Redacted - Updated Final Safety Analysis Report (UFSAR) Part 2 - November 2015

ML16083A453
Person / Time
Site:	Pilgrim
Issue date:	11/30/2015
From:	Entergy Nuclear Operations
To:	Booma Venkataraman Plant Licensing Branch 1
Ventkataraman V, DORL/LPLI-I, 415-2934
Shared Package
ML16083A494	List: ML16083A448 ML16083A453 ML16083A461 ML16083A464 ML16083A469 ML16083A471
References
CAC MF7229
Download: ML16083A453 (876)
v • d • e

Text

PNPS-FSAR 7.3 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM 7.3.1 Safety Objective To provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barrier, the Primary Containment and Reactor Vessel Isolation Control System initiates automatic isolation of appropriate pipelines which penetrate the primary containment whenever monitored variables exceed preselected operational limits.

A gross failure of the fuel barrier would allow the escape of fission products from the fuel. A gross failure of the nuclear system process barrier could allow the escape of gross amounts of reactor coolant. The loss of coolant could lead to overheating and failure of the fuel. For a gross failure of the fuel, the Primary Containment and Reactor Vessel Isolation Control System initiates isolation of the reactor vessel to contain released fission products. For a gross breach in the nuclear system process barrier outside the primary containment, the Isolation Control System acts to interpose additional barriers (isolation valve closure) between the reactor and the breach, thus stopping the release of radioactive materials and conserving reactor coolant. For gross breaches in the nuclear system process barrier inside the primary containment, the Primary Containment and Reactor Vessel Isolation Control System acts to close off release routes through the primary containment barrier, thus trapping the radioactive material coming through the breach inside the primary containment.

7.3.2 Definitions See FSAR Section 5.2.3.5.1 for the primary containment isolation valve classes.

7.3.3 Safety Design Bases

1. To limit the uncontrolled release of radioactive materials to the environs, the Primary Containment and Reactor Vessel Isolation Control System shall, with precision and reliability, initiate timely isolation of penetrations through the primary containment structure which could otherwise allow the uncontrolled release of radioactive materials whenever the values of monitored variables exceed preselected operational limits.

2. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, the Primary Containment and Reactor Vessel Isolation Control Systems shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.

3. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, an adequate number of sensors shall be 7.3-1 Rev. 30 - Nov. 2015

PNPS-FSAR provided for monitoring essential variables that have spatial dependence.

4. To provide assurance that conditions indicative of a gross failure of the nuclear system process barrier are detected with sufficient timeliness and precision to fulfill safety design basis 1, the Primary Containment and Reactor Vessel Isolation Control System inputs shall be derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.

5. The time required for closure of the main steam line isolation valves shall be short, so that the release of radioactive material and the loss of coolant as a result of a breach of a steam line outside the primary containment are minimal.

6. The time required for closure of the main steam isolation valves shall not be so short that inadvertent isolation of steam lines causes excessive fuel damage or excessive nuclear system pressure. This basis ensures that the main steam isolation valve closure speed is compatible with the ability of the Reactor Protection System (RPS), and Pressure Relief System to protect the fuel and nuclear system process barrier.

7. To provide assurance that closure of Class A and Class B automatic isolation valves is initiated, when required, with sufficient reliability to fulfill safety design basis 1, the following safety design bases shall be specified for the systems controlling Class A and Class B automatic isolation valves:

a. No single failure within the Isolation Control System shall prevent isolation action when required to satisfy safety design basis 1

b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not impair the functional ability of the Isolation Control System to respond correctly to essential monitored variables

c. The system shall be designed for a high probability that, when any essential monitored variable exceeds the isolation setpoint, the event shall either result in automatic isolation or shall not impair the ability of the system to respond correctly as other monitored variables exceed their trip points

d. Where a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more Isolation Control System channels designed to provide protection against the unsafe condition, the remaining portions of the Isolation Control 7.3-2 Rev. 30 - Nov. 2015

PNPS-FSAR System shall meet the requirements of safety design bases 1, 2, 3, and 7a

e. The power supplies for the Primary Containment and Reactor Vessel Isolation Control System shall be arranged so that loss of one supply cannot prevent automatic isolation when required

f. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Return to normal operation after isolation action shall require deliberate operator action

g. There shall be sufficient electrical and physical separation between trip channels monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly

h. Earthquake ground motions shall not impair the ability of the Primary Containment and Reactor Vessel Isolation Control System to initiate automatic isolation. See Section 7.1.6

8. To assure that the timely isolation of main steam lines is accomplished, when required, with extraordinary reliability, the following safety design bases are specified:

a. The motive force for achieving valve closure for one of the two tandem mounted isolation valves in an individual steam line shall be derived from a different energy source than that for the other valve

b. At least one of the isolation valves in each of the steam lines shall not rely on continuity of any variety of electrical power for the motive force to achieve closure

9. To reduce the probability that the operational reliability and precision of the Primary Containment and Reactor Vessel Isolation Control System will be degraded by operator error, the following safety design bases are specified for Class A and Class B automatic isolation valves:

a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables shall be under the control of the control room operator or other supervisory personnel

b. The means for bypassing channels, logics, or system components shall be under the control of 7.3-3 Rev. 30 - Nov. 2015

PNPS-FSAR the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact will be continuously indicated in the control room

10. To provide the operator with means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier, it shall be possible for the control room operator to manually initiate isolation of the primary containment and reactor vessel.

11. To provide the operator with the means to assess the condition of the primary containment and Reactor Vessel Isolation Control System, and to identify conditions indicative of a gross failure of the nuclear system process barrier, the following bases shall be specified:

a. The Primary Containment and Reactor Vessel Isolation Control System shall be designed to provide the operator with information pertinent to the status of the system

b. Means shall be provided for prompt identification of channel and trip system responses

12. It shall be possible to check the operational availability of each essential channel, logic, and trip system during reactor operation.

7.3.4 Description 7.3.4.1 Identification The primary containment and reactor vessel isolation control system includes the sensors, channels, switches, and remotely activated valve closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment or reactor vessel, or both. It should be noted that the control systems for those Class A and B isolation valves which close by automatic action pursuant to the safety design bases are the main subjects of this section. However, Class C remotely operated isolation valves are included because they add to the operator's ability to effect manual isolation. Testable check valves are also included because they provide the operator with an ability to check that the valve disk can respond to reverse flow. The primary containment and reactor vessel isolation control system is designed to comply with the intent of IEEE-279 and the Commission's Proposed General Design Criteria. Refer to Appendix F and Appendix J for additional details.

7.3.4.2 Power Supply The power for the channels and logics of the isolation control system is supplied from the RPS motor generator sets, the station batteries and the unit preferred power system. Isolation valves 7.3-4 Rev. 30 - Nov. 2015

PNPS-FSAR receive power from standby power sources. Power for the operation of two valves in a pipeline is fed from different sources. In most cases one valve is powered from an ac bus of appropriate voltage, and the other valve is powered by dc from the station batteries.

The main steam isolation valves, described in detail later, use ac, dc, and pneumatic pressure in the control scheme. Table 5.2-4 lists the power supply for each isolation valve.

7.3.4.3 Physical Arrangement Table 5.2-4 lists the pipelines that penetrate the primary containment and indicates the types and locations of the isolation valves installed in each pipeline. Figure 4.3-2 (BECo M252) identifies some of these pipelines. Pipelines which penetrate the primary containment and directly communicate with the reactor vessel generally have two Class A isolation valves, one inside the primary containment and one outside the primary containment. Pipelines which penetrate the primary containment and which communicate with the primary containment free space, but which do not communicate directly with the reactor vessel, generally have two Class B isolation valves located outside the primary containment. Class A and Class B automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the nuclear system process barrier. Process pipelines that penetrate the primary containment, but do not communicate directly with the reactor vessel, the primary containment free space, or the environs, have at least one Class C isolation valve located outside the primary containment which may close either by process action (reverse flow) or by remote manual operation. Table 5.2-4 presents information about all piping penetrations in the primary containment. Only the controls for the automatic isolation valves are discussed in this part of the safety analysis report. The valves, which are the subject of this text, are specifically identified in the detailed descriptions which follow.

Power cables are run in conduits or trays from appropriate electrical sources to the motor or solenoid involved in the operation of each isolation valve. The control arrangement for the main steam line isolation valves includes pneumatic piping and an accumulator for those valves for which air is considered the emergency source of motive power for closing. Pressure and water level sensors are mounted on instrument racks in either the reactor building or the turbine building. Valve position switches are mounted on the valve for which position is to be indicated.

Switches are enclosed in cases to protect them from environmental conditions. Cables from each sensor are routed in conduits and cable trays to the control room. All signals transmitted to the control room are electrical; no pipe from the nuclear system or the primary containment penetrates the control room. Pipes used to transmit level information from the reactor vessel to sensing instruments terminate inside the secondary containment (reactor building). The sensor cables and power supply cables are routed to cabinets in the cable spreading room and control room where the logic arrangement of the system is formed.

7.3-5 Rev. 30 - Nov. 2015

PNPS-FSAR To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control systems required for the automatic closure of Class A and Class B valves are designed as Class 1 equipment as described in Section 12 and Appendix C. This meets safety design basis 7h.

7.3.4.4 Logic The basic logic arrangement for essential trip functions is one in which an automatic isolation valve is controlled by two trip systems. Where many isolation valves close on the same signal, two trip systems control the entire group. Where just one or two valves must close in response to a special signal, two trip systems may be formed from the instruments provided to sense the special condition.

Valves that respond to the signals from common trip systems are identified in the detailed descriptions of isolation functions.

Each trip system has a pair of logics. Each logic receives input signals from at least one channel for each monitored variable.

Thus, two channels are required for each essential monitored variable to provide independent inputs to the logic of one trip system. A total of four channels for each essential monitored variable is required for the logics of both trip systems. This description is not applicable to the HPCI and RCIC steam supply low pressure isolation logics. These logics provide an operational interlock and are not intended to perform a primary containment isolation function. Figures 7.3-2 and 7.3-3 illustrate typical isolation control arrangements for motor-operated valves and for the main steam line isolation valves.

The actuators associated with one logic pair provide inputs into each of the actuator logics for that trip system. Thus, either of the two logics associated with one trip system can produce a trip system trip. The logic is a 1-out-of-m arrangement, where m may be 2 or more.

To initiate valve closure, the actuator logics of both trip systems must be tripped. The overall logic of the system could be termed one-out-of-two taken twice.

The basic logic arrangement just described does not apply to Class C isolation valves and testable check valves. Exceptions to the basic logic arrangement are made in several instances for certain Class A and Class B isolation valves as described below.

7.3.4.5 Operation During normal operation of the station, when isolation is not required, sensor and trip contacts essential to safety are closed; channels, and trip logics are normally energized. Whenever a channel sensor contact opens, its auxiliary relay deenergizes, causing contacts in the trip logic to open. The opening of contacts in the logic deenergizes its actuator. When deenergized, the actuator trip relay opens a contact in an actuator logic. If a trip then occurs in either of the logic pairs of the other trip system, another actuator logic is deenergized. With both trip systems 7.3-6 Rev. 30 - Nov. 2015

PNPS-FSAR tripped, appropriate contacts open or close in valve control circuitry to actuate the valve closing mechanism. Automatic isolation valves that are normally closed receive the isolation signal as well as those valves that are open. This fail safe logic is not applicable to the HPCI and RCIC systems since these systems may be required to perform a safety function during a loss of AC power. HPCI and RCIC isolation logics are therefore DC powered and energize to actuate. Additionally, RHR isolation (Group III) is not entirely fail-safe since it must perform its safety function during a loss of AC power and therefore isolation logic is DC powered and energize to actuate. The control system for each Class A isolation valve is designed to provide closure of the valve in time to prevent uncovering the fuel as a result of a break in the pipeline which the valve isolates. The control systems for Class A and Class B isolation valves are designed to provide closure of the valves with sufficient rapidity to restrict the release of radioactive material to the environs below the guideline values of applicable regulations.

All automatic Class A and Class B valves and remotely operable Class C valves can be closed by manipulating switches in the control room, thus providing the operator with means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier. This meets safety design basis 10.

Once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate switches in the control room to reopen a valve which has been automatically closed. Unless manual override features are provided in the manual control circuitry, the operator cannot reopen the valve until the conditions which initiated isolation have cleared. This is the equivalent of a manual reset and meets safety design basis 7f.

A trip of an isolation trip system channel is annunciated in the control room so that the operator is immediately informed of the condition. The response of isolation valves is indicated by "open-closed" lights. All motor-operated Class A and Class B isolation valves whose primary function is to isolate, have two sets of "open-closed" lights. One set is located near the manual control switches for controlling each valve from the control room panel. A second set is located in a separate central isolation valve position display in the control room. The positions of air-operated isolation valves are displayed in the same manner as motor-operated valves.

Inputs to annunciators, indicators, and the computer are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system. Signals directly from the isolation control system sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the primary containment and reactor vessel isolation control system satisfies safety design bases 11a and 11b.

7.3-7 Rev. 30 - Nov. 2015

PNPS-FSAR The control room indication provided to assess the condition of the isolation control system satisfies IEEE-279 paragraphs 4.19 and 4.20 in the following manner:

1. Identification of Protection Actions (IEEE-279 paragraph 4.19)

Protective actions (here interpreted to mean dropout of a single sensor relay) are directly indicated and identified by action of the sensor relay. The relay has an identification tag and a clear glass front window that permits convenient visible verification of the relay position. Any one of the sensor relays also actuates an annunciator, so that no single channel "trip" (relay dropout) will go unnoticed. Either of these indications (annunciation and visible verification relay actuation) fulfills the requirements of this criterion

2. Information Readout (IEEE-279 paragraph 4.20)

The information presented to the operator by the primary containment and reactor vessel isolation control system are:

a. Annunciation of each process variable which has reached a trip point

b. Relay position for trips on main steam line tunnel temperature or main steam line excess flow

c. Control power failure annunciation on each channel

d. Annunciation of steam leaks in each of the five systems monitored, i.e., main steam, reactor water cleanup, residual heat removal (RHR), high pressure coolant injection (HPCI), and reactor core isolation coolant (RCIC)

e. Open and closed position lights for each isolation valve

f. Drywell pressure and temperature indicators

g. Torus water temperature

h. Torus water level Additional information is available to the operator for monitoring reactor vessel pressure, reactor vessel water level, neutron flux, and control rod positions 7.3.4.6 Isolation Valve Closing Devices and Circuits Table 7.3-1 itemizes the type of closing device provided for each isolation valve intended for use in automatic or remote manual isolation of the primary containment or reactor vessel. To meet the requirement that automatic Class A valves be fully closed in time to prevent the reactor vessel water level from falling below the top of the active fuel as a result of a break of the pipeline which the valve isolates, the valve closing mechanisms are designed to give 7.3-8 Rev. 30 - Nov. 2015

PNPS-FSAR the closing rates specified on Table 7.3-1. In many cases a "standard" closing rate is adequate to meet isolation requirements.

Because of the relatively long time required for fission products to reach the containment atmosphere following a break in the nuclear system process barrier inside the primary containment, a "standard" closure rate is adequate for the automatic closing devices on Class B isolation valves.

Motor operators for Class A and Class B isolation valves are selected with capabilities suitable to the physical and environmental requirements of service. The required valve closing rates were considered in designing motor operators. Appropriate torque and limit switches are used to ensure proper valve seating.

Handwheels, which are automatically disengaged from the motor operator when the motor is energized, are provided for local manual operation.

Direct solenoid operated isolation valves and solenoid air pilot valves are chosen with electrical and mechanical characteristics which make them suitable for the service for which they are intended. Appropriate watertight or weathertight housings are used to ensure proper operation under accident conditions.

Closure of the isolation valve in the pneumatic supply line to the drywell is annunciated to alert the operator as to the loss of air condition.

The main steam isolation valves are spring closing, pneumatic, piston operated valves designed to close upon loss of pneumatic pressure to the valve operator. This is a fail safe design. The control arrangement is shown on Figures 7.3-3 and 7.3-4. Closure time for the valves is adjusted between 3 and 5 sec. Each valve is piloted by two, three-way, packless, direct acting, solenoid-operated pilot valves: one powered by AC, the other by DC. An accumulator is located close to each isolation valve to provide pneumatic pressure for valve operation to preclude challenges to ECCS due to inadvertent air loss during operation.

The valve pilot system and the pneumatic pipe lines are arranged so that, when one or both solenoid-operated pilot valves are energized, normal air supply provides pneumatic pressure to the air-operated pilot valve to direct air pressure to the main valve pneumatic operator. This overcomes the closing force exerted by the spring.

When both pilots are deenergized, as would be the result of both trip systems tripping or placing the manual switch in the closed position, the path through which air pressure acts is switched so that the opposite side of the valve operator is pressurized, thus assisting the spring in closing the valve. In the event of air supply failure, the loss of air pressure will cause the air operated pilot valve to move by spring force to the position resulting in main valve closure. Main valve closure is then effected by means of the air stored in the accumulator and by the spring.

Air pressure, acting alone, and the force exerted by the spring, acting alone, are each capable of independently closing the valve.

The isolation valves inside the primary containment (inboard) are 7.3-9 Rev. 30 - Nov. 2015

PNPS-FSAR designed to close under either pneumatic pressure or spring force with the vented side of the piston operator at the containment peak accident pressure. The outboard valve is exactly the same design, although it will be subjected only to atmospheric pressures. The accumulator volume was chosen to provide enough pressure to close the valve when the pneumatic supply to the accumulator has failed.

The supply line to the accumulator is large enough to make up pressure to the accumulator at a rate faster than the valve operation bleeds pressure from the accumulator during valve opening or closing.

A separate, single, solenoid-operated pilot valve with an independent test switch is included to allow manual testing of each isolation valve from the control room. The testing arrangement is designed to give a slow closure of the isolation valve being tested to avoid rapid changes in steam flow and nuclear system pressure.

Slow closure of a valve during testing requires 50 to 60 seconds.

The valve mechanical design is discussed further in Section 4.6, Main Steam Line Isolation Valves (MSIVs).

Four additional keylock switches (one for each logic channel) are provided to facilitate testing of the MSIV pilot valve logic circuits.

7.3.4.7 Isolation Functions and Settings The isolation allowable setpoints of the Primary Containment and Reactor Vessel Isolation Control System are listed on Table 7.3-2.

The functions that initiate automatic isolation are itemized on Table 7.3-1 in terms of the pipelines that penetrate the primary containment. This latter table includes all pipelines of concern for isolation purposes. Although this section is concerned with the electrical control systems that initiate isolation to prevent direct release of radioactive material from the primary containment or nuclear system process barrier, the additional information given on Table 7.3-1 can be used to assess the overall (electrical and mechanical) isolation effectiveness of each system having pipelines which penetrate the primary containment. Isolation functions and trip settings used for the electrical control of isolation valves in fulfillment of the previously stated safety design bases are discussed in the following paragraphs. The role each isolation function plays in initiating isolation of barrier valves or groups of valves is illustrated in the functional control diagrams on Figures 7.3-5 and 7.3-6.

1. Reactor Vessel Low Water Level A low water level in the reactor vessel could indicate that either reactor coolant is being lost through a breach in the nuclear system process barrier, or that the normal supply of reactor feedwater has been lost and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Reactor vessel low water level initiates closure of various Class A and Class B valves. The closure of Class A valves is intended to either isolate a breach in any of the 7.3-10 Rev. 30 - Nov. 2015

PNPS-FSAR pipelines in which valves are closed or conserve reactor coolant by closing off process lines. The closure of Class B valves is intended to prevent the escape of radioactive materials from the primary containment through process lines which are in communication with the primary containment free space.

Two reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel. See Table 7.3-1, Signals A and B. The first reactor vessel low water level isolation trip setting, which occurs at a higher water level than the second setting, initiates closure of all Class A and Class B valves in major process pipelines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core. The second and lower reactor vessel low water level isolation trip setting completes the isolation of the primary containment and reactor vessel by initiating closure of the main steam isolation valves, and any other Class A or Class B valves that must be shut to isolate minor process lines.

The first low water level setting, which is coincidentally the same as the reactor vessel low water level scram setting, was selected to initiate isolation at the earliest indication of a possible breach in the nuclear system process barrier, yet far enough below normal operational levels to avoid spurious isolation.

Isolation of the following pipelines is initiated when reactor vessel low water level falls to this first setting.

Torus Vacuum Breakers Traversing incore probe RHR reactor shutdown cooling suction Reactor water sample lines Drywell equipment drain sump discharge Drywell floor drain sump discharge Reactor water cleanup Drywell purge inlet and makeup gas*, **

Drywell main exhaust Suppression chamber exhaust valve bypass*, **

Suppression chamber purge inlet and makeup gas*, **

Suppression chamber main exhaust 7.3-11 Rev. 30 - Nov. 2015

PNPS-FSAR Drywell exhaust valve bypass*, **

RHR-LPCI supply RHR to Radwaste Containment atmosphere sampling lines

• Containment makeup and ventilation valves are also provided for use following an accident condition. These are remote manual operated. Refer to Section 5.4.3.

• • The reactor water low level isolation signal can be by-passed. These valves may be opened anytime provided the low-low water level signal is not present.

The second and lower of the reactor vessel low water level isolation settings was selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram, and high enough to complete isolation in time for the operation of CSCS in the event of a large break in the nuclear system process barrier.

This second low water level setting is low enough that partial losses of feedwater supply would not unnecessarily initiate full isolation of the reactor, thereby disrupting normal shutdown or recovery procedures. Isolation of the following pipelines is initiated when the reactor vessel water level falls into this second setting.

All four main steam lines:

Main steam line drain Reactor water sample line A high water level in the reactor vessel indicates that the reactor is overfilled and the steam lines are in danger of being flooded with water. The high water level isolation signal is to protect against rapid depressurization due to a malfunction of the pressure regulator system during start-up when pressure is below 782 psig.

This high water level isolation is not functional when the mode switch is in the run position. The reactor high water level initiates isolation of:

All four main steam lines:

Main steam line drain Reactor water sample line Reactor vessel high water level also shuts down the RCIC and HPCI turbines. Refer to Sections 4.7 and 7.4, respectively.

2. Deleted 7.3-12 Rev. 30 - Nov. 2015

PNPS-FSAR

3. Main Steam Line Space High Temperature High temperature in the space in which the main steam lines are located outside of the primary containment could indicate a breach in a main steam line. The automatic closure of various Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperatures occur in the main steam line space, the following pipelines are isolated. (See Table 7.3-1, Signal D):

All four main steam lines Main steam line drain Reactor water sample line The main steam line space high temperature trip is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

4. Main Steam Line High Flow Main steam line high flow could indicate a break in a main steam line. The automatic closure of various Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of main steam line high flow, the following pipelines are isolated:

All four main steam lines Main steam line drain Reactor water sample line The main steam line high flow trip setting is selected high enough to permit the isolation of one main steam line for test at rated power without causing an automatic isolation of the rest of the steam lines, yet low enough to permit early detection of a steam line break. See Table 7.3-1, Signal D.

5. Low Steam Presssure at Turbine Inlet Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves open fully. See Table 7.3-1, Signal P.

The termal stresses associated with excessive depressurization could result in a significant increase in the nuclear system process barrier's lifetime fatigue usage factor. Also, excessive depressurization would permit sufficient level swell to trap water in the main steamline between the in-board MSIVs and the SRVs, requiring SRVs to discharge either liquid or 7.3-13 Rev. 30 - Nov. 2015

PNPS-FSAR two-phase flow. SRVs are only designed for saturated steam with less than 1% moisture.

A rapid depressurization of the reactor vessel while the reactor is near full power could also result in undesirable differential pressures across the channel around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventative action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid excessive depressurization, the steam pressure at the turbine inlet is monitored and upon falling below a preselected value with the reactor in the RUN mode initiates isolation of the following pipelines:

All four main steam lines Main steam drain line Reactor water sample line The low steam pressure isolation setting is selected far enough below normal turbine inlet pressures to avoid spurious isolation yet high enough to provide timely detection of a pressure regulator malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.

An evaluation that demonstrates the adequacy of the isolation setting of 750 psig is included in Reference 1. The actual analytical limit is calculated to be 782 psig.

6. Primary Containment (drywell) High Pressure High pressure in the drywell could indicate a breach of the nuclear system process barrier inside the drywell. The automatic closure of various Class B valves prevents the release of significant amounts of radioactive material from the primary containment. Upon detection of a high drywell pressure, the following pipelines are isolated. See Table 7.3-1, Signal F.

Torus Vacuum Breakers Traversing incore probe RHR shutdown cooling suction Reactor water sample lines Drywell equipment drain sump discharge Drywell floor drain sump discharge Drywell purge inlet and makeup gas*, **

7.3-14 Rev. 30 - Nov. 2015

PNPS-FSAR Drywell main exhaust Suppression chamber exhaust valve bypass*, **

Suppression chamber purge inlet and makeup gas*, **

Suppression chamber main exhaust Drywell exhaust valve bypass*, **

RHR-LPCI supply RHR to Radwaste Containment atmosphere sampling lines The primary containment high pressure isolation setting is selected to be as low as possible without inducing spurious isolation trips. See Table 7.3-1, Signal F.

• Containment makeup and ventilation valves are also provided for use following an accident condition. These are remote manual operated. Refer to Section 5.4.3.

• • The reactor water low level isolation signal can be by-passed. These valves may be opened anytime provided the low-low water level signal is not present.

7. RCIC System Equipment Space High Temperature High temperature in the vicinity of the RCIC System equipment could indicate a break in the RCIC steam line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.

When high temperature occurs near the RCIC System equipment, the RCIC turbine steam line is isolated. The high temperature isolation setting is selected far enough above anticipated normal RCIC system operational levels to avoid spurious operation but low enough to provide timely detection of a RCIC turbine steam line break. See Table 7.3-1, Signal K.

8. RCIC Turbine High Steam Flow RCIC turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant, and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RCIC system turbine high steam flow, the RCIC system turbine steam line is isolated. The high steam flow trip setting is selected high enough to avoid spurious isolation yet low enough to provide timely detection of a RCIC turbine steam line break. See Table 7.3-1, Signal K.

7.3-15 Rev. 30 - Nov. 2015

PNPS-FSAR The logic arrangement used for this function is shown on Figure 7.3-7 and is an exception to the usual logic requirement because high steam flow is the second method of detecting a RCIC turbine steam line break.

9. RCIC Turbine Steam Line Low Pressure RCIC turbine steam line low pressure is used to automatically close the two isolation valves in the RCIC turbine steam line, so that steam and radioactive gases will not escape from the RCIC turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that at which the RCIC turbine can operate effectively. This isolation is an operational interlock not required for safety. See Table 5.2-4, Signal K.

10. HPCI System Equipment Space High Temperature High temperature in the vicinity of the HPCI system equipment could indicate a break in the HPCI system turbine steam line.

The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs near the HPCI system equipment, the HPCI system turbine steam supply line is isolated. The high temperature isolation setting is selected far enough above anticipated normal HPCI system operational levels to avoid spurious isolation, but low enough to provide timely detection of a HPCI turbine steam line break. See Table 5.2-4, Signal L.

11. HPCI Turbine High Steam Flow HPCI turbine high steam flow could indicate a break in the HPCI turbine steam line. The automatic closure of certain class A valves prevents the excessive loss of reactor coolant, and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of HPCI turbine high steam flow the HPCI turbine steam line is isolated. The high steam flow trip setting is selected high enough to avoid spurious isolation, yet low enough to provide timely detection of a HPCI turbine steam line break. See Table 5.2-4, Signal L.

The logic arrangement used for this function, shown on Figure 7.3-7, is an exception to the usual logic requirement, because high steam flow is the second method of detecting a HPCI turbine steam line break.

12. Low Reactor Vessel Pressure Low reactor vessel pressure is used to automatically close the two isolation valves in the HPCI turbine steam line, so that steam and radioactive gases will not escape from the HPCI 7.3-16 Rev. 30 - Nov. 2015

PNPS-FSAR turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that where the HPCI turbine can operate efficiently. This isolation is an operational interlock not required for safety. See Table 5.2-4, Signal AA.

13. Reactor Water Cleanup System Space High Temperature High temperature in the vicinity of the reactor water cleanup (RWCU) equipment and piping could indicate a break in a RWCU line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs near the RWCU equipment, the RWCU system is isolated. The high temperature isolation setting is selected far enough above anticipated normal system operational levels to avoid spurious isolation, yet low enough to provide timely detection of a line break. See Table 5.2-4, Signal J.

14. Reactor Water Cleanup System High Flow RWCU high flow could indicate a break in a RWCU line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant, and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RWCU high flow, the RWCU line is isolated. The high flow trip setting and time delay setting were selected high enough to avoid spurious isolation, yet low enough to provide timely detection of line break. See Table 5.2-4, Signal J.

15. High Reactor Vessel Pressure High reactor vessel pressure is used to automatically close the two isolation valves in the RHR pumps' shutdown cooling suction piping and the two isolation valves in the shutdown cooling head spray line so that the RHR low pressure piping will not be threatened by overpressurization. The isolation setpoint is chosen at a pressure below where the RHR piping could be overpressurized and the maximum differential pressure associated with the suction isolation valves is not exceeded.

The RHR inboard injection valve control circuit uses the negation of this signal as a permissive for the shutdown cooling mode. See Table 5.2-4, Signal U.

16. Low Reactor Vessel Pressure AND High Drywell Pressure Low reactor vessel pressure AND high drywell pressure are used to automatically close the two isolation valves in the HPCI turbine exhaust vacuum breaker line. The low reactor vessel pressure isolation setpoint was chosen to coincide with the pressure at which the HPCI system would trip. See Table 5.2-4, Signal N.

7.3-17 Rev. 30 - Nov. 2015

PNPS-FSAR 7.3.4.8 Instrumentation Sensors providing inputs to the Primary Containment and Reactor Vessel Isolation Control System are not used for the automatic control of process systems, thus separating the functional control of protection systems and process systems. Channels are physically and electrically separated to assure that a single physical event cannot prevent isolation. Channels for one monitored variable that are grouped near to each other provide inputs to different isolation trip systems. Figures 7.3-2, 7.3-3, and 7.3-7 through 7.3-12 illustrate typical arrangements of channels, logics, and valve closing mechanism circuitry for Isolation Control Systems. Figures 7.3-5 and 7.3-6 illustrate in detail the functional arrangement of channels used to initiate isolation of various groups of valves.

Table 7.3-2 lists instrument characteristics. Figures 7.3-14 through 7.3-24 illustrate how the many different channels and logics are typically combined to form the Isolation Control System. On Figures 7.3-14 through 7.3-24, the key contacts and relays have been consistently identified so that tracing the action of the isolation control circuitry from sensor through valve control is possible.

Not all isolation valve controls are illustrated on Figures 7.3-14 through 7.3-24; however, sufficient illustration of typical controls is given that the general arrangement for any isolation valve control circuit is included.

1. Reactor vessel low water level signals are initiated from four differential pressure transmitters which sense the difference between the pressure due to a constant reference column of water, and the pressure due to the actual water level in the vessel. An analog trip unit actuated by each of the four transmitters is used to indicate that water level has decreased to the first and higher low water level isolation setting; another analog trip unit actuated by each of the four transmitters is used to indicate that water level has decreased to the second and lower of the two low water level isolation settings. Reactor vessel high water level signals are initiated from analog trip units activated from the same transmitters. The four transmitters and respective trip units for each level setting are arranged in pairs; each transmitter/trip unit in a pair provides a signal to a different trip system. Two pipelines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The two pairs of pipelines terminate outside the primary containment in the Reactor Building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The reactor vessel low water level transmitters sense level from these pipes. This arrangement assures that no single physical event can prevent isolation when required. Cables from the level sensors are routed to the analog trip cabinets in the Cable Spreading Room. Level instrumentation sensing lines inside the drywell have been designed with a minimum vertical drop to reduce error due to high drywell temperature.

2. Deleted.

7.3-18 Rev. 30 - Nov. 2015

PNPS-FSAR

3. High temperature in the vicinity of the main steam lines is detected by bimetallic temperature switches located in the main steam line tunnel ventilation exhaust duct and in the turbine basement area. The detectors are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment. An additional temperature sensor is located near each set of four detectors for remote temperature readout and alarm. The temperature sensors activate an alarm at high temperature and upon loss of power, operate to give the alarm condition. The main steam line space temperature detection system is designed to detect leakage greater than 10 gal/min in the main steam tunnel and 150 gal/min in the condenser compartment. Figure 7.3-8 illustrates in general terms the instruments used to detect high temperatures in the main steam line space. Figure 7.3-9 illustrates how temperature switches are combined to form a typical single channel. A total of four main steam line space high temperature channels are provided. Each main steam line isolation logic receives an input signal from one main steam line space high temperature channel. See Section 7.3.4.8.1.

4. High flow in each main steam line is sensed by four differential pressure transmitters which sense the pressure difference across the flow restrictor in that line. Figure 7.3-10 illustrates the general arrangement of instruments used to sense the flow in a single main steam line. Figure 7.3-11 illustrates how the 16 differential pressure transmitters and respective trip units are combined to form four channels.

Each main steam line isolation logic receives an input signal from one main steam line high flow channel.

5. Main steam line low pressure is sensed by four pressure transmitters which sense pressure downstream of the outboard main steam isolation valves. The sensing point is located at the header that connects the four steam lines upstream to the turbine stop valves. Each transmitter and respective trip unit is part of an independent channel. Each channel provides a signal to one isolation logic.

6. Primary containment pressure is monitored by four non-indicating pressure transmitters which are mounted on instrument racks outside the drywell. Pipes that terminate in the reactor building connect the transmitters with the drywell interior. Cables are routed from the transmitter to the analog trip cabinets. The transmitters and respective trip units are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event will prevent isolation due to primary containment high pressure.

7. High temperature in the vicinity of the RCIC equipment is sensed by two sets of four bimetallic temperature switches.

Each set is arranged as two trip systems. Figure 7.3-7 illustrates how temperature switches are combined to form a typical temperature channel. Each trip system receives input 7.3-19 Rev. 30 - Nov. 2015

PNPS-FSAR signals from two temperature trip channels. Both trip channels in either one of two trip systems must trip to initiate isolation. An additional temperature sensor is located near each set of four detectors for remote temperature read out and alarm. Figure 7.3-8 illustrates in general terms the instruments used to detect high RCIC area temperatures. See Section 7.3.4.8.1.

8. High flow in the RCIC turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the RCIC turbine steam supply pipeline. The arrangement is illustrated on Figure 7.3-

12. The tripping of either trip channel initiates isolation of the RCIC turbine steam line. This exception to the usual channel arrangement is because high steam flow is the second method of detecting a steam line break, high RCIC equipment space temperature being the first.

9. Low pressure in the RCIC turbine steam line is sensed by four pressure switches from the RCIC turbine steam line upstream of the isolation valves. The four switches are arranged in a one-out-of-two taken twice logic in a single trip system.

This trip is not considered a PCIS function. The logic is one-out-of-two taken twice to preclude inadvertent system isolation due to instrument failure, and to insure isolation even if a single instrument fails.

10. High temperature in the vicinity of the HPCI equipment is sensed by two sets of four bimetallic temperature switches.

Each set is arranged as two trip systems. Figure 7.3-7 illustrates how temperature switches are combined to form a typical temperature channel. Each trip system receives input signals from two temperature trip channels. Both trip channels in either one of two trip systems must trip to initiate isolation. An additional temperature sensor is located near each set of four detectors for remote temperature read out and alarm. Figure 7.3-8 illustrates in general terms the instruments used to detect high HPCI area temperature.

See Section 7.3.4.8.1.

11. High flow in the HPCI turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the HPCI turbine steam pipeline. The arrangement is illustrated on Figure 7.3-12.

The tripping of either switch initiates isolation of the HPCI turbine steam line. This exception to the usual sensor arrangement is because high steam flow is the second method of detecting a steam line break, high HPCI equipment space temperature being the first.

12. High temperature in the spaces occupied by the RHR (shutdown cooling) and piping outside the primary containment is sensed by temperature detectors that provide readout and activate alarms only, indicating possible pipe breaks.

7.3-20 Rev. 30 - Nov. 2015

PNPS-FSAR A typical arrangement is shown on Figure 7.3-8. Automatic isolation on high temperature is not required since the reactor vessel low water level isolation function is adequate in preventing the release of significant amounts of radioactive material in the event that either of these two systems suffers a breach.

13. High temperature in the vicinity of the RWCU system is sensed by four sets of two bimetallic temperature switches. A set of two temperature switches is installed in each of the four areas to be monitored; each set is a one-out-of-two trip system and capable of initiating isolation.

14. High flow in the RWCU system supply line is sensed by two differential pressure switches which monitor the pressure difference across an elbow installed in the RWCU system supply line. The arrangement of the differential pressure switches is similar to that shown on Figure 7.3-12. The tripping of either switch initiates isolation of the RWCU system.

15. Reactor high pressure is sensed by two pressure transmitters which monitor reactor pressure at the steam portion of the reactor vessel. These transmitters provide analog signals to the rosemount analog trip units which are used to automatically isolate the shutdown cooling. These switches are also used as a permissive in the Group III isolation of the RHR injection inboard valves.

16. Low reactor pressure is sensed by four pressure transmitters which are mounted on instrument racks outside the drywell.

The transmitters provide electrical signals to analog trip units located in the cable spreading room. The tripping of either the "A" or "B" division of these trip units will initiate isolation of the HPCI steam line, HPCI pump suction line, and turbine exhaust drain pot line. When in conjunction with the high drywell pressure, the HPCI turbine exhaust vacuum breaker line will also isolate.

Channel and logic relays are high reliability relays equal to type GP and EGP relays made by Agastat and HFA and CR120A relays made by the General Electric Company. The relays are selected so that the continuous load will not exceed 50 percent of the continuous duty rating.

7.3.4.8.1 High Temperature Sensors The location, spatial independence, and resistance to spurious tripping of the high temperature sensors in the main steamline, HPCI turbine steamline and RCIC turbine steamline are detailed in this section.

Table 7.3-3 lists the areas outside the primary containment where main steam, HPCI, and RCIC steam lines are routed. This table also lists the leak detection sensors, summarizes the physical separation of sensors, and specifies the set points at which isolation of the respecting steam line would be initiated.

7.3-21 Rev. 30 - Nov. 2015

PNPS-FSAR Potential leak sources and rates which would initiate isolation are as follows:

7.3-22 Rev. 30 - Nov. 2015

PNPS-FSAR Main Steam Tunnel This area contains feedwater, cleanup, and main steam piping.

Isolation of the main steam lines will be initiated at ventilation exhaust temperatures from the main steam tunnel of 160F to 170F, which would result from steam leaks equivalent to 10 gal/min and greater. The feedwater and cleanup systems normally operate at approximately 1,000 psig with 400F water. Leakage of about 40 gal/min from either of these water systems would cause an area temperature increase and initiation of main steam isolation. If ventilation exhaust temperatures did not decrease following main steam line isolation, then the presence of leakage from another system would be suspected and further actions taken to identify the source of the suspected leak.

Condenser Compartment Leak This area contains main steam piping, extraction steam piping, and feedwater piping. Temperature sensors are provided in the main ventilation exhaust from this area to isolate the main steam lines at temperatures of 140F to 150F. This would correspond to steam leaks of approximately 150 gal/min or greater.

HPCI Turbine Area This area contains only HPCI system components. Isolation of the HPCI steam line will be initiated at ventilation exhaust temperatures of 160F to 170F. This would result from a steam leak equivalent to approximately 10 gal/min or greater.

HPCI Valve Station Area This area contains both HPCI and RHR system piping. Isolation of the HPCI steam line will be initiated at ventilation exhaust temperatures of 160F to 170F. This would result from a steam leak equivalent to approximately 10 gal/min or greater. The RHR system piping contains water sufficiently hot to flash and increase ventilation exhaust temperatures to the leak detection setpoint only when operating in the shutdown cooling mode. Therefore, RHR Leakage would not cause isolation of the HPCI system when it is required to be operable. The shutdown cooling mode of RHR operation does not operate above a reactor pressure of about 75 psig, while the HPCI system does not operate below a pressure of about 50 psig.

RCIC Turbine Area This area contains RCIC system components only. Isolation of the RCIC steam line will be initiated at space temperatures of 160F to 170F, which would result from a steam leak equivalent to approximately 10 gal/min or greater.

RCIC Valve Station Area This area contains RCIC piping and various cold water lines associated with other systems. Isolation of the RCIC steam line 7.3-23 Rev. 30 - Nov. 2015

PNPS-FSAR will be initiated at a space temperature of 190F to 200F, which would result from a steam leak of approximately 10 gal/min. A leak from the other piping in this area would be cold water and would not cause an area temperature increase and spurious isolation of the RCIC steam line.

Torus Compartment Area This area contains both HPCI and RCIC steam lines in addition to the "cold" water lines associated with other systems. The HPCI and RCIC steam lines are separated by a minimum distance of approximately 65 ft.

Protection against the continued spurious isolation of either the HPCI or RCIC steam supply line due to leakage in the torus compartment is provided by establishing a temperature differential between the initiation setpoints of the temperature switches in the torus compartment ventilation exhaust ducts in combination with operating procedures.

Analytical limits are listed in Table 7.3-2 for the sensors associated with the RCIC steam line and trip settings of 190F to 200F are specified for those associated with the HPCI steam line.

This difference in trip settings allows preferential isolation of the RCIC steam line in the event of a small leak, and permits the HPCI system to remain operable.

Isolation of the RCIC system due to steam line leakage:

a. If the leak occurs in the RCIC system piping, the RCIC steam line temperature would decrease and thus prevent HPCI system Isolation at the higher exhaust duct temperature

b. If the leak occurs in the HPCI system piping, the HPCI steam line temperature would continue to increase and isolate the HPCI system. The operator would subsequently return the RCIC system to service Simultaneous isolation of HPCI and RCIC system steam supply lines could be postulated to occur as a result of a large RCIC system leak in the immediate vicinity of the exhaust plenum from the torus compartment, resulting in a rapid temperature increase to the HPCI analytical limit before the RCIC system steam line isolation valves were completely closed. However, analysis indicates that high RCIC steam flow would isolate the RCIC steam line before the HPCI temperature setpoint was reached.

Distinguishing between an RCIC and an HPCI steam line leak, assuming both lines were simultaneously isolated, would be possible by opening each line in succession and observing the temperature effect on the local sensors. The nonleaking system could then be returned to service. The temporary isolation of both the RCIC and HPCI steam supply lines as a result of a steam leak within the torus compartment is acceptable since neither system would be required to perform its function of providing coolant makeup to the reactor 7.3-24 Rev. 30 - Nov. 2015

PNPS-FSAR vessel. The isolation of the leaking steam line would limit coolant losses from the reactor vessel without disrupting normal plant operation. The specified settings will initiate RCIC isolation upon steam leaks of approximately 40 gal/min and greater.

7.3.4.9 Environmental Capabilities The physical and electrical arrangement of the Primary Containment and Reactor Vessel Isolation Control System was selected so that no single physical event will prevent isolation. The location of Class A and Class B valves inside and outside the primary containment provides assurance that the control system for at least one valve on any pipeline penetrating the primary containment will remain capable of automatic isolation. Electrical cables for isolation valves in the same pipeline are routed separately. Motor operators for valves inside the primary containment are of the totally enclosed type; those outside the primary containment have weatherproof type enclosures. Solenoid valves, whether used for direct valve isolation or as an air pilot, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation resistant insulation.

Shielded cables are used where necessary to eliminate interference from electromagnetic fields.

Special consideration has been given to isolation requirements during a loss of coolant accident inside the drywell. Components of the Primary Containment and Reactor Vessel Isolation Control System that are located inside the primary containment and that must operate during a loss of coolant accident are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a loss of coolant accident environment.

Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the Isolation Control System only after completion of environmental testing under loss of coolant accident conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

Verification that the isolation equipment has been designed, built, and installed in conformance to the specified criteria is accomplished through quality control and performance tests in the vendor's shop or after installation at the station before startup, during startup, and thereafter during the service life of the equipment.

Control is also exercised through review of equipment design during bid review and by approval of vendor's drawings during the fabrication stage. Purchase specifications require extensive control of materials and of the fabrication procedure.

7.3-25 Rev. 30 - Nov. 2015

PNPS-FSAR 7.3.5 Safety Evaluation The Primary Containment and Reactor Vessel Isolation Control System, in conjunction with other protection systems, is designed to provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barriers. It is the objective of Section 14, Station Safety Analysis, to identify and evaluate postulated events resulting in gross failure of the fuel barrier and the nuclear systems process barrier. The consequences of such gross failures are described and evaluated in that section.

Tentative trip settings are selected that are far enough above or below normal operating levels that spurious isolation and operating inconvenience are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within acceptable bounds by those trip settings. Trip setting selection is based on operating experience and constrained by the safety design basis and the safety analyses.

Section 14 shows that the actions initiated by the Primary Containment and Reactor Vessel Isolation Control System, in conjunction with other safety systems, are sufficient to prevent releases of radioactive material from exceeding the guide values of published regulations. Because the actions of the system are effective in restricting the uncontrolled release of radioactive materials under accident situations, the Primary Containment and Reactor Vessel Isolation Control System meets the precision and timeliness requirements of safety design basis 1.

Because the Primary Containment and Reactor Vessel Isolation Control System met the precision and timeliness requirements of safety design basis 1 using instruments with the characteristics described on Table 7.3-2, it is concluded that safety design basis 2 was met.

Temperatures in the spaces occupied by various steam lines outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to the primary containment and reactor vessel isolation control system. The large number of temperature sensors and their dispersed arrangement near the steam lines requiring this type of break protection provide assurance that a significant break will be detected rapidly and accurately. One of the two groups of four temperature switches is located in the ventilation exhaust from the steam line tunnel between the drywell and the secondary containment ventilation barrier and the other group of four temperature switches is located in the ventilation exhaust from the turbine basement area. This assures that abnormal air temperature increases are detected regardless of leak location in that space. It is concluded that the number of sensors provided for steam line break detection satisfies safety design basis 3.

Because the Primary Containment and Reactor Vessel Isolation Control System meets the timeliness and precision requirements of safety design basis 1 by monitoring variables that are true, direct 7.3-26 Rev. 30 - Nov. 2015

PNPS-FSAR measures of operational conditions, it is concluded that safety design basis 4 is satisfied.

Section 14 evaluates a gross breach in a main steam line outside the primary containment during operation at full power. The evaluation shows that the main steam lines are automatically isolated in time to prevent a release of radioactive material in excess of the guide values of published regulations and to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed. The time required for automatic closure of the main steam isolation valves meets the requirements of safety design basis 5.

The shortest closure time of which the main steam valves are capable is 3 sec. The transient resulting from a simultaneous closure of all main steam isolation valves in 3 sec during reactor operation at full power is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in a small fraction of 1 sec) coincident with failure of the turbine bypass system.

The RPS is capable of accommodating the transient resulting from the inadvertent closure of the main steam line isolation valve. This conclusion is substantiated by Section 14. This meets safety design basis 6.

The items of safety design bases 7, 8, and 9 must be fulfilled for the Primary Containment and Reactor Vessel Isolation Control System to meet the design reliability requirements of safety design basis

1. It has already been shown that safety design bases 7f and 7h have been met. The remainder of the reliability requirement is met by a combination of logic arrangement, sensor redundancy, wiring scheme, physical isolation, power supply arrangement, and environmental capabilities. These subjects are discussed in the following paragraphs.

Because essential variables are monitored by four channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from achieving isolation. An analysis of the Isolation Control System shows that the system does not fail to respond to essential variables as a result of single electrical failures such as short circuits, ground, and open circuits. A single trip system trip is the result of these failures. Isolation is initiated upon a trip of the remaining trip system. For some of the exceptions to the usual logic arrangement, a single failure could result in inadvertent isolation of a pipeline. With respect to the release of radioactive material from the nuclear system process barrier, such inadvertent valve closures are in the safe direction and do not pose any safety problems.

HPCI, RCIC, and RHR primary containment isolation logics are single failure proof with an energize to actuate design. Any single failure can only affect closure of one of two containment isolation valves. This meets Safety Design Bases 7a and 7b.

7.3-27 Rev. 30 - Nov. 2015

PNPS-FSAR The redundancy of channels provided for all essential variables provides a high probability that whenever an essential variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all channels for one essential variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings. This meets Safety Design Basis 7c.

The sensors, circuitry, and logics used in the primary containment and reactor vessel isolation control system are not used in the control of any process system. Thus, malfunction and failures in the controls of process systems have no direct effect on the isolation control system. This meets Safety Design Basis 7d.

The various power supplies used for the isolation system logic circuitry and for valve operation provide assurance that the required isolation can be effected in spite of power failures. If AC for valves inside the primary containment is lost, DC is available for operation of valves outside the primary containment.

The main steam isolation valve control arrangement is resistant to both AC and DC power failures. Because both solenoid-operated pilot valves must be deenergized, loss of a single power supply will neither cause inadvertent isolation nor prevent isolation if required.

The logic circuitry for each channel is powered from the separate sources available from the reactor protection system buses, the uninterruptible AC power supply, or the 125V DC buses (for HPCI, RCIC, and RHR). A loss of power here results in a single trip system trip. In no case does a loss of a single power supply prevent isolation when required. This meets Safety Design Basis 7e.

All instruments, valve closing mechanisms, and cables of the isolation control system can operate under the most unfavorable environmental conditions associated with normal operation. The discussion of the effects of rapid nuclear system depressurization on level measurement given in Section 7.2, Reactor Protection System, is equally applicable to the reactor vessel low water level transmitters used in the primary containment and reactor vessel isolation control system. The temperature, pressure, differential pressure, and level switches, transmitters, trip units, cables, and valve closing mechanisms used were selected with ratings that make them suitable for use in the environment in which they must operate.

The special considerations (treated in the description portion of this section) made for the environmental conditions resulting from a loss of coolant accident inside the drywell are adequate to ensure operability of essential isolation components located inside the drywell.

The wall of the primary containment effectively separates adverse environmental conditions which might otherwise affect both isolation valves in a pipeline. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given pipeline. The 7.3-28 Rev. 30 - Nov. 2015

PNPS-FSAR previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part. Electrical transients have no significant effect on the functioning of the isolation control system. It is concluded that safety design basis 7g is satisfied.

The design of the main steam isolation valves meets the requirement of safety design basis 8a in that the motive force for closing each main steam line isolation valve is derived from both a source of pneumatic pressure and the energy stored in a spring. Either energy source is capable, alone, of closing the valve. None of the valves relies on continuity of any sort of electrical power to achieve closure in response to essential safety signals. Total loss of the power used to control the valves would result in closure. This meets safety design basis 8b.

Calibration and test controls for pressure and temperature switches, transmitter and analog trip units are located on the devices themselves. These devices are located in the turbine building and reactor building. To gain access to the setting controls on each device, a cover plate, access plug, or sealing device must be removed by operations personnel before any adjustment in trip settings can be effected. The location of calibration and test controls in areas under the control of the control room operator or other supervisory personnel reduces the probability that operational reliability will be degraded by operator error. This meets safety design basis 9a. Because no manual bypasses are provided in the isolation control system, safety design basis 9b is met.

Because safety design bases 7, 8, and 9 have been met, it can be concluded that the Primary Containment and Reactor Vessel Isolation Control System satisfies the reliability requirement of safety design bases 10, 11a, and 11b as shown in the description of the system. The following section on inspection and testing of the system demonstrates that safety design basis 12 is satisfied.

It is concluded that all safety design bases are met.

7.3.6 Inspection and Testing All essential parts of the primary containment and reactor vessel isolation control system are testable during reactor operation.

Isolation valves can be tested to assure that they are capable of closing by operating manual switches in the control room and observing the position lights and any associated process effects.

Testing of the main steam line isolation valves is discussed in Section 4.6, Main Steam Line Isolation Valves.

7.3.7 Nuclear Safety Requirements for Plant Operation Table 7.3-4 presents the operational nuclear safety requirements for the primary containment and reactor vessel isolation control system for boiling water reactor (BWR) operating states C, D, E, and F as proposed for initial plant operation.

7.3-29 Rev. 30 - Nov. 2015

PNPS-FSAR The entries on Table 7.3-4 represent an extension of the stationwide BWR systems analysis of Appendix G to the components of the Primary Containment and Reactor Vessel Isolation Control System. The following referenced portions of this safety analysis report provide important information justifying the entries on Table 7.3-4:

Reference Information Provided

1. Preceding parts of Description of primary Section 7.3 containment and reactor vessel isolation control system hardware; isolation control system sensor setpoints

2. Station Safety Analysis, Analysis verifying response of Section 14 isolation control system to transients and accidents

3. Station Nuclear Safety Identifies conditions and events Operational analysis, for which isolation control Appendix G system action is required

4. Jacobs, I.M., Guidelines Describes methods used to for Determining Safe Test establish allowable repair Intervals and Repair times Times for Engineering Safeguards, General Electric Company, Atomic Power Equipment Department, April 1969, (APED-5736)

Each detailed requirement on Table 7.3-4 is referenced, where possible, to the most significant condition originating the need for the requirement by identifying a matrix block on Table G.5-3. The matrix block references, given in parentheses beneath the detailed requirements in the "minimum required for action" columns on Table 7.3-4 are coded as follows:

Example of Matrix

Reference:

F21-73

° ° °

---

F - BWR operating state F

---

Event (row 21)

-- Isolation Control System (column 73)

In most cases, the basis for an operational nuclear safety requirement is clear from the information provided by the previously noted references. The Isolation Control System requirements in operating states C, D, E, and F result from considerations for the main steam line break accident, the loss of coolant accident, or lesser cases of these two design basis accidents. In general, the requirements for the isolation functions are applicable only when the nuclear system is pressurized, because only under this condition are pipe breaks postulated. In addition, operability of the various 7.3-30 Rev. 30 - Nov. 2015

PNPS-FSAR isolation components is necessary only when the associated lines are unisolated. The following paragraphs give additional information about some of the less obvious operational nuclear safety requirements.

The requirements of items 7.3.1, 7.3.2, and 7.3.4 of Table 7.3-4 are applicable only when any of the affected lines are unisolated. The requirement for the main steam line low pressure isolation function, item 7.3.6 on Table 7.3-4, is applicable only in operating State F and only when the mode switch is in RUN. If the mode switch is not in RUN, this isolation function is bypassed; operating State F is the only state in which the RUN position is utilized as part of planned operation.

The surveillance test and calibration frequencies for the instrumentation of the Primary Containment and Reactor Vessel Isolation Control System are selected on the same basis as for the Reactor Protection System. See Section 7.2.6. The Radiation Monitoring Systems are treated in Section 7.12.

The surveillance test frequencies for the automatic isolation valves of the Primary Containment and Reactor Vessel Isolation Control System are contained in the Technical Specifications referenced in Appendix B. The frequencies are based upon the need to prevent the uncovering of the core following pipe breaks outside the primary containment, the need to contain released fission products following pipe breaks inside the primary containment, the reliability of the valves, and the potential service experience of the valves. The valves of the system are highly reliable and have low service requirements; many of the valves are normally closed. Successful passing of the surveillance tests for the valves essential to reactor vessel isolation requires that they close within specified closure times.

The full system test at each refueling outage (state A) requires that each initiating function for isolation be tested to demonstrate that all the automatic valves associated with an initiating function actually close upon receipt of the isolation signal.

7.3.8 Current Technical Specifications The current limiting conditions for operation, surveillance requirements, and their bases are contained in the Technical Specifications referenced in Appendix B.

7.3.9 References

1. NEDO-31296, "Safety Evaluation of MSIV Low Turbine Inlet Pressure Isolation Setpoint Change for Pilgrim Nuclear Power Station," General Electric Company, May 1986.

7.3-31 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4 CORE STANDBY COOLING SYSTEMS CONTROL AND INSTRUMENTATION 7.4.1 Safety Objective The controls and instrumentation for the Core Standby Cooling Systems (CSCS) initiate appropriate responses from the various cooling systems so that the fuel is adequately cooled under abnormal or accident conditions. The cooling provided by the systems restricts the release of radioactive materials from the fuel by limiting the extent of fuel damage following situations in which reactor coolant is lost from the nuclear system.

Even after the reactor is shut down from power operation by the full insertion of all control rods, heat continues to be generated in the fuel as radioactive fission products decay. An excessive loss of reactor coolant would allow the fuel temperature to rise, cladding to melt, and fission products in the fuel to be released. If the temperatures in the reactor rose to a sufficiently high value, a metal (zirconium)-water reaction could occur this would release energy. Such a reaction would increase the pressure inside the nuclear system and the primary containment. This could threaten the integrity of the barriers which are relied upon to prevent the uncontrolled release of radioactive materials. The controls and instrumentation for CSCS prevent such a sequence of events by actuating core cooling systems in time to limit fuel temperatures to acceptable levels.

7.4.2 Safety Design Bases

1. With precision and reliability, controls and instrumentation shall automatically initiate and control the CSCS to allow removal of heat from the reactor core in time to prevent fuel clad melting, so that fuel and core deformation do not limit effective cooling of the core.

2. With precision and reliability, controls and instrumentation shall initiate and control the CSCS with sufficient timeliness to prevent more than a small fraction of the core from heating to a temperature at which a gross release of fission products could occur.

3. To meet the precision requirements of safety design bases 1 and 2, the controls and instrumentation for the CSCS shall respond to conditions that indicate the potential inadequacy of core cooling, regardless of the physical location of the defect causing the inadequacy.

4. To place limits on the degree to which safety is dependent on operator judgement in time of stress, the following safety design bases are specified:

7.4-1 Rev. 30 - Nov. 2015

PNPS-FSAR

a. Appropriate responses of the CSCS shall be initiated automatically by control systems when positive precise action is immediately required so that no decision or manipulation of controls beyond the capacity of operations personnel is demanded

b. Readout of the responses of the CSCS shall be provided to the operator by control room instrumentation so that faults in the actuation of safety equipment can be diagnosed

c. Facilities for manual actuation of the CSCS shall be provided in the control room so that operator action is possible, yet reserved for the remedy of a deficiency in the automatic actuation of the safety equipment, or for control over the long term effects of an abnormal or accident condition

5. To meet the reliability requirements of safety design bases 1 and 2, the following safety design bases are specified:

a. No single failure, maintenance, calibration, or test operation shall prevent the integrated operations of the CSCS from providing adequate core cooling

b. No equipment protective device which causes interruption of performance or availability of the CSCS shall be automatic, unless there is a high probability that continued use would make complete failure imminent. Instead, such protective devices shall indicate off standard conditions for operator decision and action

c. The power supplies for the controls and instrumentation for the CSCS shall be chosen so that core cooling can be accomplished concurrently with a loss of offsite ac power

d. The physical events that accompany a loss of coolant accident shall not interfere with the ability of the CSCS controls and instrumentation to function properly

e. Earthquake loading shall not impair the ability of essential CSCS controls and instrumentation to function properly. See Section 7.1.6

6. To provide the operator with the means to verify the availability of the CSCS, it is possible to test the responses of the controls and instrumentation to conditions representative of transient or accident situations.

7.4-2 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.3 Description 7.4.3.1 Identification The controls and instrumentation for the CSCS are identified as that equipment required for the initiation and control of the following:

High Pressure Coolant Injection System (HPCI)

Automatic Depressurization System (ADS)

Core Spray System Low Pressure Coolant Injection (LPCI), an operating mode of the Residual Heat Removal System The equipment involved in the control of these systems includes automatic injection valves, turbine driven pump controls, electric motor driven pump controls, relief valve controls, and the sensors, trip units, contacts, and relays that make up sensory logic channels.

Testable check valves and certain automatic isolation valves are described in Section 7.3.

To assure the functional capabilities of the CSCS during and after earthquake loading, the controls and instrumentation for each of the systems are designed as Class I seismic design equipment as described in Appendix C. This satisfies safety design basis 5e.

The CSCS initiations and control instrumentations can be conveniently divided into two parts, the Incident Detections Circuitry (IDC) and the control instrumentation. The IDC includes those channels which detect a need for CSCS operation and the corresponding trip systems which initiate the proper response of CSCS. The control instrumentation includes the balance of CSCS instrumentation which is utilized in control and testing.

The CSCS is designed to comply with intent of IEEE-279 and the Commission's proposed General Design Criteria. Appendices F and J give additional details.

7.4.3.2 High Pressure Coolant Injection System Control and Instrumentation 7.4.3.2.1 Identification and Physical Arrangement When actuated, the HPCI pumps water from either the condensate storage tank or the suppression chamber to the reactor vessel via the feedwater pipelines. The HPCI includes one turbine, one turbine- driven pump, one dc motor driven auxiliary oil pump, one gland seal condenser, one dc condensate pump, one gland seal condenser dc blower, automatic valves, control devices for this equipment, sensors, and logic circuitry. The arrangement of equipment and control devices is shown on Figures 7.4-1 and 7.4-2.

7.4-3 Rev. 30 - Nov. 2015

PNPS-FSAR Pressure and level switches/transmitters used in the HPCI are located on racks in the reactor building. The only operating component for the HPCI that is located inside the primary containment is one of the two HPCI turbine steam supply pipeline isolation valves. The rest of the HPCI control and instrumentation components are located outside the primary containment. Cables connect the sensors to control circuitry in the control room. Although the system is arranged to allow a full flow functional test of the system during normal reactor power operation, the test controls are arranged so that the system can operate automatically to fulfill its safety function regardless of the test being conducted. Some testing may temporarily disable the automatic realignment feature, during which periods HPCI would not be available as a CSCS.

7.4.3.2.2 HPCI Initiation Signals and Logic Either reactor vessel low-low water level or primary containment (drywell) high pressure can automatically start the HPCI as indicated on Figures 7.4-3, 7.4-4, and 7.4-5 (see Drawings M1J22-5, M1J23-4, and M1J24-4). Reactor vessel low water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.

The logic scheme used for initiating the HPCI system is a single trip system containing two decision making logic circuits as shown on Figure 7.4-6. Each decision making logic is made up of two series parallel paths. One decision making logic actuates upon receipt of a low-low water level signal. The other actuates upon receipt of a high drywell pressure signal. Either decision making logic can start the HPCI. The HPCI trip system is dc powered.

Instrument analytical limit trip settings used in the plant safety analysis are listed on Table 7.4-1. The actual plant setting is determined in the referenced design basis calculation and has adequate margin to account for the total instrument uncertainty. The reactor vessel low water level setting for HPCI initiation is conservatively selected above the active fuel to start the HPCI in time to prevent fuel damage during abnormal operational transients. The water level setting is far enough below normal levels that spurious HPCI startups are avoided. The primary containment high pressure setting is selected to be as low as possible without inducing spurious HPCI startup.

7.4-4 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.3.2.3 HPCI Initiating Instrumentation Reactor vessel low-low water level is monitored by four analog transmitters that sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual height of water in the vessel. Two pipelines, attached to taps above and below the water level in the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The two pairs of pipelines terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. These same pipelines are also used for pressure and water level instruments for other systems. The level transmitters for HPCI are arranged in pairs, each pair sensing level from one pair of pipelines. Either pair sensing low-low water level can initiate the HPCI system. This arrangement assures that no single event can prevent HPCI initiation from reactor vessel low-low water level. Minimizing the vertical drop of the reference legs inside the drywell optimized the accuracy of level measurements.

Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell but inside the reactor building. Pipes that terminate in the reactor building allow the transmitters to communicate with the drywell interior. The transmitters are grouped in pairs similar to the level sensors and electrically connected so that no single event can prevent the initiation of HPCI due to primary containment high pressure.

7.4.3.2.4 HPCI Turbine and Turbine Auxiliaries Control The HPCI controls automatically start HPCI upon receipt of an initiation signal and bring the system to its design flow rate within 90 sec. The controls then function to provide design makeup water flow to the reactor vessel until vessel water level is restored to high level or until reactor pressure falls below the HPCI operating range.

HPCI will automatically restart if vessel level decreases to the low vessel level setpoint with reactor pressure within the HPCI operating range. If HPCI trips on low reactor pressure, the system will not automatically restart unless the trip is reset using the remote manual reset switches. HPCI controls are arranged to allow for remote manual startup in two different ways:

1. Manual initiation via a single pushbutton switch located on panel C903. Depressing the switch initiates a timed sequence which starts and runs the system in the full-flow injection mode.

2. Manual startup by manipulation of individual control switches on panel C903 actuates the various pumps and valves required to start and run the system. This method requires the operator to actuate each component in a prescribed sequence.

Controls are also provided on panel C903 to allow plant operators to operate and shutdown the system.

7.4-5 Rev. 30 - Nov. 2015

PNPS-FSAR The HPCI turbine is functionally controlled as shown on Figure 7.4-5. A control governor receives a HPCI flow signal and adjusts the turbine steam control valve so that design HPCI pump discharge flow rate is obtained. Manual control of the governor is possible in the test mode, but the governor automatically returns to automatic control upon receipt of a HPCI initiation signal. Figure 7.4-5 shows the various modes of turbine control. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the HPCI pump discharge pipeline. The governor controls the pressure applied to the hydraulic operator of the turbine control valve which, in turn, controls the steam flow to the turbine. Hydraulic pressure is supplied for both the turbine control valve and the turbine stop valve by the dc powered oil pump during startup, and then by the shaft driven hydraulic oil pump when the turbine speed is adequate.

Upon receipt of an initiation signal, the auxiliary oil pump starts, providing hydraulic pressure for the turbine stop valve and turbine control valve hydraulic operator. Because there is no flow in HPCI, the flow signal will run the control governor to high speed. The turbine governor system is equipped with a ramp generator which, upon initiation of the turbine start, will control the acceleration rate up to a speed relative to the flow controller output signal. Turbine speed is limited to the maximum output of the flow controller (50 Ma) and is equivalent to the maximum turbine speed required to maintain design flow. As hydraulic oil pressure is developed, the turbine stop valve and the turbine control valve open simultaneously, and the turbine accelerates toward the speed setting of the control governor.

As HPCI flow increases, the flow signal adjusts the control governor setting so that design flow is maintained.

The turbine is automatically shut down by tripping the turbine stop valve closed if any of the following conditions are detected:

Turbine overspeed High turbine exhaust pressure Low pump suction pressure Reactor vessel high water level HPCI automatic isolation signal 7.4-6 Rev. 30 - Nov. 2015

PNPS-FSAR Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust pipeline. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service. A turbine trip is initiated for these conditions so that if the cause(s) of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so far that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical-hydraulic device. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown.

One pressure switch is used to detect low HPCI pump suction pressure.

High water level in the reactor vessel indicates that HPCI has performed satisfactorily in providing makeup water to the reactor vessel. The reactor vessel high water level setting which trips the turbine is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Two level transmitters that sense differential pressure are arranged to require that their respective trip units trip (coincidence) to initiate a turbine shutdown. A single failure in either level transmitter/trip unit would prevent automatic shutdown of the HPCI turbine upon reaching high water level in the vessel. However, prior to reaching reactor vessel high water level, alarms would alert operating personnel to the approaching high level condition. Operator action could then be taken to manually control flow rate, and/or shut down the systems prior to flooding the steam lines. HPCI automatic isolation signals are described in Section 7.3.

The control scheme for the turbine auxiliary oil pump is shown on Figure 7.4-4 (BECo M1J 23-4). The controls are arranged for automatic or manual control. Upon receipt of a HPCI initiation signal, the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft driven oil pump begins to supply hydraulic pressure.

After about 1/2 min during an automatic turbine startup, the pressure supplied by the shaft driven oil pump is sufficient, and the auxiliary oil pump automatically stops upon receipt of a high oil pressure signal. Should the shaft driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts.

Operation of the gland seal condenser components - gland seal condenser condensate pump (DC), gland seal condenser blower (DC), and gland seal condenser water level instrumentation - prevents outleakage from the turbine shaft seals. Startup of this equipment is automatic, as shown on Figures 7.4-4 and 7.4-5.

7.4-7 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.3.2.5 HPCI Valve Control All automatic valves in the HPCI system are equipped with remote manual test capability, so that the entire system can be operated from the main control room. Motor operated valves are provided with appropriate limit or torque switches to turn off the motors when the full open or full closed positions are reached. Valves that are automatically closed on isolation or turbine trip signals are equipped with manual reset devices, so that they cannot be reopened without operator action.

The reset devices are located in the main control room. All essential components of the HPCI control operate from DC power sources.

To assure that the HPCI can be brought to design flow rate within 90 seconds from the receipt of the initiation signal, the following design operating times against full reactor pressure for essential HPCI valves are provided by the valve operation mechanisms:

HPCI turbine steam admission (MO2301-3) 90 sec HPCI pump discharge valve (MO2301-8) 40 sec HPCI pump minimum flow bypass valve 20 sec The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa. Because the two HPCI steam supply line isolation valves (MO-2301-4,5) are normally open, and because they are intended to isolate the HPCI steam line in the event of a break in that line, the operating time requirements for them are based on isolation specifications. These are described in Section 7.3. A normally closed dc motor-operated isolation valve is located in the turbine steam supply pipeline just upstream of the turbine stop valve. The control scheme for this valve is shown on Figure 7.4-4. Upon receipt of a HPCI initiation signal this valve opens and remains open until closed by operator action from the main control room.

Two normally open isolation valves are provided in the steam supply line to the turbine. The valve inside the drywell is controlled by an AC motor. The valve outside the drywell is controlled by a DC motor.

The control diagram is shown on Figure 7.4-3. Although they are normally open, a HPCI initiating signal opens them if they are closed.

The inboard isolation valve has the capability of being jogged open to allow controlled pressurization of the HPCI steam line. These isolation valves automatically close upon receipt of a HPCI turbine steam line high flow signal, or low reactor pressure signal, or high steam line space temperature. To ensure proper isolation of the HPCI turbine, the turbine exhaust line drain pot isolation valves (CV-9068 A

& B) are also closed upon receipt of either of these signals. The instrumentation for isolation is described in Section 7.3.

Two normally open isolation valves are provided in the turbine exhaust vacuum breaker line. These valves are controlled by AC motors. The control design is shown on Figure 7.4-3. These isolation valves automatically close upon receipt of a high drywell pressure signal coincident with low reactor pressure. A keylock switch provides the capability to bypass the automatic isolation signals which will permit manual operation of the valves via their control switches.

7.4-8 Rev. 30 - Nov. 2015

PNPS-FSAR Three pump suction valves are provided in the HPCI. One valve lines up pump suction from the condensate storage tank, the other two from the suppression pool. The condensate storage tank is the preferred source.

All three valves are operated by DC motors. The control arrangement is shown on Figure 7.4-5. Although the condensate storage tank suction valve is normally open, a HPCI initiation signal opens it if it is closed. If the water level in the condensate storage tank falls below the minimum level, the suppression pool suction valves automatically open after a time delay. When the suppression pool valves are both fully open, the condensate storage tank suction valve automatically closes. Two pressure switches are used to detect the condensate storage tank low water level condition. Either switch can cause the suppression pool suction valves to open. The suppression pool suction valves also automatically open and the condensate storage tank suction valve closes if a high water level is detected in the suppression pool.

Two level switches monitor the suppression pool water level. Either switch can initiate opening of the suppression pool suction valves.

Time delay is introduced into the suppression pool suction valve opening circuits to prevent false/transient signals from initiating suction transfer. If open, the suppression pool suction valves automatically close upon receipt of the signals that initiate HPCI steam line isolation.

The consequences of a single failure in the circuitry, which automatically transfers suction from the condensate storage tanks to the suppression pool, are as follows: The HPCI system is not required by design to be single failure proof. The HPCI circuitry automatically initiates transfer of the HPCI suction from the condensate storage tank to the suppression pool as a result of either a condensate tank low level condition or a suppression pool high level condition. Two sensors monitor the condensate low level condition and two sensors monitor the suppression pool high level condition. The proper operation of any one of these sensors initiates transfer of HPCI suction to the pool.

Loss of power to the transfer circuitry also opens the HPCI suction valves to the suppression pool. Premature transfer of the HPCI suction from the condensate tank to the suppression pool due to single failures such as described above do not interfere with the ability of the HPCI system to perform its intended function.

Two DC motor-operated HPCI pump discharge valves in the pump discharge pipeline are provided. The control schemes for these two valves are shown on Figure 7.4-3 (Drawing M1J22-5) and 7.4-4 (Drawing M1J23-4).

Both valves are arranged to open upon receipt of the HPCI initiation signal. The valves remain open upon receipt of a turbine trip signal until closed by operator action in the main control room. Discharge valve MO2301-9 must be open for HPCI to be considered operable. See Section 6.6.

7.4-9 Rev. 30 - Nov. 2015

PNPS-FSAR To prevent the turbine pump from being damaged by overheating at reduced HPCI pump discharge flow, a pump discharge minimum flow bypass is provided to route the water discharged from the pump back to the suppression pool. The bypass is controlled by an automatic, DC motor-operated valve whose control scheme is shown on Figure 7.4-3 (Drawing M1J22-5). At HPCI high flow, the valve is closed; at low flow, the valve is opened. Flow switches that measure the pressure difference across a flow element in the HPCI pump discharge pipeline provide the signals used for flow indication. There is also an interlock provided to shut the minimum flow bypass whenever the turbine is tripped or isolation occurs. This prevents draining the condensate storage tank into the suppression pool.

To prevent the HPCI steam supply pipeline from filling up with water and cooling, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The control scheme is shown on Figure 7.4-4.

The controls position valves so that during normal operation, steam line drainage is routed to the main condenser. Upon receipt of a HPCI initiation signal, the drainage path is isolated. The water level in the steam line drain condensate pot is controlled by a level switch and an air operated valve which opens to allow condensate to flow out of the pot.

During test operation, the HPCI pump discharge is routed to the condensate storage tank. Two DC motor-operated valves are installed in the pump discharge to the condensate storage tank. The piping arrangement is shown on Figure 7.4-1 (Drawing M243). The control scheme for the two valves is shown on Figure 7.4-3 (Drawing M1J22-5).

Upon receipt of an HPCI initiation signal, the valves close and remain closed. Some testing may temporarily disable the automatic realignment feature, during which periods HPCI would not be available as a CSCS.

The control scheme for one HPCI test return isolation valve uses seal-in contacts in the opening and closing circuit. The upstream HPCI test return isolation valve is a throttle valve used for system control during testing and will automatically operate in the closed direction while a system initiation signal remains present. The automatic closing cycle of this HPCI test return isolation valve is terminated if either the system initiation signal clears or the test return isolation valve reaches the full closed position. The valves are interlocked closed if either of the suppression pool suction valves are open. As designed, the HPCI test return isolation valves meet the requirements and intent of IEEE 279 regarding completion of protective actions once an initiation signal is received. Numerous indications pertinent to the operation and condition of the HPCI are available to the main control room operator. Figures 7.4-1, 7.4-2, and 7.4-4 (Drawings M243, M244, and M1J23-4) show the various indications provided.

7.4.3.2.6 HPCI Environmental Considerations The only HPCI control component located inside the primary containment that must remain functional in the environment resulting from a loss of coolant accident (LOCA) is the control mechanism for the inboard isolation valve on the HPCI turbine steam line. The environmental capabilities of this valve are discussed in Section 7.3. The HPCI control and instrumentation equipment located outside the primary containment is selected in consideration of the normal and accident environments in which it must operate.

7.4-10 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.3.3 Automatic Depressurization System Control and Instrumentation 7.4.3.3.1 Identification and Physical Arrangement Four automatically controlled relief valves are installed on the main steam lines inside the primary containment. The valves are dual purpose in that they relieve pressure by inherent mechanical (overpressure) action or by action of an electric pneumatic control system. The relief by mechanical action is initiated inherently by an overpressure condition in the nuclear system. The depressurization by automatic action of the control system is employed to reduce nuclear system pressure so that the core spray and LPCI systems can inject water into the reactor vessel during a LOCA when the HPCI is inoperable. The automatic control and instrumentation equipment for the automatic depressurization mode of relief valve operation is described in this section.

The control system, which is functionally illustrated on Figure 7.3-6 (Drawing M1A 15-7), consists physically of pressure and water level sensors arranged in trip systems that control a solenoid operated pilot valve. The solenoid operated pilot valve controls the pneumatic pressure applied to a diaphragm actuator which controls the relief valve directly. An accumulator is included with the control equipment for each relief valve to store pneumatic energy for relief valve operation. The accumulators are sized to provide sufficient air/nitrogen for a minimum of twenty pilot actuations following failure of the normal air/nitrogen supply to the accumulator. Cables from the sensors lead to the control room where the logic arrangements are formed in cabinets. The electrical control circuitry is powered by DC in the following manner: the equipment of ADS Logic A is placed on Battery A without automatic transfer. The equipment of ADS Logic B is on Battery B with an automatic transfer to Battery A upon loss of Battery B. Therefore, loss of any battery affects only one 120 second timing circuit. Electrical elements in the control system energize to cause opening of the relief valve. Each solenoid operated pilot valve is powered by DC from either station battery through sensing relays.

7.4.3.3.2 Automatic Depressurization System Initiating Signals and Logic Two initiation signals are used for the Automatic Depressurization System:

1. Reactor vessel low-low water level

2. Primary containment (drywell) high pressure 7.4-11 Rev. 30 - Nov. 2015

PNPS-FSAR When low-low water level is sensed, a high drywell pressure bypass timer (0 to 30 minute adjustable) is initiated. If drywell high pressure is not sensed before the selected time has elapsed, and if the low-low water level signal is still present, the ADS valves will be signaled to open without high drywell pressure (See Figure 7.3-6, Drawing M1R 4-10). After these conditions are satisfied, there is a 120 second time delay to permit the HPCI to restore water level before the relief valves are actuated. Reactor vessel low water level indicates that the fuel is in danger of becoming overheated. This low water level condition would normally not be sustained unless the HPCI failed.

Primary containment high pressure indicates that a breach in the nuclear system process barrier may have occurred inside the drywell.

The bypass arrangement increases the range of events over which ADS will respond. Events such as a break external to the drywell or a stuck open SRV do not necessarily cause a High Drywell Pressure Signal.

After receipt of both initiation signals, and after an approximate 2 min delay provided by timers, the solenoid operated pilot air valve for each ADS valve is energized provided that at least one LPCI or core spray pump is affirmed to be running at rated speed. An interlock is provided in each trip system in order to give reassurance that low pressure core coolant is available before the ADS actually permits depressurization of the reactor vessel. These pressure permissive interlocks are designed to meet the requirements of single failure and separation. Two pressure switches on the discharge of each core spray and each LPCI pump (12 total) are connected through relays in redundant groups so that each ADS trip system is blocked from actuating unless at least one low pressure pump shows verified discharge pressure. These pressure switch relay circuits are monitored continuously during normal station operation so that if any pressure switch circuit gives a false signal of the presence of pressure in the low pressure systems, an annunciator immediately alerts the operator so that the malfunction can be corrected. Once the blowdown has started, seal in contacts around the low pressure pump permissive continues the blowdown, even if all low pressure pumps are lost.

Keylocked switches have been added to permit plant operators to disable the automatic logic. This manual action will be displayed on the control panels by indicating lights and it will be annunciated. These switches allow the operator to inhibit ADS per the instructions in the Emergency Operating Procedures.

Energization of the solenoid operated pilot valves allows pneumatic pressure from the accumulator to act on the diaphragm actuator. The diaphragm actuator is an integral part of the relief valve and expands to hold the relief valve open. Lights in the main control room inform the main control room operator whenever the solenoid operated pilot valve is energized, indicating that the relief valve is open or being opened.

7.4-12 Rev. 30 - Nov. 2015

PNPS-FSAR A two position switch is provided in the main control room for the remote control of each relief valve. The two positions are "open" and "auto". In the "open" position the switch energizes the solenoid-operated pilot valve, which allows pneumatic pressure to be applied to the diaphragm actuator of the relief valve. This allows the main control room operator to take manual action independent of the automatic system. Appropriate numbers of relief valves can be manually opened in this manner to provide a controlled nuclear system cooldown under conditions where the normal heat sink is not available. In "auto" position, the valve is controlled by the ADS logic.

Manual reset circuits are provided for the reactor vessel low-low water level and drywell high pressure initiating signals. By manually resetting these signals both the delay and the high drywell pressure bypass timers are recycled. The operator can use the reset switches to delay or prevent automatic opening of the relief valves, or he can use the ADS inhibit keylock switches to prevent relief valve opening if such delay or prevention is prudent. Manual actuation on one ADS "Reset" button recycles both the display the timer and bypass timer for one of the two trip systems. The second "Reset" button resets the second set of timers and the delay timers must be reset in order for the operator to delay automatic activation of these valves.

The logic scheme used for initiating the ADS system is a single trip system containing two trip system logics as shown on Figure 7.4-6. Each trip system logic can initiate automatic depressurizations when the logic in that trip system is satisfied. Each trip system logic includes a timer that delays the opening of the relief valves. This allows time for the HPCI to restore water level before the relief valves are actuated. Each logic channel also contains a bypass timer, which allows automatic depressurization with low-low water level only, after a predetermined time has passed. An annunciator indicates that the bypass timer is running and that a low-low water level signal is present. The ADS trip system is dc powered.

A manual "inhibit" switch in each of the two trip system logics allows the operator to prevent automatic depressurization. This switch is key-locked in the "normal" position to prevent inadvertent operation.

An indicator light for each switch is illuminated when the switch is in the "inhibit" position. An annunciator in the control room alarms when either switch is in the "inhibit" position. The inhibit switch does not break the seal-in logic and will not terminate an ADS blowdown once it has begun.

Instrument specifications and allowable trip settings used in the plant safety analysis are listed on Table 7.4-2. The wiring for the trip systems is routed in separate conduits to reduce the probability that a single event will prevent automatic opening of a relief valve. Pump discharge pressure switches are used to sense that the core spray and LPCI pumps are running.

7.4-13 Rev. 30 - Nov. 2015

PNPS-FSAR The reactor vessel low-low water level initiation setting for the automatic depressurization system is selected to open the relief valves to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the core spray and LPCI systems following a LOCA in which the other makeup systems, Feedwater, RCIC, HPCI fail to maintain vessel water level. The primary containment high pressure setting is selected to be as low as possible without inducing spurious initiation of the ADS.

7.4.3.3.3 Automatic Depressurization System Initiating Instrumentation The pressure and level analog trip units used to initiate the ADS are common to each relief valve control circuitry. Reactor vessel low water level is detected by four transmitters that measure differential pressure. Primary containment high pressure is detected by four pressure transmitters.

Two timers, one for each of the two trip system logics, (See Figure 7.4-6), are used in the control circuitry for each relief valve. The delay time setting before the ADS is actuated is chosen to be long enough so that the HPCI has time to start, yet not so long that the core spray system and LPCI are unable to adequately cool the fuel if the HPCI fails to start. An alarm in the main control room is annunciated every time either of the timers is timing. Resetting the ADS initiating trips - reactor vessel low-low water level and primary containment high pressure - recycles the timers.

Four additional timers (0 to 30 minutes adjustable), one for each channel of the two dual-channel trip system logics, provide bypasses of the high drywell pressure system initiation signal. These bypasses permit automatic system initiation without high drywell pressure. The delay-time setting can be chosen to be long enough to prevent blowdown on temporary reductions in water level but not so long as to permit the water level to become dangerously low. An alarm in the control room annunciates when any one of the high drywell pressure bypass timers is timing. The timers are reset automatically whenever the water level rises above the low-low setpoint. The bypass timers are also reset manually whenever the reset pushbuttons, one in each of the two trip system logics, are depressed.

7.4-14 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.3.3.4 Automatic Depressurization System Alarms A dual temperature element is installed in the relief valve discharge piping approximately 4.5 to 6 feet from the valve body. This temperature element located near the valve discharge provides a means to detect relatively small amounts of steam leakage from either the first and second stage pilot valves or main stage in the three-stage safety relief valve. Similarly, this temperature element is used to detect pilot or main stage leakage from a two-stage safety relief valve. This discharge piping temperature element is connected to a multipoint recorder in the main control room to provide a means of detecting and monitoring relief valve discharge temperature during station operation. When the temperature in any relief valve discharge pipeline exceeds a preset value, an alarm is sounded in the main control room. The alarm setting is selected far enough above normal rated power temperatures to avoid spurious alarms, yet low enough to give early indication of relief valve leakage.

Additional dual temperature elements are installed in the following locations:

(1) discharge piping thermowell approximately 16 to 22 ft from the valve body, (2) valve body internal thermowell in proximity to the first stage pilot seat, (3-stage SRVs only)

(3) valve body internal thermowell in proximity to the second stage pilot seat, (3-stage SRVs only)

(4) mounted external to pilot assembly to detect bellows assembly leakage. (3-stage SRVs only)

The additional temperature elements in the discharge piping and valve body are connected to the plant computer and a local recorder and are used to diagnose and evaluate leakage from the associated safety relief valve. The dual temperature element installed to detect bellows assembly leakage is connected to the plant computer and when the temperature exceeds a preset value, an alarm is sounded in the main control room. The bellows temperature detector and alarm are applicable only to 3-Stage SRVs and not required for 2-Stage SRVs.

Safety relief valve leakage monitoring requirements are specified in FSAR Appendix B.

7.4-15 Rev. 30 - Nov. 2015

PNPS-FSAR Additionally available are individual valve displays (acoustic monitors) located in the control room. These displays provide a means of determining the status of each of the four relief valves, RV-203-3A, B, C, and D, and also the status of the safety valves RV-203-4A and B.

The open/close indication is made possible by the installation of acoustic transducers on the discharge piping of the relief valves RV-203-3A, B, C, and D, and on the bodies of the code safety valves RV-203-4A and B. When the valves are open, indication is provided by means of indicating lights on the safety and relief valve monitors. An audible alarm will also sound if any of the valves open. There are 10 indicating lights for each relief valve, which illuminate sequentially to give an indication of valve opening as indicated by noise and vibration induced by the steam flow through the valve.

Panels, located outside the control room, are also available to remotely operate the relief valves.

7.4.3.3.5 Automatic Depressurization System Environmental Considerations The signal cables, solenoid valves, and relief valve operators are the only items of the control and instrumentation equipment of the ADS that are located inside the primary containment and must remain functional in the environment resulting from a LOCA. These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of these items. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate.

7.4-16 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.3.4 Core Spray System Control and Instrumentation 7.4.3.4.1 Identification and Physical Arrangement The core spray systems consist of two independent spray loops as illustrated on Figure 7.4-8. Each loop is capable of supplying sufficient cooling water to the reactor vessel to cool the core adequately following a design basis LOCA. The two spray loops are physically and electrically separated so that no single physical event makes both loops inoperable. Each loop includes one ac motor driven pump, appropriate valves, and the piping to route water from the suppression pool to the reactor vessel. The controls and instrumentation for the core spray systems include the sensors, relays, wiring, and valve operating mechanisms used to start, operate, and test each system. Except for the check valves 9A and 9B in each spray loop, which is inside the primary containment, the sensors and valve closing mechanisms for the core spray systems are located in the Reactor Building. Cables from the sensors are routed to the main control room where the control circuitry is assembled in electrical panels. Each core spray pump is powered from a different ac bus which is capable of receiving standby power. The power supply for automatic valves in each loop is from the same source as that used for the core spray pump in that loop. Control power for each of the core spray loops comes from separate dc buses. The electrical equipment in the main control room for one core spray loop is located in a separate cabinet from that used for the electrical equipment for the other loop.

Two initiating functions are used for the core spray system: reactor vessel low-low water level coincident with reactor low pressure and primary containment (drywell) high pressure. Either initiation signal can start the systems.

7.4.3.4.2 Core Spray System Initiating Signals and Logic The control scheme for the core spray system is illustrated on Figure 7.4-9. Allowable trip settings used in the current plant safety analysis are given on Table 7.4-3. The overall operation of a system following the receipt of an initiating signal is as follows:

1. Test bypass valves are closed and interlocked to prevent opening

2. The core spray pump in both spray loops starts 1/3 sec after power becomes available to the pump

3. When reactor vessel pressure drops to a preselected value, valves open in the pump discharge lines allowing water to be sprayed over the core 7.4-17 Rev. 30 - Nov. 2015

PNPS-FSAR Two initiating functions are used for the core spray system: reactor vessel low-low water level coincident with reactor low pressure and primary containment (drywell) high pressure. Either initiation signal can start the systems.

Reactor vessel low-low water level indicates that the core is in danger of being overheated due to the loss of coolant. Drywell high pressure indicates that a breach of the nuclear system process barrier has occurred inside the drywell. The reactor vessel low-low water level and primary containment high pressure settings and the instruments that provide the initiating signals are selected and arranged so as to assure proper system operation without inducing spurious system startups.

The core spray system can be initiated by low-low water level alone, without reactor low pressure or high drywell pressure, after a selected time delay (0 to 30 minutes adjustable). The timing function starts when the low-low water level setpoint is reached. The timers are reset automatically if the water level rises above the setpoint before the selected time has elapsed. The timers are also reset manually when the ADS reset pushbuttons, one in each of the two ADS trip systems, are depressed.

Keylocked switches have been installed to permit blockage of the drywell high pressure initiation signal. These switches are primarily for use under post-LOCA conditions to permit shutdown of the applicable core spray pump motor without affecting the reactor vessel low water level initiation signal.

The scheme used for initiating each core spray system is a trip system containing decision making logic circuits. A typical core spray system trip actuation logic is shown on Figure 7.4-6. The decision making logic in a trip system can initiate core spray equipment in one core spray loop. The trip systems are powered by reliable independent dc buses.

7.4.3.4.3 Core Spray System Pump Control The control arrangements for the core spray pumps are shown on Figure 7.4-9. Each pump can be manually controlled by a main control room remote switch or the automatic control system. A pressure transmitter on the discharge pipeline from each core spray pump provides a signal in the main control room to indicate the successful startup of a pump.

If a core spray initiation signal is received the core spray pumps start 1/3 sec after the bus is energized. The core spray pump motors are provided with overload protection. Overload relays are applied so as to maintain power as long as possible without immediate damage to the motors or emergency power system.

Loss of voltage trips are provided with time delays sufficient to permit automatic transfer from the unit auxiliary transformer source to the startup transformer source (preferred offsite) without tripping the pump power supply breaker open.

7.4-18 Rev. 30 - Nov. 2015

PNPS-FSAR Calibration and testing of the overload trip relays provided for these motors is accomplished by passing a test current through these protective devices to verify set points and relay actuation. This test current is measured with field standard ammeters. Current or voltage is measured with field standard ammeters and voltmeters.

The motors are protected by long time induction overcurrent relay elements and by low-set and high-set instantaneous overcurrent elements for overload and phase faults and by ground sensor relays for ground faults.

The long time, high-set and ground sensor elements are set in general accordance with recommendations in the IEEE Induction Motor Protection Guide No. 288, November 1968. The setting of the low-set element is not covered in the Guide.

The long time element is set at 115 percent to 125 percent of rated motor current with a time delay set about twice rated motor starting time. The long time element is used for overcurrent annunciation and in series with the low-set instantaneous element, set at about twice rated motor current, it is used to trip the motor circuit breaker for overload protection. This design permits continued motor operation under emergency loading conditions while alerting the operator to a nominal overload condition.

The high-set instantaneous element provides short circuit protection and is set at about ten times rated motor current which is compatible with system minimum phase fault current capacity. This set point is higher than rated locked rotor current with a margin for inrush current and current asymmetry.

The ground sensor relays are instantaneous relays operating from ground sensor current transformers. The relay setting typically provides a 30 to 1 margin of maximum ground fault current to relay pickup when operating from any of the station service transformer sources. This setting is high enough to prevent relay pickup for ground faults when operating on the diesel generator source.

Flow measuring instrumentation is provided in each of the core spray pump discharge lines. The instrumentation provides flow indication in the main control room.

7.4.3.4.4 Core Spray System Valve Control Except where specified otherwise, the remainder of the description of the core spray refers to one spray system. The second core spray system is identical. The control arrangements for the various automatic valves in the core spray system are indicated on Figure 7.4-9 (BECo M1K1-8). All motor-operated valves are equipped with limit and torque switches to turn off the valve motor when the valve reaches the limits of movement. Each automatic valve can be operated from the main control room.

7.4-19 Rev. 30 - Nov. 2015

PNPS-FSAR Upon receipt of an initiation signal the test bypass valve is interlocked shut. The core spray pump discharge valves are automatically opened when nuclear system pressure drops to a preselected value; the setting is selected low enough so that the low pressure portions of the core spray system are not overpressurized, yet high enough to open the valves in time to provide adequate cooling for the fuel. Two pressure transmitters are used to monitor nuclear system pressure. The trip unit associated with either of these transmitters can initiate opening of the discharge valves. The full stroke design time of the pump discharge valves is selected to be rapid enough to assure proper delivery of water to the reactor vessel in a design basis accident. The full stroke design operating times are as follows:

Test bypass valve 16 sec Pump suction valve 120 sec Pump discharge valves 22 sec 7.4.3.4.5 Core Spray System Alarms and Indications Core spray system pressure between the two pump discharge valves is monitored by a pressure switch to permit detection of leakage from the nuclear system into the core spray system outside the primary containment. A detection system is also provided to continuously confirm the integrity of the core spray piping between the inside of the reactor vessel and the core shroud. A differential pressure switch measures the pressure difference between the top of the core support plate and the inside of the core spray sparger pipe just outside the reactor vessel. If the core spray sparger piping is sound, this pressure difference will be the small drop across the core resulting from inter-channel leakage. If integrity is lost, this pressure drop will also include the steam separator pressure drop. An increase in the normal pressure drop initiates an alarm in the main control room.

Pressure in each core spray pump suction and discharge is monitored by a pressure indicator which permits determination of suction head and pump performance.

7.4.3.4.6 Core Spray System Environmental Considerations There are no control and instrumentation components for the core spray system that are located inside the primary containment and that must operate in the environment resulting from a LOCA. All components of the core spray system that are required for system operation are outside the drywell and are selected in consideration of the normal and accident environments in which they must operate.

7.4.3.5 Low Pressure Coolant Injection Control and Instrumentation 7.4.3.5.1 Identification and Physical Arrangement Low pressure coolant injection (LPCI) is an operating mode of the residual heat removal system (RHR). Because the LPCI system is designed to provide cooling water to the reactor vessel following the design basis LOCA, the controls and instrumentation for it are discussed here. Section 4.8 describes the RHR in detail.

7.4-20 Rev. 30 - Nov. 2015

PNPS-FSAR Figure 7.4-10 shows the entire RHR system including the equipment used for LPCI operation. The following list of equipment itemizes essential components for which control or instrumentation is required to operate in the LPCI mode:

Four RHR pumps Pump suction valves (from suppression pool)

LPCI-to-recirculation loop injection valves Recirculation loop valves The instrumentation for LPCI operation provides inputs to the control circuitry for other valves in the RHR System. This is necessary to ensure that the water pumped from the suppression pool by the pumps is routed directly to a reactor recirculation loop. These interlocking features are described in this section. The actions of the reactor recirculation loop valves are described in this section because these actions are accomplished to facilitate LPCI operation.

LPCI operation uses two identical pump subsystems, each subsystem with two pumps in parallel. The two subsystems are arranged to discharge water into different reactor recirculation loops. A cross connection exists between the pump discharge lines of each subsystem. Figure 7.4-10 (BECo M241) shows the locations of instruments, control equipment, and LPCI components relative to the primary containment. Except for the LPCI check valves 1001-68A, 1001-68B and the reactor recirculation loop pumps and valves, the components pertinent to LPCI operation are located outside the primary containment.

The power for the RHR system pumps is supplied from ac buses that can receive standby ac power. Each pair of pumps in each subsystem receives its power from a different bus. Motive power for the injection valves on both sides used during LPCI operation comes from a common bus which can be automatically connected to either of two alternate standby power sources. Control power for the LPCI components comes from the dc buses. Redundant trip systems are powered from different dc busses. The use of common buses for some of the LPCI components is acceptable because the core spray systems and LPCI operation are arranged independently to accomplish the same objective:

provide adequate cooling for the fuel at low nuclear system pressure following a design basis accident.

LPCI is arranged for both automatic operation and remote manual operation from the main control room. The equipment provided for manual operation of the system allows the operator to take action independent of the automatic controls in the event of a LOCA.

7.4-21 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.3.5.2 LPCI Initiating Signals and Logic The overall operating sequence for LPCI following the receipt of an initiation signal is as follows:

1. If the preferred (offsite) ac power is available, one pump in each subsystem starts after an approximate 5 sec delay. The second pump in each subsystem starts after an approximate 10 sec time delay, taking suction from the suppression pool. The valves in the suction paths to the suppression pool are maintained open so that no automatic action is required to line up suction

2. If the preferred source of ac power is not available, one pump in each subsystem starts after an approximate 5 sec delay after the standby power source is operating. The second pump in each subsystem starts after an approximate 10 sec time delay

3. If the accident has not resulted from rupture of a reactor recirculation line, the LPCI instrumentation selects loop B for water injection

4. If the accident has resulted from rupture of one of the reactor recirculation lines, the LPCI instrumentation identifies the damaged loop

5. The recirculation pump discharge valve in the undamaged reactor recirculation loop automatically closes and recirculation pumps are tripped

6. Valves in the LPCI system respond automatically so that the water pumped from the suppression chamber is routed to the undamaged loop

7. When nuclear system pressure has dropped to a predetermined value, the LPCI injection valves to the undamaged recirculation loop automatically open, allowing the LPCI pumps to inject water into the pressure vessel

8. The LPCI system then delivers water to the reactor vessel via that recirculation loop to restore water level and provide core cooling Figure 7.4-10 shows the locations of sensors. Figures 7.4-11, 7.4-12, and 7.4-13 show the functional use of each sensor in the control circuitry for the various LPCI components. Instrument analytical limit settings used in the current plant safety analysis are given on Table 7.4-4. The actual plant setting is determined in the referenced design basis calculation and has adequate margin to account for the total instrument uncertainty.

7.4-22 Rev. 30 - Nov. 2015

PNPS-FSAR Two automatic initiation functions are provided for the LPCI: reactor vessel low-low water level coincident with low reactor pressure and primary containment (drywell) high pressure. Reactor vessel low water level indicates that the fuel is in danger of being overheated because of an insufficient coolant inventory. Primary containment high pressure is indicative of a break of the nuclear system process barrier inside the drywell.

LPCI can be initiated by low-low water level alone, without reactor low pressure or high drywell pressure after a selected time delay (0 to 30 minutes adjustable). The timing functions start when the low-low water level is reached. The timers are reset automatically if the water level rises above the setpoint before the selected time delay has elapsed. The timers are also reset manually when the ADS reset pushbuttons, one in each of the two ADS trip systems, are depressed.

The instruments used to detect reactor vessel low-low water level coincident with low reactor pressure and primary containment high pressure are the same ones used to initiate the other CSCS. Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset. The seal-in feature is shown on Figure 7.4-11.

Keylocked control switches have been installed to permit blockage of the drywell high pressure initiation signal. These switches are primarily for use under post-LOCA conditions to permit shutdown of the applicable RHR pump motors without affecting the reactor vessel low water level initiation signal.

The scheme used for initiating the LPCI system and the recirculation loop selection logic is a trip system containing two decision making logics. A typical LPCI trip system is shown on Figure 7.4-6. Either of the two decision making logics can initiate the LPCI. The trip system is powered by dc buses.

7.4.3.5.3 LPCI Pump Control The functional control arrangement for the pumps is shown on Figure 7.4-11. If the preferred offsite AC source is available, the four main system pumps start in the timed sequence described above. If the preferred (offsite) ac source is not available, the four main system pumps automatically start in a timed sequence (described above) when the standby ac power source becomes available.

Only three of the four RHR pumps are required to provide adequate flow to restore reactor vessel water level for the design basis LOCA. The time delays are provided by timers which are set as given in the Technical Specifications referenced in Appendix B.

Pressure indicators installed in the pump discharge pipelines upstream of the pump discharge check valves; provide indication of proper pump operation following an initiation signal. A low pressure in a pump discharge pipeline indicates pump failure. The locations of the pressure indicators relative to the discharge check valves prevent the discharge pressure from an operating pump from concealing a pump failure.

7.4-23 Rev. 30 - Nov. 2015

PNPS-FSAR To prevent RHR pump damage due to overheating at no flow, the control circuitry prevents a pump from starting unless a suction path is lined up. Limit switches on suction valves provide indications that a suction lineup is in effect. If suction valves change from their fully open position during RHR pump operation, the limit switches trip the pump power supply breaker open.

The RHR pump motors are provided with overload protection. The overload relays are applied so as to maintain power on the motor as long as possible without harm to the motor or immediate damage to the ac power system. Loss of voltage trips are provided with time delays sufficient to permit automatic transfer from the unit auxiliary source to the preferred source without tripping the pump power supply breaker open. See Section 7.4.3.4.3 for a description of calibration and testing.

The reactor recirculation pumps are tripped automatically upon a LOCA.

If only one of the two recirculation pumps is running, it is tripped by the LPCI initiation logic. Both pumps are automatically tripped by the low reactor water level. When a recirculation pump trip signal is initiated, the power supply breaker for the drive motors of the recirculation pump motor generators sets is tripped open.

7.4.3.5.4 LPCI Valve Control The automatic valves controlled by the LPCI control circuitry are equipped with limit and torque switches which stop the valve operating mechanisms whenever the valves reach the limits of travel. Seal-in and interlock features are provided to prevent improper valve positioning during automatic LPCI operation. The operating mechanisms for the valves are selected to meet times required by the LPCI operational objectives. The design time required for the valves pertinent to LPCI operation to travel from the fully closed to the fully open positions, or vice versa, is as follows:

LPCI injection valves 30 sec Reactor recirculation loop valves 35 sec Containment spray valves* 45 sec Residual heat removal system test 30 sec line isolation valves*

• Normally closed The pump suction valves to the suppression pool are normally open. Two separate operator actions are required in the main control room to shut these valves. Upon receipt of an LPCI initiation signal, RHR shutdown cooling mode valves and the RHR test line valves automatically close.

By closing these valves, the pump suction and discharge is properly routed. Also included in this set of valves are the valves which, if not closed, would permit the pumps to take suction from the reactor recirculation system, a lineup that is used during normal shutdown cooling system operation. All valve motors are protected by overload alarms.

7.4-24 Rev. 30 - Nov. 2015

PNPS-FSAR The LPCI is designed for automatic operation following a break in one of the reactor recirculation loops. The LPCI logic is required to open the injection valve to the unbroken recirculation loop and close the recirculation pump discharge valve in the unbroken recirculation loop.

The control scheme for the LPCI-to-recirculation loop injection valves is shown on Figure 7.4-11 (Drawing M1H1-70BC).

The purpose of the injection valve control circuitry is to identify and direct LPCI flow to the undamaged recirculation loop. This is done by comparing the absolute pressure of the two recirculation loops. The broken loop is indicated by a lower pressure than the unbroken loop.

The loop with the higher pressure is then used for LPCI injection.

Four indicating type differential pressure switches are used in the control circuitry for the injection valves. The differential pressure switches detect the pressure difference between corresponding risers supplying the jet pumps from each recirculation loop. The switches are connected in such a way that a one-out-of-two taken twice logic is used to positively identify a broken recirculation loop. The differential pressure switch setting is selected to give the earliest valid indication of a break in a recirculation loop.

Upon receipt of either a reactor low-low level or a high drywell pressure signal the LPCI logic senses the recirculation pump operation by means of differential pressure between the suction and discharge of each pump. Four differential pressure switches are provided across each recirculation pump. The four sensors in each loop are arranged in a one-out-of-two taken twice logic. A time delay relay provides 1/2 second for the logic to detect if one recirculation pump is running.

If the logic senses that one pump is not running, the operating pump is tripped off. Stopping this pump is necessary to eliminate the possibility of breaks being masked by the operating recirculation pump pressure. If pump stoppage is initiated, there is next a requirement that reactor vessel pressure drop to a specified value before the logic will continue. This adjusts the selection time to optimize sensitivity and still ensure that the LPCI action is not unnecessarily delayed.

There are four separate reactor pressure sensors arranged in a one-out-of-two taken twice logic. After satisfaction of this pressure requirement, or if both recirculation pumps were initially running, a time delay of about 2 seconds is provided to remove initial perturbations and allow momentum effects to stabilize. Loop selection is then initiated by means of the differential pressure switches between the corresponding recirculation loop risers. See Figure 7.4-

15. If, after approximately a half second delay, the pressure in Loop A is not indicating greater than Loop B, the circuit provides a signal to shut the Loop B recirculation pump discharge valve and opens the LPCI injection valve to Loop B. If recirculation Loop A pressure indicates higher than Loop B, the recirculation pump discharge valve in Loop A is ordered shut and the LPCI injection valve to Loop A is signaled open. The injection valves do not open however, until reactor vessel pressure decreases to a value which approximates the discharge head of the LPCI system.LPCI flow then enters the vessel when the check valve opens due to LPCI pressure being higher than reactor pressure.

The sensing circuit for break detection and valve selection is arranged so that failure of a single device will not prevent correct selection of the loop for injection.

A timer cancels the LPCI signals to the injection valves after a delay time long enough to permit satisfactory operation of the LPCI system.

7.4-25 Rev. 30 - Nov. 2015

PNPS-FSAR The cancellation of the signals allows the operator to divert the water for other post-accident purposes. Cancellation of the signals does not cause the injection valves to move.

The manual controls in the main control room allow the operator to open an LPCI injection valve only if either nuclear system pressure is low or the other injection valve in the same pipeline is closed. These restrictions prevent overpressurization of the RHR piping. The same pressure transmitter/trip unit combination used for the automatic opening of the valves is used in the manual circuit. Limit switches on both injection valves in each side provide valve position signals.

To protect the pumps from overheating at low flow rates, a minimum flow bypass pipeline, which routes water from the pump discharge to the suppression pool, is provided for each pair of pumps. A single motor-operated valve controls the condition of each bypass pipeline. The minimum flow bypass valve automatically opens upon sensing low flow in both injection lines. Figure 7.4-10 shows the location of the two flow indicating differential pressure switches on the LPCI injection flow elements.

Figures 7.9-2,3,4 shows the control arrangement for the recirculation loop valves. If a recirculation loop has been damaged, the recirculation pump discharge valve in the undamaged recirculation loop automatically closes upon the receipt of an LPCI injection signal. The valves in the damaged recirculation loop are left open to allow continued depressurization of the nuclear system so that the LPCI and core spray systems can inject water into the reactor vessel as soon as possible.

The same arrangement of differential pressure switches that is used in the LPCI injection valve circuitry to identify a damaged recirculation loop is used in the recirculation loop valve control circuitry. The manual control circuitry for the recirculation loop valves is interlocked to prevent valve opening whenever an LPCI initiation signal is present.

The valves that allow the diversion of water for containment spray cooling are automatically closed upon receipt of an LPCI initiation signal. The manual controls for these valves are interlocked so that opening the valves by manual action is not possible unless both primary containment (drywell) pressure is high, which indicates the need for containment spray cooling, and reactor vessel water level inside the core shroud is above the level equivalent to 2/3 the core height. Four transmitters are used to monitor drywell pressure for the set of valves in each subsystem. The trip setting is selected to be as low as possible yet provide indication of abnormally high drywell pressure.

The drywell pressure trip units associated with these transmitters are arranged in a one-out-of-two taken twice logic arrangement. A single level transmitter/trip unit combination is used to monitor water level inside the core shroud for the set of valves in each subsystem. A keylock switch in the main control room allows a manual override of the 2/3 core height permissive contact for the containment cooling valves.

Sufficient temperature, flow, pressure, and valve position indications are available in the main control room for the operator to accurately assess the LPCI operation. Valves have indications of full open and full closed positions. Pumps have indications for pump running and 7.4-26 Rev. 30 - Nov. 2015

PNPS-FSAR pump stopped. Alarm and indication devices are shown on Figures 7.4-10 and 7.4-13.

7.4.3.5.5 LPCI Environmental Considerations The only control components pertinent to LPCI operation that are located inside the primary containment and that must remain functional in the environment resulting from a LOCA are the cables and valve closing mechanisms for the recirculation loop valves. The cables and valve operators are selected with environmental capabilities that assure valve closure under the environmental conditions resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of this equipment. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate.

7.4.4 Safety Evaluation In Section 14, Station Safety Analysis, and Section 6, Core Standby Cooling Systems, the individual and combined capabilities of the standby cooling systems are evaluated. The control equipment characteristics and trip settings described in these sections were considered in the analysis of CSCS performance. For the entire range of nuclear process system break sizes the cooling systems are effective both in preventing fuel clad melting and in preventing more than a small fraction of the reactor core from reaching the temperature at which a gross release of fission products can occur. This conclusion is valid even with significant failures in individual cooling systems because of the overlapping capabilities of the CSCS. The controls and instrumentation for the CSCS satisfy the precision and timeliness requirements of safety design bases 1 and 2.

Safety design basis 3 requires that instrumentation for the CSCS responds to the potential inadequacy of core cooling regardless of the location of a breach in the nuclear system process barrier. The reactor vessel low water level initiating function, which alone can actuate HPCI, LPCI, and core spray, meets this safety design basis because a breach in the nuclear system process barrier inside or outside the primary containment is sensed by the low water level detectors.

7.4-27 Rev. 30 - Nov. 2015

PNPS-FSAR Because of the isolation responses of the Primary Containment and Reactor Vessel Isolation Control system to a breach of the nuclear system outside the primary containment, the use of the reactor vessel low water level signal as the only Standby Cooling System initiating function that is completely independent of breach location is satisfactory. The other major initiating function, primary containment high pressure, is provided because the Primary Containment and Reactor Vessel Isolation Control system may not be able to isolate all nuclear system breaches inside the primary containment. The primary containment high pressure initiating signal for the CSCS provides a second reliable method for sensing losses of coolant that cannot necessarily be stopped by isolation valve action. This second initiating function is independent of the physical location of the breach within the drywell. The method used to initiate the ADS, which employs reactor vessel low water level and primary containment high pressure in coincidence, requires that the nuclear system breach be inside the drywell because of the required primary containment high pressure signal. This control arrangement is satisfactory in view of the automatic isolation of the reactor vessel by the Primary Containment and Reactor Vessel Isolation Control System for breaches outside the primary containment and because the ADS is required only if the HPCI fails. Thus, safety design basis 3 is satisfied.

An evaluation of CSCS controls shows that no operator action beyond the reasonable capability of the operator is required to initiate the correct responses of the CSCS. The alarms and indications provided to the operator in the main control room allow interpretation of any situation requiring CSCS operations and verify the response of each system. Manual controls are illustrated on functional control diagrams. The main control room operator can manually initiate every essential operation of the CSCS. The degree to which safety is dependent on operator judgement and response has been appropriately limited by the design of CSCS control equipment and safety design bases 4a, 4b, and 4c are therefore satisfied.

The redundancy provided in the design of the control equipment for the CSCS is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the CSCS is similar to that provided by the dual trip system arrangement of the RPS. No failure of a single initiating sensor can prevent the start of the cooling systems. The numbers of control components provided in the design for individual cooling system components is consistent with the need for the controlled equipment. An evaluation of the control schemes for each CSCS component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation the redundancy of components and cooling systems was considered. The functional control diagrams provided with the descriptions of cooling systems controls were used in assessing the functional effects of instrumentation failures. In the course of the evaluation, protection devices which can interrupt the planned operation of cooling system components were investigated for the results of their normal protective action as well as malfunction on core cooling effectiveness. The only protection devices that can act to interrupt planned CSCS operation are those that must act to prevent complete failure of the component or system.

Examples of such devices are the HPCI turbine overspeed trip, HPCI steam line break isolation trip, pump trips on low suction pressure, 7.4-28 Rev. 30 - Nov. 2015

PNPS-FSAR and automatically controlled minimum flow bypass valves for pumps. In every case the action of a protective device cannot prevent other redundant cooling systems from providing adequate cooling to the core.

The locations of controls where operation of CSCS components can be adjusted or interrupted have been surveyed. Controls are located in areas under the surveillance of operations personnel. Local control switches are of the keylock type and main control room override of local switches is provided. Other controls are located in the main control room and are under the supervision of control room personnel.

The environmental capabilities of instrumentation for the CSCS are discussed in the descriptions of the individual systems. Components which are located inside the primary containment and which are essential to standby cooling system performance are designed to operate in the environment resulting from a LOCA.

Special consideration has been given to the performance of reactor vessel water level, pressure sensors, reference legs, and condensing chambers during rapid depressurization of the nuclear system. The discussion of this consideration is included in Section 7.2, Reactor Protection System, and is equally applicable to the instrumentation for the CSCS.

Indication of reactor water is provided by redundant mechanical indicators mounted on local instrument racks.

It is concluded from the previous paragraphs and the description of control equipment that safety design bases 5a through 5d are satisfied.

The testing capabilities of the CSCS, which are discussed in Section 7.4.5, satisfy safety design basis 6.

7.4.5 Inspection and Testing Components required for HPCI, LPCI, and core spray are designed to allow functional testing during normal power operation. Overall testing of these systems is described in Section 6. During overall functional tests the operability of the valves, pumps, turbines, and their control instrumentation can be checked. The relief valves are tested during shutdown periods.

Logic circuitry used in the controls for the CSCS can be individually checked by applying test or calibration signals to the sensors and observing trip system responses. Valve and pump operation from manual switches verifies the ability of breakers and valve closing mechanisms to operate. The automatic control circuitry for the CSCS is arranged to restore each of the cooling systems to normal operation if a LOCA occurs during a test operation.

7.4-29 Rev. 30 - Nov. 2015

PNPS-FSAR 7.4.6 Nuclear Safety Requirements for Plant Operation The CSCS initiation and control instrumentation has been broken down into the incident detection circuitry (IDC) and control instrumentation. The CSCS control instrumentation is not critical for the initiation of the CSCS, only for operational control of those systems. Since the control instrumentation for the CSCS is checked each time the mechanical operation of the CSCS is functionally checked, (see Section 6), only the initiation circuitry, IDC, will be examined for operational requirements in this section.

Table 7.4-5 presents the nuclear safety requirements for the incident detection circuitry for each BWR operating state. The entries on Table 7.4-5 represent an extension of the stationwide BWR systems analysis of Appendix G to the components of the incident detection circuitry. The following referenced portions of the safety analysis report provide important information justifying the entries on Table 7.4-5:

Reference Information Provided

1. Section 7.4 Description of incident detection circuitry hardware; incident detection system sensor setpoints

2. Station Safety Analysis, Analysis verifying performance of Section 14 the incident detection circuitry in transients and accidents

3. Station Nuclear Identifies conditions and events for Safety Operational which incident detection circuitry Analysis, Appendix G action is required

4. Jacobs, I.M. Guidelines Describes methods used to establish for Determining Safe allowable repair times for protection Test Intervals and systems Repair Times for Engineered Safeguards General Electric Company, Atomic Power Equipment Department, APED-5736, April 1969 Each detailed requirement on Table 7.4-5 is referenced, where possible, to the most significant condition originating the need for the requirements by identifying a matrix block on one of the six matrices 3 of Table G.5-3. The matrix block references are given in parentheses beneath the detailed requirements in the "minimum required for action" columns of Table 7.4-5 and are coded as follows:

7.4-30 Rev. 30 - Nov. 2015

PNPS-FSAR Example of Matrix

Reference:

Example of Matrix

Reference:

F39-92

---

F - BWR operating state F,

---

Event (Row 39)

--- Incident Detection Circuitry (Column 92)

In most cases, the basis for an operational nuclear safety requirement is clear from the information provided by the previously noted references. The incident detection circuitry (IDC) requirements in states C, D, E, and F result from considerations for the LOCA or lesser cases of this design basis accident. There are no requirements on the IDC in states A and B. Manual start is shown on Table 7.4-5 to indicate the need for the CSCS in these states, but none of the IDC components are required to assure the manual start capability.

There is one HPCI trip system and one ADS trip system. These two systems function as a pair to satisfy the single failure criterion whenever the nuclear system is pressurized above 150 psig. The safety analysis takes no credit for operation of the HPCI below 150 psig vessel pressure. Even if the HPCI is inoperable when reactor pressure is above 104 psig and below 150 psig, reactor pressure can be brought in to the shutdown cooling range by turbine bypass to the condenser or by limited use of safety relief valves which are required to be operable above 104 psig. It should be noted that the core spray and LPCI systems are capable of providing substantial flow to the reactor vessel at vessel pressure of 150 psig and above.

The vessel pressure for incipient flow to the vessel is in excess of 200 psig for both the Core Spray and LPCI systems. Below 104 psig, the low pressure CSCS can deliver 100 percent of design flow and no requirements are made upon the HPCI and ADS trip systems.

There are two LPCI trip systems and two core spray trip systems.

These trip systems must be operable anytime the nuclear system is pressurized. They must be operable above 104 psig, because they would be required any time the ADS system was actuated.

The operable LPCI and CSS pump discharge pressure channels required in the ADS trip system must be in operable low pressure pump cooling paths. A low pressure pump cooling path includes an RHR or CSS pump and the corresponding piping and equipment required to complete a core cooling path.

7.4.7 Current Technical Specifications The current limiting conditions for operation, surveillance requirements, and their bases are contained in the Technical Specifications referenced in Appendix B.

7.4-31 Rev. 30 - Nov. 2015

PNPS-FSAR 7.10 FEEDWATER CONTROL SYSTEM 7.10.1 Power Generation Objective The objective of the Feedwater Control System is to maintain a preestablished water level in the reactor vessel during planned operation.

7.10.2 Power Generation Design Bases The Feedwater Control System shall regulate the feedwater flow so that the proper water level in the reactor vessel is maintained according to the requirements of the steam separators over the entire operating range of the reactor.

The feedwater flow shall also provide sufficient subcooled water to the reactor vessel during power operation to maintain normal operating temperatures.

7.10.3 Description The feedwater control system, during planned operation, automatically regulates feedwater flow into the reactor vessel. The system is capable of being manually operated.

The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel. During automatic operation, these three measurements are used for controlling feedwater flow.

The optimum reactor vessel water level is determined by the requirements of the steam separators which limit the water carryover with the steam going to the turbines and limit the steam carryunder with the water returning to the core. For optimum limitation of carryover and carryunder, the steam separators require a decrease in reactor vessel water level as a function of an increase in reactor power level. The water level in the reactor vessel is maintained within %2 in of the optimum level. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow regulation is achieved by adjusting the feedwater control valves to deliver the required feedwater flow to the reactor vessel (see Figure 7.10-1, Drawing M1P 2-7).

7.10.3.1 Reactor Vessel Water Level Measurement Reactor vessel water level is measured by two identical, independent sensing systems. A differential pressure transmitter senses the difference between the pressure due to a constant reference column of water and the pressure due to the variable height of water in the reactor vessel. This differential pressure transmitter is installed on differential pressure taps that serve other systems (see Section 7.8, Reactor Vessel Instrumentation). The differential pressure signal is fed into a proportional amplifier which converts the level signal from 4-20MA to 10-50MA for indication and control. The 7.10-1 Rev. 30 - Nov. 2015

PNPS-FSAR reactor vessel water level and pressure from each sensing system are indicated in the main control room. The level signal from either sensing system can be selected by the operator as the signal to be used for feedwater flow control. The water level and the reactor vessel pressure are continually recorded in the main control room.

Each level sensing analog instrumentation system is equipped with a bistable device that provides a signal to trip the feedwater pumps and alarm at the main control room when extreme high water level is detected. A coincident detection of both systems is required for initiation of the automatic backup trip protection of the feedwater pumps. A bypass of this function is provided.

7.10.3.2 Steam Flow Measurement The steam flow is measured across each main steam line flow restrictor by a differential pressure transmitter. A pressure transmitter, multiplier/divider, and proportional amplifier correct the steam flow signal for density to produce an accurate steam flow signal.

The corrected steam flow rate from each main steam line is indicated in the main control room. The steam flow signals are added by a summer to produce a total steam flow signal for indication and feedwater flow control. The total steam flow is recorded in the main control room.

7.10.3.3 Feedwater Flow Measurement Feedwater flow is measured in each feedwater line on the reactor side of the control valves. A flow element in each feedwater line is provided for flow measurement. The pressure difference across the flow element is sensed by a differential pressure transmitter.

Corrections to the feedwater signal are made for water density variations due to temperature changes. These corrections are made by an input from a temperature element through a millivolt/current transmitter and multiplier/divider. The feedwater signal is then linearized by a square root extractor to produce a mass flow rate signal.

A summer is used to add the flow signals from the feedwater lines.

The output from the summer is the total corrected feedwater mass flow rate signal. This signal is used for indication and feedwater flow control. The total feedwater flow is recorded in the main control room.

7.10.3.4 Feedwater Control Signal The feedwater control signal adjusts the feedwater control valves.

The components which are manually operated or automatically function to produce the feedwater control signal are the following:

Level Controller 7.10-2 Rev. 30 - Nov. 2015

PNPS-FSAR During automatic operation of the feedwater control system, the level controller output is the feedwater control signal. During manual operation the level controller output signal is blocked.

The level controller automatically establishes its setpoint, proportional to the total steam flow signals, at the optimum reactor vessel water level. The level controller receives a three-element control input signal (described in paragraph 7.10.3.4.1) which represents reactor vessel water level. The output from the level controller, resulting from comparison of the setpoint to the signal representing reactor vessel water level, regulates the feedwater flow so that the reactor vessel water level meets the setpoint requirement.

Manual/Automatic Transfer Station (one for each feedwater control valve)

The manual/automatic transfer station is a manual controller with a transfer switch. While the feedwater control valves are being controlled by the level controller, the transfer switch is positioned so that the manual controller potentiometer is bypassed and the level controller signal goes through the manual/automatic transfer station to a feedwater control valve. During startup or when manual control may be desirable, the level controller signal is blocked by the transfer switch and the feedwater control signal is transmitted and controlled at the manual/automatic transfer station by the operator.

7.10.3.4.1 Automatic Operation The ability of the Feedwater Control System to maintain reactor vessel water level within a small margin of optimum water level during plant load changes is accomplished by the three element control signal. The three element control signal is the signal fed to the level controller representing reactor vessel water level.

Operations determine the optimum water level to be maintained. This is accomplished by adjusting the level controller setpoint.

The three element control signal is obtained as follows: The total steam flow signal and the total feedwater flow signal are fed into a proportional amplifier. The output from this amplifier reflects the mismatch between its input signals and is designated as the steam flow/feedwater flow error signal. If steam flow is greater than feedwater flow, the amplifier output is increased from its normal value until steam and feedwater flows are equal. The reverse is also true. This amplifier output is fed to a second proportional amplifier which also receives the reactor vessel water level signal.

The addition of the reactor vessel water level signal to the steam flow/feedwater flow error signal results in the three element control signal which is fed to the level controller. A lead lag network is provided to improve system response. Its output is fed to the level controller during three element control.

The feedwater control signal is adjusted by the level controller according to the requirements of the three element control signal 7.10-3 Rev. 30 - Nov. 2015

PNPS-FSAR and the total steam flow signal so that the required reactor vessel water level is maintained.

7.10.3.4.2 Optional Operating Modes Optional methods of Feedwater Control System operation are available, and are used during ascension to power. A one element signal (reactor vessel water level) is used to replace the three element control signal to the level controller. At high power level when steam flow and feedwater flow signals are large, anticipatory action is effective. At low loads (0-40 percent), single element control is recommended since steam flow measurement signal-to-noise ratio is prohibitive and it has no useful anticipatory action.

Manual/automatic transfer stations can be individually operated to transmit feedwater control signals to each of the feedwater control valves.

7.10.3.5 Feedwater Valve Control During normal power operation feedwater is delivered to the reactor vessel through two feedwater valves arranged in parallel. Another valve, the low flow valve, is used exclusively for plant startup and is manually controlled at the manual loading station. The feedwater pumps are powered by constant speed AC motors. The feedwater valves are air operated.

The feedwater control signal is fed to both Feedwater Regulating Valve (FRV) Electronic Positioner/Controllers. For each FRV, an electronic module installed outside of the Condenser Bay provides a signal to a stepper motor/encoder driving a high capacity pneumatic module that directly controls the air supply to the double-acting piston type pneumatic actuator. A displacement sensor mounted on the actuator provides the valve stem position feedback to the electronic module. The FRV is a stacked disk type throttle valve with a characterized trim that optimizes the control of the feed flow over the full operating range.

Protection is provided against overfilling the vessel when in the flow control mode by separate contacts on reactor water level alarm units. These can be set anywhere throughout the control normal reactor water level range. High water level is annunciated by alarm contacts on the reactor level recorder, and reactor feed pump trip alarm units. Siince the high level trip uses 2 out of 2 taken once logic, failure of onee channel to indicate high, does not cause the reactor feed pump trrip. For this reason, this trip is not used in transient analysis begginning with Cycle 21.

The level controller and its associated manual/balance/auto switching that provide for normal manual or automatic control are located in the control room. The manual/auto stations for the valves are also located in the control room.

Each feedwater regulating valve will pneumatically lock-up in the as-is position in the event of a control signal failure, instrument air supply failure, or electronic controller fault condition when in the normal operating mode.

7.10-4 Rev. 30 - Nov. 2015

PNPS-FSAR 7.10.3.6 Feedwater Pump Trip The reactor feedwater pump breakers will be tripped on high-high reactor pressure for events that are indicative of an ATWS event.

The trip occurs from the feedwater pump trip logic in the ATWS panels as described in 3.9.3.3 7.10.4 Inspection and Testing All Feedwater Flow Control System components can be tested and inspected according to manufacturers' recommendations. This can be done prior to plant operation and during scheduled shutdowns.

Reactor vessel water level indications from the two water level sensing systems can be compared during normal operations to detect instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect inconsistencies in their signals. The level controller can be tested while the feedwater control system is being controlled by the manual/automatic transfer stations.

7.10-5 Rev. 30 - Nov. 2015

PNPS-FSAR Figure 7.10-1 has been removed.

Please refer to BECo Controlled Drawing M1P 2-7.

1 of 1 Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS Section Title Volume Section 1 Introduction and Summary 1 1.1 Project Identification 1 1.2 Definitions 1 1.3 Methods of Technical Presentation 1 1.4 Classification of BWR Systems, Criteria, 1 and Requirements for Safety Evaluation 1.5 Principal Design Criteria 1 1.6 Station Description 1 1.7 Comparison of Principal Design Characteristics 1 1.8 Summary of Radiation Effects 1 1.9 Station Management 1 1.10 Quality Assurance Program 1 1.11 Station Research, Development, and Further Information Requirements and Resolutions Summary 1 Section 2 Station Site and Environs 1 2.1 Introduction 1 2.2 Site Description 1 2.3 Meteorology 1 2.4 Hydrology 1 2.5 Geology and Seismology 1 2.6 Environs Radiation Surveillance Program 1 Section 3 Reactor 1 3.1 Summary Description 1 3.2 Fuel Mechanical Design 1 3.3 Reactor Vessel Internals Mechanical Design 1 3.4 Reactivity Control Mechanical Design 1 3.5 Control Rod Drive Housing Supports 1 3.6 Nuclear Design 1 3.7 Thermal and Hydraulic Design 1 3.8 Standby Liquid Control System 1 3.9 Recirculation Pump Trip, Alternate Rod Insertion, and Feedwater Pump Trip Systems 1 Section 4 Reactor Coolant System 2 4.1 Summary Description 2 4.2 Reactor Vessel and Appurtenances Mechanical Design 2 4.3 Recirculation System 2 4.4 Nuclear System Pressure Relief System 2 4.5 Main Steam Line Flow Restrictor 2 Summ T of C-i Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS (Cont)

Section Title Volume 4.6 Main Steam Line Isolation Valves 2 4.7 Reactor Core Isolation Cooling System 2 4.8 Residual Heat Removal System 2 4.9 Reactor Water Cleanup System 2 4.10 Nuclear System Leakage Rate Limits 2 4.11 Main Steam Lines and Feedwater Piping 2 Section 5 Containment 2 5.1 Summary Descriptions 2 5.2 Primary Containment System 2 5.3 Secondary Containment System 2 5.4 Control of Combustible Gas Concentrations in Containment 2 Section 6 Core Standby Cooling Systems 2 6.1 Safety Objective 2 6.2 Safety Design Bases 2 6.3 Summary Description - Core Standby Cooling Systems 2 6.4 Description 2 6.5 Safety Evaluation 2 6.6 Inspection and Testing 2 6.7 The Nuclear Safety Requirements for Plant Operation 2 6.8 Current Technical Specifications 2 Section 7 Control and Instrumentation 3 7.1 Summary Description 3 7.2 Reactor Protection System 3 7.3 Primary Containment and Reactor Vessel Isolation Control System 3 7.4 Core Standby Cooling Systems Control and Instrumentation 3 7.5 Neutron Monitoring System 3 7.6 Refueling Interlocks 3 7.7 Reactor Manual Control System 3 7.8 Reactor Vessel Instrumentation 3 7.9 Recirculation Flow Control System 3 7.10 Feedwater Control System 3 7.11 Turbine Generator Control System 3 7.12 Process Radiation Monitoring 3 7.13 Area Radiation Monitoring System 3 7.14 Environs Radiation Monitors 3 7.15 Health Physics and Laboratory Analysis Radiation Monitors 3 Summ T of C-ii Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS (Cont)

Section Title Volume 7.16 Process Computer System 3 7.17 Nuclear System Stability Analysis for Initial Core 3 7.18 Reactor Building Isolation and Control System 3 7.19 RHR Service Water System (SSW, RBCCW) 3 7.20 Equipment Area Cooling System 3 7.21 Meteorological Instrumentation 3 Section 8 Electrical Power System 4 8.1 Summary Description 4 8.2 Unit and Preferred AC Power Sources 4 8.3 Secondary AC Power Source 4 8.4 Auxiliary Power Distribution System 4 8.5 Standby AC Power Source 4 8.6 125 and 250 Volt DC Power Systems 4 8.7 24 Volt DC Power System 4 8.8 120 Volt AC Power Systems 4 8.9 Cable Installation Criteria 4 8.10 Blackout AC Power Source 4 Section 9 Radioactive Waste Systems 4 9.1 Summary Description 4 9.2 Liquid Radwaste System 4 9.3 Solid Radwaste System 4 9.4 Gaseous Radwaste System 4 9.5 Trash Compaction and Decontamination Facilities 4 Section 10 Auxiliary Systems 4 10.1 Summary Description 4 10.2 New Fuel Storage 4 10.3 Spent Fuel Storage 4 10.4 Fuel Pool Cooling and Cleanup System 4 10.5 Reactor Building Closed Cooling Water System 4 10.6 Turbine Building Closed Cooling Water System 4 10.7 Salt Service Water System 4 10.8 Fire Protection System 4 10.9 HVAC Systems 4 10.10 Makeup Water Treatment System 4 10.11 Instrument and Service Air Systems 4 10.12 Potable and Sanitary Water System 4 10.13 Equipment and Floor Drainage Systems 4 10.14 Process Sampling Systems 4 10.15 Communications Systems 4 10.16 Station Lighting System 4 10.17 Main Control Room Environmental Control System 4 10.18 Equipment Area Cooling System 4 10.19 Post Accident Sampling System 4 Summ T of C-iii Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS (Cont)

Section Title Volume 10.20 Crack Arrest Verification System 4 10.21 Hydrogen Water Chemistry Extended Test System 4 10.22 Electrolytic Hydrogen Water Chemistry System 4 10.23 Mitigation Monitoring System 4 Section 11 Power Conversion Systems 4 11.1 Summary Description 4 11.2 Turbine-Generator 4 11.3 Main Condenser 4 11.4 Main Condenser Gas Removal and Turbine Sealing Systems 4 11.5 Turbine Bypass System 4 11.6 Circulating Water System 4 11.7 Condensate Demineralizer System 4 11.8 Condensate and Feedwater System 4 11.9 Condensate Storage System 4 Section 12 Structures and Shielding 4 12.1 Summary Description 4 12.2 Structural Design 4 12.3 Shielding and Radiation Protection 4 12.4 Radioactive Materials Safety 4 Section 13 Conduct of Operations 5 13.1 Introduction and Summary 5 13.2 Organization and Responsibilities 5 13.3 Training 5 13.4 Preoperational Test Program 5 13.5 Reactor Startup and Power Test Program 5 13.6 Station Procedures 5 13.7 Records 5 13.8 Operational Review and Audits 5 Section 14 Station Safety Analysis 5 14.1 Introduction 5 14.2 Reactor Limits 5 14.3 Method of Approach 5 14.4 Abnormal Operational Transients 5 14.5 Postulated Design Basis Accidents 5 14.6 Special Events 5 14.7 References 5 Summ T of C-iv Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS (Cont)

Section Title Volume Appendix A Pressure Integrity of Piping and Equipment Pressure Parts 5 A.1 Scope 5 A.2 Classification of Piping and Equipment Pressure Parts 5 A.3 Design Requirements 5 A.4 Materials 5 A.5 Fabrication and Installation Requirements 5 A.6 Testing and Inspection Requirements 5 A.7 Final Cleaning and Protection 5 A.8 F1, F2, F3, and F4 Fabrication and Erection Schedule 5 A.9 M1, M2, and M3 Material Schedules 5 A.10 T1, T2, T3, T4, and T5 Inspection and Testing Schedules 5 Appendix B Technical Specifications 5 B.1 Technical Specifications 5 B.2 Technical Specifications Relocated to the FSAR 5 B.3 Relocated Technical Specifications and Related 5 Bases 5 B.4 References 5 Appendix C Structural Loading Criteria 5 C.1 Scope 5 C.2 Concrete and Steel Structures 5 C.3 Components 5 Appendix D Quality Assurance Program 5 D.1 General 5 D.2 Program Organization and Responsibility 5 D.3 Quality Surveillance and Auditing 5 D.4 Quality Controls and Assurance Measures 5 D.5 QC-QA Documentation and Records 5 D.6 Project Communications 5 Attachment D.I General Electric Quality System for BWR Nuclear Steam Supply Projects 5 Attachment D.II Bechtel Quality Assurance Program, Pilgrim Nuclear Power Station 5 Attachment D.III Site Handling and Storage of Nuclear Steam Supply System Equipment, Pilgrim Nuclear Power Station 5 Summ T of C-v Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS (Cont)

Section Title Volume Appendix E Stack Release Limit Calculations for Pilgrim Station Site 5 E.1 Analytical Model 5 E.2 Verification of Analytical Model 5 E.3 Stack Release Limit Calculations for Pilgrim Station Site 5 E.4 Building Exhaust Vent Release 5 E.5 Summary 5 E.6 References 5 Appendix F Comparison of Pilgrim Nuclear Power Station with the Proposed General Design Criteria Published by the AEC for Public Comment in The Federal Register July 11, 1967 6 F.1 Summary Description 6 F.2 Criteria Conformance 6 Appendix G Station Nuclear Safety Operation Analysis Supporting Nuclear Safety Requirements for Plant Operation 6 G.1 Analytical Objective 6 G.2 Bases for Selecting Operation Requirements for Plant Operation 6 G.3 Bases for Selecting Surveillance Test Frequencies for Nuclear Safety Systems and Engineered Safeguards for Plant Operation 6 G.4 Method of Analysis 6 G.5 Analysis and Results 6 G.6 Conclusion 6 Appendix H Tornado Criteria for Nuclear Power Plants 6 H.0 Foreword 6 H.1 Introduction 6 H.2 Characteristics of Tornadoes 6 H.3 Tornado Probability 6 H.4 Wind Loading 6 H.5 Pressure Differential 6 H.6 Water Loss 6 H.7 Tornado Missiles 6 H.8 References 6 Summ T of C-vi Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS (Cont)

Appendix I Site Investigation of the Seabreezes 6 I.1 Introduction 6 I.2 Results and Conclusions 6 Section Title Volume I.3 Discussion 6 I.4 Data and Calculations 6 I.5 References 6 Appendix J Station Research, Development, and Further Information Requirements and Resolution 6 J.1 Resolution of ACRS Concerns 6 J.2 Areas Specified in the ACRS Construction Permit Letter for Pilgrim Nuclear Power Station 6 J.3 Areas Specified in the AEC Staff Construction Permit - Safety Evaluation Report for Pilgrim Nuclear Power Station 6 J.4 Areas Specified in Recent, Related ACRS Construction and Operating Permit Letters 6 J.5 Summary Conclusions 6 J.6 References 6 Appendix K Inservice Inspection Program 6 K.1 General 6 K.2 Inspection Program Development 6 K.3 Inspection Program Implementation 6 K.4 Reference Base Examinations 6 K.5 Documentation and Records 6 Appendix L Containment Report 7 L.1 Introduction and Summary 7 L.2 Basis for Containment Design 7 L.3 Containment System Design 7 L.4 Initial Overload and Leakage Rate Test 7 L.5 Manufacturer's Data Report for Nuclear Vessels 7 Appendix M Reactor Pressure Vessel Design Report 7 M.1 Introduction to the Report 7 M.2 Summary 7 Appendix N Emergency Plan 7 Summ T of C-vii Rev. 30 - Nov. 2015

PNPS-FSAR

SUMMARY

TABLE OF CONTENTS (Cont)

Section Title Volume Appendix O Analysis of the Consequences of High Energy Piping Failures Outside The Primary Containment 7 O.1 Introduction 7 O.2 Analysis Assumptions 7 O.3 Analysis Approach 7 O.4 Structural Loading Analytical Technique 7 O.5 Jet and Fluid Forces Analytical Techniques 7 O.6 Detailed System Analyses 7 O.7 Environmental Qualification of Electrical Equipment 7 Appendix P Deleted 7 Appendix Q Supplemental Reload Submittal 7 Q.1 Introduction 7 Appendix R Initial Core Station Safety Analysis 7 R.1 Introduction 7 R.2 Analyses of Abnormal Operational Transients (Initial Core) 7 R.3 Analysis of Design Basis Accidents (Initial Core) 7 R.4 Special Events (Initial Core) 7 R.5 Analytical Methods (Initial Core) 7 R.6 Evaluation Using Standard NRC Approach (Initial Core) 7 Appendix S License Renewal Commitments 7 S.1 Supplement for Renewed Operating License 7 S.2 Aging Management programs and Activities 7 Transients (Initial Core) 7 S.3 Evaluation of Time-Limited Aging Analyses 7 S.4 References 7 Summ T of C-viii Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number VOLUME 4 Summ T of C-i..........................................30 Summ T of C-ii.........................................30 Summ T of C-iii........................................30 Summ T of C-iv.........................................30 Summ T of C-v..........................................30 Summ T of C-vi.........................................30 Summ T of C-vii........................................30 Summ T of C-viii.......................................30 List of Effective Pages Vol. 4 (1 thru 10).............30 SECTION 8 8-i....................................................30 8-ii...................................................30 8-iii..................................................30 8-iv...................................................30 8-v....................................................30 8.1-1..................................................21 8.1-2..................................................21 F8.1-1 (1 of 1)........................................11 F8.1-2 (1 of 1).........................................0 8.2 Pages 1-9..........................................30 T8.2-1 (1 of 1)........................................25 F8.2-1 Refer to E1 ....................................17 F8.2-2 Refer to E6 ....................................17 8.3 Pages 1-4..........................................28 EP4 - 1 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number 8.4 Pages 1-9..........................................29 T8.4-1 (1 of 1)........................................26 T8.4-2 (1 of 1)........................................26 T8.4-3 (Pages 1 - 3)...................................26 T8.4-4 (Pages 1 - 2)...................................26 F8.4-1 Refer to E7 ....................................17 F8.4-2 Refer to E9 ....................................17 F8.4-3 Refer to E10 ...................................17 F8.4-4 Refer to E11 ...................................17 F8.4-5 Refer to E12....................................17 8.5 Pages 1-12.........................................26 T8.5-1 (Pages 1 - 3)...................................26 T8.5-2 (1 of 1)........................................26 T8.5-2A (1 of 1).......................................26 T8.5-3 (1 of 1)........................................27 T8.5-4 (1 of 1)........................................26 F8.5-1 Refer to M223 ..................................17 8.6 Pages 1-9..........................................30 T8.6-1 (1 of 1)........................................26 T8.6-2 (Pages 1 - 2)...................................26 F8.6-1 Refer to E13 ...................................17 8.7-1...................................................0 8.7-2...................................................0 F8.7-1 Refer to E14 ...................................17 8.8 Pages 1-5..........................................30 8.9 Pages 1-8..........................................28 T8.9-1 (1 of 1).........................................0 F8.9-1 (1 of 1).........................................0 8.10-1.................................................23 8.10-2.................................................23 T8.10-1 (1 of 1).......................................10 T8.10-2 (1 of 1).......................................10 EP4 - 2 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number SECTION 9 9-i....................................................29 9-ii...................................................29 9-iii..................................................29 9-iv...................................................29 9.1-1..................................................24 9.2-1..................................................27 9.2-2..................................................27 9.2-3..................................................27 9.2-4..................................................27 9.2-5..................................................27 9.2-6..................................................27 9.2-7..................................................27 T9.2-1 (1 of 2)........................................25 T9.2-1 (2 of 2)........................................25 F9.2-1 (deleted).......................................25 F9.2-2 Refer to M232 ..................................25 F9.2-3 Refer to M233 ..................................25 F9.2-4 Refer to M234 ..................................25 F9.2-5 Refer to M217 ..................................25 9.3-1..................................................25 9.3-2..................................................25 9.3-2a.................................................22 9.3-3..................................................25 9.3-3a.................................................25 9.3-4..................................................25 9.3-5..................................................25 9.3-6..................................................23 9.3-7..................................................23 F9.3-1 Refer to M235 ..................................17 9.4-1..................................................21 9.4-2..................................................24 9.4-2a.................................................24 9.4-2b.................................................24 9.4-3..................................................24 9.4-4..................................................24 9.4-4a.................................................24 9.4-5..................................................24 9.4-5a.................................................24 9.4-6..................................................23 9.4-6a.................................................23 EP4 - 3 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number 9.4-6b.................................................22 9.4-7..................................................23 9.4-8...................................................2 9.4-9..................................................23 9.4-10..................................................7 9.4-11..................................................2 T9.4-1 (1 of 1)........................................24 T9.4-2 (1 of 1)........................................24 T9.4-3 (1 of 1).........................................0 T9.4-4 (1 of 1).........................................7 T9.4-5 (1 of 1)........................................23 T9.4-6 (1 of 3)........................................21 T9.4-6 (2 of 3)........................................21 T9.4-6 (3 of 3)........................................22 F9.4-1 Refer to M254 ..................................17 F9.4-2 (1 of 1).........................................0 F9.4-3 Refer to M29 ...................................17 F9.4-4 (deleted).......................................15 F9.4-5 (1 of 1)........................................24 9.5 Pages 1-3..........................................26 SECTION 10 10-i...................................................30 10-ii..................................................30 10-iii.................................................30 10-iv..................................................30 10-v...................................................30 10-vi..................................................30 10-vii.................................................30 10-viii................................................30 10-ix..................................................30 10-x...................................................30 10.1-1.................................................25 10.2 Pages 1-3.........................................30 10.3 Pages 1-14........................................30 F10.3-1 (1 of 1).......................................18 F10.3-2 (1 of 1).......................................18 F10.3-3 (1 of 1).......................................18 F10.3-4 (1 of 1).......................................27 F10.3-5 (1 of 1).......................................27 F10.3-6 (1 of 1).......................................18 EP4 - 4 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number F10.3-7 (1 of 1).......................................27 10.4-1.................................................23 10.4-1a................................................23 10.4-2.................................................21 10.4-3.................................................23 T10.4-1 (1 of 1).......................................19 F10.4-1 Refer to M231 .................................17 10.5-1.................................................11 10.5-2.................................................11 10.5-3.................................................22 10.5-3a................................................22 10.5-4.................................................22 10.5-5.................................................23 T10.5-1 (1 of 1).......................................23 T10.5-2 (1 of 1).......................................24 F10.5-1 Refer to M-215 ................................17 10.6 Pages 1-3.........................................29 T10.6-1 (Pages 1 - 2)..................................26 T10.6-2 (Pages 1 - 2)..................................26 F10.6-1 Refer to M216 .................................17 10.7 Pages 1-8.........................................29 F10.7-1 Refer to M212 .................................17 10.8 Pages 1-16........................................30 T10.8-1 (1 of 3).......................................21 T10.8-1 (2 of 3).......................................22 T10.8-1 (3 of 3).......................................19 T10.8-2 (1 of 2).......................................16 T10.8-2 (2 of 2).......................................13 F10.8-1 Refer to M218..................................26 10.9-1.................................................27 10.9-2.................................................27 10.9-3.................................................27 EP4 - 5 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number 10.9-4.................................................27 10.9-5 (Pages 1 - 2)...................................27 10.9-6.................................................27 10.9-7.................................................27 10.9-8.................................................27 10.9-9.................................................27 10.9-10................................................27 10.9-11................................................27 10.9-12................................................27 T10.9-1 (Pages 1 - 2)..................................27 T10.9-2 (Pages 1 - 2)..................................29 F10.9-1 Refer to M236 .................................17 F10.9-2 Refer to M237 .................................17 F10.9-3 Refer to M289 .................................17 F10.9-4 Refer to M288 .................................17 F10.9-5 Refer to M290 .................................17 F10.9-6 Refer to M292 .................................17 10.10 Pages 1-3........................................30 F10.10-1 Refer to M224 and M225........................17 10.11 Pages 1-4........................................30 F10.11-1 Refer to M220 ................................30 10.12-1.................................................0 10.13 Pages 1-3........................................30 10.14-1.................................................4 T10.14-1 (1 of 4)......................................13 T10.14-1 (2 of 4).......................................7 T10.14-1 (3 of 4).......................................9 T10.14-1 (4 of 4).......................................9 F10.14-1 Refer to M228, M229 and M230..................17 10.15 Pages 1-5........................................29 10.16-1................................................22 10.16-1a...............................................22 10.16-2................................................16 EP4 - 6 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number 10.17 Pages 1-5........................................26 F10.17-1 Refer to M287 ................................17 10.18 Pages 1 - 4......................................26 10.19-1................................................25 10.19-1a...............................................25 10.19-2................................................21 10.19-3................................................25 F10.19-1 Refer to M239 ................................17 10.20 Pages 1 - 2......................................26 F10.20-1 Refer to M256 ................................21 10.21 Pages 1-6........................................30 T10.21-1 (1 of 1)......................................26 F10.21-1 (1 of 1)......................................26 F10.21-2 Refer to M257 ................................21 F10.21-3 Refer to M258 ................................21 F10.21-4 Refer to M260 ................................21 10.22-1................................................21 10.22-2................................................21 10.22-3................................................21 10.22-4................................................22 10.22-5................................................22 10.22-6................................................22 10.22-7................................................22 10.22-8................................................22 10.22-9................................................22 10.22-10...............................................21 10.22-11...............................................21 10.22-12...............................................21 10.22-13...............................................21 10.22-14...............................................21 10.22-15...............................................21 10.22-16...............................................24 F10.22-1 Refer to M269 ................................21 10.23 Pages 1-2........................................26 EP4 - 7 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number SECTION 11 11-i...................................................29 11-ii..................................................29 11-iii.................................................29 11.1-1..................................................4 11.2-1..................................................4 11.2-2..................................................0 11.2-3.................................................21 11.2-4.................................................21 11.3-1..................................................0 11.3-2..................................................0 11.4-1.................................................21 11.4-2.................................................21 11.4-2a................................................24 F11.4-1 Refer to M210..................................17 11.5-1..................................................0 F11.5-1 Refer to M203..................................17 11.6-1.................................................22 11.6-2.................................................21 11.6-3.................................................29 F11.6-1 Refer to M211 .................................17 11.7-1.................................................25 F11.7-1 Refer to M213 .................................17 F11.7-2 Refer to M214..................................17 11.8 Pages 1-2.........................................29 F11.8-1 Refer to M207 .................................17 F11.8-2 Refer to M208 .................................17 11.9-1 ................................................28 F11.9-1 Refer to M209 .................................17 SECTION 12 12-i...................................................30 12-ii..................................................30 12-iii.................................................30 EP4 - 8 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number 12-iv..................................................30 12-v...................................................30 12-vi..................................................30 12-vii.................................................30 12.1-1..................................................0 F12.1-1 Refer to M11...................................17 F12.1-2 Refer to M12...................................17 F12.1-3 Refer to M13...................................17 F12.1-4 Refer to M14 ..................................17 F12.1-5 Refer to M15...................................17 F12.1-6 Refer to M16...................................17 F12.1-7 Refer to M17...................................17 F12.1-8 Refer to M18...................................17 F12.1-9 Refer to M19...................................17 F12.1-10 Refer to M20..................................17 F12.1-11 Refer to M21..................................17 F12.1-12 Refer to M22..................................17 F12.1-13 Refer to M23..................................17 F12.1-14 Refer to M24..................................17 F12.1-15 Refer to M25..................................17 F12.1-16 Refer to M26..................................17 12.2 Pages 1-24........................................30 T12.2-1 (1 of 3)........................................0 T12.2-1 (2 of 3)........................................0 T12.2-1 (3 of 3).......................................21 T12.2-2 (1 of 1).......................................21 T12.2-3 (1 of 1).......................................21 T12.2-4 (1 of 1).......................................21 T12.2-5 (1 of 1)........................................2 T12.2-6 (1 of 3)........................................0 T12.2-6 (2 of 3)........................................0 T12.2-6 (3 of 3)........................................0 F12.2-1 (deleted).......................................4 F12.2-2 Refer to M27 ..................................17 F12.2-3 Refer to M28 ..................................17 F12.2-4 (1 of 1)........................................0 F12.2-5 Refer to C4 ...................................17 F12.2-6 (1 of 1)........................................0 F12.2-7 (1 of 1)........................................0 F12.2-8 (1 of 1)........................................0 F12.2-9 (1 of 1)........................................0 EP4 - 9 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF EFFECTIVE PAGES

• • VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**VOLUME 4**

Page, Table (T), or Revision Figure (F) Number F12.2-10 (1 of 1).......................................0 F12.2-11 (1 of 1).......................................0 F12.2-12 (1 of 1).......................................0 12.3 Pages 1-7.........................................26 F12.3-1 Refer to A100 .................................26 F12.3-2 Refer to A101 .................................26 F12.3-3 Refer to A102 .................................26 F12.3-4 Refer to A103 .................................26 F12.3-5 Refer to A104 .................................26 F12.3-6 Refer to A106 .................................26 F12.3-7 Refer to A107 .................................26 F12.3-8 Refer to A108 .................................26 F12.3-9 Refer to A109 .................................26 F12.3-10 Refer to A110 ................................26 F12.3-11 Refer to A111 ................................26 12.4 Pages 1-7.........................................30 T12.4-1 (deleted) ................................ 26 EP4 - 10 of 10 Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 8 ELECTRICAL POWER SYSTEM TABLE OF CONTENTS Section Title Page 8.1

SUMMARY

DESCRIPTION 8.1-1 8.2 UNIT AND PREFERRED AC POWER SOURCES 8.2-1 8.2.1 Unit AC Power Source 8.2-1 8.2.1.1 Power Generation Objective 8.2-1 8.2.1.2 Safety Design Basis 8.2-1 8.2.1.3 Power Generation Design Basis 8.2-1 8.2.1.4 Description 8.2-1 8.2.1.5 Inspection and Testing 8.2-2 8.2.2 Preferred AC Power Source 8.2-2 8.2.2.1 Power Generation Objective 8.2-2 8.2.2.2 Safety Design Basis 8.2-2 8.2.2.3 Power Generation Design Basis 8.2-3 8.2.2.4 Description 8.2-3 8.2.2.5 (Deleted) 8.2-5 8.2.2.6 Safety Evaluation 8.2-5 8.2.2.6.1 General 8.2-5 8.2.2.6.2 Analytical Studies 8.2-5 8.2.2.6.3 Single Failure Analysis 8.2-8 8.2.2.6.4 Conclusions 8.2-9 8.2.2.7 Inspection and Testing 8.2-9 8.2.2.8 Proposed Nuclear Safety Requirements for Initial Plant Operation 8.2-9 8.3 SECONDARY AC POWER SOURCE 8.3-1 8.3.1 Power Generation Objective 8.3-1 8.3.2 Safety Design Basis 8.3-1 8.3.3 Description 8.3-1 8.3.4 Safety Evaluation 8.3-2 8.3.5 Inspection and Testing 8.3-4 8.4 AUXILIARY POWER DISTRIBUTION SYSTEM 8.4-1 8.4.1 Safety Objective 8.4-1 8.4.2 Power Generation Objective 8.4-1 8.4.3 Safety Design Basis 8.4-1 8.4.4 Power Generation Design Basis 8.4-1 8.4.5 Description 8.4-1 8.4.5.1 Arrangement of Auxiliary Buses 8.4-1 8.4.5.2 System Components 8.4-4 8.4.6 Safety Evaluation 8.4-5 8.4.7 Inspection and Testing 8.4-9 8.4.8 Proposed Nuclear Safety Requirements for Initial Plant Operation 8.4-9 8-i Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 8.5 STANDBY AC POWER SOURCE 8.5-1 8.5.1 Safety Objective 8.5-1 8.5.2 Safety Design Basis 8.5-1 8.5.3 Description 8.5-2 8.5.4 Safety Evaluation 8.5-6 8.5.5 Inspection and Testing 8.5-9 8.5.6 Proposed Nuclear Safety Requirements for Initial Plant Operation 8.5-9 8.5.7 Current Operational Nuclear Safety Requirements 8.5-12 8.6 125V AND 250V DC POWER SYSTEMS 8.6-1 8.6.1 Safety Objective 8.6-1 8.6.2 Safety Design Basis 8.6-1 8.6.3 Description 8.6-1 8.6.4 Safety Evaluation 8.6-4 8.6.5 Inspection and Testing 8.6-6 8.6.6 Proposed Nuclear Safety Requirements for Initial Plant Operation 8.6-6 8.6.7 Current Operational Nuclear Safety Requirements 8.6-9 8.7 24V DC POWER SYSTEM 8.7-1 8.7.1 Power Generation Objective 8.7-1 8.7.2 Power Generation Design Basis 8.7-1 8.7.3 Description 8.7-1 8.7.4 Inspection and Testing 8.7-2 8.8 120V AC POWER SYSTEMS 8.8-1 8.8.1 Safety Objective 8.8-1 8.8.2 Power Generation Objective 8.8-1 8.8.3 Safety Design Basis 8.8-1 8.8.4 Power Generator Design Basis 8.8-2 8.8.5 Description 8.8-2 8.8.6 Inspection's Testing 8.8-4 8.9 CABLE INSTALLATION CRITERIA 8.9-1 8.9.1 General Design Criteria 8.9-1 8.9.2 Specific System Wiring Criteria 8.9-2 8.9.3 Physical Separation and Protection Design Criteria 8.9-4 8.9.4 Installation Evaluation 8.9-6 8.9.5 Cable Protection and Process Instrumentation Location Criteria 8.9-6 8-ii Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 8.10 BLACKOUT AC POWER SOURCE 8.10-1 8.10.1 Power Generation Objective 8.10-1 8.10.2 Power Generation Design Basis 8.10-1 8.10.3 Description 8.10-1 8.10.4 Inspection and Testing 8.10-2 8-iii Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 8 LIST OF TABLES Table Title 8.2-1 List of Major Electrical Equipment Unit and Preferred AC Power Sources 8.4-1 List of Major Loads Auxiliary Power System 8.4-2 List of Major Electrical Equipment Auxiliary Power System 8.4-3 Periodic Tests of Auxiliary Power Systems 8.4-4 Principal Design Criteria For MCC (B17, B18, B20) Enclosures 8.5-1 Diesel Generator Emergency Loads Standby AC Power System 8.5-2 Standby Diesel Generator System Typical Timing and Sequential Loading of Diesel Generators 8.5-2A Standby Diesel Generator System Typical Timing and Sequential Loading of Diesel Generators 8.5-3 Standby AC Power Source Equipment List 8.5-4 Emergency Diesel Generator Maximum Allowable Loading (kW)

Between Major Inspections or Overhauls 8.6-1 List of Major Electrical Equipment - 125/250V DC Power Systems 8.6-2 Principal Design Criteria for MCC (D7, D8, D9) Enclosures 8.9-1 Cable Separation Requirements in Missile Zones 8.10-1 List of Major Loads Blackout AC Power Source 8.10-2 Blackout AC Power Source Equipment List 8-iv Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 8 LIST OF FIGURES Figure Title 8.1-1 Station Transmission System, One Line Diagram (Drawing E1 SH3) 8.1-2 Electrical Diagram Symbols 8.2-1 Single Line Diagram-Station (Drawing E1 SH1) 8.2-2 Single Line Meter and Relay Diagram-Main Generator and Auxiliary Transformers (Drawing E6 SH1) 8.4-1 Single Line Meters and Relay Diagram-4,160V System (Drawing E7) 8.4-2 Single Line Meter and Relay Diagram - 480V System - Load Centers and Motor Control Centers B10 and B20 (Drawing E9) 8.4-3 Single Line Diagram - 480V System - Motor Control Centers B14, B15, B17, and B18 (Drawing E10) 8.4-4 Single Line Diagram - 480V System - Motor Control Centers B13, B22, B23, B25, and B26 (Drawing E11) 8.4-5 Single Line Diagram - 480V System - Motor Control Centers B16, B19, and B21 (Drawing E12) 8.5-1 Diesel Oil Storage and Transfer System, Piping and Instrumentation Diagram (Drawing M223) 8.6-1 Single Line Relay and Meter Diagram - 125V and 250V DC Systems (Drawing E13) 8.7-1 Single Line Diagram - 120V Instrument AC, Vital and Reactor Protection AC Systems, 24V DC Neutron Monitoring System (Drawing E14) 8.9-1 Drywell Electrical Penetration Groupings 8-v Rev. 30 - Nov. 2015

PNPS-FSAR 8.2 UNIT AND PREFERRED AC POWER SOURCES 8.2.1 Unit AC Power Source 8.2.1.1 Power Generation Objective The station main generator, while supplying power to the 345 kV transmission system through the main transformer, also supplies through the unit auxiliary transformer, the unit source of AC power necessary for all station auxiliaries during power operation.

The main and unit auxiliary transformers can provide alternate access to the 345 kV supply following loss of the startup transformer.

8.2.1.2 Not used.

8.2.1.3 Power Generation Design Basis

1. The unit AC power source is capable of supplying all loads during power operation.

2. The main transformer is capable of transmitting the station output to the 345 kV switchyard.

8.2.1.4 Description The station main generator provides power through the isolated phase bus at 24 kV to both the main transformer and the unit auxiliary transformer. The generator voltage is stepped up through the main transformer to 345 kV and power flows into the ring bus in the switchyard to the New England power grid over the two 345 kV transmission lines connected to the ring bus. The generator voltage is reduced through the unit auxiliary transformer to 4,160 V, and power flows into the auxiliary power distribution system as described in Section 8.4.

Table 8.2-1 provides detailed electrical ratings of equipment discussed in Section 8.2. Figure 8.2-1 (Drawing E1 SH1) illustrates the power flow and connection from the main generator to the 345 kV switchyard and station service system.

The main generator stator core and the rotor conductors are hydrogen cooled. Excitation is from a self-excited, shaft-driven alternator with stationary rectifier banks to accomplish the AC to DC conversion. The generator is grounded through a grounding transformer with a secondary resistor.

See Figure 8.2-2 (Drawing E6 SH1) for details of the excitation and protective relay systems for the generator.

Bolted flexible connectors located at the main transformer and main generator are included to isolate the main generator from the main transformer and unit auxiliary transformer with sufficient clearance to permit operation of the main transformer and unit transformer from the 345 kV system with 8.2-1 Rev. 30 - Nov. 2015

PNPS-FSAR the generator disconnected. Special provisions have been included for personnel access and rapid removal of the connections to facilitate energization of the station auxiliary busses using this alternate access to the 345 kV source.

The main transformer 345 kV high voltage winding is connected in grounded wye to the 345 kV ring bus in the switchyard. The low voltage 22.8 kV winding is connected in delta.

The unit auxiliary transformer 23 kV high voltage winding is connected in delta. The two 4.16 kV low voltage windings, X and Y, are each connected in resistance grounded wye. The X winding feeds four 250 MVA switchgear buses and the Y winding feeds two 350 MVA switchgear buses. These buses are in the auxiliary power distribution system and are described in Section 8.4.

8.2.1.5 Inspection and Testing Inspection and testing at vendor factories and initial system tests were conducted to insure that all components were operational within their design capability.

8.2.2 Preferred AC Power Source 8.2.2.1 Power Generation Objective The preferred AC power source provides a source of offsite AC power to the entire Auxiliary Power Distribution System adequate for the startup, operation, or shutdown of the station.

8.2.2.2 Safety Design Basis

1. The preferred AC power source is capable of supplying all emergency loads of the auxiliary power distribution system necessary for the safe shutdown of the reactor, as a result of anticipated operational occurrences or postulated accidents.

2. The availability of the preferred AC power source is continuously monitored and indication of the operational status is provided in the main control room.

3. The preferred AC power source is automatically connected to the emergency service buses in the event that the unit power source is lost.

4. The preferred and unit AC power sources are as independent as possible within the constraints of the transmission system development.

5. The preferred AC power source is not synchronized with the secondary AC power source.

6. The preferred AC power source is designed to be available following a loss of all onsite AC power supplies and secondary AC power source, to assure that fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded.

8.2-2 Rev. 30 - Nov. 2015

PNPS-FSAR 8.2.2.3 Power Generation Design Basis

1. The preferred AC power source is capable of supplying all loads during normal station startup.

2. The preferred AC power source is capable of supplying all loads during normal station shutdown.

3. The preferred AC power source is capable of supplying all loads during normal station operation.

8.2.2.4 Description The station is connected to the New England power grid through a 345 kV ring bus located in a switchyard adjacent to the station.

Refer to Figure 8.1-1. The 345 kV ring bus is connected to the following:

1. Station main transformer, described in Section 8.2.1

2. One 345 kV transmission line to the Canal Station ring bus of the Canal Generating Company of NSTAR, Sandwich, Massachusetts, and to the Auburn Street Station of National Grid

3. Station startup transformer (preferred AC power source)

4. One 345 kV transmission line to the breaker and half scheme Carver Station of NSTAR Company, Carver, Massachusetts The Canal, Auburn Street, and Carver Stations are in turn connected to the New England power grid and the NSTAR system by separate 345 kV lines.

Offsite AC power for station startup and shutdown is obtained from the 345 kV ring bus through the startup transformer to the station auxiliary power distribution system. The two 345 kV transmission lines are individually or jointly capable of supplying power to the startup transformer.

The startup transformer supplies power to the station auxiliary power distribution system whenever the main generator is offline. After the main generator has been synchronized to the 345 kV system and has been partially loaded, the auxiliary power distribution system is manually transferred from the startup transformer to the unit AC power source (unit auxiliary transformer).

Automatic fast transfer capability is provided in the design to restore the preferred AC power source (startup transformer) to the auxiliary power distribution system in the event that the unit AC power source is lost for any reason. The diesel generator load shedding logic will also be actuated (See Section 8.5.4), immediately upon the fast transfer of the safety related buses A5 and A6 to the Startup Transformer, in the presence of a LOCA signal, when the startup transformer secondary voltage is below the degraded voltage alarm reset setpoint.

8.2-3 Rev. 30 - Nov. 2015

PNPS-FSAR Should power be interrupted to the preferred AC power source (startup transformer) due to a double 345 kV line fault, it will be automatically restored when the line breakers reclose after the fault is cleared and the lines are re-energized.

This automatic reclosure is designed to prevent both 345 kV breakers from reclosing at the same time.

The breaker controls for the preferred AC power source are interlocked to prevent interconnection with the secondary AC power source. The preferred AC power source may be synchronized and interconnected with the unit AC power source to permit live source transfer following synchronization of the main generator. Procedural restrictions back up the breaker interlocks and assure that interconnection of the preferred AC power and unit AC power sources occur only for a short period of time.

The transmission system is protected in accordance with normal utility practice using carrier relaying on the lines and high speed differential protection on the transformers. The 345 kV switchyard breakers will be controlled directly from the main control room. Breaker position, 345 kV transmission line voltages and other parameters are monitored in the main control room.

The startup transformer 345 kV high voltage winding is connected in grounded wye. The tertiary winding is connected in delta. The two 4.16 kV low voltage windings, X and Y, are connected in resistance grounded wye. The X winding feeds four 250 MVA switchgear buses through 2,000 amp breakers and the Y winding feeds two 350 MVA switchgear buses through 3,000 amp breakers. These buses are in the auxiliary power distribution system and are described in Section 8.4.

The four circuit breakers are SF6 type and each rated at 345 kV, 2,000 amp, three-phase, 40,000 amp interrupting rating, and are installed in the ring bus to separate the four connections to the bus. Disconnect switches are provided on each side of each circuit breaker, for each transmission line, and for each transformer.

The two 345 kV lines, as well as those with which they interconnect, are designed to equal or exceed the requirements for heavy loading districts, Grade B construction, consisting of 4 lb/ft2 wind on 1/2 in radial ice on cable, and 6.4 lb/ft2 wind on 1.5 faces of the tower and with the National Electrical Safety Code overload factors. The two transmission lines are designed to equal or exceed the requirement for traverse hurricane wind of 25 lb/ft2 on bare cable at 60F and 40 lb/ft2 on 1.5 faces of the tower with an overload factor of 1.25. The lightning performance design goal for the lines is to achieve no more than one outage per 100 mi-yr.

The transmission lines run adjacent to each other for a distance of approximately 8 mi and then diverge at the Snake Hill Road Tap. A tap from one line (342) is made at approximately 5 mi from Pilgrim switchyard (Jordan Road Tap) that runs northwesterly approximately 26 mi to the Auburn Street Station of National Grid.

8.2-4 Rev. 30 - Nov. 2015

PNPS-FSAR At Snake Hill Road Tap the two lines diverge, one line (342) running southerly approximately 13 mi to Canal Station; the other line (355) running westerly and northwesterly approximately 13.5 mi to the Carver Station of NSTAR.

The height of the towers supporting the two 345 kV transmission lines varies from 110 ft. to 160 ft. The separation provided between the two nearest conductors on these common towers is 23 ft.

Commercial communication antennas are mounted on some transmission towers slightly raising the overall height of these towers above what is described herein.

The tower structures are analyzed and acceptable to the applicable state and federal structural codes and standards.

The largest dimension of the antennas is well below adjacent conductors spacing of 23 ft. and therefore, their structural failure will not contact two conductors and provide a shorting out of transmission.

8.2.2.5. Deleted 8.2.2.6 Safety Evaluation 8.2.2.6.1 General The 345 kV transmission and ring bus are arranged so that failure of either line will not result in the loss of the main generator, the other 345 kV line, or the startup transformer.

Either transmission line will be capable of carrying the full station output and of supplying the startup transformer. The startup transformer rating is large enough that the emergency service loads are simultaneously connected and started under accident conditions.

A high degree of reliability in the transmission system is provided so that the station output is available to the New England power grid and so that a power source is available to the startup transformer. To provide maximum security in the switching station, a ring bus design is used with the generator transformer, transmission line, startup transformer, and the second transmission line alternating around the ring, in that order. Therefore, both the generator and startup transformers have direct connections to both transmission lines. The failure of any single breaker will not cause the loss of both 345 kV transmission lines.

8.2.2.6.2 Analytical Studies The transmission system is analytically studied to determine its behavior when various system components are assumed to be low or out of service and the design provides protection against single contingency type of failures. This is a continuing procedure which takes place as the system is modified and expanded to meet load growth requirements.

8.2-5 Rev. 30 - Nov. 2015

PNPS-FSAR The following analytical studies were performed to substantiate that the loss of Pilgrim Station or any other generating unit in the system would not affect the offsite power.

1. Load Flow Digital computer analysis of transmission loading for both normal and contingency operation

2. Unit Stability Stability studies of Pilgrim and other units in the interconnected New England System

3. Transient Network Transient network analysis of trans-Analysis mission line over voltage switching surges

4. Relaying An analytical study to select the proper type, speed, and application as dictated by 1, 2, and 3 above Load Flow Studies performed by the New England Pool Transmission Task Force established the firm transmission requirements for Pilgrim Nuclear Power Station and the Canal Units. Normal and contingency cases were studied at light and heavy load conditions and these studies concluded that the transmission network was adequate to carry the combined output of both Canal and Pilgrim generators after the loss of the Pilgrim-Carver intertie. The studies also concluded that the loss of the Pilgrim Nuclear Power Station or any other generating unit in the system would not affect the availability of offsite power to the Pilgrim Nuclear Power Station.

In the event of the loss of both 345 kV lines out of the Pilgrim Nuclear Power Station, the station output would be lost to New England. However, analysis indicates that this loss would not cascade so as to involve any other generating unit in New England.

Unit Stability Stability studies of the Pilgrim Nuclear Power Station were completed in 1968. Under the auspices of the New England Pool Planning Committee Stability Task Force, stability studies are updated every two years. The Pilgrim Nuclear Power Station along with all other major units in the interconnected New England System were included in all of these studies. These studies concluded that there was no close in three-phase fault or phase to ground fault that would lead to the instability of the Pilgrim Nuclear Power Station.

8.2-6 Rev. 30 - Nov. 2015

PNPS-FSAR Transient Network Analysis A transient network analysis of the transmission system associated with the Pilgrim Nuclear Power Station and the Canal Units was completed in 1968. From these tests, the magnitude of switching surge over voltages was determined.

These data were used to coordinate the lightning arresters and BIL, of the various transformers connected to this transmission system.

Relaying In the event of a phase to phase or phase to ground fault on one of the 345 kV transmission lines, the two adjacent air circuit breakers in the ring bus would open to disconnect the affected line. The main generator and the startup transformer would be unaffected and station operation would therefore be unaffected.

In the event of a phase to phase or phase to ground fault on one of the 345 kV transmission lines, combined with the failure of a single air circuit breaker in the ring bus, the two air circuit breakers adjacent to the failed circuit breaker would open to disconnect both the affected line and the failed breaker from the remaining ring bus. Failure at either of two locations is possible and both are described as follows:

Either Breaker Adjacent to Main Transformer Tap Failure to Open In this event, the automatic opening of the adjacent circuit breakers in the ring bus would disconnect the affected transmission line, the failed breaker, and the main transformer. The main generator is disconnected from the system in this event and any station auxiliary buses connected to the unit power source are automatically transferred to the preferred power source, the startup transformer.

The startup transformer provides adequate capacity to power the entire auxiliary distribution system, including the emergency service portions.

Either Breaker Adjacent to Startup Transformer Tap Failure to Open In this event, the automatic opening of the adjacent circuit breakers in the ring bus would disconnect the affected transmission line, the failed breaker, and the startup transformer.

If the main generator was offline prior to this event, the loss of the preferred power source (startup transformer) would automatically initiate the standby power source, described in Section 8.5. The preferred power source would be restored to service as soon as practical, by opening the two 345 kV disconnects to isolate the failed breaker and the de-energized transmission line, and then manually transferring the startup transformer back to the operating transmission line.

8.2-7 Rev. 30 - Nov. 2015

PNPS-FSAR 8.2.2.6.3 Single Failure Analysis Consequences of Single Failures in the Preferred AC Power Source to Protective Relaying and Breaker Controls The preferred ac power source (startup transformer) protective relaying in the 345 kV switchyard consists of three protection systems: primary, backup, and inoperative breaker relays.

Each relay system and 345 kV circuit breaker has a separate control source from the dc distribution panel to the controlled equipment. Each control source has cable fault protection. The dc distribution panel is supplied by a 60 cell, 180 amp hr (3 hr rating) battery. The battery charger can supply control power to the primary, backup, or inoperative breaker protection if the battery is not available. The battery charger is supplied from two sources of ac power including the diesel generators. The battery charger has a transfer switch installed between the incoming power source and the battery charger itself. This allows for the use of alternate power to be used as the incoming source during a beyond design basis event. The charger is provided with current limiting protection.

In the event of a failure involving the preferred ac power source or the 345 kV bus, the primary relays will operate to clear the fault. If the fault fails to clear (due to the loss of control source dc power, for example) the backup relay system will operate to clear the fault.

If a failure in the dc control power source to a 345 kV circuit breaker adjacent to the preferred ac power source transformer causes a forced outage, the inoperative breaker relay system will operate to open the two circuit breakers adjacent to the failed circuit breaker and disconnect both the transformer and failed circuit breaker from the remaining ring bus.

Loss of dc power to the startup transformer (preferred source) lockout relay circuit would remove protection against ac system faults. Since ac system faults are totally independent of the loss of dc power, this is acceptable for a limited time period. The power supply is monitored in the main control room via the relay house general alarm.

A single failure in one of the protective relay inputs to the lockout relay could provide a spurious trip signal which would isolate the preferred source by tripping and locking out the appropriate switchyard breakers and alarming in the main control room. This would be an acceptable result with the standby ac power source and the secondary ac power source automatically ready to provide emergency service power if required.

8.2-8 Rev. 30 - Nov. 2015

PNPS-FSAR 8.2.2.6.4 Conclusions It is concluded from the analysis of the transmission system, switchyard arrangement, and relay protection that the safety design bases for the preferred ac power source are met.

8.2.2.7 Inspection and Testing Inspection and testing at Vendor factories and initial system tests were conducted to insure that all components are operational within their design capability. Periodic tests of the equipment and the system are conducted to detect the deterioration of equipment in the system toward an unacceptable condition.

8.2.2.8 Proposed Operational Nuclear Safety Requirements for Initial Plant Operation The general entries in this section represent the proposed nuclear safety requirements for the preferred ac power source for station startup. The preferred ac power source operating limitations are related to the operability status of the standby ac power sources and are described in Section 8.5.6.

The following referenced portion of the safety analysis report provides important information justifying the entries in that section.

Reference Information Provided

1. Earlier parts Description of the of Section 8.2 preferred(offsite) ac power source System Action To provide a source of ac power to station systems for startup.

Number Provided by Design One startup transformer connected to two 345 kV transmission lines through a 345 kV ring bus.

Surveillance The preferred AC power source will be tested periodically to detect any deterioration of equipment toward an unacceptable condition.

NOTE: The components of the preferred source are normally energized.

Conclusion The preferred AC power supply is one of the two physically independent circuits designed to provide power to the 4.16 kV auxiliary power distribution system. It is designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the secondary AC power supply power circuit, to assure that fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. Additionally, it is designed to be available following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained. Therefore, it can be concluded that the startup transformer and associated 345kV transmission lines satisfies the offsite preferred power source requirement of GDC 17.

8.2-9 Rev. 30 - Nov. 2015

PNPS-FSAR 8.6 125 AND 250 VOLT DC POWER SYSTEMS 8.6.1 Safety Objective To provide and distribute an uninterruptible source of power adequate for normal operation and for the safe shutdown of the reactor following abnormal operation transients and postulated accidents.

8.6.2 Safety Design Basis

1. Each 125 V and 250 V battery has adequate capacity to safeguard the station until ac power sources are restored.

2. Each battery charger has adequate capacity to restore its battery to full charge from a totally discharged condition while carrying the normal station steady state dc load.

3. The 125 V and 250 V DC Power Systems are arranged so that no single component failure will prevent the systems from providing power to a sufficient number of vital dc loads necessary for safe shutdown.

4. The 125 V and 250 V dc power systems are provided in accordance with the IEEE-308, Standard Criteria for Class IE Electrical Systems for Nuclear Power Generating Stations.

5. The batteries and battery racks are Class I equipment to assure continuous operation of the equipment under maximum seismic shock conditions applicable to the area and location of the equipment.

8.6.3 Description The dc power systems (125 V for power and control and 250 V for power) supply dc power to conventional station emergency equipment and selected safeguard system loads. The dc power systems are shown on Figure 8.6-1. Table 8.6-1 lists the major electrical equipment of the dc power systems.

The battery chargers in both the 125 and 250 V dc power systems are supplied from the 480 V ac emergency service buses which are described in Section 8.4.

The 125 V dc power system supplies power and control through two control buses, A and B, two distribution panels, A and B, and a common distribution panel, C. Power feeds into control bus A from:

1. Control battery A

2. Battery charger A which is fed from 480 V ac emergency service load center B1 through a transfer switch which can allow use of alternate power in the event of loss of AC power.

3. The 125 V dc backup battery charger which is fed through 480 V ac common emergency service load center B6 through a transfer 8.6-1 Rev. 30 - Nov. 2015

PNPS-FSAR switch which can allow use of alternate power in the event of loss of AC power.

Control bus A feeds power to distribution panel A, 125V DC motor control center No. 1 and through automatic transfer switches to distribution panel C. All connections to control bus B are the same as control bus A, except that battery charger B is fed through 480V AC emergency service load center B2. The 125V DC backup battery charger is common to both control bus A and bus B. The two 125V DC motor control centers feed power to selected safeguard system pump motors and motor operated valves.

Distribution panel C receives power through the automatic transfer switches from either control bus A or bus B. Distribution panel C feeds power to the emergency lighting distribution panel and the solenoid operated valve distribution panel.

The 250V DC power system supplies power through one bus. The bus receives power from:

1. The 250V power battery

2. The 250V normal battery charger which is fed through the 480V AC emergency service load center B2 through a transfer switch which can allow use of alternate power in the event of loss of AC power.

3. The 250V backup battery charger which is fed through 480V AC common emergency service load center B6 through a transfer switch which can allow use of alternate power in the event of loss of AC power.

The bus feeds power directly to conventional station emergency equipment, including the vital motor generator set described in Section 8.8, and through a 250V DC motor control center to selected safeguard system loads.

The 125V control batteries A and B are lead calcium type. Table 8.6-1 provides detailed information of the 125V and 250V DC power system. Each control battery is located in a separate ventilated battery room. The 250V power battery is lead calcium type. The power battery is located in the same room as the 125V control battery B.

The 125V DC battery chargers utilize silicon thyristors and diodes in a full wave rectifier circuit rated at 200 amperes (Future 300A) capable of maintaining 0.5 percent voltage regulation with supply voltage variations of +10 percent of 460V or frequency variations of

+5 percent.

The 250V DC battery chargers are full wave silicon controlled rectifier type rated at 200 amp and 0.5 percent voltage regulation with AC supply variations of 10 percent in voltage and 5 percent in frequency.

8.6-2 Rev. 30 - Nov. 2015

PNPS-FSAR The 125V DC control buses A and B (D16 and D17) are rated at 600 amp continuous current and at least 20,000 amp momentary current. All of the 125V DC panels include two pole molded case circuit breakers.

The 125V DC distribution panel A (D4) has buswork and breakers with an interrupt rating of at least 20,000 amp momentary current. The buswork and breakers on 125V DC distribution panels B (D5) and C (D6) have an interrupt rating of at least 10,000 amp momentary current. The automatic transfer switches associated with distribution panel C have a continuous rating of 200 A, an interrupt rating of 3000 A and a short circuit capability of 15,000 A. The 250V DC power bus and 250V DC motor control center have main buses rated at 600 amp continuous current. The power bus (D10) is rated for at least 25,000 amp momentary current and the 250V DC motor control center (D9) is rated for at least 10,000 amp momentary current. The 250V circuit breakers are two pole manually operated.

All of the breakers and fuses on the power bus (D10) are capable of interrupting at least 25,000 amp momentary current. The breakers in D9 are capable of interrupting at least 10,000 amp. All motor starters are provided with single pole thermal overload elements for alarm only in the main control room. Each motor starter in the 250V DC motor control center is monitored for loss of 250V DC power or loss of 125V DC control power. Any loss of DC power is annunciated in the control room. The 125V DC distribution panels, A, B, and C, are NEMA Type 1 construction, dead front, surface mounted panels with two pole manually operated circuit breakers.

The 125V DC motor control centers are NEMA Type I gasketed construction with drip proof covers. The main bus is rated at 600 amp. The original plant circuit breakers are two pole manually operated with magnetic short circuit protection on both poles. All motor starters are provided with single pole thermal overload elements for alarm only in the main control room. Due to spare part considerations and improved reliability, many of the magnetic only circuit breakers have been replace with thermal-magnetic breakers to provide both short circuit and long term overload protection.

Three of the DC load centers (D7, D8, and D9) have been provided with walk-in enclosures which assure environmental qualification of the MCCs. The exterior walls of the enclosure consists of 1/4" thick steel plate and are designed to withstand the effects of postulated seismic events (OBE and SSE), external pressure due to PBOCs (1 psid), and tornado loads. The walls of the enclosures are covered with insulating material in order to minimize heat transfer from the Reactor Building Atmosphere to the enclosure following a PBOC. Major penetrations such as conduit and pipe are installed with foam sealant.

Principal design criteria are provided in Table 8.6-2.

Cable installation and design criteria for the DC Power System is discussed in Section 8.4.5.2. The current carrying capacity of all power cables is conservatively calculated to preclude damage due to thermal overloads except where deviations are approved by design engineering as stated in Section 8.9.5. Provisions for loss of AC and DC power have been made in the design. The multiplicity of battery charger sources and the division of critical loads between 8.6-3 Rev. 30 - Nov. 2015

PNPS-FSAR buses yields a system that has a high degree of reliability. Also, the physical separation of buses and service components will limit or localize the consequences of electrical faults or mechanical accidents occurring at any point in the system.

8.6.4 Safety Evaluation Power is normally supplied to the dc systems from the AC emergency service buses of the Auxiliary Power Distribution System through three battery chargers. Loss of the ac power source to any of the three chargers causes the related battery to supply power to its dc loads. Each battery is capable of supplying adequate power to operate its loads during normal and emergency conditions. The related backup battery charger (supplied by the 480 V common emergency Bus B6) is then manually connected to the affected battery bus. The backup battery charger recharges the battery while supplying power to the loads. Each battery charger has adequate capacity to restore its battery to full charge from a totally discharged condition while carrying the normal station steady state dc load.

125 Volt DC Distribution Panel C Independence is not compromised by the automatic transfer scheme which transfers dc power from one independent battery side to the other in the event that the first battery side is lost.

The 125 V DC buses A and B (D16 and D17) and panel C (D6) are shown on Figure 8.6-1. Panel C normally receives power from bus A through an automatically controlled switch in series with the normally closed portion of an automatic transfer switch. Between bus B and panel C is a normally open automatically controlled switch in series with the normally open portion of the automatic transfer switch.

Buses A and B cannot be connected together through panel C by a single failure since (a) the automatically controlled switch and transfer switch connected in series are both open and (b) their closing (or transfer) circuits cannot be both actuated by a single failure.

The transfer of panel C from battery side A to B is intentionally delayed 1/2 sec after an under-voltage condition is detected on side A. Operating current for the transfer is taken from the side to which the load is being transferred. After side A has returned to normal and voltage has been maintained at least 1 min, the load will be transferred back to side A. Loss of side B during this 1 min time delay would cause instantaneous (1/3 sec) transfer back to side A.

The effect on the dc systems of the two possible fault types discussed in the following analysis is different than the same fault types on the ac systems. A single line to ground fault is the most common fault possible. Since the DC systems are ungrounded, this fault would not cause excessive over current and under voltage.

However, the fault is detected and annunciated for operator action.

Multiple DC grounds need not be evaluated because the first ground 8.6-4 Rev. 30 - Nov. 2015

PNPS-FSAR would be located and removed as soon as possible after alarming in the main control room. The only type of fault causing excessive over current and under voltage is a line to line fault. If this highly improbable single failure occurs anywhere in a system it will not result in losing both A and B sides. Loss of either A or B side will not cause loss of the other side or panel C. Loss of panel C will not cause the loss of either A or B side.

Postulated loss of battery side A, while much less probable than loss of AC bus A, has generated the use of panel C for loads which do not have redundant 125 V DC sides yet require maximum reliability. To facilitate the ensuing analysis of the requirements of each DC load, the loads are divided into groups as follows:

1. Main Steam Line Isolation Valves (inboard)

2. Bus B6 Control

3. Station Economic Investment Loads and Annunciators

4. Fire System Load

5. Other Loads As with AC bus B6, (see Section 8.4) the grouping manifests the same basis for the selection of panel C as the power source. Discussion of each load group follows:

1. Main Steam Line Isolation Valves (inboard)

As described in Containment Motor Operated Isolating Valves, in Section 8.4.6, all inboard motor operated valves are routed as SX. Similarly, the supplies to dc solenoids are routed as SX which also ensures proper separation from the outboard valves which are routed as SB

2. Bus B6 Control The control power for operation of the ac SX bus circuit breakers must be separated from SA and SB wiring. Hence the DC SX bus is used as the power source.

3. Station Economic Investment Loads and Annunciator These are basically turbine-generator auxiliaries and are vital to protect the station economic investment. Therefore, the most reliable source of DC power has been selected; panel C. All main control room annunciators are powered from panel C to ensure their availability when one battery side is lost.

4. Fire System Load 8.6-5 Rev. 30 - Nov. 2015

PNPS-FSAR The cable spreading room gaseous fire suppression system initiation power is supplied from panel C for maximum availability and reliability.

5. Other Loads Emergency DC lighting of the main control room, redundant switchgear areas, diesel generator areas, and the routes between them is made available during the loss of either battery side, to ensure continued access to these critical areas Since the vital services motor generator set power is fed from the 250 V DC battery side, its control has been taken from panel C. Hence, loss of one 125 V DC battery side will not cause the failure of the 120 V AC vital services subsystem The analysis shows that the intent of safety design basis 4 in Section 8.4.3 is met and that a reasonable and sufficient degree of electrical and physical independence is provided in the current PNPS design When the diesel generators are started for emergency service following loss of all normal AC power to the emergency service buses, the batteries are supplying all dc power. The batteries have adequate capacity for 8 hr operation before battery chargers need to be reenergized. The 250 V dc battery charger and the 125 V DC battery chargers will be reenergized by the standby AC power source and will now supply the DC loads. In the event of loss of the standby AC power source, the installed transfer switches allow the use of alternate power to reenergize the battery chargers.

Therefore the loads receive uninterrupted DC power during AC power interruptions.

The 125 V and 250 V power systems are ungrounded with ground detectors which alarm in the main control room. Multiple grounds are not probable since the first ground would be located and removed as soon as possible after alarming in the main control room.

All batteries and battery racks are designed to Class I requirements.

Although loss of one of the three DC sources is highly improbable, loss of one source would not prevent safe shutdown of the station.

It is therefore concluded that the safety design bases are met.

8.6.5 Inspection and Testing Inspection and testing at vendor factories and an initial system test were conducted to insure that all components are operational within their design capability.

Periodic tests of the equipment and the system are conducted to detect the deterioration of equipment in the system toward an unacceptable condition.

8.6-6 Rev. 30 - Nov. 2015

PNPS-FSAR 8.6.6 Proposed Nuclear Safety Requirements for Initial Plant Operation General The entries in this section represent the proposed nuclear safety requirements for initial plant operation for the 125 V and 250 V DC power systems for each BWR operating state which result from the station wide BWR systems analysis reported in Appendix G. The following referenced portions of the safety analysis report provide important information justifying the entries in this section:

Reference Information Provided

1. Section 8.6.3 Description of the 125 V and 250 V DC power systems

2. Station Nuclear Safety Identifies conditions and and Operational Analysis events for which the Appendix G 125 V and 250 V DC systems are required

3. Jacobs, I.M. Guidelines Describes methods used for Determining Safe Test to establish allowable Intervals and Repair Times repair times for Engineered Safeguards.

General Electric Co.,

Atomic Power Equipment Department, APED-5736, April 1969 Each detailed requirement in this section is referenced, if possible, to the most significant station condition originating the need for the requirement by identifying a matrix block on Table G.5-3. The matrix block references are given in parentheses beneath the detailed requirements in the "minimum required for action" section. The matrix block references identify the BWR operating state, the event number, and the system number. For example, F39-89, identifies BWR operating state F (Matrix 3), event (row) No. 39, and system (column) No. 89.

The maximum requirement on the batteries is based on a loss of coolant accident (LOCA) at design power with a concurrent loss of AC auxiliary power. Load requirements in operating states A and B will be much less.

System Action System action includes providing emergency DC power to station nuclear safety and engineered safeguard systems and their required auxiliaries.

Number Provided by Design 8.6-7 Rev. 30 - Nov. 2015

PNPS-FSAR Two 125 V DC batteries and one 250 V DC battery, three 125 V battery chargers and two 250 V battery chargers.

Battery Side A: one 125 V battery and one 125 V battery charger Battery Side B: one 125 V battery and one 125 V battery charger, one 250 V battery and one 250 V battery charger Backup: one 125 V battery charger and one 250 V battery charger Minimum Required for Action (BWR Operating States A,B,C,D,E,F)

Below 104 psig (states A,B,C,D):

The 125 V portion of one battery side with the associated diesel generator and distribution system operable.

(A28-89) (B28-89)

(C39-89) (D39-89)

Above 104 psig (states C,D,E,F):

One battery side with the associated diesel generator and distribution system operable.

(C39-89) (D39-89)

(E39-89) (F39-89)

Condition Required for Continuous Operation (BWR Operating States A,B,C,D,E,F) - Proposed Limiting Conditions for Initial Plant Operation Below 104 psig (states A,B,C,D), the 125 V portions of both battery sides must be operable except that one battery side may be inoperable for no longer than the allowable repair time, provided that requirements No. 1 through 3 below are met.

Above 104 psig (states C,D,E,F), battery sides "A" and "B" must be operable except that one battery side may be inoperable for no longer than the allowable repair time provided that requirements 1 through 3 below are met:

1. The diesel generator which is controlled by the operable battery must also be operable during this period

2. None of the nuclear safety or engineered safeguard systems required in this state which are powered or controlled by the operable battery side or powered by the operable diesel generator can be out of service

3. During the period that one battery side is out of service, pilot cell voltage and specific gravity, and overall battery voltage must be tested daily on the operable battery side Allowable Repair Time 8.6-8 Rev. 30 - Nov. 2015

PNPS-FSAR The allowable repair time is 10 days, provided the increased testing frequency of 3 is observed. The limitation of allowable repair time is not applicable in cold shutdown condition.

Proposed Surveillance Requirements for Initial Plant Operation Periodic Test Item Description Test Interval All Batteries Liquid Level Monthly Specific Gravity and Pilot cell weekly Cell Voltage All cells quarterly Visual Inspection Weekly Performance Discharge 1/cycle All Battery Visual Inspection Weekly Chargers DC Buses Mechanical Inspection 2 yr Overhaul When required 8.6.7 Current Operational Nuclear Safety Requirements The current limiting conditions for operation, surveillance requirements, and their bases are contained in the Technical Specifications referenced in Appendix B.

8.6-9 Rev. 30 - Nov. 2015

PNPS-FSAR 8.8 120 VOLT AC POWER SYSTEM 8.8.1 Safety Objective The 120V AC safeguard control power subsystem distributes the 120v AC power required to safely shutdown the reactor, maintain the shutdown condition and operate all instrumentation and control circuits necessary for safe shutdown.

8.8.2 Power Generation Objective

1. The 120V AC instrument subsystem supplies power to non-safeguard instruments, control to non-safeguard systems, and power to non-safeguard auxiliaries.

2. The 120/240V AC vital services subsystem provides power for vital services for which power interruption should be avoided. These vital services are necessary for the operation of the station but are not vital to station safety.

3. The 120V ac reactor protection subsystem shall provide power to the reactor protection system (RPS) logic monitors.

8.8.3 Safety Design Basis

1. The 120V AC safeguard control power subsystem distributes power to the 120V AC instrumentation and control loads which are essential to plant safety.

2. The 120V AC safeguard control power subsystem has adequate capacity to supply all loads required for normal and accident conditions, including the H2O2 Analyzer portion of the PASS System.

3. The 120V AC safeguard control subsystem is supplied from the emergency portion of the APDS, which is supplied from both off-site and on-site ac power sources.

4. The 120V AC safeguard control power subsystem is designed and installed to Seismic Class 1 Criteria.

5. The 120V AC safeguard control power subsystem is designed and installed in accordance with IEEE 308, Standard Criteria for Nuclear Power Generating Stations

6. The 120V AC power system, normal and safeguard portion, is arranged so that a single failure will not prevent or impair the operation of the essential station safety functions.

8.8-1 Rev. 30 - Nov. 2015

PNPS-FSAR 8.8.4 Power Generation Design Basis

1. The instrument subsystem distributes adequate power to the main control room instruments, the 24V dc battery chargers (described in Section 8.7), and to all other loads as shown on Figure 8.7-1 (BECo E14). The subsystem receives power from either of two ac sources.

2. The vital service subsystem has adequate capacity to power all loads shown on panel Y2 on Figure 8.7-1.

Power is supplied from: (1) a motor-driven generator which may be powered from either an ac or a dc source, or (2) a second ac source. The motor-driven generator maintains the output voltage while the input is being changed from the ac to the dc source.

3. The reactor protection subsystem contains two ac motor-driven generators, each with adequate capacity to power the logic monitors of one trip channel. Alternate power is provided to both trip channels from a second ac source, powering either bus A or bus B, but not both.

8.8.5 Description The 120V ac Power System consists of four subsystems: the instrument subsystem, the vital services subsystem, the reactor protection subsystem and the safeguard control power subsystem. See Figure 8.7-1 for all subsystems.

The instrument subsystem receives power from the Auxiliary Power Distribution System (APDS) described in Section 8.4.

Power is normally supplied from 480V common emergency service bus B6 and automatically transferred to 480V emergency service bus B1 upon loss of power at the instrument bus. The instrument bus distributes power to all the conventional instrumentation and non-critical monitors and controls.

The instrument power supply transformer is rated at 37.5 KVA, 480-120/240V, single phase, three wire, 60 Hz. The standby instrument and vital services transformer is rated at 50 KVA, 480-120/240V, single phase, three wire, 60 Hz.

The instrument 120V ac power supply panel is a NEMA Type I, dead front, surface mounted panel with single pole manually operated circuit breakers.

The vital services subsystem receives power from the APDS described in Section 8.4, or from the 250V DC power system described in Section 8.6. Normally, power is distributed through a motor-generator set driven by an ac motor receiving power from 480V common emergency service bus B6. Upon loss of power to the ac drive motor, vital services power will continue to be supplied via a dc drive motor on the same shaft as the ac motor and vital services MG set. The dc drive motor is supplied from the 250V dc power bus. Return of ac power will cause an automatic transfer back to the ac drive motor.

8.8-2 Rev. 30 - Nov. 2015

PNPS-FSAR A large flywheel maintains the output voltage level of the generator during each transfer. Upon loss of the motor generator set, ac power is automatically supplied through 480 V ac emergency service bus B1 and through the same path as the alternate supply to the instrument subsystem. Manual transfer is required to supply the vital service bus from the motor-generator set when it returns to service. The motor generator set as the normal power source provides 120/240 V ac power free of electrical noise and transient voltage dips.

The vital services motor-generator set is rated at 31.2KVA, 0.8 power factor, 120/240V, single phase, three wire, 60 Hz.

The standby transformer is common to the instrument subsystem described in Section 8.8.2.

The vital services 120/240 V ac power supply panel is a NEMA Type I, dead front, surface mounted panel with manually operated circuit breakers.

The reactor protection subsystem receives power from the APDS, described in 8.4. Power is normally supplied from 480V normal service buses B3 and B4 through two motor driven generators to two reactor protection logic monitor buses. Alternately, power may be supplied to either of the buses through 480V common emergency service bus B6.

The reactor protection motor-generator sets are each rated 18.75 KVA, 0.8 power factor, 120V, single phase, two wire, 60 Hz.

The two motor generator sets and the alternate power supply for the Reactor Protection System have class IE electrical protection assemblies installed. There are two protection assemblies, in series, for each RPS 120V, 60 Hz supply. A random, or seismically-induced abnormal voltage or frequency condition on the outputs of an MG set, or the alternate supply, would trip one or both of the two protective assemblies installed between a power supply and its respective RPS bus. This protects the RPS components and auxiliaries from damage due to sustained abnormal voltage conditions (over and undervoltage and underfrequency).

The reactor protection 120V AC power supply buses are in a NEMA Type I panel in isolated compartments with manually operated circuit breakers. See Section 7.2 for details.

8.8-3 Rev. 30 - Nov. 2015

PNPS-FSAR The safeguard control power subsystem receives power from the APDS described in section 8.4. Power is supplied from 480V emergency service buses B17, B17a, B18, B18a, and B20 through stepdown transformers. The 208/120V ac safeguard subsystem supplies control power to the PCIS, PASS and PAM control panels. It also supplies control power to various other valves and control panels. The panels are NEMA class I, Type B wiring panels. The step down transformers supplying power to the panels are 10KVA, 480-120V, single phase, two wire, 60 Hz for panels Y3 and Y31,and Y4 and Y41, 25KVA, 480 122/244V, single phase, two wire, 60 Hz for panels Y13 and Y14; and 15KVA, 480-208/120V, 3 phase, 4 wire, 60 Hz for panels Y6, Y7 and Y8.

Transfer switches have been located next to the regulating transformers which supply power to panels Y3, Y31, Y4, and Y41. Transfer switches have also been located near panels Y13 and Y14. The transfer switches provide capability to supply alternate power to these panels in the event of an extended loss of AC power by way of diesel generators.

The 10KVA step-down transformers for distribution panels Y3 and Y31 and Y4 and Y41 are voltage regulating type maintaining output voltage at 120VAC +/- 4% for voltage inputs of 480VAC +

10% / -25% for panels Y3 and Y31 . The 25KVA step down transformers which supply power to distribution panels Y13 and Y14 are voltage regulating type maintaining output voltage at 122VAC +/- 4% for voltage inputs of 480VAC +/- 20%. During undervoltage transients below 480VAC -25% for panels Y3 and Y31 and below 480V -20% for panels Y13 and Y14, the regulating transformers will select the highest transformer tap to maximize the output voltage as close to 120V AC as possible.

During overvoltage transients above 480VAC +10% for panels Y3 and Y31 and above +20% for panels Y13 and Y14, the regulating transformer will select the lowest tap to limit the output voltage as close to 120VAC as possible.

The RPS components which are located inside the primary containment, and which must function in the environment resulting from a break of the nuclear system process barrier inside the primary containment, are the condensing chambers and associated variable and reference leg piping. Special precautions are taken to ensure satisfactory operability after the accident.

8.8.6 Inspection and Testing Inspection and testing at vendor factories and initial system tests were conducted to insure that all components are operational within their design ratings.

8.8-4 Rev. 30 - Nov. 2015

PNPS-FSAR Periodic tests of the equipment and system will be as follows:

Operation Test

• Mechanical Inspection 2 Years Overhaul When Required Breaker Overcurrent Trip Test

• RPS Electrical Protection Assemblies:

Instrument Functional Test Every 18 months Instrument Calibration Once per 18 months Circuit Breaker Testing Once per 18 months

• When operation of generating station permits 8.8-5 Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 10 AUXILIARY SYSTEMS TABLE OF CONTENTS Section Title Page 10.1

SUMMARY

DESCRIPTION 10.1-1 10.2 NEW FUEL STORAGE 10.2-1 10.2.1 Power Generation Objective 10.2-1 10.2.2 Power Generation Design Basis 10.2-1 10.2.3 Safety Design Basis 10.2-1 10.2.4 Description 10.2-1 10.2.5 Safety Evaluation 10.2-2 10.2.6 Inspection and Testing 10.2-3 10.3 SPENT FUEL STORAGE 10.3-1 10.3.1 Power Generation Objective 10.3-1 10.3.2 Power Generation Design Basis 10.3-1 10.3.3 Safety Design Basis 10.3-1 10.3.4 Description 10.3-1 10.3.4.1 General 10.3-1 10.3.4.2 Fuel Pool Level Indicators 10.3-4 10.3.5 Safety Evaluation 10.3-5 10.3.6 Consequences of a Dropped Fuel Cask 10.3-7 10.3.7 Inspection and Testing 10.3-8 10.3.8 Dry Fuel Storage 10.3-9 10.3.9 References 10.3-10 10.4 FUEL POOL COOLING AND CLEANUP SYSTEM 10.4-1 10.4.1 Power Generation Objective 10.4-1 10.4.2 Power Generation Design Basis 10.4-1 10.4.3 Description 10.4-1a 10.4.4 Inspection and Testing 10.4-3 10.5 REACTOR BUILDING CLOSED COOLING WATER SYSTEM 10.5-1 10.5.1 Safety Objective 10.5-1 10.5.2 Power Generation Objective 10.5-1 10.5.3 Safety Design Basis 10.5-1 10.5.4 Power Generation Design Basis 10.5-1 10.5.5 Description 10.5-1 10.5.5.1 System Components 10.5-1 10.5.5.2 Planned Operations 10.5-2 10.5.5.3 Accident and Transient Operations 10.5-3 10.5.6 Safety Evaluation 10.5-4 10.5.7 Inspection and Testing 10.5-4 10.5.8 Nuclear Safety Requirements for Plant Operation 10.5-4 10.5.9 Current Operational Nuclear Safety Requirements 10.5-5 10-i Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 10.6 TURBINE BUILDING CLOSED COOLING WATER SYSTEM 10.6-1 10.6.1 Power Generation Objective 10.6-1 10.6.2 Power Generation Design Basis 10.6-1 10.6.3 Description 10.6-1 10.6.4 Inspection and Testing 10.6-3 10.7 SALT SERVICE WATER SYSTEM 10.7-1 10.7.1 Safety Objective 10.7-1 10.7.2 Safety Design Basis 10.7-1 10.7.3 Power Generation Objective 10.7-1 10.7.4 Power Generation Design Basis 10.7-1 10.7.5 Description 10.7-1 10.7.6 Safety Evaluation 10.7-5 10.7.7 Inspection and Testing 10.7-7 10.7.8 Nuclear Safety Requirements for Plant Operation 10.7-7 10.7.9 Current Technical Specifications 10.7-8 10.8 FIRE PROTECTION SYSTEM 10.8-1 10.8.1 Power Generation Objective 10.8-1 10.8.2 Power Generation Design Basis 10.8-1 10.8.3 Description 10.8-1 10.8.3.1 Fire Water System 10.8-1 10.8.3.2 Other Extinguishing Systems 10.8-4 10.8.3.3 Other Fire Protection Features 10.8-5 10.8.3.4 Fire Barriers 10.8-6 10.8.3.5 Alternate Shutdown System 10.8-6 10.8.4 Inspection, Testing and Limiting 10.8-7 Conditions for Operation for Fire Protection Equipment 10.8-7 10.8.4.1 Fire Detection Instrumentation 10.8-7 10.8.4.1.1 Fire Detection Instrumentation Technical Requirements 10.8-7 10.8.4.1.2 Fire Detection Instrumentation Surveillance Requirements 10.8-8 10.8.4.2 Fire Water Supply System 10.8-8 10.8.4.2.1 Fire Water Supply System Technical Requirements 10.8-8 10.8.4.2.2 Fire Water Supply System Surveillance Requirements 10.8-8 10.8.4.3 Spray and/or Sprinkler Systems 10.8-10 10.8.4.3.1 Spray and/or Sprinkler Systems Technical Requirements 10.8-10 10.8.4.3.2 Spray and/or Sprinkler Systems Surveillance Requirements 10.8-11 10.8.4.4 Halon System 10.8-12 10.8.4.4.1 Halon System Technical Requirements 10.8-12 10.8.4.4.2 Halon System Surveillance Requirements 10.8-12 10-ii Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 10.8.4.5 Fire Hose Stations 10.8-13 10.8.4.5.1 Fire Hose Stations Technical Requirements 10.8-13 10.8.4.5.2 Fire Hose Stations Surveillance Requirements 10.8-13 10.8.4.6 Fire Barrier System 10.8-14 10.8.4.6.1 Fire Barrier System Technical Requirements 10.8-14 10.8.4.6.2 Fire Barrier System Surveillance Requirements 10.8-14 10.8.4.7 Fire Brigade 10.8-15 10.8.4.8 Alternate Shutdown Panels 10.8-15 10.8.5 References 10.8-15 10.9 HEATING, VENTILATION, AND AIR CONDITIONING SYSTEMS 10.9-1 10.9.1 Power Generation Objective 10.9-1 10.9.2 Power Generation Design Basis 10.9-1 10.9.3 Description 10.9-1 10.9.3.1 General 10.9-1 10.9.3.2 Station Heating System 10.9-1 10.9.3.3 Reactor Building Heating and Ventilation System 10.9-3 10.9.3.4 Turbine Building Heating and Ventilation System 10.9-4 10.9.3.4.1 General 10.9-4 10.9.3.4.2 Main Turbine Building Ventilation Supply Fans 10.9-5 10.9.3.4.3 Turbine Building Ventilation Units (Operating Floor Level) 10.9-6 10.9.3.4.4 Turbine Building Basement Exhaust Fans(Condenser Compartment) 10.9-6 10.9.3.4.5 Turbine Building Operating Floor Exhaust Fans 10.9-6 10.9.3.4.6 Lube Oil and Battery Room Exhaust Fans 10.9-6 10.9.3.4.7 Condensate Pump Room Unit Coolers 10.9-6 10.9.3.4.8 Condenser Compartment Unit Coolers 10.9-6 10.9.3.4.9 Off-gas Retention Building 10.9-6a 10.9.3.4.10 Off-gas Retention Room Unit Coolers 10.9-6a 10.9.3.4.11 Switchgear Room Emergency Ventilation System 10.9-6a 10.9.3.5 Radwaste Building Heating and Ventilating System 10.9-6a 10.9.3.5.1 General 10.9-6b 10.9.3.5.2 Radwaste Heating and Ventilating Units 10.9-7 10.9.3.5.3 Radwaste Exhaust Fans and Filters 10.9-7 10.9.3.6 Access Control Area Air Conditioning 10.9-7 10-iii Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 10.9.3.6.1 General 10.9-7 10.9.3.6.2 Access Control Area Air Conditioning Units 10.9-8 10.9.3.6.3 Access Control Area Recirculation and Exhaust Fans 10.9-8 10.9.3.7 Intake Structure 10.9-9 10.9.3.7.1 General 10.9-9 10.9.3.7.2 Service Water Pump Exhaust Fans 10.9-9 10.9.3.7.3 Other Area Exhaust Fans 10.9-9 10.9.3.8 Warehouse and Machine Shop, and PASS Mezzanine MCC Rooms 10.9-9 10.9.3.8.1 General 10.9-9 10.9.3.8.2 Heating and Ventilating Unit 10.9-10 10.9.3.8.3 Exhaust Fans 10.9-10 10.9.3.9 Diesel Generator Building Heating and Ventilation 10.9-10 10.9.3.10 Executive Building Air Conditioning 10.9-11 10.9.3.11 Operations and Maintenance Building HVAC 10.9-11 10.10 MAKEUP WATER TREATMENT SYSTEM 10.10-1 10.10.1 Power Generation Objective 10.10-1 10.10.2 Power Generation Design Basis 10.10-1 10.10.3 Description 10.10-1 10.10.3.1 General 10.10-1 10.10.3.2 Neutralizing Sump 10.10-2 10.10.3.3 Demineralized Water Service 10.10-2 10.10.4 Inspection and Testing 10.10-3 10.11 INSTRUMENT AND SERVICE AIR SYSTEMS 10.11-1 10.11.1 Power Generation Objective 10.11-1 10.11.2 Power Generation Design Basis 10.11-1 10.11.3 Description 10.11-1 10.11.3.1 General 10.11-1 10.11.3.2 Equipment Description 10.11-3 10.11.4 Inspection and Testing 10.11-4 10.12 POTABLE AND SANITARY WATER SYSTEM 10.12-1 10.12.1 Power Generation Objective 10.12-1 10.12.2 Power Generation Design Basis 10.12-1 10.12.3 Description 10.12-1 10.12.4 Inspection and Testing 10.12-1 10-iv Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 10.13 EQUIPMENT AND FLOOR DRAINAGE SYSTEMS 10.13-1 10.13.1 Power Generation Objective 10.13-1 10.13.2 Power Generation Design Basis 10.13-1 10.13.3 Description 10.13-1 10.13.3.1 General 10.13-1 10.13.3.2 Radioactive Equipment Drainage System 10.13-2 10.13.3.3 Radioactive Floor Drainage System 10.13-3 10.13.3.4 Nonradioactive (Normal) Drainage System 10.13-3 10.13.3.5 Miscellaneous Drainage System 10.13-3 10.13.3.6 Reactor Building Emergency Drains 10.13-3 10.13.4 Inspection and Testing 10.13-3 10.14 PROCESS SAMPLING SYSTEMS 10.14-1 10.14.1 Power Generation Objective 10.14-1 10.14.2 Power Generation Design Basis 10.14-1 10.14.3 Description 10.14-1 10.15 COMMUNICATIONS SYSTEMS 10.15-1 10.15.1 Power Generation Objective 10.15-1 10.15.2 Power Generation Design Basis 10.15-1 10.15.3 Description 10.15-2 10.15.4 Inspection and Testing 10.15-5 10.16 STATION LIGHTING SYSTEM 10.16-1 10.16.1 Power Generation Objective 10.16-1 10.16.2 Power Generation Design Basis 10.16-1 10.16.3 Description 10.16-1 10.16.4 Inspection and Testing 10.16-2 10.17 MAIN CONTROL ROOM ENVIRONMENTAL CONTROL SYSTEM 10.17-1 10.17.1 Safety Objective 10.17-1 10.17.2 Safety Design Basis 10.17-1 10.17.3 Power Generation Objective 10.17-1 10.17.4 Power Generation Design Basis 10.17-1 10.17.5 Description 10.17-1 10.17.6 Safety Evaluation 10.17-3 10.17.7 Inspection and Testing 10.17-3 10.17.8 Nuclear Safety Requirements for Plant Operation 10.17-4 10.17.9 Current Technical Specifications 10.17-5 10-v Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 10.18 EQUIPMENT AREA COOLING SYSTEM 10.18-1 10.18.1 Safety Objective 10.18-1 10.18.2 Safety Design Basis 10.18-1 10.18.3 Power Generation Objective. 10.18-1 10.18.4 Power Generation Design Basis 10.18-1 10.18.5 Description 10.18-1 10.18.6 Safety Evaluation 10.18-2 10.18.7 Inspection and Testing 10.18-2 10.18.8 Nuclear Safety Requirements for Plant Operation 10.18-2 10.18.9 Current Technical Specifications 10.18-4 10.19 POST ACCIDENT SAMPLING SYSTEM 10.19-1 10.19.1 Safety Objective 10.19-1 10.19.2 Safety Design Basis 10.19-1 10.19.3 Description 10.19-1 10.19.4 Safety Evaluation 10.19-3 10.19.5 Inspection and Training 10.19-3 10.20 CRACK ARREST VERIFICATION SYSTEM 10.20-1 10.20.1 Design Objective 10.20-1 10.20.2 Design Basis 10.20-1 10.20.3 Description 10.20-1 10.20.3.1 General 10.20-1 10.20.3.2 System Description 10.20-1 10.20.3.3 System Evaluation 10.20-2 10.21 HYDROGEN WATER CHEMISTRY EXTENDED TEST SYSTEM 10.21-1 10.21.1 Design Objective 10.21-1 10.21.2 Design Basis 10.21-1 10.21.3 Description 10.21-1 10.21.3.1 General 10.21-1 10.21.3.2 System Description 10.21-2 10.21.4 Codes, Standards, and Regulations 10.21-5 10.21.5 System Evaluation 10.21-6 10.21.6 References 10.21-6 10.22 ELECTROLYTIC HYDROGEN WATER CHEMISTRY SYSTEM 10.22.1 Design Objective 10.22-1 10.22.2 Design Basis 10.22-1 10.22.3 Description 10.22-2 10.22.3.1 General 10.22-2 10.22.3.2 Gas Generator and Operating Characteristics 10.22-3 10.22.3.3 Compression Modules 10.22-4 10-vi Rev. 30 - Nov. 2015

PNPS-FSAR TABLE OF CONTENTS (Cont)

Section Title Page 10.22.3.4 Pneumatic Backpressure Regulators 10.22-4 10.22.3.5 Process Flow Path Components 10.22-4 10.22.3.6 Gas Generator Building 10.22-5 10.22.3.7 Electrolytic System Controls 10.22-5 10.22.4 Hazards Addressed by the Design 10.22-8 10.22.5 Safety Features of the Design 10.22-9 10.22.6 Codes and Standards 10.22-11 10.22.7 Safety Evaluation 10.22-11 10.22.7.1 Drain Sumps 10.22-11 10.22.7.2 Torus Airspace Hydrogen Concentration After SRV Blowdown 10.22-12 10.22.7.3 Effect of Feedwater Leakage in the Drywell 10.22-12 10.22.7.4 Limiting Transient Consequence 10.22-12 10.22.7.5 Accidents Within the EHWCS 10.22-15 10.22.7.6 Earthquake 10.22-15 10.22.7.7 Tornado, Flood, Plane Crash 10.22-15 10.22.7.8 Radiation - ALARA Considerations 10.22-15 10.22.7.9 High Hydrogen in Offgas Post ASD2 10.22-15 10.22.8 Inspection and Testing 10.22-16 10.23 MITIGATION MONITORING SYSTEM 10.23-1 10.23.1 Design Objective 10.23.1 10.23.2 Design Basis 10.23.1 10.23.3 Description 10.23.1 10.23.3.1 General 10.23.1 10.23.3.2 System Description 10.23-2 10-vii Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 10 LIST OF TABLES Table Title 10.4-1 Fuel Pool Cooling and Cleanup System Equipment List 10.5-1 Equipment Supplied by the RBCCW System 10.5-2 Reactor Building Cooling Water System Equipment Data No. of Independent Loops - 2 10.6-1 Equipment Cooled by the Turbine Building Closed Cooling Water System 10.6-2 Turbine Building Closed Cooling Water System Equipment Data 10.8-1 Fire Detection Instruments 10.8-2 Fire Hose Stations 10.9-1 Design Temperatures (Winter) 10.9-2 Design Temperatures (Summer) 10.14-1 Process Sampling System 10.21-1 Extended Test System Alarms and Shutdown Signals 10-viii Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 10 LIST OF FIGURES Figure Title 10.3-1 Typical "E" Rack Module 10.3-2 Array of "E" Rack Cells (3x3) 10.3-3 Elements "E" Rack Cross Section 10.3-4 Sheathing Shown Installed on "N" Rack Box 10.3-5 A Cross-Section View of "N" Array of Storage Locations 10.3-6 Three "N" Rack Cells in Elevation View 10.3-7 Pilgrim Spent Fuel Pool - Capacity Expansion 10.4-1 Fuel Pool Cooling and Demineralizer System, Piping and Instrumentation Diagram (Drawing M231) 10.5-1 Reactor Building Cooling Water System, Piping and Instrumentation Diagram (Drawing M215) 10.6-1 Turbine Building Cooling Water System, Piping and Instrumentation Diagram (Drawing M216) 10.7-1 Service Water Screen Wash and Hypo - Chlorination Systems, Piping and Instrumentation Diagram (Drawing M212) 10.8-1 Fire Protection System, Piping and Instrumentation Diagram (Sheets 1, 2, 3, and 4) (Drawing M218) 10.9-1 Station Heating Diagram, Sheet 1 (Drawing M236) 10.9-2 Station Heating Diagram, Sheet 2 (Drawing M237) 10.9-3 Reactor Building Air Flow Diagram (Drawing M289) 10.9-4 Turbine Building Air Flow Diagram (Drawing M288) 10.9-5 Radwaste Area Air Flow Diagram (Drawing M290) 10-ix Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 10 LIST OF FIGURES Figure Title 10.9-6 Control and Cable Spreading Rooms, Intake Structure, Access Control, Warehouse, and Machine Shop Air Flow Diagrams (Drawing M292) 10.10-1 Makeup Demineralizer System, Piping and Instrumentation Diagram (Sheets 1 and 2) (Drawings M224, M225) 10.11-1 Compressed Air System, Piping and Instrumentation Diagram (Drawing M220) 10.14-1 Reactor Water Clean-up Sample Racks System (Drawing M228, M229, M230) 10.17-1 Plant Ventilation Diagram (Drawing M287) 10.19-1 H2 & O2 Analyzer & Reactor Coolant Pressure Boundary Leak Detection Systems, Piping and Instrumentation Diagram (Sheet 1), Post Accident Sampling System, Piping and Instrumentation Diagram (Sheets 2 and 3) (Drawing M239) 10.20-1 Crack Arrest Verification System P&ID (Drawing M256) 10.21-1 ETS Subsystem Diagram 10.21-2 Extended Test System Hydrogen and Oxygen Injection Sub-System (Drawing M257) 10.21-3 Extended Test System Oxygen Storage and Supply Sub-System (Drawing M258) 10.21-4 Extend Test System Hydrogen Storage and Supply Sub-System (Drawing M260) 10.22-1 Electrolytic Hydrogen Water Chemistry System (Drawing M269) 10-x Rev. 30 - Nov. 2015

PNPS-FSAR 10.2 NEW FUEL STORAGE 10.2.1 Power Generation Objective The power generation objective of the new fuel storage vault and the new fuel storage racks is to provide a dry location for upright storage of new fuel assemblies which will allow efficient handling of the assemblies during station operations.

10.2.2 Power Generation Design Basis

1. The new fuel storage racks are designed to accommodate greater than 30 percent of the full core loading of fuel assemblies in an upright storage position.

2. The new fuel storage racks and the concrete storage vault are designed to allow efficient handling of the fuel assemblies during station operations.

10.2.3 Safety Design Basis

1. The new fuel racks are designed with sufficient spacing between the new fuel assemblies to assure that the fully loaded array will have a Keff 0.90 for normal dry conditions and a Keff < 0.95 for abnormal conditions where the assemblies are completely flooded with water.

2. The fully loaded new fuel storage vault and storage racks are designed to Class I standards.

10.2.4 Description The new fuel storage vault is a reinforced concrete Class I structure, accessible only through top hatches. There is an open drain in the floor of the vault to prevent flooding. New fuel racks are provided for at least 30 percent of the full reactor core load.

Each new fuel storage rack holds up to 10 unchanneled fuel assemblies in a row spaced approximately 6.6 in apart center-to-center. The racks are arranged in rows having an 11 in center-to-center spacing that will limit the effective multiplication factor (Keff) of the array to less than 0.90 assuming the fuel to be in the dry condition.

Each space for a fuel assembly has adequate clearance for inserting or withdrawing the assembly from above while enclosed in a protective plastic wrapping. Guides are provided to guide the fuel assemblies for the full length of their insertion into the rack.

The design of the racks prevents accidental insertion of the fuel assembly into a position not intended for the fuel. The weight of the fuel assembly is supported at the bottom, and the rack provides full longitudinal support for the new fuel assembly spacers.

Removable gratings (approximately 11 in wide and 6 ft 7 1/2 in long) over each fuel rack are provided to minimize the number of uncovered assemblies.

10.2-1 Rev. 30 - Nov. 2015

PNPS-FSAR Each new fuel storage rack is designed as a Class I structure.

Stresses in a fully loaded rack are designed not to exceed applicable specification requirements of the American Institute of Steel Construction (AISC) or the American Society of Civil Engineers (ASCE) when subjected to a horizontal earthquake load of 0.25g applied in any direction. A safety factor of approximately 2, based upon the material yield strength or local critical buckling, is used where these specifications are not applicable.

The storage rack structure is designed to absorb an impact energy of at least 7,000 ft-lb on an impact surface no larger than 3 inches in diameter. Under this impact force, the members that function to physically maintain the subcritical spacing (to assure that Keff will not exceed 0.95 when flooded) will remain intact. Those members whose local and general strain exceed 25 percent of the material ultimate strain are assumed to be nonexistent for further energy absorption or for spacing purposes. Those members and their connections whose continued presence is required to maintain the subcriticality margin are designed using a minimum safety factor of approximately 1.33 based on the lower of the material yield or buckling stresses.

The storage racks are designed to withstand a pull-up force of 5 tons, equal to the load rating of the overhead crane's auxiliary hoist, and a horizontal force of 1,000 lb applied to the top of the rack. This is necessary in the event that the fuel assembly or grappling device binds during removal. The stress in these members required to maintain the abnormal storage subcriticality conditions will not exceed 75 percent of the material yield strength or 75 percent of that stress at which local buckling occurs.

The new fuel racks are designed to be restrained by hold-down lugs to assure that rack spacing does not vary under specified earthquake loads. Hold-down bolts will restrain the rack in case a stuck fuel assembly is inadvertently hoisted. Each hold-down bolt is designed to withstand 500 lb horizontal shear and an uplift force of 5,000 lb. All materials used in the construction of the new fuel storage racks are specified in accordance with the applicable ASTM specifications, and all welds are in accordance with AWS standards.

Materials selected are corrosion resistant or are treated to provide the necessary corrosion resistance.

Criticality monitoring shall be in accordance with the requirements of 10 CFR 50.68(b).

10.2.5 Safety Evaluation The calculations of Keff are based upon the geometrical arrangement of the fuel array, and subcriticality does not depend upon the presence of neutron absorbing materials. The arrangement of the fuel assemblies in the fuel storage racks results in Keff below 0.90, when dry. In an abnormal condition which assumes the vault is flooded with water and the fuel elements are brought to their most reactive spacing, the rack spacing is designed such that Keff will not exceed 0.95.

Design of the new fuel storage vault to Class I standards effectively eliminates the possibility of vault damage due to earthquake loads.

10.2-2 Rev. 30 - Nov. 2015

PNPS-FSAR A floor drain prevents accumulation of water in the vault. A radiation monitor in the vault provides warning of any radiation level increase above normal operating conditions. It is concluded that the safety design bases are met.

10.2.6 Inspection and Testing The new fuel storage racks do not require any special inspection and testing for nuclear safety purposes.

10.2-3 Rev. 30 - Nov. 2015

PNPS-FSAR 10.3 SPENT FUEL STORAGE 10.3.1 Power Generation Objective The power generation objective of the spent fuel storage racks and the spent fuel storage pool is to provide specially designed underwater storage space for the spent fuel assemblies which require shielding during storage and handling.

10.3.2 Power Generation Design Basis

1. Spent fuel storage racks are supplied for the storage of a maximum number of fuel assemblies.

2. The spent fuel storage racks and the spent fuel storage pool are designed to allow efficient handling of the fuel assemblies during refueling and fuel handling operations.

10.3.3 Safety Design Basis

1. The spent fuel storage racks are designed to maintain, when fully loaded with fuel assemblies, a subcritical configuration having a keff <0.95 for normal and abnormal conditions, as defined in Section 10.3.4.

2. The storage pool and concrete structures provide a sufficient depth of water and sufficient concrete thicknesses to adequately shield station personnel from radiation emitted by a full load of spent fuel assemblies.

3. The fully loaded spent fuel storage racks, supports, and pool concrete structures are designed to Class I standards.

10.3.4 Description 10.3.4.1 General The spent fuel storage racks provide storage at the bottom of the fuel pool for the spent fuel received from the reactor vessel. See Figure 10.3-1. The racks are full length, top entry, and designed to maintain the spent fuel in a space geometry which precludes the possibility of criticality under normal and abnormal conditions.

Normal conditions exist when the spent fuel is stored at the bottom of the fuel pool in the design storage position. Abnormal conditions may result from:

Increased temperature Boiling Reduced moderation density Fuel assembly positioning (rack bending)

Assembly placed outside rack Dropped fuel assembly Lost/Missing absorber plate 10.3-1 Rev. 30 - Nov. 2015

PNPS-FSAR The standard spent fuel racks, shown on Figure 10.3-1, are a modular design of varying sizes. Each rack has the capacity to store an average of 260 spent fuel assemblies. The fuel pool has a licensed capacity of 3859 fuel assemblies. With the present inventory of fuel racks in the pool, PNPS only has the capacity to store 3404 fuel assemblies. The racks are free standing.

Nine racks are made up of welded stainless steel assemblies in the shape of cruciforms, angles, and tees. Sheets of Boraflex poison material are sandwiched between the stainless steel sheets creating a welded assembly. The rack assembly is shown on Figure 10.3-1.

The remainder of the racks are made up of welded stainless steel boxes. Sheets of Boral or Metamic poison material have been sandwiched between the box walls and a stainless steel sheath welded to the box walls for the purposes of holding the poison in position.

Refer to Figures 10.3-4, 10.3-5 and 10.3-6.

The pool configuration for the existing and new racks plus the future expansion racks are shown in Figure 10.3-7.

The racks are designed to withstand a pull-up force equal to 4,000 lb acting on the rack corner (necessary in the event that a fuel assembly or grappling device acting on the rack corner binds during removal). The maximum allowable stress on the members required to maintain the subcritical condition will not exceed 75 percent of the material yield strength or 75 percent of that stress at which local buckling occurs.

No spaces exist between normal fuel storage positions so that it is not possible to insert a fuel assembly, either deliberately or by accidental drop, in any position not intended as a fuel storage position, except as analyzed. See Section 10.3.5.

Each fully loaded spent fuel storage rack is designed as a Class I structure. The spent fuel racks are designed such that the stresses in a fully loaded rack do not exceed applicable American Institute of Steel Construction or American Society of Civil Engineers specification requirements when subjected to the seismic loads resulting from the Safe Shutdown Earthquake. Both the horizontal and vertical forces due to the earthquakes are considered to act simultaneously. Acceleration time-histories resulting at the spent fuel pool floor during the Safe Shutdown Earthquake are used as input to the dynamic analysis of the racks.

The storage rack structure is designed to absorb the vertical impact force imposed by a fuel assembly dropped from a height of 36 in above a rack onto any location on the rack. Under this impact force, those members, whose function is to physically maintain the normal design subcritical spacing to assure keff <0.95, will remain intact.

All materials used in the construction of the rack are specified in accordance with the latest issue of applicable ASTM specifications, and all welds are in accordance with AWS standards or ASME Section IX for materials used. Materials selected are corrosion resistant or treated to provide the necessary corrosion resistance.

10.3-2 Rev. 30 - Nov. 2015

PNPS-FSAR Special brackets have been designed to hang control rod blades from the spent fuel pool curb. Design calculations and administrative controls have been established to identify acceptable radiological limits for storing material in the spent fuel pool. Hanging control rod blades from the spent fuel pool curb is within the plant shielding design as specified in Sections 12.3.1.1 and 12.3.3.2.

The spent fuel storage pool has been designed to withstand earthquake loading as a Class I structure. It is a reinforced concrete structure, completely lined with seam-welded stainless steel plates welded to reinforcing members (channels, I-beams, etc) embedded in concrete. Interconnected drainage monitoring channels are provided behind the liner welds. These channels are designed to (1) prevent pressure buildup behind the liner plate, (2) prevent the uncontrolled loss of contaminated pool water to other relatively cleaner locations within the secondary containment, and (3) provide necessary detection and measurement of liner leaks. These drainage channels are formed in the concrete behind the liner and are designed to permit free gravity drainage to the floor drainage sump.

The passage between the spent fuel storage pool and the refueling cavity above the reactor vessel is provided with two double sealed gates with a monitored drain between the gates. This arrangement permits monitoring of leaks and facilitates repair of a gate or seal, if necessary.

To avoid unintentional draining of the pool, there are no penetrations that would permit the pool to be drained below a safe storage level (approximately 10 ft above the top of the fuel).

Lines extending below this level are equipped with siphon breakers to prevent siphon backflow. Two epoxy phenolic-lined carbon steel skimmer surge tanks are sized to take into account the placement of large items such as the spent fuel cask into the pool.

Makeup water to the fuel pool is transferred from the condensate storage tanks directly to the skimmer surge tanks to make up for normal fuel pool losses. The available methods of providing makeup water to the spent fuel pool include the following:

1. Condensate transfer system with either of the two condensate transfer pumps operating can provide water through two paths:

a. 3-inch piping directly to the fuel pool skimmer surge tanks with a maximum flow rate of 200 GPM.

b. 10-inch piping to the spent fuel pool cooling system (SFPCS) discharging directly to the fuel pool or to the filter-demineralizer train with a flow rate of approximately 1100 GPM.

2. Demineralized water transfer system 4-inch piping to the spent fuel pool, reactor basin, and dryer separator pool service boxes.

Either of the two demineralized water transfer pumps can provide 100 GPM to the service boxes which may be connected to discharge to the fuel pool.

10.3-3 Rev. 30 - Nov. 2015

PNPS-FSAR

3. The fire protection system (FPS) has two hose stations on the refuel floor (Elev. 117 ft). The FPS can be fed from the electric motor driven fire pump or the diesel engine driven fire pump, each rate at 2000 GPM, drawing water from either of the two fire water storage tanks. Each hose station is rated to discharge 150 GPM.

4. After the reactor has been brought to the cold shutdown condition, the RHR/SFPCS intertie may be used to add makeup water to the fuel pool if the other methods described above are not available. The fire protection system is connected to the RHR loop cross-tie to which the RHR/SFPCS intertie is also connected thus delivering water from the FPS directly to the fuel pool.

One loop of RHR using one pump may also be used to deliver water from the torus to the fuel pool while the other RHR loop maintains shutdown cooling of the reactor.

The condensate and demineralized water transfer systems include three alternate storage tanks, four pumps, and three separate flow paths to the SFPS. The FPS is configured with a ring header arrangement that provides two independent flow paths to each hose station. During a loss of off-site power, the FPS diesel fire pumps and mobile fire engines, if needed, would be available.

10.3.4.2 Fuel Pool Level Indicators Low water level alarms are provided locally and in the main control room in the event of water loss from either rupture of the fuel pool wall liner, or the rupture of the reactor basin refueling bellows.

(The alarm from the reactor basin is isolated during station operation.) As a backup, flow alarms are provided in the drain lines of the reactor vessel to drywell seal, drywell to concrete seal, and fuel pool gate to detect leakage. See Section 10.4.

NRC Order EA-12-051 required the installation of at least one permanent Spent Fuel Pool (SFP) level indication system. Pilgrim has installed two permanent SFP level indicating systems. The systems were designed and manufactured by MOHR Industries of Richland Washington.

Each of the two systems consist of a probe in the SFP, a power conditioner in the Control Room, a display unit in the Control Room, and a backup battery in the Control Room. The system can measure the level from approximately 6 inches above the top of the fuel racks to approximately 1-1/2 inches below the flange on the probe.

Therefore the range is from an elevation of 93 ft. 3 inches to 116 ft. 7-1/2 inches. Reference drawing C2900.

10.3-4 Rev. 30 - Nov. 2015

PNPS-FSAR 10.3.5 Safety Evaluation The design of the spent fuel storage provides for a keff < 0.95 for both normal and abnormal storage conditions. Normal conditions exist when the fuel storage racks are located at the bottom of the pool covered with a normal depth of water (about 25 ft above the stored fuel) and with fuel assemblies in their design storage positions. Abnormal conditions may result from abnormal location of a fuel assembly adjacent to the fuel storage racks, eccentric positioning of a fuel assembly within a fuel storage cell, zirconium fuel channel distortion, a dropped fuel assembly, or fuel rack lateral movement.

Analysis of the reactivity effects has been completed twice, first for the existing high density racks by Southern Science (Reference

3) and second by Holtec International (References 4 and 10) for the new racks. The Holtec Analysis bounds the existing analysis and, hence, provides acceptance criteria for storage of reactor fuel equally applicable for both the old and new spent fuel racks.

10.3-5 Rev. 30 - Nov. 2015

PNPS-FSAR These analyses of the reactivity effects were performed with both the CASMO-3 computer code (a two-dimensional multi-group theory code) and the KENO-5a code (a Monte Carlo code), using the 27 energy group SCALE neutron cross section library. CASMO-3 was used as the primary method of analysis as well as the means of evaluating small reactivity increments associated with manufacturing tolerances.

Burn up calculations were also performed with CASMO-3. KENO-5a was used to perform an independent verification of the CASMO-3 results as well as to assess the reactivity consequence of eccentric fuel positioning and abnormal locations of fuel assemblies. Both codes are widely used for the analysis of fuel storage rack reactivity and have been benchmarked against results from numerous critical experiments.

An assessment of the reactivity has also been performed using TGBLA06 in place of CASMO-3 and MCNP-05P in place of KENO-5a. This analysis concluded that acceptance criteria established by the Holtec analysis are also appropriate for use with GNF 10 x 10 fuel.

To ensure that true reactivity will always be less than the calculated reactivity, the following conservative assumptions were made:

1. The racks contain the most reactive fuel authorized to be stored in the facility without any controls or any uncontained burnable poison, and with the fuel at the burn up corresponding to the highest reactivity during its burn up history.

2. Moderator is pure, unborated water at a temperature within the design-basis range corresponding to the highest reactivity.

10.3-6 Rev. 30 - Nov. 2015

PNPS-FSAR

3. Criticality safety analyses are based on the infinite multiplication factor (K); that is, lattice of storage racks is infinite in all directions, except in the assessment of certain abnormal/accident conditions where neutron leakage is inherent.

4. Neutron absorption effects of minor structural material are neglected.

For the design basis reactivity calculations, uncertainties due to tolerances in the following were accounted for: boron loading, Boral thickness, cell lattice spacing, stainless steel cell wall thickness, and fuel enrichment and density. These uncertainties were statistically combined at the 95 percent probability, 95 percent confidence (95/95 probability/confidence) level. In addition, a calculation bias of 0.01 k was added to account for possible differences between fuel vendor calculations and those performed here.

The resulting conservative criteria for acceptable storage of fuel in the spent fuel storage racks at Pilgrim Station are:

1) Fuel must have lattice-average enrichment of 4.6% or less.

2) The K in the standard core geometry, calculated at the burn up of maximum bundle reactivity, must be 1.32 or less.

Together these criteria satisfy the USNRC criteria that Keff of fuel storage racks be maintained less than or equal to 0.95.

The reactivity effects during abnormal and accident conditions due to the effects of temperature and water density, abnormal location of a fuel assembly, eccentric fuel assembly positioning, fuel rack lateral movement or the dropping of a fuel assembly on top of the storage rack were considered. None of the credible conditions resulted in exceeding the limiting reactivity criterion of Keff no greater than 0.95.

Reactivity calculations discussed above assume that the neutron absorbing material incorporated in the design of the fuel storage racks maintains its installed configuration and material properties.

However, the older design employs Boraflex, a polymer which has demonstrated shrinkage under irradiated conditions including exposure to gamma fluxes from stored spent fuel. When further exposed to water, the polymer erodes and washes out of the racks.

Initial in-situ examinations of highly exposed Boraflex material in the PNPS spent fuel racks has confirmed the expected shrinkage, but did not indicate erosion. The test results are reported in reference 11. Reactivity calculations, as previously described, were repeated to allow evaluation of potential future changes in the condition of various Boraflex parameters to determine the extent of further degradation that may be acceptable. The results are reported in reference 12. For the same fuel criteria discussed above, the Keff remains less than 0.95.

10.3-7 Rev. 30 - Nov. 2015

PNPS-FSAR Fuel in the spent fuel storage pool is covered with sufficient water for radiation shielding. Low water level alarms are provided locally and in the main control room in the event of water loss from either rupture of the fuel pool wall liner or the rupture of the reactor basin refueling bellows. As a backup, flow alarms are provided in the drain lines to detect reactor vessel to drywell seal, drywell to concrete seal, and fuel pool gate leakages. An adequate fuel pool water level is maintained even in the unlikely event of a pipe break between the skimmer surge tanks and the fuel pool cooling system pumps, since fuel pool discharge to the skimmer surge tanks is by overflow only. Thus, a pipe break would drain the skimmer surge tank but not reduce the fuel pool level. Siphon-breakers prevent siphon backflow through the fuel pool cooling system discharge pipes.

Criticality monitoring shall be in accordance with the requirements of 10 CFR 50.68(b).

10.3.6 Consequences of a Dropped Fuel Cask The spent fuel pool is designed as a Class I structure using the design criteria described in Appendix C and Section 12. The loading combinations considered do not include the forces generated by a heavy falling object such as a spent fuel handling cask., and it must be conservatively assumed therefore that such an event could potentially result in localized damage to the spent fuel pool floor and liner.

The reactor building crane upgrade modification installed for dry fuel storage cask handling utilizes a reactor building crane main hoist that has been designed as a single-failure-proof component.

When used with casks and below-the-hook cask handling equipment designed to function as a single-failure-proof handling system, consideration of a cask drop accident is not required per the guidance of NUREG-0612 (Reference 14).

To preclude a cask handling accident six shop tests were performed:

1. Main Hook: Load tested to 200 percent capacity followed by magnetic particle and ultrasonic testing.

Dimensional checks conducted prior and subsequent to load testing.

2. Rope Tests: Sample pieces from each rope end piece receive destructive breaking strength tests prior to final splicing.

3. Girder Welds: Three test samples of girder cover plate to web plate automatic welds are radiographed.

4. Trolley Welds: Visual inspection with weld size gage.

5. Gear and pinion blanks, shafts, couplings and brakes for hoist drive are examined by magnetic particle or ultrasonic methods.

10.3-8 Rev. 30 - Nov. 2015

PNPS-FSAR

6. Swivels, load block frames, and hook trunnions are examined by ultrasonic or magnaflux methods.

Field Tests

1. No-load tests: A no-load operational test was conducted to verify proper operation of all controls, brakes, limiting devices, and lifting speeds.

2. Load test: The crane was loaded to 105 percent of rated load (100 tons). The load was raised from the 23 ft elevation to the 117 ft elevation and moved to center span where deflection measurements were taken. The load was moved through the full range of bridge and trolley limits. During the loaded test, a complete operational checkout was repeated.

10.3-9 Rev. 30 - Nov. 2015

PNPS-FSAR In addition to the Uuse of conservatively designed hoisting equipment, load testing, and examination prior to cask handling to verify sound equipment and minimizes the possibility of a dropped cask (see Section 10.3.7).

Pilgrim evaluated a load handling accident involving a cask up to 35 tons in weight being dropped through the refuel floor equipment hatch opening in a submittal letter to the NRC (Reference 15). This letter is cited as an input to the NRC Safety Evaluation supporting Amendment 33 to the Pilgrim Operating License (Reference 16)., an energy absorbing system is provided on the floor of the fuel pool in the cask handling area in order to minimize pool damage in the event of a dropped cask. The energy absorbing system consists of approximately 3 ft of aluminum "Hexcel" honeycomb and a high strength steel load distribution plate. The energy of the falling cask would be transmitted to the "Hexcel" honeycomb core which has an available crushing distance of approximately 70 percent of the core thickness. Analysis has demonstrated that with the energy absorber in place, damage to the floor will not result in a leakage rate greater than the pool makeup capability.

In order to maintain its energy absorbing function and fuel pool water quality, the "Hexcel" core is enclosed in a watertight stainless steel box. The energy absorber is designed so that it can be lifted out of the fuel pool, and is to be provided with connections which will permit periodic testing for leak tightness.

This evaluation is associated with NUREG-0612 requirements when a non single-failure-proof handling system is in use. In the unlikely event of a fuel cask drop through the equipment hatch during cask handling operations, the cask it would fall back onto the transport vehicle which could absorb, dissipate, and distribute over a wide area most of the kinetic energy of the cask. Under the most severe postulated conditions, which assume the transport vehicle and the reactor building floor at el 23 ft. maydo not stop the cask, itthe cask could land in the torus compartment at el -17 ft. 6 in. and could strike and damage the torus.

10.3-10 Rev. 30 - Nov. 2015

PNPS-FSAR Regardless of the degree of penetration of the cask or the location at which it ultimately stops, the ability to safely achieve plant shutdown, cool down, and depressurization is not jeopardized. The reactor would be immediately shut down. Cool down and depressurization would be initiated using the turbine bypass to the condenser and feedwater system. At the appropriate time the shutdown cooling mode of the residual heat removal system (RHR) would be initiated using the RHR and reactor building closed cooling water systems (RBCCW) unaffected by the cask drop.

10.3.7 Inspection and Testing Leak detection channels are provided on the concrete side of the spent fuel storage pool liner. Surveillance of flow from these leak channels will permit early determination and localization of any leakage.

The spent fuel racks require no special inspection and testing for nuclear safety purposes. A commitment was made in response to Generic Letter 96-04, Boraflex Degradation of Spent Fuel Pools, to a periodic material surveillance of the Boraflex material cell panels installed on spent fuel pool racks. A separate commitment was made to an accelerated surveillance program for Boral test coupons installed in the spent fuel rack area as part of License Amendment 155 (increased spent fuel storage capacity). A similar surveillance program will be used for Metamic poison material.

Prior to cask handling operations a visual inspection of cables, sheaves, hook, yoke, and cask lifting trunnions is made. Following these inspections no-load mechanical and electrical tests are conducted to verify proper operation of crane controls, brakes, and lifting speeds. A load test is then conducted by lifting the empty cask approximately 1 ft off its transport vehicle. Once again all critical elements, controls, and lifting speeds are examined and tested in the loaded condition. Additionally, this test is used to verify that no significant movement occurs after an interval in the loaded condition.

After confirmation of the operational acceptability of the crane, the fuel cask is hoisted to the refueling floor and moved over a prescribed path to its position in the fuel storage pool. Travel over the spent fuel storage pool with the refueling cask is limited to that small area provided for cask use.

Preventive maintenance procedures include inspection and testing of crane controls, brakes, and rigging. Hooks are examined by nondestructive testing methods.

The proper application of prescribed industrial specifications in the design of the reactor building crane provides an adequate safety margin over the designed lifting capacity. Inspection, maintenance, and operating procedures as described in the preceding paragraphs will assure that an adequate safety margin is maintained throughout the lifetime of the plant.

10.3-11 Rev. 30 - Nov. 2015

PNPS-FSAR 10.3.8 Dry Fuel Storage The PNPS has established as Independent Spent Fuel Storage Installation (ISFSI) west of the Reactor Building inside the plant protected area. The ISFSI Area includes an ISFSI Pad, an Approach Slab, and a Radiation Control Area (RCA) fence. The ISFSI concrete pad has a capacity for 40 vertical spent fuel storage casks.

The Spent Fuel Dry Cask Storage operations at PNPS will be conducted under a general license in accordance with Subpart K of 10 CFR Part

72. The general license issued by 10 CFR 72.210, "General license issued," authorizes a 10 CFR Part 50 nuclear power plant licensee to store spent fuel at an onsite ISFSI. Subpart K of 10 CFR Part 72 also includes 10 CFR 72.212, "Conditions of general license issued under §72.210," which requires the use of a dry cask storage system that is pre-approved by the Nuclear Regulatory Commission, as evidenced by its listing 10 CFR 72.214.

The PNPS ISFSI uses the Holtec HI-STORM 100S Version B vertical cask storage overpack and the Holtec MPC-68 multi-purpose canister (MPC),

as described in the HI-STORM 100 Cask System FSAR (Reference 17) and approved by the Nuclear Regulatory Commission via the HI-STORM Certificate of Compliance No. 1014 (Reference 18).

The MPC provides the confinement boundary for the stored fuel. The MPC is a welded, cylindrical canister with a honeycombed fuel basket. All MPC confinement boundary components are made entirely of stainless steel. The honeycombed basket, which is equipped with neutron absorbers, provides criticality control.

The HI-STORM 100S Version B storage overpack provides shielding and structural protection of the MPC during storage. The HI-STORM 100S Version B overpack design includes a lid which incorporates the air outlet ducts into the lid. The overpack is a heavy-walled steel and concrete, cylindrical vessel. Its side wall consists of plain (un-reinforced) concrete that is enclosed between inner and outer carbon steel shells. The overpack has four air inlets at the bottom and four air outlets at the top to allow air to circulate naturally through the cavity to cool the MPC inside. The inner shell has supports attached to its interior surface to guide the MPC during insertion and removal, and allow cooling air to circulate through the overpack. A loaded MPC is stored within the HI-STORM 100S Version B storage overpack in a vertical orientation.

Loading the MPC with spent fuel assemblies takes place in the Reactor Building. Using the 100-ton Reactor Building crane and a lift yoke, a transfer cask with an empty MPC is lowered into the spent fuel pool. The MPC is then loaded with spent fuel assemblies utilizing the refueling platform. Once loaded, the transfer cask and MPC are transferred by the Reactor Building crane to the Reactor Building decontamination area, where the MPC is decontaminated, welded shut, drained, dried, and backfilled with helium. The transfer cask containing the loaded MPC is again lifted using the Reactor Building crane and lift yoke, lowered through the hoist way and placed on top of the HI-STORM 100 storage overpack inside the Reactor Building truck bay where the MPC is transferred from the transfer cask to the HI-STORM 100 storage overpack. The loaded HI-10.3-12 Rev. 30 - Nov. 2015

PNPS-FSAR STORM 100 storage overpack is then transported out of the Reactor Building to the ISFSI.

10.3.98 References

1. American National Standard, "Design Objectives for Light Water Reactor Spent Fuel Storage Facilities at Nuclear Power Stations", ANS-57.2, ANSI N210-1976.

2. US Nuclear Regulatory Commission "Standard Review Plan",

Office of Nuclear Reactor Regulation, NUREG-0800.

3. Southern Science Co., "Criticality Safety Analysis of the High Density Spent Fuel Storage Racks for the Pilgrim Nuclear Power Station", SSA-159 (SUDDS/RF 85-40, March 1985).

4. GE Letter ELH: 85-079, from E. L. Heinlein to R. G. Clough, "Transmittal of K-infinity Calculations", September 23, 1985.

5. Holtec International "PNPS Spent Fuel Storage Capacity Expansion" Licensing Report #HI-92925, (SUDDS/RF 93-01)

6. Holtec International "Single Rack Analysis" Report #HI-92927 (SUDDS/RF 94-23)

7. Holtec International "Spent Fuel Pool Slab Analysis" Report

1. HI-92952 (SUDDS/RF 94-24)

8. Holtec International "Whole Pool Multi Rack Analysis" Report

1. HI-92929 (SUDDS/RF 94-27)

9. Holtec International "Thermal Hydraulic Analysis" Report #HI-92936 (SUDDS/RF 94-28)

10. Holtec International "Criticality Safety Analysis" Report #HI-92939 (SUDDS/RF 94-29)

11. Holtec International Blackness Testing of Boraflex in Selected Cells of the Pilgrim Station Spent Fuel Storage Racks, Report #HI-60935 (SUDDS/RF96-57).

12. Holtec International Criticality Safety Analyses of the Pilgrim Spent Fuel Storage Racks with Degradation of the Boraflex Neutron Absorber, Report #HI-91709 (SUDDS/RF97-43).

13. Holtec International In-Situ Neutron Absorber Surveillance Program, HSP-10

14. NUREG-0612, Coontrol of Heavy Loads at Nuclear Power Plants, July 1980 (Encloosure 1 to NRC Letter dated December 22, 1980; Ltr. 1.81.0114).

15. Pilgrim Letter #78-109 to NRC dated June 26, 1978 (Ref.

ELNRC1.2.78.109).

10.3-13 Rev. 30 - Nov. 2015

PNPS-FSAR

16. NRC Saafety Evaluation Report for Amendment No. 33 to the Pilgrim Operaating License (Ref. NRCLE1.1.78.120).

17. Holtec International Final Safety Analysis Report for the HI-STORM 100 Cask System, Revision No. 9, USNRC Docket No.

72-1014, Holtec Report No.: HI-2002444, February 13, 2010.

18. USNRC Certificate of Compliance No. 1014, Docket No. 72-1014, Amendment No. 7, for the HI-STORM 100 Cask System, December 28, 2009.

10.3-14 Rev. 30 - Nov. 2015

PNPS-FSAR 10.8 FIRE PROTECTION SYSTEM 10.8.1 Power Generation Objective The power generation objective of the fire protection system is to provide adequate fire protection capability in all areas of the station and to ensure safe shutdown in the event of a fire in any area of the plant.

10.8.2 Power Generation Design Basis The fire protection system is designed to furnish water, halon, carbon dioxide, and/or dry chemicals as necessary for fire extinguishment in the station. The fire protection system is designed to provide the following:

1. A reliable supply of fresh water for fire fighting

2. A reliable system for delivery of water to potential fire locations

3. Automatic fire detection in selected areas

4. Fire extinguishment or control by fixed equipment activated either automatically or manually for areas with a high fire risk

5. Manually operated fire extinguishing equipment for use by operating personnel at selected points throughout the station In addition, an alternate shutdown system has been installed to ensure that the station's safe shutdown capability is not adversely affected by a fire (Reference 6).

The requirements contained in the Entergy Quality Assurance Program Manual (QAPM) are applied to those activities affecting fire protection systems and equipment required to limit fire damage to safety-related structures, systems, and components so that the capability to safely shut down the plant is ensured.

10.8.3 Description The fire protection system, piping and instrumentation diagram is shown on Figure 10.8-1 (BECo M218).

10.8.3.1 Fire Water System The site fire water supply is taken from two 250,000 gal, lined carbon steel water tanks which are devoted exclusively to fire protection. The fire water system may also use water from a city water main.

10.8-1 Rev. 30 - Nov. 2015

PNPS-FSAR The water supply is delivered by either an electric motor-driven pump (rated at 2,000 gal/min) or a diesel engine driven pump (rated at 2,500 gal/min). The diesel engine driven pump is used for standby and emergency use on loss of ac power. A hydro turbine driven by diesel fire pump P-140 drives the backup diesel fuel transfer pump (P-181). This pump takes suction from the emergency diesel generator fuel oil storage tanks, bypasses diesel transfer pump P141-A and discharges to day tank T-123. The purpose of this hydro turbine driven pump is to provide a redundant (non-electric power dependent) diesel fuel oil transfer pump for the diesel fire pump P-140. This redundant pump will allow extended operation of the diesel fire pump as a water source for the RHR system during extended station blackout and severe accident scenarios beyond design basis. A small jockey pump (rated at 50 gal/min) is provided to maintain a constant pressure for the water system. If the system pressure drops substantially, the motor-driven fire pump will start automatically, and if pressure continues to drop, the diesel-driven pump will also start automatically.

The pumps feed outdoor fire hydrants, interior hose stations, sprinkler systems, and deluge systems for the station.

As part of the Safety Enhancement Program (SEP), a piping connection is provided from the Fire Protection System to the RHR System. This connection will allow water from the Fire Protection System fire pumps to flow to the upper containment spray header, torus spray header, and/or LPCI injection lines during a severe accident or station blackout.

The interconnection of the Fire Protection System and the RHR is manually initiated. Inadvertent admission of fire water to the RHR and or RHR contamination of the FPS is prevented by requiring the operator to install a removable pipe section with couplings and to open two locked closed valves. The removable pipe section is not installed during normal operation.

There are four types of sprinkler or water spray systems used at PNPS: (1) deluge, (2) pre-action, (3) wet pipe, and (4) dry pipe systems.

Deluge and pre-action systems have empty pipes. In these systems, the water is controlled (i.e., held out) by a separate heat detection system. Deluge systems have "open" sprinkler heads or water spray nozzles and pre-action have "closed" automatic heads or nozzles.

Wet pipe systems have pressurized water in their pipes and "closed" sprinkler heads. Dry pipe systems have pressurized air in their pipes and automatic "closed" sprinkler heads.

10.8-2 Rev. 30 - Nov. 2015

PNPS-FSAR Deluge systems protect the exterior surface of the following equipment:

1. Main Transformer

2. Auxiliary Transformer

3. Shutdown Transformer

4. Startup Transformer Wet pipe sprinkler systems protect the following areas:

1. Turbine basement area (west of shield wall)

2. Turbine lube oil reservoir room

3. Turbine lube oil conditioning room

4. Contaminated tool storage area

5. Recirculation motor generator sets room

6. Station heating boiler room

7. Old Machine shop

8. Offices at 37 elevation radwaste bldg.

9. Diesel fire pump and day tank rooms

10. Offgas Retention Building - charcoal filter room

11. Radwaste hydraulic press (baler) area

12. Access control area and radiological offices

13. Condenser Retubing Building

14. Reactor Building (20 ft wide sprinkler systems only on El. 23'0" and 51'-0")

15. Reactor Auxiliary Building - Water Treatment Room

16. Safety enhancement program (SEP) Pump Building.

17. Redline building (RCA ingress/egress area and trash and laundry area).

18. Trash Compaction Facility 10.8-3 Rev. 30 - Nov. 2015

PNPS-FSAR There are pre-action systems provided for the following areas:

1. Hydrogen seal supply oil area (sprinklers)

2. Diesel generator and day tank rooms (sprinklers)

3. Deleted

4. Turbine lube oil reservoir (water spray)

5. Turbine generator bearings (water spray) and oil hazards below the turbine lagging (sprinklers)

There is a dry pipe sprinkler system in the radwaste trucklock and condenser retubing building trucklock areas.

10.8.3.2 Other Extinguishing Systems Total flooding, automatically actuated Halon 1301 fire suppression systems protect the following areas:

1. Cable spreading room

2. Plant computer room

3. O&M building record storage vault

4. Station blackout (SBO) diesel generator building Dry chemical wheeled cart fire extinguishers will be provided in the following areas:

1. Diesel generator building

2. HPCI pump and turbine areas

3. Recirculation pump motor generator set room

4. Reactor feedpump area Portable CO2 hand extinguishers are provided in the control room and computer room. Portable dry chemical and pressurized water hand extinguishes are provided throughout the plant, as indicated in the Fire Protection System Evaluation and as modified by the Safety Evaluation Reports (References 1, 2, and 3).

10.8-4 Rev. 30 - Nov. 2015

PNPS-FSAR 10.8.3.3 Other Fire Protection Features Fire detection systems which alarm in the control room are located in the following areas:

1. Diesel generator building

2. Reactor feed pump area

3. Computer room

4. Recirculation pump motor generator set room

5. Control room air recirculation fan inlet duct

6. Control room cabinets and consoles required for safe shutdown

7. Vital motor generator set room

8. Safety pump rooms (HPCI, RCIC, RHR)

9. CRD modules and MCC areas - east and west elevation 23 ft

10. Switchgear rooms and battery rooms

11. Radwaste trucklock area

12. Reactor Building areas at elevations 51 ft, 74 ft 3 in, 91 ft 3 in, and 117 ft and other areas housing safe shutdown equipment, panels, cable trays, and instrumentation

13. Reactor Building closed cooling water pump rooms A and B

14. Offgas Retention Building

15. The cable spreading room Fire Detection Systems which do not alarm in the Control Room are located in the following areas:

1. Operation & Maintenance Building

2. EPIC Computer Room 10.8-5 Rev. 30 - Nov. 2015

PNPS-FSAR 10.8.3.4 Fire Barriers Three hour rated fire walls, and some that are less than three hour rated in accordance with PNPS Safety Evaluation Report (Reference 4), are identified in the Fire Protection Evaluation Report (Reference 1). Doors, dampers, pipe penetrations, and cable penetrations through these fire walls are also rated 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> fire resistant, unless an evaluation demonstrates a fire rating of less than 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> is acceptable.

These fire walls separate fire areas containing safety related equipment for safe shutdown of the station in accordance with PNPS Safety Evaluation Reports (References 2, 3, and 4).

There are fire wraps for some safe shutdown raceways routed in certain areas as follows:

"B" Switchgear Room - Enclosures #1 and #2, three hour rated.

Cable Spreading Room - Enclosure #3, one hour rated.

Torus Room (Bay 15) - Fire Wrap, one hour rated for instrumentation raceway M994.

Control Room, Shift Managers Office - Fire Wrap, Three hour rated for raceway A-260.

Fire exits in the turbine auxiliary building (i.e., access area and time tunnel) are separated by smoke control doors.

Noncombustible shields are installed between the feedwater pumps (i.e., turbine building) to prevent oil from one pump from spraying on the other(s).

The diesel generator day tank room(s) are designed to prevent diesel fuel oil from entering the diesel generator room(s).

Curbs have been installed in the Generator Auxiliaries Area of the Turbine Building to contain potential oil spills and prevent them from spreading into the Lower Switchgear Room. These curbs, in conjunction with the sprinkler system in the area, provide a reasonable means of fire control should an oil fire occur.

10.8.3.5 Alternate Shutdown System The alternate shutdown system, independent of cabling and equipment in the cable spreading room (CSR) and Control Room, is provided to effect safe shutdown of Pilgrim in the event of a fire in the CSR or the Control Room. This is accomplished by installing isolation switches for safety-related equipment that will provide the capability for the plant operators to reach a safe shutdown condition. These switches will isolate their associated equipment from the CSR cables, thus transferring control from the Control Room to the local emergency shutdown stations outside of the CSR and Control Room. These isolation switches are located in alternate shutdown panels and are located as close as practical to the equipment or switchgear they serve.

10.8-6 Rev. 30 - Nov. 2015

PNPS-FSAR Isolation for other components and systems is achieved by manual tripping of switchgear breakers and MCC breakers such that components which are not required to change status between "Normal" and "Shutdown" conditions will not be affected by faults in their control circuitry.

10.8-7 Rev. 30 - Nov. 2015

PNPS-FSAR Alternate shutdown panels are provided for the following systems:

a. Core Spray

b. RHR

c. RBCCW

d. Salt Service Water

e. HPCI

f. RCIC

g. Automatic Depressurization System

h. Diesel Generators An Emergency Lighting System has been installed to provide sufficient illumination for the access routes to each alternate shutdown panel and for operation of the safety related equipment from these panels (References 2, 3, & 4).

10.8.4 Inspection, Testing and Technical Requirements for Fire Protection Equipment The following provides surveillance frequencies, acceptance criteria and degraded equipment requirements for equipment associated with fire protection. This section reflects the guidance provided in Generic Letters 86-10 and 88-12.

10.8.4.1 Fire Detection Instrumentation 10.8.4.1.1 Fire Detection Instrumentation Technical Requirements The minimum fire detection instrumentation for each fire detection zone shown in Table 10.8-1 shall be operable at all times when equipment in that fire detection zone is required to be operable.

ACTION: With the number of minimum operable fire detection instruments less than required by Table 10.8-1:

a. Within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, establish a fire watch patrol to inspect the zone with the inoperable instrument(s) at least once per hour; and

b. Restore the inoperable instrument(s) to operable status within 14 days to assure the minimum operable detectors for each detection zone, or determine the cause of the malfunction and develop plans for restoring the instrument(s) to operable status.

c. For inoperable fire detectors controlling fire suppression systems, see the respective fire suppression system section (i.e., Section 10.8.4.3 for water suppression systems or 10.8.4.4 for gaseous suppression systems).

10.8.4.1.2 Fire Detection Instrumentation Surveillance Requirements 10.8-8 Rev. 30 - Nov. 2015

PNPS-FSAR As a minimum, the number of fire detectors noted in Table 10.8-1 shall be demonstrated operable in accordance with NFPA 72 Fire Code by a functional test at least once per year.

EXCEPTION; The detectors in the charcoal vault in the augmented offgas building need to be functionally tested once per refueling outage.

10.8.4.2 Fire Water Supply System 10.8.4.2.1 Fire Water Supply System Technical Requirements At all times when any safety related equipment is required to be operable, the fire water supply system shall be operable with:

1. One 2000 gpm and one 2500 gpm,, 119 psig (95% of the 125 psi rated output), fire pumps which are arranged to start automatically.

2. Two water supplies with a minimum storage quantity of 240,000 gallons of water in each.

3. Two independent water flow paths from 1 and 2 above to each fire water suppression system. (10.8.4.3 and 10.8.4.5)

ACTION: With less than the above required equipment:

a. Restore the inoperable equipment to operable status within 7 days or implement the plans and procedures to be used to provide for the loss of redundancy in this system.

b. With no Fire Water Supply System flow path operable, establish the Backup Fire Water Supply System within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (in accordance with station procedures) or an orderly shutdown of the reactor shall be initiated and the reactor shall be in the cold shutdown condition within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

10.8.4.2.2 Fire Water Supply System Surveillance Requirements The fire water supply system shall be tested and verified to be operable:

a. by checking the volume of water in each fire water tank at least once every 7 days.

b. by automatically starting each fire pump at least once every month and running the diesel engine driven pump for thirty minutes and the motor driven pump for at least 10 minutes at that time.

c. by visually checking every shutoff valve on the fire water supply system at least once every month for proper 10.8-9 Rev. 30 - Nov. 2015

PNPS-FSAR position. (Exception - once per cycle for those in Locked High Radiation Areas)

d. by cycling each fire water supply system shutoff valve through its full operation at least once per cycle.

e. by verifying at least once per cycle that each one pump starts and delivers at least 2000 gpm and one pump 2500 gpm while maintaining a system pressure of at least 119 psig (95% of the 125 psi rated output).

f. by performing a water flow test on the fire water yard loop at least once every year.

g. by verifying at least once every month that the diesel fire pump fuel storage tank contains a minimum of 175 gallons of fuel oil.

h. at least once per operating cycle by subjecting the diesel to an inspection in accordance with procedures prepared in conjunction with the manufacturer's recommendations for the class of service.

i. by verifying at least once per 3 months that a sample of diesel fuel from the fuel storage tank, obtained in accordance with ASTM D4057-81 or D4177-82, is within the acceptable limits specified in Table 1 of ASTM D975-81 with respect to viscosity, water content, and sediment.

j. by demonstrating that the diesel starting 24-volt battery bank and charger are operable as follows:

1. at least once per week by verifying that the electrolyte level of each battery is above the plates and battery voltage is at least 24 volts.

2. at least once per 3 months by verifying that the specific gravity is appropriate for continued service of the battery.

3. at least once per operating cycle by verifying that the batteries and battery racks show no visual indication of physical damage or abnormal deterioration and the battery-to-battery and terminal connections are clean, tight, free of corrosion, and coated with anti-corrosion material.

10.8-10 Rev. 30 - Nov. 2015

PNPS-FSAR 10.8.4.3 Spray and/or Sprinkler Systems 10.8.4.3.1 Spray and/or Sprinkler Systems Technical Requirements The spray and/or sprinkler systems located in the following areas shall be operable at all times when equipment in the spray/sprinkler protected area is required to be operable:

1. Diesel generator room preaction sprinkler systems (including detectors).

2. Diesel fire pump fuel oil storage room wet pipe sprinkler system.

3. Auxiliary boiler room wet pipe sprinkler system.

4. Recirculation pump MG set room wet pipe sprinkler system.

5. Hydrogen seal oil supply unit preaction sprinkler system (including detectors).

6. Turbine basement addition wet pipe sprinkler system.

7. Reactor building elevation 23'-0", north side wet pipe sprinkler system.

8. Reactor building Elevation 51'-0", north and south side wet pipe sprinkler systems.

9. Reactor auxiliary building, water treatment area, wet pipe sprinkler system.

10. Health physics access area wet pipe sprinkler system.

ACTION: From and after the date that a spray and/or sprinkler system is made or found to be inoperable:

a. Within one hour establish a continuous fire watch with backup suppression, except as specified in 10.8.4.3.1, actions c, d, e, f, and g.

b. Restore the system to operable status within 14 days or determine the cause of inoperability and develop plans for restoring the system to operable status.

c. If the Spray or Sprinkler System is not operable because no Fire Water Supply System flow path is operable, complete actions identified in Section 10.8.4.2.1.

d. If the suppression system of the diesel generator room preaction sprinkler systems (including detectors but excluding the Pilotex portion of the system), is inoperable, establish an hourly fire 10.8-11 Rev. 30 - Nov. 2015

PNPS-FSAR watch patrol with backup suppression provided that the detection system in that fire area and the detection and suppression system for the redundant fire area is operable.

e. If two or more detectors of the diesel generator room preaction sprinkler system are found or made to be inoperable, within one hour charge that sprinkler system piping with water.

f. If the wet pipe sprinkler system for the reactor recirculation pump MG set room, reactor building auxiliary building water treatment room, auxiliary boiler room, reactor building elevations 23 & 51 north side, or reactor building elevation 51 south side is inoperable, establish an hourly fire watch patrol with backup suppression provided that the detection system in the area is operable.

Additional administrative controls will be implemented to further reduce any potential fire hazards while the automatic suppression systems are inoperable.

g. When the entire fire area protected by a spray and

/or sprinkler system is designated, "HIGH RADIATION AREA/AIRBORNE RADIOACTIVITY AREA", an hourly fire watch patrol may be established (e.g.,

for ALARA considerations in lieu of a continuous fire watch). If a zone of the fire area is so designated, one of the following shall apply: (1)

If the zone is adequately inspectable from a non-High Radiation Area, the continuous fire watch shall be located in the non-High Radiation Area, or (2) If (1) cannot be accomplished, a fire watch patrol shall enter the High Radiation Area once every eight hours.

It is not necessary to enter areas designate designated as "Locked High Radiation Area".

10.8.4.3.2 Spray and/or Sprinkler Systems Surveillance Requirements The spray and/or sprinkler systems shall be demonstrated to be operable according to the following:

1. Each sprinkler system and water spray system alarm shall be tested at least once every year by opening the alarm bypass or inspector test valve. Alarms in high radiation areas are to be tested once per cycle.

2. Deleted.

3. Each preaction sprinkler system shall be trip tested at least once per cycle.

10.8-12 Rev. 30 - Nov. 2015

PNPS-FSAR

4. Each water spray system shall be trip tested automatically by simulated actuation of the heat detectors at least once per cycle.

10.8.4.4 Halon System 10.8.4.4.1 Halon System Technical Requirements The halon system for the cable spreading room shall be operable with each of the five storage tanks charged to at least 95% of the minimum quantity of halon (217 lbs. per tank) necessary to extinguish a fire, and minus or plus 10% of the pressure stamped on the data plate on the tank corresponding to an ambient temperature of 70F. Detectors associated with the automatic initiation of the halon system shall be operable, except that an individual detector may be inoperable if the other detector in the same bay is operable and both detectors in all adjacent bays are operable.

The halon system shall be operable at all times when the safety related equipment in the cable spreading room is required to be operable.

ACTION:

a. Within one hour from and after the time that the system is found to be inoperable, establish a continuous fire watch with backup suppression equipment.

10.8.4.4.2 Halon System Surveillance Requirements The halon system shall be demonstrated operable:

1. At least once per month by verifying the halon storage tank pressure and that the control panel is in the automatic mode.

2. At least once per 6 months by verifying the quantity of halon in the storage tank(s).

3. a. At least once per operating cycle by verifying that the system and associated devices actuate upon receipt of a simulated actuation signal, and

b. Performance of an inspection to assure the nozzles are unobstructed.

10.8-13 Rev. 30 - Nov. 2015

PNPS-FSAR 10.8.4.5 Fire Hose Stations 10.8.4.5.1 Fire Hose Stations Technical Requirements The interior fire hose stations shown in Table 10.8-2 shall be operable at all times when the equipment in the area protected by the fire hose station is required to be operable.

ACTION:

a. With a hose station inoperable, provide an additional equivalent capacity hose for the unprotected area at/from an operable hose station within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, except as specified in 10.8.4.5.1. Action b.

b. If a fire hose station is not operable because no fire water supply system flow path is operable, complete actions specified in section 10.8.4.2.1.

10.8.4.5.2 Fire Hose Stations Surveillance Requirements Each interior fire hose station shall be verified to be operable:

1. At least once per month by visual inspection of the station to assure that the hose and nozzle are properly installed. (Exception - Once per cycle for those in Locked High Radiation Areas).

2. At least once per cycle by removing the hose for inspection, replacing any degraded coupling gaskets, and reracking.

3. At least once per two fuel cycles (approximately 4 years) by partially opening each hose station valve to verify valve operability and no obstruction. (Partial flow test).

4. By conducting a hydrostatic test of each hose every three years.

a. at a pressure 50 psig greater than the maximum available pressure at that hose station, or

b. at the applicable service test pressure as listed in Table 8-3 of the "Standard for Care, Maintenance of Fire Hose Including Connection and Nozzles." NFPA No. 1962-1979, or

c. by replacing each nontested hose with a new or used hose which has been hydrostatically tested in accordance with the pressures specified in a or b above.

10.8-14 Rev. 30 - Nov. 2015

PNPS-FSAR 10.8.4.6 Fire Barrier System 10.8.4.6.1 Fire Barrier System Technical Requirements All fire barrier systems providing separation of redundant safe shutdown systems shall be functional at all times when the safe shutdown systems are required to be operable.

ACTION: With one or more of the required fire barrier systems nonfunctional:

a. Within one hour either establish a continuous fire watch on one side of the affected barrier or verify the OPERABILITY of an automatic fire detection or suppression system on at least one side of the nonfunctional fire barrier and establish an hourly fire watch patrol, except as identified in 10.8.4.6.1 actions b and c.

b: When the fire areas on both sides of the affected fire barrier are designated "HIGH RADIATION AREAS/AIRBORNE RADIOACTIVITY AREA", an hourly fire watch patrol may be established (e.g. for ALARA considerations) in lieu of a continuous fire watch.

c Certain fire barrier components may be degraded without adversely affecting the fire barrier function of preventing fire damage to redundant trains of safe shutdown equipment. Fire Protection may perform an evaluation to document that no fire watch is necessary or to allow hourly fire watches for circumstances where degraded barriers are still capable of performing their fire protection function.

10.8.4.6.2 Fire Barrier System Surveillance Requirements Surveillance requirements for penetrations in fire barriers are as follows:

1. Fire Barrier Penetration Seals: Approximately 20% of the fire barrier penetration seals shall be visually inspected once per cycle. The sampling shall ensure that 100% of the seals are inspected within a 10 year period or 5 fuel cycles. If any seal is found to be inoperable, then an additional 10% of the seals shall be inspected. Sampling and inspection shall continue until all of the seals in a sample are found to be operable or until 100% of the seals are inspected.

2. Fire Doors: Each fire door shall be tested once per cycle for operability of closure and latching mechanisms and for integrity.

10.8-15 Rev. 30 - Nov. 2015

PNPS-FSAR

3. Fire Dampers: Each fire damper shall be tested once per every 2 cycles for operability and integrity. In certain circumstances Fire Protection may determine that it is not necessary to test a damper and may recommend an inspection only. An evaluation will be prepared to document the basis for such determinations.

4. Fire barrier enclosures and fire wrap systems: Each fire barrier enclosure and fire wrap system will be visually inspected for integrity once each operating cycle.

10.8.4.7 Fire Brigade A fire brigade of 5 members including a fire brigade leader shall be maintained on site at all times. This minimum excludes 3 members of the minimum shift crew necessary for safe shutdown and any personnel required for other essential functions during a fire emergency.

The fire brigade training shall be in accordance with Pilgrim Station's Fire Protection Training Program. The fire protection training of fire brigade members shall be held quarterly.

10.8.4.8 Alternate Shutdown Panels The operability and surveillance requirements for the alternate shutdown system are in Section 3/4.12 of Pilgrim Station's Technical Specifications. The emergency lighting system for the alternate shutdown system is within the scope of the Maintenance Rule at PNPS.

Performance requirements are established and monitored accordingly.

10.8.5 References

1. Pilgrim Station 600, Unit 1, Boston Edison Company, Fire Protection System Evaluation, March 1, 1977.

2. Safety Evaluation Report by the Office of Nuclear Reactor Regulation (Amendment 35 to License No. DPR-35) for Pilgrim Nuclear Power Station-1, December 21, 1978.

3. Safety Evaluation Report (additional Fire Protection Information Review) for Pilgrim Nuclear Power Station-1, October 7, 1980.

4. Safety Evaluation Report by the Office of Nuclear Reactor Regulation Related to Amendment No. 123 to Facility Operating License No. DPR-35, dated October 13, 1988.

5. Report 89XM-1-ER-Q Updated Fire Hazards Analysis.

6. Power System Calculation No. 32, "Appendix R, Safe Shutdown Analysis for PNPS".

7. License Amendment 143 resulting from Generic Letters 86-10 and 88-12.

10.8-16 Rev. 30 - Nov. 2015

PNPS-FSAR 10.10 MAKEUP WATER TREATMENT SYSTEM 10.10.1 Power Generation Objective The power generation objective of the makeup water treatment system is to provide a supply of treated water suitable as makeup for the station and reactor coolant cycles and other demineralized water requirements.

10.10.2 Power Generation Design Basis The makeup water treatment system shall be designed to:

1. Provide makeup water of reactor coolant quality

2. Provide an adequate supply of treated water for all station operating requirements 10.10.3 Description 10.10.3.1 General The makeup water system (WTM) receives supply water from the Town of Plymouths municipal water system and discharges filtered and demineralized water to the 50,000 gal demineralized water storage tank, T-108 (see Figure 10.10-1).

The WTM system has a flow path consisting of a three-stage Reverse Osmosis (RO) module and an Electrodionization (EDI) module.

Additionally, two mixed bed resin polisher bottles are included as a backup system for the EDI module. Each RO is three vessels that each contain three semi-permeable membrane elements that separate the municipal water supply into two streams. The first is the permeate stream which has approximately 75% of the supply water flow and contains approximately 2% of the supply impurities. The second is the reject stream, which has approximately 25% of the supply and contains approximately 98% of the municipals impurities. The reject stream is sent to the storm drainage system. The reject stream is in compliance with the stations NPDES permit and EPA has approved its discharge by letter dated April 18, 1990 (BECo letter 5.94.040).

The permeate stream is processed further through the EDI module.

This stream will meet the quality levels established in the Chemistry program.

10.10-1 Rev. 30 - Nov. 2015

PNPS-FSAR The RO module is manually operated. It is continuously monitored for quality by a conductivity meter with temperature compensation, inlet/outlet flow meters, a TOC analyzer, and a silicon analyzer.

In addition to the demineralized water storage tank (T-108), two 275,000 gal condensate storage tanks (T-105A/B) are provided to store and supply the necessary volume of high purity water for initial testing and cleaning, and to provide the required volume for refueling and emergency requirements (HPCI, RCIC, condensate makeup and reject).

The WTM system has a capacity to produce approximately 25 gpm of demineralized water. The PNPS annual usage is approximately 700,000 gallons which is approximately 2000 gallons per day or approximately 1.5 gpm. The WTM can fill the demineralized water tank (T-108, 50,000 gallons) in approximately 33 hours3.819444e-4 days <br />0.00917 hours <br />5.456349e-5 weeks <br />1.25565e-5 months <br /> on a continuous process basis and it can fill one condensate storage tank (T-105 A or B, 250,000 gallons each) in approximately seven days.

10.10.3.2 Neutralizing Sump All regeneration drains and floor drains in the regeneration area are routed to the neutralizing sump for pH neutralizing and filtering prior to being pumped by one of two pumps rated at 100 gal/min to the storm drain system orr to the discharge canal at the location of storm drain outtfall 005 as an alternate discharge path.

10.10.3.3 Demineralized Water Service The demineralized water is taken from the demineralized water storage tank by one of two pumps and supplies the following services:

Condensate storage tank Reactor building closed cooling loops - head tank makeup Turbine building closed cooling loops - head tank makeup Standby liquid control system Heating system fill and makeup Stator winding makeup Condensate pump seal water supply (backup)

Reactor well and dryer - separator pool service Laboratories 10.10-2 Rev. 30 - Nov. 2015

PNPS-FSAR 10.10.4 Inspection and Testing The makeup water treatment System is an operational system in periodic use and as such does not require periodic testing to assure operability. The performance of the system is under surveillance at all times. High demineralizer effluent conductivity initiates an alarm and automatically isolates the system requiring operator action. Grab samples are periodically tested in the laboratory to verify demineralizer performance and to ascertain stored water quality.

10.10-3 Rev. 30 - Nov. 2015

PNPS-FSAR 10.11 INSTRUMENT AND SERVICE AIR SYSTEMS 10.11.1 Power Generation Objective The power generation objective of the Instrument and Service Air Systems is to provide the station with a continuous supply of oil-free compressed air. This air is directed to station instrumentation and general station services.

10.11.2 Power Generation Design Basis

1. The Instrument Air System is designed to supply clean, dry air to station instrumentation and controls at 70 to 100 psig with a design dewpoint of -40F at 100 psig.

2. The Service Air System is designed to provide clean air to station services at 70 to 100 psig. The Low Pressure Service Air System is designed to provide clean air at a nominal pressure of 20 psig to station services.

10.11.3 Description 10.11.3.1 General The air systems are, in general, designed to Class II requirements, although Class I equipment requiring air under accident conditions has Class I air accumulators and piping associated with that equipment. See Figure 10.11-1.

The high pressure air supply (nominal 100 psig with allowance for drops to 90 psig) is developed by three reciprocating (iin long term layyup) and two rotary screw type air compressors operating in parallel. Each compressor has an after cooler and delivers the compressed air to a bank of receivers. There are five air receivers which are connected to a common discharge header that delivers the air to the high pressure service air system and to two instrument air dryers to provide high quality dry air to the various instrument air headers. There is one coalescing air filter located upstream of each instrument air dryer. There is one particulate air filter downstream of the instrument air dryer X-105 and dryer X-160 A&B.

The downstream air filters are to ensure that no desiccant or other foreign material enters the instrument air system. There is also a bypass around the dryers and filters which can be opened by remote manual or automatic means for dryers X-105 and X-160A&B to assure a continued supply of instrument air to the essential instrument air header in the event of an air dryer failure. Normally, use of one of the two rotary compressors will maintain the air receivers at the desired pressure for system supply. The remaining compressors serve as standby units. Actuation of the standby units is automatic and is indicated in the control room.

The High Pressure Service Air System delivers air to various plant services which do not require drying, such as air powered tools.

10.11-1 Rev. 30 - Nov. 2015

PNPS-FSAR The low pressure air supply (nominal 20 psig) is developed by two centrifugal air blowers. The blowers discharge for distribution through a moisture separator and a mist eliminator. Blower usage is intermittent. No dewpoint control is provided. The Low Pressure Service Air System interfaces with several plant systems which contain radioactivity. As a result of aging of system isolation components, unintentional cross-contamination of the Low Pressure Service Air System has occurred. While it is impractical to decontaminate the system and maintain it free of detectable radioactivity, this system should be operated and maintained so as to keep the levels of radioactivity contained within at a minimum commensurate with the goals of the station ALARA program.

A normally closed pressure reducing cross-over line is provided between the high pressure distribution header upstream of the air dryers and the low pressure distribution header. This cross-over may be used to continue low pressure service in the event of blower failure.

Pressure loss in the high pressure system, sensed by several pressure switches, will cause valves in the service air header, the low pressure service air cross-around line, and the non-essential instrument air header to close in a cascading sequence thus leaving the essential instrument air header as the only header drawing air from the receivers in the event that supply pressure decreases.

Instrumentation is provided to monitor the dew point downstream of each air dryer. Flow meters are provided for each air dryer train.

A 3 back-up air supply system was added to the Instrument Air system, tying into the permanent plant hardpipe connection from the outside of the turbine building where it is connected to a diesel driven oil-free air compressor. This back-up source of instrument air is used for station black-out conditions and/or to provide additional air for times when the system is not available due to maintenance.

The backup nitrogen system consists of two banks of ten cylinders each, a cylinder rack and manifold (X-169), associated piping and valves. The cylinders are arranged to automatically maintain the nitrogen supply to drywell instrumentation once the existing nitrogen supply is not available. The cylinders deliver nitrogen gas through 2 inch piping which ties into the existing drywell instrument supply header. A differential pressure indication switch with annunciator is connected between the cylinder supply and the existing supply which provides control room indication of switchover to the cylinders.

10.11-2 Rev. 30 - Nov. 2015

PNPS-FSAR 10.11.3.2 Equipment Description Compressors The three reciprocating air compressors are vertical, single stage, double acting reciprocating compressors. They are each rated to deliver 159.5 standard ft3/min at 105 psig. The two rotary compressors are each rated to deliver 655 standard ft3/min at 102 psig.

The diesel air compressor is sized to accommodate station air loads in a black-out or maintenance condition.

Each reciprocating compressor has a pressurized lubrication system for the power-end parts. The cylinders are non-lubricated having Teflon piston rings. They also have water cooled cylinders and have a displacement of 261 in3. All intake valves have pneumatic operators which depress the valves allowing the cylinder to unload by venting to the atmosphere each time the motor starts and each time the receiver pressure reaches the top of its operating range.

Each of the three reciprocating compressors is belt-driven (4 belts) by a 40 hp drip proof induction motor. The compressor speed is 514 rpm.

The two rotary screw type compressors are direct driven by an electric motor which provides a shaft output of 156 hp at a compressor discharge pressure of 102 psig. The compressor speed is 3,550 rpm.

The accumulator charging compressor (K-203) and dryer (X-285) are powered by a 5 hp, 460 V/3 phase/60 Hz motor and supplies dry air, with a dew point of (-) 50°F, at 130 psig. This compressor serves as the alternate means of charging the Standby Gas Treatment and Torus Vacuum Breaker accumulators.

Aftercoolers The reciprocating compressor aftercoolers are shell and tube counter current coolers with air passing through the tubes and water flowing around the tubes. They have an integral moisture separator equipped with an automatic drain trap to remove condensed moisture from the cooled air. Cooling water is supplied by the Turbine Building Closed Cooling Water System.

The rotary screw compressors are provided with intercoolers and aftercoolers, integral with each unit. Cooling water is supplied by the Turbine Building Closed Cooling Water System.

10.11-3 Rev. 30 - Nov. 2015

PNPS-FSAR Air Receivers The air receivers are vertical vessels built to the ASME code for a design pressure of 125 psig. Each receiver is equipped with two relief valves and an automatic drain trap. The volume of each receiver is 151 ft3.

Air Dryers The two air dryers are each rated to pass 100% of normal station air demand at 100 psig dried to a dewpoint of -40 F. Each drier has twin towers built to the ASME code for a design pressure of 150 psig. The air is dried by passing it through a desiccant. Moisture is removed from the desiccant by a heated purge air flow.

Class I Accumulators Class I accumulators, associated piping, and check valves of appropriate size are provided for the following equipment:

1. Torus to Secondary Containment Vacuum Breaker Butterfly Valves The torus to secondary containment vacuum breaker butterfly valves are powered by Class I air accumulators. These accumulators are sized for a 30 day mission time without operator action and a design leakage rate of 0.1 SLM. A Class I manual make-up system allows the accumulators to be recharged from outside secondary containment and thus maintain the vacuum breakers valve function for an indefinite period of time. The vacuum breaker and make-up air supply are shown on Figure 10.11-1 (Drawing M220).

2. Main Steam Isolation Valves

3. Main Steam Relief Valves A Class I, seismic piping system allows two accumulators to be recharged from outside the Drywell, and thus maintain the RPV pressure control capability for an indefinite period of time.

4. Emergency Diesel Generator Ventilation System Dampers.

10.11.4 Inspection and Testing The Instrument and Service Air System operates continuously and is observed and maintained during normal operation. No special inspection and testing will be required following preoperational testing.

10.11-4 Rev. 30 - Nov. 2015

PNPS-FSAR Figure 10.11-1 has been removed.

Please refer to BECo Controlled Drawing M 220.

1 of 1 Rev. 30 - 2015

PNPS-FSAR 10.13 EQUIPMENT AND FLOOR DRAINAGE SYSTEMS 10.13.1 Power Generation Objective The power generation objective of the Equipment and Floor Drainage Systems is to collect and remove all waste liquid from their points of origin and to transfer them to suitable treatment and/or disposal areas in a controlled manner.

10.13.2 Power Generation Design Basis The Equipment and Floor Drainage System is designed to:

1. Remove equipment and floor drainage water produced during normal station operations.

2. Maintain separation of liquid wastes as follows:

a. Normal drainage wastes - (non-radioactive)

b. Clean radwastes - (all drain flows originating from closed drains having no process chemical content and low conductivity)

c. Chemical radwastes - (all drain flows originating from an open drain, having any process chemical content and high conductivity)

d. Miscellaneous drainage 10.13.3 Description 10.13.3.1 General Equipment and Floor Drainage Systems handle both normal and radioactive drainage. Normal non-radioactive wastes are drained by gravity into the Sewer or Storm Drain System.

Radwaste drains are collected in either one of four equipment sumps, one of four floor drain sumps or directed to waste collection tanks.

These collected wastes are then transferred to the Radwaste Building as required for filtration, demineralization sampling, and analysis prior to either dilution and safe disposal into the ocean or reuse in the station.

Two pumps are provided in each of the potentially radioactive sumps to transfer the collected drains from the sumps to the Radwaste System. Each pump is a full capacity unit and has an Automatic Pump Starting and Alarm System which, on rising water level, acts as follows:

At the first high water level setting (high) one pump is started (pumps are alternately selected for initial operation by an automatic pump alternator). If the water level continues to rise a further high water level switch (HI-HI) initiates the second pump. A further rise in the water to a prescribed level initiates an alarm (HI-HI-HI), indicating 10.13-1 Rev. 30 - Nov. 2015

PNPS-FSAR excessive leakage and/or pump failure to start. The equipment drain and floor drain pumps are tripped by either low sump level or by high level in the clean waste receiver tank or chemical waste receiver tank respectively.

Drywell equipment and floor drain pumps will trip on low level or after a predetermined running time interval (which ever comes first). Reactor Building quadrant floor drains are designed to prevent spread of liquid fire from one quadrant to the other.

Free venting from the enclosed sump pits is prevented by maintaining water level in the sumps to seal the pumps suction, and by venting the sump pit to the controlled ventilation system. The sump level is maintained by normal expected leakage and abnormally low level is alarmed. The drywell equipment and floor drain discharge lines are provided with two isolation valves, both outside of the drywell penetration. These valves close on a drywell isolation signal.

10.13.3.2 Radioactive Equipment Drainage System In general, potential radioactive equipment drains are collected throughout the station in the four following sumps. See Figure 9.2-2 (Drawings M232, M232A).

1. Drywell equipment drain sump

2. Reactor Building equipment drain sump - Draining the Reactor Building, the reactor auxiliary bay, and the reactor building corner rooms.

3. Turbine Building equipment drain sump - Draining the Turbine Building and certain portions of the Radwaste Building.

4. Radwaste Building equipment drain sump Besides normal drain flows, the Reactor Building sump receives the condensate storage tank overflow, and the condensate demineralizer regeneration system backwash drains while the Turbine Building sump receives the main turbine gland seal condenser drain tank overflow, feedwater pump seal leakage, condensate pump seal leakage, and the feedwater and condensate sample rack drains.

Due to the relatively large flows of clean water from the main gland seal condenser which normally does not require processing, the Turbine Building equipment drain sump pump flow can be routed to the condenser hotwell rather than to the clean waste receiver tanks, as in the case of the other equipment drain sump pumps. There is an installed capability to automatically re-route Turbine Building equipment drain sump pump flow to the condenser hotwell rather than to the clean waste receiver tanks. This capability is normally disabled by isolation of the air supply to the valving that swaps the discharge path from the clean waste receiver tanks to the condenser hotwell. If the automatic swap capability is in service, the sump pump is first 10.13-2 Rev. 30 - Nov. 2015

PNPS-FSAR started by sump level, and the discharge is routed to the receiver tanks. Then upon signal of low conductivity coincident with pump actuation, the valving automatically changes to redirect the flow to the condenser. High conductivity or pump tripping closes the line to the condenser and opens the line to the receiver tanks.

Equipment drain lines within the Reactor Building "corner" rooms are hard piped from source to sump, to maintain ECCS Train spatial isolation.

10.13.3.3 Radioactive Floor Drainage System In general, potentially radioactive floor drains are collected throughout the station in four specific sumps which are similar in coverage to the aforementioned equipment drain sumps. All floor drain sump pumps discharge to the chemical waste receiver tanks.

See Figure 9.2-2 (Drawings M232, M232A).

Floor drainage flows from the Reactor Building "corner" rooms and torus area are isolated by block valves enroute to the floor sumps, thus providing ECCS Train spatial isolation. The corner rooms have level alarms to indicate leakage in the floor drain inlet pit of each room.

10.13.3.4 Nonradioactive (Normal) Drainage System Roof drains and some floor drains in the Turbine Building service area are collected and discharged by gravity to the storm sewer.

10.13.3.5 Miscellaneous Drainage System General chemical and detergent type liquid wastes are collected in the neutralizing sump, or the miscellaneous tanks, sampled, neutralized, and discharged at a controlled rate to the storm sewer system or to the discharge canal at the location of storm drain outfall 005 as an alternate discharge path.

Oil drains and oil contaminated liquid drains are collected locally for offsite disposal.

10.13.3.6 Reactor Building Emergency Drains Drainage piping has been provided at the North sides of the floor at elevation 23'-0" and 51'-0" to remove any water discharge from the wet pipe sprinkler systems that accumulates to a depth greater than 3 inches on the floor. Any water collected by this piping is discharged to the Torus Compartment floor where it is held until it can be routed to the Radioactive Floor Drainage System.

10.13.4 Inspection and Testing The system is in continuous use and requires no testing.

10.13-3 Rev. 30 - Nov. 2015

PNPS-FSAR 10.21 Hydrogen Water Chemistry Extended Test System 10.21.1 Design objective The hydrogen water chemistry extended test system (ETS) is non-safety related. The ETS is designed to suppress the dissolved oxygen level in the reactor coolant system and mitigate intergranular stress corrosion cracking (IGSCC).

10.21.2 Design Basis

1. The ETS is designed to inject up to 15 SCFM hydrogen into the suction of the feedwater pumps for oxygen suppression in the reactor coolant system.

2. The ETS is designed to inject up to 10 SCFM oxygen into the offgas recombiner to recombine with the hydrogen carry-over produced with hydrogen injection into the feedwater.

3. The ETS is designed to inject oxygen into the suction of the condensate pumps for erosion corrosion protection.

4. The ETS is designed to provide redundant features to key components to improve reliability and has been designed to ANSI B31.1. However, it is not designed to Seismic Class I requirements.

10.21.3 Description 10.21.3.1 General Boiling water reactors use high purity water as the primary recirculation coolant in the direct cycle production of steam. This water contains a steady state value of 100 to 300 ppb of dissolved oxygen and stoichiometrically related dissolved hydrogen because of the simultaneous action of radiolysis and stripping within the core.

It is well known that this is sufficient oxygen in the coolant to cause, in conjunction with the presence of high stresses, intergranular stress corrosion cracking (IGSCC) of stainless steels.

Full scale testing at Pilgrim has shown that both the dissolved oxygen concentration in the recirculation water and the electrochemical potential (ECP) of sensitized type 304SS (304SS is the material of construction of the reactor pressure vessel lining) vary inversely with the rate of hydrogen addition to the feedwater.

As the dissolved oxygen concentration drops, so does the ECP; it is the ECP that determines the susceptibility of 304SS to IGSCC.

IGSCC of sensitized Type 304SS does not occur below -0.230V standard hydrogen electrode scale (SHE) (as measured by a standard hydrogen electrode). This critical value was identified and verified by a series of constant extension rate tests (CERTS) run in both laboratory and operating plant facilities while concurrently measuring the ECP.

10.21-1 Rev. 30 - Nov. 2015

PNPS-FSAR During RFO 16 (Spring 2007), the initial application of noble metals was performed. The deposition of noble metal compounds on the wetted surfaces of reactor internal systems has been determined to enhance the effect of hydrogen water chemistry in controlling IGSCC.

The intent is to deposit noble metal on the material surfaces of the reactor vessel internal components and recirculation system piping to significantly reduce the ECP in the presence of excess hydrogen concentration. (Reference 6). This has the effect of requiring a much lower hydrogen addition rate; the ETS design was modified to permit injection of up to 15 SCFM hydrogen. The exact level of hydrogen injection flow rate is determined as required to establish the required ECP.

The ETS also provides the capability to inject oxygen into the condensate system (suction of each condensate pump). This maintains condensate/feedwater dissolved oxygen levels in accordance with the BWR water chemistry guidelines for erosion-corrosion protection of the condensate/feedwater piping systems.

10.21.3.2 System Description A flow diagram of the ETS system is given in Figures 10.21-2, 10.21-3, and 10.21-4 (drawings M257, 258, and 260).

The hydrogen water chemistry (HWC) extended test system (ETS) injects hydrogen into the feedwater at the suctions of the feedwater pumps to mitigate IGSCC in the recirculation system. The injected hydrogen forces a reduction in dissolved oxygen within the recirculation piping and lowers the radiolytic production of hydrogen and oxygen exiting the vessel (main steam) and eventually in the main condenser.

The injected hydrogen basically passes through the coolant cycle unreacted. This leaves an excess of hydrogen in the main condenser that would not have an equivalent of oxygen to recombine in the Offgas System. To maintain the Offgas System near its normal operating characteristics, a flow rate of oxygen equal to one half the injected hydrogen flow rate is put in the Offgas System upstream of the recombiner. Oxygen is also being injected into the condensate pump suctions to prevent erosion corrosion in carbon steel piping due to low PPM oxygen.

Three sample subsystems are included in the ETS package to measure:

1) feedwater water chemistry, 2) main steam water chemistry, and 3)

% oxygen exiting the offgas recombiner. The ETS also uses signals from the CAVS and the MMS to measure Reactor water chemistry. All three subsystems contain built-in gas calibrators and sample stream conditioning controls.

A computer Data Acquisition System (DAS) is included to summarize the performance of the ETS for various report requirements. It is set up to accept analog input and digital alarm signals.

A block diagram indication the relationship of the ETS subsystems is shown in Figure 10.21-1.

10.21-2 Rev. 30 - Nov. 2015

PNPS-FSAR Redundant features are incorporated into the ETS to improve reliability. These are:

Hydrogen Flow Meters Oxygen Flow Meters Hydrogen Flow Controllers Oxygen Flow Controllers Oxygen Flow Control Valves Hydrogen Isolation Valves Offgas % Oxygen Meters Reactor Water Dissolved Oxygen Meters Reactor Water Conductivity Meters Main Steam Dissolved Oxygen Meters Feedwater Dissolved Oxygen Meters Recording Excess Flow Check Valves Automatic or control features in the ETS minimize the need for operator attention and improve performance. These are:

a) Automatic variation of hydrogen and oxygen flow rate with power level.

b) Automatic offgas oxygen injection rate change delay. This function is also augmented as a function of power level.

c) Automatic shutdown on several alarms (See Table 10.21-1).

d) Isolation on power loss, operator restart.

e) Reprogrammable alarms and controller electronics.

f) Hydrogen and oxygen flow monitor correction functions to compensate for nonlinearities.

The majority of ETS process valving is grouped into three subsystems (modules). One for the hydrogen injection subsystem, the second for the oxygen injection subsystem to the recombiner, and the third for the oxygen injection subsystem to the condensate system. The hydrogen and oxygen gas sources are from high pressure hydrogen gas storage tanks and the liquid oxygen storage tank.

HWC ETS Hydrogen Supply The gaseous hydrogen supply sub-system is located in the upper parking lot southwest of the Indoctrination and Support Facility.

The equipment consists of a permanent twelve tube bulk modular assembly, equipped with pressure indication, pressure relief, and temperature indication. The twelve tube assembly nominal gas capacity at 70F is:

10.21-3 Rev. 30 - Nov. 2015

PNPS-FSAR Pressure Standard Cubic Feet 2640 psi 99,247 The storage vessels and system piping, valves and controls are designed and constructed in accordance with all applicable codes and standards including EPRI NP-5283SR-A, (Reference 1).

Provisions have been made at the storage facility to accept up to three (3) additional transportable hydrogen tube trailers to supply the extended test system and the generator cooling system.

HWC ETS Oxygen Supply The liquid oxygen supply sub-system is located outside of the turbine building west wall near the southwest corner of the building.

The equipment consists of a 1500 gallon liquid oxygen tank (T-125) with pressure indication, level indication, and pressure, temperature control manifolds. Temperature control valves TCV-58 A&B are set at -20F to close automatically to prevent any liquid oxygen from entering the system.

The storage vessels and system piping, valves and controls are designed and constructed in accordance with all applicable codes and standards including EPRI NP-5283SR-A, (Reference 1).

ETS Safety Features The ETS process design incorporates several key safety features:

Non-flammable Offgas Oxygen is injected into the offgas system upstream of the recombiner in stoichiometric or greater proportion to the hydrogen present to produce a non-flammable offgas through catalytic recombination of all hydrogen.

A built-in delay in the ETS control system insures that the oxygen injection rate decrease lags the hydrogen decrease (excess oxygen is present); and there is no oxygen delay during a hydrogen increase, again insuring excess oxygen in the offgas. This delay period is automatically adjusted for power level.

Low Power Isolation There are two modes of operations for this system. The first mode of operation is to allow the ETS to automatically shutdown; as the reactor percent power decreases to a preset level (30%), the ETS automatically shuts down. Since the lower level is normally seen only during a reactor shutdown, this feature insures a low power isolation which would normally be accomplished by the reactor operating personnel. It also protects against loss of power level signal to the controllers.

10.21-4 Rev. 30 - Nov. 2015

PNPS-FSAR The second mode of operation is to control the shutdown manually by implementing a bypass switch. This mode will allow the ETS to inject hydrogen below 30% reactor power, but will require the system to be secured manually. The ETS is operational while the AOG is in-service.

Automatic Reset of Hydrogen and Oxygen Flow Rates to Zero During ETS Shutdown The hydrogen external and internal setpoints are disabled and are given a zero value immediately on system shutdown.

The oxygen flow will automatically follow the hydrogen flow rate with a delay and decay. A zero setpoint value is also input to the hydrogen rate limiter on shutdown so system restart with an external or internal setpoints proceeds from zero flow. Restart of the system can proceed only if the shutdown condition is cleared and the annunciator panel is reset. Systems restart should also be delayed fifteen minutes to allow for the ramp rate decay in the external or internal setpoint.

Valves The flow control and remote isolation valves fail closed upon loss of instrument air or control power, insuring that flow does not proceed in an uncontrolled fashion.

Alarms and Shutdowns The ETS incorporates numerous alarm and automatic shutdown functions. All alarm and shutdown signals have normally closed continuity, thus alarming or shutting the system down on an electrical wire break.

The ETS control hardware and control logic is designed to insure safe and accurate control of hydrogen and oxygen injection. Primary control of the system takes place at the HWC ETS control panel C613 on the turbine deck, but the system can be shutdown, though not adjusted or re-started, from the control room (Panel CP600).

All the parameters monitored are recorded regularly at a pre-set interval by the data acquisition system (DAS). The DAS also records all alarms and automatic and manual shutdowns. In addition to recording of various parameters at the control panel and DAS, the control room panel continuously displays the hydrogen and oxygen flow rates and the offgas percent oxygen., and the recirculation water dissolved oxygen content.

10.21.4 Codes, Standards, and Regulations The mechanical and electrical aspects of the ETS are designed and selected in accordance with the applicable sections of the codes, standards, and regulations referenced below:

10.21-5 Rev. 30 - Nov. 2015

PNPS-FSAR The ETS equipment and services are classified non-safety related.

ANSI B31.1 American National Standards Institute, Power piping ANSI A13.1 Identification of Piping Systems ANSI/ASTM G63 Evaluating Nonmetallic Materials for Oxygen Service NEPA 70 National Fire Protection Association National Electrical Code NFPA 50A Gaseous Hydrogen System CGA G-4 Compressed Gas Association, Oxygen CGA G-4.1 Cleaning Equipment of Oxygen Services CGA G-4.4 Industrial Practices for Gaseous Oxygen Transmission and Distribution Piping Systems CGA G-5 Hydrogen ASME Boiler and Pressure Vessel Code,Section IX, Welding and Brazing Qualifications Mass Building Code EPRI NP-5283-SR, Dated September 1987, Guidelines for Permanent BWR Hydrogen Water Chemistry Installations, 1987 Revision 10.21.5 System Evaluation The ETS consists of the equipment described above and is non-safety related. The ETS is designed not to affect the safe operation of existing safety related systems. The ETS is operational only when the Augmented Offgas is inservice.

Shielding has been added on the turbine deck for on-site and off-site personnel radiation protection. ALARA procedures and maintenance practices have been designed to limit exposure.

10.21.6 References

1. EPRI NP5283SR-A Guidelines of Permanent BWR Hydrogen Water Chemistry Installations, 1987 Revision.

2. GE-NE-B13-01805-03, Pilgrim HWC Ramping Test Final Report, December 1995.

3. NESD 95-241, Optimum HWC Injection Rate for In Core Components IGSCC Protection

4. PDC 02-122, Licensing Issues - Thermal Power Uprate

5. Safety Evaluation 2974, Increase the ETS H2 Injection Rate up to 50 SCFM

6. ER 05117404, Engineering Evaluation - Plant Configuration

& Operation After Noble Metals Application.

10.21-6 Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 12 STRUCTURES AND SHIELDING TABLE OF CONTENTS Section Title Page 12.1

SUMMARY

DESCRIPTION 12.1-1 12.2 STRUCTURAL DESIGN 12.2-1 12.2.1 Classification of Structures and Equipment 12.2-1 12.2.1.1 General 12.2-1 12.2.1.2 Class I Structures and Equipment 12.2-1 12.2.1.3 Class II Structures and Equipment 12.2-4 12.2.2 Description of Principal Structures 12.2-4 12.2.2.1 Reactor Building Structure and Crane 12.2-4 12.2.2.2 Turbine Building 12.2-6 12.2.2.3 Radwaste Building 12.2-7 12.2.2.4 Trash Compaction Building 12.2-7 12.2.2.5 Diesel Generator Building 12.2-7 12.2.2.6.1 Old Administration Building 12.2-7 12.2.2.6.2 New Administration/Service Building 12.2-8 12.2.2.7 Guardhouse 12.2-8 12.2.2.8 Intake Structure 12.2-8 12.2.2.9 Main Breakwater 12.2-8 12.2.2.10 Main Stack 12.2-8 12.2.2.11 Gas Bottle Storage Facility 12.2-9 12.2.2.12 Governing Codes and Regulations 12.2-9 12.2.3 Loading Considerations 12.2-10 12.2.3.1 General 12.2-10 12.2.3.2 Vertical Loads 12.2-10 12.2.3.3 Lateral Loads 12.2-10 12.2.3.4 Pressure and Thermal Loads 12.2-12 12.2.3.5 Seismic Loads 12.2-12 12.2.3.5.1 General 12-2-12 12.2.3.5.2 Seismic Recording Instrumentation 12.2-13 12.2.3.5.3 Structural Analysis 12.2-14 12.2.3.5.4 Piping Analysis 12.2-15 12.2.3.5.5 Recirculation Piping Replacement Seismic Analysis 12.2-17 12.2.3.5.6 Protective System Instrumentation 12.2-17 12.2.3.5.7 Damping Values 12.2-17 12-i Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 12 (Cont)

Section Title Page 12.2.3.6 Primary Containment Loading Considerations 12.2-18 12.2.3.7 Handling of Heavy Loads 12.2-18 12.2.4 Foundation Analysis 12.2-18 12.2.4.1 General 12.2-18 12.2.4.2 Field Exploration 12.2-19 12.2.4.3 Laboratory Tests 12.2-19 12.2.4.4 Foundation Design Criteria For Structures 12.2-20 12.2.4.4.1 General 12.2-20 12.2.4.4.2 Design Considerations 12.2-20 12.2.4.4.3 Major Structures 12.2-20 12.2.4.4.4 Auxiliary Structures 12.2-21 12.2.4.4.5 Foundation Settlement Measurements 12.2-21 12.2.5 Design Organization and Procedures 12.2-22 12.2.5.1 Design Organization 12.2-22 12.2.5.2 Design Responsibilities 12.2-22 12.2.5.3 Documentation and Control Procedures 12.2-23 12.2.5.4 Purchase of Safety Related Equipment 12.2-23 12.2.6 References 12.2-24 12.3 SHIELDING AND RADIATION PROTECTION 12.3-1 12.3.1 Design Basis 12.3-1 12.3.1.1 Radiation Exposure of Individuals 12.3-1 12.3.1.2 Radiation Exposure of Materials and Components 12.3-1 12.3.2 Radiation Zoning and Access Control 12.3-1 12.3.3 Radiation Shielding Description 12.3-4 12.3.3.1 Main Control Room 12.3-5 12.3.3.2 Reactor Building 12.3-5 12.3.3.3 Turbine Building 12.3-6 12.3.3.4 Radwaste Building and 12.3-6 Trash Compaction Facility (TCF) 12.3.3.5 Administration Buildings 12.3-6 12.3.3.6 Main Stack and Offgas Piping 12.3-7 12.3.3.7 General Station Yard Areas 12.3-7 12.3.4 Inspection and Performance Analysis 12.3-7 12-ii Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 12 (Cont)

Section Title Page 12.4 RADIOACTIVE MATERIALS SAFETY 12.4-1 12.4.1 Materials Safety Program 12.4-1 12.4.2 Facilities and Equipment 12.4-4 12.4.2.1 Method, Frequency, and Standards Used in Calibrating Instruments 12.4-5 12.4.2.2 Dosimeters and Bio-Assay Procedures Used 12.4-5 12.4.3 Personnel and Procedures 12.4-5 12.4.4 Required Materials 12.4-6 12.4.5 Offsite Material Safety Program 12.4-6 12-iii Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 12 LIST OF TABLES Table Title 12.2-1 Live Loads on Structures 12.2-2 Design Wind Loading 12.2-3 Damping Factors 12.2-4 Relationship Between Damping Factors and Design Stress Limits for 0.15g Earthquake 12.2-5 Jet Force Loading on Primary Containment 12.2-6 Settlement Measurements 12.4-1 (Deleted) 12-iv Rev. 30 - Nov. 2015

PNPS-FSAR SECTION 12 LIST OF FIGURES Figure Title 12.1-1 Equipment Location Turbine Building Plan Basement Elevation 6 ft & Below (M-11) 12.1-2 Equipment Location Turbine Building Plan Ground Floor Elevation 23 ft (M-12) 12.1-3 Equipment Location Turbine Building Plan Elevation 37 ft (M-13) 12.1-4 Equipment Location Turbine Building Plan Elevation 51 ft (M-14) 12.1-5 Equipment Location Reactor Building Plan Basement Elevation (-) 17 ft 6 in (M-15) 12.1-6 Equipment Location Reactor Building Plan Ground Floor Elevation 23 ft (M-16) 12.1-7 Equipment Location Reactor Building Plan Elevation 37 ft (M-17) 12.1-8 Equipment Location Reactor Building Plan Elevation 51 ft (M-18) 12.1-9 Equipment Location Reactor Building Plan Elevation 74 ft 3 in & Elevation 91 ft 3 in (M-19) 12.1-10 Equipment Location Reactor Building Plan Elevation 117 ft & Roof (M-20) 12.1-11 Equipment Location Sections: A-A and B-B (M-21) 12.1-12 Equipment Location Reactor Building Section C-C (M-22) 12.1-13 Equipment Location Section D-D (M-23) 12.1-14 Equipment Location Sections: E-E and F-F (M-24) 12.1-15 Equipment Location Section G-G (M-25) 12.1-16 Equipment Location Sections: H-H, J-J & K-K (M-26) 12.2-1 deleted 12.2-2 Equipment Location-Intake Structure (M-27) 12.2-3 Equipment Location-Main Stack and Filter Building (M-28) 12-v Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF FIGURES (Cont)

Figure Title 12.2-4 Unified Soil Classification System 12.2-5 Boring Location Plan 12.2-6 Log of Boring (Boring 3) 12.2-7 Log of Borings (Borings 111 & 112) 12.2-8 Log of Boring (Boring 113) 12.2-9 Log of Boring (Boring 116) 12.2-10 Log of Borings (Borings 117 & 118) 12.2-11 Key Plan 1:40:0 12.2-12 Organization Diagram - Seismic Design Changes 12.3-1 Reactor & Turbine Building Floor Plans at (-) 17 ft 6 in & 6 ft; Access Control & Radiation Zones Station in Operation (A-100) 12.3-2 Reactor & Turbine Building Floor Plan at Elevation 23 ft Access Control & Radiation Zones Station in Operation 12.3-3 Reactor & Turbine Building Floor Plan at Elevation 37 ft Access Control & Radiation Zones Station in Operation 12.3-4 Reactor & Turbine Building Floor Plans Elevation 51 ft & 64 ft; Access Control & Radiation Zones Station in Operation 12.3-5 Reactor Building Floor Plans Elevation 74 ft 3 in 91 ft 3 in & 117 ft; Access Control & Radiation Zones Station in Operation 12.3-6 Reactor & Turbine Building Floor Plans at Elevation

(-) 17 ft 6 in & 6 ft; Access Control & Radiation Zones 24 Hr After Station Shutdown 12.3-7 Reactor & Turbine Building Floor Plan at Elevation 23 ft; Access Control & Radiation Zones 24 Hr After Station Shutdown 12-vi Rev. 30 - Nov. 2015

PNPS-FSAR LIST OF FIGURES (Cont)

Figure Title 12.3-8 Reactor and Turbine Building Floor Plan at Elevation 37 ft; Access Control & Radiation Zones 24 Hr After Station Shutdown 12.3-9 Reactor and Turbine Building Floor Plan Elevation 51 ft 0 in & 64 ft; Access Control & Radiation Zones 24 Hr After Station Shutdown 12.3-10 Reactor Building Floor Plans Elevation 74 ft 3 in, 91 ft 3 in & 117 ft; Access Control & Radiation Zones 24 Hr Zones 24 Hr After Station Shutdown 12.3-11 Main Stack and Filter Building Access Control and Radiation Zones 12-vii Rev. 30 - Nov. 2015

PNPS-FSAR 12.2 STRUCTURAL DESIGN 12.2.1 Classification of Structures and Equipment 12.2.1.1 General The most severe environmental phenomena which could affect the site have been evaluated in Section 2. Based on these evaluations, the station structures and equipment have been classified with respect to systems which must remain functional during and following the most severe natural phenomena which can be postulated to occur at this site. For the purpose of categorizing the mechanical structural strength designs for loading conditions due to environmental events, the following definitions have been established:

1. Class I This class includes those structures, equipment, and components whose failure or malfunction might cause or increase the severity of an accident which would endanger the public health and safety. This category includes those structures, equipment, and components required for safe shutdown and isolation of the reactor

2. Class II This class includes those structures, equipment, and components which are important to reactor operation, but are not essential for preventing an accident which would endanger the public health and safety, and are not essential for the mitigation of the consequences of these accidents. Class II designated structures and/or equipment shall not degrade the integrity of any structures and/or equipment designated Class I The only exception to these definitions is that a system, whose failure or malfunction might increase the severity of an accident, is not designed to withstand the effects of a tornado if the failure of the system will not cause an accident. The probability of the occurrence of a design basis loss of coolant accident or a design basis tornado during the life of a plant is small. Therefore, the probability of the simultaneous occurrence of these two independent events is relatively small.

12.2.1.2 Class I Structures and Equipment Nuclear Steam Supply System (NSSS)

Reactor vessel and supports Control Rod and Drive System including equipment necessary for scram operation Control rod drive housing supports Fuel assemblies Core shroud 12.2-1 Rev. 30 - Nov. 2015

PNPS-FSAR Core supports Steam separator assembly Steam dryer assembly Reactor Coolant Recirculation System including valves and pumps All piping connectors from the reactor vessel up to and including the first isolation valve external to the drywell Main steam piping when located inside a Class I structure Isolation valves Reactor Core Isolation Cooling System High Pressure Coolant Injection System Standby Liquid Control System Residual Heat Removal System Core Spray Systems Primary Containment System Drywell Pressure suppression chamber Vent System Vacuum Relief System Pressure suppression pool Isolation valves Containment penetrations Secondary Containment System Reactor Building (with the exception of access locks which are Class II structures)

Reactor Auxiliary Bay Pipe Vaults Standby Gas Treatment System Main stack Reactor Building Isolation Control System NOTE:

12.2-2 Rev. 30 - Nov. 2015

PNPS-FSAR The Secondary Containment System is not designated to be functional during or after a tornado; however, the Reactor Building does protect all the Class I equipment located inside the building from the effects of a tornado.

Station Standby Cooling Systems Reactor Building Closed Cooling Water System (portion serving Class 1 equipment)

Salt Service Water System (portions serving Class I equipment)

Intake structure (housing the Salt Service Water System)

Equipment Area Cooling System (portions serving Class I equipment)

Standby Electrical Power Systems Standby AC Power System DC Power System (125/250 V)

DC Power System (24 V)

Emergency service buses and other electrical gear to power Class I equipment Station battery rooms Diesel Generator Building and Underground Fuel Storage Tanks Reactor Building Fuel Storage Facilities Spent fuel storage equipment Spent fuel pool New fuel storage equipment New fuel storage vault Main Control Room System Main control room Main Control Room Environmental Control System All instrumentation and controls required for operation of Class I equipment except the Reactor Manual Control System Parts of structures housing or supporting Class I equipment Reactor Building Auxiliary Bay Substructure 12.2.1.3 Class II Structures and Equipment 12.2-3 Rev. 30 - Nov. 2015

PNPS-FSAR Reactor Building auxiliary bay superstructure and Reactor Building access locks Reactor Building (truck) access lock Turbine Building Radwaste Building (Except areas housing or supporting Class I equipment)

Old Administration Building New Administration/Service Building Intake and discharge structures (Except areas housing or supporting Class I equipment)

Trash Compaction Building Turbine Generator System Main Condenser System Reactor and Turbine Building cranes Reactor Feedwater and Condensate Systems Main Steam System (outside Reactor Building)

Reactor Cleanup System Radwaste System Fire Protection System Condensate Storage and Transfer Systems Normal Heating and Ventilating System Station auxiliary power buses Electrical controls and instrumentation (for above systems) and the Reactor Manual Control System Other structures, piping, and equipment not listed under Class I

12.2.2 Description of Principal Structures 12.2.2.1 Reactor Building Structure and Crane The Reactor Building, with its associated auxiliary bays, houses the reactor, the Reactor Coolant System, and auxiliaries associated with the Nuclear Steam Supply System. It also houses the refueling facilities, spent fuel storage pool, steam 12.2-4 Rev. 30 - Nov. 2015

PNPS-FSAR separator and dryer storage pool, new fuel storage vault, control rod drive hydraulic equipment, and the Reactor Primary Containment System. The Reactor Building is basically a reinforced concrete structure with structural steel framing, consisting of the following major structural components:

1. The foundation consists of an 8 ft thick heavily reinforced concrete mat

2. Elevated floors consist of concrete slabs simply supported by conventional type structural steel framing

3. The interior walls are reinforced concrete or concrete block

4. The spent fuel storage pool, the reactor well, and the dryer separator storage pool consist of reinforced concrete deep girder walls and base slabs. The pool structures are supported by the drywell shield and the exterior walls. The pools are lined with stainless steel plates on their inside surface

5. The reactor support is a reinforced concrete pedestal. It also serves as a support for the "biological" shield and two steel service platforms. Access through the biological shield is provided in selected areas by means of removable blocks

6. The exterior walls above the refueling floor consist of columns of structural steel and precast concrete wall panels with structural steel bracing

7. The exterior walls below the refueling floor are reinforced concrete with precast panels on the exterior face

8. The roof is an insulated steel deck system supported by structural steel framing and bracing

9. Major structural appurtenances consist of the crane runway, elevator shaft, stairways, and hatches Loaad handling over the Refueling Floor and hoist-way down to grround grade is conducted utilizing the Reactor Building crane. The Reactor Building crane is a Class II component upgraded to meet the guidance of NUREG-0554 (reference 8) for single-failure-proof cranes and the guidance of NUREG-0612 Appendix C (reference 1) for the modification of existing cranes. The upgraded crane includes a new trolley with a single-failure-proof 100 tone main hoist, designed and qualified in accordance with the appropriate requirements of ASME NOG-1-2004 (reference 9). The trolley also includes a 10 ton non single-failure-proof auxiliary hoist which conforms to the requirements of Crane Manufacturers Association of America Specification #70 (reference 10). The Reactor Building crane has been evaluated for earthquake loading to meet NUREG-0554 seismic design requirements, and the Reactor Building structure 12.2-5 Rev. 30 - Nov. 2015

PNPS-FSAR has been evaluated to ensure its integrity for the associated crane reactions.

Notes

1) Use of the Reactor Building Crane Main Hoist as part of a single-failure proof handling system for casks containing irradiated fuel, requires that crane operations be limited to the bridge runway area west of column line 9, and that the ambient air temperature in the vicinity of the bridge girders be 65°F.

2) The Reactor Building Crane will not become a missile in the event of an earthquake. Anti-derailment devices installed on the wheel trucks of original crane bridge remain in place but are not required by the upgraded design.

In the area of the reactor well and the storage pools, if the reactor cavity is drained, and the dryer separator pool is filled no higher than el 106.5 ft, the shield block wall has sufficient strength to withstand the hydrostatic head of water, assuming all shield blocks are in place.

Using a mylar sheet over the pool and filling the pool up to the first fixed shield block will reduce airborne contamination. In addition, an area around the pool will be declared an exclusion area and roped off for protection against shine.

12.2.2.2 Turbine Building The Turbine Building, with its auxiliary bays, houses the turbine generator and associated auxiliaries, the Condensate and Feedwater Systems, switchgear, some radwaste tankage, the Turbine Building crane, and other auxiliary equipment. The Turbine Building is a rigid steel structure with precast concrete siding consisting of the following major structural components:

1. The foundation is a reinforced concrete mat stiffened by the basement walls

2. Elevated floors are concrete slabs simply supported on structural steel framing

3. The interior walls are reinforced concrete or concrete block

4. The turbine pedestal is a heavily reinforced concrete structure resting on the concrete foundation

5. The exterior walls consist of structural steel columns and bracing with precast concrete wall panels

6. The roof is an insulated steel deck system supported by structural steel framing and bracing 12.2.2.3 Radwaste Building 12.2-6 Rev. 30 - Nov. 2015

PNPS-FSAR The Radwaste Building houses the radioactive waste treatment equipment, the control room, the cable spreading and computer room, the warehouse, and miscellaneous offices and shops. The Radwaste Building is a reinforced concrete structure with structural steel framing consisting of the following major structural components:

1. The foundation is a reinforced concrete mat

2. Elevated floors are concrete slabs simply supported on structural steel framing

3. The interior walls are reinforced concrete or concrete block

4. Exterior walls are reinforced concrete below grade, and in Class I areas above grade. Other exterior walls above grade consist of structural steel columns and bracing with precast concrete wall panels

5. The roof consists of an insulated steel deck system supported by structural steel framing. In areas requiring missile protection, the metal decking is covered with a reinforced concrete slab 12.2.2.4 Trash Compaction Building The Trash Compaction Facility processes dry compactable contaminated and non-contaminated waste at Pilgrim Station.

The structure is founded on a continuous footing and consists of poured concrete exterior and interior walls and floors. The exterior is surfaced with architectural concrete stock.

12.2.2.5 Diesel Generator Building The Diesel Generator Building houses two emergency diesel generators and their accessories. The Diesel Generator Building is a reinforced concrete structure with steel framing consisting of the following major structural components:

1. The foundation is reinforced concrete wall footings which are separated from the diesel generator foundation blocks

2. The walls are reinforced concrete with precast reinforced concrete panels on the exterior face

3. The roof is a reinforced concrete slab supported by structural steel framing 12.2.2.6.1 Old Administration Building The Administration Building provides an office facility for the administrative and clerical personnel. The structure is founded on a continuous footing and consists of a structural steel frame with metal and glass curtain walls, precast concrete panels, and masonry panels. The interior walls are steel stud and plaster. The floors are reinforced concrete on steel framing.

12.2-7 Rev. 30 - Nov. 2015

PNPS-FSAR 12.2.2.6.2 New Administration/Service Building The New Administration/Service Building provides an office facility for the administrative and clerical personnel as well as a warehouse, laboratories, and shops. The structure is founded on a continuous footing and consists of a structural steel frame with metal and glass curtain walls. The interior walls are steel stud and plaster. The floors are reinforced concrete on steel framing. The connecting corridor to the process building is located at elevation 23'-0 of the Radwaste Building.

12.2.2.7 Guardhouse The Main Guardhouse is a facility which houses security equipment and security personnel. It serves as the main entrance and exit to the plant. The structure is founded on spread and continuous footings and consists of a structural steel frame with metal and glass curtain walls and precast concrete panels. Interior walls are masonry block.

The floors are reinforced concrete. The roof is structural steel roof deck with built-up roofing.

12.2.2.8 Intake Structure The intake structure houses the Salt Service Water System pumps, the Circulating Water System pumps, Fire Protection System pumps, the Chlorination System equipment, stop logs, trash racks, and the traveling screens with their wash pumps.

The intake structure consists of a reinforced concrete substructure, and a superstructure of steel framing enclosed with precast panels. Enclosed within the superstructure are the Service Water System pump compartments which are constructed of reinforced concrete and concrete block walls.

The four circulating water bays have steel struts on the walls to allow dewatering of the bays. See Figure 12.2-2.

12.2.2.9 Main Breakwater The main breakwater is of rubble mound construction with the outer layer protected by heavy capstone. The breakwater protects the intake structure against wave attack and damage.

In particular, the breakwater is designed to protect the intake structure against wave damage during the design basis storm (see FSAR Section 2.4.4.3.).

12.2.2.10 Main Stack The main stack is a pipe with a top elevation of 400 ft msl.

The main stack is supported by the Filter Building. The Filter Building is a reinforced concrete structure which houses the dilution fans, offgas filters, and heaters. See Figure 12.2-3.

The main stack is located 700 ft NW of the Reactor Building as shown on Figure 1.6-1.

12.2-8 Rev. 30 - Nov. 2015

PNPS-FSAR 12.2.2.11 Gas Bottle Storage Facility This facility provides a safe and permanent high pressure gas cylinder storage area facilitating control, inventory management and dispensation of gas cylinders. This facility is constructed of concrete block walls, a poured concrete floor and a metal roof. It is open at one side to provide venting in case of a leak. It contains concrete stalls which separate and individually store various gas cylinders used at the Station.

12.2.2.12 Governing Codes and Regulations The design of all structures and facilities conforms to the applicable code or specification listed below, except where specifically stated otherwise:

1. Uniform Building Code (UBC) 1967

2. American Institute of Steel Construction (AISC)

Specification for the Design, Fabrication, and Erection of Structural Steel for Buildings, Sixth Edition (for original design), latest edition for modifications

3. American Concrete Institute (ACI) Building Code Requirements for Reinforced Concrete (ACI 318-63)

4. American Welding Society (AWS) Standard Code for Arc and Gas Welding in Building Construction (AWS D.1.0-66)

5. API Specification No. 620 for Welded Steel Storage Tanks

6. ASME Boiler and Pressure Vessel Code,Section III, Class B, governs the design and fabrication of the drywell and suppression chambers

7. AEC Publication TID 7024, Nuclear Reactors and Earthquakes, governs the seismic design of all Class I structures

8. American Water Works Association (AWWA) AWWA M 11 Steel Pipe Manual and Standard D100

9. Regulations of the Commonwealth of Massachusetts as follows:

a. Standard Specifications for Highways, Bridges, and Waterways (1967) for construction

b. Regulations of the Department of Health and Sanitary Water Board with respect to water

c. Department of Labor and Industry Regulations

d. Massachusetts State Police Department Bureau of Fire Protection Regulations for storage of combustible materials 12.2-9 Rev. 30 - Nov. 2015

PNPS-FSAR

10. Standard Specifications for Highway Bridges by the American Association of State Highway Officials (AASHO) for design

11. U.S. Army Corps of Engineers regulations with respect to dredging and construction of offshore structures for the Bay of Cape Cod

12. American Society of Civil Engineers Paper No. 3269, for wind design requirements

13. American Iron and Steel Institute Specifications for the Design of Light Gage Cold-formed Steel Structural Members, 1962 The design of new structures subsequent to plant construction conforms to the latest revision of the code or standard as applicable.

12.2.3 Loading Considerations 12.2.3.1 General All structures and equipment are designed for dead, live, seismic, and wind loads in accordance with applicable codes and as described in the following paragraphs. The loading conditions are determined by the function of the structure and its importance in meeting the station safety and power generation objectives. The load combinations and limits are given in Appendix C, Structural Loading Criteria.

12.2.3.2 Vertical Loads Dead Loads The dead loads include the weight of the framing, roof, floors, walls, platforms, and all permanent equipment and materials.

Live Loads The live loads include all vertical loads except the dead loads. The live loads that have been used in the design of structures are given on Table 12.2-1.

12.2.3.3 Lateral Loads Wind Loads The design wind loads are derived from ASCE Paper 3269. The wind loads given on Table 12.2-2 apply to the site area and are used in the station design. A one-third increase in allowable stress is permitted for the wind loading conditions.

12.2-10 Rev. 30 - Nov. 2015

PNPS-FSAR Tornado Loads All Class I structures are designed to withstand the effects of tornadoes and to protect Class I equipment. The Class I structures are designed in accordance with Appendix H, Tornado Criteria for Nuclear Power Plants. The basic design criteria for tornado effects are as follows:

1. The velocity components are applied as a 300 mph horizontal wind over the full height of the structure

2. The pressure differential is applied as 3 psi internal (bursting) pressure occurring in 3 sec

3. The missiles are applied as a 4,000 lb automobile flying through the air at 50 mph but not more than 25 ft above ground, as a 4 in x 12 in x 12 ft plank (108 lb) traveling end-on at 300 mph over the full height of the structure, or as a 3 in dia Schedule 40 pipe 10 ft long traveling end-on at 100 mph over the full height of the structure All three loading conditions are applied simultaneously.

In the case of adjacent Class I and II structures, such as the Reactor Building and portions of the Turbine Building, an expansion joint is provided to allow for possible unequal deflections associated with different structural systems.

The only Class II structure attached to a Class I structure and not designed to withstand tornado loading is the building exhaust vent stack. This structure consists of light steel framing attached to the Reactor Building and is covered with metal wall siding. The design of siding is such that it may be partially blown away by the tornado without affecting the adjacent Reactor Building. The steel framing will remain in place.

The offgas stack is a Class I structure not designed to withstand tornado loadings, as stated in Section 12.2.1.1. The stack is located sufficiently far from other Class I structures to preclude any interaction, assuming the stack were to fall as a result of tornado loads.

The Secondary Containment System is not designated to be functional during or after a tornado; however, the Reactor Building does protect all the Class I equipment located inside the building from the effects of a tornado.

Crane Runway Loads The lateral and longitudinal forces on crane runways are in accordance with the AISC Code.

12.2.3.4 Pressure and Thermal Loads The pressure and thermal design conditions for the Primary Containment System are given on Table 5.2-1. The Reactor Building is designed for an internal pressure loading of 36.5 12.2-11 Rev. 30 - Nov. 2015

PNPS-FSAR lb/ft2 (7 in H20). The spent fuel storage pool has a design temperature of 212F.

12.2.3.5 Seismic Loads 12.2.3.5.1 General The design of Class I structures and equipment is for horizontal ground acceleration of 0.08g for the Operating Basis Earthquake (OBE) and 0.15g for the Safe Shutdown Earthquake (SSE).

The vertical acceleration is equal to two-thirds of the horizontal ground acceleration. Both the vertical and either of the responses of two horizontal seismic motions are considered to be applied simultaneously. The larger combination controls the design. The combined stresses resulting from operational loadings and from a SSE are such that a safe shutdown can be achieved. The applicable load combinations and stress limits including all operational and seismic loads for Class I equipment are given in Appendix C, Structural Loading Criteria. The derivation of the OBE and the SSE is given in Section 2.

Equipment seismic loadings were determined from amplified floor response spectra for the appropriate locations. These spectra were generated from acceleration time-histories at each floor, derived from the normalized Taft earthquake response spectrum, applied to the base of each building model. All erratic peaks were averaged to give smoothed curves for various values of critical damping as required for the seismic analysis.

Class II structures and equipment are designed in accordance with the provisions of the Uniform Building Code, Seismic Zone

2. Class I to Class II interfaces are designed so that there will be no functional failure in the Class I structure. In order to accomplish this design objective, Class I structures have the capacity of withstanding the forces resulting from possible failures of Class II structures which are either attached or adjacent to the Class I structures. In the case of Class I and Class II structures rigidly interconnected, the Class I structure is designed to support the latter.

The Class I portion is checked to assure it can carry any loads that may be transmitted from the connected Class II structures.

For example, the salt service water pump room reinforced concrete structure in the intake structure will act as a support for the rest of the building superstructure. Wherever a Class II structure supports a Class I portion located above it, the supporting structure is analyzed and designed to the Class I requirements. Where relative movement between buildings may endanger the integrity of Class I piping or other connecting elements, or the Class I structures themselves, a dynamic analysis of the interconnected or adjacent buildings and/or equipment systems is performed.

12.2-12 Rev. 30 - Nov. 2015

PNPS-FSAR Relative deflections are computed for each structure both parallel and perpendicular to the interface.

The criteria for the relative movements under the SSE loadings require that the combined movement does not exceed the clearance provided. The relative movements under these loadings are accommodated by sliding expansion joints at adjoining structures and by built-in flexibility for piping systems. The dynamic analysis has shown that the cumulative maximum displacement of adjoining concrete structures will be about one-half of the clearance provided.

12.2.3.5.2 Seismic Recording Instrumentation The seismic recording instrumentation used at Pilgrim Nuclear Power Station is an analog centralized recording magnetic tape acceleration system consisting of a multichannel strong motion accelerograph, remote triaxial accelerometers, peak acceleration recorders, control panel and a magnetic tape playback system.

The system automatically senses, transmits and records seismic responses from three elevation locations, storing the records for quick replay and analysis in response to exceeding a "trigger" acceleration of (.01 g) at plant elevation -17'6".

The system automatically resets in preparation for the next seismic event.

The local accelerometers are mounted in the Reactor Building at elevations -17'6", 23'0" and 91'0". Each elevation's local accelerometer will sense and transmit displacements in each of three axes (horizontal, vertical, and lateral). The Main Control Room instrumentation on panel C-911 records the date on cassette tape which may be played back in the form of a chart record by the playback unit. The time history is recorded, as received, from a standard time receiver also located in panel C-911. The seismic monitoring instrumentation does not perform any safety related function.

If an earthquake should occur and the g levels, as recorded by the described instrumentation, are at or below the accelerations corresponding to the OBE (0.08 g ground acceleration), the station will continue in operation. The station design considered these loadings, taking no credit for code allowable increases in stress values. If the recorded accelerations approach the values corresponding to the SSE (0.15 g ground acceleration), an inspection will be undertaken of selected high stress welds in the primary pressure boundary to verify continued system integrity.

12.2.3.5.3 Structural Analysis A dynamic analysis is performed for Class I structures. The dynamic analysis is performed in four steps; develop a mathematical model, perform the analysis, obtain the structural response, and make spectrum plots.

12.2-13 Rev. 30 - Nov. 2015

PNPS-FSAR A mathematical model is developed to represent the structure in order to determine its response to the earthquake. Essentially the weight of the building and major internal elements are concentrated at each of the building floor levels. Provisions are made in the model to account for rocking by means of springs representing the soil stiffness. The stiffness matrix, natural frequencies, and mode shapes are obtained by computer analysis. The technique used in the program to determine natural frequencies and mode shapes is that of tri-diagonalization by successive rotations. The damping values used are given on Table 12.2-3.

For purposes of computer analysis, the time history of the Taft Earthquake of July 21, 1952 is used with the amplitude scaled to 0.08g and 0.15g ground acceleration for the OBE and the SSE, respectively. The earthquake data is placed into digital information with g levels expressed every 0.01 sec over a time interval of 30 sec. The final design is checked to assure that the results are compatible with smoothed response spectra as given on Figures 2.5-5 and 2.5-6.

The Taft time history record generates plots below the ground response spectrum, for frequencies below 1 cps. However, when generating floor response spectra curves from the Taft record for use in equipment seismic design, each curve is compared to the ground response spectrum and corrected so that no points fall below the ground spectrum curve.

The results of the modal analysis are used to represent the structure as a modal system. The technique of modal synthesis is employed to reduce the structural equations to j (number of modes) independent equations.

The modes are further employed to reduce the earthquake forces into j modal forces. The resulting system of equations are then solved independently to obtain the modal coordinates. The solution employs a Runge-Kutta numerical integration scheme.

The integration step used is 0.01 sec. Again using the mode shapes, the modal coordinates are operated upon to obtain the physical coordinates of the model; then solved for displacement, velocity, and acceleration. These values are separated point by point for each of the floors as a record of the response time history.

For each of the floors a spectrum plot is made. The technique for the plots makes use of determining the response of a single mass system. The natural frequency of this system is varied from 0.1 cps to 30 cps. The maximum response, as acceleration, is then plotted for each frequency.

Class I systems and equipment at the supplier's option may be analyzed dynamically to establish the natural frequency of the equipment and accessories complete with supports. If the natural frequency is less than 20 Hz, then the corresponding particular value of the floor response spectrum is used. For all natural frequencies greater than 20 Hz, an appropriate 12.2-14 Rev. 30 - Nov. 2015

PNPS-FSAR value of the respective zero period (ZPA) floor acceleration is used.

The equipment supplier is also given the choice, in lieu of performing a dynamic analysis for equipment design, to use the peak value of the applicable floor response spectrum curve.

For the Class I mechanical and electrical equipment, dynamic tests may be carried out, or evidence may be submitted of satisfactory performance through environments of equal or higher dynamic intensity. For such environmental data the levels sustained are required to be greater than the applicable floor response spectrum curve. See paragraph C.3.3.2, Appendix C.

For dynamic test, various approaches may be used. For example, the Class I equipment may be taken at the applicable critical damping curve peak level from 5 Hz to 20 Hz. Alternately, the equipment may be shaken to determine its natural frequency, and the appropriate g level then applied to determine its functional adequacy.

A structure or structural system that cannot be satisfactorily included in the lumped mass structural model analysis are analyzed separately, such as masonry blockwalls and the cable tray and conduit support systems. The analytical technique for the seismic loads induced is similar to that for Class I structures, but is based on response spectrum developed at the structure's support point. The damping values used for the evaluation are based on Table 12.2-3. They are derived from the test results and inherent in the structural system.

12.2.3.5.4 Piping Analysis For critical piping systems, a dynamic analysis is performed, as described in paragraph C.3.3.1, Appendix C.

Class I piping and associated miscellaneous Class I equipment, instruments, and controls that cannot be satisfactorily included in the lumped mass model representing a structure, are analyzed individually. The analysis is similar to that for Class I structures, but is based on response spectrum developed for points of pipe or equipment supports. These spectra are computed from time history analysis of the structure model, subjected to the north-south horizontal component of the earthquake, normalized to the maximum acceleration associated with the OBE and SSE. Stops, guides, and snubbers are added where necessary to avoid critical natural periods, and to make the system as rigid as practical. Displacements of the piping are checked to assure that there will be no interference with any other equipment or piping.

Essentially the same method of analysis for seismic inertia loads is used on Class I piping, whether located outside or inside the containment structure. To determine the effect of relative differential end displacements on Class I piping systems, the following method is used: The seismic 12.2-15 Rev. 30 - Nov. 2015

PNPS-FSAR displacements at the ends and at restraints are known from the seismic analysis of the structures. The displacements applied to the piping restraints and anchors correspond to the maximum differential displacements which could occur. The analysis is made twice; once for north-south differential displacements and once for east-west differential displacements. For each response quantity considered (i.e., moments or displacements at a point, and restraint force or moment), the largest value of the two analyses is chosen. The displacements, restraint forces, and moments due to differential displacement are combined with the corresponding quantity from the inertia load analysis of the piping. The basis of combination is SRSS, since the maximums of the two quantities would not occur at the same time. For recirculation, RWCU and RHR replacement piping the basis of combination is absolute sum. The stresses due to relative support displacements in piping are combined with stresses caused by other secondary effects, and the resulting secondary stresses are compared with the applicable, allowable stresses in USAS B31.1.0. For recirculation, RHR and RWCU replacement piping, stresses due to secondary effects were combined in accordance with ASME B&PV Code Section III Subsection NB 1980 Edition through Winter 1981 Addenda.

Allowable stresses were referenced from ASME B&PV Code Section III Division I, Appendix I 1980 Edition through Winter 1980 Addenda.

The results of the differential displacement analysis are usually insignificant compared to those of the inertia force analysis. This is because the differential displacements are usually very small, and most piping systems (especially hot ones) have enough flexibility so that these small displacements have little effect.

Since the movement of buried piping is essentially the same as that of the surrounding soil, piping strains due to seismic ground motion are equated to soil strains, which are calculated from the assumed seismic ground motions. Piping stresses, obtained from the strains, are within the allowable stresses defined in USAS B31.1.0.

Where Class I buried piping enters a structure, the magnitude of the relative movements is expected to be insignificant, because the backfill supporting the piping has been compacted to a relative density of 85 percent. Any differential settlement will be small and readily accommodated by the welded steel pipe.

12.2.3.5.5 Recirculation RHR and RWCU Piping Replacement Seismic Analysis The recirculation piping replacement seismic analysis uses the multi-support excitation response spectrum methodology in which the individual response spectra are applied to each support degree-of-freedom. The individual input spectra are peak broadened +15% to account for the potential variation in the primary structure eigenvalues due to modeling, analysis and material property uncertainties.

12.2-16 Rev. 30 - Nov. 2015

PNPS-FSAR Piping structural damping is provided in Table 12.2-3 and is 2.0% and 3.0%, respectively, for the OBE and SSE analyses.

The colinear contributions due to the 3 spatial components of seismic excitation are combined by the square root of the sum of the squares (SRSS) method.

Peak modal responses are combined by the Double Sum method which accounts for the effects of closely spaced modes. The Double Sum method is identical to the SRSS method if there are no closely spaced modes. Both combination methods; i.e., for 3D spatial effects and for modal confirmation, are consistent with Regulatory Guide 1.92, Revision 1, February 1976.

Recirculation RHR and RWCU piping differential anchor displacements are evaluated and the primary (inertia) and secondary (anchor displacement) stresses combined as described in Paragraph 12.2.3.5.4.

The piping multi-support input spectra are generated from the acceleration time history responses at the primary structure/piping attachment points obtained from the primary structure time history seismic analysis.

12.2.3.5.6 Protective System Instrumentation Each type of protective system instrument and its supporting panel or cabinet is analyzed, tested, or investigated to confirm that it will withstand the interaction effects of the floor acceleration from the SSE without loss of function. The interaction effects on a protective system instrument are determined by the dynamic response of its supporting control panel or cabinet, static analysis or test.

12.2.3.5.7 Damping Values The damping factors used in the seismic analysis are based upon deformations or stresses of various materials, and are shown on Table 12.2-3. These damping values are the lower limits of commonly accepted ranges for the stress levels associated with the respective earthquakes based on recommendations by Newmark and Hall in NUREG/CR-0098.

12.2.3.6 Primary Containment Loading Considerations The primary containment system is designed to withstand all forces associated with a postulated loss of coolant accident (LOCA). In addition to the pressure and thermal loading conditions shown on Table 5.2-1, the primary containment is designed to withstand the jet forces associated with a LOCA, and a post accident flooded condition. The jet forces given on Table 12.2-5 are assumed to result from the impingement of steam and/or water at 300F. For the flooded condition, the primary containment is assumed to be filled with water up to the normal refueling level.

12.2-17 Rev. 30 - Nov. 2015

PNPS-FSAR 12.2.3.7 Handling of Heavy Loads The Pilgrim Station heavy load handling program provides a defense-in-depth approach to reduce the probability of accidents, or the consequences of such accidents, from handling heavy loads (loads in excess of 1500 lbs). The program establishes administrative controls to address safe load paths, safe load handling procedures, crane and hoist operator training, standards for lifting devices and cranes, and special requirements when handling heavy loads in areas where fuel or safe shutdown equipment could be damaged. The program provides reasonable assurance that heavy load lifts will be performed safely and meet applicable guidance contained in NUREG 0612, Control of Heavy Loads at Nuclear Power Plants, July 1980 (reference 1).

Program details are described in references 2, 3, 4, and 5. NRC evaluation of the program is documented in references 6 and 7.

The approach to NUREG 0612 compliance for Dry Fuel Storage heavy loads differs from the above description. The Pilgrim Heavy Load Handling Program details described in references 1,2,3,4, and 5, and evaluated by the NRC in references 6 and 7, are based on the use of non-single-failure-proof hoisting equipment, hence requiring evaluations to demonstrate acceptable load drop consequences. An upgraded Reactor Building crane with a single-failure-proof main hoist is being used with Dry Fuel Storage components and ancillaries designed to the augmented safety factors ANSI N14.6 for critical loads. This approach does not require postulating and analyzing load drop accidents for Dry Fuel Storage operations involving the handling of heavy loads. Dry Fuel Storage is described in FSAR Section 10.3.8.

12.2.4 Foundation Analysis 12.2.4.1 General The foundation investigation and analysis for the construction of the station was performed in three parts:

1. Field explorations

2. Laboratory Tests and analyses

3. Establishment of foundation design criteria The field explorations and laboratory tests led to the conclusions that the subsurface conditions in the station area are somewhat variable especially in the upper 35 to 40 ft. The borings encountered erratic and discontinuous layers of silty fine sand, fine sand, clayey silts, and clayey sands. The soils within about 35 ft of the ground surface range in density from loose to compact and are compressible.

Beneath the upper variable strata, dense and relatively incompressible poorly graded to well graded sands with varying amounts of gravel and cobbles are found. Bedrock is generally encountered at a depth of about 80 ft in the station area. See Figure 12.2-4.

The foundation design criteria were established on the basis of these conclusions.

12.2-18 Rev. 30 - Nov. 2015

PNPS-FSAR 12.2.4.2 Field Exploration In addition to the overall site geologic and seismic explorations, detailed foundation investigations, including borings and field permeability tests, were carried out for use in establishing the foundation criteria for the station structures. Prior to construction, a series of test borings was drilled in the general station area. Altogether a total of 58 borings were drilled to determine the subsurface condition. The locations of some of the test borings and test wells are shown on Figure 12.2-5. In addition to borings for the station, a number of borings was scattered over the site. Borings were made to various depths from 16 to 130 ft. Bedrock was generally encountered at a depth of about 80 ft in the station area as determined by a seismic refraction survey. Disturbed and undisturbed soil samples, suitable for laboratory testing, were extracted from the test borings, examined, and subjected to the laboratory tests listed in Section 12.2.4.3. Figures 12.2-6 through 12.2-10 are some of the boring logs for borings taken in the station area.

A series of pumping and percolation tests were performed to obtain estimates of the permeability of the onsite materials at predetermined depths. The data obtained from these tests were used in the foundation analysis to establish de-watering requirements during the excavation for the foundations.

12.2.4.3 Laboratory Tests Representative undisturbed soil samples extracted from the test borings were subjected to a comprehensive laboratory testing program to evaluate the physical and chemical characteristics of the soil encountered at the site. The laboratory tests included:

Direct shear tests Unconfined compression tests Confined compression tests Triaxial compression tests Moisture and density determinations Particle size analysis Shockscope 12.2.4.4 Foundation Design Criteria for Structures 12.2.4.4.1 General This section describes the foundation conditions for the major and auxiliary station structures.

12.2.4.4.2 Design Considerations The major station facilities include the reactor building, turbine building, and radwaste building. The auxiliary structures include the diesel generator building, main stack, administration building, and intake structure. A description of foundations provided for the structures is given in the 12.2-19 Rev. 30 - Nov. 2015

PNPS-FSAR following sections. Figure 12.2-5 shows the locations of structures in relation to the test borings drilled.

An analysis of the liquefaction potential of cohesionless soil fill materials indicated that a granular material compacted to an average relative density of 80 percent at station grade, and 75 percent under the surcharge of the turbine building, would have a factor of safety of at least 1.5 against initial liquefaction, with earthquake motions producing a maximum ground surface acceleration of 0.15g. All Class I structures and the turbine building are founded on undisturbed soil, or on select granular fill compacted to a minimum of 85 percent relative density. The relative density tests were performed in accordance with ASTM Standard D-2049, March 1968, Tentative Method of Testing for Relative Density of Cohesionless Soils.

12.2.4.4.3 Major Structures Reactor Building The lowest floor of the reactor building is founded at el -25.5 ft msl on dense to very dense silty sand and sand and gravel.

At the center of the reactor, bedrock is about el -60 ft msl.

Groundwater in-leakage is designed to be prevented or minimized by a waterproof membrane. The estimated total settlement that this structure will experience is 2 to 4 in of uniform elastic compression at the design loads. The differential settlements are expected to be less than 1 in. Since this structure consists primarily of dead load, most of the elastic deformation will occur during construction. Post construction settlement is expected to be on the order of 1/2 in. A survey traverse of points on the building has been established to monitor settlement. The settlement at approximately 30 percent of the load was negligible.

Turbine Generator Building The subsurface soil below the founding elevation of the turbine building was found to consist of erratic layers of clayey sand, silty sand, and sand and gravel. This soil was excavated to el

-27 ft msl, 13 ft below the founding elevation, to remove these undesirable pockets of less dense compressible soils. The excavated area was then backfilled with suitable granular material and compacted to a minimum relative density of 85 percent.

The Turbine Building is protected below grade by a waterproof membrane designed to prevent or minimize ground water in-leakage.

Radwaste Building The radwaste building rests partially on undisturbed dense relatively incompressible sand, gravel, and cobbles, and partially on structural backfill compacted to 85 percent 12.2-20 Rev. 30 - Nov. 2015

PNPS-FSAR relative density. This structure has a waterproof membrane designed to prevent or minimize ground water in-leakage.

12.2.4.4.4 Auxiliary Structures Diesel Generator Building The diesel generator building has a reinforced concrete foundation mat founded on a structural backfill, compacted to 85 percent relative density.

Main Stack The main stack and filter building structure rests on undisturbed dense relatively incompressible sand, gravel, and cobbles.

Administration Building This structure is founded on structural fill compacted to 75 percent relative density.

Intake Structure This structure rests on undisturbed very dense incompressible silty sand and gravel.

Guardhouse This structure is founded on spread and continuous footings and consists of a structural steel frame with metal and glass curtain walls and precast concrete panels. Interior walls are masonry block. The floors are reinforced concrete. The roof is structural steel roof deck with built-up roofing.

12.2.4.4.5 Foundation Settlement Measurements Table 12.2-7 6 summarizes the results of foundation settlement measurements taken at various stages of dead load application during construction at points shown on Figure 12.2-11.

Total differential settlements are predicted to be 1 in or less. Measured values of settlement are acceptably low.

12.2.5 Design Organization and Procedures 12.2.5.1 Design Organization The GE-APED organizations having responsibility for the seismic design of safety related systems and structures in the NSSS were Power Plant Projects, Requisition Engineering, Component Engineering, Seismic Design Engineering, and Plant and Equipment Engineering. The seismic design responsibility was assigned to the functional group, Component Engineering or Plant and Equipment Engineering, responsible for the equipment 12.2-21 Rev. 30 - Nov. 2015

PNPS-FSAR and/or structure design. These functional groups are responsible to the Manager, Design Engineering.

The Bechtel Corporation Pilgrim Nuclear Power Station Project design organization consisting of the Mechanical Group, Layout Group, Civil Group, and the Electrical Group, in parallel with the Bechtel Corporation Power and Industrial Division's Structural Dynamics Group, and the Piping Stress Group, had the responsibility for the seismic design of all balance of plant structures, systems, and components related to safety.

Dames and Moore performed the site seismology studies. These studies were reviewed and checked by Bechtel's Soils and Geology Department. Chicago Bridge and Iron performed the primary containment stress analyses.

12.2.5.2 Design Responsibilities Design organizations of GE-APED have been responsible for proper application of seismic design loads and conditions to the design of equipment components and piping in the NSSS scope. Analytical assistance was available within Design Engineering from analytical components specialized in seismic design. An Engineering Practices and Procedures Manual defined explicitly in writing, all Design Engineering responsibilities, including seismic. The Manager, Design Engineering, had overall responsibility for the adequacy of the seismic design of the General Electric product. Overall coordination of this work was assigned to the Seismic Design Component.

The dynamic analysis of station structures was performed by the Bechtel Structural Dynamics Group after the location of major component masses was determined by the involved Bechtel Project groups. The Civil group had responsibility for station structural design. See Appendix C. The Mechanical and Electrical Groups had responsibility for obtaining vendor seismic design analyses or test results of safety-related equipment and instrumentation; the Layout Group provides input on station piping layout to the Piping Stress Group which performs piping stress calculations for Class I piping systems.

The Structural Dynamics Group performed the dynamic structural analyses. The resulting floor response spectrum curves were promulgated in writing to the Bechtel project groups and to the GE- APED Pilgrim Project Organization through the Civil Group which coordinates, and has overall responsibility for, the balance of plant station seismic design.

12.2.5.3 Documentation and Control Procedure The mechanism for the interchange of needed design information and changes thereto and the coordination of the various facets of the seismic design among the involved design organizations components, and/or groups is shown on Figure 12.2-12.

The system shown on Figure 12.2-12 is a pattern of interrelationships and checks from which an iterative process 12.2-22 Rev. 30 - Nov. 2015

PNPS-FSAR evolves which ensures proper station seismic design for structures, systems, and components related to safety.

Within GE-APED Design Engineering, the design engineer was ultimately responsible for implementation of the seismic design requirements. Within the Bechtel Pilgrim Project organization, the engineer responsible for the safety-related equipment, supported by the engineers qualified in seismic analysis within the Structural Dynamics Group, were responsible for the implementation of the seismic design requirements.

For GE-APED components, the adequacy of seismic design was the responsibility of the individual design engineer. Within the Bechtel Corporation, the seismic certification of safety-related equipment was the responsibility of the design group procuring the equipment. Within each group, one or more engineers coordinated the transfer of vendor seismic certification (analyses, tests, or documentation of suitable performance in comparable vibrational environments) to the Civil Group for engineering review and approval by the Structural Dynamics Group.

12.2.5.4 Purchase of Safety-Related Equipment Class I Systems and equipment at the supplier's option may be analyzed dynamically to establish the natural frequency of the equipment and accessories complete with supports. If the natural frequency is less than 33 Hz, then the corresponding particular value of the floor amplified response spectrum is used. For all natural frequencies greater than 33 Hz, the zero period acceleration value of the respective amplified floor spectrum is used.

The equipment supplier is also given the choice, in lieu of performing a dynamic analysis for equipment design, to use the peak value of the corresponding floor amplified response spectrum curves for the seismic analysis.

For the Class I mechanical and electrical equipment, dynamic tests may be carried out, or evidence may be submitted of satisfactory performance through environments of equal or higher dynamic intensity. For such environmental data, the g levels sustained are required to be greater than the 2 and 3 percent critical damping curves for OBE and SSE respectively.

See paragraph C.3.3.2, Appendix C for further requirement.

For dynamic test, various approaches may be used. For example, the Class I equipment may be taken at the associated critical damping curve push level. Alternately, the equipment may be shaken to determine its natural frequency and the appropriate g level then applied to determine its functional adequacy.

The above three procedures are consistent with the seismic qualification requirements of IEEE 344-1975.

Seismic qualification documentation of electrical and/or mechanical equipment purchased prior to 1983, for initial use 12.2-23 Rev. 30 - Nov. 2015

PNPS-FSAR or for replacement-in-kind service, may comply to the requirements of IEEE 344-1987 in lieu of IEEE 344-1975.

12.2.6 References

1. NUREG-0612, Control of Heavy Loads at Nuclear Power Plants, July 1980 (Enclosure 1 to NRC Letter dated December 22, 1980; Ltr. 1.81.014).

2. PNPS Letter 2.81.141, A. Morisi to D.G. Eisenhut (NRC),

Subject:

NUREG-0612, Control of Heavy Loads, dated June 25, 1981.

3. PNPS Letter 2.81.242, A. Morisi to D.G. Eisenhut (NRC),

Subject:

NUREG-0612, Control of Heavy Loads, dated October 8, 1981.

4. PNPS Letter 2.83.181, W.D. Harrington to D.G. Eisenhut (NRC),

Subject:

NUREG-0612, Control of Heavy Loads, dated July 13, 1983.

5. PNPS Letter 2.85.017, W.D. Harrington to D.B. Vassallo (NRC),

Subject:

Additional Information on NUREG-0612, Factors of Safety for Reactor Building Lifting Devices, dated January 25, 1985.

6. NRC Letter dated March 6, 1985 (Ltr 1.85.069), D.B.

Vassello (NRC) to W.D. Harrington,

Subject:

Control of Heavy Loads (Phase 1).

7. NRC Generic Letter 85-11 (Ltr. 1.85.202), Completion of Phase II on Control of Heavy Loads at Nuclear Power Plants, NUREG-0612, dated June 28, 1985.

8. NUREG-0554, Single Failure Proof Cranes for Nuclear Power Plants, May 1979.

9. ASME NOG-1, Rules for Construction of Overhead and Gantry Cranes (Top Running Bridge, Multiple Girder), 2004 Edition.

8.10. Crane Manufacturers Association of America (CMAA)

Specification #70, Specifications for Top Running Bridge and Gantry Type Multiple Girder Electric Overhead Traveling Cranes, 2010 Edition.

12.2-24 Rev. 30 - Nov. 2015