _IEEE Standard 1279-1971 . requires' that a single

- failure-within common portions of_the _ protective _ systems -shall not_.56.32 defeat: 'the protective action' by manual or -automatic means,1the 1 standard does notLspecifically ' preclude the. sharing..of initiated; 56.33

. circuitry; logic between automatic and manual functions.

- Itais?true 56.34" that1the: manual' safety injection?init'iation functions associated with

. one actuation. train 1(e.g.,-TrainfA): shares portions;of the' automatic'~56.35.

- initiationfcircuitry logic of~the samellogic' train ( however, alsingle

~

, Amen'ds.entf8 7.3-79~ May-1984

__a n

u1217912sra8r 03/21/84 246 MNPS-3 FSAR failure in shared functions does not defeat the protective action of 56.36 the redundant actuation train (e.g., Train B). A single failure in- 56.37 shared functions does not defeat the protective action of the safety function. It is further noted that the sharing of the logic by 56.38 manual and automatic initiation is consistent with the system level 56.39 action requirements of the IEEE Standard 279-1971, Paragraph 4.17 and consistent with the minimization of complexity. 56.40 7.3.2.3 Further Conside' rations 56.42 ,

7.3.2.3.1 Instrument Air and Component Cooling 56.43 In addition to the considerations given above, a loss of instrument 56.44 air or loss'of component cooling water to vital equipment has been 56.45 i

considered. Neither the loss of instrument air nor the loss of 56.47 cooling water (assuming no other accident conditions) can cause safety limits as given in Chapter 16 to be exceeded. Likewise, loss 56.49 of either one of the two will not adversely affect the core or the reactor coolant system nor will it prevent an orderly shutdown if 56.50 this is necessary. Furthermore, all pneumatically-operated valves 56.51 and controls will assume a preferred operating position upon loss of instrument air. It is slso noted that for conservatism during the 56.53 accident analysis (Chapter 15), credit is not taken for the 4

instrument air systems nor for any control system benefit. 56.54 l The design does not provide any circuitry which will directly trip 56.55

.the reactor coolant pwqps on a loss o'f component cooling water. 56.56 Normally, indication in the control room is provided whenever 56.57 component cooling water is lost. The reactor coolant pumps can run 56.58 about 10 minutes 'after a loss of component cooling water. This 56.59 provides adequate time for the operator to correct the. problem or trip the plant if necessary.

7.3.2.4 Summary 57.1 The effectiveness of the ESFAS is evaluated in Chapter 15, based on 57.2 the ability of the system to contain the effects:of Condition III and 57.3 IV faults, including loss-of-coolant and steam break accidents. The 57.5 ESFAS- parameters are based upen the component performance l- specifications which are given by the manufacturer or verified by 57.6 test for each -component. . Appropriate factors to account for 57.7 p -uncertainties- in the data are factored into the constants '

o

' characterizing the system. -

The ESFAS must detect Condition III and IV faults and generate 57.8 signals which actuate the ESF. The system -must sense- the accident 57.9 -

condition and generate the signal. actuating the protection function reliably and within a time determined by, and consistent 'with, the 57.10 accident' analyses in Chapter 15.

Much longer times are associated with the actuation of the mechanical 57.11 and fluid system equipment associated with engineered safety. 57.12 features. .This includes the time required for switching, bringing 57.13 4

' Amendment 8 -

7;3-80 May-1984

,,-ww . .%., - , , , , - -

.,y v- , ,

w-

)

u1217912sra8r 03/21/84 246 MHPS-3 FSAR pumps and other equipment to speed and the time required for them to 57.14 take load.

Operating procedures require that the complete ESFAS normally be 57.15 operable. However, redundance of system components is such that the 57.16 system operability assumed for the safety analyses can still be met 57.17 with certain instrumentation channels out of service. Channels that 57.18 are out of service a,re to be placed in the tripped mode or bypass mode in the case of containment spray.

7.3.2.4.1 Loss-of-Coolant Protection 57.20 By analysis of LOCAs and in system tests, it has been verified that 57.21 er. cept for very small coolant system breaks which can be protected .57.23 against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by low pressurizer 57.24 pressure signal; the ECCS is actuated in time to prevent or limit core damage.

For large coolant system breaks, the passive accumulators inject 57.25 first because of the rapid pressure drop. This protects the reactor 57.26 during the unavoidabls delay associated with actuating the active ECCS phase. '

t High containment pressure also actuates the ECCS. Therefore, 57.28 emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the 57.29

.ESFAS detects the leakage of the coolant into the containment. The 57.30 generation time of the actuation signal of about 1.5 second, after  ;

detectio,n of the consequences of the accident, is adequate. 57.31 Containment spray will provide additional emergency cooling of 57.32 containment and also limit fission product release upon sensing 57.33 elevated containment pressure (hi-3) to mitigate the effects of a

[

L LOCA. ,

The delay time between detection of the accident condition and the- 57.34 generation of the actuation signal for these systems is assumed to be 57.35 about 1.0 second, well within the capability of the protection system equipment. However, this time is short compared to that required for 57.36

.startup of the fluid systems.

The analyses in~ Chapter 15 show that the diverse methods of detecting 57.37 the accident condition and the time for generation of the signals. by 57.38 the protection systems are adequate to provide reliable and timely 57.39

' protection against the effects of loss-of-coolant.

, 7.3.2.4.2 Steam Line Break 7totection 57.41 The ECCS is 'also actuated in order to protect against a steam line 57.42 break. About 2.0 seconds elapses. between sensing low steam line 57.44 pressure and generation of the actuation signal. . Analysis of steam 57.45 break. accidents assuming this' delay for signal generation shows that the. ECCS_ is actuated for; a steam line break in time to limit or 57.46 r.

Amendment 8 7.3-81 May 1984

u1217912srt8r 03/21/84 246 MNPS-3 FSAR prevent further core damage for steam line break cases. There is a 57.47

' reactor trip but the core reactivity is further reduced by the highly borated water injected by the ECCS. 57.48 Additional protection against the effects of steam line break is 57.49 provided by feedwater isolation which occurs upon actuation of the 57.50 emergency core cooling system. Feedwater line isolation is 57.51 initiated in order to p,revent excessive cooldown of the reactor vessel and thus protect the reactor coolant system boundary. 57.52 Additional protection against a steam break accident is provided by 57.53 closure of all steam line isolation valves in order to prevent 57.54 uncontrolled blowdown of all steam generators. The generation of the 57.55 protection system signal (about 2.0 seconds) is again short compared to the time to trip the fast acting steam line isolation valves which 57.56

, are designed to close in less than approximately 5 seconds.

In addition to actuation of the ESF, the effect of a steam line break 57.57 accident also generates a signal resulting in a reactor trip on 57.58 overpower or following ECCS actuation. However, the core reactivity 57.59 is further reduced by the highly borated-water injected by the ECCS.

The analyses in Chapter 15 of the steam break accidents and an 57.60 evaluation of the protection system instrumentation and channel 58.1 design shows that the ESFAS are effective in preventing or mitigating

.the effects of a steam break accident. 58.2 7.3.3 References for Section 7.3 58.4 IEEE Standard 279-1971. The Institute of Electrical and Electronics 58.6 Engineers, Inc. IEEE Standard Criteria for Protection System for Nuclear Power Generating Stations. 58.7

-NUSCo. No. 25212-28723. Emergency Generator Load Sequence Control 58.10 Logic Description 24-9 4.. Northeast Utilities Service 3 Company, 58.11 Millstone Nuclear Power Station - Unit 3.

WCAP-7013, 1973. Reid, Process J. B. Instrumentation forf 58.14 Westinghouse Nuclear Steam Supply System-(4 Loop -Plant using WCID 7300 Series Process Instrumentation). 58.15 WCAP-7488-L (Proprietary) and WCAP-7672, 1971 (Non-Proprietar'y) 1971. 58.16 WCAP-7705, Revision 2. (Information only; i.e., not a generic 58.18 topical WCAP)-1976. Swogger, J. W. Testing of Engineered ~ Safety 58.20 Features Actuation System.

Amendment'8 7.3-82 .May 1984 ,

l Open Items Instrumentation and Control Systems Branch ICSB-10 Remote Shutdown Capability (Draf t SER Section 7.4.2.3)

In the FSAR Section 7.4.1.3, the applicant states that the design basis for control room. evacuation does not consider a single failure. The staff finds the applicant's design basis for remote shutdown capability unacceptable. The FSAR Table 7.4-1, " Instruments and . Controls Outside Control Room For Cold Shutdown" has not identified the transfer switches whether from train A equipmen_t or from train B equipment. The staff requested the applicant to clarify the design criteria for remote shutdown station, and provide detailed layout drawings for transfer switch panels and the auxiliary shutdown panel. The applicant should also address the isolation, separation, qualification, and transfer / override provisions of the remote shutdown station in Section 7.4 of the FSAR. Detailed schematics related to remote shutdown operation should be provided for staff review. This is an open item.

Response (3/84)

. See revised FSAR Section 7.4.-

Status (3/84)

Closed.

+

4

'J,

' ~

.-ICSB10 -~l'

s. _-. - - _,

u1217912str_8s 03/07/S4 246 HNPS-3 FSAR 7.4.1.5 other Considerations 1.10

1. Additional shutdown air compressors are powered from Class 1.12 IE buses and are provided to increase availability of normal 1.13 controls and minimize operator actions.

2. Other equipment supplied from Class IE buses to minimize 1.14 impact on nonsafety equipment in containment include:

a. Containment recirculation coolers 1.16

b. CRDM air cooling fans 1.17

3. Loss of instrument air does not prevent the operation of the 1.19 minimum systems necessary for hot standby or cold shutdown 1.20 described in Section 7.4.1.

7.4.2 Analysis 1.23 Hot shutdown is a stable plant condition, automatically reached 1.24 following a reactor trip from power. The plant design features also 1.26 permit the achievement of cold shutdown as referred to in Section 7.4.1.2 and described in Section 5.4.7. In the unlikely event that 1.28 access to the control room is restricted, the plant can be safely kept at a hot standby by the use of the monitoring indicators and the 1.29 controls listed in Sections 7.4.1.1 and 7.4.1.2, and described in 1.30 Section 7.4.1.3, until the control room can be re-entered.

Cold shutdown conditions can be achieved from outside the control 1.31 room through the use of suitable procedures and by virtue of local 1.32 control of the equipment listed in.Section 7.4.1.2, in conjunction with the instrumentation and controls provided on the auxiliary 1.33 shutdown panel (ASP) (Table 7.4-1). The layout o.f the ASP is 1.34 provided in the ESK series drawings, listed in Section 1.7.

The design basis for the ASP is as follows: 1.36

1. The design of the system to provide redundant safety grade 1.39 capability to achieve and maintain a safe shutdown condition from location (s) remote from the control room is as follows: 1.40 Panels and associated equipment used in control room 1.43 evacuation are located at elevation 4 feet-6 inches in the control building. Also located at elevation 4 feet-6 inches 1.46 is the emergency switchgear for each train, along with two 1.47 y.;

transfer switch panels (TSP) and the ASP.

Controls which are located on the TSP and ASP are listed in 1.48 Table 7.4-1. Most pumps have their controls located at 1.49 their respective emergency switchgear.

Two rooms are provided to separate the redundant emergency 1.50 ssitchgear and the transfer switch panels. The ASP panel is 1.51 located in the purple switchgear room (Train B) and the two Amendment 8 7.4-6 May 1984

u1217912sraGs 03/07/84 246 MMPS-3 FSAR Trains (A and B) of the ASP are separated by a non-train 1.52lg.7 panel. 1.53

2. All controls and instrumentation required for the reactor 1.55 hot and cold shutdown from ASP are decoupled from those no rmally used in the main control room in order to ensure 1.57 that the control room evacuation event does not defeat the operation of equipment and controls necessary for remote 1.58 shutdown in case of failure of equipment in the main control room. 1.59

3. The ASP is provided with a communication network to 1.60 important plant locations which include locations of equipment required for reactor shutdown. The control room 2.2 and cable spreading room can be isolated from the system by controls at the ASP.

4. The following design criteria are applicable to the 2.3 instrumentation and centrol devices located on the ASP:

ANSI C37.90 1978 2.5 IEEE 279 1971 2.6 IEEE 308 1974 2.7 IEEE 323 1974 2.8 IEEE 344 1975 2.9 IEEE 338 1971 2.10 IEEE 379 1972 2.11 IEEE 384 1974 2.12 IEEE 420 1974 2.13 NUREG-0588 Dec. 1979 2.14 RG 1.75 Feb. 1974 2.15

5. Redundant instrumentation and controls (Train A and B) are 2.18 provided on the auxiliary shutdown panel and are listed in 2.19 Table 7.4-1.

6. There are no cases in which transfer from the main control 2.20 room to the auxiliary shutdown panel requires a jumper or 2.21 equipment to be received.

7. The design is such that transfer of equipment from the main 2.22 control room to the alternate shutdown area will not change 2.23 the status of the equipment.

q -?

8. Loss of offsite power will not negate shutdown capability 2.24 from the remote shutdown area. 2.25

9. The design is such that access to the remote shutdown 2.26 stations at the ASP, the TSPs and the 4 kV switchgear 2.27 requires keys for operation of equipment. Access to these 2.28 areas is under administrative control.

Each cabinet located at the remote shutdown area (TSPs, ASP) 2.30 has door limit switches mounted on the front and rear doors 2.31 .

Amendment 8 7.4-7 May 1984 l

u1217912sra8s 03/07/84 246 HNPS-3 FSAR which annunciate in the main control room whenever personnel gain access to the equipment. Also, each transfer switch '2.32 mounted on the TSPs is annunciated in the main control room  ; is - 7 whenever local control of assigned equipment has been taken 2.33 8

over.

-10. The ASP is located such that it can be safely occupied 2.35 during a remote shutdown event. Ventilation temperature 2.36 control and radiation protection are provided to allow continuous occupancy.

11. The design requirements for compliance with Appendix R, 2.37 l 10CFR50, are explained in the Millstone 3 Fire Protection 2.36 '

-Evaluation Report. 2.39 l f .,

l _.

The controls available on' the ASP provide the capabilities of 2.41

_ achieving and maintaining a safe shutdown when the main control room 2.42 l_

is inaccessible. The controls necessary for immediate operator 2.43

j. ~ action to establish a stable plant condition are available on the ASP

[

or; in adjacent- emergency switchgear rooms. The controls provide a 2.45

means of sustaining the capability for boration, letdown, residual

> heat removal, natural circulation, continuing reactor coolant pump 2.46

seal injection and for thermal barrier cooling water flow, and 2.47 I' depressurization The _ instrumentation and control functions which are required to be 2.48 aligned for maintaining safe shutdown of the reactor that are 2.49 discussed above are the minimum number of instrumentation and control functions..

Proper operation of other nonsafety related systems will allow a more 2.50 normal shutdown to be made and maintained by preventing a _ transient '2;51 (Section 7.7). <

_In' considering more restrictive conditions than.those-discussed in 2.52 Section 7.4, certain accidents and transients _are postulated, in the- 2.54

. Chapter 15.0 safety analyses which take credit for safe shutdown when 2.55

~

the protection systems reactor trip terminates the transients and the ~

engineered safety _ features system mitigates the consequences of the 2.56 accident. In these transient's, in general, no credit. is_.taken for 2.57

'the.' control system operation 'should. such operation mitigate-the.

consequences of a transient.} Should such operation not mitigate the 2.59 consequences of ._a transient; no penalties are taken in the analyses for incorrect control system actions over and above. the incorrect 2.60 action _of~the control system,.'whose equipment failure was' assumed to 3.1 have: initiated the transient. These analys'es .in Chapter 15.0 .show :3.2-that safety is 'not adversely affected when such transients include the followingr i L.1 ' Inadvertent-boron dilution-3.4~

^3.5 2.. Loss of normal feedwater

3. ' Loss of external . electrical: load ~and/or turbine trip ' 3.6 -

7.4-8' May 1984' Amendment.8

u1217912sr18s 03/07/84 246 MNPS-3 FSAR

4. Loss of ac power to the station auxiliaries (station 3.7 blackout) -

The results of the analysis which determined the applicability of the 3.9 nuclear steam supply system safe shutdown systems to the NRC General 3.10 Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1. 3.11 The functions considered and listed below include both safety-related 3.12 and nonsafety-related equipment.

~

1. Reactor trip system 3.14

2. Engineered safety features actuation system 3.15

3. Safety-related display instrumentation for post-accident 3.16 monitoring

4. Main control board 3.17

5. Auxiliary shutdown station 3.18

6. Residual heat removal 3.20

7. Instrument power supply 3.21

8. Control systems- ,

3.22 Amendment 8l o7.4-9 May 1984

-u1217912sra7cc 02/08/84 245 MNPS-3 FSAR 1.7 TABLE 7.4-1 1.9 INSTRUMENTS AND CONTROLS OUTSIDE CONTROL ROOM FOR COLD SHUTDOWN 1.12 ASP Section 1 ASP Section 3 1.15 Safety-Related Instruments on ASP Electrical Electrical 1.16 Train A Train B 1.17 Description (Orange) (Purple) 1.18 RHR Heat Exchanger Outlet (0-800 gpm) 3CCP*F167A2 3CCP*FI67B2 1.20 Cooling Flow 1.21 Boric Acid Tank SA Level (0-100%) 3CHS*LIl02A 3CHS*LIl04A 1.23 Boric Acid Tank SB Level (0-100%) 3CHS"LIl05A 3CHS*LIl06A 1.25 Stm Gen 1 Level (0-100%) 3FWS*LI501A 3FWS*LI519A 1.27 Stm Gen 2 Level- (0-100%) 3FWS*LI529A 3FWS*LISO2A 1.29 Stm Gen 3 Level (0-100%) 3FWS*LIS03A 3FWS*LI537A 1.31 3FWS*LI548A 3FWS*LI504A 1.33 y

[

l Stm Gen 4 Level (0-100%)

RCS Pressure (0-3000 psig) 3RCS*PI405B 3RCS*PI403B. 1.35 Demin Water Storage Tank (0-100%) 3FWA*LI20A2 3FWA*LI20B2 1.50 Level 1.51 Stm Gen 1 Aux Fdwtr Flow (0-350 gpm) '3FWA*FI51A2 Note 1 1.53 Stm Gen 2 Aux Fdwtr Flow (0-350 gpm) Note 1 3FWA*FI33B2 1.55 i

Stm Gen 3 Aux Fdwtr Flow (0-350 gpm)- Note 1 3FWA*FI33C2 1.57 Stm Gen 4 Aux Fdwtr Flow (0-350 gpm) 3FWA*FI51D2 Note 1 1.59

~

Refueling Water Storage (0-100%) 3QSS*LI930A .3QSS*LI931A 2.1 Tank Level

~

2.2 l

i RC Loop 1 Hot Leg Temp (0-700*F) 3RCS*TI413C ~ Note 2 2.4

^ '

l .

-RC Loop 2 Hot Leg Temp -(0-700*F)' 3RCS*TI423C Note 2 2.6

. . -. n RC Loop 3 Hot Leg Temp! (0-700'r) '3RCS*TI43IC- . Note 2 2.6

/, .

RC Loop 4 Not Leg Temp (0-700*F) 3RCS*TI443C Note 2 2.10 RC Loop'1 Cold Leg Temp (0-700*F) Note 2.. 3RCS*TI413D 2.12

~RC Loop 2 Cold Leg Temp -(0-700*F) Note 2 ~ 3RCS*TI423D 2.14-RC Loop'3 Cold Leg Temp i

-- (0-700 *F) Note 2' 3RCS*TI433D 2.16 Amendment 7 of 9 / Makch 1984 5 ,

e 4 ,-

4 , - - . - ~ . 4 .

u1217912sro7cc 02/08/84 245 MNPS-3 FSAR TABLE 7.4-1 (Cont)

ASP Section 1 ASP Section 3 Electrical Electrical Train A Train B Description (Orange) (Purple)

RC Loop 4 Cold Leg Temp (0-700*F) Note 2 3RCS*TI443D 2.18 Pressurizer Level (0-100%) 3RCS*LI459C RCS*LI460C 2.20 Pressurizer Pressure (1700- 3RCS*PI455B 3RCS*PI456B 2.22 2500 psig) 2.23 Stm Gen 1 Pressure (0-1300 psig) 3 MSS *PI514B 3 MSS *PI515B 2.25 Stm Gen 2 Pressure (0-1300 psig) OMSS*PI524B 3 MSS *PI525B 2.27 Stm Gen 3 Pressure (0-1300 psig) 3 MSS *PI534B 3 MSS *PI535B 2.29 Stm Gen 4 Pressure (0-1300 psig) 3 MSS *PI544B 3 MSS *PI545B 2.31 A

2.33

• Emer 4.16 kV Bus 34C (0-5250V) VM2-3 ENS *SWG-A Note 3 2.34 S, Train A 2.36 Emer 4.16 kV Bus 34D (0-5250V) Note 3 VM2-3 ENS *5WG-B Train B 2.37 Containment Pressure (0-60 psia) 3LMS*PI937A 3LMS*PI936A 2.39 Safety-Related Equipment with Control 2.41 Switches on ASP 2.42 Description 2.44 Aux Fdwtr Control Valve (Throttling) 3FWA*HV31A 3FWA*HV31B 2.46 Aux Fdwtr Control valve (Throttling) 3FWA*HV31D 3FWA*HV31C 2.48 Aux Fdwtr Control valve (Throttling) 3FWA*HV32A 3FWA*HV32B 2.50 Aux Fdwtr Control Valve (Throttling) 3FWA*HV32D 3FWA*HV32C 2.52 Aux Fdwtr Control Valve (Throttling) 3FWA*HV36B 3FWA*HV36A 2.54 Aux Fdwtr Control Valve (Throttling) 3FWA*HV36C 3FWA*HV36D 2.56 Aux Fdwtr Isolation Valve 3FWA*MOV35B 3FWA*MOV35A 2.58 Atut Fdwtr Isolation Valve 3FWA*MOV35C 3FWA*MOV35D 2.60 Aux Fdwtr Pump Alt Suction Valve 3FWA*A0V23A 3FWA*A0V23B 3.3 Amendment 7 - 2 of 9 March 1984

u1217912sra7cc' 02/08/84 245 MNPS-3 FSAR TABLE 7.4-1 (Cont)

ASP Section 1 ASP Section 3 Electrical Electrical Train A Train B Description (Orange) (Purple)

Turbine Driven Aux Fdwtr Pump Stm 3 MSS *A0V31A 3 MSS *A0V31B 3.6 Supply Valve 3.7 Turbine Driven Aux Fdwtr Pump Stm Note 4 3 MSS *A0V31D 3.9 Supply Valve 3.10

, Main Stm Pressure Relieving 3 MSS *MOV18A 3 MSS *MOV18B 3.12 Valve Isol Valve 3.13 g Main Stm Pressure Relieving 3 MSS *MOV18C 3 MSS *MOV18D 3.15 Valve Isol Valve 3.16

! Main Stm Pressure Relieving 3 MSS *MOV74B 3 MSS *MOV74A 3.18 Valve Bypass Valve 3.19 Main Stm Pressure Relieving 3 MSS *MOV7'4D 3 MSS *MOV74C 3.21 Valve Bypass Valve 3.22 ,4

t. Y Pressurizer Power: Relief Valve - 3RCS*PCV455A 3RCS*PCV456 3.24 Pressurizer Relief Isol Valve 3RCS*MV8000B 3RCS*MV8000A 3.26

/ Pressurizer Aux Spray Valve .3RCS*AV8145 Note 5 3.28 c

Reactor-Vessel Head Vent Isol' Valve-3RCS*SV8095A 3RCS*SV8095B 3.30

~

Reactor Vessel Head Vent Isol Valve- '3RCS*SV8096A 3RCS*SV8096B- 3.32 Reactor Vessel to Excess Letdown Valve.'3RCS*MV8098 Note 6 3.34 Reactor Vessel to Pressurizer Relief 3RCS*HCV442A 3RCS*HCV442B' 3.36 Tank Letdown Valve 3.37 Pressurizer Level. Control Valve

~

3RCS*LCV459 Note 7 3.39 -

Pressurizer Level. Control Valve 3RCS*LCV4f? Note 7. 3.41 Letdown Orifice Isol Valve- 3CHS* W ?iN tiote 8 3.43 Letdown Orifice Isol Valve 3CHS*M'81498 liote 8, 3.45 Letdown Orifice Isol Valve 3CHS*AV8149C Note 8 3.47 Letdown to CVT/GWS Divert Valve 3CHS*LCV112A- Note 9. . 3.49 .

, 'Vol Control' Tank Outlet I'ol s '3CHS*LCV1128 3CHS*LCV112C. b51

' Amendment'7-3'of 9 March-1984

, _ ,< a

'n- J l;

, .=. -- . . . .

+

u1217912sro7tc 02/08/84 245

. MNPS-3 FSAR l TABLE 7.4-1 (Cont)

ASP Section 1 ASP Section 3 Electrical Electrical Train A Train B Description (Orange) (Purple)

. Valve 3.52 RWST to Charging Pump Suction 3CHS*LCV112D 3CHS*LCV112E 3.54 Valve 3.55 Charging System to RCS Isol Valve 3CHS*AV8147 3CHS*AV8146 3.57 Boric Acid Gravity Feed Valve 3CHS*MV8507A 3CHS*MV8507B 3.59 Charging Header Isol Valve 3CHS*MV8438A 3CHS*MV8438B 4.1 Charging Header Isol Valve 3CHS*HV8438C Note 10 4.3 Charging Pump A Recirc Valve Note 11 3CHS*MV8111A 4.5 Charging Pump B Recirc Valve Note 11 3CHSxr N8111B 4.7 y

/

O Charging Pump C Recirc Valve Note 11 3CHS*MV8111C 4.9 LPSI to Charging Pumps Suction Valve 3CHS*MV8468A ~ 3CHS*MV8468B 4.11 Charging Header Flow Control Valve 3CHS*HVC190A 3CHS*HCV190B 4.13 Charging Header Isol Bypass Valve 3CHS*MV8116 Note 12 4.15-

-Charging Pump to RCS Isol. Valve- 3CHS*MV8105 3CHS*MV8106 4.17 Charging Pump Miniflow Control Valve 3CHS*MV8511A "3CHS*MV8511B 4.19 i RHS Heat Exchanger Component Cooling 3CCP*FV66A- 3CCP*FV66B 4.21 ,.

1 Water Outlet valve 4.22 RHS to Cold Leg Isol Valve 3SIL*MV8809A 3SIL*MV8809B 4.24 RWST'to RHR Pump Suction Valve 3SIL*MV8812A. 3SIL*MV8812B 4.26 Safety Injection' Accumulator Tank 3SIL*MV8808A 3SIL*MOV8808B 4.28 Isol Valve 4.29

~ Safety' Injection Accumulator Tank 3SIL*MV8808C. '3SIL*MOV8308D 4.31 Isol Valve 4.32 Safety Injection AccumulatorLTenk-l' :3SIL*SV8875A- 3SIL*SV8875E 4.35

. Nitrogen. Supply '4.36

-Safety Injection: Accumulator Tank 2 3SIL*SV8875B 3SIL*SV8875F '4.39

-Amendment 7 4 of 9' March 1984

u1217912 era 7ac 02/08/84 245 MNPS-3 FSAR TABLE 7.4-1 (Cont)

ASP Section 1 ASP Section 3 Electrical Electrical Tr.ain A Train B Description (Orar.ge) (Purple)

Nitrogen Supply 4.40 Safety Injection Accumulator Tank 3 3SIL*SV8875C 3SIL*SV8875G 4.42 Nitrogen Supply 4.43 Safety Injection Accumulator Tank 4 3SIL*SV8875D 3SIL*SV8875H 4.45 Nitrogen Supply- 4.46 Safety Injection Accumulator Vent 3SIL*HCV943A 3SIL*HCV943B 4.48 Control 4.49 RHS Inlet Isol valve 3RHS*MV8701A 3RHS*MV8701B 4.51 RHS Inlet Isol Valve 3RHS*MV8701C 3RHS*MVB702B 4.53 RHS Inlet Isol Valve 3RHS*MV8702A 3RHS*MV6702C 4.55 k

Charging Pump Cooling Pump 3CCE*P1A 3CCE*PIB 4.57 [F Pressurizer Heater Backup 3RCS*H1A 3RCS*H1B 4.59 (Group A) (Group B) 4.60 Cold Shutdown Air. Compressor 3IAS-C2A 3IAS-C2B 5.2 Air Conditioning Unit for SI, QS, 5.5 and RHR Pump Area 3HVQ* ACUS 1A 3HVQ* ACUS 1B 5.6 Safety-Related Miscellaneous Controls 5.9 Main Stm Line Safety Injection Train A Train B- 5.11 Block / Reset 5.12

. Pressurizer Pressure Safety Injection Train A Train B 5.14 Block / Reset 5.15 Sequencer LOP Reset. Train'A Train B- ~5.17 Sequencer LOP Reset Light Train A Train B 5.19 RCS Cold Overpressure Mitigating Train A Train B 5.22 Arm / Block '5.23 Amendment 7 5,of 9 March 1984

u1217912cro7cc 02/08/84 245 MNPS-3 FSAR TABLE 7.4-1 (Cont)

Nonsafety-Related Instruments on 5.35 ASP Section 2/Non-Train 5.36 Description Mark No. 5.38 Reserve Instrument Air (0-150 psig) 3IAS-PI73B 5.40 Header Pressure 5.41 NIS-Source Range Count Rate 3NMS-NI31C 5.43 NIS-Source Range Count Rate 3NMS-NI32C 5.45 RHR Heat Exchanger A (50-400'F) 3RHS-TI604 5.47 Outlet Temp 5.48 NIS-Intermediate Range 3NMI-NI35C 5.50 Count Rate 5.51 NIS-Intermediate Range 3NMI-NI36C 5.53 Count Rate 5.54 Condensate Storage Tank (0-100%) 3CNS-LI15A 6.7 Level 6.8 Volume Control Tank Level (0-100%) 3CHS-LI112A 6.10 ,)

Letdown Flow (0-200 gpm) 3CHS-FI132A 6.12 4 Regenerative Heat (100-600*F) 3CHS-TI126A 6.14 Exchanger Outlet Temp 6.15 l .

IUIR Loop B Outlet Temp (50-400*F) 3RHS-TI605 6.17 RCP 1 Seal Water Flow. (0-15 gpm)' 3CHS-FI145C 6.19

. RCP 2 Seal Water Flow (0-15 gpm) 3CH3-FI144C 6.21

[

l RCP 3 Seal Water Flow (0-15 gpm) 3CHS-FI143C 6.23 l RCP 4 Seal Water Flow (0-15 gpm) ~ 3CHS-FI142C 6.25 L

Equipment with Nonsafety-Related 6.27 Controls ASP Section 2/Non-Train 6.28 i Description 6.30:

. Excess Letdown Flow Control Valve 3CHS*HCV123. 6.32 RHR Letdown Flow Control Valve 3CHS*HCV128 6.34 Amendment 7' 6 ofL9. March'1984 t

s _ -

m . _ _ , ,

u1217912srs7cc 02/08/84 245 MNPS-3 FSAR TABLE 7.4-1 (Cont)

Description Mark No.

Charging Flow Control Valve 3CHS*FCV121 6.36 Low Pressure Letdown Control Valve 3CHS*PCV131 6.38 RCP Seal Water Supply Control Valve 3CHS*HCV182 6.40 RHR Heat Exchanger A outlet 3RHS*HCV606 6.42 Flow Control 6.43 RHR Heat Exchanger A Bypass 3RHS*FCV618 6.45 Control 6.46 RHR Heat Exchanger A Component 3CCP*FV66A 6.48 Cooling Flow Control 6.49 RHR Heat Exchanger B Component 3CCP*FV66B 6.51 Cooling Flow Control 6.52 RHR Heat Exchanger B Outlet 3RHS*dCV607 6.54 Flow Control 6.55 4

+

RHR Heat Exchanger B Bypass 3RHS*FCV619 6.57 $

Flow Control 6.58 Main Stm Pressure Relieving Valve 3 MSS *PV20A 6.60 Main Stm Pressure Relieving Valve 3MSSAPV20B 7.2 Main Stm Pressure Relieving Valve 3 MSS *PV20C 7.4 Main Stm Pressure Relieving Valve' 3 MSS *PV20D 7.6 Miscellaneous Controls ASP Section 2/Non-Train- 7.8 White Indicator Light (Steam Line Safety Injection Blocked, Train A) 7.10 White Indicator Light (Steam Line Safety Injection Blocked, Train B) .7.12 White Indicator Light (Pressurizer Safety Injection Blocked,. Train A) _ 7.14 White Indicator Light (Pressurizer Safety Injection Blocked, Train B) 7.16 Amendment 7 7 of 9 March 1984

,' u1217912sra7tc 02/08/84 245

. MNPS-3 FSAR e

TABLE 7.4-1 (Cont)

Safety-Related Controls on 7.25 4160V Emergency Switchgear 7.26 Motor-Driven Aux Fdwtr Pumps 3FWA* PIA, Train A 7.28 3FWA*P1B, Train B 7.29 Charging Pumps 3CHS*P3A, Train A 7.31 3CHS*P3B, Train B 7.32 3CHS*P3C, Swing Pump 7.33 A

Service Water Pumps 35WP*P1A, Train A 7.35 ,

35WP*P1C, Train A 7.36 qi 35WP*PIB, Train B 7.37 35WP*P1D, Train B 7.38 Reactor Plant Component Cooling Pumps 3CCP* PIA, Train A 7.40 3CCP*P1B, Train B 7.41 3CCP*PIC, Swing Pump 7.42 Control Building Chilled Water Pumps 3HVK* PIA, Train A 7.44 3HVK*P1B, Train B 7.45 RHR Pumps 3RHS*P1A, Train A 7.47 3RHS*P1B, Train B 7.48 I

t Amendment 7 8 of 9 March 1984

.' u1217912sro7cc 02/08/84 245

, , , MNPS-3 FSAR

't TABLE 7.4-1 (Cont)

NOTES: 7.52

1. There is one auxiliary feedwater flow indicator per steam 7.54 generator on the ASP - two are Train A and two are Train B. 7.55

2. The RC loop hot leg temperature indicators are Train A; the cold 7.56 leg temperature indicators are Train B.

3. There is one emergency bus volt meter for each emergency bus 7.57 .

(Trains A and B) on the ASP.

4. There are three steam supply valves for the turbine-driven 7.58 auxiliary feedwater pump - one is Train A and two are Train B 7.59 4

.y

5. The pressurizer auxiliary spray valve is Train A only. 7.60 f

/

6. There is no Train B reactor vessel to the excess letdown valve. 8.1

' 7. 3RCS*LCV459 and 460 are in series; both are Train A letdown 8.2 valves.

8. The three letdown orifice isolation valves are all Train.A. 8.3

9. 3CHS*LCV112A is Train A; 3CHS*A0V71 up stream of 3CHS*LCV112A is 8.4 non-train and can be controlled from the main board or gaseous 8.5 waste panel.

10. 3CHS*MV8438C is Train A only; it-is the charging header cross 8.6 connect valve. ,

11. 3CHS*MV8111A, B, and C - charging pump recirculation valves are 8.7 all Train B.

-3CHS*MV8110 is the Train A common recirculation valve and can be 8.9 operated from the main control board; it is normally OPEN. 8.10

12. The charging header. isolation bypass valve is Train A only. 8.12 s

Amendment 7 9 of 9 March 1984

. - . . . _ ~ - _ _ . . . . . .. . - - .

.s h

Open items Instrumentation and Control Systems Branch c i ICSB-ll IE Bulletin 79-27 Concerns (Draf t SER Section 7.5.2.1) i  :

The staff requested that the applicant review the adequacy of emergency operating procedures to be used by control room operators to attain safe 4 .- shutdown on loss of any Class IE or non-Class IE bus supplying power to

- safety-or non safety-related instrument and control systems. This issue was addressed for operating reactors through IE Bulletin 79-27. In FSAR Amendment i- No. 5, the applicant responded that Millstone Unit 3 can achieve a cold shutdown condition without the use of any non-class IE power. All the equipment required to achieve a cold shutdown is redundant and is powered from redundant Class IE buses, which satisfies the single failure criterion. However, the staff pointed out that loss of a single instrument bus could affect the interlock circuits to isolate both trains of Residual Heat Removal system, therefore, the applicant's response did not adequately address the concerns identified in IE Bulletin 79-27 The staff requested that the applicant re-evaluate his response to resolve this

i. concern. Additional information is required to address items requested in IE Bulletin 79-27. This is an open item.-

Response (3/84) i Refer to'the revised response to Question 420.1. The NRC Staff requested to -

provide additional information on the testing procedure for RHR isolation valves.

Status (3/84)

Confirmatory.

y.

J w - < -

) -

--4

~.'[.- ,

f p $ ,.&__

_m ,

ICSBil;-?1 ,

~

~ + -

c-

.c ,

f; , 4 k~.~1 _.2 ._ _ m .._...m .

MNPS-3 FSAR I NRC Letter: May 31, 1983 Question Q420.1 (Section 7.5)

Provide response to IE Bulletin 79-27 concerns. (An event requiring operator action concurrent with failure of important instrumentation upon which these operator actions should be based.)

Response

k ._ ApyITeant has reviewed the Class 1E and non-Class 1E bus power supply to safety and nonsafety related instrumentation and control systems which could affect the ability to achieve a cold shutdown I condition.

Millstone Unit 3 can achieve a cold shutdown condition without the use of any non-Class 1E power. The station is designed in compliance with Regulatory Guides 1.139 and 1.53. Since all the equipment required to achieve a cold shutdown is redundant and is powered from redundant Class 1E buses, the single failure criteria is satisfied.

Loss-of power on Class 1E or loss of power on non-Class 1E buses is annunciated on the main control board. Plant procedures will be developed to meet the operational concerns of,IE Bulletin 79-27.

s

( g  %- mmer 'n '

~.

Revision 1 Q420.1-1 November 1983

5,4 . g.a e , .. n L = - A 1

f l uSE P.T 'A'

Response

The applicant has reviewed the class IE and non-class IE bus power supply to safety and non-safety related instrumentation and control systems which could

, affect the ability to achieve a cold shutdown condition.

Millstone Unit 3 can achieve a cold shutdown condition without the use of any non-class IE power. The station is designed in compliance with Regulatory 7

Guides 1.139 and 1.53. Since all the equipment required to achieve a cold

shutdown is redundant and is powered from redundant class IE buses, the single failure criteria is satisfied.

An exception to the above single failure criteria on redundant buses are the Residual Heat Removal (RHR) isolation valves.

d --

An event that could be postulated to occur in the system that could render the 4 system inoperable is that a loss of ofIsite power coincident with a loss of a diesel

generator which powers one of the suction valves in each RHR trains. This loss of power could prevent system operation even though that system is available from the train that has not experienced a diesel failure. The system is designed

. with three valves in series on the suction side of each pump. Two of these valves are powered from the same diesel that powers the pump, and are located inside is the containment structure. The third valve is located outside of the containment l in the ESF building, and is powered from the diesel of the opposite train.

The system as designed complies to all the requirements for isolating the

! _ Reactor Coolant System (RCS) from the RHR system during normal plant operation when the RCS pressure is greater than 750 psig. However, if we impose the criteria that we must consider a loss of power, then we must consider

, the loss of the suction valve in the active train.

If the event as described above were to occur, the following operator action ,

would have to be taken to put the RHR into service af ter the RCS pressure has been reduced to 425 psig. The valve in the ESF building must be manually

[. opened.. To accomplish this, the key which opens the padlock on the handwheel of the valve without power must be obtained from the shift supervisor in the main control room. After obtaining the key, the breaker for the affected valve s

should be racked open and the padlock removed from the handwheel. The valve

- can . now be opened _ by ~ using the - handwheel. . Af ter this is accomplished the control room operator can open the valves located inside containment from the ~

i - main control board and start the RHR pump on.the active train. If the system E' rpressure ' subsequently l increases to' above a 750 psig the valve inside the

containment would automatically close and isolate the system.

In addition, plant pocedures. will be developed to meet these operational concerns.-

t 5

4;

+

] O 4

' , .__ r ... . .- . a .. . . . . . ._ . , , _ , - - - . _ _ , . , , , _ - m a...,

Open Items Instrumentation and Control Systems Branch ICSB-12 Bypass and Inoperable Status Panel (Draf t SER Section 7.5.2.2)

The FSAR Section 1.8 states that Millstone 3 design is in conformance with R. G.

1.47, Bypassed and inoperable status indication for nuclear power plant safety systems. During the review, the staff reviewed design drawings which contain information of the bypass and inoperable status panel. However, there is no information in the FSAR to describe the system. The staff requested that the applicant provides the descriptive information in Section 7.5 of the FSAR to demonstrate conformance with R. G.1.47. This is an open item.

Response (3/84)

See revised FSAR Section 7.5.

Status (3/84)

= Closed.

.1 ICSB12 .l~

w _ : .- . _ .

. . . _ . _ - _ _ _ - _ _ _ _ _ . . .m_ . __ __ _ ._ _ _ . . . _

~

u1217912src8u 03/05/84 241 MNPS-3 FSAR s

7.5.2 Analysis 1.11 Analyses for compliance with the requirements of this section are 1.12 i j_ addressed in Table 7.5-1. Further information is provided in the 1.14 Millstone 3 Design Basis Response to Regulatory Guide 1.97, Revision 2, 1.15 as referenced in Section 1.7.

7.5.3 Compliance with other Regulatory Requirements 1.17 1 1.- Compliance with Regulatory Guide 1.47 for ' bypassed and 1.19 L inoperable status design philosophy is described below.

a. An indicator of bypass is provided for each protection 1.22 system. " Bypass" includes any deliberate action which 1.23 renders a protection system inoperable.

b. The indicator is at the system level, not the channel or 1.24 i t component level. (Quench spray is a system. A quench 1.26 spray pump is a component.) There is a separate indicator 1.27 [

for each train.

1

c. The indicator is operated automatically only by actions 1.28 which meet all these criteria:

. The action is deliberate. (Component failure may be 1.31 indicated by component failure indicators but should not operate the system bypass indicator. It is not 1.32

.the intent of the indicator to show operator errors ,

i or component failures.)

The action is expected to occur more often than once 9- iif -t l'.33

~

a year. .This "more often than once a year" criterion '1.34 should be _ interpreted liberally. If an accessible, 1.35 permanently installed electrical control device will bypass a safety system, assume that it will be used 1.36 4

more than once a year.

Devices within the containment are not accessible. -1.38 i

. .The action .is expected when the protection system 1.40 must be operable. (Bypass of source range flux. trip 1.41 during normal power operation should not,- for example, be indicated on the system bypass indicator. 1.42

.It may be indicated'on a channel or component status ~1.43 3

, indicator.)

i

. The action renders the system inoperable, not merelyl 1.44 j potentially inoperable. (If, for example, redundant, 1.45

. parallel, 100 percent valves are' provided for the discharge line of a spray pump, the system bypass 1.46 1

indicator should not. be-actuated by the closing of 4 only one of those. valves. Valve closing may be 1,47

indicated on' a component status indicator. If both 1.48 valves have been deliberately moved from' the "open" Amendment 8' 7.5-2 May 1984'

---

l_-___----___. _____a'*=_.a---

u1217912src8u'.

03/05/84 241 MNPS-3 FSAR position, the system bypass indicator should be operated. If, on the other hand, each valve carried 1.49 only 50 percent flow, the system would be inoperable if either was not open. That inoperability should be 1.51 indicated at the system level. Also, if a system is 1.52 put in the " Trip" mode during test, there should be no operation of the system bypass indicator. Such a 1.53 test may be indicated on a channel status indicator.  :

If a channel is put into bypass mode for test and 1.54 sufficient redundant channels remain capable of l operating the protection system and not more than one 1.55 channel at a time is expected to be tested, the channel bypass should not be indicated at the system 1.56

, level. If an actuation signal will override the 1.57 I bypass, the system bypass indicator should not be operated. ,

. Some deliberate action has been taken place in t$he 1.58 protection system or a necessary supporting system. .

(For example, if the cooling water inlet valve for a 1.59  ;

recirculation spray heat exchanger is deliberately ,

closed, the system bypass indicator for the 1.60 i recirculation spray system should be operated.)  !

c. The bypass indicators are separate from other plant 2.2 indicators and grouped in a logical fashion.

l 8- T '

d. A capability is provided to operatie each bypass indicator 2.3 l manually. This lets the operator provide bypass 2.4 indication for an event that renders a safety system i inoperable but does not automatically operate the system 2.5 bypass indicator. .

e. . There is not any capability to -defeat an automatic 2.6 [

operation-of a bypass indicator. (Audible alarms may be 2.7 l silenced.)  ;

I

f. The' bypass indicators are accompanied by audible alarm. 2.8 I l-

' immediate -operator action is required as a: result of 2.9

~

g. . .No I any system bypass. indication. i I

h. The indication system is mechanically and electrically 2.10 ,

isolated from the safety system to avoid degradation of

~

the~ safety' system. No fault in the indicator system'can 2.12:

. impair'the ability of the safety system to perform its safety-related function. . The bypass indicators are not 2.13 "

. considered safety-relatedt i.e., they need not be designed to ' safety system criteria such as IEEE-279. 2.14

1. In accordance With IEE-279,. Paragraph 4.20, the operator 2.15 must be able to determine why a system level -bypass is indicated. This information is provided by the plant ;2.17 computer.

- Amendment 8 7.5-3 May 1984 w .- -+w s. r-, -

p- ,-,m- . - - - , - - -~ ~---y,-.,g , , - - - . , n+-,

~

. u1217912src8u 03/05/84 241

. , MNPS-3 FSAR u .

j. Service water system inoperative and diesel generator 2.18 inoperative indicators are provided. These support 2.19 systems are unique. They are important enough to warrant 2.20 bypass indicators, but these indicators are differentiated from saftey system bypass indicators by color. 2.21

k. System design meets the recommendations of ICES-21 as 2.22  ;

follows:

. Each safety system has a Train A (orange) and Train B 2.24 (purple) bypass indicator. The indicators are 2.25 grouped together by train on the main contol board. l Support systems have white bypass indicators and are 2.26 ,!

arranged together with the associated train of bypass indicators.  ;

. Millstone 3 has no., shared safety systems'. 2.27 .f 8 ~

I

. Means by which the operator can cancel erroneous 2.2S j bypassed indications are not provided. ,

. The bypass indication systems does not perform 2.29 functions essential to safety. No operator action'is 2.30 '

required based solely on the bypass indication. i

. The indication system has no effect on plant safety 2.31 ,

systems.

. The bypass indicating and annunciating function can 2.32 be tested during normal plant operation.

2. Compliance - with Regulatory Guide 1.75 for separation criteria 2.34 is described in Section 1.8 and the separate report on 2.35 Regulatory Guide 1.97.

3. Compliance with Regulatory Guide 1.105 for instrument spans and 2.36 setpoints is described in Sections 1.8, 7.1 and the separate 2.37 report on Regulatory Guide 1.'97.

4. The safety parameter display system (SPDS) and the emergency 2.38 response facilities (ERF) requirements are currently being 2.39 finalized. This information will be provided in a future 2.40 amendment.

Amendment 8 7.5-4 May 1984

Open items Instrumentation and Control Systems Branch ICSB-13 NUREG-0737 Item II.F.1 Accident Monitoring Instrumentation Position (4), (5), and (6) (Draf t SER Section 7.5.2.4)

Position (4), (5), and (6) of this action plan item require installation of the extended range containment pressure monitors, containment water level

. monitors, and containment hydrogen concentration monitors. Table 7.5-1 of the FSAR indicated that information on these parameters will be provided later. This is an open item.

Response (3/84)

Refer to the revised FSAR Table 7.5-1.

Status (3/84)

Closed.

3 9

ICSB13 - 1

j. . .

u-- ..: -- _ _ _ _ -

O.* .c gg

IWIPS-3 FSAfl ,

v., I

'i*

TABLE 7.5-1 (Cont) '4o<<

1 Type / Quallrication slumber Indicator implementation  %!

Mkr_ table llanee/ Status Catseerst Enviropeental Seismic of Channels Device Data Tl Containment .0-105 A1, 81, c1 4.eee -le.eee- -6 e -6ee.c Core i ad 9." t hydrogen  % g A 2a"* WQ,

• 3' concentration f. ,

10 ~' - 31 Yes Yes 2 per reactor 2 meter Core load M Routron flanc displays {3 j 1255 Centalement -estee A1, 32, C2 'Yes Yes 2 per plant 2 meters Core load .T [

- water level o (msopo g 1 recorder 1l~r (wide range).

82 D2 Yes Yes I per valve 1 pair or Iights Complete .  :

Basin steaalIne Open/ closed per valve  !

lastation volve '

Open/ closed D2 Yes Yes 1 per valve 1 pair or Iights Complete i IInin steselino per valve r hypass volve 83 slo slo 1/ rod 1 position Comp!eto f CentreI red pasitten 0-228 steps Iight/ rod i t

0-3500 psig A1, C1 Yes Yes 2 per plant 2 meters Core load RCS pressure 1 recorder (ou*mnded range)

C1 Yes Yes 2 per plant 2 a.eters Core load Containeont pressure 0-200 psis 1 dual recorder (outended range)

C2 Yes Yes 1 per va lve 1 pair of lights Complete Containment laslation Open/ closed per va lve  :

velve status ,

~

C2, E2 Yes Yes 2 per plant 2 recorders, CRT, Complete  ;

Ieydregon recombiner .7.1x10 pci/cc-digital display i cut >Icte ventilation 7.1p Cl/cc meter i radiation Yes Yes 1 per plant CRT Complete Turtaine driven auxiliary feedwater 10fici/cc-10 y Cl/cc C2, E2

.puep steen exneest t:

redsstion C2, E2 Yes Yes 1 per plant I recorder, CRT, Complete  !

Ventilation vent 10"5y UCI/cc 10 Cl/cc- digital display (extended range) meter i r

Supolementary leak .10[yCi/cc- C2, E2 Yes Yes 1 per plant 1 recorder Complets collection (extended 10 W Cl/cc range) t ,

i 2 or 6 , i f

Open items Instrumentation and Control Systems Branch

. ICSB-16 RHR System Isolation Valve Interlock (Draf t SER Section 7.6.2.1)

There are several inconsistencies in the FSAR description of the RHR valve interlocks. Section 7.6.2.1 states that the pressure limit is 700 psig, but in Section 5.4.7.2.4 states that the limit is 750 psig. Figure 7.6-1 shows additional interlocks on valve open circuits that is neither mentioned in Section 7.6.2.1 nor in Section 5.4.7.2.4. The applicant has not addressed the requirements of Branch Technical Position ICSB-3 for using diverse pressure transmitters. This is an open item.

Response (3/84)

Refer to revised FSAR Sections 7.6.2.1, 7.3, 6.3.2.1, 6.3.2.8 and Figure 6.3-% (1 of 1).

Status (3/84)

Closed.

T ,.

I

-ICSB16i 21-c . - _ _ _ _ _ .._ .. __ . _ -

~

a '. .

,,,.,-:. _-._ iann

. . ..- . _r .

c. .: a

.  :.2 . .: ~ .: .

narc.;t. ;;:_- -

cc. at ec r :r ;;;

d.  !) c : :. . charc;n~ rock ;wer elece - 5:5

e. E r . r g ; r. - cur c.iniflow .61ves cicLe cn S!2

f. Safety injectio:. pumps stcrt on SIS

g. The RHS pumps start on 515

h. Any cleced accumulatt: inclation valves open

1. Vcluse ccntrol tan; (VCT) cutlet isolation valves close on 5 5

2. Switchover from injection mode to recirculation involves the following interlocks:

a

a. The residual heat removal system (RHS) pumps are a stopped automatically when one of the two lowjfTvel X fua 4

%r M ansmitter 6 8at6 a Low-Low level in the EWST.

A g

b. Interlocks 'cre provided to assure isolaticn of the EHS and proper alignment of the containment recirculatien system for core cooling.

j c. The safety injecticn pur.p and chargir.g pump recirculation suction isolation valves can be opened prec ded that the safety injecticn pur.p m:niflt, 1:nes hav been isclated.

d. After approximately 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br />, cold leg recirculaticn is t erminat ed and het leg recirculaticn ir :n:tiated.

Th;s la cene ir terminato any b cl. ;r.c in t!.e core v.culd the cre d be n one of the F.CE ccid Icgr and ic prevCht b o r c T. pteCapitation.

A. EHS Pump Interlock frcn Injection to Recirculation

!nc details of achiev:ng crld leg recirculatien following safety

n]ection are gicen in Ecction 6.3.2 and in Tab'e 6.3-7 q Figure 7.6-3 shows the logic which is used to automatically control EMS pumps.

B. Sequenced Safeguard Signals C

requenced .4 nr-

;g.al it car.arited by the e rr r ae: - < -

4 IE ;'?.?JCE f t: *-

cafety ;rgett:en purp '.H S puq  :: - n r c;:.;

pu.p whenaver +

.als lirted w;tn tne associcte; purcs t

. -

, , < . .  ; - :.( .

3

1,

.. j.

e ,,

4 _ _ _ _ - _ -

I,n n

nn

.,, h- . -

'E-1 '

1 /

l 3

e-D s

)  ?

'- } - no

., 1 --

";~'

. Q ; . ,

3 - . . ,..- _. 1 :r. . -

. . . . .~ . ..r . . .

..,.-=....

,1

.t i- tw.s- , ,:.,.6 a , ,. g . . ,

_. r j

7,,... . .

grs , . . . . . . . . .

n .w a .ms. .r . .t, v- . . .

-. a

&. -3 '* ., - *

y ,

g *- . . . - . .,

j.

. . u

• • =

• * *

• N.:. L . . .e 1.

tv ,,

,

• a o . ,...

l.. .

e m -._ .J. -.

m .= ,

Z .

= x ~-:x .. . -%

t*  ;.e;>'  ;

..u' . .r.4.m e.e . j ******.

e 4

i -

a . .'- ,.=

d---.,

4 .-

i m';a ,;

4 .

_- ~ . - I_

t ....- g N-r:r ** .... --

• • • • t..t

'~ ' ' ,'<

- . PWp (Qi.Q". f %

s4 g. .t;.;." . I4.+= .

3.= i - .

.. .y

.. . ..e .

+ ~. 6 w.3r e=J.*,. . . ,, ~A. sa >  :, .. .,

~ ~.. ,~ ~ .,~.=..~.. ~.*. ~.

e ,1., ,

4, .,f*. . -

g

• T . . . , .. . r ~

.(d,, es. .t.. ("* % - 9 . -g4  : ,

~-..-.4.. - ~ -= -.

~~."._, -Y"' .y. g . . q.~,,,, . !..... . .-./ m .- -. ..-

_ , ., 4 ,*

4_ s e . -. m .

...~ *-- .~ +

,~....

..~e pn-', .,

e hy

.:T . ,',.!,. ,

-y ~

- A . - * "'.N..- -*.. ,

":*;.. s t .

L a. ..

s- .

. . * * * * * ** * - .~ . .--. " . . ..

+

g.y i g,. -...%."

i ' *

-~+ 1 ._,3 ,,

. A . .

A ,/,/,.

y4/

.t y . ... . . a . 4 ,i

, . . . A,..

e ,

. . =+-e

~-

t .,

T-""5.i..,."..".".***......

-va , .j:.,., . . . .a-t - . w.v. .

.:. y 9 .. - nu.,.,,,,, . . .u. 4 7 ... . . . .

.........s.. ........-....

.. +- -

. . g. , *, a..> c g . .

n.10n 4 . . - ,*.m . .-.

e a ..

-- a. . . - . . - , . . . ~ . . - . . . .

e q ,ric .a.q g s, , .q. .u a. .

m ..

u.*... 4 jg, - -==,, . . . .aw ,

. .....,4 ,

t g

..+..\..M,.,. . .

.< + _ + -

a.a .' .c

.... +

. . -=-= =- .--+ -~ =-. *+. ~ ..~ . .-. .

w

. o =* , m* t .,

. . . , r -. = = ~.. .

...,. 3t' , P* s 4 -.v.\ ., .. e . * ,

.. s * ;.'

.. % + ,' ~.~.~-a-~=.<..=..---

= = - "

~'" ,. : :

.. ,-..n. ..~..

', c

. . ." , - , .c=

. . . .. .*-e- . .

9 4.f- ;a t A, .g k

. .h4. .. - -

\_ .

T .d- . . .,

.... ~. ., ..-.. ..

j .,,g .3.. .

8 4 .. $ -- . _ - . - * - < es,

-. t ' . .w.

t

& .a3..y.e.w e 4.e.. . 4.. '.11,

. - - au

..,,,.3-

.,.e.e.

-, . s,i.w ., e,~ n e' v .s er a e

s

,g ,, , ,j.. . . . . . . ,t

. . . . . . . . , . .. . . . . i i

.c,. . .

g

. .- -. . ~ . .

. . - . t

. . , . *.eg. .

g .'.---b-  %. 6$.

[

'i *

, ,. 6 e .=

, ( . * * it &  ! e

.=.p

. u. .

. , , s. ]

I I

I se . ..

4 y : -p

.- .~3...- ~

.a,s. 2. g.,

I f,s j {g.s

. .e i,, 4

.A w .ie,-.

s, . u Is y, *, . . . ~ .e.

• * - ~ r e .- g .a e p r , ,

• • b . 6

.= -> e I

l,

.y

.* _. -c r.. a. ,,g.

. l I

.. F*

, , , .,5-:_

a r..-

f0 h e > b I. [A LOCA. ever assum n; a s;ngle fa;_ure in :he emergen:; power syster su:b 14 tr.t fa;__r: cf :ne d;eral : start.

. 2.:._ I;;;r: 3rd ;n:: er:2:;;r :;rgrtes

!ne :r::ess :1: d;t; rim _ f .e E::5 are :ntwr Or F;;ure .1-;. Tne p;; n; Er.d ;nstr;nents:::: ;agrams ass ::ated witr :ne E2:3 are sa:wn n F :;u r t :-  ;,;-1~ :nd .;-;. F e r tine r.: des;;n :n: :perat;ng parare:ers f:r :n ::m;:ne r .: :f :ne I 03 are giver. ir. Tctle 6.2-1.

The codes and ::andards :: wnich the individual c mponents of tne ECCS are designed are listed in Table 3.2-1.

The ecmpenent interlocks used in different modes cf system operation are listed bele -:

1. The safety injection signal (SIS) is interlocked with the ~

felieving =cmpenents and initiates the indicated action:

a. Charging pumps start en SIS

b. RWST suction valves to charging pumps cpen on SIS 4

c. Charging pumps to .RCS cold leg injection headers parallel isolation valves open on SIS

-d. Nermal charging path valves close en SIS

e. Chargir.g pump miniflow valves close en SIS f Safe:y injection pumps start on SIS

g. The RHR pumps start en SIS

h. Any closed accumulator isolation valves open-

1. Volur.e centrcl tank (VCT) cutlet isolation valves close on 5:5

2. ' Switch:ver from in;eetien mode to recirculation involves the following interl::ksi

a. The RHS " .p s gre g cpped automatically when o f k >(

4ve:ne@ow el v - - --4GLJETM a ' low-low level in j (

RWST. {dg[g4.

b. Interlocks are previded to assure isclation of the RMS and proper alignment of the containment recirculation system fer ccre eeeling.

c. The :afety injection pump and charging pump re:treulatien suction isolati:n valves can be -opened pr:vided that.the safety injection pump miniflow lines nave ceen isciated.

I E'. 3 - 3'

(

' i

I n .. , - . ., .. v, . . ,

-- .- w .

\.

_m .. . . . , , . __

s t

s y .A ) }.('L 6

. ~ .__ .

tv. 4 w,

cy c - .: w- .

.+ .- - < . .,

- ~

. ...c.

, ~. . ... e.... . c .-

c m ...~._ c_1 _ e

.-.,. .., , . .. ..g.....n.. .

, . . , ~,

.e . . . . .' . . ; r..~.. .....~.

c ~.~...' ~. . . '.e *c w= k" c,'-,~..

.- . *~... . . .. . * . ..'..A

... ~

....r.. . ~... ._, .. . . .. .., .. . _m,.... . . . , . . . .

.c. . .....

a.

.e,, -...s.,

. s...w..w .+. - y G. . u . . ..

ke Tne RWST~.dw bMkA

• 'b"%Au prot e ctic:: po..M

.-- locic a.-ckimic*d Ohcf'wh - fm. '. :6 d,+nn~h with each leva'

-hw &-t mcirc---h- saparate process c er.t r e l

m. . c on set. Four RWST level trans.itters *Prmb* :dM4 zD' sie.ncls.

L'e- h 10 "O TT

• e p *" d 4 " { * * " 9 ' 1 * ' d o * *' A ' '* 4 *'

• 4 l e '.* a ' "" k a " r e '

l _

le d -h r r.v.i 'de- M = _'. -- ....7"-m'e

-# w *' ' C e, 1. . A w *bu +1

'_m Waa d.

\ h,,n 1 S M..M et

.......v m%

6 %yM.q.M.% W g * " . %. j

• Tom A' , , g, gp ,. -* __^^ j g^-7+&L brQ m,, -

( K ew d Lue Out Of ,54rtr tM':T::':::n w-f.t! IC" P ~. N'.rttTDn

- *_ m.d .+..

-  %,e .iC  % Utili?.ed '.:. '.

,n a .1, .,.... .i.e m ,.

,. .. e CrLo_ra* s. ,t . t o e n c,,J,. ,. .s. -

3 m n1

,.L..,,.,-

to b.rlee .h .e. .... .p a. . 1,.

cm,r

.ww -- -

-.s.. .

. . .. - . . . -w

t. s.,,. .. . .

n u s . j G. ....v.s ...,r.

...+w .. . %.. .. c. +. e. y.

m...

. 4.

w .> t a' 3 -....:

..w q. e a . y- . . . i. *. o. 5 t -sy '" *. ' .. . .

C .. ,. y. ,. o eay - aw. e. A =. ,. *y. ".,, ti. 't y.e.

~

Tha lev 'ou . EWs~. e .' a ". e .'

- +.m....'

.. .'s e.. ' s o a . .. .rF +4 u *c *....* ' . . . ....C..o-...- y

+r ,,,,+.,. .L. ... ... ...

-~r.e. . .e .w,. ... n.

+e- .,3..'. . ..

...n. e. r.'..e.,

• v .........P .4 . . ,..

- . * * * + + + -

• .~.o.

c

. /.r* ..*

s.**. . . - * .

- . .-.-(.. . *. ***T.

.. . . - .- - a.

p -*.t .s. .

....... eg ..a..n.g. .w :

... i- .e..

,. g e..., p. s..

. .e. . g .,.. .- .m ., . . t

~.v i

~.-. m.

a<.......g,,

n.

.g ,. .. . .n . ~

po s [re.v g.e ;. .y.* *a. .v v e.o..,*,..

y ... . - .e v.

m. ... .s as . n

.9. *n

. -k '. ( ,. . ~;

s . "r'..'

r. *..,r,.

e. .q c. g ,g .. g,.g *. .= w- 3 p.w,+ . . . . .J4 at . .

3 ....4

. . . + . k g ,. ,, .. c,....,,e... 6,. .

.r.,,

.. ~..a.*..r..*'.'.'..s.A.*..**

...ww.u.w.,

+,,e y ..

,,.e

.y . +.. * .: ., - .. . .e . .

e. u w n . . .. , u, es b. ,. C ~. .. .-, .n.. .t . e. e..

. v ... . ,

. . 4 4'

. . yo. .Law. . ,, ,.. m. ,. ,. 4 ..,4 .o. - . . . . -. y 3.-..... ..- s +, ... .er.. ...Au

. n... c. y ~s.

.,g . 7 9. m. ...3r.

. .A

, ,.f.

,..-. '..e. .s4-

.r,y y- .i.*.-,e. .',J a u . -d .' g .

..,,,A.

..b .. ,,.

y. ...4.w.

S . ... *.... O. e.. +C e. a.. c

+..r a .; & ,, p .

2 ..w, y L. ...y. n e. ..6...,c'.,. w ......'.3' ar.-

A ,, , . ..

w.....g.,--

• y, r'. g -y L;. .y o. eZ .. ...op J o. g . .'.Aw

.. .,s. .

+..p,..'.~.$v...u. , ' . r.

- ..*. . s.. e

. . y f' w- .

• G,o . *-. ~. :. . y w* .

, ** c..+. ,, i *,

e e .. p A . .. ,.. t .* L..-.

s . L

• ft { e

. ~ y

c. s +. L. g, .a .. ..w..- .s . e. , I o. . .,

ye w.

. . ,.v.. .i 4 ...=re..v.-. . . , ,

4 . *..s. 5 g . C ,, ,, e .4* c. . ' * . * &_*'r."*.

.e , (

• s_2 ".#. *.' .o.

j ,3,(,

.., .. u..u . . . .. . . . . - . , . . . . ... . . . . .

.t . .,,. ..

o. ,...=.. ......,..;

.y.

• • . . C r. v . : .. 3 ,=. .c..**.o 's 1 . .

.r,, .., ,

wy....-

.tp . *., . . s.s. 1.C y. , y e a

• y v.a , r ,, e c. ....w.. ..e.., v. s.- . .- . .

.. ,. .,.e. . '

. ~. . . . . ..... ...~y .

a- . . . . . .

1

-@ .;~ &-~p'., sb .V4 o. .%.

,,,c..* . 1

&g..,.,. .e ,,. e. . , .. . , _

".k . .

e, ww .

. r

. , 4 , ,. - . . . . . .-- . . ... ,,. . ,

p.

. w. . <#....

j

}

n . .

.e n. . .

6 E,

- . _ - - - - - - - - - - - - - - - - - - - __m___._ _ _ . . . _ _ _ _ _ _ _

+

.r- ,

e .

,,,\: :: : :n.a

.-_ ^THE7 T r: L.'E t_ 'T"  ; ' 'r

_ 7FETi

~.;..  : . .

L.... _

.c r- . :.;r- _

-.:.;- e <;_ , - .at;: . c tu t;:- :.;.

~

.; I t:1cJC. at; .E e N T 7 4 . . i! ! L ;; ^" 15.ve_

. t.2.. 205:: 1pt;;r The residual heat removal system (RHS) isolation valver are ncrm:.lly closed and are only cpened for residual heat removal after system pressure is reduced to apprer.imately 425 psig.

TM 7.H 5 valver tre r: :v;de c eith red (0FErD and green ( C;.05 E r i

., ; t .

: inc;.c c i:n;: 1.; ;: . a lentec tt the r..,.* lech centrol switch fc:

e s t:. valve. 7:.e c e 21gr. s are powerec by va,1ve control pcuer and actuated by valve motor cperator limit switches.

There are three motor-operated valves in series.in each of the two RHS pump suction lines ~from the reactor coolant system (RCS) hot l legs. Two valves.in series located close to the containment walls, g,

one inside containment and one outside' containment, are provided with interlocks. The interlock features provided for the isolation valves are identical for both trains and are shown on Figure 7.6-1.

Each of the two valves is interlocked so that it cannot be opened unless the RCS pressure is below approximately 425 psig. This interloch prevents the valve from being opened when the ECS pressure plus the RHS pump pressure would be above the RHS system design pretsure.

A second pressure interlock is provided ently increasesto close the valv[e to above 76 6 automatically psic. Thece if"nterl the RCS k E$:~epe$cpr ssurg g eog?nt and diverse l M frld / /#wi r y**r

• h & o em iik w ne m f$ d.are y edfdWA.

The third valve in each train is located inside the centcinment and is cperated by a keylock centrol switch. He interlocks are provided.

7.6.2.2 Analysis Essed on tF0 se pe definitions presented in IEEE Standard 279-1971

.d 2.' i - 19' ; , ::.ece criteria do not apply to the RHS iscl tion valve interlerkc: nowever. in erder to meet NRC requirements and because of i a pcssible teverity cf the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following commentsi

1. For the purpose of applying IEEE Standard 279-1971, te this circu::, the ic11owing def;nitions will be used.

a. Trotection System Ira .

. . v e : in series in each line and all crn< u :: the:r r. erle:k:n; and :lecu:e c:rcuitr l

? . s -u Apr:1 19E3

/

u

Open items Ir.strumentation and Control Systems Branch ICSB-17 Isolation of Low Pressure Systems From the High Pressure RCS (Draf t SER Section 7.6.2.2)

General Design Criteria 15 requires that reactor coolant system and associated auxiliary, control and protection system shall be designed with suf ficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation including anticipated operational occurrences. The staff requested that the applicant identify all points of interface between the Reactor Coolant System (RCS) and systems whose design pressure is less than that of the RCS and for each interface to discuss the degree of conformance to the requirements of Branch Technical Position ICSB No. 3 and how the associated interlock circuits conform to the requirements of IEEE 279. This o an open item.

Response (3/84)

A review was conducted to identify low-prasure system interfaces with the R CS. Interface points which consist of passive pressure boundary barriers (reactor coolant pump thermal barriers and seals, manually operated normally closed valves), or lines designed to be exposed to the RCS at full pressure (PORV discharge lines) were not considered; such boundaries are designed with sufficient margin to assure that the design conditions of the reactor coolant pressure bomdary are not exceeded during any condition of normal operation.

The remaining interface points, and a description of their isolation provisions are provided below:

a) Residual Heat Removal System Suction Lines - The isolation valve arrangement for these two lines is shown in Figtre 5.4-5. Each line has three motor-operated isolation valves in series. The valves areinterlocked to prevent opening and to automatically close at RCS pressures which are high enough to damage the RHR system. These interlocks are described in Sections 5.4.7.2.4 and 7.6.2 of the FSAR. The outermost isolation valve in each suction line is on a different safety-related power train, than the two innermost isolation valves. Valve position indication for all six valves is provided at the main control board.

The RCS pressure boundary is located at the second valve from the RCS (MV8701 A, 8702B) during normal operation. The two valves just outside containment (MV8701B, 8702A) provide additional assurance of containment isolation during power operation.

During shutdown cooling, overpressure protection of the RHR system is provided by relief valves on the suction lines (RV870A, B) and administrative controls. The relief valves are designed to protect the RHR system from the inadvertent start of two charging pumps, on two high pressure safety injection pumps. Should RCS pressure increase above RHR design pressure, despite the relief valves, the RHR suction valves will automatically close.

ICSB17 - 1

Open items Instrumentation and Control Systems Branch b) Reactor Coolant System Letdown Line - The letdown line isolation valve arrangement consists of two series valves (LCV-459, 460) at the RCS (Figure 5.1-1, Sheet 2) two series valves at the containment penetration (CV-8152, 8160) and three parallel valves at the letdown orifices (SV-8149A, B, C) (Figure 9.3-3, Sheet 1).

All of these valves are air-operated and are designed to f ail-closed on loss of air or loss of electrical signal. Valve position indication is provided in the control room. The two containment isolation valve control circuits are on separate emergency power trains.

Although the piping between the two containment isolation valves is of a lower design pressure than RCS pressure, a relief valve, which discharges to the pressurizer relief tank (RV-8117), protects this section of piping from overpressure, should the downstream isolation valve (CV-8152) close while the upstream valves remain open. The CVCS letdown orifices restrict letdown line flow so that relief valve capacity is not exceeded.

c) Excess Letdown Lines - These lines contain two different types of isolation valve arrangements, as shown on Figures 3.1-1, Sheet 3 rnd Figure 9.3-7, Sheet 1:

1) One line is connected to the reactor vessel head vent system, downstream of valves SV-8095A,B and SV-8096A,B. These valves provide the primary means of isolating the RCS from downstream piping. Additional isolation capability is provided by downstream series valves MV-8098 and HCV-123. As can be seen from Figures 3.1-1, Sheet 3 and 9.3-7, Sheet 1, four series normally closed valves must be opened to allow communication of fluid pressure between the RCS, and the low pressure portion of the excess letdown line. These consist of two f ail-closed solenoid valves which are operated by emergency power on the head vent system, a motor-operated valve actuated by emergency power (MV-8098), and a f ail-closed, air-operated valve actuated by a nonsafety grade control circuit. All of these valves have handswitches and position indication in the control room.

2) There are four drain line connections for excess letdown on the RCS cold legs (Figwe 5.1-1, Sheet 3). Each of these has a normally closed, f ail-closed isolation valve (AV-8037 A, B, C, DJ. These are headered together, and f urther isolated from the low presswe portion of excess letdown piping by normally closed, f ail-closed, series valves AV-8!53 and HCV-123. AV-8153 is controlled by a safety grade control circuit, and HCV-123 by a nonsafety grade control circuit.

All of the isolation valves have position indication and hand switches in the control room.

d) Sample System - The sample system is connected to the RCS at the hot legs, the cold legs, and the pressurizer liquid and vapor spaces (Figwe 9.3-2, Sheet 2). The low pressure portion of the sampling system is normally ICSB17 - 2

Open Items Instrumentation and Control Systems Branch isolated from RCS presstre by a normally closed, f ail-closed solenoid valve, and a back pressure actuated pressure regulating valve. The solenoid valve is actuated by a non-saf ety grade power source, an'd is controlled at the sample panel.

Additional overpressure protection is provided by a flow restricting orifice upstream of the pressure regulating valve, and a relief valve downstream of the pressure regulating valve. Finally, additional isolation capability is provided for each sample line by two series, normally open, f ail-closed, solenoid valves. These valves are powered by diverse safety-related power supplies and have handswitches and position indication in the control room.

They are located between the normally closed solenoid valve and the pressure regulating valve, e) Charging Line Connection - The CVCS charging line connects to the RCS at the loop 1 and loop 4 cold legs, and at the auxiliary spray line at the pressurizer (Figure 9.3-8, Sheet 1). The charging line downstream of the charging pumps is designed to the same pressure as the RCS, and normally operates at a slightly greater pressure than the RCS.

The boundary between the RCS cold legs and the CVCS charging lines consists of two series check valves on each line (V-31, 32 on loop 1; V-147, 148 on loop 4). The boundary between the CVCS and the pressurizer consists of a check valve (V-175) in series with a normally closed, f ail closed air operated valve (AV-8145). AV-8145 has main control board indication, and control, and its control circuit is connected to a safety-related train.

Additional motor operated, air operated, and check valves are available in the charging line, to provide f urther assurance of isolation when required.

f) ECCS Discharge Line Connections - The ECCS discharge lines connect to RCS at the f ollowing locations:

a) Interf ace between the LPSI/HPSI systems and the RCS cold legs (f otr points).

b) Interf ace between the charging pumps and the RCS cold legs (four points).

c) Interface between HPSI/LPSI systems and the RCS hot legs (four points).

These interf ace points are shown on Figure 5.1-1, Sheets 1 and 2. At least two series check valves separate the RCS from the ECCS at the above points. A leakage detection line is connected between the check valves to allow periodic monitoring of any leakage past the check valve closest to the RCS. The leakage detection lines are headered together and discharge to the Reactor Plant Gaseous Drains System (Figure ' 6.3-2, Sheet 1).

ICSB17 - 3

Open items Instrumentation and Control Systems Branch Isolation between the high and low pressure portions of the leakage detection line is achieved by two series, normally closed, fail closed air operated valves (CV8871, 896te). These valves have hand switches and position indication in the control room. The control signal for each valve comes from a separate safety related train, and both valves close automatically on a CIA.

We consider the isolation provisions between the RCS and connected lower pressure systems discussed in this response to meet or exceed the intent of BTP ICSB 3.

Status (3/84)

Closed

! ICSB17 - 4

---

._-__--_a

Open Items Instrumentation and Control Systems Branch ICSB-18 RCS Overpressure Protection (Draft SER Section 7.6.2.3)

The reactor coolant system overpressure protection during low temperature operation is provided by the automatic opening of two pressurizer power operated relief valves (PORV). The actuation logic for PORY continuously monitors RCS temperature and pressure conditions. When pressure exceeds the programmed limit, an alarm will alert the operator to manually arm the system by a switch located on the main control board. During the design review, the staff raised a concern that a single failure could preclude the automatic actuation for all modes of operation including low temperature operation. The applicant noted that the design has not been finalized. This is an open item.

-Response(/ 3 84)

The design of pressurizer PORV control and block valves was discussed at the ICSB' meeting. The discussion focused on the possibility that a single failure

~

could preclude the automatic actuation logic for all modes of operation including  !

low temperature operation. The electrical schematics for Pressurizer PORY control and the block valves control were provided to'the NRC Staff review and-the Staff accepted the schematic used to preclude the above concern.

Status (3/84) -

4 Closed.-

N.

n,. -

s w ,

3 , q

. .i y 1: ,

.~

7l ,

n  % ,

f-

,, i '

/ E- -4

, s

~'

1, ci n _1. .

4. , . 'c,3

- ( .:

er

, 4,,( "*

I

..ICSB18 f 1 ? . 1

'n ' ,. i'GJt '; / 'assf '%

,  ?

-) NY  ;- 0y

Open Items Instrumentation and Control Systems Branch ICSB-19 Reactor Coolant System Loop Isolation Valve Interlocks (Draf t SER Section 7.6.' *i The FSAR Section 7.6.5 describes the reactor coolant system loop isolation valve interlocks. The description is incomplete and additional information is required to clarify that the design is in conformance with IEEE-279 requirements. This is an open item.

Response (3/84)

~ A discussion of the reactor coolant loop isolation valve interlocks was provided during the ICSB meeting. The applicant has determined to use the option of N-1

-loop operation for -Millstone 3 and appropriate changes to the FSAR will be submitted to the NRC for review when finalized.

Status (3/84) *

' Open.

O

^

.ICSB19 - 1 L._-- 9m

Open Items Instrumentation and Control Systems Branch ICSB-21 Control System Failure Caused By High-Energy Line Breaks (Draf t SER Section 7.2.2.2)

Operating reactor licensees were informed by IE information Notice 79-22, that if certain non safety-grade control equipment were subjected to the adverse environment of a high energy line break, it may impact the safety analyses and 1, the adequacy of the protection f tnctions performed by the safety-grade equipment. The staff has requested a review to determine whether the harsh

, environment associated with high-energy line breaks might catse control system malf unction and result in a consequence more severe than those of the FSAR Chapter 15 analyses or beyond the capability of operators or saf ety systems.

f The applicant has not provided a response to this open item.

~

Response (3/84)

) The attached response to Question 420.3 was provided and discussed at the ICSB meeting. The staff requested to revise and modify the response to consider

-effects of harsh environment associated with high-energy line breaks on PORV control system.

Status (3/84)

- Open. -

t J

t u 1

4-9

+%. e i

b ~

.( -

-.s-e

-t 9

q  % J '-

n. $

_ (,

[

h

- > ~

., '. -.~ +

t -

,e f, ,

.,m

, . .* + . = g

~

y } ', -

• ~

H

+ .< [ ~

m

-gICSB21:-.14 , y ,

,, . , ~ _- 5 .- s .

- . . gc

~

_ .; [J._

. . _ 2

MHPS-3 FSAR NRC Letter: May 31, 1983 Question Q420.3 (Section 7.7)

Provide response to IE Information Notice 79-22 concerns. (Control system malfunction due to a high energy break inside or outside of containment.)

Response

Steam Generator Power Operated Relief Valve Control System During normal plant operation, steam generator relief is accomplished by 3 MSS *PV20. This valve is controlled by nonsafety-related instrumentation which will automatically modulate the valve. Should these nonsafety-related ccntrols malfunction, result,ing in high steam generator pressure, the main steam safety valves will relieve the pressure. Safety-related analog indication is available in the control room to alert the operator to take manual control of the main steam pressure relief bypass valve (3 MSS *MOV74), which is safety-related. Should a malfunction result in low steam generator pressure, there is safety-related analog indication in the control room to alert the operator to manually close the main steam pressure relief isolation valve (3 MSS *MOVIS), which is safety-related. In addition, excessive low steam line pressure will result in main steam isolation and SIS.

Pressurizer Power Operated Relief Valve Control System Should a malfunction of the nonsafety-related elements in the autematic control circuit of the pressurizer PORVs result in high or low pressurizer pressure, there is safety-related instrumentation in the control rcom to alert the operator of the condition so that the operator can then manually control the PCRVs using the safety-related control switch on the main control board.

Main Feedwater Control System As discussed in FSAR Section 10.4.7.3, a malfunction in the nonsafety-related portion of the feedwater system could lead to one of two possible events: high water level inventory within a steam generator or low water level within a steam generator. For either case, level is monitored by fully qualified safety-related instrumentation which initiates protective action to fully qualified safety-related equipment. Therefore, no nonsafety-related failure could impact the protective functions performed by the safety-related equipment.

Automatic Rod control System

'}

h Westinghouse- WCAP-8976 provides a failure modes and effects analysis of the solid state, full length rod control system (FLRCS).

Attachment Q420.3-1 is an abstract which summarizes the WCAP, concluding that the design of the FLRCS will perform its intended.

bt" i. E -f f /W D A D'D I NS EET M Revisica 1 Q420.3-1 January 1984

MNPS-3 FSAR 4 _,- . . _ . _ - - . - . . . . -

--~~

Q_

reactivity control function accounting for failure of single active N, ' [

' ~

components.

(u-l l

Revision 1 Q420.3-2 January 1984

~'

MNPS-3 FSAR

_ ,n ~. _

((

' ~~

ATTACHMENT Q420.3-1 ) i I The full length rod control system (FLRCS) controls the power to the rod drive mechanisms for rod movement in response to signals received from -the reactor control system, or from signals generated through reactor operator action. Rod movement is used to control reactivity I of the reactor during plant operation. The FLRCS is designed to }

perform its reactivity control function in conjuncticn with the l reactor control and protection system to maintain the reactor core

/c with design safety limits.

.By the use of a failure mode and effects analysis, it is shown that ,

f the FLRCS will perform its reactivity control functions considering '

the loss of single active components. That is, sufficient fault limiting control circuits are provided which block control rod movement and/or indicate presence of a fault condition.at the control

j. board. Reactor operator action or automatic reactor trip will thus j mitigate the consequences of potential failure of the FLRCS. The' analysis also qualitatively demonstrates the reliability of the FLCRS

(- to perform its intended function.

~ _ _ . - __ _ -

,/

1 i

1 t

o O p t

.-g_

' Revision 1 , il ofil' January;1984E

' ~ -

V

. h4 ss nT 'A' STEAMLINE BREAK C0' INCIDENT WITH CONTROL R00 WITHDRAWAL ,

INTRODUCTION During a high energy line break (such as a steamline rupture), certain sensors used in control systems could be exposed to an adverse environment. If the equipment is not qualified for the adverse environment, a control system malfunction may occur.

The automatic rod control system is one of the control systems that could malfunction. The rod control system relies on measurements of T,yg, nuclear power, and turbine impulse pressure to determine if control rod motion is required. A small steamline rupture may occur outside of containment in the vicinity of the turbine impulse pressure transmitters, or inside containment in the vicinity of the excore detectors, thus exposing equipment used in rod control to an adverse environment. If the associated cabling and connections are not properly qualified, then the ' potential for steam impinging on this equipment and causing a control system malfunction must be addressed. One type of resultant malfunction,may i~nitiate the withdrawa~1 of'~the control rods coincident with the steamline break. . .

An analysis was made of steamline break with coincident withdrawal of the control rods to address the rod control system malfunction due to an adverse environment.

4 0

56110:1.D/020784 ,

. AVAILABLE PROTECTION The following functions provide protection during this rod withdrawal type of .

transient:

Reactor Trip

! - Power range neutron flux instrumentation actuates a reactor trip if two i

out.of four-channels exceed an overpower setpoint.

- A reactor trip is actuated if any two out of four AT channels exceed the overpower AT setpoint. . -

- A high pressurizer pressure reactor trip is actuated from any two out of l

four pressure channels which are set at a fixed point. This set pressure

~

is less than the set pressure for the pressurizer safety valves.

1 presmi eef l

- A high(pFHTUI, water level reactor trip is actuated from any two out of ,

three level channels when the reactor power is above approximately 10 percent (Permissive 7). ,

- A reactor trip is actuated subsequent to SIS actuation. SI may be actuated as a result of the steam line break.

RCCA Withdrawal Blocks

- High neutron flux'(one out of four power. range)

- Overpower AT (two out of four) -

0vertemperature aT ;(two out of four) v The following functions provide protection' for the steam line break:

1 5611Q:~10/0207841 .

. . . .x .w m zg;

, - , , , .. .... . , . . . -.._,s-,-. - ..,, .-

,. Safety Injection

- Two out of four low pressurizer pressure signals

- Two out of three low steamline pressure signals in any one loop Feedwater Isolation Sustained high feedwater flow would cause additional cooldown. Therefore, in addition to the normal control action, which will close the main feedwater valves following a reactor trip, an SI signal will rapidly close all feedwater control valves and backup feedwater isolation valves, trip the main feedwater pumps, and close the feedwater pump discharge valves.

Steam Line= Isolation

- Safety injection system actuation derived from two out of three low steamline pressure signal in any one loop (above Permissive-11)

- . . . .. 3 .

- Two out of three high negative steam pressure rate in any one loop (belcw ,

Permissive-11) .  !

All of the above functions may be actuated by a SLB/RCCA withdrawal transient.

. ANALYSIS OF EFFECTS AND CONSEQUENCES

- Method of Analysis

~

l This ' transient is analyzed by the LOFTRAN code . -This code simulates the neutron kinetics, RCS, pressurizer, pressurizer relief and safety valves, pressurizer spray, steam generator, and steam generator safety _ valves. The code computes pertinent plant variables, including temperatures, pressures, - '

' and power level. .

1. - Burnett, T. W. T., et al. , "LOFTRAN Code Description," WCAP-7907, June 1972. Also supplementary information in letter from T. M. Anderson, JNS-TMA-1802, May 26, 1978 and .NS-TMA-1824, June 16, -1978.

56110:1D/020784- .-

x .ma

A detailed thannal and hydraulic digital-computer code, THINC, has baan used to determine if DNB ix: curs for the core conditions computed by the LOFTRAN code.

The following assumptions were made for this transient.

a. Initial conditions of maximum core power and reactor coolant average temperature _ and minimum reactor coolant pressure, resulting in the minimum initial margin to DNB are used.

b. End-of-life shutdown margin and equilibrium xenon conditions. The most

' reactive RCCA stuck in its fully withdrawn position is assumed for conditions following reactor trip.

c. A negative moderator coefficient corresponding to the end-of-life unrodded core is used. This maximizes the reactivity insertion caused by. the cooldown during the steam line break.

d. Minimum capability for injection of boron (2,000 ppm) solution corresponding to the most restrictive single failure in the safety, injection system. The emergency core cooling system consists of three systems: 1) the passive accumulators, 2) the residual heat removal system, and 3) the safety injection system. Only the safety injection system is modeled for this analysis. ,

e. The reactor trip on overpower AT and overtemperature AT are assumed to be

. actuated at a conservative value. The AT trips include all adverse .

instrumentation and setpoint errors; the delays for trip actuation are l _. . assumed to.be,the maximum values., ,.

- _, . .s. ..<_.. ., , . . .

f. The RCCA' trip insertion characteristic is based on the assumption that the ..

highest worth assembly is stuck in.its fully withdrawn position.

g. The break size assumed for this transient is 1,72 feet 2 (.43 ft2 per S.G . ) . This is the largest. break size for which a low steamline pressure signal will _ not occur prior 'to the reactor trip on OPAT. Prior t!o the

'5611Q:1D/021084 y -

, g, ,

eventual steamlina isolation on low steamline pressure, this break is fed by all four steam generators. Following steamline isolation the break will be fed from one steam generator causing an'assymetric transient.

h. In computing the steam flow during a steamline break, the . Moody Curve for fL/D=0 is used.

Results i

The calculated. sequence of events for the SLB/RCCA withdrawal transient is shown on Table 1.

Figures 1 and 2 show the RCS transient and core heat $

flux following the steamline rupture with coincident RCCA withdrawal.

The steamline break affects the turbine impulse transmitters and causes the control rods to withdraw at the initiation of the transient. This causes an increase in reactor power and core heat flux to the point at which the

- overpower delta-T trip setpoint is reached. This' increase in core power generates a reactor trip which terminates the most a'dverse part of the transient. The steamline break causes an increased heat removal and ~

consequent decrease in primary pressure simultaneous with the increase in reactor. power. Secondary pressure also decreases until the low steamline pressure setpoint is reached initiating steamline and feedwater isolation.

Because of the lower RCS pressure coincident with the increase in reactor

~

power, the minimum DN8R may be more adverse than the Rod Withdrawal at Power

, transient analyzed in the FSAR. Thus, the steamline break with . coincident RCCA. withdrawal . is. analyzed to ensure that the FSAR is limiting. The most limiting part of this transient pertinent to this study is immediately prior to reactor trip; for this reason the analysis is terminated.at 50 seconds. ,

The modeling of Engineered Safeguards Features (SI, SLI,-FWI) is not needed since they will not be generated prior to reactor trip. The return to power following reactor trip and steamline isolation.is bounded by the transient for e

56110:10/021084 a-

the larger break presented in the FSAR. Tha FSAR analysis assumed a larger break size and initial conditions corresponding to no-load temperatures (i.e.,

less stored energy in the RCS and reactor fuel).

Margin to Critical Heat Flux A DNB analysis was performed for this transient. The DNBR was found to be greater than the limit value at all times.

CONCLUSIONS The analysis demonstrates that the DNBR does not decrease below the limit value and no fuel or clad damage is predictea. Additionally, no system overpressurization is expected, thus all applicable safety criteria are met.

Furthermore, t'he results are bounded by the accident analyses currently presented in the FSAR. Prior to reactor trip, this transient is bounded by -.

the uncontrolled Rod Withdrawal at Power event. As stated in the results, ~

this transient is bounded by the large steamline break analysis in the FSAR after reactor trip. There is therefore adequate protection on the Millstone 3 plant to ensure plant safety for this transient.

o 5

=

% A L

,&

• b I

{ '. s: I!( L- t .e 5 t *

• e 8 % 8iE # w '- 1 * 'r ** * * ' * * * * - - '* '* ~* - .

i .

e 56110:10/020784-n ,

u .

4 TABLE 1 TIME SEQUENCE OF EVENTS OF THE STEAM LINE BREAK WITH A COINCIDENT CONTROL ROD WITHDRAWAL Event Time (sec) ' )

Steam line ruptures 0.

Ovbrpower delta-T reactor trip setpoint reached 8.6 Rods begin to fall . . 10.6 -

Low steam line pressure setpoint reached 23.5 Steam line isolation occurs 30.5 Feedwater isolation occurs 30.5 O _

• wL nr 6  % s e

W G

e e

-~

w

.5 9

e 9

4 O e- r- - ,-- - ,-

O 2.0000  ;  ;  :

. ~

1.7500 - - "

5 e E 1.5000 - -

E 10 -

"J W .75000 - -

ME .50000 - -

.2,000 - .

t  : -

0. 0 . - -

' 2.0000  :  :

1.7500 - -

w -

1.5000 -

S g - -

[B W

1.2500 - -

1.0000 -

W .75000 - -

-gg ,50000 .

.25000.- - -

~

0. 8 -

2500.O

, 2250.0 --

~~

k ' 2000. 0 - -

1750.0 - -

~

e 1500.0 - -

U "

1250.0 - - -

g 1000.00 g g g a o o *

• 6 gi .

• S

. d. ~

TIME (SEC)

FIGURE 1 NUCLEAR POWER, CORE HEAT FLUX, AND RCS PRESSURE FOR THE 5ILLSTONE 3 SLB/RCCA WITHDRAWAL TRANSIENT

. l J

O 4 g,.

1 600.00 i  :

g w

w 575.00 - -

550.00 - -

( "

~~

w c 525.00 - '

Eu 500.00 - - 1 wI 475.00 - -

! .50.00 - -

,,,.00 - .

400.00 600.00 -

575.00 - -

}- 550.00 - - w "

- c - 5a5.00 - - .

i o 500.00 - - -

w

-9 475.00 - - "

> 450.00 - -

"" - l 425.00 - - .

400.00  : ,' l l

l l

1100.0.  ;  :

I w 1000.00 -

< s e 300.00 - - -

0- 800.00 - - -

E$

~~

700.00 - -

-<x e 600.00 - - -

W

,500.00 - -

400.00 - - -

e

' r r-

- - 300.00 , -

e e S

o 8

o o

o o

o .

!. .* & 5 e o o

g d. m m e I- -

TIME (SEC) r I

i FIGURE 2 .

CORE Tavg, REACTOR VESSEL-INLET TEMPERATURE, AND SG PRESSURE FOR THE. MILLSTONE 3 SLB/RCCA WITHDRAWAL TRANSIENT i

l

,,-. --,-c. . , , - . , - . - , - , . , , - . . .-.,y- _, , ., . _ . y .-,,,_,,, .._,,m,,-.-,.. ..,..,,---.--,-.--,--I

Open Items Instrumentation and Control Systems Branch ICSB-22 Freeze Protection for Instrument Sensing Lines (Draf t SER Section 7.7.2.3)

The instrument sensing lines that can be exposed to freezing temperature only provided _ an _ environmental control systems (heating and ventilation or heat tracing) to protect the lines from freezing during extremely cold weather. The environment associated with safety related sensing lines should be monitored and alarmed so that appropriate corrective action can be taken to prevent loss of or damage to the lines from freezing in the event of loss of the environmental control system. The staff requested the applicant to document the freeze protection system design in Section 7.7 of the FSAR. This is an open item.

Response (3/84)

For Millstone 3 the environmental control system as it applies to instrument sensing lines is the freeze protection (electrical heat . tracing) system. Refer to FSAR section 7.6.9 for the description of -the heat tracing of safety related system. The Millstone 3 freeze protection system meets the requirements of Regulatory Guide 1.151 as listed in Position C.5.a, C.5.b, C.5.c and C.5.d.

,Sa) Instrument sensing lines that_can be exposed to' freezing temperatures and

~t hat contain or can be expected to contain a condensable mixture or fluid-that can freeze should be provided an environmental control system

-(heating and ventilation' or heat tracing) to protect the lines from freezing during extremely cold weather."

This requirement is met for Millstone 3 instrument sensing. lines.

-5b) "The environment associated with those instrument sensing lines in a. that are safety related should be monitored and alarmed so that appropriate corrective action can be'taken to prevent loss of or damage to the lines from freezing in the event of loss of the environment control system."

All ' safety-related instrument sensing . lines: 'with L freeze protection are.

tem'perature monitored and alarmed.

' Sc) "The environment. control system recommended in a., and forf which b. -

applies,' should be electrically independent.of the monitoring and alarm

. system so that a single failure in either system, including their power

~

sources, does not affect the capability of the other system."

Because' two separate heat ; tracing and monitoring systems each with an independent; power source are employed ifor each safety-related . instrument sensing line .with freeze protection, a single failure in any of the two systems -

.will not affect the capability of the other system. -

15d)- "The environment control'and monitoring: systems of:a. and b. should _be-C : designed to standards commensurate-with their'importance to safety _ and with administrative controls that are implemented to address events or conditions that could render the systems inoperable."

~

J ICSB22 - 1

< a: -

Open Items Instrumentation and Control Systems Branch The design of the freeze protection _ system is such that safety-related instrument sensing lines requiring freeze protection are provided with two

- independent heat tracing systems. Each heat tracing system has its own temperature monitoring system. Administrative controls include periodic surveillance to insure that the heat tracing systems are properly operating.

Status (3/84)

Closed.

D e .,

.ICSB-11.- 1

._m

Open Items Instrumentation and Control Systems Branch ICSB-23 Feedwater Isolation Valve Schematic (Draf t SER Section 7.3.2.3)

- Refer to ICSB-8.

l'

~

I L.

,ICSB23' 1~ .

k

_ y.

I Open Items Instrumentation and Control Systems Branch ICSB-24 Hydrogen Recombiner System (Draf t SER Section 7.3.2.4)

The DBA hydrogen recombiner system controls the building of hydrogen gas inside the containment. The DBA hydrogen recombiner system consists of hydrogen monitors and hydrogen recombiners. The applicant has not completed the design on this system. The staff will review this design later.

Response (3/84)

The DBA hydrogen recombiner system is described in the FSAR Sections 6.2.5 and 7.3.1.1.5. Millstone Unit 3 Containment Hydrogen Monitoring System is designed as Category 1 (class IE) with dual redundant trains (train A & train B).

This system addresses the requirements set forth in NUREG-0737, Item 11 F.1 (6).

Each train contains stand alone analyzer and control cabinets which analyzes, monitors, alarms and trends containment hydrogen concentration.

The Containment Hydrogen Monitoring System will sample Hydrogen sources on an automatic / manual basis selectable from the control cabinet located in Hydrogen Recombiner Building Control Area.

Withdrawal of the samples from existing hydrogen recombiner lines, measurement of hydrogen concentration and return of the total sample to the containment are the basic functional assignments of the hydrogen analyzer cabinet.

Periodic calibration of the hydrogen monitoring system is automatically performed upon command from the hydrogen analyzer control cabinet. The mixture of hydrogen and nitrogen gases is used for the calibration.

Hydrogen Analyzer control concentration will be measured and converted to an analog signal (0-10% H2 ) for display on the digital panel meter, mounted on the control cabinet.

/ The system will have analog output for display (2 meters), recording (train A only) and alarming in the Main Control Board. Input is also provided to the plant computer.

Attached sketch shows the location and general arrangements for Hydrogen Monitoring System.

Status (3/84) j Closed.

ICSB24 - 1

V*

l 1 TRAIN A l  ;

~'

TRAIN B SIMILAR

.- ( ETRATION #'S AND LINEt%*5 MAIN CONTROL ROOM l

l(EXISTING) w */. H HI & HI MI GEN.

! Meter / 4 H2 AN g RECORDER atgpy L__ _ _ _ _ . _ _ _ _ __

INSIDE  ?; INSIDE H 2 CONTAINMENT RECOMBI N ER BUILDI NG H2 ANALYZER ZONE HR-01 p P 5~l ~~-

.qI ~ 2ANALYZER 1 P m T-H Co m purag, CONTROL

' l M ~ ' " ~l CABIN ET l gyPegg t____ _a u_ __a l

l' H2 RECOMBINER BLD.

BY 5 &W CONTROL AREA

' ZONE HR-02 ,

. 3HC5-OO2-2-2(A3 -

H \ *4 ;q rTO H 2 R ECOM B IN ER 4 4 -

>q l 3H C5, R BN RI A

• • %5P-750 61-2fA-)

Z 1,1 ##

l f J L 355P-750-62-2( A-)]

w2 62 Aa r, r, r, O FROM H2RECOMBINER

>He5.R.NR,A ,

sa5-OO2.,-2( A ) _

113 l

l H2ANALYZER CABINET-72"H x 24"D x 31"W - 750 LBS.

H2AN ALYZ ER ONT ROL CABINET- 70"H x 30" D x 26"W - 465 L B5, I

NUSCO SPEC. N0: SP-EE-141 R EV. O g

• NORTHEAST UTILITIES SE W MILLSTONE UNIT 3

• CONTAlQMENT HYDROGEN MONITORING SYSTEM

• KKB D*4 **" ""

o.n io.24-85 w ,, m

... mn mm s e, e - v.. SK-NRB-102583

- - - - - -_ _ , - . , - a, . ., ._, , ., -, , r,,m.., ,-,n,. , , . - . - - . , . , , , , . , , . - - m, ,.