ML13134A083

From kanterella
Jump to navigation Jump to search
Updated Final Safety Analysis Report, Revision 15, Chapter 7 - Instrumentation and Controls
ML13134A083
Person / Time
Site: Seabrook NextEra Energy icon.png
Issue date: 04/26/2013
From:
NextEra Energy Seabrook
To:
Office of Nuclear Reactor Regulation
References
SBK-L-13062
Download: ML13134A083 (319)
v  d  e


Text

S EABROOK S TATION U PDATED F INAL S AFETY A NALYSIS R EPORT C HAPTER 7 INSTRUMENTATION AND CONTROLS

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 1

7.1 INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and test and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Standard 279-1971 "IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations." The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady-state and transient power operations (ANS Conditions I, II, III) and to provide initiating signals to mitigate the consequences of faulted condition (ANS Condition IV). ANS conditions are discussed in Chapter 15. Consequently, the information presented in this chapter emphasizes those instrumentation and control systems which are central to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public.

It is shown that the applicable criteria and codes, such as General Design Criteria and IEEE Standards, which are concerned with the safe generation of nuclear power are met by these instrumentation and control systems. (See Tabl e 7.1-1 for a listing of applicable criteria.) Review of Section 8.3, Onsite Power Systems, serves as necessary and sufficient background for evaluating the electrical integrity of plant instrumentation systems. Figure 8.3-2, Figure 8.3-3 and Figure 8.3-4 provide an overview of the distribution system with emphasis on vital and nonvital instrument buses and elec trical separation divisions.

Definitions Terminology used in this chapter is based on the definitions given in IEEE Standard 279-1971. In addition, the following definitions apply: a. Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which, when tripped, will cause an automatic system trip. b. Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited, or otherwise rest ricted by the Technical Specifications. c. Cold Shutdown Condition - When the reactor is sub-critical by at least 1 percent k/k and Tavg is 200F. T avg is defined as the aver age temperature across the reactor vessel, as measured by the hot and cold leg temperature detectors.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 2 d. Hot Shutdown Condition - When the reactor is sub-critical, by an amount greater than or equal to the margin as specified in the applicable Technical Specification, and T avg is greater than or equal to the temperature as specified in the applicable Technical Specification. e. Phase A Containment Isolation - Closure of all nonessent ial process lines which penetrate Containment, initiated by the safety injection signal. f. Phase B Containment Isolation - Closure of remaining process lines, initiated by containment Hi-3 pressure signal (process lines do not include Engineered Safety Features lines). g. Single Failure - Any single event within the protection system which results in a loss of proper protective action at the system level when required. Single failure includes single credible malfunctions or events that cause a number of consequential component, module or channel failures.

h. DNBR - (Departure from Nucleate Boiling Ratio) - The ratio of th e critical heat flux (defined as the transition from nucleate boiling to film boiling) to the actual local heat flux. i. System Response Times:
1. Reactor Trip System Response Time The time interval from when the monitored parameter exceeds its trip setpoint at the channel sensor until loss of statio nary gripper coil voltage. 2. Engineered Safety Features Actuation System Response Time The time interval from when the monitored parameter exceeds its ESF actuation setpoint at the channel sens or until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.). Times shall include diesel generator starting and sequence loading delays where applicable.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 3 j. Reproducibility - This definition is taken from Scientific Apparatus Manufactures Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology: "The closen ess of agreement among repeated measurements of the output for the same value of input, under normal operating conditions over a period of time, approaching from both directions." It includes drift, due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).

k. Accuracy - This definition is derived from Scientific Apparatus Manufactures Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology. An accuracy statem ent for a device falls under Note 2 of the SAMA definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditi ons: "Reference accuracy includes conformity, hysteresi s and repeatability." To adequately define the accuracy of a system, the term reproducibilty is useful as it covers normal operating conditions. The following term s, "trip accuracy" and "indicated accuracy" etc., will then include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to anothe r value established by testing, conformity may be eliminated, and the term reproducibility may be substituted for accuracy. l. Normal Operating Conditions - These conditions cover all normal process temperature and pressure changes. Also included are ambient temperature changes around the transmitter and racks. Not included are accuracies under "post-accident" conditions. m. Readout Devices - For consistency, the final device of a complete channel is considered a readout device. This includes indicators, recorders, isolators (nonadjustable), and controllers. n. Channel Accuracy - This definition includes accuracy of primary element, transmitter and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field-mounted hardware. Rack environmen tal effects are included in the next two definitions to avoid duplication due to dual inputs. o. Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices and rack environmental effects.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 4 p. Trip Accuracy - This definition includes compar ator accuracy, channel accuracy, for each input, and rack environmental effects. This is the tolerance expressed in process terms (or percent of span) within which the complete channel must perform its intended trip function. The term "actuation accuracy" may be used where the word "trip" might cause confusion (for example, when starting pumps and other equipment). q. Control Accuracy - This definition includes ch annel accuracy, accuracy of readout devices (isolator, c ontroller), and rack environmental effects. Where an isolator separates control and protection si gnals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. It is simply defined as the accuracy of the control signal in percent of the span of that signal. This will then include gain changes where the control span is different from the span of the measured variable. Where controllers are involved, the control span is the input span of the controller. No error is included for the time in which the system is in a nonsteady-state condition. 7.1.1 Identification of Sa fety-Related Systems 7.1.1.1 Safety-Related Systems The Nuclear Steam Supply System (NSSS) and the Balance-of-Plant (BOP) instrumentation discussed in Chapter 7 are those required to function to achieve the system responses assumed in the safety evaluations, and those needed to shutdown the plant safely, and are identified in this

section. a. Reactor Trip System The Reactor Trip System is a functionally defined system provided by the NSSS, and is described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the Reactor Trip System are given in Subsection 7.1.2.1. Figure 7.1-1 includes a single line diagram of this system. b. Engineered Safety Features Actuation System The Engineered Safety Features Actuation System (ESFAS) is a functionally defined system provided by the NSSS and is described in Section 7.3. The equipment which provides the actuation f unctions is identified and discussed in Section 7.3. Design bases for the Engineer ed Safety Features Actuation System are given in Subsection 7.1.2.1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 5 c. Engineered Safety Feature Systems The Engineered Safety Feature Systems that perform prot ective actions after activation by ESFAS or the operator are listed below. All systems except the ECCS are BOP provided. 1. Containment Spray System (Subsection 6.2.2)

2. Containment Isolation System (Subsection 6.2.4)
3. Combustible Gas Control System (Subsection 6.2.5)
4. Emergency Core Cooling System (Section 6.3)
5. Habitability Systems (Section 6.4)
6. Fission Product Removal and Control Systems (Section 6.5)
7. Emergency Feedwater System (Section 6.8). d. Instrumentation and Control Power Supply System Design bases for the Instrumentation and Control Power Supply System which is BOP provided are given in Subsection 7.1.2.1.

Further description of this system is provided in Section 8.3. e. Other Auxiliary Supporting Systems Auxiliary Supporting Systems are those systems that, upon receipt of actuation signals, must function to support and enable the operation of protection systems. Actuation signals for these systems are provided from the Engineered Safety Features Actuation System. All systems except the Chemical and Volume Control System are BOP provided. The auxiliary systems are: 1. Fuel Storage and Handling Systems (Section 9.1) 2. Station Service Water System (Subsection 9.2.1) 3. Cooling System for Reacto r Auxiliaries (Subsection 9.2.2) 4. Ultimate Heat Sink (Subsection 9.2.5) 5. Reactor Makeup Water System (Subsection 9.2.7) 6. Chemical and Volume Control System (Subsection 9.3.4)

7. Air Conditioning, Heating, Cooling and Ventilation Systems (Section 9.4). 8. Normal and Emergency Electrical Power Systems (Section 8.3)
9. Diesel Generator Mechanical Systems (Section 9.5)

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 6 f. Other Systems for Safety These are systems, safety-related and nonnuclear safety, which operate to reduce the probability of occurrence of specific accidents, maintain the plant within the envelope of operating condi tions postulated in the ac cident analyses, or are required to assure full protection capability. These systems are: Systems items 1, 5, 7, 8, 9, 10, 11 and 12 are BOP supplied, systems items 3 and 6 are NSSS supplied, and systems items 2, 4, and 13 are partially NSSS and BOP supplied. 1. Safety-related display instrumentation (Section 7.5) 2. Accumulator isolation valv e controls (Section 7.6) 3. Reactor Coolant System pressure control during low temperature operation (Section 7.6) 4. Residual Heat Removal System interlocks (Section 7.6)

5. Protection against spurious valve actuation (Section 7.6) 6. Switchover from injection to recirculation (Section 7.6) 7. Isolation of nonessential components in PCCW system (Section 7.6) 8. Bypass and inoperable status indication system (Section 7.1) 9. Area radiation and airborne radioactivity monitoring instrumentation (Subsection 12.3.4) 10. High energy line break sensing system (Section 7.6)
11. ATWS Mitigation System (Section 7.6)
12. Turbine Trip System (Section 7.3)
13. Steam Blowdown System Isolation on emergency feed pump start (Section 10.4.8 and 6.8) 7.1.1.2 Safety-Related Display Instrumentation Display instrumentation (Section 7.5, Table 7.5-1) provides the operator with information to enable monitoring the results of Engineered Safety Features actions following a Condition III or IV event. Section 7.5, Table 7.5-1 and Table 7.5-2 list instrumentation and controls provided to maintain the plant in a hot sh utdown condition, or to proceed to cold shutdown under normal operating conditions following condition III and IV events. The accident monitoring instrumentation for the safety-related systems includes position indication lights and indicators for the vital parameters in the systems listed in Subsection 7.1.1.1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 7 7.1.1.3 Instrumentation and Control System Designs All systems discussed in Chapter 7 have defi nitive functional requirements developed on the basis of the Westinghouse NSSS design. Figure 7.2-1, Figure 7.2-2, Figure 7.2-3, Figure 7.2-4, Figure 7.2-5, Figure 7.2-6, Figure 7.2-7, Figure 7.2-8, Figure 7.2-9, Figure 7.2-10, Figure 7.2-11, Figure 7.2-12, Figure 7.2-13, Figure 7.2-14, and Figure 7.2-15 define scope interface. Regardless of the supplier, the functional requirements necessary to assure plant safety and proper control are clearly delineated. 7.1.1.4 Plant Comparison System functions for all systems discussed in Chapter 7 are similar to those discussed in the comparisons provided in Section 1.3. 7.1.2 Identification of Safety Criteria Subsection 7.1.2.1 presents design bases for the systems given in Subsection 7.1.1.1. Design bases for nonsafety-related systems are provided in the sections which describe the systems.

Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15. Functional requirements, devel oped on the basis of the results of the accident analyses, which have utilized conservative assumptions and parameters, are used in designing these systems, and a preoperational testing program verifies the adequacy of the design.

Accuracies are discussed in Sections 7.2, 7.3 and 7.5. The documents listed in Table 7.1-1 were considered in the design of the systems given in Subsection 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in Table 7.1-1 for each criterion. Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Justification for any exceptions taken to each document for systems in its scope is provided in the referenced sections. 7.1.2.1 Design Bases

a. Reactor Trip System The Reactor Trip System acts to limit the consequences of Condition II events (faults of moderate frequency), such as loss of feedwater flow, by at most, a shutdown of the reactor and turbine, with the plant capable of returning to operation after corrective action. The Reactor Trip System features impose a limiting boundary region to plant operation which ensures that the reactor safety limits are not exceeded during Condition II, III and IV events, and that these events can be accommodated without developing into more severe conditions.

Reactor trip setpoints are given in the Technical Specifications.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 8 The design requirements for the Reactor Trip System are derived by analyses of plant operating and fault conditions where automatic rapi d control rod insertion is necessary to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard 279-1971 are discussed in Subsection 7.2.1. The design limits for the Reactor Trip System are: 1. Minimum DNBR shall not be less than the safety analysis limit value as a result of any anticipated transient or malfunction (Condition II faults). 2. Power density shall not exceed th e rated linear power density for Condition II faults. See Chapter 4 for fuel design limits. 3. The stress limit of the Reactor Coolant System for the various conditions shall be as specified in Chapter 5. 4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any Condition III fault (10 CFR 20, Standard for Protection Against Radiation). 5. For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety (10 CFR 100, Reactor Site Criteria). b. Engineered Safety Features Actuation System The Engineered Safety Features Actuation System acts to limit the consequences of Condition II and III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the Safety Injection System

). The Engineered Safety Features Actuation System acts to mitigate Condition IV events (limiting faults, which include the potential for significant release of radioactive material). The design bases for the Engineered Safety Features Actuation System are derived from the design bases given in Chapter 6 for the Engineered Safety Features. Design bases requirements of IEEE Standard 279-1971 are addressed in Subsection 7.3.1.2. General design requirements implemented are given below.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 9 1. Automatic Actuation Requirements The primary functional requirement of the Engineered Safety Features Actuation System is to receive input signals (information) from the various on-going processes within the reactor plant and Containment and to automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the Engineered Safety Features System. The performance objectives of these systems are outlined in Chapter 6. The functional diagrams presented in Figure 7.2-5, Figure 7.2-6, Figure 7.2-7 and Figure 7.2-8, depict the functions (or parameters) associated with the Engineered Safety Features Actuation Systems. 2. Manual Actuation Requirements The Engineered Safety Features Actuation System has provisions in the main control room for manually initia ting the functions of the Engineered Safety Features System, at the system level. c. Instrumentation and Control Power Supply System The Instrumentation and Control Power Supply System provides continuous, reliable, regulated single-phase AC power to all instrumentation and control equipment required for plant safety. Details of this system and the design bases are provided in Section 8.3. d. Emergency Power Design bases and system description for the emergency power supply are provided in Chapter 8.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 10 e. Interlocks Interlocks are discussed in Section 7.2, Section 7.3, Section 7.6 and Section 7.7.

The protection (P) interlocks are given on Table 7.2-2 and Table 7.3-2. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the NSSS will be put into and maintained in a safe state following an ANS Condition II, III or IV accident, commensurate with applicable Technical Specifications and pertinent ANS criteria. Therefore, the protective systems have been designed to meet IEEE Standard 279-1971 and are enti rely redundant and separate, including all permissives and blocks. All blocks of a protective function would be required to function in accordance with Ge neral Design Criteria 20, 21 and 22 and paragraphs 4.11, 4.12, and 4.13 of IEEE Stan dard 279-1971. Control interlocks (C) are identified on Table 7.7-1. Because control interlocks are not safety-related, they have not been specifically designed to meet the requirements of IEEE Protection System Standards.

f. Bypasses Bypasses are designed to meet the requirements of IEEE Standard 279-1971, paragraphs 4.11, 4.12, 4.13 and 4.14. A discu ssion of bypasses provided is given in Sections 7.2 and 7.3. g. Equipment Protection The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed and installed to protect it from damage. This is accomplished by designing to accepted standards and using

criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE Standard 344-1975.

During construction, independence and separation are achieved, as requi red by IEEE Standard 279-1971, IEEE

Standard 384-1974 and Regulatory Guide 1.75, consistent with Attachment C to AEC letter dated Dec. 14, 1973 (Appendix 8A), either by barriers, physical separation, or demonstration test and anal ysis. This serves to protect against complete destruction of a system by fires, missiles or other natural hazards.

h. Diversity Functional diversity has been designed into the system. Functional diversity is discussed in Reference 1. The extent of diverse system variables has been evaluated for a wide variety of postulated accidents. Generally, two or more diverse protection functions would automatically terminate an accident before unacceptable consequences could occur.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 11 For example, there are automatic reactor trips based upon neutron flux measurements, reactor coolant loop temperature measurements, pressurizer pressure and level measurements, and reactor coolant pump underfrequency and undervoltage measurements, as well as trips which are initiated manually, and by initiation of a safety injection signal. Regarding the Engineered Safety Features Actuation System for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from two diverse parameter measurements. 1. Low pressurizer pressure

2. High containment pressure (Hi-1) For a steam line break accident, a safety injection signal can be obtained manually or by automatic initiation from three diverse parameter measurements.
1. Low compensated steamline pressure
2. For a steamline break inside Containment, high containment pressure (Hi-2) provides an additional parame ter for generation of the signal. 3. Low pressurizer pressure All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE Standard 279-1971. The seismic and environmental qualification for protection system sensors and channels is discussed in Sec tions 3.10 and 3.11, respectively. i. Bistable Trip Setpoints Three values applicable to reactor trip a nd engineered safety features actuation are specified:
1. Safety limit
2. Allowable value 3. Nominal value. The safety limit is the value assumed in the accident analysis and is the least conservative value. The reactor trip setpoint limits specified in the Technical Specifications are the nominal values at which the reactor trips are set for each parameter. The setpoints have been selected to ensure that the reactor core and Reactor Coolant System are prevented from exceeding their safety limits during normal operation and design basis anticipated operational occurrences, and to assist the Engineered Safety Features Actuation System in mitigating the consequences of accidents.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 12 The methodology to derive the nominal tr ip setpoints is ba sed upon statistically combining all of the uncertainties in the channels and applying this total uncertainty with margin in the conservative direction. Inherent to the determination of the trip setpoints is the determination of the magnitudes of the

channel uncertainties. Sensors and other instrumentati on used in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes. To accommodate the instrument drift assumed to occur between operational tests and the accuracy to which setpoints can be measured and calibrated, allowable values for the reactor trip setpoints have also been specified in the Technical Specifications. Operation with setpoints less conservative than the nominal trip setpoint, but within the allowable value, is acceptable since an allowance has been made in the selection of that setpoi nt to accommodate this error without exceeding the value used in the safety analysis. A further discussion on setpoints is found in Subsection 7.2.2.2a. Range selection for the instrumentation c overs the expected range of the process variable being monitored consistent with its application.

The design of the Reactor Protection and Engineered Safety Features Systems is such that the bistable trip setpoints do not require process transmitters to operate within 3 percent of the high and low end of their calibrated span or range. Functional requirements established for every ch annel in the Reactor Protection and Engineered Safety Features Systems stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels have the capability for, and are tested to ascertain that the characteristics throughout the entire span in all aspects are acceptable and meet functional requirement specifications. As a result, no protection channel operates normally within 3 percent of the limits of its specified span. The specific functional requirements for response time, setpoint, and operating span are based on the results and

evaluation of safety studies carried out usi ng data pertinent to the plant. Emphasis is placed on establishing adequate performance requirements under both normal and faulted conditions. This includes consideration of process transmitters margins such that even under a highly improbable situation of full power operation at the limits of the operating map (as defined by the high and low pressure reactor trip, T overpower and overtemperature trip lines (DNB protection) and the steam generator safety valve pressure setpoint), adequate instrument response is availa ble to ensure plant safety.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 13 Setpoints for safety-related BOP bistable instruments are determined using the same methodology which Westinghouse used for the protection system setpoints. This methodology complies with the me thodology outlined in Regulatory Guide 1.105 (Rev 1), as supplemented by the in formation presented in ISA Standard S67.04 (Draft F). This methodology is applied to the determination of set points for all safety-related (Class 1E) bistable instruments, as distinct from the wording of Regulatory Guide 1.105, "instruments in systems important to sa fety." This distinction is beneficial to the safety of Seabrook Station because it provides a tangible and controllable distinction between those setpoints whic h require special at tention and those which do not, while still insuring adequate safety consistent with the definition of "Class 1E" as stated in IEEE Std. 308. Error allowances used in setpoint determination are support ed by qualification testing, consistent with the postulate d service conditions for the required protective function. Time limits for the environmental qualification of safety-related instruments are one year post-accident, or as specified in the equipment qualification files. j. Safety-Related System Motor Selections Refer to Subsection 8.3.1.1i. k. Design Bases for Other Systems The design bases for the instrumentation and control of the safety-related systems designed and/or built by other than Westinghouse, as identified in Subsection 7.1.1, are:

1. Adequate control and monitoring instrumentation are provided for these systems as described in the applicable Updated FSAR se ctions, during all modes of operation includi ng post-accident conditions. 2. The sensors, impulse lines, actuat ing devices, wiring, interlocks and bypasses in actuation and monitoring circuits performing the safety functions satisfy the functional requirements of IEEE Standard 279-1971, and separation requirements as di scussed in Subsections 7.1.2.2 and 8.3.1.4. 3. The instrumentation and controls for both the safety-related and nonsafety-related portions of the systems are compatible with their environment as defined in Se ction 3.11. The safety-related instrumentation and control equipment has been qualified seismically and environmentally as described in Sections 3.10 and 3.11, respectively.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 14 7.1.2.2 Independence of Redundant Safety-related Systems The safety-related systems in Subsection 7.1.1.1 are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria and paragraph 4.6 of IEEE Standard 279-1971. The administrative re sponsibility and control provided during the design and construction is discussed in Chapter 17, Quality Assurance.

The electrical power supply, instrumentation, and control cable s for redundant circuits of a nuclear plant have physical separation to preser ve the redundancy and to ensure that no single credible event will prevent accomplishment of the associated function due to electrical cable damage. Detailed information pertaining to electrical cable system separation requirements for safety-related systems is give in Subsection 8.3.1.4. Critical circuits and functions include power, control and analog instrumentation associated with the operation of the Reactor Trip System or Engineered Safety Features Actuation System. Credible events shall include, but not be limited t o, the effects of short circuits, pipe rupture, missiles, fire, etc., and are cons idered in the basic plant design.

Control board details are given in Subsection 7.1.2.2b. In the control board, separa tion of redundant circuits is maintained as described in Subsection 7.1.2.2a.

a. General
1. Independence of Redundant Instrument Sensing Lines The independence of instruments a nd their sensing lines required for a system safety function is maintained through redundancy, physical separation and/or diversity in accordance with IEEE Standard 279-1971.

Sensing lines penetrating the primary Containment satisfy the requirements of Regulatory Guide 1.141 and the intent of Regulatory Guide 1.11. 2. Design Criteria and Bases for the Installation of Electrical Cable for Safety-Related Systems The design criteria and bases for the installation of cables for preserving the independence of redundant reacto r protection system s and engineered safety features systems with respect to cable derating, cable raceway fill, cable routing, sharing of raceways by safety-related cables with

nonsafety-related cables, and cable tray markings are the same as that presented in Subsection 8.3.1.4. 3. Spacing of Wiring and Components in Control Boards, Panels and Relay Racks Criteria for spacing of wiring and components in control boards, panels and relay racks are desc ribed in Subsection 7.1.2.2b.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 15 4. Physical Separation Criteria (a) The physical separation criteria for redundant safety-related system sensors, sensing lines, wireways, cables and components on racks within Westinghouse NSSS and BOP scope meet recommendations contained in Regulatory Guide 1.75 with the following comments: (1) The Westinghouse design of the protection system relies on the provisions of IEEE St andard 384-1974 relative to overcurrent devices to prevent malfunctions in one circuit from causing unacceptable influences on the functioning of the protection system. The protection system uses redundant instrumentation channe ls and actuation trains and incorporates physical a nd electrical separation to prevent faults in one channe l from degrading any other protection channel. (2) Separation recommendations for redundant instrumentation racks are not the same as t hose given in Regulatory Guide 1.75, Revision 2, for the control bo ards because of different functional requirements. Ma in control boards contain redundant circuits that are required to be physically separated from each other. However, since there are no redundant circuits which share a single compartment of an NSSS protection instrumentation rack and since these redundant protection instrument ation racks are physically separated from each other, the physical separation specified for the main control board does not apply. However, redundant, isolated control signal cables leaving the protection racks are brought into close proximity elsewhere in the plant, such as the control board. It could be postulated that electrical faults, or interference, at these locations might be propagated into all redundant racks and degrade protection circuits because of the close proximity of protection and control wiring within each rack.

Regulatory Guide 1.75 (Regulatory Position C.4) and IEEE Standard 384-1974 (Section 4.5(3)) provide the option to demonstrate by tests that the absence of physical separation

could not significantly reduce the availability of Class 1E circuits.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 16 Westinghouse test programs have demonstrated that Class 1E protection systems (nuclear instrumentation system, solid-state protection system and 7300 process control system) are not degraded by non-Class 1E circuits sharing the same enclosure. Conformance to the requirements of IEEE Standard 279-1971 and Regulatory Guide 1.75 has

been established and accepted by the NRC based on the following which is applicable to these systems at the

Seabrook site. Tests conducted on the as-built designs of the nuclear instrumentation system and solid-state protection system

were reported and accepted by the NRC in support of the

Diablo Canyon application (Docket Nos. 50-275 and 50-323) [See Reference 5].

Westinghouse considers these programs as applicable to all plants, including Seabrook.

Westinghouse tests on the 7300 Process Control System were covered in a report entitled, "Westinghouse 7300 Series Process Control System Noise Tests," subsequently

reissued as Reference 2. In a letter dated April 20, 1977 (Reference 3) the NRC accepted the report in which the

applicability of the Seabr ook plant is established. (3) The physical separation criteria for instrument cabinets within Westinghouse NSSS scope meet the recommendations contained in Section 5.7 of IEEE

Standard 384-1974. (b) The physical separation crit eria for redundant safety-related sensing lines meet the recommendations contained in Regulatory Guide 1.151, with the following comments. Redundant safety-related instrument sensing lines are not routed in the same area where they would be subject to external forces such as those due to jet impingement or pipe whip caused by an accident. All components located in seismi c areas are reviewed to ensure that they will not produce seismically-generated missiles that could damage safety-related components. The maximum feasible physical separation is maintained in areas where the redundant safety-related sensing lines are not subject to external forces caused by an accident.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 17 b. Specific Systems Independence is maintained throughout the system, extending from the sensor through to the devices actuated by the prot ective function. Physical separation or barriers are used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant protection channel set. Redundant analog equipment is separated by locating modules in different protection rack

sets. Each redundant channel set is energized from a separate AC power feed. There are four separate process anal og sets. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations and analog protec tion cabinets to the redundant trains in the logic racks. Redundant analog channels are separated by locating modules in different cabinets. Nonprotection system outputs are through qualified isolators

and are appropriately separated. The Solid-State Protection System input cabinets are divided into four isolated compartments, each serving one of the four redundant input channels. Horizontal 1/8-inch thick solid steel barriers coated with fire-retardant paint separate the compartments. Four, 1/8-inch thick solid steel wireways coated with fire-retardant paint enter the input cabinets vertically, each in its own quadrant. The wireway for a particular compartment is open only into that compartment so that flame could not propagate to affect other channels. Test (Reference 5) and analysis are used to address separation in the common area at the bottom of the input cabinets where the cables enter from the field raceways. In the Nuclear Instrumentation System, Process Systems, and where redundant channel instrumentation is physically adjacent, there are no wireways, or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks.

Redundant analog channels are separate d by locating modules in different cabinets. Since all equipment within any cabinet is associated with a single protection set and the cabinets are protected from external fa ults by isolators, there is no requirement for separati on of wiring and components within the cabinet. Independence of the logic trains is discussed in Sections 7.2 and 7.3. Two reactor trip breakers are actuated by two separate logic matrices to interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 18 1. Reactor Trip System (a) Separate routing is maintained for the four basic Reactor Trip System channel sets analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets. (b) Separate routing of the redundant reactor trip signals from the redundant logic system cabinets is maintained, and, in addition, they are separated (by spatial se paration or by provision of barriers or by separate cable trays or wireways) from the four analog channel sets. 2. Engineered Safety Features Actuation System (a) Separate routing is maintained fo r the four basic sets of Engineered Safety Features Actuation System analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets. (b) Separate routing of the Engineered Safety Features actuation signals from the redundant logic system cabinets is maintained. In addition, they are separated by spatial separation or by provisions

of barriers or by separate cable trays or wireways from the four analog channel sets. (c) Separate routing of control and power circuits associated with the operation of Engineered Safety Features equipment is required to retain redundancies provided in the system design and power supplies. 3. Instrumentation and Control Power Supply System The separation criteria presented above also apply to the power supplies for the load centers and buses distributing power to redundant components and to the control of these power supplies. Reactor Trip System and Engineered Safety Features Actuation System analog circuits may be routed in the same wireways provided circuits have the same power supply and channel se t identified (I, II , III or IV).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 19 4. Main Control Board (MCB)

The MCB is a hard-wired walk-in U-shaped duplex control board designed in accordance with IEEE 420. It contains a combination of Class 1E and non-Class 1E control and information devices necessary for remote operation of the unit. Arrangement of the controls within the MCB is system oriented. Within systems, it is train and/or loop oriented. Overall arrangements, besides providing for the separation requirements, are coordinated to assure safe and efficient operation. The front panels of the MCB contain the controls and inform ation displays for the engineered safeguards, reactivity, turbine, heat cycle equipment, cooling water, ultimate heat sink and the electrical power distribution systems. The rear panels of the MCB contain the controls and instrumentation displays for the secondary support systems. The separation criteria are discussed in Subsection 7.1.2.2a. The covered wireways, formed from solid or punched sheet steel, and the conduits above or below each board-mounted device, comply with the separation criteria required by IEEE Standards. The MCB wiring is color-coded NEC-type SIS copper conductor with flame-retardant

insulation, rated and qualified per IPCEA, UL, or IEEE standards. Nonmetallic components, such as terminal blocks, wire cleats, cable ties, receptacles, indicating light lenses, nameplates, etc., are furnished of materials meeting the nonflammability requirements of UL standards. The separation criteria within the M CB are given in Table 8.3-10 and were based on analysis and testing as permitted by Subsection 4.3.3 of IEEE 420. This analysis and testing are documented in References 1 and 2 of Subsection 8.3.4. Each component is clea rly identified with a distinctively colored permanent tag. Colored nameplates are employed on the exterior

surfaces of the MCB to identify the component's function (see Subsection 7.1.2.3).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 20 c. Fire Protection For electrical equipment within the NSSS scope of supply, Westinghouse specifies noncombustible or fire retardant material and conducts vendor-supplied specification reviews of this equipment, which includes assurance that materials will not be used which may ignite or explode from an electrical spark, flame, or from heating, or will independently support combustion. These reviews also include assurance of conservative current-carrying capacities of all instrument cabinet wiring, which precludes electrical fires resulting from excessive overcurrent (I 2R) losses. For example, wiring used for instrument cabinet construction has teflon or tefzel insula tion and is adequate ly sized, based on current carrying capacities set forth by th e National Electric Code. In addition, fire retardant paint is used on protection rack or cabinet construction to retard fire or heat propagation from rack to r ack. Braided sheathed material is noncombustible. Subsections 8.3.1 and 8.3.2 describe desi gn aspects used for BOP electrical equipment in the prevention of fires in cable system, including separation between redundant trains and voltage levels, cable material selection and cable sizing. Details of the Plant Fire Protection System are provided in Subsection 9.5.1. 7.1.2.3 Physical Identification of Safety-Related Equipment There are four separate protection sets identifiab le with process equipment associated with the Reactor Trip and Engineered Safeguards Actuation Systems. A protection set may be comprised of more than a single process equipment cabinet. The color coding of each process equipment rack instrument nameplate coincides with the co lor code established for the protection set of which it is a part. At the logi c racks, the protection set color coding for redundant channels is clearly maintained until the ch annel loses its identity in th e redundant logic trains. The color-coded nameplates describe d below provide identification of equipment associated with protective functions and thei r channel set association: Protection Set Color Coding I RED II WHITE III BLUE IV YELLOW S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 21 The safety-related instrumentation and control system equipment throughout the plant is identified with colored tags or nameplates. The colored tags are consistent with the color coding of cables as defined in Subsec tion 8.3.1.3, and with the protection set nameplates as identified above. Equipment Nameplate Color Train A or Channel 1 Red Train B or Channel 2 White Channel 3 Blue Channel 4 Yellow

Accident Monitoring Instrumentation Orange (see Section 7.5 for additional clarification)

Nonsafety-Related Black Remote Safe Shutdown Purple The equipment nameplate colors described above represent the color assigned to identify each separation group. In the original nameplate design, the nameplat e background color was used to identify the separation group. As a result of labeling improvements, including the addition of bar codes, redesign of the background color was required. Newer nameplates may use different methods, such as black letters on a white bac kground with a border color that identifies the separation group. In this way, the same basic separation group color is ma intained for different nameplate styles. All noncabinet-mounted protective equipment and component s are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. All cable trays and conduits are identified using permanent markings (see Subsection 8.3.1.4). The purpose of such markings is to facilitate cable routing identification. Positive permanent identification of cables is made at all terminations. There are also identification nameplates on the input panels of the Solid-State Logic Protection System. Instrument sensing lines comply with the identification and color coding requirements of Regulatory Guide 1.151, with the following exceptions and as described in Section 1.8: a. Instrument sensing lines for a nuclear safety-related instrument are not color coded to identify its channel.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 22 b. Instrument sensing lines are tagged with unique line numbers at the instrument side of the root valve, on the process side of the instrument shut-off valve, and on each side of an obstacle when the tubing runs through the obstacle, such as a wall or floor. Redundant safety-related lines are installed using engineered design packages to ensure that the separation criteria are met. 7.1.2.4 Conformance to Criteria A listing of applicable criteria and the Updated FSAR sections where conformance is discussed is given in Table 7.1-1. 7.1.2.5 Conformance to Regulatory Guide 1.22 Periodic testing of the Reactor Trip and Engineered Safety Features Actuation Systems, as described in Subsections 7.2.2 and 7.2.3, comp lies with Regulatory Guide 1.22, "Periodic Testing of Protection System Actu ation Functions," as described in this chapter and in Section

1.8. Where

the ability of a system to respond to a bona fide accident signal is intentionally bypassed to perform a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room for the train in test. Test ci rcuitry does not allow two trains to be tested at the same time so that extension of the bypass condition to the redundant system is prevented. The actuation logic for the Reactor Trip and Engineered Safety Features Actuation System is tested as described in Sections 7.2 and 7.3. As recommended by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation it has been determined that: a. There is no practicable system that would permit operation of the equipment without adversely affecting the safe ty or operability of the plant; b. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and c. The equipment can routinely be tested when the reactor is shutdown. The list of equipment that cannot be tested at full power so as not to damage equipment or upset

plant operation is as follows: a. Manual actuation switches (reactor trip containment isolation phase A, containment spray actuation, a nd safety injection actuation) b. Turbine trips (initi ation and detection) c. Main steam line isolation valves (close) d. Main feedwater isolation valves (close)

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 23 e. Feedwater control valves (close) f. Main feedwater pump trip solenoids

g. Reactor coolant pump component cooling water isolation valves (close)
h. Reactor coolant pump seal water return valves (close) i. Charging header to cold leg isolation valves
j. Accumulator isolation valves (open).
k. Charging and letdown isolation valves (close)
l. Letdown heat exchanger component coo ling water outlet isolation valve (close) m. Reactor coolant pump trip (underfrequency)
n. Chemical and Volume Control System TK-1 outlet isolation valves (close) o. Refueling Water Storage Tank TK-8 to charging isolation valves (open)

The justifications for not testing the above 15 items at full power are discussed below. a. Manual Actuation Switches These would cause initiati on of their protection system function at power causing equipment damage or plant upset. It should be noted that the reactor trip function that is derived from the automatic safety injection signal is tested at power as follows: The analog signals, from which the automatic safety injection signal is derived, are tested at power in the same manner as the other an alog signals as described in Subsection 7.2.2.2c. The processing of thes e signals in the So lid-State Protection System (SSPS) wherein their channel orientation converts to a logic train orientation is tested at power by the built-in semi-automatic test provisions of the SSPS. The reactor trip breakers are tested at power as discussed in Subsection 7.2.2.2c.

b. Turbine There is no practicable system design that would permit actual tripping of the turbine without adversely affecting the operability of the plant. The reactor trip functions that receive input from the turbine trip signal are tested prior to startup:

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 24 c. Closing the Main Steam Line Isolation Valves Main steam isolation valves are routinely tested by full closure during refueling outages. Testing of the main steam isolatio n valves by full closure at power is not practical. As the plant power is increased, the coolant average temperature is programmed to increase. If the valves are closed under these elevated temperature conditions, the steam pressure transient would unnecessarily operate the steam generator relief valves and possibly the steam generator safety valves. The steam pressure transient produced would cause shrinkage in the steam generator level, which would cause the reactor to trip on low-low steam generator water level. Testing during operation will decrease the operating life of the valve. Based on the above identified problems incurred with peri odic testing by full closure of the main steam isolation valv es at power and since (1) no practical system design will permit full closure of these valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate the activated equipment is acceptably low due to testing up to final actuation, including partial stroke exercising, and (3) these valves will be routinely tested during refueling outages, the proposed resolution meets the guidelines of Section D.4 of Regulatory Guide 1.22. d. Closing the Feedwater Isolation Valve The feedwater isolation valves are routinely tested during refueling outages.

Periodic testing of these feed water isolation valves by closing them completely at power would induce steam generator water level transients and oscillations which would trip the reactor. These transients conditions would be caused by perturbing the feedwater flow and pressure conditi ons necessary for proper operation of the variable-speed feedwater pump control system and the steam generator water level control system. Any operation whic h induces perturbations in the main feedwater flow, whether deliberate or otherwise, generally leads to a reactor trip and should be avoided. Based on these identified problems incurred with periodic testing of the feedwater isolation valves at power and since (1) no practical system design will permit operation of these valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate the activated equipment is acceptably low due to testing up to final actuation, and (3)

these valves will be routinely tested during refueling outages, the proposed resolution meets the guidelines of Section D.4 of Regulatory Guide 1.22.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 25 e. Closing the Feedwater Control Valves These valves are routinely tested during refueling outages. To close them at power would adversely affect the operability of the plant. The verification of operability of feedwater control valves at power is assured by confirmation of proper operation of the steam generator water level system.

The actual actuation function of the solenoids, which provides the closi ng function, is periodically tested at power as discussed in Subsec tion 7.3.2.2e. The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test. Although the actual closing of these control valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could de feat the protective function. It is

noted that the solenoids work on the de-energize-to-actuate principle, so that the

feedwater control valves will fail closed upon either the loss of el ectrical power to the solenoids or loss of air pressure. Based on the above, the testing of the isolating function of feedwater control valves meets the guidelines of Section D.4 of Regulatory Guide 1.22. f. Main Feedwater Pump Trip Solenoids No practical system design will permit full trip function testing the feedwater pumps without adversely affecting the safe ty and operability of the plant. At power, tripping of these pumps would introduce a steam generator level transient, resulting in unnecessary trip of the plant from low-low steam generator level.

Hence, the complete trip functions will be routinely tested during refueling outages and/or as required by Technical Specifications. However, the high

pressure and low pressure stop valves of the feedwater turbines can be tested during power operation. A 2-way solenoid valve is included on each stop valve assembly. When energized, this allows each stop valve to be test stroked with the turbine in service to ensure that the st op valve stem is not stuck. The LP stop valves are only partially closed. A limit switch de-energizes the solenoid valve at test position. Hence, the stop valve will move up and down through the limit

switch deadband, as long as the operator holds his finger on the test push button.

The HP stop valves are tested for fully closed operation if the equipment operating condition permits.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 26 g. RCP Motor Component Cooling Wa ter Isolation Valves (Close)

Component cooling water supply and return containment isolation valves are routinely tested during refueling outages. Testing of these valves while the reactor coolant pumps are operating intr oduces an unnecessary risk of costly damage to all the reactor coolant pumps. Loss of component cooling water to these pumps is of economic consideration only, as the reactor coolant pumps are not required to perform a ny safety-related function. The reactor coolant pumps will not seize due to complete loss of component cooling. Information from the pump manufacturer indicates that the bearing babbitt would eventually break down but not rapidly enough to overcome the inertia of the flywheel. If the pumps are not stopped within 3 to 10 minutes after component cooling water is isolated, pump damage could be incurred. Additional containment penetrations and containment isolation valves introduce additional unnecessary potential pathways for radioactive leakage following a postulated accident. Also, since the component cooling water flow rates and temperatures are about equal during both plant power operation and plant

refueling, periodic tests of these valves during a refueling outage would duplicate accident conditions. Additionally, the possibility of failure of containment isolation is remote because an additional failure of the low-pressure fluid system in addition to failure of both isolation va lves would have to occur to open a path through the Containment. Based on the above described potential reactor coolant pump damage incurred with periodic testing of the component cooling water containment isolation valves at power, the duplication of at-power operating condition during refueling outages, and since (1) no practical system design will permit operation of these valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate the activated equipment is acceptably low due to testing up to final actuation, and (3) these valves will be routinely tested during refueling outages when the reactor coolant pumps are not operating, the proposed resolution meets the guidelines of Section D.4 of Regulatory Guide 1.22.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 27 h. Seal Water Return Valves (Close)

Seal return line isolation valves are routinely tested during refueling outages.

Closure of these valves during operation would cause the safety valve to lift, with the possibility of valve chat ter. Valve chatter would damage this relief valve.

Testing of these valves at power would cause equipment damage. Therefore, these valves will be tested during scheduled refueling outages. As above, additional containment penetrations and containment isolation valves introduce additional unnecessary potential pathways for radioactive release following a postulated accident. Thus, the guidelines of Section D.4 of Regulatory Guide 1.22 are met. i. Charging Header to Cold Leg Isolation Valves The opening of these valves during the test of the actuating protection channel would adversely affect the operability of the plant.

The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation and the valves are r outinely tested during refueling outages. j. Accumulator Isolation Valves (Open)

The position of the accumul ator isolation valves is controlled by the Technical Specifications. The specifications require these valves to be open and power removed. Since the valves are maintained in actuated position, online testing of valve actuation is not required. Based on the above, testing of the accumulator isolation valves meets the guidelines of Regulatory Guide 1.22 sin ce (1) no practical system design will permit operation of these valves without adversely affecting the Technical Specifications, (2) the probability that the protection system will fail to initiate the activated equipment is acceptably low due to the valve being maintained open when RCS pressure is above 1000 psig and testing will be performed up to final actuation device, and (3) these valves will be routinely operated during the plant heatup and cooldown cycles. k. Charging and Letdown Isolation Valves (Close)

Charging and letdown isolation valves are routinely tested during refueling outages. Closure of these valves during power operation may damage plant equipment due to thermal cycling of mechanical joints and charging nozzles. The probability that the protection system will fail to close these valves is acceptably low due to testing up to final actuation.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 28 l. Letdown Heat Exchanger Component Cooling Water Outlet Isolation Valve (Close) The letdown heat exchanger component cooling water outlet isolation valve is routinely tested during refueling outages. Closure of this valve causes thermal cycling which may cause damage to plant equipment. The probability that the protection system will fail to close this valve is acceptably low due to testing up to final actuation. m. Reactor Coolant Pump Trip (Underfrequency)

There is no practical system design that would permit reactor coolant pump trip on underfrequency without adversely affecti ng the safety and operability of the plant. This function is provided to assure that in the even t of decaying grid frequency and subsequent loss of power, the pumps have enough inertia to supply coolant flow on coastdown to cool th e core. Refer to Subsection 7.2.1.1(4), Reactor Coolant Low Flow Trips, for additional discussion of this function. n. Chemical and Volume Control System TK-1 Outlet Isolation Valves (Close)

Chemical and Volume Control System TK

-1 outlet isolation valves are routinely tested during refueling outages. Closure of these valves during power operation may damage plant equipment due to pressure or temperature swings on the seal flow to the reactor coolant pumps or momentary loss of seal cooling flow. The probability that the protection system will fail to close these valves is acceptably low due to testing up to th e final actuation device. o. Refueling Water Storage Tank TK-8 to Charging Pump Isolation Valves (Open)

Refueling Water Storage Tank TK-8 to charging pump isolation valves are routinely tested during refueling outages. Opening of these valves during power operation may damage plant equipment due to pressure or temperature swings on the seal flow to the reactor coolant pumps or momentary loss of seal cooling flow. The probability that the protection system will fail to open these valves is acceptably low due to testing up to the final actuation device. 7.1.2.6 Conformance to Regulatory Guide 1.47 The bypass indication system which does not perfor m functions essential to public health and safety during an accident is designed to meet paragraph 4.13 of IEEE Standard 279-1971 and the intent of Regulatory Guide 1.47.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 29 Automatic indication of the bypassed and inoperable status of safety systems is provided on the Video Alarm System (VAS). The VAS continuously monitors the status of selected components. When a bypass or inoperable condition is detected which results in either redundant train being inoperable, an audible alarm is sounded and an incoming alarm at the system (train) level is displayed on the VAS. The VAS also provides an overall system level alarm if both of the redundant trains are bypassed or made inoperable. When the bypass or inoperable condition affects only one channel of the protection system then only a channel level (not a system level) VAS alarm will be provided. The VAS alarm will be provided for the first condition if multiple, administratively controlled, conditions exist concurrently as part of a procedure which results in the bypass of a safety function. Once activated, the automatically initiated system level indication will remain on until the actuating condition is cleared and the VAS reset. In addition to the automatic VAS display, manua l bypassed and inoperable status indication is provided on the main control board for those systems whose complexity increases the possibility of having frequent inoperable conditions that are not monitored by the automatic system.

Indication is provided at the system level on a per train basis.

Activation of an indicator on the bypassed and inoperable status panel is performed through manual actuation of its corresponding pushbutton. An exception to this is the system level indication associated with the diesel

generator. These indicators are initiated automati cally. The bypassed and inoperable status pushbuttons are also monitored by the VAS. The VAS and the manual bypass and inoperable status indicators will automatically indicate the dependent auxiliary and safety systems that are made inoperable by a bypassed or inoperable safety system.

The design of the bypass indication system allows testing during normal operation.

The following rules are used to develop the system design, which satisfies Regulatory Guide 1.47: a. System and component testing that can render a system inoperable must be scheduled more frequently than once/year to be input to the bypass and inoperable status alarm. b. If a component is redundant within a redundant train, it will not be alarmed when bypassed or made inoperable. c. If a component is positioned by procedure after an accident, and given that the accident analysis does not reflect the consequences of that component out of position prior to the accident, it will alarm when out of normal position.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 30 d. If a component is required to change state upon receipt of the safeguard signal, testing of that component would involve placing it in a position required for the accident. If an accident should occur while returning the component to its normal position, the safeguards signal will reposition it automatically. Input to the system bypassed and inoperable status alarm is not provided in this case. The following lists the various systems provided with system level bypassed and inoperable status indication.

System Containment Building Spray (CBS) Primary Component Cooling Water (CC)

Chemical and Volume Control (CS)

Feedwater (FW)

Residual Heat Removal (RH)

Safety Injection (SI)

Service Water (SW)

Main Steam (MS) (Auto Only)

Diesel Generators (DG) 7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972 The principles described in IEEE Standard 379-1972 were used in the design of the Westinghouse Protection System. The system complie s with the intent of this standard and the additional guidance of Regulatory Guide 1.53 although the formal analyses have not been documented exactly as outlined.

See Subsection 7.2.2.2c(11) for a discussion of excep tions to the single failure criterion while a channel is bypassed for maintenance or testing.

Westinghouse has gone beyond the re quired analyses and has performed a fault tree analysis, Reference 1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 31 The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with single failure criterion set forth in paragraph 4.2 of IEEE Standard 279-1971. The interpretation of single failure criterion provided by IEEE

Standard 379-1972 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliabil ity. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The Reactor Trip and Engineered Safety Features Actuation Systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems. The design of the BOP 1E systems complies w ith IEEE 379-1972 and the additional guidance of Regulatory Guide 1.53. 7.1.2.8 Conformance to Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is di scussed in Section 8.1 and Subsection 8.3.1.2. 7.1.2.9 Conformance to IEEE Standard 317-1972 Conformance to this IEEE standa rd is discussed in Section 8.1. 7.1.2.10 Conformance to IEEE Standard 336-1971 The installation and preoperational testing of Class 1E systems and related Class 1E electrical power, instrumentation and control equipment conforms or will conform to the requirements of IEEE Standard 336-1971. The quality assurance program for design, procurement and installation is described in Chapter 17 and the preoperational test procedures for each system are described in Chapter 14. 7.1.2.11 Conformance to IEEE Standard 338-1975 The periodic testing of the Reactor Trip System and the Engineered Safety Features Actuation System conforms to the requirements of IEEE Standard 338-1975, with the following comments: a. The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals, or as determined by probabilistic risk/reliability evaluations, demonstrate this capability. Overall protection systems response time shall be verified. Sensors will be verified adequate for this design by; (1) historical records based on acceptable response time tests (power interrupt te sts), (2) in-place, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications. The Nuclear Instrumentation System detectors are excluded since they exhibit response time characteristics such that delays attributable to them are negligible in the overall channel response time required for safety.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 32 The measurement of response time at the time intervals in the Technical Specification provides assurance that the prot ective and engineered safety features action function associated with each channel is completed within the time limit assumed in the accident analyses. b. The periodic time interval discussed in IEEE Standard 338-1975, and specified in the plant Technical Specifications, is conservatively selected to ensure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. If any protection channel appears to be marginal, or requires more frequent adjustments due to plant condition changes, the time interval will be decreased to accommodate the situation until the marginal performance is resolved. c. The test interval discussed in IEEE Standard 338-1975 is developed primarily on past operating experience and modified, if necessary, to assure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine test interval. d. Nonroutine tests, such as operational tests performed when one of the redundant channels is inoperable, may require the use of temporary jumpers, lifted leads, or other circuit modifications. e. See Subsection 7.2.2.2c(11) for a discussi on of exceptions to the single failure criterion while a channel is bypassed for maintenance or testing.

Based on the scope definition give in IEEE Standard 338-1975, no other systems described in Chapter 7 are required to comply with this standard.

For detailed discussions regarding the testing of the non-NSSS ESF and 1E power systems, refer to Sections 7.3 and 8.3, respectively. 7.1.2.12 Conformance to Regulatory Guide 1.151 The recommendations of ISA Standard S67.02, 1980, as endorsed by Regulatory Guide 1.151, have been followed for the design and installation of safety-related instrume nt sensing lines, with the exceptions and clarifications listed below. See Subsections 1.8, 7.1.2.2, 7.1.2.1, 7.1.2.3 and 7.7.2 for discussions of specific sections. 1. The instrumentation defined as Categor y 1 in UFSAR Section 7.5 is the only instrumentation considered to be required to monitor safety-related systems. 2. In clarification of paragraph 5.2.2 (2) of ISA S67.02, where instrument tubing penetrates a shield wall, measures have been taken to reduce potential personnel exposure for radiation "streaming" from radioactive sources unless the radiation from piping nearby would be the larger source of exposure. These measures have included:

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 33 a. Locating penetration high enough to eliminate a concern from a radiation protection standpoint b. Locating some penetrations to avoid a direct streaming path from the source of radiation c. When the above two methods were not used, apply radiation absorbing penetration sealant. 3. The sensing lines from safety-related HVAC ductwork are designed to the same safety class as the ductwork, and are inst alled to the requirements of ANSI B31.1 Seismic Category I. 4. The sealed sensing lines for containmen t pressure, wide range reactor coolant pressure and the Reactor Vessel Level Indication System (RVLIS) are Safety Class 2 and installed to requirements of ANSI B31.1, Seismic Category I, rather than ASME Class 2 Seismic Category I, as recommended by Regulatory Position C.2.b or ISA S67.02, Section 4.1. The s ealed, fluid-filled, instrumentation systems are in accordance with the standard Westinghouse design. The containment penetration sleeve is part of the BOP scope and is ASME Class 2. 5. Common instrument taps are used for re dundant sensors for pr essurizer pressure and RCS flow (high pressure tap only). This is in conformance with the standard

Westinghouse design. 6. An evaluation has been performed of those instrument lines which were downgraded in accordance with the provisions of this regulatory guide from ASME Class 2 or 3 to ANSI B31.1. This evaluation was done to determine if the

failure of any of these lines would affect the safety function of the associated system. Where a passive failure of the instrument line would adversely affect the safety function of the system, an in spection of the line has been done to equivalent quality assurance requirements of ANS Safety Class 2 lines. Also, the lines have been installed to Seismic Category I criteria. Hence, a passive failure

of one of these lines is not postulated to occur. 7. Commercial grade dedication may be used, where applicable, instead of the requirements of ISA-S67.02 Sections 4.2.2 and 8.2 for components installed in accordance with ANSI B31.1 Seismic Category I. 8. See Subsection 7.2.2.2c(11) for a discussi on of exceptions to the single failure criterion while a channel is bypassed, i.e., removed from service, for maintenance

or testing.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Introduction Revision 11 Section 7.1 Page 34 7.1.3 References

1. Gangloff, W. C. and Loftus, W. D., "A n Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," WCAP-7706-L, July 1971 (Proprietary) and WCAP-7706, July 1 971. (Nonproprietary). 2. Marasco, F. W. and Siroky, R. M., "Westinghouse 7300 Series Process Control System Noise Tests," WCAP-8892-A, June 1977. 3. Letter dated April 20, 1977 from R. L. Tedesco (NRC) to C. Eicheldinger (Westinghouse). 4. Katz, D.N., "Solid State Logic Protection System Description" WCAP-7488-L, January 1971 (Proprietary) 5. "Westinghouse Protection Systems No ise Tests," WCAP-12358, October 1975.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 1 7.2 REACTOR TRIP SYSTEM

7.2.1 Description

7.2.1.1 System Description The Reactor Trip System automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment, and heat transfer phenomena. Therefore, the Reactor Trip System keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure, pressurizer water level (to prevent water discharge through safety valves, and

uncovering heaters), and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the Reactor Trip Systems are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint, the reactor will be shutdown to protect against either gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the Containment. The following systems and equipment make up the Reactor Trip System (see References 1, 2 and 3 for additional background information). a. Process Instrumentation System

b. Nuclear Instrumentation System
c. Solid-State Protection System
d. Reactor Trip Switchgear
e. Manual Actuation Circuit The Reactor Trip System consists of sensors, connected to signal processing circuitry consisting of two to four redundant channels, that monitor various plant parameters, and digital circuitry, consisting of two redundant logic trains which receive inputs from th e signal processing channels to complete the logic necessary to automatically open the reactor trip breakers.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 2 Each logic train is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers in series connect three-phase AC power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-2. During plant power operation, a DC under voltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor trip, removal of DC voltage to the undervoltage trip attachment releases the trip plunger and trips open the breaker. In addition, removal of DC voltage de-energizes the shunt trip auxiliary relay which causes the shunt trip coil to be energized to provide diverse tripping of the breaker. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually rese

t. The trip breakers ca nnot be reset until the abnormal conditions which initiated the trip ar e corrected. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as di scussed in Subsection 7.2.2.2c. a. Functional Performance Requirements The Reactor Trip System automatically initiates reactor trips: 1. Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II) 2. To limit core damage for in frequent faults (Condition III) 3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting

fault conditions (Condition IV). The Reactor Trip System initiates a turbine trip signal whenever reactor trip is initiated to prevent excessive reactor system cooldown which could result in reactivity insertion, reduced DNB ratio margin, and unnecessary safety injection actuation. This function is assumed in the accident analyses but it is not classi fied as a protective function. The Reactor Trip System provides for manual initiation of reactor trip by operator action. b. Reactor Trips The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the Reactor Trip System reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing, quality control and testi ng are used. In addition to redundant channels and trains, the design approach provides a Reactor Trip System which monitors numerous system variables, therefore providing a large amount of protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of pos tulated accidents (see Chapter 15).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 3 Table 7.2-1 provides a list of reacto r trips which are described below. 1. Nuclear Overpower Trips The specific trip functions generated are as follows: (a) Power Range High Neutron Flux Trip The power range high neutron flux trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint. There are two bistables, each with its own trip setting used for a high and a low range trip setting.

The high trip setting provides protection during normal power operation and is always active. The low trip setting, that provide s protection during startup, can be manually bypassed when two out of the four power range channels read above approximately 10 percent power (P-10). Three out of the four channels below 10 percent automatically reinstates the trip function. Refer to Table 7.2-2 for a listing of all protection system interlocks. (b) Intermediate Range High Neutron Flux Trip The intermediate range high neut ron flux trip circuit trips the reactor when one out of the two intermediate range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two out of four power range channels are above approximately 10 percent power (P-10). Three out of the four power range channels below this value automatically reinstate the intermediate range high neutron flux trip. The intermediate rang e channels (including detectors) are separate from the power range channels. The intermediate

range channels can be individu ally bypassed at the nuclear instrumentation racks to permit channel testing during plant

shutdown or prior to startup. This bypass action is annunciated on

the control board.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 4 (c) Source Range High Neutron Flux Trip The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint. This trip, which pr ovides protection during reactor startup and plant shutdown, can by manually bypassed when one of the two intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip function can also be reinstated below P-10 by an administrative action requiring ma nual actuation of two control board-mounted switches. Each switch will reinstate the trip

function in one of th e two protection logic trains. The source range trip point is set between th e P-6 setpoint (source range cutoff power level) and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant

shutdown or prior to startup. This bypass action is annunciated on

the control board. (d) Power Range High Positive Neutron Flux Rate Trip This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of four power range channels. This trip provides DNB protection against rod ejection accidents of low worth from mid-power and is always active. Figure 7.2-3 shows the logic for all of the nuclear overpower and rate trips. (See Reference 2 for additional information.) 2. Core Thermal Overpower Trips The specific trip functions generated are as follows: (a) Overtemperature T Trip This trip protects the core against low DNBR and trips the reactor on coincidence as listed in Table 7.2-1 with one set of temperature measurements per loop. The setpoint for this trip is continuously calculated by analog circuitry for each loop by solving the following equation:

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 5 IfP'PKT'S 1 1 T S 1 S 1KKT S 1 1 S 1 S 1T 1 3 6 5 421 o 3 2 1 Where: T = Measured T by RTD instrumentation 1 , 2 = Time constants utilized in lead/lag controller for T 3 = Time constant utilized in the lag compensator for T T c = Indicated T at rated thermal power K 1 = Preset bias K 2 = Preset gain which compensates for piping and instrument time delay S 1 S 1 5 4 = The function generated by the lead/lag controller for T avg dynamic compensation 4 , 5 = Preset time constant which compensates for instrument time delay T = Average temperature, F 6 = Time constant utilized in the measured T avg lag compensator T' = Indicated Tavg at rated thermal power K 3 = Preset gain which compensates for the effect of pressure on the DNB limits P = Pressurizer pressure, psig P' = Nominal RCS operating pressure S = Laplace transform operator, sec

-1 f 1 (I) = A function of the indicated difference between top and bottom detectors of the power-range nuclear ion chambers, with gains to be selected based on incore to excore calibrations.

A separate long ion chamber unit supplies the flux signal for each Overtemperature T trip channel.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 6 Increases in I beyond a pre-defined deadband result in decrease in trip setpoint. Refer to Figure 7.2-16. The required one pressurizer pressure parameter per loop is obtained from four pressure instruments on the pressurizer. Figure 7.2-5 shows the logic for Overtemperature T trip function.

b) Overpower T Trip This trip protects against ex cessive power (fuel rod rating protection) and trips the reactor on coincidence as listed in Table 7.2-1, with one set of temperature measurements per loop.

The setpoint for each channel is continuously calculated using the following equation: IfT" S 1 1TKT S 1 1 S 1 SKKT S 1 1 S 1 S 1T 2 6 6 6 7 754o 3 2 1 Where: T = Measured T by RTD instrumentation 1 , 2 = Time constants utilized in lead/lag controller for T 3 = Time constant utilized in the lag compensator for T T o = Indicated T at rated thermal power K 4 = Preset bias K 5 = A constant which compensates for instrument time delay 7 = Time constant utilized in rate-lag controller for Tavg 6 = Time constant utilized in the measured T avg lag compensator K 6 = A constant which compensates fo r the change in density flow and heat capacity of the water with temperature T = Average temperature F T" = Indicated Tavg at rated thermal power S = Laplace transform operator, sec

-1 S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 7 f 2 (I) = A function of the indicated difference between top and bottom detectors of the power-range nuclear ion chambers, with gains to be selected based on measured instrument response during plant startup tests. A separate long ion chamber unit supplies the flux signal for each Over power T trip channel. Increases in I beyond a pre-defined deadband result in a decrease in the trip setpoint.

Refer to Figure 7.2-16. The source of temperature and flux information is identical to that of the Overtemperature T trip and the resultant T setpoint is compared to the same T. Figure 7.2-5 shows the logic for this trip function. 3. Reactor Coolant System Pressurizer Pressure and Water Level Trips The specific trip functions generated are as follows: (a) Pressurizer Low Pressure Trip The purpose of this trip is to protect against low pressure which could lead to DNB. The parameter being sensed is reactor coolant pressure as measured in the pressu rizer. Above P-7, the reactor is tripped when the pressurizer pressure measurements (compensated for rate of change) fall below preset limits. This trip is blocked

below P-7. The trip logic and inte rlocks are given in Table 7.2-1. The trip logic is shown on Figure 7.2-6. (b) Pressurizer High Pressure Trip The purpose of this trip is to protect the Reactor Coolant System against system overpressure. The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate bistables are used for the trip. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits on coincidence as listed in Table 7.2-

1. There are no interlocks or permissives associated with this trip function. The logic for this trip is shown on Figure 7.2-6.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 8 (c) Pressurizer High Water Level Trip This trip is provided as a backup to the high pre ssurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is bl ocked below P-7. The coincidence logic and interlocks of pressuri zer high water level signals are given in Table 7.2-1. The trip logic for this func tion is shown on Figure 7.2-6. 4. Reactor Coolant System Low Flow Trips These trips protect the core from DNB in the event of a loss-of-coolant flow situation. Figure 7.2-5 shows the logic for these trips. The means of sensing the loss-of-coolant flow are as follows:

(a) Low Reactor Coolant Flow The parameter sensed is reactor coolant flow. Three differential pressure measurements at a piping elbow tap in each reactor coolant loop are used for the flow measurement. The basic function of this device is to provide information as to whether or

not a reduction in flow has occu rred. An output signal from two out of three bistables in a loop wo uld indicate a low flow in that loop. The coincidence logic and interlocks are given in

Table 7.2-1. (b) Reactor Coolant Pump Undervoltage Trip This trip is required in order to protect against low flow which can result from loss of voltage to at least one reactor coolant pump motor on each bus (e.g., from plant blackout or reactor coolant pump breakers opening). There is one undervoltage sensing relay connected for each pump at the motor side of each react or coolant pump breaker. These relays provide an output signal when the motor voltage goes below a preset level. Signals from these relays are time-delayed to prevent spurious trips caused by short-term voltage perturbations. Channel response time includes cons ideration of the bus voltage decay time due to generated Electro-Motive Force (EMF) from motors connected to the bus as the motors coast down. The

coincidence logic and interlocks are given in Table 7.2-1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 9 (c) Reactor Coolant Pump Underfrequency Trip This trip protects against low flow resulting from pump underfrequency, such as a major power grid frequency disturbance. The function of this trip is to trip the reactor in event of a decaying bus frequency condition. Subsection 8.2.3 provides additional details for the maximum credible frequency decay rate.

There is one underfrequency sensing relay for each reactor coolant pump motor. Underfrequency signals from two motors (one from each bus), time delayed to prevent spurious trips caused by short-term frequency perturbations, will trip the reactor if the

power level is above P-7. (For an evaluation of under frequency transients, see Chapter 15.) 5. Steam Generator Trip The specific trip function generated is the low-low steam generator water level trip. This trip protects the reactor from loss of heat sink. This trip is actuated on two out of four low-low water le vel signals occurring in any steam generator.

The level channels, which have c ondensate pots common to both steam flow transmitters and level transmitters, are lag compensated to prevent spurious trips caused by short-term pressure waves which are generated

during rapid closure of the turbine control valves. The logic is shown on Figure 7.2-7 (see Reference 1 for additional information).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 10 6. Reactor Trip on a Turbine Trip (anticipatory) The reactor trip on a turbine trip is actuated by two out of three logic from emergency trip fluid pressure signals or by all closed signals from the turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9. The reactor on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public.

This trip is included as part of good engineering prac tice and prudent design. No credit is taken in any of the safety analyses (Chapter 15) for this trip. The turbine provides anticipatory trips to the Reactor Protection System from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its

setpoint. One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. The contacts are closed

during plant operation and open to cause reactor trip when the turbine is tripped. No power is provided to the protection system from the contacts; they merely serve to interrupt power to cause reactor trip. This design

functions in a de-energize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry. This ensures that the protection system will in no way be degraded by this anticipatory trip because seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The reactor protection system cabinets which receive the inputs from the anticipatory trip sensors are, of course, seismically qualified as discussed in Section 3.10.) The SSPS input circuits in nonseismic structures are routed in conduit to maintain train separation and to prevent the application of fault voltages greater than the maximum credible fault voltages. The electrical and physi cal independence of the connecting cabling conforms to Regulatory Guide 1.75. The anticipatory trips thus meet IEEE 279-1971, including redundancy, separation, single failure, etc.

Seismic qualification of the cont acts sensors is not required. The logic for this trip is shown on Figure 7.2-15. 7. Safety Injection Signal Actuation Trip A reactor trip occurs when the Safety Injection System is actuated. The means of actuation the Safety Injection System are described in Section 7.3. This trip protects the core against a loss of reactor coolant or a steam

line rupture.

Figure 7.2-8 shows the logic for this trip.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 11 8. Manual Trip The manual trip consists of two switches with two outputs on each switch. One output is used to actuate the Train A reactor trip breaker, the other output actuates the Train B reactor trip breaker. Operating a manual trip switch removes the voltage from the unde rvoltage trip coil and energizes the shunt trip coil on each breaker. There are no interlocks which can block this trip. Figure 7.2-3 shows the manual trip logic. The design conforms to Regulatory Guide 1.62, as shown on Figure 7.1-2. 9. General Warning Alarm Reactor Trip Each of the two trains of the Solid-State Protection System is continuously monitored by the general warning alarm reactor trip subsystem. The

warning circuits are actuated if unde sirable train conditi ons are set up by improper alignment of testing systems, circuit malfunction or failure, etc.,

as listed below. A trouble condition in a logic train is annunciated in the control room. However, if any one of the conditions exists in Train A at the same time any one of the conditions exists in Train B, the general warning alarm circuits will automatically trip the reactor. (a) Loss of either of two 48-volt DC or either of two 15-volt DC power supplies (b) Printed circuit card improperly inserted (c) Input error inhibit swit ch in the INHIBIT position (d) Slave relay tester mode selector in TEST position (e) Multiplexing selector switch in INHIBIT position (f) Train bypass breaker racked in and closed (g) Permissive or memory test switch not in OFF position (h) Logic function test switch not in OFF position (i) Loss of power to sl ave relay output cabinet.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 12 c. Reactor Trip Interlocks

1. Power Escalation Permissives The overpower protection provid ed by the out-of-core nuclear instrumentation consists of three discrete, but overlapping, ranges.

Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manua lly blocked by the operator. A one of two intermediate range permissive signal (P-6) is required prior to source range level trip blocking and detector high voltage cutoff. Source range level trips are automatic ally reactivated and high voltage restored when both intermediate range channels are below the permissive (P-6) setpoint. There are two manual reset switches for administratively reactivating the source range level tr ip and detector high voltage when between the permissive P-6 and P-10 se tpoints, if required. Source range level trip block and high voltage cutoff are always maintained when above the permissive P-10 setpoint. The intermediate range level trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two of four power range channels. Four individual blocking switches are provided so that the low range power range trip and intermediate range trip can be indepe ndently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection. The development of permissive P-6 and P-10 is shown on Figure 7.2-4. All of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels. See Table 7.2-2 for the list of protection system interlocks. 2. Blocks of Reactor Trips at Low Power Interlock P-7 blocks a reactor trip at low power (below approximately 10 percent of full power) on a low reactor coolant flow in more than one loop, reactor coolant pump under voltage, reactor coolant pump

underfrequency, pressurizer low pressure, or pressurizer high water level. See Figure 7.2-5 and Figure 7.2-6 for permissive applications. The low power signal is derived from three out of four power ra nge neutron flux signals below the setpoint in coincidence with two out of two turbine impulse chamber pressure signals below the setpoint (low plant load). See Figure 7.2-4 and Figure 7.2-15 for the derivation of P-7.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 13 The P-8 interlock blocks a reactor trip when the plant is below approximately 50 percent of full power, on a low reactor coolant flow in

any one loop. The block action (abs ence of the P-8 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor will be allowed to operate with one inactive loop and trip will not occur until two loops are indicating low flow. See Figure 7.

2-4 for derivation of P-8, and

Figure 7.2-5 for applicable logic. The P-9 interlock blocks a reactor trip when the plant is below approximately 45 percent of full power on a turbine trip. The turbine trip is sensed by either: (1) all turbine ma in stop valves closed or (2) two out of three low trip fluid pressure. The block action (absence of P-9 interlock signal) occurs when three of four neutron flux power range signals are below the setpoint. Thus, below the P-9 setpoint, the reactor will be allowed to operate with the turbine tripped. See Figure 7.2-4 for the

derivation of P-9 and Figure 7.2-15 for applicable logic.

See Table 7.2-2 for the list of protection system blocks. d. Coolant Temperature Sensor Arrangement The hot and cold leg temperature signals required for input to the protection and control functions are obtained using thermowell-mounted RTDs installed in each reactor coolant loop. The hot leg temperature measurement in each loop is accomplished using three fast-response dual-element narrow-range RTDs mounted in thermowells. Two of the three thermowells of each loop are located within the existing hot leg scoops.

A third thermowell is mounted in the RCS process stream. On loops A, B, and D, this thermowell is mounted in an independent boss offset approximately 30 from the unused scoop location. On loop C the boss has been positioned approximately 12 inches upstream of the scoop location at approximately 105. The two reused flow scoops have been modified by machining a flow hole in the end of the scoop to facilitate the flow of water through the leading edge of the scoop, past the thermowell and back into the pipe flow stream.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 14 The temperature measured by each of the three thermowell-mounted RTDs, of each loop, is different due to hot leg temperature streaming. This temperature varies as a function of thermal power, core configuration and core age. Therefore, these signals are electronically averaged to generate a hot leg average temperature. If the active element of the dual-element RTD should fail, the second spare element will be wired into the processing cabinets. If the entire RTD has failed (i.e., the spare element is also inoperable), operation with two RTDs is acceptable. Provisions have been incorporated into the process

electronics to allow for operation with only two RTDs in service. The two operable RTD measurements can be biased to compensate for the loss of the third. The cold leg temperature measurement in each loop is accomplished by one fast-response dual-element narrow-range RTD. The original cold leg RTD bypass penetration nozzle has been modified to accept a thermowell. Temperature streaming in the cold leg is minimal due to the mixing action of the reactor coolant pump. Therefore, only a single temperature measurement is required in each cold leg. e. Pressurizer Water Level Reference Leg Arrangement The design of the pressurizer water level instrumentation employs the usual tank level arrangement using differential pressu re between an upper and a lower tap on a column of water. A reference leg c onnected to the upper tap is kept full of water by condensation of steam at the top of the leg. f. Process Monitoring Process monitoring is performed by two instrumentation systems: the Process Instrumentation System and the Nuclear Instrumentation System. Process Instrumentation System incl udes those analog and trip actuating devices (and their interconnection into systems) which measure voltage, frequency, valve position, temperature, pressure , fluid flow, and fluid level as in tanks or vessels. "Process" instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the field transmitters or process sensors, power suppl ies, indicators, recorders, alarm actuating devices, controllers, signal c onditioning devices, etc., which are necessary for day-to-day operation of the Nuclear Steam Supply System as well as bistables for monitoring

the plant and providing initia tion of protective functions upon approach to unsafe plant conditions.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 15 The primary function of nuclear instrume ntation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The Nuclear Instrumentation System uses information from three separate types of instrumentation channe ls to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reac tor trip protection required during operation in that range. The overlap of instrument range s provides reliable continuous protection beginning with source level through the intermediate and low power level. As the reactor power increases, the overpower protection level is increased by administrative procedures after satisfactory higher range instrumentation operation is obtained. Automatic reset to more restrictive trip protection is provided when reducing power. Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 per cent of full power. The pow er range channels are capable of recording overpower excursions up to 200 percent of full power. The

neutron flux covers a wide range between these extremes. Therefore, monitoring with several ranges of instrumentation is necessary. The lowest range ("source" range) covers six decades of leakage neutron flux.

The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This

is generally greater than two counts per second. The next range ("intermediate" range) covers eight decades. Detectors and instrumentation are chosen to provide overlap between the higher portion of the source range and the lower portion of the power range. The highest range of instrumentation ("power" range) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range. The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup and power operation, as well as during su bsequent refueling. Startup-rate indication for the source and intermediate range channels is provided at the control board. Reactor trip, rod stop, control and alarm signals are transmitted to the Reactor Control and Protection System for automatic plant control. Equipment failures and test status information are annunciated in the control room.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 16 Trip actuating devices combine the process measuring, conditioning, and output functions into one device such as a pressure switch, limit switch, control switch, electrical relay, etc. Analog channel refers to signal processing equipment that provides interface with process measuri ng sensors; signal processing; limit checking; and output functions in one piece of equipment such as the Process

Protection and Nuclear Instrumentation System cabinets. See References 1 and 2 for additional background information on the process and nuclear instrumentation. g. Solid-State Protection System The logic portion consists of the Solid-State Protection System (SSPS). The SSPS takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The SSPS combines these si gnals in the required logic combination

and generates a trip signal (no voltage) to the under voltage-trip attachment and shunt trip auxiliary re lay coils (shunt trip coils are actually en ergized to trip, see Subsection 7.2.1.1) of the reactor trip circuit breakers when the necessary combination of signals occur. The system also provides annuncia tor, status light and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions a nd the status of th e various blocking, permissive and actuation functions. In addition, the system includes means for semi-automatic testing of the logic circuits. See Reference 3 for additional background information. h. Isolation Amplifiers In certain applications, Westinghouse considers it advantageous to employ control signals derived from indivi dual protection chan nels through isol ation amplifiers contained in the protection channel, as permitted by IEEE Standard 279-1971. In all of these cases, analog signals derived from protection channels for nonprotective functions are obtained through isolation amplifiers located in the analog racks. By definiti on, nonprotective functions include those signals used for control, remote process indication, and computer monitoring. Refer to Subsection 7.1.2.2a for discussion of electrical separati on of control and protection functions. (See Reference 5 for isolation amplifier qualification-type tests.) i. Energy Supply and Environmental Variations The energy supply for the Reactor Trip System including the voltage and frequency variations, is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system will perform, are given in

Section 3.11 and Chapter 8.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 17 j. Setpoints The setpoints that require trip action ar e given in the Technical Specifications. A detailed discussion on setpoints is found in Subsection 7.1.2.1i. k. Seismic Design The seismic design considerations for the Reactor Trip System are given in Section 3.10. This design meets the requirements of Criterion 2 of the 1971 General Design Criteria (GDC). 7.2.1.2 Design Bases Information The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971. Functional diagrams are presented in Figure 7.2-1, Figure 7.2-2, Figure 7.2-3, Figure 7.2-4, Figure 7.2-5, Figure 7.2-6, Figure 7.2-7, Figure 7.2-8, Figure 7.2-9, Figure 7.2-10, Figure 7.2-11, Fi gure 7.2-12, Figure 7.2-13, Fi gure 7.2-14 and Figure 7.2-15. a. Generating Station Conditions The following are the generating station conditions requiring reactor trip: 1. DNBR approaching the safety analysis limit value. 2. Power density (kilowatts per foot) approaching rated value for Condition II faults (see Chapter 4 for fuel design limits) 3. Reactor Coolant System overpressure creating stresses approaching the limits specified in Chapter 5. b. Generating Station Variables The following are variables required to be monitored in order to provide reactor trips. (See Table 7.2-1).

1. Neutron flux
2. Reactor coolant temperature
3. Reactor coolant system pressure (pressurizer pressure) 4. Pressurizer water level 5. Reactor coolant flow
6. Reactor coolant pump operational status (voltage and frequency) 7. Steam generator water level
8. Turbine-generator operational status (trip fluid pressure and stop valve position).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 18 c. Spatially Dependent Variables The following variables are spatially dependent: 1. Reactor coolant temperature: See Subsection 7.3.1.2 for a discussion of this variable spatial dependence. 2. Neutron flux: See Subsection 4.3.2.

2 for a discussion of this variable spatial dependence. d. Limits, Margins and Set Points The parameter values that will require reactor trip are give n in the Technical Specifications and in Chapter 15, Accident Analyses. Chapter 15 proves that the setpoints in the Technical Specifications and Core Operating Limits Report are conservative. The setpoints for the various functions in the Reactor Trip System have been analytically determined so that the prescribed operational limits will prevent fuel rod clad damage and loss of integrity of the Reactor Coolant System as a result of any ANS Condition II incident (anticipated malfunction). As such, during any ANS Condition II incident, the Reactor Trip System limits the following parameters to: 1. Minimum DNBR = the safety analysis limit value.

2. Maximum system pressure = 2750 psia
3. Fuel rod maximum linear power to the fuel design linear power limit for protection against fuel centerline melting. The accident analyses described in Chapter 15 demonstrate that the function requirements as specified for the Reactor Trip System are adequate to meet the above considerations, even assuming, for conservatism, adverse combination of instrument errors (refer to Table 15.0-4). A discussion of the safety limits associated with the reactor core and Reactor Coolant System, plus the limiting safety system setpoints, are presented in the Technical Specifications and Core Operating Limits Report. e. Abnormal Events The malfunctions, accidents or othe r unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows: 1. Earthquakes (see Sections 2.5 and 3.7)
2. Fire (see Section 9.5)

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 19 3. Explosion (hydrogen buildup inside Containment) (see Section 6.2) 4. Missiles (see Section 3.5) 5. Flood (see Sections 2.4 and 3.4)

6. Wind and tornadoes (see Section 3.3)
7. Lightning (see Section 2.3). The Reactor Trip System fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions.

The Reactor Trip System relies upon provisions made by the owner and operato r of the plant to provide protection against destruction of the system from fires, explosions, missiles, floods, wind, lightning and tornadoes (see each item above). f. Minimum Performance Requirements

1. Reactor Trip System Response Times Reactor Trip System response time is defined in Section 7.1. Typical maximum allowable time delays in generating the reactor trip signal are tabulated in Table 7.2-3. See Subsection 7.1.2.11 for a discussion of periodic response time verification capabilities. 2. Reactor Trip Accuracies Accuracy is defined in Section 7.1.

Reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Subsection 7.1.2.1i. 3. Protection System Ranges Typical Protection System ranges are tabulated in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Limiting setpoints are at least 3 percent from the end of the instrument span.

7.2.2 Analyses

7.2.2.1 Failure Mode and Effects Analyses An analysis of the Reactor Trip System has been performed. Results of this study and a fault tree analysis are presented in Reference 4.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 20 7.2.2.2 Evaluation of Design Limits While most setpoints used in the Reactor Protection System are fixed, there are variable setpoints, most notably the Overtemperature T and Overpower T setpoints. All setpoints in the Reactor Trip System have been selected on the basis of engineering design or safety studies. The capability of the Reactor Trip System to prevent loss of integrity of the fuel cladding and/or reactor coolant system pressure boundary during Condition II, III, and IV transients is demonstrated in Chapter 15. These accident analyses are carried out using those setpoints determined from results of the engineering design studies. Setpoint limits are presented in the Technical Specifications. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which use this trip is presented below. It should be noted that the selection of trip setpoints provide for margin before protection action is actually required to allow for uncertainties and instrument errors. The design meets the requirements of Criteria 10 and 20 of the 1971 GDC. a. Trip Setpoint Discussion It has been pointed out previously that below a DNBR equal to the safety analysis limit value there is likely to be significant local fuel cladding failure. The DNBR

existing at any point in the core for a gi ven core design can be determined as a function of the core inlet temperature, power output, operating pressure and flow. Consequently, core safety limits in terms of a DNBR equal to the safety analysis limit value for the hot channel can be developed as a function of core T, T avg and pressure for a specified flow as illustrated by the solid lines in Figure 15.0-1. Also shown as solid lines in Figure 15.0-1 are the loci of conditions equivalent to 118 percent of power as a function of T and T avg representing the overpower (kW/ft) limit on the fuel. The dashed lines indicate the maximum permissible setpoint (T) as a function of T avg and pressure for the overtemperature and overpower reactor trip. Actual setpoint constants in the equation representing the dashed lines are as given in the Technical Specifications. These values are conservative to allow for instrument errors. The design meets the requirements of Criteria 10, 15, 20 and 29 of the 1971 GDC. DNBR is not a directly measurable quantit y; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit; whereas the combined variation, over sufficient time, may cause the overpower or overtemperature safety limit to be exceed ed. The design concept of the Reactor Trip System recognizes this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 21 Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure and Overpower/Overtemperature T trips provide sufficien t protection for slow transients as opposed to such trips as lo w flow or high flux which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding T trips could be affected. Therefore, the Reactor Trip System has been designed to provide protection for fuel cladding and reactor coolant system pressure boundary integrity where: (1) a rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit, and (2) a slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded. Overall, the Reactor Trip System offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II,III, and IV accidents. This is demonstrated by Table 7.2-4 which lists the various trips of the Reactor Trip System, the appropriate accident in the safety analyses in which the trip could be utilized and the corresponding limiting safety system setting Technical Specification. It should be noted that the Reactor Trip System automatically provides core protection during nonstandard operating confi guration, i.e., operation with a loop out of service. Although operating with a loop out of service over an extended time is considered to be an unlikely event and is not allowed by the plant operating license, no protection system setpoi nts would need to be reset. This is because the nominal value of the power (P-8) interlock setpoint restricts the power so that DNB ratios less than the safety analysis limit value will not be realized during any Condition II transients occurring during this mode of operation. This restricted power is considerably below the boundary of permissible values as defined by the core safety limits for operation with a loop out of service. Thus, the P-8 interloc k acts essentially as a high nuclear power reactor trip when operating w ith one loop not in service. The design meets the requirement s of Criterion 21 of the 1971 GDC. Preoperational testing is performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a further evaluation of the system design. Analyses of the results of Conditions I, II, III and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and tu rbine trip is given in Section 7.7.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 22 b. Reactor Coolant Flow Measurement The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. The correlation between flow and elbow tap signal is given by the following equation:

2 o o w wPP where P o is the pressure differential at the reference flow w o , and P is the pressure differential at the corresponding flow , w. The full flow reference point is established during initial plant startup. The low flow trip is then established by extrapolating along the correlation curve. The expected absolute accuracy of the channel is within +/-10 percent of full flow and field results have shown the repeatability of the trip point to be within +/-1 percent. c. Evaluation of Compliance to Applicable Codes and Standards The Reactor Trip System meets the criteria of the General Design Criteria as indicated. The Reactor Trip System meets the requirements of Section 4 of IEEE Standard 279-1971, as indicated below. 1. General Functional Requirement The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset level. Functional performance requirements are given in Subsection 7.2.1.1a.

Subsection 7.2.1.2d presents a discussion of limits, margins and levels;

Subsection 7.2.1.2e discusses unusua l (abnormal) events; and Subsection 7.2.1.2f presents minimum performance requirements. 2. Single Failure Criterion The protection system is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective action at the system level when required. Loss of input power, the most likely mode of failure, to a channel or logic train will result in a signal calling for a trip. This design meets the requirements of Criterion 23 of the 1971 GDC.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 23 To prevent the occurrences of common mode failures, such additional measures as functional diversity, physic al separation, and testing as well as administrative control during de sign, production, installation and operation are employed, as discussed in Reference 4. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC. 3. Quality of Components and Modules For a discussion on the quality of the components and modules used in the Reactor Trip System, refer to Chapter 17. The quality assurance applied conforms to Criterion 1 of the 1971 GDC. 4. Equipment Qualification For a discussion of the type tests and/or analyses made to verify the performance requirements, refer to Section 3.11. The tests results demonstrate that the design meets the requirements of Criterion 4 of the 1971 GDC. 5. Channel Integrity Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of condition relating to environment, energy supply, malfunction, and accidents. The energy supply for the Reactor Trip System is described in Chapter 8. The environmental variations throughout which the system will perform are given in Section 3.11.

6. Independence Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters.

Separation of wiring is achieved usi ng separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel.

Redundant analog equipment is separated by locating modules in different

protection cabinets. Ea ch redundant protection ch annel set is energized from a separate AC power feed. This design meets the requirements of Criterion 21 of the 1971 GDC. Two reactor trip breakers, which are actuated by two separate logic matrices, interrupt power to the control rod mechanisms. The breaker main contacts are connected in series with the power supply so that

opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core. See

Figure 7.1-1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 24 The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse protection variable. Generally, two or more diverse protection functions would terminate reactor operation before intolerable

consequences could occur. This design meets the requirements of Criterion 22 of the 1971 GDC. 7. Control and Protection System Interaction The protection system is designed to be independent of the control system.

In certain applications the cont rol signals and other nonprotective functions are derived from individual protective channels through isolation amplifiers. The isolation amplifiers are classified as part of the protection system and are located in the anal og protective racks. Nonprotective functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed so that a short circuit, open circuit, or the application of credible fault voltages from within the cabinets on the isolated out put portion of the circuit (i.e., the nonprotective side of the circuit) will not affect the input (protective) side

of the circuit. The signals obtained through the isolation amplifiers are never returned to the protective racks. This design meets the requirement of Criterion 24 of the 1971 GDC and paragraph 4.7 of IEEE Standard

279-1971. The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significa nt disturbance to the isolation amplifier input signal occurred. See Subsection 7.2.2.2c(11) for a di scussion of exceptions to the single failure criterion while a channel is bypassed for ma intenance or testing and Subsection 7.2.2.3 for a discussi on of specific cont rol and protection interactions. 8. Derivation of System Inputs To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trip s are listed in Subsection 7.2.1.2b.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 25 9. Capability for Sensor Checks The operational availability of each system input sensor and that portion of the channel related to indica tion during reactor operation is accomplished by channel checks. Channel checks provide qualitative cross checking between channels that bear a known relationship to each other and that have read-outs available. Channel checks are discussed in Technical Specification 3/4.3 and Table 4.3-1 of the Technical Specifications. 10. Capability For Testing The Reactor Trip System is capable of being tested during power operation. Where only parts of the system are tested at any one time, the design is capable of providing the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22 as discussed in Subsection 7.1.2.5. The protection system is designed to permit periodic testing of the process monitoring portion of the Reactor Trip System during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channe ls associated with the function to be tested must be in the normal (untripped) mode in order to avoid spurious trips. Setpoints are referenced in the Standard Instrument Schedule and Technical Specifications. Bypass Test Instrumentation (BTI) features have been added to selected Process and Nuclear Instrumentation System channels to permit periodic testing with the monitoring portion of the channel in bypass rather than in trip. This eliminates the potential for a reactor trip caused by spurious actuation of a redundant channel when a channe l is in trip for testing. (a) Analog Channel Operational Tests Analog Channel Operational Tests (ACOTs) are performed on the Process and Nuclear Instrumentation Systems between channel calibrations to detect process monitoring failures which are not detectable by channel checks.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 26 Process Instrumentation Channel Operational Tests The analog channels of the Process Instrumentation System are tested by individually introducing simulated input signals into the analog channels and observing th e tripping of the appropriate output bistables. When a channel with a normally energized SSPS input relay is tested in trip, the output to the l ogic circuitry is interrupted by a test switch which, when thrown, de-energizes the associated logic input and insert s a proving lamp in the bistable output. BTI is connected downstream of the channel test card, thus enabling the bypass of the entire analog channel for surveillance testing or maintenance.

If BTI is not used, interruption of the bistable output to the logic circuitry for any cause (test, maintenance, or removal from service) will cause that portion of the logic circuitry to be actuated (partial trip) accompanied by a partial trip alarm and channel status light actuation in the control room. If BTI is used, the logic circuitry will not be actuated. Each channel contains those switches, test points, etc., necessary to test the channel. See References 1 and 2 additional non-BTI background information. The following Process Instrumentation System analog channel periodic tests are performed:

(1) T avg and T protection channel testing (2) Pressurizer pressure protection channel testing (3) Pressurizer water level protection channel testing (4) Steam generator water level protection channel testing (5) Reactor coolant low flow protection channels testing. Nuclear Instrumentation Analog Channels Operational Tests S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 27 The power range analog channels of the Nuclear Instrumentation System are tested either by superimposing a test signal on the actual detector signal being received by the channel at the time of testing or by injecting a test signal in place of the actual detector signal. The output of the bistable is not placed in a tripped

condition prior to testing. Also , since the power range channel logic is two out of four, bypass of this reactor trip function is not required but has been provided to minimize the potential for spurious trips. BTI is connected to the power, intermediate, and

source range channel output, thus enabling the bypass of the entire analog channel for surveillance testing or maintenance.

To test a power range channel, a "TEST-OPERATE" switch is provided to require deliberate ope rator action, operation of which will initiate an alarm in the control room. If BTI is not used, bistable operation is tested by increasing the test signal to its trip

setpoint and verifying bistable relay operation by control board annunciator and trip status lights.

It should be noted that if the test signal is superimposed on the detector signal a valid trip signal would cause the channel under test to trip at a lower actual reactor power level. A reactor trip would occur when a second bistable trips.

If BTI is used, the logic circuitr y will not be actuated and bistable operation will be indicated at the nuclear instrumentation cabinet.

The trip of a second channel will not result in a reactor trip. A nuclear instrumentation system channel which can cause a reactor trip through one of tw o protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel

during the short period that it is undergoing test. These bypasses are indicated by status lights or a VAS alarm in the control room. The following Nuclear Instrumentation System periodic tests are performed: (1) Testing at plant shutdown Source range testing Intermediate range testing Power range testing S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 28 (2) Testing between P-6 and P-10 permissive power levels Intermediate range testing Power range testing (3) Testing above P-10 permissive power level Power range testing (with exception of the low power setpoint) Any deviations noted during the performance of these tests are investigated and corrected in accordance with the established calibration and trouble-shooting procedures provided in the plant techni cal manual for the Nuclear Instrumentation System. C ontrol and protection trip settings are indicated in the standard instrument schedule. For additional background information on the Nuclear Instrumentation System, see Reference 2. (b) Trip Actuating Device Operational Testing A trip actuating device operational test is performed in trip by exercising the monitored component/system or introducing simulated input signals into the instrumentation channel and

observing actuation of the appropriate SSPS logic circuitry (partial trip) accompanied by a partial trip alarm and channel status light

actuation in the control room. The reactor coolant pump (RCP) undervoltage (UV) and underfre quency (UF) channels have Bypass Test Instrumentation (BTI) features which provide for testing the field contact without de-energizing the UV or UF time delay relays or actuating the SSPS.

The following trip actuating device periodic tests are performed: (1) Reactor coolant pump unde rfrequency and undervoltage protection channel testing. (2) Turbine-generator trip fl uid pressure and stop valve position testing.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 29 (c) Channel Calibration Channel calibrations are performed at the refueling frequency. The channel calibration is a complete check of the instrument channel, including the required sensor, alarm, interlock, display, and trip functions. Overlap of the mon itoring and logic portions of the Reactor Trip System is verified fo r the channels which were tested in bypass. Calibration of instrument channe ls with resistance temperature detector (RTD) or thermocouple sensors may consist of an in-place assessment of sensor behavior and normal calibration of the remaining adjustable devices in the channel. The channel calibration may be performed by means of any series of sequential, overlapping calibrations or total channel steps so that the entire channel is calibrated. (d) Solid-State Protection System Logic Testing The Reactor Trip System logic trai ns are part of the Solid-State Protection System (SSPS) and ar e designed to be capable of complete testing at power. After the individual process monitoring channel testing is complete, the logic matrices are tested from the Train A and Train B logic rack test panels. During this test, all of the logic inputs are actuated automatically in all combinations of trip and nontrip logic. Trip logic is not maintained sufficiently long enough to permit opening of the reactor trip breakers. The

reactor trip undervolta ge coils are "pulsed" in order to check continuity. During logic testing of one train, the other train can initiate any required protectiv e functions. Annunciation is provided in the control room to i ndicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Logic testing can be performed in less than 30 minutes. This design complies with the testing requirements of IEEE Standard 279-1971 and IEEE Standard 338-1975 discussed in Subsection 7.1.2.11. The permissive and block interlocks associated with the Reactor Trip System and Engineered Safety Features Actuation System are given on Table 7.2-2 and Table 7.3-2 and designated protection or "P" interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standard 279-1971 and 338-1975.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 30 Testing of all protection system interlocks is provided by the logic testing and semi-automatic testing capabilities of the Solid-State Protection System. In the Solid-State Protection System, the undervoltage trip attachment and shunt trip auxiliary relay coils (Reactor Trip) and master relays (Engineered Safeguards Features Actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock sign als. For example, reactor trip on low flow (2 out of 4 loops showing 2 out of 3 low flow) is

tested to verify operability of the trip above P-7 and nontrip below P-7 (see Figure 7.2-5). Interlock testing may be performed at

power. Testing of the logic trains of the Reactor Trip System includes a logic matrix check and may include a check of the input relays. The following sequence is used to test the system: (1) Check of Input Relays When the process instrumentation system and nuclear instrumentation system channels are tested in trip, each channel bistable is placed in a trip mode causing one input relay in Train A and one in Train B to de-energize. A

refueling frequency has been justified for the testing of normally energized input relays (Reference 7). All input relays are tested at refueling intervals. A contact of each relay is connected to a universal logic printed circuit card.

This card performs both the re actor trip and monitoring functions. Each reactor trip input relay contact causes a status lamp on the control board to operate and provides an input to the Video Alarm System (VAS). Either the Train A or Train B input relay operation will light the status lamp and provide the VAS alarm. Each train contains a multiplexing test switch. During a process or nuclear instrumentation system test, this switch (in either train) is in the A + B position. The A + B position alternately allows information to be transmitted from the two trains to the c ontrol board. A steady status lamp and annunciator indicates that input rela ys in both trains have been de-energized. A flashing lamp means that the input relays into the two tr ains did not both de-energize.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 31 Trip actuating device or associated auxiliary relay contact inputs to the SSPS, such as reactor coolant pump bus underfrequency relays, operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays. Actuation of the input relays provides the overlap between the testing of the SSPS and the testing of those systems supplying the inputs to the SS PS. Test indications are status lamps and VAS alarms on the control board. Inputs to the SSPS are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor when two out of four channels trip becomes a

one-out-of-three trip when one channel is placed in the trip mode or reverts to two-out-of-three when the channel is tested in bypass. Both trains of the SSPS remain in service

during this portion of the test. (2) Check of Logic Matrices Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train. At the completion of the logic matrix tests, the input error is veri fied removed and returned to normal by the performance of continuity checks of the input inhibit error circuit. The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and nontrip combinations are checked. Pulses from the tester are

applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor

trip breaker undervoltage trip attachment and shunt trip auxiliary relay coils to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 32 Test indications that are provi ded are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester to

indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from

the train not being tested. The testing capability meets the requirements of Criterion 21 of the 1971 GDC. (e) Testing of Reactor Trip Breakers Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers thereby eliminating the need to bypass them

during this testing. The following procedure describes the method used for testing the trip breakers: (1) With bypass breaker 52/BYA racked out, manually close and trip it to verify its operation. (2) Rack in and close 52/BYA. Manually trip 52/RTA through a protection system logic matrix while at the same time operating the "Auto Shunt Trip Block" push button on the automatic shunt trip

panel. This verifies operation of the Undervoltage Trip Attachment (UVTA) when the breaker trips. After reclosing RTA, trip it again by operation of the "Auto Shunt Trip Te st" push- button on the automatic shunt trip panel. This is to verify tripping of the breaker through the shunt trip device. (3) Reset 52/RTA. (4) Trip and rack out 52/BYA.

(5) Repeat above steps to test trip breaker 52/RTB using bypass breaker 52/BYB.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 33 If an event requiring a reactor trips occurs during the testing of the reactor trip breaker, the bypass breaker 52/BYA would receive an undervoltage trip signal from the B train SSPS. 52/BYA also receives a shunt trip signal from the A train manual trip switch output. Similarly the bypass breaker 52/BYB would receive an undervoltage trip signal from the A train SSPS a nd a shunt trip signal from the B train manual trip switch output. Auxiliary contacts of the bypass breakers are connected into the general warning alarm logic of their respective

trains so that if either train is placed in test or if an attempt is made to close the bypass breaker while the bypass

breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip. The Train A and Train B general warning alarm logics operate separate VAS alarms in the control room. The two

bypass breakers also operate separate VAS alarms.

Bypassing of a protection trai n with either the bypass breaker or with the test switches will result in audible and

visual indications. The complete Reactor Trip System is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation

channel failure, Technical Sp ecification 3/4.3 defining the minimum number of opera ble channels, has been formulated. This Technical Specification also defines the required restriction to operation in the event that the channel operability requirements cannot be met.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 34 11. Channel Bypass or Removal from Operation The protection system is designed to permit periodic testing of the Reactor Trip System during reactor power oper ation without initia ting a protective action unless a trip condition actually exists. Protective action is prevented by the coincidence logic re quired for reactor trip and the Bypass Test Instrumentation provided for most channels. IEEE Standard

279-1971, Paragraph 4.11, provides an exception to the single failure criterion for one-out-of-two systems during channel bypass where acceptable reliability of operation can be demonstrated. WCAP-10271 and its supplements and revisions, Reference 7, demonstrate acceptable protection system reliability for one-out-of-two systems when channels are bypassed for maintenance and testing. WCAP-10271 also demonstrates acceptable protection system reliability for certain two-out-of-three and two-out-of-four systems during channel bypass for maintenance and testing. WCAP-10271, Supplement 2, Revision 1, concludes that the rationale for the single failure exception for one-out-of-two systems is equally applicable to two-out-of-three and two-out-of-four systems where acceptable reliability of operation can be demonstrated.

This exception is applicable to the following protection system functions:

Functions with two-out-of-three logic RCS Flow Lo Reactor Trip

Pressurizer Pressure Lo P-11 Pressurizer Level Hi Reactor Trip Steam Generator Pressure Lo/Rate Hi Safety Injection/Main Steam Isolation Containment Pressure Hi-1/Hi-2 Safety Injection/Main Steam Isolation Functions with two-out-of-four logi c which have a control/protection interaction Pressurizer Pressure Lo/Hi Reactor Trip Pressurizer Pressure Lo-Lo Safety Injection Steam Generator Level Lo Reactor Trip/Emergency Feedwater Actuation Steam Generator Level Hi Turbine Trip/Feedwater Isolation S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 35 The NRC has accepted the generic approach of bypassing channels for the performance of maintenance and testing in the safety evaluations which are attached to WCAP-10271. In th e NRC Safety Evaluation related to Amendment No. 36 to the Seabrook Station Operating License, Reference 9, the NRC stated that the generic analyses used in WCAP-10271 and its supplements are applicable to Seabrook Station. Channel bypass for testing and maintenance, using permanent test equipment which avoids the lifting of leads and/or the installation of jumpers, was accepted in the safety evaluation for Amendment No. 36. 12. Operating Bypasses Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of th e bypass of a protective function are considered part of the protective system and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service. 13. Indication of Bypasses Indication of bypass for the reactor protection system is provided by status lights or by VAS alarms. Bypass of a reactor trip breaker, the protection system output, or a monitoring channel is alarmed for each train or protection set on the VAS. 14. Access to Means for Bypassing The design provides for administrative control of access to the means for manually bypassing channels or protective functions. 15. Multiple Setpoints For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes nece ssary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 36 16. Completion of Protective Action The protection system is so designed that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator. 17. Manual Initiation Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective f unctions. Manual actuation relies on the operation of a minimum of equipment.

18. Access The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points. 19. Identification of Protective Actions Protective channel identification is discussed in Subsection 7.1.2.3.

Indication is discussed in Item 20 below. 20. Information Read-Out The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebrai c difference and average of bottom and top detector currents). Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level. Alarms and annunciators are also used to alert the opera tor of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm. 21. System Repair The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or module. Refer to the discussion in Item 10 above.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 37 7.2.2.3 Specific Control and Protection Interactions

a. Neutron Flux Four power range neutron flux channels are provided for overpower protection.

An isolated auctioneered high signal is derived by auction eering of the four channels for automatic rod c ontrol. If any channel fails in such a way to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two out of four overpower trip logic will ensure an overpower trip if needed even with an

independent failure in another channel. In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will re spond only to rapid ch anges in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual and automatic rod withdrawal. The set point fo r this rod stop is below the reactor trip setpoint. b. Coolant Temperature The accuracy of the resistance temperature detector (RTD) loop temperature measurements is demonstrated during plant startup tests by comparing temperature measurement from all loop RTDs with one another as well as with the temperature measurements obtained from the wide-range RTDs located in the hot leg and cold leg piping of each loop. The linearity of the T measurements obtained from the hot leg and cold leg l oop RTDs as a function of plant power is also checked during plant startup tests. The absolute value of T versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated T at nominal full power rather than on absolute values of T. This is done to account for loop differences which are inherent. The percent T scheme is relative, not absolute, and therefore provides better protective action without the expense of accuracy. For this reason, the linearity of the T signals as a function of power is of importance rather than the absolute values of the T. Reactor control is based upon signals derived from protection system channels after isolation by isolation amplifiers so that no feedback effect can perturb the protection channels.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 38 The Tavg (rod) control system is based on average Tavg. Margins to DNB have been analyzed based on the uncertainties for average Tavg. These uncertainties have been appropriately determined such that the deviation from the highest loop Tavg to the average Tavg has been explicitly addressed and will not result in a loss of analyzed DNB margin. A spurious low average temperature measurement from any loop temperature control channel will cause the Average Tavg input signal to the control system to decrease. This will result in a demand for rod withdrawal (due to Average Tavg / Tref mismatch) and a demand for reduction in charging flow (due to pressurizer level program signal mismatch). The e ffect of the charging flow change is bounded by analysis in Section 15.6, Decrease in Reactor Coolan t Inventory. If this failure were to occur when the control rods are fully withdrawn there would

be no rod withdrawal. If this failure were to occur when the rods were not fully withdrawn a rod withdrawal and subsequent power increase would occur. This event is bounded by the analysis in Sec tion 15.4.2, Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power. A spurious high average temperature measurement from any loop temperature control channel will cause the Average Tavg input signal to the control system to increase. This will result in a demand for rod insertion (safe direction) due to Average Tavg / Tref mismatch. Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the average value. Alarms for an approach to Overpower or Overtemperature T reactor trip are also provided if any two of the four Overtemperature or Overpower T channels indicate an adverse condition. c. Pressurizer Pressure The pressurizer pressure protection ch annel signals are used for high and low pressure protection and as inputs to the Overtemperature T trip protection function. Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters and

power-operated relief valves. Pressurize r pressure is sensed by fast response pressure transmitters. A spurious high pressure signal from one channel can cause decreasing pressure by actuation of either spray or relief valves. Additional redundancy is provided in the low pressurizer pressure reactor trip and in the logic for safety injection to ensure low pressure protection.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 39 Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3 percent. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge. d. Pressurizer Water Level Three pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurize r water level control. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of half an hour or more). The high water level trip setpoint provides sufficient margin so that the undesirable condition of disc harging liquid coolant thr ough the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of the water le vel control would not lead to any liquid discharge through the safety va lves. This is due to th e automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint. For control failures which tend to empty the pressurizer, two out of four logic for safety injection actuation on low pressure ensures that the protection system can withstand an independent failu re in another channel. In addition, ample time and alarms exist to alert the operator of the need for appropriate action. e. Steam Generator Water Level The basic function of the reactor protection circuits associated with low-low steam generator water level is to preserve the steam generator heat sink for removal of long-term residual heat. Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant emergency feedwater pumps are pr ovided to supply feedwater in order to maintain residual heat removal after trip. This reactor trip acts before the steam generators are dry. This reduces the required capacity, increases the time interval before emergency feedwater pumps are required, and minimizes the thermal transient on the Reactor Coolant System and steam generators. Therefore, a low-low steam generator water level reactor trip circuit is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. Two-out-of-four low-low steam generator water level trip logic ensures a reactor trip if needed even with an independent failure in another channel used for control and when degraded by an additional

second postulated random failure.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 40 A spurious low signal from the feedwater flow channel being used for control would cause an increase in feedwater flow. The mismatch between steam flow and feedwater flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition continues, a two-out-of-four high-high steam generator water level signal in any loop, independent of the indicated feedwater flow, will cause feedwater isolation and trip the turbine. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint. The high-high steam generator water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blading. In addition, the three element feedwater controller incorporates reset action on the level error signal, so that with expected controller settings a rapid increase or decrease in the flow signal would cause only a small change in level before the controller would compensate for the level error. A slow change in the feedwater

signal would have no effect at all. A spurious low or high steam flow signal would have the same effect as high or low feedwater signal, discussed above. A spurious high steam generator water level signal from the protection channel used for control will tend to close the feedwater valve. A spurious low steam generator water level signal will tend to open the feedwater valve. Before a reactor trip would occur, two-out-of-four channels in a loop would have to indicate a low-low water level. Any slow drift in the water level signal will permit the operator to respond to the level alarms and take corrective action. Automatic protection is provided in case the spurious high level reduces feedwater flow sufficiently to cause low-low level in the steam generator.

Automatic protection is also provided in case the spurious low level signal increases feedwater flow sufficiently to cause high level in the steam generator. A turbine trip and feedwater isolation would occur on two-out-of-four high-high steam generator water level in any loop. 7.2.2.4 Additional Postulated Accidents Loss of plant instrument air or loss of compone nt cooling water is discussed in Subsection 7.3.2.3. Load rejection and turbine trip are discussed in further detail in Section 7.7.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 41 The control interlocks, called rod stops, that are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are di scussed in Subsection 7.7.1.4a and listed on Table 7.7-1. Excessively high powe r operation (which is prevented by blocking of automatic rod withdrawal), if allowed to continue, might lead to a safety limit (as given in the Technical Specification) being reached. Before such a limit is reached, protection will be available from the Reactor Trip System. At the power levels of the rod block setpoints, safety limits have not been reached; therefore, these rod withdrawal stops do not come under the scope of safety-related systems, and are considered as control systems. 7.2.3 Tests and Inspections The Reactor Trip System meets the testing requirements of IEEE Standard 338-1975, as discussed in Subsection 7.1.2.11. The testability of the system is discussed in Subsection 7.2.2.2c. The test intervals are specified in th e Technical Specifications.

All active devices will be tested at the operational test frequency unless a lower frequency is justified. Passive devices will be checked at the same frequency where practicable (Reference 6). References 7 and 8 document the operational test frequency and justify channel calibration frequency for testing of the normally energized SSPS input and RCP UV/UF time delay re lays for channels which are tested in bypass. All components will be tested at the channel calibration frequency. Written test procedures and documentation, conforming to the requirements of IEEE Standard 338-1975, will be available for audit by responsible personnel. Periodic testing complies with Regulatory Guide 1.22, as discussed in Subsections 7.1.2.5 and 7.2.2.2c. All active components can be tested at the operational test frequenc

y. A lower testing frequency may be justified if adequate reliability is assured. Passive components will be tested at the operational test frequency where practicable.

7.2.4 References

1. Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply Systems," WCAP-7913, January 1973. (Addition background information only) 2. Lipchak, J. B., "Nuclear Instrumentation System," WCAP-8255, January 1974. (Additional background information only) 3. Katz, D. N., "Solid State Logic Prot ection System Description," WCAP-7488-L, January 1971 (Proprietary) and WCAP-7672, June 1971 (Nonproprietary). (Additional background information only) 4. Gangloff, W. C. and Loftus, W. D., "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transi ents," WCAP-7706-L, February 1971 (Proprietary) and WCAP-7706, July 1971 (Nonproprietary). 5. Marasco, F. W. and Siroky, R. M., "Westinghouse 7300 Series Process Control Noise Tests," WCAP-8892-A, June 1977.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Reactor Trip System Revision 12 Section 7.2 Page 42 6. "Overlap Testing Requirements," NAESCo Engineering Evaluation 95-22, September 1995. 7. "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," WCAP-10271-P-A, May 1986; Supplement 1, May 1986; and Supplement 2, Revision 1, June 1990. 8. "Risk/Reliability Evaluation of SSPS Input Relays and Timers in the Bypass Test Scheme," NAESCo Engineering Evaluation 95-20, August 1995. 9. "Safety Evaluation by the Office of Nuclear Reactor Regulation Related to Amendment No. 36 to Facility Operati ng License No. NPF-86," April 10, 1995.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 1 7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary Engineered Safety Features (ESF). The occurrence of a limiting fault, such as a loss-of-coolant accident or a steam line break, requires a reactor trip plus actuation of one or more of the Engineered Safety Features to prevent or mitigate damage to the core and reactor coolant system components, and ensure containment integrity. To accomplish these design objectives, the Engineered Safety Features System has proper and timely initiating signals which are to be supplied by the sensors, transmitters and logic components making up the various instrumentation ch annels of the Engineered Safety Features Actuation System.

7.3.1 Description

The Engineered Safety Features Actuation System uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (Class III or IV faults). Once the required logic combin ation is completed, the system sends actuation signals to the appropriate engineered safety features components. The Engineered Safety Features Actuation System meets the requirements of Criteria 13, 20, and 38 of the 1971 General Design Criteria (GDC). 7.3.1.1 System Description The Engineered Safety Features Actuation System is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Subsection 7.3.1.1a is listed below and discussed in this section. Fo r additional background information refer to References 1, 2 and 3 and Sections 11.5 and 12.3.4. Process Instrumentation System (Reference 1) Radiation Monitoring System (Sections 11.5 and 12.3.4) Solid-State Protection System (Reference 2) Engineered Safety Features Test Cabinet (Reference 3)

Manual Actuation Circuits The Engineered Safety Features Actuation System consists of sensors, connected to signal processing circuitry consisting of two to four redundant channels that monitor various plant parameters, and digital circuitr y consisting of two redundant logi c trains which receive inputs from the signal processing channels to complete the logic needed to actuate the Engineered Safety Features.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 2 Each of the two logic trains is capable of actuating the Engineered Safety Features equipment required. The intent is that any single failure within the Engineered Safety Features Actuation System shall not prevent system action when required.

The redundant concept is applied to both the monitoring and logic portions of the system.

Separation of redundant monitoring channels begins at the process sensors and is maintained in the field wiring, containment vesse l penetrations and electronics termina ting at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23 and 24 of the 1971 GDC.

The variables are sensed by the monitoring por tion as discussed in Reference 1 and in Sections 7.2, 11.5 and 12.3.4. The outputs from the monitoring portion are combined into actuation logic as shown on Figure 7.2-5, Figure 7.2-6, Figure 7.2-7 and Figure 7.2-8.

Table 7.3-1 gives additional informati on pertaining to logic and function. The interlocks associated with the Engineered Safety Features Actuation System are outlined in Table 7.3-2. These interlocks satisfy the functional requirements disc ussed in Subsection 7.1.2.

Manual actuation from the control board of containment isolation Phase A is provided by operation of either one of the redundant momentary containment isolation Phase A controls. Each manual actuation switch actuates the equipment in its respective train. In a similar manner, manual actuation of containment spray and containment isolation Phase B is initiated from the control board, except that two switches must be operated for each train. Also on the control board, are manual actuation switches for safety injection. Each of these controls are dual train switches, which will actuate both Train A and Train B equipment.

Manual controls are also provided to switch from the injection to the recirculation phase after a loss-of-coolant accident.

The transfer from the injection to the recirculation phase is initiated automatically and completed manually by operator action from the main cont rol board. Protection logic is provided to automatically open the two recirculation sump isolation valves on a 2/4 RWST Lo-Lo level in conjunction with initiation of an "S" signal (see Figure 7.6-4, sh.1, and Figure 7.6-4, sh.2). This aligns the two RHR pumps to take suction from the containment sump and to deliver directly to the RCS without stopping the RHR pumps. The charging/safety injection pumps will continue to take suction from the RWST, during the above automatic action, until manual operator action is initiated to align these pumps in series with the RHR pumps. The Safety Injection System will be aligned for cold leg recirculation after the completion of the required manual actions.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 3 Refer to Subsections 6.3.2.8 and 7.6.5 for additional discussions of recirculation initiation. a. Function Initiation The specific functions which rely on the Engineered Safety Features Actuation System for initiation are: 1. A reactor trip, provided one has not already been generated the by Reactor Trip System (see Figure 7.2-2). 2. Opening of cold leg injection isolat ion valves for injection of borated water by charging and safety injection pumps into the cold legs of the Reactor Coolant System. 3. Start of charging pumps, safety injection pumps, residual heat removal pumps and actuation of associated valving to provide emergency makeup water to the cold legs of the Reactor Coolant System following a loss-of-coolant accident. 4. The start of the containment enclosure emergency exhaust filter fans and the filtration system designed to function following a LOCA to maintain a negative pressure within the enclosure by exhausting air and in-leakage to the plant unit vent (see Drawing NHY-503515). 5. Start of motor-driven and turbine-driven emergency feedwater pumps, and actuation of associated valves to provide secondary heat removal (see Figure 7.2-14). 6. Phase A containment isolation, whos e function is to prevent fission product release (isolation of all lines not essential to reactor protection).

See Figure 7.2-8. 7. Steam line isolation to prevent th e continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown (see Figure 7.2-8). 8. Isolation of the nonnuclear parts of the Component Cooling Water and Service Water Systems (see Drawings NHY-503273 and NHY-503965). 9. Automatic opening of the isolation valves in the cooling water discharge lines of the residual heat removal heat exchangers (see Drawing NHY-503271). 10. Main feedwater line isolation as required to prevent or mitigate the effect of excessive cooldown (see Figure 7.2-13, sh.1). 11. Start of the emergency diesels to assure backup supply of power to emergency and supporting systems components (see Figure 7.2-8).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 4 12. The start of emergency cleanup filter system, designed to clean up a portion of recirculated air and meet control room occupancy requirements following a loss-of-coolant accident (see Drawing NHY-503242). 13. Containment spray actuation which performs the following functions: (a) Initiates containment spray to reduce containment pressure and temperature following a loss-of-coolant or steam line break accident inside of Containment (see Figure 7.2-8). (b) Initiation of Phase B containment isolation which isolates the Containment following a loss of reactor coolant accident, or a steam or feedwater line break within containment to limit radioactive releases. (Phase B isolation together with Phase A isolation results in isolation of a ll but Engineered Safety Features lines penetrating the Containment.) See Figure 7.2-8. (c) Opens the isolation valves in the cooling water discharge lines for the containment spray heat exchangers (see Drawing NHY-503271). 14. Switchover of the RHR and containment spray system pump suction from the RWST to the containment sump (see Figure 7.6-4, sh.1 and sh.2). 15. Start of containment structure re circulating filter fans (see Drawing NHY-503204). 16. Containment Ventilation Is olation (see Figure 7.2-8). b. Process Monitoring Process monitoring is performed by the Process Instrumentation and Radiation Data Management Systems. The mon itoring sensors and signal processing circuits for the Engineered Safety Features Actuation System are covered in Reference 1 and Sections 11.5 and 12.3.4. The parameters to be measured including pressures, flows, tank and vessel water levels, ra diation levels, and temperatures, as well as the measuremen t and signal transmission considerations, are discussed. These latter considerations include the sensors, transmitters, orifices and flow elements, resistance temperature detectors, as well as automatic calculations, signal conditi oning and location and mounting of the devices. The sensors monitoring the primary system are located as shown on the piping flow diagrams in Chapter 5, Reactor Coolant System. The secondary system sensor locations are shown on the steam system flow diagrams given in Chapter 10.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 5 Containment pressure is sensed by four physically separated differential pressure transmitters connected to containment atmosphere by a filled and sealed hydraulic transmission system. These transmitters are mounted on seismically qualified supports outside of Containment. The distance from penetration to transmitter is kept to a minimum, and separation is maintained. This arrangement, together with the pressure sensors external to the Containment, forms a double barrier and conforms to GDC 56 and Regulatory Guide 1.141, as well as the intent of Regulatory Guide 1.11. Radiation sensors are located as shown in Sections 11.5 and 12.3.4. c. Logic Circuitry The Engineered Safety Features Actuation System logic and actuation functions are performed by the Solid-State Protection System (SSPS) which is discussed in detail in Reference 2. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference 2 also covers certain aspects of online test provisions, provisions for test points, considerations for the instrument power source and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic as shown on Figure 7.2-5 (T avg), Figure 7.2-6 (Pressurizer Pressure), Figure 7.2-7 (Steam Line Pressure and Steam Line Pressure Rate), Figure 7.2-8 (Engineered Safety Features Actuation), and Figure 7.2-14 (Emergency Feedwater Pumps Startup). To facilitate Engineered Safety Features Actuation testing, four cabinets (two per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group by group basis until actuation of all devices has been checked. Final actua tion testing is di scussed in detail in Subsection 7.3.2. d. Final Actuation Circuitry The outputs of the Solid-State Protection System (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices are listed as follows: 1. Safety injection system pump and valve actuators. See Chapter 6 for flow diagrams and additional information. 2. Containment isolation (Phase A - "T" signal isolates all nonessential process lines on receipt of safety injection signal; Phase B - "P" signal isolates remaining process lines (whi ch do not include Engineered Safety Features lines) on receipt of 2/4 Hi-3 containment pressure signal). For further information, see Subsection 6.2.4.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 6 3. Component cooling water system and service water system valve actuators (see Subsection 9.2.2) 4. Emergency feed pumps st art (see Subsection 6.8.5) 5. Diesel start (see Section 8.3)

6. Feedwater isolati on (see Section 10.4)
7. Containment air purge isolat ion valves (see Section 6.2) 8. Steam line isolation valve actuators (see Section 10.3) 9. Containment spray pump and valv e actuators (see Section 6.2)
10. Control room emergency cleanup filter system fans and dampers (see Subsection 9.4.1) 11. Containment recirculation fans and dampers (see Subsection 9.4.5) 12. Containment enclosure emergency cleanup filter system fans and dampers (see Subsection 9.4.6). If an accident is assumed to occur coin cident with a loss of offsite power, the Engineered Safety Features loads must be sequenced onto the diesel generators to prevent overloading the diesel generator. This sequence is discussed in Section 8.3. The design meets the requirements of Criterion 35 of the 1971 GDC. e. Support Systems The following systems are required for s upport of the Engineered Safety Features: 1. Service Water - Heat Removal (see Subsection 9.2.1) 2. Primary Component Cooling Water System - Heat Removal (see Subsection 9.2.2) 3. Electrical Power Distribution Systems (see Chapter 8)
4. Heating, ventilation and air conditioning system for the ESF equipment locations (see Section 9.4) 5. Diesel generator and associated dies el fuel storage a nd transfer systems (see Section 9.5).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 7 7.3.1.2 Design Bases Information The functional diagrams presented in Figure 7.2-5, Figure 7.2-6, Figure 7.2-7 and Figure 7.2-8 provide a graphic outline of the functional logic associated with requirements for the Engineered Safety Features Actuation System. Requirements for the Engineered Safety Features System are given in Chapter 6. Given below is the design bases information required in IEEE Standard 279-1971, Reference 4. a. Generating Station Conditions The following is a summary of those generating station conditions requiring protective action: 1. Primary System (a) Rupture in small pipes or cracks in large pipes (b) Rupture of a reactor coolant pipe (loss-of-coolant accident) (c) Inadvertent opening of a pressu rizer relief or safety valve (d) Steam generator tube rupture (e) Dropped fuel assembly. 2. Secondary System (a) Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief or safety valve (b) Rupture of a major steam pipe.

(c) Loss of feedwater b. Generating Station Variables The following list summarizes the generating station variables required to be monitored for the automatic initiation of ESF during each accident identified in the preceding section. Post-accident monitoring requirements are given in Table 7.5-1.

1. Primary System Accidents (a) Pressurizer pressure (b) Containment pressure and radiation (not required for steam generator tube rupture) (c) Reactor coolant temperature (monitored by the operator; its automatic protective action is to stop feed flow) (d) Refueling water storage tank level S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 8 (e) Containment airborne activity and area radiation 2. Secondary System Accidents (a) Pressurizer pressure (b) Steam line pressures and steam line pressure rates (c) Containment pressure (d) Refueling water storage tank level (e) Steam generator level c. Spatially Dependent Variables The variables sensed by the Engineered Safety Features Actuation System which have spatial dependence are reactor coolant hot leg temperature and containment manipulator crane area radiation. The sp atial dependence of the reactor coolant hot leg temperature is accounted for by taking three temperatures from the RCS hot leg and electronically averaging the signals to generate a hot leg average temperature. The spatial dependence of the radiation field associated with a fuel handling accident is considered in the placement of the radiation sensors on the containment manipulator crane. In this location, the sensors are close as possible to a dropped fuel assembly while remain ing above water leve l in the refueling canal. d. Limits, Margins and Setpoints Prudent operation limits, available margin s and setpoints before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications. e. Abnormal Events The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows: 1. Loss-of-coolant accid ent (see Section 15.6) 2. Steam line breaks (see Section 15.1)
3. Earthquakes (see Sections 2.5 and 3.7)
4. Fire (see Subsection 9.5.1)
5. Explosion (hydrogen buildup inside Containment) (see Section 6.2) 6. Missiles (see Section 3.5)
7. Flood (see Sections 2.4 and 3.4)

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 9 8. Wind and Tornadoes (see Section 3.3) 9. Lightning (see Section 2.3) f. Minimum Performance Requirements Minimum performance requirements are as follows: 1. System Response Times The ESFAS response time is defined as the interval required for the ESF sequence to be initiated subsequent to the time that the appropriate variable(s) exceed this setpoint(s). The ESF sequence is initiated by the output of the ESFAS which is by the ope ration of the dry contacts of the

slave relays (600 and 700 series rela ys) in the output cabinets of the Solid-State Protection System. The response times listed below include the interval of time which will elapse between the time the parameter as sensed by the sensor exceeds the safety setpoint and the time the solid-state protection system slave re lay dry contacts are operated. These values (as listed below) are maximum allowable values consistent with the safety analyses and the Technical Specifications and are systematically verified during plant pre operational startup tests. For the overall ESF response time, refer to the Technical Requirements Manual. In a similar manner for the overall reactor trip system instrumentation response time, refer to the Technical Requirements Manual. These maximum delay times thus include all compensation and therefore require that any such network be aligned and operating during verification testing. The Engineered Safeguards Actuation System is always capable of having response time tests performed using the same methods as those tests performed during the preoperational test program or following significant component changes. Typical maximum allowable time delays in generating the actuation signal for loss-of-coolant protection are: (a) Pressurizer pressure 2.0 seconds Typical maximum allowable time de lays in generating the actuation signal for steamline break protection are:

(a) Steam line pressure rate

1.0 second

(b) Steam line pressure

1.0 second

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 10 (c) Reactor Coolant System T avg including 4 seconds for RTD sensor response time and 2 seconds for electronic delay

6.0 seconds

(d) High containment pressure for closing main steamline stop valves

1.5 seconds

(e) Actuation signals for emergency feed pumps

2.0 seconds

(f) Refueling water storage tank levels for recirculation actuation

1.0 second

2. System Accuracies Typical accuracies required in genera ting the required actuation signals for loss-of-coolant protection are: (a) Pressurizer pressure (uncompensated) +/-12.63 percent of span Typical accuracies required in genera ting the required actuation signals for steam line break protection are:

(a) Steam line pressure

+/-12.5 percent of span (b) Steam line pressure rate

+/-1.8 percent of span (c) T avg +/-5.0 percent of span (d) Containment pressure signal +/-2.5 percent of span (e) Refueling water storage tank level +/-2.75 percent of span S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 11 3. Range of Sensed Variables Ranges of sensed variables to be accommodated until conclusion of protective action is assured. Typical ranges required in generating the required actuation signals for loss-of-coolant protection are: (a) Pressurizer pressure 1600 to 2500 psig (b) Containment pressure 0 to 60 psig (c) Refueling water storage tank level 0 to 140 inches (suppressed range) Typical ranges needed to generate the required actuation signals for steam line break protection are:

(a) T avg 530 to 630 F (b) Steam line pressure 0 to 1300 psig (c) Containment pressure 0 to 60 psig (d) Refueling water storage tank level 0 to 140 inches (suppressed range)

7.3.2 Analysis

7.3.2.1 Failure Mode Effects Analysis Failure mode and effects analyses have been performed, Reference 5, on ESF systems equipment within the Westinghouse scope of supply. The Seabrook ESF sy stems, although not identical, have been designed to equiva lent safety design criteria. 7.3.2.2 Compliance with Standards and Design Criteria Discussion of the General Design Criteria (GDC) is provided in various sections of Chapter 7 where a particular GDC is applicable. Applicable GDCs include Criteria 13, 20, 21, 22, 23, 24, 35, 37, 38, 40, 43 and 46 of the 1971 GDC. Compliance with ce rtain IEEE Standards is presented in Subsections 7.1.2.6, 7.1.2.7, 7.1.2.10 and 7.1.2.11. Compliance with Regulatory Guide 1.22 is discussed in Subsection 7.1.2.5. The discussion given below shows the Engineered Safety Features Actuation System complies with IEEE Standard 279-1971, Reference 4.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 12 a. Single Failure Criteria The discussion presented in Subsection 7.2.2.2c is applicable to the Engineered Safety Features Actuation System, with the following exception. In the Engineered Safety Features Actuation System, a loss of instrument power will call for actuation of Engineered Safety Features equipment controlled by the specific bistable that lost power (containment pressure Hi-3 and RWST level low excepted). The actuated equipment that does not fail to the actuated condition must have power to comply. The power supply for the protection systems is discussed in Chapter 8. For containment pressure Hi-3 and RWST level low, the final bistables are energized to trip to avoid spurious actuation. In addition, manual containment spray requires simultaneous actuation of two manual controls. This is considered accep table because spray actuation on High-3 containment pressure signal provides automatic initiation of the system via protection channels. Moreover, two sets (two switches per set) of containment spray manual initiation switches are provided to meet the requirements of IEEE

Standard 279-1971. Also it is possible for all Engineered Safety Features equipment (valves, pumps, etc.) to be individually manually actuated from the control board. Hence, a third mode of containment spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 GDC. b. Equipment Qualification Equipment qualifications are di scussed in Sections 3.10 and 3.11. c. Channel Independence The discussion presented in Subsection 7.2.2.2c is applicable. The Engineered Safety Features Actuation System slave relay outputs from the solid-state logic protection cabinets are redunda nt, and the actuations asso ciated with each train are energized up to and including the final actuators by the separate AC power supplies which power the logic trains. d. Control and Protection System Interaction The discussions presented in Subsection 7.2.2.2c are applicable. e. Capability for Sensor Checks and Equipment Test and Calibration The discussions of system testability in Subsection 7.2.2.2c are applicable to the sensors, signal processing, and logic trai ns of the Engineered Safety Features Actuation System.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 13 The following discussions cover those areas in which the tes ting provisions differ from those for the Reactor Trip System. 1. Testing of Engineered Safety Features Actuation Systems The Engineered Safety Features Actuation Systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event of an accident. The testing program meets the requirements of Criteria 21, 37, 40 and 43 of the 1971 GDC and Regulatory Guide 1.22 as discussed in Subsection 3.1.4 and 7.1.2.5. The tests described in Subsection 7.2.2.2c and further discussed in Subsection 6.3.4 meet the requirements on testing of the Emergency Core Cooling System as stated in GDC 37 except for the operation of those components that will cause an actual safety injection or are not compatible with plant operation. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources and the operation of associated cooling water systems. The safety injection and residual heat removal pumps ar e started and operated and their performance verified in a separate test discussed in Subsection 6.3.4.

When the pump tests are considered in conjunction with the emergency core cooling system test, the requirements of GDC 37 on testing of the Emergency Core Cooling System are met as closely as possible without causing an actual safety injection. Testing as described in Subsections 6.3.4 and 7.2.2.2c provides complete periodic testability durin g reactor operation of all logic and components associated with the Emergency Core Cooling System. This design meets the requirements of Regulatory Guide 1.22 as discussed in the above sections. The program is as follows: (a) Prior to initial plant operations, Engineered Safety Features System tests will be conducted. (b) Subsequent to initial startup, Engineered Safety Features System tests will be conducted during each regularly scheduled refueling outage.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 14 (c) During online operation of the reacto r, all of the Engineered Safety Features Actuation System monitoring and logic circuitry will be fully tested. All active components will be tested at the operational test frequency. A lower testing frequency may be justified if adequate reliability is assured. Passive components will be tested at the operational test frequency where practicable. All components will be tested at the channel calibration frequency. In addition, essentially all of the Engi neered Safety Features actuated equipment, with the exceptions listed in Section 7.1.2.5, will be fully tested. The remaining actuated equipment whose operation is not compatible with continued online plant operation will be checked by means of continuity check of associated testable

actuation devices or overlapping testing. (d) During normal operation, the operability of testable final actuation devices of the Engineered Safety Features Systems will be tested by manual initiation from the control room. 2. Performance Test Acceptability Standard for the "S" (Safety Injection Signal) and for the "P" (the Automatic Demand Signal for Containment Spray Actuation) Actua tion Signals Generation The basis for Engineered Safety Features Actuation Systems acceptability will be the successful completion of overlapping tests (see Figure 7.3-1). Channel checks of process indications verify operability of the sensors and the associated signal processing equipment. Channel operational tests performed with the channel in trip verify the operability of the channels from the signal processing equipmen t input through to and including the logic input relays. Bypass Test Instrumentation (BTI) permits the testing of the Process Instrumentation System channels in bypass instead of in trip. Channel operational tests performed with the Process Instrumentation channel in bypass verify the operability of the cha nnel from its input to the output of the signal processing equipment. I nput relays for functions tested in bypass, except for the input relays associated with containment pressure Hi-3 and RWST level low, are test ed at the refueling frequency. The input relays associated with the containment pressu re Hi-3 function are tested during the solid-state logic testing. The input relays associated with RWST level low are tested during the operational test.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 15 Solid-state logic testing also checks the digital signal path from the input to the logic matrices to the inputs to the slave relays. Logic testing includes continuity tests on the coils of the output slave relays. Final actuator testing operates the output slave relays and verifies operability of those devices which require Engineer ed Safety Features Actuation and which can be tested without causing plant upset. A continuity check is performed on the testable actuation devices of the untestable devices.

Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves have completed their travel. The basis for acceptability for the Engineered Safety Features interlocks is control board indication of proper receipt of the signal upon introducing

the required input at th e appropriate setpoint. 3. Frequency of Performance of Engineered Safety Features Actuation Tests Test frequencies are specified in the Technical Specifications. References 6 and 7 document the ope rational test frequency and justify channel calibration frequency te sting of the SSPS input relays. 4. Engineered Safety Features Actuation Test Description The following sections describe the te sting circuitry and procedures for the online portion of the testing program. The guidelines used in developing the circuitry and procedures are: (a) The test procedures must not involve the potential for damage to any plant equipment. (b) The test procedures must minimize the potential for accidental tripping. (c) The provisions for online testing must minimize complication of Engineered Safety Features Actuation circuits so that their reliability is not degraded. (d) The active components are tested at the operational test frequency unless the channel calibration frequency is justified. The passive components are tested at the ope rational test frequency where practicable. (e) All active and passive compone nts required for each protective function will be tested at th e channel calibration frequency.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 16 5. Description of Initiation Circuitry Several systems which provide the specific functions listed in Subsection 7.3.1.1a compose the Engineered Safety Features Actuation Systems, the majority of which ma y be initiated by different process conditions and be reset independently of each other. The remaining functions are in itiated by a common signal (safety injection) which in turn may be generated by different process conditions. In addition, operation of all other vita l auxiliary support systems, such as component cooling and service water, is initiated by the safety injection

signal. The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the Solid-State Protection System cabinets designated Train A, and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, emer gency generator starting, etc. 6. Process Monitoring Testing Process Monitoring testing is identical to that used for reactor trip circuitry and is described in Subsection 7.2.2.2c. Exceptions to this are containment pressure Hi-3 and Refueling Water Storage Tank (RWST) level low, which are energized to actuate channels.

A test point for the containment pressure Hi-3 channels is provided to permit continuity testing of comparat or trip switch BTI relay contacts, wiring between the comparator and the Solid-State Protection System (SSPS) input relay, and the input rela y coil during operational testing. The RWST level low input relays are test ed as part of the operational test. 7. Solid-State Logic Testing Except for containment pressure Hi-3 channels, logic testing is the same as that discussed in Subsection 7.2.2.2c and 7.2.3. The containment pressure Hi-3 channels have special test switches which are used to energize the input relays as part of th e logic test. During logic testing of one train, the other train can initiate the required engineered safety features function.

For additional details, see Reference 2.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 17 8. Actuator Testing At this point, testing of the initia tion circuits through operation of the master relay and its contacts to the coils of the slave relays, with the exception of the normally energized SSPS input relays for channels tested in bypass, has been accomplished.

The Engineered Safety Features Actuation System (ESFAS) logic slave relays in the solid-state protection system output cabinets are subjected to coil continuity tests by the output relay tester in the SSPS cabinets. Slave relays (K601, K602, etc.) do not

operate because of reduced voltage applied to their coils by the mode selector switch (TEST/OPERATE). A multiple position master relay selector switch selects the master re lays and corresponding slave relays to which the coil continuity test voltage applied. The master relay selector switch is returned to "OFF" before the mode selector switch is placed back in the "OPERATE" mode. However, failure to do so will not result in defeat of the protective function. Th e ESFAS slave relays are activated during testing by the online test cabinet, so that overlap testing is maintained. The engineered safety features actua tion system final actuation device or actuated equipment testing is performed from the engineered safeguards test cabinets. These cabinets are located near the solid-state logic protection system equipment. There is one set of test cabinets provided for each of the two protection Trains A and B. Each set of cabinets

contains individual test switches necessa ry to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be

rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made so that groups of devices or actuated equipment, can be operated individu ally during plan t operation without causing plant upset or equipment damage. In the unlikely event that a safety injection signal is initiated during the test of the fi nal device that is actuated by this test, the device will al ready be in its safeguards position. During this last procedure, close communication between the main control room operator and the tester at the test cabinet is required. Prior to the energizing of a slave relay, the operator in the main control room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps and annunciators on the control board and records all operations. He then resets all devices and prepares for operation of the next slave-relay actuated equipment.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 18 By means of the procedure outlined a bove, all engineered safety features devices actuated by engineered safety features actuation systems initiation circuits, with the exceptions noted in Subsection 7.1.2.5 under a discussion of Regulatory Guide 1.22 are operated by the automatic circuitry. 9. Actuator Blocking and Continuity Test Circuits Those few final actuation devices th at cannot be designed to be actuated during plant operation (discussed in Subsection 7.1.2.5) have been assigned to slave relays for which additional test circuitry has been

provided to individually block actuati on to a final device upon operation of the associated slave relay during testing. Except for the main steam isolation valve (MSIV) operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices' control are checked in lie u of actual operation. The circuits provide for monitoring of the slave relay contacts, the devices' control

circuit cabling, control voltage and the devices' actuation solenoids. The MSIVs are controlled by a solid-state logic that is not compatible with the standard SSPS test circuitry. The MSIVs are blocked from actuation during slave relay testing by a special SSPS test circuit that sends a signal to the MSIV logic cabinets to block the final MSIV logic gate. A light on the MSIV logic test panel on the MCB is illuminated to indicate that the MSIV closing logic is blocked. Operation of the slave relay will test all the MSIV logic up to the final gate and illuminate a light on the MSIV logic test panel to indicate a satisfact ory test. After slave relay testing the SSPS block signal is removed, returning the MSIV logic cabinets to their normal condition. The final logic gate, MSIV logic cabinet output relay and MSIV actuating solenoid are tested by partial stroke exercising of the MSIVs. This overlapping test of the MSIV logic with MSIV exercising provides a complete test of the MSIVs. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Interl ocking between trains is also provided to prevent continuity testing in both trains simultaneously; therefore, the redundant device associated with the prot ection train not under test will be available in the event protection action is required. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One exception to this is that if the accident occurs while testing a slave relay whose output mu st be blocked, those few final actuation devices associated with this slave relay will not be actuated;

however, the redundant devi ces in the other train would be operational and would perform the required safety f unction. Actuation devices to be blocked are identified in Subsections 7.1.2.5a through j.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 19 The continuity test circuits for these components that cannot be actuated on line are verified by proving lights on the safeguards test cabinet. The charging and letdown isolation valves (described in Subsection 7.1.2.5k) are blocked by administrative controls. If an accident occurs while testing, the redundant equipment in the other train would be operational and would perform the required safety function. The letdown heat exchanger compone nt cooling water outlet isolation valve (described in Subsection 7.1.2.5l) is blocked by administrative controls. If an acci dent occurs while testing, the valve will be immediately closed by manual action, removing the nonessential heat load from the Component Cooling Water System. The Chemical and Volume Control System TK-1 outlet isolation valves (described in Subsection 7.1.2.5n) are blocked by administrative controls.

If an accident occurs while testing, the redundant equipment in the other train would be operational and would perform the required safety function. The Refueling Water Storage Tank TK-8 to charging pump isolation valves (described in Subsection 7.1.2.5o) are blocked by administrative controls. If an accident occurs while testing, the redundant equipment in the other train would be operational and would perform the required safety function. The typical schemes for blocking operation of selected protection function actuator circuits are shown in Figure 7.3-2 as details A and B. The schemes operate as expl ained below and are duplicated for each safeguards train.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 20 Detail A shows the circuit for cont act closure for protection function actuation. Under normal plant operation, and equipment not under test, the test lamps "DS*" for the various circuits will be energized. Typical circuit path will be through the normally closed test relay contact "K8*" and through test lamp connections 1 to 3. Coils "X1" and "X2" will be capable of being energized for protection function actuation upon closure of solid-state logic output relay contact s "K*." Coil "X1" is typical for a motor control center starter coil, "X2" coil is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts "K8*" are opened to block energizing of coil "X1" or "X2," the white lamp is de-energized and the slave relay "K*" may be energized to perform continuity testing. To veri fy operability of the blocking relay in both blocking and restoring normal service, open the blocking relay contact in series with lamp terminal 1 - the test lamp should be de-energized; close the blocking relay contact in series with the lamp terminal 1 - the test lamp should now be energized, which verifies that the circuit is now in its norma l, i.e., operable condition. Detail B shows the circuit for co ntact opening for protection function actuation. Under normal plant operation, and equipment not under test, for 125V DC actuation devices the white test lamps "DS*" for the various circuits will be energized, and green test lamp "DS*" will be de-energized. Typical circuit path for white lamp "DS*" will be through the normally closed solid-state logic output relay contact "K*" and through test lamp connections 3 to 1. Coil "Y2" will be capable of being de-energized for protection function actuation upon opening of solid-state logic output relay contact "K*." Coil "Y2" is typical for a solenoid valve coil, auxiliary relay, etc. When the contact "K8*" is closed to block de-energizing of coil "Y2," the green test lamp is energized and the slave relay "K*" may be energized to verify operation (opening of its contacts).

To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should now be ener gized also; open th is blocking relay contact - the green test lamp should now be de-energized, which verifies that the circuit is now in its normal, i.e., operable position.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 21 10. Time Required for Testing Analog testing can be performed at a rate of several channels per hour. Logic testing of both Trains A and B can be performed in less than 30 minutes each. Testing of actuated components (including those which can only be partially tested) is a function of control room operator availability. It requires several shifts to accomplish these tests. During this procedure automatic actuation circuitry overrides testing, except for those few devices associated with a single slave relay whose outputs must be blocked and tested only while blocked. Continuity testing associated with a blocked slave relay takes several minutes. During this time the

redundant devices in the othe r trains are functional. 11. Summary of Online Testing Capabilities The design described above provides capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan ci rcuit breakers or starter, valve contactors, pilot

solenoid valves, etc., in cluding all field cabling actually used in the circuitry called upon to operate for an accident condition. All passive and

active components are tested at the refueling frequency. All active components are tested at the operati onal test frequency except for the normally energized SSPS input relays where refueling frequency testing has been justified (Reference 7).

For those few devices whose operation could adversely affect plant or equipment operation (see Subsection 7.1.2.5), the same procedur e provides for checking from the process signal to the logic rack. To check the final actuation device a continuity or overlapping blocked logic/manual exercise test of the individual control ci rcuits is performed. The procedures require te sting at various locations. (a) Monitoring circuit testing and veri fication of bistable setpoint are accomplished at the signal processing circuits. Verification of bistable relay operation is done at the main control room status lights or at the bistable output if the SSPS input relay is not tested during the operational test. (b) Logic testing through operation of the master relays and low voltage application to slave relays is done at the SSPS logic rack test panel. (c) Testing of pumps, fans and valves is done at the test panel located in the vicinity of the SSPS logi c racks in combination with the control room operator.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 22 (d) Continuity or overlapping blocked logic/manual exercise testing for those circuits that cannot be operated is done at the same test panel mentioned in (c) above. 12. Testing During Shutdown Engineered Safety Features Actuation Systems tests will be performed periodically in accordance with th e Technical Specifications with the Reactor Coolant System isolated from the Emergency Core Cooling System by closing the appropriate valves and other valve alignments as required to prevent unacceptable actions. A test safety injection signal will then be applied to initiate operation of active components (pumps and valves) of the Engineered Safety Features. This is in compliance with Criteria 37, 40 and 43 of the 1971 GDC. 13. Periodic Mainte nance Inspections The maintenance inspections which follow will be accomplished per applicable plant programs and procedures. The frequency will depend on

the operating conditions and requirements of the reactor power plant. Typically maintenance inspections occu r during preventive and corrective maintenance activities. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment. Typical maintenance inspections include the following: (a) Check cleanliness of exte rior and interior surfaces (b) Check fuses for corrosion (c) Inspect for loose or broken c ontrol knobs and burned out indicator lamps (d) Inspect for moisture and condition of cables and wiring (e) Mechanically check connectors and terminal boards for looseness, poor connection, dirt or corrosion (f) Inspect the components of an a ssembly for signs of overheating or component deterioration (g) Perform complete system operating check. The balance of the requirements listed in Reference 4 (Paragraphs 4.11 through 4.22) are discussed in Subsection 7.2.2.2a. Paragraph 4.20 receives special atte ntion in Section 7.5.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 23 f. Manual Resets a nd Blocking Features The manual reset and block control associated with safety injection actuation is provided to permit manual control of com ponents actuated by the safety injection signal and to prevent automatic re-actuation of safety injection once it is blocked. Manual reset and block cannot be performed until sufficient time has elapsed after safety injection actuation to permit the actuated equipment to perform the required functions. Subsequent automatic safety injection actuations will be blocked if the reactor trip interlock (P-4) is present. A status light is illuminated to indicate when automatic safety injection actuation is blocked. The automatic safety injection block circuit is returned to normal when the reactor is not tripped. Subsequent manual safety injection actuations are not blocked if the automatic signal has been cleared by operation of the automatic block circuit or clearing of the condition that resulted in an automatic actuation. The manual reset feature associated with ESF actuation is provided in the standard design of the Westinghouse Solid-State Protection System design for two basic purposes. First, the feature permits the operator to start an interruption procedure of automatic ESF in event of false initiation of an actuate signal. Second, although ESF performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events that can be better dealt with by operator appraisal of changi ng conditions following an accident. It is most important to note that manual control of the ESF system does not occur, once actuation has begun, by just resetting the associated logic devices alone. Components will seal in (latch) or complete the protective action before reset of the actuate signal is credible so that removal of the actuate signal, in itself, will neither cancel nor prevent completion of pr otective action or provide the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must take deliberate action to individually operate or realign affected equipment. The manual reset feature associated w ith ESF, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 24 In the event that the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in one train (by operating and holding the correspondi ng reset switch at the time the initiate signal is transmitted) the other train will automatically carry the protective action to completion. In the event that the reset condition is imposed simultaneously in both trains at the time the initiate signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator. Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return again, automatic system actuation will repeat. Note also that any time delays imposed on the system action are to be applied after the initiating signals are latched. Delay of actuate signals for fluid systems

lineup, load sequencing, valve stroke time etc., do not provide the operator time to interrupt automatic completion, with manual reset alone, as would be the case if time delay was imposed prior to sealing of the initial actuate signal. The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup. These block features meet the requirement of Paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditi ons require the protection system to be functional. g. Manual Initiation of Protective Actions (Regulatory Guide 1.62)

There are four individual main steam stop valve momentary control switches (one per loop) mounted on the control board. Each switch when actuated, will close one of the main steam line isolation valv es. In addition, there are two system level switches. Operating either switch will actuate all four main steam line isolation valves on the system level.

Manual initiation of switchover to recirculation is in compliance with Section 4.17 of IEEE Standard 279-1971, with the following comment:

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 25 Manual initiation of either one of two redundant safety injection actuation main control board-mounted switches provide s for actuation of the components required for reactor protection and mitigation of adverse consequences of the postulated accident, includi ng delayed actuation of sequenced started emergency electrical loads as well as components providing switchover from the safety injection mode to the cold leg recirculation mode (see Subsection 7.6.5) following a loss of primary coolant accident. Therefore, once safety injection is initiated, those components of the Emergency Core Cooling System (see Section 6.3) that are realigned as part of the semi-automatic switchover, go to completion on low refueling storage tank water level without any manual action. Manual operation of other components or manual verification of proper position as part of emergency procedures is not precluded nor otherwise in conf lict with the above described compliance to Paragraph 4.17 of IEEE Standard 279-1971 of the semi-automatic switchover circuits. No exception to the requirements of IEEE Standard 279-1971 has been taken in the manual initiation circuit of safety injection. Although Paragraph 4.17 of IEEE Standard 279-1971 requires that a single failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with one actuation train (e.g., Train A) shares portions of the automatic initiation circuitry logic of the same logic train;

however, a single failure in shared functi ons does not defeat the protective action of the redundant actuation train (e.g., Trai n B). A single failure in shared functions does not defeat the protective actio n of the safety func tion. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system level action requirements of the IEEE Standard 279-1971, Paragraph 4.17 and consistent with the minimization of complexity.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 26 7.3.2.3 Further Considerations

a. In addition to the considerations given above, a loss of instrument air or loss of component cooling water to vital equipm ent has been considered. Neither the loss of instrument air nor the loss of cooling water (assuming no other accident conditions) can cause safety limits as give n in the Technical Specifications to be exceeded. Likewise, loss of either one of the two will not adversely affect the core or the Reactor Coolant System, nor will it prevent an orderly shutdown if this is necessary. Furthermore, all pneumati cally operated valves and controls will assume a preferred operating position upon loss of instrument air.

High pressure gas backup is provided for certain ai r-operated valves where functioning is required immediately after a loss of the compressed air system. Backup supply sizing is based on the assumption that within four hour s, either the plant air system can be started manually on the diesel generator bus, or local manual control will be established. It is also noted, that for conservatism during the accident analysis (Chapter 15), credit is not taken for the nonsafety compressed air systems nor for any control system benefit. b. The design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of component cooling water. Indication and alarm in the control room are provided whenever compone nt cooling water is lost. The reactor coolant pumps can run for a minimum of 10 minutes after a loss of component

cooling water. This provides adequate time for the operator to correct the problem or trip the plant, if necessary. c. In regard to the Emergency Feedwater System, there is one motor-driven pump and one turbine-driven pump. The motor-driven pump is initiated from Train B logic, and the turbine-driven pump is initiated from Train A or B logic. The motor-driven and turbine-driven pumps are initiated automatically by the following signals: 1. Safety injection (from Solid-State Protection System) or

2. 2/4 low-low level in any steam generator (from Solid-State Protection System) or 3. Loss of offsite power
4. ATWS Mitigation System (see Subsection 7.6.12) These pumps can also be started manually.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 27 In addition, the startup feedwater pump (SUFP) which is a pump additional to the emergency feed pumps is started automatically on the trip of both main feedwater pumps if the SUFP is aligned to Bus 4. This automatic start signal is blocked by an SI or steam generator hi-hi level signal. When the SUFP is aligned to Bus E5, it will be manually started only. (See Subsections 6.8, 8.3.1.1.b.9.(a) and 10.4.12). d. Safety function instrumentation can be divided into two general classifications: actuation instrumentation and control instrumentation. Actuation instrumentation performs f unctions that are considered protective functions (i.e., reactor trip and Engineered Safety Features Actuation) or are necessary to provide esse ntial auxiliary f unctions (cooling tower actuation, isolation of the nonsafety component cooli ng water piping). This instrumentation is designed to meet the requiremen ts of IEEE 279 and, typically, has the following features: 1. Dedicated indicator in the control room, except for Refueling Water Storage Tank (RWST) level. 2. Alarm on actuation of a specific safety function.

3. Indicator lights on the MCB, VAS alarm, channel indication at the instrument cabinets to alert the operator to a channel in the trip condition and to identify the specific channel; this indication is not applicable to functions that only have one sensing instrument. 4. Indication to monitor the performance of the actuated equipment. 5. Capability to perform the surveillance tests specified in the Technical Specifications (see Subsection 7.2.2.2c). These tests can be performed

without interfering with normal plant operation or the use of jury-rigs or lifted leads. The design conforms with the guidance of Regulatory Guides 1.22 and 1.118. Control instrumentation performs functions associated with the control of auxiliary supporting features in response to changes in a measured variable (start of cooling fans to maintain environmental conditions, operation of valves to meet minimum flow conditions for a pump). These control functions only affect the

operation of one of the redundant safety tr ains; the other trai n is available to perform the safety function if one train fails. This instrumentation satisfies the functional requirements of IEEE 279; meets the separation requirements as discussed in Subsections 7.1.2.2 and 8.3.1.4; and typically has the following features: 1. Control room or local indication to monitor the controlled variable S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 28 2. Independent alarm if the controlled variable exceeds the expected control band 3. Capability to perform pe riodic calibration and functional tests. These tests can be performed without interfering with normal plant operation of the use of jury-rigs or lifted leads. e. The design of the turbine trip on reactor trip (P-4) function meets the Westinghouse interface criter ia as the GE supplied turb ine trip circuits are not environmentally or seismically qualified but are as reliable as reasonably achievable and they conform to the maximum extent practicable to the following sections of IEEE Std-279-1971: 1. 4.2, "Single Failure Criterion".

2. 4.3, "Quality of Components and Modules."
3. 4.5, "Channel Integrity," with the exception that some of the components are not designed to be functional following a seismic event. A seismic event that damages the mechanical trip solenoid circuit such that it cannot energize the solenoid would probably also result in de-energization of the electrical trip solenoid that will trip the turbine. 4. 4.6, "Channel Independence," with the exception that the turbine trip circuits are independent but are not separated. 5. 4.10, "Capability for Test and Calibration". Different contacts on the reactor trip breaker auxiliary switches are used to provide the P-4 signals whic h are input to the turbine trip circuits or the SSPS. See Section 10.2 and Table 7.3-2 for additi onal discussion of the turbine trip and P-4 functions.

7.3.2.4 Summary The effectiveness of the Engineered Safety Features Actuation System is evaluated in Chapters 6 and 15, based on the ability of the system to contain the effects of Condition III and IV faults, including loss of coolant, steam line break and fuel handling accidents. The engineered safety features actuation system parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing system.

The Engineered Safety Features Actuation System must detect Condition III and IV faults and generate signals which actuate the Engineered Safety Features. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapters 6 and 15.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 29 Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with Engineered Safety Features. This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load. Operating procedures require that the complete Engineered Safety Features Actuation System normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode or the bypass mode for containment pressure Hi-3 and RWST level low. a. Loss-of-Coolant Protection By analysis of loss-of-coolant accident and in system tests it has been verified that except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderl y shutdown, the effects of various loss-of-coolant accidents are reliably de tected by the low pressurizer pressure signal; the Emergency Core Cooling System is actuated in time to prevent or limit core damage. For large coolant system breaks, the passive accumulators inject first because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active emergency core cooling system phase. High containment pressure also actuates the Emergency Core Cooling System. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the Engineered Safety Features Actuation System detects the leakage of the coolant into the Containment. The generation time of th e actuation signal of about 1.5 second, after detection of the consequences of the accident, is adequate. Containment spray will provide additional emergency cooling of Containment and also limit fission product release upon sensing elevated containment pressure (Hi-3) to mitigate the effects of a loss-of-coolant accident. The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 second, which is well within the capability of the protection system equipment. However, this time

is short compared to that required for startup of the fluid systems. The analyses in Chapters 6 and 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss of coolant.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 30 b. Steam Line Break Protection The Emergency Core Cooling System is also actuated to protect against a steam line break. About 1.0 second elapses between sensing low steam line pressure (as well as high steam pressure rate) and gene ration of the actuation signal. Analysis of steam line break accidents assuming this delay for signal generation shows that the Emergency Core Cooling System is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases. Additional protection against the effects of steam line break is provided by feedwater isolation which occurs upon actuation of the Emergency Core Cooling System. Feedwater line isolation is initia ted to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant system boundary. Additional protection against a steamline break accident is provided by closure of all steam line isolation valves to prevent uncontrolled blowdown of all steam generators. The generation of the prot ection system signal (about 2.0 seconds) is again short compared to the time to trip the fast-acting steam line isolation valves

which are designed to close in less than approximately 5 seconds. In addition to actuation of the Engineered Safety Features, the effect of a steam line break accident also generates a signal resulting in a reactor trip on overpower or following emergency core cooling sy stem actuation. However, the core reactivity is further reduced by the hi ghly borated water injected by the Emergency Core Cooling System. The analyses in Chapter 6 and 15 of the steam break accidents and an evaluation of the protection system instrumentation and channel design shows that the Engineered Safety Features Actuation Systems are effective in preventing or mitigating the effects of a steam break accident. 7.3.3 Electric Hydrogen Recombiner For a discussion on this system, refer to Subsection 6.2.5. The hydrogen recombiners are not automatically actuated.

7.3.4 References

1. Reid, J.B., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant Using W CID 7300 Series Process Instrumentation," WCAP-7913, January 1973. 2. Katz, D.N., "Solid State Logic Protection System Description," WCAP-7488-L, January 1971 (Proprietary) and WC AP-7672, June 1971 (Nonproprietary). 3. Swogger, J.W., "Testing of Engineered Safety Features Actuation System," WCAP-7705, Revision 2, January 1976. (Information only; i.e., not a generic topical WCAP.)

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Engineered Safety Features Actuation System Revision 9 Section 7.3 Page 31 4. The Institute of Electrical and Electr onics Engineers, Inc., "IEEE Standard: Criteria for Protection System for Nucl ear Power Generating Stations," IEEE Standard 279-1971. 5. Eggleston, F.T., Rawlins, D.H., and Pe trow, J.R., "Failure Mode and Effects Analysis (FMEA) of the Engineered Safeguard Features Actuation System," WCAP-8584 (Proprietary) and WCAP

-8760 (Nonproprietary

), April 1976. 6. "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," WCAP-10271-P-A, May 1986, and Supplement 2, Revision 1, June 1990. 7. "Risk/Reliability Evaluation of SSPS Input Relays and Timers in the Bypass Test Scheme," NAESCo Engineering Evaluation 95-20, August 1995.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 1 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN The purpose of this section is to outline the cap ability for a safe shutdow n as required by General Design Criteria 19, Appendix A to 10 CFR Part 50. The functions necessary for initiation of safe shutdown are available from equipment that is associated with the major systems in both the primary and secondary portions of the plant systems. This equipment is normally aligned to serve a variety of operational f unctions, including startup and shutdown as well as protective functions. There are no identifiable safe shutdown systems, per se. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems. The discussion of these systems, together with the applicable codes, criteria and guidelines are fou nd in other sections of the Updated FSAR. In addition, the shutdown functions associated with the Engineered Safety Features under postulated limiting fault situations are discussed in Chapter 6 and Section 7.3.

Discussion of the functions required and the equipm ent design bases for the fire scenario are not included in this section. A complete discussion describing shutdown capabilities in the event of fire is provided in the 10 CFR 50 Appendix R report "Fire Protection of Safe Shutdown Capability." The functions discussed in this section are the minimum required for maintaining safe shutdown of the reactor under nonaccident conditions. These functions: a. Provide adequate capability for controlling reactivity b. Provide an adequate heat sink so that design and safety limits are not exceeded c. Provide a path to achieve the cold shutdown condition. 7.4.1 Capabilities Required for Safe Shutdown The list provided below identifies the functions required for achieving and maintaining a safe shutdown. The determination of equipment and systems required for safe shutdown is based on

providing these functions: a. Decay Heat Removal b. Reactor Coolant Inventory and Pressure Control

c. Negative Reactivity Addition Control
d. Electrical Power Supply
e. Plant Cooling
f. Process Monitoring
g. HVAC
h. Sampling.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 2 7.4.2 Safe Shutdown Control Locations The main control room is the primary station fo r safe shutdown control of the plant. In the extremely unlikely event that the main control room becomes uninhabitable, the plant may be brought to and maintained in a hot standby condition using alternate control provisions outside the main control room and subsequently attain cold shutdown. Safe shutdown, remote from the main control room, can be accomplished by taking control of the plant from the following remote safe shutdown (RSS) locations. These are the minimum number of centralized locations from which hot standby (including emergency diesel startup and control) can be maintained on a unit basis: a. RSS Control Panels - MM-CP-108A and B b. Diesel Generator Local Control Pane ls - DG-CP-75A (DG-1A) and DG-CP-76A (DG-1B) c. MCCs, distribution panels, and switchgear in Switchgear Room A and Switchgear Room B d. RSS Disable Panels - MM-CP-450A and B e. RSS Auxiliary Control Panels - MM-CP-915A and B f. In addition, a limited number of manual operations will be performed locally (such as manual valve operations) to achieve and maintain cold shutdown. 7.4.3 Control Room Evacuation The main control room is designed to be available at all times. It is neve rtheless postulated that main control room evacuation may be required in the event that control room habitability is compromised or insufficient controls and/or instrumentation are available due to a fire. In either case, transfer of control from the main control room to the RSS locations will be accomplished by procedure. Discussion of the actions required for evacuation of the main control room for a fire is contained in the Appendix R report.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 3 7.4.4 Initial Operator Actions Prior to evacuating the main control room, the operator will trip the reactor, the main steam isolation valves, and the reactor coolant pumps, thus establishing a hot standby condition. It should be noted however, that the capability exists outside the main control room to accomplish these functions. In the time interval required for the operators to evacuate the main control room and staff the RSS locations, decay heat removal is accomplished automatically by the steam

generator safety valves. No other function is required initially to maintain a decay heat sink for the reactor. Upon arrival at the RSS locations the operators will, as dictated by the abnormal operating procedures, transfer control of safe shutdown equipment to the RSS locations by means of key-locked REMOTE-LOCAL selector switches. Access to the keys required for operation of the RSS location controls is administra tively controlled and will be available when the main control room is evacuated. Initially, control and monitoring of vital plant parameters for the functions listed in Subsection 7.4.5 will be performed by the minimum onsite operati ng crew. Hence, indications and controls for all pumps, fans, and critical valves, which may be operated initially by a limited number of operators, have been consolidated into a minimal number of locations. Equipment that was operating prior to transfer to the RSS locations will continue to operate during and after the transfer. 7.4.5 Systems and Equipment to Support Safe Shutdown Functions Redundant safety-grade equipment is available to support safe shutdown functions. Control and monitoring capability is provided both in the main control room and RSS locations, unless stated otherwise. Further details fo r each of the safe shutdown functions are provided below. 7.4.5.1 Decay Heat Removal Decay heat transfer is made possible by natural circulation in the RCS. It will be monitored by T hot , T cold , and RCS pressure indication. RCS temperature is controlled by the steam generator atmospheric relief valves (ARVs). Steam generator water inventory is controlled by operating the emergency feed pump(s) and associated emergency feedwater flow control valves for each steam generator. Long-term plant cooldown is provided by the RHR system which transfers decay heat from the RCS to the Primary Component Cooling Water (PCCW) System.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 4 7.4.5.2 Reactor Coolant Inventory and Pressure Control Operation of portions of the Chemical and Volume Control System (CVCS) to compensate for RCS leakage and cooldown volume shrink is accomplished using a centrifugal charging pump and a borated water supply. The charging flow pa th, while in hot standby, is either through the seal injection flow path or the high head injection flow path. Additionally, the normal charging flow to the RCS is isolated. This can be accomplished by temporarily stopping the charging pump to prevent overfill of the pressurizer. It can also be accom plished by the use of one of two functionally redundant (but non-credited for an RSS shutdown) valves (CS-V-142 or CS-V-143).

For cooldown, charging will be re-aligned to establish flow via the RCP seals to provide flow control capability to prevent charging pump cavitation. This is due to the limited flow capability from boric acid tanks (BATs), which are the required borated water sources during cooldown until expended. RCS inventory will be monitore d through pressurizer le vel. The source of borated water for the charging flow will be from the boric acid tanks (BAT) and/or the refueling

water storage tank (RWST) with the volume control tank (VCT) isolated. The pressurizer power-operated relief valves (PORVs) and pressurizer heaters, if available, are used for RCS pressure control.

Following the initiation of plant cooldown and depressurization from the RSS locations for a remote shutdown without a fire, the solid-st ate protection system output cabinets are de-energized to prevent ESF actuation. This removes automatic actuation signals from ESF equipment. If ESF equipment is needed dur ing the plant cooldown, the SSPS output cabinets can be re-energized to provide the automatic actuation signals to the ESF equipment that was not transferred to the RSS control. During the cooldown process, the safety injection accumulators are isolated or their cover gas vented. The safety injection pumps and one charging pump are disabled as part of the standard operating procedure for any shutdown to avoid low temperature over pressurization (LTOP) of the reactor vessel. 7.4.5.3 Negative Reactivity Addition Control Reactivity for hot standby at normal operating temper ature is provided by insertion of the control rods. Operation of the boration portion of the CVCS to assure sufficient shutdown margin for a plant cooldown and to maintain cold shutdown is accomplished by operating a single centrifugal charging pump taking suction fr om the boric acid tanks. During cooldown, the borated source must be the BAT volume until expended to at least the point that the volume injected or a boron sample demonstrates that sufficient shutdown margin for cold shutdown has been achieved, at which time the RWST may be aligned. The credited path for boration is gravity feed with the RWST isolated. The boric acid transfer pumps can be used, if available.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 5 7.4.5.4 Electrical Power Supply Emergency electric power (EDE system) controls and instruments which are required for RSS are provided at RSS locations. The EDE system, which includes the diesel generators, emergency buses, inverters, batteries, and their associated equipment, is designed to provide electric power to equipment required for safe shutdown. The diesel generator units start automatically following a loss of offsite power or on a safety injection (SI) signal. Manual contro l of diesel startup is provided locally at the diesel generators as well as in the control room. Upon loss of offsite power, selected loads connected to the emergency electric power system are tripped by unde rvoltage relays. If di esel generator control has been transferred to the RSS locations, the operators will have to manually close the diesel generator breakers to energize the emergency buses.

Those loads that do not have their control transferred to the RSS locations will be automatically sequenced onto the diesel by the EPS. The loads that have been transferred to the RSS locations must be manually loaded on to the diesel generato

r. Manual loading will be coordinated with the operator at the diesel gene rator to prevent overloading. 7.4.5.5 Plant Cooling System Operation of at least one service water/PCCW train is required to maintain equipment cooling and for subsequent RHR operation.

Intake tunnel failure that results in the complete loss of the seawater supply to the service water pumps or failure of nonseismic service water piping large enough to prevent adequate cooling of safety systems will result in automatic actuation of the cooling tower on low service water pump discharg e pressure. The TA signal is also generated when the Cooling Tower is providing the cooling water to the station, and a loss of offsite power event occurs. Intake tunnel failure with subseque nt cooling tower actuation is only applicable to safe shutdown from the main control room. RSS does not require cooling tower actuation. If the cooling towers are actuated there are manual acti ons required at the tower to detect a loss of inventory due to pipe or valve failure and to manually close th e spray header bypass valve to start flow into the spray header after the basin is heated suffici ently to prevent icing. Cooling tower actuation, loss of offsite power, or safety injection, isolates the nonseismic SW piping to ensure adequate flow to the safety users. 7.4.5.6 Process Monitoring Monitoring of various vital plant parameters relied on to achieve and verify safe shutdown is available from redundant instrumentation in the main control room and the RSS locations. This instrumentation is listed in Table 7.4-1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 6 7.4.5.7 HVAC Operation of the ventilation/cooling systems for the diesel-generator building, primary component cooling water pump area, Emergency Feedwater Pumphouse, Service Water Pumphouse, switchgear rooms and containment enclosure area is required to maintain the long-term operability of the equi pment within these heat generating areas and keep temperatures below equipment limitations. The equipment function and safety evaluations for these systems are explained in the various subsections of Section 9.4.

7.4.5.8 Sampling Capability to obtain grab samples of the RCS is available to determine boron concentration for the cooldown. The boron concentration in the RHR system will also be verified prior to system initiation. Valves operated for sampling are not consider ed active unless they serve other safety functions such as containment isolation. 7.4.6 Design Basis and Analysis Hot standby is a stable plant condition, automatically reached follo wing a plant trip. Seabrook is a hot standby safe shutdown design basis plant per UFSAR Subsection 5.4.7.2.i. The hot standby and hot shutdown conditions can be maintained safely for an extended period of time.

The plant can be safely kept at hot standby, hot shutdown or brought to cold shutdown, by use of the equipment listed in Table 7.4-1. The required indicators and controls are provided in the main control room and the RSS locations. Co mmunications between th e various RSS control locations are provided to coordinate actions and monitoring of the plant parameters in the performance of RSS procedures. The RSS equipment, with the exception of the pressurizer heaters and the indication at the RSS locations, is redundant and safety-grade and meets the applicable requirements of IEEE 279-1971, 323-1974 and 344-1975. It should be noted however, that for plant cooldown initiated shortly after reactor s hutdown, the pressurizer heaters are not required to bring the reactor to a cold shutdown condition. Failure of a single component will not prevent safe shutdown from the main control room or the RSS locations. The quality group classification of equipment required for safety-grade shutdown is in compliance with guidelines set forth in Subsec tion 3.2.2. The pressurizer heaters meet the requirements of NUREG-0737, Item II.E.3.1. Control provisions at the RSS loca tions consist of selector switches that isolate the main control room and transfer control to the RSS locations, and control switches to perform the manual control functions (the MSIVs only have selector switches that al so close the MSIVs when local control is selected). Jumpers, lifted leads or te mporary circuits are not required. Selecting local control for any component initiates an alarm in the main control room, turns off the MCB indicating lights and isolates all automatic functions, interlocks and main control room controls for that component, with the following exceptions:

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 7 Equipment Interlock/Control Device Function 1. EPA-FN-47A EPA-FN-47B EPA-DP-373 EPA-DP-374

These are inlet and exhaust damper position interlocks which prevent the fans from starting

or trip fans when the dampers are closed.

2. PAH-FN-42A PAH-FN-42B PAH-DP-43A PAH-DP-44A PAH-DP-43B PAH-DP-44B These are inlet and exhaust damper position interlocks which prevent the fans from starting or trip the fans when the dampers are closed. 3. SW-P-41A

SW-P-41B

SW-P-41C

SW-P-41D SW-V-2*

SW-V-54**

SW-V-29*

SW-V-25**

SW-V-22*

SW-V-54**

SW-V-31*

SW-V-25**

  • These are service water pump discharge valve position interlocks which prevent pumps from starting unless valves ar e closed. Coordinated fuses are provided to prevent degradation of the remote shutdown circuits due to faults in the

control room indication circuit. **These are cooling tower pump discharge valve position interlocks which prevent pumps from starting unless valves are closed. 4. MS-V-395 MS-V-393 MS-V-394 These are turbine-driven emergency feedwater steam supply valve interloc ks that are required for timed sequential opening to assure proper

condensate drainage.

In addition to the above interlocks and control devices, all RSS equipment has electrical protective devices (i.e., overcurrent relays, undervoltage relays, motor overloads) which remain in the circuit when the "LOCAL" position of the selector sw itch is selected. The indication of bypass of systems required fo r safe shutdown is discussed in Subsection 7.1.2.6. Instrumentation at the RSS locations is independent of the main control room instrumentation. It is activated continuously so that its availability can be monitored. Provisions have been made for testing instrumentation channels during power operation. The RSS instrumentation will be available following all natural phenomena. The RSS controls can be tested during plant shutdowns.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 8 Portions of the instrument air system may be used for the RHR air-operated valves necessary for safe shutdown. Normal operation of the RHR system uses instrume nt air for the control of the RHR heat exchanger outlet and bypass valves. Should the instrument air system be unavailable, the RHR heat exchanger bypass valve will fail to the closed position and the RHR heat exchanger outlet valve will fail to the full-open position. This failure mode provides full RHR flow through the RHR heat exchanger. Analysis of system startup and operation under these conditions has shown that an acceptable cooldown rate of less than 50F/hr will result. Therefore, plant operation at hot standby and cooldown to cold shutdown can be accomplished without the use of the instrument air system.

Safety grade backup air supplies have been provided to components which must remain operable for safe shutdown. Refer to Updated FSAR Section 9.3 for further discussion. The station Service Water System is explaine d in Subsection 9.2.1. The safety evaluation is presented in Subsection 9.2.1.3. The Primary Component Cooling Water System is explained in Subsection 9.2.2 and the safety evaluation is presented in detail in Subsection 9.2.2.3. The selection of instrumentation and controls for safe shutdown has included consideration of the event consequences that might jeopard ize safe shutdown conditions. The event consequences that are germane are those that woul d tend to degrade the capa bilities for boration, adequate supply for emergency feedwater, and residual heat removal.

The results of the analyses are presented in Chapter 15. Of these, the following events will produce the most severe conse quences that are pertinent: 1. Uncontrolled boron dilu tion (see Subsection 15.4.6) 2. Loss of normal feedwater (see Subsection 15.2.7) 3. Loss of external electri cal load and/or turbine trip (see Subsections 15.2.2 and 15.2.3) 4. Loss of nonemergency AC power to th e station auxiliaries (Loss of Offsite Power). See Subsection 15.2.6. It is shown by these analyses, that safety is not adversely affected by these events, assuming the equipment indicated in Subsection 7.4.7 is available in the main control room to control and/or monitor shutdown. These available systems will allow maintenance of hot standby and cooldown to cold shutdown even during the even ts listed above which would tend toward a return to criticality or a loss of heat sink. In the unlikely event that the main control room is uninhabitable, alternat e control provisions are provided at the RSS locations. Safety is not adversely affected by Event 1, uncontrolled boron dilution (see Subsection 15.4.6). Events 2, 3 and 4 do not have an adverse effect since the remote safe shutdown equipment can be powered by emergency power, and a plant trip initiated by main control room evacuation will put the plant in a safe condition.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Systems Required for Safe Shutdown Revision 15 Section 7.4 Page 9 The results of the analysis which determined the applicability of the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides , and other industry standards, to the equipment required for safe shutdown, are presented in Table 7.1-1.

Technical Specification (T/S) 3/4.3.

3.5 requires

surveillance testing of selected equipment used for safe shutdown from outside the control room at Remote Safe Shutdown (RSS) locations. The required equipment is listed in Table 3.3-9.

The selection criteri a for the Transfer Switch/Control Circuit portion of the table is the primary equipment which has remote/local selector switches and is required to perform the reac tor coolant system inventory and pressure control, reactivity control and decay heat removal functions to achieve and maintain hot standby. Redundant, safety grade equipment is provided for GDC 19 shutdown. Seabrook is a hot standby safe shutdown design basis plant (see UFSAR Section 5.4.7.2.i). Support equipment, and equipment required only to achieve and main tain cold shutdown, are not required to be included in the T/S table. Process monitoring instruments also have surveillance requirements. 7.4.7 Equipment Required for Safe Shutdown The equipment required to accomplish safe shutdown functions is listed in Table 7.4-1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 1 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION

7.5.1 Introduction

Display instrumentation is provided in the main control room to enable the operator to monitor plant status under all operating conditions and to take any necessary manual actions. This display instrumentation consists of analog and digital indicators, recorders, status lamps, indicating lights, Video Alarm System (VAS) alarms, video displays and annunciators. Display instrumentation is also provided in the Technica l Support Center (TSC) and the Emergency Operations Facility (EOF) to support the functions to be performed by the personne l in the TSC/EOF.

7.5.2 Definitions

a. Design Basis Accident Events Those events postulated in the plant safe ty analyses, any one of which may occur during the lifetime of the plant, and those events not expected to occur, but postulated in the plant safety analyses because their consequences would include the potential for release of significant amounts of radioactive material to the environs. These events are listed in Updated FSAR Chapter 15 as Conditions III and IV occurrences. Excluded are those events (defined as "normal" and "anticipated operational occurrences" in 10 CFR 50) expected to occur more

frequently than once during the lifetime of the plant. b. Task Analysis Process of identifying and examining tasks that must be performed by the control room operating crew when interacting with the plant systems.

7.5.3 Discussion

An Accident Monitoring Instrumentation (AMI) list, Table 7.5-1, has been developed to define the instrumentation required by the operator for design basis accident events. The AMI enables the operator to monitor safety functions, take any manual actions required to support the accomplishment of safety functions and determin e the effect of manual actions during and following a design basis accident event. The AMI also enables the operator to maintain the plant in a hot shutdown condition, or to proceed to cold shutdown. Details are provided in Subsection

7.5.4. Table

7.5-2 lists additional information available to the operator for monitoring conditions in the reactor, the Reactor Coolant System, the containment and key process systems throughout all normal operating conditions of the plant, including anticipated operational occurrences.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 2 Status lamp arrays are used to indicate both a demand for a protective function/ESF actuation and the appropriate valve position and equipment status for ESF actuations. These arrays are functionally arranged on the control board to enable the operator to quickly and accurately monitor system status. Status lamp arrays are provided to monitor bistable trips for the following safety functions: Reactor Trip Safety Injection Containment Isolation Steam Line Isolation Feedwater Line Isolation To monitor valve position, actuated equipment status and emergency power availability, status lamp arrays are provided for the following: Cold Leg Injection Cold Leg Recirculation Hot Leg Recirculation Containment Isolation, Phase A Containment Isolation, Phase B Main Steam and Feedwater Isolation Cooling Tower Actuation Diesel Generator Status Emergency Power Sequencer A computer-based Video Alarm System (VAS) is provided to alert the operator when various process limits are exceeded. The incoming alarms are prioritized to allow the operators to focus on high priority alarms during major plant upsets. Three levels of priority have been established. Incoming alarms are also broken down into primary and secondary sides; primary side alarms are displayed on the alarm displays in main control board Sections A and D, while secondary side alarms are displayed on the alarm displays in Sections F and I.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 3 An alarm suppression scheme is normally active on the VAS computer software to minimize the number of alarms that the opera tors must respond to during routine and transient plant operation.

Two types of alarm suppression are provided: one based on m ode of plant operation and the other for selected plant transient events. Only alarms that are expected and do not represent an abnormal plant condition for a mode or event ar e suppressed. If required, the capability for operators to deactivate mode a nd/or event alarm suppression is available through the main control board VAS workstations. An alarm horn silence switch has been provided at the Unit Supervisor's desk in the Control Room. This switch allows the Unit Supervisor to disable the main control board alarm audibles during periods of high alarm activity. When activated, this switch will reduce Control Room noise levels and the repetitive operator actions required to silence alarms. An amber lamp mounted next to the switch indicates when the alarm horn audibles have been silenced. Various dynamic displays are provided to serve the needs of the operating crew. These displays supplement those described above. Video displays are provided in the Technical Support Center (TSC) and Emergency Operations Facility (EOF) to support the functions to be performed by the personnel in the TSC/EOF.

The computer system consists of two host computers, each of which is fed from a separate uninterruptible power supply. An automatic failover scheme is provided. The remainder of the system is configured so that system peripherals can be manually aligned to the available UPS.

Annunciators back up the VAS should a complete Computer System failure occur. The annunciators also have a limited "First Out" capab ility to assist the operator in determining the cause of a reactor trip or safety injection. A limited set of essential parameters is monitored for the following: Reactor Trip Signals ESF Actuation Signals Certain Technical Spec ification Deviations Important Systems The annunciators are powered from instrumentati on power sources that ar e independent of the power sources for the VAS. Bypassed/inoperable condition of safety systems is displayed on the VAS and on status lamp arrays on the MCB - one per train. Refer to Subsection 7.1.2.6 for a complete discussion of compliance with Regulatory Guide 1.47.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 4 7.5.4 Accident Monitoring Instrumentation 7.5.4.1 Compliance with Regulatory Guide 1.97 Regulatory Guide 1.97, Revision 3 endorses, subj ect to certain clarifications, ANSI/ANS 4.5-1980, "Criteria for Accident Monitoring Functions in Light-Water-Cooled Nuclear Reactors." The guidance provided in Regulatory Guide 1.97 and ANS 4.5, with certain exceptions, and NUREG-0737 has been used in selecting the Seabrook Accident Monitoring Instrumentation (AMI).

The exceptions to the guidance provided in Regulatory Guide 1.97 and ANSI/ANS 4.5 are: a. Not all the variables recommended by Regulatory Guide 1.97, Table 3 have been included in the AMI List. Specific deviations and the associated justifications are provided in Appendix 7A. b. Not all the AMI characteristics recommended by Regulatory Guide 1.97, Table 3 have been met. Specific deviations and the associated justifications are provided in Appendix 7A. c. The determination of performance requirements for AMI did not follow the guidance of Regulatory Guide 1.97, Section C.2.4 in that: 1. Required accuracy of measurement was not determined in procuring the instrumentation. Instead, the accuracy of the as-procured instrumentation was determined and then reviewed for acceptability. Further details are provided in Subsection 7.5.4.4e.5. 2. Except for meteorological monitoring instrumentation, response characteristics (time) have not been determined for instrumentation channels that provide monitoring functions only. The response time for these channels is similar to the response time determined for ESF actuation channels since similar hardware is used. Therefore, determination of the response time for each channel is not necessary. See

Subsection 2.3.3.3a for a description of the meteorological monitoring system. 7.5.4.2 Description of Variable Types The accident monitoring variables are classified into five types (A, B, C, D or E) according to the monitoring function they perform. A definition of each type is provided in the following

subsections.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 5 a. Type A Variables Type A variables for Seabrook Station are those variables to be monitored that provide the primary information for the control room operators to take specific preplanned manual actions for which no automatic control is provided. These actions are required for safety systems to accomplish their safety function for design basis accident events. Actions taken as a result of equipment failures, e.g., the "Response Not Obtained" column in the Emergency Response Procedures (ERPs), are excluded. b. Type B Variables Type B variables provide the most direct indication to monitor the accomplishment of the critical safety functions (CSFs). CSFs are those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. The accomplishment of these functions ensures the

integrity of the physical barrier s against radiation releases. The six CSFs for Seabrook are:

1. Subcriticality 2. Containment Integrity (including radioactive effluent control) 3. Heat Sink
4. Core Cooling
5. RCS Integrity
6. RCS Inventory c. Type C Variables Type C variables provide the most direct indication of the potential for or the actual breach of the barriers to fission product releases. Th ese barriers are: fuel cladding, primary coolant pressure boundary, and Containment. d. Type D Variables Type D variables are those variables that provide information to indicate the operation of individual safety systems and nonsafety systems used in the mitigation of design basis accidents. e. Type E Variables Type E variables are those variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and continually assessing such releases.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 6 7.5.4.3 Development of Accident Monitoring Instrument List As part of the Detailed Control Room Design Review (DCRDR), a task analysis was performed on the ERPs to identify the needed instrumentation and controls to support the execution of these procedures. For each instrument needed, a determination of the variable type was made based on its use in the ERPs and the definitions for each variable type. The task analysis included the ERP contingency guidelines (ECAs); instrumentation used only to support the execution of the ECAs is not considered AMI. For each variable, a determination is made whethe r it is a key variable or backup variable in accordance with the following criteria.

Key variables are those variables that provide the primary information required to permit the control room operating crew to: a. Perform the diagnosis specified in the ERPs for design basis accidents b. Take any manual action required to mitigate the consequences of an accident c. Monitor the operation of safety systems. Primary information is information that is essential for the direct accomplishment of the specified safety functions.

Backup variables are those variables that also provide inform ation in addition to the key variables to assist the control room operating staff in: a. Performing the diagnosis specified in the emergency operating procedures for design basis accidents b. Taking any manual actions required to mitigate the consequences of an accident c. Monitoring the status of individual components and ESF demand signals

d. Resolving instrument ambiguity. Variables are then assigned a design category using the following matrix:

Design Category Variable Type Key Variables Backup Variables A 1 3 B 1 3 C 1 3 S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 7 Design Category Variable Type Key Variables Backup Variables D 2 for safety systems 3 3 for nonsafety systems 3 E 3 3 The AMI list contains the instrumentation classified as Design Category 1 and 2, the instrumentation identified to monitor the performance of safety systems (Type D, Design Category 2) and Design Category 3 instrumentation included in Regulatory Guide 1.97, Table 3, Revision 3. 7.5.4.4 Design and Qualification Criteria

a. Discussion The AMI are assigned design categories as discussed in Subsection 7.5.4.3. The design and qualifications criteria for each design category are provided in the following subsections. b. Design Category 1 - Design and Qualification Criteria
1. Equipment Qualification Design Category 1 instrumentation is environmentally qualified in accordance with IEEE 323-1974 and associated daughter standards. This instrumentation is seismically qualified in accordance with IEEE 344-1975. Further details on the methods used and compliance with associated regulations a nd Regulatory Guides are provided in Sections 3.10 and 3.11 of the Updated FSAR.
2. Redundancy No single failure within the AMI, its auxiliary supporting features, or its power sources concurrent with the failures that are a condition or result of a specific accident, will prevent the operators from being presented the information necessary to determine the safety status of the plant and to bring the plant to and maintain it in a safe condition following the accident. The electrical independence and physical separation of redundant channels is discussed in Sections 8.3 and 7.1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 8 Where failure of one accident monitoring channel results in information ambiguity (i.e., the redunda nt displays disagree) th at could lead operators to defeat or fail to accomplish a required safety function, backup information is provided to allow the operators to deduce the actual conditions in the plant. This is accomplished by providing additional independent channels of information of the same variable (an identical channel) or by providing an independent channel to monitor a different variable that bears a known relationship to the multiple channels (a diverse channel). Information on redundant/d iverse channel availability is included in the operator training program. For systems having redundant component s, single channel monitoring of the redundant parts of the system is provided. Verifying the proper

functioning of one the redundant parts of the system is sufficient to monitor the accomplishment of the safety function. 3. Power Source Design Category 1 instrumentation is powered from safety-related power sources. Where momentary power interruption is not tolerable, uninterruptible power sources are used.

4. Availability The Design Category 1 instrumentation channels will be available prior to an accident except for testing and maintenance as provided in Paragraph

4.11 of IEEE Standard 279-1971 or as specified in the Technical Specifications. 5. Quality Assurance Quality Assurance for Design Category 1 instrumentation is provided in accordance with the QA Program described in Chapter 17 of the Updated FSAR. Conformance to appropriate re gulatory guides is discussed both in Chapter 17 and Section 1.8 of the Updated FSAR. 6. Display and Recording Indication: For design Category 1 variables, continuous, redundant indication is provided. This indication meets the applicable requirements for design Category I instrumentation.

Recording: Recording of instrumentation readout information is provided for at least one of the redundant channels.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 9 Trend Indication: Where direct and immediate trend or transient information is essential for operator information or action, this information is available from multiple displays such as: Dedicated recorders, or Dedicated ratemeters, or Video display (via the plant computer) available on demand, or Plasma displays - available on demand by use of dedicated function push buttons. For trend display channels, at least one of the display devices meets the applicable requirements for design Category 1 instrumentation. 7. Identification Type A, B, C, & D instrumentatio n displays provided for operator use during accident conditions are identified by an orange nameplate containing black lettering. 8. Interfaces The transmission of signals to the accident monitoring equipment from protection equipment is through isolation devices, which are classified as part of the protection system. No credible failure at the output of an isolation device will prevent the associated protection channel from meeting the minimum performance requirements considered in the design bases. Examples of credible failures include short circuits, open ci rcuits, grounds, a nd the application of the maximum credible AC or DC potential (140V DC or 129V AC).

Refer to Updated FSAR Subsecti on 7.2.2.2c.7 for further discussion. c. Design Category 2 - Design and Qualification Criteria

1. Equipment Qualification Design Category 2 instrumentation is environmentally qualified in accordance with IEEE 323-1974 and associated daughter standards. Further details on the methods used and compliance with associated

regulations and Regulatory Guides are provided in Section 3.10. 2. Power Source Design Category 2 instrumentation is powered from highly reliable power sources, very often Class 1E. Where momentary power interruption is not tolerable, uninterruptible power sources are used.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 10 3. Quality Assurance Quality Assurance for Design Category 2 instrumentation is provided by United Engineers and Constructors for the design, procurement and installation phases. Their QA Program contains the measures necessary to insure that the instrumentation has b een properly specified, procured and installed. This program contains the applicable elements of 10 CFR 50, Appendix B. Quality Assurance for the testing phase is provided by the standard testing procedures of the NHY Startup and Test Department. Auditable records are available for each Design Category 2 instrument. Quality Assurance during the operational phase is provided under the FPLE Seabrook Operational Quality Assurance Program (OQAP). Further details are provided in Section 17.2. 4. Display and Recording Indication For Design Category 2 instruments, either display on demand or continuous indication is provided.

Recording Effluent radioactivity and area radiation variables are recorded. Trend Indication Where direct and immediate trend or transient information is essential for operator information or action, trend indication is provided. This indication consists of either dedi cated recorders or video displays. 5. Identification Types A, B and C instrumentation displays provided for operator use during accident conditions are identified by an orange nameplate containing black lettering. 6. Channel Availability Design Category 2 instrumentation channels will be available prior to an accident as provided in the plant administrative procedures. 7. Interfaces Same as Design Category 1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 11 d. Design Category 3 - Design and Qualification Criteria

1. Quality Assurance This instrumentation is of high-quality commercial grade and is selected to withstand the expected plant service environment. 2. Display and Recording Indication The information display can be either continuous or available on demand.

Recording Effluent radioactivity variables and meteorological variables are recorded. Trend Indication Where direct and immediate trend or transient information is essential for operation information or action, trend information is provided. Trend information may be from a dedicated recorder or available on demand from the plant computer system. e. Design and Qualification Criteria Applicable to Design Categories 1, 2, and 3

1. Range The range of the read-outs extends over the maximum expected range of the variable being measured. Where two or more instruments are needed to cover a particular range, overlapping of the instrument spans is

provided. 2. Servicing, Testing, and Calibration Means are provided for checking, with a high degree of confidence, the operational availability of each sensor during reactor operation. This may be accomplished in various ways, for example: By perturbing the monitoring variable; or By introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or By cross-checking between channels that bear a known relationship to each other and that have read-outs available. The AMI is designed to permit any channel to be maintained when required during power operation.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Safety-Related Display Instrumentation Revision 9 Section 7.5 Page 12 3. Human Factors The AMI is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules. The AMI is designed to minimize the development of conditions that cause meters, annunciators, recorders, etc., to give anomalous indications

potentially confusing to the operator. The displays are functionally arranged on the control board to provide the operator with ready understanding and interpretation of plant conditions. Comparisons between duplicate information channels or between functionally related channels will enable the operator to readily identify a malfunction in a particular channel. In accordance with the guidance provi ded in NUREG-0737, an integrated effort for both the Detailed Control Room Design Review (DCRDR) and the AMI review was undertaken. The resu lts of this effort identified the instrumentation needed by the opera ting crew during the course of an accident or in the recovery phase. The DCRDR reviewed the adequacy of these instrumentation displays fo r use by the operating crews against human factors criteria. The AMI review determined the adequacy of instrumentation channels against the design criteria stated in this

subsection. Changes made after the completion of the DCRDR will be subjected to human factors review. 4. Direct Measurement To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. Indirect measurements are generally used to provide backup information only. 5. Instrument Accuracy The plant-specific background documents prepared for the ERPs verify and document that the installed AMI has sufficient accuracy to support the ERPs. The accuracy of the AMI is addressed as part of the Operator Training Program.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 1 7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 Instrumentation

and Control System For a description of the instrumentation and control power supply system, see Section 8.3. For a description of the remote safe shutdo wn control features, see Section 7.4. 7.6.2 Residual Heat Removal Isolation Valves 7.6.2.1 Description The Residual Heat Removal System (RHRS) isolation valves are normally closed, and are only opened for residual heat removal after system pressure is reduced to approximately 362 psig and system temperature has been reduced to approximately 350 F (Subsection 5.4.7). The residual heat removal valv es are provided with red (ope n) and green (closed) position indication and power available lights located above the control switch for each valve at the MCB and the RSS panels. There are two motor-operated valves in series in each of the two RHR pump suction lines from the RCS hot legs. The two valves nearest the RCS (RC-V22 a nd V87) are designated as the inner isolation valves, while the two valves nearest the RHR pumps (RC-V23 and V88) are designated as the outer isolation valves. Reactor Coolant System wide range pressure signals for the valve interlocks are derived from transmitters which are located outside of Containment. The transmitter associated with the interlocks for the inner isolation valves is diverse from the transmitter used for outer isolation valves' interlocks. Otherwise, the interlock features provided for the outer isolation valves, shown on Figure 7.6-1 are identical to thos e provided for the inner isolation valves, shown on Figur e 7.6-2, Figure 5.4-7, sh.1 and sh.2.

Each valve is interlocked so that it cannot be opened unless the RCS pressure is below that which could result in the RHR system design pressure being exceeded. (This includes the effects of instrument uncertainty and bi stable deadband.) Refer to the Station Technical Specifications.

This interlock prevents the valve from being opened when the RCS pressure would be above the RHR system design pressure.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 2 7.6.2.2 Analysis Based on the scope definitions presented in References 1 and 2, these criter ia do not apply to the residual heat removal isolation valve interlocks; however, in order to meet NRC requirements and because of the possible severi ty of the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following comments: a. For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions will be used: 1. Protection System The two valves in series in each line and all components of their interlocking circuits. 2. Protective Action The maintenance of Residual Heat Removal System isolation from the Reactor Coolant System when Reactor Coolant System pressures are above the preset value. b. IEEE Standard 279-1971, paragraph 4.10: The above mentioned pressure interlock signals and logic will be tested on line to the maximum extent possible without adversely affecting safety. This test will includ e the analog signal through to the train signal which activates the slave relay (which provides the final output signal to the valve control circui t). This is done in the best interests of safety since an actual actuation to permit opening the valve could potentially leave only one remaining valve to isolate the low pressure Residual Heat Removal System from the Reactor Coolant System. c. IEEE Standard 279-1971, paragraph 4.15: This requirement does not apply, as the setpoints are independent of mo de of operation and are not changed. Environmental qualification of the valves and wiring is discussed in Section 3.11. 7.6.3 Refueling Interlocks Electrical interlocks (i.e., limit switches), as discussed in Subsection 9.1.4.3, are provided for minimizing the possibility of damage to th e fuel during fuel handling operations.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 3 7.6.4 Accumulator Motor-Operated Valves The design of the signals to the accumulator isolation valves meets the following criteria established in previous NRC positions on this matter: a. Automatic opening of the accumulator valves when (a) the primary coolant system pressure exceeds a preselected value (specified in the Technical Specifications) or (b) a safety injection signal has been initiated. Both signals shall be provided to the valves. b. Use of a safety injection ("S") signal to automatically remove (override) any bypass features that are provide d to allow an isolation valv e to be closed for short periods of time when the Reactor Coolant System is at pressure (in accordance with the provisions of the Technical Specifications). As a result of the confirmatory "S" signal, isolation of an accumulator with the reactor at pressure is acceptable (see Drawing NHY-503907). c. During plant operation, these valves are normally open, and the motor control center supplying power to the operators is de-energized. The functional block diagram for these valves is shown on Figure 7.6-3. The valves and control logic are further discussed in Subsections 6.3.2.2 and 6.3.5. The Safety Injection System accumulator discharge isolation valves are motor-operated, normally open valves which are controlled from the main control board. These valves are interlocked so that: a. They open automatically on receipt of an "S" signal with the main control board switch in either the "AUTO" or "CLOSE" position. b. They open automatically whenever the Reactor Coolant System pressure is above the safety injection unbloc k pressure (P-11) spec ified in the Technical Specifications only when the main control board switch is in the "AUTO" position. c. They cannot be closed as l ong as an "S" signal is present. The four main control board switches for these valves provide a "spring return to AUTO" from the open position and a "maintain CLOSE" position.

The "maintain CLOSE" position is required to provide an administratively controlled manual block of the automatic opening of the valve at pressure above the safety injection unblock pressure (P-11). The manual block or "maintain CLOSE" position is required when performing a periodic check-valve leakage test when the react or is at pressure. The maximum permissible time that an accumulator valve can be closed when the reactor is at pressure is specified in the Technical Specifications.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 4 Administrative control is required to ensure that any accumulator valve, which has been closed at pressures above the safety injection unblock pressure, is returned to the "OPEN" position. During plant shutdown, the accumulator valves are closed. To prevent an inadvertent opening of these valves during the shutdow n period, whenever accumulator pressure is greater than 100 psig, power to the accumulator valve motor circuit is turned "OFF" by a separate control switch regulating power to the motor control center, which is administratively controlled. Administrative control is again required to ensure that these motor control centers are energized during the pre-startup procedures. The four accumulator motor-operated isolation valves are provided with red (open) and green (closed) position-indicating lights located above the control switch on the MCB and at the remote shutdown panels. A monitor light that goes "on" for each isolation valve when the valve is full open, is provided in an array of monitor lights also located at th e MCB. An alarm is actuated by the motor operator limit switch whenever the isolation valve is not fully opened, coincident with pressurizer pressure greater than a set value. This alarm remains a high priority on the VAS until the isolation valve is reopened. "Control switch in close position" alarm is also available. Control power availability to each of the valves is indicated by a monitoring light at the MCB. Thus, the design of this system meets the requirements of Branch Technical Position ICSB-4 (NUREG-0800, Appendix 7-A). 7.6.5 Switchover from Injection to Recirculation The details of achieving cold leg recirculat ion following safety injection are given in Subsection 6.3.2.8 and on Table 6.3-7. Figure 7.6-4 and Figure 7.6-5 show the logic which is used to automatically open the containment sump isolation valves. Four narrow-range level sensors are provided for measurement of RWST level. 7.6.6 Interlocks for RCS Pressure Cont rol during Low Temperature Operation 7.6.6.1 Design and Function The basic function of the RCS pressure control during low temperature ope ration is discussed in Subsection 5.2.2. As noted in Subsection 5.2.2, this pressure control includes automatic actuation logic for two pre ssurizer power-operated relief valves (PORVs).

The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions, with the actuation logic only unblocked when plant operation is at a temperature below the Reference Nil Ductility Temperature (RNDT). The monitore d RCS pressure signals are derived from wide-range pressure transmitters located outside of Containment. The monitored system temperature signals are processed to generate the reference pressure limit program, which is compared to the actual monitored RCS pressure. This comparison will provide an actuation signal to an actuation device which will cause the PORV to automatically open, if necessary, to prevent pressure conditions from exceeding allowable limits. See Figure 7.6-6 for the block diagram showing the interlocks for RCS pressure control during low temperature operation.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 5 As shown on this figure, the generating stati on variables required for this interlock are channelized as follows: a. Protection Set I

1. Wide range RCS temperature from hot legs 2. Wide range RCS pressure. b. Protection Set II Wide range RCS temperature from cold legs
c. Protection Set IV Wide range RCS pressure The wide-range temperature signals, as inputs to Protection Sets I and II, continuously monitor RCS temperature conditions whenever plant operation is at a temperature below the RNDT. In Protection Set I, the existing RCS hot leg wide-range temperature channels will continuously supply analog input through an isol ator to two auction eering devices, which are located in the Process Control Group No. 1. The lowest reading as selected by one auctioneer is input to a f unction generator which calculates the reference pressure limit program, considering the plant's a llowable pressure and temperature limits. Also available from Protecti on Set I, is the wide-range RCS pressure signal which is sent through an isolatio n device to Control Group 1. The reference pressure from the function generator is compared to the actual RCS pressure monitored by the wide-range pressure channel. The error signal derived from the difference between the reference pressure and the actual measured pressure will first annunciate a main control board alarm whenever the actual measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in measured pressure, the error signal will generate an actuation signal. The actuation signal available from the auxiliary relay rack will control PORV "A" whenever a temperature-dependent permissive signal from the lowest auctioneering temperature in Process Control Group 1 is present. The two auctioneering devices men tioned above select the lowest temperature. One low temperature is for use as a permissive, the other for use in the reference pressure limit program. The temperature-dependent permissive to the PORVs actuation device effectively disarms (blocks) the actuation signal at temperatures greater than the range of concern. This will prevent unnecessary system actuation when at normal RCS operating conditions as a result of a failu re in the process sensors.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 6 The monitored generating station variables that generate the actuation signal for the "B" PORV are processed in a similar manner. In the case of PORV "B", the reference temperature is generated in Process Control Group 4 from the lowest auctioneered wide-range cold leg temperature, which is a separate auctioneering circuit from the circuit used for the PORV "A" permissive. The auctioneering device derives its input from th e RCS wide-range temperature in Protection Set II. The actual measured pressure signal is available from Protection Set IV. Therefore, the generating station variables used for PORV "B" are derived from a protection set that is independent of the sets from which generating station variables used for PORV "A" are derived. The error signal derivation itself used for the actuation signals is available from the control group. Upon receipt of the actuation signal, the actuation device will automatically cause the PORV to open. Upon sufficient RCS inventory letdown, the operating RCS pressure will decrease, clearing the actuation signal. Removal of this signal causes the PORV to close. 7.6.6.2 Analysis of Interlock Many criteria presented in IEEE 279-1971 and IEEE 388-1975 standards do not apply to the interlocks for RCS pressure control during low temperature operation, because the interlocks do not perform a protective function but rather provide automatic pressure control at low temperatures as a backup to the operator. However, although IEEE 279 criteria do not apply, some advantages of the dependability and benefits of an IEEE 279 design have accrued by including selected elements as noted above in the protection sets and by organizing the control of the two PORVs into dual channels, wherever practical, either of which can accomplish the RCS pressure control function.

The design of the low temperature interlocks for RCS pressure control is such that pertinent features include: a. No credible failure at the output of the protection set racks, after the output leaves the racks to interface with the interlocks, will prevent the associated protection system channel from performing its prot ective function, becaus e such outputs that leave the racks go through an isola tion device as shown in Figure 7.6-6. No single random failure in either channel of the control system will defeat required actuation of both PORVs. It is noted that the lowest of four wide-range temperatures in each channel is derived twice by the two lowest auctioneering temperature circuits. One of these circuits is used to generate the reference pressure limit program for one PORV; the other of these auctioneering circuits is used as a permissive for the redundant PORV. A failure high of either auctioneering circuit in a given channel will not defeat operation of both PORVs.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 7 b. Testing capability for elements of the interlocks within (not external to) the protection system is consistent with the testing principles and methods discussed in Subsection 7.2.2. An alarm is provided in the control room when there is low auctioneered RCS temperature (below RNDT) coincident with a closed position of the motor-operated (MOV) pressurizer relief isolation valve. This MOV is in the same fluid path as the PORV, with separate MOV and alarms used with the second PORV. c. A loss of offsite power will not defeat the provisions for an electrical power source for the interlocks, because these provisions are through onsite power which is described in Section 8.3. In addition, associated with each motor-operated isolation valve for each PORV is a pressure interlock that opens the isolation valves on a high pressurizer pressure

signal. 7.6.7 Fire Protection Instrumentation and Detection System These systems are discussed in Subsection 9.5.1 and in the report, "Seabrook Station Fire Protection Program Evaluation and Comparison to Branch Technical Position APCSB 9.5.1, Appendix A." 7.6.8 Isolation of NNS Components in Primary Component Cooling Water System A head tank is provided for each PCCW loop. The tank instrumentation is identical for both the loops. PCCW supply to nonessential (NNS) compone nts is isolated on th e head tank isolation signal. Isolation of the NNS portion of the PCCW system from its safety-related portion is accomplished in two phases. The first phase is the isolation of the waste processing building heat loads which are isolated either on a safeguard "T" signal (containment isolation phase-A) or upon a head tank low le vel isolation signal (see Drawing NHY-503273). The latter signal is indicative of a possible break in the NSS porti on of the PCCW loop. The head tank isolation signal is generated using a two-out-of-three logic from the head tank level measurements in each tank (see Drawing NHY-503278). The second phase of PCCW isolation is the isolation of the loads in the Containment. These are isolated on either a safeguard "P" signal (containment

isolation phase-B) or a low-low level in the PCCW head tank (see Drawing NHY-503268). The system is designed single failure-proof at the system level and meets the requirements of IEEE 279-1971. The sensors, activation logic components, and the soleno id valves are all classified as Class 1E equipment. The environmental qualifi cation of the Class 1E components is discussed in Section 3.11. 7.6.9 Protection Against Spurious Valve Actuation

a. For the motor-operated valves listed be low, protection against spurious actuation is provided by removal of motor and cont rol power by de-energizing their Motor Control Centers (MCC 522 and MCC 622).

Control of the breakers supplying power to these MCCs is provided in the main control room.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 8 Valve Function 1. RH-V14 and -V26 Residual Heat Removal Cold Leg Injection Valves 2. RH-V32 and -V70 Residual Heat Removal Hot Leg Injection Valves

3. SI-V3, -V17, -V32 and -V47 Safety Injection Accumulator Isolation Valves 4. SI-V114 Safety Injection Cold Leg Isolation Valves
5. SI-V102 and -V77 Safety Injection Pump to Hot Leg Isolation Valves For all these valves, redundant valve posit ion indication lights are provided at the Main Control Board (MCB), powered by different sources and actuated by different limit switches. "Control Power Available" indication is provided at the MCB for these valves. b. SI-V93 (Safety injection pumps discharge to refueling water storage tank) is protected against spurious actuation by providing a nonreversing contactor in series with the normal reversing contactor. Control of this extra contactor is provided through a separate key-locked selector switch on the MCB. Position indication is from the normal valve control circuit (see Drawing NHY-503901). SI-V93 cannot be operated until the applicable interlocks are satisfied, the control switch for SI-V93 has been placed in "open" or "close," the key-locked selector switch has been unlocked and placed in "on." c. Other safety-related motor-operated valves have power removed for reasons other than to prevent a single failure from preventing a safety function (BTP EICSB

18). These valves are provided with control room position indication that is independent of the motor-operator power s upply. Position indi cation is available when power is removed from the motor operator. 7.6.10 High Energy Line Break Sensing System On the basis of Standard Review Plan Subs ections 3.6.1 and 3.6.2, types and locations of line breaks are postulated that would result in severe environmental conditions at the location of safety grade equipment. To mitigate the effects of such harsh environmental conditions, affected lines are isolated automatically by high energy line break (HELB) signals which are generated by redundant fast response thermocoupl es strategically located near postulated line breaks in PAB and containment enclosure areas. On a predetermined high temperature (on a per train basis) at any one of the locations described, a HELB signal is automatically generated which closes the following valves:

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 9 a) The steam generator blowdown containment isolation valves b) The auxiliary steam isolation valves c) The letdown line containment isolation valves.

Refer to Subsections 9.3.4.5o, 10.4.8.6a, and 10.4.11.2 for further details. 7.6.11 Shutdown Monitor The shutdown monitor measures the count rate from a neutron counting instrument. It performs a statistical time average of the neutron count rate and displays this average in the source range from 0.1 counts per second (cps) to 10 4 cps. It also provides an alarm output to indicate a decrease in reactor shutdown ma rgin when the neutron count rate increases by an amount equal to the preset alarm ratio. The shutdown monitor alarm setpoint is continuously recalculated and automatically reduced as the reactor is shut down and the neutron flux is reduced. When the neutron count rate achieves steady value and then eventually increases, the alarm setpoint remains at its lowest value unless it is manually reset. An alarm will occur when the time averaged neutron count rate increases due to a reactivity addition to a valu e equal to the preset alarm setpoint. The response time for the alarm de pends on the initial count rate and the rate of change of neutron flux. The preset alarm ratio is chosen to ensure an early alarm will occur during an inadvertent boron diluti on event. Analysis of inadvertent boron dilution events is discussed in Subsection 15.4.6. There are two redundant alarm channels. The alarm from one shutdown monitor channel is annunciated on the VAS and the alarm for the other channel is annunciated on a hardwired alarm on the main control board. Each shutdown monitor channel receives an input signal from an independent source range neutron flux monitoring channel.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 10 7.6.12 ATWS Mitigation System Generic analyses of Anticipated Transients Without Scram (ATWS) events for NSSS designs similar to Seabrook Station have determined that acceptable consequences would result provided the turbine trips and emergency feedwater are initiated in a timely fashion (References 3 and 4). Seabrook's licensed power level exceeds the power level assumed in the generic ATWS analysis. As a result, acceptable ATWS consequences were confirmed by explicit transient analyses at Seabrook's licensed power level. The most severe ATWS scenarios were those in which there is complete loss of normal feedwater. These include loss of normal feedwater and loss of load caused by a loss of main condenser vacuum, which results in a loss of both feedwater pumps. The primary safety concern for these two transients is the potential for high pressures within the Reactor Coolant System (RCS). If a common mode failure in the protection system incapacitates Emergency Feedwater (EFW) flow initiation and/or turbine trip in addition to prohibiting a scram, then an alternate method of providing EFW flow and a turbine trip is required to maintain the RCS pressure below 3200 psig. This is th e pressure corresponding to the ASME Boiler and Pressure Vessel Code Level C service limit stress criteria. The ATWS Mitigation System (AMS) provides an alternative means for automatically tripping the turbine and actuating Emergency Feedwater (EFW) flow apart from the protection system in the event of a loss of normal feedwater and/or a loss of load ATWS. The system design complies with the generic functional requirements established by References 5 and 6. Quality Assurance procedures for the AMS comply with the requirements of Reference 7. The AMS actuation signal is initiated on low-low-low steam generator level, on three-out-of-four steam generators (one sensor for each steam generator). The setpoint is lower than the low-low steam generator level reactor trip/EFW actuation setpoint, and a time delay is added to the actuation signal in order to permit the protection system to actua te prior to AMS actuation. The maximum time delay is limited by the response time requirement from the ATWS analysis. A permissive (C-20) is provided which will permit an AMS actuation when both turbine impulse pressure transmitters indicate more than the setpoint. The analyses (Reference 4) show that the AMS is not required to actuate at or below 70 percent reactor power to limit peak Reactor Coolant System pressure; however, in order to limit the amount of RCS voiding to that previously predicted in Reference 4, the C-20 setpoint is set to a nominal 20% reactor power to ensure that AMSAC is armed whenever reactor power is greater than or equal to 40 percent. The C-20 permissive is maintained following a turbine trip from above the C-20 setpoint long enough to allow the AMS to perform its function, if necessary. In the event of a turbine trip below the P-9 setpoint the AMSAC will not be armed; however, based on the analysis in reference 8, AMSAC is not required below the P-9 setpoint since the amount of RCS voiding is less than that predicted at 100% power with AMSAC.

The AMS actuation signal is maintained after an initiation, long enough so that the EFW turbine steam supply valve will go to its full open position and latch in. Once the AMS is initiated, separate deliberate manual actions are required to secure EFW flow and to reset the turbine. Figure 7.6-7 shows the logic for the system.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS All Other Systems Required for Safety Revision 12 Section 7.6 Page 11 The AMS is not safety related or seismically qualified. The system shares narrow-range steam generator level and turbine impulse pressure sensors with the protection system; however, the AMS inputs are isolated from the protection system. The AMS bistables and logic network are of a different design and manufacturer than the protection system and are physically located in a separate cabinet. The logic cabinet is powered from a non-Class 1E 125V DC power source which is capable of providing uninterrupted power during a loss of offsite power. The outputs of the AMS are electrically isolated from the safety-related EFW pump circuit by relays in the isolation relay cabinet. The system has been designe d so that a single failure will not result in an inadvertent actuation. The system may be bypassed to allow testing at power.

7.6.13 References

1. The Institute of Electrica l and Electronic Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Standard 279-1971. 2. The Institute of Electrical and Elec tronic Engineers, Inc., "IEEE Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," IEEE Standard 338-1975. 3. "Westinghouse Anticipated Transien ts Without Trip Analysis," WCAP-8330, August 1974. 4. NS-TMA-2182, Anderson, T.M. "Anticipated Transients Without Scram for Westinghouse Plants," December 1979. 5. "AMSAC" Generic Design Package," WCAP-10858-P-A, Revision 1, July 1987. 6. ATWS Final Rule - Code of Federal Regulations 10 CFR 50.62 and Supplementary Information Package, "R eduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water- Cooled-Nuclear Power Plants." 7. "Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related," Generic Letter 85-06; April 16, 1985. 8. Westinghouse Technical Bulletin ESBU-TB-97-08, "AMSAC C-20 Interlock Permissive," November 1997.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 1 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY The general design objectives of the plant control systems are: To establish and maintain power equilibrium between primary and secondary systems during steady-state unit operation; To constrain operational transients so as to preclude unit trip and re-establish steady-state unit operation; To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and ensures the capability for the operator to assume manual control of the system.

7.7.1 Description

The plant control systems described in this section perform th e following functions: 1. Reactor Control System

a. Enables the nuclear plant to accept a step-load increase of 10 percent or decrease of 15 percent and a ramp increase or decrease of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressurizer relief actuation, subject to possible xenon limitations. b. Maintains reactor coolant average temperature (T avg) within prescribed limits by creating the bank demand signals for movi ng groups of full-le ngth road cluster control assemblies during normal operati on and operational transients. The T avg control also supplies a signal to pressurizer water level control, and steam dump control. 2. Rod Control System Provides for reactor power modulation by manual or automatic control of full length control rod banks in a preselected sequence and for manual operation of individual banks. 3. Systems for Monitoring and Indicating
a. Provide alarms to alert the operator if the required core reactivity shutdown margin is not available due to excessive control rod insertion. b. Display control rod position. c. Provide alarms to alert the operator in the event of control rod deviation exceeding a preset limit.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 2 4. Plant Control System Interlocks

a. Prevent further withdrawal of the control banks when signal limits are approached that predict the approach of a DNBR limit or kW/ft limit. b. Inhibit automatic turbine load change as required by the Nuclear Steam Supply System. 5. Pressurizer Pressure Control Maintains or restores the pressurizer pressure to the design pressure 50 psi (which is well within reactor trip and relief and safety valve actuation setpoint limits) following normal operational transients that induce pressure changes by control (manual or automatic) of heaters and spray in the pressurizer. Provides steam relief by controlling

the power-operated relief valves. 6. Pressurizer Water Level Control Establishes, maintains, and restores pressurizer water level within specified limits as a function of the average coolant temperature.

Changes in level are caused by coolant density changes induced by lo ading, operational, and unlo ading transients. Level changes are produced by means of charging flow control (manual or automatic) as well as by manual selection of modulate letdown valv es. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory. 7. Steam Generator Water Level Control

a. Establishes and maintains the steam generator water level to within predetermined physical limits during normal operating transients. b. Restores the steam generator water level to within predetermined limits at unit trip conditions. Regulates the feedwater flow ra te so that under oper ational transients the heat sink for the Reactor Coolant System is maintained. 8. Steam Dump Control
a. Permits the nuclear plant to accept a sudden loss of load without incurring reactor trip. Steam is dumped to the condenser and/or the atmosphere as necessary to accommodate excess power generation in the reactor during turbine load

reduction transients. b. Insures that stored energy and residual heat are removed following a reactor trip to bring the plant to equilibrium no load conditions without actuation of the steam generator safety valves. c. Maintains the plant at no load conditions and permits a manually controlled cooldown of the plant.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 3 9. Incore Instrumentation Provides information on the neut ron flux distribution and on the core outlet temperatures at selected core locations. 7.7.1.1 Reactor Control System The Reactor Control System enables the nuclear plant to follow load changes automatically, including the acceptance of step load increase of 10 percent or decreases of 15 percent and ramp increases or decreases of 5 percent per minute with in the load range of 15 percent to 100 percent, without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation may be performed at any time. The Reactor Control System controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from three hot leg and one cold leg measurements in each reactor coolant loop. There is an average coolant temperature (T avg) computed for each loop, where:

3TTT T 2TT TH3H2H1 hot cold hot AVG The error between the programmed reference temperature (based on turbine impulse chamber pressure) and the average of the T avg measured temperatures (w hich is processed through a lead-lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown in Figure 7.2-9. The system is capable of restoring coolant average temperature to the programmed value following a change in load. The programmed coolant temperature increases linearly with turbine load from zero power to full power condition. The T avg also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring. The temperature channels needed to derive the temperature input signals for the Reactor Control System are fed from protection channels via isolation amplifiers. An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.

The core axial power distribution is controlled during load follow maneuvers by changing (a manual operator action) the boron concentration in the Reactor Coolant System. The control board displays (Subsection 7.7.1.3a) indicate the need for an adjustment in the axial power distribution. Adding boron to the reactor coolant will reduce T avg and cause the rods (through the Rod Control System) to move toward the top of the core. This action will reduce power peaks in the bottom of the core. Likewise, removing boron from the reactor coolant will move the rods further into the core to control pow er peaks in the top of the core.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 4 7.7.1.2 Rod Control System The full-length rod control system receives rod speed and direction signals from the T avg control system. The rod speed demand signal varies over the corresponding range of 3.75 to 45 inches per minute (6 to 72 steps/minute) depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a pres cribed fixed speed. When the turbine load reaches approximately 15 percent of rated load, the operator may select the "AUTOMATIC" mode, and rod motion is then controlled by the reactor control systems. A permissive interlock C-5 (see Table 7.7-1) derived from measurements of turbine impulse chamber pressure prevents automatic withdrawal when the turbine load is below 15 percent. In the "AUTOMATIC" mode, the rods are again withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming with the control interlocks (see Table 7.7-1).

The shutdown banks are always in the fully withdrawn position during normal operation, and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are four shutdown banks.

The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step.

All Rod Cluster Control Asse mblies in a group are electrically paralleled to move simultaneously. There is indivi dual position indication for each Rod Cluster Control Assembly. Power to rod drive mechanisms is supplied by two motor-generator sets operating from two separate 480-volt, three-phase buses. Each gene rator is the synchronous type and is driven by a 200-Hp induction motor. The AC power is dist ributed to the rod cont rol power cabinets through the two series connected reactor trip breakers.

The variable speed rod drive programmer provi des the ability to insert small amounts of reactivity at low speed to accomplish fine control of reactor coolant average temperature about a small temperature deadband, as well as furnishing control at high speed. A summary of the rod cluster control assembly sequencing characteristics is given below. a. Two groups within the same bank are stepped so that the relative position of the groups will not differ by more than one step. b. The control banks are programmed so that withdrawal of the banks is sequenced in the following order: cont rol bank A, control bank B, control bank C, and control bank D. The programmed inse rtion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 5 c. The control bank withdrawals are programmed so that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank which continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence con tinues until the unit reaches the desired power level. The control bank in sertion sequence is the opposite. d. Overlap between successive control banks is adjustable between 0 to 50 percent (0 to 115 steps,) with an accuracy of 1 step. e. Rod speeds for either the shutdown banks or manual operation of the control banks can be controlled between a minimum of 6 steps per minute and a maximum of 72 (+0,-0) steps per minute. Credible rod control equipment malfunctions whic h could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap or malpositioning of the rods are the following: Failures in the manual rod controls: 1. Rod Motion Control Switch (In-Hold-Out)

2. Bank Selector Switch Failures in the overlap and bank sequence program control: 1. Logic Cabinet Systems
2. Power Supply Systems a. Failure in the Manual Rod Controls
1. Rod Motion Control Switch (In-Hold Out) Failure The Rod Motion Control Switch is a th ree position lever switch. The three positions are "In," "Hold" and "Out." These positions are effective when the bank selector switch is in manual. Failure of the rod motion control switch (contacts failing short or activated relay failures) would have the potential, in the worst case, to produce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks. When the bank selector switch is in the automatic position the rods would obey the automatic commands, and failures in the rod motion control

switch would have no effect on the rod motion regardless of whether the rod motion control switch is in "In," "Hold" or "Out."

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 6 In the case where the bank selector switch is selecting a bank, and a failure occurs in the rod motion switch that would command the bank "Out" even when the rod motion control switch wa s in an "In" or "Hold" position, the selected bank could inadvertently withdraw. This failure is bounded in the safety analysis (Chapter 15) by the uncontrolled bank withdrawal subcritical and at power transients.

A reactivity insertion of up to 75 pcm/sec is assumed in the analysis due to rod movement. This value of reactivity insertion rate is consistent with the withdrawal of two banks. Failure that can cause more than one group of four mechanisms to be moved at one time within a power cabinet is not a credible event, because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed so that it will not operate on half current. A second feature in this scenario would be the multiplexing failure detection circuit included in each power

cabinet. This circuit would stop rod withdrawal (or insertion). The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the selector switch is in the manual position. Such a case could produce with a failure in the rod

motion control switch, a scenario wh ere the rods could inadvertently withdraw in a programmed sequence.

The overlap and bank sequence are programmed when the selection is in either automatic or manual. This

scenario is also bounded by the reactivity values assumed in the SAR accident analysis. In this case, the operator can trip the reactor, or the protection system would trip the reactor via Power Range Neutron Flux-High, or Overtemperature T. 2. Bank Selector Switch Failure A failure of the bank selector switc h produces no consequences when the "In-Hold-Out" manual switch is in the "Hold" position. This is due to the following design feature: The bank selector switch is series wired with the "In-Hold-Out" lever switch for manual and individual control rod operation. With the "In-Hold-Out" lever sw itch in the "Hold" position, the bank selector switch can be positioned without rod movement.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 7 b. Failures in the Overlap and Bank Sequence Program Control The rod control system design prevents the movement of the groups out of sequence, as well as limiting the rate of reactivity insertion. The main feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the block supervisory memory buffer and control. This circuitry accepts and stores the external ly generated command signals. In the event of out-of-sequence input command to the rods while they are in movement, this circuit will inhibit the buffer memory from accepting the command. If a change of signal command appears, this circuit would stop the system after allowing the slave cyclers to finish th eir current sequenci ng. Failure of the components related to this system will also produce rod deviation alarm and insertion limit alarm (see Subsection 7.7.1.3). Failures within the system such as

failures of supervisory logic cards, pulse r cards, etc., will also cause an urgent alarm. An urgent alarm will be followed by the following actions: - Automatic de-energizing of the lift coil and reduced current energizing of the stationary gripper coils and movable gripper coils - Activation of the alarm light (urgen t failure) on the power suppler cabinet front panel - Activation of rod control urgent failure annunciation window on the plant annunciator. The urgent alarm is produced in general by:

- Regulation failure detector

- Phase failure detector

- Logic error detector

- Multiplexing error detector - Interlock failure detector.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 8 1. Logic Cabinet Failures The Rod Control System is designed to limit the rod speed control signal output to a value that causes the pulser (logic cabinet) to drive the control rod driving mechanism at 72 steps per minute. If a failure should occur in the pulses or the Reactor Control System, the highest stepping rate possible is 77 steps per minute, wh ich corresponds to one step every 780-milliseconds. A commanded stepping rate higher than 77 steps per minute would result in "GO" pulses entering a slave cycler while it is sequencing its mechanisms through a 780-millisecond step. This condition stops the control bank motion automatically and alarms are activated locally and in the control room. It also causes the affected slave cycler to reflect further "GO" pulses until it is reset. Failures that cause the 780-millisecond step sequence time to shorten will not result in higher rod speeds since th e stopping rate is proportional to the pulsing rate. Simultaneous failures in the pulser or Rod Control System and in the clock circuits that determine the 780-millisecond stepping sequence could result in higher CRDM speed; however, in the unlikely event of these simultaneously multiple failures, the maximum CRDM operation speed would be no more than approximately 100 steps per minute due to mechanical limitation. This speed has been verified by tests

conducted on the CRDMs. Surveillance testing of the Reactor Control System and the Rod Control System is performed at periodic intervals to detect failures that could lead to an increase in rod speed. Relative to failures causing movement of the rods out of sequence, no single failure was discovered (WCA P 8976) that would cause a rapid uncontrolled withdrawal of Control Bank D (taken as worst case) when operating in the automatic bank overlap control mode with the reactor at near full-power output. The analysis revealed that many of the failures postulated were in a safe direction and that rod movement is blocked by the rod urgent alarm.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 9 2. Power Supply System Failures Analysis of the power cabinet disclosed no single component failures that would cause the uncontrolle d withdrawal of a group of rods serviced by the power cabinet. The analysis subs tantiates that the design of a power cabinet is "fail-preferred" in regard to a rod withdrawal accident if a component fails. The end re sults of the failure are either that of blocking rod movement, or that of dropping an i ndividual rod or r ods, or a group of rods. No failure within the power cabinet which could cause erroneous drive mechanism operation will remain undetected. Sufficient alarm

monitoring (including "urgent" alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mechanisms. As noted in the foregoing, diverse monitoring systems are available for detection of failures that

cause the erroneous operation of an individual control rod drive mechanism. In summary, no single failure within the Rod Control System can cause either reactivity insertions or malpositioning of the control rods, resulting in core thermal conditions not bounded by analyses contained in Chapter 15. 7.7.1.3 Plant Control Signals for Monitoring and Indicating

a. Monitoring Functions Provided by the Nuclear Instrumentation System The power range channels are important because of their use in monitoring power distribution in the core within specified safe limits. They are used to measure power level, axial flux imbalance and radial flux imbalance. These channels are

capable of recording overpower excursions up to 200 percent of full power. Suitable alarms are derived from th ese signals as described below. Basic power range signals are: 1. Total current from a power range detector (four such signals from separate detectors); these detectors are vertical and have a total active length of 10 feet. 2. Current from the upper half of each power range detector (four signals). 3. Current from the lower half of each power range detector (four signals).

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 10 Derived from these basic signals are the following (includi ng standard signal processing for calibration): 1. Indicated nuclear power (four signals) 2. Indicated axial flux imbalance (I), derived from upper half flux minus lower half flux (four signals) Alarm functions derived are as follows: 1. Deviation (maximum minus minimum of four) in indicated nuclear power 2. Upper radial tilt (maximum to av erage of four) on upper-half currents 3. Lower radial tilt (maximum to average of four) on lower-half currents. Nuclear power (SR, IR and PR) is continuously recorded on the control board.

Indicators are provided on the control boa rd for nuclear power and for axial flux imbalance. The axial flux difference (AFD) monitor alarms are derived from the plant process computer which determines the one minute values of the excore detector outputs to monitor in the reactor core and alerts the operator where I alarm conditions exist. Two types of alarm messages are output. An alarm message is output immediately upon determining a I outside any of the acceptable spaces as defined in Technical Specification Bases. Additional background information on the Nuclear Instrumentation System can be found in Reference 1.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 11 b. Rod Position Monitoring of Full Length Rods Two separate systems are provided to se nse and display cont rol rod position as described below: 1. Digital Rod Position Indication System The digital rod position indication system measures the actual position of each full-length rod using a detector which consists of discrete coils mounted concentrically with the rod dr ive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its centerline. For each detector, the coils are inte rlaced into two data ch annels, and are connected to the containment electronics (Data A and B) by separate multi-conductor cables. By employing two separate channels of information, the digital rod position indication system can continue to function (at reduced accuracy) when one channel fails. Multiplexing is used to transmit the digital position signals from the containment electronics to the control board display unit. The control board display unit contains a column of light-emitting diodes (LEDs) for each rod. At any given time, the one LED illuminated in each column shows the position for that pa rticular rod. Since shutdown rods are always fully withdrawn with th e plant at power, their position is displayed to 4 steps only from rod bottom to 18 steps and from 210 steps to 228 steps. All intermediate positions of the rod are represented by a single "transition" LED. Each rod of the control banks has its position displayed to 4 steps throughout its range of travel. Included in the system is a rod at bottom signal for each rod that operates a local alarm. Also a control room annunciator is actuated when any control rod in a withdrawn bank is at bottom. 2. Demand Position System The demand position system counts pulses generated in the rod drive control system to provide a digital readout of the demanded bank position. The demand position and digital rod position indication systems are separate systems, but safety criteria were not involved in the separation, which was a result only of operational requirements. Operating procedures require the reactor operator to compare the demand and indicated (actual) readings from the rod position indication system to verify operation of the Rod Control System.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 12 c. Control Bank Rod Insertion Monitoring When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relati on to reactor power (as indicated by the reactor coolant system loop T) and coolant average temperature. These parameters are used to calculate insertion limits for the control banks. Two alarms are provided for each control bank: 1. The "low" alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the Chemical and Volume Control System. 2. The "low-low" alarm alerts the operator to take immediate action to add boron to the Reactor Coolant System by any one of several alternate methods. The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip, provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion so that acceptable nuclear peaking factors are maintained.

Since the amount of shutdow n reactivity required for design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two parameters whic h are proportional to power are used as inputs to the insertion monitor. These are the T between the hot leg and the cold leg, which is a direct func tion of reactor power, and T avg , which is programmed as a function of power. The rod insertion m onitor uses parameters for each control rod bank as follows:

Z LL = A(T)auct + B(T avg)average + C Where: Z LL = Maximum permissible insertion limit for affected control bank (T)auct = Highest T of all loops (T avg)average = Average T avg of all loops A, B, C = Constants chosen to maintain A LL actual limit based on physics calculations The control rod bank demand position (Z) is compared to Z LL as follows:

If Z - Z LL D a low alarm is actuated If Z - Z LL E a low-low alarm is actuated S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 13 Since an auctioneered high value of T is chosen, a conservatively high representation of power is used in the insertion limit calculation. Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situ ation. Administrative procedur es require the operator to add boron through the Chemical and Volume Control System. Actuation of the low-low alarm requires the operator to initiate emergency boration procedures. The value for "E" is chosen so that the low-low alarm would normally be actuated before the insertion limit is reached. The value for "D" is chosen to allow the operator to follow normal boration procedures. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagrams shown in Figure 7.2-9. In addition to the rod insertion monitor for the control banks, the plant computer, which monitors individual rod positions, provides an alarm that is associated with the rod deviation alarm discussed in S ubsection 7.7.1.3d to warn the operator if any shutdown Rod Cluster Control Assembly leaves the fully withdrawn position. Rod insertion limits are established by: 1. Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above 2. Establishing the differential reactivity worth of the control rods when moved in normal sequence 3. Establishing the change in reactivity with power leve l by relating power level to rod position 4. Linearizing the resultant limit curve. All key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program. Any unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion. d. Rod Deviation Alarm A rod deviation function is performed as part of the Digital Rod Position Indication System, where an alarm is generated if a preset limit is exceeded as a result of a comparison of any control rod against the other rods in a bank. The deviation alarm of a shutdown rod is based on a preset insertion limit being exceeded.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 14 The demanded and measured rod position signals are also monitored by the plant computer which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the other rods in the bank by a preset limit. The alarm can be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors. Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system implemented by the plant computer. Additionally, the DRPI system contains rod deviation circuitry that detects and alarms the following conditions: 1. When any 2 rods within the same control bank are misaligned by a preset distance ( 12 steps) and 2. When any shutdown rod is below the full-out position by a preset distance (18 steps). e. Rod Bottom Alarm A rod bottom signal for the control rods in the digital rod position system is used to operate a control relay, which generates a rod drop alarm. 7.7.1.4 Plant Control System Interlocks The listing of the plant control system interlocks, along with the descripti on of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these

interlocks are preceded by "C." The development of these lo gic functions is shown in the functional diagrams (Figure 7.2-4, Figure 7.2-5, Figure 7.2-9, Figure 7.2-10, and Figure 7.2-15.) a. Rod Stops Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by either a control system malfunction or operator violation of administrative procedures. Rod stops are the C-1, C-2, C-5 and C-11 control interlocks identified in Table 7.7-1.

b. Turbine Loading Stop An interlock (C-16) is provided to limit turbine loading during a rapid return to power transient when a reduction in reactor coolant temperature is used to

increase reactor power (through the negative moderato r coefficient). This interlock limits the drop in coolant temperature to exceed cooldown accident limits and preserves satisfactory steam generator operating conditions. Subsequent automatic turbine loading can begin after the interlock has been cleared by an increase in coolant temperature which is accomplished by reducing the boron concentrati on in the coolant.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 15 7.7.1.5 Pressurizer Pressure Control The reactor coolant system pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients. The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are caused by heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are turned on when the pressurizer pressure controlled signal demands approximately 100 percent proportional heater power. The pressurizer heaters are controlled from nonr edundant pressurizer pressure and level signals through contacts developed in the nonsafety-relate d auxiliary relay racks.

Two groups of backup heaters are supplied from the redundant onsite power supplies.

Equipment associated with the pressurizer heater power circuits inside Containment have been qualified as Class 1E components up to the po int of the pressurize r heater connection. The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signa l is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Power-operated relief valves operation may prev ent unnecessary challenge s to the pressurizer safety valves during some positive pressure transients. See UFSAR Subsection 5.2.2 for a discussion of the overpressure protec tion provided by the safety valves. Each pressurizer relief line consists of a motor-operated and a sole noid-operated valve in series. These valves are manually operable from either the main control board or the remote safe shutdown panel. Valve control point is switch selectable fr om the RSS panel. A block diagram of the Pressurizer Pressu re Control System is shown on Figure 7.7-4. 7.7.1.6 Pressurizer Water Level Control The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 16 The water inventory in the Reactor Coolant System is maintained by the Chemical and Volume Control System. During normal plant operation, th e charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes. To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room. The letdown line isolation valves are closed on low pressurizer level. A block diagram of the Pressurizer Water Level Control System is shown on Figure 7.7-5. 7.7.1.7 Steam Generator Water Level Control Each steam generator is equipped with a three element feedwater flow controller which is planned to operate with a constant level setpoint. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feed water flow signal, the water level signal, the constant setpoint and the pressure compensated steam flow signal. The feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed header. The speed controller continuously compares the actual P with a programmed P ref which is a linear function of steam flow. Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip.

An override signal closes all feedwater valves when the average coolant temperature is below a given temperature and th e reactor has tripped, on steam generator high-high level or safety injection. Manual overri de of the Feedwater Control System is available at all times. Block diagrams of the Steam Generator Water Level Control System and the Main Feedwater Pump Speed Control System are s hown in Figure 7.7-6 and Figure 7.7-7. 7.7.1.8 Steam Dump Control The Steam Dump System is designed to accept a 50 percent loss of net load without tripping the reactor.

The automatic Steam Dump System is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the Reactor Coolant System. By bypassing main steam directly to the condenser and/or the atmosphere, an artificial load is thereby maintained on the primary system. The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The nominal steam dump design steam flow capacity is 40 percent of full load steam flow at full load steam pressure.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 17 If the difference between the reference T avg (T ref) based on turbine impulse chamber pressure and the lead/lag compensated average T avg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the reactor coolant system temperature within control range until a new equilibrium condition is reached. To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine impulse chamber pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 15 percent step load decrease or a sustained ramp load decrease of 5 percent/minute.

A block diagram of the Steam Dump Control System is shown on Figure 7.7-8. a. Load Rejection Steam Dump Controller This circuit prevents large increases in reactor coolant temperature following a large, sudden load decrease. The error si gnal is a difference be tween the lead/lag compensated average T avg and the reference T avg as based on turbine impulse chamber pressure. The T avg signal is the same as that used in the Reactor Coolant System. The lead/lag compensation for the T avg signal is to compensate for lags in the plant thermal respons e and in valve positioning. Following a sudden load decrease, T ref is immediately decreased and T avg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available, in this situation, steam dump terminates as the error comes within the maneuvering capability of the control rods. b. Plant Trip Steam Dump Controller Following a reactor trip, the load rejection steam dump controller is defeated and the plant trip steam dump controller becomes active. Since control rods are not available in this situation, the demand signal is the error signal between the lead/lag compensated average T avg. When the error signal exceeds a predetermined setpoint the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude indicating that the reactor coolant system T avg is being reduced toward the reference no-load value, the dump valves are modulated by the plant tr ip controller to re gulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 18 c. Steam Header Pressure Controller Residual heat removal is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the init ial transient followi ng turbine reactor trip on load rejection. 7.7.1.9 Incore Instrumentation The Incore Instrumentation System consists of 58 detector assemblies, each containing five fixed detectors, one Type K thermocouple and a calibration tube for the movable neutron detector, each detector assembly being at a fixed core location. Replacement detector assemblies replicate the design of the original assemblies that affect the performance of the fixed detectors. The calibration tubes do not exit the detector assemblies and cannot be accessed by the movable system. Per the original system design there are six movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The movable miniature neutron detector portion of this system may be in an installed layed-up condition and may not be immediately available for use. If the moveable miniature neutron detector portion of the system is layed up, manual actions will be taken to reactivate it. The basic system for insertion of these movable detectors, if used, is shown in Figure 7.7-9. Operation with less than the design number of incore detectors or incore thermocouples is permitted provided that the minimum functionality requirements for each system are met. Additional discussion of the incore instrumentation and use of the core exit thermocouples for accident monitoring instrumentation is provided in Subsections 4.4.6.1 and 7.5. a. Detector Assembly The detector assembly consisting of a seamless inconel housing, or housing tube; a seamless inconel calibration tube; five axially-spaced, fixed, self-powered platinum detectors plus a Type K thermocouple provides a dry path into the reactor core for a remotely driven miniature neutron flux detector. Replacement detector assemblies do not have a functional path for the movable system. The

self-powered fixed detectors are spirally wrapped around the calibration tube.

Each fixed detector provides a signal proportional to the local power density within selected fuel assemblies. During reactor operation, the retractable detector assemblies are stationary.

They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 19 b. Movable Neutron Flux Detector Drive System Miniature movable fission chamber detectors can be remotely positioned in selectable calibration tube to provide flux mapping of the core. The stainless steel detector shell is welded to the leading end of helical wrap drive cable and to stainless steel sheathed coaxial cable. The retractable detector assemblies, into which the miniature detectors are driven, are pushed into the r eactor core through guide tubes which extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thim ble seal table. Their distribution over the core is nearly uniform with about the same number of detector assemblies located in each quadrant. The drive system for the insertion of the movable miniature detectors consists of drive mechanisms, five and ten path transfer devices, as shown in Figure 7.7-9. The drive system pushes helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables. Each drive assembly consists of a gear motor which pushes a helical wrap drive cable a nd a detector through a sele cted calibration tube by means of the five and ten path transfer devices and includes a storage device that accommodates its radiated portion of the drive cable. Through a combination of movable detectors all the selectable calibration tubes may be utilized for a flux map. Manual isolation valves or tube caps for the layed-up condition (one for each thimble) are provided for closing the calibration tubes. When closed, the valves or caps form a 2500-psig barrier. Thes e isolation devices are not designed to isolate a calibration tube while a detector/drive cable is inserted into the

calibration tube. The detector/drive cable must be retracted to a position above the isolation valve prior to closing the valve or instal ling the tube cap. c. Control and Readout Description The control and readout system provides means for inserting the movable miniature neutron detectors into the reactor core and withdrawing the detectors while plotting neutron flux versus detector position. The control system is located in the computer room. Limit switches in each transfer device provide feedback of path selection operation. Each gear box drives a resolver for position feedback. One five-path transfer is provided for each drive unit to insert the detector in one of five functional modes of operation. One ten-path transfer is also provided for each drive unit that is then used to route a detector into any one of up to ten selectable paths. A common path is provided to permit cross calibration of the detectors.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 20 The control room contains the necessary equipment for control, position indication, and flux recording for each detector. A "flux-mapping" consists, briefly, of selecting flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically. An x-y plot (position versus flux level) is initiated with the slow wit hdrawal of the detectors through the core from top to a point below the bottom. In a similar manner, other core locations are selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly. Various radial positions of detectors are then compared to obtain a flux map for a region of the core. The number and location of these detector assemblies have been chosen to permit measurement of local to average peaking factors to an accuracy of 5 percent (95 percent confidence). Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated. Operating plant experience has demonstrated the adequacy of the movable incore instrumentation in meeting the design bases stated. d. Fixed Incore Detectors The Fixed Incore Detector System uses platinum self-powered detectors to provide information on the gamma and neutron flux levels in the same 58 instrumented assembly locations within the reactor core. From this information in conjunction with analytical predictions of the fluxes, the incore three-dimensional power distribution can be inferred. Once the power distribution has been inferred, the maximu m local power peaking and hot channel factors can be derived and compared to established limits in a manner similar to the method used with the Movable Incore Detector System. The Fixed Incore Detector Data Acquisi tion System (FIDDAS) collects and stores the 290 detector signals. The hardware used to generate the signal consists of two trains. Each train contains 145 detector and compensator lead inputs into a multiplexer. The multiplexer performs the compensation subtraction and voltage generation. Each multiplexer performs an analog-to-digital data conversion, and the resultant value (signal) is then sent to the main plant computer. The 290 incore instrumentation signals are saved once per minute as a data record on the main plant computer. The FIDDAS data can be processed by off-line software to infer the measured three-dimensional power distributio n and corresponding peaking factors.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 21 References 2 and 4 demonstrated that the Fixed Incore Detector System is acceptable for performing power distribution surveillance compliance. e. Thermocouples Type K thermocouples are part of the combination fixed/movable detector assembly as described in Subsection 7.7.1.9a and thus enter th e reactor vessel through the bottom head. During operation, the thermocouples are located at the exit-flow end of the instrumentation thimble in the fuel assemblies. Each thermocouple measures the temperature of the fluid in the instrumentation guide tube that is heated by conduction from the bulk core fluid and by gamma heating of the components in the guide tube. The thermocouples are sealed at the seal table along with the electrical leads from the fixed neutron flux detectors. Thermocouple readings are displayed on the MCB, Inadequate Core Cooling (ICC) monitor, and the Main Plant Computer System. The information is used as part of the ICC monitor and for monitoring core temperature distribution. Further discussion of this ICC monitor is provided in Subsection 4.4.6.5.

7.7.2 Analysis

The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability. Conformance to Ge neral Design Criterion 13 for instrumentation and control is as indicated in Table 7.1-1. Instruments including sensing and sample lines are protected from freezing by being (1) located in an area with a heating system; (2) located in an enclosure with a heated tank; or (3) provided with heat tracing. The environmental monitoring and control system satisfy the requirements of Regulatory guide 1.151.

Proper positioning of the control rods is monitored in the control room by bank arrangements of the individual position columns for each Rod Cluster Control Assembly. A rod deviation alarm alerts the operator of a deviat ion of one Rod Cluster Control Assembly from the other rods in that bank position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the control room for each full length Rod Cluster Control Assembly. Four excore long ion chambe rs also detect asymme trical flux distribution indicative of rod misalignment.

Overall reactivity control is achieved by the combination of solubl e boron and Rod Cluster Control Assemblies. Long-term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short-term reactivity control for power changes is accomplished by the plant control system which automatically moves Rod Cluster Control Assemblies. This system uses input signals including neutron flux, coolant temperature, and turbine load.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 22 The axial core power distribution is controlled by moving the c ontrol rods through changes in reactor coolant system boron c oncentration. Adding boron causes the rods to move out, thereby reducing the amount of power in the bottom of the core, allowing power to redistribute toward the top of the core. Reducing the boron concentration causes the rods to move into the core, thereby reducing the power in the top of the core; the result redistributes power towards the bottom of the core. The plant control systems will prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip. The description and analysis of this protection is covered in Section 7.2. Worst-case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following: a. Uncontrolled rod cluster control assembly withdrawal from a sub-critical condition b. Uncontrolled rod cluster control assembly withdrawal at power c. Rod cluster control assembly misalignment d. Loss of external electrical load and/or turbine trip e. Loss of all AC power to the st ation auxiliaries (Station Blackout) f. Excessive heat removal due to feedwater system malfunctions g. Excessive load increase incident

h. Accidental depressurization of the Reactor Coolant System. These analyses show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the resulting coolant temperatures produce a DNBR well above the limiting value of 1.30. Thus, there will be no cladding damage and no release of fission products to the Reactor Coolant System under the assumption of these postulated worst-case failure mode s of the plant control system. 7.7.2.1 Separation of Protection and Control System In some cases, it is advantageous to employ c ontrol signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the control circuitry does not adversely affect th e protection channel. Test results have shown that a short circuit or the application (credible fault voltage from within the cabinets) of 118V AC or 140V DC on the isolated ou tput portion of the circuit (nonpr otection side of the circuit) will not affect the input (protection) side of the circuit. Table 7.1-1 indicates the conformance to General Design Criterion 24.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 23 Where a single random failure can cause a control system action that results in a generating

station condition requiring protective action and can also preven t proper action of a protection system channel designed to protect against the condition, the remain ing redundant protection channels are capable of providi ng the protective action even wh en degraded by a second random failure. This meets the applicable requireme nts of Section 4.7 of IEEE Standard 279-1971. 7.7.2.2 Response Considerations of Reactivity Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the full-length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of the 1971 General Design Criteria 25. No single electrical or mechanical failure in the Rod Control System could cause the accidental withdrawal of a single Rod Cluster Control Assembly from th e partially inserted bank at full power operation. The operator could deliberately withdraw a single Rod Cluster Control Assembly in the control bank; this feature is necessary in order to retrieve a rod, should one be accidentally dropped. In the extremely unlikely event of simultaneous electrical failures which could result in single rod cluster control assembly withdrawal, rod deviation would be displayed on the plant annunciator, and the individual ro d position readouts woul d indicate the relative positions of the rods in the bank. Withdrawal of a single Rod Cluster Control Assembly by operator action, whether deliberate or by a combinat ion of errors, would result in activation of the same alarm and the same visual indications.

Each bank of control and shutdown rods in the system is divided into two groups (group 1 and group 2) of up to 4 to 5 mechanisms each. Th e rods comprising a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially so that the first group is always within one step of the second gr oup in the bank. The gr oup 1 and group 2 power circuits are installed in different cabinets as shown in Figure 7.7-14, which also shows that one group is always within one step ( inch) of the other group. A de finite schedule of actuation or deactuation of the stationary gripper, movable gripper, and lift coils of a mechanism is required to withdraw the Rod Cluster Control Assembly attached to the mechanism. Since the four stationary gripper, movable gripper, and lift coils associated with the Rod Cluster Control Assemblies of a rod group are driven in paralle l, any single failure which could cause rod withdrawal would affect a minimum of one group of Rod Cluster Control Assemblies.

Mechanical failures are in the direction of insertion, or immobility. Figure 7.7-15 is provided for a discussion of design features that ensure that no single electrical failure could cause the accidental withdrawal of a single Rod Cluster Control Assembly from the partially inserted bank at full power operation.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 24 Figure 7.7-15 shows the typical para llel connections on the lift, m ovable and stationary coils for a group of rods. Since single failures in the stationary or movable circuits will re sult in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits. (1) Due to the method of wiring the pulse transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire, if for example, the ga te signal lead failed open at point X

1. Upon "up" demand, one rod in group 1 and 4 rods in group 2 woul d withdraw. A second failure at point X 2 in the group 2 circuit is required to withdraw one Rod Cluster Control Assembly; (2) timing circuit failures will affect the four mechanisms of a group or the eight mechanisms of the bank and will not cause a single rod withdrawal; (3) more than two simultaneous component failures are required (other than the open wire failure s) to allow withdraw al of a single rod. The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of sixteen wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016x10

-6 per hour by MIL-HDB-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is therefore too low to have any significance. Concerning the human element, to erroneously w ithdraw a single Rod Cluster Control Assembly, the operator would have to improperly set the bank selector switch, th e lift coil disconnect switches, and the in-hold out switch. In addition, the three indications would have to be disregarded or ineffective. Such series of errors would require a complete lack of understanding and administrative control. A probability number ca nnot be assigned to a series of errors such as these. The Rod Position Indication System provides direct visual displays of each control rod assembly position. The plant computer alarms for deviation of rods from their banks. In addition, a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow emergency boration procedur es. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system. An important feature of the Control Rod System is that insertion is provided by gravity fall of the rods.

In all analyses involving reactor trip, the single , highest worth Rod Cluster Control Assembly is postulated to remain untripped in its full out position.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 25 One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. The control board position read-outs, one for each full length rod, give the pl ant operator the actual position of the rod in steps. The indications are grouped by banks (e.g., control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation. The plant computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by more than 15 inches, the rod deviation alarm is actuated. Misaligned Rod Cluster Control Assemblies are also detected and alarmed in the control room via the flux tilt monitoring system which is independent of the plant computer. Isolated signals derived from the Nuclear Instrumentation System are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur, the comparator output will operate a bistable unit to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod. Using individual rod position read-outs, the operator can determine the deviating control rod and take corrective action. The desi gn of the plant control systems meets the requirements of the 1971 General Design Criteria 23. Refer to Section 4.3 for additional information on response considerations due to reactivity. 7.7.2.3 Step Load Changes without Steam Dump The plant control system restores equilibrium conditions, without a trip, following a plus 10 percent or minus 15 percent change in load demand, over th e 15 to 100 percent power range for automatic control. Steam dump is blocked for load decrease less than or equal to 15 percent. A load demand greater than full power is prohibited by the turbine control load limit devices. The plant control system minimizes the reactor coolant average temperat ure deviation during the transient within a given value and restores average temperature to the programmed setpoint.

Excessive pressurizer pressure variations are prevented by using spray and heaters and power-operated relief valves in the pressurizer. The control system must limit nuclear power overshoot to acceptable values following a 10 percent increase in load to 100 percent. 7.7.2.4 Loading and Unloading Ramp loading and unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic contro l without tripping the plant.

The function of the control system is to maintain the coolant average temp erature as a function of turbine-generator load.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 26 The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.

Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrea se. The pressurizer water level is programmed so that the water level is above the setpoint for h eater cut out during th e loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the Overtemperature T setpoint. The automatic load controls are designed to adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating. During rapid loading transients, a drop in reactor coolant temperature is sometimes used to increase core power. This

mode of operation is applied when the control ro ds are not inserted deep ly enough into the core to supply all the reactivity requirements of the rapid load increase (the boron control system is relatively ineffective for rapid power changes). The reduction in temperature is initiated by continued turbine loading past the point where the control rods are completely withdrawn from the core. The temperature drop is recovered and nominal conditions rest ored by a boron dilution operation. Excessive drops in coolant temperature are preven ted by interlock C-16. This interlock circuit monitors the auctioneered low coolant temperature indications and the programmed reference temperature which is a function of turbine impulse pressure and causes a turbine loading stop when the decreased temperature reaches the setpoints.

The core axial power distribution is controlled during the reduced temperatur e return to power by placing the control rods in the manual mode when the operating limits are approached. Placing the rods in manual will stop further changes in , and it will also initiate the required drop in coolant temperature. Normally power di stribution control is no t required during a rapid power increase and the rods will proceed, under the automatic Rod Control System, to the top of the core. The bite positi on is re-established at the end of the transient by decreasing the coolant boron concentration. 7.7.2.5 Load Rejection Furnished by Steam Dump System When a load rejection occurs, if the difference between the required temperature setpoint of the Reactor Coolant System and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the reactor coolant system temperature within control range until a new equilibrium condition is reached. The reactor power is reduced at a rate consistent with the capability of the Rod Control System. Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as Rod Cluster Control Assemblies are capable of inserting negative reactivity.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 27 The Rod Control System can then reduce the reactor coolant temperature to a new equilibrium value without causing overtempera ture and/or overpressure conditions. The nominal steam dump steam flow capacity is 40 percent of full load steam flow at full-load steam pressure. The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value. The dump valves are modulated by the reactor coolant average temperature signal. The required number of steam dump valves can be tripped qu ickly to stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load. 7.7.2.6 Turbine-Generator Trip with Reactor Trip Whenever the turbine-generator unit trips at an operating power level above the P-9 setpoint, the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature signif icantly greater than the equivalent saturation pressure of the steam generator safety valve setpoint. The thermal capacity of the Reactor Coolant System is greater than that of the secondary system, and because the full load average temperature is greater than the no load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the comb ination of controlled release of steam to the condenser and by makeup of feedwater to the steam generators. The Steam Dump System is controlled from the reactor coolant average temperature signal whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent actuati on of the steam generator safety valves. With the dump valves open, the average coolant temperature starts to reduce quickly to the no load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.

The feedwater flow is cut off following reactor trip when the average coolant temperature decreases below a given temperature or when the steam generator water level reaches a given high level. Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected) which controls the amount of steam flow to the condensers. This contro ller operates a portion of the same steam dump valves to the condenser s which are used during the initial transient following turbine and reactor trip.

S EABROOK STATION UFSAR INSTRUMENTATION AND C ONTROLS Control Systems Not Required for Safety Revision 14 Section 7.7 Page 28 The pressurizer pressure and level fall rapidly during the transient because of coolant contraction. The pressurizer water level is programmed so that the level following the turbine and reactor trip is above the heaters. However, if the heaters become uncovered following the trip, they are turned off and the Chemical and Volume Control System will provide full charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal. The Steam Dump and Feedwater Control Systems are designed to prevent the average coolant temperature from falling below the programmed no-load temperature following the trip to ensure adequate reactivity shutdown margin.

7.7.3 References

1. Lipchak, J.B. and Stokes, R.A., "Nuclear Instrumentation System," WCAP-8255, January 1974 (for background information only). 2. Gorski, Joseph P., "Seabrook Station Un it 1 Fixed Incore Detector System Analysis," YAEC-1855PA, October 1992. 3. Shopsky, W.E., "Failure Mode and Effects Analysis (FMEA) of the Solid State Full Length Rod Control System," WCAP-8976. 4. Gorski, Joseph P., "Seabrook Station Fixed Incore Detector System Extended Operation," YAEC 1931, February 1996.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-1 APPENDIX 7A DEVIATIONS AND JUSTIFICATIONS List Of Deviations And Variables Deviation Number Variable Page 1 Steam Generator Pressure 7A-3 2 Pressurizer Level 7A-4 3 RWST Level 7A-5 4 Containment Hydrogen Concentration 7A-6 5 RCS Soluble Boron Concentration 7A-7 6 RCS Hot Leg Water Temperature 7A-8 7 RCS Cold Leg Water Temperature 7A-9 8 Radiation Level in Circulating Primary Coolant 7A-10 9 Effluent Radioactivity - Noble Gases (Inside buildings or areas where penetrations or hatches are located) 7A-11 10 Accumulator Tank Level 7A-12 11 Accumulator Tank Pressure 7A-13 12 Pressurizer Relief Tank Temperature (Quench Tank) 7A-14 13 Containment Spray Flow 7A-15 14 Containment Atmosphere Temperature 7A-16 15 Containment Sump Water Temperature 7A-17 16 Makeup Flow-In 7A-18 17 Letdown Flow-Out 7A-19 18 Volume Control Tank Level 7A-20 19 Component Cooling Water Temperature 7A-21 Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-2 List Of Deviations And Variables Deviation Number Variable Page 20 High-Level Radioactive Liquid Tank Level 7A-22 21 Dissolved Oxygen in Primary Coolant (Grab Sample) 7A-23 22 RHR Heat Exchanger Outlet Temperature 7A-24 23 Containment Drainage Sump Water Level 7A-25 24 (Not Used) 7A-26 25 Heat Removal by the Containment Fan Heat Removal System 7A-27 26 Radioactive Gas Holdup Tank Pressure 7A-28 27 Boric Acid Charging Flow (Emergency Boration Flow) 7A-29 28 Wind Direction 7A-30 29 Wind Speed 7A-31 30 Control Room Temperature 7A-32 Deviations And Justifications Appendix 7A contains a listing of all Accident Monitoring Instrum entation (AMI) variables that have deviations from the design criteria stated in Subsection 7.5.4.4 or the recommendations in Regulatory Guide 1.97. The "Data Table" headings in Appendix 7A refer to Table 7.5-1 items. AMI variables not included in Appendix 7A have no deviations from the above criteria.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-3 Deviation No. 1 Variable Data Table Item No. Steam Generator Pressure A2, D18 Deviation From Regulatory Guide 1.97 Guidance The range deviates from the recommended range for Type D variable. Actual range is 0-1300 psig, versus 0-1425 psig recommended (based on 20 percent margin above lowest safety valve setpoint-1185 psig). Justification The range of the installed instruments extends beyond the lowest safety valve setting with a margin of approximately 10 percent. This range envelops the highest safety valve setting (1255 psig). Therefore, the existing range is adequate to monitor the expected steam generator

pressures. In addition to these instruments, nonqualified main steam pressure indication with a range of 0-1500 psig for each steam generator is available at the MCB. This envelops the recommended range of 0-1425 psig. The transmitters are MS-PT-3001, 3002, 3003, 3004.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-4 Deviation No. 2 Variable Data Table Item No. Pressurizer Level A5, D12 Deviation From Regulatory Guide 1.97 Guidance Actual range is 61.75"-581.25" above the bottom reference versus a recommended range from the bottom to the top. Justification This range covers from approximately 10 percent to 94 percent of the pressurizer volume and is sufficient for the required monitoring function.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-5 Deviation No. 3 Variable Data Table Item No. RWST Level A6 Deviation From Regulatory Guide 1.97 Guidance The actual range starts at 22,000 gallons versus the recommended range starting at the bottom of the tank. Justification The indicated range measures the usable volume of the RWST and is adequate for the required monitoring function.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-6 Deviation No. 4 Variable Data Table Item No. Containment Hydrogen Concentration C10 Deviation From Regulatory Guide 1.97 Guidance

1. Continuous indication is not provided since the hydrogen analyzer is normally isolated from the Containment. 2. Containment hydrogen concentration is classi fied as a Design Category 3 variable as opposed to Design Category 1 in Regulatory Guide 1.97. Justification
1. The hydrogen analyzer is normally in the "Standby" mode to preclude a long warm-up time. The analyzer can be operational within 30 minutes of the initiation of an SI signal. Since hydrogen buildup is a slow process and sufficient time is available to put the analyzer into operation, continuous indica tion is not required during power operation. 2. The Nuclear Regulatory Commission (NRC) is amending its regulations for combustible gas control systems. The revised regulatory requirements and guidance are addressed within the NRC Notice of Availability published on September 25, 2003 (68 FR 55416), Technical Specification Task Force (TSTF) Standard Technical Specification Change Traveler TSTF-447, "Elimination of Hydrogen Recombiners and Change to Hydrogen and Oxygen Monitors," and the documentation associated with the 10 CFR 50.44 rulemaking. The amended regulations concluded that the hydrogen release from a design basis LOCA is not risk significant and therefore the Regulatory Guide 1.97 design requirements for hydrogen monitoring can be relaxed from Category 1 to Category 3 as defined in Regulatory Guide 1.97.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-7 Deviation No. 5 Variable Data Table Item No. RCS Soluble Boron Concentration B3 Deviation From Regulatory Guide 1.97 Guidance This variable is not considered AMI. Justification Under accident conditions, determination of boron concentration will be made by analysis of samples obtained via the post-accident sample panel. Analysis capability is available to envelop the recommended range of 0-6000 ppm boron. The Seabrook-specific ERPs do not require that the operating crew monitor this variable with online instrumentation; therefore, it is not

considered AMI.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-8 Deviation No. 6 Variable Data Table Item No. RCS Hot Leg Water Temperature B5 Deviations From Regulator Guide 1.97 Guidance All four channels (indication and recording) are powered from the same power supply. Justification The hot leg RTDs provide the primary temperature measurement for each hot leg. Diverse measurement is provided by the core exit thermocouples. The core exit thermocouples are

redundant, thereby assuring the availability of this indication in the event UPS-I-1A is lost.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-9 Deviation No. 7 Variable Data Table Item No. RCS Cold Leg Water Temperature B4, B6 Deviation From Regulatory Guide 1.97 Guidance All channels (indication and recording) are powered from the same power supply. Justification The cold leg RTDs provide the primary temperature measurement for each cold leg. Diverse measurement is provided by the steam generator pressure channels. The Westinghouse Nuclear Steam Supply System is designed so that the cold leg temperature approximates the saturation temperature corresponding to secondary pressure. It has been confirmed that there would be only a small variance between the actual cold leg temperature and the saturation temperature corresponding to steamline pressure during cooldown to cold shutdown.

1 This correlation has been verified during actual plant operations. The steam generator pressure channels (Item No. A2) are redundant, thereby assuring the availability of this indication in the event power to the cold leg RTDs is lost.

1. Letter from J. J. Sheppard, Westinghouse Owner's Group to D. G. Eisenhut, U.S. Nuclear Regulatory Commission, OG-94 (revised), dated June 14, 1983.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-10 Deviation No. 8 Variable Data Table Item No. Radiation Level in Circulating Primary Coolant C2 Deviation From Regulatory Guide 1.97 Guidance This variable is not considered AMI. Justification The post-accident sampling system and analysis will be used to obtain measurements of the radiation levels in the primary coolant loops to satisfy ERP requirements. The Seabrook-specific ERPs do not require that the operating crew monitor this variable with online instrumentation;

therefore, it is not considered AMI.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-11 Deviation No. 9 Variable Data Table Item No. Effluent Radioactivity - Noble Gases (Inside buildings or areas where penetrations or hatches are located)

C13 Deviation From Regulatory Guide 1.97 Guidance The installed range, 10 1 to 10 6 CPM (corresponding to 6x10

-4 to 10 1 Ci/cc), does not envelope the recommended range (10

-6 to 10 3 Ci/cc). This variable is classified as Design Category 3 instead of Design Category 2 as recommended in Regulatory Guide 1.97.

Justification The containment structure and all penetration/hatch areas are surrounded by the Containment Enclosure Building. The exhaust from the Containment Enclosure Building is monitored for gross activity. The Containment Enclosure Building exhaust is routed to the main plant vent stack, where it is monitored (10 10 5 Ci/cc) prior to discharge. The Main Plant Vent Stack Monitor (Table 7.5-1, Item E7) monitors all releases to the atmosphere that may result from design basis accident events. The Containment Enclosure

Monitor is a backup to the Main Plant Vent Stack Monitor to assist the operators in identifying the source of the release. Both the Main Plant Vent Stack Monitor and the Containment Enclosure Monitor provide indication of containment breach, which is the purpose, identified in

Regulatory Guide 1.97. Backup Type C variable s are considered to be Design Category 3.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-12 Deviation No. 10 Variable Data Table Item No. Accumulator Tank Level D3 Deviation From Regulatory Guide 1.97 Guidance This variable is not considered AMI. Justification The primary function of these indications is to assure adequate volume in the accumulators prior to any transient requiring injection. This indication, in conjunction with accumulator tank pressure and outlet isolation valve position indication, will ensure that these accumulators are capable of performing their safety function which is to inject water into the cold legs upon major depressurization of the RCS. Assuming that the isolation valves are open, there is no action that the operating crew can take in an accident situation if these accumulators do not perform their intended safety function.

Therefore, this instrumentation does not have to be designed for accident-monitoring service. The only operator action relative to the accumulators in an accident situation is to isolate them. The instrumentation used to make this determination is RCS hot leg temperature and RCS subcooling. If RCS subcooling is greater than 80F and RCS hot leg temperature is less than

400F, then the operator is directed to isolate the accumulator. This action occurs whether or not the accumulator has discharged. The successful completion of this step requires monitoring the

position of the isolation valves. If an isolation valve fails to fully close, then the operator is directed to vent the unisolated accumulator by opening the vent valves. An open vent valve is sufficient to determine successful completion of this step. The Seabrook-specific ERPs do not require that the operating crew monitor accumulator level in an emergency; therefore, it is not considered AMI.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-13 Deviation No. 11 Variable Data Table Item No. Accumulator Tank Pressure D4 Deviation From Regulatory Guide 1.97 Guidance The accumulator tank pressure range deviates from the recommended range of 0 to 750 psig. Justification The actual range of 0 to 700 psig is adequate to monitor the expected values of accumulator pressure. At the maximum allowable value, the indicator reading will be slightly less than

95 percent of full scale.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-14 Deviation No. 12 Variable Data Table Item No. Pressurizer Relief Tank (Quench Tank) Temperature D15 Deviation From Regulatory Guide 1.97 Guidance The actual range (50-350F) deviates from the recommended range (50-750 F). Position This range adequately monitors the maximum Pressurizer Relief Tank (PRT) saturation temperature (338 F at the rupture disk pressure of 100 psig) during any accident that lifts the pressurizer relief valves.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-15 Deviation No. 13 Variable Data Table Item No. Containment Spray Flow D23 (a) Containment Spray Pump Suction Pressure (b) Containment Spray Pump Discharge Pressure Deviation From Regulatory Guide 1.97 Guidance A direct indication of containm ent spray flow is not provided. Justification Containment spray pump head can be determined from the containment spray pump suction and discharge pressure indications provided side by side on the MCB. The operating crews are trained in the use of this instrumentation to verify proper operation of the Containment Spray System. Quantitative determination of flow is not required to support the Seabrook-specific

ERPs.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-16 Deviation No. 14 Variable Data Table Item No. Containment Atmosphere Temperature D25 Deviation From Regulatory Guide 1.97 Guidance The range of the Containment Air Temperature Monitoring System is 50ºF to 420ºF versus the recommended range of 40ºF to 400ºF. Justification The minimum containment air temperature will be greater than 50F when this instrumentation is required to function (during and/or after an accident). Therefore, the range of this instrumentation is adequate for its intended monitoring function.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-17 Deviation No. 15 Variable Data Table Item No. Containment Sump Water Temperature D26 Deviation From Regulatory Guide 1.97 Guidance Containment sump water temperature is monitored at the inlet to the containment spray heat exchanger. Justification The net positive suction head (NPSH) calculations for the Containment Building Spray (CBS) and Residual Heat Removal (RHR) pumps assume saturation conditions in the containment sump (Seabrook UFSAR, Subsection 6.2.2.2 and 6.3.2.2). Saturation conditions result in the maximum possible sump temperature. There is no containment sump water temperature limit for RHR or CBS pump starting or operation; therefore, the temperature sensor for monitoring system performance can be located outside of the containment. The instrument located on the containment spray piping at the inlet to each CBS pump (which is located upstream of the heat exchanger) is not required for emergency response. Its function is to provide the temperature required for containment energy balance calculations and for monitoring containment spray heat exchanger performance.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-18 Deviation No. 16 Variable Data Table Item No. Makeup Flow-In D27 Deviation From Regulator Guide 1.97 Guidance Makeup flow-in is classified as a Design Category 3 variable as opposed to Design Category 2 in Regulatory Guide 1.97. Justification Normal charging and letdown is not required in the mitigation of design basis accidents. It is classified as a nonsafety system and is used to assist in recovery if it can be placed in service.

Therefore, the monitoring of charging fl ow is classified as Design Category 3.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-19 Deviation No. 17 Variable Data Table Item No. Letdown Flow-Out D28 Deviation From Regulatory Guide 1.97 Guidance "Letdown flow-out" is classified as a Desi gn Category 3 variable as opposed to Design Category 2 in Regulatory Guide 1.97. Justification Normal charging and letdown is not required in the mitigation of design basis accidents. It is classified as a nonsafety system and is used to assist in recovery if it can be placed in service.

Therefore, the monitoring of letdown fl ow is classified as Design Category 3.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-20 Deviation No. 18 Variable Data Table Item No. Volume Control Tank Level D29 Deviation From Regulatory Guide 1.97 Guidance

1. Volume control tank level is classified as a Design Category 3 variable as opposed to Design Category 2 in Regulatory Guide 1.97. 2. The range of this measurement is 0 inches - 80 inches versus a recommended range of top to bottom (141 inches total). Justification
1. Normal charging and letdown are not required in the mitigation of design basis accidents. If charging and letdown can be re-established, then they will be used to assist in the recovery. Therefore, the volume control tank level is not required for accident-monitoring service. It will be used only if charging and letdown are re-established. Therefore, the monitoring of Volume Control Tank Level is

classified as Design Category 3. 2. The level channel monitors the straight shell portion of the tank only. The hemispherical heads are not monitored, since the volume to level ratio is not linear. The range of this channel is acceptable for the intended monitoring

functions.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-21 Deviation No. 19 Variable Data Table Item No. Component Cooling Water Temperature D30 Deviation From Regulatory Guide 1.97 Guidance The actual range (0 F-175F) deviates from the recommended range (40 F-200 F). Justification The maximum design temperature for component cooling water under accident conditions is 120F. The actual range envelops this temperature with substantial margin. Therefore, this instrumentation is adequate for the required monitoring function.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-22 Deviation No. 20 Variable Data Table Item No. High-Level Radioactive Liquid Tank Level D33 Deviation From Regulatory Guide 1.97 Guidance The range of this measurement is (0-14 feet) versus a recommended range of top to bottom of the tank (18 feet total). Justification The range covers the top 14 feet of these tanks. The bottom section of the tank is hemispherical. The volume-to-level ratio is not linear in this region; therefore, is not in the span of the instrument. The range is acceptable for the intended monitoring function.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-23 Deviation No. 21 Variable Data Table Item No. Dissolved Oxygen in Primary Coolant (Grab Sample)

E18 Deviation From Regulatory Guide 1.97 Guidance The 0 2 concentration in the Primary Coolant System is not analyzed. Justification NUREG-0737, Item II.B.3, Criterion (4) states that measuring 0 2 concentration is recommended but not mandatory. In NHY letter from J. DeVincentis to G. W. Knighton, SBN-648, dated April 16, 1984, the clarification on Criterion (4) pr ovided by the NRC staff to NHY was restated as follows: NRC Criterion (4) Clarification The determination of dissolved oxygen can be satisfied by analyzing a post-accident gas sample from the Reactor Coolant System for dissolved hydrogen. If the reactor coolant dissolved

hydrogen concentration is greater than 10 cc/kg, the NRC considers the dissolved oxygen level

to be less than 100 ppb. If the post-accident dissolved hydrogen level is less than 10 cc/kg, the NRC will require NHY to provide justification that no damage to plant systems has occurred prior to plant startup, but considers the analysis requirement for oxygen satisfied. The NHY

response was as follows:

NHY Response The amount of dissolved gases in the reactor coolant will be determined by extracting a gaseous sample from the post-accident sampling panel using a shielded syringe if necessary. This sample will be analyzed for hydrogen and gamma spectrum only. This has been accepted in the Safety Evaluation Report, Supplement 3, Section 9.3.4.3.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-24 Deviation No. 22 Variable Data Table Item No. RHR Heat Exchanger Outlet Temperature D2 Deviation From Regulatory Guide 1.97 Guidance The lower end of the temperature range extends down to 50F as opposed to a recommended lower end of 40 F. Justification The RHR heat exchangers are cooled by the Component Cooling Water System. The normal operating temperature is 85F, automatic temperature control is provided by a safety-related temperature control loop. VAS alarms are provided should the temperature of the component cooling water drop below 65F. This allows sufficient time for corrective action before the component cooling water temperature drops to 60F, which is the minimum temperature for this system. Thus, the installed range is adequate since it will remain on-scale at all times.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-25 Deviation No. 23 Variable Data Table Item No. Containment Drainage Sump Water Level B12A Deviation From Regulatory Guide 1.97 Guidance This variable is not considered AMI. Justification Containment drainage sump water level instrumentation is provided that meets the guidance in Regulatory Guide 1.45, Reactor Coolant Pressure Boundary Leakage Detection System and NUREG-0737, Item II.F.l. The purpose of these instruments is to detect abnormal leakage into the Containment when the leakage rate is insufficient to actuate the Engineered Safety Features (Condition II events). The Seabrook-specific ERPs do not require that the operating crew monitor this variable during a design basis accident event; therefore, it is not considered AMI.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-26 Deviation No. 24:

Not used.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-27 Deviation No. 25 Variable Data Table Item No. Heat Removal by the Containment Fan Heat Removal System D24 Deviation From Regulatory Guide 1.97 Guidance This variable is not considered AMI. Justification Operation of the containment fan/coolers is not required for the mitigation of design basis accident events. The Seabrook-specific ERPs do not require that the operating crew monitor this variable in an emergency; therefore, it is not considered AMI.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-28 Deviation No. 26 Variable Data Table Item No. Radioactive Gas Holdup Tank Pressure D34 Deviation From Regulatory Guide 1.97 Guidance This variable is not considered AMI. Justification Holdup of radioactive gas for decay is provided by carbon delay beds instead of pressurized storage tanks. Therefore, this variable is not applicable.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-29 Deviation No. 27 Variable Data Table Item No. Boric Acid Charging Flow (Emergency Boration Flow)

D6 Deviation From Regulatory Guide 1.97 Guidance Boric acid charging flow is classified as a Design Category 3 variable as opposed to Design Category 2 in Regulatory Guide 1.97. Justification Emergency boration is not required in the mitigation of design basis accidents. The RWST provides the required volume of borated water for all design basis accidents. Emergency boration may be used to assist in the recovery, if available. Therefore, the monitoring of emergency boration flow is classified as Design Category 3.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-30 Deviation No. 28 Variable Data Table Item No. Wind Direction E15 Deviation From Regulatory Guide 1.97 Guidance The primary tower wind direction sensors meet: (i) the recommended damping ratio of greater than or equal to 0.4, and (ii) the recommended delay distance of less than or equal to 2 meters.

The overall monitoring system does not meet the above requirements due to an electronic filter with a time constant of approximately 3 seconds on the sensor output. Justification Damping ratio and delay distance characterize the system's response to sudden changes in the wind. These system characteristics are important when attempting to characterize atmospheric

turbulence (stability) as a function of fluctuations in the wind. However, Seabrook Station dose assessment techniques characterize atmospheric stability as a function of lapse rate (vertical temperature difference, Item No. E17). The wind direction monitoring system is only utilized to derive average wind direction values for dose assessment purposes and the system's damping

ratio and delay distance do not significantly affect these values.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-31 Deviation No. 29 Variable Data Table Item No. Wind Speed E16 Deviation From Regulatory Guide 1.97 Guidance The primary tower wind speed sensors meet the recommended distance constant of less than or equal to 2 meters. The overall monitoring system does not meet the above requirement due to an electronic filter with a time constant of approximately 3 seconds on the sensor output. Justification The distance constant characterizes the system's response to sudden changes in the wind. This system characteristic is important when attempting to characterize atmospheric turbulence (stability) as a function of fluctuations in the wind. However, Seabrook Station dose assessment techniques characterize atmospheric stability as a function of lapse rate (vertical temperature difference, Item No. E17). The wind speed monitoring system is only utilized to derive average wind speed values and the system's distance constant does not significantly affect these values.

Seabrook Station I NSTRUMENTATION AND C ONTROLS Deviations Of AMI Variables From Reg. Guide 1.97/UFSAR Subsection 7.5.4.4 Design Criteria Regulatory Guide 1.97, Revision 3 Review Revision 10 Appendix 7A Page 7A-32 Deviation No. 30 Variable Data Table Item No. Control Room Temperature A9, D35j Deviation From Regulatory Guide 1.97 Guidance A deviation is taken to the requirement to provide Design Category 1, Type A AMI for this variable. Justification Pre-planned manual operator actions are assumed to maintain control room cooling capability on failure in the safety or non-safety related control room cooling subsystem. Since manual actions are required, control room temperature would be classified as Type A, Design Category 1 variable to comply with the requirements of Regulatory Position C.1.2 of Regulatory Guide 1.97. The basis for this deviation credits the operating crew's awareness of the control room environment and indication of control room cooling system performance via Design Category 3, Type D indicator CBA-TI-8617. Since the control room is continuously manned, high temperature conditions will be detected by the operating crew as a change in control room comfort level. Control room temperature conditions would then be confirmed using indicator CBA-TI-8617 with the necessary manual actions initiated to start the redundant safety related cooling system if necessary. Since credit can be taken for operator awareness of the environmental conditions in the control room, deviation from Regulatory Guide 1.97 guidance is acceptable for this variable.

S EABROOK S TATION U PDATED F INAL S AFETY A NALYSIS R EPORT C HAPTER 7 INSTRUMENTATION AND CONTROLS T ABLES S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.1-1 Revision:

Sheet: 8 1 of 7 TABLE 7.1-1 LISTING OF APPLICABLE CRITERIA Criteria Title Conformance Discussed In

1. General Design Criteria (GDC), Appendix A to 10 CFR Part 50 GDC 1 Quality Standards and Records 3.1, 7.2.2.2 GDC 2 Design Bases for Protection Against Natural Phenomena 3.1, 7.2.1.1k, 7.2.1.2e GDC 3 Fire Protection 3.1, 7.1.2.2c GDC 4 Environmental and Missile Design Bases 3.1, 7.2.2.2 GDC 5 Sharing of Structures, Systems, and Components 3.1 GDC 10 Reactor Design 3.1, 7.2.2.2 GDC 12 Suppression of Reactor Power Oscillations 3.1 GDC 13 Instrumentation and Control 3.1, 7.3.1, 7.3.2, 7.4, 7.7.2 GDC 15 Reactor Coolant System Design 3.1, 7.2.2.2 GDC 17 Electric Power Systems 3.1, 8.3.1 GDC 19 Control Room 3.1, 7.4 GDC 20 Protection System Functions 3.1, 7.2.2.2, 7.3.1, 7.3.2 GDC 21 Protection System Reliability and Testability 3.1, 7.2.2.2, 7.3.1, 7.3.2 GDC 22 Protection System Independence 3.1, 7.1.2.2, 7.2.2.2, 7.3.1, 7.3.2 GDC 23 Protection System Failure Modes 3.1, 7.2.2.2, 7.3.1, 7.3.2, 7.7.2.2 GDC 24 Separation of Protection and Control Systems 3.1, 7.2.2.2, 7.3.1, 7.3.2,7.7.2.1 GDC 25 Protection System Requirements for Reactivity Control Malfunctions 3.1, 7.7.2.2 GDC 26 Reactivity Control System Redundancy and Capability 3.1 GDC 27 Combined Reactivity Control Systems Capability 3.1 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.1-1 Revision:

Sheet: 8 2 of 7 Criteria Title Conformance Discussed In GDC 28 Reactivity Limits 3.1 GDC 29 Protection Against Anticipated Operational Occurrences 3.1, 7.2.2.2 GDC 33 Reactor Coolant Makeup 3.1 GDC 34 Residual Heat Removal 3.1, 7.4 GDC 35 Emergency Core Cooling 3.1, 7.3.1, 7.3.2, 7.4 GDC 37 Testing of Emergency Core Cooling System 3.1, 7.3.2 GDC 38 Containment Heat Removal 3.1, 7.3.1, 7.3.2, 7.4 GDC 40 Testing of Containment Heat Removal System 3.1, 7.3.2 GDC 41 Containment Atmosphere Cleanup 3.1, 6.5.1 GDC 43 Testing of Containment Atmosphere Cleanup Systems 3.1, 7.3.2 GDC 44 Cooling Water 3.1 GDC 46 Testing of Cooling Water System 3.1, 7.3.2 GDC 50 Containment Design Basis 3.1 GDC 54 Piping Systems Penetrating Containment 3.1 GDC 55 Reactor Coolant Pressure B oundary Penetrating Containment 3.1 GDC 56 Primary Containment Isolation 3.1, 7.3.1.1 GDC 57 Closed Systems Isolation Valves 3.1 2. Institute of Electrical and Elect ronics Engineers (IEEE) Standards:

IEEE Std 279-1971 (ANSI N42.7-1972) Criteria for Protection Systems for Nuclear Power Generating Stations 7.1, 7.2, 7.3, 7.6, 7.4 IEEE Std 308-1974 Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations 8.1, 8.3 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.1-1 Revision:

Sheet: 8 3 of 7 Criteria Title Conformance Discussed In IEEE Std 317-1972 Electric Penetration Assemblies in Containmen t Structures for Nuclear Power Generating Stations 8.1, 7.1.2.9 IEEE Std 323-1974 IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations 3.11, 1.8, (RG 1.89) IEEE Std 334-1971 Type Tests of Continuous-Duty Class I Moto rs Installed Inside the Containment of Nuclear Power Generating Stations 1.8, (RG 1.40)

IEEE Std 336-1971 (ANSI N45.2.4-1972) Installation, Inspection and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations 7.1.2.10 IEEE Std 338-1975 Criteria for the Periodic Tes ting of Nuclear Powe r Generating Station Protection Systems 7.1.2.11 IEEE Std 344-1975 (ANSI N41.7) Guide for Seismic Qualification of Class I Electrical Equipment for Nuclear Power Generating Stations 3.10 IEEE Std 379-1972 (ANSI N41.2) Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems 7.1.2.7 IEEE Std 381-1977 Type Tests of Class IE M odules Used in Nuclear Power Generating Stations 3.11 IEEE Std 382-1972 Type Test of Cla ss I Electric Valve Operators 3.11 IEEE Std 383-1974 Standard for Type Test of Class IE Electroni c Cables, Field Splices and Connections for Nuclear Power Generating Stations 3.11 IEEE Std 384-1974 (ANSI N41.14) Criteria for Separation of Class IE Equipment and Circuits 7.1.2.2a IEEE Std 420-1973 Trial Use Guide for Class IE Control Switchboards for Nuclear Power Generating Stations 7.1.2.2b S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.1-1 Revision:

Sheet: 8 4 of 7 Criteria Title Conformance Discussed In

3. Regulatory Guides (RG)

RG 1.6 Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution System 8.3 RG 1.7 Control of Combustible Gas Concentrations in Containment Following a Loss-of-Coolant Accident 1.8 RG 1.11 Instrument Lines Penetrating Primary Reactor Containment 1.8, 6.2.4.1d, 6.2.4.2m, 7.3.1.1b, 7.1.2.2a RG 1.12 Instrumentation for Earthquakes 1.8 RG 1.22 Periodic Testing of Protection System Actuation Functions 1.8, 7.1.2.5, 7.3.2.2e, 7.4 RG 1.29 Seismic Design Classification 1.8 RG 1.30 Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment 1.8, Chapter 17 RG 1.32 Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants 1.8, 8.1 RG 1.40 Qualification Tests of Continuous Duty Motors Installed Inside the Containment of Water Cool ed Nuclear Power Plants 1.8, 3.1 RG 1.45 Reactor Coolant Pressure B oundary Leakage Detection Systems 1.8 RG 1.47 Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems 1.8, 7.1.2.6, 7.4 RG 1.53 Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems 7.1.2.7, 1.8, 7.4 RG 1.62 Manual Initiation of Protection Actions 1.8, 7.3.2.2g, 7.2, 7.4, 7.6 RG 1.63 Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants 1.8, 8.1 RG 1.67 Installation of Overpressure Protection Devices 1.8 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.1-1 Revision:

Sheet: 8 5 of 7 Criteria Title Conformance Discussed In RG 1.68 Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors 1.8, 14.2.6, 7.4 RG 1.70 Standard Format and Content in Safety Analysis Reports for Nuclear Power Plants, Rev. 3.

1.8 RG 1.73 Qualification Test of Electric Valve Operators Installed Inside the Containment 1.8, 8.1 RG 1.75 Physical Independence of Electric Systems 1.8, 7.1.2.2a, 8.1, 7.4 RG 1.78 Assumptions for Evaluating the Habitability of a Nuclear Power Plant Control Room during a Postulated Hazardous Chemical Release 1.8 RG 1.80 Preoperational Testing of Instrument Air 1.8 RG 1.89 Qualification of Class IE Equipment for Nuclear Power Plants 1.8, 3.11 RG 1.95 Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release 1.8 RG 1.96 Design of Main Steam Isolation Valve Leakage Control System for Boiling Water Reactor Nuclear Power Plants Not Applicable RG 1.97 Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident 1.8, 7.5 RG 1.100 Seismic Qualification of Electric Equipment for Nuclear Power Plants 1.8, 3.10 RG 1.105 Instrument Spans and Setpoints 1.8, 7.1.2.1 RG 1.106 Thermal Overload Protection for Electric Motors on Motor-Operated Valves 1.8, 8.1 RG 1.108 Periodic Testing of Diesel Generators Used as Onsite Electric Power System t Nuclear Power Plants 1.8, 8.1 RG 1.118 Periodic Testing of Electric Power and Protection Systems 1.8, 7.1.2.1 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.1-1 Revision:

Sheet: 8 6 of 7 Criteria Title Conformance Discussed In RG 1.120 Fire Protection Guidelines for Nuclear Power Plants 1.8 RG 1.141 Containment Isolation Provisions for Fluid Systems 1.8, 6.2.4.1d, 6.2.4.2m, ,.1.2.2a, 7.3.1.1b RG 1.151 Instrument Sensing Lines 1.8, 3.2.2.2, 7.1.2.2, 7.1.2.3, 7.1.2.12, 7.7 4. Branch Technical Positions (BTP) EICSB BTP EICSB 1 Backfitting of the Protection and Emergency Power Systems of Nuclear 7.0, 8.0 BTP EICSB 3 Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System 7.6.2 BTP EICSB 4 Requirements on Motor-Operated Valves in the ECCS Accumulator Lines 7.6.4 BTP EICSB 5 Scram Breaker Test Requirements -Technical Specifications 7.2.2.2c (Item 10),NUREG 1386 (Technical Specifications Seabrook Station, Unit 1) BTP EICSB 9 Definition and Use of "Channel Calibration" - Technical Specifications NUREG 1386 (Technical Specifications Seabrook Station, Unit 1) BTP EICSB 10 Electrical and Mechanical Equipment Seismic Qualification Program 3.10 BTP EICSB 12 Protection System Trip Poin t changes for Operation with Reactor Coolant Pumps Out of Service 7.2.2.2a NUREG 1386 (Technical Specifications Seabrook Station, Unit 1) BTP EICSB 13 Design Criteria for Auxiliary Feedwater Systems 7.3.2.3 BTP EICSB 14 Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors 7.7.2.2, 15.2.1, 15.2.2, 15.3.6 BTP EICSB 15 Reactor Coolant Pump Breaker Qualification 3.10, 7.1.2.5, 7.2.1.1b BTP EICSB 16 Control Element Assembly (CEA) Interlocks in Combustion Engineering Reactors Not Applicable S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.1-1 Revision:

Sheet: 8 7 of 7 Criteria Title Conformance Discussed In BTP EICSB 18 Application of the Single Failure Criteria to Manually-Controlled Electrically-Operated Valves 7.6.9 BTP EICSB 19 Acceptability of Design Cr iteria for Hydrogen Mixing and Drywell Vacuum Relief Systems Not Applicable BTP EICSB 20 Design of Instrumentation and Controls Provided to Accomplish Changeover from Injection to Recirculation Mode 7.6.5, 6.3.2.2b, 6.3-7 BTP EICSB 21 Guidance for Application of Reg. Guide 1.47 7.1.2.6 BTP EICSB 22 Guidance for Application of Reg. Guide 1.22 7.1.2.5 BTP EICSB 23 Qualification of Safety-Related Display Instrumentation for Post-Accident Condition Monitoring and Safe Shutdown 7.5 BTP EICSB 24 Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor Response Times 7.1.2.11 BTP EICSB 25 Guidance for the Interpretation of General Design Criterion 37 for Testing the Operability of the Emergency Core Cooling System as a Whole 3.1 BTP EICSB 26 Requirements for Reactor Protection System Anticipatory Trips 7.2.1.1b BTP EICSB 27 Design Criteria for Thermal Overload Protection for Motors of Motor-Operated Valves 8.3.1 5. Federal Regulations 10 CFR 50.62 Requirements for Reduction of Risk From Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power

Plants 7.6.12 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-1 Revision:

Sheet: 9 1 of 2 TABLE 7.2-1 LIST OF REACTOR TRIPS Reactor Trip Coincidence Logic Interlocks Comments 1. High neutron flux (Power Range) 2/4 Manual block of low setting permitted by P-10 High and low setting; manual block and automatic reset of low setting by P10 2. Intermediate range neutron flux 1/2 Manual block permitted by P-10 Manual block and automatic reset 3. Source range neutron flux 1/2 Manual block permitted by P-6, interlocked with

P-10 Manual block and automatic reset.

Automatic block above P-10 4. Power range high positive neutron flux rate 2/4 No interlocks

5. Deleted
6. Overtemperature T (Lead/lag compensated) 2/4 No interlocks
7. Overpower T (Lead/lag compensated) 2/4 No interlocks 8. Pressurizer low pressure (Lead/lag compensated) 2/4 Interlocked with P-7 Blocked below P-7 9. Pressurizer high pressure 2/4 No interlocks 10. Pressurizer high water level 2/3 Interlocked with P-7 Blocked below P-7 2/3 in any loop Interlocked with P-8 Low flow in one loop will cause a reactor trip when above P-8 11. Low reactor cool ant flow 2/3 in any loop Interlocked with P-7 Low flow in two loops will cause a

reactor trip when above P-7.

Blocked below P-7. 12. Reactor coolant pump undervoltage 1/2 on both buses Interlocked with P-7 Low voltage on 1/2 pump motors on both

buses will cause a reactor trip.

Reactor trip blocked below P-7. 13. Reactor coolant pump under- frequency 1/2 on both Interlocked with P-7 Underfrequency on 1/2 pump motors on

both buses will trip all reactor coolant pump breakers and cause reactor trip; reactor trip blocked below P-7. 14. Low-low steam generator water level 2/4 in any loop No interlocks

15. Safety injection signal None No interloc ks (See Section 7.3 for Engineered Safety Features actuation conditions) 16. Turbine trip (Anticipatory) a) Low trip fluid pressure 2/3 Interlocked with P-9 Blocked below P-9 b) Turbine stop valve close 4/4 Interlocked with P-9 Blocked below P-9 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-1 Revision:

Sheet: 9 2 of 2 Reactor Trip Coincidence Logic Interlocks Comments 17. Manual 1/2 No interlock 18. General Warning 2/2 No interlock Ge neral warning alarm on both trains of the Solid-State Protection System at the same time will cause a reactor trip.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-2 Revision:

Sheet: 8 1 of 1 TABLE 7.2-2 I POWER ESCALATION PERMISSIVES Designation Derivation Function II Power Escalation Permissives P-6 Presence of P-6: 1/2 neutron flux (intermediate range) above setpoint Absence of P-6: 2/2 neutron flux (intermediate range) below setpoint Allows manual block of source range reactor trip

Defeats the block of source range reactor trip Presence of P-10: 2/4 neutron flux (power range) above set point Allows manual block of power range (low

setpoint) reactor trip Allows manual block of inter-mediate range reactor trip and intermediate range rod stops (C-1)

Blocks source range reactor trip P-10 Absence of P-10: 3/4 neutron flux (power range) below set point Input to P-7 Defeats the block of power range (low setpoint)

reactor trip Defeats the block of inter-mediate range reactor trip and intermediate range rod stops (C-1)

II Blocks Of Reactor Trips P-7 Absence of P-7: 3/4 neutron flux (power range) below set point (from P-10) and 2/2 turbine impulse chamber pressure below setpoint (from P-13)

Blocks reactor trip on:

Low reactor coolant flow in more than one loop, undervoltage, underfrequency, pressurizer low pressure, and pressurizer high level P-8 Absence of P-8: 3/4 neutron flux (power range) below setpoint Blocks reactor trip on low reactor coolant flow in a single loop P-9 Absence of P-9: 3/4 neutron flux (power range) below setpoint Blocks reactor trip on turbine trip Presence of P-11: 2/3 pressurizer pressure below setpoint Allows manual block of safety injection and steam line isolation actuation on low pressurizer pressure signal. With this manual block active, steamline isolation on high rate of decrease in steamline pressure is allowed.

P-11 Absence of P-11: 2/3 pressurizer pressure above setpoint Defeats manual block of safety safety injection and steamline isolation on low pressurizer

pressure.

Defeats steamline isolation actuation on high rate of decrease in steamline pressure.

Defeats (opens) all accumulator isolation valves. P-13 Absence of P-13: 2/2 turbine impulse chamber pressure below setpoint Input to P-7

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-3 Revision:

Sheet: 10 1 of 2 TABLE 7.2-3 REACTOR TRIP SYSTEM INSTRUMENTATION Reactor Trip Signal Typical Range Typical Trip Accuracy Typical Time Response (sec)

1. Power range high neutron flux 1 to 120 percent full power +/-6.0 percent of span 0.5 2. Intermediate range high neutron flux 8 decades of neut ron flux overlapping source range by 2 decades

+/-9.8 percent of span +/-1 percent of span from 10

-4 to 50 percent full power (1) N/A 3. Source range high neutron flux 6 decades of neutron flux (1 to 10 6 counts/sec) +/-11.5 percent of span (1) N/A 4. Power range high positive neutron flux rate +15 percent of full power +/-1.4 percent of span (1) 0.65 5. Deleted

6. Overtemperature T: T H 530 to 650 F T C 510 to 630 F T AV 530 to 630 F P PRZR 1600 to 2500 psig F 1 (I) -60 to +60 T Setpoint 0 to 100 F +/-5.1 percent of span 6.0
7. Overpower T T H 530 to 650 F T C 510 to 630 F T AV 530 to 630 F T Setpoint 0 to 100 F F 2 (I) -60 to +60 +/-5.5 percent of span 6.0 8. Pressurizer low pressure 1600 to 2500 psig +/-2.14 percent of span (compensated signal) 2.0 (1) Reproducibility (see definitions in Section 7.1)

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-3 Revision:

Sheet: 10 2 of 2 Reactor Trip Signal Typical Range Typical Trip Accuracy Typical Time Response (sec)

9. Pressurizer high pressure 1600 to 2500 psig +/-2.14 percent of span (noncompensated signal) 2.0 10. Pressurizer high water level Entire cylindrical portion of pressurizer (distance between taps) +/-4.59 percent of span N/A 11. Low reactor coolant flow 0 to 120 percent rate d flow +/-2.6 percent of span within range of 70 percent to 100 percent of full flow (1) 1.0 12. Reactor coolant pump bus undervoltage 61 to 87 percent nominal bus voltage +/-10.5 percent of span 1.5 13. Reactor coolant pump underfrequency 44 to 61 Hz +/-1.0 percent of span 0.6 14. Low-low steam generator water level 0 - 100% N. R. Span +/-19.6 percent of span (2) 2.0 15. Turbine Trip 150 to 3000 psig +/-3.3 percent of span N/A (1) Reproducibility (see definitions in Section 7.1) (2) Bounding Uncertainty

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-4 Revision:

Sheet: 9 1 of 3 TABLE 7.2-4 REACTOR TRIP CORRELATION Trip (a) Accident (b) Tech Spec (c) 1. Power Range High Neutron Flux Trip (Low Setpoint) 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical Condition (15.4.1) 2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.2) 3. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.8) 2.2.1 Table 2.2-1 2. Power Range High Neutron Flux Trip (High Setpoint) 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical Condition (15.4.1) 2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) 3. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.2) 4. Excessive Load Increase Incident (15.1.3) 5. Accidental Depressurization of the Main Steam System (15.1.4) 6. Major Secondary System Pipe Ruptures (15.1.5)

7. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.8) 2.2.1 Table 2.2-1 3. Intermediate Range High Neutron Flux Trip 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical Condition (15.4.1)

See Note (d) 2.2.1 Table 2.2-1 4. Source Range High Neutron Flux Trip 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical Condition (15.4.1)

See Note (d) 2.2.1 Table 2.2-1 5. Power Range High Positive Neutron Flux Rate

Trip 1. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.8) 2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical Condition (15.4.1) 2.2.1 Table 2.2-1 6. Deleted

(a) Trips are listed in order of discussion in Section 7.2. (b) References refer to accident an alyses presented in Chapter 15. (c) References refer to Technical Specifications.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-4 Revision:

Sheet: 9 2 of 3 (d) A Technical Specification is not required because this trip is not assumed to function in the accident analyses. 7. Overtemperature T Trip 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) 2. Uncontrolled Boron Dilution (15.4.6) 3. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) 4. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.2) 5. Excessive Load Increase Incident (15.1.3)

6. Accidental Depressuriza tion of the Reactor Coolant System (15.6.1) 7. Accidental Depressurization of the Main Steam System (15.1.4) 8. Steam Generator Tube Rupture (15.6.3)
9. Feedwater System Pipe Break (15.2.8) 2.2.1 Table 2.2-1
8. Overpower T Trip 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) 2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.2) 3. Excessive Load Increase Incident (15.1.3)
4. Accidental Depressurization of the Main Steam System (15.1.4) 5. Major Secondary System Pipe Ruptures (15.1.5)
6. Rod Cluster Control Assembly Misoperation (15.4.3) 2.2.1 Table 2.2-1 9. Pressurizer Low Pressure Trip 1. Accidental Depressuriza tion of the Reactor Coolant System (15.6.1) 2. Loss-of-Coolant Accidents Resulting from a Spectrum of Postulated Piping Breaks w ithin the Reactor Coolant Pressure Boundary (15.6.5) 3. Major Reactor Coolant System Pipe Ruptures (LOCA)

(15.6.5) 4. Steam Generator Tube Rupture (15.6.3)

5. Inadvertent Operation of Emergency Core Cooling System during Power Operation (15.5.1) 2.2.1 Table 2.2-1 10. Pressurizer High Pressure Trip 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) 2. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) 3. Feedwater System Pipe Break (15.2.8) 2.2.1 Table 2.2-1 11. Pressurizer High Water Level Trip 1. Uncontrolled Rod Cluster Control Assembly Bank at Power (15.4.2) 2. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) 2.2.1 Table 2.2-1 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.2-4 Revision:

Sheet: 9 3 of 3 12. Low Reactor Coolant Flow 1. Partial Loss of Forced R eactor Coolant Flow (15.3.1) 2. Loss of Offsite Power to the Station Auxiliaries (Station Blackout) (15.2.6) 3. Complete Loss of Forced R eactor Coolant Flow (15.3.2) 4. Reactor Coolant Pump Shaft Seizure, (Locked Rotor)

(15.3.3) 5. Reactor Coolant Pump Shaft Seizure (Locked Rotor) Followed by Loss of Offsite Power (15.3.4) 6. Startup of an Inactive Reactor Coolant Pump at an Incorrect Temperature (15.4.4) 2.2.1 Table 2.2-1 13. Reactor Coolant Undervoltage Trip 1. Complete Loss of Forced Reactor Coolant Flow (15.3.2) 2.2.1 Table 2.2-1 14. Reactor Coolant Underfrequency Trip 1. Complete Loss of Forced Reactor Coolant Flow (15.3.2) 2.2.1 Table 2.2-1 15. Low-low Steam Generator Water

Level Trip 1. Loss of Normal Feedwater Flow (15.2.7) 2. Loss of External Load (15.2.2)

3. Loss of Nonemergency AC Power to the Plant Auxiliaries (Loss of Offsite Power) (15.2.6) 4. Feedwater System Pipe Break (15.2.8) 2.2.1 Table 2.2-1 16. Reactor Trip on Turbine Trip 1. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3) 2. Loss of Offsite Power to the Station Auxiliaries (Station Blackout) (15.2.6)

See Note (d) 2.2.1 Table 2.2-1 See Note (d) 2.2.1 Table 2.2-1 17. Safety Injection Signal Actuation

Trip 1. Accidental Depressurization of the Main Steam System (15.1.4) 2. Loss of Nonemergency AC Power to the Plant Auxiliaries (Loss of Offsite Power) (15.2.6) 3. Feedwater System Pipebreak (15.2.8) 4. Loss-of-Coolant Accidents Resulting from a Spectrum of Postulated Piping Breaks W ithin the Reactor Coolant Pressure Boundary (15.6.5) 5. Steam Generator Tube Rupture (15.6.3)

6. Steam System Piping Failure (15.1.5)

See Note (e) 18. Manual Trip Available for all Accidents (Chapter 15) See Note (d)

(d) A Technical Specification is not required because this trip is not assumed to function in the accident analyses. (e) Accident assumes that the reactor is tripped at end-of-life (EOL) which is the worst initial condition for this case.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.3-1 Revision:

Sheet: 8 1 of 2 TABLE 7.3-1 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION No. Functional Unit No. of Channels No. of Channels To Trip

1. Safety Injection
a. Manual 2 1 b. Containment Pressure-Hi-1 3 2 c. Low Steamline Pressure (Lead-Lag compensated)
  • 12 (3/steam line) 2 in any one steam line d. Pressurizer Low Pressure*

4 2 2. Containment Spray

a. Manual
    • 2 1 with 2 coincident switches b. Containment Pressure-Hi-3 4 2 3. Containment Isolation
a. Phase "A" Isolation
1) Manual Initiation 2 1 2) Safety Injection See item number 1
b. Phase "B" Isolation
1) Manual Initiation of Containment Spray 2 1 with 2 coincident switches 2) Containment Pressure-Hi-3 4 2 c. Containment Ventilation Isolation
1) Manual Initiation of Phase "A" Isolation See item number 3a 2) Safety Injection Radioactivity High See item number 1
3) Containment Online Purge 2 1 4) Manipulator Crane High Radiation 2 1
  • Permissible bypass if reactor c oolant pressure less than P-11.
    • Manual actuation of a train of containment spray is accomp lished by actuating either of two sets (two switches per set). Both switches in a set must be actuated to obtain a manually initiated spray signal for the respective train. The sets are wired to meet separa tion and single failure requirements of IEEE Standard 279-1971. Simultaneous operation of two switches is desirable to prevent inadvertent spray actuation.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.3-1 Revision:

Sheet: 8 2 of 2 No. Functional Unit No. of Channels No. of Channels To Trip

4. Steam Line Isolation
a. Low Steamline Pressure 3/steam line 2 in any one steam line b. Containment Pressure-Hi-2 3 2 c. Steam Generator Pressure - Negative - High 3/steam line 2 in any one steam line d. Manual
1) Individual 1/loop 1/loop 2) System 2 1 5. Feedwater Line Isolation
a. Safety Injection See Item No. 1
b. Steam Generator Level High-High on any Steam Generator (P-14) 4/Steam Gen. 2/Steam Gen. c. Low T avg Coincident with Reactor Trip (P4) (see Table 7.3-2) 1/loop any two loops 6. Emergency Feedwater
a. Manual
1) Motor-Driven Pump 1 1 2) Turbine-Driven Pump 2 1 b. Steam gen. water level low-low 4/Steam Gen. 2/Steam Gen. c. Safety Injection See item No. 1 d. Loss of Offsite Power Start Motor-Driven Pump and Turbine-Driven Pump 2/bus 2/bus 7. Automatic Switchover to Containment Sump
a. RWST Level - low-low coincident with safety injection 4 2 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.3-2 Revision:

Sheet: 8 1 of 1 TABLE 7.3-2 INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM Designation Input Function Performed Actuates turbine trip (independent of the SSPS, see Section 7.2.1.1 and 7.3.2.3 Closes main and bypass feedwater valves on T avg below setpoint Prevents opening of main and bypass feedwater valves which were closed by safety injection or High-High steam generator water level Allows manual block of the automatic reactuation of safety injection Reactor Trip Used in the control of steam dump valves (Figure 7.2-10)

P-4 Reactor not tripped Defeats the block which is preventing automatic reactuation of safety injection Allows manual block of safety injection actuation on low pressurizer pressure signal 2/3 Pressurizer pressure below setpoint Allows manual block of safety injection actuation and steamline isolation on low compensated steamline pressure signal, and allows steamline isolation on high steamline negative pressure rate P-11 2/3 Pressurizer pressure above setpoint Defeats manual block of safety injection actuation Blocks steam dump 2/4 T avg below setpoint Allows manual bypass of steam dump block for the cooldown valves only P-12 3/4 T avg above setpoint Defeats the manual bypass of steam dump block Closes all feedwater control valves and isolation valves Trips all main feedwater pumps P-14 2/4 Steam Generator water level above setpoint on any steam generator* Actuates turbine trip

  • The level channels, which have condensate pots common to both steam flow transmitters and level transmitters, are lag compensated to prevent spurious trips caused by short-term pressure waves which are generated during rapid closure of the turbine control valves.

SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 1 of 13 TABLE 7.4-1 EQUIPMENT REQU IRED FOR SAFE SHUTDOWN Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local a. Decay Heat Removal: MS-V-393 CP-108A MS-V-394 CP-108B Emergency Feedwater Pump (FW-P-37A) MS-V-395 CP-108A & B Emergency Feedwater Pump FW-P-37B Bus E6 FW-V-346 CP-108A Emergency Feedwater Recirc. Valves FW-V-347 CP-108B SG A EFW Control Valve FW-FV-4214A CP-108A & CP-450A SG A EFW Control Valve FW-FV-4214B CP-108B & CP-450B SG B EFW Control Valve FW-FV-4224A CP-108A & CP-450A SG B EFW Control Valve FW-FV-4224B CP-108B & CP-450B SG C EFW Control Valve FW-FV-4234A CP-108A & CP-450A SG C EFW Control Valve FW-FV-4234B CP-108B & CP-450B SG D EFW Control Valve FW-FV-4244A CP-108A & CP-450A SG D EFW Control Valve FW-FV-4244B CP-108B & CP-450B FW-FI-4214-5 X SG A EFW Flow FW-FI-4214-2 X FW-FI-4224-5 X SG B EFW Flow FW-FI-4224-2 X SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 2 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local FW-FI-4234-5 X SG C EFW Flow FW-FI-4234-2 X FW-FI-4244-5 X SG D EFW Flow FW-FI-4244-2 X RC Loop 1 Hot Leg Temp. RC-TI-9406 X RC Loop 1 Hot Leg Temp. RC-TI-413A X RC Loop 4 Hot Leg Temp. RC-TI-9407 X RC Loop 2 Hot Leg Temp. RC-TI-423A X RC Loop 1 Cold Leg Temp. RC-TI-9410 X RC Loop 1 Cold Leg Temp. RC-TI-413B X RC Loop 4 Cold Leg Temp. RC-TI-9411 X RC Loop 2 Cold Leg Temp. RC-TI-423B X SG A Atmos. Relief Valve MS-PV-3001 CP-108A/Distr. Panel 113B/CP-915A SG B Atmos. Relief Valve MS-PV-3002 CP-108B/Distr. Panel 113A/CP-915B SG C Atmos. Relief Valve MS-PV-3003 CP-108A/Distr.Panel 113B/CP-915A SG D Atmos. Relief Valve MS-PV-3004 CP-108B/Distr.Panel 113A/CP-915B FW-PI-4208 X EFW Pump Suction Pressure (for CST Level) FW-PI-4209 X SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 3 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local FW-LI-4252 X CST Level FW-LI-4257 X CST Inventory CO-LIS-4052 X MS Isol. Valves MS-V-86, 88, 90, 92 CP-108A MS Isol. Valves MS-V-86, 88, 90, 92 CP-108B FW-LI-4310 X SG A Wide-Range Level FW-LI-501 X FW-LI-4320 X SG B Wide-Range Level FW-LI-502 X FW-LI-4330 X SG C Wide-Range Level FW-LI-503 X FW-LI-4340 X SG D Wide-Range Level FW-LI-504 X MS-PI-3173 X SG A Pressure FW-PI-514A X MS-PI-3174 X SG B Pressure FW-PI-525A X MS-PI-3178 X SG C Pressure FW-PI-534A X MS-PI-3179 X SG D Pressure FW-PI-545A X SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 4 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local SG Blowdown Isol. Valves SB-V-9, 10, 11, 12 Distr. Panels 112A and B Spent Fuel Pool Pump SF-P-10A (7) MCC-E512 Spent Fuel Pool Pump SF-P-10B (7) MCC-E612 Spent Fuel Pool Pump SF-P-10C (7) MCC-E512 or MCC-E612 b. Reactor Coolant (RC) Inventory and Pressure Control: Charging Pump CS-P-2A Bus E5 Charging Pump CS-P-2B Bus E6 Charging Flow Isol. Valve CS-V-142 (8) CP-108A Charging Flow Isol. Valve CS-V-143 (8) CP-108B Charging Pump Suction from RWST CS-LCV-112D CP-108A Charging Pump Suction from RWST CS-LCV-112E CP-108B Charging Pump Discharge Valve CS-V-210 Local Charging Pump Discharge Valve CS-V-220 Local Charging Pump Bypass Valve CS-V-219 Local Charging Pump Bypass Valve CS-V-221 Local Pressurizer Relief Valves (PORV) RC-PCV-456A CP-108A and CP-450A Pressurizer Relief Valves (PORV) RC-PCV-456B CP-108B and CP-450B PORV Block Valve RC-V-122 CP-108A PORV Block Valve RC-V-124 CP-108B SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 5 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local Pressurizer Pressure RC-PI-7336 X RCS Pressure RC-PI-405-1, 2 X Pressurizer Pressure RC-PI-7335 X RCS Pressure RC-PI-403-1, 2 X RC-LI-7334 X Pressurizer Level RC-LI-459A X Pressurizer Level RC-LI-7333 X RC-LI-460A X CS-LI-7446 X Boric Acid Tank Level (TK-4A) CS-LI-102 X CS-LI-7464 X Boric Acid Tank Level (TK-4B) CS-LI-106 X High Pressure Injection SI-V-138 CP-108A and CP-915A High Pressure Injection SI-V-139 CP-108B and CP-915B VCT Disch. Isol. Valve CS-LCV-112B CP-108A VCT Disch. Isol. Valve CS-LCV-112C CP-108B RC Normal Letdown Isol. RC-LCV-459 Distr. Panel PP-122B RC Normal Letdown Isol. RC-LCV-460 Distr. Panel PP-122B RC Excess Letdown Isol. CS-V-175 (1) Distr. Panel PP-1111B RC Excess Letdown Isol. CS-V-176 (1) Distr. Panel PP-1111B SI Accum. TK-9A Isol. Vlv. SI-V-3 CP-108A SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 6 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local SI Accum. TK-9B Isol. Vlv. SI-V-17 CP-108B SI Accum. TK-9C Isol. Vlv. SI-V-32 CP-108A SI Accum. TK-9D Isol. Vlv. SI-V-47 CP-108B SI Accum. TK-9A Vent Vlvs. SI-FV-2475, 2476 CP-108B SI Accum. TK-9B Vent Vlvs. SI-FV-2482, 2483 CP-108A SI Accum. TK-9C Vent Vlvs. SI-FV-2477, 2486 CP-108B SI Accum. TK-9D Vent Vlvs. SI-FV-2495, 2496 CP-108A Bus E52 Feeder Breaker to MCC E522 AW9 CP-108A Bus E62 Feeder Breaker to MCC E622 AW0 CP-108B c. Reactivity Monitoring and Control:

Neutron Flux Indicators/ Monitors (Excore)

Intermediate Range Flux NI-NI-6690-2 X Intermediate Range Flux NI-NI-6690-3 X Source Range Flux NI-NI-6690-4 X Intermediate Range Flux NI-NI-6691-2 X Intermediate Range Flux NI-NI-6691-3 X Source Range Flux NI-NI-6691-4 X Shutdown Monitor NI-NM-6690-1 X Shutdown Monitor NI-NM-6691-1 X Boric Acid Trans. Pump CS-P-3A MCC E512 SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 7 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local Boric Acid Trans. Pump CS-P-3B MCC E612 BA to Chg. Pump Isol. Valve CS-V-426 MCC E612 Gravity Feed Boration Vlv. CS-V-423 Local Gravity Feed Boration Vlv. CS-V-431 Local Gravity Feed Boration Vlv. CS-V-437 Local Gravity Feed Boration Vlv. CS-V-439 Local Gravity Feed Boration Vlv. CS-V-442 Local Gravity Feed Boration Vlv. CS-V-410 Local Gravity Feed Boration Vlv. CS-V-416 Local Gravity Feed Boration Vlv. CS-V-1207 Local Reactor Trip Breakers CP-CP-111 Local d. Service Water (SW): Service Water Pump SW-P-41A Bus E5 Service Water Pump SW-P-41B Bus E6 Service Water Pump SW-P-41C Bus E5 Service Water Pump SW-P-41D Bus E6 DG Hx Discharge SW-V-16 Distr. Panel PP-113A DG Hx Discharge SW-V-18 Distr. Panel PP-113B SCCW Heat Exchanger Inlet Valve SW-V-4 CP-108A SCCW Heat Exchanger Inlet Valve SW-V-5 CP-108B SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 8 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local SW Pump Disch. Valve (see note below) SW-V-2 N/A SW Pump Disch. Valve (see note below) SW-V-22 N/A SW Pump Disch. Valve (see note below) SW-V-29 N/A SW Pump Disch. Valve (see note below) SW-V-31 N/A Cooling Tower Pump SW-P-110A Bus E5 Cooling Tower Pump SW-P-110B Bus E6 CT Pump Disch Valve SW-V54 CP-108A CT Pump Disch Valve SW-V25 CP-108B CT FAN SW-FN-51A Bus E5 CT FAN SW-FN-51B CP-108B CT Spray Bypass Recirc Valve SW-V139 Local CT Spray Bypass Recirc Valve SW-V140 Local Note: Automatic control from pump start circuitry only. e. Primary Component Cooling (PCCW):

PCCW Pump CC-P-11A Bus E5 PCCW Pump CC-P-11B Bus E6 PCCW Pump CC-P-11C Bus E5 PCCW Pump CC-P-11D Bus E6 CC-TV-2171-1 CP-108A PCCW Loop A Temp. CV CC-TV-2171-2 SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 9 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local Thermal Barrier Cooling Pump CC-P-322A (2) CP-108A Thermal Barrier Cooling Pump CC-P-322B (2) CP-108B CC-TV-2271-1 CP-108B PCCW Loop B Temp. CV CC-TV-2271-2 CC-TI-2171-1 X PCCW Loop A Temp. CC-TI-2197 X CC-TI-2271-1 X PCCW Loop B Temp. CC-TI-2297 X RHR Hx E-9A Outlet Valve CC-V-145 Local RHR Hx E-9B Outlet Valve CC-V-272 Local f. HVAC: Emerg. Switchgear Area Supply Fans CBA-FN-19, 32 MCC E515,621 Emerg. Switchgear Area Return Fans CBA-FN-20, 33 MCC E521,621 CBA-FN-21A MCC E521 Battery Room Exhaust Fan A CBA-DP-21A MCC E521 CBA-FN-21B MCC E621 Battery Room Exhaust Fan B CBA-DP-21B MCC E621 Train A Mech. Rm. Intake Damper CBA-DP-24A Local Train A Mech. Rm. Recirc. Damper CBA-DP-24B Local Train A Mech. Rm. Exhaust Damper CBA-DP-24C Local SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 10 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local Train B Mech. Rm. Intake Damper CBA-DP-24D Local Train B Mech. Rm. Recirc. Damper CBA-DP-24E Local Train B Mech. Rm. Exhaust Damper CBA-DP-24F Local DG Room Supply Fans DAH-FN-25A, B MCC E521,621 DG Room Exhaust Fans DAH-FN-26A, B MCC E521,621 DG Room Exhaust Dampers DAH-DP-16A, B MCC E521,621 Contn. Encl. Fans EAH-FN-5A, B CP-108A,B Contn. Encl. Fans EAH-FN-31A, B MCC E512,612 Emerg. Feed Pumphouse Fans EPA-FN-47A, B MCC E512,612 Emerg. Feed Pumphouse Dampers EPA-DP-373, 374 MCC E512,612 PAB PCC Pump Area Supply Fans PAH-FN-42A, B MCC E512,612 PAB PCC Pump Area Supply Dampers PAH-DP-43A, B MCC E512,612 PAB PCC Pump Area Exhaust Dampers PAH-DP-357, 358 MCC E512,612 SW Pumphouse Area Supply Fans SWA-FN-40A, B CP-108A,B

H 2 Analyzer and Electrical Room Fans EAH-FN-174A, B MCC E515,615 g. Residual Heat Removal (RHR):

RHR Pump RH-P-8A Bus E5 RHR Pump RH-P-8B Bus E6 RHR System Valve RC-V-88 CP-108A RHR System Valve RC-V-23 CP-108A SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 11 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local RHR System Valve RC-V-22 CP-108B RHR System Valve RC-V-87 CP-108B RHR Hx Bypass Valve RH-FCV-618 (3) Distr. Panel PP-112A RHR Hx Bypass Valve RH-FCV-619 (3) Distr. Panel PP-112B RHR Hx Valve RH-HCV-606 (3) Distr. Panel PP-112A RHR Hx Valve RH-HCV-607 (3) Distr. Panel PP-112B RHR Pump Recirculation RH-FCV-610 (9) Local RHR Pump Recirculation RH-FCV-611 (9) Local RHR Suction From RWST(Loop A) CBS-V-2 (10) Local RHR Suction From RWST (Loop B) CBS-V-5 (10) Local h. Sampling: RC-FV-2832 CP-108A RCS Sampling (Loop #1) RC-FV-2894 CP-108A RC-FV-2833 CP-108B RCS Sampling (Loop #3) RC-FV-2896 CP-108B RHR Local Sample Valves RH-V-8 (4) Local SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 12 of 13 Instrumentation Location Description Device RSS Control Location MCB CP108A CP108B Local RH-V-44 (4) Local i. Solid State Protection System (SSPS): SSPS Output Train A MM-CP-12 Distr. Panel PP-1A SSPS Output Train B MM-CP-13 Distr. Panel PP-1B j. Electrical Power Supply:

Diesel Generator A DG-1A Local (6) Diesel Generator B DG-1B Local (6) Electrical Distribution Equipment A EDE (5) Local Electrical Distribution Equipment B EDE (5) Local Notes (1) Normally closed (passive) valves. (2) These pumps provide a desired function, but not a required function, for safe shutdown. (3) Modulation of these valves is not required, but repositioning is required based on desired minimization of system transients. (4) These Manual sample valves are not considered active. Station abnormal procedures provide guidance to obtain grab samples via operation of these valves as a backup to using RH-V-16 and RH-V-17 for this purpose. (5) To simplify Table 7.4.1, specific equipment/tag numbers for electrical distribution equipment (EDE) will only be listed where an operator action is required to make the equipment perform its safe shutdown function. The only EDE equipment in this category are the feeder breakers for MCC E522 & E622 (see Item b, Reactor Coolant (RC) Inventory and Pressure Control). These MCCs are normally de-energized while the plant is at 100% power but must be energized during safe shutdown to provide power to various valves. All of the other EDE equipment is normally in its safe shutdown position or any required actions are automatically initiated. The circuit breaker or motor starter required to operate individual loads is considered part of the line item for the load itself.

SEABROOK STATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.4-1 Revision:

Sheet: 15 13 of 13 (6) To simplify Table 7.4.1, specific equipment/tag numbers for the diesel generators (DG) will only be listed where an operator action is required to make the equipment perform its safe shutdown function. The only DG equipment in this category is the manual action required to close the DG circuit breakers to energize the emergency buses if control has been transferred to the RSS locations. The DG-1A & -1B entry is considered to represent the DG circuit breakers. All of the other DG equipment is normally in its safe shutdown position or any required actions are automatically initiated. (7) These pumps provide a heat removal safety function, but not a required safe shutdown function. (8) These valves provide an ECCS isolation function, but not a required safe shutdown function, for isolation of the normal CS path. (9) These valves provide a pump protection function, but not a required safe shutdown function. (10) These valves provide an ECCS and long term cooling (beyond RSS shutdown) desired isolation function, but not a required safe shutdown function.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 1 of 37 TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER PLANT-SPECIFIC TYPE A VARIABLES A1 Degrees of Subcooling RC-PT-403, RC-PT-405 IC-TE-1 through 58***

200 F subcooling to 35 F superheat(from B10) Link 1 +300 F subcooling to 50 F superheat Yes Vital UPS RC-TI-9424A RC-TI-9424B RC-XX-7315-1,2&3(4) RC-XX-7315-4(4) Available Through Data Link A2 Steam Generator Pressure From atmospheric pressure to 20% above the lowest safety valve setting (1425 psig) (from D18) 1 0-1300 psig* Yes Vital UPS FW-PT-514 SG-A FW-PT-515 PI-514A PI-515A XR-501 A0730 A0733 FW-PT-524 SG-B FW-PT-525 PI-524A PI-525A XR-502 A0740 A0743 FW-PT-534 SG-C FW-PT-535 PI-534A PI-535A XR-503 A0723 A0750 FW-PT-544 SG-D FW-PT-545 PI-544A PI-545A XR-504 A0753 A0720 A3 Core Exit Temperature IC-TE-1 through 58***

200 F to 2300 F (from B8) 1 0-2300 F* Yes Vital UPS RC-TI-9423A RC-TI-9423B RC-XX-7315-1,2&3(4) RC-XX-7315-4(4) RC-XX-7315-1,2&3(4)** RC-XX-7315-4(4) Available Through Data Link A4 Steam Generator Level From tube sheet to separators (from D17) 1 Yes Vital UPS FW-LT-519 (NR) SG-A FW-LT-501 (WR) LI-519 (NR) LI-501 (WR) LR-519(5) XR-501 A0734 A0737 FW-LT-529 (NR) SG-B FW-LT-502 (WR) LI-529 (NR) LI-502 (WR) LR-529(5) XR-502 A0744 A0747 FW-LT-537 (NR) SG-C FW-LT-503 (WR)

Taps 453.25" and

581" above bottom reference

for narrow range Taps 22" and

581" above bottom reference

for wide range. LI-537 (NR) LI-503 (WR) LR-539(5)(3) XR-503 A0756 A0757 FW-LT-548 (NR) SG-D FW-LT-504 (WR) LI-548 (NR) LI-504 (WR) LR-549(5)(3) XR-504 A0725 A0727 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 2 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER PLANT-SPECIFIC TYPE A VARIABLES A5 Pressurizer Level RC-LT-459 RC-LT-460 Bottom to top (from D12) 1 Taps 6" from the top and bottom of

the straight shell

portion of the

pressurizer* Yes Vital UPS LI-459A LI-460A LR-459**(2) LR-460 A0332 A0333 ITEM NUMBER SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES PLANT-SPECIFIC TYPE A VARIABLES A1 Degrees of Subcooling 1 Yes Yes Yes N/A *** Operation with less than the design number of core-exit thermocouples is permitt ed provided that the minimum functionality requirements are met. See Subsections 4.4.6.1 and 7.7.1.9. A2 Steam Generator Pressure 1 Yes Yes Yes Yes**

  • See Deviation No. 1 in Appendix 7A. ** Trending required based on use as a Type D variable. A3 Core Exit Temperature 1 Yes Yes Yes N/A
  • Sensors are type K thermocouples that are calibrated to 1650 F. ** Individual sensor temperatures and spatial displays are provided on RC-XX-7315-1,2&3(4) and RC-XX-7315-4(4). *** Operation with less than the design number of core-exit thermocouples is permitted provided that the minimum functionality requirements are met. See Subsections 4.4.6.1 and 7.7.1.9. A4 Steam Generator Level 1 Yes Yes Yes N/A The WR steam generator level measurement taps cover the range from near the tube she et to above the separators. A5 Pressurizer Level 1 Yes Yes Yes Yes
  • See Deviation No. 2 in Appendix 7A. ** The input signal to LR-459 is selectable to any one of the pressurizer level channels.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 3 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER A6 RWST Level Storage Tank Level Top to bottom (from D9) 1 22,000 to

  • 485,500 gal Yes Vital UPS CBS-LT-2380 CBS-LT-2383 LI-2380 LI-2383 LR-2384 LR-2385 A0912 A0913 A7 RCS Pressure 0 to 3000 psig (from B11 and B7) 1 0-3000 psig Yes Vital UPS RC-PT-403 RC-PT-405 PI-403-1&2

PI-405-1&2 PR-403 PR-405(2) A0350 A0349 A8 DELETED A9 Control Room Temperature* A10 Containment Sump Isolation Valve Position CBS-ZS-2306-2 CBS-ZS-2307-1 (Plant Specific) Open - Not Open Yes* Vital UPS ZL-2306** ZL-2307 REACTIVITY CONTROL B1 Neutron Flux 10-6% to 100% full power 1 10 200% Full Power Yes Vital UPS NI-NE-6690 NI-NE-6691 -1 to +7 DPM (Rate) NI-6690-2 NI-6691-2 A1019 A1022 NI-6690-1 NI-6691-1 A1018 A1021 B2 Control Rod Position CP-U-7338 Full in or not full in 3 0-228 Steps (Full in to fully withdrawn) N/A N/A UI-7338 I0036 through I0092 B3 RCS Soluble Boron Concentration (Grab Sample) 0 to 6000 ppm 3 0-6000 ppm N/A N/A B4 RCS Cold Leg Water Temperature 50 F to 400 F 3 See B6 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 4 of 37 ITEM NUMBER VARIABLE SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES A6 RWST Level Tank Level 1 Yes Yes Yes N/A

  • See Deviation No. 3 in Appendix 7A. A7 RCS Pressure 1 Yes Yes Yes Yes A8 DELETED A9 Control Room Temperature
  • See Deviation No. 30 in Appendix 7A A10 Containment Sump Isolation Valve Position 1 Yes Yes Yes N/A
  • The redundancy provision is met on a systems basis. ** The key indications of containment sump isolation valve position are the status lamp arrays arranged on a functional basis. A tile is provided for each containment sump isolation valve.

REACTIVITY CONTROL B1 Neutron Flux 1 Yes Yes Yes Yes B2 Control Rod Position 3 N/A N/A N/A N/A

  • Control rod position inputs to the computer are available but are not listed here B3 RCS Soluble Boron Concentration 3 N/A N/A Yes N/A
  • See Deviation No. 5 in Appendix 7A.

B4 RCS Cold Leg Water Temperature See B6 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 5 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER B5 RCS Hot Leg Water Temperature 50 F to 700 F 1 32-700 F NO* Vital UPS RC-TE-413A RC-TE-423A RC-TE-433A RC-TE-443A TI-413A TI-423A TI-433A(1) TI-443A(1) TR-413A TR-413A TR-433A(2) TR-433A(2) A0339 A0340 A0341 A0342 B6 RCS Cold Leg Water Temperature 50 F to 700 F 1 32-700 F NO* Vital UPS RC-TE-413B RC-TE-423B RC-TE-433B RC-TE-443B TI-413B TI-423B TI-433B(1) TI-443B(1) TR-413B TR-413B TR-433B(2)** TR-433B(2)** A0343 A0344 A0345 A0346 B7 RCS Pressure 0-3000 psig 1 See A7 B8 Core Exit Temperature 200 F to 2300 F 3 See A3 B9 Reactor Coolant Inv. -Reactor Vessel Full Range Level (RCPs not running) Bottom of hot leg to top of vessel; Void trending 1 0-120% Yes(Full range; bottom to top of

vessel) Vital UPS RC-LT-1311 RC-LT-1321 RC-LI-1311 RC-LI-1321 RC-XX-7315-1,2&3(4) RC-XX-7315-4(4) Available Through Data Link -Reactor Vessel Dynamic Head (RCPs running) RC-LT-1312 RC-LT-1322 0-120% (dynamic

head range;

indicates normalized

core dp) RC-LI-1312 RC-LI-1322 RC-XX-7315-1,2&3(4) RC-XX-7315-4(4) Available Through Data Link B10 Degrees of Subcooling 200 F subcooling to 35 F superheat 2 See A1 RCS INTEGRITY B11 RCS Pressure 0 to 3000 psig 1 See A7 B12 Containment Drainage Sump Water Level, Narrow Range* Top to Bottom (Sump) 2 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 6 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES CORE COOLING B5 RCS Hot Leg Water Temperature 1 Yes Yes Yes Yes

  • All Channels powered from UPS-I-A. See Deviation No. 6 in Appendix 7A. B6 RCS Cold Leg Water Temperature 1 Yes Yes Yes Yes
  • All channels powered from UPS-I-B See Deviation No. 7 in Appendix 7A. B7 RCS Pressure See A7
  • RC-TR-433B procured to Class 1E requirements due to circuit interaction considerations B8 Core Exit Temperature See A3 B9 Reactor Coolant 1 Yes Yes Yes N/A 100% equals top of vessel or normal core dP Inventory with four reactor coolant pumps running. B10 Degrees of Subcooling See A1

RCS INTEGRITY B11 RCS Pressure See A7 B12A Containment Drainage Sump Water Level, Narrow Range*

  • See Deviation No. 23 in Appendix 7A.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 7 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER B12B Containment Building Level, Wide Range (plant-specific) 4" to 8'4" above base elevation Yes CBS-LIT-2384 CBS-LIT-2385 1 Vital UPS

& EMERG MCC L I-2384 LI-2385 LR-2384 LR-2385 A0930 A0931 CONTAINMENT INTEGRITY B13 Containment Pressure 0 to design pressure (52 psig) 1 0-60 psig Yes Vital UPS SI-PT-934, SI-PT-935 PI-934 PI-935 PR-934 PR-935 A0500 A0501 B14 Containment Isolation Valve Position Closed-not closed 1 Closed- not closed Yes* Vital** DC See UFSAR Subsection 6.2.4 and Table 6.2-83 for complete information on the design of the Containment Isolation System and the listing of individual containment isolation valves. B15 Containment Pressure -5 psig to design pressure (52 psig) 1 See C11 SI-PT-2576 SI-PT-2577 B16 Containment Enclosure Negative Pressure 0-1.0 in WCNEG Yes Vital UPS PDI-5782 PDI-5789 A3778 EAH-PDT-5782 EAH-PDT-5789 LITs powered from emergency MCCs. Remainder of loops powered from vital UPS.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 8 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES B12B Containment Building Level, Wide Range 1 Yes Yes Yes N/A CONTAINMENT INTEGRITY B13 Containment Pressure 1 Yes Yes Yes Yes B14 Containment Isolation Valve Position 1 Yes Yes Yes N/A

  • The redundancy provision for containment isolation valves is met on a systems basis. ** The primary indications of containment isolation valve position are status lamp arrays arranged on a functional basis. A tile is provided for each valve closed on either a Phase A or Phase B containment isolation signal. Valve position indicating lights are also provided with each valve control switch.

B15 Containment Pressure See C11 B16 Containment Enclosure Negative Pressure 1 Yes Yes Yes N/A S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 9 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER FUEL CLADDING C1 Core Exit Temperature 200 F to 2300 F 1 See A3 C2 Radioactive Concentration or Radiation Level in Circulating Primary Coolant* 1/2 Tech Spec limit to 100 times Tech Spec limit

(50 to 10 4Ci/gm) 1 C3 Analysis of Primary Coolant (Gamma Spectrum) 10 Ci/m1 to 10 Ci/m1 or TID-14844 source term in coolant volume 3 See E18 RCS BOUNDARY C4 RCS Pressure 0 to 3000 psig 1 See A7 C5 Containment Pressure

-5 psig to design pressure (52 psig) 1 See C11 C6A Containment Drainage Sump Water Level, Narrow-Range Top to bottom of sump 2 See B12A C6B Containment Recirculation Sump Water Level, Wide-Range Wide-Range (plant-specific) 1 See B12B C7 Containment Area Radiation 1 R/hr to 10 4 R/hr 3 See E1 C8 Effluent Radioactivity Noble Gas Effluent from Condenser Air Removal System Exhaust 10-6 Ci/cc to 10-2 Ci/cc 3 See E7 CONTAINMENT C9 RCS Pressure 0-3000 psig 1 See A7 C10 Containment Hydrogen Concentration 0 to 10% volume (capable of operating from -5 psig to maximum design

pressure 52 psig)

(from C10) 1 0-10% H 2-5 psig to 60 psig operating capability Yes Vital UPS&

EMERG MCC CGC-AIT-5828A CGC-AIT-5828B AI-5828A* AI-5828B* AR-5828A A1445 A1446 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 10 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES FUEL CLADDING C1 Core Exit Temperature See A3 C2 Radioactive Concentration or Radiation Level in Circulating Primary Coolant*

  • See Deviation No. 8 in Appendix 7A.

C3 Analysis of Primary Coolant (gamma spectrum) See E18 RCS BOUNDARY C4 RCS Pressure See A7 C5 Containment Pressure See C11 C6A Containment Drainage Sump Water Level, Narrow-Range See B12A C6B Containment Recirculation Sump Water level, Wide

Range See B12B C7 Containment Area Radiation See E1 C8 Effluent Radioactivity Noble Gas Effluent from Condenser Air Removal System Exhaust See E7 CONTAINMENT C9 RCS Pressure See B7 C10 Containment Hydrogen Concentration 3* Yes Yes Yes N/A

  • See Deviation No. 4 in Appendix 7A.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 11 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER C11 Containment Pressure -5 psig pressure to 3 times design pressure for concrete(-5 to 156 psig) 1 (-)5-0-160 psig Yes Vital UPS SI-PT-2576 SI-PT-2577 PI-2576 PI-2577 PR-934 PR-935 A0516 A0517 C12 Containment Effluent Radioactivity-Noble Gases from Identified Release Points 10-6 Ci/cc to 10-2 Ci/cc 2 See E7 C13 Effluent Radioactivity activity Noble Gases (inside buildings or areas where penetrations or hatches

are located) 10-6 Ci/cc to 10 3 Ci/cc 2 10 1-10 6 cpm* (corresponds to6 10-4 Ci/cc to 10 Ci/cc) N/A Emerg.

MCC RM-6566 1-MM-CP-295 Available Through Data Link TYPE D VARIABLES, SYSTEM OPERATION RHR D1 RHR System Flow 0 to 110% design flow (4950 gpm) 2 0-5000 gpm N/A Vital UPS RH-FT-618 RH-FT-619 FI-618 FI-619 A0950 A0952 D2 RHR Heat Exchanger Outlet Temperature 40 F to 350 F 2 50-400 F* N/A Vital UPS RH-TE-604 RH-TE-605 TR-612 TR-613 A0954 A0955 SAFETY INJECTION D3 Accumulator Tank Level 10% to 90% volume 2 D4 Accumulator Tank Pressure SI-PT-960 SI-PT-962 SI-PT-964 SI-PT-966 0 to 750 psig 2 0-700 psig* N/A Non-Vital UPS PI-960 PI-962 PI-964 PI-966 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 12 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES C11 Containment Pressure 1 Yes Yes Yes N/A C12 Containment Effluent Radioactivity-Noble Gases from Identified Release Points See E7 C13 Effluent Radioactivity Noble Gases (inside buildings or

areas where penetrations or

hatches are located) 3* N/A N/A Yes N/A

  • See Deviation No. 9 in Appendix 7A.

TYPE D VARIABLES, SYSTEM OPERATION RHR D1 RHR System Flow 2 Yes N/A Yes N/A D2 RHR Heat Exchanger Outlet Temperature 2 Yes N/A Yes N/A

  • See Deviation No. 22 in Appendix 7A.

SAFETY INJECTION D3 Accumulator Tank Level*

  • See Deviation No. 10 in Appendix 7A. D4 Accumulator Tank Pressure 2 2 Yes N/A Yes N/A
  • See Deviation No. 11 in Appendix 7A.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 13 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D4A Accumulator Vent Valve Position Open/Closed N/A Vital DC SI-ZS-2475 SI-ZS-2476 SI-ZS-2482 SI-ZS-2483 SI-ZS-2477 SI-ZS-2486 SI-ZS-2495 SI-ZS-2496 CS-2475-1 CS-2476 CS-2482-1

CS-2483 CS-2477-1

CS-2486 CS-2495-1

CS-2496 D7361 D7362 D7364 D7365 D7366 D7367 D7368 D7369 D5 Accumulator Isolation Valve Position Closed or open 2 Open/Closed Open/Closed N/A Vital UPS SI-ZS-2403-1 SI-ZS-2413-1 SI-ZS-2423-1 SI-ZS-2433-1 Open/Closed Open/Closed ZL-2403-1 ZL-2413-1 ZL-2423-1 ZL-2433-1 D6 Boric Acid Charging Flow 0 to 110% design (0 to 85 gpm) 2 0-150 gpm N/A Vital UPS CS-FT-183 (Emergency Boration Flow)

FI-183A D7 Flow in HPI System 0 to 110% design (0 to 605 gpm) 2 0-800 gpm N/A Vital UPS SI-FT-918 SI-FT-922 (0 to 715 gpm) 0-1000 gpm FI-918 FI-922 A0512 A0514 SI-FT-917 (CS pump)

FI-917 A0510 D8 Flow in LPI System 0 to 110% design 2 See D1 D9 Refueling Water Storage Tank Level Top to bottom 2 See A6 RCS D10 Reactor Coolant Pump Status Moto r current 3 0-400 amps N/A N/A RC-AM-7300 RC-AM-7304 RC-AM-7306 RC-AM-7308 (330 FLA) AM-7300 AM-7304 AM-7306 AM-7308 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 14 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES D4A Accumulator Vent Valve Position 2 Yes N/A Yes N/A D5 Accumulator Isolation Valve Position 2 Yes N/A Yes N/A D6 Boric Acid Charging Flow 3 N/A N/A Yes N/A

  • See Dev. No. 27 in Appendix 7A. D7 Flow in HPI System 2 Yes N/A Yes N/A D8 Flow in LPI System See D1 D9 Refueling Water Storage Tank Level See A6 D10 Reactor Coolant Pump Status 3 N/A N/A Yes N/A

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 15 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D11 Primary System Safety Relief Valve Positions (including PORV and code safety valves)

Closed-not closed 2 Closed-not closed N/A RC-PCV-456A RC-PCV-456B Vital DC CS-456-A1 CS-456-B1 D4495 D4496 VB-YE-6832-1 VB-YE-6832-2 Emerg MCC YM-6832-1 YM-6832-2 D5791 D12 Pressurizer Level Top to bottom 1 See A5 D13 Pressurizer Heat er Status, Power Monitor Electrical current 2 0-480 kW N/A

  • A0386 A0387 A0388 A0389 D14 Pressurizer Relief Tank (Quench Tank) Level Top to bottom 3 0-100" W.C N/A N/A RC-LT-470 LI-470 A0347 D15 Pressurizer Relief Tank (Quench Tank) Temperature RC-TE-468 50 F to 750 F 3 50-350 F* N/A N/A TI-468 A0376 D16 Pressurizer Relief Tank (Quench Tank) Pressure RC-PT-469 0 to design pressure 3

(0-100 psig) 0-100 psig N/A N/A PI-469 A0348 SECONDARY D17 Steam Generator Level From tube sheet to separators 1 See A4 D18 Steam Generator Pressure From atmospheric pressure to 20% above the lowest safety valve setting

(1425 psig) 2 See A2 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 16 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES D11 Primary System Safety Relief Valve Positions(including PORV and code safety valves) 2 Yes Yes Yes N/A Stem-mounted limit switches provide position indication for the PORVs. Acoustic Monitoring System Monitors status of both the PORVs and the safeties.

D12 Pressurizer Level See A5 D13 Pressurizer Heater Status, Power Monitor 2 Yes N/A Yes N/A

  • Watts transducer powered by sensing circuit D14 Pressurizer Relief Tank(Quench Tank) Level 3 N/A N/A Yes N/A D15 Pressurizer Relief Tank(Quench Tank)

Temperature 3 N/A N/A Yes N/A

  • See Deviation No. 12 in Appendix 7A.

D16 Pressurizer Relief Tank(Quench Tank) Pressure 3 N/A N/A Yes N/A SECONDARY D17 Steam Generator Level See A4 D18 Steam Generator Pressure See A2

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 17 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D19 Safety-Relief Valve Position or Main Steam Flow Closed-not closed 2 Closed-not closed N/A Emerg MCC VB-YE-6820 (SG #4) VB-YE-6821 (SG #3)

VB-YE-6822 (SG #2)

VB-YE-6823 (SG #1)

YM-6820 YM-6821 YM-6822 YM-6823 D5788 D20 Main Feedwater Flow 0 to 110% design flow (0-4.2x10 6 lb/hr) 3 0-5x10 6 Lb/hr per SG N/A N/A FW-FT-510 (SG #1) FW-FT-520 (SG #2)

FW-FT-530 (SG #3)

FW-FT-540 (SG #4) FI-510A FI-520A FI-530A FI-540A FR-510 FR-520 FR-530 FR-540 A0728 A0738 A0748 A0718 EMERGENCY FEEDWATER D21 Auxiliary or Emergency Feedwater Flow 0 to 110% design flow (0 to 390 gpm) 2 0-600 gpm N/A Vital UPS FW-FT-4214-2 (SG #1) FW-FT-4224-2 (SG #2)

FW-FT-4234-2 (SG #3)

FW-FT-4244-2 (SG #4)

FI-4214-2 FI-4224-2

FI-4234-2

FI-4244-2 FR-4214 FR-4224 FR-4214 FR-4224 A0795 A0796 A0797 A0798 D22 Condensate Storage Tank Water Level Plant specific FW-LT-4252 FW-LT-4257 1 (10.36-408.7) x10 3 gallons Yes Vital UPS LI-4252 LI-4257 A0704 A0706 CONTAINMENT COOLING D23 Containment Spray Flow 0 to 110% design flow (3400 gpm) 2 Containment Spray Pump Suction Pressure CBS-PT-2312 CBS-PT-2314 0-60 psig* N/A Non-Vital UPS Containment Spray Pump Discharge Pressure PI-2312 PI-2314 A0922 A0924 CBS-PT-2313 CBS-PT-2315 0-500 psig* N/A Non-Vital UPS PI-2313 PI-2315 A0923 A0925 D24 Heat Removal by the Containment Fan Heat Removal System* Plant-specific 2

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 18 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES D19 Safety-Relief Valve Position or Main Steam Flow 2 Yes N/A Yes N/A Acoustic Monitoring System Monitors position of the SG safeties. D20 Main Feedwater Flow 3 N/A N/A Yes N/A EMERGENCY FEEDWATER D21 Auxiliary or Emergency Feedwater Flow 2 Yes N/A Yes N/A D22 Condensate Storage Tank Water Level 1 Yes Yes Yes N/A

  • CST Level is sensed at the EFW pump suction.

CONTAINMENT COOLING D23 Containment Spray Flow Containment Spray Pump Suction Pressure 2 Yes N/A Yes N/A

  • See Deviation No. 13 in Appendix 7A.

Containment Spray Pump Discharge Pressure 2 Yes N/A Yes N/A D24 Heat Removal by the Containment Fan Heat Removal System*

  • See Deviation No. 25 in Appendix 7A.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 19 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D25 Containment Atmosphere Temperature RC-TE-1313 40 F to 400 F 2 50-420 F* N/A Vital UPS RC-XX-7315-1,2&3(4) Available Through Data Link D26 Containment Sump Water Temperature*

50 F to 250 F 2 32-1599 F N/A Non-Vital UPS A0091 A0092 CBS-TE-2378 & 2379 CHEMICAL AND VOLUME CONTROL D27 Makeup Flow-in 0 to 110% design flow 2 0-200 gpm N/A N/A CS-FT-121 (150 gpm) FI-121A A0622 D28 Letdown Flow-out 0 to 110% design flow 2 0-200 gpm N/A N/A CS-FT-132 (135 gpm) FI-132 A0620 D29 Volume Control Tank Level Top to bottom (141") 2 0-80"* N/A N/A CS-LT-185 CS-LT-112 LI-185 LI-112 LR-185 A0624 COOLING WATER D30 Component Cooling Water Temperature to ESF 40 F to 200 F 2 0-175 F* N/A Vital UPS CC-TE-2171 CC-TE-2271 TI-2171-1 TI-2271-1 A0271 A0269 D31 Component Cooling Water Flow to ESF System 0 to 110% design flow (11,500 gpm) 2 0-13,000 gpm N/A Non-Vital UPS CC-FT-2103 CC-FT-2203 FI-2103 FI-2203 A0273 A0272 D31a RHR and CBS Heat Exchanger PCCW Outlet Valves CC-V266 CC-V272 CC-V137 CC-V145 Closed/Open N/A Emerg. MCC CS-2245 CS-2244 CS-2145 CS-2144 D7823 D7824 D7821 D7822 D32 Cooling Tower Sump Level 0-50 FT N/A Vital UPS SW-LT-6129 SW-LT-6139 LI-6129 LI-6139 LR-6129 A1537

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 20 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES D25 Containment Atmosphere Temperature 2 Yes N/A Yes N/A

  • See Deviation No. 14 in Appendix 7A.

D26 Containment Sump Water Temperature*

2 Yes N/A Yes N/A

  • See Deviation No. 15 in Appendix 7A.

CHEMICAL AND VOLUME CONTROL D27 Makeup Flow-In 3* N/A N/A Yes N/A

  • See Deviation No. 16 in Appendix 7A. D28 Letdown Flow-Out 3* N/A N/A Yes N/A
  • See Deviation No. 17 in Appendix 7A. D29 Volume Control Tank Level 3* N/A N/A Yes N/A
  • See Deviation No. 18 in Appendix 7A. COOLING WATER D30 Component Cooling Water Temperature to ESF 2 Yes N/A Yes N/A
  • See Deviation No. 19 in Appendix 7A. D31 Component Cooling Water Flow to ESF System 2 Yes N/A Yes N/A D31a RHR and CBS Heat Exchanger PCCW Outlet Valves 2 Yes N/A Yes N/A D32 Cooling Tower Sump Level 2 Yes N/A Yes N/A

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 21 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D32a Service Water Flow to DG Heat Exchanger 0-3500 gpm N/A Non- Vital UPS FI-6181 SW-FT-6181 SW-FT-6191 Vital UPS FI-6191 D32b Cooling Tower Pump Discharge Temperature 0-150 F N/A Non-Vital UPS SW-TE-6184 SW-TE-6194 TI-6184 TI-6194 A1503 A1505 RADWASTE D33 High-Level Radioactive Liquid (Floor Drain) Tank Level Top to bottom (18 feet) 3 0-14 FT* N/A N/A WL-LT-1462 (TK-59A) WL-LT-1466 (TK-59B)

LI-1462 LI-1466 A1285 D34 Radioactive Gas Holdup Tank Pressure* 0 to 150% design pressure 3 VENTILATION D35 Emergency Ventilation Damper Position Open-closed status 2 Closed-not closed N/A Vital UPS Emerg. MCC PAH-DP-35A PAH-DP-35B PAH-DP-36A PAH-DP-36B EAH-DP-30A EAH-DP-30B CAH-DP-34A CAH-DP-34B CAH-DP-34C CAH-DP-34D

CBA-DP-53A

CBA-DP-53B

CBA-DP-27A

CBA-DP-27B

CBA-DP-28 CBA-DP-1058 ZL-5370-3 ZL-5371-3 ZL-5370-4 ZL-5371-4 ZL-5780-2 ZL-5784-2 ZL-5630-2 ZL-5631-2 ZL-5634 ZL-5635 CS-5331 CS-5329 CS-5318 CS-5320 ZL-5332 ZL-1058 D5142 D5147 D5148 D5149 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 22 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D35a Fan Status: Control Room Makeup Air Fans Running/ not Running N/A Emerg.

MCC CBA-FN-27A CBA-FN-27B CBA-FN-16A

CBA-FN-16B

CBA-FN-15 CS-5328 CS-5330 ZL-5365 ZL-5320-2 ZL-5310 D7034 D7035 D7017 D7006 D7036 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES D32a Service Water Flow to DG Heat Exchanger 2 Yes N/A Yes N/A D32b Cooling Tower Pump Discharge Temperature 2 Yes N/A Yes N/A RADWASTE D33 High-Level Radioactive Liquid (floor drain) Tank Level 3 N/A N/A Yes N/A

  • See Deviation No. 20 in Appendix 7A. D34 Tank Pressure*
  • See Deviation No. 26 in Appendix 7A.

VENTILATION D35 Emergency Ventilation Damper Position 2 Yes N/A Yes N/A D35a Fan Status: Control Room Makeup Air Fans 2 Yes N/A Yes N/A

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 23 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D35b Containment Enclosure Temperature 30-220 F N/A Vital UPS MM-TE-1002A MM-TE-1002B RC-XX-7315-1,2&3(4) RC-XX-7315-4(4) Available Through Data Link D35c Primary Auxiliary Building Temperature 30-220 F N/A Vital UPS MM-TE-1003A MM-TE-1003B RC-XX-7315-1,2&3(4) RC-XX-7315-4(4) Available Through Data Link D35d Diesel Generator Building Temperature 0-200 F N/A Non-Vital UPS DAH-TE-5688 DAH-TE-5689 TI-5688 TI-5689 D6975 D6977 D6979 D35e Service Water Pumphouse Temperature 0-140 F* N/A N/A SWA-TSHL 5612 SWA-TSHL 5608 SWA-TSHL 5609 D35f Cooling Tower Switchgear Area Temperature 0-140 F* N/A N/A SWA-TSHL 5699 SWA-TSHL 5693 SWA-TSHL 5696 D6993 D6989 D6991 D35g Emergency Feedwater Pumphouse Temperature 0-140 F* N/A N/A EPA-TSH-5434 D7980 D35h Control Building Temperature 30-110 F* N/A N/A CBA-TSHL-5180 CBA-TSHL-5181 CBA-TSHL-5182 CBA-TSHL-5580 CBA-TSHL-5581 D7022 D7023 D7026 D7027 D7028 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 24 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER D35i Containment Enclosure Emergency Exhaust Fan Discharge Flow 0-4000 ACFM N/A Non-Vital UPS EAH-FIT-5791 FR-5791 FR-5791 A3777 D35j Control Building Temperature CBA-TE-8630 CBA-TE-8631 30°-110°F N/A N/A N/A N/A A0176 (B6543)

A0177 (B6686)

ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES D35b Containment Enclosure Temperature 2 Yes N/A Yes N/A D35c Primary Auxiliary Building Temperature 2 Yes N/A Yes N/A D35d Diesel Generator Building Temperature 2 Yes N/A Yes N/A D35e Service Water Pumphouse Temperature 2 Yes N/A Yes N/A

  • High Temperature alarm provided D35f Cooling Tower Switchgear Area Temperature 2 Yes N/A Yes N/A
  • High Temperature alarm provided D35g Emergency Feedwater Pumphouse Temperature 2 Yes N/A Yes N/A
  • High Temperature alarm provided D35h Control Building Temperature 2 Yes N/A Yes N/A
  • High Temperature alarm provided D35i Containment Enclosure Emergency Exhaust Fan Discharge Flow 2 Yes N/A Yes N/A D35j Control Building Temperature 3 No N/A Yes N/A
  • High Temperature alarm provided

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 25 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER POWER SUPPLIES D36 Status of Standby Power 4160 Emergency Bus Availability Plant-specific 2 0-5000V N/A N/A EDE-VTR-9708 EDE-VTR-9718 VM-9708 VM-9718 A2306 A2309 480 Emergency Bus Availability Plant-specific 2 0-600V N/A N/A EDE-VTR-9784-1,-2,-3 EDE-VTR-9785-1,-2,-3,-4 VM-9784 VM-9785 125V DC Plant-specific 2 0-150V DC N/A Vital UPS EDE-VTR-9750 EDE-VTR-9752 EDE-VTR-9754 EDE-VTR-9756 VM-9750 VM-9752 VM-9754 VM-9756 A2052 A2055 A2058 A2061 120V AC Vital Bus Voltage Plant-specific 2 0-150V N/A N/A Vital Bus 1A Vital Bus 1B Vital Bus 1C Vital Bus 1D Vital Bus 1E Vital Bus 1F A1816 A1817 A1818 A1819 A4851 A4852 Emergency Diesel Generator Plant-specific 2 VM 0-5000V N/A Emerg. EDE-VTR-9700-1 (DG A) EDE-FTR-9700-3 EDE-ATR-9700-1 EDE-WTR-9700-3 FM 55-65 Hz AM 0-2000 amp WM 0-9000 KW MCC VM-9700-1 FM-9700-3 AM-9700-1 WM-9700-3 XR-9700A XR-9700B XR-9700A XR-9700B A2712 A2713 A2714 A2715 EDE-VTR-9710-1 (DG B) EDE-FTR-9710-3 EDE-ATR-9710-1 EDE-WTR-9710-3 VM-9710-1 FM-9710-3 AM-9710-1 WM-9710-3 XR-9710A XR-9710B XR-9710A XR-9710B A2732 A2733 A2734 A2735 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 26 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES D36 Status of Standby Power 4160 Emergency Bus Availability 2 Yes N/A Yes N/A 480 Emergency Bus Availability 2 Yes N/A Yes N/A 125V DC 2 Yes N/A Yes N/A 120V AC 2 Yes N/A Yes N/A Emergency Diesel Generator 2 Yes N/A Yes N/A

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 27 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER COMBUSTIBLE GAS CONTROL D37 Hydrogen Recombiner:

Heater Power 0-100 KW N/A Emerg. MCC Wattmeter on MCB-G(rear)

TYPE E VARIABLES, RELEASE ASSESSMENT CONTAINMENT RADIATION E1 Containment Area Radiation 1 R/hr to 10 7 R/hr 1 1 to 10 8 R/hr Yes Vital UPS RM-RE-6576 A RM-RE-6576 B RK-6576A RI-6576A RK-6576B RI-6576B RR-6576A RR-6576B Available Through Data Link AREA RADIATION E2 Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety) 10-1 R/hr to 10 4 R/hr 3 10-2 to10 4 R/hr N/A N/A 1-MM-CP-295 1-MM-CP-295 Available Through Data Link RM-RE-6508-1, -2 (PAB High Range)

RM-RE-6563-1, -2 (PAB High Range)

RM-RE-6517-1, -2 (RHR Pump vault 1&2 High Range)

RM-RE-6518 (Spent Fuel High Range)

NOBLE GASES E3 Containment or Purge Effluent 10

-6 Ci/cc to10 5 Ci/cc (not needed if effluent

discharges through common plant vent) 0 to 110% flow 2 See E7 E4 Reactor Shield Building Annulus 10

-6 Ci/cc to10 4 Ci/cc (not needed if effluent

discharges through common plant vent) 0 to 110% flow 2 See E7

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 28 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES COMBUSTIBLE GAS CONTROL D37 Hydrogen Recombiner: Heater Power 2 Yes N/A Yes N/A TYPE E VARIABLES, RELEASE ASSESSMENT CONTAINMENT RADIATION E1 Containment Area Radiation 1 Yes Yes Yes N/A AREA RADIATION E2 Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety) 3 N/A N/A Yes N/A The high-range monitors have been installed to monitor the entrances to the PAB and RHR pump vault. The spent fuel pool area is also monitored with a high- range detector. Individual cubicles are not monitored. Portable instruments will be used for entry into high radiation areas (real or suspected).

NOBLE GASES E3 Containment or Purge Effluent See E7 Discharge through plant vent stack.

E4 Reactor Shield Building Annulus See E7 Discharges through plant vent stack.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 29 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER E5 Auxiliary Building (including any building containing primary system gases, e.g., waste gas decay tank) 10-6 Ci/cc to 10 3 Ci/cc (not needed if effluent

discharges through common plant vent) 0 to 110% flow 2 See E7 E6 Condenser Air Removal System Exhaust 10-6 Ci/cc to 10 5 Ci/cc (not needed if effluent discharges through common plant vent) 0 to 110% flow 2 See E7 E7 Common Plant Vent or Multipurpose Vent Discharging Any 10-6 Ci/cc to 10 4 Ci/cc 2 10

-7 to 10 5 Ci/cc N/A Emerg.

MCC RR-6528-1 Available of Above Releases (if containment purge is included)

RM-RE-6528-1, -2, -3 RM-FT-6577-1, -2 0 to 110% flow

(0 to 2x10 5 scfm) 2 0 to 3.5x 10 5 scfm RK-6528 1-MM-CP-295 RR-6528-2 Through Data Link E8 Vent From Steam Generator Safety Relief Valves or Atmospheric Dump Valves 2 1 to 10 5 mr/hr* N/A Emerg. MCC RM-RE-6481-1,2; 6482-1, 2 10-1 Ci/cc to 10 3 Ci/cc (Duration of releases in seconds and mass of steam per unit time) 1-MM-CP-295 1-MM-CP-295 Available Through Data Link Safety/Relief Valve Position YE-6820 YE-6821 YE-6822 YE-6823 See D19 E9 All Other Identified Plant Release Points*

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 30 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES E5 Auxiliary Building(including any building containing primary system gases, e.g.,

waste gas decay tank) See E7 Discharges through plant vent stack. E6 Condenser Air Removal System Exhaust See E7 Discharges through plant vent stack. E7 Common Plant Vent or Multipurpose Vent Discharging Any of Above Releases (if containment purge

is included) 2 Yes N/A Yes Yes Flow element provides a signal to the radiation monitors to permit the radiation monitors to calculate the microcuries per cubic centimeter flowing in the duct and microcuries per second released through the plant vent stack. E8 Vent from Steam Generator Safety Relief Valves or Atmospheric Dump Valves 2 Yes N/A Yes Yes

  • Correlation from mr/hr to Ci/cc is included in the procedure for offsite dose assessment. Direct readout in Ci/cc is not required to support this procedure. The safety/relief valve position monitors can be used to determine the existence of flow through these valves. E9 All Other Identified Plant Release Points*
  • None Identified.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 31 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER PARTICULATES AND HALOGENS E10 All Identified Plant Release Points (except steam generator safety relief valves or atmospheric steam dump valves and condenser air removal 10-3 Ci/cc to 10 2 Ci/cc 3 10

-3 Ci/cc to 1 0 2 Ci/cc N/A N/A N/A N/A N/A system exhaust). Sampling with Onsite Analysis Capability.

RM-SKD-53-2 0 to 110% flow

(0 to 2x10 5 scfm) 0 to 3.5x 10 5 scfm N/A N/A 1-MM-CP-295 1-MM-CP-295 Available Through Data Link E12 Airborne Radiohalogens and Particulates (portable sampling with onsite analysis capability) Air Samplers: Low Volume High Volume Personnel Continuous air

Monitor 10-9 Ci/cc to 10

-3 Ci/cc 3 10

-9 Ci/cc to 10-3Ci/cc N/A N/A N/A E13 Plant and Environs 10

-3 R/Hr to 3 0-1 R/Hr N/A N/A N/A N/A N/A Radiation (portable 10 4 R/Hr photons beta/gamma instrumentation) 10

-3 rads/hr to 0-1.000 R/Hr N/A N/A N/A N/A Ion Chamber 10 4 rads/hr, beta gamma (Low Range) radiations and low- Up to 10,000 N/A N/A N/A N/A Ion Chamber energy photons R/Hr gamma (Mid Range) 0-50,000 CPM N/A N/A N/A N/A Ion Chamber beta/gamma (High Range) 0-200 MR/Hr N/A N/A N/A N/A Geiger Mueller beta/gamma Detector 0-500,000 CPM N/A N/A N/A N/A Geiger Mueller alpha Detector 0.001-10 R/Hr N/A N/A N/A N/A Alpha Scintillation neutron Tele-detector Rate Detector E14 Plant and Environs Radioactivity(portable instrumentation) (Isotopic analysis) 3 Multichannel gamma-ray spectrometer N/A N/A N/A N/A N/A

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 32 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES PARTICULATES AND HALOGENS E10 All Identified Plant Release Points (except steam generator safety relief valves or atmospheric steam dump

valves and condenser air removal system exhaust).

Sampling with Onsite analysis Capability. 3 N/A N/A Yes N/A E12 Airborne Radiohalogens and Particulates (portable sampling with on-site analysis capability) 3 N/A N/A Yes N/A E13 Plant and Environs Radiation (portable instrumentation) 3 N/A N/A Yes N/A E14 Plant and Environs activity (portable instrumentation) 3 N/A N/A Yes N/A Function provided by gamma spectroscopy system located in the Counting Room. Portable air sampler used to obtain the air samples.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 33 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER PARTICULATES AND HALOGENS METEOROLOGY E15 Wind Direction43 feet above grade209 feet above grade 0 to 360 (+/-5 accuracy with a deflection of 10).Starting speed less than 0.4 mps (1.0 mph) Damping ratio greater than or equal to 0.4,delay

distance less than or equal to 2 meters.

3 30-540* Accuracy: +/-5 Threshold:

< 1 mph Damping Ratio: 0.4** Delay Distance:

2 meters** N/A N/A Computer Computer A1630 A1627 E16 Wind Speed 43 feet above grade 209 feet above grade 0 to 22 mps (50 mph). +/-0.2 mps (0.5 mph) accuracy for speeds less than 2 mps (5 mph),

10% for speeds in excess of 2 mps (5 mph), with a

starting threshold of less than 0.4 mps (1.0 mph)

and a distance constant not to exceed 2 meters. 3 0-100 mph Accuracy: .5 mph @ < 5 mph 10% @ > 5 mph Threshold: 1 mph Distance Constant: < 2 meters* N/A N/A Computer Computer A1628 A1626 E17 Estimation of Atmospheric Stability150-43 feet (delta-T) 209-43 feet (delta-T)

Based on vertical Temperature difference from primary meteorological system, -5 C to 10 C (-9 F to 18F) and +/-0.15 C accuracy per 50-meter intervals (+/-0.3F accuracy per 164-foot intervals) or analogous range for alternative stability estimate.

3 -10 F to 18 F Accuracy: +/-0.2 F N/A N/A Computer Computer A1632 A1631 S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 34 of 37 ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES E15 Wind Direction 3 N/A N/A Yes Yes Communication with the National Weather Service is available by telephone ** Range of 0-540 selected to minimize recorder pen travel for northerly wind directions. See Deviation No. 28 in Appendix 7A. E16 Wind Speed 3 N/A N/A Yes Yes

  • Communication with the National Weather Service is available by telephone. See Deviation No. 29 in Appendix 7A. E17 Estimation of Atmospheric Stability 3 N/A N/A Yes Yes Communication with the National Weather Service is available by telephone.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 35 of 37 DISPLAY MCR ITEM NUMBER VARIABLE/SENSOR R.G. 1.97 RECOMMENDED RANGE R.G. 1.97 DESIGN CATEGORY ACTUAL RANGE REDUNDANCY POWER SUPPLY VARIABLE TREND INDICATION TSC, EOF COMPUTER ACCIDENT SAMPLING CAPABILITY E18 Primary Coolant and Sump Grab sample 3 N/A N/A N/A N/A N/A Gross Activity 1 Ci/ml to 10 Ci/ml 1 Ci/ml to 10 Ci/ml Gamma Spectrum (Isotopic Analysis) Isotopic Analysis Boron Content 0 to 6000 ppm 0 to 6000 ppm Chloride Content 0 to 20 ppm 0 to 20 ppm Dissolved Hydrogen 0 to 2000cc (STP)/KG 0 to 2000cc (STP)/KG Dissolved Oxygen 0 to 20 ppm

  • pH 1 to 13 1 to 13 E19 Containment Air Grab sample 3 N/A N/A N/A N/A N/A Hydrogen Content 0 to 10% 0 to 10%

Oxygen Content 0 to 30% 0 to 30%

Gamma Spectrum (Isotopic analysis) (Isotopic analysis)

ITEM NUMBER VARIABLE CATEGORY SB DESIGN CATEGORY ENVIRONMENTAL QUALIFICATION SEISMIC QUAL. QA TRENDING REMARKS/NOTES ACCIDENT SAMPLING CAPABILITY E18 Primary Coolant and Sump 3 N/A N/A Yes N/A

  • See Deviation No. 21 in Appendix 7A. E19 Containment Air 3 N/A N/A Yes N/A S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 36 of 37 LIST DATA TABLE LEGEND AND NOTES Abbreviations: EOF Emergency Operations Facility MCC Motor Control Center MCR Main Control Room TSC Technical Support Center UPS Uninterruptible Power Supply G. Under the "Seismic Qualification" column:

"Yes" means that the instrumentation has been seismically qualified in accordance w ith the criteria stated in Subsection 7.5.6. For Design Category 2 and 3 instruments, "N/A" is en tered since there are no specific provisions for seismic qualification. Explanatory Notes:

A. Under the "Actual Range" column:

The calibrated range of the sensor is listed unless otherwise noted. H. Under the "QA" column:

Yes" means the instrumentation meets the QA requirements detailed in the Design Criteria section for the applicable design Category. B. Under the "Redundancy" column:

"Yes" means redundant fully qualified displays are available in the MCR. For Design Category 2 and 3 instrumentation, this column is marked "N/A" since there are no redundancy requirements for this instrumentation. I. Under the "Trending" column:

Yes" means that trend or transient information is required for operator informa tion or action based on our review of the plant-specific emergency response procedures and is available. "N/A" means that trend or transient information is not required for operator information or action based on our review of the plant-specific emergency response procedures. C. Under the "Power Supply" column:

The type of power supply for the instrumentation channels is listed. Since there are no specific provisions for the power supply for Design Category 3 instrumentation, "N/A" is marked in this column. J. Under the "Remarks/Notes" column: For each item number, any column entry with an asterisk is explained in the "Remarks/Notes" column. D. Under the "Display" column: The tag number of the available MCR display instrumentation is listed. For the TSC/EOF, display will be via CRTs video displays driven by the Main Plant Computer System (MPCS). Where an analog input to the MPCS is provided, its corresponding analog input number is specified. Where a digital input is provided, its corresponding digital input number is specified.

E. Under the "SB Category" column: The plant-specific design category for this instrumentation as determined from the review described in Subsection 7.5.4, is listed.

F. Under the "Environmental Qualification" column:

"Yes" means the instrumentation is included in the environmental qualification program. The appropriate requirements for each instrument are determined as part of this program. For Design Category 3 instrumentation, "N/A" is entered since there are no specific provisions for environmental qualifications.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-1 Revision:

Sheet: 15 37 of 37 FOOTNOTES (1) MCB indicator provides non redundant backup indication; MCB indicator is non Class 1E. (2) MCB recorder provides second trend display channel. MCB recorder is non Class 1E.

(3) MCB recorders LR-539 and LR-549 receive signals from transmittersLT-539 and LT-549, respectively. (4) Train A Plasma Display (RC-XX-7315-1,2&3) is installed fully qualified; Train B Plasma Display (RC-XX-7315-4) is essentially similar to seismically qualified display. Each ICCM cabinet (MM-CP-486A & 486B) has a local one-line display that is the fully qualified alternate display for ICCM variables. (5) MCB recorder provides backup historical recording. (Immediate trend or transient information not required for these channels.) MCB recorder is non Class 1E.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-2 Revision:

Sheet: 10 1 of 6 TABLE 7.5-2 CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORM AL OPERATION INCLUDING OPERATIONAL OCCURENCES Parameter No. of Channels Available Range Indicated Accuracy (1) Indication Location Notes Nuclear Instrumentation 1. Source Range a. Count rate 2 1 to 10 6 counts/sec +/-7% of the linear full scale analog voltage Both channels

indicated and

recorded Control Board One eight-input recorder is provided for the two SR channels, two IR channels and four PR channels. b. Startup rate 2 -1.5 to +5.0 decades/ min

+/-7% of the

linear full scale analog voltage Both channels

indicated Control Board 2. Intermediate Range a. Current 2 10-11 to 10-3 +/-7% of the linear full scale analog voltage and +/-3% of the

linear full scale voltage in the

range of 10

-4 to 10-3 amps Both channels

indicated and

recorded Control Board b. Startup rate 2 -1.5 to +5.0 decades/ min

+/-7% of the

linear full scale analog voltage Both channels

indicated Control Board (1) These values are typical accuracies. Specific accuracies are accounted fo r in EOPs and supporting calculations.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-2 Revision:

Sheet: 10 2 of 6 Parameter No. of Channels Available Range Indicated Accuracy (1) Indication Location Notes 3. Power Range a. Uncalibrated ion chamber current(top and bottom uncompensated ion chambers) 4 0 to 120% of full power current +/-1% of full power current All 8 current signals

indicated.

NIS racks in control room

b. Average flux of the top and bottom ion chamber (% full

power) 4 0 to 120% of full power +/-3% of full

power for indication

+/-2% for recording All 4 channels

indicated and

recorded. Control Board c. Flux difference of the top and bottom ion chambers 4 -30 to 30% +/-4% All 4 channels indicated. Control Board Reactor Coolant System 1. T average (measured) 1/loop 530-630 F +/-4.4 F All channels

indicated Control Board Accuracy for one channel indication.

Higher accuracy (to 2.22F) is obtained by averaging multiple T avg indicators

2. T(measured) 1/loop 0 to 150% of full power T +/-4% of full

power T All channels

indicated

One channel is

selected for recording Control Board a. T cold or T hot(measured, wide range) 1-T hot' 1-T cold per loop 0 to 700 F +/-2.7% 4 T hot channels are recorded on 2 - two

pen recorders.

4 T cold channels are recorded on 2 - two

pen recorders. Control Board S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-2 Revision:

Sheet: 10 3 of 6 Parameter No. of Channels Available Range Indicated Accuracy (1) Indication Location Notes 3. Overpower T Setpoint 1/loop 0 to 150% of full power T +/-4% of full power T All channels

indicated One

channel is selected

for recording. Control Board 4. Overtemperature T Setpoint 1/loop 0 to 150% of full power T +/-4% of full

power T All channels

indicated One

channel is selected

for recording. Control Board 5. Pressurizer Pressure 4 1600 to 2500 psig +/-26 psi All channels indicated. One

channel is selected

for recording/control. Control Board 6. Pressurizer Level 3 Entire distance between taps +/-5.0 of span All channels indicated

One channel

dedicated recorder

One channel is

selected for recording/control. Control Board Two pen recorder used, second pen records reference level signal 7. Primary Coolant Flow 3/loop 0 to 120% of nominal flow 2.1% (2) All channels indicated Control Board 8. Reactor Coolant Pump Motor Current 1/loop 0 to 400 AC amps +/-1.6% All channels indicated Control Board One channel for each pump (2) Flow measurement uncertainty from calorimetric and flow normalization.

S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-2 Revision:

Sheet: 10 4 of 6 Parameter No. of Channels Available Range Indicated Accuracy (1) Indication Location Notes 9. System Pressure Wide Range 2 0 to 3000 psig +/-2.8% All channels indicated and recorded. Control Board Reactor Control System 1. Rod Speed 1 5 to 75 steps/min. +/-2% The one channel is indicated Control Board 2. Average T avg 1 530 to 630 F +/-4 F The one channel is

indicated Control Board Any one of the T avg channels into the summer may be bypassed

3. Treference 1 530 to 630 F +/-4 F The one channel is

indicated Control Board 4. Control Rod Position If system not available, borate and sample accordingly. a. Number of steps of demanded rod withdrawal 1/group 0 to 230 steps +/-1 step Each group is indicated during rod motion Control Board These signals are used in conjunction with the measured position signals (4b) to detect deviation of any individual rod from the demanded position. A deviation will actuate an alarm and annunciator. b. Full length rod measured position 1 for each 0 to 228 steps +/-4 steps Each rod position indicated. Control Board S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-2 Revision:

Sheet: 10 5 of 6 Parameter No. of Channels Available Range Indicated Accuracy (1) Indication Location Notes 5. Control Rod Bank Demanded Position 4 0 to 230 steps +/-2.5% of total All 4 control rod bank positions are recorded along with the low-low limit alarm for each bank. Control Board 1. One channel for each control bank 2. An alarm and annunciator is actuated when the last rod control bank to be

withdrawn reaches the withdrawal limit, when any rod control bank reaches the low insertion limit, and when any rod

control bank reaches the low-low insertion limit. Containment System 1. Containment Pressure 1 4 2 12 to 18 psia 0 to 60 psig

-5 to 160 psig +/-0.21 psia

+/-2.8%

+/-3.45% All 7 channels

indicated and 4 are

recorded. Control Board Narrow range (12 to 18 psia) indication is used for compliance with Tech Spec limits. Feedwater And Steam Systems 1. Emergency Feedwater Flow 1/feed line 0 to 600 gpm +/-22.5 gpm All channels indicated and

recorded. Control Board One channel to measure the flow to each steam generator. 2. Steam Generator Level (narrow range) 4/steam generator 0 to 100% +/-3.5% of P level (hot) All channels

indicated One channel has dedicated

recorder. The channels used for

control are recorded. Control Board 3. Steam Generator Level (wide range) 1/steam generator 0 to 100% +/-3.7% of level(hot) All channels recorded Control Board S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.5-2 Revision:

Sheet: 10 6 of 6 Parameter No. of Channels Available Range Indicated Accuracy (1) Indication Location Notes 4. Steam Generator Level Signal +7 to -5 feet +/-4%

The one channel is indicated.

5. Main Feedwater Flow 2/steam generator 0 to 5x10 6 lbs/hr +/-5% All channels indicated The channels used for

control are recorded. Control Board 6. Magnitude of Signal Controlling Main and Bypass Feedwater Control Valves 1/main 1/bypass 0 to 100% of valve opening

+/-1.5% All channels indicated Control Board 1. One channel for each main and bypass feedwater control valve

2. OPEN/CLOSED indication is provided in the control room for each main and bypass feed water control valve 7. Steam Flow 2/steam generator 0 to 5x10 6 lbs/hr +/-5.5% All channels indicated The channels used for

control are recorded. Control Board Accuracy is equipment capability; however, absolute accuracy depends on

applicant calibration against feedwater

flow. 8. Steam Line Pressure 3/loop 0 to 1300 psig +/-3.4% All channels indicated and 1 is

recorded. Control Board 9. Steam Dump Demand 1 0-100% of steam dump valves open

+/-1.5% The one channel is indicated Control Board OPEN/CLOSED indication is provided in the control room for each steam dump valve 10. Turbine Impulse Chamber Pressure 2 0 to 860 psig +/-3.5% Both channels indicated. Control Board OPEN/CLOSED indication is provided in the control room for each turbine stop valve S EABROOK S TATION UFSAR INSTRUMENTATION AND CONTROLS TABLE 7.7-1 Revision:

Sheet: 12 1 of 1 TABLE 7.7-1 PLANT CONTROL SYSTEM Designation Derivation Function C-1 1/2 Neutron flux (intermediate range) above setpoint Blocks automatic and manual control rod withdrawal C-2 1/4 Neutron flux (power range) above setpoint Blocks automatic and manual control rod

withdrawal Blocks automatic control rod withdrawal C-5 1/1 Turbine impulse chamber pressure below setpoint Prevents automatic control (rod-out) when turbine load is below 15 percent C-7A 1/1 Time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint Makes steam dump valves available for either tripping or modulation C-9 Any condenser pressure above setpoint, orAll circulation water pump breakers open Blocks steam dump to condenser C-11 1/1 Bank D control rod position above setpoint Blocks automatic rod withdrawal C-16 Reduce limit in coolant temperature above normal setpoint Stops automatic turbine loading until condition clears P-4 Reactor trip Blocks steam dump control via load rejection T avg controller Makes steam dump valves available for either tripping or modulation Limits main feedwater pump speed to a predetermined value. Absence of P-4 Blocks steam dump control via plant trip T avg controller

S EABROOK S TATION U PDATED F INAL S AFETY A NALYSIS R EPORT C HAPTER 7 INSTRUMENTATION AND CONTROLS F IGURES Control BoardSwitchesTrain B IVIII II I IV III II I I IIIIIIVIIIIIIIVMasterand Slave RelaysActuate Train B SafeguardsTo Rod Drive Mechanisims RodControl SystemComputerDemuxSolid State LogicSolid State LogicActuateTrain ASafeguardsRodControlM-G SetsControl BoardDemux CabinetMasterandSlave RelaysControl BoardSwitchesTrain AInputLogicOutputIsolationControlBoardMonitoringInputRelaysComputerMonitoring"OR" CableIsolationInputLogicOutputProtectionSystemTrain AProtectionSystemTrain BContainment WallProcessSensorsRadiation Monitoring SystemNuclear Instrumentation System Process Instrumentation SystemBistablesTrip Bkr BBypassBrk B UV UV UV UVTripBkr ASTA STABypass Brk ASignalProcessingChannelChannelChannelChannel SHTRSHTRG:\Word\Images_P\UFSAR\711.ds4 Protection System Block Diagram S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.1-1

MechanicalLink and BarrierMechanicalLink andBarrierMechanicalLink andBarrierMain ControlBoardMain ControlBoardMain ControlBoardMain ControlBoardMomentaryMomentaryMomentaryMomentaryMomentaryMomentaryReset ReactorTrip (A)Reset ReactorTrip (B)Trip (A)Trip (B)Reset (A)Reset (B)Trip (A)Trip (B)Reactor Trip (A)and Shunt CoilTo (A) Reactor Trip SWGRReactor Trip (A) and Undervoltage Coil to (A) LogicCabinet SSPSReactor Trip (B)and Shunt Coil To (B) ReactorTrip SWGRReactor Trip (B) and UndervoltageCoil to (B) Logic Cabinet SSPSG:\Images_P\UFSAR\712.ds4 Reactor Trip/Engineered Safety Features Actuation Mechanical Linkage S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.1-2

Index and Symbols with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-1 See 1-NHY-509041

Reactor Trip Signals with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-2 See 1-NHY-509042

Nuclear Instrumentation and Manual Trip Signals with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-3 See 1-NHY-509043

Nuclear Instrumentation Perm issives and Blocks with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-4 See 1-NHY-509044

Reactor Coolant Trip Signals with Functional Diagrams

[2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Rev. 12 Figure 7.2-5 Sh. 1 of 2 See 1-NHY-509045 Sh.1 Reactor Coolant Trip Signals with Functional Diagrams

[2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Rev. 12 Figure 7.2-5 Sh. 2 of 2 See 1-NHY-509045 Sh.2

Reactor Coolant Pressurizer Signals with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-6 See 1-NHY-509046

Feedwater Steam Generator Trip Signals with Functional Diagrams [2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-7 Sh. 1 of 2 See 1-NHY-509047 Sh.1 Feedwater Steam Generator Trip Signals with Functional Diagrams [2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-7 Sh. 2 of 2 See 1-NHY-509047 Sh.2

Safeguards Actuation Signals with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-8 See 1-NHY-509048

Rod Control and Blocks with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-9 See 1-NHY-509049

Main Steam Dump Control with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-10 See 1-NHY-509050

Reactor Coolant Pressurizer Pressure and Level Control with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-11 See 1-NHY-509051

Reactor Coolant Pressurizer Heater Control with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-12 See 1-NHY-509052

Feedwater Control and Isolation with Functional Diagrams

[2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-13 Sh. 1 of 2 See 1-NHY-509053 Feedwater Control and Isolation with Functional Diagrams

[2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-13 Sh. 2 of 2 See 1-NHY-509054

Emergency Feedwater Pumps Startup with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-14 See 1-NHY-509055

Feedwater Turbine Trip/Runback with Functional Diagrams S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Rev. 12 Figure 7.2-15 See 1-NHY-509056

C B 2 B 1 A 2 A 1 I A 1 , A 2 - Limit of F ( I) Deadband B 1 , B 2 - Slope of Ramp: Determines Rate at Which Function-Reaches its Maximum Value Once Deadband is Exceeded C - Magnitude of Maximum Value The Function May Attain- Neutron Flux Difference Between Upper and Lower Long Ion Chambers If ( )G:\Word\Images_P\UFSAR\7216.ds4 Setpoint Reduction Function for Overpower and Overtemperature T Trips S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.2-16

ActuatorsActuatorsSlaveRelay SlaveRelay SlaveRelaySlaveRelayMotorStartersMotorStartersBreaker PumpMotorsMotor OperValvesSolenoidValvesMotor OperValvesSolenoidValves SlaveRelay MasterRelayLogicCircuitInputRelayBistableSignalProcessingSensorProcess Instrumentation System SSPSRedundant SSPS TrainFinal Device or Actuator TestingMaster Relay TestingLogic TestingIndicationOperational TestingChannel CheckChannel CalibrationG:\Images_P\UFSAR\731.ds4 Typical Engineered Safety Features Test Circuits S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.3-1

G:\Images_P\UFSAR\732.ds4Contact Location Scheme 1 2 3 4 5 WTest Light DS*

Dev 3Illuminated Pushbutton Switchwith 28V Lamp No. 327(Except as Noted)Rear of Panel 1 5 4Key 3 2General Notes:*1. Circuitry and Hardware for Redundant Protection Trains "A" and "B" Test Cabinets Are Duplicate Except As Noted A - Train "A" Only B - Train "B" Only2. In Details A & B the Symbol

  • Reprensents the Suffix Numbers of the Device Referenced. Example: K* SPS Relay, K601, K602, etc. K (0) Operating Coil K (R) Reset Coil S* STC Test Switch S802, S834, etc. K8* STC Relay, K811, K817, etc. DS* STC Light, DS8009, DS8077, etc.3. Detail A" & B" Type Circuits Are Detailed on the Schematics, "Detail B" circuits will be Substituted For "Detail A" Circuits Where Required.Location LegendSPS Solid State Protection SystemSTC Safeguards Test Cabinet X Swgr, MCC, Auxiliary Relay Rack, etc.ASC Auxiliary Safeguards Cabinet(x)120 VAC (SPS)

SPSSTCJ801 L21 L22 STCJ801 SPS(N)K*(0)K*

(R)J802K8*S*ResetJ802120 VACS821 X STC(1)K8*STC(2)SPS K*SPS STC X X1 X2125 VDC X STCSTC SPS SPS STC X W W V 1(3)(4)3 DS *2 1 3 DS

  • 2K8*(5)(6)K*(7)(8)All Varistors

Are GEV130LA20ATyp. Terminal NumbersL21L22 S*Rest K8*S821J802 SPSSTCJ801 K*

(0)K*

(R)Y2125 VDCSTC X(12)(10)W G V 1 3 DS *2K8*V 1 3 DS *2 SPS SPS STC STC K*(11)Typ. TerminalNumbers (9)XAll Varistors AreGEV130LA20ADetail A Typical Protection Actuation Circuit Blocking Schemes(Contact Closure For Actuations)*Details A And B Of This Figure Are Not To Be Confused With Alpha Designation Of Logic Trains A and BDetail B Typical Protection Actuation Circuit Blocking Schemes(Contact Opening For Actuation)

Engineered Safeguards Test Cabinet (Index, Notes and Legend) S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.3-2

G:\Images_P\USFAR\761.ds4 ANDOPENNORM CLOSEMain Control BoardSpring Return To Norm From Open PT405Close ValvesClosest To RHROpen ValvesClosest To RHR** Prevent Open SetpointLO To HI HeadCrossover Valve ClosedRCS Pressure, HI**

NOTE:Logic For Valves In Each Fluid System Train Is IdenticalPT - Pressure Transmitter Located Outside Containment Logic Diagram for Outer RHRS Isolation Valve (RC-V23 and V88) S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-1

G:\Word\Images_P\USFAR\762.ds4 ANDOPENNORM CLOSEMain Control BoardSpring Return To Norm From Open PT403Close ValvesClosest To RCSOpen ValvesClosest To RCS** Prevent Open SetpointLO To HI HeadCrossover Valve ClosedRCS Pressure, HI**

NOTE:Logic For Valves In Each Fluid System Train Is IdenticalPT - Pressure Transmitter Located Outside Containment Logic Diagram for Inner RHRS Isolation Valve (RC-V22 and V87) S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-2

G:\Word\Images_P\USFAR\763.ds4 ORSafetyInjectionSignal ANDSafety InjectionSignalSafety Injection System Unblock PressureSignal (RCS Pressure)*

OPEN AUTO CLOSEControl Board Switch Maintain Close, Spring Return From Open To Auto ANDOpenCloseAccumulator IsolationValve* This Interlock Indicates The Method Of Applying Automatic Opening Of The Valve, Whenever The RCS Pressure Exceeds A Limit. This Signal Automatically Occurs At RCS Pressures Above The SI Unblock Pressure Used To Derive P-11.

Functional Block Diagram of Accumulator Isolation Valve S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-3

G:\Word\Images_P\USFAR\764.ds4InitiateECCS/CBS Recirc.Signal(Cont. OnFig 7.6-4 Sh.2)2/4 AND"S" SignalCS Reset LB-930E: RWST Tank Level LO-LOLB-931ELB-932ELB-933ERWST Level Channel Bistables1) Normally De-Energized2) De-Energized on Loss of Power

3) Trip Signal Provided When Energized4) Energized on LO-LO Level Set Point Safety Injection System Recirculation Sump and RHR Suction Isolation Valves [2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-4 Sh. 1 of 2

G:\Word\Images_P\UFSAR\7642.ds4Interlock TableValveInterLock WithRHR Inner ISO ValveRHR Outer ISO ValveTrain A BRC-V23RC-V88RC-V87RC-V22 CBS-V8CBS-V14Applicable ValveDescriptionSump to RHR Pump P-8ASump to RHR Pump P-8B CBS-V8CBS-V14Prot System:ECCS/CBSRecirc.Signal(FromFig. 7.6-4 Sh.1)Main Control BoardSpring Return To Auto From CloseCLOSEAUTOOPEN OR AND OR OR AND ANDOpen ValveClose ValveRHR Outer Iso.Valve ClosedRHR InnerIso. ValveClosed Safety Injection System Recirculation Sump and RHR Suction Isolation Valves [2 Sheets]

S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-4 Sh. 2 of 2

Refueling Water Storage Tank (RWST) Level Sensor Installation S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-5

Diagram Showing Generating Plant Variable Processing for Low Temperature Interlocks for RCS Pressure Control S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-6

ATWS Mitigation System Actuation Logic S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.6-7

AVERAGETEMPERATUREUNIT LOOP 1 T AVG = T H + T C 2 THOT LEG TCOLD LEG THOT LEG TCOLD LEGAVERAGETEMPERATUREUNIT LOOP 2 T AVG = T H + T C 2 THOT LEG TCOLD LEG THOT LEG TCOLD LEGAVERAGETEMPERATUREUNIT LOOP 3 T AVG = T H + T C 2AVERAGETEMPERATUREUNIT LOOP 4 T AVG = T H + T C 2SUMMING UNITAVERAGE T AVG LEAD-LAGCOMPENSATION UNITAVERAGE TAVGTO STEAMDUMP SYSTEMTO PRESSURIZERLEVELPROGRAMMERNUCLEAR POWER SIGNALTURBINE LOADSIGNALPOWERMISMATCHCOMPENSATION UNITTURBINE LOAD SIGNALAVERAGETEMPERATUREPROGRAMMERROD SPEED UNITSEQUENTIAL RODCONTROL UNIT(AUTOMATICCONTROL)PERMISSIVE CIRCUIT(ROD INTERLOCK)CONTROL RODACTUATORCONTROL RODDRIVE MECHANISMMANUALRODCONTROLREACTOR TRIPBREAKER 1REACTOR TRIPBREAKER 2 ROD DRIVEPOWER REDUNDANTTRIP SIGNALNOTES:1.TEMPERATURES AREMEASURED AT STEAMGENERATORS INLET AND OUTLET.2.PRESSURE ISMEASURED AT THE PRESSURIZER.3.THOT LEG IS THEAVERAGE OF THREE HOT LEG RTDs.G:\Work UFSAR_NATIVE\Drawings\771.vsd Simplified Block Diagram of Reactor Control System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-1

~ !"#~ $%&# &"% '#'(& %(% Control Rod Bank Insertion Monitor S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Rev. 12 Figure 7.7-2

Rod Deviation Comparator S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-3

Block Diagram of Pressurizer Pressure Control System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-4

LEVELPROGRAMMERPID CONTROLLERPI CONTROLLERREMOTE MANUALCONTROLPRESSURIZER WATERLEVEL SIGNALHEATERCONTROLCHARGINGFLOW SIGNALCHARGING FLOW CONTROLVALVE POSITIONAVERAGE TAVGG:\WORK UFSAR_NATIVE\DRAWINGS\775 Block Diagram of Pressurizer Level Control System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-5

Block Diagram of Steam Generator Water Level Control System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-6

Block Diagram of Main Feedwater Pump Speed Control System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Rev. 12 Figure 7.7-7

G:\Work UFSAR_NATIVE\drawings\778.ds4Steam Dump Control in Manual(Steam Pressure Control)Turbine Impulse Stage Pressure P-4ReactorTripRate/LagCompensationLoad RejectionBistable TAvgNo-LoadLead/LagCompensationAverage TAvgReference TAvgDefeat LoadRejection SteamDump Control;Allow Plant TripSteam Dump ControlSteamHeaderPressureSetPressurePlant TripControllerBistablesBistablesLoad RejectionControllerLoad RejectionControl OrPlant TripControlTrip Open Steam Dump ValvesAuto (TAvgControl Modulate CondenserDump ValvesManual (Steam Pessure Control)Air Supply ToDump Valves PIControllerLoad RejectionControl OrPlant TripControl (-)(-)(+)(+)(-)NOTE: For Blocking, Unblocking Signal To Condenser Steam Dump Valves See Figure 7.2.10 Block Diagram of Steam Dump Control System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-8

Basic Flux-Mapping System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Rev. 13 Figure 7.7-9 007_Figure 07-09 Jan. 7, 2010

  • Detector assemblies also contain five fixed gamma and neutron flux detectors connected to the Fixed Incore Detector Data Acquisition System (FIDDAS) and one core exit thermocouple connected to the Inadequate Core Cooling (ICC) monitor.
    • Calibration tubes and interconnecting tubing may be disconnected from the isolation valves and plugged.
      • Replacement detector assemblies do not have a functional path for the movable system.

G:\Images_P\USFAR.7714.ds4ReactorControlSystemPulserMasterCycler SlaveCycler 1 BDSlaveCycler 2 BD PowerCabinet1 BD PowerCabinet2 BDLife CoilDisconnectSwitchesControl Bank DGroup 1Control Bank DGroup 2BankSelector Bank OverlapManual SwitchMultiplex Circuits tt/2OffOffLiftingLiftingGroup 1Group 2Normal Sequencing of Groups Within Bank 1 NOTE:Only Cabinets 1BDAnd 2BD Shown. For

More Complete Diagram Including Power Cabinets 1AC, 2AC, And SCD.

See FP 54022 Simplified Block Diagram - Rod Control System S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-14

~~ABC A B C A B CABCLift CoilsMultiplexThyristorControlBank DGroup 1Power Cabinet 1BD120 VACLife CoilDisconnect Switches X 1MultiplexThyristorsControlBank D Group 2Power Cabinet

2 BD120 VACLife CoilDisconnectSwitchesLift Coils X 2MovableGripper CoilsStationaryGripperCoilsG:\Word\Images_P\UFSAR\7715.ds4 Control Bank D - Partial Simplified Schematic Diagram of Power Cabinets 1BD and 2BD S EABROOK S TATION UPDATED F INAL SAFETY ANALYSIS R EPORT Figure 7.7-15

Retrieved from "https://kanterella.com/w/index.php?title=ML13134A083&oldid=1391398"