ML16193A622
ML16193A622 | |
Person / Time | |
---|---|
Site: | Saint Lucie |
Issue date: | 07/11/2016 |
From: | Florida Power & Light Co |
To: | Office of Nuclear Reactor Regulation |
Shared Package | |
ML16193A354 | List: |
References | |
Text
{{#Wiki_filter:
-NOTICE- THE ATTACHED FILES ARE OFFICIAL RECORDS OF THE INFORMATION & REPORTS MANAGEMENT BRANCH. THEY HAVE BEEN CHARGED TO YOU FOR A LIMITED TIME PERIOD AND MUST BE RETURNED TO THE RECORDS & ARCHIVES SERVICES SECTION P1-22 WHITE FLINT. PLEASE DO NOT SEND DOCUMENTS CHARGED OUT THROUGH THE MAIL. REMOVAL OF ANY PAGE(S) FROM DOCUMENT FOR REPRODUCTION MUST BE REFERRED TO FILE PERSONNEL.
TWO DIGIT TABLE OF CONTENTS
Section Title
1.0 INTRODUCTION AND GENERAL DESCRIPTION OF PLANT
1.1 INTRODUCTION
1.2 GENERAL PLANT DESCRIPTION
1.3 COMPARISONS
1.4 IDENTIFICATION OF AGENTS AND CONTRACTORS
1.5 REQUIREMENTS FOR FURTHER TECHNICAL INFORMATION
1.6 MATERIAL INCORPORATED BY REFERENCE
1.7 DRAWINGS
1.8 NRC REGULATORY GUIDES
1.9 OTHER CONCERNS AND COMMITMENTS
1.9A TMI RELATED REQUIREMENTS
2.0 SITE CHARACTERISTICS
2.1 GEOGRAPHY AND DEMOGRAPHY
2.1A FIVE YEAR POPULATION ESTIMATES
2.2 NEARBY INDUSTRIAL, TRANSPORTATION AND MILITARY FACILITIES
2.3 METEOROLOGY
2.4 HYDROLOGY
2.4A EROSION ESTIMATES
2.5 GEOLOGY, SEISMOLOGY AND GEOTECHNICAL ENGINEERING
2.5A BORING LOGS & DATA SUMMARIES
2.5B FLORIDA EARTHQUAKE OF OCTOBER 27, 1973
3.0 DESIGN CRITERIA-STRUCTURES, COMPONENTS, EQUIPMENT AND SYSTEMS
3.1 CONFORMANCE WITH NRC GENERAL DESIGN CRITERIA
3.2 CLASSIFICATION OF STRUCTURES, SYSTEMS AND COMPONENTS
3.3 WIND AND TORNADO LOADINGS
3.4 WATER LEVEL (FLOOD) DESIGN
3.5 MISSILE PROTECTION
3.6 PROTECTION AGAINST DYNAMIC EFFECTS ASSOCIATED WITH THE RUPTURE OF PIPING
3.6A HIGH ENERGY PIPE RUPTURE ANALYSIS - INSIDE CONTAINMENT
3.6B HIGH ENERGY PIPE RUPTURE ANALYSIS - OUTSIDE CONTAINMENT
3.6C PIPE WHIP RESTRAINTS AND BREAK LOCATIONS
3.6D STRUCTURAL DETAILS OF PIPE WHIP RESTRAINTS
3.6E MAIN STEAM AND FEEDWATER ANALYSIS
3.6F MODERATE ENERGY PIPING FAILURE ANALYSIS
3.7 SEISMIC DESIGN
3.8 DESIGN OF CATEGORY I STRUCTURES
3.8A EVALUATION OF CONCRETE MASONRY WALLS
3.9 MECHANICAL SYSTEMS AND COMPONENTS
3.9A OPERABILITY CONSIDERATIONS FOR SEISMIC CATEGORY I ACTIVE PUMPS AND VALVES
3.9B CONCRETE EXPANSION ANCHOR DESIGN
3.10 SEISMIC QUALIFICATION OF SEISMIC CATEGORY I INSTRUMENTATION AND ELECTRICAL EQUIPMENT
3.10A CRITERIA FOR SEISMIC QUALIFICATION OF SEISMIC CATEGORY I INSTRUMENTATION AND ELECTRICAL EQUIPMENT AND THEIR SUPPORTS
3.11 ENVIRONMENTAL QUALIFICATION
4.0 REACTOR
4.1 SUMMARY DESCRIPTION
FSAR User Comment Form
Page ____ of ____
FSAR errors or improvement suggestions should be identified below by FSAR Users and forwarded to the appropriate Nuclear Engineering Project Licensing Supervisor.
Originator ____ Dept ____ Location ____ Phone ____
PTN ____ PSL 1 ____ PSL 2 ____
FSAR Areas Affected: Sections ____ Figures ____
Comments: Attached ____ Below ____
Engineering Review (To be completed by Project Licensing)
Accepted ____ Insufficient Information ____ No Change Required ____
Disposition: ____
Assigned User Comment # ____ Reviewing Engineer ____
Form 38, Rev 6/94
LIST OF EFFECTIVE PAGES, CHAPTER 7 INSTRUMENTATION AND CONTROLS (UNIT 2, Amendment No. 23 (04/16))
INSTRUMENTATION AND CONTROLS
CHAPTER 7 TABLE OF CONTENTS
Section Title
7.0 INSTRUMENTATION AND CONTROLS
7.1 INTRODUCTION
7.1.1 IDENTIFICATION OF SAFETY RELATED SYSTEMS
7.1.2 IDENTIFICATION OF SAFETY CRITERIA
7.1A RPS MATRIX POWER SUPPLY ISOLATION QUALIFICATION
7.2 REACTOR PROTECTIVE SYSTEM
7.2.1 DESCRIPTION
7.2.2 ANALYSIS
7.3 ENGINEERED SAFETY FEATURES SYSTEM
7.3.1 DESCRIPTION
7.3.2 ANALYSIS
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.4.1 DESCRIPTION
7.4.2 ANALYSIS
7.5 SAFETY RELATED DISPLAY INSTRUMENTATION (INCLUDES NON-SAFETY RELATED DISPLAY INSTRUMENTATION)
7.5.1 DESCRIPTION
7.5.2 ANALYSIS
7.5.3 TMI RELATED ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION
7.5.4 INSTRUMENTATION FOR DETECTION OF INADEQUATE CORE COOLING
7.5.5 POST ACCIDENT EXCORE NEUTRON FLUX MONITORING SYSTEM
7.5A SAFETY ASSESSMENT SYSTEM/EMERGENCY RESPONSE DATA ACQUISITION AND DISPLAY SYSTEM
7.5A.1 DESCRIPTION
7.5A.2 HUMAN FACTORS CONSIDERATIONS
7.5A.3 VERIFICATION AND VALIDATION
7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY
7.6.1 DESCRIPTION
7.6.2 ANALYSIS
7.6.3 ADDITIONAL SYSTEMS REQUIRED FOR SAFETY
7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
7.7.1 DESCRIPTION
7.7.2 ANALYSIS
7.7.3 SYSTEM EVALUATION-HUMAN FACTORS ENGINEERING
7.7.4 LEADING EDGE FLOW METER (LEFM)
INSTRUMENTATION AND CONTROLS
CHAPTER 7 LIST OF TABLES
Table Title
7.2-1 REACTOR PROTECTIVE SYSTEM DESIGN INPUTS
7.2-2 REACTOR PROTECTIVE SYSTEM BYPASSES
7.2-3 REACTOR PROTECTIVE SYSTEM SENSORS
7.2-4 REACTOR PROTECTIVE SYSTEM MONITORED INSTRUMENT RANGES
7.2-5 REACTOR PROTECTIVE SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS
7.3-1 ESFAS SENSOR PARAMETERS AND SETPOINTS
7.3-2 COMPONENTS ACTUATED ON SIAS
7.3-3 COMPONENTS ACTUATED ON RAS
7.3-4 COMPONENTS ACTUATED ON CSAS
7.3-5 COMPONENTS ACTUATED ON CIAS
7.3-6 COMPONENTS ACTUATED ON MSIS
7.3-7 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS
7.3-8 ESF SIGNAL INTERCONNECTIONS FOR AB SHARED SYSTEM EQUIPMENT CONTROL-FAILURE MODE ANALYSIS
7.3-9 MSIV ISOLATION CIRCUIT FAILURE MODE ANALYSIS
7.3-10 ESF BYPASSES OR INOPERABLE INDICATION SYSTEM
7.3-11 COMPONENTS ACTUATED BY AFAS
7.3-12 AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS
7.4-1 INSTRUMENTS FOR MONITORING SAFE SHUTDOWN
7.4-2 INSTRUMENTATION AND CONTROL - HOT SHUTDOWN PANEL OUTSIDE THE CONTROL ROOM
7.4-3 EMERGENCY REACTOR HOT SHUTDOWN/HOT STANDBY FROM OUTSIDE OF THE CONTROL ROOM CONTROL & TRANSFER SWITCH LIST
7.4-4 EMERGENCY REACTOR COOLDOWN & SHUTDOWN FROM OUTSIDE OF THE CONTROL ROOM
7.4-5 EMERGENCY REACTOR SHUTDOWN FROM OUTSIDE OF THE CONTROL ROOM - INSTRUMENTATION
7.4-6 HOT SHUTDOWN PANEL SWITCH POSITIONS
7.5-1 SAFETY-RELATED DISPLAY INSTRUMENTATION
7.5-2 DELETED
7.5-3 SAFETY RELATED ANNUNCIATOR WINDOWS
7.5-4 ESF SYSTEM VALVE INDICATORS
7.6-1 SHUTDOWN COOLING SYSTEM AND SAFETY INJECTION TANK INTERLOCKS
7.6-2 ACOUSTIC VALVE FLOW MONITOR COMPONENTS
INSTRUMENTATION AND CONTROLS
CHAPTER 7 LIST OF FIGURES
Figures Title
7.2-1 Control Wiring Diagram Pressurizer Pressure Measurement Loop
7.2-2 Neutron Flux Monitoring System Safety Channel
7.2-3 Low Steam Generator Pressure Reactor Trip Bypass Functional Diagram
7.2-4 Core Protection Trips Block Diagram
7.2-5 Thermal Margin Trip
7.2-6 LH Power Calculation
7.2-7 Reactor Protective System Block Diagram
7.2-8 RPS Functional Diagram
7.2-9 Basic RPS Testing System
7.2-10 Simplified RPS Cabinet Layout (Rear View)
7.2-11 Typical RPS Bay Layout
7.2-12 Bistable Block Diagram
7.2-13 Variable High-Power Trip Operation (Typical)
7.2-14 Low Flow Protective System Functional Diagram
7.2-15a Steam Generator 'A' Protective Channel Block Diagram
7.2-15b Steam Generator 'B' Protective Channel Block Diagram
7.2-16 Local Power Density Trip
7.2-17 Schematic Trip Test System
7.2-18 RPS Schematic SH 4 of 4
7.2-19a RPS Misc. Schematics Sheet 1 of 4
7.2-19b RPS Misc. Schematics Sheet 3 of 4
7.2-20 RPS Misc. Schematics Sheet 2 of 4
7.2-21 Reactor Protective System Interface Logic Diagram
7.3-1 Block Diagram - Engineered Safeguards Logic System
7.3-2 Control Wiring Diagram Pressurizer Pressure P-1102A Measurement Loop
7.3-3 Deleted
7.3-4 Deleted
7.3-5 Deleted
7.3-6 Deleted
7.3-6a ATWS/DSS Logic Channel
7.3-7 Deleted
7.3-8 Deleted
7.3-9 Deleted
7.3-10 Block Diagram Power Distribution For Engineered Safeguards Logic System
7.3-11 ESFAS Interconnection for AB Shared System Equipment
7.3-12 Auxiliary Feedwater Actuation System Simplified Functional Diagram
7.3-13 Auxiliary Feedwater Actuation System Testing System Diagram
7.3-14 AFW Actuation System Signal Logic Diagram
7.5-1a ICC Detection Instrumentation
7.5-1b Qualified Safety Parameter Display System
7.5-2 HJTC Sensor - HJTC/Splash Shield
7.5-3 Heated Junction Thermocouple Probe Assembly
7.5-4 Deleted
7.5-5 HJTC Probe Installation
7.5-6 HJTC Sensor Locations
7.5-7a In-Core Instrument Assembly
7.5-7b ICI Detector Assemblies/Core Exit Thermocouples Core Locations
7.5-8 Interaction of the DG and the Inoperable Status Board
7.5A-1 Deleted
7.5A-2 Deleted
7.5A-3 Data Link System Configuration
7.6-1 Shutdown Cooling Suction Valves Power and Control
7.6-2 ATWS Block Diagram
7.7-1 Reactor Regulating System Block Diagram
7.7-2 CEDMCS-RPS Interface Block Diagram
7.7-3 Deleted
7.7-4 Deleted
7.7-5 Feedwater Control System Block Diagram
7.7-6 Analog Display System Simplified Block Diagram
7.7-7 Deleted
7.7-8a Boron Dilution Alarm System Functional Diagram
7.7-8b Boron Dilution Alarm System Neutron Flux and Setpoint
7.0 INSTRUMENTATION AND CONTROLS
7.1 INTRODUCTION
The instrumentation and control systems which monitor and perform safety related functions are discussed in this chapter. Complete descriptions and analyses of these systems are provided in Sections 7.2 through 7.6.
I & E Bulletin 79-24 titled "Frozen Lines" required review of plant design to ensure adequate protection of safety-related process, instrument, and sampling lines from freezing during extremely cold weather. Insulation was added to selected instrument lines as a result of this bulletin.
7.1.1 IDENTIFICATION OF SAFETY RELATED SYSTEMS
The safety related instrumentation and controls are associated with the Reactor Protective System, engineered safety features systems, systems required for safe shutdown, safety related display instrumentation and all other systems required for safety. The responsibility for design and supply of each system is identified as follows:
Combustion Engineering, Inc (CE)
Ebasco Services Inc (E)
7.1.1.1 Reactor Protective System (RPS) (CE)
The RPS generates signals that actuate reactor trip. A description of the RPS, detailing the functions of the system, is found in Section 7.2.
7.1.1.2 Engineered Safety Features Actuation System (ESFAS) (E), (CE)
The ESFAS generates signals that actuate engineered safety feature (ESF) systems. The actuation signals and the actuated systems are discussed in Section 7.3. The ESFAS consists of devices and circuitry to actuate the following signals:
a) Safety Injection Actuation Signal (SIAS)
b) Recirculation Actuation Signal (RAS)
c) Containment Spray Actuation Signal (CSAS)
d) Containment Isolation Actuation Signal (CIAS)
e) Main Steam Isolation Signal (MSIS)
f) Auxiliary Feedwater Actuation Signal-1 (AFAS-1)
g) Auxiliary Feedwater Actuation Signal-2 (AFAS-2)
The ESF systems which are actuated by the ESFAS are the following:
a) Safety Injection System (CE)
b) Recirculation system (E)
c) Containment Spray System (E)
d) Containment Isolation (E)
e) Main Steam and Feedwater Isolation (E)
f) Containment Cooling System (E)
g) Shield Building Ventilation System (E)
h) ESF Support Systems (E); see Subsection 7.1.1.3 for a list of support systems
i) Auxiliary Feedwater System (E)
7.1.1.3 Systems Required for Safe Shutdown
The systems required for safe shutdown include those systems which are required to secure and maintain the reactor in a hot shutdown condition and bring it to cold shutdown. The following are the systems normally used for safe shutdown:
a) Auxiliary Feedwater System (E)
b) Atmospheric Steam Dump Valves (Steam Dump and Bypass System) (E)
c) Shutdown Cooling System (CE)
d) Chemical and Volume Control System (CVCS) [Boron addition and charging portion only] (CE)
The following support systems are also required to be operable or to function:
a) Component Cooling Water System (E)
b) Intake Cooling Water System (E)
c) Onsite Power System, including diesel generator system (E)
d) Heating, Ventilating and Air Conditioning (HVAC) Systems as required for areas containing systems and equipment required for safe shutdown (E)
e) Diesel Fuel Oil Storage and Transfer System (E)
The instrumentation and controls for the systems required for safe shutdown are described in Section 7.4.
7.1.1.4 Display Instrumentation
This section describes non-safety and safety related display instrumentation. The safety related (Class 1E) display instrumentation provides timely information to the operator so that he may initiate appropriate safety actions if and when required. Non-safety instrumentation is used for normal operation and although not required may be available for operator information.
The following display instrumentation provides monitoring of the automatic or manually actuated systems associated with the operation of the plant during normal or accident conditions:
a) ESF Systems Monitoring (E)
b) ESF Support Systems Monitoring (E)
c) Reactor Protective System Monitoring (CE)
d) CEA Position Indication System (CE)
e) Plant Process Display Instrumentation (CE/E)
f) Control Board Annunciators (E)
g) Bypass and Inoperable Status Indication (E)
h) Control Room Habitability Instrumentation (E)
i) Post Accident Monitoring Instrumentation (E)/(CE)
j) Shutdown Cooling System Instrumentation (CE)
Refer to Section 7.5 for a description of the above instrumentation systems.
7.1.1.4.1 Qualified Safety Parameter Display System (QSPDS)
The QSPDS provides Class 1E processing and display of inadequate core cooling monitoring instruments and calculations. A description of the QSPDS, specifically the functions of the system, is found in Subsection 7.5.4.3.2.
7.1.1.4.2 Regulatory Guide 1.97, R2
Instrumentation pertaining to RG 1.97, R2 is described in Subsection 7.5.2.9.
7.1.1.5 All Other Systems Required for Safety
Other systems required for safety include the following interlocks and systems:
a) Shutdown Cooling System Suction Line Valve Interlocks (CE) (see Subsection 5.4.7)
b) Safety Injection Tank Isolation Valve Interlocks (CE) (see Section 6.3)
c) Refueling Interlocks (CE) (see Subsection 9.1.4)
d) Fuel Pool Cooling and Purification System (CE) (see Subsection 9.1.3)
e) Reactor Coolant Leak Detection System (CE) (see Subsection 5.2.5)
f) Area and Process Radiation Monitoring (E) (see Subsection 12.3.4)
g) Containment Vacuum Relief System (E) (see Subsection 6.2.1)
h) Overpressurization Protection (CE) (see Subsection 5.2.2)
i) Shield Building Ventilation System Switchover from Fuel Handling Building (E) (see Subsection 6.2.3)
The above are described further in Section 7.6.
7.1.1.6 Comparison
The Reactor Protective System was designed and built functionally identical to the system provided for St. Lucie Unit 1 (Docket No. 50-335) with the following exceptions:
a) The number of CEAs for St. Lucie Unit 2 is 83 (Cycle 1). This change has resulted in minor changes in core protection calculator settings.
b) The RPS of St. Lucie Unit 2 has a loss of CCW trip for RCP (Equipment) protection. This trip is not credited in the safety analysis.
The St. Lucie Unit 2 logic functions are identical to those used for St. Lucie Unit 1, but also include fuses in all matrix inter-bay connections as part of improved fault protection. In addition, a test circuit is provided for checking the fuses (associated with this matrix fault protection) periodically (See Note 2). Matrix fuse integrity is checked periodically in accordance with the RPS technical specifications. St. Lucie Unit 2 matrix relays are dry reed types, for improved reliability over the original St. Lucie Unit 1 mercury wetted reed type relay design.
St. Lucie Unit 2 incorporates a new RPS bistable design which, while functionally identical, is characterized by: greater accuracy, input buffering for improved circuit isolation, improved noise immunity via an adjustable response time, less cycling due to a variable hysteresis feature, and a pull-up (down) circuit design which forces a bistable trip on a loss of input signal. Consequently, contrary to the St. Lucie Unit 1 UFSAR Subsection 7.2.2-2, the St. Lucie Unit 2 auctioneered input bistables utilizing negative inputs trip in an open circuit configuration (See Note 3).
St. Lucie Unit 2 has incorporated RG 1.53, RG 1.22, RG 1.75, IEEE 323-74, 344-75, and 384-74 in the RPS design. These guides/standards were not in effect when St. Lucie Unit 1 was licensed.
c) Systems Required for Safe Shutdown
St. Lucie Unit 2 conforms to RG 1.75, which identifies a 6-inch spatial separation requirement, versus the 12 inch criteria of St. Lucie Unit 1.
d) Safety Related Display Instrumentation
The upper and lower CEA limits are indicated on the CEDMCS control panel for St. Lucie Unit 2, while St. Lucie Unit 1 displays this information on the core mimic display. The St. Lucie Unit 2 design is identical to the SONGS design (Docket No. 50-362).
Many aspects of the St. Lucie Unit 2 design for Post Accident Monitoring are different from St. Lucie Unit 1. St. Lucie Unit 2 is identical to SONGS with the exception of invoking BTP EICSB No. 23, Qualification of Safety-Related Display Instrumentation for Post Accident and Safe Shutdown. The associated changes in this area for invoking RG 1.97 (R2) are provided in Subsection 7.5.2.9.
St. Lucie Unit 2 utilizes the Analog Display System (ADS), which while functionally identical to the originally supplied St. Lucie Unit 1 Metroscope, exhibits improved reliability design features and incorporates improved human factors characteristics. The metroscope was subsequently replaced with the CEA position display system (CEAPDS), which is similar to ADS. This indication is non-1E indication and is further described in Subsection 7.7.1.1.6.
e) Engineered Safety Features Actuation System (ESFAS)
The St. Lucie Unit 2 ESFAS is functionally identical to the St. Lucie Unit 1 System. Channel designation and parameter inputs are essentially the same except for the following specific differences:
The St. Lucie Unit 2 main steam isolation signal (MSIS) is initiated by a low pressure signal from either steam generator or high containment pressure (Subsection 7.3.1.1.5). St. Lucie Unit 1 MSIS is initiated by a low pressure signal from either steam generator only.
The St. Lucie Unit 2 containment isolation actuation signal (CIAS) is modified to actuate on safety injection actuation signal (SIAS) as well as high containment pressure or high containment radiation. This modification was incorporated in St. Lucie Unit 1 as required by USNRC TMI Action Items to satisfy a diversity requirement for containment isolation. Subsection 7.3.1.1.4 reflects this CIAS modification.
St. Lucie Unit 2 has incorporated RG 1.53, RG 1.22, RG 1.75, IEEE 323-1974, 344-1975, and 384-1974 in the ESFAS design. These guides/standards were not in effect when St. Lucie Unit 1 was licensed.
The ESF systems are designed and built functionally identical to the ESF systems used on St. Lucie Unit 1 (Docket No. 50-335). The following are ESF system differences when compared against St. Lucie Unit 1:
a) Containment fan cooling system has two speed motors.
b) Each safety injection train is provided with its own miniflow recirculation header.
c) Each LPSI pump has its own separate header and associated valves.
d) The HPSI pumps are comprised of two functionally separate and independent pumps and headers. There are no installed spare HPSI pumps.
e) The Shutdown Cooling System is designed with redundant valves and headers.
f) Piping and valves permit the diversion of HPSI flow from the cold leg into the hot leg of the Reactor Coolant System for simultaneous hot and cold leg injection.
g) Pressurizer pressure interlocks on the SIT isolation valves open the valves prior to an actual or simulated pressurizer pressure signal exceeding 515 psia and prevent closure of the valves if pressurizer pressure is greater than 276 psia.
NOTES:
1) Deleted
2) The fuses of this section are utilized in the System 80 Plant Protection System Design.
3) The bistable design is a modified System 80 design, since the System 80 design does not utilize auctioneering.
7.1.2 IDENTIFICATION OF SAFETY CRITERIA
Comparison of the design with applicable Regulatory Guide recommendations and degrees of compliance with the appropriate design bases, criteria, standards, and other documents used in the design of the systems listed in Subsection 7.1.1 are described in Subsections 7.1.2.1 through 7.1.2.2.
7.1.2.1 Design Bases
The technical design bases for specific instrumentation and controls of each safety-related system are presented in applicable Subsections of this chapter. Design bases that apply equally to all safety-related instrumentation and control systems are in this Subsection.
a) General Design Criteria (GDC) Appendix A to 10 CFR 50: Discussions of compliance with GDC are provided in Sections 3.1, 7.2 and 7.3.
b) IEEE 279-1971 (ANSI N42.7-1972), "Criteria for Protection Systems for Nuclear Power Generating Station": Discussions of conformance to this standard are provided in Sections 7.2, 7.3, 7.4, 7.5, and 7.6.
c) Applicable Regulatory Guides and IEEE standards discussed in Subsection 7.1.2.2.
Reactor Protective System
The design bases for the RPS are presented in Section 7.2.
Engineered Safety Features Actuation System
The design bases for the ESFAS and the ESF support systems are described in Section 7.3.
Systems Required for Safe Shutdown
The design bases for the systems required for safe shutdown are given in Section 7.4.
Safety Related Display Instrumentation
The design bases for display instrumentation are delineated in Section 7.5.
All Other Systems Required for Safety
The design bases for all other systems required for safety are discussed in Section 7.6.
The ESFAS and RPS instruments and circuitry inaccuracies are taken into consideration during setpoint selection and the accident analyses discussed in Chapter 15.
7.1.2.2 Regulatory Guide Implementation
Section 1.8 discusses how the effective dates of the Regulatory Guides discussed below were selected. The following is a comparison of the St. Lucie Unit 2 instrumentation and control design with the listed Regulatory Guides:
Regulatory Guide 1.11, "Instrument Lines Penetrating Primary Reactor Containment," 3/71 (R0)
The vacuum relief and containment main purge sensing lines used to detect a negative pressure inside containment do not form part of the protection system (as defined in IEEE 279-1971); but based on regulatory position 2a, compliance with positions 1b, 1c, 1d, and 1e is discussed below.
The sensing lines are redundant, independent and are testable in accordance with the requirements for a protective system. The sensing lines are each 3/8 inch (OD). In the event of a postulated failure in this line or in the excess flow check valve located just outside the shield wall during normal operation, the small size of this line precludes a) gross leakage, b) coolant loss since this line does not carry reactor coolant, c) jeopardizing the integrity of the secondary containment and d) potential offsite doses in excess of guidelines established for design basis accidents.
A self actuated excess flow check valve is provided outside of and as close to the shield wall as practical in each of the sensing lines. The sensing lines and excess flow check valves are Quality Group B. The redundant lines are separated and provisions are incorporated to permit periodic visual in-service inspection.
Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," 2/72 (R0)
Periodic testing of protection system actuation functions is discussed in Subsection 7.2.1.1.9 for RPS, Subsection 7.3.1.1.1d for ESFAS, Subsection 7.3.1.1.8d for AFAS, Subsection 7.4.2.3 for systems required for safe shutdown, Subsection 7.5.2.9 for safety related instrumentation and Subsection 7.6.2.2 for all other instrumentation systems required for safety.
Regulatory Guide 1.29, "Seismic Design Classification," 9/78 (R3)
Class 1E instrumentation and control components are designed to withstand the effects of a safe shutdown earthquake (SSE) and are designed as seismic Category I. The seismic Category I design requirements are applied to the instrumentation and controls for the safety related systems identified in Subsection 7.1.1. Qualification of seismic Category I/Class 1E instrumentation and controls is discussed in Section 3.10.
Regulatory Guide 1.30, "Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment," 8/72 (R0)
For a discussion of Regulatory Guide 1.30 (R0), refer to Chapter 17.
Regulatory Guide 1.32, "Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants," 8/72 (R0)
The use of IEEE 308-1971 in conjunction with Regulatory Guide 1.32 (R0) is discussed in Subsection 8.3.1.2.
Regulatory Guide 1.40, "Qualification Tests of Continuous-Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants," 3/73 (R0)
This regulatory guide is not applicable to any instrumentation. Information on qualification is provided in Section 3.11.
Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," 5/73 (R0)
The design of the safety related display information conforms to the regulatory positions of Regulatory Guide 1.47 (R0). Refer to Subsection 7.5.2.7 for a discussion of bypassed and inoperable status indication.
Regulatory Guide 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," 6/73 (R0)
The instrumentation and controls for safety related equipment conform to the recommendations of IEEE 379-1972 and are consistent with the recommendations of Regulatory Guide 1.53 (R0).
Regulatory Guide 1.62, "Manual Initiation of Protective Actions," 10/73 (R0)
The recommendations of Regulatory Guide 1.62 (R0) are complied with by the following design:
a) Manual initiation of each protective action at the system level is provided.
b) Manual initiation of a system level protective action initiates all required supporting systems.
c) Manual initiation switches are located in the control room and are readily accessible by the operator.
d) The amount of equipment common to both manual and automatic initiation is kept to a minimum. No single failure within the manual, automatic or common portions of the protection system can prevent initiation of the protection action by manual or automatic means.
e) Manual initiation of protective action depends on the operation of a minimum of equipment consistent with the above.
f) Manual initiations at the system level are designed to go to completion once initiated as required by Section 4.16 of IEEE 279-1971.
Regulatory Guide 1.63, "Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants," 10/73 (R0)
Instrumentation wiring which penetrates the containment is through electric penetration assemblies. For a discussion of how the design of the penetrations complies with the Regulatory Guide, refer to Subsection 8.3.1.2.
Regulatory Guide 1.68, "Initial Test Programs for Water-Cooled Reactor Power Plants," 11/73 (R0)
Regulatory Guide 1.73, "Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants," 1/74 (R0)
Information on qualification testing is discussed in Section 3.11.
Amendment No. 18 (01/08)

Regulatory Guide 1.75, "Physical Independence of Electric Systems," 1/75 (R1)
The safety related instrumentation and control systems meet the intent of Regulatory Guide 1.75 (R1) and IEEE 384-1974. Additional discussions concerning the implementation of Regulatory Guide 1.75 (R1) are given in Subsection 8.3.1.2. Note that the majority of the regulatory positions are directed at electric energy levels significantly above the energy levels of instrumentation and control circuits.

The RPS cabinet is divided into four bays which are separated by barriers. Each bay contains one of the four redundant channels of the RPS. This provides the separation and independence necessary to meet the requirements of Section 4.6 of IEEE 279-1971. Tests or analyses are performed to demonstrate that no single credible event in one RPS channel can propagate the fault created to any other channel.
The reactor trip switchgear components and associated switches, contacts, relays, etc. are contained in a five bay switchgear cabinet (four safety bays and one neutral bay). Each bay is physically separated from the other bays. This method of construction ensures that a single credible failure in one reactor trip switchgear does not cause malfunction or failure in another cabinet. These isolation techniques ensure that no credible failure on the output side of the isolation device affects the RPS side and that the independence of the RPS is not jeopardized.

Instrumentation and control channel independence is achieved by electrical and physical separation between redundant Safety Class 1E channels and between Class 1E and non-Class 1E circuits and equipment. The ESFAS is provided with six separate cubicles, one for each channel (MA, MB, MC, MD, SA and SB), consisting of four measurement channels separated by metal barriers and two actuation channels. Redundant bistables, modules, logic matrices and output relays are located in separate cabinets. The redundant components at the control boards in the control room are also electrically and physically separated, providing complete channel independence. Physical separation barriers and boxed in terminal boards are utilized to maintain these separations between electrical circuits of redundant components.

Circuits which perform a nonsafety function and share or come in contact with Class 1E circuits are identified as associated circuits up to the isolation device. Associated circuits are separated in the same manner as the Class 1E circuits with which they are associated. Associated circuits are connected to non-Class 1E circuits through an isolation device. Separation is maintained from the Class 1E equipment up to and including the isolation device.
The isolation and independence of the Reactor Protective System is discussed below within two classifications: 1) Isolation of external non-1E interface signals and 2) Internal isolation to maintain independence of redundant channels.
a) Below is a listing of the signals which interface with systems external to the RPS.

Signal | Transmission Type | Isolation Device |
---|---|---|
Reactor Coolant Pump Breaker Status Contacts | Digital | Relay |
Reactor Trip Switchgear Trip Circuit Breakers | Digital | Relay |
Bistable Trip to Sequence of Events | Digital | Relay |
Bistable Trip & Pre-Trip to Plant Annunciator | Digital | Relay |
Operating Bypass and Misc. Plant Annunciator settings | Digital | Relay |
CEA Withdrawal Prohibit | Digital | Relay |
10^-4 % Power to Analog Display System | Digital | Relay |
Power Operated Relief Valve Closure Signal | Digital | Relay |
Q Power to Power Ratio Calculator | Analog | Isolation Amplifier |
Q Power to Analog Display System | Analog | Isolation Amplifier |

When reviewing the above list it should be noted that signals which are listed as not requiring an isolation device are maintained separate from signals classified as 1E or associated in accordance with the requirements set forth in Regulatory Guide 1.75 (R1). Also, the isolation devices identified as relay are physically a relay in conjunction with a fuse. The relay provides contact to coil isolation (dielectric strength) while the fuse maintains the integrity of the wire. The two devices together are considered to be the isolation device. Each type of isolation device is qualified for a fault of 480V ac and 325V dc. The actual test voltages are 600V ac and 400V dc. The general acceptance criteria for RPS isolation devices are as follows:
1) Application of the fault to the appropriate side of the isolation device shall not propagate to the other side of the isolation device or adversely affect the operation of circuitry connected to the other side of this isolation device.

2) The integrity of the wire insulation must be maintained.

The above acceptance criteria meet Regulatory Guide 1.75 and IEEE 384.

The following is a discussion of the means by which independence of the four RPS channels is maintained.

Process input signals are sent to bistable trip units within the RPS where the signal is first buffered and then compared to a setpoint to create an on/off type signal. This signal deenergizes five separate relays within the trip unit. At this point all signals, cablings, modules, dedicated power supplies and any associated test circuitry are maintained totally independent across the four channels.
One contact from each trip unit is wired in series together within each channel. This series string is produced three times within each channel. The strings are then combined with another channel such that each contact is in parallel with a contact from another channel. This forms the six possible combinations of logic matrices AB, AC, AD, BC, BD, CD. All connections of relay contacts between channels are fuse protected in the channel of origin and the channel of destination. This fuse in conjunction with its related contact and coil provides the required isolation between bistable and matrix.

Each matrix is powered from two diode isolated power supplies located in two different channels of the RPS. Each power supply has with it an isolation circuit which limits the fault to acceptable values and prevents the fault from disturbing the independent vital buses. Each logic matrix drives four matrix relays. One matrix relay contact from each of the six matrices is connected in series to drive an initiation relay. This circuit is labeled the trip path. All connections of relay contacts between channels are fuse protected in the channel of origin and the channel of destination. This fuse in conjunction with its related contact and coil provides the required isolation between the trip path and each matrix.
Testing within each channel is maintained independent through the use of a test interlock circuit which provides the intelligence to allow testing in only one channel at a time. The test is performed in three levels: 1) bistable test, 2) matrix test and 3) trip path test. The bistable test is performed using an independent test source within each channel such that a fault would affect only one channel. The matrix and trip path tests are performed through the matrix test module by energizing bistable and/or matrix secondary relay coils. A combination of contact to contact, contact to coil, coil to contact and coil to coil isolation (all in conjunction with a fuse) is used to ensure a fault within the test circuit will not compromise the four channel redundancy.
All isolation devices discussed above are qualified to 480V ac and 325V dc and tested to 600V ac and 400V dc. The entire system is also subjected to an EMI test in accordance with MIL-STD-461A, "Electromagnetic Interference Characteristics Requirements for Equipment," for both conducted and radiated signals using tests CS01, CS02, CS06, RS03 and RS04. Additional information on qualification tests is provided in Appendix 7.1A.

In addition to the above, the safety portion of the pressurizer level channels is isolated from the non-safety portion by an analog voltage to analog voltage isolation. This isolation utilizes transformer coupling as its isolating/signal coupling medium. Short circuits, open circuits, and high voltages (480 ac) are applied to the output circuitry as credible faults. The failure of these faults to perturb or propagate to the input circuitry forms the basis of the acceptance criteria for this isolation. There are no additional safety to non-safety interfaces nor process instrumentation interconnections between redundant safety circuits.

Regulatory Guide 1.80, "Preoperational Testing of Instrument Air Systems," 6/74 (RO)

Regulatory Guide 1.89, "Qualification of Class 1E Equipment for Nuclear Power Plants," 11/74 (RO)

For discussion of qualification of Class 1E equipment, see Section 3.11.

Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident" 12/75 (RO) and 12/80 (Rev. 2)

As indicated in the implementation section of Regulatory Guide 1.97 (RO), the positions of this guide are to be used to evaluate construction permit (CP) applications submitted after August 1, 1976; the St. Lucie Unit 2 CP application was docketed in September 1974. Although Regulatory Guide 1.97 (RO) is not applicable to this operating license application, the positions of this Regulatory Guide are discussed in Subsection 7.5.2.9.
Implementation of the requirements of Regulatory Guide 1.97, Rev. 2 is discussed in Subsection 7.5.2.9.

Regulatory Guide 1.100, "Seismic Qualification of Electric Equipment for Nuclear Power Plants," 3/76 (RO)

As indicated in the implementation section of Regulatory Guide 1.100 (RO), the positions of this guide are to be used to evaluate construction permit (CP) applications docketed after November 15, 1976. The St. Lucie Unit 2 (CP) application was docketed in September, 1974. Although RG 1.100 (RO) is not applicable to this operating license application, Section 3.10 presents a discussion of seismic qualification of Class 1E instrumentation and controls.

Regulatory Guide 1.105, "Instrument Setpoints," 11/76 (R1)

As indicated in the implementation section of Regulatory Guide 1.105 (R1), the method described in this guide is to be used in the evaluation of plants with construction permits docketed after July 1, 1976. Although Regulatory Guide 1.105 (R1) is not applicable to the St. Lucie Unit 2 operating license, the intent of the regulatory positions is met as follows:

(C1) Setpoints are established with margins as indicated at the Technical Specification limits for the process variable and the nominal trip setpoint which include allowance for instrument inaccuracy, calibration uncertainty, and instrument drift anticipated between calibration intervals.

(C2) All setpoints are established in that portion of the instrument span which insures that accuracy is maintained. Instruments are calibrated so as to insure the required accuracy at the setpoint.

(C3) The range selected for the instrumentation encompasses the expected operating range of the process variable being monitored to the extent that saturation does not negate the required action of the instrument.

(C4) The accuracies of all instruments with setpoints are equal to or better than the accuracy assumed in the safety analysis. Instrument internals are chosen for the design conditions in which they are installed. Design verification is included as part of the equipment qualification program as recommended in Regulatory Guide 1.89 (RO).

(C5) Instruments important to safety have securing devices on the setpoint adjustment mechanism. The securing device is designed such that during securing or releasing it does not alter the setpoint. Such devices are under administrative control.

(C6) Documentation of bases used in selecting setpoint values is contained in the Technical Specifications. Chapter 15 contains assumptions used in the accident analyses whereby setpoint values are determined.
Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems" 6/76 (RO)

As indicated in the implementation section of Regulatory Guide 1.118 (RO), the positions of this guide are to be used to evaluate construction permit applications docketed after February 15, 1977. Although Regulatory Guide 1.118 (RO) is not applicable to this operating license application, the design meets the intent of Regulatory Guide 1.118 (RO) and IEEE 338-1971 except for response time testing. Periodic response time testing during reactor operation is required by the Regulatory Guide. The design calls for response time verification testing conducted during initial installation and subsequent plant shutdowns. This Regulatory Guide is further discussed in Subsection 8.3.1.2.
APPENDIX 7.1A RPS MATRIX POWER SUPPLY ISOLATION QUALIFICATION
The following provides further definition on the method of qualifying the RPS matrix power supply (with associated isolation networks) to the requirements of IEEE 323-1974, in accordance with CENPD-255(R1), "Qualification of Class 1E Instrumentation." The results of each test discussed below were provided to the NRC.(1)(2)

a) Fault Isolation Qualification

The test involves simulating a typical RPS matrix, including bistable trip units, bistable power supplies, matrix power supplies, matrix relays, and isolation relays. Vital bus power (120V ac) is simulated by using two power isolation transformers. The isolation test consists of the application of 600V ac and 400V dc faults in the circuit in the common and transverse modes. The basis for the 600V ac and the 400V dc test voltage is as follows:

600V ac: The highest credible ac fault voltage which could appear within the RPS is 480V ac. This voltage is increased by 10 percent to 528V ac to account for normal voltage tolerances and then again increased by 10 percent to 581V ac to account for IEEE STD 323-1974 margin. This voltage is then rounded off to 600V ac.

400V dc: The highest credible dc fault voltage which could appear within the RPS is 325V dc. This voltage is increased by 10 percent to 358V dc to account for normal voltage tolerances and then again increased by 10 percent to 394V dc to account for IEEE STD 323-1974 margin. This voltage is then rounded off to 400V dc.
1) Common Mode Test

The common mode test is accomplished by applying a fault to the dc side of a matrix power supply. The fault voltage and current are monitored to define the fault characteristics. Also, the 120V ac line side of the power supply is monitored to document any effect as a result of application of the fault. All monitoring is by means of a light beam recorder.

2) Transverse Mode Test

The transverse mode test is accomplished by applying the fault directly to the output terminals of the isolation circuit. This fault voltage and current are monitored to define the fault characteristics. Also, the input side of the isolation circuit and the 120V ac line side of the power supply are monitored to document any effects as a result of application of the faults. All monitoring is by means of a light beam recorder.
Amendment No. 21 (11/12)
3) Acceptance Criterion

The acceptance criterion for the above tests is that upon application of the fault the input power supply voltage does not vary more than +/- 10 percent from the nominal voltage. It has been shown that before, during, and after a fault application the system will perform its protective function (trip actuation) when required.
b) Surge Qualification

A surge test is performed on the RPS according to the guidance of IEEE Standard 472-1974, to the extent practical. The test involves simulating a typical RPS matrix, including bistable trip units, bistable power supplies, matrix power supplies, matrix relays, and isolation relays. Vital bus power (120V ac) is simulated by using two power isolation transformers. The test voltage from neutral to peak is 337 volts: (120V ac + 10 percent) x 1.414, plus the neutral to peak surge 300V/2.

An ultra isolation transformer has been added to the design of the vital bus inverter system in order to attenuate any line surges which may pass through the inverter system. The isolation transformer is surge qualified in accordance with the guidelines of IEEE Standard 472-1974. This includes application of a surge (2.5 kV to 3.0 kV) to the primary winding in both the common and transverse modes. The acceptance criterion for this test is that the transformer limits the surge on the secondary to 100 volts. Note that the credible surge seen by the RPS is limited to 100 volts which is two thirds of the surge being applied to the RPS. The transformer is also qualified to the requirements of IEEE Standard 344-1975 and IEEE Standard 323-1974, in accordance with CENPD-255(R1).
1) Common Mode Test

The common mode test is accomplished by applying a surge to the ac side of the matrix power supply and the power supply chassis. During surge application the simulated RPS circuit is operated to show proper function and accuracy. Also, the 120V ac line of the associated power supply is monitored.

2) Transverse Mode Test

The transverse mode test is accomplished by applying a surge to the ac side of the matrix power supply. During application of the surge the simulated RPS circuit is operated to show proper function and accuracy. Also, the 120V ac line of the associated power supply is monitored.

3) Acceptance Criterion

The acceptance criterion for the above tests is that all circuits shall operate correctly and within their normal accuracy requirements before, during, and after the surge application. Also, the voltage observed at the input of the second power supply should not vary more than +/- 10 percent of the nominal voltage.
APPENDIX 7.1A: REFERENCES

1) FP&L Letter L-82-470 from Dr. R. E. Uhrig (FP&L) to Mr. D. G. Eisenhut (NRC) dated October 29, 1982.

2) FP&L Letter L-82-550 from Dr. R. E. Uhrig (FP&L) to Mr. D. G. Eisenhut (NRC) dated December 22, 1982.
7.2 REACTOR PROTECTIVE SYSTEM

This section describes the design and functions of the Reactor Protective System (RPS). Subsection 7.2.1 includes a summary description of the following:

Reactor Trips
Initiating Circuits
Logic
Actuated Devices
Bypasses
Interlocks
Redundancy
Diversity
Testing
Power Supply

Design bases are discussed in Subsection 7.2.1.2.

Analysis of the design of the RPS is discussed in Subsection 7.2.2, including the bases for the reactor trips, purpose of the trips, compliance with General Design Criteria and IEEE 279-1971, and a failure modes and effects analysis.

7.2.1 DESCRIPTION
7.2.1.1 System Description

The Reactor Protective System (RPS) consists of sensors, calculators, logic, and other equipment necessary to monitor selected Nuclear Steam Supply System (NSSS) conditions and to effect reliable and rapid reactor shutdown (reactor trip) if any or a combination of the monitored conditions approach specified safety system settings. The RPS functions are to assure that reactor coolant pressure boundary (RCPB) and fuel performance guidelines are not exceeded during moderate frequency events and infrequent events and also to provide assistance in limiting conditions for certain limiting faults.

The system is designed such that the single failure criterion and performance requirements are met with three channels in service. A coincidence of any two like trip signals generates a reactor trip signal. However, four measurement channels with electrical and physical separation are provided for each parameter. To enhance plant availability, a fourth channel is provided as a spare and allows bypassing of one channel while maintaining the requisite two-out-of-three logic.

A reactor trip initiated by the Reactor Protective System causes the input motive power to be removed from the control element drive mechanism control system (CEDMCS) by the trip switchgear, which in turn causes all control element assemblies to be inserted by gravity.

Provisions were originally made for future operations with one or more reactor coolant pumps inoperative, in that the low reactor coolant flow trip setpoint and the thermal margin/low pressure trip setpoints could be simultaneously changed to the setpoints for the selected pump conditions. However, power operation with less than four pumps in operation is not allowed by the operating license, and this flow dependent setpoint capability was subsequently eliminated.

The RPS trip setpoints are provided in the Technical Specifications. RPS bypasses are summarized on Table 7.2-2.

7.2.1.1.1 Reactor Trips

7.2.1.1.1.1 High Power Level

A reactor trip on variable high power level is provided to trip the reactor in the event of reactivity excursions that may be too rapid for the high pressurizer pressure trip function to respond. High power level trips also provide backup protection for steam line break accidents.
High power levels trip the reactor when the reactor power (the higher of neutron flux power or thermal power) reaches a high preset value. During startups, this setpoint is manually increased to a fixed increment above the existing reactor power level up to a maximum value. As reactor power decreases, the high power level trip setpoint automatically decreases, maintaining the fixed increment between the reactor power level and the setpoint. The high power trip has a 15% lower and a 10% upper limit (RTP).

7.2.1.1.1.2 High Rate-of-Change of Power

The high rate-of-change of power trip is not credited in any of the Chapter 15 accident analyses; however, the trip is considered in the safety analysis in that the presence of this trip function precluded the need for specific analyses of other events initiated from subcritical conditions (events not discussed in Chapter 15). This trip is provided to trip the reactor when the rate-of-change of neutron flux power reaches a high preset value.

7.2.1.1.1.3 High Local Power Density

The high local power density trip is provided to trip the reactor when the axial offset exceeds a high calculated value or falls below a low calculated value. The calculated setpoints are generated in the analog core protection calculators as a function of reactor power (the higher of neutron flux power or thermal power), and assure a core peak local power density below fuel performance guidelines for infrequent events and moderate frequency events (See Chapter 15). The trip is automatically bypassed when reactor power falls below a low preset value.

7.2.1.1.1.4 Thermal Margin/Low Pressure

The thermal margin/low pressure (TM/LP) trip is provided to trip the reactor when the Reactor Coolant System pressure falls below a low preset value, or a low calculated value, whichever is higher. The calculated setpoint is a function of reactor inlet temperature, and axial offset. The calculated setpoint assures a core departure from nucleate boiling (DNB) ratio above the fuel performance guidelines for infrequent events and moderate frequency events. The preset setpoint provides protective action assistance to the engineered safety feature (ESF) systems during certain LOCA limiting faults. The trip signal can be manually bypassed when the neutron flux power falls below a low preset value. The bypass is automatically removed when the flux power exceeds the bypass value.

The Asymmetric Steam Generator Transient Protective Trip Function (ASGTPTF) consists of SG pressure inputs to the TM/LP calculator, causing a reactor trip when the difference in pressure between the two SGs exceeds the trip setpoint. The ASGTPTF is designed to provide a reactor trip on secondary system malfunctions which result in asymmetric primary loop coolant temperatures.
7.2.1.1.1.5 High Pressurizer Pressure

The high pressurizer pressure trip is provided to trip the reactor when measured pressurizer pressure reaches a high preset value.

7.2.1.1.1.6 Low Reactor Coolant Flow

The low reactor coolant flow trip is provided to trip the reactor when the reactor coolant flow reaches a low preset value. The low reactor coolant flow trip signal may be manually bypassed when the neutron flux power falls below a low preset value. The bypass is automatically removed when the flux power exceeds this value.

7.2.1.1.1.7 Low Steam Generator Water Level

The low steam generator water level trip is provided to trip the reactor when the lower of the measured steam generator water levels for the two steam generators falls to a low preset value.

7.2.1.1.1.8 Low Steam Generator Pressure

The low steam generator pressure trip is provided to trip the reactor when the lower of the measured steam generator pressures for the two steam generators falls to a low preset value. The low steam generator pressure trip signal may be manually bypassed when the steam generator pressure falls below a low preset value. The bypass is automatically removed when the steam generator pressure exceeds this value.

7.2.1.1.1.9 High Containment Pressure

The high containment pressure trip is provided to trip the reactor when measured containment pressure reaches a high preset value.

7.2.1.1.1.10 Turbine Trip

The reactor trip on turbine trip is an equipment protective trip and is not required for reactor protection. The reactor trip on turbine trip is automatically bypassed when the reactor power falls below a low preset value. The bypass is automatically removed when the reactor power exceeds this value.

7.2.1.1.1.11 Loss of Component Cooling Water Trip

The reactor trip upon a loss of component cooling water to the reactor coolant pumps is not required for reactor protection. The reactor trip upon loss of component cooling water is delayed 10 minutes after it reaches the preset setpoint. Four channels of Class 1E indication of component cooling water flow out of all reactor coolant pumps is provided on the RTGB. In addition, indicators are provided on the reactor turbine generator board (RTGB) for reactor coolant pump component cooling water flow for each reactor coolant pump.

Amendment No. 16 (02/05)
7.2.1.1.1.12 Manual Trip

A manual reactor trip is provided to permit the operator to trip the reactor. Actuation of two adjacent pushbutton switches in the control room causes interruption of the AC power to the CEDMs. Two independent sets of trip pushbuttons are provided; either one of which causes a reactor trip. There are also manual reactor trip switches at the reactor trip switchgear.

The remote manual initiation portion of the reactor trip system is designed as an input to the reactor trip switchgear system (RTSS). This design is consistent with the recommendations of Regulatory Guide 1.62, "Manual Initiation of Protective Actions," October 1973 (RO). The amount of equipment common to both automatic and manual initiation is kept to a minimum. Once initiated, the manual trip goes to completion as required in Section 4.16 of IEEE 279-1971.

7.2.1.1.2 Initiating Circuits

7.2.1.1.2.1 Process Measurements

Various pressures, water levels, and temperatures associated with the NSSS and the containment atmosphere are continuously monitored to provide signals to the RPS trip bistables. All protective parameters are measured with four independent process instrument channels each of which is powered by an independent instrument power supply. A detailed listing of the parameters measured is contained in Table 7.2-3.

A typical protective channel, as shown on Figure 7.2-1, consists of a sensor/transmitter, power supply, current loop resistors, indicating meter or recorder, and trip bistable/calculator inputs.

7.2.1.1.2.2 Excore Neutron Flux Monitoring and Protective Systems

The excore nuclear instrumentation includes neutron detectors located around the reactor core, and signal conditioning equipment located within the containment and Reactor Auxiliary Building. Neutron flux is monitored over a 10 decade span from 2x10^-8 percent to 200 percent reactor power and outputs are provided for reactor protection and information display.
There are four channels of safety instrumentation (see Figure 7.2-2). Each channel comprises both linear "Power Range" circuitry and logarithmic "Wide Range" circuitry located within the same drawer. Each channel has separate detectors and amplifiers (where required) for the linear and logarithmic portions of the safety channel.

7.2.1.1.2.2.1 Wide Range Logarithmic Safety Channels

The four wide range logarithmic safety channels measure neutron flux from 2x10^-8 percent of full power through 200 percent of full power. A fission chamber detector and amplifier, both located within containment, provide a signal input to the signal processing electronics, located in the safety channel drawer in the RPS cabinet.
The wide range logarithmic safety channels are used by the RPS as input signals to the high rate of change of power trip, input to the zero power mode bypass circuitry and to the low power bypass of this trip.

7.2.1.1.2.2.2 Power Range Safety Channels

The four power range channels measure neutron flux linearly over the range of 1.0 percent to 200 percent of full power. The detector assembly provided for each power range safety channel consists of two uncompensated ionization chambers stacked vertically along the length of the reactor core. The use of two subchannel detectors in this arrangement permits the measurement of axial offset during power operation. The dc current signal from each of the ionization chambers is fed directly to the signal processing electronics, located in the safety channel drawer.

The power range safety channels are used by the RPS as input signals to the core protection calculators to determine the neutron flux power and axial offset, and as input signals to the high power bypass circuitry for the high rate of change of power trip.
7.2.1.1.2.3 Reactor Coolant Flow Measurements

The reactor coolant flow measurement signals are provided by summing a function of the differential pressure across each steam generator to provide an indication of the total coolant flow through the reactor. This measurement of differential pressure (Δp) is directly proportional to the actual flow. The low flow reactor trip is actuated directly by the summed Δp signals.

7.2.1.1.2.4 Analog Core Protection Calculators

The core protection calculators are analog computers that provide input to the thermal margin/low pressure trip, the local power density trip, and the high power trip. A calculated low pressure limit related to departure from nucleate boiling ratio (DNBR) is determined using preset coefficients as a function of the measured cold leg temperature, axial offset, and the higher of the thermal power or neutron flux power. This calculated low pressure limit is an input to the thermal margin/low pressure trip. The difference between steam generator pressures is monitored and compared to a predetermined setpoint, above which a reactor trip is initiated to protect against secondary system malfunctions which result in asymmetric primary loop coolant temperatures. The functions of the analog core protection calculators are shown on Figures 7.2-4 through 7.2-6.
The upper and lower subchannel neutron flux signals from the power range safety channels are processed to determine the neutron flux power and the axial offset. The axial offset is an input to the local power density trip, and the thermal margin/low pressure trip. The hot and cold leg temperatures from precision resistance temperature detectors are processed to determine the thermal power. The higher of the thermal power or neutron flux power is an input to the high power trip, the thermal margin/low pressure trip, and the local power density trip.

7.2.1.1.2.5 Trip Generation

Signals from the process trip unit measurement loops are sent to bistables where the input signals are compared (trip setpoint) to predetermined trip values. Whenever a parameter reaches the trip value, the bistables deenergize three bistable relays. The bistable relay contacts change state, effecting the appropriate coincidence logic (refer to Subsection 7.2.1.1.3). Auxiliary bistables are provided for contact input process signals.

The bistable setpoints are adjustable from the front of the RPS cabinet through recessed potentiometers. The setpoints within a channel can be monitored on a meter located on the front of the RPS cabinet. Pretrip and trip circuitry is also provided to generate visible indication on the front of each RPS cabinet.

7.2.1.1.2.6 Pressurizer and Steam Generator Level Measurements

Both steam generators and the pressurizer at St. Lucie Unit 2 have open-column reference legs susceptible to containment temperature changes. The effect of a High Energy Line Break inside the containment would be to heat up the reference legs and cause a decrease in the density of the water columns. The resultant effect on the level measurement system would be an indicated level that is reading higher than the actual level.
The main concern for an accurate level reading during an accident such as a main steam break would be to maintain an inventory level in the intact steam generator(s) using the auxiliary feedwater system to allow a controlled cooldown and also to record an accurate pressurizer level as a means of reacting to changing RCS conditions. The level error is accounted for in the determination of safety setpoints.

7.2.1.1.3 Logic

Tripping of a bistable (or trip contact opening as in the case of turbine trip, loss of component cooling water to the reactor coolant pumps, or a calculated trip) results in a channel trip which is characterized by the deenergization of three bistable trip relays (see Figures 7.2-7 and 7.2-8).

7.2-6a Amendment No. 21 (11/12)
Contacts from the bistable relays of the same parameter in the four protective channels are arranged into six logic ANDs, designated AB, AC, AD, BC, BD, and CD, which represent all possible coincidence-of-two combinations. To form an AND circuit, the bistable trip relay contacts associated with two like measurement channels are connected in parallel (e.g., one from A and one from B). This process is continued until all combinations have been formed. Since there is more than one parameter that can initiate a reactor trip, the parallel pairs of bistable trip relay contacts for each monitored parameter are connected in series (logic OR) to form six logic matrices. The six matrices are designated AB, AC, AD, BC, BD, and CD.

Each logic matrix is connected in series with a set of four matrix output relays. Each logic matrix is powered from two separate 120v Class 1E instrument power supply buses through dual dc power supplies as shown on Figure 7.2-8. The power supplies are protected from overload by means of input and/or output fuses or circuit breakers.

The contacts of the matrix relays are combined into four trip paths, one trip path per channel. Each initiation circuit is formed by connecting six contacts (one matrix relay contact from each of the six logic matrices) in series. The six series contacts are in series with the initiation relay. The initiation relays open the reactor trip switchgear system (RTSS) circuit breakers as discussed in Subsection 7.2.1.1.4.

7.2.1.1.4 Actuated Devices

The logic matrices cause the four initiation relays to be deenergized. Each initiation relay in turn causes two of the trip circuit breakers in the RTSS to open (see Figures 7.2-7 and 7.2-8). Power input to the RTSS comes from two full-capacity motor-generator sets, so that the loss of either set does not cause a release of the CEAs.
Each line passes through two trip circuit breakers (each actuated by a separate trip path) in series so that, although both sides of the branch lines must be deenergized to release the CEAs, there are two separate means of interrupting each side of the line. Upon removal of power to the CEDM power supplies, all of the CEAs are inserted into the reactor core by gravity.

Two independent sets of manual trip pushbuttons are provided on the RTGB 201 and 204 to open the trip circuit breakers, if desired. The manual trip completely bypasses the trip logic. As can be seen on Figure 7.2-8, both manual trip pushbuttons in a set must be depressed to initiate a reactor trip.

7.2-6b Amendment No. 20 (05/11)

The reactor trip switchgear system is housed in a cabinet separate from the Reactor Protective System and is located in the electrical equipment room below the control room. In addition to the trip circuit breakers, the cabinet also contains current monitoring devices for testing purposes, bus undervoltage relays for auxiliary functions, and a bus tie breaker. Pushbuttons are provided at the RTSS to allow circuit breaker testing at a location other than the control room.

7.2.1.1.5 Bypasses

The bypasses listed in Table 7.2-2 are provided to permit testing, startup, and maintenance.

a) Operating Bypasses

The zero power mode and low steam generator pressure bypasses are provided for two conditions: system tests at low power and low temperature, and heatup and cooldown with shutdown CEAs withdrawn. The bypasses may be used in mode 3 and below consistent with Technical Specifications and operating procedures. The bypasses are manually initiated and removed within each channel, with automatic removal as a backup to assure full system capability. The functions affected by this bypass are listed in Table 7.2-2.

The turbine trip bypass is provided to remove this equipment protective trip below the value shown in Table 7.2-2 so that the reactor can be started up with the turbine tripped.

The high local power density trip bypass is provided to remove this trip in the low power range where it is not required for reactor protection.

The high rate of change of power trip bypass is provided to remove this equipment protective trip in the range of low power operation where its function is not required.

All operating bypasses are visibly displayed to the operator.

b) Trip Channel Bypass

A bypass is provided to remove a trip function from one of the RPS channels from service for maintenance or testing. The requisite two-out-of-three trip logic is unaffected by this bypass.
The remaining trip functions in that channel are unchanged. The bypass is manually initiated and manually removed. The bypass is initiated by the use of a key operated switch. By the use of administrative controls only one key is available for each trip parameter.

Each of the CCW low flow to RCP trip channels may be manually bypassed (one key per channel) to remove this trip when not required by Technical Specifications. By the use of administrative controls, only one key is used to bypass a trip function when required by the Technical Specifications. Therefore, only one channel of a given parameter can be bypassed at a time, except as detailed above.

7.2.1.1.6 Interlocks

The following interlocks are provided:

7.2-7 Amendment No. 13, (05/00)
a) An electrical interlock allows only one set of four matrix relays in one matrix to be held at a time during system testing. The same circuit allows only one pair of bistable trip relays, for a given parameter, to be actuated at a time (see Figure 7.2-9).

b) An interlock is provided to initiate variable high power, thermal margin/low pressure and local power density trips when test signals are applied to the calculators. This occurs when the nuclear instrument summer control switch is removed from the (A + B)/2 position or a linear channel high voltage trip is produced or the calibration panel mode select switch is removed from the operating position.

c) A mechanical interlock in conjunction with administrative control prevents the operator from bypassing more than one trip channel at a time for any one type of trip. Different type trips may be simultaneously bypassed, however, either in one channel or in different channels.
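The coincidence logic, trip paths, trip channel bypass and bypass interlock described in Subsections 7.2.1.1.3 through 7.2.1.1.6 can be exercised with a small model. The Python code below is an added illustration, not part of the FSAR or of any plant software; it assumes that a trip channel bypass holds the bypassed channel's bistable contacts closed and that matrix relay n of every matrix sits in trip path n, and it uses two of the page's trip parameters as constructed sample inputs.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# Six two-channel logic matrices: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(a + b for a, b in combinations(CHANNELS, 2))
# Two of the trip parameters named on the page, chosen as sample inputs.
PARAMETERS = ("high_pressurizer_pressure", "low_reactor_coolant_flow")
TRIP_PATHS = (1, 2, 3, 4)


def check_bypasses(bypassed):
    """Interlock c): at most one channel bypassed for any one type of trip."""
    seen = set()
    for _channel, parameter in bypassed:
        if parameter in seen:
            raise ValueError(f"second channel bypass requested for {parameter}")
        seen.add(parameter)


def contact_closed(channel, parameter, tripped, bypassed):
    """Bistable trip relay contact: closed while energized, open when tripped.
    Assumption (not stated on the page): a bypass holds the contact closed."""
    if (channel, parameter) in bypassed:
        return True
    return (channel, parameter) not in tripped


def ladder_conducts(matrix, tripped, bypassed):
    """Per parameter the two channels' contacts are in parallel, so both must
    open to break the pair; the pairs are in series, so any broken pair
    opens the whole ladder and drops the matrix relays."""
    first, second = matrix
    return all(
        contact_closed(first, p, tripped, bypassed)
        or contact_closed(second, p, tripped, bypassed)
        for p in PARAMETERS
    )


def matrix_relays(tripped, bypassed=frozenset(), held=None, selected_relay=None):
    """Return {(matrix, n): energized} for all 24 matrix relays.
    held / selected_relay model the trip path test: the hold coils keep the
    held matrix's relays energized, except the one relay selected for test."""
    check_bypasses(bypassed)
    state = {}
    for matrix in MATRICES:
        conducts = ladder_conducts(matrix, tripped, bypassed)
        for n in TRIP_PATHS:
            if matrix == held:
                state[(matrix, n)] = n != selected_relay
            else:
                state[(matrix, n)] = conducts
    return state


def deenergized_trip_paths(tripped, bypassed=frozenset(), held=None, selected_relay=None):
    """Each trip path has one contact from each of the six matrices in series.
    Assumption: relay n of every matrix feeds trip path n."""
    relays = matrix_relays(tripped, bypassed, held, selected_relay)
    return {n for n in TRIP_PATHS if not all(relays[(m, n)] for m in MATRICES)}


if __name__ == "__main__":
    P, F = PARAMETERS
    scenarios = [
        ("one channel tripped", {("A", P)}, set()),
        ("two channels, same parameter", {("A", P), ("C", P)}, set()),
        ("two channels, different parameters", {("A", P), ("B", F)}, set()),
        ("A bypassed, A and B tripped", {("A", P), ("B", P)}, {("A", P)}),
        ("A bypassed, B and D tripped", {("B", P), ("D", P)}, {("A", P)}),
    ]
    for name, tripped, bypassed in scenarios:
        paths = sorted(deenergized_trip_paths(tripped, bypassed))
        print(f"{name:38s} -> deenergized trip paths: {paths}")
    # Trip path test: hold matrix AB, open its ladder, release relay 3 only.
    print("trip path test on AB-3 ->",
          sorted(deenergized_trip_paths({("A", P), ("B", P)}, held="AB", selected_relay=3)))
```

A coincidence in any one matrix drops all four of its relays and therefore opens all four trip paths, while the held-matrix test opens exactly one, which is why the trip path test can be run at power.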
7.2.1.1.7 Redundancy/Independence

The four channel independence begins at the output of the 4 ac UPS inverters, designated inverter 2A, 2B, 2C and 2D or the Maintenance Bypass Transformer 2A, 2B, 2C and 2D and their associated instrument Buses as shown on Figure 8.3-3. Independence of the four channels of RPS or ESFAS is maintained in accordance with Subsections 8.3.1.3, 8.3.1.4, and 7.3.1.1.1 h.

Redundant features of the Reactor Protective System include:

a) Four independent channels, from process sensor through and including channel trip relays

b) Six logic matrices which provide the trip logic. Dual power supplies are provided for the matrix relays

c) Four trip paths, including four control logic paths and four initiation relays

d) CEDM power from two power buses, including two full capacity motor-generator sets

e) Two sets of manual trip pushbuttons with either set being sufficient to initiate a reactor trip

f) AC power for the system from four separate Class 1E instrument power supply buses. DC power for trip circuit breaker control logic is provided from four separate dc buses powered from two separate battery trains.
The result of the redundant features is a system that meets the single failure criterion, can be tested during reactor operation, and maintains the requisite two-out-of-three logic. The benefit of a system that includes four independent and redundant channels is that the system can be operated, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet the single failure criterion. The system logic must be restored to at least a three operating channel condition prior to removing another channel for Maintenance.

7.2-8 Amendment No. 21 (11/12)

7.2.1.1.8 Diversity

The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that credible common failure modes do not exist. The design provides reasonable assurance that:

a) The monitored variables provide adequate information during the events listed in Subsections 7.2.2.1.1 and 7.2.2.1.2.

b) The equipment can perform as required.

c) The interactions of protective actions, control actions and the environmental changes that cause, or are caused by, the events listed in Subsection 7.2.2.1.1 and 7.2.2.1.2 do not prevent the mitigation of the consequences of the event.

d) The RPS cannot be made inoperable by the inadvertent actions of operating or maintenance personnel.

In addition, the design is not encumbered with additional components or channels without reasonable assurance that such additions are beneficial.
In accordance with 10 CFR 50.62, a high degree of diversity is required between the RPS and the Diverse Scram and Auxiliary Feedwater Actuation Systems (see further discussion in section 7.6.3.11). The bistable and matrix relay cards found in the AFAS cabinets have a high level of diversity with respect to the relays found in the RPS. In general the AFAS relays have different types of reed switch assemblies than the RPS relays. These relays are the only area of concern identified by the NRC relevant to the mitigation requirement of the ATWS Rule (10 CFR 50.62) and they maintain diversity between the RPS and AFAS. It has been concluded that the different relay cards are sufficient to show compliance with the NRC ATWS Rule on auxiliary feedwater initiation, 10 CFR Part 50.62.

7.2.1.1.9 Testing

Provisions are made to permit periodic testing of the RPS, with the reactor operating at power or when shut down. These tests cover the trip actions from sensor input through the logic and the trip switchgear. The system test does not interfere with the protective function of the system. The testing system meets the criteria of IEEE 338-1971, "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," and is consistent with the recommendations of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," February 1972 (RO).

RPS functions can be tested one channel at a time while the plant is operating by using the built in test circuits, with the following exceptions:

a) PORV Actuation - This logic circuit requires two out of four trip actuations and therefore can only be tested during plant shutdown when the PORV control circuit external of the RPS can be defeated. Testing the PORV will also initiate a reactor trip.

b) CEA Withdrawal Prohibit (CWP) - This logic circuit requires two out of four pre-trip actuations and should be tested only during plant shutdown.
c) Response Time Testing - This test requires two out of four actuations of the RPS and can only be performed during plant shutdown.

NI detectors and amplifiers where utilized are not capable of being tested during operation. Proper operation of these channels is verified by periodic channel comparisons.

7.2-9 Amendment No. 18 (01/08)

Process transmitters and sensors feeding the RPS not accessible during operation are also checked for proper operation by periodic channel comparisons.

The individual tests are described briefly below. Overlap between individual tests exists so that the entire RPS can be tested. Frequency of accomplishing these tests is listed in the Technical Specifications.

7.2.1.1.9.1 Sensor Check

During reactor operation, the measurement channels providing an input to the RPS are checked by comparing the outputs of similar channels and cross-checking with related measurements. These measurement channels are checked and calibrated in accordance with plant Technical Specifications.

7.2.1.1.9.2 Bistable Trip Unit Tests

Testing of the bistable trip units is accomplished by manually varying the input signal up to or down to the trip setpoint level on one bistable at a time and observing the trip action.

Varying the input signal is accomplished by means of a trip test circuit consisting of a digital voltmeter and a test circuit used to vary the magnitude of the signal supplied by the measurement channel to the trip input. The trip test circuit is interlocked electrically so that it can be used in only one channel at a time. A switch is provided to select the measurement channel, and a pushbutton is provided to apply the test signal. The digital voltmeter indicates the value of the test signal. Trip action (deenergizing) of each of the bistable trip relays is indicated by individual lights on the front of the cabinet, indicating that these relays operate as required for a bistable trip condition.

When one of the bistables of a protective channel is in the tripped condition, a channel trip exists and is annunciated on the RTGB. In this condition, a reactor trip would take place upon receipt of a trip signal in one of the other like trip channels. The trip channel under test is therefore bypassed for this test. Full protection is maintained.
7.2.1.1.9.3 Analog Core Protection Calculator Test

This test is accomplished by simulating selected calculator sensor input values and monitoring the corresponding output signals. The checking of the trip relays for the calculator generated trips is conducted as described in Subsection 7.2.1.1.9.2, for thermal margin/low pressure, or by initiating a calculator trip, for local power density, and observing the individual bistable relay trip lights.

7.2-10 Amendment No. 11, (5/97)
7.2.1.1.9.4 Logic Matrix Test

This test is carried out to verify proper operation of the six logic matrices, any of which can initiate a system trip for any possible coincidence of two trip conditions from the signal inputs from each measurement channel.

Only the matrix relays in one of the six logic matrix test modules can be held in the energized position during tests. If, for example, the AB logic matrix hold pushbutton is depressed, actuation of the other matrix hold pushbuttons can have no effect upon their respective logic matrices.

Actuation of the pushbutton applies a test voltage to the test system hold coils of the selected double coil matrix relays. This voltage provides the power necessary to hold the relays in their energized position when deactuation of the bistable trip relay contacts in the matrix ladder being tested causes deenergization of the primary matrix relay coils.

The logic matrix to be tested is selected using the system channel trip select switch. While holding the matrix hold pushbutton in its actuated position, rotation of the channel trip select switch releases only those bistable trip relays that have operating contacts in the logic matrix under test. The channel trip select switch applies a test voltage of opposite polarity to the bistable trip relay test coils, so that the magnetic flux generated by these coils opposes that of the primary coil of the relay. The resulting flux will be zero, and the relays are released.

A simplified diagram of this testing system is shown on Figure 7.2-9 using the AB matrix. Trip action can be observed by illumination of the trip relay indicators located on the front panel of the RPS cabinet and by loss of voltage to the four matrix relays, which is indicated by extinguishing indicator lights connected across each matrix relay coil. Test equipment may be used for monitoring if status lights are not available.
During this test, the matrix relay "hold" lights remain on, indicating that a test voltage has been applied to the holding coils of the matrix relays of the logic matrix module under test.

Each logic matrix tested consists of series/parallel contact arrangements of the trip unit bistable relays in two RPS bays. Each wire crossing a channel boundary is fused. A two-position fuse test switch is provided for each matrix. Operation of the matrix push button applies a test voltage to the holding coils of the matrix relays, while at the same time operation of the fuse test switch places alternate trip unit relays in the tripped condition. This in turn changes the series/parallel matrix to a series circuit. Fuse status is determined by observing the normal matrix lights and the bistable relay status lights.

The test is repeated for all six matrices. This test verifies that the bistable relay contacts operate correctly and that the logic matrix relays will deenergize if the matrix continuity is violated. The opening of the matrix relay contact is tested in the trip path tests (see Subsection 7.2.1.1.9.5).

7.2-11 Amendment No. 12 (12/98)
7.2.1.1.9.5 Trip Path/Circuit Breaker Tests

Each trip path is tested individually by depressing a matrix hold pushbutton (holding matrix relays), selecting any trip position on the channel trip select switch (opening the matrix), and selecting a matrix relay on the matrix relay trip select switch (deenergizing one of the matrix relays). This causes one, and only one, of the trip paths to deenergize, causing two trip circuit breakers to open. CEDMs remain energized via the other trip circuit breakers.

The dropout lamps shown on Figures 7.2-8 and 7.2-9 are used to provide additional verification that the matrix relay is deenergized (e.g., the AB-1 matrix relay contact energized the dropout lamp). Proper operation of the actual trip path matrix relay contacts is verified by the trip path lamp located on the trip status panel.

Proper operation of all trip circuit breakers is verified by lights on the RPS status panel; final proof of opening of the trip circuit breakers is the lack of indicated current through the trip breakers. Test equipment may be used for monitoring if status lights are not available.

The matrix relay trip select switch is turned to the next position, reenergizing the tested matrix relay and allowing the trip breakers to be manually reset.

This sequence is repeated for the other three trip paths from the selected matrix. Following this, the entire sequence is repeated for the remaining five matrices. Upon completion, all 24 matrix relay contacts and all four trip paths and breakers have been tested.
7.2.1.1.9.6 Manual Trip Test

The manual trip feature is tested by depressing one of the four manual trip pushbuttons, observing a trip of two of the trip breakers and resetting the breakers prior to depressing the next manual trip pushbutton.

7.2.1.1.9.7 Bypass Test

The system bypasses, as itemized in Table 7.2-2, are tested by appropriate test circuitry. Testing includes both initiation and removal features.

7.2.1.1.9.8 Response Time Test

Response time testing of the Reactor Protective System is required at refueling intervals per the Technical Specifications. Response time test requirements and acceptance criteria are discussed in Section 13.7.2.1. These tests are conducted on a system basis or an overlapping subsystem basis.

7.2.1.1.10 Class 1E Instrument Power Supply

The adequacy of a four (4) channel based ac UPS system deriving its stored energy power source from two divisions of dc power requires a brief review of the philosophy of ac UPS power for RPS and ESFAS power supply.

7.2-12 Amendment No. 18 (01/08)
The ac UPS power supply four channel concept is selected for plant availability and not plant safety as the loss of power to the RPS and ESFAS will result in channel trip. Furthermore, the number of channels, whether three or four, provides a design basis in excess of that required for safety by providing for spurious channel trips or testing during plant operation without plant trip for the specific purpose to enhance plant availability or provide testing during operation. In fact, the requirement for the ac UPS system is actually the ability to "ride-through" a momentary power loss without plant trip. Boiling Water Reactors (e.g., WPPSS No. 2) utilize non-Class 1E "ride-through flywheel motor-generator power systems" to power the reactor protection systems. 7.2-12a Amendment No. 20 (05/11)
Table 7.3-7, "Engineered Safety Features Actuation System Modes and Effects Analysis," clearly indicates that the loss of a battery will not preclude completion of safety function. Furthermore, the two redundant Class 1E divisions of onsite ac power, deriving their onsite power generation from Class 1E diesel-generators, form the basis for compliance with 10 CFR 50 Appendix A GDC 17. These two divisions provide the source of power to the ac UPS RPS & ESFAS power supplies through the dc power distribution system battery chargers in Light Water Reactors. Provision of four batteries for utility convenience or symmetry, each in support of a RPS and ESFAS channel, would typically only support RPS and ESFAS loads for the short time necessary to resequence the battery chargers on the Class 1E ac system subsequent to a Loss of Offsite Power.

A review of licensed nuclear plants demonstrates the acceptability of the two safety related battery design (References 1 & 2). On the basis of the referenced information, the St. Lucie Unit 2 design is considered acceptable.

The Class 1E instrument power supply requirements are discussed in Chapter 8.

7.2.1.2 Design Bases

The RPS is designed to assure that acceptable RCPB and fuel performance guidelines are not exceeded during Moderate Frequency Events and Infrequent Events. In addition, the system is designed to assist the ESF systems in limiting the consequences of Limiting Faults. To ensure that these objectives are achieved, the reactor must be maintained within the limiting conditions and the limiting safety system settings implemented consistent with the Technical Specifications.

The system is designed on the following bases to assure adequate performance of its protective function:

a) The system is designed in compliance with the applicable criteria of "General Design Criteria for Nuclear Power Plants," Appendix A of 10 CFR 50.
b) Instrumentation, function, and operation of the system conform to the requirements of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

c) System testing conforms to the requirements of IEEE 338-1971, "IEEE Trial-Use Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems."

d) The system design is consistent with the recommendations of Regulatory Guide 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," June 1973 (RO) and Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," February 1972 (RO).

e) The system is designed to determine the following conditions in order to provide adequate protection during Moderate Frequency Events and Infrequent Events.

1) Neutron flux power, thermal power
2) Reactor Coolant System pressure
3) Thermal margin in the limiting coolant channel in the core
4) Axial offset
5) Steam generator water level
6) Reactor Coolant System flow

7.2-13 Amendment No. 20 (05/11)
f) The system is designed to determine the following conditions in order to provide protective action assistance to the ESF during Limiting Faults:

1) Neutron flux power
2) Reactor Coolant System pressure
3) Steam generator pressure
4) Containment pressure
5) Reactor Coolant System flow
6) Steam generator water level

g) The system is designed to monitor variables that are needed to assure adequate determination of the conditions given in listings e) and f) above, over the entire range of normal operation and transient conditions. The full power nominal values and the maximum and minimum values that can be sensed for each monitored plant variable are given in Table 7.2-4. The type, number, and location of the sensors provided to monitor these variables are given in Table 7.2-3.

h) The system is designed to alert the operator when any monitored condition is approaching a condition that would initiate a protective action.

i) The system is designed so that a protective action is not initiated due to normal operation. Nominal full power values of monitored conditions and their corresponding nominal protective action (trip) setpoints are given in Table 7.2-1 and St. Lucie Unit 2 Technical Specifications respectively.

The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays and inaccuracies are taken into account. Response times and analysis setpoints used in the safety analyses are provided in Chapters 6 and 15.

The trip delay times and analysis setpoints provided in Chapter 15 are representative of the manner in which the RPS instrumentation operates. These quantities are used in the transient analysis shown in Chapters 6 and 15. Actual RPS uncertainties and delay times are obtained from calculations and tests performed on the RPS and associated instrumentation. The verified system uncertainties are factored into RPS settings and/or setpoints to assure that the system adequately performs its intended function when the errors and uncertainties combine in an adverse manner. The final equipment settings are then included in the Technical Specifications.

7.2-14 Amendment No. 12 (12/98)
j) System components are qualified for environmental and seismic conditions in accordance with IEEE 344, and IEEE 323 as defined in Section 3.10 and referenced in Section 3.11. Electrical transmitters are mounted on open instrument racks; insulated cabinets with heaters are not utilized.

7.2.1.3 System Drawings

The signal logics, block diagrams, and test circuit block diagrams are shown on Figures 7.2-1 through 7.2-21. Electrical wiring diagrams, block diagrams, logic diagrams and location layout drawings are listed and provided by reference in Section 1.7.

7.2.2 ANALYSIS

7.2.2.1 Introduction

The RPS is designed to provide the following protective functions:

a) Initiate automatic protective action to assure that acceptable RCPB and fuel performance guidelines are not exceeded during Moderate Frequency Events and Infrequent Events.

b) Initiate automatic protective action during Limiting Faults to aid the ESF systems in limiting the consequences of these events.
A description of the reactor trips provided in the RPS is given in Subsection 7.2.1.1.1. Subsection 7.2.2.2 provides the bases for all the RPS trips and the Technical Specifications provide nominal trip setpoints.

Most of the trips in the RPS are single parameter trips (i.e., a trip signal is generated by comparing a single measured variable with a fixed setpoint). The RPS calculated trips that do not fall into this category are as follows:

a) Low Steam Generator Level Trip. This trip is determined as a function of the lower of the measured steam generator water levels for the two steam generators.

b) Low Steam Generator Pressure Trip. This trip is determined as a function of the lower of the measured steam generator pressures for the two steam generators.

c) High Local Power Density Trip. This trip is calculated as a function of several measured variables.

d) Thermal Margin/Low Pressure Trip. This trip is calculated as a function of several measured variables.

e) High Power Level Trip. This trip is determined as a function of the higher of neutron flux power or thermal power. The trip employs a setpoint that can be manually increased to a fixed increment above the existing power level (higher of the two power levels). The setpoint tracks the power (remaining this fixed increment above it) when the power decreases.

7.2-15 Amendment No. 18 (01/08)

All RPS trips except turbine trip are provided with a pretrip alarm in addition to the trip alarm. Pretrip alarms are provided to alert the operator to an approach to a trip condition and play no part in the safety evaluation of the plant. The pretrip alarms associated with the high power level trip, thermal margin/low pressure trip, high local power density, and high rate-of-change of power initiate a control rod withdrawal prohibit (CWP) to the CEDMCS.

RPS setpoints are chosen in the following manner: nominal RPS trip setpoints are selected on the basis of past performance of similar plants. Considering expected uncertainties and delay times, an analysis setpoint is selected to verify the adequacy of the nominal setpoint for the conditions described in Subsections 7.2.2.1.1 and 7.2.2.1.2. The analysis setpoint along with actual instrument uncertainties provides the basis for the calculation of the final equipment setpoints to be reported in the Technical Specifications. These final equipment setpoints assure that a trip signal is generated at or before the analysis setpoint.

The manner by which these delay times and uncertainties are verified is discussed in Subsection 7.2.1.2.

7.2.2.1.1 Moderate Frequency Events and Infrequent Events

Moderate Frequency Events and Infrequent Events are those events that may occur one or more times during the life of the plant. In particular, the occurrences considered include single component failures or control system failures resulting in transients which may require protective action.

The RPS provides proper protective actions when required to assure that the fuel performance and RCPB guidelines are not exceeded for Moderate Frequency and Infrequent Events.
7.2.2.1.2 Limiting Faults

The Limiting Faults are those events that are not expected to occur during the life of the plant. The consequences of these Limiting Faults are limited by the actions of the Engineered safety features systems. The RPS provides actions when required to assist in limiting the consequences of the Limiting Faults to assure that the fuel performance and RCPB guidelines are not exceeded.

7.2.2.2 Trip Bases

The RPS consists of eleven trips in each channel that initiate the required automatic protective action utilizing a coincidence of two like trip signals.

7.2-16 Amendment No. 21 (11/12)
A brief description of the inputs and purpose of each trip is presented in Subsections 7.2.2.2.1 through 7.2.2.2.11. Due to the significance of the Loss of Component Cooling Water Trip and the Turbine Trip, an analysis of these trips has been included in Subsections 7.2.2.2.10 and 7.2.2.2.11, respectively.

7.2.2.2.1 High Power Level Trip

Inputs

a) Neutron flux power from the Excore Neutron Flux Monitoring System;

b) Thermal power derived from the hot and cold leg coolant temperature.

Purpose

Trip to assist the ESF systems in the event of an ejected CEA Limiting Fault.

7.2.2.2.2 High Rate-of-Change of Power Trip

Input

Neutron flux power from the Excore Neutron Flux Monitoring System.

Purpose

To provide equipment protection and to protect against an exceedingly high rate of change of power resulting from large reactivity insertions during periods of low power operation.

7.2.2.2.3 High Local Power Density Trip

Inputs

a) Neutron flux power and axial offset from the Excore Neutron Flux Monitoring System;

b) Thermal power derived from the hot and cold leg coolant temperature measurements.

Purpose

To prevent the linear heat rate (kW/ft) in the limiting fuel pin in the core from exceeding the fuel performance guidelines in the event of any Moderate Frequency Event or Infrequent Event.

7.2.2.2.4 Thermal Margin/Low Pressure Trip

Inputs

a) Neutron flux power and axial offset from the Excore Neutron Flux Monitoring System;

7.2-17 Amendment No. 14 (12/01)
b) RCS pressure from pressurizer pressure measurement; c) Thermal power derived from the hot and cold leg cooJ.ant temperature measurements, and d) Steam generator pressure from each steam generator Purpose To prevent the DNB ratio in the limiting coolant channel in the core from exceeding the fuel performance guidelines in the event of defined Moderate Frequency Events. In addition, this trip provides a low pressure reactor trip to assist the ESF systems in limiting the consequences of certain LOCA Limiting Faults. 7.2.2.2.5 High Pressurizer Pressure Trip Input Pressurizer pressure from narrow range pressurizer pressure measurement. Purpose To help assure the integrity of the RCS boundary for any defined Moderate Frequency Events or Infrequent Events that could lead to an overpressuri-za tion of the RCS, and to provide a reactor trip to assist the ESF systems in the event of a feedwater line break (FWLB) Limiting Fault. 7.2.2.2.6 Low Reactor Coolant Flow Trip Input Reactor coolant flow from summing the differential pressure across each steam generator. Purpose To provide a reactor trip to prevent the DNB ratio in the limiting coolant channel in the core from exceeding the fuel performance guidelines' in the event of a change of forced reactor coolant flow Infrequent Event or Moderate Frequency Events. In addition, this trip will assist the ESF systems in limiting the consequences of a RCP shaft seizure Limiting Fault, RCP sheared shaft Limiting Fault, and certain steam line break Limiting Faults. 7.2.2.2.7 Low Steam Generator Water Level Trip Input Level of water in each steam generator downcomer region from narrow range differential pressure measurements. 7.2-18 Amendment No. 11, (5/97)
Purpose

To provide protective action to assure that there is sufficient time for actuating the auxiliary feedwater pumps to remove decay heat from the reactor in the event of a reduction of steam generator water inventory. Should feedwater not be recoverable, the increased EPU core decay power and the associated decreased boil-off time impact the timing and equipment set required for successful implementation of once-through-cooling operation. A risk informed change to increase the steam generator narrow range low level reactor trip setpoint from 20.5 percent to 35 percent was implemented to address this potential loss of capability.

7.2-18a Amendment No. 21 (11/12)
7.2.2.2.8 Low Steam Generator Pressure Trip

Steam pressure in each steam generator.

Purpose

To assist the ESF systems in the event of a steam line break Limiting Fault.

7.2.2.2.9 High Containment Pressure Trip

Pressure inside containment.

Purpose

To assist the ESF systems in the event of certain LOCA or FWLB Limiting Faults.

7.2.2.2.10 Loss of Component Cooling Water Trip

A reactor trip following a loss of Component Cooling Water (CCW) to the reactor coolant pumps is provided as an equipment protective feature, but is not required for reactor protection. See Subsection 7.2.2.5.5. The return flow of CCW to the reactor coolant pumps is sensed at the discharge header. Four flow transmitters are located on the CCW common return header to monitor CCW flow from the RCPs. These four transmitters are powered from redundant Class 1E power supplies (MA, MB, MC, and MD) and are physically and electrically separated in accordance with Regulatory Guide 1.75 (R1).

Purpose

The trip setting corresponds to a reduction in flow to the four reactor coolant pumps. System evaluation is described in Subsection 9.2.2.

7.2.2.2.11 Loss of Load, Turbine Trip

A reactor trip initiation following a turbine trip is provided as an equipment protective feature, and is not required for reactor protection. See Subsection 7.2.2.5.4. Turbine trip is taken from four non-Class 1E hydraulic oil pressure switches associated with the Turbine Control System. A coincidence of low hydraulic oil on two of the pressure switches initiates the reactor trip signal. The signal is fed to the Reactor Protective System through an isolation device. The turbine trip circuit for the reactor trip up to the isolation device is classified as non-safety. Special cable routing provisions are provided. After the isolation device the circuit (including the isolation device) meets all IEEE 279-1971 requirements as described in Subsection 7.2.2.3.2. The circuit testing is in accordance with Subsection 7.2.1.1.9 and the plant technical specification.

7.2-19 Amendment No. 20 (05/11)

Purpose

To provide equipment protection rather than reactor protection. This trip is intended to precede a high pressurizer pressure trip, which is the safety related reactor protective trip, as a result of a turbine trip at power operation above the bypass setpoint shown in Table 7.2-2. The Turbine Control System is described in Subsection 7.7.1.1.10.

7.2-19a Amendment No. 20 (05/11)
7.2.2.3 Design

7.2.2.3.1 General Design Criteria

Conformance to Appendix A of 10 CFR 50, "General Design Criteria for Nuclear Power Plants," is given in Section 3.1.

7.2.2.3.2 Equipment Design Criteria

IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations", establishes minimum requirements for safety related functional performance and reliability of the Reactor Protective System. This section describes how the requirements as listed in Section 4 of IEEE 279-1971 are satisfied.

4.1, "General Functional Requirement"

The RPS is designed to assure that acceptable RCPB and fuel performance guidelines are not exceeded for Moderate Frequency Events and Infrequent Events. In addition, the RPS is designed to assist the ESF in limiting the consequences of Limiting Faults. Instrument performance characteristics, response time, and accuracy are selected for compatibility with and adequacy for the particular function. Trip setpoints are established by analyses of the system parameters. Factors such as instrument accuracies, trip times, CEA travel times, circuit breaker trip times, and pump starting times are considered in the design of the system.
4.2, "Single Failure Criterion"

The RPS is designed so that any single failure within the system does not prevent proper protective action at the system level. No single failure defeats more than one of the protective channels associated with any one trip function. The wiring in the system is grouped so that no single fault or failure, including either an open or shorted circuit, negates protective system operation. Signal conductors are protected and routed independently. Signal conductors and power leads coming into or going out of each cabinet are protected and routed separately for each channel of each system to minimize possible interaction. Single failures considered in the design of the RPS are described in the failure modes and effects analysis (FMEA) shown in Table 7.2-5.

4.3, "Quality Control of Components and Modules"

The quality assurance program complies with 10 CFR 50, Appendix B. This program includes appropriate requirements for design review, procurement, inspection and testing to ensure that the system components are of a quality consistent with minimum maintenance requirements and low failure rates.

7.2-20 Amendment No. 18 (01/08)
4.4, "Equipment Qualification"

The RPS meets the equipment qualification requirements described in Sections 3.10 and 3.11.

4.5, "Channel Integrity"

Type testing of components, separation of sensors and channels, and qualification of the cabling are utilized to ensure that the channels maintain their functional capability required under applicable extremes of environment, power supplied, malfunction and fault conditions. Loss of or damage to any one channel does not prevent the protective action of the RPS. Sensors are connected so that blockage or failure of any one connection does not prevent protective system action. The process transducers located in the containment are specified and rated for the intended service. Components which must operate during or after a Limiting Fault are qualified for the most limiting environment for the period of time for which they must maintain their functional capability. Results of type tests are used to verify this.

4.6, "Channel Independence"

Each channel is independent of its redundant channels. The sensors are separated, cabling is routed separately and, in cabinets, each redundant channel is located in a separate compartment which provides thermal and mechanical barriers. This minimizes the possibility of a single event causing more than one channel failure. The outputs from these redundant channels are isolated from each other so that a single failure does not cause impairment of the system function. Outputs from the RPS channels to non-Class 1E systems are isolated so that a failure in the non-Class 1E system does not cause loss of the safety system function. Conformance with the requirements of IEEE 384-1974, "IEEE Trial Use Standard Criteria for Separation of Class 1E Equipment and Circuits," and Regulatory Guide 1.75, "Physical Independence of Electric Systems," January, 1975 (R1) is discussed in Subsection 7.1.2.2.
4.7, "Control and Protection System Interaction"

a) 4.7.1 - Classification of Equipment

Equipment that is used for both protective and control functions is designed in accordance with IEEE 279-1971. The following is a list of such cases:

- The RPS thermal margin/low pressure, local power density, high power level, high rate-of-change of power and high pressurizer pressure bistable pre-trips are formed into logic which initiates a CEA withdrawal prohibit. This circuit is classified as non-Class 1E and its signal is isolated prior to being sent to the CEDMCS.
- The RPS high pressurizer pressure bistable trips are arranged into a logic to initiate opening of the pressurizer relief valves upon a coincidence of two channels. This circuit is classified as non-Class 1E and is isolated prior to leaving the RPS cabinet.
- Meter relays located within the steam generator level measuring loops are arranged such that a high level in the steam generator produces a feedwater regulating valve closure and high-high level trips the turbine and feedwater pumps. The circuits are classified as non-Class 1E and are isolated accordingly.

7.2-21 Amendment No. 21 (11/12)

b) 4.7.2 - Isolation Devices

Signals from the RPS are isolated such that a failure does not affect protective action of the RPS.

c) 4.7.3 - Single Random Failures

Provisions are included such that a single random failure does not cause a control action that results in a condition requiring a protective action, and does not concurrently prevent proper action of an RPS channel even when degraded by a second random failure. The control feature is manually bypassed when the associated protective channel is bypassed or removed from service.
d) 4.7.4 - Multiple Failures Resulting from a Credible Single Event

No credible single event results in multiple failures.

4.8, "Derivation of System Input"

Insofar as is practicable, system inputs are derived from signals that are direct measures of the desired variables. Variables that are measured directly include neutron flux, temperatures, and pressures. Level information is derived from appropriate differential pressure measurements. Flow information is derived from steam generator differential pressure.

4.9, "Capability for Sensor Checks"

RPS sensors are checked by cross-channel comparison. Each channel has a known relationship with the other channels of the same parameter.

4.10, "Capability for Test and Calibration"

The RPS design complies with IEEE 338-1971, "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," and Regulatory Guide 1.22 (RO), as discussed in Subsection 7.2.2.3.2.

4.11, "Channel Bypass or Removal From Operation"

Any one of the four protection channels can be tested, calibrated, or repaired without impairing the protective action capability of the RPS. Within any RPS channel, individual trip functions may be bypassed. The requisite two-out-of-three logic is unaffected.

7.2-22 Amendment No. 20 (05/11)

4.12, "Operating Bypasses"

Operating bypasses are provided as shown in Table 7.2-2. The operating bypasses are automatically removed when the conditions which permitted the bypass are no longer present.

4.13, "Indication of Bypasses"

RPS trip channel bypasses are not automatically annunciated on the control board but are indicated on the RPS which is in the control room in view of the operator. Indication of test or bypass conditions or removal of any channel from service is given by lights and annunciation. Bypasses that are automatically removed at specified setpoints are indicated when in the bypass condition. Bypassing for maintenance or testing is visually indicated on the front of the respective RPS cabinet. System level bypass indication (zero power mode bypass, SG pressure bypass) of the RPS is furnished on the reactor protection annunciators RTGB-204.

4.14, "Access to Means for Bypassing"

A key is required to bypass a protective system channel (refer to Figure 7.2-20). Only one key is available for bypassing the channels of a given parameter. Therefore, only one of the four channels of any one type trip may be bypassed at any one time. All bypasses are visually indicated. The CCW low flow to RCP trip may be manually bypassed via multiple keys to remove this trip when not required by Technical Specifications. By the use of administrative controls, only one key is available when the function is required to be operable by Technical Specifications.

4.15, "Multiple Setpoints"

Manual setpoint changes are not required during normal plant operation, except high power level. Manual incrementing of high power level setpoints is used for the controlled increasing of reactor power as discussed in Subsection 7.2.1.1.1.1. Incrementing of setpoints is initiated by a RTGB pushbutton, one for each channel.

This method of increasing setpoints provides a positive assurance that the setpoint is never increased above existing power by more than a predetermined margin. A variable setpoint is provided for Thermal Margin/Low Pressure (TM/LP) and Local Power Density (LPD) for the purposes defined in Subsections 7.2.1.1.1.4 and 7.2.1.1.1.3 respectively. The setpoints are continuously calculated with limits being applied to restrict the setpoints to a prescribed range.

4.16, "Completion of Protective Action Once It is Initiated"

The system is designed to ensure that protective action (reactor trip) goes to completion once initiated. Operator action is required to clear the trip and return to operation. Protective action is initiated when the reactor trip circuit breakers open. Protective action is completed when the CEAs arrive at their full-in position.

7.2-23 Amendment No. 13, (05/00)
4.17, "Manual Initiation"

A manual trip is effected by depressing either of two sets of trip push-buttons on the RTGB for the RPS or the pushbuttons on the RTSS. No single failure prevents a manual trip.

4.18, "Access to Setpoint Adjustments, Calibration and Test Points"

Setpoint or calibration adjustments are either internal to the protective system or under direct administrative control.

4.19, "Identification of Protective Action"

Indication lights are provided for all protective actions, including identification of channel trips. The breaker status and current indication are available to the operator.

4.20, "Information Readout"

Means are provided to allow the operator to monitor trip system inputs, outputs and calculations. The specific displays that are provided for continuous display are described in Section 7.5.

4.21, "System Repair"

Identification of a defective input channel is accomplished by observation of system status lights or by testing as described in Subsection 7.2.1.1.9. Replacement or repair of components is accomplished with the affected input channel bypassed. The affected trip function then operates in its requisite two-out-of-three trip logic.

4.22, "Identification"

Equipment, including panels, modules, and cables, associated with the trip system are marked in order to facilitate identification. A color coding scheme is used to identify the physically separated channel cabling from sensor to the RPS. The same color code is used for interbay or intercabinet identification. Cabling or wiring within a bay at the cabinet which is in the channel of its circuit classification is not color coded. The cabinet nameplates and cabling are color coded as follows:

Protective | Associated | Non-Class 1E |
---|---|---|
Channel MA: Red | Channel J (AMA): Red/White | All channels black |
Channel MB: Yellow | Channel K (AMB): Yellow/White | |
Channel MC: Green | Channel L (AMC): Green/White | |
Channel MD: Blue | Channel M (AMD): Blue/White | |

7.2-24
7.2.2.3.3 Testing Criteria

Conformance to IEEE 338-1971 and Regulatory Guide 1.22 (RO) is discussed in Subsection 7.1.2.2. Test intervals and their bases are included in the Technical Specifications. A complete channel can be tested without causing a reactor trip and without affecting system operability. Overlap in the RPS channel tests is provided to assure that the entire channel is functional. The testing scheme is discussed in detail in Subsection 7.2.1.1.9.

The RPS is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip, without violating the single failure criterion, and without inhibiting the operation of the system. The system can be checked from the sensor signal through the circuit breakers of the RTSS. The RPS logic can be tested during reactor operation. The sensors can be checked by comparison with similar channels or channels that involve related information. Minimum frequencies for checks, calibration, and testing of the RPS instrumentation are given in the Technical Specifications. Overlap in the checking and testing is provided to assure that the entire channel is functional. The use of individual trip and ground detection lights, in conjunction with those provided at the Class 1E instrument power supply bus, assures that all possible grounds are detected.

The periodic test of the RPS utilizes the built in test circuitry. No additional test equipment or fuse removal procedures are required. The installed test equipment contains its own power supply and checks the logic and trip relays, which conforms to Regulatory Guide 1.118 (RO) position C.13.

7.2.2.4 Failure Modes and Effects Analysis (FMEA)

A FMEA for the RPS is provided in Table 7.2-5. The FMEA is for protection systems' sensors, and coincidence and actuating logic. The logic interface for the protection systems is shown on Figure 7.2-21.
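The coincidence logic, the single-key bypass of 4.14 and the "Effect Upon RPS" entries of Table 7.2-5 can be checked mechanically. The following is an added example, not part of the FSAR: the class and function names are hypothetical, and each channel failure is reduced to one of two assumed end states (bistable left tripped, or bistable unable to trip).

```python
from enum import Enum
from itertools import product

CHANNELS = ("MA", "MB", "MC", "MD")  # the four protective channels named on the page
COINCIDENCE = 2                      # "a coincidence of two like trip signals"


class State(Enum):
    HEALTHY = "healthy"                    # bistable trips only on a real demand
    BYPASSED = "bypassed"                  # trip channel bypass: removed from the logic
    FAILED_TRIPPED = "failed_tripped"      # assumed end state: bistable stuck tripped
    FAILED_UNTRIPPED = "failed_untripped"  # assumed end state: bistable cannot trip


class TripFunction:
    """One trip parameter (for example TM/LP) across the four channels."""

    def __init__(self):
        self.state = {ch: State.HEALTHY for ch in CHANNELS}

    def bypass(self, channel):
        # Models the single captive key of 4.14: one bypass per trip type.
        others = (s for c, s in self.state.items() if c != channel)
        if any(s is State.BYPASSED for s in others):
            raise PermissionError("key in use: another channel is already bypassed")
        self.state[channel] = State.BYPASSED

    def restore(self, channel):
        self.state[channel] = State.HEALTHY

    def fail(self, channel, mode):
        if self.state[channel] is State.BYPASSED:
            raise ValueError("a bypassed channel has no vote to fail")
        self.state[channel] = mode

    def _count(self, wanted):
        return sum(1 for s in self.state.values() if s is wanted)

    def effective_logic(self):
        """(further trips needed, healthy channels left): the FMEA's 'n/m'."""
        needed = max(0, COINCIDENCE - self._count(State.FAILED_TRIPPED))
        return needed, self._count(State.HEALTHY)

    def reactor_trip(self, demand):
        """demand=True: the process variable really is past its setpoint."""
        votes = self._count(State.FAILED_TRIPPED)
        if demand:
            votes += self._count(State.HEALTHY)
        return votes >= COINCIDENCE


def single_failure_findings(bypassed=()):
    """Apply every single channel failure on top of the given bypasses and
    report any case that blocks a demanded trip or causes a spurious one."""
    findings = []
    modes = (State.FAILED_TRIPPED, State.FAILED_UNTRIPPED)
    for channel, mode in product(CHANNELS, modes):
        if channel in bypassed:
            continue
        tf = TripFunction()
        for b in bypassed:
            # Set directly so the what-if can go beyond the key interlock.
            tf.state[b] = State.BYPASSED
        tf.fail(channel, mode)
        if not tf.reactor_trip(demand=True):
            findings.append((channel, mode.value, "no trip on demand"))
        if tf.reactor_trip(demand=False):
            findings.append((channel, mode.value, "spurious trip"))
    return findings


if __name__ == "__main__":
    print("no bypass:", single_failure_findings())
    print("one bypass:", single_failure_findings(("MD",)))
    print("two bypasses (prevented by the key):", single_failure_findings(("MC", "MD")))
```

With zero or one channel bypassed no single failure produces a finding; with two channels bypassed, which the single key prevents, a channel that cannot trip leaves the function unable to reach coincidence.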
7.2.2.5 Effects of Other Associated Functions

7.2.2.5.1 Instrument Air

The loss of plant instrument air systems has no effect upon the safety channel sensors, Reactor Protective System or actuated devices.

7.2.2.5.2 Cooling Water

Loss of cooling water can in no way degrade the safety channel sensors, Reactor Protective System or actuated devices.

7.2.2.5.3 Plant Load Rejection

The original 45 percent steam bypass capability of the Steam Dump and Bypass System (Subsection 7.7.1.1.5) was restored as part of the Extended Power Uprate. A load rejection of greater magnitude is reflected into the Reactor Coolant System and, if severe enough, initiates a Reactor Protective System response by either a high pressurizer pressure trip (Subsection 7.2.1.1.1.5) or a low thermal margin trip (Subsection 7.2.1.1.1.4) to prevent the occurrence of an unacceptable approach to the DNB or RCPB limit.

7.2-25 Amendment No. 21 (11/12)

7.2.2.5.4 Turbine Trip

A reactor trip initiation following a turbine trip (Subsection 7.2.1.1.1.10) is provided as an equipment protective feature and is not required for reactor protection.

7.2.2.5.5 Loss-of-Component Cooling Water Trip

A reactor trip following a loss of component cooling water to the reactor coolant pumps is provided but is not required for reactor protection.

7.2.2.6 Protection System Setpoint Methodology and Determination of Surveillance Procedure Acceptance Criteria

The RPS low SG level trip setpoint was changed for the extended power uprate (EPU). In accordance with References 1 and 2, this section was added to document the methodology used to determine the trip setpoint, the as-found acceptance criteria band, and the as-left acceptance criteria.

A combination of three documents is used to initially establish, and subsequently maintain compliance with, each TS setpoint value. These three documents are the instrument channel uncertainty calculation, the safety analysis plant parameters document, and the instrument channel setpoint calculation.

An instrument uncertainty calculation exists for each safety system input parameter. These calculations determine the various elements of uncertainty applicable to each component within that instrument channel from the sensor/transmitter up to the protection system cabinet input. These loop uncertainty calculations have been prepared in accordance with FPL discipline standard IC-3.17, Instrument Setpoint Methodology. IC-3.17 is in turn based on ISA Standard 67.04, Setpoints for Nuclear Safety Related Instrumentation, and Regulatory Guide (RG) 1.105, Instrument Setpoints for Safety Related Systems.
Elements of uncertainty for individual components, such as setting tolerance, measuring & test equipment (M&TE) and drift are specifically based on associated surveillance procedure requirements and test frequencies. Environmental effects for both normal and harsh conditions are determined for each loop component as applicable.

The safety analysis plant parameters (SAPP) document serves as a bridge between the instrument channel setpoint calculations and the safety analysis. The bounding uncertainty allowance applicable to each protection system function is documented and managed in the SAPP. Where applicable, the SAPP includes individual bounding uncertainty allowances for both normal and harsh conditions. The rationale for managing the trip function uncertainty allowances in the SAPP is as follows:

- All inputs used for the safety analysis are managed in the SAPP. This organization facilitates the safety analysis work required for each reload.
- Including bounding trip function uncertainty allowances in one common document promotes consistent use of analytical limit values throughout the safety analysis which facilitates effective margin management.
- Including bounding trip function uncertainty allowances in the SAPP eliminates the need for documenting the analytical limits in the setpoint calculations. Therefore the purpose of the setpoint calculations is to verify that the trip function uncertainty allowances in the SAPP are bounding with respect to the calculated total channel uncertainty.

7.2-26 Amendment No. 21 (11/12)
A second calculation exists for each safety system input parameter. Each of these calculations combines the loop component uncertainties with the protection system cabinet uncertainties to determine an overall total loop uncertainty (TLU). These setpoint calculations also verify that the uncertainty allowances defined in the SAPP may be left anywhere within the as-left band. This allowed setting tolerance must be treated as a bias in the setpoint determination. RIS 2006-17 further stipulates that the surveillance procedures must ensure that the trip setpoint is restored to within the as-left band before the channel is returned to service. To address this NRC guidance, the setpoint calculations are structured to ensure that TLU plus setting tolerance (ST) is less than or equal to the SAPP allowance (TLU + ST ≤ SAPP uncertainty allowance). The ST is also included as a random independent term in the root-sum-square TLU calculation. Protection system surveillance procedures require that trip setpoints are restored to within the as-left band before the channel is returned to service.
NRC guidance provided in RIS 2006-17 stipulates use of an as-found acceptance criteria band centered about the nominal equipment setpoint as a measure of instrument channel operability. To address this NRC guidance, the setpoint calculations are structured to include determination of an operability limit (OL) band. The OL band is synonymous with the as-found acceptance criteria band. The OL band is based on 2 times the ST and is normally centered about the nominal equipment setting. For trip functions where the ST is non-symmetrical about the nominal trip setpoint, the OL band is structured to provide equal tolerance above and below the ST limits.
NRC guidance also required the addition of two notes to TS Table 4.3-1 pertaining to the monthly functional surveillance requirement for the Low Steam Generator Level function. For the Low SG Level function, note #8 of TS Table 4.3-1 requires that if the as-found setpoint is outside of the as-found tolerance band then the channel must be declared inoperable and must be evaluated under the corrective action program (CAP). The CAP evaluation must conclude that the channel is functioning as required before returning the channel to service. For the Low SG Level function, note #9 of TS Table 4.3-1 requires that this trip setpoint be reset to a value within the as-left band before the channel is returned to OPERABLE status. In addition, Note 9 required specificity of the Field Trip Setpoint along with the as-found acceptance criteria band and the as-left acceptance criteria. Those values are:

Field Trip Setpoint: 35.5% (-2.420 VDC)
Trip Setpoint As-Found Band: 35.0 to 36.0% (-2.400 to -2.440 VDC)
Trip Setpoint As-Left Band: 35.25 to 35.75% (-2.410 to -2.430 VDC)

7.2-26a Amendment No. 21 (11/12)
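The band construction and the note 8 / note 9 dispositions above can be expressed as a surveillance check. This is an added example, not FPL's procedure or calculation: the function names are hypothetical, the volts-to-percent conversion is a straight line assumed from the value pairs listed above, and the uncertainty terms passed to `margin_check` are constructed figures.

```python
from dataclasses import dataclass
from decimal import Decimal as D
from math import sqrt


@dataclass(frozen=True)
class Bands:
    nominal: D  # field trip setpoint, % narrow-range level
    st: D       # setting tolerance (ST): half-width of the as-left band

    def as_left(self):
        return self.nominal - self.st, self.nominal + self.st

    def as_found(self):
        # Operability limit (OL) band: 2 x ST, centred on the nominal setting.
        ol = 2 * self.st
        return self.nominal - ol, self.nominal + ol


# From the page: field trip setpoint 35.5 %, as-left band 35.25 to 35.75 %.
LOW_SG_LEVEL = Bands(nominal=D("35.5"), st=D("0.25"))


def pct_from_vdc(vdc):
    """Bistable voltage to % level. Assumed linear, fitted to the page's
    pairs (-2.400 VDC = 35.0 %, -2.440 VDC = 36.0 %)."""
    return D("35.0") + (D("-2.400") - D(str(vdc))) / D("0.040")


def within(value, band):
    low, high = band
    return low <= value <= high


def disposition(as_found_vdc, as_left_vdc, cap_evaluation_ok=False,
                bands=LOW_SG_LEVEL):
    """Classify one monthly functional test of the Low SG Level setpoint."""
    found = pct_from_vdc(as_found_vdc)
    left = pct_from_vdc(as_left_vdc)
    actions = []
    operable_as_found = within(found, bands.as_found())
    if not operable_as_found:
        # Note 8: outside the as-found band.
        actions.append("declare channel inoperable; evaluate under CAP")
    if not within(found, bands.as_left()):
        # Note 9: setpoint must be reset before return to OPERABLE status.
        actions.append("reset setpoint to within as-left band")
    return {
        "as_found_pct": found,
        "as_left_pct": left,
        "operable_as_found": operable_as_found,
        "actions": actions,
        "return_to_service": within(left, bands.as_left())
        and (operable_as_found or cap_evaluation_ok),
    }


def margin_check(random_terms, st, sapp_allowance, biases=()):
    """TLU by root-sum-square with ST as one random term, then ST added
    again as a bias: TLU + ST <= SAPP uncertainty allowance."""
    tlu = sqrt(sum(t * t for t in random_terms) + st * st) + sum(biases)
    return tlu, tlu + st <= sapp_allowance


if __name__ == "__main__":
    print(LOW_SG_LEVEL.as_found(), LOW_SG_LEVEL.as_left())
    print(disposition("-2.436", "-2.421"))
    # Constructed uncertainty terms in % span, for illustration only.
    print(margin_check([1.0, 0.5, 0.5], st=0.25, sapp_allowance=1.5))
```

Deriving the as-found band as 2 x ST about 35.5% reproduces the 35.0 to 36.0% band quoted above, which is a quick consistency check on the listed values.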
REFERENCES: SECTION 7.2

1) NRC Regulatory Issue Summary (RIS) 2006-17, NRC Staff Position on the Requirements of 10 CFR 50.36, "Technical Specifications," Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels
2) TSTF-493, Clarify Application of Setpoint Methodology for LSSS Functions
3) FPL Letter L-2011-346, Response to NRC Instrumentation & Controls Branch Request for Additional Information Regarding Extended Power Uprate License Amendment Request,

7.2-26b Amendment No. 21 (11/12)
TABLE 7.2-1 REACTOR PROTECTIVE SYSTEM DESIGN INPUTS

Parameter | Nominal Value (Full Power) | Nominal Trip Setpoint |
---|---|---|
High Rate-of-Change of Power, dpm | 0 | c |
High Power Level, % Full Power (a) | 100 | c |
Thermal Margin, psia | Variable | c |
Low Pressure, psia | 2250 | c |
High Local Power Density, kW/ft | Variable | c |
High Pressurizer Pressure, psia | 2250 | c |
Low Steam Generator Water Level, % (b) | 65 | c |
Low Steam Generator Pressure, psia | 888 | c |
High Containment Pressure, psig | 0 | c |
Low Reactor Coolant Flow, % | 100 | c |
Loss of CCW to RCPs, gpm | 1368 | c |
Steam Generator Pressure Difference, psid | 0 | c |
Turbine Trip | Not-Tripped | c |

a. Setpoint can be manually increased to a fixed increment above existing power level as power is increased and is automatically decreased as power is decreased maintaining a fixed increment. This fixed increment is 10 percent power.
b. Percent of the distance between the instrument nozzles above the lower nozzle.
c. Refer to the St. Lucie Unit 2 Technical Specifications for setpoint values.

7.2-27 Amendment No. 21 (11/12)
TABLE 7.2-2 REACTOR PROTECTIVE SYSTEM BYPASSES

Title | Function | Initiated by | Removed by | Notes |
---|---|---|---|---|
Zero Power Mode bypass | Disables TM/LP Trip; Disables TM/LP CWP; Disables Low Reactor Coolant Flow Trip; Disables ΔT Power input to High Power Level Trip | Manually | Automatically above .5% power* | Allows system tests and low temperature, and low power heatup and cooldown with shutdown CEAs withdrawn. |
Low Steam Generator (SG) Pressure trip bypass | Disables Low SG Pressure trip | Manually | Automatically if SG pressure is above 705 psig* | Allows system tests at low power and low temperature and heatup and cooldown with shutdown CEAs withdrawn. |
High Local Power Density (LPD) trip bypass | Disables High LPD trip | Automatically below 15% power* | Automatically above 15% power* | Protection from this trip is not required in this power range. |
High Rate-of-Change of Power trip bypass | Disables High Rate-of-Change of Power trip | Automatically above 15% power and below 10^-4 % power* | Automatically below 15% power and above 10^-4 % power* | This equipment protective trip is not required in this power range. |
Turbine trip bypass | Disables reactor trip on turbine trip | Automatically below 15% power* | Automatically above 15% power* | Allows reactor start-up with the turbine tripped. Trip is equipment protective only. |
Trip Channel bypass | Disables any given trip channel | Manually by controlled access switch | Same switch | Captive key allows only one channel for any one type trip to be bypassed at one time. |

* - Nominal values
TABLE 7.2-3 REACTOR PROTECTIVE SYSTEM SENSORS

Monitored Variable | Type | Number of Sensors | Location |
---|---|---|---|
Neutron flux power | Fission chambers | 4 | Biological shield |
| Ion chambers | 4 | |
Cold leg temperature | Precision RTD | 8 | Cold leg piping |
Hot leg temperature | Precision RTD | 8 | Hot leg piping |
Pressurizer pressure | Pressure Transducers | 4 (a) | Pressurizer |
Steam generator ΔP | Differential pressure transducers | 4 per steam generator | Between hot leg and steam generator output plenum |
Steam generator level | Differential pressure transducers | 4 per steam generator | Steam generators |
Steam generator pressure | Pressure Transducers | 4 per steam generator | Steam generators |
Containment pressure | Pressure Transducers | 4 (a) | Reactor Auxiliary Building |
Turbine trip sensors | Pressure Switches | 4 | Turbine Building |
Component Cooling Water Flow from RCPs | Flow Transducers | 4 | Reactor Auxiliary Building |

(a) Common with Engineered Safety Feature Actuation System.
TABLE 7.2-4 REACTOR PROTECTIVE SYSTEM MONITORED INSTRUMENT RANGES

Monitored Variable | Minimum | Cycle 1 Nominal (Full Power) | Maximum |
---|---|---|---|
Neutron flux power, % full power | 2 x 10^-8 | 100 | 200 |
Cold leg temperature, F | 465 | 548 | 615 |
Hot leg temperature, F | 515 | 596 | 665 |
Pressurizer pressure, psia | 1,500 | 2,250 | 2,500 |
Steam generator primary ΔP, psid | 0 | 45 | 50 |
Steam generator water level (a), % | 0 | 70 | 100 |
Steam generator pressure, psia | 0 | 815 | 1,200 |
Containment pressure, psia | 0 | 0 | 15 |
Component cooling water flow from RCPs, gpm | | 1,368 | |

(a) Percent of the distance between the level instrument nozzles (above the lower nozzle)

7.2-30 Amendment No. 1, (4/86)
TABLE 7.2-5 REACTOR PROTECTIVE SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|---|
| 1 | Local Power Density | Axial offset index for one of the 4 power range safety channels fails low | The ionization chamber detector failure. | The axial offset index for the affected safety channel will be negative. This can lead to exceeding a power-dependent limit, resulting in a trip of the auxiliary trip unit, and thus a channel trip. | Pre-trip alarm; Periodic test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 1/2 coincidence | a) Failure of this measurement channel could also affect the TM/LP and the High Power bistables. b) The operator can restore the Reactor Trip Logic to 2/3 coincidence by restoring the bypassed 4th channel operability and then bypassing the failed channel. |
| | | Axial offset index for one of the 4 power range safety channels fails high | The ionization chamber detector failure | The axial offset index for the affected measurement will exceed a calculated power dependent limit, resulting in a trip of the associated auxiliary trip unit, and thus the affected trip channel trips. | Pre-trip alarm; Periodic test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 1/2 coincidence | |
| 2 | High Power Level | Fails low | Maximum select circuit in ΔT power calculation network failure in low output. | Calculated reactor power, Q, will be too low. Affected trip channel will not trip even when bonafide high power level condition exists. | Periodic test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 2/2 coincidence | a) Failure of this measurement channel could also affect the TM/LP and the Local Power Density Bistables. b) See Item 1, Remark b. |
| | | Fails high | Maximum select circuit in ΔT power calculation network fails in high output voltage. | Calculated reactor power, Q, will be too high. Affected trip channel trips. | Pre-trip alarm; Periodic test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 1/2 coincidence | |
| 3 | Loop 2A core outlet temperature (T hot) (Typical for Loop 2B) | Channel A fails low (Typical for channels B, C, and D) | Power supply failure. RTD shorted. | The averaged T hot decreases. ΔT power decreases in TM/LPT calculation for channel A. | Periodic test; Sensor test | 3 channel redundancy (4th channel in Bypass) | Makes reactor trip logic for TM/LPT 2-out-of-2 coincidence. | a) Failure of this measurement channel could also affect the Local Power Density and the High Power Bistables. b) See Item 1, Remark b. |
| | | Channel A fails high (Typical for channels B, C, and D) | RTD open | The averaged T hot increases. ΔT power increases in TM/LPT calculation for channel A. Channel A will trip on TM/LPT. | Periodic test; Sensor test; Pre-trip alarm | 3 channel redundancy (4th channel in Bypass) | Makes reactor trip logic for TM/LPT 1-out-of-2 coincidence. | |
| 4 | Core inlet temperature Loop 2A (Typical for Loop 2B) (T cold) | Channel A fails low (Typical for channel B, C, and D) | Power supply failure; RTD network failure | Low value for T cold input to TM/LP calculation for Ch. A. | Periodic test; Sensor test | The maximum T cold among the 2 loops is chosen. So one loop temperature failing low does not affect the TM/LPT | Changes Setpoints | a) Failure of this measurement channel could affect the TM/LP, Local Power Density and High Power Bistables. b) See Item 1, Remark b. |
| | | Channel A fails high (Typical for channels B, C, and D) | RTD open | Loop 2A T cold is used in ΔT power calculation for channel A. So ΔT power decreases for channel A. Whether channel A will trip or not will depend upon sensitivity of pressure setpoint as a function of T cold. | Periodic test; Sensor test | 3 channel redundancy (4th channel in bypass) | Reactor trip logic for TM/LPT becomes 2/2 coincidence. | |
TABLE 7.2-5 (Cont'd)

| No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|---|
| 5 | Pressurizer Pressure | One measurement channel fails low | Pressure transmitter failure; dc power supply failure | Low pressurizer pressure signal to the high pressurizer pressure Bistable trip unit (BTU) will not trip even when bonafide high pressurizer pressure exists. Thermal margin/low pressure trip function (TM/LPT) will trip the affected channel. | Periodic testing; Sensor check; Pre-trip alarm | 3 channel redundancy (4th channel in Bypass) | Trip logic becomes 2-out-of-2 coincidence. TM/LPT logic becomes 1/2 coincidence. | a) See Item 1, Remark b. |
| | | One measurement channel fails high | Pressure transmitter failure, component failure | High pressurizer pressure signal to the high pressurizer pressure BTU and the thermal margin BTU. Affected channel trips. | Pre-trip alarm; Periodic testing | 3 channel redundancy (4th channel in Bypass) | Trip logic becomes 1-out-of-2 for TM/LP and Hi Pressurizer Pressure Trips | |
| 6 | Core Flow Summer | Fails low | Power supply failure; grounded output. | Flow bistable trip unit will trip the affected channel. | Flow bistable trip unit trip alarm & pre-trip alarm; Periodic test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 1/2 coincidence | a) See Item 1, Remark b. |
| | | Fails high | Sensor failure; component saturated output | Flow bistable trip unit will not trip for bonafide low flow condition. | Periodic test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 2/2 coincidence | |
| 7 | Loss of Load Trip | Fails off | Failure of auxiliary trip unit. Input Turbine auto-stop oil pressure switch fails closed. | Affected channel will not trip even if bonafide loss of load condition exists. | Periodic test | 3 redundant channels (4th channel in Bypass) | Logic becomes 2/2 coincident | a) See Item 1, Remark b. |
| | | Fails on | Pressure switch fails open | Auxiliary trip unit trips | Pre-trip alarm | 3 redundant channels (4th in Bypass) | Logic becomes 1/2 coincident | |
| 8 | Steam Generator Level No. 1 (Typical for No. 2) | Fails low, Channel A (Typical for Channels B, C, & D) | Transmitter failure; DC power supply failure. | Channel A trips on low S.G. level | Pre-trip alarm | 3 channel redundancy (4th channel in Bypass) | Logic becomes 1/2 coincidence | a) See Item 1, Remark b. |
| | | Fails high, channel A | Transmitter failure, component failure | The lower of the 2 S.G. levels is chosen for each channel. If the failure affects the S.G. with the lower level, the channel will not trip. | Periodic test | 3 channel redundancy (4th channel in Bypass). | Logic becomes 2/2 coincidence | |
| 9 | Steam generator pressure (SG 1) (Channel A Typical) | a) Channel fails low | Transmitter failure, DC power supply failure or high line resistance | A low pressure signal from SG 1 is input to the steam generator low pressure trip bistable and the asymmetric steam generator trip portion of the TM/LP calculator. If pressure signal is low enough, one SG low pressure bistable will trip. TM/LP calculator might sense an SG 1 Pres. < SG 2 Pres. condition and initiate one bistable trip on an asymmetric steam generator transient condition. | Pre-trip alarm on either "Low SG Pressure" or "Asymmetric Steam Generator Transient". Periodic testing otherwise. | 3 channel redundancy (4th channel Bypass) | Logic becomes 1-out-of-2 coincident for "Low Steam Generator Pressure" and/or "Asymmetric Generator Pres. Trip" | See Item 1, Remark b |
| | | b) Channel fails high | Transmitter failure, component failure | A high pressure signal from SG 1 is input to the steam generator low trip bistable and the asymmetric steam generator trip portion of the TM/LP calculator. For the low steam generator trip, the lower of the two steam generator pressures is chosen. If the failure affects the steam generator with the lower pressure, the channel will not respond properly. The TM/LP calculator will sense SG 2 Press. < SG 1 Press. and trip one bistable on an asymmetric steam generator transient condition. | Annunciating if TM/LP calculator initiates a channel trip, otherwise periodic testing | 3 channel redundancy (4th channel in Bypass) | SG low pressure logic is 2-out-of-2 for transients affecting SG 1 and 2-out-of-three for transient affecting SG 2. Asymmetric steam generator pressure trip logic becomes 1-out-of-2. | |
| | | c) Signal fails as is or at a point trip setting. | Sensor malfunction, transmitter malfunction. | Pressure changes in SG 1 will not be input to the RPS. For transients affecting SG 1, the low pressure trip bistable and the TM/LP "Asymmetric Steam Generator Pressure" bistable will not trip. For transients involving SG 2, both bistables will respond properly. For transients involving both steam generators, the "Low Steam Generator Pressure" bistable will trip properly and the "Asymmetric Steam Generator Pressure" bistable will trip spuriously on SG 2 Press. < SG 1 Press. | Periodic test. Also detectable due to a spurious "Asymmetric Steam Generator Press." Trip on a Transient affecting both steam generators | 3 channel redundancy (4th channel in Bypass) | Low steam generator pressure and asymmetric steam generator pressure trip logics become 2-out-of-2 for transients affecting SG 1. | |
| 10 | Steam generator pressure (SG2), (Channel A Typical) | This item is equivalent to line item 9 a), b), c) for steam generator 2 instead of steam generator 1. | | | | | | |
TABLE 7.2-5 (Cont'd)

| No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|---|
| 11 | Containment Pressure | Fails high | Transmitter failure, component failure | Affected channel will not respond to bonafide high containment pressure condition | Periodic test; Sensor test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 2/2 coincidence | a) See Item 1, Remark b. b) Transmitter is reverse acting |
| | | Fails low | Transmitter failure | Affected channel trips | Pre-trip alarm | 3 channel redundancy (4th channel in Bypass) | Logic becomes 1/2 coincidence | |
| 12 | CCW Flow to RCP signal | Fails high | Transmitter failure | Affected channel will not respond to a decrease in CCW flow to RCPs | Periodic test | 3 channel redundancy (4th channel in Bypass) | Logic becomes 2/2 coincidence | a) See Item 1, Remark b |
| | | Fails low | Transmitter failure, sensor failure, power supply failure | Spurious indication of low CCW flow to RCPs | Annunciating | 3 channel redundancy (4th channel in Bypass) | Logic becomes 1/2 coincidence | |
| 13 | Log Flux Monitor | One channel output fails high | Transmitter failure, noise | The high signal level will cause one High Rate-of-Change of Power Bistable to trip | Annunciating | 3 channel redundancy (4th channel in Bypass) | Trip logic for High Rate-of-Change of Power becomes 1/2 coincidence | See Item 1, Remark b |
| | | One channel output fails low | Transmitter failure, DC power supply fault | The High Rate-of-Change of Power Bistable associated with the failed measurement channel will not trip on an actual high rate of change of power | Periodic testing | 3 channel redundancy (4th channel in Bypass) | Trip logic for High Rate-of-Change of Power becomes 2/2 coincidence | |
| | | One channel output fails open | Open circuit | The affected High Rate-of-Change of Power bistable will trip | Annunciating | 3 channel redundancy (4th channel in Bypass) | Trip logic for High Rate of Change of Power becomes 1/2 coincidence | |
| 14 | Linear Flux Monitor | One channel output fails high | Transmitter failure, electronic noise | High flux input to Core Protection Calculator (CPC). This will cause one Local Power Density Bistable and possibly one High Power Bistable to trip. TM/LP calculation will also be affected. | Annunciating | 3 channel redundancy (4th channel in Bypass) | RPS trip logic for Local Power Density and High Power becomes 1/2 coincidence | a) See Item 1, Remark b |
| | | One channel output fails low | Transmitter fault, D.C. power supply fault | Linear flux input to one CPC will be low, the associated Local Power Density Bistable will not trip on a high flux condition. The TM/LP and High Power Bistables will also be affected. | Periodic test | 3 channel redundancy (4th channel in Bypass) | RPS Trip Logic for Local Power Density becomes 2/2 coincidence | |
| | | Loss of output from one channel | Open circuit | Flux input to CPC lost, Local Density Bistable will trip. High Power and TM/LP Bistables also affected. | Annunciating | 3 channel redundancy (4th channel bypass) | RPS trip logic for large power density becomes 1/2 coincidence | |
TABLE 7.2-5 (Cont'd)

| No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|---|
| 15 | High rate of change of Power Bistable Trip Unit (Channel A Typical) | Output fails low | Open circuit, component failure | Bistable Trip Unit relays are deenergized. Contacts in the "A" leg of the logic matrices AB, AC, and AD open. The AB, AC and AD logic matrices are in the half trip state. | Pre-trip alarms | 3 channel redundancy (4th channel in Bypass) | RPS Trip Logic for high rate of change of power becomes 1/2 coincidence | See Item 1, Remark b. |
| | | Output fails high | Short circuit, setpoint comparator failure, component failure | Bistable Trip unit relays will not be deenergized when a valid high rate of change of power condition occurs | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for high rate of change of power becomes 2/2 | |
| 16 | Local power density bistable trip unit (Channel A Typical) | Output fails low | Power supply failure, open circuit, component failure | Bistable trip unit relays will be deenergized and their contacts in the trip logic matrices will open. Trip logic matrices AB, AC, and AD will be in a half-trip state. | Annunciating | 3 channel redundancy (4th channel in Bypass) | Trip logic for high local power density becomes 1/2 coincidence. Trip logic for other parameters unaffected. | See Item 1, Remark b |
| | | Output fails high | Short circuit, component failure | Bistable trip unit relays will not be deenergized on a valid high local power density | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for high local power density becomes 2/2 coincidence. Trip logic for other parameters unaffected. | |
| 17 | High Power bistable trip unit (Channel A Typical) | Output low | Open circuit, power supply failure, component failure | Bistable trip unit relays are deenergized and their contacts in the trip logic matrices AB, AC, and AD are in half-trip state | Annunciating | 3 channel redundancy (4th channel in Bypass) | Trip logic for High Power becomes 1/2 coincidence. Other parameters unaffected | See Item 1, Remark b |
| | | Output high | Short circuit, variable setpoint comparator failure. | Bistable trip unit relays will not deenergize for a valid overpower condition | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for High Power becomes 2/2 coincidence. Other parameters unaffected | |
| 18 | Thermal Margin/Low Pressure Bistable Trip unit (Channel A Typical) | a) Output fails low | Open circuit, power supply failure, component failure | Bistable trip unit relays will be deenergized, and their contacts in the trip logic matrices will open. Trip logic matrices AB, AC, and AD will be in the half-trip state. | Annunciating | 3 channel redundancy (4th channel in Bypass) | Trip logic for thermal margin/low pressure and asymmetric steam generator pressure will become 1/2 coincidence. Other parameters unaffected. | See Item 1, Remark b. |
| | | b) Output fails high | Short circuit, setpoint comparator failure | Bistable trip unit relays will not deenergize for a valid TM/LP condition | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for thermal margin low pressure and asymmetric steam generator pressure will become 2/2 coincidence. Other parameters unaffected. | |
TABLE 7.2-5 (Cont'd)

| No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|---|
| 19 | Pressurizer bistable trip unit (Channel A Typical) | Output fails low | Open circuit, power supply failure, component failure | See Item 17 | See Item 17 | See Item 17 | Trip logic for high pressurizer pressure becomes 1/2 coincidence. Other parameters unaffected. | See Item 1, Remark b. |
| | | Output fails high | Short circuit, setpoint comparator failure | Bistable trip unit relays will not deenergize on a valid high pressurizer pressure condition | Periodic test | 3 channel redundancy (4th channel bypass) | Trip logic for high pressurizer 2/2 coincidence. Other parameters are unaffected. | |
| 20 | Low reactor coolant flow bistable trip unit (Channel A Typical) | Output fails low | Open circuit, power supply failure, component failure | See Item 17 | See Item 17 | See Item 17 | Trip logic for low reactor coolant flow becomes 1/2 coincidence. Other parameters are unaffected. | See Item 1, Remark b. |
| | | Output fails high | Short circuit, setpoint comparator failure | Bistable trip unit will not deenergize for a valid low reactor coolant flow condition | Periodic test | 3 channel redundancy (4th channel in bypass) | Trip logic for low reactor coolant flow becomes 2/2 coincidence. Other parameters are unaffected. | |
| 21 | Loss of load Bistable trip unit (Channel A Typical) | Output fails low | Open circuit, power supply failure, component failure | Same as Item 17 | Same as Item 17 | Same as Item 17 | Trip logic for loss of load becomes 1/2 coincidence. Other parameters are unaffected. | See Item 1, Remark b |
| | | Output fails high | Short circuit | Bistable trip unit relays will not deenergize on a valid loss of load | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for loss of load becomes 2/2 coincidence. Other trip parameters are unaffected. | |
| 22 | Low steam generator water level Bistable trip unit (Channel A Typical) | Output fails low | Open circuit, power supply failure | Same as Item 17 | Same as Item 17 | Same as Item 17 | Trip logic for low steam generator level becomes 1/2 coincidence. Other parameters are unaffected. | See Item 1, Remark b. |
| | | Output fails high | Short circuit, setpoint comparator failure | Bistable trip unit relays will not deenergize on a valid low steam generator level | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for steam generator level becomes 2/2 coincidence. Other parameters are unaffected. | |
| 23 | Low steam generator steam pressure bistable trip unit (Channel A Typical) | Output fails low | Open circuit, power supply failure, component failure | Same as Item 17 | Same as Item 17 | Same as Item 17 | Trip logic for low steam generator steam pressure becomes 1/2 coincidence. Other parameters are unaffected. | See Item 1, Remark b. |
| | | Output fails high | Short circuit, setpoint comparator failure | Bistable trip unit relays will not deenergize on a valid low steam generator pressure condition | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for low steam generator steam pressure becomes 2/2 coincidence. Other parameters are unaffected. | |
| 24 | High containment pressure bistable trip unit (Channel A Typical) | Output fails low | Open circuit, component failure, power supply failure | Same as 17 | Same as 17 | Same as 17 | Trip logic for high containment pressure becomes 1/2 coincidence. Other parameters are unaffected. | See Item 1, Remark b. |
| | | Output fails high | Short circuit, setpoint comparator failure | Bistable trip relays will not deenergize for a valid high containment pressure condition | Periodic test | 3 channel redundancy (4th channel in Bypass) | Trip logic for high containment pressure becomes 2/2 coincidence. Other parameters unaffected. | |
| 25 | Loss of RCP CCW flow Bistable trip unit (Channel A Typical) | Output fails low | Open circuit, power supply failure, component failure | Same as 17 | Same as 17 | Same as 17 | Trip logic for loss of RCP CCW flow becomes 1/2 coincidence. Other parameters unaffected. | See Item 1, Remark b. |
| | | Output fails high | Short circuit | Bistable trip unit relays will not deenergize on loss of CCW flow to the RCPs | Periodic test | 3 channel redundancy | Trip logic for loss of RCP CCW flow becomes 2/2 coincidence. Other parameters are unaffected. | |
| 26 | Loss of RCP CCW flow trip timer (Channel A Typical) | Output fails low | Open circuit, power supply failure, component failure | Equivalent to 17 | Equivalent to 17 | Equivalent to 17 | Same as 24 | |
| | | Output fails high | Short circuit, component failure | Same as 24 | Same as 24 | Same as 24 | Same as 24 | |
| | | Time delay changes | Component degradation | When loss of RCP CCW flow bistable trips, contacts in the logic matrices will open either earlier or later than the contacts for the other two channels (dependent on which direction time delay changes) | Periodic test | 3 channel redundancy (4th channel in Bypass) | No impact on trip logic | |
TABLE 7.2-5 (Cont'd)

| No. | Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|---|
| 27 | Logic Matrix (AB Typical) (See Figure 7.2-7) | Fails OFF | Concurrent opening of 2 parallel paths | Reactor Trip | Annunciating | N/A | Reactor Trip | There is no single component failure within the logic matrix that can cause this failure. |
| | | Fails ON | Failure of 1 of 2 parallel paths to open on signal: contact short, short circuit | The logic matrix will not deenergize the logic matrix relays and hence not trip the reactor on a coincidence of trip signals in the A and B channels for a given trip parameter | Periodic | There are five other logic matrices which can initiate a reactor trip on a coincidence of 2 trip signals for a given trip parameter (i.e., AC, BC, BD, CD, AD) | The Reactor Trip Logic becomes 2-out-of-4 selective, with the AB combination not effective for a given parameter. | |
| 28 | Logic Matrix Relay AB1 (Typical of 24) (See Figure 7.2-7) | Fails energized | Short to power, contact weld | When the AB logic matrix deenergizes, the AB contact in Trip Path 1 will not open. | Periodic test | The contacts for the other 3 AB logic matrix relays in the other three Trip Paths will open and trip the reactor. In addition, Trip Path 1 can be deenergized by the No. 1 logic matrix relay from any one of the other 5 logic matrices. | No significant effect | |
| | | Fails deenergized | Open circuit, power supply failure | The AB contact in Trip Path 1 will open, the Trip Path will deenergize, and two reactor trip circuit breakers will open | Annunciating | None required | One of two parallel paths providing power to the CEDM buses is open. Reactor is in a half trip state. The trip path logic changes from 2/4 selective to 1/3 selective. | |
| 29 | Trip Path 1 (Typical of 4) (See Figure 7.2-7) | a) One Trip Path contact fails open | Mechanical failure, open circuit | The Trip Path relay (K1) is deenergized and two reactor trip circuit breakers are open. | Annunciating | None required | Reactor is in a half-trip state. Trip Path Logic changes from 2/4 selective to 1/3 selective. | |
| | | b) One Trip Path contact fails closed | Contact weld, short circuit | Deenergization of one of six logic matrices will not deenergize the Trip Path 1 circuit breaker control relay (K1) | Periodic test | Trip Paths 2, 3 & 4 not affected and can trip reactor, plus deenergization of any one of the five other logic matrices will deenergize Trip Path one | No significant effect | |
| | | c) Trip circuit breaker control relay (K1) fails open | Open winding, power supply failure | Same as 28a) | Annunciating | None required | Same as 28a) | |
| | | d) Trip circuit breaker control relay (K1) fails energized | Short to power, contact weld | Trip Path 1 cannot be deenergized by a valid signal coincidence. Two of eight circuit breakers will not open. | Periodic test | Trip Paths 2, 3 and 4 are not affected and can trip reactor | Trip Path Logic becomes 2/3 selective instead of 2/4 selective. | |
| 30 | Trip Circuit Breaker 1 (Typical of 8) | a) Fails open | Failure of under voltage relay coil, open circuit, mechanical failure | One of two parallel paths supplying power to one half of the Control Element Drive Mechanisms (CEDM) will be interrupted. | Annunciating plus zero reading from current indicator in circuit. | Parallel redundant path to supply power to the CEDMS | RPS Trip Logic not affected. | |
| | | b) Fails closed | Contact weld, mechanical binding, short to power, under voltage coil shorted. | One of two series redundant breakers in one of two parallel redundant paths to supply power to the CEDMS will not open on a trip signal. | Periodic test | The series redundant breaker can interrupt power on the affected path. | RPS Trip Logic not affected. | |
| 31 | Power Operated Relief Valve Actuation Logic Matrices | a) One fails off | Failure in two parallel paths which cause open circuits | Spurious opening of the power operated relief valve | Annunciating | N/A | No effect on RPS Trip Logic. Will result in RCS depressurization, and loss of RCS inventory | There is no single component failure within a logic matrix that can produce this fault. |
| | | b) One fails on | Short circuit in one of two parallel paths, contact short | The affected Logic Matrix will not produce a Power Operated Relief Valve (PORV) Actuation Signal when the pressurizer pressure reaches the pretrip set point | Periodic test | Three redundant Logic Matrices for actuation of the PORV. (One of four pressurizer pressure channels assumed to be bypassed, hence only three of six Logic Matrices | The RPS Trip Logic unaffected. The actuation logic for the PORVs becomes 2-out-of-3 selective. | |
| 32 | Control Rod Withdrawal Prohibit Logic Matrix (Matrix AB Typical of 6) | a) Fails off | Concurrent failure in two parallel paths which result in an open circuit in both paths | Spurious actuation of the Control Rod Withdrawal Prohibit. | Annunciating | N/A | No effect on RPS Trip Logic, but control rods cannot be withdrawn. | There is no single component failure that can cause a Logic Matrix to fail off. |
| | | b) Fails on | Short circuit or shorted contact in one of the two parallel paths in the Logic Matrix | A Control Rod Withdrawal (CWP) actuation signal will not be generated by the affected Logic Matrix when a valid condition exists. | Periodic tests | The three Logic Matrices are each capable of initiating a CWP actuation signal (Note: one channel, i.e., Ch. D, is assumed to be bypassed, hence only 3 of 6 Logic matrices are active. | RPS Trip Logic not affected. CWP actuation logic becomes 2/4 selective. | See Item 1, Remark b. |
FIGURE 7.2-1: CONTROL WIRING DIAGRAM, PRESSURIZER PRESSURE MEASUREMENT LOOP (Florida Power & Light Company, St. Lucie Plant Unit 2). Refer to Drawing 2998-B-327 Sh. 372, 373, 374, 375. Amendment No. 18 (01/08)
FIGURE 7.2-2: NEUTRON FLUX MONITORING SYSTEM SAFETY CHANNEL (Florida Power & Light Company, St. Lucie Plant Unit 2). Refer to Drawing 2998-15345. Amendment No. 18 (01/08)
FIGURE 7.2-3: LOW STEAM GENERATOR PRESSURE REACTOR TRIP BYPASS FUNCTIONAL DIAGRAM (Florida Power & Light Company, St. Lucie Plant Unit 2). Diagram labels: +15 VDC TU5 power supply; Auto / Off / Bypass switch positions; latch, manual unlatch, switch S2; K22; Press SG-1 and Press SG-2 inputs; 24 VDC test select (Normal, Test 1, Test 2); "+15 V, No Trip" and "Open, Trip Allowed"; Trip Unit 5 bistable device, low press. SG, in aux. logic drawer.
Figure (caption not recoverable). Diagram labels: primary pressure; Tc; TH; thermal power calculation; max. sel.; nuclear power; gain adj.; thermal margin low pressure trip limit (PTRIP); upper det. (U) and lower det. (L); axial offset; limits; local power density trip; high power trip; manual trip reset setpoint.
Figure (caption not recoverable): thermal margin/low pressure trip setpoint diagram. Diagram labels: flow dependent setpoint selector switch in RPSCIP, positions 1. 4 pumps, 2. 3 pumps, 3. 2 pumps (opp. loops), 4. 2 pumps (loop 1), 5. 2 pumps (loop 2); axial offset; axial function; CEA function; PVAR calculation; pretrip alarm; unit trip. Legible definitions: TCAL = Tc + KcB; P = primary pressure; PTRIP = MAX(PVAR, PMIN); PPRETRIP = PTRIP + 50 psia; alarm on P < PPRETRIP; trip on P < PTRIP.
Figure (caption not recoverable): thermal margin ΔT power calculation diagram. Diagram labels: flow dependent setpoint selector switch in RPSCIP; nuclear power calibration (RPSCIP); ΔT power; bias (RPSCIP); principal calculation B = ΔT power; outputs to thermal margin and local power density. Legible definitions: TC = highest cold leg temperature; TH = average or active loop hot leg temperature; ΔT = TH - TC.
FIGURE 7.2-7: REACTOR PROTECTIVE SYSTEM BLOCK DIAGRAM (Florida Power & Light Company, St. Lucie Plant Unit 2). Amendment No. 13 (05/00)

Diagram blocks: inputs from NSSS measurement channels (1 through 11), trip units, logic matrices, logic matrix relays, trip paths, trip circuit breaker control relays (K1), manual trip, diverse scram system, 480 Vac buses A and B, 120 Vac vital instrument buses MA, MB, MC and MD, +125 Vdc buses A and B, bus tie, CEDM power supplies, control element drive mechanisms.

Inputs from NSSS measurement channels:
- 1 - Power level
- 2 - Rate of change of power
- 3 - Reactor coolant flow
- 4 - Steam generator water level low
- 5 - Steam generator pressures
- 6 - Pressurizer pressure
- 7 - Thermal margin/low pressure
- 8 - Turbine trip
- 9 - Containment pressure
- 10 - Local power density
- 11 - Loss component cooling water to RCP
FIGURE 7.2-8: RPS FUNCTIONAL DIAGRAM (Florida Power & Light Company, St. Lucie Plant Unit 2). Refer to Drawing 2998-4991. Amendment No. 18 (01/08)
Figure (caption not recoverable). Diagram labels: Channel A signal; Channel D signal; Trip Unit A1; Trip Unit D1; setpoint comparator; double coil relay; matrix AD; matrix relay hold; channel trip select; RPS test power supply; MG-1; MG-2; bus tie; 120 Vac; CEDM power supply.
FIGURE 7.2-10: SIMPLIFIED RPS CABINET LAYOUT (REAR VIEW) (Florida Power & Light Company, St. Lucie Plant Unit 2). Amendment No. 0 (12/80)
(Diagram labels: RPS status panel, interbay wire duct, field terminal blocks, pull-out drawer, fixed assembly, Non-1E and 1E cable entry, field connectors.)
(Diagram labels: signal input from process variable, buffer, trip comparator, setpoint voltage, trip bypass, setpoint readout, trip 2/4 logic relays No. 1, No. 2 and No. 3, trip annunciator relay, sequence of events, pre-trip comparator, pre-trip setpoint voltage, pre-trip annunciator relay, spare inputs from process variables, connection made for auctioneered input signals only. ** Variable setpoint input is only used for variable setpoint functions.)
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 VARIABLE HIGH-POWER TRIP OPERATION (TYPICAL) FIGURE 7.2-13
(Diagram labels: dP sensors, function generator, flow trip unit with pre-trip and trip, setpoint selector, setpoint reduction. Channel A shown; Channels B, C, D similar.)
At power operation with less than four (4) Reactor Coolant Pumps is not allowed by plant Technical Specifications, and the Flow Dependent Setpoint Selector switch has been hardwired in the 4-Pump position.
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 LOW FLOW PROTECTIVE SYSTEM FUNCTIONAL DIAGRAM FIGURE 7.2-14 Amendment No. 13 (05/00)
Refer to Drawing 2998-8342 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 STEAM GENERATOR 'A' PROTECTIVE CHANNEL BLOCK DIAGRAM FIGURE 7.2-15a Amendment No. 18 (01/08)
Refer to Drawing 2998-8341 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 STEAM GENERATOR 'B' PROTECTIVE CHANNEL BLOCK DIAGRAM FIGURE 7.2-15b Amendment No. 18 (01/08)
(Diagram labels: linear function, axial offset, CEA function, auxiliary trip unit, gain adjust, to thermal margin.)
(Diagram labels: 28 V tester, trip unit setpoints, to bistable relays, pretrip relays, local setpoint generation, remote setpoint generation, other positions not related to tester.)
Amendment No. 13, (05/00) FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 SCHEMATIC TRIP TEST SYSTEM FIGURE 7.2-17
Refer to Drawing 2998-4967 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 RPS SCHEMATIC SH 4 OF 4 FIGURE 7.2-18 Amendment No. 18 (01/08)
Refer to Drawing 2998-4972 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 RPS MISC. SCHEMATICS SHEET 1 OF 4 FIGURE 7.2-19a Amendment No. 18 (01/08)
Refer to Drawing 2998-4973 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 RPS MISC. SCHEMATICS SHEET 3 OF 4 FIGURE 7.2-19b Amendment No. 18 (01/08)
Refer to Drawing 2998-4974 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 RPS MISC. SCHEMATICS SHEET 2 OF 4 FIGURE 7.2-20 Amendment No. 18 (01/08)
(Diagram labels: high rate of change of power, variable over power, local power density, core protection calculators, thermal margin/low pressure, high pressure pressurizer, low reactor coolant flow, loss of load turbine trip, low steam gen water level, high steam gen water level, low steam gen pressure, high containment pressure, loss RCP CCW 10 min timer, manual trip, pre-trip alarm.)
7.3 ENGINEERED SAFETY FEATURES SYSTEM

The safety related instrumentation and controls of the engineered safety features (ESF) systems include (1) the Engineered Safety Feature Actuation System (ESFAS), which consists of the electrical and mechanical devices and circuitry (from sensors through the contacts of the output relays) involved in generating those signals that actuate the required ESF systems, (2) the initiation of components that perform the protective actions after receiving an actuation signal generated by the ESFAS (or by the operator), and (3) the instrumentation and control of supporting systems to the ESF.

The ESFAS contains devices and circuitry needed to generate the following signals when the monitored variables reach levels that are indicative of conditions which require protective action (see Table 7.3-1):

a) Safety Injection Actuation Signal (SIAS)
b) Recirculation Actuation Signal (RAS)
c) Containment Spray Actuation Signal (CSAS)
d) Containment Isolation Actuation Signal (CIAS)
e) Main Steam Isolation Signal (MSIS)
f) Auxiliary Feedwater Actuation Signal-1 (AFAS-1)
g) Auxiliary Feedwater Actuation Signal-2 (AFAS-2)

The ESFAS circuitry includes the redundant initiating variable measurement devices, trip bistables, the coincidence logic matrices, actuation modules, output relays, manual and automatic test circuitry and the separated channel cabinets for housing the components.

7.3.1 DESCRIPTION
The actuation signals sent to the following systems are discussed herein:

a) ESF systems and components (and actuation signal(s) are identified in parentheses)
- 1) Safety Injection System (SIAS)
- 2) Recirculation (SIS Subsystem) (RAS)
- 3) Containment Spray System (CSAS)
- 4) Containment Isolation (CIAS)
- 5) Main Steam and Feedwater Isolation (MSIS)
- 6) Containment Cooling System (SIAS)
- 7) Shield Building Ventilation System (CIAS)
- 8) ESF Support System (SIAS)
- 9) Auxiliary Feedwater System (AFAS-1, AFAS-2)

b) ESF Systems Not Actuated by ESFAS
- 1) Combustible Gas Control System, although an ESF, is manually actuated if required following a LOCA.
The system P&I diagrams for the ESF systems are shown on Figures 6.3-1(a-c), 6.2-41, 9.4-9, 9.4-11, 10.1-1(a-f) and 10.1-2(a&b).

7.3.1.1 Signal Description

7.3.1.1.1 Safety Injection Actuation Signal

This description deals with the instrumentation and controls for the safety injection actuation signal (SIAS). Refer to Section 6.3, Emergency Core Cooling System, for a description of the Safety Injection System (SIS) and Subsection 6.2.2 for a description of the Containment Cooling System. The safety related display information which provides the operator with information to monitor the required safety functions is described in Section 7.5.

The instrumentation and controls for the components and equipment in channel SA are physically and electrically separate and independent of the instrumentation and controls for the components and equipment in channel SB. This independence maintains the redundancy required to ensure the functional capability of the equipment following a design basis event which is mitigated by the SIS.

A SIAS automatically actuates the Safety Injection System and the supporting systems as listed in Table 7.3-2. The SIAS is initiated by a coincidence of either two-out-of-three low pressurizer pressure signals or two-out-of-three high containment pressure signals, shown on Figure 7.3-1. There are four independent pressurizer pressure transmitters (PT-1102A, B, C, D) and four independent containment pressure transmitters (PT-07-2A, B, C, D) to provide signal inputs. A bypass is provided to remove a trip function from one of the measurement channels for maintenance or testing. The requisite two-out-of-three trip logic is unaffected by this bypass. The remaining trip functions in the channels are unchanged. The two-out-of-three logic meets full safety requirements including the requirements of single failure criteria.
Separate control switches, for optional manual actuation of the equipment, are located on the reactor turbine generator board (RTGB) in the control room. Automatic actuation of the equipment is initiated by the SIAS output relay contacts. Control board instrumentation (e.g., flow, temperature, pressure) is provided to enable the operator to evaluate system performance. Alarms are provided; see Subsection 7.5.1 for a discussion of the ESF system/support monitoring display instrumentation.

A safety injection block is provided to permit shutdown depressurization of the Reactor Coolant System (RCS) without initiating safety injection. This block is accomplished manually after pressurizer pressure has been reduced and a permissive signal is generated by the Engineered Safety Features Actuation System. This blocking procedure is under strict administrative control; block and block permissive are annunciated and indicated in the control room. It is not possible to block above a preset pressure; if the system is blocked and pressure rises above that point, the block is automatically removed. The block circuit complies with the signal failure criterion in IEEE 279-1971.

The actuation circuits for the ESFAS are all similar except for specific inputs, operating bypasses, and actuation devices. The SIAS described below is typical of all ESFAS. The specific instruments and controls associated with each actuation signal are discussed separately in the appropriate subsection.

a) Initiating Circuit

Pressure measurement channels associated with the pressurizer and the containment are continuously monitored to provide signals to the SIAS. The protective parameters are measured with four independent instruments, utilized to perform the following functions:

i) Monitor pressurizer pressure and containment pressure
ii) Provide indication of operational availability of each sensor to the operator
iii) Transmit analog signals to bistables within the SIAS initiating logic.

The measurement channels consist of instrument sensing lines, sensors, transmitters, power supplies, bistables, isolation devices, indicators, current loop resistors, and interconnecting wiring. A typical protective measurement channel functional diagram is shown on Figure 7.3-2. Each measurement channel is separated from its redundant measurement channels to provide physical and electrical isolation of the signals to the SIAS initiating logic. The output of each transmitter is an ungrounded current loop which has a live zero. Each channel is supplied from its separate 120 volt safety related ac distribution bus.

Display information, which provides the operator with the operational availability of each measurement channel, is described and tabulated for the ESFAS in Section 7.5.
b) Logic

The SIAS logic matrices are physically separated into channel related sections within the ESFAS cabinets. The SIAS initiation signals generated in the four measurement channels (MA, MB, MC, MD) are received by four trip bistables from each parameter. At the bistables the signals are compared to predetermined setpoints. Whenever a channel parameter reaches the predetermined setpoint, the bistable initiates a channel trip.

The signals of the four trip bistables from each parameter feed two separate SIAS coincidence logic matrices (SA & SB) via channel separated isolation modules. The isolation modules maintain separation between the measurement channels and the logic matrices. One of the four measurement channels serves as an active standby, which can be removed for maintenance or testing, while still maintaining a two-out-of-three logic. The output of the SIAS matrices feeds the actuation relays.

Four separate power buses from safety related inverters (described in Section 8.3) supply 120 volt ac to the ESFAS cabinets. The MA, MB, MC, and MD cabinets have power supplies fed from the MA, MB, MC and MD buses respectively, while cabinet SA is powered by two auctioneered supplies fed from MA and MC buses and cabinet SB is powered by two auctioneered supplies fed from MB & MD buses (see Figure 7.3-10).

c) Output Relays

The SIAS output relays are located in the two redundant cabinets SA and SB of the ESFAS. Initiation signals from the coincidence logic matrices associated with each actuation channel (SA & SB) de-energize the SIAS output relays, which in turn initiate the ESF and supporting equipment listed in Table 7.3-2.

The SIAS output relays in both redundant channels are divided into groups, for individual actuation of specific ESF equipment during manual periodic testing. Components of each group are actuated by one group relays. Group relay contacts are directly connected in the actuating device control circuit for the actuated components of each ESF system. In the unlikely event of an actual SIAS, all groups of output relays are de-energized to actuate automatically the equipment listed in Table 7.3-2.

d) Manual and Automatic Test Circuitry

Periodic testing of the SIAS and its associated components is conducted from the ESFAS cabinets by means of separate manually operated switches and pushbuttons provided at each of the redundant cabinets.
The tests are conducted periodically during normal plant operation in accordance with Technical Specifications to verify operability of the SIAS. The grouping of the relays provides the verification tests without interrupting normal plant operation. Jumpers or temporary forms of bypassing are not used during testing. The system testing in no way interferes with the protective function of the system and meets the intent of IEEE 338-1971, "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," and of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," 2/72 (R0).

The periodic test of the ESFAS utilizes the built in test circuitry. No additional test equipment or fuse removal procedures are required. The installation test equipment contains its own power supply and checks logic and trip relays, which conforms to Regulatory Guide 1.118 Rev. 0, position C.13. The individual tests are described below:

i) Sensor Checks

The four redundant measurement channels providing inputs to the SIAS (i.e., pressurizer pressure and containment pressure) are checked by comparing the reading of the indicators of the four channels in the control room, and by cross checking with related measurements.

ii) Trip Bistable Tests

Testing of the trip bistable calibration setpoint is accomplished by manually varying a test input signal to the trip setpoint level (on one bistable at a time) and observing the trip action. An adjustable voltage source provides the calibration input signal and digital voltmeter indicates the value of this signal. During this bistable trip setpoint calibration test the bistable trip output is blocked to the logic matrices. An additional pushbutton on each bistable in concert with the selector switch allows to trip test the bistable and to provide one test input to the logic matrices.

The bistable test circuit uses a momentary, spring return "Auto" calibration switch. After calibration test, the bistable is returned to its normal automatic position. The bistable trip test uses momentary spring return pushbutton located on the bistable. After observing trip test lights and releasing the button, the bistable returns to its normal position.

iii) Logic Matrices Tests

Each group logic matrix requires two inputs for a test trip. One test signal is obtained by the trip tested bistable described above and the second one is provided by the activation of a test group selector switch and simultaneously pressing a momentary test button on the tested logic matrix. This causes the logic matrix undergoing the test to trip and to de-energize the output relays connected to this test group. It should be noted that any test selector switch position chosen does not block an incoming SIAS resulting from a design basis accident (DBA).

The matrix does not reset after the test and requires operator action on the main control board to actuate the systems reset switch.
iv) Actuating Device and Actuated Component Test

Operational testing of the group output relays as described in (iii) above is accomplished by individually selecting one group (refer to Table 7.3-2 for the test group assignment). Components were grouped to maximize their testability at power without impacting plant operation. For example, when SIAS test group 1A is tested the LPSI pump 2A starts but LPSI discharge valves remain closed since they are assigned to test group 2A. This overlapping test method causes the ESF components to actuate; therefore the propagation of a valid trip during testing is not impeded and the ESF system proceeds to full actuation. Group 0 was originally intended to include all components not testable at power; however, design development precluded this limitation.

v) Response Time Tests

Response time tests of the ESFAS are conducted at refueling intervals in accord with the Technical Specifications. Response time test requirements and acceptance criteria are discussed in Section 13.7.2.2.

vi) Automatic Testing

An automatic test inserter (ATI) provides automatic and continuous on-line testing without disturbing the ESFAS functions. During each test interval, two ATI pulses (less than 2 milliseconds) are applied to selected groups of bistables. The first ATI pulse is lower than the trip level and it sets a flip-flop in each bistable for a test interval memory. The second ATI pulse is above the trip point so that the bistables provide the trip signals through the isolation modules and actuation modules, and the pulses are returned to the bistables if the equipment performs properly. If the first pulse trips a bistable, or if the second pulse is not transmitted, an ATI fault is then indicated and alarmed on the ESFAS front panel. The control room annunciator does not have reflash capability; therefore, the annunciator "locks in" after the first detected fault.

The operator then performs manual tests at the indicated area, to determine and replace the faulty components. The ATI and its components are completely independent from the ESFAS.

vii) Engineered Safety Feature (ESF) Reset Controls (IE Bulletin 80-06)

In order to maintain safety equipment in its emergency mode upon reset of an engineered safety features actuation signal (ESFAS), design changes on several systems have been performed to assure that protective action of the equipment, initiated by ESFAS, is not compromised once the associated actuation signal is reset. The circuitry for reset has been tested and verified to comply with IE Bulletin 80-06 Item 2 during plant startup. The only exception is the circuitry for the Diesel Generator where in the emergency mode all protective trips, except differential current and overspeed, are bypassed by an ESFAS. ESFAS reset restores the DG trip circuits provided the emergency bus tie breakers are closed manually upon restoration of offsite power. Since the ESFAS reset restores all DG trips only if the emergency bus tie breakers are closed (offsite power available), no changes are planned for these circuits.
e) Bypasses

A key-operated trip channel bypass is provided to remove a trip function from service for maintenance or testing. The bypass is manually initiated and manually removed.

The pressurizer pressure bypass is designed as a safety injection block during shutdown depressurization of the RCS. Manual block is induced only during shutdown when the pressurizer pressure has been reduced. Pressurizer pressure signals generated by the measurement channels are received through separate bistables whereby a 3-out-of-4 channel coincident permissive bypass signal is generated by the ESFAS. This permissive signal must be available before the manual block can be induced. The block function is automatically removed when pressurizer pressure returns above setpoint.

f) Interlocks

A key interlock prevents the operator from bypassing more than one measurement channel at a time. During system testing the electrical interlocks allow only one matrix logic to be held in the test position at one time, and only one process measurement loop signal can be perturbed at one time.

g) Sequencing

Each ESFAS simultaneously actuates components listed in Tables 7.3-2, 3, 4, 5 and 6. However, to ensure that emergency diesel generator loads are properly assigned in the event of loss of offsite power, individual time relays are provided to delay starting of the equipment in accordance with the emergency diesel generator loading sequence (see Table 8.3-2).

h) Redundancy

Redundant features of the SIAS include:

i) Four independent channels, from process sensor through and including bistables and channel isolation modules.

ii) Two redundant logic matrices which provide the coincidence logic. Independent power supplies are provided for each logic matrix.

iii) Two trip paths are present for each actuation signal.

iv) Four independent bistables are utilized to provide block permissive signals for the pressurizer pressure actuation signal.
v) The actuation signal is generated by relays within two output trains so that redundant system components are actuated from separate trains. Separate relays in each of the redundant trains are also provided for the actuation of the equipment in the third channel (channel SAB). ESFAS interconnections for AB shared system equipment are shown on Figure 7.3-11. A discussion of channel SAB is presented in Subsection 8.3.1. Equipment actuated by redundant actuation trains (SA and SB) for SAB shared system equipment are as follows:
- 1) Intake Cooling Water Pump 2C
- 2) Charging Pumps 2C
- 3) Component Cooling Water Pump 2C

vi) Two independent sets of control switches and pushbuttons are provided at two locations on the main control board for optional operator actions to initiate SIAS.

vii) The four channel independence begins at the output of the 4 ac UPS inverters, designated inverter 2A, 2B, 2C and 2D or the Maintenance Bypass Transformer 2A, 2B, 2C and 2D and their associated instrument buses as shown on Figure 8.3-3. Independence of the four channels of RPS or ESFAS is maintained in accordance with Subsections 8.3.1.3, 8.3.1.4, and 7.2.1.1.

AC power for the actuation system is provided from four separate 120V AC instrumentation buses. Power for control and operation of redundant actuated components comes from separate buses. The above redundant features provide a system which meets the single failure criterion, is testable during plant operation, and is operable with two-out-of-three logic.
The benefit of a system that includes four independent and redundant channels is that the system can be operated with up to two channels out of service (one bypassed, one tripped) and still meet the single failure criterion. While in this condition (one-out-of-two logic), it is impossible to bypass another channel for testing or maintenance: the system logic must be restored to at least a two-out-of-three condition prior to removing another channel for maintenance. In fact, the plant basis (Figure 7.3-1) is a three channel protection system with an "Installed spare" for the RPS, and ESFAS functions of SIAS, MSIS, and CIAS. However, the design basis for the ESFAS functions of RAS and CSAS is the energization of actuation relays (Figure 7.3-1) to make it incredible for spurious actuation of Containment Spray or Recirculation which can be detrimental to equipment in a non-accident condition. Therefore, the NRC position of trip instead of continuous bypass for one of the four channels used for RAS or CSAS is acceptable to the applicant.

i) Diversity

The ESFAS incorporates functional diversity to accommodate the unlikely event of a common mode failure during accident conditions.

j) Auxiliary Supporting Systems Required

Support systems are identified in Subsection 7.3.1.1.6.
7.3.1.1.2 Recirculation Actuation Signal

This description deals with the instrumentation and controls for the recirculation actuation signal (RAS). Refer to Section 6.2 for a description of the Containment Spray System, and Section 6.3 for a description of the Safety Injection System.

All actions required to effect the change over from injection to recirculation are automatically initiated by the RAS. No operator interaction is required. The RAS is automatically initiated by two-out-of-four low refueling water tank level signals rather than two-out-of-three, because it is designed to energize to actuate rather than de-energize to actuate; see Figure 7.3-1.

The four measurement channels for the refueling water tank level are physically and electrically separated and all four channels are active during plant operation. A bypass is provided to remove a trip function from one of the measurement channels for maintenance or testing. The requisite two-out-of-three trip logic is unaffected by this bypass. The remaining trip functions in the channels are unchanged. Due to the energize-to-activate design, technical specifications require that the channel be placed in trip condition after a specified time; the trip of one-out-of-three remaining channels actuates the RAS.

Based on the following considerations, Technical Specification action statements pertaining to one inoperable RAS (RWT level) measurement channel were revised (via Technical Specification Amendment #132 and Engineering Evaluation PSL-ENG-SENS-00-024) to restrict the amount of time an inoperable channel could remain in either trip or bypass. With one inoperable channel in bypass, RAS actuation could be precluded by a single failure (i.e., failure of a DC Bus that results in loss of both associated 120 VAC measurement channel busses) due to the energize to actuate RAS design. The second consideration is that with one inoperable channel in trip, premature RAS actuation could occur due to single failure of another channel.

The RAS automatically transfers the suction of the high pressure safety injection pumps and the containment spray pumps from the refueling water tank (RWT) to the containment sump, by opening the two sump outlet valves while simultaneously closing the refueling water tank outlet valves, and closing the pump miniflow recirculation valves to the tank. Concurrent with transfer of pump suction from the refueling water tank to the containment sump, the low pressure safety injection pumps are automatically stopped on RAS.

The RAS measurement channels and logics are designed as "energize to actuate" in order to prevent spurious RAS initiation in the unlikely event of a loss of power to the channels. Consequences due to spurious RAS initiation are summarized below:
a) Normal Plant Operation

The LPSI, HPSI and containment spray are not operating. On a spurious RAS initiation (LPSI, HPSI and Containment Spray Pumps remain not operating), one outlet valve opens and one refueling water tank outlet valve closes. This should not affect normal plant operation because the other ESFAS channel will remain operational. Adequate valve position, sump/tank levels instrumentation, and alarms in the control room are provided. The operators are alerted to correct the abnormal condition promptly.

b) Emergency Reactor Shutdown Condition (i.e., SIAS and/or CIAS)

The HPSI, LPSI and Containment Spray Pumps are running with their suction headers lined up with the Refueling Water Tank (RWT). If RAS signal of one (1) safety channel actuated, the corresponding LPSI pump will be stopped. The HPSI and Containment Spray Pumps of that channel will be connected to the dry sump. However, the remaining redundant safety pump trains will remain intact and perform the required safety functions. The control room operator has adequate alarms and instrumentation to recognize the abnormal pump-valve line up and correct it manually from the control room prior to pump damage.

c) Normal Shutdown Cooling

The LPSI pumps are isolated from RWT and containment sump by V3444 and V3432. Pump suctions are obtained from RCS. Spurious RAS switchover signal should not affect the Decay Heat Removal System or damage the pumps.

No single failure prevents initiation of the RAS. Valve circuitry permits optional manual closing of any containment sump suction line or manual opening of any RWT outlet line after an RAS initiation, from either the control room or from a local control station. Control room alarms are provided to annunciate possible maloperations (see Subsection 7.5.1).

Redundant safety class instrumentation is provided for RWT level and containment sump level. Annunciations are available to the control room operator to alert him of abnormal valve positions, and pump operating conditions. Furthermore, RAS annunciation is provided in the control room.

The reset of SIAS prior to automatic switchover from injection to recirculation does not affect RAS. The RAS actuation strictly depends on RWT levels (2 out of 4 channels) and is independent of SIAS.
The containment sump valves (MV-07-2A, 2B) open in 30 seconds and the refueling water tank outlet valves (MV-07-1A, 1B) close in 90 seconds, such that RWT or containment sump water is always available at the suction of the pumps during the transfer. Further, enough water is maintained below the low level (RAS) setpoint in the RWT to sustain pump suction throughout the closure of the RWT isolation valves. In the event one or both of the RWT valves fails to close, the water seal created by the difference in elevation between the containment sump and RWT water levels would prevent air from being drawn into the system. No credit is taken for the height of water in the RWT above the suction line in the calculation of the available Net Positive Suction Head (NPSH). Thus, even if tank level is drawn down to the suction line, pump operation is assured. (Note: This information is historical and based on the original NPSH calculation. The calculation did not include the effects of vortex formation).
Components actuated by the RAS are listed in Table 7.3-3.

a) Initiating Circuits

The RAS initiating circuits are similar to the initiating circuits described in Subsection 7.3.1.1.1a for SIAS other than the fact that RWT water level is the only parameter monitored.

b) Logic

The logic for the RAS is shown on Figure 7.3-1.

c) Output Relays

Output relays for the RAS are similar to those described in Subsection 7.3.1.1.1c for SIAS except relays are energized to actuate the RAS.

d) Manual and Automatic Test Circuitry

Provisions for testing the RAS are similar to those described in Subsection 7.3.1.1.1d.

e) Bypasses

Bypasses for the RAS are similar to those described in Subsection 7.3.1.1.1e for SIAS except there is no blocking for shutdown.

f) Interlocks

Interlock provisions for RAS are similar to those described in Subsection 7.3.1.1.1f for SIAS.

g) Sequencing

Sequencing equipment and functions for RAS are described in Subsection 7.3.1.1.1g.

h) Redundancy

Redundancy features for the RAS are similar to those described in Subsection 7.3.1.1.1h.

i) Diversity

The only parameter being measured is RWT water level; therefore functional diversity is not applicable.

j) Auxiliary Supporting Systems Required

Support systems are identified in Subsection 7.3.1.1.6.
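The single-failure reasoning given above for the de-energize-to-actuate SIAS and the energize-to-actuate RAS can be checked by enumeration. The following Python sketch is an added example, not part of the FSAR or of any plant software; the pairing of measurement channels to the two 125 V dc buses (A: MA, MC; B: MB, MD) and the three failure modes modelled are assumptions made for illustration.

```python
"""Single-failure check of 2-out-of-N coincidence logic (added example)."""
from dataclasses import dataclass

CHANNELS = ("MA", "MB", "MC", "MD")

# Assumption (not stated on the page): each 125 V dc bus backs the 120 V ac
# buses of two measurement channels, paired like the SA and SB cabinet feeds.
DC_BUS_LOADS = {"A": ("MA", "MC"), "B": ("MB", "MD")}


@dataclass(frozen=True)
class ActuationSignal:
    name: str
    energize_to_actuate: bool  # True for RAS/CSAS style, False for SIAS style
    votes_needed: int = 2      # coincidence of two channel trips


@dataclass(frozen=True)
class Lineup:
    """Operator-selected state of the four measurement channels."""
    bypassed: frozenset = frozenset()
    tripped: frozenset = frozenset()

    def __post_init__(self):
        # Key interlock described in the text: one bypassed channel at most.
        if len(self.bypassed) > 1:
            raise ValueError("key interlock: only one channel may be bypassed")


def votes(sig, lineup, demand, unpowered=frozenset(),
          spurious=frozenset(), stuck=frozenset()):
    """Count the channel trips that reach the coincidence matrix."""
    count = 0
    for ch in CHANNELS:
        if ch in lineup.bypassed or ch in stuck:
            continue  # bypassed or failed-untripped channels never vote
        if ch in unpowered:
            # A dead channel looks tripped only to de-energize-to-actuate logic.
            count += 0 if sig.energize_to_actuate else 1
            continue
        if demand or ch in lineup.tripped or ch in spurious:
            count += 1
    return count


def actuates(sig, lineup, demand, **fault):
    return votes(sig, lineup, demand, **fault) >= sig.votes_needed


def single_failures():
    """Yield (label, fault) pairs for the failure modes modelled here."""
    for bus, chans in DC_BUS_LOADS.items():
        yield f"loss of dc bus {bus}", {"unpowered": frozenset(chans)}
    for ch in CHANNELS:
        yield f"{ch} spurious trip", {"spurious": frozenset([ch])}
        yield f"{ch} fails untripped", {"stuck": frozenset([ch])}


def analyse(sig, lineup):
    """Return (failures that block a real demand, failures that actuate with no demand)."""
    missed, premature = [], []
    for label, fault in single_failures():
        if not actuates(sig, lineup, demand=True, **fault):
            missed.append(label)
        if actuates(sig, lineup, demand=False, **fault):
            premature.append(label)
    return missed, premature


SIAS = ActuationSignal("SIAS", energize_to_actuate=False)
RAS = ActuationSignal("RAS", energize_to_actuate=True)

if __name__ == "__main__":
    cases = [
        (RAS, Lineup()),
        (RAS, Lineup(bypassed=frozenset({"MA"}))),
        (RAS, Lineup(tripped=frozenset({"MA"}))),
        (SIAS, Lineup()),
        (SIAS, Lineup(bypassed=frozenset({"MA"}), tripped=frozenset({"MB"}))),
    ]
    for sig, lineup in cases:
        missed, premature = analyse(sig, lineup)
        print(sig.name, sorted(lineup.bypassed), sorted(lineup.tripped))
        print("  blocks real demand:", missed or "none")
        print("  premature actuation:", premature or "none")
```

Under these assumptions the enumeration reproduces both considerations stated for the RAS: a bypassed channel leaves one dc bus loss able to block actuation, and a tripped channel leaves any other channel's spurious trip able to actuate it.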
7.3.1.1.3 Containment Spray Actuation Signal
This description deals with the instrumentation and controls for the containment spray actuation signal (CSAS). Refer to Subsection 6.2.2 for a description of the Containment Spray System (CSS). The containment heat removal function is also performed by the Containment Cooling System which is actuated by SIAS.
The CSAS automatically actuates the CSS. The CSAS is initiated by a coincidence of two-out-of-four high-high containment pressure signals (rather than two-out-of-three, because it is designed to energize to actuate rather than de-energize to actuate) and a simultaneous SIAS signal as shown on Figure 7.3-1. The four measurement channels for high-high containment pressure are physically and electrically separated and all four channels are active during plant operation.
A bypass is provided to remove a trip function from one of the measurement channels for maintenance or testing. The requisite two-out-of-three trip logic is unaffected by this bypass. The remaining trip functions in the channels are unchanged. Due to the energize-to-actuate design, technical specifications require that the channel be placed in trip condition after a specified time; the trip of one-out-of-three remaining channels in conjunction with a SIAS actuates the CSAS.
The system is composed of four redundant channels, MA, MB, MC, and MD. The instrumentation and controls in a channel are physically and electrically separate and independent of the instrumentation and controls in other channels. This independence maintains the redundancy required to ensure equipment functionality following any design basis event.
The two redundant CSAS actuation channels (SA and SB) initiate the operation of the containment spray pumps (A and B) and their associated valves (see Figure 6.2-41). Each spray system isolation valve (FCV-07-1A and 1B) is opened by its associated CSAS actuation channel (SA or SB).
The CSAS containment pressure measurement channels and CSAS actuation logics are designed as "energize to actuate" to prevent spurious spray system operation on loss of power to one of the two 125V dc buses. The 125V dc system is designed such that no single failure results in loss of power to both of the 125V dc buses (see Subsection 8.3.2). In the event of loss of power to one bus, CSAS is initiated when required by the measurement channels associated with the unaffected bus. Each CSAS actuation channel can also be initiated manually from the control room. Thus, no single failure prevents proper CSAS actuation.
a) Initiating Circuits: Initiating circuits are similar to the initiating circuits described in Subsection 7.3.1.1.1a for SIAS except that the parameter monitored is containment pressure only. The SIAS and high-high containment pressure signals are combined in two AND circuits within the ESFAS initiating logic. The AND circuits prevent inadvertent operation of the Containment Spray System upon generation of an SIAS only.
b) Logic: The CSAS logic is shown on Figure 7.3-1.
c) Output Relays: The output relays for CSAS are similar to those described in Subsection 7.3.1.1.1c for SIAS except relays are energized to actuate the CSAS.
d) Manual and Automatic Test Circuitry: Manual and automatic testing for CSAS is similar to that described in Subsection 7.3.1.1.1d for SIAS.
e) Bypasses: Bypasses for the CSAS are similar to those described in Subsection 7.3.1.1.1e for SIAS except there is no blocking for shutdown.
f) Interlocks: Interlock provisions for CSAS are similar to those described in Subsection 7.3.1.1.1f for SIAS.
g) Redundancy: Redundancy features for CSAS are similar to those described in Subsection 7.3.1.1.1h for SIAS.
h) Diversity: The only parameter being measured is containment pressure; therefore functional diversity is not applicable.
i) Sequencing: Sequencing equipment and functions for CSAS are similar to those described in Subsection 7.3.1.1.1g.
j) Auxiliary Supporting Systems Required: The auxiliary supporting systems are identified in Subsection 7.3.1.1.6.
7.3.1.1.4 Containment Isolation Actuation Signal
This description deals with the instrumentation and controls for the containment isolation actuation signal (CIAS). Refer to Subsection 6.2.4 for a description of the containment isolation system (CIS), and to Subsection 6.2.3 for a description of the Shield Building Ventilation System (SBVS). The CIS is automatically actuated by a CIAS. A list of the isolation valves with valve size, type of actuator, normal position, and position on loss of power is given in Tables 6.2-52 and 53.
The logic which initiates the CIAS is shown on Figure 7.3-1. CIAS is actuated on high containment pressure, or high containment radiation or on SIAS actuation. The CIAS measurement channels include four independent pressure transmitters and four independent containment radiation monitors. The measurement channel signals for each of these two diverse parameters are combined in two-out-of-three logic matrices. Each measurement channel is physically and electrically separated, enabling the bypass of any one of the four channels for maintenance or testing while remaining with a two-out-of-three logic for automatic actuation. The two-out-of-three logic meets full safety requirements including the requirement of the single failure criterion.
The output signals from the high containment pressure, high radiation, and SIAS logic matrices are combined in an "OR" logic circuit to form the CIAS.
There are two redundant independent CIAS actuation channels (SA and SB). The instrumentation and controls of the components and equipment in channel A are physically and electrically separate and independent of the instrumentation and controls of the components and equipment in channel B. This independence maintains the redundancy required to ensure the functional capability necessary to isolate the containment. The safety related display instrumentation for the containment isolation system provides the operator with sufficient information to monitor the required safety functions.
Each CIAS actuation channel (SA and SB) also actuates the Shield Building Ventilation System (SBVS) fans (A and B) and its associated dampers and valves. Each CIAS actuation channel may also be initiated manually from the control room.
a) Initiating Circuits: The initiating circuits for the CIAS are similar to those described in Subsection 7.3.1.1.1a for the SIAS with the exception that the parameters monitored are containment pressure and containment radiation.
b) Logic: The CIAS logic is shown on Figure 7.3-1.
c) Output Relays: The output relays for CIAS are similar to those described in Subsection 7.3.1.1.1c for SIAS.
d) Manual and Automatic Test Circuitry: Manual and automatic testing for CIAS is similar to that described in Subsection 7.3.1.1.1d for SIAS.
e) Bypasses: Bypasses for CIAS are similar to those described in Subsection 7.3.1.1.1e for SIAS except there is no blocking for shutdown.
f) Interlocks: Interlock provisions for CIAS are similar to those described in Subsection 7.3.1.1.1f for SIAS.
g) Redundancy: Redundancy features for CIAS are similar to those described in Subsection 7.3.1.1.1h for SIAS.
h) Diversity: Diversity aspects for CIAS are similar to those described in Subsection 7.3.1.1.1i for SIAS.
i) Sequencing: Sequencing equipment and functions for CIAS are similar to those described in Subsection 7.3.1.1.1g for SIAS.
j) Auxiliary Supporting Systems Required: The auxiliary supporting systems are identified in Subsection 7.3.1.1.6.
7.3.1.1.5 Main Steam (and Feedwater) Isolation Signal
This description deals with the instrumentation and controls for main steam and feedwater isolation. Refer to Section 10.3 for a description of the Main Steam System (MSS) and see Subsection 10.4.7 for a description of the Feedwater System.
The main steam isolation signal (MSIS) is initiated by two-out-of-three low pressure signals from either steam generator and/or upon high containment pressure. The MSIS terminates blowdown of steam from the steam generators, and stops the normal feedwater flow to the steam generators by closing the main steam and main feedwater isolating valves.
The logic which initiates MSIS is shown on Figure 7.3-1. The MSIS measurement channels consist of four steam generator pressure transmitters for each steam generator and four high containment pressure transmitters. Two-out-of-three logic signals from low steam generator pressure and two-out-of-three logic signals from high containment pressure are combined in OR logic to provide closure of both the main steam isolation valves (MSIVs) and the main feedwater isolation valves (MFIVs).
Each one of the four measurement channels is physically and electrically separated, enabling the bypass of any one channel for maintenance or testing while remaining with a two-out-of-three logic for automatic actuation. The two-out-of-three logic meets full safety requirements including the requirement of the single failure criterion.
7.3-13 Amendment No. 21 (11/12)
The measurement channels logic and actuation channels associated with steam generator A are separated from those associated with steam generator B. An MSIS signal on either channel closes the MSIV, the main feedwater isolation valve, and the backup feedwater isolation valve on that channel, and sends a signal through an isolation device to close the MSIV, the main feedwater isolation valve, and the backup feedwater isolation valve of the other channel. Each isolation device is designed as an energize-to-actuate device and is powered from the same safety related ac power source as the MSIS activation signal. The effects of ac or dc power loss in combination with the isolation device have been evaluated in Table 7.3-9 to ensure conformance to single failure criteria for the MSIS features. In addition, annunciation is provided to alert the operator of power loss to the isolation device. This ensures that in the unlikely event of a steam line break accident upstream of the MSIVs, the MSIVs close and limit the blowdown to the faulted steam generator. The consequences of such an occurrence are evaluated in Chapter 15.
A manual block on the MSIS is provided to permit shutdown depressurization of the Main Steam System without initiating MSIS. This process is under strict administrative control with block and block permissive annunciated and indicated in the control room. It is not possible to block above a preset pressure: if the system is blocked and pressure rises above this point, the block is automatically removed. The block circuit is designed to comply with the single failure criterion specified in IEEE 279-1971.
Each MSIS actuation channel can be initiated manually from the control room. A list of components activated on a MSIS is given in Table 7.3-6.
a) Initiating Circuits: The initiating circuits for the MSIS are similar to those described in Subsection 7.3.1.1.1a for SIAS except that the parameters monitored are the steam generator pressure for each steam generator and containment pressure.
b) Logic: The MSIS logic is shown on Figure 7.3-1.
c) Output Relays: The output relays for MSIS are similar to those described in Subsection 7.3.1.1.1c for SIAS.
d) Manual and Automatic Test Circuitry: Manual and automatic testing for MSIS is similar to that described in Subsection 7.3.1.1.1d for SIAS.
e) Bypasses: Bypasses for MSIS are similar to those described in Subsection 7.3.1.1.1e for SIAS.
f) Interlocks: Interlock provisions for MSIS are similar to those described in Subsection 7.3.1.1.1f for SIAS.
g) Redundancy: Redundancy features for MSIS are similar to those described in Subsection 7.3.1.1.1h for SIAS.
h) Diversity: The parameters being measured are steam generator pressure and containment pressure; therefore functional diversity is applicable.
i) Sequencing: Sequencing equipment and functions for MSIS are similar to those described in Subsection 7.3.1.1.1g for SIAS.
j) Auxiliary Supporting Systems Required: The auxiliary supporting systems required are identified and described in Subsection 7.3.1.1.6.
7.3.1.1.6 ESF Supporting Systems
The ESF supporting systems listed below are described in the referenced sections:
a) Component Cooling Water System (Subsection 9.2.2)
b) Intake Cooling Water System (Subsection 9.2.1)
c) Onsite Power System, including the diesel generator system (Section 8.3)
d) Diesel Fuel Oil Storage and Transfer System (Subsection 9.5.4)
e) Heating, Ventilating and Air Conditioning (HVAC) Systems as required for areas containing systems and equipment required for safe shutdown (Section 9.4).
7.3.1.1.7 Systems Not Actuated by ESFAS
a) Combustible Gas Control System: The Combustible Gas Control System is provided to control the concentration of hydrogen that may be released into containment following a LOCA; see Subsection 6.2.5.
7.3.1.1.8 Auxiliary Feedwater Actuation Signals
This description deals with the instrumentation and controls for the auxiliary feedwater actuation signals (AFAS-1, AFAS-2). Refer to Subsection 10.4.9 for a description of the "Auxiliary Feedwater System" (AFWS). The safety related display information which provides the operator with information to monitor the required safety functions is described in Section 7.5.
The instrumentation and controls for the components and equipment in channel MA, MB, MC and MD are physically separated and electrically isolated and independent of each other. This independence maintains the redundancy required to ensure the functional capability of the equipment following a design basis event which is mitigated by the AFWS.
The AFAS actuation logic is shown functionally on Figures 7.3-12 and 7.3-14. It initiates auxiliary feedwater to a steam generator on a low level signal following a variable preset initiation delay period that performs in accordance with the Technical Specifications. However, the initiation of AFW to a steam generator with a low level condition will be prevented by the AFAS logic if the steam generator or its associated auxiliary feedwater supply header is identified as being ruptured.
A steam generator is identified as being ruptured when its pressure is approximately 275 psi below the other steam generator coincident with its own low level signal and with the other steam generator and auxiliary feedwater header being identified as not ruptured, per Technical Specification ESFAS trip value requirements. An auxiliary feedwater supply header is identified as ruptured when its pressure is approximately 150 psi below the other feedwater header pressure coincident with its associated steam generator low level signal and with the other steam generator and auxiliary feedwater header being identified as not ruptured, per Technical Specification ESFAS trip value requirements.
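The rupture discrimination described above can be expressed as a small state model. The following Python sketch is an added illustration, not part of the FSAR or of the plant's logic: it models a single measurement channel only (no coincidence voting), the level setpoint, resetpoints and delay are placeholders, and resolving "the other side identified as not ruptured" by comparing raw indications is an assumption.

```python
from dataclasses import dataclass

# Placeholder values (assumptions). The page states only the approximate
# pressure differentials; level setpoints, resetpoints and the delay are set
# by the Technical Specifications and are not given on the page.
SG_DP_PSI = 275.0     # SG pressure differential that flags a ruptured SG
HDR_DP_PSI = 150.0    # header pressure differential that flags a ruptured header
LOW_LEVEL = 20.0      # low-level trip setpoint, percent (placeholder)
RESET_EARLY = 22.0    # resetpoint before the delay completes (placeholder)
RESET_LATE = 30.0     # resetpoint after the delay completes (placeholder)
DELAY_S = 120.0       # initiation delay, seconds (placeholder)


@dataclass
class Side:
    """Process values for one steam generator and its AFW supply header."""
    sg_psi: float
    hdr_psi: float
    level: float


class LevelBistable:
    """Low-level bistable with two resetpoints and the initiation delay."""

    def __init__(self):
        self.tripped_at = None  # time the low-level trip began, or None

    def delay_done(self, t):
        return self.tripped_at is not None and t - self.tripped_at >= DELAY_S

    def update(self, t, level):
        if self.tripped_at is None:
            if level <= LOW_LEVEL:
                self.tripped_at = t
        else:
            # Narrow reset band before the delay expires, wide band afterwards.
            reset = RESET_LATE if self.delay_done(t) else RESET_EARLY
            if level >= reset:
                self.tripped_at = None
        return self.tripped_at is not None


def candidate(own, other, low):
    """Raw rupture indication: own low level plus either pressure differential."""
    sg = other.sg_psi - own.sg_psi >= SG_DP_PSI
    hdr = other.hdr_psi - own.hdr_psi >= HDR_DP_PSI
    return low and (sg or hdr)


class Afas:
    """Feed decision for steam generators 1 and 2 (AFAS-1, AFAS-2)."""

    def __init__(self):
        self.bistable = {1: LevelBistable(), 2: LevelBistable()}

    def step(self, t, s1, s2):
        sides = {1: s1, 2: s2}
        low = {n: self.bistable[n].update(t, sides[n].level) for n in (1, 2)}
        cand = {1: candidate(s1, s2, low[1]), 2: candidate(s2, s1, low[2])}
        feed = {}
        for n, other in ((1, 2), (2, 1)):
            # Assumption: a side is identified as ruptured only when the
            # other side shows no rupture indication of its own.
            ruptured = cand[n] and not cand[other]
            feed[n] = self.bistable[n].delay_done(t) and not ruptured
        return feed


def steam_line_break_demo():
    """Constructed transient: SG 1 depressurises while both levels are low."""
    faulted = Side(sg_psi=500.0, hdr_psi=880.0, level=10.0)
    healthy = Side(sg_psi=850.0, hdr_psi=900.0, level=15.0)
    afas = Afas()
    return [afas.step(t, faulted, healthy) for t in (0.0, 60.0, 120.0)]
```

In the constructed transient, neither generator is fed until the delay expires; after that only the intact generator receives auxiliary feedwater.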
The AFAS actuation logic isolates auxiliary feedwater flow to a steam generator upon recovery of steam generator level. A separate auxiliary feedwater actuation signal is generated for each steam generator (AFAS-1, AFAS-2).
The AFAS logic employs three channels of initiating signals to provide a two-out-of-three actuation sequence of system components. However, to enhance plant availability, a fourth channel is provided as a spare and allows bypassing of one channel while maintaining the requisite two-out-of-three logic.
The components actuated by the AFAS-1 and AFAS-2 logic are provided on Table 7.3-11. The failure modes and effects analysis for the AFAS logic is provided on Table 7.3-12.
a) Initiating Circuits: The AFAS initiation circuits are similar to the initiation circuits described in Subsection 7.3.1.1.1a for SIAS except that Steam Generator 2A and 2B pressure, Feedwater Header Pressure 1 and 2 and Steam Generator Level 2A and 2B are the parameters monitored as shown in Figure 7.3-12.
7.3-15a Amendment No. 13 (05/00)
b) Logic
1) The steam generator low level initiation signals generated in the four measurement channels (MA, MB, MC, MD) are received by four bistable comparators for each parameter. At the bistables, the signals are compared to predetermined setpoints. Whenever a channel parameter reaches the predetermined setpoint, the bistable initiates a channel trip which is characterized by the deenergization of three bistable trip relays. Channel trip reset, characterized by the energization of the bistable relays, occurs whenever a channel parameter returns to a value representing the setpoint plus a predetermined bistable hysteresis resetpoint. Two bistable hysteresis resetpoints operate to reset the channel trip before and after completion of a predetermined initiation time delay period.
Contacts from the bistable relays of the same system in the four protective channels are arranged into six logic ANDs, designated AB, AC, AD, BC, BD and CD, which represent all possible coincidence-of-two combinations. To form an AND circuit, the bistable trip relay contacts associated with the same AFAS (AFAS-1 or AFAS-2) are connected in parallel (e.g., one from channel A and one from channel B). This process is continued until all combinations have been formed. Each logic matrix is connected in series with a set of four matrix output relays. Each logic matrix is powered from two separate 120V Class 1E instrument power supply buses through dual dc power supplies.
The contacts of the matrix relays are combined into four initiation circuits, one circuit per channel per AFAS. Each initiation circuit is formed by connecting six contacts (one matrix relay contact from each of the six logic matrices) in series. The six series contacts are in series with the initiation delay circuit and the initiation relay. The initiation relay outputs are combined to form the actuation logic.
2) Actuation Logic: The actuation logic is formed by combining the initiation circuit output signals from the four channels into a selective two-out-of-three logic within each channel. Upon actuation of this logic the appropriate (AFAS 1 or 2) AFAS actuation relays will deenergize to control the individual AFWS components.
The actuation relays are subdivided into two categories as follows:
(a) Cycling Relays - These relays control the auxiliary feedwater isolation valves and will automatically reset when the steam generator has refilled or a steam generator or feedwater header has been identified as being ruptured. The main feedwater isolation valves also utilize cycling relays, which close the isolation valves to the affected steam generator. After relay reset, valve control is returned to the operator; however, the valve will remain closed.
(b) Latching Relays - These relays control the auxiliary feedwater pumps and the AFW system turbine inlet valves, and will remain in the actuated condition until manually reset.
c) Trip Generator (Output Relays): Signals from the process measurement loops are sent to bistables where the input signals are compared to the predetermined trip setpoints. Whenever a parameter reaches the trip value, the bistable output deenergizes. This and other similar signals form the AFAS logic signal which deenergizes three bistable relays when the appropriate conditions are met. The bistable relay contacts change state, effecting the appropriate coincidence logic (Subsection 7.3.1.1.8b(1)).
The bistable and differential bistable setpoints are adjusted at the AFAS cabinet. Access to the adjustments is administratively controlled by means of a key locked cover. The initiation delay time setpoints and bistable hysteresis resetpoints are adjusted internal to the AFAS cabinet. The setpoints within each channel can be monitored through test jacks located on the AFAS cabinet.
d) Testing Circuitry: Provisions for testing the AFAS are similar to those described in Subsections 7.2.1.1.9.1, 7.2.1.1.9.2, 7.2.1.1.9.4 and 7.2.1.1.9.5 except as discussed below:
1) Bistable Comparator Test: Operation of the bistable hysteresis resetpoints is verified using hysteresis test switches for each low steam generator level bistable (see Figure 7.3-13). The bistable is placed in a tripped condition by test methods defined in Subsection 7.2.1.1.9.2, then the test input signal is increased until reset occurs.
2) Actuation Logic Test: This test verifies the proper operation of the AFAS actuating logic circuits (refer to Figure 7.3-13). The selective two-out-of-three logic circuit, located in the AFAS Cabinet, of each AFAS channel is tested in a manner identical to the Trip Path/Circuit Breaker System (see Subsection 7.2.1.1.9.5). One current leg of the selective two-out-of-three logic matrix is interrupted by opening one of the current leg's contacts and loss of current in that current leg is verified. Each contact in both current legs is checked in this manner.
Initiation delay operation is tested using an initiation delay test switch (see Figure 7.3-13). One current leg of the selective two-out-of-three logic matrix is interrupted and loss of current in that leg is verified by the extinguishing of an AFAS panel indicator. Upon completion of the delay time period, the initiation delay function under test is automatically reset and the restoration of current is verified by the illumination of the panel indicator. The manual trips are checked one at a time from the MAIN CONTROL BOARD and the lockout relay contacts are checked via the individual relay test system.
3) Actuating Device Test: Proper operation of the AFAS relays in the AFAS Cabinet is verified by deenergizing the relays one at a time via a test relay contact (see Figure 7.3-12) and noting the proper operation of all actuated components in that trip function (AFAS-1 or AFAS-2). The relay will automatically reenergize and return its components to the pretest condition when the test pushbutton is released.
The design of the test system is such that only one relay may be deenergized at a time. The test switch must be positioned to the function relays (AFAS-1 or AFAS-2) to be tested; selection of more than one function is impossible. The test circuit is electrically locked out upon actuation of a particular AFAS function.
e) Bypasses
1) Trip Channel Bypass: A bypass is provided to remove an AFAS function from one of the channels from service for maintenance or testing. The requisite two-out-of-three trip logic is unaffected by this bypass. The remaining trip functions in that channel are unchanged. The bypass is manually initiated and manually removed. The bypass is initiated by use of a pushbutton behind a key locked panel. When an AFAS is bypassed there is an audible and visible alarm to indicate which channel is being bypassed.
Based on the following considerations, Technical Specification action statements pertaining to one inoperable AFAS or AFW Isolation measurement channel were revised (via Technical Specification Amendment #132 and Engineering Evaluation PSL-ENG-SENS-00-024) to restrict the amount of time an inoperable channel could remain in a tripped condition. With one inoperable channel placed in trip, single failure of another AFW Isolation logic channel could compromise the rupture detection logic. This same Technical Specification Amendment also restricted the amount of time that either AFAS-1 or AFAS-2 could remain in bypass without bypassing both AFAS actuation functions in the affected channel. This change was also required to ensure the rupture detection logic could not be compromised by a postulated single failure.
2) Battery Fail Bypass: A bypass is provided upon battery failure defined as the loss of inverter output power to two AFAS channels. The bypass is automatically initiated and removed. Upon loss of power, the bypass is applied in one affected channel while the other affected channel trips. This results in a one-out-of-two trip logic for the remaining two unaffected channels. There is an audible and visible alarm to indicate which channel is bypassed. The automatic bypass operates on a priority basis in conjunction with trip channel bypass to preclude bypassing of more than one channel at a time.
f) Interlocks: Two interlocks are provided within the AFAS cabinet as follows:
1) Bypass Interlock - A priority bypass system prevents the operator from bypassing more than one AFAS function in a channel at a time.
2) Test System Interlock - A priority interlock prevents more than one channel of the AFAS from being tested at a time.
7.3-15d Amendment No. 16 (2/05)
g) Sequencing: The AFAS simultaneously actuates the following AFW components:
1) The AFWS pumps and the Auxiliary Feedwater turbine inlet valves are latched on.
2) ... feedwater to Steam Generator 2A
If a minimum pressure differential exists between steam generators or feedwater headers indicating a rupture, the associated AFWS isolation valves will remain closed. Once the steam generator level has reached its high level setpoint, the AFAS trip condition will no longer be generated, and the AFWS isolation valves will close.
3) The main feedwater isolation valves also utilize cycling relays, which close the isolation valves to the affected steam generator. After relay reset, valve control is returned to the operator; however, the valve will remain closed.
Each AFAS actuates the components listed on Table 7.3-11. However, to ensure that the emergency diesel generator loads are properly assigned in the event of loss of offsite power, individual time relays are provided to delay starting of the equipment in accordance with the diesel generator sequence in Table 8.3-2.
h) Redundancy: Redundancy features for the AFAS-1 and AFAS-2 are similar to those described in Subsection 7.2.1.1.8.
i) Diversity: The system is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist.
The design provides reasonable assurance that the protective system cannot be made inoperable by the inadvertent actions of operating or maintenance personnel. The design is not encumbered with additional channels or components without reasonable assurance that such additions are beneficial.
The bistable and matrix relay cards found in the AFAS cabinets have a high level of diversity with respect to the relays found in the RPS. In general the AFAS relays have different types of reed switch assemblies than the RPS relays. These relays are the only area of concern identified by the NRC relevant to the mitigation requirement of the ATWS Rule (10 CFR 50.62) and they maintain diversity between the RPS and AFAS. It has been concluded that the different relay cards are sufficient to show compliance with the NRC ATWS Rule on auxiliary feedwater initiation, 10 CFR Part 50.62. (See Section 7.6.3.11)
j) Auxiliary Supporting Systems Required: The auxiliary supporting systems required are described in Subsection 7.3.1.1.6.
7.3.1.2 Design Basis Information
The ESFAS conforms to IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and contains the following actuations:
a) Safety Injection Actuation Signal (SIAS) - De-energized to Actuate
b) Recirculation Actuation Signal (RAS) - Energized to Actuate
c) Containment Spray Actuation Signal (CSAS) - Energized to Actuate
d) Containment Isolation Actuation Signal (CIAS) - De-energized to Actuate
e) Main Steam Isolation Signal (MSIS) - De-energized to Actuate
f) Auxiliary Feedwater Actuation Signal - 1 (AFAS-1) - De-energize to Actuate
g) Auxiliary Feedwater Actuation Signal - 2 (AFAS-2) - De-energize to Actuate
Per Section 3 of IEEE 279-1971 "Design Basis", the design bases for the ESFAS are listed below:
Basis 1
Design basis events requiring protective actions are as follows:
a) Loss of Reactor Coolant - the actuating signals are SIAS, CIAS, CSAS, MSIS
b) Steam Generator Tube Rupture - the actuating signal is SIAS
c) Steam or Feedwater Line Break (Inside Containment) - the actuating signals are: SIAS, CSAS, CIAS, MSIS, AFAS-1, AFAS-2
d) Steam or Feedwater Line Break (Outside Containment) - the actuating signals are: MSIS, AFAS-1, AFAS-2
Basis 2
The station variables which must be monitored to provide protective actions are listed in Table 7.3-1.
Basis 3
None of the station variables referred to in Basis 2 are spatially dependent. The locations of the ESFAS sensors are listed in Table 7.3-1.
Bases 4,5,6
Table 7.3-1 lists normal operating conditions, and the nominal actuation setpoints for the ESFAS monitored variables.
Basis 7,8
The ESFAS is designed to function so that:
a) The ranges of transient and steady-state conditions, during circumstances in which the system must perform, fall within the operating ranges of the equipment.
b) Any single failure does not prevent system action when required.
c) A loss of power to the measurement channels and/or to the logic system causes system actuation except for the containment spray and recirculation actuation signals.
d) The environmental conditions that accompany the design basis accident do not interfere with the ability of the systems to perform their safety function. Environmental design conditions for ESFAS instrumentation are discussed in Section 3.11.
e) The systems are designed to withstand safe shutdown earthquake loads without loss of their safety functions as discussed in Section 3.10.
Basis 9
a) ESFAS response times are discussed in UFSAR Table 13.7.2-2. For the CIAS Radiation Detectors, see Subsection 7.3.2.1.3.
b) Sensor accuracies and processing time delays are taken into account in the selection of each ESFAS trip setpoint. Response times and analysis setpoints used in the safety analysis are provided in Chapters 6 and 15. Accuracies and processing time are provided in appropriate vendor manuals and design calculations.
c) The ranges for the sensed variables that are accommodated by the ESFAS until proper conclusion of the protective action is assured are as shown on Table 7.3-1.
In addition to conforming to IEEE 279-1971, the ESFAS meets the following design bases:
a) The systems meet the applicable criteria of 10CFR 50, Appendix A and General Design Criteria as discussed in Subsection 7.3.2.1.1.
b) Channel independence is maintained by electrical and physical separations between redundant channels.
c) Equipment, including panels, components and cables associated with the protection system are uniquely identified.
d) The systems can be tested during reactor operation as far as practical without interrupting operation.
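The six two-channel coincidence matrices of Subsection 7.3.1.1.8 b), the single-channel bypass, and the loss-of-power behaviour stated in Basis 7,8 can be checked by enumeration. The Python model below is an added illustration, not part of the FSAR or of the plant's logic; the function names and the grouping of channels A and B on one power source are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")
MATRICES = list(combinations(CHANNELS, 2))  # AB, AC, AD, BC, BD, CD


@dataclass(frozen=True)
class Channel:
    tripped: bool = False   # bistable has reached its setpoint
    powered: bool = True    # channel power is available
    bypassed: bool = False  # trip channel bypass applied


def contributes(ch, de_energize_to_actuate):
    """True if this channel presents a trip to the logic matrices."""
    if ch.bypassed:
        return False
    if not ch.powered:
        # A dead channel drops its relays: a trip for de-energize-to-actuate
        # logic, an inability to trip for energize-to-actuate logic.
        return de_energize_to_actuate
    return ch.tripped


def actuates(chans, de_energize_to_actuate):
    """Evaluate the six AND matrices; any one satisfied matrix actuates."""
    if sum(c.bypassed for c in chans.values()) > 1:
        raise ValueError("interlock: only one channel may be bypassed")
    live = {n: contributes(c, de_energize_to_actuate) for n, c in chans.items()}
    return any(live[a] and live[b] for a, b in MATRICES)


def make(trips="", dead="", bypass=""):
    """Build the four channels from strings of channel letters."""
    return {n: Channel(n in trips, n not in dead, n in bypass) for n in CHANNELS}


def exhaustive_check():
    """Matrix result must equal 'two or more non-bypassed channels tripped'
    for every trip pattern and every choice of bypassed channel."""
    for bypass in ("",) + CHANNELS:
        for pattern in product([False, True], repeat=4):
            trips = "".join(n for n, t in zip(CHANNELS, pattern) if t)
            votes = sum(1 for n in trips if n != bypass)
            if actuates(make(trips, bypass=bypass), True) != (votes >= 2):
                return False
    return True


def bus_loss(de_energize_to_actuate, trips=""):
    """Channels A and B lose power together (assumed to share one source)."""
    return actuates(make(trips, dead="AB"), de_energize_to_actuate)


def battery_fail_bypass(trips=""):
    """De-energize-to-actuate logic with the battery fail bypass: of the two
    dead channels, one is bypassed and the other is left to trip."""
    return actuates(make(trips, dead="AB", bypass="A"), True)


if __name__ == "__main__":
    print("2-of-4 / 2-of-3 equivalence holds:", exhaustive_check())
    print("spurious actuation, de-energize design:", bus_loss(True))
    print("spurious actuation, energize design:", bus_loss(False))
    print("energize design still actuates on C+D:", bus_loss(False, "CD"))
    print("battery fail bypass, C alone trips:", battery_fail_bypass("C"))
```

The enumeration confirms that bypassing any one channel leaves two-out-of-three logic, and the bus-loss cases show why the spray and recirculation signals are the energize-to-actuate exceptions in item c).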
7.3.1.3 System Drawings
Control wiring diagrams, block diagrams, final logic diagrams, and location layout drawings are listed and provided by reference in Section 1.7.
7.3.2 ANALYSIS
7.3.2.1 Engineered Safety Feature Actuation System
The design of each of the ESF systems, including design bases and evaluation, is presented in Chapter 6. The ESFAS and the instrumentation addressed here are designed to provide the following protective functions:
a) Initiate automatic protective action to assure that acceptable RCS pressure and fuel performance guidelines are not exceeded.
b) Initiate automatic protective action, during certain postulated incidents of moderate frequency, infrequent events and limiting faults, to aid the ESF systems in mitigating the consequences of an accident.
7.3.2.1.1 Design
As previously described, the major portion of the ESFAS is functionally identical to the Reactor Protective System (RPS). Because of this, many of the responses to the requirements of the General Design Criteria, IEEE 279-1971 and IEEE 338-1971 are identical to the responses for the RPS. Where responses for the two systems are identical, reference is made to the appropriate section. Section 3.1 provides a discussion of all General Design Criteria. This subsection describes how the requirements that are applicable to the ESFAS are satisfied.
Criterion 1: Quality Standards and Records
For a discussion of the Quality Assurance program, see Chapter 17.
Criterion 2: Design Bases For Protection Against Natural Phenomena
The design bases for protection against natural phenomena are described in Chapter 3.
Criterion 3: Fire Protection
For a discussion of separation criteria see Subsection 8.3.1. The design bases for fire protection are described in Subsection 9.5.1.
Criterion 4: Environmental and Missile Design Bases
Environmental design bases are described in Section 3.11. Missile design bases are described in Section 3.5.
Criterion 5: Sharing of Structures, Systems, and Components
No ESFAS components are shared with future or existing reactor facilities.
Criterion 10: Reactor Design

The ESFAS, in conjunction with the plant control systems and Technical Specification requirements, provides sufficient margin to trip setpoints so that: (1) during normal operation spurious protective action is not initiated, and (2) during plant transients RCS pressure and fuel performance guidelines are not exceeded. Parameter actuation setpoints are shown in Table 7.3-1.

Criterion 13: Instrumentation and Control

Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating ranges.

Criterion 19: Control Room

Instrumentation and controls are provided in the control room to safely operate the plant under normal conditions and to maintain it in a safe condition under accident conditions. Emergency shutdown from outside the control room is described in Subsection 7.4.1.5.

Criterion 20: Protection System Functions

The ESFAS is designed to initiate automatically the operation of appropriate systems to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and to sense accident conditions and to initiate the operation of systems and components important to safety.

Criterion 21: Protection System Reliability and Testability

Functional reliability is ensured by compliance with the requirements of IEEE 279-1971. Testing is in compliance with IEEE 338-1971, and consistent with the recommendations of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," 2/72 (R0).

Criterion 22: Protection System Independence

The ESFAS independence is assured through redundancy and diversity as described in Subsection 7.3.1.1.

Criterion 23: Protection System Failure Modes

Failure modes of the ESFAS components are discussed in Subsection 7.3.2.1.4.

Where protective action is required under adverse environmental conditions during certain incidents of moderate frequency, infrequent events and limiting faults, the ESFAS components are designed to function under such conditions.

Criterion 24: Separation of Protection and Control Systems

The ESFAS is separated from the control systems. No single failure of any control system component can impair the safety functions of ESFAS.

Criteria 34, 35, 37, 38, 40, 41, 43, 44 and 46

The ESF systems and the ESF support system are designed to comply with the above criteria. The instrumentation and control for these systems are discussed in Subsection 7.3.1.1.

Criteria 54, 55, 56, 57

The instrument sensing lines for monitoring containment pressure are discussed in Subsection 7.1.2.2.
7.3.2.1.2 Equipment Design Criteria

IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," establishes minimum requirements for safety related functional performance and reliability of the ESFAS. This subsection describes how the requirements listed in Section 4 of IEEE 279-1971 are satisfied.

4.1 "General Functional Requirements"

The ESFAS is designed to automatically actuate the appropriate ESF systems, where required, and to mitigate the effects of a DBA. Instrument performance characteristics, response time, and accuracy are selected for compatibility with and adequacy for the particular function. Trip setpoints are established by analysis of the system parameters. Factors such as instrument inaccuracies, bistable trip times, valve travel time, and pump starting times are considered in establishing the margin between the trip setpoints and the safety limits. The time response of the sensors and protective systems is evaluated for abnormal conditions. Since uncertainty factors are considered as cumulative for the derivation of these times, the actual response time may be more rapid. However, even at the maximum time, the system provides conservative protection.

4.2 "Single Failure Criterion"

The ESFAS is designed so that any single failure within the system does not prevent proper protective action at the system level. Single failures considered include electrical faults (e.g., open, shorted or grounded circuits) and physical events (e.g., fires, missiles) resulting in mechanical damage. Compliance with the single failure criterion is accomplished by providing redundancy of power supplies and actuation circuits, and by separating the redundant elements electrically and physically to achieve the required independence. Each of these provisions is discussed below:

a) Redundancy

The ESFAS consists of redundant subsystems and/or components for maximum system reliability. Each of the redundant components has automatic and/or manual actuation circuits which are separate from those provided for its redundant counterpart. Redundant instrumentation is provided to monitor ESFAS parameters.

b) Electrical Separation

Electrical separation is achieved through the provision of independent power supplies and the elimination of electrical interconnection between redundant elements. Control power for redundant circuits is fed from separate 125V dc buses, through four redundant 125V dc to 120V ac inverters. The ac UPS power supply four channel concept is described in Subsection 7.2.1.1.10.

The provision of separate power supplies and elimination of electrical connections between redundant circuits ensures that loss of power or electrical faults on any circuit cannot affect the redundant circuit.

c) Physical Separation

Protection against the possibility of mechanical damage to both redundant portions of any instrumentation and control system required for the ESFAS is achieved by spatial separation and/or the provision of physical barriers between redundant elements.

Physical separation within control panels is achieved by providing at least six inches of spatial separation between redundant circuitry or by a metal barrier. This separation is provided between control switches, bistables, relays and wiring necessary to actuate and control redundant components.

Cable trays and conduit containing redundant wiring and cables necessary to actuate and control redundant components are physically separated as discussed in Subsection 8.3.1.2. The four channel independence is as described in Subsection 7.3.1.1.1h.

The redundant wiring and circuitry of the instrumentation and control systems required for ESFAS are marked and identified as described in Subsection 8.3.1.3.

The evaluation of the effects of specific single faults in the logic portion of the system included electrical faults (e.g., open, shorted or grounded circuits) and physical events (e.g., fires, missiles) resulting in mechanical damage. Compliance with the single failure criterion is accomplished by providing redundancy of sensors, measurement channels, logic matrices and actuation channels and separating these redundant elements electrically and physically to achieve the required independence.

4.3 "Quality Control of Components and Modules"

For a discussion of the Quality Assurance Program see Chapter 17.

4.4 "Equipment Qualification"

The ESFAS meets the equipment qualification requirements described in Sections 3.10 and 3.11.

4.5 "Channel Integrity"

Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents.

Loss of or damage to any one path does not prevent ESF actuation. Sensors in lines are routed so that failure of any one line does not prevent timely ESF actuation. The components located in the containment are capable of operating in their specified environment described in Section 3.11.

4.6 "Channel Independence"

Channel independence is provided in accordance with Regulatory Guide 1.75, "Physical Independence of Electric Systems," 1/75 (R1). The locations of the sensors, and the points at which the sensing lines are connected to the process loop, have been selected to provide physical separation of the channels, thereby precluding a situation in which a single event could remove or negate a protective function. Sensing lines are routed together in channel pairs. Redundant sensing lines are routed separately and are separated either by a barrier or a distance of four ft. These separations start from as close to the process taps as practical and continue out to the sensor mounting locations. This includes separation at the containment penetration areas.

In the control room, protective system trip channels are located in individual compartments. Mechanical and thermal barriers between these compartments minimize the possibility of common event failure. Outputs from the components in this area to the control boards are isolated so that shorting, grounding, or the application of the highest available local voltages (120V ac, 125V dc) do not cause channel malfunction. Separate cabinets are provided in the control room for each of the ESFAS channels to separate components, logic and cable terminations associated with each channel.

Engineered safety features A and B actuating circuits are maintained independent with respect to signal interconnections for the AB shared system equipment control by both physical separation and electrical isolation.
Figure 7.3-11 shows this arrangement. A welded sheet metal box is located in each ESFAS logic cabinet and contains AB equipment actuation relays. These relays with 24 volt dc coils are hermetically sealed. The AB cables are routed from an AB tray through steel conduit to the AB1 and AB2 boxes and connected to the terminal boards. Tefzel insulated wires connect the terminal board and relay contacts. The two relay coils are connected to a 2-out-of-4 actuation module which is used for AB relay only. A failure mode and effects for ESFAS AB system is given in Table 7.3-8. All other design concepts which meet the requirements of IEEE Standard 279-1971 and IEEE Standard 384-1977.

The isolation box is located in both the 9N38-5 and 9N38-6 cabinets and a single normally closed contact is used to provide a start signal to the C pump. The isolation characteristic is provided by a relay (coil to contacts) in each of the isolation boxes. The approximate isolation barrier is 500 volts ac or dc between the coil and contacts of this relay. The response time is approximately 12 milliseconds and the relay coil and contact wiring within the isolation box is routed so that the input (coil) and other (contacts) wires do not come in proximity.

4.7 "Control and Protection System Interaction"

No portion of the ESFAS is used for both control and protection functions.

4.8 "Derivation of Systems Inputs"

ESFAS inputs are derived from signals that are direct measures of the desired variables.

4.9 "Capability for Sensor Checks"

The ESFAS monitoring sensors are checked by comparing the monitored variables of redundant channels or by observing the effects of introducing and varying a substitute input to the sensor similar to the measured variable.

4.10 "Capability for Test and Calibration"

IEEE 338-1971 and Regulatory Guide 1.22 (R0) provide guidance for the development of procedures, equipment and documentation of periodic testing. The measurement signals for the ESFAS have the capability of being tested and calibrated under the design requirements of the system.

4.11 "Channel Bypass or Removal from Operation"

Any one of the four protective system channels may be tested, calibrated, or repaired without detrimental effects on the system. The single failure criterion is met during this condition. Redundant two channel systems are not bypassed during testing. Their tests are conducted in the actuated or safety position.

4.12 "Operating Bypasses"

Operating bypasses in the form of blocks for the SIAS and MSIS are discussed in Subsections 7.3.1.1.1 and 7.3.1.1.5, respectively. The operating bypasses are automatically removed when the permissive conditions are not met. The circuitry and devices which function to remove these inhibits are designed in accordance with IEEE 279-1971.

4.13 "Indication of Bypasses"

Indication of test or bypass conditions or removal of any channel from service is given by lights and annunciation at the system level and at the component level. Bypasses that are automatically removed at fixed setpoints are alarmed and indicated (see Table 7.3-10).

Conformance to ICSB 21 Position B.3, B.4, and B.5 can be summarized as follows:

B.3) St. Lucie Unit 2 ESF bypass indicating system provides availability (or bypass) indications of all ESF systems. These indications are at a system level. Means are not provided to cancel erroneous bypass indication. However, the operator can always assure the system status by cross checking the associated component operating status through their corresponding annunciation windows.

B.4) The ESF bypass indicating system is strictly status indication available to the control room operator. Based on the bypass information and other related instrumentation, the operator can intelligently coordinate all maintenance/test activities throughout the plant, without compromising the plant safety.

B.5) Proper isolation devices are provided between the bypass indicating system and all safety-related systems to assure adverse effects cannot propagate from the indicating systems to the plant safety systems. Isolation devices are in accordance with Regulatory Guide 1.75 (R1).

4.14 "Access to Means for Bypassing"

The design of the ESFAS logic cabinets permits the administrative control of the means for manually bypassing measurement or actuation channels. The cabinets are located in the control room adjacent to the RTG boards. An administratively controlled key is required to permit only authorized access to the logic cabinets. Any channel that is bypassed is visibly indicated and annunciated on system and component level annunciators.

4.15 "Multiple Setpoints"

There are no multiple setpoints used for the ESFAS.

4.16 "Completion of Protective Action Once it Is Initiated"

The system is designed to ensure that protective action goes to completion once initiated.
4.17 "Manual Initiation"

For each ESFAS actuation a manual spring return switch and a "think" pushbutton are provided in each of the redundant channels. The operator must turn the switch while simultaneously pressing the "think" pushbutton in order to manually initiate the ESFAS channel. The switch and the pushbutton for each channel are located together on the control boards.

4.18 "Access to Setpoint Adjustments, Calibration and Test Points"

A key is required for access to setpoint adjustments, calibration and test points. Access is also visually and audibly annunciated. Setpoints are periodically checked during each periodic test.

4.19 "Identification of Protective Action"

Indication lights and/or annunciators are provided for identification of ESFAS status or trips in the control room.

4.20 "Information Readout"

Instruments are provided in the control room to allow the operator to monitor ESFAS measurement channel inputs. The specific displays that are provided for continuous monitoring are described in Subsection 7.5.1.

4.21 "System Repair"

Identification of a defective channel is accomplished by observation of system status lights or by testing as described in Subsection 7.3.1.1.1d. Replacement or repair of components is accomplished with the affected channel bypassed.

4.22 "Identification"

The ESFAS equipment, including panels, modules, and cables associated with the actuation system, are uniquely identified. Interconnecting cables are color coded on a channel basis (see Subsection 8.3.1.3).
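The single failure criterion of 4.2 and the statement in 4.11 that it is still met with one of the four channels out of service can be checked exhaustively on a small model. The following is an added example, not part of the FSAR: it assumes two-out-of-four coincidence voting among the measurement channels and that a bypassed channel is simply removed from the vote (leaving two-out-of-three); the two-channel arrangements are constructed here only for contrast.

```python
"""Exhaustive single-failure check of coincidence voting logic (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Logic:
    name: str
    channels: int  # redundant measurement channels feeding the vote
    required: int  # coincident channel trips needed to actuate


def actuates(logic: Logic, demand: bool, bypassed: Optional[int] = None,
             failed: Optional[int] = None, stuck_tripped: bool = False) -> bool:
    """Return True if the voting logic produces an actuation signal.

    demand        -- the monitored variable really is past its setpoint
    bypassed      -- index of a channel removed from service, or None
    failed        -- index of the one channel carrying a single failure, or None
    stuck_tripped -- the failed channel's output: stuck tripped (True)
                     or stuck untripped (False)
    """
    votes = 0
    for ch in range(logic.channels):
        if ch == bypassed:
            continue  # assumption: a bypassed channel contributes no vote
        tripped = stuck_tripped if ch == failed else demand
        votes += int(tripped)
    return votes >= logic.required


def single_failure_check(logic: Logic, bypassed: Optional[int] = None) -> dict:
    """Try every single channel failure among the in-service channels."""
    in_service = [ch for ch in range(logic.channels) if ch != bypassed]
    cases = [None] + in_service  # None is the no-failure case
    return {
        # A channel that cannot trip must not prevent actuation on real demand.
        "actuates_on_demand": all(
            actuates(logic, True, bypassed, f, stuck_tripped=False) for f in cases),
        # A channel stuck tripped must not actuate the system on its own.
        "no_spurious_actuation": all(
            not actuates(logic, False, bypassed, f, stuck_tripped=True) for f in cases),
    }


TWO_OF_FOUR = Logic("2-out-of-4", channels=4, required=2)
ONE_OF_TWO = Logic("1-out-of-2", channels=2, required=1)   # constructed contrast case
TWO_OF_TWO = Logic("2-out-of-2", channels=2, required=2)   # constructed contrast case


def survey() -> list:
    """Check each logic with no bypass and with each channel bypassed in turn."""
    rows = []
    for logic in (TWO_OF_FOUR, ONE_OF_TWO, TWO_OF_TWO):
        rows.append((logic.name, "none", single_failure_check(logic)))
        for ch in range(logic.channels):
            rows.append((logic.name, f"channel {ch}",
                         single_failure_check(logic, bypassed=ch)))
    return rows


if __name__ == "__main__":
    print(f"{'logic':<12}{'bypassed':<12}{'on demand':<12}{'no spurious'}")
    for name, bypass, result in survey():
        print(f"{name:<12}{bypass:<12}"
              f"{str(result['actuates_on_demand']):<12}"
              f"{result['no_spurious_actuation']}")
```

In this model the four-channel logic passes both checks with any one channel bypassed, while neither two-channel arrangement passes the demand check once a channel is bypassed.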
7.3.2.1.3 Testing Criteria

IEEE 338-1971, "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Generating Station Protection Systems," and Regulatory Guide 1.22 (R0) provide guidance for development of procedures, equipment, and documentation of periodic testing. The basis for the scope and means of testing is described in this section. Test intervals and their bases are included in the Technical Specifications.

Since operation of the ESF system is not expected, the systems are periodically tested to verify operability. The system is tested from the sensor signal through the actuation devices. Complete channels can be individually tested without initiating protective action, without violating the single failure criterion, and without inhibiting the operation of the systems.

The organization for testing and for documentation is described in Chapter 13. Minimum frequencies for checks, calibration and testing of the ESFAS instrumentation are given in the Technical Specifications. Overlap in the checking and testing is provided to assure that the entire channel is functional.

The operability of the measurement channel sensors is verified during reactor operation by cross-checking between sensor output signals. Each of the ESFAS sensors has a control room readout and the operator can detect sensor malfunction through anomalous indication of the failed sensor.

Testing of ESFAS subgroup relays is performed on a staggered basis such that all relays are tested at least once every fuel cycle. Those components which cannot be tested during reactor operation because of their potential impact are tested during scheduled reactor shutdown.

During refueling the ESFAS sensors are checked and calibrated against known standards. The test equipment which is used to verify the sensor accuracies is checked periodically against shop reference standards traceable to nationally recognized standards. The pressure and electronic calibration standards are as accurate as, or better than, the devices to be checked.

Testing of ESFAS sensor response times is in accordance with Section 13.7.2.2 and the requirements of the Technical Specifications. However, sensor response time testing is not required for the CIAS radiation detectors. This is because preoperational response time tests have shown that the response time is negligible with respect to the rest of the radiation detection system, and that this response will not change through the life of the detectors.

7.3.2.1.4 Failure Modes and Effects Analysis

Failure modes and effects analyses for the ESFAS are provided in Table 7.3-7. Figure 7.3-1 shows the typical logic, bistables, and isolation modules.

7.3.2.1.5 Consideration of Selected Plant Contingencies

a) Loss of Instrument Air System

None of the essential control or monitoring instrumentation is pneumatic. Electrical instrumentation is powered from the emergency power system. Therefore, the loss of instrument air does not degrade instrumentation and control systems required for shutdown of the plant.

b) Loss of Cooling Water to Vital Equipment

None of the instrumentation and controls required for safe shutdown rely on cooling water for operation. Air conditioning systems required to maintain the environment within the instrument design parameters are redundant and described in Sections 6.4 and 9.4.
TABLE 7.3-1 ESFAS SENSOR PARAMETERS AND SETPOINTS

Parameter | Location | Tag Nos. | Instrument(c) Range | Normal Operating Conditions | Nominal Actuation Setpoint |
---|---|---|---|---|---|
Pressurizer Pressure | See Table 1.7-1, Dwg. No. G226 | PT-1102 A,B,C,D | | 2170-2330 psia | (a) |
Containment Pressure | See Table 1.7-1, Dwg. No. G226 | PT-07-2 A,B,C,D | | 0 | (a) |
Steam Generator Pressure | See Table 1.7-1, Dwg. No. G226 | PT-8013 A,B,C,D; PT-8023 A,B,C,D | | 815-915 psia | (a) |
Steam Generator Delta Pressure | See Table 1.7-1, Dwg. No. G226 | PT-8013 A,B,C,D; PT-8023 A,B,C,D | | 0 | (a) |
Containment Radiation(b) | See Figures 1.2-8, 1.2-10 & 1.2-11 | RD-26-3; RD-26-4; RD-26-5; RD-26-6 | | 200 mR/hr | (a) |
Refueling Water Tank Water Level | See Table 1.7-1, Dwg. No. G226 | LT-07-2 A,B,C,D | | 32.5' to 38' | (a) |
Feedwater Header Delta Pressure | Dwg. No. G226 Sh 3 | PT 9A,B,C,D; PT-09-10A,B,C,D | | 0 psid | (a) |
Steam Generator Level | See Table 1.7-1, Dwg. No. G226 | LT-9013A,B,C,D; LT-9023A,B,C,D | | 65% | (a) |

(a) Specific setpoint values are provided in the Technical Specifications.
(b) Due to the configuration of these detectors, response time testing is not required. Also see Subsection 7.3.2.1.3.
(c) Instrument ranges are selected in accordance with standard engineering practices.
TABLE 7.3-2 COMPONENTS ACTUATED ON SIAS

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Start | Low Pressure Safety Injection Pump | 2A | x | 1A |
Start | Low Pressure Safety Injection Pump | 2B | x | 1B |
Start | High Pressure Safety Injection Pump | 2A | x | 1A |
Start | High Pressure Safety Injection Pump | 2B | x | 1B |
Open | LPSI Discharge Valve to Loop 2A-2 | HCV-3615 | x | 2A |
Open | LPSI Discharge Valve to Loop 2A-1 | HCV-3625 | x | 2A |
Open | LPSI Discharge Valve to Loop 2B-1 | HCV-3635 | x | 2B |
Open | LPSI Discharge Valve to Loop 2B-2 | HCV-3645 | x | 2B |
Open | HPSI Header A Disch. Valve to Loop 2A-2 | HCV-3617 | x | 2A |
Open | HPSI Header A Disch. Valve to Loop 2A-1 | HCV-3627 | x | 2A |
Open | HPSI Header A Disch. Valve to Loop 2B-1 | HCV-3637 | x | 2A |
Open | HPSI Header A Disch. Valve to Loop 2B-2 | HCV-3647 | x | 2A |
Open | HPSI Header B Disch. Valve to Loop 2A-2 | HCV-3616 | x | 2B |
Open | HPSI Header B Disch. Valve to Loop 2A-1 | HCV-3626 | x | 2B |
Open | HPSI Header B Disch. Valve to Loop 2B-1 | HCV-3636 | x | 2B |
Open | HPSI Header B Disch. Valve to Loop 2B-2 | HCV-3646 | x | 2B |
Close | HPSI Hot Leg Line Check Leak Drain Valve | V3572 | x | 3A |
Close | S.I. Tank Test Line Valve to RWT | SE-03-2A | x | 3A |
Stop | Reactor Cavity Cooling Fan | HVS-2A | x | 3A |
Start Inhibit | Reactor Cavity Cooling Fan | HVS-2A | x | 3A |
Stop | Reactor Support Cooling Fan | HVE-3A | x | 3A |
Start Inhibit | Reactor Support Cooling Fan | HVE-3A | x | 3A |
Stop | CEDM Cooling Fan | HVE-21A | x | 3A |
Start Inhibit | CEDM Cooling Fan | HVE-21A | x | 3A |
Close | S.I. Tank 2A1 Recirc Drain Valve | HCV-3628 | x | OA |
Close | S.I. Tank 2A2 Recirc Drain Valve | HCV-3618 | x | OA |
Close | S.I. Tank 2B1 Recirc Drain Valve | HCV-3638 | x | OB |
Close | S.I. Tank 2B2 Recirc Drain Valve | HCV-3648 | x | OB |
TABLE 7.3-2 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Start | Diesel Generator | 2A | x | 7A |
Start | Diesel Generator | 2B | x | 7B |
Trip | Diesel Generator Breaker (for DG Loading) | 2A | x | BA |
Trip | Diesel Generator Breaker (for DG Loading) | 2B | x | BB |
Close | CCW to Fuel Pool HX Isolation Valve | MV-14-1B | x | BA |
Open Inhibit | CCW to Fuel Pool HX Isolation Valve | MV-14-1B | x | BA |
Close | CCW to Fuel Pool HX Isolation Valve | MV-14-17 | x | BB |
Open Inhibit | CCW to Fuel Pool HX Isolation Valve | MV-14-17 | x | BB |
Close | Hot Leg Line Check Valve Leak Drain Valve | v3s11** | x | 3B |
Stop | Reactor Cavity Cooling Fan | HVS-2B | x | 3B |
Start Inhibit | Reactor Cavity Cooling Fan | HVS-2B | x | 3B |
Stop | Reactor Support Cooling Fan | HVE-3B | x | 3B |
Start Inhibit | Reactor Support Cooling Fan | HVE-3B | x | 3B |
Stop | CEDM Cooling Fan | HVE-21B | x | 3B |
Start Inhibit | CEDM Cooling Fan | HVE-21B | x | 3B |
Close | Boric Acid Make-up Valve to VCT | V2512 | x | 6B |
Open | Boric Acid Tank 2A Gravity Feed Valve to Charging Pumps | V2509 | x | 5B |
Close Inhibit | Boric Acid Tank 2A Gravity Feed Valve to Charging Pumps | V2509 | x | 5B |
Open | Boric Acid Tank 2B Gravity Feed Valve to Charging Pumps | V2508 | x | 5B |
Close Inhibit | Boric Acid Tank 2B Gravity Feed Valve to Charging Pumps | V2508 | x | 5B |
Close | Letdown Line Isolation Valve | V2516 | x | OA |
Close | Letdown Line Isolation Valve | V2515 | x | OB |
Close | VCT Discharge Valve | V2501 | x | OB |
Start | Component Cooling Water Pump | 2A | x | 5A |
Start | Component Cooling Water Pump | 2B | x | 5B |
Start | Component Cooling Water Pump | 2C | x x | 9A,9B |
Close | CCW Header A Supply to Non-essential Header Isolation Valve | HCV-14-8A/9 | x | 6A |
TABLE 7.3-2 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Override Close | CCW Hdr. Supply B to Non-essential Header Isolation Valve | HCV-14-8B/10 | x | 6B |
Override Close | CCW Non-Essential Header Return to Hdr. A Isolation Valve | HCV-14-8A/9 | x | 6A |
Close | CCW Non-essential Header Return to Hdr. B Isolation Valve | HCV-14-8B/10 | x | 6B |
Open | CCW Outlet Valve from Shutdown HX 2A | HCV-14-3A | x | 5A |
Open | CCW Outlet Valve from Shutdown HX 2B | HCV-14-3B | x | 5B |
Start | Intake Cooling Water Pump | 2A | x | 5A |
Start | Intake Cooling Water Pump | 2B | x | 5B |
Start | Intake Cooling Water Pump | 2C | x x | 9A,9B |
Close | ICW Hdr. A Disch. to TCW Heat Exch. Isolation Valve | MV-21-3 | x | OA |
Close | ICW Hdr. B Disch. to TCW Heat Exch. Isolation Valve | MV-21-2 | x | OB |
Start Inhibit | RCP 2A-1 Oil Lift Pump | P-2A1-B | x | OB |
Start Inhibit | RCP 2A-2 Oil Lift Pump | P-2A2-B | x | OA |
Start Inhibit | RCP 2B-1 Oil Lift Pump | P-2B1-B | x | OA |
Start Inhibit | RCP 2B-2 Oil Lift Pump | P-2B2-B | x | OB |
Start | Reactor Aux. Bldg. Main Supply Fan | HVS-4A | x | 1A |
Start | Reactor Aux. Bldg. Main Supply Fan | HVS-4B | x | 1B |
Start | ECCS Area Exhaust Fan | HVE-9A | x | 1A |
TABLE 7.3-2 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Start | ECCS Area Exhaust Fan | HVE-9B | x | 1B |
Open | Air Supply Dampers to ECCS Pump Room A | D-1, D-2 | x | 1A |
Open | Air Supply Dampers to ECCS Pump Room B | D-3, D-4 | x | 1B |
Close | ECCS Area Isolation Dampers | D-BA, D-9A | x | 1A |
Close | ECCS Area Isolation Dampers | D-BB, D-9B | x | 1B |
Close | ECCS Area Isolation Dampers | D-7A, 5A | x | 1A |
Close | ECCS Area Isolation Dampers | D-7B, 5B | x | 1B |
Close | ECCS Area Isolation Dampers | D-6A | x | 1A |
Close | ECCS Area Isolation Dampers | D-6B | x | 1B |
Close | ECCS Area Isolation Dampers | D-12A | x | 1A |
Close | ECCS Area Isolation Dampers | D-12B | x | 1B |
Start | Containment Fan Cooler | HVS-1A | x | BA |
Start | Containment Fan Cooler | HVS-1B | x | BA |
Start | Containment Fan Cooler | HVS-1C | x | BB |
Start | Containment Fan Cooler | HVS-1D | x | BB |
Close | RCP Cooling Water Supply Isolation Valve | HCV-14-1 | x | OA |
Close | RCP Cooling Water Supply Isolation Valve | HCV-14-7 | x | OB |
Close | RCP Cooling Water Return Isolation Valve | HCV-14-2 | x | OA |
Close | RCP Cooling Water Return Isolation Valve | HCV-14-6 | x | OB |
Close | Reactor Cavity Sump Pump Isolation Valve | LCV-07-11A | x | 5A |
TABLE 7.3-2 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Close | Reactor Cavity Sump Pump Isolation Valve | LCV-07-11B | x | 5B |
Open | Safety Injection Tank 2A1 Disch Valve | V3624 | x | 6A |
Close Inhibit | Safety Injection Tank 2A1 Disch Valve | V3624 | x | 6A |
Open | Safety Injection Tank 2A2 Disch Valve | V3614 | x | 7A |
Close Inhibit | Safety Injection Tank 2A2 Disch Valve | V3614 | x | 7A |
Open | Safety Injection Tank 2B1 Disch Valve | V3634 | x | 7B |
Close Inhibit | Safety Injection Tank 2B1 Disch Valve | V3634 | x | 7B |
Open | Safety Injection Tank 2B2 Disch Valve | V3644 | x | 8B |
Close Inhibit | Safety Injection Tank 2B2 Disch Valve | V3644 | x | 8B |
Close | Safety Injection Tank Fill and Drain Valves | SE-03-1AN3621 | x | 2A |
Close | Safety Injection Tank Fill and Drain Valves | SE-03-1BN3611 | x | 2A |
Close | Safety Injection Tank Fill and Drain Valves | SE-03-1CN3631 | x | 2B |
Close | Safety Injection Tank Fill and Drain Valves | SE-03-1DN3641 | x | 2B |
Close | Safety Injection Tank Test Line Valve to RWT | SE-03-2B | x | 3B |
Close | Boric Acid Supply Valve | FCV-2210Y | x | 4A |
Open Inhibit | Boron Load Control Valve | V2525 | x | 4B |
Close | Boron Load Control Valve | V2525 | x | 4B |
Start | Charging Pump 2A(1) | 2A | x | 4A |
Close | Recirculation Valve to VCT | V2555 | x | 4A |
Start | Charging Pump 2B(1) | 2B | x | 4B |
Close | Recirculation Valve to VCT | V2554 | x | 4B |
Start | Charging Pump 2C(1) | 2C | x x | 9A,9B |
Close | Recirculation Valve to VCT | V2553 | x x | 9A,9B |
Start | Boric Acid Make-up Pump 2A | 2A | x | 5A |
TABLE 7.3-2 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Start | Boric Acid Makeup Pump | 2B | x | 5A |
Close | Boric Acid Tank 2A Recirculation Line Valve | V2650 | x | 6A |
Close | Boric Acid Tank 2B Recirculation Line Valve | V2651 | x | 6A |
Open | Boric Acid Makeup Pump Bypass to Charging Pumps | V2514 | x | 5A |
Close Inhibit | Boric Acid Makeup Pump Bypass to Charging Pumps | V2514 | x | 5A |
Trip | 4160 Swgr UV Interlock | 2A3 | x | 7A |
Trip | 4160 Swgr UV Interlock | 2B3 | x | 7B |
Trip | Non-Essential Load | | x | OA |
Trip | Pressurizer Heater 2A3 Breaker | 2A3 | x | OA |
Close Inhibit | Pressurizer Heater 2A3 Breaker | 2A3 | x | OA |
Status | SAS Input | | x | 3A |
Trip | Non-Essential Load | | x | OB |
Trip | Pressurizer Heater 2B3 Breaker | 2B3 | x | OB |
Close Inhibit | Pressurizer Heater 2B3 Breaker | 2B3 | x | OB |
Status | SAS Input | | x | OB |
Close | CCW Heat Exchanger Inlet Strainer Debris Discharge Valve | HCV-21-7A | x | 6A |
Close | CCW Heat Exchanger Inlet Strainer Debris Discharge Valve | HCV-21-7B | x | 6B |
Stop | Feedwater Pump 2A | 2A1-3 | x | 3A, BA |
Stop | Feedwater Pump 2B | 2B1-3 | x | 3B, 1B |
Stop | Heater Drain Pump 2A | 2A2-B | x | 3A, BA |
Stop | Heater Drain Pump 2B | 2B2-3 | x | 3B, 1B |
Trip | Generator Main Leads (IPBD) Fan 2A | 2A1-6D | x | 3A, BA |
Trip | Generator Main Leads (IPBD) Fan 2B | 2B1-2D | x | 3B, 1B |
Trip | Main Transformer 2A Coolers (Normal) | 2A1-5C | x | 3A, BA |
Trip | Main Transformer 2B Coolers (Normal) | 2B1-2C | x | 3B, 1B |
Trip | Main Transformer 2A Coolers (Alternate) | 2B1-1B | x | 3B, 1B |
Trip | Main Transformer 2B Coolers (Alternate) | 2A1-6A | x | 3A, BA |
TABLE 7.3-3 COMPONENTS ACTUATED ON RAS

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Stop | LPSI Pump | 2A | x | 1A |
Stop | LPSI Pump | 2B | x | 1B |
Close | S.I. Pump Recirc. Line Valve to RWT | V3659 | x | 2A |
Open Inhibit | S.I. Pump Recirc. Line Valve to RWT | V3659 | x | 2A |
Close | S.I. Pump Recirc. Line Valve to RWT | V3660 | x | 2B |
Open Inhibit | S.I. Pump Recirc. Line Valve to RWT | V3660 | x | 2B |
Open | Containment Sump Outlet Valve to Recirc. Header A | MV-07-2A | x | 4A |
Alarm | Containment Sump Outlet Valve to Recirc. Header A | MV-07-2A | x | 4A |
Open | Containment Sump Outlet Valve to Recirc. Header B | MV-07-2B | x | 4B |
Alarm | Containment Sump Outlet Valve to Recirc. Header B | MV-07-2B | x | 4B |
Close | RWT Outlet Valve to S.I. Header A | MV-07-1A | x | 3A |
Alarm | RWT Outlet Valve to S.I. Header A | MV-07-1A | x | 3A |
Close | RWT Outlet Valve to S.I. Header B | MV-07-1B | x | 3B |
Alarm | RWT Outlet Valve to S.I. Header B | MV-07-1B | x | 3B |
Manual Start Permissive | LPSI Pump | 2A | x | 1A |
Manual Start Permissive | LPSI Pump | 2B | x | 1B |
Failure to Stop Alarm | LPSI Pump | 2A | x | 1A |

TABLE 7.3-3 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Failure to Stop Alarm | LPSI Pump | 2B | x | 1B |
Close | Minimum Flow Isolation Valve | V3495 | x | 5A |
Close | Minimum Flow Isolation Valve | V3496 | x | 5B |
TABLE 7.3-4 COMPONENTS ACTUATED ON CSAS

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Start | Containment Spray Pump & Hydrazine Pump | 2A | x | 1A |
Start | Containment Spray Pump & Hydrazine Pump | 2B | x | 1B |
Open | Containment Spray Header A Inlet Valve | FCV-07-1A | x | 2A |
Open | Containment Spray Header B Inlet Valve | FCV-07-1B | x | 2B |
Resequence | Diesel Generator Loading block 6 & 7 | 2A | x | 3A |
Resequence | Diesel Generator Loading block 6 & 7 | 2B | x | 3B |
Open | Iodine Removal System Pump Isolation Valve | SE-07-3A | x | 2A |
Open | Iodine Removal System Pump Isolation Valve | SE-07-3B | x | 2B |
TABLE 7.3-5 COMPONENTS ACTUATED ON CIAS

Action | Component | Tag Number | Actuation Channel (A/B) | Test Group |
---|---|---|---|---|
Start | Shield Building Vent System Fan | HVE-6A | x | 7A |
Start | Shield Building Vent System Fan | HVE-6B | x | 7B |
Start | Control Room Isolation & Emergency Filtration System | HVE-13A, FCV-25-16, 17, 18, 24 | x | 7A |
Start | Control Room Isolation & Emergency Filtration System | HVE-13B, FCV-25-14, 15, 19, 25 | x | 7B |
Start | Control Room Air Conditioning Unit (note 1) | HVNACC-3A | x | 7A |
Start | Control Room Air Conditioning Unit (note 1) | HVNACC-3B | x | 7B |
Close | Letdown Line Isolation Valve | V2516 | x | OA |
Close | Letdown Line Isolation Valve | V2522 | x | OB |
Close | RCS Sample Line Isolation Valve | V5200 | x | 1A |
Close | RCS Sample Line Isolation Valve | V5203 | x | 1B |
Close | RCS Surge Line Sample Isolation Valve | V5201 | x | 1A |
Close | RCS Surge Line Sample Isolation Valve | V5204 | x | 1B |
Close | Pressurizer Sample Line Isolation Valve | V5202 | x | 1A |
Close | Pressurizer Sample Line Isolation Valve | V5205 | x | 1B |
Close | Primary Water Line Isolation Valve | HCV-15-1 | x | 5B |
Close | Safety Injection Tank Test Line Valve to RWT | SE-03-2A | x | 1A |
Close | Instrument Air Isolation Valve | HCV-18-1 | x | OA |
Close | Station Air Isolation Valve | HCV-18-2 | x | 5A |
Close | Main Purge Inlet Isolation Valve | FCV-25-1 | x | 2A |
Close | Main Purge Inlet Isolation Valve | FCV-25-3 | x | 2A |
Close | Main Purge Inlet Isolation Valve | FCV-25-2 | x | 2B |
Close | Main Purge Inlet Isolation Valve | FCV-25-5 | x | 2A |
Close | Main Purge Inlet Isolation Valve | FCV-25-4 | x | 2B |
Close | Main Purge Inlet Isolation Valve | FCV-25-6 | x | 2B |

(note 1) CRAC fan start required to support control room emergency filtration system function
TABLE 7.3-5 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A, B) | Test Group |
---|---|---|---|---|
Stop | Containment Main Purge Exhaust Fan | HVE-8A | x | 2A |
Stop | Containment Main Purge Exhaust Fan | HVE-8B | x | 2B |
Close | Nitrogen Supply Isolation Valve | V6741 | x | 2B |
Close | Waste Gas Header Isolation Valve | V6750 | x | 3A |
Close | Waste Gas Header Isolation Valve | V6718 | x | 3B |
Close | Reactor Cavity Sump Pump Discharge Isolation Valve | LCV-07-11A | x | 4A |
Close | Reactor Cavity Sump Pump Discharge Isolation Valve | LCV-07-11B | x | 4B |
Close | Containment Sample Isolation Valve | FCV-26-2, -4, -6 | x | 3A |
Close | Containment Sample Isolation Valve | FCV-26-1, -3, -5 | x | 3B |
Close | Steam Generator A Blowdown Isolation Valve | FCV-23-3 | x | 3A |
Close | Steam Generator B Blowdown Isolation Valve | FCV-23-5 | x | 3A |
Close | RCP Controlled Bleed-off Isolation Valve | V2505 | x | 0A |
Close | Reactor Drain Tank Discharge Isolation Valve | V6341 | x | 4A |
Close | Reactor Drain Tank Discharge Isolation Valve | V6342 | x | 4B |
Close | Steam Generator A Blowdown Sample Isolation Valves | FCV-23-7 & 9 | x | 4A |
Close | RCP Controlled Bleed-off Isolation Valve | V2524 | x | 0B |
Open | Shield Building Ventilating System Isolation Valve | FCV-25-32 | x | 6A |

7.3-38 Amendment No. 18 (01/08)
TABLE 7.3-5 (Cont'd)

Action | Component | Tag Number | Actuation Channel (A, B) | Test Group |
---|---|---|---|---|
Close Inhibit | Shield Building Ventilating Sys Isolation Valve | FCV-25-32 | x | 6A |
Close | Safety Injection Tank Sample Isolation Valve | SE-05-1E | x | 6A |
Open Inhibit | Fuel Hdlg Bldg Emergency Ventilation Isol Valve | FCV-25-30 | x | 6A |
Open Inhibit | Fuel Hdlg Bldg Emergency Ventilation Isol Valve | FCV-25-31 | x | 6B |
Close | Fuel Hdlg Bldg Emergency Ventilation Isol Valve | FCV-25-30 | x | 6A |
Close | Fuel Hdlg Bldg Emergency Ventilation Isol Valve | FCV-25-31 | x | 6B |
Close | Continuous Containment/H2 Purge Isol Valve | FCV-25-20 | x | 6A |
Close | Continuous Containment/H2 Purge Isol Valve | FCV-25-21 | x | 5B |
Close | Continuous Containment/H2 Purge Isol Valve | FCV-25-26 | x | 7A |
Close | Continuous Containment/H2 Purge Valve | FCV-25-36 | x | 6B |
Override/Close | Continuous Containment/H2 Purge Isol Valve | FCV-25-20 | x | 6A |
Override/Close | Continuous Containment/H2 Purge Isol Valve | FCV-25-21 | x | 5B |
Override/Close | Continuous Containment/H2 Purge Isol Valve | FCV-25-26 | x | 7A |
Override/Close | Continuous Containment/H2 Purge Valve | FCV-25-36 | x | 6B |
Open | SBVS Isolation Valve | FCV-25-33 | x | 6B |
Close Inhibit | Shield Building Ventilating Sys Isolation Valve | FCV-25-33 | x | 6B |
Close | Safety Injection Tank Sample Isolation Valve | SE-05-1A, SE-05-1B, SE-05-1C, SE-05-1D | x | 6B |
Close | Safety Injection Tank Test Line Valve to RWT | SE-03-2B | x | 1B |
Start | Unit 1 Control Room Isolation & Emergency Filtration System | HVE-13B, FCV-25-14, 15, 19 & 25 | x | 0B |
Start | Unit 1 Control Room Isolation & Emergency Filtration System | HVE-13A, FCV-25-16, 17, 18 & 24 | x | 0A |
TABLE 7.3-6 COMPONENTS ACTUATED ON MSIS

Action | Component | Tag Number | Actuation Channel (A, B) | Test Group |
---|---|---|---|---|
Close | Main Steam Line A Isolation Valve | HCV-08-1A | x, x(1) | 0A |
Close | Main Steam Line B Isolation Valve | HCV-08-1B | x(1), x | 0B |
Close | Main Steam Isolation Valve A Bypass Valve | MV-08-1A | x, x(1) | 1A |
Open Inhibit | Main Steam Isolation Valve A Bypass Valve | MV-08-1A | x | 1A |
Close | Main Steam Isolation Valve B Bypass Valve | MV-08-1B | x(1), x | 1B |
Open Inhibit | Main Steam Isolation Valve B Bypass Valve | MV-08-1B | x | 1B |
Close | Main FW Isolation Valve to SG 2A | HCV-09-1B | x(1), x | 0B |
Open Inhibit | Main FW Isolation Valve to SG 2A | HCV-09-1B | x | 0B |
Close | Main FW Isolation Valve to SG 2B | HCV-09-2B | x(1), x | 0B |
Open Inhibit | Main FW Isolation Valve to SG 2B | HCV-09-2B | x | 0B |
Close | Main FW Isolation Valve to SG 2A | HCV-09-1A | x, x(1) | 0A |
Open Inhibit | Main FW Isolation Valve to SG 2A | HCV-09-1A | x | 0A |
Close | Main FW Isolation Valve to SG 2B | HCV-09-2A | x, x(1) | 0A |
Open Inhibit | Main FW Isolation Valve to SG 2B | HCV-09-2A | x | 0A |
Status | SAS Input (MSIS-A) | | x | 0A |
Status | SAS Input (MSIS-B) | | x | 0B |

(1) Actuates through an isolation device
TABLE 7.3-7 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

ILLUSTRATION FIGURE 7.3-1 (3-Channels Operational, 1-Channel Bypassed, See Note D)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
3 Pressurizer Pressure Sensing Circuit**; 3 Containment Pressure Sensing Circuit**; 3 Refueling Water Tank Level Sensor; 3 Steam Generator 2A Pressure Sensing Circuit**; 3 Steam Generator 2B Pressure Sensing Circuit** | One spurious low signal (dropping to zero at output) | Open circuit, dc power failure, or shorted resistor (IN converter) | Measurement channel pre-trip & trip alarms; meters indicate trip condition | Makes both channel logics 1-out-of-2 to actuate (also makes SIAS & MSIS block permissive logic 2-out-of-2) | Notes A & B |
 | One spurious high signal (reaching scale maximum at output) | Component failure, open resistor (IN converter) | Test and comparison with redundant channel indicators; alarms | Makes both channel logics 2-out-of-2 (also makes SIAS & MSIS block permissive logic 3-out-of-2*) | Notes A & C |
3 Pressurizer Pressure, Containment Pressure, SG 2A Pressure and SG 2B Pressure, Sensing Circuit Power Supply | One fails low | Open circuit, ac supply failure. Inverter failure | Measurement channel trip & pre-trip alarms; indicating meters read low. Power Loss alarm | Makes both channel logics 1-out-of-2 (also makes SIAS & MSIS block permissive logic 2-out-of-2) | Notes A & B |
3 RWT Level Sensor Power Supply | Failure of two on loss of one 125V dc battery | Open battery circuit | Alarms, Reactor & turbine-gen. trip. | Initiates SIAS, MSIS, CIS and makes one channel logic 1-out-of-1 or 1-out-of-2 for CSAS and RAS | Notes A, B & D |
 | One fails high | Component failure | Test and comparison with redundant channel indicators | Makes both channel logics 2-out-of-2 (also makes SIAS & MSIS block permissive logic 3-out-of-2) | Notes A & C |

Notes:
A Single failure with a measurement channel bypassed does not prevent system actuation.
B Immediate detection
C Possible immediate detection
D Bypassed measurement channel of the containment pressure or RWT level should be placed in trip mode or promptly restored to its operable status, in order to fulfill the logic for automatic actuation of the CSAS & RAS during a single failure of one battery.
* SIAS & MSIS actuation cannot be blocked until bypassed channel of the pressurizer pressure or SG pressure is placed in trip mode.
** Sensing circuit includes transmitter, converter and E/I converter.
TABLE 7.3-7 (Cont'd)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
3 Pressurizer Pressure SIAS Trip Bistable; 3 Containment Pressure SIAS Trip Bistable; 3 Containment Pressure CIAS Trip Bistable; 3 Containment Pressure CSAS Trip Bistable; 3 Refueling Tank Level RAS Trip Bistable; 3 Containment Radiation CIAS Trip Bistable; 3 Steam Generator 2A Pressure MSIS Trip Bistable; 3 Steam Generator 2B Pressure MSIS Trip Bistable | One fails off | Open circuit, dc supply failure | Bistable indicator low reading; Channel trip alarm; Auto test light & alarm | Makes both channel logics 1-out-of-2 | Notes A & B |
 | One fails on | Electronic circuit failure | Manual and automatic test; Automatic test light & alarm | Makes both channel logics 2-out-of-2 | Notes A & B |
 | Bistable removed | Bistable removed | Alarm when cabinet door opened; Automatic test light and alarm; Module removed alarm | Makes both channel logics 2-out-of-2 | Notes A & B |
12 Isolation Module for Trip Block Bistables | One fails off | Electronic circuit damaged | Manual test | Makes one channel block logic 2-out-of-2 | Note A |
 | One fails on | Open circuit. | Manual test | Makes one channel block logic 3-out-of-2* | Note A |
 | Module removed | Module removed | Alarm when cabinet door opened; module removed alarm | Makes one channel block logic 2-out-of-2 | Note A, B |

Note:
A - Single failure with a measurement channel bypassed does not prevent system actuation.
B - Immediate detection
* - SIAS & MSIS actuation cannot be blocked until bypassed channel of the pressurizer pressure or SG pressure is placed in trip mode.
TABLE 7.3-7 (Cont'd)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
48 Isolation Module for Trip Bistables | One fails off | Electronic circuit damaged | Manual and automatic test, auto test light & alarm | Makes one channel logic 1-out-of-2 | Notes A & B |
 | One fails on | Electronic circuits shorted | Automatic and manual test, auto test light & alarm | Makes one channel logic 2-out-of-2 | Notes A & B |
 | Module removed | Module removed | Alarm when cabinet door opened; Module removed alarm; automatic test light & alarm | Makes one channel logic 1-out-of-2 | Notes A & B |
3 Containment Radiation Monitor | One spurious low signal | Open circuit, ac supply failure | Test and comparison with redundant channel indicators; meters read low | Makes both channel logics 2-out-of-2 | Notes A & B |
3 Containment Radiation MV/I Converter | One spurious high signal | Component failure | Measurement channel pre-trip & trip alarms; indicating meters read high | Makes both channel logics 1-out-of-2 | Notes A & C |
IN Converter: 6 Pressurizer Press. (R-1, 2); 3 Containment Press. (R-6); 3 Containment Rad. (R-9); 3 RWT Level (R-12); 3 SG 2A Press (R-15); 3 SG 2B Press (R-15 Typical) | One fails open | Component failure | Open resistor indicator reads high; measurement channel trip alarm | Makes both channel logics to actuate 1-out-of-2 (Resistors R-1, 2, and 15 also make SIAS & MSIS block permissive logic 2-out-of-2) | Notes A & B |
 | One shorts | Short circuit | Indicator reads low; pre-trip alarm | None | Notes A & B |

Notes:
A Single failure with a measurement channel bypassed does not prevent system actuation.
B Immediate detection
C Possible immediate detection
TABLE 7.3-7 (Cont'd)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
IN Converter: 3 Pressurizer Press. (R-5); 3 Containment Press. (R-8); 3 Containment Rad. (R-10); 3 RWT Level (R-11); 3 SG 2A Press. (R-14); 3 SG 2B Press. (R-14 typical) | One fails open | Component failure | Bistable indicator high reading; Test and comparison with redundant channel indicators | Makes both channel logics 2-out-of-2 (Resistors R-5, 14 make SIAS & MSIS block logic 3-out-of-2)* | Notes A & C |
 | One shorts | Short circuit | Bistable indicator low reading, channel trip alarm | Makes both channel logics 1-out-of-2 (Resistors R-5, 14 also make SIAS & MSIS block logic 2-out-of-2) | Notes A & B |

Notes:
A Single failure with a measurement channel bypassed does not prevent system actuation.
B Immediate detection
C Possible immediate detection
* See note page 7.3-41.
TABLE 7.3-7 (Cont'd)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
3 Pressurizer Pressure SIAS Trip Block Bistable; 3 Steam Generator 2A Pressure MSIS Trip Block Bistable; 3 Steam Generator 2B Pressure MSIS Trip Block Bistable | One fails off | Open circuit, dc supply failure | Manual test | Makes both channel logics 2-out-of-2 | Note A |
 | One fails on | Electronic circuit failure | Manual test | Makes both channel logics 3-out-of-2* | Note A |
 | Module removed | Module removed | Alarm when cabinet door opened; module removed alarm | Makes both channel logics 3-out-of-2* | Notes A & B |
2-out-of-4 Matrix and Actuation Module: 2 SIAS A, B Test Group 0; 2 SIAS A, B Test Group 1; 2 SIAS A, B Test Group 2; 2 SIAS A, B Test Group 3; 2 SIAS A, B Test Group 4; 2 SIAS A, B Test Group 5; 2 SIAS A, B Test Group 6; 2 SIAS A, B Test Group 7; 2 SIAS A, B Test Group 8; 2 SIAS A, B Test Group 9 | One fails off | Open circuit, dc supply failure | ESFAS channel actuation alarm | De-energizes output relays and starts components associated with failed test group | Notes A & B |
 | One fails on | Electronic circuit shorted | Manual and automatic test; Alarm test light & alarm | Prevents auto starts of components associated with failed test group | Notes A & B |
 | Module removed | Module removed | Alarm when cabinet door opened | De-energizes output relays and starts components associated with failed test group | Notes A & B |

Notes:
A Single failure with a measurement channel bypassed does not prevent system actuation.
B Immediate detection
* See note on page 7.3-41
TABLE 7.3-7 (Cont'd)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
2 CIAS A, B Test Group 0; 2 CIAS A, B Test Group 1; 2 CIAS A, B Test Group 2; 2 CIAS A, B Test Group 3; 2 CIAS A, B Test Group 4; 2 CIAS A, B Test Group 5; 2 CIAS A, B Test Group 6; 2 CIAS A, B Test Group 7; 2 MSIS A, B Test Group 0; 2 MSIS A, B Test Group 1 | One fails off | Open circuit, dc supply failure | ESFAS channel actuation alarm | De-energizes output relays and starts components with failed test group | Notes A & B |
 | One fails on | Electronic circuit shorted | Manual and automatic test; Auto test light & alarm | Prevents auto starts of components associated with failed test group | Notes A & B |
 | Module removed | Module removed | Alarm when cabinet door opened | De-energizes output relays and starts components associated with failed test group | Notes A & B |
2-out-of-4 Matrix and Actuation Module: 2 CSAS A, B Test Group 1; 2 CSAS A, B Test Group 2; 2 CSAS A, B Test Group 3; 2 RAS A, B Test Group 1; 2 RAS A, B Test Group 2; 2 RAS A, B Test Group 3; 2 RAS A, B Test Group 4; 2 RAS A, B Test Group 5 | One fails on | Electronic circuits shorted | ESFAS channel actuation alarm | Energize output relays and starts components associated with failed Test Group | Notes A & B |
 | One fails off | Component failure | Manual-auto test; Auto test light & alarm | Prevents auto start of components associated with failed Test Group | Notes A & B |

Notes:
A Single failure with a measurement channel bypassed does not prevent system actuation.
B Immediate detection
TABLE 7.3-7 (Cont'd)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
 | Module removed | Module removed | Alarm when cabinet door opened. Automatic test light & alarm | Prevents auto start of components associated with failed Test Group | Notes A & B |
3-out-of-4 Matrix and Actuation Module: 2 SIAS A, B Block; 2 MSIS A, B Block | One fails on | Electronic circuit shorted, dc supply failure | Block permissive indication & alarm | Completes permissive signal for manual block of SIAS or MSIS on one channel only | Notes A & B |
 | One fails off | Component failure | Manual Test | Prevents SIAS or MSIS channel block | Notes A & C |
 | Module removed | Module removed | Alarm when cabinet door opened | Prevents SIAS or MSIS channel block | Notes A & B |
Pushbutton "think": 2 SIAS A, B; 2 CIAS A, B; 2 RAS A, B; 2 CSAS A, B; 2 MSIS A, B | One fails open | Component failure | Manual test; Pushbutton and control switch actuated alarm | Blocks ESFAS channel manual actuation | Notes A & C |
 | One fails closed | Component failure | Pushbutton and control switch actuated alarm | None | Notes A & B |

Notes:
A - Single failure with a measurement channel bypassed does not prevent system actuation.
B - Immediate detection
C - Possible immediate detection
TABLE 7.3-7 (Cont'd)

Component Name | Failure Mode | Failure Mechanism | Detection | Operational Effects on ESFAS Logic | Remarks |
---|---|---|---|---|---|
Control Switch: 2 SIAS A, B; 2 CIAS A, B; 2 RAS A, B; 2 CSAS A, B; 2 MSIS A, B | One fails open | Component failure | Manual Test; Pushbutton and control switch actuated alarm | Blocks ESFAS channel manual actuation | Notes A & C |
 | One fails closed | Component failure | Pushbutton and control switch actuated alarm | None | Notes A & B |
Output relays: 36 SIAS A, B; 4 CIAS A, B; 4 MSIS A, B | One relay coil fails open or shorted. Contacts fail in actuated position | Component failure | Component running lights on control board on. | Starts components assigned to this relay | Notes A & B |
 | One relay's contacts fail to actuate | Component failure | Manual test | Prevents automatic start of component assigned to this relay | Note A |
Output relays: 6 CSAS A & B; 10 RAS A, B | One relay coil fails open or shorted. Contacts fail to actuate. | Component failure | Manual test | Prevents auto start of components assigned to this relay | Note A |
 | One relay's contacts fail in actuated position | Component failure | Component running lights on control board on | Starts components assigned to this relay | Notes A & B |

Notes:
A - Single failure with a measurement channel bypassed does not prevent system actuation.
B - Immediate detection
C - Possible immediate detection
TABLE 7.3-8 ESF SIGNAL INTERCONNECTIONS FOR AB SHARED SYSTEM EQUIPMENT CONTROL - FAILURE MODE ANALYSIS

Component | Function | Failure Mode | Effects on ESF System | Detection | Failure Mechanism | Remarks |
---|---|---|---|---|---|---|
AB Equipment Control Board | Centralized Control of AB Equipment | AB Control Power Failure | AB Equipment Control Lost. ESF A and B Not Affected | Circuit Monitoring, Alarms, Indicating Lights | Open Circuits Or Cables, Power Supply Failure | Immediate Detection |
 | | Control Power High Voltage or Fire | AB Equipment Control Lost Including Relay Contact Failure In Relay Boxes AB1 & AB2. ESF A & B System Not Affected | | Imposed High Voltage on AB Circuits, Relay Coils, Shorted Wires | Possible Immediate Detection |
ESF Logic Cabinet SA | Centralized Control ESF A & AB Initiation | Control Power Failure | Failure of ESF A & AB Initiation, or Spurious Initiation. ESF B System Not Affected | Various Alarms | Power Supply Failure, Electronic Components Shorted, Fire, Shorted Wires | Immediate Detection |
ESF Logic Cabinet SB | Centralized Control ESF B & AB Initiation | Control Power Failure | Failure of ESF B & AB Initiation or Spurious Initiation. ESF A System Not Affected | Various Alarms | Power Supply Failure, Electronic Components Shorted, Fire, Shorted Wires | Immediate Detection |
Box AB1 Located In ESF Cabinet SA | Provides Separation Between A & AB | Fire | Failure of ESF AB Initiation. ESF A & B System Not Affected | Various Alarms | Shorted Wires, Faulty Relays | Immediate Detection |
Box AB2 Located in ESF Cabinet SB | Provides Separation Between B & AB | Fire | Failure of ESF AB Initiation. ESF A & B System Not Affected | Various Alarms | | Immediate Detection |
Table 7.3-9 MSIV ISOLATION CIRCUIT FAILURE MODE ANALYSIS

Item | Power Supply | Function | Failure Mode & Effect | Detection | Failure Mechanism | Meets Single Failure Criteria |
---|---|---|---|---|---|---|
1 | 125 VDC supply MSIV A Control Circuit | Provides power for HCV-08-1A closing circuit | Low. HCV-08-1A remains open but inoperational | Control room alarm | Open fuse, CKT ground test | Yes. HCV-08-1B will operate on MSIS-A or MSIS-B. FW isolation valves will operate also. |
2 | 125 VDC Supply to isolation relay 29/312 circuit | Provides power to MSIS A signal isolation to train B | Low. Disables MSIS-A signal to train B | Control room alarm | Open fuse, CKT ground test | Yes. MSIS A will close valve HCV-08-1A & train A FW isolation valves. MSIS B will operate both trains. |
3 | 125 VDC Battery A | Provides power through MA & MC inverters to ESFAS A train | Low. Train A valves inoperational. Train B MSIS is spuriously actuated. Note (2) | Control room alarm | Battery A or 125VDC bus failure | Yes. MSIS B will close HCV-08-1B & train B FW isolation valves. |

Notes:
(1) Train B similar
(2) MSIS B trip logic 2 out of 4 (2 out of 3) is spuriously actuated by de-energizing MA & MC ESFAS measurement cabinet bistables & isolation modules.

7.3-49a Amendment No. 13, (05/00)
TABLE 7.3-10 ESF BYPASSES OR INOPERABLE INDICATION SYSTEM

Bypass Indication Channel | Window | Bypassed System | Components Causing Automatic Indication (Connection From) | Manual Capability To Activate Bypass Indication | Remarks |
---|---|---|---|---|---|
A | 1 | L.P. Safety Injection | Diesel Generator 2A (Annunciator); LPSI Pump 2A (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 2 | H.P. Safety Injection | Diesel Generator 2A (Annunciator); CCW Header (Annunciator); HPSI Pump 2A (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 3 | Charging and Boron | Diesel Generator 2A (Annunciator); Charging Pump 2A (Annunciator); Boric Acid Make-up Pump 2A (Annunciator); Boric Acid Make-up Pump 2B (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 4 | Control Room Habitability | Diesel Generator 2A (Annunciator); Control Room Air Conditioning (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 5 | Aux. Building H&V | Diesel Generator 2A (Annunciator); RAB Exhaust Fans (HVCB); RAB Supply Fans (HVCB); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 6 | Containment Spray | Diesel Generator 2A (Annunciator); CCW Header (Annunciator); Containment Spray Pump 2A (Annunciator); 125VDC Battery 2A BKR Open (Annunciator) | Yes | |
A | 8 | Containment Vacuum Relief | Cont. Vacuum Relief Va. Contr. Pwr. (HVCB); Cont. Vacuum Relief Air Low Press. (Annunciator) | Yes | |
A | 9 | Containment Air Cooler | Diesel Generator 2A (Annunciator); 125V DC Battery 2A BKR Open (Annunciator); CCW Header (Annunciator); Containment Air Recirc. Coolers (Annunciator) | Yes | |
A | 10 | Main Steam Isolation | Diesel Generator 2A (Annunciator); Main Steam Isolation Valve (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |

7.3-52 Amendment No. 13, (05/00)
TABLE 7.3-10 (Cont'd)

Bypass Indication Channel | Window | Bypassed System | Components Causing Automatic Indication (Connection From) | Manual Capability To Activate Bypass Indication | Remarks |
---|---|---|---|---|---|
A | 11 | Recirc. Actuation | Diesel Generator 2A (Annunciator); Refueling Water Tank Valve (Annunciator); Containment Sump Valve (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 12 | Fuel Pool Emerg Vent | Diesel Generator 2A (Annunciator); Fuel Bldg Emerg Vent (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 13 | H2 Systems | Diesel Generator 2A (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 14 | Shield Bldg. Vent | Diesel Generator 2A (Annunciator); Shield Bldg Vent Exh. Fan (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 15 | Aux. Feed Water | Diesel Generator 2A (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
A | 16 | Spare | | Yes | |
A | 17 | Spare | | | |
A | 18 | Spare | | | |
A | 19 | Spare | | | |
A | 20 | Component Cooling Water | Diesel Generator 2A (Annunciator); Intake Cooling Water Pump 2A (Annunciator); Component Cooling Water Pump 2A (Annunciator); 125V DC Battery 2A BKR Open (Annunciator) | Yes | |
B | 1 | L.P. Safety Injection | Diesel Generator 2B (Annunciator); LPSI Pump 2B (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 2 | H.P. Safety Injection | Diesel Generator 2B (Annunciator); CCW Header (Annunciator); HPSI Pump 2B (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 3 | Charging and Boron | Diesel Generator 2B (Annunciator); Charging Pump 2B (Annunciator); Boric Acid (Annunciator); Gravity Valves (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
TABLE 7.3-10 (Cont'd)

Bypass Indication Channel | Window | Bypassed System | Components Causing Automatic Indication (Connection From) | Manual Capability To Activate Bypass Indication | Remarks |
---|---|---|---|---|---|
B | 4 | Control Room Habitability | Diesel Generator 2B (Annunciator); Control Room Air Conditioning (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 5 | Aux. Building H&V | Diesel Generator 2B (Annunciator); RAB Exhaust Fans (HVCB); RAB Supply Fans (HVCB); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 6 | Containment Spray | Diesel Generator 2B (Annunciator); CCW Header (Annunciator); Containment Spray Pump 2B (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 8 | Containment Vacuum Relief | Cont. Vacuum Relief Va. Contr. Pwr. (HVCB); Cont. Vacuum Relief Va. Air Low Press. (Annunciator) | Yes | |
B | 9 | Containment Air Cooler | Diesel Generator 2B (Annunciator); CCW Header (Annunciator); Contain Air Recirc. Coolers (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 10 | Main Steam Isolation | Diesel Generator 2B (Annunciator); Main Steam Isolation Valve (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 11 | Recirc. Actuation | Diesel Generator 2B (Annunciator); Refueling Water Tank Valve (Annunciator); Containment Sump Valve (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 12 | Fuel Pool Emerg Vent | Diesel Generator 2B (Annunciator); Fuel Bldg Emerg. Vent Valve (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 13 | H2 Systems | Diesel Generator 2B (Annunciator); 125V DC Battery 2B (Annunciator) | Yes | |
B | 14 | Shield Bldg Vent | Diesel Generator 2B (Annunciator); Shield Bldg. Exh. Fan (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |

7.3-54 Amendment No. 13, (05/00)
TABLE 7.3-10 (Cont'd)

Bypass Indication Channel | Window | Bypassed System | Components Causing Automatic Indication (Connection From) | Manual Capability To Activate Bypass Indication | Remarks |
---|---|---|---|---|---|
B | 15 | Aux. Feed Water | Diesel Generator 2B (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
B | 16 | Spare | | | |
B | 17 | Spare | | | |
B | 18 | Spare | | | |
B | 19 | Spare | | | |
B | 20 | Component Cooling Water | Diesel Generator 2B (Annunciator); Intake Cooling Water Pump 2B (Annunciator); Component Cooling Water Pump 2B (Annunciator); 125V DC Battery 2B BKR Open (Annunciator) | Yes | |
C | 1 | Charging and Boron | Charging Pump 2C (Annunciator) | Yes | |
C | 2 | Control Room Habitability | Cont. Room Air Cond Sys. C (Annunciator) | Yes | |
C | 3 | Spare | | | |
C | 4 | Component Cooling Water | Intake Cooling Water Pump 2C (Annunciator); Component Cooling Water Pump 2C (Annunciator) | Yes | |
TABLE 7.3-11 COMPONENTS ACTUATED BY AFAS

Action | Component | Tag Number | Actuation Channel (A, B) | AFAS |
---|---|---|---|---|
Start(1) | AFW Pump | 2A | x | AFAS-1 |
Start(1) | AFW Pump | 2B | x | AFAS-2 |
Open/Close | AFW Pump 2A Disch to SG 2A | MV-09-9 | x | AFAS-1 |
Open/Close | AFW Pump 2B Disch to SG 2B | MV-09-10 | x | AFAS-2 |
Open/Close | AFW Pump 2C Disch to SG 2A | MV-09-11 | x | AFAS-1 |
Open/Close | AFW Pump 2C Disch to SG 2B | MV-09-12 | x | AFAS-2 |
Open(1) | STM From SG 2B to AFWP 2C | MV-08-12 | x | AFAS-2 or AFAS 1 |
Open(1) | STM From SG 2A to AFWP 2C | MV-08-13 | x | AFAS-1 or AFAS 2 |
Open/Close | AFW Pump 2A Disch to SG 2A | SE-09-2 | X(2) | AFAS-1 |
Open/Close | AFW Pump 2B Disch to SG 2B | SE-09-3 | X(3) | AFAS-2 |
Open/Close | AFW Pump 2C Disch to SG 2A | SE-09-4 | X(3) | AFAS-1 |
Open/Close | AFW Pump 2C Disch to SG 2B | SE-09-5 | X(2) | AFAS-2 |
Close | MFIV to SG 2A | HCV-09-1A | x | AFAS-1* |
Close | MFIV to SG 2A | HCV-09-1B | x | AFAS-1* |
Close | MFIV to SG 2B | HCV-09-2A | X(2) | AFAS-2* |
Close | MFIV to SG 2B | HCV-09-2B | X(3) | AFAS-2* |

* The AFAS may be overridden and the valve re-opened by the control room operator only during 2-EOP-06, total loss of feedwater.
(1) Indicates components that are latched. All other components are unlatched (cycling).
(2) Indicates that components are actuated by Channel C which is diverse from Channel A for single failure considerations.
(3) Indicates that components are actuated by Channel D which is diverse from Channel B for single failure considerations.

7.3-55 Amendment No. 18 (01/08)
TABLE 7.3-12 AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

No. | Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection** | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|---|
1 | Feedwater header pressure sensor-1 (Channel A, Typical) | a. Fails off (low pressure signal) | Sensor failure, open circuit, D/C power supply failure | Low P1 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to the channel A AFAS1 block circuit. | Annunciating, pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | To restore the system logic to 2-out-of-3 coincidence, the operator must restore the bypassed channel to operation and then bypass the failed channel function. |
 | | b. Fails as is | Sensor failure, component failure | Erroneous P1 pressure signal to P2 < P1 differential pressure bistable during actual SG1 trip. Bistable changes logic state and initiates input to channel A AFAS2 block circuit when SG2 trips. | Annunciating, pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | Same as above |
 | | c. Fails on (high pressure signal) | Sensor failure, component failure | Erroneous high P1 pressure signal to P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS2 block circuit. | Annunciating, pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | Same as above |
2 | Feedwater header pressure sensor-2 | a. Fails off | Sensor failure, open circuit, D/C power supply failure | Low P2 pressure signal to the P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS2 block circuit. | Annunciating, pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | Same as above |
 | | b. Fails as is | Sensor failure, component failure | Erroneous P2 pressure signal to the P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit. | Annunciating, pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | Same as above |

* SG2A is SG1, SG2B is SG2
** Pre-trip & trip annunciation consists of local light indication & sequence of events printout.
TABLE 7.3-12 (Cont'd)

No. | Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection** | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|---|
 | | c. Fails on | Sensor failure, component failure | Erroneous high P2 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Same as above | Same as above |
3 | Steam Generator 1 pressure sensor | a. Fails off | Sensor failure, open circuit, D/C power supply failure | Low P1 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. Block logic becomes 1-out-of-2 coincident. | Same as above |
 | | b. Fails as is | Sensor failure, component failure | Erroneous P1 pressure signal to P2 < P1 differential pressure bistable during actual SG1 trip. Bistable changes logic state and initiates input to channel A AFAS2 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. Block logic becomes 1-out-of-2 coincident. | Same as above |
 | | c. Fails on | Sensor failure, component failure | Erroneous high P1 pressure signal to P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS2 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Same as above | Same as above |
4 | Steam Generator 2 Pressure sensor | a. Fails off | Sensor failure, open circuit, D/C power supply failure | Low P2 pressure signal to P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to Channel A AFAS2 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. Block logic becomes 1-out-of-2 coincident. | Same as above |
 | | b. Fails as is | Sensor failure, component failure | Erroneous P2 pressure signal to P1 < P2 differential pressure bistable during actual SG2 trip. Bistable changes logic state and initiates input to channel A AFAS1 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. Block logic becomes 1-out-of-2 coincident. | Same as above |

* SG2A is SG1, SG2B is SG2
** Pre-trip & trip annunciation consists of local light indication & sequence of events printout.
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | c. Fails on | Sensor failure, component failure | Erroneous high P2 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Same as above | Same as above |
5 Steam Generator 1 low-level sensor | a. Fails off | Sensor failure, component failure | Low steam generator level signal to Lo LVL SG1 bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit and actuation logic. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS1 becomes 1-out-of-2 coincident. No effect on block logic. | Same as above |
 | b. Fails on | Sensor failure, component failure | High steam generator level signal to Lo LVL SG1 bistable. Will not trip for actual lo level. | Periodic test 3-channel comparison. | 3-channel redundancy (4th channel in bypass) | AFAS1 logic becomes 2-out-of-2 coincident | Same as above |
6 Steam Generator 2 low-level sensor | a. Fails off | Sensor failure, component failure | Low steam generator level signal to Lo LVL SG2 bistable. Bistable changes logic state and initiates channel A AFAS2 block circuit and actuation logic. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass) | Actuation logic for AFAS2 becomes 1-out-of-2 coincident. No effect on block logic. | Same as above |
 | b. Fails on | Sensor failure, component failure | High steam generator level signal to Lo LVL SG2 bistable. Will not trip for actual Lo level. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | AFAS2 logic becomes 2-out-of-2 coincident. | Same as above |
BISTABLES | | | | | | | |
7 SG1 lo level bistable (Channel A Typical) | a. Setpoint power fails off | Component failure, open circuit | SG1 level setpoint drops to zero. Bistable will not change state on valid Lo level signal. | Power supply annunciator | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 2-out-of-2 coincident. | To restore the system logic to 2-out-of-3 coincidence, the operator must restore the bypassed channel and then bypass the failed channel function. |
TABLE 7.3-12 (cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | b. Trip setpoint fails low | Component failure | Same as 7a. | Same as 7a. | Same as 7a. | Same as 7a. | Same as above |
 | c. Trip setpoint fails high | Component failure | Bistable will trip at greater than desired SG1 level | Annunciation if bistable is tripped. Periodic test. | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above |
 | d. Trip voltage comparator fails off | Open circuit, component failure | Bistable relays will de-energize resulting in half trips of the AB, AC and AD actuation logic matrices. | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above |
 | e. Trip voltage comparator fails on | Component failure, short circuit | Bistable relays will not de-energize for valid SG1 lo level signal. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above |
 | f. Pre-trip setpoint fails low or off | Component failure, open circuit | Pre-trip setpoint decreases. Pre-trip relays will not de-energize when SG1 at desired pre-trip level. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | No impact on AFAS1 actuation logic. | Same as above |
 | g. Pre-trip setpoint fails high | Component failure | Pre-trip relays will de-energize at higher than desired SG1 level. | Pre-trip alarm and test. 3-channel comparison | None required | Spurious pre-trip alarms. No impact on AFAS1 actuation logic. | Same as above |
 | h. Pre-trip voltage comparator fails off | Open circuit, component failure | Same as 7g. | Same as 7g. | Same as 7g. | Same as 7g. | Same as above |
 | i. Pre-trip voltage comparator fails on | Component failure | Pre-trip relays will not de-energize when SG1 level reaches pre-trip setpoint. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | No impact on AFAS1 actuation logic. | Same as above |
TABLE 7.3-12 (cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | j. Pre-trip opto-isolator fails off | Open circuit, component failure | Pre-trip relay will de-energize | Annunciating pre-trip alarm | None required | No impact on AFAS1 actuation logic. | Same as above |
 | k. Pre-trip relay driver fails off | Open circuit, component failure | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. | Same as above |
 | l. Pre-trip relay driver fails on | Emitter to collector short circuit | Same as 7i. | Same as 7i. | Same as 7i. | Same as 7i. | Same as above |
 | m. Pre-trip relay coil fails open | Mechanical failure | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. | Same as above |
 | n. Pre-trip relay contact in annunciator circuit fails open | Mechanical damage, corrosion | Channel A pre-trip will not annunciate. | Periodic test, 3-channel comparison | Visual indicator not affected. 3-channel redundancy (4th channel in bypass). | No impact on AFAS1 actuation logic | Same as above |
 | o. Pre-trip relay contact in annunciator circuit fails closed | Contact arcing | Spurious pre-trip alarms | Annunciating | None required | AFAS1 actuation logic not affected | Same as above |
 | p. Pre-trip relay contact in indicator circuit fails open | Mechanical damage, corrosion | No visual indication of channel A pre-trip. | Periodic test | Annunciator not affected. 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic not affected | Same as above |
 | q. Pre-trip relay contact in indicator circuit fails closed | Contact arcing | Spurious pre-trip visual indications | Visual pre-trip indication | None required | AFAS1 actuation logic not affected | Same as above |
TABLE 7.3-12 (cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | r. Trip opto-isolator fails off | Component failure, open circuit | Bistable relays will de-energize resulting in half trips of the AB, AC and AD actuation logic matrices. | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above |
 | s. Trip opto-isolator fails on | Component failure, short circuit | Bistable relays will not de-energize on valid low level signal | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above |
 | t. Trip relay driver fails off | Transistor failure, open circuit. | One bistable relay de-energizes resulting in spurious half trips in AB, AC or AD logic matrices or spurious trip indication | Annunciation indication | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above |
 | u. Trip relay driver fails on | Emitter to collector short circuit | Affected relay will not de-energize for valid low level signal. One logic matrix (AB, AC or AD) will not de-energize | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above |
 | v. Trip relay coil fails open | Mechanical failure | Same as 7t. | Same as 7t. | Same as 7t. | Same as 7t. | Same as above |
 | w. Trip relay form c contacts to SG1 Rupture identification circuit fails to N.C. pole | Contacts welded by arcing, fuse failure | Relay initiates input to the channel A block circuit. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | No effect on AFAS1 actuation logic or on block logic. | Same as above |
 | x. Trip relay form c contacts to SG1 Rupture ID Circuit fails open | Open circuit | Channel A block circuit can not be activated. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | No effect on AFAS1 actuation logic, block logic becomes 2-out-of-2 coincident. | Same as above |
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | y. Trip relay form c contact to AFAS1 fails to N.O. pole | Contacts welded | Relay will not de-energize on actual Lo level signal. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | AFAS1 logic becomes 2-out-of-2 coincident, no effect on channel A block logic | Same as above |
 | z. Trip relay form c contact to AFAS1 fails to N.C. pole | Contacts welded | One relay will de-energize resulting in half trips of AB, AC or AD actuation logic matrix and initiating input to channel A block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass) | No effect on AFAS block logic. AFAS1 actuation logic becomes 1-out-of-2 | Same as above |
 | aa. Trip relay form c contacts in trip annunciator circuit fails to N.O. pole | Contacts welded | Annunciator will not signal relay coil or relay driver failure. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic not affected | Same as above |
 | ab. Trip relay form c contacts in trip annunciation circuit fails to N.C. pole | Contacts welded, fuse failure | Spurious relay coil or relay driver failure indications | Annunciating | None required | AFAS1 actuation logic not affected | Same as above |
 | ac. Pre-trip opto-isolator fails on | Component failure, short circuit. | Bistable relays will not de-energize on valid low level signal | Periodic test 3 channel comparison | None required | No impact on AFAS1 actuation logic | Same as above |
 | ad. Bistable hysteresis voltage fails high | Component failure | Bistable will reset at greater than desired SG1 level | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS1 reset logic becomes 1-out-of-2 coincident | Same as above |
 | ae. Bistable hysteresis voltage fails low | Component failure | Bistable will reset at less than desired SG1 level. | Periodic test | Same as 7ad | Same as 7ad | Same as above |
TABLE 7.3-12 (cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | af. Bistable hysteresis voltage analog switch fails open | Component failure, open circuit | Bistable will reset at less than desired SG1 level. For reset before actuation, reset level will equal trip level, resulting in relay cycling | Periodic test | Same as 7ad | Same as 7ad | Same as above |
 | ag. Bistable hysteresis voltage analog switch fails closed | Component failure, short circuit | Bistable will trip at greater than desired SG1 level | Periodic test | Same as 7ad | AFAS 1 actuation logic becomes 1-out-of-2 coincident | Same as above |
8 SG2 Lo level bistable | Failure modes and effects on AFAS2 actuation logic for lo steam generator level trips are equivalent to the failure modes and effects on AFAS1 actuation logic provided in line item 7, failure modes a through ag. | | | | | | |
9 Pressure SG1 < SG2 bistable | a. Setpoint power fails off or low | Component failure, open circuit | Setpoint level goes to zero; bistable relays de-energize for any P1 < P2 signal, resulting in input to channel A block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic becomes 1-out-of-2 coincident | To restore the system logic to 2-out-of-3 coincidence, the operator must restore the bypassed channel and then bypass the failed channel function. |
 | b. Setpoint power fails high | Component failure, short circuit | Bistable relays will not de-energize for valid Lo ΔP | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic for SG ΔP becomes 2-out-of-2. Block logic for FWH ΔP not affected. | Same as above |
 | c. Trip setpoint fails low | Component failure | Same as 9a. | Same as 9a. | Same as 9a. | Same as 9a. | Same as above |
TABLE 7.3-12 (cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | d. Trip setpoint fails high | Component failure | Same as 9b. | Same as 9b. | Same as 9b. | Same as 9b. | Same as above |
 | e. Process "A" input buffer fails off or low | Component failure, open circuit | SG1 pressure signal goes to zero. Trip and pre-trip comparators de-energize bistable relays and initiates input to channel A block circuit. | Same as 9a. | Same as 9a. | Same as 9a. | Same as above |
 | f. Process "A" input buffer fails high | Component failure, short circuit | SG1 pressure signal goes high. Bistable will not change logic state for valid pressure differential. | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic for SG ΔP becomes 2-out-of-2. Block logic for FWH ΔP not affected | Same as above |
 | g. Process "B" input buffer fails off or low | Component failure, open circuit | SG2 pressure goes negative. Bistable will not change logic state for valid signal | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic for SG ΔP becomes 2-out-of-2 | Same as above |
 | h. Process "B" input buffer fails high | Component failure, open circuit | SG2 pressure goes high. Bistable relays de-energize resulting in input to channel A block circuit | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic becomes 1-out-of-2 coincident | Same as above |
 | i. Pre-trip setpoint fails low or off | Component failure | Pre-trip setpoint increases; pre-trip relays will not de-energize at desired pre-trip level | Periodic test | 3-channel redundancy (4th channel in bypass) | No impact on AFAS1 block logic. Spurious pre-trip alarms | Same as above |
 | j. Pre-trip setpoint fails high | Component failure | Pre-trip relays will de-energize at higher than desired pressure differential | Pre-trip alarm and periodic test | None required | No impact on AFAS1 block logic. Spurious pre-trip alarms. | Same as above |
 | k. Pre-trip voltage comparator fails off | Component failure, open circuit | Pre-trip relays de-energize at higher than desired SG2A pre-trip pressure | Pre-trip alarm and test | None required | Spurious pre-trip alarms, no impact on AFAS1 block logic | Same as above |
 | l. Pre-trip voltage comparator fails on | Component failure, short circuit | Pre-trip relays will not de-energize at desired pre-trip setpoint | Periodic test | 3-channel redundancy (4th channel in bypass) | No impact on AFAS1 block logic. | Same as above |
TABLE 7.3-12 (cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | m. Pre-trip opto-isolator fails off | Open circuit, component failure | Pre-trip relay will de-energize | Annunciating pre-trip alarm | None required | No impact on AFAS1 block logic. | Same as above |
 | n. Pre-trip relay driver fails off | Component failure, open circuit | Same as 9m. | Same as 9m. | Same as 9m. | Same as 9m. | Same as above |
 | o. Pre-trip relay driver fails on | Emitter to collector short circuit | Same as 9l. | Same as 9l. | Same as 9l. | Same as 9l. | Same as above |
 | p. Pre-trip relay coil fails open | Mechanical failure | Same as 9m. | Same as 9m. | Same as 9m. | Same as 9m. | Same as above |
 | q. Pre-trip relay contact in annunciator fails open | Mechanical damage, corrosion | Channel A pre-trip will not annunciate. | Periodic test | 3-channel redundancy (4th channel in bypass), visual indicator not affected | No impact on AFAS 1 block logic. | Same as above |
 | r. Pre-trip relay contact in annunciator fails closed | Contact arcing | Spurious channel A pre-trip alarms | Annunciating | None required | AFAS1 block logic not affected. | Same as above |
 | s. Pre-trip relay contact in indicator circuit fails open | Mechanical damage, corrosion | No visual indication of channel A pre-trip | Periodic test | Annunciator not affected. 3-channel redundancy (4th channel in bypass) | AFAS1 block logic not affected. | Same as above |
 | t. Pre-trip relay contact in indicator circuit fails closed | Contact arcing | Spurious channel A pre-trip indications | Visual pre-trip indication | None required | AFAS1 block logic not affected | Same as above |
TABLE 7.3-12 (cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | u. Trip voltage comparator fails off | Open circuit, component failure | Bistable relays will de-energize resulting in input to AFAS1 block circuit | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic becomes 1-out-of-2 coincident | Same as above |
 | v. Trip voltage comparator fails on | Component failure | Bistable relays will not de-energize for valid pressure differential signal | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic for SG ΔP becomes 2-out-of-2 coincident | Same as above |
 | w. Trip opto-isolator fails off | Component failure, open circuit | Bistable relays will de-energize resulting in input to channel A AFAS1 block circuit | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic becomes 1-out-of-2 coincident | Same as above |
 | x. Trip relay driver fails off | Transistor failure, open circuit | Bistable relay de-energizes resulting in input to channel A AFAS1 block circuit | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic becomes 1-out-of-2 coincident | Same as above |
 | y. Trip relay driver fails on | Emitter to collector short circuit | Affected relay will not be able to de-energize for valid signals | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS 1 block logic for SG ΔP becomes 2-out-of-2 coincident | Same as above |
 | z. Trip relay coil fails open | Mechanical failure | Same as 9x. | Same as 9x. | Same as 9x. | Same as 9x. | Same as above |
 | aa. Trip relay form c contacts to SG1 Rupture identification circuit fails to N.C. pole | Contacts welded by arcing, fuse failure | Bistable relay de-energizes resulting in input to channel A AFAS1 block circuit | Periodic test | 3-channel redundancy (4th channel in bypass) | No impact on AFAS1 actuation logic. Block logic becomes 1-out-of-2 coincident. | Same as above |
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | ab. Trip relay form c contacts to SG1 Rupture Identification circuit fails to N.O. pole | Contacts welded | Relay cannot activate channel A block circuit | Periodic test | 3-channel redundancy (4th channel in bypass) | No effect on AFAS1 block logic | Same as above |
 | ac. Trip annunciator relay form c contacts fail to N.O. pole | Contacts welded | Annunciator will not signal relay coil or relay driver failure | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass) | No effect on AFAS 1 block logic | Same as above |
 | ad. Trip annunciator relay form c contacts fail to N.C. pole | Contacts welded, fuse failure | Spurious relay coil or relay driver failure indications | Annunciating | None required | AFAS1 block logic not affected | Same as above |
10 Pressure SG2 < SG1 bistable | Failure modes and effects on AFAS2 block logic for pressure SG2 < SG1 trips are equivalent to the failure modes and effects on AFAS1 block logic provided in line item 9, failure modes a through ad. | | | | | | |
11 Pressure FWH1 < FWH2 bistable | Failure modes and effects for pressure FWH1 < FWH2 trips are equivalent to the failure modes and effects provided in line item 9, failure modes a through ad. | | | | | | |
12 Pressure FWH2 < FWH1 bistable | Failure modes and effects on AFAS2 block logic for pressure FWH2 < FWH1 trips are equivalent to the failure modes and effects on AFAS1 block logic provided in line item 9, failure modes a through ad. | | | | | | |
13 AFAS1 bistable card | a. One trip relay driver fails off | Transistor failure, open circuit | One bistable relay de-energizes resulting in half trip of AB, AC or AD logic matrix. | Indication in affected logic matrix | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic remains 2-out-of-3 coincidence, with 1-out-of-2 selective coincidence between unaffected channels | Same as above |
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | b. One trip relay driver fails on | Emitter to collector short circuit | Affected relay will not de-energize for valid signal | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS actuation logic becomes 2-out-of-2 coincident | Same as above |
 | c. One trip relay coil fails | Mechanical failure | Same as 13a | Same as 13a | Same as 13a | Same as 13a | Same as above |
 | d. One trip relay form c contact to 2/4 logic matrix fails to N.C. pole | Contacts welded, component failure | Channel A AFAS 1 test coils will de-energize resulting in half trips of the AB, AC and AD logic matrices | Visual indication | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 1-out-of-2 coincident | Same as above |
 | e. One trip relay form c contact to 2/4 logic matrix fails to N.O. pole | Contacts welded | Channel A AFAS 1 test coils will not de-energize for valid signal | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 2-out-of-2 coincident | Same as above |
 | f. One trip relay form c contact to trip annunciator circuit fails to N.O. pole | Contacts welded | Annunciator will not signal relay coil or relay driver failure | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic not affected | Same as above |
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | g. One trip form c contact to trip annun. circuit fails to N.O. pole | Contacts welded | Spurious relay coil or relay driver failure indications | Annunciating | None required | AFAS1 not affected | Same as above |
14 AFAS2 bistable card | Failure modes and effects on AFAS2 actuation logic for AFAS2 bistable trips are equivalent to the failure modes and effects on AFAS 1 actuation logic provided in line item 13, failure modes a through g. | | | | | | |
LOGIC MATRICES - AB TYPICAL | | | | | | | |
15 Logic matrix relay driver | a. Fails off | Transistor failure, open circuit | One matrix relay de-energizes inducing a trip via the time delay circuitry in one of four AFAS trip paths | Visual indicator | A minimum of two trip paths must be de-energized to produce a trip | AFAS actuation logic remains 2-out-of-3 coincident | Same as 9a |
 | b. Fails on | Emitter to collector short circuit | One logic matrix relay will not de-energize on a valid signal coincidence | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS actuation logic remains 2-out-of-3 coincident. Affected logic matrix can still generate a trip to other three circuits | Same as above |
16 Logic matrix relay coil | a. Fails open | Open circuit | One matrix relay de-energizes inducing a trip via the time delay circuitry in one AFAS 1 trip path | Visual indication | A minimum of two trip paths must be de-energized to produce a trip | AFAS actuation logic remains 2-out-of-3 coincident | Same as above |
 | b. Shorted | Hot short | Affected matrix relay will not de-energize on valid signal | Periodic test | 3-channel redundancy (4th channel in bypass) | Same as above | Same as above |
17 One logic matrix relay contact in trip path | a. Fails open | Open circuit, mechanical damage, corrosion | One matrix relay de-energizes inducing a trip via the time delay circuitry in one of four trip paths | Visual indication | A minimum of two trip paths must be de-energized to produce a trip | AFAS actuation logic remains 2-out-of-3 coincident | Same as above |
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
 | b. Fails closed | Contact weld | One matrix relay will not de-energize on a valid signal coincidence | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS actuation logic remains 2-out-of-3 coincident. Affected logic matrix can still generate a trip with other relays | Same as above |
18 One logic matrix indicator lamp | a. Fails off | Broken filament | Spurious indication that one matrix relay is de-energized | Annunciating visual indication | None required | No effect on AFAS trip logic | Same as above |
 | b. Fails on | Hot short | No indication of matrix relay failure or de-energization. | Periodic test | None required | Same as above | Same as above |
19 One matrix power supply | a. Fails off or low | Component failure, open circuit | Loss of one power supply | Annunciating visual indication | Second power supply provides power to logic matrix relays | No effect on AFAS trip logic. | Same as above |
 | b. Fails high | Component failure | Possible overstress of 2-out-of-4 logic matrix relays. Relays may fail open and logic matrix may become half-tripped | Visual indication if matrix fails open | Same as above | Same as above | Same as above |
20 Logic matrix power supply diode | a. Fails open | Overstress, mechanical damage | Loss of one of two matrix power supplies | Power supply trouble alarm, visual indication | Same as above | Same as above | Same as above |
 | b. Shorted | Overstress | No impact during normal operation, loss of isolation for power supplies | Periodic test | Redundant power supplies | No impact on AFAS trip logic | Same as above |
21 Logic matrix power supply fuses | Fail open | Overstress, mechanical damage | Loss of one of two matrix power supplies | Power supply trouble alarm, visual indication | Redundant power supplies | AFAS actuation logic remains 2-out-of-3 coincident | Same as above |
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
22 Logic matrix power supply indicator lamp | Fails off | Open filament | Spurious visual indication of failure of one logic matrix power supply | Visual indication, no alarm | None required | No impact on AFAS trip logic | Same as above |
23 Logic matrix power supply trouble annunciator relay | Fails open | Overstress, mechanical damage, open circuit | Spurious logic matrix power supply alarms | Annunciating | None required | No impact on AFAS trip logic | Same as above |
24 Logic matrix power supply trouble annunc. relay contact | a. Fails open | Mechanical damage, open circuit, corrosion | Same as above | Same as above | Same as above | Same as above | Same as above |
 | b. Fails closed | Contact weld | Power supply trouble alarm will not sound if power supply fails | None, if power supply fails then visual indication, no alarm | Visual power supply operability indication | No impact on AFAS trip logic | Same as above |
INITIATION CIRCUIT - CHANNEL A TYPICAL | | | | | | | |
25 Remote manual pushbutton | a. Fails open | Mechanical damage, open circuit | Initiation relays for one AFAS will de-energize and initiate input to the AFAS actuation circuit. | Visual indication and annunciation | A minimum of two trip paths must be de-energized in actuation circuit to produce a trip | AFAS for one leg will become 1-out-of-3 selective in actuation circuit to produce a trip. | Same as 9a |
 | b. Fails closed | Contact weld, short circuit | Unable to de-energize channel A initiation relays for one AFAS by using pushbutton | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS for one leg becomes 2-out-of-3 selective | Same as above |
26 Initiation relay | Fails open | Open circuit | One initiation relay de-energizes and initiates input to one leg of actuation circuit. | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS remains 2-out-of-3 coincident. Initiation logic becomes 1-out-of-3 selective | Same as above |
TABLE 7.3-12 (Cont'd)

Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method** of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|
27 Initiation relay contacts in actuation circuit | a. Fails open | Open circuit, corrosion, mechanical damage | One train of AFAS will open | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS remains 2-out-of-3 coincident with initiation logic becoming 1-out-of-3 selective | Same as above |
 | b. Fails closed | Contact weld, short circuit | AFAS1-A actuation relay will not de-energize to actuate AFAS1-A equipment. | Periodic test | Parallel redundancy in channel. | AFAS remains 2-out-of-3 coincident with initiation logic becoming 2-out-of-3 selective | Same as above |
ACTUATION CIRCUIT - CHANNEL A TYPICAL | | | | | | | |
28 Actuation power supply | a. Fails off or low | Component failure, open circuit | Loss of power from one power supply for one set of actuation relays and bistables | Annunciating and visual indication | Power to each bistables and actuation circuits of each channel is provided by two auctioneered supplies. If one fails the other will meet requirements | No effect on AFAS logic | Same as 9a |
 | b. Fails high | Component failure | Loss of power from one power supply for one set of actuation relays and bistables | Annunciating if relays fail and visual indication | Automatic overvoltage protection, redundant power supply unaffected | No effect on AFAS logic | Same as above |
29 Actuation power supply diode | a. Fails open | Overstress, mechanical damage | Loss of one of two power supplies for one set of actuation relays | Power supply trouble alarm, visual indications | Redundant power supply | No effect on AFAS logic | Same as above |
 | b. Shorted | Overstress | No impact in normal operation, loss of isolation for one power supply | Periodic test | Redundant power supply | No effect on AFAS logic | Same as above |
30 Auctioneering diode | a. Fails open | Overstress, mechanical damage | Loss of power from one power supply to one set of actuation relays | Annunciating visual indication | Redundant power supply | No effect on AFAS logic | Same as above |
TABLE 7.3-12 (Cont'd)

No. | Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection** | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|---|
 | | b. Shorted | Overstress | Loss of isolation between power supplies, possible short of both power supplies which initiates actuation of equipment associated with channel A AFAS. | Periodic test, visual indication | Will not force delivery of aux. feedwater or inhibit delivery of aux. feedwater due to actuation of equipment. | No effect on AFAS logic | Same as above |
31 | Actuation circuit indicator lamp | Fails off | Burnt filament, mechanical damage | Spurious visual indication that one leg of actuation circuit has opened | Visual indication | None required | No effect on AFAS logic | Same as above |
32 | Local Manual Actuation Switch | a. Fails open | Mechanical damage. Open circuit | AFAS1-A actuation | Annunciating | AFAS1 not fully actuated. Only channel MA components | AFAS1-A actuated, AFAS2 unaffected | Same as above |
 | | b. Fails closed | Contact weld, mechanical damage | Manual actuation will not open one leg of actuation circuit | Periodic test | Automatic actuation not affected | No manual actuation of one leg of AFAS | Same as above |
33 | Lockout reset push button | a. Fails open | Mechanical damage | No impact in normal operation. Unable to reset channel MA actuation relays after test or actuation. | Periodic test | Automatic actuation and manual initiation not affected | No effect on AFAS logic | Same as above |
 | | b. Fails closed | Contact weld, mechanical damage | No impact in normal operation, automatic reset of channel MA activation relays. | Periodic test | Automatic actuation and manual initiation not affected | AFAS logic not affected. | Same as above |
34 | Lockout relay coil | a. Fails open | Open circuit, overstress, mechanical damage | One actuation leg opens | Annunciating | Opposite actuation leg will provide power to actuation relays | No effect on AFAS logic | Same as above |
 | | b. Shorted | Mechanical damage. Open circuit | AFAS1-A actuation | Annunciating | AFAS1 not fully actuated. Only channel MA components | AFAS1-A actuated, AFAS2 unaffected | Same as above |

* SG2A is SG1, SG2B is SG2
** Pre-trip & trip annunciation consists of local light indication & sequence of events printout.
TABLE 7.3-12 (Cont'd)

No. | Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection** | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|---|
35 | Lockout relay N.O. contact | a. Fails open | Open circuit, mechanical damage | One actuation leg opens | Annunciating | Opposite actuation leg provides power to actuation relays | No effect on AFAS logic | Same as above |
 | | b. Fails closed | Contact weld, mechanical damage | Equipment will cycle with relays | Periodic test | Automatic actuation and manual initiation not affected | AFAS logic not affected | Same as above |
36 | Lockout indication lamp | Fails off | Burnt filament, mechanical damage | Spurious visual indication that one lockout relay is de-energized | Visual indication | None required | No effect on AFAS logic | Same as above |
37 | Actuation relay coil | a. Fails open | Mechanical damage. Open circuit | AFAS1-A actuation | Annunciating | AFAS1 not fully actuated. Only channel MA components | AFAS1-A actuated, AFAS2 unaffected | Same as above |
 | | b. Shorted | Mechanical short | Actuation relay will not hold contacts, one pump or one valve will be actuated in one AFAS train | Visual indication | Same as above | Same as above | Same as above |
38 | Actuation relay indicator N.C. contacts | a. Fail closed | Contact weld, mechanical damage | Unable to test actuation of one pump or valve in one AFAS train | Periodic test | None required | No effect on AFAS logic | Same as above |
 | | b. Fails open | Mechanical damage | One valve or one pump will be actuated in one AFAS train | Visual indication | One component will be actuated, full train will not be actuated by failure of one actuation relay | AFAS actuation remains 2-out-of-3 coincidence | Same as above |
39 | Actuation relay indicator N.O. contacts | a. Fail closed | Contact weld, mechanical damage | Spurious indication of failed actuation relay | Visual indication | None required | No impact on AFAS logic | Same as above |

* SG2A is SG1, SG2B is SG2
** Pre-trip & trip annunciation consists of local light indication & sequence of events printout.
TABLE 7.3-12 (Cont'd)

No. | Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection** | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|---|
 | | b. Fails open | Mechanical damage, open circuit | No indication of actuation relay failure | Periodic test | None required | No impact on AFAS logic | Same as above |
40 | Time Delay Circuitry | a. Timer fails off or slow | Component failure | Timer will not deenergize initiation relays if it fails off. Time delay will be increased if timer fails slow | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS 1 remains 2-out-of-3 coincident with initiation logic becoming 2-out-of-3 selective | Same as above |
 | | b. Timer fails fast | Component failure | Timer will deenergize initiation relays before desired delay | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS 1 remains 2-out-of-3 coincident with initiation logic becoming 1-out-of-3 selective after timer has timed out | Same as above |
 | | c. Time delay relay driver fails off | Transistor failure, open circuit | Time delay relay will de-energize resulting in the de-energization of the associated initiation relays | Visual inspection | A minimum of 2 trip paths must be deenergized to produce a trip | AFAS 1 remains 2-out-of-3 coincident with initiation logic becoming 1-out-of-3 selective | Same as above |
 | | d. Time delay relay driver fails on | Emitter to collector short circuit | Affected relay will not de-energize for valid signal | Periodic test | 3-channel redundancy (4th channel in bypass) | Same as 40a | Same as above |
 | | e. Time delay coil fails open | Mechanical failure | Same as 40c | Same as 40c | Same as 40c | Same as 40c | Same as above |
 | | f. Time delay relay contact to initiation circuit fails to N.O. pole | Contacts welded, component failure | Initiation relays in affected trip path will not be deenergized on valid signal | Periodic test | Same as 40a | Same as 40a | Same as above |
 | | g. Time delay relay contact to initiation circuit fails to N.C. pole | Component failure | Initiation relays will be de-energized | Visual indication | Same as 40c | Same as 40c | Same as above |

* SG2A is SG1, SG2B is SG2
** Pre-trip & trip annunciation consists of local light indication & sequence of events printout.
TABLE 7.3-12 (Cont'd)

No. | Name* | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection** | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
---|---|---|---|---|---|---|---|---|
 | | h. Opto-isolator between timer and analog fails off | Component failure, open circuit | Analog switch in normally open state providing continuous hysteresis voltage to bistable comparator, associated bistable will trip at greater than desired SG1 level | Periodic test | Same as 40a | AFAS 1 actuation logic becomes 1-out-of-2 coincident | Same as above |
 | | i. Opto-isolator between timer and analog switch fails on | Component failure, short circuit | Timer timing-out will not change state of analog switch. Associated bistable will reset at less than desired SG1 level | Periodic test | Same as 40a | AFAS 1 reset logic becomes 1-out-of-2 coincident | Same as above |
 | | j. Time delay analog switch fails closed | Component failure, short circuit | Associated bistable will trip at greater than desired SG1 level | Periodic test | Same as 40a | Same as 40i | Same as above |
 | | k. Time delay analog switch fails high | Component failure, open circuit | Associated bistable will reset at lower than desired SG1 level | Periodic test | Same as 40a | Same as 40h | Same as above |
 | | l. Time delay hysteresis voltage fails high | Component failure | Same as 40j | Periodic test | Same as 40a | Same as 40i | Same as above |
 | | m. Time delay hysteresis voltage fails low | Component failure | Same as 40k | Periodic test | Same as 40a | Same as 40h | Same as above |
 | | n. Hysteresis voltage summer output fails high | Component failure | Same as 40j | Periodic test | Same as 40a | Same as 40i | Same as above |
 | | o. Hysteresis voltage summer output fails low | Component failure | Same as 40k | Periodic test | Same as 40a | Same as 40h | Same as above |

* SG2A is SG1, SG2B is SG2
** Pre-trip & trip annunciation consists of local light indication & sequence of events printout.
FIGURE 7.3-1: Block Diagram - Engineered Safeguards Logic System. Refer to Drawings 2998-3956 and 2998-3957. Florida Power & Light Company, St. Lucie Plant Unit 2. Amendment No. 18 (01/08)
FIGURE 7.3-2: Control Wiring Diagram, Pressurizer Pressure P-1102A Measurement Loop. Refer to Drawing 2998-8-327 SH 372. Amendment No. 18 (01/08)
FIGURE 7.3-3: Deleted. Amendment No. 18 (01/08)
FIGURE 7.3-4: Deleted. Amendment No. 18 (01/08)
FIGURE 7.3-5: Deleted. Amendment No. 18 (01/08)
FIGURE 7.3-6: Deleted. Amendment No. 18 (01/08)
FIGURE 7.3-6a: ATWS/DSS Logic Channel. Amendment No. 7 (4/92). [Diagram not reproduced. Labels recoverable from the drawing: ATWS/DSS 2/4 logic, ATWS/DSS actuation module, test, trip and bypass, isolation relays ISOL-1, ISOL-2 and ISOL-3, CEA drive MG set 2A and 2B contactor trip, ATWS trip and ATWS bypass outputs to the auto tester and SER.]
FIGURE 7.3-7: Deleted. Amendment No. 18 (01/08)
FIGURE 7.3-8: Deleted. Amendment No. 18 (01/08)
FIGURE 7.3-9: Deleted. Amendment No. 18 (01/08)
FIGURE 7.3-10: Block Diagram, Power Distribution for Engineered Safeguards Logic System. Refer to Drawing 2998-4311. Amendment No. 18 (01/08)
FIGURE 7.3-11: ESFAS Interconnection for AB Shared System Equipment. Amendment No. 13 (05/00). [Diagram not reproduced. Labels recoverable from the drawing: engineered safeguard cabinets, measurement cabinets MA, MB, MC and MD, logic cabinet SB, sealed rotary relays, SAB cables, and SB equipment circuits.]
FIGURE 7.3-12: Auxiliary Feedwater Actuation System Simplified Functional Diagram. Refer to Drawing 2998-12613. Amendment No. 18 (01/08)
FIGURE 7.3-13: Auxiliary Feedwater Actuation System Testing System Diagram. See Drawing 2998-12614. Amendment No. 18 (01/08)
FIGURE 7.3-14: AFW Actuation System Signal Logic Diagram. Refer to Drawing 2998-15003. Amendment No. 18 (01/08)
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

This section describes the instrumentation and control systems that are required to establish and maintain a safe shutdown condition for the reactor. "Safe Shutdown" is defined depending on plant operating conditions as hot standby, hot shutdown or cold shutdown conditions. "Capability for safe shutdown," in all cases, is defined as maintaining the capability to reach cold shutdown conditions even though cold shutdown may not be required for maintaining the plant in a safe condition. In most cases these instrumentation and control systems are utilized in the performance of both normal and emergency plant operations. Shutdown conditions addressed in this section include both hot shutdown and cold shutdown. Hot shutdown and cold shutdown modes are defined in the plant Technical Specification.

7.4.1 DESCRIPTION
Controls and instrumentation are provided to enable the operator to monitor operations and actuate controls of systems and components necessary to bring the unit from full power operation to cold shutdown. A tabulation of the control room instruments and readouts used to monitor shutdown is shown in Table 7.4-1. The normal shutdown procedure includes the following operations:

a) Maintenance of hot standby conditions which requires:
   1) Actuation and operation of the Auxiliary Feedwater System
   2) Actuation and control of the Steam Dump and Bypass System
   3) Monitoring of Reactor Coolant System pressurizer temperature, pressure and water level
   4) Monitoring of steam generator pressure and water level
b) Boration of Reactor Coolant System which requires:
   1) Actuation and control of boron addition and charging subsystem of the Chemical and Volume Control System (CVCS)
   2) Monitoring of Reactor Coolant System boron concentration
c) Reactor Coolant System cooldown to 325 °F which requires:
   1) Operation and control of Auxiliary Feedwater System
   2) Control of Steam Dump and Bypass System
   3) Monitoring of Reactor Coolant System temperature, pressurizer pressure and water level
   4) Monitoring of steam generator pressure and water level

7.4-1 Amendment No. 20 (05/11)
d) Reactor Coolant System cooldown to cold shutdown which requires:
   1) Actuation and control of Shutdown Cooling System
   2) Control of Component Cooling Water System
   3) Control of Intake Cooling Water System
   4) Operation and control of boron addition and charging subsystem of CVCS
   5) Monitoring of Reactor Coolant System pressurizer temperature, pressure and water level
   6) Availability of auxiliary spray flow, as further described in Subsection 5.4.7.5 (Item A.2). However, RCS depressurization during cooldown can be accomplished without auxiliary spray flow (see Subsection 5.4.7.5 (Item A.2) and Subsection 9.3.4.3.1.3.4).
For off-normal shutdowns (e.g., loss of offsite power, loss of condenser cooling), the atmospheric dump valves are utilized for heat removal until shutdown cooling is initiated. The Onsite Power System (Section 8.3) provides power upon a loss of offsite power. For all shutdown conditions the capability exists for emergency actions (see Subsections 7.4.1.5 and 9.5A.5) outside of the control room.

Based on the above, the following is the minimum equipment required to be operable for safe shutdown:

a) Auxiliary Feedwater System
b) Chemical and Volume Control System (Boron addition and charging portions only)
c) Shutdown Cooling System
d) Atmospheric Dump Valves (or Steam Dump and Bypass System)
e) Control Room
f) Instrumentation listed in Table 7.4-1.

The following support systems are also required to be operable for safe shutdown, including shutdown with a concurrent loss of offsite power:

a) Onsite Power System
b) Diesel Fuel Oil Storage and Transfer System
c) Intake Cooling Water System
d) Component Cooling Water System
e) Heating, Ventilating, and Air Conditioning (HVAC) Systems for areas containing systems and equipment required for safe shutdown

7.4-2 Amendment No. 14 (12/01)

The instrumentation and control systems required for safe shutdown of the reactor are in the subsections which follow.
The instrumentation and control systems required for safe shutdown are not protective systems as defined by IEEE 279-1971, and therefore the Design Basis (Section 3) of IEEE 279-1971 does not apply. Nevertheless, the instrumentation and control systems conform to many of the requirements of IEEE 279-1971 as described in Subsection 7.4.2.

7.4.1.1 Auxiliary Feedwater System Instrumentation and Control

The Auxiliary Feedwater (AFW) System design is more fully described in Subsection 10.4.9. The system P&ID is shown on Figures 10.1-1a and 10.1-2b and locations of system components are shown on the reactor Auxiliary Building (RAB) general arrangement drawings in Section 1.2. The system instrumentation and controls utilized to achieve plant shutdown are as follows:

a) Controls

Two full capacity motor driven (2A, 2B) and one full capacity turbine driven (2C) auxiliary feedwater pumps are actuated automatically upon low steam generator level. Controls are provided for opening and closing the steam inlet valves for starting and stopping the turbine driven auxiliary feedwater pump 2C (Valves MV-08-12 and 13) and for starting and stopping the motor driven auxiliary feedwater pumps 2A and 2B. Steam for the turbine driven pump is supplied from either one of the steam generators. Power for the steam inlet valve motors MV-08-12 and 13 and their controls is supplied from the 125 Volt dc bus A and B, respectively. The motor driven AFW pumps 2A and 2B are powered from separate 4.16 kV buses 2A3 and 2B3, respectively. Auxiliary feedwater pump 2C inlet valve MV-08-3 is normally open and does not require power during auxiliary feedwater pump 2C operation.

Auxiliary feedwater required for each steam generator during shutdown is supplied by throttling the appropriate feedwater pump discharge valves until the desired flow is reached. Flow indicators (reference Table 7.4-1) and valve control switches are provided in the control room.

The water level in each steam generator is adjusted by controlling the inlet valves thereby increasing or decreasing the auxiliary feedwater flow rate. The level in steam generator 2A is adjusted by opening valve SE-09-2 and throttling valves MV-09-9 and/or MV-09-11 using flow indicators FI-09-2A and/or FI-09-2C. The level in steam generator 2B is adjusted by opening valve SE-09-3 and throttling valves MV-09-10 and/or MV-09-12 using flow indicators FI-09-2B and/or FI-09-2C. The motor operated valves fail "as is" and the solenoid valves fail closed on loss of ac power. In the event of loss of ac power, auxiliary feedwater is supplied from the turbine driven auxiliary feedwater pump 2C through dc operated valves MV-09-11 and 12. Flow from auxiliary feedwater pump 2C to the steam generator is controlled by opening dc operated valves SE-09-3 and SE-09-4 and throttling dc operated MV-09-11 and 12.

When the Auxiliary Feedwater System is operated from outside the control room, resetting of the automatic Auxiliary Feedwater Initiation signal is not required. The individual transfer switches enable the operator to take control of the system from outside the control room.

7.4-3 Amendment No. 18 (01/08)
Control room process indication, alarm and status instrumentation is provided to enable the operator to evaluate system performance and detect malfunctions. The condensate storage tank water level is provided with redundant control room indicators and with redundant low, low-low water alarms. Separate processing instrumentation is provided for each of the auxiliary feedwater pumps. Pump discharge pressure and flow are indicated and low pump suction pressure is alarmed. Steam generator water level and pressure instrumentation is provided as shown in Table 7.5-1. Further discussion of the control room display instrumentation is presented in Section 7.5.

b) Bypasses, Interlocks and Sequencing

Upon a loss of offsite power, the motor driven pumps are automatically restarted and powered from the emergency diesel generators if they were previously running due to an AFAS. Sequencing is shown in Table 8.3-2. The turbine driven pump requires no ac or dc power for its operation.

c) Redundancy and Diversity

The two motor driven pumps and their respective discharge valves MV-09-9 and 10 to the steam generators are redundant to the turbine driven pump and its discharge valves MV-09-11 and 12 to each steam generator. Separate and independent circuitry, logic and controls are provided for the redundant components.

125V dc power for the turbine driven pump and associated valves is available from the 125V dc A and B buses (see Subsection 8.3.2). Auxiliary Feedwater System diversity is provided by virtue of the diverse pump drivers, motor driven versus steam turbine driven, and the associated ac-powered versus dc-powered motor operated valves. Additionally, there are manual operators (handwheels) on the flow control valves to the steam generators.

7.4-4 Amendment No. 13 (05/00)
7.4.1.2 Chemical and Volume Control System (Boron Addition and Charging Portions)

The boron concentration in the reactor coolant is increased to the cold shutdown value during the cooldown of the plant, to assure sufficient shutdown margin throughout the cooldown period. The boron addition and charging subsystems are portions of the Chemical and Volume Control System (CVCS) which are used in the shutdown process. The Chemical and Volume Control System is discussed in Subsection 9.3.4. The system P&ID is shown on Figure 9.3-5(a-c). Location of major system components is shown on the RAB general arrangement drawings in Section 1.2. The system instrumentation and controls utilized to achieve plant shutdown are discussed as follows:

a) Initiating Circuits and Logic

To help achieve a safe shutdown and cooldown, the system component actuation steps required are:
   1) coordinated control of the charging pumps, letdown control valves, and letdown backpressure valves to adjust and maintain the correct pressurizer water level
   2) periodic sampling and adjustment of the boron concentration to compensate for the temperature decrease and other variables until shutdown concentration is reached.

Control board mounted instrumentation, tabulated in Table 7.4-1, is provided to enable the operator to evaluate system performance and to control system operation.

b) Interlocks, Sequencing and Bypasses

System operation is achieved by the coordinated operation of the charging pump and boric acid makeup pump control circuits. The charging pump control circuit sequences charging pump operation in response to pressurizer water level control circuit requirements as discussed in Subsection 7.7.1.1.3. The boric acid makeup pump control circuit sequences the boric acid makeup pump and valve operation to achieve the desired boric acid concentration. Manual control of any portion of these systems can be achieved while allowing the remainder to continue functioning in automatic. The receipt of a safety injection actuation signal (SIAS) (discussed in Subsection 7.3.1) overrides any control mode condition so that full boron addition and charging capabilities are achieved. No instrument bypasses exist which could degrade this response.

c) Redundancy and Diversity

Two separate and distinct modes of boron addition are available through the use of the boric acid makeup pumps or the gravity feed lines. Either of these methods can be used to transfer concentrated boric acid from each of the boric acid makeup tanks to either the volume control tank or directly to the reactor coolant system. Charging system redundancy is achieved by having separate charging pumps (with diverse injection paths) and supporting instrumentation powered from separate electrical buses.

7.4-5 Amendment No. 13 (05/00)
7.4.1.3 Shutdown Cooling System I&C

The Shutdown Cooling System (SDCS) is more fully described in Subsection 5.4.7. The SDCS P&ID is shown on Figure 6.3-1(a-c) and the location of major components is shown on the RAB general arrangement drawings in Section 1.2. The SDCS instrumentation and controls necessary to initiate and achieve safe shutdown are described below. As described in Subsection 5.4.7, the SDCS utilizes the low pressure safety injection (LPSI) pumps, which are aligned for the Emergency Core Cooling System (ECCS) mode of operation when the Reactor Coolant System temperature is above 325 F. Alignment from the ECCS to the SDCS mode is described in Subsection 5.4.7.2.

a) Initiating Circuits, Logics and Controls

The Shutdown Cooling System is manually initiated when the Reactor Coolant System temperature and pressure are reduced to about 325 F and about 276 psia. Subsequent to the valve switchovers from ECCS to SDCS mode, actions are performed in the control room to initiate shutdown cooling as outlined in Subsection 5.4.7.2.6.

The process instrumentation and controls for the SDCS including the LPSI pumps are delineated in Table 7.4-1.

b) Bypasses and Interlocks

The Shutdown Cooling System instrumentation has no bypass features. Interlocks, key locked switches and administratively locked valves are provided to prevent the possibility of overpressurization of the lines, which are designed for low pressure operation. These interlocks are described in Subsection 7.6.1.1. Also see discussions provided in Subsection 5.4.7.2.

Following certain postulated accidents (e.g., feedwater line break, small break LOCA, steamline break) or loss of offsite power, it may become necessary to initiate shutdown cooling with Reactor Coolant System hot leg conditions which exceed the normal shutdown cooling initiation temperature. However, shutdown cooling is not initiated at conditions which exceed the design temperature of the SDCS components.

c) Redundancy and Diversity

Initiation of shutdown cooling with the most limiting single failure (loss of one shutdown cooling train) is accomplished using the procedures under plant cooldown for the operable train (i.e., operating the valves with (A) for train A, or the valves without (A) for train B). The power supplies to the isolation valves are so arranged that the following objectives are met assuming a single failure.

7.4-6 Amendment No. 14 (12/01)

   1) Both redundant lines are closed at least by one valve when the pressure is above the set value, thus protecting the low pressure part of the line. Valves V3481 and V3664 in train A and V3652 in train B are powered from SA power. Valves V3480 in line A and V3651 and V3665 in line B are powered from SB power.
   2) Header A and B tie valve V3545 is powered from SAB power assuring that at least one header is available for shutdown.

In the unlikely event of a loss of power to one of the two SDCS trains, the SDCS suction line cross-connect valve (V3545) is utilized to provide at least one complete shutdown cooling train. The operator selects the system flow path with an active available power supply (emergency or normal). Since the SDCS suction line cross-connect valve (V3545) is normally locked open, the SDC functions can continue.
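The single-failure argument in item 1) above can be checked mechanically. The following added example (not part of the FSAR) encodes the valve-to-power-source assignments stated there and reports any suction line left without a powered isolation valve after loss of one source; the function names, the constructed weak assignment, and the reading of "powered" as "still operable" are assumptions.

```python
"""Single-failure check of the shutdown cooling isolation valve power assignments.

Added illustration: valve tags and SA/SB sources are transcribed from
Subsection 7.4.1.3 c) 1); everything else is an assumption of this example.
The piping topology and the SAB-powered tie valve V3545 are not modelled.
"""

# Valve tag -> (suction line, power source), as stated in item 1).
FSAR_ASSIGNMENT = {
    "V3481": ("A", "SA"),
    "V3664": ("A", "SA"),
    "V3480": ("A", "SB"),
    "V3652": ("B", "SA"),
    "V3651": ("B", "SB"),
    "V3665": ("B", "SB"),
}

# Constructed counter-example (NOT from the FSAR): V3480 moved onto SA, so
# every isolation valve in line A depends on the same power source.
WEAK_ASSIGNMENT = dict(FSAR_ASSIGNMENT, V3480=("A", "SA"))


def powered_valves(assignment, failed_source):
    """Return {line: sorted valve tags that keep power} after one source is lost."""
    remaining = {line: [] for line, _ in assignment.values()}
    for valve, (line, source) in assignment.items():
        if source != failed_source:
            remaining[line].append(valve)
    return {line: sorted(tags) for line, tags in remaining.items()}


def single_failure_gaps(assignment):
    """List (failed_source, line) pairs where no isolation valve in the line keeps power.

    An empty list means that loss of any one power source still leaves every
    line with at least one powered isolation valve.
    """
    sources = sorted({source for _, source in assignment.values()})
    gaps = []
    for failed in sources:
        for line, tags in sorted(powered_valves(assignment, failed).items()):
            if not tags:
                gaps.append((failed, line))
    return gaps


if __name__ == "__main__":
    for label, assignment in (("FSAR", FSAR_ASSIGNMENT), ("weak", WEAK_ASSIGNMENT)):
        gaps = single_failure_gaps(assignment)
        print(label, "assignment:", "no gaps" if not gaps else f"gaps {gaps}")
```
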
7.4.1.4 Atmospheric Dump Valves (or Steam Dump and Bypass System)

During plant shutdown, the steam dump and bypass valves may be remote manually positioned to remove reactor decay heat, pump heat and Reactor Coolant System sensible heat to reduce the reactor coolant temperature at the design cooldown rate until shutdown cooling is initiated. See Subsection 10.4.4 for a discussion of the Steam Dump and Bypass System. For a discussion of the instrumentation and control for the Steam Dump and Bypass System, see Subsection 7.7.1.1.5.

For normal and off-normal shutdowns, the atmospheric dump valves (ADV) may be utilized for heat removal. Four ADVs, each of 50 percent capacity, are located outside the containment upstream of the main steam isolation valves, and are discussed in Subsection 10.3.3. The ADV P&ID is shown on Figure 10.1-1a and the location of the valves is shown on the RAB general arrangement drawings in Section 1.2.

In the event of loss of condenser cooling or offsite power the valves remove reactor decay heat by venting steam to the atmosphere. In this way the Reactor Coolant System is maintained at hot standby conditions or cooled down to SDCS initiation temperature and pressure. The instrumentation and control design features of these valves are as follows:

a) Initiating Circuits, Logic and Controls

The valves are electrically operated, and are manually initiated and automatically or manually controlled with auto/hand indicating controllers either from the control room or from the hot shutdown panel. An electronic transmitter converts the steam line pressure to an electronic signal. When a high steam generator pressure signal is received by the controller, the opening of the valve is automatically modulated until the pressure is reduced. The operator maintains pressure automatically or reduces pressure by reducing the PIC setpoint or by manually operating the PICs.

7.4-7 Amendment No. 18 (01/08)

b) Bypasses and Interlocks

No bypasses or interlocks are provided for the atmospheric dump valves.

c) Redundancy and Diversity

The atmospheric dump valves are sized such that the reactor can be brought to shutdown cooling initiation pressure and temperature assuming a loss of two out of four valves. Upon a loss of ac power, the atmospheric dump valves can be remote manually operated using battery power only. The cooldown of the reactor to 350°F can also be accomplished through manual operation of the atmospheric dump valves. Each atmospheric dump valve has a hand wheel which can be operated locally to override the motor operator. Each atmospheric dump valve has a corresponding block valve operated from the opposite safety channel. This block valve is normally locked open, but can be closed so as to isolate its associated atmospheric dump valve.
7.4.1.5 Control Room (or Hot and Cold Shutdown Capability from outside the Control Room) Emergency instrumentation and controls are provided outside the control room to enable the operator to shutdown and maintain the unit at hot standby or initiate a cool down as required by GDC 19. The postulated control room conditions and/or event which would make it inaccessible and result in its evacuation remain undefined, with the exception of an Appendix "R" fire in the control room or cable spreading room. Since no other failure mechanisms have been established or identified, a shutdown from outside the control room is not assumed to be accompanied by any OBA. An "alternative" shutdown from outside the control room due to an Appendix "R" fire is discussed in Subsection 9.5A.5. The Appendix "R" Essential Equipment List defines the instrumentation and controls for equipment required for the hot or cold shutdown operations from both inside and outside the control room to address an Appendix "R" fire. The Appendix "R" Safe Shutdown Analysis identifies which circuits require transfer switches so that shutdown can be achieved independent of the control room and/or cable spreading room. These transfer switches and other provisions (such as redundant fuses) are located throughout the plant to provide for electrical isolation of electrical faults which could occur in the control room and/or spreading room due to a fire. For both Appendix "R" and GDC 19 functions, transfer switches are also used to switch instrumentation and control functions from the control room to their remote location. Tables 7.4-1, 2, 3, 4, 5 & 6 are applicable to the GDC 19 requirements and do not include analysis which is applicable to Appendix "R". As discussed above, these requirements are included in the Appendix "R" Safe Shutdown Analysis. Plant Procedures for a shutdown from outside the control room due to a fire are based on the Appendix "R" Safe Shutdown Analysis. 
Table 7.4-3 lists the locations of the transfer switches and the alarm numbers that are initiated in the control room when any of the transfer switches are activated. This table also includes those transfer switches for equipment required for cold shutdown from outside the control room. Table 7.4-4 lists equipment that can be actuated from outside the control room during reactor cooldown and shutdown without needing transfer switch actuation. Table 7.4-5 lists the instrumentation available for reactor shutdown from outside the control room and indicates the location of the transfer switch and the alarm that actuates in the control room when the transfer switch is actuated. As indicated in this table, some instruments outside the control room do not require the actuation of transfer switches.

7.4-8 Amendment No. 20 (05/11)
Controls and instrumentation for redundant equipment are mounted in separate sections of the hot shutdown panel (HSDP) such that no single failure can prevent the safe shutdown of the reactor. A list of indicators, controllers, control switches and indicating lamps located on the HSDP is given in Table 7.4-2. The HSDP design meets the separation requirement of R.G. 1.75 (R1) and the overall design criteria of IEEE 279-1971 for protection system. To activate the HSDP, transfer switches and isolation switches have to be turned to the "isolate" position. Transfer switches and isolation switches are located on transfer panels 2A, 2B, 2AB and various MCCs and switchgears, which are concentrated in the middle section of the RAB at Elevation 43 and the RAB at Elevation 19.5 to facilitate transfer from the control room to the Hot Shutdown Panel (HSDP). The transfer switches are safety class 1E. The transfer switches meet the separation requirements of R.G. 1.75 (R1) and the overall design criteria of IEEE 323-1971 for the protection system. The HSDP is located in a room at the southwest corner of the RAB at Elevation 43. The seismic and environmental qualification is described in Sections 3.10 and 3.11.
Equipment that does not change operating status when transferred is controlled at the Hot Shutdown Panel or locally by spring return to "auto" or return to "normal" type switches. Equipment in this category has latched-in circuitry, such as switchgear operated pumps and motor operated valves. Equipment that does change operating status when transferred is controlled by maintained contact switches. These circuits drop out at interrupted power. Equipment such as solenoid valves and pumps actuated by motor starters have this type of circuitry.

In the event of a non-mechanistic evacuation of the control room, the operator trips the reactor before leaving the control room. Manual transfer switches are provided at appropriate locations outside the control room so that the required circuits for hot shutdown are isolated from the circuits in the control room. A control room operator forced to leave the control room and proceed to the Shutdown Panel uses his security card key to exit the control room. He proceeds to the 45' elevation and again uses his key card to gain access to the cable spreading area where the Hot Shutdown Panel is located. The hot shutdown panel room is located within a security area and therefore is not required to be locked, but may include security access control that does not inhibit the ability of the operator to gain access to the room during safe shutdown. The controls can be isolated from the control room and transferred to the Hot Shutdown Panel control shortly after leaving the control room. Refer to Section 7.4.2.3 (R.G. 1.68). As described in the Emergency Procedures, one operator is transferring the controls while the other operator is ready to take control as soon as the transfer takes place. Until a transfer is executed, the automatic functions of the logic cabinets located in the control room are in full effect. (Example: Auxiliary Feedwater is automatically initiated if low level is reached before the transfer takes place. After the transfer, the operator can manually control Steam Generator level from the Hot Shutdown Panel.)

7.4-9 Amendment No. 14 (12/01)
Table 7.4-6 provides a list of the Hot Shutdown Panel switch positions with a justification for the chosen positions. After the completion of the required circuit transfers, the Hot Shutdown Panel becomes fully operational. An alarm is initiated in the control room whenever any one of the transfer switches is operated into the transfer position. Operability of controls for equipment required for shutdown is based on the assumption that they are not affected by the destruction of circuitry within the control room. Sufficient instrumentation and controls are provided outside the control room to:
- a) Achieve prompt hot shutdown of the reactor
- b) Maintain the unit in a safe condition during descent to hot shutdown
- c) If required, monitor cooldown and achieve cold shutdown through the use of suitable procedures.
7.4.1.6 Supporting Systems for Safe Shutdown

The supporting systems required for safe shutdown of the reactor listed below are described in the referenced sections:
- a) Component Cooling Water System (Subsection 9.2.2)
- b) Intake Cooling Water System (Subsection 9.2.1)
- c) Onsite Power System, including diesel generator system (Section 8.3)
- d) Diesel Fuel Oil Storage and Transfer System (Subsection 9.5.4)
- e) Heating, Ventilating and Air Conditioning (HVAC) Systems as required for areas containing systems and equipment required for safe shutdown (Section 9.4).

7.4.1.7 System Drawings

Control wiring diagrams, block diagrams, final logic diagrams, and location layout drawings are listed and provided by reference in Section 1.7.

7.4-10 Amendment No. 18 (01/08)
7.4.2 ANALYSIS

7.4.2.1 General Design Criteria (GDC)

For a discussion of GDCs, see Subsection 7.1.2.1.

7.4.2.2 Conformance to IEEE 279-1971

The shutdown systems, which are manually operated, are not protective systems as listed in the Scope (Section 1) of IEEE 279-1971 and therefore the Design Bases (Section 3) of IEEE 279-1971 do not apply. Nevertheless, the systems conform to many of the requirements of Section 3 of IEEE 279-1971 as described below:

Bases 1, 6, 7, 8 and 9
Not applicable. The safe shutdown system instruments are used for the indication of the safe shutdown system performances only.

Basis 2
The station variables which are monitored to provide information for the safe shutdown are listed in Table 7.4-1.

Basis 3
None of the station variables listed in Basis 2 for the safe shutdown have spatial dependence.

Bases 4, 5
Table 7.4-1 lists the instrumentation monitoring station variables of systems required for the safe shutdown.

In addition, the instrumentation and controls for safe shutdown meet the following design bases:
- a) any single failure does not prevent safe plant shutdown.
- b) channel independence is maintained by electrical and physical separation between redundant channels.
- c) equipment, including electric cables, associated with redundant systems are uniquely identified as detailed in Section 8.3.1.3.
- d) the systems are designed to withstand safe shutdown earthquake loads without loss of their safety functions.
- e) the systems can be tested with the plant shutdown.

7.4-11 Amendment No. 18 (01/08)
4.7, "Control and Protection System Interaction"
No portion of the safe shutdown system is used for both control and protection.

4.8, "Derivation of System Inputs"
The safe shutdown system monitoring signals are a direct measurement of the desired variables.

4.9, "Capability for Sensor Checks"
The safe shutdown system monitoring sensors are checked by comparing the monitored variables of redundant channels or by observing the effects of introducing and varying a substitute input to the sensor similar to the measured variable.

4.10, "Capability for Test and Calibration"
IEEE 338-1971 and Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," 2/72 (R0) provide guidance for the development of procedures, equipment and documentation of periodic testing. The measurement signals required for safe shutdown have the capability of being tested and calibrated under the design requirements of the system.

4.11, "Channel Bypass or Removal from Operation"
Any one of the channels may be tested, calibrated, or repaired without detrimental effects on the other channels.

4.12, "Operating Bypasses"
There are no "Operating Bypasses" for the safe shutdown systems.

4.13, "Indication of Bypasses"
A discussion of bypass and inoperable status indication is provided in Subsection 7.5.1.6 and a listing of inoperable or bypassed components is contained in Table 7.3-10.

4.14, "Access to Means for Bypassing"
This section is not applicable.

4.15, "Multiple Setpoints"
This section is not applicable.

4.16, "Completion of Protective Action Once it is Initiated"
This section is not applicable.

7.4-14 Amendment 21 (11/12)
4.17, "Manual Initiation"
The safe shutdown systems may be manually actuated.

4.18, "Access to Setpoint Adjustments, Calibration, and Test Points"
This section is not applicable.

4.19, "Identification of Protective Actions"
This section is not applicable.

4.20, "Information Readouts"
Safe shutdown system monitoring and control channels are indicated in the control room.

4.21, "System Repair"
The safe shutdown systems may be actuated manually; therefore, replacement or repair of components can be accomplished in reasonable time when the systems are not actuated. Outages of system components for replacement or repair are limited by the Technical Specifications.

4.22, "Identification"
Safety equipment and cables associated with the systems required for safe shutdown are uniquely identified.

7.4.2.3 Conformance to Applicable Regulatory Guides

Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," 2/72 (R0)

The design conforms to the requirements of Regulatory Guide 1.22 (R0). These systems are periodically tested to verify proper functioning during normal plant operation. Actuation devices and actuated equipment are simultaneously operated during testing without any bypasses. The HSDP instrumentation and control is periodically tested in accordance with technical specification requirements and plant procedures. By positioning the transfer/isolation switch to "ISOLATE", the instrumentation and controls on the Hot Shutdown Panel can be tested to assure their operability. This test is performed on a "not to disturb the normal operation" basis. There are a few other instruments on the Hot Shutdown Panel (such as pressurizer pressure) which have their own dedicated detectors and do not require transfer action because they are continuously functioning. Valves are actuated for full travel verification. The safeguards actuation system has an automatic test circuit to monitor trip setpoints.

At 18 month intervals an integrated test of the ESF is performed. This test assures operation and response of all safeguards required equipment and circuits.

7.4-15 Amendment No. 14 (12/01)
Testing of pumps and valves for safety and shutdown systems is done in accordance with the appropriate technical specifications.

Regulatory Guide 1.30, "Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment," 8/72 (R0)

Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," 5/73 (R0)

Refer to Subsection 7.5.2.7 for a discussion of bypassed and inoperable status indication.

Regulatory Guide 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," 6/73 (R0)

These systems are designed so that any single failure within each system does not prevent proper action at the system level. No single failure defeats more than one of the two channels associated with any one system. The wiring in the system is grouped so that no single fault or failure, including either an open or shorted circuit, negates the intended function of the system. Signal conductors are protected and routed independently. Compliance with the single failure criterion is accomplished by providing redundant channels and separating these redundant elements physically and electrically to achieve the required independence. The instrumentation and controls for these systems meet the requirements of IEEE 379-1972 and are consistent with the recommendations of Regulatory Guide 1.53 (R0).

Regulatory Guide 1.68, "Initial Test Programs for Water-Cooled Reactor Power Plants," 11/73 (R0)

To meet the intent of Regulatory Guide 1.68 (R1) for reactor remote shutdown capability, the following are remote shutdown procedures under three different plant conditions. The three plant conditions are:
- I) Remote Hot Shutdown (No LOOP)
- II) Remote Hot Shutdown (LOOP)
- III) Remote Cooldown and Shutdown (with or without LOOP)

These shutdown procedures are based on the availability of three to four operational personnel.

I) Condition I: Remote Hot Shutdown (No LOOP)

Before leaving the control room, the operators assure the reactor and turbine have been tripped. One person will be sent to the turbine building ground floor (7 kV and 4 kV switchgear room) to trip the reactor coolant pumps, feed pumps, etc. Meanwhile, additional persons will have the responsibility to activate the transfer (isolate) devices. Most of these MCCs, switchgear and transfer panels are located in the Reactor Auxiliary Building, floor elevation 43 feet, on the west half of the floor. The 480 volt switchgear 2AB and 4 kV switchgear 2AB are located on the 19.6 feet floor elevation. Approximately 56 transfer switches have to be activated. It takes personnel approximately 10 minutes to complete the above transfer functions. The time from when the operators leave the control room to the moment the hot shutdown panel is fully operational is approximately 15 to 20 minutes. Once the hot shutdown station is operational, a senior licensed operator is primarily stationed there to monitor and control the hot shutdown process, whereas the other operators are strategically stationed throughout the plant. Communication is maintained by way of sound power phones (head sets) at required stations.

7.4-15a Amendment No. 18 (01/08)

II) Condition II: Remote Hot Shutdown (LOOP)

If offsite power is not available (or lost), the Reactor Coolant Pumps and main FW pump are de-energized. Under LOOP conditions, the operators proceed to pre-designated stations including the diesel generator building. Some additional manual switchgear loading might be required in order to connect certain plant investment load onto the emergency buses. Upon completion of all the necessary transfer functions, the hot shutdown panel is manned continuously by a licensed operator, whereas the other operators are stationed throughout the plant, awaiting further instructions.

III) Condition III: Remote Cooldown and Shutdown (with or without LOOP)

For further plant cooldown and shutdown from the HSDP, several systems are required to be operated. They are identified as follows:
- a) Chemical & Volume Control System (CVCS) (See Subsection 9.3.4)
- b) Shutdown Cooling System (See Subsection 5.4.7)
- c) Reactor Coolant Sampling System (See Subsection 9.3.2)
- d) Other supporting systems such as CCW, ICW System etc. that are needed for a), b), and c) above. For a list of ESF support systems and their associated subsections, see Subsection 7.4.1.6.

7.4-15b Amendment No. 18 (01/08)
From the Hot Shutdown Panel, the senior licensed operator directs the lineups of the above systems, which require manual valve operation, "locked closed" and "locked open" valves, and coolant sampling to check proper reactivity. Additional operators are assigned to accomplish these tasks.

Regulatory Guide 1.75, "Physical Independence of Electric Systems," 1/75 (R1)

With respect to the instrumentation and controls for these systems, the method used for identifying power and signal cables and cable trays as safety related equipment, and the identification scheme used to distinguish between redundant cables, cable trays, and instrument panels are in accordance with the recommendations of Subsections 5.1.2 and 5.6.3 of Regulatory Guide 1.75 (R1). For further information see Subsections 7.1.2.2 and 8.3.1.2.

7.4.2.4 Loss of Instrument Air Systems

Pneumatically operated valves in systems required for safe shutdown take, upon loss of instrument air, the position required for system operation in the plant shutdown mode. Valves which are in required flow paths open on loss of instrument air. Valves which isolate nonessential portions of the system from portions required for safe shutdown close on a loss of air. Valve failure positions are identified on the system P&I diagrams. The essential control and monitoring instrumentation is not pneumatic. Electric power for the instrumentation is capable of being supplied from the emergency power system. The intake cooling outlet flow from the component cooling heat exchangers is pneumatically controlled. The valves fail open on loss of air. Flow modulation is not required for safe shutdown. The pressurizer spray pneumatically controlled valves (PCV-1100E and PCV-1100F) fail closed on loss of instrument air. Pressurizer pressure is then controlled by operation of the electric pressurizer heaters and electrically operated auxiliary spray valves. Therefore, the loss of instrument air does not prevent safe shutdown of the plant.

7.4.2.5 Loss of Cooling Water to Vital Equipment

None of the instrumentation and controls required for safe shutdown rely on cooling water for operation.

7.4.2.6 Plant Load Rejection, Turbine Trip and Loss of Offsite Power

In the event of loss of offsite power associated with plant load rejection or turbine trip, power for safe shutdown is provided by the Onsite Power System. The description and analysis of the emergency power system are discussed more fully in Section 8.3. The emergency diesel generators provide power for operation of all necessary pumps and valves. The station dc system provides uninterrupted power for operation of control and instrumentation systems required to actuate and control essential components. The emergency diesel generators automatically start and begin supplying power to components necessary to achieve safe shutdown. The station dc system maintains continuity of dc control power. The emergency power system meets the single failure criterion and can withstand the most severe natural phenomena. Adequate onsite emergency power is available, in the event of loss of offsite power, to safely shut down the plant under postulated design basis accident conditions assuming a single failure.

7.4-16 Amendment No. 16 (02/05)
TABLE 7.4-1 INSTRUMENTS FOR MONITORING - SAFE SHUTDOWN

System Parameter & Location | Contr. Room Indication | Alarm | Tag Number | Inst. Range (1) | Normal Operating Value (A) |
---|---|---|---|---|---|
Shutdown Cooling System | | | | | |
1) HX 2A Outlet Temperature | RTGB-206 | | TI-3303X | | 175 F |
2) HX 2B Outlet Temperature | RTGB-206 | | TI-3303Y | | 175 F |
3) HX 2A Inlet Pressure | RTGB-206 | | PI-3303X | | 450 psig |
4) HX 2B Inlet Pressure | RTGB-206 | | PI-3303Y | | 450 psig |
5) Low Press Safety Injection Loop 2A2 Flow | RTGB-206 | | FI-3312 | | 1800 gpm |
6) Low Press Safety Injection Loop 2A1 Flow | RTGB-206 | | FI-3322 | | 1800 gpm |
7) Low Press Safety Injection Loop 2B1 Flow | RTGB-206 | | FI-3332 | | 1800 gpm |
8) Low Press Safety Injection Loop 2B2 Flow | RTGB-206 | | FI-3342 | | 1800 gpm |
9) Shutdown Cooling Loop 2A Return Flow | RTGB-206 | | FR-3306 | | 3500 gpm |
10) Shutdown Cooling Loop 2B Return Flow | RTGB-206 | | FR-3301 | | 3500 gpm |
11) Low Press Safety Injection Hdr A Press | RTGB-206 | | PI-3307 | | 450 psig |

(1) Instrument ranges are selected in accordance with standard engineering practices.

7.4-18 Amendment No. 14 (12/01)
TABLE 7.4-1 (Cont'd)

System Parameter & Location | Contr. Room Indication | Tag Number | Inst. Range (1) | Normal Operating Value (A) |
---|---|---|---|---|
12) Low Press Safety Injection Hdr B Pressure | RTGB-206 | PI-3304 | | 450 psig |
13) LPSI Pump 2A Amp. | RTGB-206 | AM/251 | | |
14) LPSI Pump 2B Amp | RTGB-206 | AM/252 | | |
15) Shutdown HX 2A Inlet Temp | RTGB-206 | TR-3351 | | |
16) Shutdown HX 2B Inlet Temp | RTGB-206 | TR-3352 | | |
Atmospheric Dump System | | | | |
1) St Generator 2A Pressure | RTGB-202 / PACB | PIC-08-1A / PIC-08-3B | | 900 psig |
2) St Generator 2B Pressure | RTGB-202 / PACB | PIC-08-1B / PIC-08-3A | | 900 psig |
Auxiliary Feedwater System | | | | |
1) Aux Feedwater Pumps Disch Hdr Flow | | | | |
- 2A HDR | RTGB-202 | FI-09-2A | | 250 gpm |
- 2B HDR | RTGB-202 | FI-09-2B | | 250 gpm |
- 2C HDR | RTGB-202 | FI-09-2C | | 500 gpm |
2) Aux Feedwater Pumps Disch Hdr Press | | | | |
- 2A HDR | RTGB-202 | PI-09-8A | | 1115 psig |
- 2B HDR | RTGB-202 | PI-09-8B | | 1115 psig |
- 2C HDR | RTGB-202 | PI-09-8C | | 1115 psig |

(1) Instrument ranges are selected in accordance with standard engineering practices.

7.4-19 Amendment No. 14 (12/01)
TABLE 7.4-1 (Cont'd)

System Parameter & Location | Contr. Room Indication | Alarm | Tag Number | Inst. Range (1) | Normal Operating Value (A) |
---|---|---|---|---|---|
3) Aux Feedwater Pump 2A Ammeter | RTGB-202 | | AM/629 | | 47A |
Aux Feedwater Pump 2B Ammeter | RTGB-202 | | AM/630 | | 47A |
4) Condensate Storage Tank Water Level | RTGB-202 | Lo/Lo-Lo | LIS-12-11A | | 44 ft |
 | RTGB-202 | Lo | LIS-12-11B | | 44 ft |
5) Steam Generator Level (Narrow Range) | | | | | |
2A Level | RTGB-202 | | LIC-9013A, 9013B, 9013C, 9013D | | 65% |
2B Level | RTGB-202 | | LIC-9023A, 9023B, 9023C, 9023D | | 65% |
6) Steam Press to Steam Driven Aux Feed Pump | RTGB-202 | | PI-08-5 | | 800 psig |
Intake Cooling Water System | | | | | |
1) Intake CW Hdr A & B Pressure | RTGB-202 | Low | PIS-21-8A, PIS-21-8B | | 90 psig |
2) Intake CW Pump 2A Amp | RTGB-202 | | AM-832 | | |
Intake CW Pump 2B Amp | RTGB-202 | | AM-833 | | |
Intake CW Pump 2C Amp | RTGB-202 | | AM-834 | | |
Component Cooling Water System | | | | | |
1) CCW Press at HX Outlets | | | | | |
HX 2A Outlet | RTGB-206 | Low | PIS-14-8A | | 100 psig |
HX 2B Outlet | RTGB-206 | Low | PIS-14-8B | | 100 psig |

(1) Instrument ranges are selected in accordance with standard engineering practices.

7.4-20 Amendment No. 21 (11/12)
TABLE 7.4-1 (Cont'd)

System Parameter & Location | Contr. Room Indication | Alarm | Tag Number | Inst. Range (1) | Normal Operating Value (A) |
---|---|---|---|---|---|
2) CCW Flow Hdrs | | | | | |
HDR A | RTGB-206 | High-Low | FIS-14-1A | | 8,500 gpm |
HDR B | RTGB-206 | High-Low | FIS-14-1B | | 8,500 gpm |
3) CCW Flow at Shutdown Cooling HX outlet | | | | | |
HX 2A Outlet | RTGB-206 | High-Low | FIS-14-10A | | 4,820 gpm |
HX 2B Outlet | RTGB-206 | High-Low | FIS-14-10B | | 4,820 gpm |
4) Charging Pumps | | | | | |
Charging Hdr Pressure | RTGB-205 | Low | PIA-2212 | | 2,377 psig |
Charging Flow to RHX | RTGB-205 | Low | FIA-2212 | | 44 ea pump |
Reactor and Primary Loop | | | | | |
1) Pressurizer Pressure | RTGB-203 | | PI-1103, -11030, -1104, 1105, -11050, -1106 | | |
 | RTGB-203 | | PI-1102A, -1102B, -1102C, -1102D | | 2,250 psia |
 | RTGB-203 | | PI-1107-1, -1108-1 | | 2,250 psia |
2) Pressurizer Water Level | RTGB-203 | | LI-1110X & LI-1110Y | | 50% |
3) Reactor Cold Leg Temp | RTGB-203 | | TI-1115 & TI-1125 | | 551 F |
4) Neutron Power Level | RTGB-204 | | JI-001A, -001B, -001C, -001D | | 100% |
5) Neutron Power Wide Range | RTGB-204 | | RI-26-80A5 & 80B5 | | NA |
 | PACB-2 | | RR-26-80A & 80B | | NA |
6) Neutron Power Rate | RTGB-204 | | RI-26-80A3 & 80B3 | | NA |

(1) Instrument ranges are selected in accordance with standard engineering practices.

7.4-21 Amendment No. 21 (11/12)
TABLE 7.4-2 INSTRUMENTATION AND CONTROL - HOT SHUTDOWN PANEL OUTSIDE THE CONTROL ROOM

Tag No. | Instruments | Safety Section | Scale Range (2) |
---|---|---|---|
LI-9113 | Steam Generator 2A Water Level | SA | |
PI-8113 | Steam Generator 2A Pressure | SA | |
*PIC-08-1A1, 3A1 | SG 2A Atmospheric Steam Dump | SA | |
PI-1108 | Pressurizer Pressure | SA | |
LI-1105 | Pressurizer Water Level | SA | |
TI-1115-1 | Reactor Cold Leg Temperature | SA | |
TI-3351Y | Shutdown Cooling Temperature | SA | |
FI-3306 | Shutdown Cooling Flow | SA | |
VM/1606-1 | Diesel Generator 2A Volts | SA | |
WM/1606-1 | Diesel Generator 2A Watts | SA | |
FI-2212 | Charging Flow | SA | |
JI-001A-1 | Neutron Power Level | MA | |
JI-001B-1 | Neutron Power Level | MB | |
RI-26-80A1 | Neutron Power - Wide Range | SA | |
RI-26-80A2 | Neutron Power - Source Range | SA | |
RI-26-80B1 | Neutron Power - Wide Range | SB | |
RI-26-80B2 | Neutron Power - Source Range | SB | |
LI-9123 | Steam Generator 2B Water Level | SB | |
PI-8123 | Steam Generator 2B Pressure | SB | |
*PIC-08-1B1, 3B1 | SG 2B Atmospheric Steam Dump | SB | |
PI-1107 | Pressurizer Pressure | SB | |
PI-2212 | Charging Pressure | SB | |
LI-1104 | Pressurizer Water Level | SB | |
TI-1125-1 | Reactor Cold Leg Temperature | SB | |
TI-3352Y | Shutdown Cooling Temperature | SB | |
FI-3301 | Shutdown Cooling Flow | SB | |
VM/1616-1 | Diesel Generator 2B Volts | SB | |
WM/1616-1 | Diesel Generator 2B Watts | SB | |
LI-9012 | SG 2A Wide Range Level | None | |
LI-9022 | SG 2B Wide Range Level | None | |
TI-2223 | Letdown Heat Ex Outlet Temperature (1) | None | |

Tag No. | Switches & Indicating Lamps | Safety Section | Scale Range (2) |
---|---|---|---|
CS-608-2 | Auxiliary FW 2A Discharge MV-09-9 | SA | |
CS-629-2 | Auxiliary FW Pump 2A | SA | |
CS-189-1 | Auxiliary Spray Valve SE-02-3 | SA | |

7.4-22 Amendment No. 21 (11/12)
TABLE 7.4-2 (Cont'd)

Switches and Indicating Lamps

Tag No. | Service | Safety Section | Scale Range (2) |
---|---|---|---|
CS-157-1 | Letdown Contain Isol V2516 | SA | |
CS-194-2 | Charging Line Isol V2523 | SA | |
CS-177 | Charging Pump 2A and Position Indication for Recirculation Valve V2554 | SA | |
CS-176-1 | Charging Line Valve SE-02-2 | SA | |
CS-246-3 | SIAS "A" Block | SA | |
CS-1625-2 | Stm Gen 2A Atm Stm Dump Valve MV-08-19A | SB | |
CS-1626-2 | Stm Gen 2A Atm Stm Dump Valve MV-08-18A | SA | |
CS-1628-2 | Stm Gen 2B Atm Stm Dump Valve MV-08-18B | SA | |
CS-1627-2 | Stm Gen 2B Atm Stm Dump Valve MV-08-19B | SB | |
CS-609-2 | Auxiliary FW 2B Disch MV-09-10 | SB | |
CS-630-2 | Auxiliary FW Pump 2B | SB | |
CS-189-2 | Auxiliary Spray Valve SE-02-4 | SB | |
CS-157-2 | Letdown Stop Valve V2515 | SB | |
CS-194-1 | Letdown Contain Isol V2522 | SB | |
CS-178 | Charging Pump 2B and Position Indication for Recirculation Valve V2555 | SB | |
CS-176-2 | Charging Line Valve SE-02-01 | SB | |
CS-248-3 | SIAS "B" Block | SB | |
CS-612-2 | Auxiliary FW 2C to SG 2A MV-09-11 | SB | |
CS-1632-2 | Auxiliary FW 2B Disch to SG 2B Valve SE-09-3 | SB | |
CS-1633-2 | Auxiliary FW 2C Disch to SG 2A Valve SE-09-4 | SB | |
CS-179 | Charging Pump 2C and Position Indication for Recirculation Valve V2553 | SAB | |
CS-652-2 | Steam from SG 2A to Auxiliary FW 2C Turbine MV-08-13 | SB | |
CS-653-2 | Steam from SG 2B to Auxiliary FW 2C Turbine MV-08-12 | SA | |
CS-632-2 | Auxiliary FW Pump 2C Turbine | SAB | |
CS-124 | Pressurizer Back-up Heater Bank B-1 | None | |
CS-125 | Pressurizer Back-up Heater Bank B-2 | None | |
CS-126 | Pressurizer Back-up Heater Bank B-3 | None | |
CS-127 | Pressurizer Back-up Heater Bank B-4 | None | |
CS-128 | Pressurizer Back-up Heater Bank B-5 | None | |
CS-129 | Pressurizer Back-up Heater Bank B-6 | None | |
CS-613-2 | Auxiliary FW 2C to SG 2B MV-09-12 | SA | |
CS-1631-2 | Auxiliary FW 2A to SG 2A SE-09-2 | SA | |
CS-1634-2 | Auxiliary FW 2C to SG 2B SE-09-5 | SA | |

(1) Required for cold shutdown only.
(2) Instrument ranges are selected in accordance with standard engineering practices.
* This instrument includes an Auto/Manual switch located on the HSCP for operation of the Atmospheric Dump Valves.

7.4-23 Amendment No. 18 (01/08)
TABLE 7.4-3 EMERGENCY REACTOR HOT SHUTDOWN/HOT STANDBY FROM OUTSIDE OF THE CONTROL ROOM CONTROL & TRANSFER SWITCH LIST

ITEM | CWD | EQUIPMENT | CLASS | TRANSFER SWITCH LOCATION | ALARM | HOT SHUTDOWN CONTROL SWITCH LOCATION | NOTES |
---|---|---|---|---|---|---|---|
1 | 177 | Charging Pump 2A | 1E | 480 Swgr 2A2 | M-46 | HSP | (3) |
2 | 178 | Charging Pump 2B | 1E | 480 Swgr 2B2 | M-47 | HSP | (3) |
3 | 179 | Charging Pump 2C | 1E | 480 Swgr 2AB | M-48 | HSP | (3) |
4 | 124 | Press Heater Bank B1 | NS | Press Htr MCC 2A3 | H-30 | HSP | (4) |
5 | 125 | Press Heater Bank B2 | NS | Press Htr MCC 2A3 | H-30 | HSP | (4) |
6 | 126 | Press Heater Bank B3 | NS | Press Htr MCC 2A3 | H-30 | HSP | (4) |
7 | 127 | Press Heater Bank B4 | NS | Press Htr MCC 2B3 | H-30 | HSP | (4) |
8 | 128 | Press Heater Bank B5 | NS | Press Htr MCC 2B3 | H-30 | HSP | (4) |
9 | 129 | Press Heater Bank B6 | NS | Press Htr MCC 2B3 | H-30 | HSP | (4) |
10 | 189 | AUX Spray Valve SE-02-3 | 1E | Transfer Panel 2A | H-12 | HSP | (4) |
11 | 189 | AUX Spray Valve SE-02-4 | 1E | Transfer Panel 2B | H-12 | HSP | (4) |
12 | 176 | Charging Line Valve SE-02-1 | 1E | Transfer Panel 2B | M-36 | HSP | (4) |
13 | 176 | Charging Line Valve SE-02-2 | 1E | Transfer Panel 2A | M-36 | HSP | (4) |
14 | 194 | Charging Line Isolation V2523 | 1E | Transfer Panel 2A | M-6 | HSP | (4) |
15 | 629 | AUX FW Pump 2A | 1E | 4 kV Swgr 2A3 | G-44 | HSP | (3) |
16 | 630 | AUX FW Pump 2B | 1E | 4 kV Swgr 2B3 | G-45 | HSP | (3) |
17 | 631 | AUX FW Pump 2C | 1E | Transfer Panel 2AB | G-46 | HSP | (3) |
18 | 1631 | AFW 2A Disch Valve SE-09-2 | 1E | 480 MCC 2A5 | G-12 | HSP | (4) |
19 | 1632 | AFW 2B Disch Valve SE-09-3 | 1E | 480 MCC 2B5 | G-13 | HSP | (4) |
20 | 652 | AFWP 2C Steam Valve MV-08-13 | 1E | 480V MCC 2B5 | G-14 | HSP | (3) |
21 | 653 | AFWP 2C Steam Valve MV-08-12 | 1E | 480V MCC 2A5 | G-14 | HSP | (3) |
22 | 608 | AFW 2A Disch Valve MV-09-9 | 1E | MCC 2A5 | G-12 | HSP | (3) |
23 | 609 | AFW 2B Disch Valve MV-09-10 | 1E | MCC 2B5 | G-13 | HSP | (3) |
24 | 1633 | AFW 2C Disch Valve SE-09-4 | 1E | Transfer Panel 2B | G-12 | HSP | (4) |
25 | 1634 | AFW 2C Disch Valve SE-09-5 | 1E | Transfer Panel 2A | G-13 | HSP | (4) |
26 | 612 | AFW 2C Disch Valve MV-09-11 | 1E | Transfer Panel 2B | G-12 | HSP | (3) |
27 | 613 | AFW 2C Disch Valve MV-09-12 | 1E | Transfer Panel 2A | G-13 | HSP | (3) |
28 | 1625 | SG 2A ATM STM Dump MV-08-19A | 1E | DC Starter | LB-12 | HSP | (3) |
29 | 1626 | SG 2A ATM STM Dump MV-08-18A | 1E | DC Starter | LA-12 | HSP | (3) |
30 | 1627 | SG 2B ATM STM Dump MV-08-19B | 1E | DC Starter | LB-12 | HSP | (3) |
31 | 1628 | SG 2B ATM STM Dump MV-08-18B | 1E | DC Starter | LA-12 | HSP | (3) |
32 | 201 | Component CW Pump 2A | 1E | 4 kV Swgr 2A3 | S-51 | 4 kV Swgr 2A3 | (1)(3) |
33 | 205 | Component CW Pump 2B | 1E | 4 kV Swgr 2B3 | S-52 | 4 kV Swgr 2A3 | (1)(3) |
34 | 209 | Component CW Pump 2C | 1E | 4 kV Swgr 2AB | S-53 | 4 kV Swgr 2AB | (1)(3) |
35 | 203 | Component CW Valve MV-14-3 | 1E | MCC 2AB | S-56 | Local PB | (1)(3) |
36 | 204 | Component CW Valve MV-14-1 | 1E | MCC 2AB | S-55 | Local PB | (1)(3) |
37 | 207 | Component CW Valve MV-14-4 | 1E | MCC 2AB | S-56 | Local PB | (1)(3) |
38 | 208 | Component CW Valve MV-14-2 | 1E | MCC 2AB | S-55 | Local PB | (1)(3) |
39 | 832 | Intake CW Pump 2A | 1E | 4 kV Swgr 2A3 | E-46 | 4 kV Swgr 2A3 | (1)(3) |
40 | 833 | Intake CW Pump 2B | 1E | 4 kV Swgr 2B3 | E-47 | 4 kV Swgr 2B3 | (1)(3) |
41 | 834 | Intake CW Pump 2C | 1E | 4 kV Swgr 2AB | E-48 | 4 kV Swgr 2AB | (1)(3) |
TABLE 7.4-3 (Cont'd)

ITEM | CWD | EQUIPMENT | CLASS | TRANSFER SWITCH LOCATION | ALARM | HOT SHUTDOWN CONTROL SWITCH LOCATION | NOTES |
---|---|---|---|---|---|---|---|
42 | 285 | Containment Fan Cooler HVS-1A | 1E | 480V MCC 2A9 | T-22 | 480V MCC 2A9 | (1)(3) |
43 | 286 | Containment Fan Cooler HVS-1B | 1E | 480V MCC 2A9 | T-23 | 480V MCC 2A9 | (1)(3) |
44 | 304 | Containment Fan Cooler HVS-1C | 1E | 480V MCC 2B9 | T-24 | 480V MCC 2B9 | (1)(3) |
45 | 305 | Containment Fan Cooler HVS-1D | 1E | 480V MCC 2B9 | U-19 | 480V MCC 2B9 | (1)(3) |
46 | 220 | MV-14-9 CCW to and from Containment Coolers | 1E | MCC 2A5 | T-3 | Local PB | (1)(3) |
47 | 221 | MV-14-10 CCW to and from Containment Coolers | 1E | MCC 2A5 | T-3 | Local PB | (1)(3) |
48 | 222 | MV-14-11 CCW to and from Containment Coolers | 1E | MCC 2A5 | T-3 | Local PB | (1)(3) |
49 | 223 | MV-14-12 CCW to and from Containment Coolers | 1E | MCC 2A5 | T-3 | Local PB | (1)(3) |
50 | 224 | MV-14-13 CCW to and from Containment Coolers | 1E | MCC 2B5 | T-3 | Local PB | (1)(3) |
51 | 225 | MV-14-14 CCW to and from Containment Coolers | 1E | MCC 2B5 | T-3 | Local PB | (1)(3) |
52 | 226 | MV-14-15 CCW to and from Containment Coolers | 1E | MCC 2B5 | T-3 | Local PB | (1)(3) |
53 | 227 | MV-14-16 CCW to and from Containment Coolers | 1E | MCC 2B5 | T-3 | Local PB | (1)(3) |
54 | 165 | Boric Acid Grav. Feed V2508 | 1E | MCC 2B5 | M-33 | Local PB | (1)(3) |
55 | 166 | Boric Acid Grav. Feed V2509 | 1E | MCC 2B5 | M-41 | Local PB | (1)(3) |
56 | 167 | Make-Up By Pass to Ch. V2514 | 1E | MCC 2A5 | M-42 | Local PB | (1)(3) |
57 | 174 | Boric Acid Makeup Pump 2A | 1E | MCC 2A6 | N-47 | Local Switch | (4) |
58 | 175 | Boric Acid Makeup Pump 2B | 1E | MCC 2A6 | N-48 | Local Switch | (4) |
59 | 906 | 4 kV Startup Transfer 2A2 | NS | 4 kV Swgr 2A2 | B-51 | 4 kV Swgr 2A2 | (3) |
60 | 907 | 4 kV Startup Transfer 2B2 | NS | 4 kV Swgr 2B2 | A-51 | 4 kV Swgr 2B2 | (3) |
61 | 934 | 4 kV Bus Tie 2A2 to 2A3 | NS | 4 kV Swgr 2A2 | B-52 | 4 kV Swgr 2A2 | (3) |
62 | 935 | 4 kV Bus Tie 2B2 to 2B3 | NS | 4 kV Swgr 2B2 | A-52 | 4 kV Swgr 2B2 | (3) |
63 | 936 | 4 kV Bus Tie 2A3 to 2A2 | 1E | 4 kV Swgr 2A3 | B-52 | 4 kV Swgr 2A3 | (3) |
64 | 937 | 4 kV Bus Tie 2B3 to 2A2 | 1E | 4 kV Swgr 2B3 | A-52 | 4 kV Swgr 2B3 | (3) |
65 | 938 | 4 kV Bus Tie 2A3 to 2AB | 1E | 4 kV Swgr 2A3 | B-54 | 4 kV Swgr 2A3 | (3) |
66 | 939 | 4 kV Bus Tie 2B3 to 2AB | 1E | 4 kV Swgr 2B3 | A-54 | 4 kV Swgr 2B3 | (3) |
67 | 940 | 4 kV Bus Tie 2AB to 2A3 | 1E | 4 kV Swgr 2AB | B-54 | 4 kV Swgr 2AB | (3) |
68 | 941 | 4 kV Bus Tie 2AB to 2B3 | 1E | 4 kV Swgr 2AB | A-54 | 4 kV Swgr 2AB | (3) |
69 | 946 | Sta Service Transf. 2A2 | 1E | 4 kV Swgr 2A3 | B-57 | 4 kV Swgr 2A3 | (3) |
70 | 948 | Sta Service Transf. 2B2 | 1E | 4 kV Swgr 2B3 | A-57 | 4 kV Swgr 2B3 | (3) |
71 | 977 | 480V Swgr 2A2 Feeder | 1E | 480V Swgr 2A2 | B-57 | 480V Swgr 2A2 | (3) |
72 | 980 | 480V Swgr 2B2 Feeder | 1E | 480V Swgr 2B2 | A-57 | 480V Swgr 2B2 | (3) |
73 | 978 | 480V Swgr Tie 2A2 to 2AB | 1E | 480V Swgr 2A2 | B-58 | 480V Swgr 2A2 | (3) |
74 | 981 | 480V Swgr Tie 2B2 to 2AB | 1E | 480V Swgr 2B2 | A-58 | 480V Swgr 2B2 | (3) |
75 | 979 | 480V Swgr Tie 2AB to 2A2 | 1E | 480V Swgr 2AB | B-58 | 480V Swgr 2AB | (3) |
76 | 982 | 480V Swgr Tie 2AB to 2B2 | 1E | 480V Swgr 2AB | A-58 | 480V Swgr 2AB | (3) |
77 | 943 | Pressurizer Heater Transf 2A | 1E | 4 kV Swgr 2A3 | B-59 | 4 kV Swgr 2A3 | (3) |
78 | 944 | Pressurizer Heater Transf 2B | 1E | 4 kV Swgr 2B3 | A-59 | 4 kV Swgr 2B3 | (3) |
79 | 953 | Diesel Gen Breaker 2A | 1E | 4 kV Swgr 2A3 | B-56 | 4 kV Swgr 2A3 | (3) |
80 | 963 | Diesel Gen Breaker 2B | 1E | 4 kV Swgr 2B3 | A-56 | 4 kV Swgr 2B3 | (3) |
81 | 956 | DG 2A Control | 1E | DG 2A CP | B-26 | DG 2A CP | (3) |
82 | 958 | DG 2A Governor Contr. | 1E | DG 2A CP | B-26 | DG 2A CP | (3) |
83 | 1608 | DG 2A Volt Regulator | 1E | DG 2A CP | B-26 | DG 2A CP | (3) |
84 | 966 | DG 2B Control | 1E | DG 2B CP | A-26 | DG 2B CP | (3) |
85 | 968 | DG 2B Governor Contr. | 1E | DG 2B CP | A-26 | DG 2B CP | (3) |
86 | 1618 | DG 2B Volt Regulator | 1E | DG 2B CP | A-26 | DG 2B CP | (3) |
TABLE 7.4-3 (Cont'd)

| ITEM | CWD | EQUIPMENT | CLASS | TRANSFER SWITCH LOCATION | ALARM | HOT SHUTDOWN CONTROL SWITCH LOCATION | NOTES |
|---|---|---|---|---|---|---|---|
| 87 | 198 | Charging Pump 2C Bypass V2553 | 1E | 480V MCC 2AB | M-48 | Hot Shutdown Panel (Valve Position Indication Only) | (3) |
| 88 | 197 | Charging Pump 2B Bypass V2554 | 1E | 480V MCC 2B5 | M-47 | Hot Shutdown Panel (Valve Position Indication Only) | (3) |
| 89 | 196 | Charging Pump 2A Bypass V2555 | 1E | 480V MCC 2A5 | M-46 | Hot Shutdown Panel (Valve Position Indication Only) | (3) |
| 90 | 162 | RWT to Charging Pumps V2504 | NS | None | | Local Manual Valve Control | |
| 91 | 1126 | DG Fuel Oil Transfer Pump 2A | 1E | None | None | DG 2A Control Panel | (2) |
| 92 | 1136 | DG Fuel Oil Transfer Pump 2B | 1E | None | None | DG 2B Control Panel | (2) |
| 93 | 1126 | DG Fuel Oil Transfer Shutoff Valve SE-59-1A1 | 1E | None | None | Auto Control - Local | (2) |
| 94 | 1126 | DG Fuel Oil Transfer Shutoff Valve SE-59-1A2 | 1E | None | None | Auto Control - Local | (2) |
| 95 | 1136 | DG Fuel Oil Transfer Shutoff Valve SE-59-1B1 | 1E | None | None | Auto Control - Local | (2) |
| 96 | 1136 | DG Fuel Oil Transfer Shutoff Valve SE-59-1B2 | 1E | None | None | Auto Control - Local | (2) |
| 98 | 146 | Boric Acid Heat Trace System A | 1E | None | None | Local Auto Control | (2) |
| 99 | 147 | Boric Acid Heat Trace System B | 1E | None | None | Local Auto Control | (2) |
| 100 | 476 | Elec Equipment RM Supply Fan (HVS-5A) | 1E | 480V MCC 2A5 | None | Local Control | (2) PCM 99104 |
| 101 | 477 | Elec Equipment RM Supply Fan (HVS-5B) | 1E | None | None | Local Control | (2) |
| 102 | 468 | Elec Equip RM Exhaust (HVE-11) | 1E | 480 MCC 2A6 | X-6 | Local Control | (4) |
| 103 | 468 | Elec Equip RM Exhaust (HVE-12) | 1E | None | None | Local Control | |
| 104 | 1169 | Power Roof Vent (RV-3) | 1E | None | None | Local Control | (2) |
| 105 | 1169 | Power Roof Vent (RV-4) | 1E | None | None | Local Control | (2) |
| 106 | 157 | Letdown Isol Valve V2515 | 1E | Transfer PNL 2B | M-37 | HSP | (1)(3) |
| 107 | 157 | Letdown Isol Valve V2516 | 1E | Transfer PNL 2A | M-44 | HSP | (1)(3) |
| 108 | 194 | Letdown Isol Valve V2522 | 1E | Transfer PNL 2B | M-21 | HSP | (1)(3) |
| 109 | 1702 | 480V SWGR 2A5 FDR | 1E | 480V SWGR 2A5 | B-57 | 480V SWR 2A5 | (1)(3) |
| 110 | 1712 | 480V SWGR 2B5 FDR | 1E | 480V SWGR 2B5 | A-57 | 480V SWR 2B5 | (1)(3) |
| 111 | 503 | Reactor Aux Bldg Emergency Exhaust Fan HVE-9A | 1E | 480V MCC 2A5 | W-10 | Local Control | (4) |
| 112 | 1629 | PORV V1474 | 1E | Local Box | H-40 | None | (4) |
| 113 | 1630 | PORV V1475 | 1E | Local Box | H-40 | None | (4) |

Notes:
(1) - Required for Cold Shutdown
(2) - No Interaction with the control room
(3) - Equipment does not change operating status (remains as is) by switching transfer switch to "isolate" position.
(4) - Equipment changes status and assumes safe position required by the Hot Shutdown Panel or local control switch position. Procedures for reactor shutdown from outside the control room specify Hot Shutdown Panel/Local control switch position settings while the reactor is controlled from the control room.
TABLE 7.4-4 EMERGENCY REACTOR COOLDOWN & SHUTDOWN FROM OUTSIDE OF THE CONTROL ROOM

| ITEM | CWD | EQUIPMENT | CLASS | COLD SHUTDOWN CONTROL SWITCH | NOTES |
|---|---|---|---|---|---|
| 1 | 246 | Safety Injection Block CH-A | 1E | HSP (Key Lock SW) | (1) |
| 2 | 248 | Safety Injection Block CH-B | 1E | HSP (Key Lock SW) | (1) |
| 3 | 269 | SI Tank 2A1 Isol Valve V3624 | 1E | CS-Key Operated | |
| 4 | 270 | SI Tank 2A2 Isol Valve V3614 | 1E | Switch-Outside | |
| 5 | 271 | SI Tank 2B1 Isol Valve V3634 | 1E | Control Room & Outside | |
| 6 | 272 | SI Tank 2B2 Isol Valve V3644 | 1E | Containment | |
| 7 | 249 | Shutdown Isol Valve V3480 | 1E | | |
| 8 | 250 | Shutdown Isol Valve V3481 | 1E | Pressurizer | |
| 9 | 254 | Shutdown Isol Valve V3652 | 1E | Pressure Interlocks | |
| 10 | 253 | Shutdown Isol Valve V3651 | 1E | | |
| 11 | 1501 | Shutdown Isol Valve V3545 | 1E | | |
| 12 | 1502 | Shutdown Isol Valve V3664 | 1E | CS-Key Operated Switch outside control room & containment | |
| 13 | 1503 | Shutdown Isol Valve V3665 | 1E | | |
| 14 | 251 | LPSI Pump 2A | 1E | Local PB Sta | |
| 15 | 252 | LPSI Pump 2B | 1E | Local PB Sta | |
| 16 | 1504 | Shdn from HX 2A V3456 | 1E | | |
| 17 | 1505 | Shdn from HX 2B V3457 | 1E | CS-Key Operated | |
| 18 | 1506 | Shdn to HX 2A V3517 | 1E | Switch | |
| 19 | 1507 | Shdn to HX 2B V3658 | 1E | Local | |
| 20 | 1510 | Shdn Warm-up V3536 | 1E | | |
| 21 | 1511 | Shdn Warm-up V3539 | 1E | | |
| 22 | 1514 | Shdn Control HCV-3657 | 1E | | |
| 23 | 1515 | Shdn Control HCV-3512 | 1E | | |
| 24 | 1516 | LPSI Loop 2A Flow FCV-3306 | 1E | Key Operated | |
| 25 | 1517 | LPSI Loop 2B Flow FCV-3301 | 1E | Control Switch - Local | |
| 26 | 257 | LPSI Flow Contr. HCV-3615 | 1E | | |
| 27 | 260 | LPSI Flow Contr. HCV-3625 | 1E | Local PB Sta | |
| 28 | 263 | LPSI Flow Contr. HCV-3635 | 1E | | |
| 29 | 266 | LPSI Flow Contr. HCV-3645 | 1E | | |
| 30 | 244 | Mini Flow V3659 | 1E | | |
| 31 | 245 | Mini Flow V3660 | 1E | Key locked | |
| 32 | 1520 | Mini Flow V3495 | 1E | Local Contr. Sw's | |
| 33 | 1520 | Mini Flow V3496 | 1E | | |
| 34 | 247 | SI Tank 2A2 Vent V3733 | 1E | | |
| 35 | 247 | SI Tank 2A1 Vent V3735 | 1E | | |
| 36 | 247 | SI Tank 2B2 Vent V3739 | 1E | Key Locked | |
| 37 | 247 | SI Tank 2B1 Vent V3737 | 1E | Local Control Sw's | |
| 38 | 275 | SI Tank 2A2 Vent V3734 | 1E | Located Outside | |
| 39 | 275 | SI Tank 2A1 Vent V3736 | 1E | Containment & Outside | |
| 40 | 275 | SI Tank 2B2 Vent V3740 | 1E | Control Room | |
| 41 | 275 | SI Tank 2B1 Vent V3738 | 1E | | |
TABLE 7.4-4 (Cont'd)

| ITEM | CWD | EQUIPMENT | CLASS | COLD SHUTDOWN CONTROL SWITCH | NOTES |
|---|---|---|---|---|---|
| 42 | 578 | Primary Coolant Sample V5200 | 1E | Cable Spreading Room | |
| 43 | 578 | Primary Coolant Sample V5203 | 1E | Outside N. Wall of PASS Room | |
| 44 | 579 | Pressurizer Surge Sample V5201 | 1E | Cable Spreading Room | |
| 45 | 579 | Pressurizer Surge Sample V5204 | 1E | Pipe Penetration Room | |
| 46 | 580 | Pressurizer Steam Sample V5202 | 1E | Cable Spreading Room | |
| 47 | 580 | Pressurizer Steam Sample V5205 | 1E | Pipe Penetration Room | |
| 48 | 1531 | LPSI Pump 2A Suction V3444 | 1E | | |
| 49 | 1532 | LPSI Pump 2B Suction V3432 | 1E | Key Locked | |
| 50 | 1529 | Containment Spray Hdr. 2A MV-07-3 | 1E | Local Control Sw's | |
| 51 | 1530 | Containment Spray Hdr. 2B MV-07-4 | 1E | | |
| 52 | 211 | CCW From HX 2A HCV-14-3A | 1E | | |
| 53 | 211 | CCW From HX 2B HCV-14-3B | 1E | None - Local Manual Operation Required | (4) |
| 54 | 505 | ECCS Area Supply HVS-4A | 1E | Local PB Sta | |
| 55 | 506 | ECCS Area Supply HVS-4B | 1E | Local PB Sta | |
| 56 | 503 | ECCS Area Exhaust HVE-9A | 1E | Local PB Sta | |
| 57 | 504 | ECCS Area Exhaust HVE-9B | 1E | Local PB Sta | |
| 58 | 465 | ECCS Area Dampers | 1E | Automatic Control by HVE-9A, -9B | |
| 59 | 251 | LPSI Pump 2A | 1E | Local PB Sta | (4) |
| 60 | 252 | LPSI Pump 2B | 1E | Local PB Sta | (4) |
| 61 | 237 | HPSI Pump 2A | 1E | Local PB Sta | (2) (3) |
| 62 | 238 | HPSI Pump 2B | 1E | Local PB Sta | (2) (3) |
| 63 | 287 | Containment Spray Pump 2A | 1E | Local PB Sta | (2) (3) |
| 64 | 290 | Containment Spray Pump 2B | 1E | Local PB Sta | (2) (3) |

NOTES:
(1) - SIAS cannot be blocked unless pressurizer pressure is less than the "block permissive" allowed by Technical Specifications.
(2) - Transfer Switch Deactivated by Jumpering SW Contacts to Permit Automatic Start by ESFAS. ESFAS Cabinets are Located in the Control Room.
(3) - Not Required for Hot or Cold Shutdown.
(4) - Required for cold shutdown only.

7.4-28 Amendment No. 21 (11/12)
TABLE 7.4-5 EMERGENCY REACTOR SHUTDOWN FROM OUTSIDE OF THE CONTROL ROOM - INSTRUMENTATION

| ITEM | CWD | EQUIPMENT | CLASS | TRANSFER SWITCH LOCATION | ALARM | COLD SHUTDOWN INSTR SWITCH | NOTES |
|---|---|---|---|---|---|---|---|
| 1 | 369 | Steam Gen 2A Level LI-9113 | 1E | Not Required | None | HSP | (2) |
| 2 | 369 | Steam Gen 2B Level LI-9123 | 1E | Not Required | None | HSP | (2) |
| 3 | 136 | Reactor Cold Leg Temp TI-1115-1 | 1E | Not Required | None | HSP | (2) |
| 4 | 137 | Reactor Cold Leg Temp TI-1125-1 | 1E | Not Required | None | HSP | (2) |
| 5 | 370 | Pressurizer Press PI-1108 | 1E | Not Required | None | HSP | (2) |
| 6 | 370 | Pressurizer Press PI-1107 | 1E | Not Required | None | HSP | (2) |
| 7 | 370 | Pressurizer Level LI-1105 | 1E | Not Required | None | HSP | (2) |
| 8 | 370 | Pressurizer Level LI-1104 | 1E | Not Required | None | HSP | (2) |
| 9 | 369 | Stm Gen 2A Press PI-8113 | 1E | Not Required | None | HSP | (2) |
| 10 | 369 | Stm Gen 2B Press PI-8123 | 1E | Not Required | None | HSP | (2) |
| 11 | 955 | DG 2A Ammeter | 1E | Not Required | None | DG 2A Control Panel | (2) |
| 12 | 965 | DG 2B Ammeter | 1E | Not Required | None | DG 2B Control Panel | (2) |
| 13 | 1606 | DG 2A Voltmeter | 1E | Transfer Panel 2A | B-26 | HSP | (3) |
| 14 | 1606 | DG 2A Wattmeter | 1E | Transfer Panel 2A | B-26 | HSP | (3) |
| 15 | 1616 | DG 2B Voltmeter | 1E | Transfer Panel 2B | A-26 | HSP | (3) |
| 16 | 1616 | DG 2B Wattmeter | 1E | Transfer Panel 2B | A-26 | HSP | (3) |
| 17 | 603 | Atmos Stm Dump Control PIC-08-1A1 | 1E | Transfer Panel 2A | G-41 | HSP | (4) |
| 18 | 603 | Atmos Stm Dump Control PIC-08-1B1 | 1E | Transfer Panel 2B | G-41 | HSP | (4) |
| 19 | 654 | Atmos Stm Dump Control PIC-08-3A1 | 1E | Transfer Panel 2A | G-41 | HSP | (4) |
| 20 | 654 | Atmos Stm Dump Control PIC-08-3B1 | 1E | Transfer Panel 2B | G-41 | HSP | (4) |
| 21 | 1528 | Shutdn Cooling Flow FI-3301 | 1E | None | None | HSP | (1) |
| 22 | 1528 | Shutdn Cooling Flow FI-3306 | 1E | None | None | HSP | (1) |
| 23 | 1525 | Shutdn Cooling Temp TI-3351Y | 1E | None | None | HSP | (2)(1) |
| 24 | 1525 | Shutdn Cooling Temp TI-3352Y | 1E | None | None | HSP | (2)(1) |
| 25 | 50 | Neutron Power J1-001A-1 | 1E | None | None | HSP | (1) |
| 26 | 50 | Neutron Power J1-001B-1 | 1E | None | None | HSP | (1) |
| 27 | 150 | Charging Flow FI-2212 | 1E | None | None | HSP | (2) |
| 28 | 150 | Charging Pressure PI-2212 | 1E | None | None | HSP | (2) |
| 29 | 627 | SG 2A Level Wide Range LI-9012 | NS | Local Box | None | HSP | |
| 30 | 627 | SG 2B Level Wide Range LI-9022 | NS | None | None | HSP | |
| 31 | 58 | Neutron Power RI-26-80A1 | 1E | None | None | HSP | (2) |
| 32 | 59 | Neutron Power RI-26-80B1 | 1E | None | None | HSP | (2) |
| 33 | 151 | Letdown HT EX Outlet Temp TI-2223 | NS | None | None | HSP | (1) |

NOTES:
(1) - Required for Cold Shutdown only
(2) - No interaction with the Control Room
(3) - Equipment does not change operating status (remains as is) by switching transfer switch to "isolate" position.
(4) - Equipment changes status and assumes safe position required by the Hot Shutdown Panel or Local control switch position. Procedures for reactor shutdown from outside the control room specify Hot Shutdown Panel/Local control switch position settings while the reactor is controlled from the control room.
TABLE 7.4-6 HOT SHUTDOWN PANEL SWITCH POSITIONS

| ITEM# TABLE 7.4-3 | EQUIPMENT | SWITCH POSITION ON THE HSP | REMARKS |
|---|---|---|---|
| 4 | Pressurizer Heater B1 (Back-up Heater) | Off | During normal operation the pressurizer pressure is maintained via the "Proportional Heaters". The "Back-up Heaters" are normally off and placing them in the "Off" position on the HSP maintains the plant as is in the control room if offsite power loss is not postulated. With a loss of offsite power all heaters are off. With all heaters off the operator has a minimum of four hours to establish pressurizer pressure control. This is done outside the control room by manually loading the appropriate number of heaters on the emergency power source and turning heater switches to the "On" position on the HSP. |
| 5 | Pressurizer Heater B2 (Back-up Heater) | Off | |
| 6 | Pressurizer Heater B3 (Back-up Heater) | Off | |
| 7 | Pressurizer Heater B4 (Back-up Heater) | Off | |
| 8 | Pressurizer Heater B5 (Back-up Heater) | Off | |
| 9 | Pressurizer Heater B6 (Back-up Heater) | Off | |
| 10 | Auxiliary Spray Valve SE-02-3 | Close | These valves are normally closed fail closed valves. Auxiliary spray is utilized during cooldown to reduce pressurizer pressure on a pre-determined curve. If auxiliary spraying is interrupted, pressurizer pressure is maintained until spraying is resumed. |
| 11 | Auxiliary Spray Valve SE-02-4 | Close | |
| 12 | Charging Line Valve SE-02-1 | Open | These valves are normally open fail open valves and are closed only when the auxiliary spray is used during cooldown. Closing of the auxiliary spray valves (Items 10 and 11) and reopening of these valves during the transfer will maintain the pressurizer pressure until auxiliary spraying is resumed. |
| 13 | Charging Line Valve SE-02-2 | Open | |
| 14 | Charging Line Isolation V2523 | Open | This valve is a fail open locked open valve and it should not be closed during operation or shutdown. |
| 18 | AFW 2A Discharge Valve SE-09-2 | Open | These valves are normally closed fail closed valves however, the Emergency Procedure will require placing these valves in the open position on the HSP. This position will ensure that water flow to the Steam Generators will not be terminated if it has been automatically initiated before the transfer occurs. Steam Generator high-level isolation is manually accomplished from the HSP. |
| 19 | AFW 2B Discharge Valve SE-09-3 | Open | |
| 24 | AFW 2C Discharge Valve SE-09-4 | Open | |
| 25 | AFW 2C Discharge Valve SE-09-5 | Open | |
TABLE 7.4-6 (Cont'd)

| ITEM# TABLE 7.4-3 | EQUIPMENT | SWITCH POSITION ON THE HSP | REMARKS |
|---|---|---|---|
| 106 | Letdown Isolation Valve V2515 | Close | These valves are normally-open, fail-closed valves. V2515 closes on SIAS, V2522 closes on CIS, and V2516 closes on SIAS or CIS. The analysis for alternative shutdown from outside the control room for an Appendix R fire assumes pressurizer level is maintained by isolation of letdown and by use of a charging system pump and valves. Plant procedures for a shutdown from outside the control room due to a fire require closing these valves in the control room to isolate letdown prior to the transfer of control to the HSP. The switch position of close on the HSP maintains the isolation of letdown. Loss of air closes these valves regardless of switch position. |
| 107 | Letdown Isolation Valve V2516 | Close | |
| 108 | Letdown Isolation Valve V2522 | Close | |

| ITEM# TABLE 7.4-5 | EQUIPMENT | HSP CONTROL POSITION | SETPOINT | REMARKS |
|---|---|---|---|---|
| 17 | Atmos Stm Dump Control PIC-08-1A1 | Manual | Closed | During normal operation the control room controller for the ADVs are in the manual mode with a setpoint to maintain the valves closed. Similarly, the controller positions on the Hot Shutdown Panel is "Manual" set for fully closed valves. The closed position of the ADVs minimizes the possibility of a steam generator dryout event and thus promotes an orderly cooldown. These ADVs are backed-up by the safety relief valves if the pressure builds up during the transfer. After the transfer the operator has full manual control of the ADVs at the Hot Shutdown Panel. |
| 18 | Atmos Stm Dump Control PIC-08-1B1 | Manual | Closed | |
| 19 | Atmos Stm Dump Control PIC-08-3A1 | Manual | Closed | |
| 20 | Atmos Stm Dump Control PIC-08-3B1 | Manual | Closed | |

Note: (#) Switch is not located on HSCP.
7.5 SAFETY RELATED DISPLAY INSTRUMENTATION (INCLUDES NON-SAFETY RELATED DISPLAY INSTRUMENTATION)

This section describes non-safety and safety related display instrumentation. The safety related (Class 1E) display instrumentation provides timely information to the operator so that he may initiate appropriate safety actions if and when required. Non-safety instrumentation is used for normal operation and although not required may be available for operator information. Table 7.5-1 lists the safety display instrumentation.

7.5.1 DESCRIPTION

The safety related display instrumentation provides monitoring of the automatic or manually actuated systems associated with the operation of the plant during normal or accident conditions. The following displays are included:

- ESFAS Input Parameters/ESF Systems Monitoring (1E)
- ESF Support Systems Monitoring (1E)
- Reactor Protective System Monitoring (1E)
- CEA Position Indication System (non 1E)
- Control Boards (1E) and Annunciators (1E and non 1E)
- Bypass and Inoperable Status Indication (non 1E)
- Control Room Habitability Instrumentation (1E)
- Post Accident Monitoring Instrumentation (1E)
- Shutdown Cooling System Instrumentation (1E)

7.5.1.1 ESFAS Input Parameters/ ESF System Monitoring

The Engineered Safety Features Actuation System (ESFAS) continuously monitors and feeds into the actuation logic the ESFAS input parameters in order to initiate the safeguards when parameters reach their trip set-points. The ESFAS is described in Section 7.3. After the ESF systems are automatically actuated, they continue to function without operator action. Table 7.5-1 lists the ESFAS input parameters safety related display instrumentation.

Information is made available for monitoring the status of each ESF system. Sufficient information is provided to the operator in the control room to monitor ESF systems during normal operating and post accident conditions. Based on this information the operator can take any anticipatory action that is required. The available information consists of valve position indication, pump operating status, and indication of process parameters. Table 7.5-1 also lists ESF safety related display instrumentation.

7.5-1 Amendment No. 8, (9/93)
The ESF valves have red and green indicating lights in the control room where a red light indicates open valve position and a green light indicates closed valve position. The lights are powered from the same power source as the valve actuating circuit and are located above the control switch, except for valves supplied with valve position indicators; in this case, the valve position indicator is located above the control switch lights located on the vertical section of the board. Refer to Table 7.5-4 for a list of valves which have position indicators and indicating lights in the control room.

7.5.1.2 ESF Support Systems Monitoring

ESF support systems are those systems which are required to function when the ESF systems are operating (Subsection 7.3.1.1.6). The instrumentation provided enables the operator to monitor the process variables for these systems in order to take appropriate action when required. The ESF support systems are as follows:

- Component Cooling Water System
- Intake Cooling Water System
- Onsite Power System, including Diesel Generator System
- HVAC Systems for Areas Containing ESF Systems
- Diesel Fuel Oil Storage and Transfer System

The safety related display instrumentation for the ESF support systems are also listed in Table 7.5-1.

7.5.1.3 Reactor Protective System (RPS) Monitoring

The RPS has automatic monitoring of the safety parameters and does not require operator action. Sufficient information is provided to the operator in the control room to confirm that a limiting setpoint has been reached and that a reactor trip has taken place. This information includes: pretrip reactor trip indication, warning lights, audible alarms, control element assembly (CEA) position indication (Subsection 7.5.1.4) and trip switchgear circuit breaker position indication.

Subsequently, the operator has full verification that the reactor has tripped and that the CEAs are fully inserted into the core by monitoring the CEA position and neutron level information that is provided in the control room. The display instrumentation together with the system components for the RPS are described in Section 7.2. The display instrumentation in the control room for the RPS is listed in Table 7.5-1.

7.5.1.4 CEA Position Indication System

a) Pulse Counting CEA Position Indication System

The pulse counting CEA position indication system infers each CEA position by maintaining a record of the "up" and "down" control power pulses received from the Control Element Drive Mechanism Control System (CEDMCS). Each "up" or "down" pulse represents 0.75 inches of CEA motion. The CEA position value associated with each CEA is reset to zero whenever the rod dropped contact (located within the reed switch position transmitter housing) is closed. This permits the pulse counting system to automatically reset the position to zero whenever a reactor trip occurs or whenever a CEA is dropped into the core.

7.5-2 Amendment No. 8, (9/93)

This system is incorporated in the DCS which transmits digital information to an output printer. CEA position information is periodically printed out by the printer and also upon operator demand, for a permanent record. The DCS also provides deviation information to the reactor operator. If the deviation in position between the highest and lowest CEA in any group exceeds either of two preset amounts (for predeviation or deviation), an alarm is annunciated. This alarm condition is documented on the DCS printer. The DCS also provides alarm information when an out-of-sequence condition occurs for the regulating groups or power and pre-power dependent insertion limits are being exceeded.

b) Reed Switch CEA Position Indication System

The reed switch CEA position indication system utilizes a series of magnetically actuated reed switches, spaced at 1-1/2 inch intervals along the CEDM housing and arranged with precision resistors in a voltage divider network. These reed switches are employed on each CEA to provide an analog voltage signal that is proportional to the CEA position. This voltage signal is continuously output by its reed switch position transmitter to the Analog Display System (ADS) (refer to Subsection 7.7.1.1.6). The reed switch position transmitter signals are displayed in a bar graph format by the ADS display on the control board.
In addition, reactor power signals from the Reactor Protective System, received through isolation in accordance with IEEE 279-1971, are used to determine the prepower dependent insertion limit and power dependent insertion limit for each CEA regulating group. Both insertion limits are displayed on the display to assist the operator in ensuring a correct control rod pattern. A backup numerical display is employed to read out an individual CEA position selected by the operator. This backup numerical display is completely independent of the ADS logic and displays. This feature can be used to cross-check the display.

7.5-3 Amendment No. 20 (05/11)
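The two CEA position channels described in a) and b), sketched as an added Python example that is not part of the FSAR or of any plant software. The deviation thresholds, the cross-check tolerance, the nearest-switch reed model and all names are assumptions; the text supplies only the 0.75 inch pulse step, the 1-1/2 inch switch spacing and the reset-on-rod-drop behaviour.

```python
import math
from dataclasses import dataclass

INCHES_PER_PULSE = 0.75   # from the text: one "up"/"down" pulse = 0.75 in of CEA motion
REED_SPACING_IN = 1.5     # from the text: reed switches spaced at 1-1/2 in intervals
PREDEVIATION_IN = 3.0     # ASSUMED: the text says "two preset amounts" without values
DEVIATION_IN = 6.0        # ASSUMED, as above
CROSSCHECK_TOL_IN = REED_SPACING_IN  # ASSUMED: channels may differ by one switch interval


@dataclass
class PulseCounter:
    """Inferred position of one CEA, kept as a running count of CEDMCS pulses."""
    pulses: int = 0

    def on_pulse(self, direction: str) -> None:
        if direction == "up":
            self.pulses += 1
        elif direction == "down":
            self.pulses -= 1
        else:
            raise ValueError(f"unknown pulse direction: {direction!r}")

    def on_rod_dropped_contact(self) -> None:
        # Contact closure (reactor trip or dropped CEA) re-zeroes the count.
        self.pulses = 0

    @property
    def position_in(self) -> float:
        return self.pulses * INCHES_PER_PULSE


def reed_switch_reading(true_position_in: float) -> float:
    """Simplified model: the divider reports the switch nearest the magnet."""
    nearest_switch = math.floor(true_position_in / REED_SPACING_IN + 0.5)
    return nearest_switch * REED_SPACING_IN


def group_deviation_status(positions_in: list) -> str:
    """Compare highest and lowest CEA in a group against the two thresholds."""
    spread = max(positions_in) - min(positions_in)
    if spread > DEVIATION_IN:
        return "deviation"
    if spread > PREDEVIATION_IN:
        return "predeviation"
    return "normal"


def channels_agree(pulse_in: float, reed_in: float) -> bool:
    """Cross-check the inferred (pulse) value against the measured (reed) value."""
    return abs(pulse_in - reed_in) <= CROSSCHECK_TOL_IN


def run_scenario():
    """Constructed scenario for one four-CEA group (names A-D are made up)."""
    group = {name: PulseCounter() for name in ("A", "B", "C", "D")}
    statuses = []

    def snapshot():
        statuses.append(group_deviation_status([c.position_in for c in group.values()]))

    for counter in group.values():          # whole group withdrawn 40 steps = 30 in
        for _ in range(40):
            counter.on_pulse("up")
    snapshot()
    for _ in range(5):                      # CEA C alone inserted 5 steps = 3.75 in
        group["C"].on_pulse("down")
    snapshot()
    group["C"].on_rod_dropped_contact()     # CEA C drops: count resets to zero
    snapshot()

    # A counter that missed 4 of 40 pulses reads 27.0 in while the rod is at
    # 30.0 in; only the independent reed-switch channel exposes the error.
    lagging = PulseCounter()
    for _ in range(36):
        lagging.on_pulse("up")
    agree = channels_agree(lagging.position_in, reed_switch_reading(40 * INCHES_PER_PULSE))
    return statuses, group["C"].position_in, agree


if __name__ == "__main__":
    print(run_scenario())
```

The last case is the reason for criterion "redundant and diverse means": the pulse count is an inference from commands sent, so a missed pulse is invisible to it until the reed-switch measurement disagrees.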
c) CEA Limits Indication System

The Control Element Drive Mechanism Control System (CEDMCS) receives indication of a fully withdrawn or fully inserted CEA position from distinct contact closure signals from the reed switch position transmitter assembly. The reed switch position transmitter assembly, on each CEA, transmits an upper electrical limit signal, if the CEA is fully withdrawn or transmits a lower electrical limit signal, if the CEA is fully inserted. The CEDMCS control panel provides indication of CEA travel limits to the reactor operator when an upper or lower limit signal is received for a CEA. The CEA limits indication system is separate from the reed switch CEA position indication system discussed in Subsection 7.5.1.4.b. The CEA Limits Indication System is powered by battery backed supply to provide indication in the control room under LOOP or SBO conditions.

d) Core Mimic CEA Limit Indication

A light display, arranged in the shape of the CEA configuration in the core, is provided in the control room to indicate the dropped rod status of each CEA. The detection of a dropped CEA is received, through the CEDMCS, from the dropped rod contact on the reed switch position transmitter assembly for each CEA. The Core Mimic CEA Limit Indication is powered from battery backed supply to provide indication in the control room under LOOP or SBO conditions.

e) NSSS Process Display Instrumentation

Table 7.5-1 lists the safety related process instrumentation that is provided to inform the operator of the status of the NSSS. This information, which is used for the startup, operation and shutdown of the plant, is provided on the reactor turbine generator board (RTGB) and other control panels in the control room. Indicating and control instrumentation is provided at local panels and the hot shutdown panel outside of the control room to allow reactor shutdown and maintenance of the reactor in a safe condition during either hot shutdown or cold shutdown.

7.5.1.5 Control Boards and Annunciators

a) Control Boards

The reactor-turbine generator board (RTGB) is a free standing benchboard type board with control switches primarily arranged on the lower bench portion, indicating and recording display instrumentation primarily on the lower vertical section, and annunciator windows on the upper vertical section. The RTGB consists of six separate control panels as follows:

- 201 Turbine Generator Control Panel
- 202 Feedwater and Cooling Water Systems
- 203 Reactor Coolant System
- 204 Reactivity Control
- 205 Waste Management and Chemical and Volume Control System
- 206 Engineered Safety Features Systems

7.5-4 Amendment No. 8, (9/93)

The heating ventilating control board (HVCB) and plant auxiliary boards are free standing vertical boards with control switches, indicating and recording display or flat panel display driven by Distributed Control System (DCS) instrumentation on the front of the boards. For a discussion of plant heating, ventilating and air conditioning systems see Section 9.4.

Plant Auxiliary Control Board 1, PACB-1, is one panel section of Heating-Ventilating and Plant Auxiliaries Control Board. On the safety sections of the board (SA and SB section), two safety-related redundant annunciator panels LA and LB and atmospheric steam dump controls are located. The atmospheric steam dump controls are duplicated here as a backup to the controls located on RTG board 202 and the Hot Shutdown panel. The safety section is separated from the non-safety section of the plant auxiliary control board in accordance with Regulatory Guide 1.75 (R1) (refer to Table 7.5-1).

Plant Auxiliary Control Board 2, PACB-2, is located next to the Safety Related Radiation Monitoring Panels. The panel has several safety-related instruments including, but not limited to, Containment Sump Water Level recorder, Containment Pressure recorder, Neutron Power Wide Range recorders, and PORV and SRV position indication. See Table 7.5-1 for Safety Related Instruments located on the two Plant Auxiliary Control Boards.

The hot shutdown panel is a free standing vertical board with control switches and indicating display instrumentation on the front of the board. For a discussion of emergency shutdown from outside the control room see Subsection 7.4.1.5.

The display instruments, switches and indicating lights are functionally grouped on the boards and identified with nameplates for each component. The safety related display instrumentation located on each of the above mentioned boards are listed in Table 7.5-1.
b) Annunciators

The annunciator windows are located on the upper vertical portion of the RTGB and HVCB and are functionally grouped and form nonsafety display units. The annunciator windows on each board are associated with the systems having instrumentation and/or controls on that same board. The annunciator initiating circuits, generated by the Class 1E devices are connected to the annunciator logic through isolation devices.

Safety related annunciator window display units are provided on the plant auxiliary board with 16 windows for channel SA and 16 windows for channel SB. Table 7.5-3 lists the safety related windows.

Audible alarms, together with visual displays, alert the operator of departures from normal operating conditions, such as trips, bypasses, overrides of safety signals or equipment faults. The arrangement of annunciator windows is shown on figures listed in Table 1.7-1.

7.5.1.6 Bypass and Inoperable Status Indication

Bypass and inoperable status indication for ESF and ESF support systems are located on the 206 RTGB. The bypass and inoperable status system is actuated through logics within the annunciator cabinets, which processes safety related systems status information and drives indicating lights on the bypass and inoperable status module.

7.5-5 Amendment No. 19 (06/09)

The light, indicating bypass or inoperable status, stays until the bypass is removed or the inoperable condition is rectified. St. Lucie Bypass Indication System is basically actuated automatically. The effectiveness of this automatic indicating system is further enhanced by including a manual actuation capability. The manual capability of the bypass indication system is endorsed by the Regulatory Guide 1.47 position C4, (RO).

The grouping of the windows on the status module indicates bypass and inoperable conditions on a system and channel level.

The listing of inoperable or bypass condition of the individual components is shown in Table 7.3-10. Description of bypass and inoperable status indication of the RPS and the ESF systems is discussed in Sections 7.2 and 7.3 respectively.

7.5.1.7 Control Room Habitability Instrumentation

The design for the control room habitability system is discussed in Section 6.4. The Control Room Air Conditioning System is discussed in Subsection 9.4.1. The system flow and P & I diagrams are shown on Figures 9.4-1 and 9.4-2, respectively. System component status indicating lights, system failure alarms and control room and outside air intake monitoring are provided in the control room to enable the operator to evaluate habitability conditions. Instrumentation for this system is listed in Tables 9.4-4 and 12.3-3 (Control Room outside air monitors).

7.5.1.8 Post Accident Monitoring Instrumentation

The post accident monitoring is designed to monitor plant variables during and following an accident; and conform to the requirements of Branch Technical Position EICSB Number 23, "Qualification of Safety Related Display Instrumentation for Post-Accident Condition Monitoring and Safe Shutdown," and Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," December 1980, Rev. 2. For more information see Subsection 7.5.2.9.

The wide range of information furnished to the operator by the extensive instrumentation and control systems depicted in Table 7.5-1 provides him with the long-term monitoring and surveillance capabilities of post accident conditions. For a complete list of Post Accident Monitoring Instrumentation see Subsection 7.5.2.9.

7.5.1.9 Shutdown Cooling System Instrumentation

A description of Shutdown Cooling System instrumentation is discussed in Subsection 7.4.1.3. Instrumentation utilized to monitor safe shutdown is listed in Table 7.4-1.

7.5-6 Amendment No. 18 (01/08)
7.5.2 ANALYSIS

7.5.2.1 ESFAS Input Parameters/ ESF Systems Monitoring

The following design criteria are used in the selection of ESF system monitored parameters:

a) Provide display of system conditions requiring operator attention or testing during routine plant operation.
b) Provide annunciation for automatic or manual initiation of any of the ESF systems including annunciation for malfunctions after system was initiated.
c) Provide information to determine if manual action is required to aid in proper system operation after automatic initiation, including input/output parameter indication for verification that proper functions have been established.
d) Provide indication for manually blocked or bypassed safeguard equipment.
e) Provide redundancy of indication.

The information which is displayed for the operators' use is listed in Table 7.5-1 consistent with the above criteria.

7.5.2.2 ESF Support Systems Monitoring

Information generated by the ESF support systems monitoring instrumentation is available to the operator to allow him to take appropriate action. The requirements are the same as for the ESF system. The following design criteria are used in the selection of monitoring instrumentation:

a) Provide a continuous display of various process parameters that are essential for proper support of the ESF systems in normal and in emergency modes.
b) Provide alarm for system conditions requiring operators' attention or action.
c) Provide redundancy of instrumentation, for reliability.
d) Provide visual verification of parameter function and accuracy during periodic testing of equipment.

Using these criteria the operator has sufficient instrumentation at his disposal, to assess properly the situation during various modes of operation in order to take corrective action if required. This instrumentation is shown in Table 7.5-1.

7.5-7 Amendment No. 8, (9/93)
7.5.2.3 Reactor Protective System Monitoring

Sufficient information is provided for the operator to confirm that a trip has occurred. CEA insertion information after a trip can be determined by the operator from the Analog Display System bar chart display and the Core Mimic CEA limit light indication (see Subsection 7.5.1.4). Indication of neutron flux levels in the reactor core, as well as other reactor and RCS information, are provided for the operator.

The following design criteria were used in the selection of information that is provided to the operator:

a) System conditions requiring operator attention during routine plant operations and at the time of reactor trip are displayed in the control room.
b) Indication in the control room of all operations performed at the RPS cabinet affecting the function of the system.
c) Indication of all selected plant variables that are manually bypassed.
d) Indication of automatic removal of a bypass.

7.5.2.4 CEA Position Indication Systems

CEA position indication is provided to give the operator information to easily determine the CEA positions and perform any related operations that are required. The following design criteria are used in selection of the CEA position indication systems:

a) Provide a redundant and diverse means of indicating CEA position;
b) Provide a permanent record of any or all of the CEAs for which trend information is useful;
c) Provide a continuous display of all CEA positions and readout of any selected CEA;
d) Provide redundant means of displaying to the operator CEA deviation within a control group, improper group sequencing or overlap, and CEA group inserted below power dependent insertion limits; and
e) Provide separate fully inserted and fully withdrawn indications for each CEA.

7.5.2.5 NSSS Process Display Instrumentation
NSSS process display instrumentation gives the operator information to monitor conditions in the plant and to perform necessary operations. In addition, the information allows the operator to cross check protective system measurement channels to ensure operational availability of these channels as discussed in Sections 7.2 and 7.3.
7.5-8 Amendment No. 21 (11/12)
The following design criteria are used in the selection of the NSSS process instrumentation:
a) Provide continuous monitoring of process parameters required by the operator.
b) Provide reliable and comprehensible information to the operator.
c) Provide information display that adequately monitors the parameter over the range required for various conditions.
d) Provide a permanent record of those parameters for which trend information is useful.
e) Provide four channels of indication for RPS and ESFAS process parameters to allow cross checking of channels.
f) Ensure that failure of a single indicator or one channel does not adversely affect operators' action.
Sufficient information is provided for the operator to accurately assess the conditions within the plant systems, to perform those appropriate actions in a timely manner, and to maintain the reactor systems within the conditions assumed by the safety analyses in Chapter 15.

7.5.2.6 Control Panels and Annunciators
The control boards and annunciators are arranged in functional groupings to allow the operator to assess quickly the operating conditions of the various plant systems over the full range of normal operating and accident conditions. Safety related parameters in the Reactor Protective System, ESFAS and systems required for safe shutdown are indicated and/or annunciated. This monitoring instrumentation also provides the means for determining malfunctions in safety related systems.
Control boards containing more than one set of redundant components are subdivided into compartments separated by a barrier. None of the compartments contain wiring or other components from redundant safety systems. Cables, entering the boards from redundant components, are run in separate fully enclosed steel raceways. Wiring within the board mounted equipment is carried in separate enclosed raceways.
Electrical and physical separation in the panels is maintained between the following:
a) redundant safety related channels SA, SB, and SAB
b) redundant safety related measurement channels MA, MB, MC, and MD
c) redundant safety related (SA, SB and SAB) channels and safety related (MA, MB, MC, and MD) measurement channels
7.5-9 Amendment No. 13, (05/00)
d) Class 1E and non-Class 1E circuits
Identification of redundant cable and components is as described in Subsection 8.3.1.3.

7.5.2.7 Bypass and Inoperable Status Indication
Bypass or inoperable equipment conditions are governed by administrative procedures. These administrative procedures are supplemented by bypass and inoperable status indication of selected equipment in the control room. The following design criteria are used in the selection of the status indication:
a) Provide indication windows for a bypass and inoperable condition on a system and channel level.
b) Determine the significance of the function of the equipment with regard to the safety of the plant.
c) Testing capability by activating each indicator manually.
Conformance with the Regulatory Guide 1.47 Position (R0) C2 is as follows: The Bypass Indicating System is automatically activated by the bypassing or deliberately induced inoperability on the supporting systems. Table 7.3-10 reflects these requirements (e.g., LP Safety injection "A 1" automatically activated by the diesel generator and/or pump motor breaker unavailability).
The operator has sufficient information about the important safety related systems which are removed from service, tested or being repaired, or disabled to allow him to take the proper course of action. The bypass and inoperable status indication windows are listed in Table 7.3-10. Figure 7.5-8 shows the interaction of the diesel generator and the bypass and inoperable status indication board.

7.5.2.8 Control Room Habitability Instrumentation
During normal operation of the plant, the control room envelope is air conditioned by one or two of three air conditioning units. The air inside the control room is mixed with fresh air taken in from the north or the south side of the Reactor Auxiliary Building in order to maintain a positive pressure differential.
During an emergency condition the control room is isolated by closing the fresh air intakes, and the emergency air filtration is started. Indication is provided in the control room for the fresh air intakes, for the differential pressure and for the emergency air filtration. The instrumentation is shown in Tables 9.4-4 and 12.3-3 (Control Room outside air monitors).

7.5.2.9 Post Accident Monitoring Instrumentation
The post accident monitoring instrumentation, which is identified (as "Required Post Accident") in Table 7.5-1, is provided for monitoring post accident conditions within the RCS, the steam generating system and the containment.
7.5-10 Amendment No. 16 (02/05)
The extensive instrumentation, as shown in the tables, provides the operator with required monitoring and surveillance capabilities to obtain information of post accident conditions. Accident environments and times required for equipment to operate post accident are referenced in Section 3.11.
The post accident monitoring (PAM) instrumentation design conforms to the requirements of Branch Technical Position EICSB Number 23 and Regulatory Guide (RG) 1.97, December 1980, R2 through the following:
a) the PAM instrumentation is redundant, with indication in the control room and with at least one channel continuously recorded when required by RG 1.97 (R2).
b) the PAM instrumentation is energized from the onsite emergency power supplies.
c) the PAM instrumentation is qualified for operation in the environmental and seismic conditions specified in Sections 3.10 and 3.11. Recorders function with their required accuracy immediately after the SSE ground motion subsides without requiring any maintenance.
d) for the safety-related PAM instrumentation the intent of IEEE 279-1971 is applied as discussed below.
The requirements of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Station," are not completely applicable to the design of the post accident monitoring instrumentation because this instrumentation is not a part of a protection system. However, the intent of the design criteria contained therein has been applied, in the design of those systems used for post accident monitoring conditions, to the following extent:
4.1 "General Functional Requirement" The safety related display instrumentation is designed to provide monitoring of the automatic or manually actuated systems associated with the operation of the plant during normal or accident conditions.
The instrument performance characteristics, response times, and accuracy are selected for compatibility with the design goal of providing the operator with long-term monitoring and surveillance capabilities after the plant has reached a stable condition.
4.2 "Single Failure Criterion" The safety related display instrumentation "Single Failure Criterion" is functionally identical to that described in Subsection 7.3.2.1.2.
4.3 "Quality Control of Components and Modules" For a discussion of the Quality Assurance program see Chapter 17.
7.5-11 Amendment No. 18 (01/08)
4.4 "Equipment Qualification" The post accident monitoring instrumentation meets the environmental and seismic qualification requirements discussed in Sections 3.10 and 3.11.
7.5-11a
4.5 "Channel Integrity" The safety related display instrumentation "Channel Integrity" is functionally identical to that described in Subsection 7.3.2.1.2.
4.6 "Channel Independence" The safety related display instrumentation "Channel Independence" is functionally identical to that described in Subsection 7.3.2.1.2. Safety related QSPDS electronic (cabinet) equipment has been qualified in accordance with Regulatory Guide 1.75, Revision 3.
4.7 "Control and Protection Systems Interaction" No control and protective interaction occurs in any portion of the post accident monitoring instrumentation.
4.8 "Derivation of System Inputs" All system inputs are derived from signals that are direct measures of the desired variables.
4.9 "Capability for Sensor Checks" The safety related display instrumentation sensors are checked by comparing the monitored variables of redundant channels or by observing the effects of introducing and varying a substitute input to the sensor similar to the measured variable.
4.10 "Capability for Test and Calibration" IEEE 338-1971 and Regulatory Guide 1.22 "Periodic Testing of Protection System Actuation Functions" 2/72 (R0) provide guidance for the development of procedures, equipment and documentation of periodic testing. The measurement signals for post accident monitoring that are also signals of the RPS, ESF, ESF support or systems required for plant shutdown have the capability of being tested and calibrated under the design requirements of that respective system.
4.11 "Channel Bypass or Removal from Operation" Any one of the channels may be tested, calibrated, or repaired without detrimental effects on the other channels. A limitation is provided in the Technical Specification for continued operation with one channel out of service.
4.12 through 4.17 These sections are not applicable.
4.18 "Access to Setpoint Adjustments, Calibration and Test Points" Administrative controls are provided for access to calibration points.
7.5-12 Amendment No. 20 (05/11)
4.19 "Identification of Protective Action" This section is not applicable.
4.20 "Information Readout" The post accident monitoring instrumentation contains indication of the required variable parameters for each of the redundant channels. At least one redundant channel of each analog variable is continuously recorded by a seismic Category I digital recorder in the control room.
4.21 "System Repair" A defective component can be detected by testing. Replacement or repair of components within one channel does not affect the other channels.
4.22 "Identification" The safety related display instrumentation equipment, including panels, meters, recorders, and cables associated with the system are uniquely identified. Interconnecting cables are color coded on channel basis (see Subsection 8.3.1.3).

Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident"
The requirements of RG 1.97, R3 are defined and implemented as described below:

Variable Type Definitions
Type A - Those variables that provide primary information so that operators can take the specified manual actions for which there are no automatic actions so that safety systems can accomplish their safety function for DBE. This does not include those variables required for contingency actions.
Type B - Those variables that indicate that safety functions are being accomplished.
Type C - Those variables that indicate a breach or potential to breach of barriers to fission product release. (Fuel cladding, RCS pressure boundary, containment)
Type D - Those variables that indicate the operation of individual safety systems and other systems important to safety.
Type E - Those variables that indicate the magnitude of radioactive releases and for assessing such releases.
7.5-13 Amendment No. 19 (06/09)

Design and Qualification Criteria

Category 1
a) Provide the most stringent requirements for key variables.
b) Qualified to RG 1.89 (R0).
c) Seismically qualified to RG 1.100 (R1). Safety related QSPDS electronic (cabinet) equipment has been qualified in accordance with Regulatory Guide 1.100 (R2).
d) The instrumentation systems are single failure proof.
e) A minimum of two channels are provided with additional backup instruments (same or diverse) to verify correct channel in the event of a "mid-scale" instrument failure.
f) Redundant or diverse channels are independent and physically separated in accordance with RG 1.75 (R1). Safety related QSPDS electronic (cabinet) equipment has been qualified in accordance with Regulatory Guide 1.75 (R3).
g) The instrumentation is powered from Standby Power per RG 1.32 (R0) and backed up by battery where momentary interruption of power is not tolerable.
h) The instrumentation is available prior to an accident.
i) The proper QA requirements apply.
j) Continuous indication is provided (may be a recorder).
k) Where variable trending is required for operator information, dedicated recorders or continuously updated and stored in computer memory and displayed on demand information are provided.
l) These variables are considered PAM instrumentation or part of effluent monitoring instrumentation.
m) Types A, B, and C are identified on the control boards for easy recognition by the operator.

Category 2
a) Less stringent requirements than Category 1 and applies to variables which indicate system operating status.
b) Qualified to RG 1.89 (R0).
c) Seismic qualification to RG 1.100, (R1) if the device is part of a safety related system. Safety related QSPDS electronic (cabinet) equipment has been qualified in accordance with Regulatory Guide 1.100 (R2).
d) Instrumentation is powered from a high reliability power source.
e) Technical Specification out of service requirements for the system the process variable covers, apply also to the process variable components.
7.5-13a Amendment No. 20 (05/11)
f) The proper QA requirements apply.
g) The signal may be displayed on an individual instrument or CRT (demand display).
h) The display may be dial, digital, CRT or stripchart recorder.
i) Where variable trending is required for operator information, a dedicated recorder or continuously updated, stored in computer memory and displayed on demand information is provided.
j) These variables are considered PAM instrumentation or part of effluent monitoring instrumentation.
k) Types A, B and C are identified on the control boards for easy recognition by the operator.

Category 3
a) Provides requirements for high-quality off-the-shelf instrumentation and applies to backup and diagnostic variables.
b) Provides the requirements for equipment where state-of-the-art cannot meet Category 1 and 2 levels.
c) High quality commercial grade and capable of operating in the specified service environment.
d) Display may be dial, digital, CRT or stripchart recorder.
e) Where variable trending is required for operator information, a dedicated recorder or continuously updated, stored in computer memory and displayed on demand information is provided.

Implementation
Type A, B, C, D and E variables per reference 5 were identified to the NRC.

Environmental Qualification
Environmental qualification of RG 1.97, (R3) equipment is covered in Section 3.11.

Wide Range Steam Generator Level Instrumentation
In response to RG 1.97 concerning the issue of wide range level instrumentation, FPL committed to upgrade the environmental qualification of existing transmitters to meet post-accident containment conditions, and add a redundant measurement channel for each steam generator. The upgrade was completed under PC/M 138-293. Additionally, PC/M 068-294 added redundant instrumentation to the single instrument tap shared between the two channels.
Based on FPL letter to the NRC, L-92-28, dated February 10, 1992, the NRC agreed to an exception for redundant instrument taps until the steam generators are replaced. Redundant Instrument Taps were provided with the replacement of the steam generators in fall 2007 and implementation of PC/M No. 05136M, "Steam Generator 2A & 2B Water Level modifications for the Unit 2 Component Replacement Projects."
7.5-14 Amendment No. 18 (01/08)

7.5.2.10 Shutdown Cooling System Instrumentation
The Shutdown Cooling System (SDCS) utilizes low pressure safety injection pumps, which are aligned for the Emergency Core Cooling System (ECCS) mode of operation when the Reactor Coolant System temperature is above 325°F. Alignment from the ECCS to the SDCS mode is described in Subsection 5.4.7.
For a discussion of the SDCS initiating circuits, logic, bypasses, interlocks and redundancy, see Subsection 7.4.1.3.

7.5.2.11 System Drawings
Applicable safety related display instrumentation system schematics, functional block diagrams, wiring diagrams and layouts are provided by reference in Section 1.7.
7.5-15 Amendment No. 18 (01/08)

7.5.3 TMI RELATED ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION

7.5.3.1 TMI Containment Pressure Monitors
In compliance with NUREG-0737 permanently installed wide range containment pressure monitors are provided for post accident monitoring of containment pressure.

7.5.3.1.1 Design Bases
a) Measurement and indication capability is provided over a range of -5 psig to four times the containment design pressure (175 psig).
b) Safety related redundant instrumentation channels are provided to meet the single failure criteria.
c) The redundant containment pressure monitoring instrumentation channels are energized from independent Class 1E power sources, and are physically separated in accordance with Regulatory Guide 1.75, "Physical Independence of Electric Systems," January 1975 (R1).
d) The containment pressure monitoring instrumentation is qualified in accordance with IEEE 323-1974 for the design bases accident environment in which they operate.
e) The containment pressure monitors are designed seismic Category I and qualified per the IEEE 344-1975 criteria.
f) Continuous indication and recording of containment pressure is provided in the control room.
g) Each instrument covers the entire pressure range.
h) The monitoring instrumentation inputs are from sensors that directly measure containment pressure and provide input only to the containment pressure monitors.
i) An instrumentation channel is available during normal operation prior to an accident as specified in plant technical specification.
j) Testing and calibration requirements are specified in plant technical specification.
k) The instruments are specifically identified on the control panels so that the operator can easily discern that they are intended for use under accident conditions.
7.5-15a Amendment No. 20 (05/11)

7.5.3.1.2 Design Description
The containment pressure detectors are electronic transmitters mounted outside the Reactor Containment Building. The detectors utilize independent sensing lines which penetrate the containment. A normally open fail closed solenoid valve with remote manual control operated from the control room is provided for containment isolation for each loop.
The redundant containment pressure monitoring channels are provided with indicators in the control room and one of the channels is recorded in the control room. Instrument loop accuracy is addressed in Table 7.5-1.

7.5.3.1.3 Safety Evaluation
The TMI containment pressure monitors are designated seismic Category I and designed to the Quality Group B standard. Two more channels of containment pressure monitoring instrumentation are provided as post accident monitors (refer to Table 7.5-1). Hence, in the unlikely event that the two redundant TMI containment pressure monitor displays disagree, the operator has these other monitoring channels at his disposal for verification purposes. Channel calibration and channel check are performed periodically.

7.5.3.2 TMI Containment Water Level Monitors
In compliance with NUREG-0737, permanently installed narrow and wide range containment water level monitors are provided for post accident monitoring. The narrow range instrument covers the range from the bottom to the top of the reactor cavity sump. The wide range instruments cover the range from the bottom of the containment to the elevation equivalent to 600,000 gallon capacity.

7.5.3.2.1 Design Bases
a) Safety related, redundant wide range water level monitors are provided to meet the single failure criteria. The wide range monitors are designed to seismic Category I requirements.
b) The redundant wide range water level instrumentation channels are energized from independent Class 1E power sources and are physically separated in accordance with Regulatory Guide 1.75, "Physical Independence of Electric Systems," January 1975 (R1).
c) One narrow range containment water level monitor is provided.
7.5-15b Amendment No. 20 (05/11)
d) Both the narrow and wide range containment water level monitoring channels are qualified to IEEE 323-1974 for the post accident environment in which they operate; seismic qualification per IEEE 344-1975 is also provided.
e) Continuous indication and recording of containment water level is provided in the control room.
f) Adequate overlapping of the ranges of narrow and wide range monitors is provided.
g) Signals from the associated sensors are only used for monitoring the containment water level.
h) The availability requirement of the wide range containment water level monitors is specified in plant technical specification.
i) Testing and calibration requirements are specified in plant technical specification.
j) The instruments are specifically identified on the control panels so that the operator can easily discern that they are intended for use under accident conditions.

7.5.3.2.2 Design Description
The wide and narrow range containment level detectors are located inside the containment. The narrow range monitor measures discrete level points from the bottom of the reactor cavity sump (elevation -7 ft.) to the top of the sump (elevation 0 ft.). The wide range monitors measure discrete level points from elevation -1 ft. to elevation 26 ft. of the containment. The electronics portion of each of the sensors is located outside the containment and converts the discrete point measurement to a continuous level indication in the control room.
The two channels of wide range level monitors are recorded in the control room. The narrow range level monitoring channel is also recorded in the control room.

7.5.3.2.3 Safety Evaluation
The redundant wide range water level monitors are safety related and designated seismic Category I. They are qualified for the design basis accident environment in which they operate per IEEE 323-1974; seismic qualification is per IEEE 344-1975. These monitors are provided strictly for monitoring purposes.
The narrow range water level instrument is primarily used during normal operation and does not serve any safety related function post accident.
7.5-15c Amendment No. 19 (06/09)

7.5.4 INSTRUMENTATION FOR DETECTION OF INADEQUATE CORE COOLING
This subsection responds to the requirements in Section II.F.2 of NUREG-0737 (Reference 1), for the development of CE instrumentation for detection of Inadequate Core Cooling (ICC). Results of initial studies by the CE Owners Group are documented in reports CEN-117 (Reference 2) and CEN-125 (Reference 3).

7.5.4.1 Description of Inadequate Core Cooling (ICC)

7.5.4.1.1 Definition of ICC
The definition of ICC and the functional requirements for the ICC Detection System have been established within the bounds of the following core conditions:
a) The reactor is tripped so only decay power is considered.
b) The coolant level falls below the top of the core, which can occur only with a loss of coolant mass from the Reactor Coolant System (RCS).
c) The event proceeds slowly enough so that the operator has time to observe and to make use of the instrument displays.
The condition at which ICC is considered to occur is at a fuel clad temperature of 2200°F (which is the licensing limit for design basis events using approved analytical methods).

7.5.4.1.2 Description of Event Progression
Events considered have the potential for progressing toward and returning from ICC. Events which might progress to core uncovery and heatup or which might appear as such events include LOCA, loss-of-feedwater, and rapid cooldown events including steamline breaks. These events all have in common a progression through some or all of three distinct sets of thermal and hydraulic conditions during the approach to ICC, and they follow a reversal of that progression through the same thermal and hydraulic conditions during the recovery from ICC. The three sets of conditions and the ICC variables which are displayed to indicate each condition are as follows:
Condition 1: The reduction in subcooling until the primary system reaches saturation. Saturation Margin is the ICC variable.
Condition 2: The loss of coolant inventory from the reactor vessel until the two-phase level falls to the top of the active core. Collapsed level above the core is the ICC variable.
Condition 3: The rising core temperatures as the two-phase level falls below the top of the active fuel. Core exit superheat and steam temperature are the ICC variables.
7.5-15d Amendment No. 20 (05/11)
The following subsections describe the sensors used in an ICC detection system during the above event progression.

7.5.4.1.3 Description of Sensors

7.5.4.1.3.1 Saturation Margin Monitor
The Saturation Margin Monitor (SMM), using input from existing Resistance Temperature Detectors (RTD) in the hot and cold legs and from the pressurizer pressure sensors, detects the initial occurrence of saturation during LOCA events and during loss of heat sink events. Fluid temperature measurements from the Heated Junction Thermocouples (HJTC) and the signals from core exit thermocouples are input to calculate and display degrees superheat (up to about 1800°F) in addition to degrees subcooling. The signals from the HJTC temperature measurements provide information about possible local differences in temperature between the reactor vessel upper head/upper plenum (location of the HJTC) and the hot or cold legs (location of the RTDs). The core exit thermocouples respond to the coolant temperature at the core exit and their signal indicates superheat after the coolant level drops below the top of the core and, thus, provide an approximate indication of the depth of core uncovery.
The SMM can be used for detection of the approach to ICC, namely Condition 1 (loss of subcooling), and Condition 3 (core uncovery). The SMM is not capable of indicating the existence of Condition 2 when the coolant is at saturation conditions and the level is between the top of the vessel and the top of the core.

7.5.4.1.3.2 Resistance Temperature Detectors (RTD)
The RTDs sense the initial occurrence of saturation. However, the RTD range is not adequate for ICC indications during core uncovery since, as the uncovery proceeds, the superheated steam temperature may quickly exceed the upper limit of the RTD range. The core exit thermocouples and the unheated thermocouples in the HJTC are then used.

7.5.4.1.3.3 Heated Junction Thermocouples (HJTC)
The HJTC show the liquid inventory of the mixture of liquid and vapor coolant above the core. These are the instruments which show the approach to ICC in Condition 2, namely the period from the initial occurrence of saturation conditions until the start of core uncovery. The installed instruments are also referred to as Liquid Level Probes (LLP), and the two terms may be used interchangeably.

7.5.4.1.3.4 Core Exit Thermocouples (CET)
The core exit thermocouples show the approach to ICC after core uncovery for the event analyzed. As mentioned above, the core exit thermocouples respond to the coolant temperature at the core exit and indicate superheat after the core is no longer completely covered by coolant. Except for a time delay of about 200 to 400 seconds, depending on event, the trend of the change in superheat corresponds to the trend of core uncovery as well as to the accompanying trend of the change in cladding temperature.
7.5-15e Amendment No. 21 (11/12)

7.5.4.2 System Functional Description
In the following subsections a functional description of the instruments of the ICC Detection System is given and the function of the instruments is related to the ICC conditions which are described in Subsection 7.5.4.1.

7.5.4.2.1 Subcooling and Saturation
The parameters measured to detect subcooling and saturation are the RCS coolant temperature and the pressurizer pressure. Temperature is measured in the hot legs for typical LOCA type events and is measured in the vessel upper head region for cooldown events. The measurement range extends from the shutdown cooling conditions up to saturation conditions at the pressurizer safety valve setpoint. The response time is such that the operator obtains adequate information during those events which proceed slowly enough for him to observe and to act upon the information from the instrument display.
The information which is derived from the reactor vessel temperature and pressure measurements is the amount of subcooling during the initial approach to saturation conditions and the occurrence of saturation during Condition 1. Following core recovery, the reestablishment of subcooled conditions is obtained. During Condition 3, core uncovery, coolant superheat is measured.

7.5.4.2.2 Coolant Level Measurement in Reactor Vessel
The Reactor Coolant System is at saturation conditions until sufficient coolant is lost to lower the two-phase level to the top of the active core. A Reactor Vessel Level Monitoring System provides a direct measurement during this period. The parameter which is measured is the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass which is in the reactor vessel above the core. Measurement of the collapsed water level is selected because it is a direct indication of the water inventory.
The collapsed level is obtained over the same temperature and pressure range as the saturation measurements, thereby encompassing all operating and accident conditions where it must function. Also, it functions during the recovery interval. Therefore, it is designed to survive the high steam temperature which may occur during the preceding core uncovery interval.
The level range extends from the top of the vessel down to the top of the fuel alignment plate. The response time is short enough to track the level during small break LOCA events. The resolution is sufficient to show the initial level drop, the key locations near the hot leg elevation and the lowest levels just above the alignment plate. This provides the operator with adequate indication to track the progression during Condition 2 and core recovery and to detect the consequences of his mitigating actions or the functionability of automatic equipment.
7.5-15f Amendment No. 14 (12/01)

7.5.4.2.2.1 Alternate Reactor Vessel Level Monitoring

Technical Specifications required that an alternate method of determining reactor vessel level be implemented when both channels of RVLMS are out-of-service. The alternate methods are:

1) Mismatch between charging and letdown with incorrect response of pressurizer level to pressurizer spray or charging;
2) CET indicated temperature in the superheat region;
3) Unheated junction thermocouples indicating superheat.

PWR operators have been trained on these methods as part of the Mitigating Core Damage courses required following TMI.

7.5.4.2.2.2 Mismatch between Charging and Letdown with Incorrect Response of Pressurizer Level to Pressurizer Spray or Charging

This process to identify voids was incorporated into St. Lucie procedures following the Natural Circulation Cooldown event on Unit 1. A void developed in the reactor head due to incomplete cooling of the upper head region. The void was identified by the mismatch in charging and letdown and a response opposite to the normal response to pressurizer sprays. With voids present in the reactor vessel head, increasing pressurizer sprays causes pressurizer level to rise. A reduction in sprays and increased charging would cause pressurizer level to decrease. Both of these indications are abnormal and opposite to what is expected for a subcooled RCS. Post event evaluations confirmed the creation and collapse of a reactor head void.

7.5.4.2.2.3 CET Indicating Temperatures in the Superheat Region

Events where RCS inventory is reduced to the top of the core can be determined by use of the CETs. Once the core becomes uncovered, the steam rising from the core would become superheated as it passes over the top of the uncovered fuel assemblies. The CETs can be used to monitor this condition by providing a temperature that indicates the steam has entered the superheat region. Pressurizer pressure and steam tables would have to be used in conjunction with the indicated temperature to determine that the steam is being superheated. The CETs can be read directly on QSPDS.

7.5.4.2.2.4 Unheated Junction Thermocouples Indicating Superheat

As discussed above, thermocouples can be used to determine if superheated conditions exist in the reactor core. The RVLMS uses both heated and unheated thermocouples to determine reactor vessel level. If the unheated thermocouples are available, they can be used and temperatures read from QSPDS.

7.5.4.2.3 Fuel Cladding Heatup

The overall intent of ICC detection is to detect the potential for fission product release from the reactor fuel. The parameter which is most directly related to the potential for fission product release is the cladding temperature rather than the uncovery of the core by coolant. Since clad temperature is not directly measured, a parameter to which cladding temperature may be related is measured. This parameter is the fluid temperature at the core exit. After the core becomes uncovered, the fluid leaving the core is superheated steam and the amount of superheat is related to the fuel length exposed and to the cladding temperature. The amount of superheat of the steam leaving the core is measured by the core exit thermocouples. The time behavior of the superheat temperature is, with the exception of an acceptably small time delay, similar to the time behavior of the cladding temperature. Thus, from the observation of the steam superheat, the behavior of the cladding temperature can be inferred. Observation of the cladding temperature trends during an accident is considered to be of more value to the operator than information on the absolute value of the cladding temperature.

The core exit steam temperature is measured with the thermocouples included in the Incore Instrument (ICI) string. They are located inside the ICI support tube above the fuel alignment plate. Calculations for representative uncovery events show that the thermocouples respond sufficiently fast to the increasing steam temperature. The required temperature range of the thermocouples extends from the lowest saturation temperature at which uncovery may occur up to the maximum core average exit temperature which occurs when the peak clad temperature reaches 2200°F. The actual thermocouple range encompasses the required range, which extends from 32°F to about 1800°F. Thermocouples function with reduced accuracy at even higher temperatures, so the range for processing the thermocouple output extends to about 2300°F.

7.5.4.3 System Design Description

The following sensors have been selected as the basic instruments to meet the functional requirements described in Subsection 7.5.4.2:

a) The Saturation Margin Monitoring (SMM) system (Reference 1)
b) The Heated Junction Thermocouple (HJTC) system (Reference 2) and
c) The Core Exit Thermocouple (CET) system.

The conceptual design of each ICC instrument is described in this section which addresses:

a) Sensors design
b) Signal processing and display design

Figures 7.5-1a and 7.5-1b are the functional diagrams for the ICC instrument systems. Each instrument system consists of two safety grade channels from sensors through signal processing equipment. The outputs of processing equipment systems feeding the primary display (i.e., SAS/DCS) are isolated to separate safety grade and non-safety grade systems. Channelized safety grade backup displays are included for each instrument system. The following sections present details of the design.

7.5.4.3.1 Sensors Design

7.5.4.3.1.1 Saturation Margin Monitoring System (SMMS)

The SMM includes the RCS temperature and pressure inputs plus the maximum unheated junction thermocouple temperature (UHJTC) described in Subsection 7.5.4.3.1.2 and the representative core exit thermocouple (CET) temperature (Subsection 7.5.4.3.1.3). The UHJTC and CET inputs come from the outputs of the HJTC and CET processing units. In summary, the sensor inputs to the SMMS are:

Sensor Input                       Range
Pressurizer Pressure               0-3000 psia
Cold Leg Temperature               50-750°F
Hot Leg Temperature                50-750°F
Maximum UHJTC Temperature          32-2300°F (from HJTC processing)
Representative CET Temperature     32-2300°F (from CET processing)

7.5.4.3.1.2 Heated Junction Thermocouple (HJTC) System

The HJTC system measures reactor coolant liquid inventory with discrete HJTC sensors located at different levels within a separator tube ranging from the top of the core to the reactor vessel head. The basic principle of system operation is the detection of a temperature difference between adjacent heated and unheated thermocouples. The HJTC sensor consists of a Chromel-Alumel thermocouple surrounded by a resistance wire heater (or heated junction) and another Chromel-Alumel thermocouple (or unheated junction) positioned 4 1/2 inches above the heater. In a fluid with relatively good heat transfer properties, the temperature difference between the adjacent thermocouples is very small. In a fluid with relatively poor heat transfer properties, the temperature difference between the thermocouples is large. Two design features ensure proper operation under all thermal-hydraulic conditions.
First, each HJTC is shielded to avoid overcooling due to direct water contact during two-phase fluid conditions. The HJTC with the splash shield is referred to as the HJTC sensor (see Figure 7.5-2). Second, each string of HJTC sensors is enclosed in a separator tube that separates them from the turbulent liquid and vapor phases that surround the HJTC during a reactor coolant inventory transient. The separator tube creates a collapsed liquid level that the HJTC sensors measure. This collapsed liquid level is directly related to the average liquid fraction of the fluid in the reactor head volume above the fuel alignment plate. This mode of direct in-vessel sensing reduces spurious fluid effects due to pressure, fluid properties, and non-homogeneities of the fluid medium. The string of HJTC sensors and the separator tube is referred to as the HJTC instrument.

The HJTC System is composed of two channels of HJTC instruments. Each HJTC instrument is manufactured into a probe assembly. The probe assembly includes eight HJTC sensors, a seal plug, and electrical connector (Figure 7.5-3). The eight HJTC sensors are located at eight levels from the reactor vessel head to the fuel alignment plate.

The volume above the core in the St. Lucie Unit 2 reactor vessel is hydraulically separated into two regions (Figure 7.5-5). The region between the Fuel Alignment Plate (FAP) and Upper Guide Structure Support Plate (UGSSP) is the upper plenum. The second region, between the UGSSP and the top of the vessel head, is the upper head. The HJTC probe assembly is located outside of a CEA shroud and extends through both these regions.

The HJTC probe assembly for St. Lucie Unit 2 is designed to measure the collapsed water level in the upper head independently from the collapsed water level in the upper plenum. This is accomplished by the use of a "split" probe assembly (Figure 7.5-6). Functionally, the probe is divided into an upper separator tube in the upper head region and a lower separator tube in the upper plenum region. A divider disk inside the probe located at the UGSSP elevation isolates the upper and lower tubes hydraulically. Holes at the top and bottom of each separator tube allow the collapsed water level in each region to be formed and measured inside the separator tubes.

The HJTC sensors are located axially in the probe assembly so that the collapsed water level in each region can be measured. The locations of the eight sensors available in each of two probe assemblies are shown on Figure 7.5-6. A sensor is placed as high as possible in the upper head and upper plenum to provide an early indication of voiding in each region.
A sensor just above the UGSSP indicates when the upper head is completely empty. A sensor placed midway between these sensors provides increased resolution for the level measurement in the upper head. In the lower separator tube, sensors are placed at the top, centerline, and bottom of the hot leg. These sensors tell the operator when the collapsed water level passes through the hot leg elevation. The final sensor is placed as close as possible to the FAP. This sensor provides an indication that the water inventory above the core in the upper plenum has been depleted and thus, gives an advanced warning of the impending core uncovery.

7.5.4.3.1.3 Core Exit Thermocouple (CET) System

St. Lucie Unit 2 is equipped with a Type K (Chromel-Alumel) thermocouple within each of the 56 (maximum) core exit thermocouples (CETs). The CETs are arranged so that 14 CETs are distributed as uniformly as possible in each of the four core quadrants. Each of the two Qualified Safety Parameter Display System (QSPDS) channels receives input from 28 CETs. The input of all valid CETs to each of the QSPDS channels will be used to determine the representative core exit temperature.
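
The differential-temperature principle and split-probe layout of Subsection 7.5.4.3.1.2, shown as an added illustration that is not part of the FSAR or of the QSPDS software: each of the eight sensors is classified from its heated and unheated junction temperatures, and the collapsed level is bracketed separately in the upper head and the upper plenum. The 200°F threshold, the function and field names, and the sample readings are assumptions made for this example.

```python
"""Illustrative HJTC split-probe evaluation; not plant or vendor software."""
from dataclasses import dataclass
from typing import Dict, Sequence

RANGE_F = (32.0, 2300.0)  # thermocouple processing range given on the page
DT_UNCOVERED_F = 200.0    # ASSUMPTION: heated-minus-unheated threshold, deg F

# Sensor elevations, top to bottom, as the page places them in the split probe.
UPPER_HEAD = ("top of upper head", "mid upper head", "just above UGSSP")
UPPER_PLENUM = ("top of upper plenum", "top of hot leg", "hot leg centerline",
                "bottom of hot leg", "just above FAP")


@dataclass(frozen=True)
class Reading:
    heated_f: float    # heated-junction thermocouple, deg F
    unheated_f: float  # unheated-junction thermocouple, deg F


def in_range(temp_f: float) -> bool:
    # NaN fails both comparisons, so a dead input is rejected as well.
    return RANGE_F[0] <= temp_f <= RANGE_F[1]


def classify(r: Reading) -> str:
    """Return 'invalid', 'uncovered' (poor heat transfer) or 'covered'."""
    if not (in_range(r.heated_f) and in_range(r.unheated_f)):
        return "invalid"
    return "uncovered" if r.heated_f - r.unheated_f >= DT_UNCOVERED_F else "covered"


def region_level(names: Sequence[str], readings: Sequence[Reading]) -> Dict:
    """Bracket the collapsed level inside one separator tube."""
    states = [classify(r) for r in readings]
    valid = [(n, s) for n, s in zip(names, states) if s != "invalid"]
    uncovered = [n for n, s in valid if s == "uncovered"]
    covered = [n for n, s in valid if s == "covered"]
    # In one tube steam sits above liquid, so reading top to bottom an
    # uncovered sensor below a covered one contradicts a single level.
    consistent, seen_covered = True, False
    for _, s in valid:
        if s == "covered":
            seen_covered = True
        elif seen_covered:
            consistent = False
    return {
        "states": dict(zip(names, states)),
        "level_below": uncovered[-1] if uncovered else None,  # lowest dry sensor
        "level_above": covered[0] if covered else None,       # highest wet sensor
        "consistent": consistent,
        "invalid": [n for n, s in zip(names, states) if s == "invalid"],
    }


def evaluate_probe(readings: Sequence[Reading]) -> Dict:
    """Evaluate one eight-sensor probe: three head sensors, five plenum sensors."""
    if len(readings) != 8:
        raise ValueError("one HJTC probe carries eight sensors")
    unheated = [r.unheated_f for r in readings if in_range(r.unheated_f)]
    return {
        "upper_head": region_level(UPPER_HEAD, readings[:3]),
        "upper_plenum": region_level(UPPER_PLENUM, readings[3:]),
        # The maximum unheated-junction temperature is the value passed to the SMM.
        "max_uhjtc_f": max(unheated) if unheated else None,
    }


# Constructed sample: a void at the top of the upper head with the plenum full,
# plus one plenum sensor whose heated input is out of range.
WET = Reading(545.0, 540.0)
SAMPLE_HEAD_VOID = [
    Reading(790.0, 530.0),   # top of upper head: large differential, uncovered
    WET, WET,                # rest of the upper head still covered
    WET, WET,
    Reading(2500.0, 540.0),  # hot leg centerline: heated input out of range
    WET, WET,
]

if __name__ == "__main__":
    result = evaluate_probe(SAMPLE_HEAD_VOID)
    for region in ("upper_head", "upper_plenum"):
        print(region, result[region])
    print("max UHJTC:", result["max_uhjtc_f"])
```

When `consistent` is false the bracket is not meaningful, and the readings need to be correlated against the other channel rather than displayed as a level.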
An evaluation was made of the minimum number of valid CETs necessary for ICC detection. The evaluation determined the reduced complement of CETs that adequately detect initial core uncovery and trend the ensuing core heatup. The evaluation accounts for core nonuniformities including in-core effects of the radial decay power distribution, and ex-core effects of condensate runback in the hot legs and nonuniform inlet temperatures. Based on these evaluations adequate ICC detection is assured with two valid CETs per quadrant. Therefore, the full core complement of CETs to be installed is more than adequate for use in ICC detection, and provides an additional degree of operational flexibility.

The junction of each thermocouple is located a few inches above the fuel assembly inside a structure which supports and shields the ICI detector assembly string from flow forces in the outlet plenum region. These core exit thermocouples (CET) monitor the temperature of the reactor coolant as it exits the fuel assemblies. Figure 7.5-7A depicts a typical ICI detector assembly, showing the CET. The core locations of the ICI detector assemblies are shown on Figure 7.5-7B. The CETs have a usable temperature range from 32°F up to 2300°F (Reference 4) although accuracy is reduced at temperatures above 1800°F.

7.5.4.3.2 Signal Processing and Display Equipment Design

The processing and display hardware is divided into two major hardware groups - the Qualified Safety Parameter Display System (QSPDS) and the Safety Assessment System (SAS)/Distributed Control System (DCS). The equipment groups process and display the ICC detection sensor inputs as well as sensor inputs to meet other NRC requirements. The QSPDS provides the safety grade processing and display for the ICC detection instruments. The SAS is the non-safety grade primary display system which has full human factors engineering display capabilities.
The design objectives for the equipment are to address the NUREG-0737 criteria, including the criteria for Attachment 1 to II.F.2 and Appendix B.

7.5.4.3.2.1 Qualified Safety Parameter Display System (QSPDS)

The QSPDS is a two-channel system which displays the ICC instrument (Saturation Margin Monitor, HJTC and CET System) outputs to the control room. The QSPDS uses a microprocessor-based design for the signal processing equipment in conjunction with an alphanumeric display for each of the two channels. Each channel accepts and processes ICC input signals and transmits its output to the SAS. The two QSPDS channels are powered by Channel A & B station vital busses. Each QSPDS is electrically independent and physically separated according to the Regulatory Guide 1.75 (R1). The QSPDS is designed to meet Class 1E isolation requirements. Safety related QSPDS electronic (cabinet) equipment has been qualified in accordance with Regulatory Guide 1.75 (R3).
The QSPDS is qualified environmentally in accordance with IEEE 323-1974 and seismically qualified according to IEEE STD 344-1975. Safety related QSPDS electronic (cabinet) equipment has been qualified in accordance with IEEE 323-1983 and seismic qualified according to IEEE 344-1987.

The QSPDS consists of two redundant channels to avoid interruptions of display due to a single failure. This two safety grade channel configuration provides QSPDS availability greater than 99 percent. In the remote chance that one complete QSPDS channel fails, the operator has:

a) Additional channels of ICC sensor inputs for cold leg temperature, hot leg temperature, and pressurizer pressure on the control board separate from the QSPDS.
b) The HJTCS and CET have multiple sensors in each channel for the operator to correlate and check inputs.
c) The HJTCS sensor output may be tested by adjusting the heater power.

The QSPDS is available during normal operation and availability is addressed in the Technical Specifications.

The QSPDS has two functions:

a) Sensor input processing
b) Display of safety parameters

The sensor input processing consists of:

a) Checking that the sensor inputs are within range
b) Converting sensor inputs into display units
c) Calculating parameters from the sensor inputs (if required)
d) Alarming when a parameter exceeds setpoint

The QSPDS processing equipment includes operator interfaces for equipment testing, setup, and maintenance. The processing for the ICC instrumentation will have surveillance testing and diagnostic capabilities. Automatic on-line surveillance tests continuously check for specified hardware and software malfunctions. The on-line automatic surveillance tests, as a minimum, indicate inputs that are out of range and computer hardware malfunctions. The malfunctions are indicated through the operator interface. A manual on-line diagnostic capability is incorporated to aid the operator in locating the source of these malfunctions.
The QSPDS displays present the most reliable basic information for each of the ICC instrument systems. The QSPDS displays are designed:
The representative core exit temperature is calculated as follows. During normal RCS conditions (saturation margin alarm not active), non-valid core exit thermocouples (CETs) are detected with out-of-scale checks, tolerance checks, and statistical analysis. The representative core exit temperature is selected from the upper end of the temperature distribution of the remaining valid CETs. While a saturation margin alarm is active, indicating abnormal RCS conditions, the same method will be used to select the representative core exit temperature from among the valid CETs determined during prior normal operation. The out-of-scale failure checks are still performed.

The following information is displayed on the QSPDS displays:

(a) All CET temperatures for each channel (or 28 maximum CET temperatures)
(b) The representative CET temperature

7.5.4.4 System Qualification

The in-vessel sensors are designed to meet the NUREG-0737, Appendix B guide to install the best equipment available consistent with qualification and schedular requirements. Design of the equipment is consistent with the guidelines of Appendix B as well as the clarification and Attachment 1 to Item II.F.2 in NUREG-0737. Specifically, instrumentation meets appropriate stress criteria when subjected to normal and design basis accident loadings. Seismic qualification to safe shutdown conditions verifies function after being subjected to the seismic loadings.

The out-of-vessel instrumentation system, up to and not including the cabinets, is environmentally qualified in accordance with IEEE 323-1974 as interpreted by CENPD-255 Rev. 01. Plant-specific containment temperature and pressure design profiles are used where appropriate in these tests. This equipment is seismically qualified according to IEEE STD 344-1975. CENPD-182, "Seismic Qualification of CE Supplied Instrumentation Equipment," Combustion Engineering, Inc., May 1977, describes the methods used to meet the criteria of this document. Safety related QSPDS electronic (cabinet) equipment has been qualified in accordance with IEEE 323-1983 and seismic qualified according to IEEE 344-1987.
FP&L has evaluated what is required to augment the out-of-vessel Class 1E instrumentation equipment qualification program to NUREG-0588. Consistent with Appendix B of NUREG-0737, the out-of-vessel equipment under procurement is the best available equipment. See Section 3.11 for more information.

The primary display (i.e., SAS/DCS) is not designed as a Class 1E system, but is designed for high reliability; thus it is not qualified environmentally or seismically to Class 1E requirements nor does it meet the single failure criteria of Appendix B, Item 2. Post-accident maintenance accessibility is included in the design. The quality assurance provisions of Appendix B, Item 5 do not apply to the primary display according to NUREG-0737. However, the computer driven primary display system is separated from the Class 1E sensors, processing and backup display equipment by means of an isolation device which is qualified to Class 1E criteria.
Verification and validation of the QSPDS software for the ICC display includes use of a designated test facility, integrated software testing, and static and dynamic tests which thoroughly test the software. The QSPDS verification testing procedures utilize the experience gained from previous CPCS software verification.

7.5.4.5 System Verification Testing

This section describes tests and operational experience with ICC instruments.

7.5.4.5.1 RTD and Pressurizer Pressure Sensors

The hot and cold leg RTD temperature sensors and the pressurizer pressure sensors are standard NSSS instruments which have well known responses. No special verification tests have been performed nor are planned for the future. These sensors along with UHJTC inputs provide basic, reliable temperature and pressure inputs which are considered adequate for use in the SMM and other additional display functions.

7.5.4.5.2 Core Exit Thermocouples

Testing at the Oak Ridge National Laboratory was performed to evaluate thermocouple performance under simulated accident conditions (Reference 4). These tests included long term exposure to elevated temperatures and repeated quenchings. In summary, these tests demonstrated that the Type K Chromel-Alumel thermocouples remain functional up to 2300°F.

7.5.4.5.3 HJTC System Sensors and Processing

The HJTC System is a new system. Extensive testing has been performed to assure that the HJTC System will operate to unambiguously indicate liquid inventory above the core. The test program has been completed and the results submitted to the NRC in late 1982 in CEN-185-P, Supplement 3-P. The full prototype system, including the probe and associated microprocessor, heater controllers, and display were integrated into one test arrangement. The system as a whole was subjected to steady-state single and two phase conditions, top and bottom depressurizations, as well as repressurization.

7.5.5 POST ACCIDENT EXCORE NEUTRON FLUX MONITORING SYSTEM

The Excore Neutron Flux Monitoring System monitors neutron flux wide range and source range monitors with Class 1E independent displays in the Control Room and on the Hot Shutdown Panel. This system is designed to meet the NRC requirements found in 10 CFR 50 Appendix R and Regulatory Guide 1.97, Revision 3, Type B variable.

The Excore Neutron Flux Monitoring System consists of two redundant Class 1E channels each consisting of the following major components:

a) Fission chamber neutron detector assembly
b) Cable assemblies with qualified junction box
c) Containment triaxial cable penetration feedthrough modules
d) Amplifier assembly
e) Signal processing assembly
f) Control Room instrumentation (displays and trend recorder)
g) Hot shutdown panel instrumentation (displays)

The design basis of the Excore Neutron Flux Monitoring System is to provide neutron flux measurement from 5 x 10^-2 nv (neutron/cm^2-sec) to 5 x 10^9 nv. The basis for range required by Regulatory Guide 1.97 R3 is 1 x 10^-6 to 100% power. The installed Excore Neutron Flux Monitoring System meets or exceeds these bases. Reference Table 7.5-1.

REFERENCES: SECTION 7.5

1. NUREG-0737, "Clarification of TMI Action Plan Requirements," U.S. Nuclear Regulatory Commission, November 1980.
2. CEN-117, "Inadequate Core Cooling - A Response to NRC IE Bulletin 79-06C, Item 5 for Combustion Engineering Nuclear Steam Supply Systems," Combustion Engineering, October 1979.
3. CEN-125, "Input for Response to NRC Lessons Learned Requirements for Combustion Engineering Nuclear Steam Supply Systems," Combustion Engineering, December 1979.
4. Anderson, R. L., Banda, L.A., Cain, D. G., "Incore Thermocouple Performance Under Simulated Accident Conditions," IEEE Nuclear Science Symposium, Vol. 28, No. 1 page 773, Figure 81.
5. FP&L Letter L-85-417 from J. W. Williams (FPL) to Mr. E. J. Butcher (NRC) dated November 18, 1985.
6. Title 10 Code of Federal Regulations, Part 50.62.
7. NUREG-1394, "Emergency Response Data System (ERDS) Implementation," Rev. 1.
8. PC/M No. 05136M, Steam Generator 2A & 2B Water Level Modification for the Unit 2 Component Replacement Projects.

TABLE 7.5-1 1 SAFETY-RELATED DISPLAY INSTRUMENTATION' ' REQUIRED FOR 2 2 Parameters Associated lnstrument' ' ESF/Shutdown Shut- Post Loop Accuracy' ' With The S!{stem Function Tag No. Range RPS ESF Support down Accident (Percent)
- 1. RTGB- 201 Battery 2A-Volts Indication VM-1001 x Battery 2A-Amps Indication AM-1801 x 4.16 KV Bus 2A3-Amps Indication AM-936 x 4.16 KV Bus 2A3-Volts Indication VM-954 x D.G. #2A-Frequency Indication FM-1606 x D.G. #2A-Amps Indication AM-955D x D.G #2A-Volts Indication VM-1606D x 4.16 KV Bus 2AB-Amps Indication AM-942 x 4.16 KV Bus 2AB-Volts Indication VM-942 x D.G. #2B-Frequency Indication FM-1616 x D.G. #2B-Amps Indication AM-965D x D.G. #2B-Volts Indication VM-1616D x Battery 2B-Volts Indication VM-1002 x Battery 2B-Amps Indication AM-1802 x 4.16 KV Bus 2B3-Amps Indication AM-937 x 4.16 KV Bus 2B3-Volts Indication VM-964 x D.G #2A-MVARS Indication VARM-1606 x D.G #2B-MVARS Indication VARM-1616 x D.G #2A-Watts Indication REC/1606 x 7.5-16 Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd). REQUIRED FOR Parameters Associated lnstrument<2l ESF/Shutdown Shut- Post Loop Accurac/2l With The System Range Support down Accident (Percent)
- 1. RTGB - 201 (Cont'd)
D.G #2B-Watts Indication REC/1616 x D.G #2A-Kilowatt Hour Indication WHM-9550 x D.G #2B-Kilowatt Hour Indication WHM-9650 x 7.5-16a Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd) REQUIRED FOR Parameters Associated lnstrument<2> ESF/Shutdown Shut- Post Loop Accuracy!2> With The System Function Tag No. Range RPS ESF Support down Accident (Percent) II. RTGB - 202: S. Gen #2A-Level Ind/Control LIC-9013A x x x x<4> S. Gen #2A-Level Ind/Control LIC-90138 x x x x<4> S. Gen #2A-Level Ind/Control LIC-9013C x x x x<4> S. Gen #2A-Level Ind/Control LIC-9013D x x x x<4> S. Gen #28-Level Ind/Control LIC-9023A x x x x<4> S. Gen #28-Level Ind/Control LIC-90238 X(4) x x x S. Gen #28-Level Ind/Control LIC-9023C x x x x<4> S. Gen #28-Level Ind/Control LIC-9023D x x x x<4> S. Gen #2A Wide Range Indication DCS Flat Panel x x<4> Display (DCS Flat Panel Display is Not Nuclear Safety but has its transmitter qualified for post accident environment.) S.Gen #28 Wide Range Indication DCS Flat Panel x x<4> Display (DCS Flat Panel Display is Not Nuclear Safety but has its transmitter qualified for post accident environment.) S.Gen #2A Wide Range* Recorder DCS I Historian x S.Gen #28 Wide Range* Recorder DCS I Historian x Aux. FW Hdr. A-Flow/ Indication Fl-09-2A/ x x x Aux. FW Hdr. A-Press Indication Pl-09-8A x x Aux. FW Hdr. 8-Flow/ Indication Fl-09-28/ x x x Aux. FW Hdr. 8-Press Indication Pl-09-88 x x Aux. FW Hdr. C-Flow/ Indication Fl-09-2C/ x x x Aux. FW Hdr. C-Press Indication Pl-09-8C x x lntk. Clg. Wtr. Hdr. Ind/Alarm PIS-21-8A x A-Press lntk. Clg. Wtr. Hdr. Ind/Alarm PIS-21-88 x 8-Press Cond. St. Tk-Level Ind/Alarm LIS-12-11A x x Cond. St. Tk-Level Ind/Alarm LIS-12-118 x x Sim. to Aux. FW Pump Ind/Alarm Pl-08-5 x x 2C-Press
- Not Safety Related but transmitter is EQ qualified.
7.5-17 Amendment No. 17 (12/06)
TABLE 7.5-1 (Cont'd) REQUIRED FOR Parameters Associated lnstrument<2> ESF/Shutdown Shut- Post Loop Accuracy<2> With The S~stem Function Tag No. Range RPS ESF Support down Accident (Percent) II. RTGB - 202:(Cont'd) Alm. Sim. Dump SG lnd!Control PIC-08-1A x
#2A-Press Alm. Stm. Dump SG lnd!Control PIC-08-18 x #28-Press Aux FW Hdr. 8-Flowf Recorder FR-09-2812C x x Hdr. C-Flow Feedwater Hdr. A Press Indication Pl-09-9A x Feedwater Hdr. A Press Indication Pl-09-98 x Feedwater Hdr. A Press Indication Pl-09-9C x Feedwater Hdr. A Press Indication Pl-09-9D x Feedwater Hdr. 8 Press Indication Pl-09-10A x Feedwater Hdr. 8 Press Indication Pl-09-108 x Feedwater Hdr. 8 Press Indication Pl-09-10C x Feedwater Hdr. 8 Press Indication Pl-09-10D x Aux. FW Hdr. A-Flow Recorder FR-09-2A x x Aux. FW Pump 2A-Amp Indication AM-629 x x Aux. FW Pump 28-Amp Indication AM-630 x x Intake Pump 2A-Amp Indication AM-832 x Intake Pump 2C-Amp Indication AM-834 x Intake Pump 28-Amp Indication AM-833 x 7.5-18 Amendment No. 14 (12101)
TABLE 7.5-1 (Cont'd) REQUIRED FOR Parameters Associated lnstrumentl2> ESF/Shutdown Shut- Post Loop Accuracyl 2> With The SJ1Stem Function Tag No. Range RPS ESF Support down Accident (Percent) Ill. RTGB- 203: RCS Cold Leg 2A1-Temp Indication Tl-1115 x x RCS Cold Leg 281-Temp Indication Tl-1125 x x Pressurizer Water Level Indication Ll-1110X x x Pressurizer Water Level Indication Ll-1110Y x x Pressurizer-Press Indication Pl-1103 x (Low Range) Pressurizer-Press Indication Pl-1104 x (Low Range) Pressurizer-Press Indication Pl-1105 x (Low Range) Pressurizer-Press Indication Pl-1106 x (Low Range) Pressurizer-Press Indication Pl-1102A x x x Pressurizer-Press Indication Pl-11028 x x x Pressurizer-Press Indication Pl-1102C x x x Pressurizer-Press Indication Pl-11020 x x x 7.5-18a Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd) REQUIRED FOR Parameters Associated Instrument<2> ESF/Shutdown Shut- Post Loop Accuracyl2> Tag No . Range RPS ESF Support down Accident (Percent) With The System .Eill!.!illQn Ill. RTGB - 203: (Cont'd) Thermal Margin-Lo Ind/Alarm PIA-1102A x Press Set Pl. (RPS) Thermal Margin-Lo Ind/Alarm PIA-11028 x Press Set Pl. (RPS) Thermal Margin-Lo Ind/Alarm PIA-1102C x Press Set Pt. (RPS) Thermal Margin-Lo Ind/Alarm PIA-11020 x Press Set Pt. (RPS) SG 2M.P /SG 288P/ Indication PDl-1101A x Total Core Flow SG 2M.P /SG 288P/ Indication PDl-11018 x Total Core Flow 10 SG 2M.P /SG 288P/ Indication PDl-1101C x Total Core Flow SG 2M.P /SG 288P/ Indication PDl-11010 x Total Core Flow Coolant Loop-Temp Indication Tl-1102A x TC/TH Coolant Loop-Temp Indication Tl-11028 x TC/TH Coolant Loop-Temp Indication Tl-1102C x TC/TH Coolant Loop-Temp Indication Tl-11020 x TC/TH HoUCold Leg-Temp Recorder TR-1112 HA/CA x 7.5-19 Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd) REQUIRED FOR Parameters Associated lnstrument<2> ESF/Shutdown Shut- Post Loop Accuracy<2> With The System Function Tag No. Range RPS ESF Support Down Accident (Percent) Ill. RTGB - 203: (Cont'd) HoUCold Leg-Temp Recorder TR-1122 HB/CB x Pressurizer-Level/Press Recorder LR-1110X/PR-1108 x Pressurizer Pressure Indication Pl-1107-1 x x Pressurizer Pressure Indication Pl-1108-1 x x IV. RTGB - 204: % of Power Indication Jl-001A x x % of Power Indication Jl-0018 x x % of Power Indication Jl-001C x x % of Power Indication Jl-0010 x x NIS Wide Range-Rate Indication JKl-001A x NIS Wide Range-Rate Indication JKl-0018 x NIS Wide Range-Rate Indication JKl-001C x NIS Wide Range-Rate Indication JKl-0010 x NIS Power Range Safety Indication Jl-003Af x Power 004A NIS Power Range Safety Indication Jl-0038/ x Power 0048 Neutron Power Wide Range Indication Rl-26-80A5 x x Neutron Power Wide Range Indication Rl-26-8085 x x Neutron Power Rate of Change Indication Rl-26-80A3 x Neutron Power Rate of Change Indication Rl-26-8083 x Neutron Power Source Range Indication Rl-26-80A4 x Neutron Power Source Range Indication Rl.-26-8084 x 7.5-20 Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd) REQUIRED FOR Parameters Associated lnstrument! 2> ESF/Shutdown Shut- Post Loop Accuracy!2> With The Sl£Stem Function Tag No. Range RPS ESF Support down Accident (Percent) IV. RTGB - 204: (Cont'd) NIS Power Range Safety Indication Jl-003C/ x Power 004C NIS Power Range Safety Indication Jl-0030/ x Power 0040 Flux Indicators Indication Jl-005A/ x 007A Jl-006A x Flux Indicators Indication Jl-0058/ x 0078 Jl-0068 x Flux Indicators Indication Jl-005c/ x 007C Jl-006C x Flux Indicators Indication Jl-0050/ x 0070 Jl-0060 x NIS Wide Range Log Recorder JR-001A x Power NIS Wide Range Log Recorder JR-0018 x Power NIS Wide Range Log Recorder JR-001C x Power NIS Wide Range Log Recorder JR-0010 x Power V. RTGB - 205: Charging Flow to RHX Ind/Alarm FIA-2212 x x Charging Hdr. Pre.ss Ind/Alarm PIA-2212 x 7.5-21 Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd) REQUIRED FOR 2 Parameters Associated lnstrument' l ESF/Shutdown Shut- Post Loop Accuracy< 2l With The System Function Tag No. Range RPS ESF Support down Accident (Percent) Remarks VI. RTGB - 206: CCW Hdr. 2A - _Flow Ind/Alarm FIS-14-1A x x CCW Hdr. 2B - Flow Ind/Alarm FIS-14-18 x x CCW HX-2A Outlet Press Ind/Alarm PIS-14-BA x CCW HX-2B Outlet Press Ind/Alarm PIS-14-BB x CCW from Shutdown Ind/Alarm FIS-14-1 OA x HX-2AFlow CCW from Shutdown Ind/Alarm FIS-14-1 OB x HX-2B Flow CCW from Fuel Pool Ind/Alarm FIS-14-2 x Process HX Flow Display CCW from Letdown Ind/Alarm FIS-14-6 (5) HX Flow CCW Pump2A Indication AM-201 x CCW Pump 2B Indication AM-205 x CCW Pump2C Indication AM-209 x C.S. Hdr. A Press Ind/Alarm PIS-07-3A x C.S. Hdr. A Wtr. Flow Indication Fl-07-1A x x C.S. Hdr. B Press Ind/Alarm PIS-07-3B x C.S. Hdr. B Wtr. Flow Indication Fl-07-1 B x x 7.5-22 Amendment No. 21 (11/12)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VI. RTGB - 206 (Cont'd) | | | | |
Cont. Spray Pump 2A | Indication | AM-287 | | x |
Cont. Spray Pump 2B | Indication | AM-290 | | x |
Pressurizer Press | Ind/Alarm | PIA-1102ALL | | x x |
Pressurizer Press | Ind/Alarm | PIA-1102BLL | | x x |
Pressurizer Press | Ind/Alarm | PIA-1102CLL | | x x |
Pressurizer Press | Ind/Alarm | PIA-1102DLL | | x x |
Cont. Pressure | Ind/Alarm | PIS-07-2A | | x x |
Cont. Pressure | Ind/Alarm | PIS-07-2B | | x x |
Cont. Pressure | Ind/Alarm | PIS-07-2C | | x x |
Cont. Pressure | Ind/Alarm | PIS-07-2D | | x x |
RWT Water Level | Ind/Alarm | LIS-07-2A | | x x(4) |
RWT Water Level | Indication | LIS-07-2B | | x x(4) |
RWT Water Level | Ind/Alarm | LIS-07-2C | | x x(4) |
RWT Water Level | Ind/Alarm | LIS-07-2D | | x x(4) |
High Containment Rad "MA" | Ind/Alarm | RIS-26-3-2 | | x x(3) |
High Containment Rad "MB" | Ind/Alarm | RIS-26-4-2 | | x |
High Containment Rad "MC" | Ind/Alarm | RIS-26-5-2 | | x |
High Containment Rad "MD" | Ind/Alarm | RIS-26-6-2 | | x |
S.G. #2A Press | Indication | PI-8013A | | x x x(4) |
S.G. #2A Press | Indication | PI-8013B | | x x x(4) |

7.5-23 Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VI. RTGB - 206 (Cont'd) | | | | |
S.G. #2A Press | Indication | PI-8013C | | x x x(4) |
S.G. #2A Press | Indication | PI-8013D | | x x x(4) |
S.G. #2B Press | Indication | PI-8023A | | x x x(4) |
S.G. #2B Press | Indication | PI-8023B | | x x x(4) |
S.G. #2B Press | Indication | PI-8023C | | x x x(4) |
S.G. #2B Press | Indication | PI-8023D | | x x x(4) |
CCW from RCP | Ind/Control | FIS-14-15A | | x |
CCW from RCP | Ind/Control | FIS-14-15B | | x |
CCW from RCP | Ind/Control | FIS-14-15C | | x |
CCW from RCP | Ind/Control | FIS-14-15D | | x |
LPSI Loop 2A2 Flow | Indication | FI-3312 | | x x x |
LPSI Loop 2A1 Flow | Indication | FI-3322 | | x x x |
LPSI Loop 2B1 Flow | Indication | FI-3332 | | x x x |
LPSI Loop 2B2 Flow | Indication | FI-3342 | | x x x |
HPSI Loop 2A2 Flow | Indication | FI-3311 | | x x |
HPSI Loop 2A1 Flow | Indication | FI-3321 | | x x |
HPSI Loop 2B1 Flow | Indication | FI-3331 | | x x |
HPSI Loop 2B2 Flow | Indication | FI-3341 | | x x |
LPSI Hdr. A Press | Indication | PI-3307 | | x x |
HPSI Hdr. A Press | Indication | PI-3308 | | x |

7.5-24 Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VI. RTGB - 206 (Cont'd) | | | | |
All Containment Isolation Valves | **Position Indicator | | | x x |
SIT Iso. Vlv. Pos | Indication | ZI-3614 | | x x |
SIT Iso. Vlv. Pos | Indication | ZI-3624 | | x x |
SIT Iso. Vlv. Pos | Indication | ZI-3634 | | x x |
SIT Iso. Vlv. Pos | Indication | ZI-3644 | | x x |

** All containment isolation valves are provided with valve position indication in the control room.

7.5-24a Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VI. RTGB - 206 (Cont'd) | | | | |
LPSI Hdr B Press | Indication | PI-3304 | | x x |
HPSI Hdr B Press | Indication | PI-3309 | | x |
HPSI to Hot Loop 2A Flow | Indication | FI-3315 | | x x |
HPSI to Hot Loop 2B Flow | Indication | FI-3325 | | x x |
Hydrazine Spray Flow | Indication | FI-07-2-1 | | x |
Cont. Temperature | Indication | TI-07-3A | | x |
Cont. Sump Temp | Indication | TI-07-5A | | x |
Cont. Press/Cont. Sump Press | Indication | PI-07-4A | | x |
Cont. Press/Cont. Sump Press | Indication | PI-07-5A | | x |
Hydrazine Tank Level | Ind/Alarm | LIS-07-9 | | x |
HPSI Pump 2A Amp | Indication | AM-237 | | x x |
HPSI Pump 2B Amp | Indication | AM-238 | | x x |
LPSI Pump 2A Amp | Indication | AM-251 | | x x |

7.5-25 Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VI. RTGB - 206 (Cont'd) | | | | |
LPSI Pump 2B Amp | Indication | AM-252 | | x x |
Shutdown Cooling Loop 2A Flow | Recorder | FR-3306 | | x x |
Shutdown Cooling Loop 2B Flow | Recorder | FR-3301 | | x x |
Shutdown HX 2A Inlet Temp/LPSI Hdr 2A Temp | Recorder | TR-3351 | | x |
C.S. Flow | Recorder | FR-07-1B | | x x |
Shutdown HX 2B Outlet Temp | Indicator | TI-3303Y | | x x |
Shutdown HX 2B Outlet Temp | Recorder | TR-3303Z | | x x |
Shutdown HX 2B Inlet/LPSI Hdr 2B Temp | Recorder | TR-3352 | | x |
C.S. Flow | Recorder | FR-07-1A | | x x |
Shutdown HX 2A Outlet Temp | Indicator | TI-3303X | | x x |
Shutdown HX 2A Outlet Temp | Recorder | TR-3303W | | x x |
HPSI to Hot Loop 2B Flow | Recorder | FR-3327 | | x x |
HPSI Loop 2B1/2B2 Flow | Recorder | FR-3333/3343 | | x x |
HPSI Pump 2B Disch. Hdr Press | Recorder | PR-3306 | | x |
LPSI Hdr "B" Press | Recorder | PR-3302 | | x |
HPSI to Hot Loop 2A Flow | Recorder | FR-3317 | | x x |

7.5-26 Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VI. RTGB - 206 (Cont'd) | | | | |
HPSI Loop 2A2/2A1 Flow | Recorder | FR-3313/3323 | | x x |
HPSI Pump 2A Disch. Hdr Press | Recorder | PR-3305 | | x |
LPSI Hdr "A" Press | Recorder | PR-3301 | | x |
Cont. Press/Cont. Sump Press | Recorder | UR-07-1B | | x |
Cont. Temp/Cont. Sump Temp | Recorder | UR-07-1B | | x |
Hydrazine Spray Flow | Recorder | FR-07-2-2 | | x |
RWT Level | Recorder | LR-07-2D | | x x |
S.G. 2A/2B Press | Recorder | UR-09-2 | | x |
S.G. 2A/2B Level | Recorder | UR-09-2 | | x |
Plant Auxiliary Control Boards | | | | |
Containment Sump Wtr Level (Narrow Range) | Recording | UR-07-2A | | x |
Containment Wtr Level (Wide Range) | Recording | UR-07-2A | | x |
Containment Wtr Level (Wide Range) | Recording | UR-07-2B | | x |
Containment Pressure | Recording | UR-07-2A | | x |
Containment Pressure | Recording | UR-07-2B | | x |
Atm. Stm. Dump SG #2A-Press | Ind/Control | PIC-08-3B | | x |
Atm. Stm. Dump SG #2B-Press | Ind/Control | PIC-08-3A | | x |
Neutron Power Wide Range | Recorder | RR-26-80A | | x x |
Neutron Power Wide Range | Recorder | RR-26-80B | | x x |

7.5-26a Amendment No. 19 (06/09)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
Pressurizer Heater* | Indication | AM-943 | | x x |
Pressurizer Heater* | Indication | AM-944 | | x x |
Condensate Storage Tank | Recording | LR-12-11B | | x |
PORV & SRV Position** | Indication and Alarm | FI-01-1 | | x |
PORV & SRV Position** | Indication and Alarm | FI-01-2 | | x |
PORV & SRV Position** | Indication and Alarm | FI-01-3 | | x |
PORV & SRV Position** | Indication and Alarm | FI-01-4 | | x |
PORV & SRV Position** | Indication and Alarm | FI-01-5 | | x |
Steam Generator #2A Wide Range | Indication | LI-9014 | | x x(4) |
Steam Generator #2B Wide Range | Indication | LI-9024 | | x |
VII. HVCB: | | | | |
Control Room to Outside Air Diff Pressure | Indicating/Control | PDIC-25-23A1 | | x |
Control Room to Outside Air Diff Pressure | Indicating/Control | PDIC-25-23B1 | | x |
Annulus to Outside ΔP | Ind/Alarm | PDIS-25-7A | | x |
Annulus to Outside ΔP | Ind/Alarm | PDIS-25-7B | | x |
Shield Building HEPA Filter ΔP | Ind/Alarm | PDIS-25-8A | | x |

* Not Safety Related. Required by NUREG-0737 Item II.E.3.1.
** Not Safety Related but sensor is EQ Qualified. Required by NUREG-0737 Item II.D.3.

7.5-26b Amendment No. 18 (01/08)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB (Cont'd) | | | | |
Shield Bldg HEPA Filter ΔP | Ind/Alarm | PDIS-25-8B | | x |
Shield Bldg Exhaust-Flow A | Ind/Alarm | FIS-25-20A1 | | x |
Shield Bldg Exhaust-Flow B | Ind/Alarm | FIS-25-20B1 | | x |
Containment to Annulus ΔP | Ind/Cont | PDIS-25-1A | | x |
Containment to Annulus ΔP | Ind/Cont | PDIS-25-1B | | x |
Containment to Annulus ΔP | Indication | PDI-25-15A | | x |
Containment to Annulus ΔP | Indication | PDI-25-15B | | x |
Fuel Pool Area to Outside ΔP | Ind/Alarm | PDIS-25-17A | | x |
Fuel Pool Area to Outside ΔP | Ind/Alarm | PDIS-25-17B | | x |
ECCS Pump Room to Outside ΔP | Ind/Alarm | PDIS-25-16A | | x |
ECCS Pump Room to Outside ΔP | Ind/Alarm | PDIS-25-16B | | x |
ECCS Area Exhaust RAB HEPA Filter "A" ΔP | Ind/Alarm | PDIS-25-5A | | x |
ECCS Area Exhaust RAB HEPA Filter "B" ΔP | Ind/Alarm | PDIS-25-5B | | x |

7.5-27 Amendment No. 18 (01/08)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB (Cont'd) | | | | |
ECCS Area Exhaust Flow | Indication | FI-25-21A1 | | x |
ECCS Area Exhaust Flow | Indication | FI-25-21B1 | | x |
Control Room Emerg Filter ΔP HEPA Filter | Ind/Alarm | PDIS-25-9A | | x |
Control Room Emerg Filter ΔP HEPA Filter | Ind/Alarm | PDIS-25-9B | | x |
Control Room Emerg Filter Fan Discharge Flow | Indication | FI-25-19A1 | | x |
Control Room Emerg Filter Fan Discharge Flow | Indication | FI-25-19B1 | | x |
Control Room to Outside ΔP | Ind/Alarm | PDIS-25-23A | | x |
Control Room to Outside ΔP | Ind/Alarm | PDIS-25-23B | | x |
Control Room (North) Intake-Flow | Indication | FI-25-18A | | x |
Control Room (South) Intake-Flow | Indication | FI-25-18B | | x |
Shield Bldg Vent-Flow Train A | Ind/Control | FIC-25-20A1 | | x |
ECCS Area Exhaust-Flow Train A | Ind/Control | FIC-25-21A1 | | x |

7.5-28 Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB (Cont'd) | | | | |
Shield Bldg Vent-Flow Train B | Ind/Control | FIC-25-20B1 | | x |
ECCS Area Exhaust-Flow Train B | Ind/Control | FIC-25-21B1 | | x |
Control Room South Iso. Valve Position | Indication | ZI-25-17 | | x |
Control Room North Iso. Valve Position | Indication | ZI-25-14 | | x |
Cont Room Emerg Filtration System Train A Disch-Flow | Recorder | FR-25-1A | | x |
Shield Bldg Vent System Train A Discharge-Flow | Recorder | FR-25-1A | | x |

7.5-28a Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB (Cont'd) | | | | |
Auxiliary Building and ECCS Vent System Train A Discharge-Flow | Recorder | FR-25-1A | | x |
Control Room A/C Emerg Filter System Train B Discharge-Flow | Recorder | FR-25-1B | | x |
Shield Bldg Vent System Train B Discharge-Flow | Recorder | FR-25-1B | | x |
Auxiliary Building and ECCS Vent System Train B Discharge-Flow | Recorder | FR-25-1B | | x |
Containment Cooling Fan HVS-1A Cooling Coil Inlet-Temperature | Recorder | TR-25-1A | | x x |
Containment Cooling Fan HVS-1A Cooling Coil Outlet-Temperature | Recorder | TR-25-1A | | x x |
Containment Cooling Fan HVS-1B Cooling Coil Inlet-Temperature | Recorder | TR-25-1A | | x x |

7.5-29 Amendment No. 18 (01/08)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB (Cont'd) | | | | |
Containment Cooling Fan HVS-1B Cooling Coil Outlet-Temperature | Recorder | TR-25-1A | | x x |

7.5-30 Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB (Cont'd) | | | | |
Containment Cooling Fan HVS-1C Cooling Coil Inlet Temperature | Recorder | TR-25-1B | | x x |
Containment Cooling Fan HVS-1C Cooling Coil Outlet Temperature | Recorder | TR-25-1B | | x x |

7.5-31 Amendment No. 20 (05/11)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent) | Remarks
---|---|---|---|---|---|---
VII. HVCB: (Cont'd) | | | | | |
Containment Cooling Fan HVS-1D Cooling Coil Inlet Temperature | Recorder | TR-25-1B | | x x | |
Containment Cooling Fan HVS-1D Cooling Coil Outlet Temperature | Recorder | TR-25-1B | | x x | |
Control Room Train B Pre HEPA Filter Diff Pressure | Recorder | PR-25-1B | | x | |
Control Room Train B Charcoal Filter Diff Pressure | Recorder | PR-25-1B | | x | |
Control Room Train B After HEPA Filter Diff Pressure | Recorder | PR-25-1B | | x | |
Control Room Train B Diff Pressure | Recorder | PR-25-1B | | x | |
Aux Build and ECCS Vent System Train B HEPA Filter Diff Pressure | Recorder | PR-25-1B | | x | |
Aux Build and ECCS Vent System Train B Charcoal Filter Diff Pressure | Recorder | PR-25-1B | | x | |
Aux Build and ECCS Vent System Train B Diff Pressure | Recorder | PR-25-1B | | x | |

7.5-32 Amendment No. 18 (01/08)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB: (Cont'd) | | | | |
Shield Build Vent System Train B Pre HEPA Filter Diff Press | Recorder | PR-25-1B | | x |
Shield Build Vent System Train B Charcoal Filter Diff Press | Recorder | PR-25-1B | | x |
Shield Build Vent System Train B Diff Press | Recorder | PR-25-1B | | x |
Shield Build Vent System Train B After HEPA Filter Diff Press | Recorder | PR-25-1B | | x |
Control Room Train A Pre HEPA Filter Diff Press | Recorder | PR-25-1A | | x |
Control Room Train A Charcoal Filter Diff Press | Recorder | PR-25-1A | | x |
Control Room Train A After HEPA Filter Diff Press | Recorder | PR-25-1A | | x |
Control Room Train A Diff Press | Recorder | PR-25-1A | | x |
Aux Build and ECCS Vent System Train A HEPA Filter Diff Press | Recorder | PR-25-1A | | x |

7.5-33 Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VII. HVCB: (Cont'd) | | | | |
Aux Build and ECCS Vent System Train A Charcoal Filter Diff Press | Recorder | PR-25-1A | | x |
Aux Build and ECCS Vent System Train A Diff Press | Recorder | PR-25-1A | | x |
Shield Build Vent System Train A Pre HEPA Filter Diff Press | Recorder | PR-25-1A | | x |
Shield Build Vent System Train A Charcoal Filter Diff Press | Recorder | PR-25-1A | | x |
Shield Build Vent System Train A Diff Press | Recorder | PR-25-1A | | x |
Shield Build Vent System Train A After HEPA Filter Diff Press | Recorder | PR-25-1A | | x |
VIII. HSDP (Hot Shutdown Panel) | | | | |
Pressurizer Pressure | Indication | PI-1107 | | x |
Pressurizer Pressure | Indication | PI-1106 | | x |
Pressurizer Level | Indication | LI-1104 | | x |
Pressurizer Level | Indication | LI-1105 | | x |
Neutron Power Wide Range | Indication | RI-26-60A1 | | x |
Neutron Power Wide Range | Indication | RI-26-60B1 | | x |
Neutron Power Source Range | Indication | RI-26-60A2 | | x |
Neutron Power Source Range | Indication | RI-26-60B2 | | x |

7.5-34 Amendment No. 14 (12/01)
TABLE 7.5-1 (Cont'd)

Parameters Associated With The System | Function | Tag No. | Instrument Range (2) | Required For (RPS, ESF, ESF/Shutdown Support, Shutdown, Post Accident) | Loop Accuracy (2) (Percent)
---|---|---|---|---|---
VIII. HSDP: (Cont'd) (Hot Shutdown Panel) | | | | |
Steam Gen 2A Pressure | Indication | PI-8113 | | x |
Steam Gen 2A Level | Indication | LI-9113 | | x |
Steam Gen 2B Pressure | Indication | PI-8123 | | x |
Steam Gen 2B Level | Indication | LI-9123 | | x |
Reactor Cold Leg 2A Temp | Indication | TI-1115-1 | | x |
Reactor Cold Leg 2B Temp | Indication | TI-1125-1 | | x |
Shutdown Cooling Temp | Indication | TI-3351Y | | x |
Shutdown Cooling Temp | Indication | TI-3352Y | | x |
Shutdown Cooling Flow | Indication | FI-3306 | | x |
Shutdown Cooling Flow | Indication | FI-3301 | | x |
Diesel Gen 2A Volts | Indication | VM-1606-1 | | x |
Diesel Gen 2B Volts | Indication | VM-1616-1 | | x |
Diesel Gen 2A Watts | Indication | WM-1606-1 | | x |
Diesel Gen 2B Watts | Indication | WM-1616-1 | | x |
Neutron Power Level | Indication | JI-001A-1 | | x |
Neutron Power Level | Indication | JI-001B-1 | | x |
SG 2A ADV | Ind/Control | PIC-08-1A1, -3B1 | | x |
SG 2B ADV | Ind/Control | PIC-08-1B1, -3A1 | | x |
Charging Pump Discharge-Pressure | Indication | PI-2212 | | x |
Charging Pump Discharge-Flow | Indication | FI-2212 | | x |

(1) Instrument setpoints and accuracies are referenced in the Technical Specifications.
(2) Instrument ranges are selected in accordance with standard engineering practices. Instrument accuracies are selected such that existing instrument loop performance and safety analysis assumptions remain valid. Where applicable, instrument accuracies are also evaluated for their impact on setpoints in accordance with the FPL Setpoint Methodology.
(3) Post-LOCA monitoring is provided on the Radiation Monitoring Panel.
(4) Available Reg. Guide 1.97 Instrumentation; see Technical Specification for minimum channels required.
(5) This instrument does not provide a safety related display function; however, it is electrically "associated" with a safety channel. As such, it is Class 1E and meets the requirements of RG 1.75.

7.5-35 Amendment No. 21 (11/12)
PAGE INTENTIONALLY DELETED 7.5-36 Amendment No. 14 (12/01)
PAGE INTENTIONALLY DELETED 7.5-37 Amendment No. 14 (12/01)
TABLE 7.5-3 SAFETY RELATED ANNUNCIATOR WINDOWS

Window No. | | Actuating Device
---|---|---
LA-1 | INTAKE WATER LEVEL LOW | LS-21-5A
LA-2 | B SAFEGUARDS PUMP ROOM SUMP LEVEL HIGH-HIGH | LS-06-41
LA-3 | 2A DIESEL OIL STORAGE TANK LEVEL LOW | LS-17-10A
LA-4 | 3A1/3A2 LUBE WATER SUPPLY STRAINER ΔP HIGH (1) | PDIS-21-25-1A1, PDIS-21-25-1A2
LA-5 | PZR CHANNEL X LEVEL HIGH | LA-1110X-1
LA-6 | ADV ISOL MV-08-15/MV-08-17 OVRLD/CLOSED | (74,33)1621, (74,33)1623
LA-7 | CST LEVEL LOW-LOW | LIS-12-11A
LA-8 | A SAFEGUARDS PUMP ROOM SUMP LEVEL HIGH/HIGH-HIGH | LS-06-1A
LA-9 | 2A1/2A2 DIESEL OIL DAY TANK LEVEL LOW-LOW | LS-59-009A/014A
LA-10 | CCW SURGE TANK COMPARTMENT A LEVEL LOW | LS-14-1A
LA-11 | PZR CHANNEL X LEVEL LOW-LOW | LC-1110X
LA-12 | ADV MV-08-18A/MV-08-18B OVRLD/SS ISOL | (74)1626, SS-1626-3, (74)1628, SS-1628-3
LA-13 | CST LEVEL LOW | LIS-12-11A
LA-14 | FUEL POOL TEMP HIGH/LEVEL HIGH/LOW | LS-4420, TA-4420
LA-15 | VALVES SE-07-5A/5C/5E CLOSE | SE-07-5A, -5C, -5E
LB-1 | INTAKE WATER LEVEL LOW | LS-21-5B
LB-2 | A SAFEGUARDS PUMP ROOM SUMP LEVEL HIGH-HIGH | LS-06-40
LB-3 | 2B DIESEL OIL STORAGE TANK LEVEL LOW | LS-17-10B
LB-4 | 3B1/3B2 LUBE WATER SUPPLY STRAINER ΔP HIGH (1) | PDIS-21-25-1B1, PDIS-21-25-1B2
LB-5 | PZR CHANNEL Y LEVEL HIGH | LA-1110Y-1
LB-6 | ADV ISOL MV-08-14/MV-08-16 OVRLD/CLOSED | (74,33)1622, (74,33)1624
LB-7 | CST LEVEL LOW-LOW | LS-12-8
LB-8 | B SAFEGUARDS PUMP ROOM SUMP LEVEL HIGH/HIGH-HIGH | LS-06-1B
LB-9 | 2B1/2B2 DIESEL OIL DAY TANK LEVEL LOW-LOW | LS-59-021B/028B
LB-10 | CCW SURGE TANK LEVEL HIGH/COMPARTMENT B LEVEL LOW | LS-14-1B, LS-14-5
LB-11 | PZR CHANNEL Y LEVEL LOW-LOW | LC-1110Y
LB-12 | ADV MV-08-19A/MV-08-19B OVRLD/SS ISOL | (74)1625, SS-1625-3, (74)1627, SS-1627-3
LB-13 | CST LEVEL LOW | LIS-12-11B
LB-14 | FUEL POOL TEMP HIGH/LEVEL HIGH/LOW | LS-4421, TA-4421
LB-15 | VALVES SE-07-5B/5D/5F CLOSE | SE-07-5B, -5D, -5F

(1) System is no longer Safety Related; however, annunciation circuit remains with Safety Related components.

7.5-38 Amendment No. 18 (01/08)
TABLE 7.5-4 ESF SYSTEM VALVE INDICATORS

Valve Tag | Valve Description | Position Indication Type | Position Indication Power
---|---|---|---
V3614 | SIT 2A2 Isolation Valve | Analog | Separate from control power
V3624 | SIT 2A1 Isolation Valve | Analog | Separate from control power
V3634 | SIT 2B1 Isolation Valve | Analog | Separate from control power
V3644 | SIT 2B2 Isolation Valve | Analog | Separate from control power
HCV-3615 | LPSI Flow Control Valve | Lights | Same as control
HCV-3625 | LPSI Flow Control Valve | Lights | Same as control
HCV-3635 | LPSI Flow Control Valve | Lights | Same as control
HCV-3645 | LPSI Flow Control Valve | Lights | Same as control
HCV-3616 | HPSI Flow Control Valve | Lights | Same as control
HCV-3626 | HPSI Flow Control Valve | Lights | Same as control
HCV-3636 | HPSI Flow Control Valve | Lights | Same as control
HCV-3646 | HPSI Flow Control Valve | Lights | Same as control
HCV-3617 | HPSI Flow Control Valve | Lights | Same as control
HCV-3627 | HPSI Flow Control Valve | Lights | Same as control
HCV-3637 | HPSI Flow Control Valve | Lights | Same as control
HCV-3647 | HPSI Flow Control Valve | Lights | Same as control
V3540 | HPSI to Hot Leg 2A Valve | Lights | Same as control
V3523 | HPSI to Hot Leg 2B Valve | Lights | Same as control
FCV-3306 | Shutdown Cooling Bypass Valve | Lights | Same as control
FCV-3301 | Shutdown Cooling Bypass Valve | Lights | Same as control
V3545 | Shutdown Cooling Return Crosstie Valve | Lights | Same as control

7.5-39 Amendment No. 18 (01/08)
TABLE 7.5-4 (Cont'd)

Valve Tag | Valve Description | Position Indication Type | Position Indication Power
---|---|---|---
HCV-3657 | Shutdown Cooling Control Valve | Lights | Same as control
HCV-3512 | Shutdown Cooling Control Valve | Lights | Same as control
V3536 | Shutdown Clg Line 2A Warm-up Valve | Lights | Same as control
V3539 | Shutdown Clg Line 2B Warm-up Valve | Lights | Same as control
V1474 | Pressurizer Power Oper. Relief (PORV) | Acoustical - Lights | Separate
V1475 | Pressurizer Power Oper. Relief (PORV) | Acoustical - Lights | Separate
V1200 | Pressurizer Relief Valve | Acoustical - Lights | Separate
V1201 | Pressurizer Relief Valve | Acoustical - Lights | Separate
V1202 | Pressurizer Relief Valve | Acoustical - Lights | Separate

7.5-40 Amendment No. 18 (01/08)
[Figure: reactor coolant system plan view and reactor vessel elevation, showing the containment and auxiliary building and the Channel A sensor inputs. Drawing labels: TH 1, TC 1A, CET A (28 CETs per channel), HJTC A (8 HJTC), ICI detector assy (56), HJTC sensor (8 per probe assy), CET (1 per ICI detector assy), pumps 1B, 2A and 2B, core. Channel B similar.]
[FIGURE 7.5-1b: QUALIFIED SAFETY PARAMETER DISPLAY SYSTEM. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2. Amendment No. 20 (05/11). Block diagram of QSPDS processing channels A and B. Each channel is drawn with hot leg and cold leg temperature inputs, SMM, pressurizer pressure, CETs, HJTCs, heater power and heater controller, a QSPDS display with trackball controller, and a connection to the Distributed Control System.]
[FIGURE 7.5-2: HJTC SENSOR - HJTC/SPLASH SHIELD. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2.]
[Figure: HJTC probe assembly drawing. Drawing labels: electrical connectors, separator tube (upper head), separator tube (upper plenum), reference T/C, heated T/C, splash guard, heater zone, "sensor".]
THIS FIGURE DELETED Amendment No. 18 (01/08) FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FIGURE 7.5-4
[FIGURE 7.5-5: HJTC PROBE INSTALLATION. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2. Amendment No. 18 (01/08). Drawing labels: R.V. closure head, HJTC guide tube, CEA shroud, HJTC.]
[FIGURE 7.5-6: HJTC SENSOR LOCATIONS. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2. Drawing labels: instrumentation nozzle, upper separator tube, CEA shroud, UGSSP, lower separator tube, upper plenum, hot FAP.]
[FIGURE 7.5-7a: IN-CORE INSTRUMENT ASSEMBLY. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2. Refer to Dwg. 2998-19729. Amendment No. 11 (5/97).]
[FIGURE 7.5-7b: ICI DETECTOR ASSEMBLIES/CORE EXIT THERMOCOUPLES CORE LOCATIONS. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2. Core map; legend: boxed positions mark an ICI detector assembly/core exit thermocouple location.]
[FIGURE 7.5-8: INTERACTION OF THE DG AND THE INOPERABLE STATUS BOARD. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2. Amendment No. 10 (7/96). Logic diagram. DG 2A input conditions shown: breaker isolation switch in isolate position, breaker closing 125V DC not available (fuses removed), breaker closing springs not charged, 125V DC battery 2A breaker open. These feed the isolation cabinet, an "EMERGENCY DG 2A BKR." start-inhibit annunciator, and the inoperable status indication for the ESFAS "A" systems: charging and boron, control room habitability, main steam isolation, LP safety injection, HP safety injection, aux bldg H&V, H2 systems, containment spray, containment air coolers, recirculation (RWT/cont. sump), fuel pool emerg. vent, shield bldg vent, aux feedwater, component cooling water.]
APPENDIX 7.5A SAFETY ASSESSMENT SYSTEM/ EMERGENCY RESPONSE DATA ACQUISITION AND DISPLAY SYSTEM 7.5A-i Amendment No. 20 (05/11)
7.5A.1 DESCRIPTION

The Safety Assessment System (SAS)/Emergency Response Data Acquisition and Display System (ERDADS) provides necessary data to the Safety Parameter Display System (SPDS) plus other Emergency Response Functions data required in the control room. SAS/ERDADS also provides the Technical Support Center (TSC) and Emergency Operations Facility (EOF) and the NRC Operations Center through the PI servers.

This report describes that portion of the SAS which meets the SPDS requirements of NUREG-0696, "Functional Criteria for Emergency Response Facilities," dated February 1981 and NUREG-1394, "Emergency Response Data System (ERDS) Implementation." It provides a centralized, flexible, computer-based data and display system to assist control room personnel in evaluating the safety status of the plant. This assistance is accomplished by providing the operators, the Emergency Response Facilities (ERFs) and the NRC with high-level graphical displays containing a minimum set of key plant parameters representative of the plant safety status.

The displays of the SAS have been evaluated against human factors design criteria. The concepts used in the SAS design were verified using data recorded from a PWR Power Plant Simulator.

The Distributed Control System (DCS) was expanded to include the SAS/ERDADS System. This ERDADS subsystem to the DCS is referred to as ERDADS/DCS or just DCS.

The SAS is operable during normal and abnormal plant operating conditions. The SAS is available during all SPDS required modes of plant operation. The normal operation mode encompasses all plant conditions at or above normal operating pressure and temperature. When the Reactor Coolant System is intentionally cooled below normal operating values, the operator selects the Heatup-Cooldown mode, which alters the limit checking algorithm for the key parameters. There are also modes of operation which address the Hot Shutdown and Cold Shutdown statuses of the plant.

The SAS equipment is composed of the:

1. Field inputs to the SAS isolation cabinets to the ERDADS/DCS.
2. Hardware and software necessary to communicate with other associated computers via high-speed serial links to the DLS services computers for the General Atomics Radiation Monitoring Systems, and the Meteorological System.
3. Man Machine Interface (MMI) display stations are provided in the Unit 1 Control Room, the Unit 2 Control Room, the Technical Support Center (TSC), and in the Emergency Offsite Facility (EOF) through the PI servers.

7.5A-1 Amendment No. 21 (11/12)
The SPDS portion of the SAS is implemented on a FPD which is seismically mounted in an area of the Control Room visible to the control room operator and the senior reactor operator. This FPD contains the high-level display from which the overall safety status of the plant may be assessed. A dedicated function keyboard allows the operator to select any of the high level displays and various supporting displays at any time. The SAS is designed such that control room personnel can utilize its features without requiring additional operations personnel.

The SPDS display consists of bar graphs of selected parameter values, digital status indicators for important safety system parameters and digital values. The parameters indicated by bar graphs and digital values include: RCS pressure, RCS temperature, pressurizer level, steam generator levels and steam generator pressures. Status indicators are provided for containment environment and secondary system radiation. Reactor vessel level, core exit temperature, amount of subcooling and containment radiation are indicated by digital values. In addition, there is a message area for an appropriate secondary display providing information related to off-normal value or event detection. The bar graphs indicate wide-range values and if a parameter is outside its normal range the bar color will change.

During normal operation, the message area is used to display average power, reactor core average temperature, data, time, and unit time. These messages may be displayed by high priority messages as required.

Trend graph groups of selected related parameters are available.

The SAS/ERDADS hardware system utilizes a redundant component configuration to ensure high availability. The ERDADS/DCS receives the available variables specified in Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plant to Assess Plant and Environs Conditions During and Following an Accident," dated December 1980 (R2).

7.5A-2 Amendment No. 21 (11/12)
The system specified by the U.S. Nuclear Regulatory Commission to fulfill the data collection needs of the NRC is the Emergency Response Data System (ERDS). The ERDS data link provides a direct, near real time transfer of parametric reactor data of specified data points from the DCS through the PI servers to the NRC Operations Center. The ERDS data link is used only during emergencies and is activated by the licensee during declared emergencies of ALERT or a higher level classification. Specified data parameter points include (1) core and coolant system conditions, (2) conditions inside containment, (3) radioactivity release rates and (4) Meteorological Tower data. This gives the NRC the information with which to assess the potential or actual impact on public safety.

The interface between the SAS and the input variables derived from safety-related systems is isolated in accordance with the safety system criteria to preserve channel independence and integrity of the safety systems in the case of SAS malfunction. Design provisions are also included in the interface between the SAS and non-safety systems to ensure the integrity of the SAS upon failure of non-safety systems.

7.5A.2 HUMAN FACTORS CONSIDERATIONS

Human factors engineering and industrial design techniques have been effectively combined in accordance with established man-machine interface design requirements to maximize system effectiveness, reduce training and skill demands, and minimize operator error. The FPD color graphic formats and functional keyboard designs have been developed through an interdisciplinary team of senior operational, human factors, industrial design and computer interface personnel. Minimum use of color, combined with simplified format throughout the FPD presentation, have been key design features to provide both normal and off-normal pattern recognition.

The operator, who is the end user, has been directly involved from the conception to ensure that man-machine interface goals of SAS have been satisfied. The human factor engineering standards and testing verification methods which have been used are consistent with accepted practices.

7.5A.3 VERIFICATION AND VALIDATION

The SAS is implemented on a digital computer system. The display software that controls the sensor data, key parameter construction and display formats has been developed under strict verification and validation. Verification and validation is addressed and designed into the DCS software to provide a highly reliable product and a mechanism for identifying and controlling future changes.

7.5A-3 Amendment No. 21 (11/12)
THIS FIGURE HAS BEEN DELETED FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FIGURE 7.5A-1 Amendment No. 20 (05/11)
THIS FIGURE HAS BEEN DELETED FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FIGURE 7.5A-2 Amendment No. 20 (05/11)
[FIGURE 7.5A-3: Data Link System Configuration. FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2. Amendment No. 20 (05/11). Block diagram labels: Unit 1 and Unit 2 QSPDS Channel A and Channel B (isolated), DCS A, DCS B, isolated input/communication devices, DLS A, DLS B, PEDS A, PEDS B, Unit 1 and Unit 2 Radiation Monitoring Systems, MET data, users.]

Note on figure: Meteorological data is available on two links. The MET Interface Module decides which MET data should be used.
7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 DESCRIPTION

This section includes a description of those systems which are required for safety which have not been discussed in Sections 7.2 through 7.5.

7.6.1.1 Shutdown Cooling System Suction Line Valve Interlocks

The Shutdown Cooling System (SDCS) discussed in Subsection 5.4.7 is used to remove decay heat from the Reactor Coolant System. To preclude overpressurization of the SDCS there are redundant, motor driven isolation valves on each suction line. Interlocks prevent these valves from being opened if RCS pressure has not decreased below the value shown in Table 7.6-1. If the SDCS is operating, and RCS pressure increases above the setpoint shown in Table 7.6-1, the interlock automatically closes the isolation valves. The RCS pressure signals used are provided by the pressurizer pressure 0-750 psia safety channels. These interlocks are redundant so that any single failure does not cause the SDCS to be subjected to pressures greater than design pressure. The interlock cannot be overridden so that operator action cannot inadvertently subject the SDCS to RCS pressure. In addition, no single failure can prevent the operator from aligning the valves, on at least one suction line, for shutdown cooling after RCS pressure requirements are satisfied. They are powered from safety related buses.

7.6.1.2 Safety Injection Tank Isolation Valve Interlocks

The Safety Injection System (SIS) is discussed in Section 6.3. The safety injection tanks (SIT) inject borated water if system pressure drops below their internal pressure. The SIT interlocks permit the operator to close the tank isolation valves to prevent the SITs from inadvertently pressurizing the SDCS during shutdown. The SIT isolation valves are also closed to prevent introduction of nitrogen into the RCS.
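The single-failure claims made for the SDCS suction-valve interlock in Subsection 7.6.1.1 can be checked by exhaustive enumeration. The model below is an added example, not part of the FSAR: the setpoint values, the valve and channel names, the pressure trace and the shared-sensor comparison wiring are assumptions made for illustration, while the one-channel-per-valve arrangement follows Subsection 7.6.2.1.1.

```python
"""Single-failure check of the SDCS suction-valve interlock (illustrative model)."""

CHANNEL_MAX_PSIA = 750.0      # 0-750 psia pressurizer pressure safety channels (from the text)
OPEN_PERMISSIVE_PSIA = 300.0  # constructed placeholder, NOT the Table 7.6-1 value
AUTO_CLOSE_PSIA = 500.0       # constructed placeholder, NOT the Table 7.6-1 value

# Two suction lines, two isolation valves in series on each (valve names are hypothetical).
LINES = {"A": ("A1", "A2"), "B": ("B1", "B2")}

# One pressure channel per valve, as 7.6.2.1.1 describes (channel names are hypothetical).
INDEPENDENT = {"A1": "ch1", "A2": "ch2", "B1": "ch3", "B2": "ch4"}
# Hypothetical weaker wiring for comparison: both valves of a line share one channel.
SHARED = {"A1": "ch1", "A2": "ch1", "B1": "ch2", "B2": "ch2"}

# Constructed plant evolution: at power, cooled down, then a pressure excursion.
PRESSURE_TRACE_PSIA = (2250.0, 200.0, 600.0)


def channel_reading(true_psia, fault):
    """Value the interlock sees: clamped to the channel range, or stuck if failed."""
    if fault == "stuck_low":
        return 0.0
    if fault == "stuck_high":
        return CHANNEL_MAX_PSIA
    return min(max(true_psia, 0.0), CHANNEL_MAX_PSIA)


def valve_step(is_open, open_demand, reading):
    """One interlock evaluation for one valve. There is deliberately no bypass input."""
    if reading > AUTO_CLOSE_PSIA:
        return False                      # automatic closure on rising pressure
    if open_demand and reading < OPEN_PERMISSIVE_PSIA:
        return True                       # opening permitted only below the permissive
    return is_open                        # otherwise hold position


def run_trace(wiring, faults):
    """Operator demands every valve open at every step; return open lines per step."""
    state = {valve: False for valve in wiring}
    open_lines = []
    for psia in PRESSURE_TRACE_PSIA:
        for valve, channel in wiring.items():
            reading = channel_reading(psia, faults.get(channel, "ok"))
            state[valve] = valve_step(state[valve], True, reading)
        open_lines.append(
            [line for line, valves in LINES.items() if all(state[v] for v in valves)]
        )
    return open_lines


def single_failure_analysis(wiring):
    """Apply each single channel failure and report violated design criteria."""
    cases = [{}]  # the no-failure case first
    for channel in sorted(set(wiring.values())):
        for fault in ("stuck_low", "stuck_high"):
            cases.append({channel: fault})
    findings = []
    for faults in cases:
        label = next(iter(faults.items()), ("none", "ok"))
        per_step = run_trace(wiring, faults)
        # Criterion 1: no suction line may be open while true pressure is high.
        exposed = any(
            lines for psia, lines in zip(PRESSURE_TRACE_PSIA, per_step)
            if psia > AUTO_CLOSE_PSIA
        )
        # Criterion 2: at least one suction line must open once pressure permits.
        no_path = any(
            not lines for psia, lines in zip(PRESSURE_TRACE_PSIA, per_step)
            if psia < OPEN_PERMISSIVE_PSIA
        )
        if exposed:
            findings.append((*label, "sdcs_exposed_to_rcs_pressure"))
        if no_path:
            findings.append((*label, "no_suction_line_available"))
    return findings


if __name__ == "__main__":
    for name, wiring in (("independent", INDEPENDENT), ("shared", SHARED)):
        print(name, single_failure_analysis(wiring) or "meets both criteria")
```

With one channel per valve, a channel stuck low defeats only one of the two series valves and a channel stuck high blocks only one of the two lines; with a shared channel, a single stuck-low failure opens a whole line at full RCS pressure.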
The isolation valves may be manually closed or the SITs partially depressurized when RCS pressure drops below the value shown in Table 7.6-1 so that the SITs cannot cause overpressurization of the SDCS and also so that the SITs can be maintained at some pressure above atmospheric. As RCS pressure increases, the valves automatically reopen at the pressure indicated in Table 7.6-1. The SIAS over-rides the interlock or any manual signal. These interlocks are powered from safety related buses. Following License Amendment no. 100, the SITs are not required to be operable (isolation valves may be closed) when the RCS temperature is below Mode 3 temperature. 7.6.1.3 Design Bases 7 .6.1.3.1 Shutdown Cooling System Suction line Valve Interlocks The SDCS interlocks conform to the following design criteria: 7.6-1 Amendment No. 14 (12/01)
a) The isolation valves have interlocks to prevent opening the isolation valves while the RCS pressure is above the allowable SDCS pressure;

b) The interlocks keep the SDCS line isolated even after a single failure;

c) The interlocks do not prevent achieving cold shutdown after a single failure (Section 5.4.7.2.6 and 5.4.7.5);

d) Pressurizer pressure is used to provide the interlock functions;

e) Two pairs of physically independent sensors, located on separate pressurizer sensing nozzles, are provided; and

f) The interlocks do not fail so as to preclude opening of at least one SDCS path (if RCS pressure permits), or closing of both suction paths after a LOCA.

7.6.1.3.2 Safety Injection Tank Isolation Valve Interlocks

The SIT isolation valve interlocks are designed consistent with the balance of the SIS. Because the SIS is an ESF system, the ESF criteria take precedence over any other criteria applied to the interlocks. The SIT interlocks meet the following criteria:

a) The SITs cannot be isolated from the RCS when RCS pressure exceeds a preset value; the interlocks automatically open the isolation valves when RCS pressure exceeds a preset value;

b) Pressurizer pressure provides the input to interlocks; and

c) Two pairs of physically independent sensors, located on separate pressurizer sensing nozzles, are provided.

7.6.1.4 Final System Drawings

For schematic diagrams see Section 1.7 for a list of drawings.

7.6.2 ANALYSIS

7.6.2.1 Design Criteria

7.6.2.1.1 Shutdown Cooling System Suction Line Valve Interlocks

a) The isolation valve interlocks are redundant in that there are two trains; mechanical train A has two valves, one receiving its electrical signal from one pressure sensor and the second valve receiving its signal from another sensor; mechanical train B also has two valves but uses two different pressure sensors. Each electrical path to each pair of valves is physically independent and separate from the others. With this degree of redundancy and independence, the interlocks can sustain a single failure and still isolate both heat exchangers or make one available when required (see Figure 7.6-1).

7.6-2 Amendment No. 14 (12/01)

b) The method for identifying power, signal and control cables and cable trays dedicated to the instrumentation, control and electrical equipment associated with the isolation valves is discussed in Subsection 8.3.1 and meets the intent of Regulatory Guide 1.75, "Physical Independence of Electric Systems," 1/75 (R1) as discussed in Subsections 7.1.2.2 and 8.3.1.2.

c) The instrumentation, control and electrical equipment associated with SDCS interlocks are seismically and environmentally qualified in accordance with the requirements stated in Sections 3.10 and 3.11.

7.6.2.1.2 Safety Injection Tank Isolation Valve Interlocks

The SIS is an ESF system and the requirements of the General Design Criteria, Regulatory Guides, and IEEE standards appropriate for ESF systems are used for the instrumentation and controls associated with SIS. The interlock design is consistent with the balance of the system and its requirements. Refer to Section 6.3 for a discussion of the SIS and Section 7.3 for a discussion of the ESFAS.

7.6.2.2 Equipment Design Criteria

7.6.2.2.1 Shutdown Cooling System Suction Line Valve Interlocks

This description is only of the interlocks. The valves and piping are discussed in Subsection 5.4.7. The requirements of IEEE 279-1971 are written expressly for protection systems and as such are not directly applicable to these interlocks. However, a discussion of the extent to which these interlocks comply with Section 4 of this standard is provided below:

4.1 "General Function Requirement"
The interlocks are designed to operate during normal shutdown, refueling and accident conditions.

4.2 "Single Failure Criterion"
Any single failure leading to loss of one channel does not result in opening of all of the isolation valves installed in series in one SDCS suction line.
4.3 "Quality Control of Components"
The sensors and other instrumentation associated with these interlocks meet the same quality requirements imposed on the protection system sensors.

7.6-3 Amendment No. 18 (01/08)

4.4 "Equipment Qualification"
Type tests are performed on the instrumentation to ensure that it meets its performance requirements.

4.5 "Channel Integrity"
The interlocks are designed to maintain functional capability during accident environments. Failure of one interlock does not preclude opening a path or closing both paths of the SDCS.

4.6 "Channel Independence"
The pressure transmitters are located on separate pressurizer nozzles. Separation is maintained between channels.

4.7 "Control and Protection System Interaction"
There is no control and protection system interaction.

4.8 "Derivation of System Inputs"
Pressurizer pressure is the sensed parameter.

4.9 "Capability for Sensor Check"
The operational availability of the four pressure sensing channels can be determined by comparing their outputs once pressurizer pressure has come within the range of the sensors.

4.10 "Capability for Test and Calibration"
Testing is performed during normal plant shutdown periods using standard test devices and approved procedures.

4.11 "Capability for Bypass or Removal from Operation"
Removal of one channel for test does not compromise system reliability. Failure of one of the remaining channels during a test outage does not create an unacceptable situation, since administrative controls (key locks) preclude inadvertent opening of the valves by the operator.

4.12 through 4.14 "Bypassing"
There are no bypasses.

4.15 "Multiple Setpoints"
This requirement is not applicable.

4.16 "Completion of Protective Action Once it is Initiated"
This requirement is not applicable.

4.17 "Manual Initiation"
The controllers are permissive controls which permit the operator to open the valves below a certain pressure. The controllers also close the valve above a certain pressure. The key lock required to open the valves does not override the controllers.

4.18 "Access to Setpoint Adjustments, Calibration and Test Points"
Access is controlled by administrative procedures.

4.19 "Identification of the Protective Action"
This requirement is not applicable.

4.20 "Information Readout"
The readout consists of an annunciator alarm and position indication lights for each valve. This provides the operator with clear and concise information.

4.21 "System Repair"
Components are accessible for repair. One channel can be placed out of service for maintenance without jeopardizing the isolation of the SDCS.

4.22 "Identification"
The method for identifying power, signal and control cables and cable trays dedicated to the instrumentation, control and electrical equipment associated with the isolation valves is discussed in Subsection 8.3.1.3 and meets the intent of Regulatory Guide 1.75 (R1) as discussed in Subsections 7.1.2.2 and 8.3.1.2.

7.6.2.2.2 Safety Injection Tank Isolation Valve Interlocks

The SIS design requirements are discussed in Section 6.3. The requirements of IEEE 279-1971 are written expressly for protection systems, and as such, they are not directly applicable to these interlocks. The following discussions refer to the requirements set forth in the respective items of Section 4 of IEEE 279-1971 as they relate to the SIT isolation valve interlocks:

4.1 "General Function Requirement"
The interlocks are designed to operate during normal shutdown, refueling and accident.

4.2 "Single Failure Criterion"
No single failure of an interlock channel can prevent system operation when it is required.

7.6-5 Amendment No. 13, (05/00)
4.3 "Quality Control of Components"
The instrumentation for these interlocks meet the same quality requirements imposed on the protection system sensors.

4.4 "Equipment Qualification"
Type tests are performed on the instrumentation to ensure that it meets its performance requirements.

4.5 "Channel Integrity"
The interlocks are designed to maintain their functional capability when exposed to accident environments. They do not preclude safety injection during accident conditions.

4.6 "Channel Independence"
The pressure transmitters are located on separate pressurizer nozzles. Separation is maintained between channels.

4.7 "Control and Protection System Interaction"
There is no control and protection system interaction.

4.8 "Derivation of System Inputs"
Pressurizer pressure is the sensed parameter.

4.9 "Capability for Sensor Checks"
The operational availability of the four pressure sensing channels can be determined by comparing their outputs once pressurizer pressure has come within the range of the sensors.

4.10 "Capability for Test and Calibration"
Testing is performed during normal plant shutdown periods using standard test devices and approved procedures.

4.11 "Capability for Bypass or Removal from Operation"
Removal of one channel for test does not compromise system reliability. Failure of one of the remaining channels during a test outage does not create an unacceptable situation since administrative controls (key locks) preclude inadvertent closing of the valves by the operator.

4.12 through 4.14 "Bypassing"
There are no bypasses.

7.6-6 Amendment No. 14 (12/01)

4.15 "Multiple Setpoints"
This requirement is not applicable.

4.16 "Completion of Protective Action Once Initiated"
This requirement is not applicable.

4.17 "Manual Initiation"
The valves are locked open during normal operation. The controllers are permissive controls which permit the operator to close the valves below a certain pressure. The controllers also open the valves above a certain pressure. The keylock required to close the valves does not override the controllers.

4.18 "Access to Setpoint Adjustments, Calibration and Test Points"
Access is controlled by administrative procedures.

4.19 "Identification of the Protective Action"
This requirement is not applicable.

4.20 "Information Readout"
The readout consists of pressure indicators, and position indicators and position indication lights for each valve. This provides the operator with clear and concise information.

4.21 "System Repair"
The components are accessible for repair. One channel can be placed out of service without jeopardizing the availability of the SITs.

4.22 "Identification"
The cables associated with SIT isolation valve interlocks are uniquely identified. The instrumentation cables associated with SIT level and pressure indication are not uniquely identified. The channels are identified to distinguish between channels of safety related equipment (see Subsection 7.1.2).

7.6.3 ADDITIONAL SYSTEMS REQUIRED FOR SAFETY

7.6.3.1 Refueling Interlocks

Refueling interlocks are described in Subsection 9.1.4.

7.6.3.2 Fuel Pool Cooling and Purification System

The fuel pool instrumentation system is described in Subsection 9.1.3.2.4. A tabulation of the instrument channels and Class 1E instrumentation is included in Table 9.1-7.

7.6-7 Amendment No. 14 (12/01)
All Class 1E instrumentation identified in Table 9.1-7 is qualified to IEEE 323-1974 and 344-1975.

7.6.3.3 Reactor Coolant Leak Detection System

Reactor coolant leakage detection is described in Subsection 5.2.5.

7.6.3.4 Process and Effluent Radiological Monitoring and Sampling System

The radiation monitoring system is composed of process, effluent, area, and in-plant airborne monitors. Tabulations of these monitors are given in Tables 11.5-1, 12.3-2, and 12.3-3.

The Class 1E effluent monitors are the plant stack, as described in Subsection 11.5.2.2.8, and the ECCS exhaust monitors, as described in Subsection 11.5.2.2.10. The Class 1E area monitors include the four CIAS and six spent fuel pool monitors, as well as two post-accident containment monitors. All these monitors are described in Subsection 12.3.4.1.4. The Class 1E in-plant monitors include the containment atmosphere monitors, as described in Subsection 12.3.4.2.3.1, the control room air intake monitors, as described in Subsection 12.3.4.2.3.2 and the ECCS exhaust monitors, as described in Subsection 12.3.4.2.3.3. The component cooling water radiation monitors are Class 1E and are provided with Class 1E power supply (see Table 11.5-1). All Class 1E monitors are qualified to IEEE 323-1974 and IEEE 344-1975.

7.6.3.5 Containment Vacuum Relief System

The instrumentation provided for this system is in accordance with Figure 9.4-9. The containment to annulus differential pressure instrumentation that is used for automatic control of the containment vacuum relief valves is Class 1E. The associated differential pressure transmitters are qualified to IEEE 344-1975 and IEEE 323-1974 for the environment in which they operate. The remote mounted indicators and bistables are mounted on the seismically qualified HVCB in the control room.

7.6.3.6 Overpressurization Protection

Overpressurization protection is described in Subsection 5.2.2.

7.6.3.7 Shield Building Ventilation System (SBVS) Switchover from Fuel Handling Building (FHB)

The Shield Building Ventilation System is an ESF System and is listed in Section 7.3. The SBVS switchover from Fuel Handling Building is the only portion of this system listed in Section 7.6. The SBVS is described in Subsection 6.2.3.2.

7.6-8 Amendment No. 20 (05/11)
CENPD-158. It was determined that a complete loss of feedwater combined with a failure of the reactor to trip would result in a primary coolant system pressure excursion well above reactor vessel service level C limits and therefore potentially challenge the integrity of the reactor coolant pressure boundary.

For Combustion Engineering plants, the regulations require the implementation of two methodologies for ensuring that an excessive primary coolant pressure excursion does not occur. These methodologies are called "prevention" and "mitigation." Prevention takes form as a Diverse Scram System (DSS) whose purpose is to initiate a shutdown of the reactor by control rod insertion upon conditions indicative of an anticipated transient, independently and diversely from the RPS. Mitigation is accomplished by tripping the turbine and initiating Auxiliary Feedwater to conserve steam generator inventory and to ensure that a primary coolant heat sink is available. A combination of prevention and mitigation will limit the peak reactor coolant system pressure rise to within acceptable values.

The Diverse Scram System (DSS) is a safety-related system that utilizes existing pressurizer pressure instruments and signal converters and takes as inputs, signals from secondary current loops in RTGB-206 (Figure 7.6-2). These signals are wired to the Engineered Safety Features Actuation System (ESFAS) cabinets where they are processed by DSS bistable and logic components to provide reactor trip signals. The trip signals are used to open the non-safety related control element assembly drive (CEA Drive) motor generator (MG) set output load contactors located between the CEA drive MG set output breakers and the Reactor Trip Switchgear. The consequential loss of voltage on the Reactor Trip Switchgear buses causes the reactor to shut down. This system, diverse and independent from the RPS except at the instrument loops, satisfies the ATWS Rule requirements for ATWS prevention.

The DSS utilizes the four pressurizer pressure transmitters and their respective current loops for the source of the DSS input signals. These transmitters are also used for the RPS (high pressurizer pressure reactor trip and low pressurizer pressure reactor trip) indications, high and low pressurizer pressure annunciation, Engineered Safety Features Actuation System (ESFAS-low pressurizer pressure/safety injection actuation), and as input to the Sequence of Events Recorder. Two E/I (voltage-to-current) converters in each instrument loop isolate the RPS and DSS inputs from each other.

The following table is provided to list the major components for the DSS inputs.

INST NUMBER | SAFETY CHANNEL | SENSOR-LOOP I/E CONV INSTRUMENT CABINET | RPS E/I CONV | DSS E/I CONV | ESFAS CHANNEL |
---|---|---|---|---|---|
PT-1102A | A | PY-1102A | PY-1102A-1 | PY-1102A-2 | MA |
PT-1102B | B | PY-1102B | PY-1102B-1 | PY-1102B-2 | MB |
PT-1102C | C | PY-1102C | PY-1102C-1 | PY-1102C-2 | MC |
PT-1102D | D | PY-1102D | PY-1102D-1 | PY-1102D-2 | MD |

Pressurizer pressure input signals are wired into the ESFAS cabinets where they are routed to four bistable modules, one in each measurement cabinet. Digital outputs (ON) are produced from the DSS bistable modules when the pressurizer pressure reaches 2450 psia. This is the DSS actuation setpoint recommended by Combustion Engineering in CEOG report CE NPSD-354.

7.6-8oa Amendment No. 7 (4/92)

Each of the four bistable modules produces an output for two digital isolators, an SA and an SB, located in the same measurement cabinets as their associated bistable modules. The outputs of the four SA isolators are routed by safety related cables to ESFAS cabinet ESC-SA while the four SB isolator outputs go to ESFAS cabinet ESC-SB. In each safety cabinet (SA and SB), there is an actuation module which accepts the four isolated digital signals and applies two-out-of-four (2/4) logic to produce a digital output. Each 2/4 actuation module sends its output through an isolator to a CEA drive MG set load contactor, the SER, and to an annunciator window. Both actuation modules must function and trip both load contactors to produce a reactor trip in a 2/2 output logic.

There are two bypass switches, one each located on safety channel cabinets SA and SB. Both switches have two positions, NORMAL and BYPASS, and are controlled by keys removable only in the NORMAL position. When in the NORMAL position, the DSS operates as designed and sends actuation signals to the MG set load contactors to trip the reactor. In the BYPASS position, however, the DSS actuation signals are blocked to allow operators to test and maintain the DSS with the plant at power without the potential for reactor trip. Complete testing overlap, from the sensors to the trip coils, may be accomplished with the plant shut down.

There are also four bistable bypass switches, one for each bistable device. Their function is to bypass bistable devices individually to test or maintain them without causing bistable output signals to be sent to the 2/4 actuation modules. Since the logic of the DSS is integrated into the ESFAS, the existing ESFAS cabinet automatic testing instrument (ATI) is utilized to check the functions of the DSS components from the bistable devices through the 2/4 actuation modules by using pulses from an auto-test generator. ATI operates continuously as long as ESFAS circuits are energized.

Two annunciator windows are used to indicate when a DSS actuation signal is obtained from either 2/4 actuation module or when either of the two safety channel bypass switches is placed in the BYPASS position. Local indicating lights on the ESFAS cabinets perform the same functions.
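The voting arrangement described above, modelled as an added example (not part of the FSAR or of any plant software): four bistables at the 2450 psia setpoint, 2/4 voting in each of cabinets SA and SB, 2/2 output logic, and both kinds of bypass switch. The stuck-sensor readings (0 and 3000 psia), the 2250 and 2500 psia test pressures, and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field

DSS_SETPOINT_PSIA = 2450.0            # actuation setpoint given in the text
CHANNELS = ("MA", "MB", "MC", "MD")   # ESFAS channels from the DSS input table
CABINETS = ("SA", "SB")               # safety cabinets ESC-SA and ESC-SB


@dataclass
class DssInputs:
    pressure_psia: dict                                  # channel -> sensed pressure
    bistable_bypass: set = field(default_factory=set)    # individually bypassed bistables
    cabinet_bypass: set = field(default_factory=set)     # key switches in BYPASS


def evaluate(inp):
    """Return bistable, contactor, trip and bypass-alarm states for one set of inputs."""
    # Each bistable turns ON at the setpoint unless its own bypass switch is set.
    bistable_on = {
        ch: inp.pressure_psia[ch] >= DSS_SETPOINT_PSIA and ch not in inp.bistable_bypass
        for ch in CHANNELS
    }
    votes = sum(bistable_on.values())
    # Every bistable feeds one SA and one SB isolator, so both 2/4 modules
    # vote on the same four signals.
    module_out = {cab: votes >= 2 for cab in CABINETS}
    # BYPASS blocks the actuation signal to that cabinet's MG set load contactor.
    contactor_open = {
        cab: module_out[cab] and cab not in inp.cabinet_bypass for cab in CABINETS
    }
    return {
        "bistable_on": bistable_on,
        "contactor_open": contactor_open,
        "reactor_trip": all(contactor_open.values()),   # 2/2 output logic
        "bypass_alarm": bool(inp.cabinet_bypass),        # either switch in BYPASS
    }


def with_fault(true_pressure, stuck=None, bistable_bypass=(), cabinet_bypass=()):
    """Build inputs where every sensor reads true_pressure except the stuck ones."""
    readings = {ch: true_pressure for ch in CHANNELS}
    readings.update(stuck or {})
    return DssInputs(readings, set(bistable_bypass), set(cabinet_bypass))


def single_fault_table(true_pressure):
    """Outcome of every single sensor fault or single bypass at a given true pressure."""
    cases = {"no fault": with_fault(true_pressure)}
    for ch in CHANNELS:
        cases[f"{ch} sensor stuck low"] = with_fault(true_pressure, {ch: 0.0})
        cases[f"{ch} sensor stuck high"] = with_fault(true_pressure, {ch: 3000.0})
        cases[f"{ch} bistable bypassed"] = with_fault(true_pressure, bistable_bypass=[ch])
    for cab in CABINETS:
        cases[f"{cab} cabinet in BYPASS"] = with_fault(true_pressure, cabinet_bypass=[cab])
    return {name: evaluate(inp) for name, inp in cases.items()}


if __name__ == "__main__":
    for label, p in (("demand (2500 psia)", 2500.0), ("normal (2250 psia)", 2250.0)):
        print(label)
        for name, out in single_fault_table(p).items():
            print(f"  {name:24s} trip={out['reactor_trip']!s:5s} "
                  f"bypass_alarm={out['bypass_alarm']}")
```

At 2500 psia every single sensor fault or single bistable bypass still yields a trip, while either cabinet key switch in BYPASS blocks it and raises the bypass alarm; that is the state the text places under key control and annunciation.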
The Diverse Turbine Trip (DTT) is inherent in the design of the DSS and it utilizes the DSS bistable and logic functions. Tripping of the load contactors for both MG sets will initiate a Diverse Turbine Trip. When the DSS actuates during an ATWS event, the load contactors will open and de-energize the reactor trip switchgear buses. The loss of voltage on the reactor trip switchgear will be sensed by four undervoltage relays, which, in turn, will operate one auxiliary relay each. The contacts on the four auxiliary relays are arranged in two-out-of-four logic to provide turbine trip signals to both the emergency trip solenoid valve (20/ET) and the auto stop solenoid (20/AST). If either 20/ET or 20/AST is operated, hydraulic oil will be dumped from the turbine control oil system and turbine trip will occur.

7.6.3.6.2 The requirements of 10CFR50.62 for prevention were incorporated into the Diverse Scram System. Its design has been specifically approved in the USNRC Safety Evaluation of Compliance with ATWS Rule 10CFR50.62 dated September 6, 1989.

7.6-8ob Amendment No. 7 (4/92)

7.6.3.6.3 Other Overpressurization Protection

Overpressurization protection is described in Subsection 5.2.2.

7.6.3.7 Shield Building Ventilation System (SBVS) Switchover from Fuel Handling Building (FHB)

The Shield Building Ventilation System is an ESF System and is listed in Section 7.3 of the FSAR. The SBVS switchover from Fuel Handling Building is the only portion of this system listed in Section 7.6. The SBVS is described in Subsection 6.2.3.2 of the FSAR.

7.6-8oc Amendment No. 7 (4/92)
The instrumentation requirements are provided in Subsection 6.2.3.5 and Table 6.2-51. Instrumentation and controls discussed above for SBVS system are Class 1E. Alarms are annunciated on non-safety annunciation windows through proper isolation devices. All controls and instrumentation for SBVS are qualified to IEEE 323-1974 and IEEE 344-1975. The remote mounted indicators and bistables are mounted on the seismically qualified HVCB in the control room.

7.6.3.8 IEEE 279-1971 Compliance

The four containment area radiation monitors which input into the CIAS and the SBVS conform to IEEE 279-1971 similar to the ESFAS described in Subsection 7.3.1.2. The requirements of IEEE 279-1971 for the other systems required for safety are not completely applicable because this instrumentation is not part of a protection system. However, the intent of the design criteria contained therein has been applied in the design of these systems to the following extent:

4.1 - "General Functional Requirements"
The safety-related instrumentation for the above systems is designed to provide monitoring and actuation as applicable during normal or accident conditions. The instrument performance characteristics, response times and accuracy are selected for compatibility for the particular function.

4.2 - "Single Failure Criterion"
This is functionally identical to that described in Subsection 7.4.2.2.

4.3 - "Quality Control of Components and Module"
See Chapter 17.

4.4 - "Equipment Qualification"
The instrumentation and controls for these systems meet the equipment qualification requirements discussed in Sections 3.10 and 3.11.

4.5 - "Channel Integrity"
The "Channel Integrity" is functionally identical to that described in Subsection 7.3.2.1.2.

4.6 - "Channel Independence"
The channel independence is functionally identical to that described in Subsection 7.3.2.1.2.

7.6-8a Amendment No. 20 (05/11)

4.7 - "Control and Protection System Interaction"
No portion of these systems is used for both control and protection.

4.8 - "Derivation of System Inputs"
The monitoring signals for the above systems are a direct measurement of the desired variables.

4.9 - "Capability for Sensor Checks"
The monitoring sensors are checked by comparing the monitored variables of redundant channels or by observing the effects of introducing and varying a substitute input to the sensor similar to the measured variable.

4.10 - "Capability for Test and Calibration"
IEEE 338-1971 and Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions" 2/72 (R0) provide guidance for the development of procedures, equipment and documentation of periodic testing. The measurement signals required for the above systems have the capability of being tested and calibrated under the design requirements of the system.

4.11 - "Channel Bypass or Removal from Operation"
Any one of the channels may be tested, calibrated, or repaired without detrimental effects on the other channels.

4.12 - "Operating Bypasses"
There are no "Operating Bypasses" for these systems.

4.13 - "Indication of Bypasses"
A discussion of bypass and inoperable status indication is provided in Subsection 7.5.1 and a listing of inoperable or bypassed components is contained in Table 7.3-10.

4.14 - "Access to Means for Bypassing"
This section is not applicable.

4.15 - "Multiple Setpoints"
This section is not applicable.

4.16 - "Completion of Protective Action Once it is Initiated"
This section is not applicable.

4.17 - "Manual Initiation"
Manual initiation of the components in these systems is available.

4.18 - "Access to Setpoint Adjustments, Calibration, and Test Points"
This section is not applicable.

4.19 - "Identification of Protective Actions"
This section is not applicable.

4.20 - "Information Readouts"
The monitoring and control channels for these systems are indicated in the control room with the following exceptions: Remote fuel pool temperature and water level indication is not provided. However, fuel pool temperature and water level alarms are annunciated in the control room.

4.21 - "System Repair"
Replacement or repair of components can be accomplished in reasonable time when the systems are not actuated. Outage of system components for replacement or repair is limited by the Technical Specifications.

4.22 - "Identification"
Safety equipment and cables associated with these systems are uniquely identified.

7.6.3.9 IEEE 308-1971 Compliance

The St. Lucie Unit 2 UFSAR is committed to Regulatory Guide 1.32 Rev. 0 which addresses IEEE 308-1971. For a further discussion of IEEE 308-1971 refer to Subsection 8.3.1.2.

All Class 1E electrical components are electrically and physically separated in accordance with Regulatory Guide 1.75 (R1) as discussed in Subsection 8.3.1.2. Electrically redundant and physically independent power supplies to the above systems, electrical components, and to the safety-related power panels that provide power to control and instrumentation devices are provided. All Class 1E electrical system components are uniquely identified in accordance with Subsection 8.3.1.3. The fuel pool purification pump is a non-safety pump and as such is physically independent and electrically separated from Class 1E components.

7.6-8c Amendment No. 20 (05/11)
7.6.3.10 Direct Position Indication of Relief and Safety Valves TMI Item II.D.3

Acoustic valve flow monitors are used to provide direct position indication of pressurizer safety valves (SRVs) and power operated relief valves (PORVs).

7.6.3.10.1 Design Basis

a) Valve positions are monitored acoustically and indicators and alarms are provided in the control room.

b) Acoustic flow monitors are powered from a vital instrument bus and are designed as seismic Category I.

c) The acoustic flow monitors are qualified for the appropriate environment (any transient or accident which causes the relief or safety valve to open).

7.6.3.10.2 Description

The means of detecting pressurizer safety relief and power operated relief valve position is by continuously and automatically detecting acoustical signals generated by flow noise levels through the valve. This is accomplished by utilizing accelerometers mounted on the discharge pipe. The accelerometer converts acoustical acceleration into an electrical charge which is converted to a voltage by the charge converter. This proportional voltage is then processed and a relative flow indication is obtained.

Five valve position monitors are provided, one for each of the three pressurizer safety relief valves and the two PORVs. A common audio-visual alarm alerts the operators when flow through any of the five valves exceeds a pre-established setpoint. These setpoints can be adjusted from the control room.

The system is powered from a 120V ac 60 Hz uninterruptible power supply (UPS). An alarm is initiated upon loss of instrument power. The indicator modules are located in the Control Room Plant Auxiliary Control Board No. 2 (PACB-2).

The system is qualified in accordance with IEEE 323-1974 and 344-1975. The accelerometers and charge converters are located inside the containment and are subjected to the containment environment during and following a small break LOCA. These components are designed and tested to withstand and remain operable following the postulated accident. Various components of the acoustic valve flow monitors are identified in Table 7.6-2.

7.6-8d Amendment No. 21 (11/12)
7.6.3.11 Anticipated Transient Without Scram (ATWS)

On July 26, 1984, the Code of Federal Regulations was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," (also known as the ATWS Rule). The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of a failure to shut down the reactor following anticipated transients, and to mitigate the consequences of anticipated transients which occur without a shutdown. The occurrence of an anticipated transient in conjunction with a failure of the Reactor Protective System (RPS) to produce a reactor trip is defined as an ATWS event.

The combination of an RPS failure and an anticipated transient is outside the present plant design basis and was analyzed by Combustion Engineering (CE) via CENPD-158. It was determined that a complete loss of feedwater combined with a failure of the reactor to trip would result in a primary coolant system pressure excursion well above reactor vessel service level C limits, and therefore, potentially challenge the integrity of the reactor coolant pressure boundary.

For Combustion Engineering plants, the regulations require the implementation of two methodologies for ensuring that an excessive primary coolant pressure excursion does not occur. These methodologies are called "prevention" and "mitigation." Prevention takes form as a Diverse Scram System (DSS) whose purpose is to initiate a shutdown of the reactor by control rod insertion upon conditions indicative of an anticipated transient, independently and diversely from the RPS. Mitigation is accomplished by tripping the turbine and initiating Auxiliary Feedwater to conserve steam generator inventory and to ensure that a primary coolant heat sink is available. As required by the rule, both the turbine trip (DTT) and the auxiliary feedwater (DAFAS) initiation were also required to be diverse from the RPS. Through these diverse means of prevention and mitigation, peak reactor coolant system pressure will remain within acceptable values.

The requirements of 10 CFR 50.62 for prevention and mitigation were incorporated into the Diverse Scram System (DSS), Diverse Turbine Trip (DTT), and Diverse Auxiliary Feedwater Actuation System (DAFAS). Their design has been specifically approved in the USNRC Safety Evaluation of Compliance with ATWS Rule 10 CFR 50.62 dated September 6, 1989.
7.6.3.11.1 Diverse Scram System (DSS) The Diverse Scram System (DSS) is a safety-related system that utilizes existing pressurizer pressure instruments and signal converters and takes as inputs, signals from secondary current loops in RTGB-206 (Figure 7.6-2). These signals are wired to the Engineered Safety Features Actuation System (ESFAS) cabinets where they are processed by DSS bistable and logic components to provide reactor trip signals. The trip signals are used to open the non-safety related control element assembly drive (CEA Drive) motor generator (MG) set output load contactors located between the CEA drive MG set output breakers and the Reactor Trip Switchgear. The consequential loss of voltage on the Reactor Trip Switchgear buses causes the reactor to shut down. The DSS utilizes the four pressurizer pressure transmitters and their respective current loops for the source of the DSS input signals. These transmitters are also used for the RPS and ESFAS as discussed in Sections 7 .2 and 7 .3. Two Ell (voltage-to-current) converters in each instrument loop isolate ~he RPS and DSS inputs from each other. 7.6-Be Amendment No. 18 (01/08)
The following table is provided to list the major components for the DSS inputs.

INST NUMBER | SAFETY CHANNEL | INSTRUMENT CABINET | RPS E/I CONV | DSS E/I CONV | ESFAS CHANNEL
---|---|---|---|---|---
PT-1102A | A | PY-1102A | PY-1102A-1 | PY-1102A-2 | MA
PT-1102B | B | PY-1102B | PY-1102B-1 | PY-1102B-2 | MB
PT-1102C | C | PY-1102C | PY-1102C-1 | PY-1102C-2 | MC
PT-1102D | D | PY-1102D | PY-1102D-1 | PY-1102D-2 | MD

Pressurizer pressure input signals are wired into the ESFAS cabinets where they are routed to four bistable modules, one in each measurement cabinet. Digital outputs (ON) are produced from the DSS bistable modules when the pressurizer pressure reaches 2450 psia. This is the DSS actuation setpoint recommended by Combustion Engineering in CEOG report CE NPSD-354.

Each of the four bistable modules produces an output for two digital isolators, an SA and an SB, located in the same measurement cabinets as their associated bistable modules. The outputs of the four SA isolators are routed to ESFAS cabinet ESC-SA while the four SB isolator outputs go to ESFAS cabinet ESC-SB. In each safety cabinet (SA and SB), there is an actuation module which accepts the four isolated digital signals and applies two-out-of-four (2/4) logic to produce a digital output. Each 2/4 actuation module sends its output through an isolator to a CEA drive MG set load contactor, the SER, and to an annunciator window. Both actuation modules must function and trip both load contactors to produce a reactor trip in a 2/2 output logic.

There are two bypass switches, one each located on safety channel cabinets SA and SB. Both switches have two positions, NORMAL and BYPASS, and are controlled by keys removable only in the NORMAL position. When in the NORMAL position, the DSS operates as designed and sends actuation signals to the MG set load contactors to trip the reactor. In the BYPASS position, however, the DSS actuation signals are blocked to allow operators to test and maintain the DSS with the plant at power without the potential for reactor trip.
Complete testing overlap, from the sensors to the trip coils, may be accomplished with the plant shut down.

There are also four bistable bypass switches, one for each bistable device. Their function is to bypass bistable devices individually to test or maintain them without causing bistable output signals to be sent to the 2/4 actuation modules.

Since the logic of the DSS is integrated into the ESFAS, the existing ESFAS cabinet automatic testing instrument (ATI) is utilized to check the functions of the DSS components from the bistable devices through the 2/4 actuation modules by using pulses from an auto-test generator. ATI operates continuously as long as ESFAS circuits are energized.

An annunciator window is used to indicate when a DSS actuation signal is obtained from either 2/4 actuation module. A second annunciator window is used to indicate when either of the two safety channel bypass switches is placed in the BYPASS position. Local indicating lights on the ESFAS cabinets perform the same functions.

Diversity of the DSS from sensor output to, and including, the device that interrupts control rod power is required. This diversity to the RPS and its trip bypass is achieved by utilizing different manufacturers or circuit designs for the bistables, comparators, relay logic and relay actuation outputs. Finally, the final actuation devices (contactors vs. breakers) are diverse and are operated independent of the RPS or its trip paths.

7.6-8f Amendment No. 14 (12/01)

Although the electrical power supply system which serves RPS and DSS is the same, analysis has shown that the design of their inverter system is such that it minimizes common cause failures or will annunciate the condition before an unacceptable degradation occurs which could affect both the DSS and RPS. In addition, the DSS will remain operable upon loss of offsite power.
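The DSS coincidence and bypass behavior described above (four bistables at 2450 psia, a 2/4 actuation module in each of cabinets SA and SB, 2/2 output logic, and the two kinds of bypass switch) can be exercised with a short model. This is an added example, not code from the FSAR or from any plant vendor; the class and function names, the 2250 psia sample pressure and the isolator fault injection are assumptions made for illustration, and a bypassed bistable is modeled as simply casting no vote.

```python
from dataclasses import dataclass, field

DSS_SETPOINT_PSIA = 2450.0           # actuation setpoint stated in the text
CHANNELS = ("MA", "MB", "MC", "MD")  # four measurement channels, one bistable each
TRAINS = ("SA", "SB")                # two safety cabinets, one 2/4 module each


@dataclass
class DssInputs:
    pressure_psia: dict                                  # channel -> pressurizer pressure
    bistable_bypassed: set = field(default_factory=set)  # channels with bistable bypass on
    cabinet_bypassed: set = field(default_factory=set)   # trains with key switch in BYPASS
    isolator_failed: set = field(default_factory=set)    # (channel, train), constructed fault


def bistable_votes(inp):
    """Bistable output per channel: ON at or above the setpoint unless bypassed."""
    return {
        ch: inp.pressure_psia[ch] >= DSS_SETPOINT_PSIA
        and ch not in inp.bistable_bypassed
        for ch in CHANNELS
    }


def two_out_of_four(votes):
    """Coincidence logic applied by each actuation module."""
    return sum(bool(v) for v in votes) >= 2


def evaluate(inp):
    """Return bistable votes, per-train contactor state, trip and bypass alarm."""
    votes = bistable_votes(inp)
    contactor_open = {}
    for train in TRAINS:
        # Each bistable feeds one SA and one SB isolator, so the two trains
        # can see different vote sets if a single isolator fails (assumed fault).
        seen = [votes[ch] and (ch, train) not in inp.isolator_failed
                for ch in CHANNELS]
        actuate = two_out_of_four(seen)
        # A cabinet switch in BYPASS blocks that train's actuation signal.
        contactor_open[train] = actuate and train not in inp.cabinet_bypassed
    return {
        "votes": votes,
        "contactor_open": contactor_open,
        # 2/2 output logic: both load contactors must open to trip the reactor.
        "reactor_trip": all(contactor_open.values()),
        # Second annunciator window: either cabinet switch in BYPASS.
        "bypass_annunciator": bool(inp.cabinet_bypassed),
    }


def sample(**overrides):
    """Constructed sample input: all channels at 2250 psia unless overridden."""
    pressures = {ch: 2250.0 for ch in CHANNELS}
    pressures.update(overrides)
    return pressures


if __name__ == "__main__":
    cases = {
        "normal": DssInputs(sample()),
        "one channel failed high": DssInputs(sample(MA=2500.0)),
        "two channels high": DssInputs(sample(MA=2460.0, MC=2460.0)),
        "two high, SA in BYPASS": DssInputs(
            sample(MA=2460.0, MB=2460.0), cabinet_bypassed={"SA"}),
        "two high, one bistable bypassed": DssInputs(
            sample(MA=2460.0, MB=2460.0), bistable_bypassed={"MA"}),
        "two high, MA-to-SB isolator failed": DssInputs(
            sample(MA=2460.0, MB=2460.0), isolator_failed={("MA", "SB")}),
    }
    for name, inp in cases.items():
        r = evaluate(inp)
        print(f"{name:36s} trip={r['reactor_trip']!s:5s} "
              f"contactors={r['contactor_open']} bypass_alarm={r['bypass_annunciator']}")
```

The cases show the trade the design makes: 2/4 coincidence tolerates one spurious channel, while the 2/2 output logic means a single cabinet in BYPASS, or a fault that starves one train of votes, withholds the trip, which is why the bypass position is keyed and annunciated.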
End to end testing of the DSS (DSS actuation to breaker opening) is performed each refueling outage. This system, diverse and independent from the RPS except at the instrument loops, satisfies the ATWS Rule requirements for prevention.

7.6.3.11.2 Diverse Turbine Trip (DTT)

The Diverse Turbine Trip (DTT) is inherent in the design of the DSS and it utilizes the DSS bistable and logic functions. Tripping of the load contactors for both MG sets will initiate a Diverse Turbine Trip.

When the DSS actuates during an ATWS event, the load contactors will open and de-energize the reactor trip switchgear buses. The loss of voltage on the reactor trip switchgear will be sensed by four undervoltage relays, which, in turn, will operate one auxiliary relay each. The contacts on the four auxiliary relays are arranged in two-out-of-four logic to provide turbine trip signals to the emergency trip solenoids. If the emergency trip solenoids are operated, hydraulic oil will be dumped from the turbine control oil system and turbine trip will occur. Reference Section 10.2.2 for further description of the turbine trip system.

The undervoltage relays, auxiliary relays, and solenoids used in the DTT are diverse from the components used in the Reactor Protection System and its trip paths. The DTT, therefore, satisfies the ATWS Rule requirements for mitigation.

7.6.3.11.3 Diverse Auxiliary Feedwater Actuation System (DAFAS)

The Auxiliary Feedwater Actuation System is described in Section 7.3.1.1.8. Diversity of the DAFAS from sensor output up to, but not including, the final actuating devices is required. This diversity to the RPS is achieved by utilizing different manufacturers or circuit designs for the bistables, comparators, matrix relays and initiation relays. Finally, the commonality of the electrical power system has been shown to be acceptable based on an analysis of common mode failure mechanisms as discussed above for the DSS.

The DAFAS, therefore, satisfies the ATWS Rule requirements for mitigation.

7.6-8g Amendment No. 21 (11/12)
TABLE 7.6-1
SHUTDOWN COOLING SYSTEM AND SAFETY INJECTION TANK INTERLOCKS (Pressurizer Pressure)

System | Setpoint | Function
---|---|---
Shutdown Cooling System Suction Line Isolation Valves (V3480, 3481, 3651, 3652) | ~276 psia | Permits valves to be opened by operator.
 | ~515 psia ** | Valves are automatically closed.
Safety Injection Tank Isolation Valves (V3614, 3624, 3634, 3644) | ~515 psia ** | Valves are automatically opened.
 | ~276 psia | Permits valves to be closed by operator.
 | SIAS* | Automatically opens the valves, if the valves are closed. Sends an open signal if valves are open that overrides a closing signal.

* Following License Amendment no. 100, the SITs are not required to be operable (isolation valves may be closed) when the RCS temperature is below Mode 3 temperature.
** Prior to an actual or simulated pressurizer pressure signal exceeding 515 psia.

7.6-9 Amendment No. 18 (01/08)
TABLE 7.6-2
ACOUSTIC VALVE FLOW MONITOR COMPONENTS

Acoustical Sensors: Total number 5. Tested and qualified to IEEE 344 and 323 for the containment environment.
Charge Converters: Total number 5. Tested and qualified to IEEE 344 and 323 for the containment environment.
Indicator Modules: Total number 5. Tested and qualified to IEEE 344 and 323 for the control room environment.
Alarm Module: Total number 1. Tested and qualified to IEEE 344 and 323 for the control room environment.
Cable: Furnished as Class 1E. 50 feet of low noise, high temperature cable connects each valve sensor to its charge converter.

7.6-10 Amendment No. 21 (11/12)
[FIGURE 7.6-1: FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2, SHUTDOWN COOLING SUCTION VALVES POWER & CONTROL. Diagram not reproduced; legible labels include instrument buses SA and SB and valves V3480, V3481, V3545, V3651, V3652, V3664 and V3665. Amendment No. 18 (01/08)]
[FIGURE 7.6-2: FLORIDA POWER & LIGHT COMPANY, ST. LUCIE PLANT UNIT 2, ATWS BLOCK DIAGRAM. Diagram not reproduced. Amendment No. 7 (4/92)]
7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY

7.7.1 DESCRIPTION
The control and instrumentation systems, whose functions are not essential for the safety of the plant, include plant instrumentation and control equipment not addressed in Sections 7.2 through 7.6. The general description given below permits an understanding of the reactor coolant and pertinent subsystem control methodology.

The designed reactivity feedback properties of the Nuclear Steam Supply System (NSSS) inherently cause reactor power to match the total NSSS load. The resulting reactor coolant temperature at which this occurs is a controlled parameter and is adjusted by changes in total reactivity as implemented through CEA position changes or through boric acid concentration changes in the reactor coolant.

The ability of the NSSS to follow turbine load changes is dependent on the ability of the automatic control systems or operator to adjust reactivity, feedwater flow, bypass steam flow, reactor coolant inventory, and energy content of the pressurizer such that NSSS conditions remain within normal operating limits.
Except as limited by xenon conditions, the major control systems described below provide the capability to automatically follow limited load changes.

7.7.1.1 Control Systems

7.7.1.1.1 Reactivity Control Systems

Reactivity is controlled by adjustments of control element assemblies (CEAs) for rapid reactivity changes or by adjustment of boric acid concentration for slow reactivity changes. The boric acid is used to compensate for slow load changes and for such long term effects as fuel burnup and changes in fission product concentration. Since these long term changes occur slowly, operator action is suitable for boric acid concentration control. The CEAs are controlled to maintain the programmed reactor coolant temperature and power level during boric acid concentration changes, within the limits of CEA travel.

The Reactor Regulating System (RRS) adjusts reactor power and reactor coolant temperature to follow turbine load transients within established limits. The RRS receives a turbine load index signal (HP turbine inlet pressure linear indication of load) and reactor coolant temperature signals (see Figure 7.7-1). The turbine load index is supplied to a reference temperature (TREF) program which establishes the desired average temperature. The hot leg and cold leg temperature signals are averaged (TAVG) in the RRS. The TREF signal is then subtracted from the TAVG signal to provide a temperature error signal. The turbine load index is subtracted from the power range neutron flux to provide a power error signal. A derivative network is used to provide a power error compensation signal that is proportional to the rate of change of the power error. The temperature error and power error compensation signals are then combined. This resulting error signal is fed to a CEA rate program, to determine whether the CEAs are to be moved at a high or low rate, and to a CEA status program which determines if the CEAs are to be withdrawn, inserted or held. The outputs of the rate and status programs are sent to the Control Element Drive Mechanism Control System (CEDMCS).

Amendment No. 21 (11/12)

The automatic withdrawal signal is presently disabled at the CEDMCS cabinet. CEA withdrawal is accomplished manually only. Consequently, the following discussion on Automatic Withdraw Prohibit (AWP) is maintained for completeness of system capability description only and is not relevant while automatic withdrawal is disabled.

If the temperature error signal is very high, that is, TAVG is much higher than TREF, an Automatic Withdrawal Prohibit (AWP) signal is sent to the CEDMCS. Since the withdrawal of CEAs causes TAVG to increase, prohibiting a withdrawal prevents an increase in the error signal. The design of the AWP is functionally identical to St. Lucie Unit 1.

Receipt of an AWP signal, which is a contact closure interface, energizes the AWP relay. The energized AWP relay opens the contact interfacing the AWP signal to the control AWP raise/lower logic. When the logic power is removed from the AWP input, the circuitry cannot generate a control group raise signal which is necessary for CEA motion.

Indications of AWP initiation are as follows:
1) At the CEDMCS supervisory panel
2) Plant Annunciator

The following is a functional description of the AWP:

a) The AWP prohibits the withdrawal of all regulating CEAs in the automatic sequential mode of control.
   1) The AWP interlock does not prohibit CEA motion in any other mode of control except automatic sequential.
   2) The AWP interlock does not prohibit CEA insertion.
b) An AWP interlock is generated by the CEDMCS whenever any of the following conditions occur:
   1) Reactor Coolant Loop Cold Leg Temperature (Tcold) exceeding a setpoint as indicated by a contact closing from either one or both of two channels of (Tcold) instrumentation.
   2) Mismatch between average reactor coolant temperature (TAVG) and the programmed temperature (TREF) exceeding a setpoint as indicated by a contact closure from the Reactor Regulating System.
   3) Turbine bypass demand as indicated by a contact closing from the Steam Bypass Control System.
   4) A dropped rod condition, as indicated by a contact closure from a Reed Switch Position Transmitter Dropped Rod Contact.
7.7-2 Amendment No. 18 (01/08)
The CEDMCS accepts automatic CEA insertion* demand signals from the Reactor Regulating System, or manual motion demand signals from the CEDMCS operator's module and converts these signals to direct current pulses that are transmitted to the CEDM coil to cause CEA motion. Further, the CEDMCS receives CEA motion inhibit signals from the Analog Display System (refer to Subsection 7.7.1.1.6) for certain abnormal CEA configurations.

The Reactor Protective System (RPS) generates a CEA withdrawal prohibit upon pre-trip conditions to the CEDMCS (refer to Section 7.2.2.1) to enhance plant availability.

The CEA withdraw prohibit (CWP) signal from the RPS is interfaced to the CEDMCS via a normally closed contact. A CWP condition opens the contact, de-energizing the CWP relay in the CEDMCS Common Logic Relay Interface. This removes a logic "1" input to the individual CEA enable logic which prevents a "withdraw CEA" signal from being generated to the CEDM coil timing logic. The withdraw signal is necessary for CEA motion.

The following is a functional description of the CWP signal:

a) It prohibits the withdrawal of all CEAs in all modes of control regardless of any demand for motion.
b) It is generated by the CEDMCS upon a contact opening signal from the Reactor Protection System (RPS). This signal is initiated by a 2 of 4 pre-trip actuation in any one of the following:
   1) Local Power Density
   2) High Startup Rate
   3) Thermal Margin/Low Pressure
   4) High Power
c) Local indication and a contact opening output for remote annunciation of the interlock are provided.
d) The interlock may be overridden from the CEDMCS Control Panel by depressing both the Bypass Enable and Bypass Pushbuttons. The bypass pushbutton must be held depressed while demanding CEA motion. The override allows all CEA motion in all modes of control. The CWP function is not required by the Safety Analysis to prevent exceeding core safety limits. The CWP bypass is maintained under strict administrative control via plant operating procedures.

The Steam Dump and Bypass Control System (SBCS) sends an Automatic Withdrawal Prohibit (AWP) signal to the CEDMCS upon initiation of steam being bypassed (refer to Subsection 7.7.1.1.5).

* Currently, the automatic CEA insertion feature of the RRS is not used to avoid any spurious CEA insertion (administratively disabled).
7.7-2a Amendment No. 17 (12/06)
A reactor trip initiated by the RPS causes the input motive power to be removed from the CEDMCS by the trip switchgear, which in turn causes all CEAs to be inserted by gravity (see Figure 7.7-2). The CEDMCS is thus not required for safety.

There are four different modes of CEA movement: sequential group movement in manual and automatic modes, manual group movement and manual individual CEA movement modes.

Sequential group movement functions such that, when the moving group reaches a programmed low (high) position, the next group begins insertion (withdrawal), thus providing for overlapping motion of the regulating groups. The initial group stops after reaching its lower (upper) limit. Applied successively to all regulating groups, the procedure allows a smooth continuous rate of change of reactivity. The regulating group sequencing signals, called sequential permissives, are supplied to CEDMCS by the Distributed Control System (DCS). The DCS derives these signals based on current CEA positions as indicated by the CEDMCS supplied CEA up-down pulses.

The shutdown CEAs are moved in the manual control mode only, with either individual or group movement. A selector switch permits withdrawal of no more than one shutdown group at any time.

During plant startup and shutdown, and all cases where power is below 15 percent, manual control is used. Automatic control of the regulating CEAs by the RRS may be selected by the operator only when above the RRS low power automatic motion prohibit interlock setpoint of approximately 15 percent power. Manual control may be used to override automatic control at any time.

The CEDMCS prohibits the withdrawal of regulating CEAs unless all shutdown CEAs are at their respective upper electrical limits. This interlock, however, can be bypassed. An interlock bypass is provided, which enables the withdrawal of the Regulating Group of CEAs if any of the shutdown group rods are not at their upper electrical limit. This bypass is accomplished by a pushbutton. Further, insertion of shutdown CEAs is prohibited unless all regulating CEAs are at their lower electrical limits.

7.7.1.1.2 Reactor Coolant Pressure Control System

The Reactor Coolant Pressure Control System maintains system pressure within specified limits by the use of pressurizer heaters and spray valves. The control and alarm setpoints are shown on Figure 5.4-12. The system interconnection wiring diagram is provided by reference in Section 1.7 (see Table 1.7-2).

During normal steady state power operation, a small group of heaters (300 KW) is proportionally controlled to maintain operating pressure. If the pressure falls below the proportional band, all of the heaters are energized. Above the normal operating pressure range, the spray valves are proportionally opened to increase the spray flow rate as pressure rises. A small, continuous spray flow is maintained through the spray lines at all times to keep the lines warm and thereby reduce thermal shock when the control valves open, and to ensure that the boric acid concentration in the reactor coolant loops and pressurizer is in equilibrium.

7.7-3 Amendment No. 21 (11/12)
7.7.1.1.3 Pressurizer Level Control System

The Pressurizer Level Control System minimizes changes in Reactor Coolant System water inventory by the use of charging pumps and letdown control valves in the Chemical and Volume Control System described in Subsection 9.3.4. During normal steady state power operation, the pressurizer water level is calculated as a function of TAVG. The control and alarm setpoints are shown on Figure 5.4-11. The level controller compares the measured and programmed water level signals and generates a proportional signal for regulating the letdown control valves. In addition, the level controller functions to start or stop an additional charging pump at low or high level setpoints. The system interconnection wiring diagram is provided by reference in Section 1.7 (see Table 1.7-2).

Two channels of control are provided and the controlling channel is selected by a switch on the control board. Automatic control is normally used during operation but manual control may be utilized at any time.

Both channels provide pressurizer water level signals for two additional functions:

a) A low water level signal from either channel de-energizes all heaters;
b) A high water level signal from the controlling channel energizes the backup heaters.
7.7.1.1.4 Feedwater Regulating System

The Feedwater Regulating System, which is a subsystem of the Distributed Control System (DCS), maintains steam generator water level within acceptable limits by positioning the main feedwater regulating valves (FCV-9011 and 9021) which control the feedwater to each steam generator. These valves have a backup air supply to assure their proper operation and are designed to fail as-is upon low instrument air pressure. These valves have the capability for local manual operation and this can be accomplished by pinning the valve stem to the manual jacking mechanism. Local manual operation is controlled by plant operating procedures. The functional block diagram of the system is shown on Figure 7.7-5.

The two steam generators are operated in parallel. Each Feedwater Regulating System uses a three-element control system with inputs of feedwater flow, steam flow and steam generator water level for automatic water level control above 15 to 20 percent power. The output of DCS provides a signal to position the respective feedwater regulating valve.

When an abnormally high steam generator water level is sensed in either steam generator, a signal is sent to close the associated feedwater regulating valve. This signal can be removed by use of a manual override. (See Steam Generator Overfill discussion on next page.)
7.7-4 Amendment No. 18 (01/08)
In the event of a reactor or turbine trip, the feedwater regulating valves are closed and feedwater control is transferred to the Low Power Feedwater Control System, which is a subsystem of the DCS that controls steam generator level via the bypass valves (LCV 9005 and 9006).

In order to reduce the frequency of reactor trips encountered during start-up due to the thermal shrink and swell characteristics of the steam generator, the Low Power Feedwater Control System (LPFCS) has been designed to provide automatic control of the feedwater by-pass valves and maintain steam generator level at setpoint value during unit start-up in the range of approximately 2 to 25% load. This provides the flow required for decay heat removal at normal reactor coolant operating temperatures and allows the operator sufficient time before manual control of level is required.

The LPFCS monitors conditions in both the primary and secondary loops of the NSSS for control of feedwater flow into each steam generator. The LPFCS averages steam generator level signals, LT-9005 and LT-9011 for SG 2A and LT-9006 and LT-9021 for SG 2B, to maintain the level setpoint. The LPFCS also utilizes a feedforward signal based on wide range steam generator water level deviation from its zero power value. This difference generates a reference feedwater flow demand that is proportional to changes in steam flow. The LPFCS uses feedwater temperature downstream of the high pressure heaters to compensate for the effect of feedwater temperature on the steam generator level characteristics.

Manual control of the Feedwater Regulating System may be selected at any power level. When in manual control, the operator in the control room can:

a) Position each feedwater regulating control valve (FCV-9011, FCV-9021)
b) Open or close each feedwater stop valve
c) Position each feedwater control bypass regulating valve (LCV-9005, LCV-9006)
d) Control operation of feedwater pumps

The DCS was expanded to include the feedwater regulating system and the Low Power Feedwater Control System. A more detailed discussion of the DCS can be found in Subsection 7.5.1.4a. To integrate the feedwater regulating and the low power feedwater subsystems into the DCS, equipment in addition to the equipment discussed in Subsection 7.5.1.4a was installed. Two touch screen Manual/Auto stations (FIC-9011/LIC-9005 and FIC-9021/LIC-9006) are used to control the valves, while two flat panel displays provide indication, alarms and control capabilities. This equipment is located on RTGB-202.

The operator can at any time control operation of two electrically driven auxiliary feedwater pumps and/or the turbine driven auxiliary feedwater pump described in Subsection 10.4.9 and position the associated auxiliary feedwater regulating valves. Remote manual control of auxiliary feedwater is provided in the control room and outside of the control room. Automatic auxiliary feedwater control is described in Sections 7.3 and 7.4.
7.7-4a Amendment No. 21 (11/12)
Steam Generator Overfill Protection Features: (Generic Letter 89-19)

A review of the feedwater control system was performed in conjunction with Generic Letter 89-19, "Resolution of Unresolved Safety Issue A-47 (Safety Implication of Control Systems in LWR Nuclear Power Plants)." This generic letter required, in part, that all CE plants provide automatic steam generator overfill protection and that these features be sufficiently separate of the existing feedwater control system to mitigate main feedwater (MFW) overfill events. The desired degree of separation was such that it would not be powered from the same power source, not located in the same cabinet, and not routed so that a fire may affect both systems. Periodic testing of these added features, to verify functionality, was also required. (References: Engineering Evaluation JPN-PSL-SEIJ-90-007 and NRC SER, "Steam Generator Overfill Protection Response to Generic Letter 89-19," dated 4/4/94.)

The Steam Generator Overfill Protection features utilize the same safety grade steam generator level transmitter signals that provide input to the Reactor Protection System. High and High-High level trip settings provide logic outputs, which are isolated before passing to the non-Class 1E Steam Generator Overfill Protection logic. Feedwater isolation functions are then performed under a 2-out-of-4 coincidence.

Diverse and redundant equipment is actuated by these High and High-High signals. First, after the initiating event, high level protection closes the respective steam generator feedwater control valve(s) through the feedwater regulation system, as shown on Figure 7.7-5. Second, if the high level protection should fail, a High-High level protection will trip the turbine, stop the main feedwater pumps and close the main feedwater pump discharge valves.

Separate sources of power are provided for the feedwater control system and High-High Steam Generator Overfill Protection circuits to insure availability of one of these systems should an overfill event occur. Furthermore, the design of the feedwater control system requires the feedwater regulating valve to fail closed on a loss of power such that even in the unlikely event of a total power failure to both systems, feedwater flow will still be isolated for the affected train.

Plant procedures are provided to periodically verify operability of Steam Generator Overfill Protection features during power operation and to functionally test the system during refueling.

7.7.1.1.5 Steam Dump and Bypass Control System

The Steam Dump and Bypass Control System is a subsystem of the DCS, is described in Subsection 10.4.4 and is designed to provide a means of manually controlling reactor coolant temperature during plant startup and for removing NSSS stored energy, decay heat, and pump energy during shutdown cooling. The original system design flow capacity of 45% was restored as part of the Extended Power Uprate. The system is designed to mitigate challenges to the pressurizer and steam generator safety valves during large load rejections.

The system is composed of five valves, with a combined capacity of greater than 45%, two reactor turbine generator board (RTGB) mounted manual-automatic controllers, and one flat panel display.

The system input variables of main steam header pressure, steam flow, reactor coolant average temperature, turbine load demand, and reactor trip enter into the computation in order to produce individual valve modulation signals or, if conditions warrant, individual "quick-opening" signals to the dump valves. Initiation of a steam dump action initiates an interlock in the CEDMCS which prevents automatic CEA withdrawal, thereby ensuring timely termination of the transient.

7.7-5 Amendment No. 21 (11/12)
7.7.1.1.6 Analog Display System (ADS)

The neutron flux and distribution is controlled, in part, through insertion and/or withdrawal of CEAs. The Analog Display System (Figure 7.7-6) utilizes the signals from the reed switch position transmitters to display the CEA positions on a display for the operator (refer to Subsection 7.5.1.4). Reactor power signals, derived from the Reactor Protection System through isolation in accordance with IEEE 279-1971, are utilized with the CEA position signals in the ADS to provide alarm and motion inhibit signals for specific improper CEA movements.

The ADS contains logic which detects certain abnormal CEA configurations such as: CEA deviation within a control group; CEA inserted to or below the power dependent insertion limit; improper CEA group sequencing or overlap; regulating CEA groups withdrawing before all shutdown CEAs are fully withdrawn; and shutdown CEA groups inserting before all regulating CEAs are fully inserted. Upon detection, the ADS initiates CEA motion inhibit (CMI) signals to the CEDMCS and alarm signals to the annunciation system display. The CMI signals are generated to prevent the specific improper CEA movement from continuing.
7.7.1.1.7 Boron Control System The RCS boron control is accomplished by dilution and boration. Refer to Subsection 9.3.4 for a discussion of the Chemical and Volum~ Control System. To allow the operator to maintain the. required boron concentration in the reactor coolant, the volume control tank contents are maintained at a prescribed boron concentration either manually or automatically. To assist the operator in maintaining the proper boric acid concentration in the Reactor Coolant System, recorders indicate reactor makeup water flow and boric acid makeup flow, which can be used to determine whether boration or dilution is occurring. Sampling of the reactor coolant is used to determine boron concentration. At a given power level, the boron concentration and CEA position determines reactor coolant temperature. Because of the long time required to change the boron concentration, boron is used to compensate for slow change of power. By adjusting the boron concentration, the CEAs can be withdrawn to provide an adequate shutdown margin. 7.7.1.1.8 lncore Instrumentation System The lncore Instrumentation System monitors neutron flux distribution within the reactor core. There are maximum of 56 incore instrument assemblies with four self powered rhodium detectors in each assembly. The assemblies are uniformally distributed in the reactor core. The four detectors in each assembly are axially distributed along the height of the core at 20, 40, 60 and 80 percent of core height. This permits representative three dimensional mapping of the neutron flux in the core. The rhodium detectors produce a delayed beta current proportional to the neutron flux in the detector region. 7.7-6 Amendment No. 20 (05/11)
The current signal from each detector is individually converted to a proportional flux level and logged by the Distributed Control System (DCS). The DCS also compares each of these neutron flux levels with alarm setpoints indicative of high neutron flux conditions and prints a message when each of these conditions occurs. In addition to the fixed system described above, the original design included a Movable Incore Detector System (MICDS) as a backup to the fixed system, which has subsequently been deleted. The MICDS consisted of two movable detectors and associated hardware to position either probe at any location within a dry calibration tube of the 56 fixed incore instrument assemblies. The MICDS was controlled by the DCS and provided a neutron flux map independent of the fixed detector system.
The incore instrumentation system is designed to perform the following functions:
a) To provide data sufficient to determine the gross power distribution in the core during different operating conditions from 20 percent to 100 percent power;
b) To provide data to estimate fuel burn up in each fuel assembly; and
c) To provide data for the evaluation of thermal margins in the core.
The incore detectors can be used to assist in the calibration of the excore detectors by providing azimuthal and axial power distribution information. The fixed incore detectors will be used to periodically calibrate the excore axial flux offset detection system, monitor the azimuthal power tilt, calibrate the power level neutron flux channels and monitor the linear heat rate. The incore instrumentation system, when used to perform the functions listed above, must satisfy the operability requirements outlined in Section 13.7. These requirements were amended in the facility technical specifications, Amendment 75, and relocated to the UFSAR.
7.7.1.1.9 Startup and Control Excore Neutron Flux Monitoring System
The Startup and Control Excore Neutron Flux Monitoring System includes neutron detectors located around the reactor core and signal conditioning equipment located in the control room.
Two startup channels provide source level neutron flux information to the reactor operator for use during extended shutdown periods, initial reactor startup and startups after extended periods of reactor shutdown, such as core refueling operations. Each channel consists of one BF3 detector, a preamplifier, a signal processing drawer containing power supplies, a logarithmic amplifier and test circuitry located in the control room. High voltage power to the proportional counters is automatically terminated on the increase in nuclear power, above 10,000 cps, to extend the detector's life. Annunciation is provided if this automatic feature fails to operate. High voltage from the startup detectors can be removed manually by the operators. These startup channels provide readout and audio count rate information, but have no direct control or protective functions.
Two control channels provide neutron flux information, in the power operating range of 1 percent to 200 percent, to the Reactor Regulating System for use during automatic turbine load-following operation (see Subsection 7.7.1). Each control channel consists of a dual section uncompensated ionization chamber detector and a signal conditioning drawer containing power supplies, a linear amplifier, and test circuitry.
7.7-7 Amendment No. 20 (05/11)
The detector is operated in current mode only. These channels are completely independent of the safety channels.
7.7.1.1.10 Turbine Control System
The Turbine Control System has automatic control and trip devices necessary for operation and protection of the turbine-generator. Means are also provided for the operator to override some of the automatic controls when he finds it necessary. An automatic trip is provided to prevent any damage to the turbine-generator. The unit trips upon occurrence of conditions which are potentially hazardous to the turbine-generator or to other associated plant equipment.
7.7.1.1.10.1 System Design
The Turbine Control System is a digital electronic hydraulic (DEH) system which controls the turbine automatically using a process control computer, servo-mechanism and hydraulic valve actuators. The computer represents the digital portion of the system, the servo-hardware represents the electrical portion of the system and the valve actuators represent the hydraulic part of the system.
7.7-7a
The Turbine Control System is designed to:
a) Control automatically the turbine-generator output power during all phases of normal operation.
b) Trip the turbine to guard the equipment from exposure to hazardous conditions.
c) Provide an automatic reactor trip signal when the turbine is tripped.
During automatic operation of the DEH control system, digital computer output signals are received by the servo system, which in turn positions the hydraulic valve actuators to control turbine speed or load.
7.7.1.1.10.2 Turbine Trip Signals
The following conditions cause a turbine trip:
a) Reactor trip
b) Turbine overspeed
c) Low condenser vacuum
d) DELETED
e) Generator lockout relay
f) Exhaust hood high temperature (two out of three high temperature on either exhaust hood)*
g) Turbine low bearing oil pressure
h) Manual trip
i) DEH control power failure
j) Hi-hi water level in either steam generator
Any turbine trip causes the hydraulic trip fluid header pressure to decrease and close steam to the turbine. Four redundant pressure switches are also provided on the emergency trip fluid line common header, to serve as the loss of load, turbine trip input to the Reactor Protective System logic matrices. Actuation of any two of the pressure switches on low hydraulic oil pressure causes a reactor trip. The pressure switches and circuitry are electrically and physically separated and serve an equipment protection function rather than a reactor safety function, as described in Section 7.2.
* Bypassed at low power conditions.
UNIT 2 7.7-8 Amendment No. 23 (04/16)
7.7.1.1.10.3 Turbine Runback
The turbine runback feature has been deleted.
7.7.1.1.11 Boron Dilution Alarm System
Reactivity control in the reactor core is affected, in part, by soluble boron in the reactor coolant system. The Boron Dilution Alarm System (Figure 7.7-8a) utilizes the start-up channel nuclear instrumentation signals to detect a possible inadvertent boron dilution event while in Modes 3-6. There are two redundant and independent channels in the Boron Dilution Alarm System (BDAS) to ensure detection and alarming of the event. The Boron Dilution Alarm System is an on-line microcomputer based system which receives and monitors two (2) neutron flux signals (one per BDAS channel) processed from the startup channel signal processing nuclear instrumentation.
The BDAS alarm logic is designed to follow the decreasing neutron flux signal after a reactor shutdown occurs, including when the neutron flux signal levels out at that core's configuration steady state level. A functional diagram is presented on Figure 7.7-8a. If the neutron flux signal increases, the current alarm setpoint is equal to the previous alarm setpoint before the neutron flux signal increased (see Figure 7.7-8b). A Boron Dilution Event is detected when the current inputted neutron flux signal is equal to or greater than the alarm setpoint. Each BDAS channel initiates an alarm signal to the Plant Annunciation System upon detection of a Boron Dilution Event thus providing two separate alarm signals to the Plant Annunciation System upon determination of a boron dilution event.
The BDAS has the capability for the operator to input, from the panel, a reset signal to the system. This reset capability allows the BDAS alarm to be acknowledged and alarm detection to be reset to the current core configuration. The BDAS is powered from an offsite power source with an onsite backup power source.
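The setpoint-tracking behaviour described for the BDAS above, as an added sketch that is not the plant's or the vendor's software. The additive delta margin, the first-order filter with a pass-through default, alarm latching until reset, and all flux values are assumptions constructed for illustration; the page names a filter function and a direction limited setpoint calculation but does not define them.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed count-rate samples (cps) for two startup channels: decay after
# shutdown, a steady-state plateau, then a slow rise such as dilution would cause.
CONSTRUCTED_FLUX_A = [1000.0, 400.0, 150.0, 60.0, 50.0, 50.0, 55.0, 70.0, 90.0, 120.0]
CONSTRUCTED_FLUX_B = [980.0, 410.0, 140.0, 62.0, 51.0, 50.0, 52.0, 60.0, 75.0, 100.0]


@dataclass
class BdasChannel:
    """One BDAS channel: filter -> direction-limited setpoint -> bistable."""
    delta_cps: float                  # assumed additive margin above filtered flux
    alpha: float = 1.0                # assumed filter coefficient (1.0 = pass-through)
    filtered: Optional[float] = None
    setpoint: Optional[float] = None
    alarm: bool = False

    def __post_init__(self) -> None:
        if not (self.delta_cps > 0 and 0 < self.alpha <= 1):
            raise ValueError("delta_cps must be > 0 and alpha in (0, 1]")

    def step(self, flux_cps: float) -> bool:
        """Process one flux sample and return the (latched) alarm state."""
        if not math.isfinite(flux_cps) or flux_cps < 0:
            # A bad sample must not silently move the setpoint.
            raise ValueError(f"invalid flux sample: {flux_cps!r}")
        if self.filtered is None:
            self.filtered = flux_cps
        else:
            self.filtered += self.alpha * (flux_cps - self.filtered)
        candidate = self.filtered + self.delta_cps
        # Direction limit: the setpoint follows a falling signal down but
        # holds its previous value when the signal rises.
        if self.setpoint is None:
            self.setpoint = candidate
        else:
            self.setpoint = min(self.setpoint, candidate)
        # Bistable comparison: flux equal to or greater than the setpoint.
        if self.filtered >= self.setpoint:
            self.alarm = True
        return self.alarm

    def reset(self) -> None:
        """Operator reset: acknowledge and re-base on the current flux level."""
        if self.filtered is not None:
            self.setpoint = self.filtered + self.delta_cps
        self.alarm = False


def trace(channel: BdasChannel, samples: List[float]) -> List[Tuple[float, bool]]:
    """Return (setpoint, alarm) after each sample."""
    out = []
    for s in samples:
        alarm = channel.step(s)
        out.append((channel.setpoint, alarm))
    return out


def first_alarm_index(samples: List[float], delta_cps: float) -> Optional[int]:
    """Index of the first sample that alarms on a fresh channel, or None."""
    for i, (_, alarm) in enumerate(trace(BdasChannel(delta_cps), samples)):
        if alarm:
            return i
    return None


def annunciator_inputs(delta_cps: float = 30.0) -> Tuple[Optional[int], Optional[int]]:
    """Each channel alarms independently; return the first alarm index of each."""
    return (first_alarm_index(CONSTRUCTED_FLUX_A, delta_cps),
            first_alarm_index(CONSTRUCTED_FLUX_B, delta_cps))


if __name__ == "__main__":
    for i, (sp, al) in enumerate(trace(BdasChannel(30.0), CONSTRUCTED_FLUX_A)):
        print(f"t={i} flux={CONSTRUCTED_FLUX_A[i]:7.1f} setpoint={sp:7.1f} alarm={al}")
    print("first alarm per channel:", annunciator_inputs())
```

Because the setpoint only ratchets downward, a slow rise that never exceeds the margin in a single step is still caught once the cumulative increase reaches the held setpoint.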
7.7.1.1.12 Distributed Control System (DCS)
The Distributed Control System (DCS) consists of operator and engineering workstations, displays, printers and racks for the control processors. The DCS is connected into the Plant Data Network (PDN), a system of network switches, fiber optic cables and other components that integrate the DCS functions. The functions of the DDPS were integrated into the DCS. The DCS provides the following functions (previously performed by the DDPS):
- Calculation of Calorimetric Power - results are displayed on RTGB 204 and on a line printer on a periodic basis.
- Monitoring of Incore Detectors and Input to the Beacon Core Monitor - status of the incore detectors is monitored and displayed periodically. Alarms are provided should a detector exceed a preset operating range.
- CEA Position Indication and Limit Checking - positions of CEAs and CEA groups are calculated from demand pulses from the CEDMCS. Alarms are provided should limits be exceeded. Contact outputs are provided to CEDMCS to sequence CEA regulating group insertion and withdrawal.
7.7-9 Amendment No. 15 (06/03)
- Power Dependent and Pre-Power Dependent Insertion Limits - regulating group CEA insertion limits based on thermal power are calculated on a set frequency. Early warning alarms are provided if these insertion limits are approached.
- Xenon and Iodine Concentration Calculations - reactivity worth is calculated on a set frequency for subsequent use to estimate reactor critical conditions during startup operations.
- The difference between the feedwater venturi indicated flow and the LEFM is calculated and alarmed if a preset limit is exceeded.
- Average Tcold temperature and reactor power are calculated and displayed on RTGB-204.
- Provides "All Rods In"/"All Rods Not In" input signal to ERDADS as required by Reg. Guide 1.97.
The DCS provides printed records, both periodic and on demand, of all monitored activities via two printers provided in the Unit 2 Control Room. Two operator work stations consisting of keyboards and touch screen flat panel displays are installed on the Operators Console to provide historical, trending or current status of the system inputs. A small flat panel display is installed on RTGB 204 to display Qpower and Tcold.
An engineering workstation is provided in the Southeast corner of the Unit 2 Control Room. This workstation is used to make configuration changes to the DCS, change alarm setpoints, and modify displays. This location, inside the Control Room but outside the Operators Work Area, allows for Operations supervision of configuration changes without the need for the additional security measures and communications necessary to make such changes from a remote location.
The DCS is designed with expansion capabilities so that additional instrumentation and control systems can be added in the future, which will utilize the same graphical user interface, storage and printing capability. The system architecture, types and locations of components have incorporated, to the extent practical, reliability, redundancy and diversity. The power supplies have been selected so that any panel, inverter, battery or AC power feed can be removed from service without impact to the PDN, assuming a coincident loss of offsite power.
The DCS will also provide an additional capability. Sequence of Events (SER) records are provided by monitoring the opening and closing of contacts for various pieces of equipment. These reports are utilized to reconstruct events following plant trips or other transients.
7.7.1.2 Design Comparison
The design differences between the control systems in the St. Lucie Unit 2 design scope and the control systems provided for the reference plant are discussed in this section.
7.7.1.2.1 Reactivity Control Systems
The RRS is functionally identical to that supplied for St. Lucie Unit 1 (NRC Docket 50-335). The CEDMCS combines the Control Element Drive System (CEDS) and the coil power programmers (CPP) into one integrated system, thus reducing the interfacing required between the previous two separate subsystems. The CEDMCS is functionally identical to the CEDS/CPP of St. Lucie Unit 1 with the following changes:
7.7-9a Amendment No. 18 (01/08)
- The CEAs are controlled in subgroups typically consisting of four CEAs located symmetrically about the core;
- CEDM timing functions within the CEDMCS are performed using digital techniques to increase the accuracy and flexibility of the integrated system;
- The CEA withdrawal prohibit (CWP) is effective in all modes, and CWP can be bypassed at the operator's module. To bypass the CEA withdrawal prohibit (CWP) signal, at the CEDMCS control panel the operator must: a) Depress the bypass enable switch. b) Depress and maintain the CWP bypass switch. Control room annunciation is provided to indicate a CWP condition. Feedback signals from the CEDMCS illuminate the bypass pushbuttons on the CEDMCS control panel to indicate operation of the override. The CWP bypass is maintained under strict administrative control via plant operating procedures.
- While the CEDMCS is in the automatic sequential mode, motion of individual CEAs is not possible;
- While in the automatic sequential mode, the CEA motion inhibit (CMI) cannot be bypassed.
The CEDMCS can handle up to 91 CEAs.
7.7.1.2.2 Reactor Coolant Pressure Control System
The reactor coolant pressure control system is functionally identical to that supplied for St. Lucie Unit 1 (NRC Docket 50-335).
7.7.1.2.3 Pressurizer Level Control System
The Pressurizer Level Control System is functionally identical to that supplied for St. Lucie Unit 1 (NRC Docket 50-335).
7.7.1.2.4 Feedwater Regulating System
The Feedwater Regulating System is functionally identical to that supplied for St. Lucie Unit 1 (NRC Docket 50-335).
7.7.1.2.5 Steam Dump and Bypass Control System
The Steam Dump and Bypass Control System is functionally identical to that supplied for St. Lucie Unit 1 (NRC Docket 50-335).
7.7.1.2.6 Analog Display System
The Analog Display System is functionally identical to the metrascope originally supplied for St. Lucie Unit 1 (NRC Docket 50-335).
The metrascope was subsequently replaced with the CEA Position Display System (CEAPDS), which is similar to the Analog Display System.
7.7-10 Amendment No. 18 (01/08)
7.7.1.2.7 Boron Control System
The boron control system is functionally identical to that supplied for St. Lucie Unit 1 (Docket 50-335).
7.7.1.2.8 Incore Instrumentation
The Incore Instrumentation System is similar to that supplied for Arkansas Nuclear One-Unit 2 (NRC Docket 50-368). The difference is 44 detector assemblies vs 56 (maximum) on St. Lucie Unit 2.
7.7.1.2.9 Excore Neutron Flux Monitoring System
The startup and control channels of the Excore Neutron Flux Monitoring System are functionally identical to that supplied on System 80 (NRC Docket STN-50470F), except for the addition of subchannel deviation circuitry. The safety channels are of a new design, but based on System 80 circuitry.
7.7.1.2.10 Turbine Control System
The Turbine Control System is functionally identical to that supplied for St. Lucie Unit 1 (NRC Docket 50-335).
7.7.1.2.11 Boron Dilution Alarm System
The Boron Dilution Alarm System is an addition to the St. Lucie Unit 2 design.
7.7.1.2.12 Distributed Control System (DCS)
The Distributed Control System (DCS) provides identical functions as those provided by the St. Lucie Unit 1 Distributed Control System (DCS).
7.7-11 Amendment No. 17 (12/06)
7.7.2 ANALYSIS
The plant control systems and equipment are designed to provide high reliability during steady state operation and anticipated transient conditions. The RPS analysis of Subsection 7.2.2 encompasses the failure modes of these control systems and demonstrates that these systems are not required for safety. Separation of control and protection systems is maintained throughout. The safety analyses of Chapter 15 do not require these systems to remain functional.
7.7.3 SYSTEM EVALUATION - HUMAN FACTORS ENGINEERING
7.7.3.1 HFE Program
In response to the requirement of NUREG-0737, Clarification item I.D.1, "Control Room Design Review," and Supplement 1 to NUREG-0737, FPL established and maintains a Human Factors Engineering program to review the design of the control room and remote shutdown capabilities in order to identify and correct design deficiencies. The design review was performed following the guidelines of NUREG-0700, "Guidelines for Control Room Design Review," and NUREG-0801, "Evaluation Criteria for Detail Control Room Design Review." The continuing Human Factors Engineering program provides for a review of plant changes associated with the Control Room or the Remote Shutdown Facilities to ensure compliance with the guidance provided in NUREG-0700.
7.7.3.2 Detail Control Room Design Review Implementation
A summary report which outlined the activities performed for the implementation of the Detailed Control Room Design Review was issued on November 1, 1983. This report was prepared following the outline recommended in Section 5.2 of NUREG-0700. This report discusses:
a) The Detailed Control Room Design Review phases.
b) The technical activities.
c) Method of assessment of discrepancies.
d) Method of identification and selection of enhancement and design solutions.
e) Review results of Human Engineering Discrepancies, Human Engineering Discrepancy Assessment, and the selected enhancement and design solutions.
f) Improvements to be made.
g) Schedule of implementation.
An overview of the major activities and methods utilized in the Detail Control Room Design Review (DCRDR) is presented below:
7.7-12 Amendment No. 18 (01/08)
Technical Approach
The technical approach utilized in the DCRDR included those activities listed below. A detailed discussion of the methodologies and a discussion of the findings of each of the surveys is included in Section 2.0 of the DCRDR report.
o Review of operating experience
o Assembly of control room documentation
o Review of system functions and task analysis
o Surveys
- noise
- lighting
- control room environment
- design conventions
- controls and displays
- computers
- emergency garments
- labeling
- annunciators
- anthropometrics
- force/torque
- communications
- maintainability
o Verification of task performance capability
o Validation of control room functions
o Assessment of discrepancies.
Each survey report addresses:
o Task Objectives - The type of data to be collected or human performance variables under analysis.
o Review Team - The personnel required to conduct the task.
o Criteria - Generally, the review guidelines appropriate to the evaluation being conducted.
o Task Definition - Steps or procedures followed in the conduct of the task.
o Outputs and Results - Task results. These are Human Engineering Discrepancies which may be drawn upon by subsequent tasks (e.g., Task Analysis).
7.7-13 Amendment No. 4, (4/89)
Assessment
The surveys identified Human Engineering Discrepancies (HEDs). These HEDs were assessed for error inducing potential and the system consequences of the potential error. The means of resolving the HEDs were also reviewed.
The basic assessment process was divided into four steps as follows:
o Assess extent of deviation from NUREG-0700 guidelines
o Assess Human Engineering Discrepancy impact on error occurrence
o Assess potential consequences of error occurrence
o Assign Human Engineering Discrepancy scheduling priority.
Based on the assessment of the HEDs' probability of inducing errors, a priority for correction was assigned. The HED priority was utilized in the establishment of a backfit schedule.
Implementation
The backfit schedule program for the correction of the HEDs was established based on the following functions:
o Human engineering discrepancy priority
o Engineering and procurement lead time requirements and constraints
o Overall plant outage schedules.
The following design solutions and/or enhancements selected for the correction of the HEDs were based on the recommendations of NUREG-0700:
o Analysis of correction by enhancement
o Analysis of correction by design alternatives
o Assess extent of correction.
As part of the correction of HEDs several backfit activities, plant change modifications, were implemented. The objectives of these activities were to reduce the potential for human errors and correct identified HEDs. Examples of these activities are: RTGB Demarcation Update which has provided enhanced demarcation and labeling for the RTG Boards; MSIV Test Panel Upgrade which split controls from the local test panel and the control panel to prevent erroneous information in the control room during testing; modification and upgrade of software for QSPD System providing enhanced display and a "user-friendly" environment; correction of Nuisance Alarms Program which eliminated nuisance alarms, provided logic enhancements, corrected setpoints and deleted non-applicable alarms; Remote Reactor Vessel Level Indicator Modification which has added instrumentation in the control room to provide true level indication during reactor refueling; replacement of Metrascope to provide high resolution and enhanced software for indication of rod position; modifications to the circuitry of motor operated valves to provide enhanced annunciation in the control room during testing.
7.7-14 Amendment No. 4, (4/89)
Operating procedures have been reviewed and changed to a new format that will reduce the potential for human error. In the new format, procedures are required to be written to the entry-level person, and have less print per page, one action per step, and cautions and warnings before, rather than after the applicable steps. A review also has been made of maintenance procedures, health physics, and chemistry procedures, etc., with the intention of making them "user-friendly".
Other examples of plant change modifications which reduce the potential of human errors include the modifications in Control Room equipment to upgrade the Emergency Response Data Acquisition and Display Systems (ERDADS), which is also known as the Safety Assessment System (SAS) and includes Safety Parameter Display System (SPDS) equipment. These modifications improve the performance and display capabilities of the existing system and include installation of new display, keyboards and a trackball.
A Human Factors Engineering evaluation of the ERDADS has been performed on the SPDS and non-SPDS portions. The SPDS portion consisted of a Human Factors Engineering Review and a SPDS verification. The Human Factors Engineering review involved the evaluation of SPDS displays, hardware, design and layout in accordance with the guidelines specified in Section 5 & 6 of NUREG-0800, Section 18.2, Appendix A, NRC Standard Review Plan and applicable guidelines specified in Section 5 and 6 of NUREG-0700, "Guidelines for Control Room Design Review." The SPDS review was performed using survey and table-top evaluation methods to obtain information regarding job compatibility, understandability, usability, and completeness. A table-top evaluation was performed in conjunction with the SPDS survey on the SPDS portion of ERDADS. The results of the survey and table-top evaluation were analyzed to identify Human Engineering Discrepancies (HEDs).
The SPDS Parameter Selection Verification consisted of comparing SPDS parameter displays against the design bases requirements and Emergency Operating Procedures (EOPs) for safety status. SPDS displayed alarms were also compared against current EOPs and SPDS design documents, and minimum displayed parameters were reviewed to determine their consistency with operators' needs. The non-SPDS portion of the ERDADS HFE review consisted of the evaluation of the St. Lucie Unit 1 Critical Safety Function Monitoring (CSFM) displays, hardware evaluation, design, layout, and man-machine interface in accordance with the guidelines specified in NUREG-0700, "Guidelines for Control Room Design Review." The non-SPDS review was performed by a survey evaluation method. The results of the survey were analyzed and all HEDs were resolved.
7.7-15 Amendment No. 21 (11/12)
7.7.3.3 DCRDR Implementation Evaluation
The St. Lucie Detailed Control Room Design Review (DCRDR) Program Plan was submitted to the NRC on June 30, 1983. The program plan utilized Supplement 1 to NUREG-0737, NUREG-0700, and NUREG-0801 as the bases for the program development. The St. Lucie Unit 1 DCRDR Summary Report was then submitted on November 1, 1983. The NRC reviewed these reports and provided FPL with a draft Safety Evaluation and Technical Report of the St. Lucie DCRDR on February 2, 1984. This report indicated that a pre-implementation audit would be necessary to resolve the open or confirmatory items identified in the Safety Evaluation. The NRC then conducted the pre-implementation audit of the DCRDR program on April 2 through 6, 1984. The results of the NRC audit identified the resolved items and those items requiring additional information. The NRC stated that a meeting would be appropriate to discuss FPL plans, methods, and schedules for submittal of a supplement to the St. Lucie DCRDR Summary Report.
FPL reviewed the requirements of NUREG-0737, Supplement 1 and the operating experience review problems identified. Programs were established to review and resolve the open or confirmatory items. The Supplemental Summary Report, issued on April 1, 1986, describes the review process. The ten items contained in the supplementary summary report are listed below:
- 1. Operating Experience Review Problems.
- 2. LER Review.
- 3. Task Analysis.
- 4. HFE Review of Post Control Room Changes.
- 5. Additional HED Justification.
- 6. Reverification of Control Room Changes.
- 7. Reverification of Control Room Changes to Ensure No New HEDS.
- 8. Future Control Room Changes.
- 9. Supplemental Summary Report.*
- 10. Integration Into Other Programs.
The methodology utilized in the review and resolution of the open or confirmatory items is contained in the DCRDR Supplemental Summary Report. All retrofit packages for St. Lucie Unit 2 are being implemented per the FPL quality program for Human Factors Engineering. This program ensures that all aspects of design are in compliance with the guidance provided in NUREG-0700 and that Human Factors engineering principles are followed for plant changes associated with the Control Room or the Remote Shutdown Facilities.
7.7-16 Amendment No. 18 (01/08)
7.7.4 LEADING EDGE FLOW METER (LEFM)
The PSL Unit 2 Extended Power Uprate (EPU) raised the licensed maximum power level to 3020 MWt. The EPU change to the maximum rated thermal power (RTP) included a 1.7% Measurement Uncertainty Recapture (MUR). Modifications required for the MUR portion of the EPU included installation of the Cameron Leading Edge Flow Meter (LEFM) CheckPlus system. The use of LEFM for determination of feedwater temperature and feedwater mass flow results in an overall calorimetric uncertainty of 0.3%. The MUR uprate of 1.7% results from the difference between the original 2% power determination uncertainty (required by 10CFR50 Appendix K) and the LEFM based calorimetric uncertainty of 0.3%. The MUR portion of the EPU license amendment request was based on the following Cameron Topical Reports:
- 1) ER-80P, Improving Thermal Power Accuracy and Plant Safety While Increasing Operating Power Level Using the LEFM Check System, dated March 1997 (NRC SER dated March 8, 1999)
- 2) ER-160P, Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check System, dated May 2000 (NRC SER, dated January 19, 2001)
- 3) ER-157P, Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check or CheckPlus System, dated October 2001 (NRC SER, dated December 20, 2001)
The LEFM feedwater flow measurement system is an ultrasonic 8-path transit time flowmeter. The LEFM CheckPlus system consists of one flow element (spool piece) installed in each of the two FW flow headers. Each individual LEFM CheckPlus system flow element (spool piece) has been calibrated in a site-specific model test at Alden Research Laboratories with traceability to National Standards. The LEFM flow elements (meters) are installed at specified locations upstream from the existing FW venturi nozzles. The resulting piping configurations were explicitly modeled as part of the LEFM meter factor and accuracy assessment testing performed at Alden Research Laboratories. Test data and results for the flow elements are documented in Cameron Engineering Report ER-736, Meter Factor Calculation and Accuracy Assessment for St. Lucie Unit 2. The calibration factor (also known as the meter factor) and the uncertainty in the calibration factor for the LEFM CheckPlus system are also based on this Cameron engineering report.
The LEFM CheckPlus system is used for continuous calorimetric power determination by providing FW mass flow and FW temperature input data to the distributed control system (DCS), which is the computer system used for automated performance of the calorimetric power calculations. The LEFM system communicates with the DCS via redundant digital communication links. The LEFM based mass flow rate and FW temperature data is integrated into appropriate DCS calorimetric display screens to facilitate side-by-side comparison with data based on conventional instruments. Hard-wired alarms from LEFM to main control room annunciator panels provide redundant operator notification of degraded system performance or outright system failure.
The LEFM CheckPlus system incorporates self-verification features to ensure that hydraulic profile and signal processing requirements are met within the site-specific design basis uncertainty analysis contained in Cameron Report ER-740, Bounding Uncertainty Analysis for Thermal Power Determination at St. Lucie Units 1 & 2 using the LEFM CheckPlus System. Critical performance parameters are continually monitored for every individual meter path and alarm setpoints are established to ensure corresponding assumptions in the uncertainty analysis remain bounding.
7.7-16a Amendment No. 21 (11/12)
Operability of the LEFM instrumentation is required to support an overall calorimetric uncertainty of 0.3%. Operability requirements and associated action statements are identified in UFSAR Section 13.7. Various LEFM system failure modes and resulting action statements are considered based on the use of independent LEFM instrumentation for feedwater headers A & B, and also based on redundancy within each LEFM sub-system. Original feedwater flow (Venturis) and temperature (RTD) instrumentation were retained and are used as backup calorimetric instrumentation if needed.
7.7-16b Amendment No. 21 (11/12)
Refer to Dwg. 2998-3054 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 REACTOR REGULATING SYSTEM BLOCK DIAGRAM FIGURE 7.7-1 Amendment No. 10, (7/96)
[Figure 7.7-2, block diagram. Legible block labels: Control Element Drive Mechanism Motor/Generator Sets (240 V-ac, 3-phase, 4-wire); Reactor Protection System 2/4 Logic; Reactor Trip Switchgear (trip circuit breakers with trip coils); Solid State Power Switches; Optical Isolation; Solid State Control Logic; Control Element Drive Mechanism Control System; Control Element Drive Mechanisms (one half).]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 CEDMCS - RPS INTERFACE BLOCK DIAGRAM FIGURE 7.7-2
THIS FIGURE DELETED FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FIGURE 7.7-3 Amendment No. 17 (12/06)
THIS FIGURE DELETED FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FIGURE 7.7-4 Amendment No. 18 (01/08)
[Block diagram; legible labels: main steam header, FT 8011, HCV-09-1A, HCV-09-2A, HCV-09-2B, MSIS & AFAS, trip main FW pumps, trip turbine, main feedwater header.]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FEEDWATER CONTROL SYSTEM BLOCK DIAGRAM FIGURE 7.7-5 Amendment No. 21 (11/12)
[Block diagram, title block illegible; legible labels: CEA reed switch position transmitters, CEDMCS interlock, terminal blocks, CEA processor, Reactor Protection System percent reactor power signal and low power cutout signal, CEA positions, PPDIL, PDIL, digital outputs, annunciators, local I/O, display terminal, main control board display.]
THIS FIGURE DELETED FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FIGURE 7.7-7 Amendment No. 17 (12/06)
[FUNCTIONAL DIAGRAM, title block illegible; legible labels: excore neutron flux signal, filter function, direction limited variable setpoint calculation, bistable alarm comparison, alarm annunciation, delta setpoint, current flux signal display, current alarm setpoint display, reset. NOTE: ONLY ONE OF TWO IDENTICAL SYSTEMS IS SHOWN]
[Plot of flux signal versus time; legible labels: current alarm setpoint, delta setpoint, current signal, start of boron dilution event, initiation of alarm, operator resets alarm.]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 BORON DILUTION ALARM SYSTEM NEUTRON FLUX AND SETPOINT FIGURE 7.7-8b
Page ___ of ___
FSAR User Comment Form
FSAR errors or improvement suggestions should be identified below by FSAR Users and forwarded to the appropriate Nuclear Engineering Project Licensing Supervisor.
Originator ___ Dept ___ Location ___ Phone ___
PTN ___ PSL 1 ___ PSL 2 ___
FSAR Areas Affected: Sections ___ Figures ___
Comments: Attached ___ Below ___
Engineering Review (To be completed by Project Licensing): Accepted ___ Insufficient Information ___ No Change Required ___
Disposition: ___
Assigned User Comment # ___ Reviewing Engineer ___
Form 38, Rev 6/94
LIST OF EFFECTIVE PAGES CHAPTER 8 ELECTRIC SYSTEMS Page Amendment Page Amendment 8-1 23 8.3-1 20 8-2 23 8.3-2 20 8.3-3 18 8-i 8.3-4 20 8-ii 7 8.3-5 21 8-iii 17 8.3-5a 8-iv 18 8.3-6 13 8.3-7 20 8.1-1 23 8.3-7a 14 8.1-2 18 8.3-8 3 8.1-3 21 8.3-8a 23 8.1-4 18 8.3-8b 13 8.3-8c 10 F8.1-1 8.3-9 13 F8.1-2 8.3-10 13 8.3-11 20 8.2-1 23 8.3-11a 20 8.2-2 23 8.3-12 13 8.2-3 21 8.3-12a 18 8.2-4 18 8.3-13 13 8.2-5 20 8.3-14 14 8.2-6 21 8.3-15 21 8.2-7 17 8.3-15a 21 8.2-8 17 8.3-16 18 8.2-9 12 8.3-17 8.2-10 8.3-17a 8.2-11 8.3-18 13 8.2-12 18 8.3-19 21 8.2-13 18 8.3-19a 18 8.2-13a 17 8.3-19b 13 8.2-14 20 8.3-19c 9 8.2-15 20 8.3-19d 21 8.2-15a 8.3-19e 18 8.3-19f 16 F8.2-1 15 8.3-19g 20 F8.2-2a 17 8.3-20 1 F8.2-12 8.3-21 20 8.3-21oa 8.3-21a 18 8.3-22 18 8.3-23 18 8.3-24 20 8.3-24a 8.3-25 18 8.3-26 18 8.3-27 8.3-28 UNIT2 8-1 Amendment No. 23 (04/16)
LIST OF EFFECTIVE PAGES CHAPTER 8 Page Amendment Page Amendment 8.3-29 18 8.3-55 13 8.3-30 18 8.3-56 21 8.3-30a 18 8.3-57 21 8.3-30b 11 8.3-57a 21 8.3-30c 14 8.3-58 13 8.3-30d 14 8.3-59 20 8.3-30e 11 8.3-60 11 8.3-30f 20 8.3-61 18 8.3-31 18 8.3-62 8.3-32 18 8.3-63 8.3-33 21 8.3-64 13 8.3-33a 8.3-65 8.3-34 10 8.3-66 8.3-34a 5 8.3-67 21 8.3-35 8.3-68 13 8.3-36 20 8.3-69 8.3-37 8.3-70 18 8.3-38 20 8.3-71 18 8.3-39 8.3-40 21 F8.3-1 10 8.3-41 21 F8.3-1a 10 8.3-42 21 F8.3-2a 10 8.3-42a 18 F8.3-2b 10 8.3-43 18 F8.3-3 10 8.3-44 13 F8.3-3a 10 8.3-45 20 F8.3-4 21 8.3-45a 21 F8.3-5a 18 8.3-46 F8.3-5b 18 8.3-47 18 F8.3-5c 18 8.3-48 11 F8.3-6 18 8.3-48a 21 F8.3-7 16 8.3-49 13 F8.3-8 6 8.3-49a F8.3-9a 11 8.3-50 18 F8.3-9b 11 8.3-51 18 F8.3-9c 11 8.3-52 20 F8.3-9d 13 8.3-53 18 F8.3-9e 13 8.3-54 5 UNIT2 8-2 Amendment No. 23 (04/16)
ELECTRICAL SYSTEMS CHAPTER 8 TABLE OF CONTENTS
Section Title Page
8.0 ELECTRICAL SYSTEMS 8.1-1
8.1 INTRODUCTION 8.1-1
8.1.1 GENERAL 8.1-1
8.1.2 CRITERIA, CODES AND STANDARDS 8.1-1
8.2 OFFSITE POWER SYSTEM 8.2-1
8.2.1 DESCRIPTION 8.2-1
8.2.2 ANALYSIS 8.2-5
8.3 ONSITE POWER SYSTEM 8.3-1
8.3.1 AC POWER SYSTEMS 8.3-1
8.3.2 DC POWER SYSTEM 8.3-48
8-i
ELECTRICAL SYSTEMS CHAPTER 8 LIST OF TABLES
Table Title Page
8.2-1 MAIN GENERATOR DATA 8.2-14
8.2-2 MAJOR SYSTEM DISTURBANCES (1973-1982) 8.2-15
8.3-1 DIESEL GENERATOR DESIGN DATA 8.3-54
8.3-2 EMERGENCY DIESEL GENERATOR LOADING SEQUENCE 8.3-56
8.3-3 BATTERY LOAD GROUP B-DC LOADS 8.3-58
8.3-4 BATTERY LOAD GROUP AB-DC LOADS 8.3-60
8.3-5 BATTERY LOAD GROUP A-DC LOADS 8.3-61
8.3-6 4.16 KV SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS 8.3-62
8.3-7 480 VOLT SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS 8.3-64
8.3-8 208Y/120V AC SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS 8.3-65
8.3-9 120V INSTRUMENT POWER SUPPLY SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS 8.3-66
8.3-10 125V DC SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS 8.3-67
8.3-11 DIESEL GENERATOR INDICATION 8.3-68
8.3-12 DIESEL GENERATOR 2A (2B) ALARMS AND ANNUNCIATION 8.3-69
8.3-13 COMPONENT ISOLATION LIST - RG 1.63 8.3-70
0124F 8-ii Amendment No. 7, (4/92)
ELECTRIC POWER CHAPTER 8 LIST OF FIGURES
Figure
8.1-1 Substation and Transmission System
8.1-2 State of Florida Electric System Map
8.2-1 Switchyard One-Line Diagram
8.2-2a Deleted
8.2-2b Deleted
8.2-3a Deleted
8.2-3b Deleted
8.2-4a Deleted
8.2-4b Deleted
8.2-5a Deleted
8.2-5b Deleted
8.2-6a Deleted
8.2-6b Deleted
8.2-7a Deleted
8.2-7b Deleted
8.2-8a Deleted
8.2-8b Deleted
8.2-9 Deleted
8.2-10 Deleted
8.2-11 Deleted
8.2-12 Load Flow
8.3-1 Main One-Line Wiring Diagram
8.3-1a Combined Main & Auxiliary One-Line Diagram
8.3-2a Auxiliary One-Line Diagram (Sheet 1 of 2)
8.3-2b Auxiliary One-Line Diagram (Sheet 2 of 2)
8.3-3 480V Miscellaneous, 125V DC and Vital AC One Line (Sheet 1 of 2)
8.3-3a 480V Miscellaneous, 125V DC and Vital AC One Line (Sheet 2 of 2)
8.3-4 Diesel Generator Load Profile for Safe Shutdown, Loss of Coolant Accident Condition, and Main Steam Line Break
8-iii Amendment No. 17 (12/06)
LIST OF FIGURES (Cont'd)
Figure
8.3-5a Electrical General Installation Notes
8.3-5b Electrical General Installation Notes
8.3-5c Electrical General Installation Notes
8.3-6 Control Wiring Diagram 125V DC Bus Transfer Control
8.3-7 Containment Fan Coolers Torque and Current vs Speed at 80% Volts
8.3-8 Torque vs Speed 85%
8.3-9a 5 Kv Penetration (MVP-A) Protective Device Coordination
8.3-9b 15 Kv Penetration (MVP-B) Protective Device Coordination
8.3-9c Penetration Protection - Pressurizer Heaters
8.3-9d Penetration Protection - Containment Cooling Fan Motors
8.3-9e Penetration Protection - "Normal/Emergency" 208Y/120 VAC Service
8-iv Amendment No. 18 (01/08)
8.0 ELECTRICAL SYSTEMS
8.1 INTRODUCTION
8.1.1 GENERAL
Florida Power & Light Company (FP&L) supplies electric service to most of the territory along the east and lower west coasts of Florida, including the Cape Canaveral area, the agricultural area around southern and eastern Lake Okeechobee, and portions of central Florida. St. Lucie Unit 2 supplies power to the FP&L transmission system which is shown on Figure 8.1-1. The transmission system provides power to the plant for operation of the plant onsite auxiliary power system during start-up, or for plant operation, shutdown or accident conditions. The St. Lucie switchyard is connected to the existing FP&L network at Midway Switching Station and/or Treasure Substation and from there north and south to other FP&L power plants and to neighboring utilities through multiple lines. Figures 8.1-1 and 8.1-2 are retained for historical purposes to depict FP&L's transmission system at the time of plant license. Technical Specifications provide the minimum requirement for offsite AC sources.
The FP&L transmission grid is interconnected with utility members of the Florida Electric Power Coordinating Group, Inc. (FCG), which is a non-profit association of investor-owned, municipally-owned, and cooperatively-owned electric utilities engaged in the business of providing the majority of electric power to the public in the State of Florida. For a description of the Offsite and Onsite Power Systems, see Sections 8.2 and 8.3, respectively.
8.1.2 CRITERIA, CODES AND STANDARDS
The electrical systems and equipment for the plant which are safety related are designed, manufactured, tested, installed and maintained to meet the requirements of the applicable General Design Criteria and in accordance with IEEE Standards as modified by the following Regulatory Guides.
Wherever alternative approaches are used to meet the intent of some specific recommendations of Regulatory Guides and IEEE Standards, the method of attaining an acceptable level of safety is found in the discussion of these documents in Subsections 8.3.1.2 and 8.3.2.2.
a) General Design Criteria
Compliance with the applicable General Design Criteria is discussed in Sections 3.1 and 8.3.
b) Regulatory Guide Implementation
Section 1.8 discusses how the effective dates of the Regulatory Guides discussed below were selected. For a discussion with respect to conformance and alternative approaches to Regulatory Guides refer to the subsection(s) referenced after each Regulatory Guide.
UNIT2 8.1-1 Amendment No. 23 (04/16)
Regulatory Guide 1.6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems," 3/71 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.9, "Selection of Diesel Generator Set Capacity for Standby Power Supplies," 3/71 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," 2/72 (R0)
See Subsections 7.1.2.2 and 8.3.1.2
Regulatory Guide 1.29, "Seismic Design Classification," 2/76 (R2)
See Subsection 8.3.1.2
Regulatory Guide 1.30, "Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment," 8/72 (R0)
See Subsections 8.3.1.2 and 7.1.2.2.
Regulatory Guide 1.32, "Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants," 8/72 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.40, "Qualification Tests of Continuous-Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants," 3/73 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.41, "Preoperational Testing of Redundant On-Site Electric Power Systems to Verify Proper Load Group Assignments," 3/73 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," 5/73 (R0)
See Subsections 8.3.1.2 and 7.1.2.2.
Regulatory Guide 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," 6/73 (R0)
See Subsections 8.3.1.2 and 7.1.2.2.
8.1-2 Amendment No. 18 (01/08)
Regulatory Guide 1.62, "Manual Initiation of Protective Actions," 10/73 (R0)
See Subsections 8.3.1.2 and 7.1.2.2.
Regulatory Guide 1.63, "Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants," 10/73 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.73, "Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants," 1/74 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.75, "Physical Independence of Electric Systems," 1/75 (R1)
See Subsections 8.3.1.2 and 7.1.2.2.
Regulatory Guide 1.81, "Shared Emergency and Shutdown Electric Systems for Multi-Unit Nuclear Power Plants," 1/75 (R1)
See Subsection 8.3.1.2
Regulatory Guide 1.89, "Qualification of Class 1E Equipment for Nuclear Power Plants," 11/74 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.93, "Availability of Electric Power Sources," 12/74 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.100, "Seismic Qualification of Electrical Equipment for Nuclear Power Plants," 3/76 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.106, "Thermal Overload Protection for Electric Motors on Motor-Operated Valves," 3/77 (R1)
See Subsection 8.3.1.2
Regulatory Guide 1.108, "Periodic Testing of Diesel Generators Used as Onsite Electric Power Systems at Nuclear Power Plants," 8/76 (R0)
See Subsection 8.3.1.2
8.1-3 Amendment No. 21 (11/12)
Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems," 6/76 (R0)
See Subsections 8.3.1.2 and 7.1.2.2
Regulatory Guide 1.128, "Installation Design and Installation of Large Lead Storage Batteries for Nuclear Power Plants," 4/77 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.129, "Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Nuclear Power Plants," 4/77 (R0)
See Subsection 8.3.1.2
Regulatory Guide 1.131, "Qualification Tests of Electric Cables, Field Splices, and Connections for Light-Water-Cooled Nuclear Power Plants," 8/77 (R0)
See Subsection 8.3.1.2
IEEE 387, "IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations" (1972)
See Subsection 8.3.1.2
8.1-4 Amendment No. 18 (01/08)
[Map: SUBSTATION AND TRANSMISSION SYSTEM, MIAMI - PALM BEACH AREA. Legend: transmission lines (500 kV, 240 kV, 138 kV, 115 kV, 69 kV, underground cable, interconnection, transmission service, under construction); generating plants and substations. Notes: (1) limited by transformer capacity; (2) 240 kV construction, 138 kV operation; (3) 240 kV construction, 115 kV operation; (4) 240 kV construction, 69 kV operation; (5) 138 kV construction, 69 kV operation; (6) 115 kV construction, 69 kV operation; (7) 500 kV construction, 240 kV operation.]
[Map of the Florida electric system, title block illegible; same legend and notes as above, with 69 kV or less generally omitted except as required to interconnect systems or major facilities, and distribution substations omitted south of Ranch Substation.]
8.2 OFFSITE POWER SYSTEM
8.2.1 DESCRIPTION
The major components of the Offsite Power System are the:
a) Transmission lines between the utility grid and the switchyard
b) Switchyard
c) Plant Generation System, consisting of the:
1) Generator
2) Generator main leads
3) Main transformer
d) Unit Auxiliary Transformers
e) Startup Transformers
f) Auxiliary Switchgear
g) Medium Voltage Non Segregated Phase Bus
The functions of the Offsite Power Systems are:
a) to provide startup auxiliary power;
b) to provide alternate power sources for the auxiliary loads;
c) to provide a preferred power source for the safety related electrical equipment during an emergency.
8.2.1.1 Transmission Lines Between the Utility Grid and the Switchyard
There are two separate 230 kV(1) transmission circuits, Midway 1 and 2, connecting the St. Lucie switchyard to the system transmission grid at Midway Substation, and a third 230 kV(1) circuit connects to Treasure Substation. These circuits are on three separate transmission lines and are located parallel to each other to within 9 miles of PSL. At that point Midway 1 & 2 continue to the Midway Substation for a total length of approximately 11.7 miles. The Treasure line heads toward Treasure Substation from the 9 mile mark for another 1.5 miles, making its total length approximately 10.5 miles. Each transmission circuit connecting the St. Lucie switchyard and the Midway Station is rated 952 MVA and is capable of handling the total plant output of St. Lucie Units 1 or 2. Each transmission line is also adequately sized to simultaneously handle the combined safe shutdown loads of one unit and the accident mitigation loads of the other unit. The estimated load in the event that one unit is at the initial point of orderly shutdown while the second is mitigating a design basis event is approximately 68 MVA or 7.1 percent of one transmission line capacity. The lines are spaced so that one tower and line cannot fall into another line. Each transmission line has two overhead ground wires along with driven grounds at each tower and structure. The three transmission lines are basically duplicates and are comprised of an Indian River crossing section and a mainland overland section.
(1) In the past, FP&L's 230 kV system was referred to as 240 kV; therefore, some engineering documents may still refer to 240 kV.
UNIT2 8.2-1 Amendment No. 23 (04/16)
The Indian River crossing sections are 2.1 miles in length and are supported on steel towers. These transmission lines are spaced with the centerlines of the three lines 200 feet apart and they have spans up to 2005 feet in length. Each phase of these lines consists of a single 3400 kc mil conductor. The overland sections are 9.6 miles in length and are supported on concrete structures. These sections of the transmission lines are spaced with the centerlines of the three lines 100 feet apart and they have spans up to 700 feet in length. The concrete structures rise 60 to 80 feet above ground. Each phase of these lines consists of two bundled 1691 kc mil conductors.
8.2.1.2 Switchyard
A five bay 230 kV (nominal) switchyard provides switching capability for two main generator outputs, four startup transformers, three outgoing transmission lines, and one distribution substation.
The three outgoing lines identified as Midway 1, 2 and Treasure terminate at the pull-off towers for switchyard Bays 1A east, 2 - west and 3 - west, respectively. The "Loop" feeds (two lines) for the Hutchinson Island distribution substation are fed from Bay 4. The plant switchyard one line diagram is shown on Figure 8.2-1. The main generators for both St. Lucie Units 1 and 2 produce power at 22 kV which is transformed up to 230 kV nominal and enters the switchyard through overhead lines to the east pull-off tower in Bays 1 and 3, respectively. The east pull-off tower in Bay 2 supplies power via a single over-head line to startup transformers 1A and 2A, located in the St. Lucie Unit 1 transformer yard. The east pull-off tower in Bay 4 supplies power via a single over-head line to startup transformers 1B and 2B, located in the St. Lucie Unit 2 transformer yard.
Either set of startup transformers can be fed from any one of the incoming transmission lines.
8.2.1.3 Plant Generation System The main generator is directly connected through a 22 kV, 33,200 ampere isolated phase bus to the main transformers, where it is stepped up to 230 kV and then tied to bays of the switchyard. The main generator is a 1200 MVA Westinghouse generator which provides power to the offsite transmission network. The main generator data are given in Table 8.2-1. The generator isolated phase bus is forced air cooled and is rated for full unit output with both main transformers in service. Two 100 percent capacity sets of cooling equipment are provided. UNIT2 8.2-2 Amendment No. 23 (04/16)
The main transformer bank consists of two, three-phase transformers, 635 MVA each, oil directed air forced (ODAF) at 55°C temperature rise, connected in parallel with independent cooling equipment for each transformer.
8.2.1.4 Unit Auxiliary Transformers
Two unit auxiliary transformers are rated 21/28/35/39.2 MVA oil air/forced oil and air/forced oil and air at 55°C rise/forced oil and air at 65°C rise (OA/FOA/FOA at 55°C/FOA at 65°C) double secondary winding, 20.9-6.74-4.16 kV. The 6.74 kV secondary is rated 12.6/16.8/21/23.5 MVA, OA/FOA/FOA at 55°C/FOA at 65°C; the 4.16 kV secondary is rated 8.4/11.2/14/15.7 MVA, OA/FOA/FOA at 55°C/FOA at 65°C. The unit auxiliary transformer primary side is fed from a tap of the generator main leads and under normal conditions provides the bulk of the auxiliary power to the 6.9 kV and 4.16 kV buses.
8.2.1.5 Startup Transformers
Each Startup Transformer (SUT), 2A and 2B, is rated 21/28/35/39.2 MVA: SUT 2A - oil air/forced air/forced oil and air at 55°C rise/forced oil and air at 65°C rise (OA/FA/FOA at 55°C/FOA at 65°C); SUT 2B - oil air/forced oil air (one cooling bank)/forced oil air at 55°C rise (both cooling banks)/forced oil air at 65°C rise (both cooling banks) (OA/FOA/FOA at 55°C/FOA at 65°C), double secondary winding, 230-6.9-4.16 KV. The SUT 2A 6.9 KV secondary is rated 12.6/16.8/21.0/23.6 MVA and 4.16 KV secondary is rated 8.4/11.2/14.0/15.7 MVA, OA/FA/FOA at 55°C rise/FOA at 65°C rise. The SUT 2B 6.9 KV secondary is rated 12.6/16.8/21.0/23.52 MVA and 4.16 KV secondary is rated 8.4/11.2/14.0/15.68 MVA, OA/FOA (one cooling bank)/FOA at 55°C rise (both cooling banks)/FOA at 65°C (both cooling banks). The startup transformers do not perform a safety function and are not safety-related. During normal plant operation each of the two startup transformers is in standby and is available to provide offsite (Preferred) power. The startup transformers are sized to accommodate the auxiliary loads of the unit under any operating conditions, including the orderly shutdown and cooldown, or the mitigation of design basis accident (DBA) loads.
Each set of startup transformers (1A-2A, 1B-2B) is provided with a manual switching arrangement which permits paralleling 4.16 kV power to St. Lucie Units 1 and 2 under administrative control. In the event one of the four startup transformers has to be removed from service for repair, the 4.16 kV power to both St. Lucie Units 1 and 2 could be paralleled to facilitate continued operation of both units. A single startup transformer is adequately sized to accommodate the auxiliary loads of either unit for a postulated DBA when aligned as described above (6.9 kV loads are not required for plant shutdown). However, if a startup transformer in the above alignment is required to provide offsite power to one of the units, administrative and operator procedures would be developed to limit load sufficiently to prevent overloading the startup transformer or exceeding the short circuit rating of the switchgear. If it should ever be necessary to align one startup transformer to supply 4.16 kV power to both units, appropriate operating procedures would be developed to assure that the startup transformer is not overloaded should an accident condition arise.
8.2-3 Amendment No. 21 (11/12)
Furthermore, should all preferred power be lost, both St. Lucie Units 1 and 2 have their own 100 percent capacity redundant diesel generator sets which are available for safe shutdown.
8.2.1.6 Auxiliary Switchgear
The 6.9 kV and 4.16 kV switchgear, located in the Turbine Building switchgear rooms, receive power from the unit auxiliary or startup transformer and distribute power to non-safety related loads and the Onsite Power System. Two 6.9 kV (2A1 and 2B1) and two 4.16 kV (2A2 and 2B2) buses are provided. Each bus is rated 2000 amps and 3000 amps respectively. Each of the eight medium voltage non-segregated bus ducts is connected to a bus through a drawout, metal-clad circuit breaker. Circuit breakers are electrically operated by 125V dc control power supplied by the battery system (Subsection 8.3.2). Control Room and local electrical closing and tripping are provided. The breakers may be withdrawn from the "operate" (or "normal") position to the "test" and "withdrawn" positions. In the "withdrawn" position, the breaker is completely disconnected from the ac and dc systems and may be inspected and tested. The incoming breakers are arranged for automatic operation under control of the bus transfer scheme. In the "test" position, local electrical operation is possible, but the main power circuit is not completed when the breaker closes.
Breaker positions and status are indicated in the control room and at the switchgear.
8.2.1.7 Medium Voltage Non-Segregated Phase Bus
The eight medium voltage transformer windings (two each for the two startup and the two unit auxiliary transformers) are connected to the plant distribution system auxiliary switchgear through non-segregated bus ducts rated 2000 amps and 3000 amps. The 4.16 kV bus is rated 60 kV BIL and the 6.9 kV bus is rated 95 kV BIL.
8.2-4 Amendment No. 18 (01/08)
8.2.2 ANALYSIS
8.2.2.1 Switchyard and Grid
The requirements of General Design Criterion 17, "Electric Power Systems", are satisfied by the following:
1) The network interconnections consist of three transmission lines. Any circuit may be interrupted with the remaining two circuits being capable of carrying the full output of the station.
2) Although the switchyard is common to all three transmission lines, each line terminates in a separate bay and can be connected to either of two separate buses. Failure of the equipment in one bay does not result in loss of more than one transmission line. No lines are lost due to a failure to one of the buses.
3) A single breaker failing to trip does not result in loss of both lines to the startup transformers, because there are always at least two breakers in series between the two lines.
4) The three single 230 kV lines crossing the Indian River are designed to withstand hurricane winds of 153 mph; the lines west of the river are designed for winds of 140 mph. With a spacing of 200 ft. between the river towers, 173 ft. above mean sea level, and a spacing of 126 ft. between the 80 ft. high towers on land, the failure or collapse of one structure does not affect the other lines.
5) The 230 kV system is protected from lightning and switching surges by overhead electrostatic shield wire and surge protection equipment.
6) The switching arrangement in the 230 kV switchyard includes two full capacity main buses which are tied to the generator, startup transformers and outgoing transmission lines through circuit breakers connected to each bus. Protective features provide reliable protection for isolation of faults to ensure continuity of power supply from alternate sources. The protective relay system includes high speed primary and secondary relaying. For each of the three 230 kV lines the primary and secondary relaying consists of phase and ground distance relays. Primary and secondary bus differential relaying, and backup protection for breaker failure to trip, is also provided. These provisions permit the following:
(a) Any circuit can be switched under normal conditions without affecting another circuit.
(b) Any single circuit breaker can be isolated for maintenance without interrupting the power or protection to any circuit.
8.2-5 Amendment No. 20 (05/11)
(c) Short circuits in a single main bus are isolated without interrupting service to any circuit.
(d) Short circuit failure of a single bay breaker does not result in the permanent loss of any transmission line or any startup transformer.
(e) Physical independence of power for the startup transformers is achieved by separating their switchyard 230 kV connections in two different bays. Each bay consists of separate circuit breakers and associated equipment to connect the startup transformers with the two main 230 kV buses. Two spatially separated over-head lines are used to supply power to the startup transformers (one line for startup transformers 1A and 2A in the Unit 1 transformer yard, and one line for startup transformers 1B and 2B in the Unit 2 transformer yard).
The offsite electrical grid is common to St. Lucie Units 1 and 2. See Section 8.2.2 of the St. Lucie Unit 1 UFSAR for the electrical grid transient stability analysis.
8.2-6 Amendment No. 21 (11/12)
THESE PAGES ARE LEFT INTENTIONALLY BLANK 8.2-7/8.2-8 Amendment No. 17 (12/06)
8.2.2.2 Transmission Lines and In-Plant Equipment
The requirements of General Design Criterion 17 are satisfied by the following:
a) Two physically independent circuits are provided for offsite power. Although in the same right of way, the two Startup Transformer lines are spaced sufficiently far apart, such that a failing tower cannot involve the other over-head line.
b) All circuits are normally energized so that either is available immediately to provide sufficient power to assure that fuel design and reactor coolant pressure design limits are not exceeded, assuming loss of all onsite power.
8.2-9 Amendment No. 12 (12/98)
THESE PAGES ARE LEFT INTENTIONALLY BLANK 8.2-10/8.2-11
c) The transformers associated with the Offsite Power System are provided with a Fire Protection System. They are located sufficiently far apart so as to prevent any damage that may occur in one transformer from occurring in any other transformer. Two generator transformers when paralleled on both HV and LV sides, comprise in effect a single unit. A three hour rated fire wall is used to separate these two transformers rather than distance alone.
d) The two Startup Transformer line connections are electrically separated by at least two circuit breakers in series, at the switchyard. Two breakers would have to fail to trip in order for a fault in one line to involve the other.
The requirements of General Design Criterion 18 are satisfied by the following:
a) Each transmission line may be tested for operability and functional performance independently of the other. The lines are physically and electrically independent.
b) Transfer of power between the startup and the unit auxiliary transformers is provided by inplant equipment (not at the switchyard) and may be initiated by the plant operator at any time the unit is on line. The "live bus" power transfer between the unit auxiliary and the startup transformers (and vice-versa) as described in Subsection 8.3.1.1.1, is demonstrated and exercised periodically when the plant is started up and shut down. This serves as adequate basis to verify the proper operation of the transfer breakers and associated equipment. The "fast dead bus" power transfer from the unit auxiliary transformer to the startup transformer (only a one-way transfer) as described in Subsections 8.3.1.1.1 and 8.3.1.1.2(d) is tested on 18 month intervals.
Amendment No. 18 (01/08)
8.2.2.3 Grid Availability
FP&L serves approximately 200 municipalities and over 30 counties in the state of Florida. The company's existing generating facilities consist of thirteen generating plants distributed geographically around its service territory. These plants are tied into a system wide transmission network, sometimes referred to as a grid, the purpose of which is to transport energy from the generating plants to the load areas and to assure system reliability. FP&L operates approximately 4,600 circuit miles of transmission lines. Figure 8.2-12 is a one line representation showing FP&L's transmission network interconnections and load flow. As of January 1998, the FP&L transmission system, which ties the various areas of its service territory, is composed of 1107 miles of 500 kV and 2228 miles of 230 kV lines. The underlying network is composed of 1454 miles of 138 kV, 672 miles of 115 kV, and 177 miles of 69 kV transmission lines.
FP&L is directly interconnected with nine other Florida utilities, both public and private, which have significant generating capacity. FP&L maintains 14 normally closed interconnections and two normally open interconnections. Included in the normally closed interconnections are one 11.5 kV and two 230 kV interconnections with Progress Energy, which in turn has interconnections outside Florida: one 230 kV and four 115 kV ties to Georgia Power Company, and one 230 kV tie to Gulf Power Company. FP&L is also directly interconnected with Georgia Power Company via one 230 kV tie between Yulee (FP&L) and Kingsland (GPC) and two 500 kV ties between Duval (FP&L) and Plant Hatch (GPC).
Historically, the present 230 kV built transmission system has provided a reliable grid. All outages on the 230 kV system from January 1975 through December 1978 were investigated and classified as either instantaneous or sustained.
An instantaneous outage is defined as an outage in which the line breakers are tripped and reclosed re-energizing the circuit in a total elapsed time of 30 cycles or less. From historical data, the average frequency of instantaneous outages on the FP&L 230 kV transmission system is 6.25 outages per year per 100 circuit miles. The cause of these outages has been primarily lightning.
A sustained outage is defined as an outage due to a permanent fault which requires "manual" reclosing after the fault is corrected and the line is restored to the operating condition. Usually there is some sort of damage associated with permanent faults which requires repairs to the particular transmission circuit. The recorded frequency rate for sustained outages has averaged 2.56 outages per year per 100 circuit miles from January 1975 through December 1978. The average duration of these sustained outages has been 86 minutes. The causes of sustained outages have been varied; some are due to broken lightning arrestors, some to broken insulators, and some to broken conductors.
8.2-13 Amendment No. 18 (01/08)
In addition to those sustained outages which are localized in their impact, there have been several system outages that have impacted the grid as a whole. Table 8.2-2 summarizes these outages noting their impact at the time of occurrence.
8.2.2.4 Response to Generic Letter 2006-02
Generic Letter (GL) 2006-02, Grid Reliability and the Impact on Plant Risk and the Operability of Offsite Power, was issued to determine if compliance is being maintained with NRC requirements governing electric power sources and associated personnel training. The GL requested information in four areas: (1) use of protocols between the nuclear power plant (NPP) and the transmission system operator (TSO), independent system operator (ISO), or reliability coordinator/authority (RC/RA) and the use of transmission load flow analysis tools (analysis tools) by TSOs to assist NPPs in monitoring grid conditions to determine the operability of offsite power systems under plant technical specifications (TSs); (2) use of NPP/TSO protocols and analysis tools by TSOs to assist NPPs in monitoring grid conditions for consideration in maintenance risk assessments; (3) offsite power restoration procedures in accordance with Section 2 of NRC Regulatory Guide (RG) 1.155, "Station Blackout;" and (4) losses of offsite power caused by grid failures at a frequency equal to or greater than once in 20 site-years in accordance with RG 1.155.
FPL provided response to GL 2006-02 in letter L-2006-073. The response included, in part, discussion of the formal interface agreement between St. Lucie and the FPL Transmission System Operator (TSO) as well as the associated implementing procedures, the TSO contingency analysis program, related operator and Work Control personnel training, offsite power operability declarations and entry into applicable Technical Specification action statements upon notification of potential degraded grid conditions, consideration of potential grid degradation/instability in the performance of risk assessments required by 10 CFR 50.65(a)(4), and compliance with GDC 17, Electric Power Systems.
8.2-13a Amendment No. 17 (12/06)
TABLE 8.2-1 MAIN GENERATOR DATA
Parameter | Value |
---|---|
Rating, MVA | 1200 |
Power factor | 0.9 |
Voltage, kV | 22 |
Frequency, Hz | 60 |
Speed, rpm | 1800 |
Hydrogen pressure, psig | 75 |
Synchronous reactance* | 200.78 |
Transient reactance* | 46.98 |
Subtransient reactance* | 30.85 |
* Percent on rated base kVA and kV.
8.2-14 Amendment No. 20 (05/11)
TABLE 8.2-2 MAJOR SYSTEM DISTURBANCES (1973 - 1982)
Date | Causes | Result |
---|---|---|
April 3 & 4, 1973 | Loss of Turkey Point 3 followed by the loss of Port Everglades 3 & 4 due to the incorrect action of underfrequency relays. | 3400 MW load lost (blackout) (FPL) |
June 23, 1973 | Permanent fault on the Dade-Flagami 138 kV line and subsequent pumping (multiple reclosing) of Flagami breaker. | 2300/2972 MW load shed (FPL/State) |
March 1, 1974 | Loss of Turkey Point 3 & 4 due to voltage regulator problems. | 200/390 MW load shed (FPL/State) |
April 25, 1974 | Transformer fault at Turkey Point tripped Turkey Point 3 & 4. | 850/1460 MW load shed (FPL/State) |
June 28, 1974 | Single phase ground fault on Laudania-Port Everglades 230 kV circuit and slow (42 cycle) clearing resulted in loss of Turkey Point 3 & 4 due to low voltage trip. | 2250 MW load lost (FPL) |
May 16, 1977 | Loss of Turkey Point 3 and a fault on the Ft. Myers-Ranch 230 kV line (Orange River-Andytown 500 kV, not in service at the time). | 3200 MW load lost (blackout) (FPL) |
May 14, 1978 | St. Lucie-1 down for refueling. A fault on the Midway-Ranch 230 kV circuit and an incorrect relay action at Midway resulted in the de-energization of Midway Substation. | 150 MW load lost. St. Lucie-1 automatically shifted to onsite power. |
April 4, 1979 | Salt spray contamination causes all seven lines out of Turkey Point to trip, causing a loss of 1133 MW of generation. | 470/451 MW load shed (FPL/State) |
April 20, 1981 | Low frequency system oscillations cause Manatee #1 & #2 to pull out-of-step. TECO's Big Bend #2 also tripped. 1733 MW of generation lost. | 1479/2463 MW load shed (FPL/State) |
8.2-15 Amendment No. 20 (05/11)
SL2-FSAR
TABLE 8.2-2 (Cont'd)
Date | Causes | Result |
---|---|---|
April 29, 1982 | Loss of Turkey Point #3 & #4 and subsequent tripping of Cape Canaveral #1 & #2. | 2144 MW load shed (FPL) |
8.2-15a Amendment No. 11, (7/82)
[Figure: one-line diagram. Legible labels: WEST 240kV BUS and EAST 240kV BUS; lines TO MIDWAY NO. 1, NO. 2 and NO. 3, TO HUTCHINSON ISLAND and TO DISTRIBUTION; bays feeding START-UP TRANSFORMERS 1B, 2B and MAIN TRANSFORMER BANK #2, and START-UP TRANSFORMERS 1A, 2A and MAIN TRANSFORMER BANK #1.]
Figures 8.2-2a through 8.2-8b have been deleted. Amendment No. 17 (12/06) FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 FIGURE 8.2-2a
[Figure 8.2-2b: 1998 Grid Stability Analysis, Case 1. Two panels, FREQUENCY and MW FLOW CKTS. 1, 2, AND 3, each plotted against TIME (SECONDS); plots dated FRI, MAY 22 1998 10:20.]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 1998 GRID STABILITY ANALYSIS CASE 1 Amendment No. 12 (12/98) FIGURE 8.2-2b
[Figure 8.2-12: Load Flow. One-line diagram of the transmission network; plotted flow values not recoverable.]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 LOAD FLOW FIGURE 8.2-12
[Figure 8.2-12: Load Flow, copy marked AMENDMENT NO. 9. One-line diagram of the transmission network; plotted flow values not recoverable.]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 LOAD FLOW FIGURE 8.2-12
8.3 ONSITE POWER SYSTEM
The Onsite Power System one line diagrams are shown on Figures 8.3-1, 8.3-1a, 8.3-2 and 8.3-3.
8.3.1 AC POWER SYSTEMS
8.3.1.1 Description
8.3.1.1.1 General
The preferred source of auxiliary ac power for plant startup and shutdown is from the incoming offsite transmission lines, through the plant switchyard and startup transformers. The startup transformers step down the 230 kV incoming line voltage to 6.9 kV and 4.16 kV for auxiliary system use. During plant operation, ac power is provided from the main generator through the unit auxiliary transformers. Each unit auxiliary transformer is rated 21/28/35 MVA, OA/FA/FOA at 55 C rise, double secondary, 20.9-6.74/4.16 kV. The 6.74 kV secondary is rated 12.6/16.8/21 MVA; the 4.16 kV secondary is rated 8.4/11.2/14 MVA, all at 55 C rise. Each unit auxiliary transformer has a 65 C rating of 39.2 MVA.
Preferred (offsite) power from the start-up transformers, or from the unit auxiliary transformers, is distributed by two 6.9 kV buses (2A1 and 2B1) and by two 4.16 kV buses (2A2 and 2B2). The 6.9 kV buses serve only motors rated above 4000 hp; the 4.16 kV buses supply motors rated from 250 to 4000 hp, as well as all remaining motors and other loads through 4160-480 volt load centers and motor control centers (MCCs). Power is also distributed from the two 4.16 kV buses 2A2 and 2B2 to the safety related 4.16 kV buses 2A3 and 2B3, which supply all safety related loads as described below.
Transfer of the 6.9 kV or 4.16 kV auxiliary buses between the unit auxiliary and startup transformers is initiated by the operator from the control room. Routine bus transfers used on startup or shutdown of a unit are "live bus" transfers, i.e., the incoming source feeder circuit breakers are momentarily paralleled with the running source feeder circuit breakers. This results in transfers without power interruption. Bus transfers, initiated automatically by protective relay action, are "fast-dead" bus transfers. A "fast-dead" bus transfer is accomplished by simultaneously tripping the auxiliary transformer secondary circuit breakers and closing the startup transformer secondary breakers. The approximate dead time is of three cycles duration. See Subsections 8.3.1.1.2(d) and 8.2.2.2 for additional information regarding the operation and testing of the "fast dead" bus transfer.
Each of the startup transformers and each emergency diesel generator has sufficient capacity to supply the safety related loads for safe plant shutdown or to mitigate the consequences of a design basis accident.
8.3-1 Amendment No. 20 (05/11)
In the event of a loss of the preferred power sources, station onsite power is supplied by the onsite emergency diesel generators and station batteries.
a) 6.9 kV System
Two 6.9 kV buses 2A1 and 2B1 are provided, each supplied from a unit auxiliary or alternatively from a startup transformer. Each 6.9 kV bus serves two reactor coolant pump motors and one steam generator main feedwater pump motor. The 6.9 kV buses are quality related because inclusion of reactor coolant pump (RCP) discussion in Technical Specifications requires components associated with the circuit-path to provide power to the RCPs from offsite power to be considered quality related. Hence, they do not require backup from the emergency power system. The buses are rated at 2000 amps and are provided with 2000 amp incoming breakers and 1200 amp outgoing breakers, all with 500 MVA interrupting capacity. The buses are protected by differential relays which also protect the breakers. Incoming breakers are also protected by overcurrent relays and additional backup relaying has been added to trip the corresponding supply transformer breaker if any of the incoming breakers fail to open on faults. These breakers are tripped for bus overloads and short circuits. Short circuit tripping occurs only if a fault relay detection operates concurrently.
The motors connected to these buses are protected by differential, short circuit and locked rotor relay devices. These devices are selectively set to trip the individual motor feeder in the event of a fault downstream of the motor breaker. Alarms are provided for motor overloads. The neutrals of the 6.9 kV system are grounded through grounding transformers and current limiting resistors which enable the system to operate safely, if a ground should occur, until the grounded equipment is located and is removed from service.
b) 4.16 kV System
The 4.16 kV system consists of non-safety and safety related buses. Non-safety buses, 2A2 and 2B2, provide power to loads which are nonsafety related. The two non-safety buses receive power directly from either the unit auxiliary or startup transformers. Safety related loads are powered from the safety related buses. The safety portion of the 4.16 kV system is arranged into two redundant load groups designated as load group A and load group B. Each of these load groups consists of the complement of safety related equipment needed to achieve safe plant shutdown and/or to mitigate the consequences of a design basis accident. Additional safety related equipment (e.g., the third component cooling water and intake cooling water pump motors) are arranged to function as a "third service" (swing) load group AB. This load group consists of equipment which can be used for backup or replacement purposes to the equipment in either of the main redundant load groups A or B. Load group A is powered by safety bus 2A3 and load group B is powered by safety bus 2B3. Load group AB is powered by safety bus 2AB.
8.3-2 Amendment No. 20 (05/11)
The 4.16 kV safety related buses are of indoor, three phase, metalclad construction, with drawout BF6 circuit breakers. The 4.16 kV non-safety buses 2A2 and 2B2 are rated 3000 amps and are provided with 3000 amp incoming breakers of 350 MVA interrupting capacity. Safety buses 2A3, 2B3, and 2AB are rated 1200 amps. The incoming feeder breakers of 2A3 bus and outgoing breakers of 2A3 and 2A2 are 1200 amps, 250 MVA interrupting capacity and 80,000 amp momentary. The incoming feeder breakers of 2B3 and 2AB buses and the outgoing breakers of 2B2, 2B3 and 2AB 4.16 kV buses are 1200 amps, 350 MVA interrupting capacity and 132,000 amp momentary duty. Relay protection is similar to the 6.9 kV buses except that no motor differential protection is used. Backup relaying to trip preferred or normal power sources is provided on bus 2A2 and 2B2 only. The neutrals of the 4.16 kV system are grounded through grounding transformers and current limiting resistors which enable the systems to operate safely if a ground should occur, until the grounded equipment is located and is removed from service.
The safety related circuit breakers operate from 125V dc control power which is supplied by the safety related protection of the 125V dc system of the appropriate division (A or B) as described in Subsection 8.3.2.1. Control power for the non-safety related system is obtained from the safety related dc panels through qualified isolation devices. The safety related 4.16 kV switchgears are located within switchgear rooms in the Reactor Auxiliary Building which is a seismic Category I structure and is protected from potential missile hazards. Physical separation is maintained in the location and installation of the switchgear for the respective redundant systems.
Upon a loss of the preferred power source, the tie breakers between the non-safety and safety buses automatically open, and the emergency diesel generators automatically start, are brought to speed and begin supplying power directly to the emergency buses. The pressurizer heater transformers and CEDM cooling fan motors, which are nonsafety related loads, are supplied from the 4.16 kV safety buses. The loads are tripped from these buses upon loss of offsite power and can only be reconnected to the buses manually. The diesel generator automatic starting and loading sequence is discussed further in Subsection 8.3.1.1.2h.
In the unlikely event of a total loss of AC power, both onsite and offsite (Station Blackout), and a loss of one EDG on St. Lucie Unit 1, power can be provided to one of the Unit 2 Class 1E redundant divisions from the only available site EDG set. The power will be transferred via a cross-tie connecting the safety-related swing switchgear (1AB and 2AB) of the two units. The power transferred will be used to augment the DC coping program, i.e., to power battery chargers, UPS and other selected equipment until conclusion of the blackout. The cross-tie may also be used to transfer offsite power, if available, from Unit 1 to Unit 2. Station Blackout is further discussed in subsection 8.3.1.1.2p. Each safety related 4.16 kV breaker can be electrically operated from the control room by the operator or is automatically operated in conjunction with the diesel generator loading sequence on loss of preferred power. Breaker operation locally at the switchgear for hot shutdown is also possible by manual operation of the isolation switch also mounted on the switchgear. In the "test" position, breaker local electrical operation is possible, but the main power circuit is not completed when the breaker closes. Breaker status is indicated by red (closed) and green (tripped) indicating lights in the control room and at the switchgear. These lights also indicate that the breaker is in the operating position. 8.3-3 Amendment No. 18 (01/08)
The 4.16 kV safety-related distribution equipment including the raceway system is designed to meet the seismic requirements for Class 1E electric equipment as discussed in Section 3.10. The environmental qualification for the safety-related equipment is discussed in Section 3.11.
c) 480 Volt System
The arrangement of the 480 volt system is similar to that of the 4.16 kV system with buses designated as non-safety or safety. There are two non-safety 480 volt buses each powered by one of the non-safety 4.16 kV buses through a station service transformer. There are no interconnections between the non-safety and safety-related portions of the 480 volt system. There are also two non-safety 480 volt buses fed from individual 750 KVA, 3 phase, 65 °C rise transformers, that feed the pressurizer heaters.
The 480 volt safety-related auxiliary system consists of five power centers, 11 motor control centers (MCCs), safety-related loads and the interconnecting cables and raceway systems. The safety-related portion of the 480 volt system is arranged into redundant load groups A and B served by 480 volt switchgears 2A2, 2A5 and 2B2, 2B5 respectively, with a third service load group AB served by 480 volt switchgear 2AB. Power is transmitted from the 4.16 kV safety switchgears 2A3 and 2B3 through the respective station service transformer to 480 volt buses 2A2, 2A5 and 2B2, 2B5 respectively. The 480 volt switchgear 2AB is normally tied to either one of the redundant safety 480 volt switchgears.
All the AB buses (4.16 kV, 480 volts and 125V dc) are connected to either the corresponding A division or B division at any one time. For example, the operation of the 480 switchgear AB connected to the 480 volt switchgear 2A3 and the 480 switchgear AB connected to the 480 volt switchgear 2B2, is not permitted. Alarms in the control room are provided to alert the operator if the AB buses on all voltage levels are not aligned properly.
480 volt switchgear 2A2, 2A5 and 2B2, 2B5 also feed non-safety-related loads through qualified isolation devices. Physical and electrical separation of the redundant load groups is discussed in Subsections 8.3.1.1.2.f and 8.3.1.2.2. The six 480 volt station service transformers, four safety and two non-safety, are rated 1500/1725 KVA, OA/FA, 55 °C rise and 1680/1932 KVA OA/FA, 65 °C rise, 3 phase, 4160-480 volt delta-wye. 8.3-4 Amendment No. 20 (05/11)
The 480V buses, 2A1, 2B1, 2A2, 2B2, 2A5, and 2B5, are connected to their respective station service transformers through 3000 amp continuous breakers. Each of these buses is split into two sections, connected through a 1600 amp current limiting reactor. The first section, connected to the station service transformer, feeds motors generally between 100 and 250 hp through 800 amp frame continuous / 30,000 amp symmetrical interrupting capacity breakers; the second section feeds 480 volt MCCs and other loads throughout the plant, through 800 amp frame continuous / 30,000 amp symmetrical interrupting capacity breakers. The 480V switchgear bus is rated 50,000 amp symmetrical.
Safety-related 480 volt switchgear 2AB may be connected to either (but not both with the plant in Modes 1, 2, 3 and 4) 480 volt switchgear 2A2 or 480 volt switchgear 2B2 through 1600 amp breakers with delayed trips. There are two breakers in series in each tie. The incoming breakers are electrically interlocked to prevent the 2AB switchgear from being simultaneously connected to switchgear 2A2 and 2B2. The short circuit level of this section is 50,000 amp symmetrical. This section feeds a third charging pump and the safety-related "third service" MCC 2AB through a 600 amp frame breaker for the 2A2 feed through an 800 amp frame continuous / 30,000 amp symmetrical breakers.
The MCCs consist of metal enclosed groups of motor starters, feeder circuit breakers and control devices assembled in a common structure with horizontal and vertical buses. Feeder circuit breakers in MCCs are manual, thermal magnetic trip, molded case units in 100 amp frame size or larger as required. Motor starters are combination type, consisting of a three pole magnetic trip circuit breaker, a magnetic contactor, a three pole thermal overload device, a 480-120V control transformer and control devices. Motor operated valves located inside the containment which have their thermal overloads bypassed are provided with thermal magnetic circuit breakers as part of their starter.
The MCCs except 2AB, 2A9, and 2B9 are fed from the reduced short circuit level sections of the 480 volt buses as explained above. In no case are two redundant pieces of equipment connected to the same motor control center. For both non-safety and safety services, there are two redundant MCCs in each area, each one connected to a redundant 480 volt switchgear. The single exception is the 480V Drumming Station MCC 2A11, which is fed from 480V switchgear 2A1. There is no corresponding (redundant) MCC on the "B" train for this service. This equipment is used to service the Concentrator Bottoms Tank equipment. This (Concentrator Bottoms) is a non-safety related system and is operated on a very infrequent basis. (See Subsection 11.2.2.2 for a description of the Concentrator Bottoms Tank and its associated equipment.)
All 480V bus circuit breakers with the exception of 480V MCCs and power panels operate from 125V dc control power which is supplied by the safety-related 125V dc system of the appropriate division (A or B) as described in Subsection 8.3.2. Control power for the non-safety related system is obtained from the safety-related dc panels through qualified isolation devices (i.e., fuses/breakers, see Subsection 8.3.2.1).
8.3-5 Amendment No. 21 (11/12)
The safety-related power centers and MCCs are located within switchgear rooms in the Reactor Auxiliary Building and within the Diesel Generator and Fuel Handling Buildings, all of which are seismic Category I structures and are protected from potential missile hazards. Physical separation or fire walls are provided for redundant components. For example, power center 2A2 is physically separated from its redundant counterpart, power center 2B2. Likewise, MCCs are separated from their redundant counterparts by physical separation or by walls.
8.3-5a
Each 480 volt switchgear safety related feeder breaker with the exception of the 480 volt feeder breaker for MCCs is electrically operated directly from the control room by the operator. They remain closed to allow operation in conjunction with the diesel generator loading on loss of preferred power (see Subsection 8.3.1.1.2.b). Breaker status is indicated by red (closed) and green (tripped) indicating lights at the control room and/or at the switchgear. These lights also indicate that the breaker is in the operating position. The criteria for the protection and grounding of the 480 volt system are the same as for the 4.16 kV system except where grounding transformers are not utilized.
The 480 volt safety related distribution equipment is designed to meet the seismic requirements for Class 1E electric equipment as discussed in Section 3.10. The environmental qualification for the safety related equipment is discussed in Section 3.11.
In some cases, there are non-safety loads connected to safety MCCs. Wherever this occurs, the MCC bus is split into an essential and a non essential section connected through a bus isolating contactor that automatically opens during an undervoltage condition, thus separating the non emergency loads from these MCCs. These non emergency loads consist of normal lighting, normal power panels, and power receptacles. There also exist certain connections of nonsafety related plant investment loads to safety related portions of the MCCs. These connections are by means of isolation devices, i.e. circuit breakers.
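The alignment rule for the swing (AB) buses described in this subsection can be written as a small checker; this is an added illustration, not plant software or FPL's alarm logic. The names `Tie`, `division_of`, `check_alignment` and `sample_lineups` are hypothetical, the line-ups are constructed, and modelling every voltage level with two series breakers per tie and the Mode 1-4 restriction is an assumption (the text states both only for the 480 volt ties).

```python
from dataclasses import dataclass
from typing import Optional

# AB ("swing") buses named in the text, one per voltage level.
LEVELS = ("4.16 kV", "480 V", "125 V dc")
# Modes in which the text forbids tying 480 V switchgear 2AB to both divisions.
# Applying the same restriction at the other two levels is an assumption.
RESTRICTED_MODES = frozenset({1, 2, 3, 4})


@dataclass(frozen=True)
class Tie:
    """One tie from an AB bus to a division bus (hypothetical model)."""
    first_closed: bool
    second_closed: bool

    @property
    def connected(self) -> bool:
        # Two breakers in series: the tie carries power only if both are closed.
        return self.first_closed and self.second_closed


def division_of(tie_to_a: Tie, tie_to_b: Tie) -> Optional[str]:
    """Return 'A', 'B', 'both' or None for the AB bus at one voltage level."""
    if tie_to_a.connected and tie_to_b.connected:
        return "both"
    if tie_to_a.connected:
        return "A"
    if tie_to_b.connected:
        return "B"
    return None  # AB bus not tied to either division; not judged here


def check_alignment(ties: dict, plant_mode: int) -> list:
    """ties maps level -> (tie to A, tie to B). An empty list means no alarm."""
    alarms = []
    aligned_to = {}
    for level in LEVELS:
        tie_to_a, tie_to_b = ties[level]
        division = division_of(tie_to_a, tie_to_b)
        if division == "both":
            if plant_mode in RESTRICTED_MODES:
                alarms.append(f"{level}: AB bus tied to A and B in Mode {plant_mode}")
        elif division is not None:
            aligned_to[level] = division
    # All AB buses must follow the same division at any one time.
    if len(set(aligned_to.values())) > 1:
        detail = ", ".join(f"{lvl} -> {div}" for lvl, div in aligned_to.items())
        alarms.append(f"AB buses split across divisions: {detail}")
    return alarms


CLOSED = Tie(True, True)
OPEN = Tie(False, False)
HALF = Tie(True, False)  # one series breaker closed, one open


def sample_lineups() -> dict:
    """Constructed line-ups: name -> (ties, plant mode)."""
    on_a = (CLOSED, OPEN)
    on_b = (OPEN, CLOSED)
    return {
        "all_on_A": ({lvl: on_a for lvl in LEVELS}, 1),
        "split": ({"4.16 kV": on_a, "480 V": on_b, "125 V dc": on_a}, 1),
        "both_mode_1": ({"4.16 kV": on_a, "480 V": (CLOSED, CLOSED), "125 V dc": on_a}, 1),
        "both_mode_5": ({"4.16 kV": on_a, "480 V": (CLOSED, CLOSED), "125 V dc": on_a}, 5),
        "half_closed_tie": ({"4.16 kV": on_a, "480 V": (CLOSED, HALF), "125 V dc": on_a}, 1),
    }


if __name__ == "__main__":
    for name, (ties, mode) in sample_lineups().items():
        print(name, check_alignment(ties, mode) or "aligned")
```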
d) 120/208 Volt System
Safety related loads such as Engineered Safety Features process monitoring instrumentation are powered from 120/208 volt panels. Safety related panels are supplied from safety related step down transformers which in turn are fed from a safety related MCC. The 120/208 volt safety related distribution equipment is designed to meet the seismic requirements for Class 1E electric equipment discussed in Section 3.10. The environmental qualification for the safety related equipment is discussed in Section 3.11.
Power is supplied for normal lighting and other plant loads requiring an unregulated power supply by the 120/208 volt system. This system consists of distribution panels and transformers fed from 480 volt MCCs. For further discussion of the plant lighting system, refer to Subsection 9.5.3.
8.3-6 Amendment No. 13, (05/00)
e) Instrument Power Supply System

Four pairs of redundant 120V ac single phase ungrounded instrument buses (2MA, 2MA-1, 2MB, 2MB-1, 2MC, 2MC-1, 2MD, and 2MD-1) provide uninterruptible power to Engineered Safety Features Actuation System (ESFAS) and Reactor Protective System (RPS) instrumentation. Buses 2MA-1, 2MB-1, etc. are extensions of buses 2MA, 2MB, etc. to allow for future expansion of the instrument power supply system. Each bus is supplied separately from an inverter connected to one of the two safety related 125V dc panels described in Subsection 8.3.2. The instrument power buses are located in the Reactor Auxiliary Building. To permit maintenance of any inverter without disabling the corresponding instrument bus, maintenance bypass transformers and voltage regulators are provided for each inverter system.

Each of the four redundant measurement channels of the nuclear instrumentation and Reactor Protective Systems equipment described in Section 7.2 is supplied from a separate bus. Also, each instrumentation channel of the four redundant measurement channels of the Engineered Safety Features Actuation System described in Section 7.3 is supplied from a separate bus. The system is arranged so that any single failure does not prevent the Reactor Protective System and Engineered Safety Features Actuation System from performing their safety functions.

The four instrument inverters are each rated 125V dc - 120V ac (+/- two percent ac), single phase, 10 KVA, 60 Hz (+/- one percent Hz), voltage and frequency regulated and are ungrounded. The maintenance bypass is provided by an Isolimiter for 10 KVA, single phase, 480/120V ac (+/-) ten/two percent, 60 Hz. Isolimiter is a trade name of a unit which is a combination of a transformer and voltage regulator. The instrument power supply system equipment is designed to meet the seismic requirements for Class 1E electric equipment as discussed in Section 3.10.
The environmental qualification for the safety related equipment is discussed in Section 3.11.

In addition to the four instrument buses above, two redundant 120V ac single phase ungrounded buses (PP-266 and PP-267) provide uninterruptible power to the Qualified Safety Parameter Display System (QSPDS). Each bus is supplied separately from a 120 VAC single phase ungrounded instrument bus; PP-266 is fed by 2MC-1 through an isolation transformer and PP-267 is fed by 2MD-1 through an isolation transformer. The QSPDS power buses are located in the Reactor Auxiliary Building. For a description of the dc instrument power supply system refer to Subsection 8.3.2.1.

A total of four non-Class 1E uninterruptible power supplies are provided. Two non-Class 1E uninterruptible power supplies are provided to supply power to non-safety instrumentation and control circuits, communication security, fire detection and radiation monitoring systems. They are both rated 120V +/- two percent ac, 60 Hz, single phase, 20 KVA and 30 KVA respectively. Two additional 20 KVA uninterruptible power supplies are provided for SAS.

8.3-7 Amendment No. 20 (05/11)
f) Standby Power Supply

The Onsite Power Distribution System receives power from either the preferred (offsite) power system (Section 8.2) or from the standby power system (safety related), which consists of two diesel generators, 2A and 2B. Each diesel generator set is rated at 3685 kW, 0.8 power factor, 4.16 kV and is complete with its own air starting system, fuel supply system, and automatic control circuitry. Design data for the diesel generator sets are given in Table 8.3-1.

8.3-7a Amendment No. 14 (12/01)
The generators have open self ventilated frames, Class F insulation and are wye connected with a synchronous revolving field, and static solid state excitation system, capable of carrying full rated load continuously without exceeding temperature rises at 40°C ambient. Each diesel generator is furnished with automatic dc field flashing equipment for quick voltage buildup during the start-up sequence. Each diesel generator set consists of two diesel engines mounted in tandem with a 3800 kW generator coupled directly between the engines.

Each engine in each diesel generator set has a self contained cooling system which consists of a forced circulation cooling water system which cools the engine directly and an air cooled radiator system which removes the heat from the cooling water. The cooling water pump and radiator fan are belt driven from the engine crankshaft. The engine of each diesel generator set has a self contained lube oil system consisting of a lube oil sump located at the base of the engine, an engine driven lube oil pump, piping, and a heat exchanger. The lube oil heat exchanger is served by the diesel generator set cooling water system. No external source of power or other plant systems are required for the diesel generator set lube oil system during emergency operation.

The Diesel Generator Fuel Oil Storage and Transfer System is described in Subsection 9.5.4. The Diesel Generator Cooling Water System, Starting System, and Lubrication System are discussed in Subsections 9.5.5, 9.5.6, and 9.5.7, respectively. The ventilation system provided for each diesel generator room is described in Subsection 9.4.5. The Diesel Generator Combustion Air Intake and Exhaust System is described in Subsection 9.5.8.

Control and monitoring (local and control room) of the diesel generator sets is accomplished through five bay control switchgear that is floor mounted (free standing) in each diesel generator building.
Each of the five bays of the control switchgear has a specific function as briefly described below:

a) Engine control cubicle: The front of this panel contains the necessary relays, lights, switches, annunciator for the proper and complete operation of the engine. The rear section mainly contains the terminal blocks required for the interconnection of engine mounted devices. These devices include pressure and temperature switches, air valves, governor devices, etc.

b) Metering Cubicle: The next section contains the instrumentation and relaying required for the control and protection of the generator. The engine electric governor control unit is also located in this cubicle.

c) Voltage-Regulator-Exciter Cubicle: Meters, protective relays, and voltage regulator controls are mounted on the door of this cubicle. Inside the cubicle is the voltage regulator.

8.3-8 Amendment No. 3, (4/88)
d) Transformer-Reactor Cubicle: EDG 2B - This contains the power transformer and the reactors which are a part of the static exciter. EDG 2A - This contains the power potential transformer and the power chassis which are a part of the static exciter.

e) Potential Transformer and Current Transformer Cubicle: EDG 2B - This contains the exciter current transformers. The main load and generator loads come into this cubicle. EDG 2A - This contains the exciter power current transformers and the droop current transformer. The main cables from the output of the diesel generator come into this cubicle.

Each diesel engine is also provided with an engine mounted terminal box where engine mounted sensors and/or switches are terminated for external connection to devices located in the free standing control panel or switchgear. The controls and instrumentation that are mounted in or on the engine terminal box are listed below (equipment mounted in the cabinet is marked by an asterisk (*)):

AC/DC turbo lube oil pump AC/DC soak back pump contactor Turbo lube oil filter low pressure indicating switch AC/DC soak back pump lube oil low/high pressure indicating switch AC/DC turbo lube oil pump low pressure indicating switch
Engine lube oil pump pressure switch Low engine oil pressure shutdown Engine overspeed switch High crankcase pressure switch Start cutoff backup engine water pressure switch Low engine oil pressure alarm switch
*Engine shutdown reset switch *Engine emergency shutdown switch Engine low lube oil idle pressure switch Engine low standby pressure switch Engine low water pressure switch Motor driven pump discharge header pressure switch Engine driven pump discharge header pressure switch Fuel oil pressure switch Fuel oil level switch Low starting pressure switch *Normal stop pushbuttons Air start cutoff backup pressure switch Low lube oil sump level switch Low lube oil temperature switch High jacket water temperature switch Low water level switch Immersion heater switches *Local start push button *Exhaust temperature monitors *Engine fuel oil transfer relays Governor limit switches UNIT2 8.3-8a Amendment No 23 (04/16)
*Electronic speed switch Immersion heater starters Speed switch magnetic sensor *Engine fuel oil level transfer switches control Electronic governor inductive speed sensor
*Electronic load controller *Digital reference unit Below is the list of items and their function. Also indicated is the effect on the diesel generator in an emergency situation.
- 1) Engine Manual start P/B. The engines can be manually started by means of these pushbuttons. Failure of these pushbuttons has no effect on the diesel running in the emergency mode.
- 2) Safety shutdown reset switch. This switch is used to reset the lockout relay enabling the diesel generator to restart. Failure of these pushbuttons has no effect on the diesel running in the emergency mode.
- 3) Engine Emergency Shutdown Switch. This switch is provided for emergency shutdown of the diesels. During diesel generator emergency operation this switch is bypassed. Failure of this switch during emergency operation has no effect on the diesel generator.
- 4) Normal stop pushbutton. This switch is provided for normal shutdown of the diesel generator. It only shuts down the diesel if the generator breaker is open. During emergency operation the generator breaker is closed. Failure of this pushbutton with the diesel generator in the emergency mode has no effect on the diesel generator.
- 5) Fuel oil transfer relays and fuel oil level transfer switch controls. This equipment controls the refilling of the DG day tanks. Failure could cause the diesel to run out of fuel. Because of this, these relays have been located in the diesel generator Control Switchgear.
- 6) The Electronic Speed Switch. This electronic speed switch takes a signal from the engine mounted speed sensor and converts it to an RPM signal. This information is used by various systems (e.g., air start) of the diesel generator. This speed switch is located in the diesel generator Control Switchgear.
- 7) Exhaust temperature monitors. This device alarms only on exhaust temperature differential and does not shutdown the engine. Failure of this device does not have any effect on the diesel generator.
- 8) Electronic load controller. The electronic load controller, in conjunction with the digital reference unit, controls the speed of the diesel generator during startup, idle and full speed operation. An inductive speed sensor is mounted on the EDG to provide a reference speed signal to the electronic load controller. The governor system is reverse-acting; therefore, failure of the electronic load controller would result in the EDG speeding up until the mechanical governor takes control.
8.3-8b Amendment No. 13, (05/00)

The diesel generator sets 2A and 2B supply reliable power to those electrical loads which are needed to achieve safe shutdown of the plant or to mitigate the consequences of a design basis accident in the event of a loss of preferred ac power supplies. Table 8.3-2 lists the equipment and loads supplied by the diesel generator. Figure 8.3-4 shows a load profile for the loss of coolant and main steam line break accidents. In the event of loss of preferred sources of power to the Onsite Power System, each diesel generator set is automatically started and loaded by controls and circuitry which are independent of those used to start and load the redundant set. The diesel generator starting and loading logic is as follows:
- 1) The diesel generator sets start upon loss of voltage in the safety 4.16 kV buses or actuation of the safety injection actuation signal (SIAS).
8.3-8c Amendment No. 10, (7/96)
- 2) Upon loss of voltage on the 4.16 kV safety buses, these buses are automatically separated from the non-safety supply buses.
- 3) After each diesel generator set has attained normal frequency and voltage, the respective breaker closes if preferred ac power has been lost, thus immediately starting all loads belonging to the first block for which "starting required" signals are present (from ESFAS) or from circuit conditions indicating that they were previously running. If preferred ac power is still present, the diesel generator breaker does not close but the set remains at full frequency and voltage until manual actions are taken.
- 4) The starting of subsequent loads is delayed by timing relays using a design minimum of three second intervals between them. Load sequencing of the diesel generator is shown on Table 8.3-2.
- 5) If preferred ac power is lost but no Engineered Safety Features actuation signal is present, only the loads shown under the column "Loss of Offsite Power" in Table 8.3-2 are automatically started.
- 6) If, while operating as per step (5) above, an SIAS appears, all loads are stripped and loading is performed per Table 8.3-2.
- 7) Means are provided for periodic testing of the diesel generator sets under load when preferred bus supply is from the unit auxiliary transformer. If preferred ac power is lost or an accident occurs during this testing, the diesel generator breaker is opened and the sequence returns to step (3).
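The starting and loading steps (1) through (7) above can be read as a small state machine. The following is an added illustration, not code from the plant or the licensee: the load names and table columns are a constructed stand-in for Table 8.3-2, `START_TIME_S` is an assumed value, and placing each block at a fixed three-second offset from breaker closure is a modelling assumption based on the stated design minimum.

```python
from dataclasses import dataclass, field

MIN_BLOCK_INTERVAL_S = 3.0  # step 4: design minimum interval between load blocks
START_TIME_S = 10.0         # assumed time to reach normal frequency and voltage


@dataclass(frozen=True)
class Load:
    name: str
    block: int          # load block; block 1 starts when the breaker closes
    columns: frozenset  # table columns listing the load: "LOOP" and/or "SIAS"


# Constructed stand-in for Table 8.3-2, which is not reproduced on this page.
SAMPLE_TABLE = (
    Load("load-A", 1, frozenset({"LOOP", "SIAS"})),
    Load("load-B", 1, frozenset({"SIAS"})),
    Load("load-C", 2, frozenset({"LOOP"})),
    Load("load-D", 3, frozenset({"LOOP", "SIAS"})),
)


@dataclass
class DieselSequencer:
    table: tuple = SAMPLE_TABLE
    running: bool = False
    breaker_closed: bool = False
    under_test: bool = False
    loop: bool = False     # latched: preferred (offsite) ac power lost
    sias: bool = False     # latched: safety injection actuation signal
    ready_at: float = 0.0  # time the set reaches normal frequency and voltage
    schedule: list = field(default_factory=list)  # [(start time in s, load name)]
    events: list = field(default_factory=list)    # [(time in s, description)]

    def start_test(self, t):
        """Step 7: periodic test under load with the preferred supply present."""
        self.running = self.breaker_closed = self.under_test = True
        self.ready_at = t
        self.events.append((t, "test: breaker closed"))

    def signal(self, t, loop=False, sias=False):
        """Apply a loss-of-voltage (loop) and/or SIAS signal arriving at time t."""
        if not (loop or sias):
            return
        new_sias = sias and not self.sias
        self.loop, self.sias = self.loop or loop, self.sias or sias
        if not self.running:
            self.running = True                                  # step 1
            self.ready_at = t + START_TIME_S
            self.events.append((t, "diesel start"))
        ready = max(t, self.ready_at)
        if self.under_test:                                      # step 7
            self.under_test = self.breaker_closed = False
            self.events.append((t, "test ended: breaker opened"))
        if not self.loop:
            # Step 3: preferred power still present, so the set runs at full
            # frequency and voltage with its breaker open until manual action.
            self.schedule = []
            return
        if self.breaker_closed and not new_sias:
            return                                               # already loaded
        if self.breaker_closed:
            self.events.append((t, "all loads stripped"))        # step 6
        else:
            self.events.append((t, "safety bus separated"))      # step 2
            self.breaker_closed = True                           # step 3
            self.events.append((ready, "breaker closed"))
        column = "SIAS" if self.sias else "LOOP"                 # step 5 or SIAS
        self.schedule = [
            (ready + (load.block - 1) * MIN_BLOCK_INTERVAL_S, load.name)
            for load in sorted(self.table, key=lambda item: item.block)
            if column in load.columns
        ]
```
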
The starting and loading circuitry for the diesel generator and 4.16 kV buses are listed in Section 1.7. Means are provided to permit applying any load in the plant to the diesel generator. However, this is strictly a manual operation under the operator's full control. Such additional loading is limited by the rated capacity of the diesel generators. A wattmeter, a varmeter and an ammeter are provided for continuous indication of diesel generator loading. Administrative control is exercised to prevent loading the diesel generators over their rated capacities. The diesel generator circuit protection is discussed in Subsection 8.3.1.1.2k(ii). By means of potential and current transformer test blocks and a test position of the diesel generator circuit breakers, capability is provided to periodically test the protective relaying components and the auxiliaries which support the diesel function. The power supply sources for the diesel generator instrumentation and control system are in accordance with the redundancy criteria discussed in Subsection 8.3.1.2. 8.3-9 Amendment No. 13, (05/00)
For diesel generator parameters that are monitored and are indicated locally and/or in the control room, see Table 8.3-11. Local and control room alarms are provided for conditions causing diesel generator lockout even if a lockout is overridden. Local alarms and/or control room annunciation are also provided as indicated in Table 8.3-12. Control circuits for each diesel generator operate from separate Class 1E 125V dc circuits supplied from the station battery of the same division.

The standby power system components are designed to meet the seismic requirements for Class 1E electric equipment as described in Section 3.10. The environmental qualification for the standby power supply system is described in Section 3.11. Class 1E components are located within the Diesel Generator Building, a seismic Category I structure, and are protected from potential missiles. Physical separation and isolation has been maintained by the installation of a wall between the redundant systems.

8.3.1.1.2 Specific Details of the Onsite AC Power System

a) Power Supply Feeders

Power for onsite distribution is normally obtained from the Offsite Power System through 4.16 kV buses 2A2 and 2B2. Connections between these buses and the safety related buses, 2A3 and 2B3, are comprised of three conductors of 500 kcmil per phase. Cable consisting of one conductor of 500 kcmil per phase is used to connect buses 2A3 and 2B3 to bus 2AB. Cable feeders consisting of two 500 kcmil conductors per phase are used from diesel generators 2A and 2B to their 4.16 kV safety buses 2A3 and 2B3 respectively.

b) Busing Arrangements

Figures 8.3-1 and 8.3-2 show the busing arrangements for the Onsite Power System. There are no direct connections between parts of the system which serve load group A and those parts which serve load group B. There is no automatic transfer of loads between load groups A and B.
Buses serving load group AB can be manually connected with either of the buses serving load groups A or B but not simultaneously with the plant in Modes 1, 2, 3 or 4. Ties from the AB buses to the A or B buses have a breaker at each end of the tie. There are two breakers in series in each tie. The incoming breakers at the 2AB bus are electrically interlocked to prevent the 2AB bus from being simultaneously connected to 2A and 2B buses. In addition, captive key switches are located at the reactor turbine Generator Board to prevent simultaneously closing A&B bus breakers.

Under normal operating conditions, load group AB is connected to load group A (or B) through two normally closed breakers in series. These breakers are controlled by their associated captive key type switches. The keys, which must be inserted to close the breakers, are "captured" and cannot be removed until the breaker switch is placed in the open position. These same keys are also used to unlock and operate the switches controlling the breakers between load group B (A) and load group AB. Therefore, whenever load group A (B) is connected to load group AB, the breaker control switches are in the closed position, the keys to operate the switches are "captured", and the control switches for the breakers between load group B (A) and load group AB cannot be operated. The operation of these switches is the same as that described for the 125V dc bus ties described in Subsection 8.3.2.1.

8.3-10 Amendment No. 13, (05/00)

Administrative procedures call for tying the AB buses on all of the ac and dc voltage levels to the same load group (either A or B). In this way, the split bus system is maintained throughout the plant, including the supply of dc power for proper breaker operation. See Subsection 8.3.2.1 and Figure 8.3-6 for a description of this transfer. A violation of the administrative control is annunciated in the control room. The alarms are activated whenever 4.16 kV, 480 volt and 125V dc loads are not all aligned to the same A or B load group. There are two alarms provided; one uses auxiliary contacts from the AB bus breakers while the other uses auxiliary contacts from the A and B breakers feeding the AB bus breakers. See Subsection 8.3.2.1 and Figure 8.3-6 for a further description of this transfer.

The elimination of direct ties between buses serving load groups A and B and the provision of double breakers and interlocks on tie lines to AB buses prevent a single fault from affecting both redundant systems or from accidentally paralleling the emergency power source.

c) Loads Supplied from Each Bus

The Total Equipment Database shows each load in the plant and the bus to which it is connected. The criterion governing the assignment of loads is that redundant loads are assigned to both A and B groups.
The design criterion which pertains to the assignment of third service loads (the third component cooling water pump, intake cooling water pump and related equipment) is that of ensuring the availability of one component in each division during periods of maintenance. For example, prior to rendering any one of three pumps inoperable, administrative controls require that the remaining two pumps be connected to redundant buses. This is done by connecting bus 2AB to bus 2A3 or 2B3 to whichever the inoperable pump is connected. At the same time, at the 480V level, the 480V bus 2AB is connected to the bus corresponding to the 4.16 kV connection. This ensures that all safety related "AB" loads are connected to the same division at all times. Once any third service bus is assigned to a safety division A or B, the loads served by that bus are committed to that safety division. In addition, the 125V dc breaker controls are connected to the respective safety division. In the control room, alarms are provided to alert the operator if the AB buses on all voltage levels are not aligned properly.
8.3-11 Amendment No. 20 (05/11)
Once any third service bus is assigned to a safety division, either A or B, the loads served by that bus are committed to that safety division. The third buses are manually switched to the appropriate division A or B bus. Physical separation is provided between load group A and load group B and between load group AB and both load group A and B since load group AB may at various times function as part of either load group A or B. Separate cable tray and conduit systems are provided for each of the redundant load groups. All SAB cables are permitted to be routed only with their own safety class cables and not safety A or safety B. This is a design requirement to which cables are routed in their respective raceways. Separate tray and conduit systems are furnished for the following classes of cable: 5 kV, 600 Volt power, 600 Volt control and 300 Volt shield instrument cable. Physical separation is further discussed in Subsection 8.3.1.2, "Regulatory Guide 1.75 Rev. 1." There are no AB instrumentation protective systems. The physical location of the third channel actuated equipment is shown on Figures 1.2-12 (Charging pumps), 1.2-20 (CCW pumps) and 1.2-22 (Intake Cooling Water Pumps). 8.3-11a Amendment No. 20 (05/11)
d) Manual and Automatic Interconnections Between Buses, Between Buses and Loads, and Between Buses and Supplies Bus transfers used on startup of the main generator are manual "live bus" transfers (i.e., the incoming source feeder circuit breaker is closed onto the energized bus section), as described in Section 8.3.1.1.1.
Safety bus transfers, used on the loss of the main generator or unit auxiliary transformer, are automatic fast-dead bus transfers. The normal source feeder circuit breaker is tripped, and the alternative source circuit breaker is closed, resulting in a transfer within a few cycles (i.e., the station auxiliary buses rated 6.9 kV and 4.16 kV are automatically transferred from the Station Auxiliary Transformer to the Startup Transformer by tripping either one of the two generator lockout relays). Testing of the transfer feature is performed in accordance with the Technical Specifications.
If the incoming preferred source is not available, as indicated by a voltage relay on the incoming feeder, transfer does not occur. The resultant loss of voltage at the safety related bus thereupon trips the tie feeder breaker(s) and starts the diesel generator(s). Control of the 4.16 kV feeders to the 480V switchgears is manual, as is switching of MCCs to the 480V switchgear. Most loads are manually controlled, but safety related loads are automatically or manually controlled on occurrence of an event as required. The third service buses or AB buses are manually switched to the appropriate division A or B bus, as described in Subsection 8.3.1.1.2b.

The electrical system design does not include provisions for crosstie connections, either manual or automatic, between redundant safety related buses. There are also no interconnections between the 120V uninterruptible instrumentation ac buses, although the two supply inverters for channels MA and MC (or MB and MD) are powered normally by 125V dc feeders of the safety related load group A (or B) respectively. The same is true of the 125V dc instrumentation buses MA, MB, MC and MD.

e) Interconnections Between Safety Related and Non-Safety Related Buses

Apart from the preferred source connections from bus 2A2 and bus 2B2 to bus 2A3 and bus 2B3, respectively, other interconnections between safety related and non-safety related buses occur at the MCCs where non-safety loads are connected to safety related buses. Wherever this occurs, the MCC bus is split into an essential (safety and plant investment loads) and non-essential (non-safety related loads) section connected through a bus isolating contactor that opens automatically during an undervoltage (i.e., loss of voltage) or safety injection actuation signal, thereby separating the non-essential loads from these MCCs. Safety related loads as well as non-safety related loads are connected to the 480V switchgear and selected 125V dc panels.

8.3-12 Amendment No. 13, (05/00)

8.3-12a Amendment No. 18 (01/08)
In all cases, any non-safety related load connected to a safety related bus is fed from a circuit breaker or fuse qualified as an isolation device. In addition, barriers are provided within each switchgear/panel to assure nonsafety components, i.e., breakers, wires, etc., cannot cause the failure of any safety component. The discussion in Section 8.3.1.2.2 for Regulatory Guide 1.75 describes the separation and isolation of non-safety related loads connected to safety related buses.

f) Redundant Bus Separation

Separation of 4.16 kV and 480V redundant switchgear, the 480V redundant MCCs and power panels, the 120V uninterruptible ac buses and inverters and the 125V dc batteries, chargers and distribution panels is accomplished through spatial separation or provision of fire resistant barriers. The two redundant diesel generators are separated by three hour firewalls in the Diesel Generator Building, which is a seismic Category I structure.

g) Electrical System Sizing Requirements

Equipment capacities have been conservatively selected. The two redundant diesel generators each have adequate capacity to supply all safety related and uninterruptible equipment loads required for safe shutdown of the plant. Table 8.3-2 lists the safety related loads connected to each of the diesel generators under emergency conditions. Brake horsepower ratings listed in the above table for safety related motors are based on loads under expected flow and pressure. Safety related equipment functional capability is verified by preoperational tests.
h) Automatic Tripping and Loading of Buses

Loads connected to the safety related switchgear are deenergized when voltage is lost on the 4.16 kV safety related buses. Only the safety related loads, plant normal/emergency lighting and certain plant investment loads are automatically reenergized when voltage is restored to these buses. Non-safety loads connected to the safety buses can be manually reconnected by the operator. Automatic tripping by protective relays is discussed in Subsection 8.3.1.1.2.k.

i) Safety Related Equipment Identification

Safety related equipment is identified by means of nameplates and color coded tape, paint or tags in accordance with its respective safety related system or channel. A further discussion is found in Subsection 8.3.1.3.
8.3-13 Amendment No. 13, (05/00)
j) Instrumentation and Control Systems with Assigned Power Supply

The Reactor Protective System (RPS) and Engineered Safety Features Actuation System (ESFAS) are supplied with power from four uninterruptible ac inverters. There are four separate channels in these control systems, each of which operates from one of the four inverters. Each inverter is supplied from a safety related dc bus. For maintenance purposes only, 480V ac power is also available through a transformer and voltage regulator and a manual transfer switch to bypass the normal dc supply without interruption of services connected to the inverter's ac output. The ac and dc supplies for the inverters are taken from the same load group, A or B, as the inverter serves, so as to provide full separation between redundant divisions. Isolimiters are provided to isolate the instrument buses from unacceptable voltage surges that may result when the bypass system is in operation. The Qualified Safety Parameter Display System (QSPDS) is supplied with power from two instrument buses, 2MC-1 and 2MD-1, both of which are on separate channels and protected with dedicated isolation transformers.

k) Electric Circuit Protection Systems

Electrical protection for safety related equipment is as follows:

i) Safety Related 4.16 kV System Protection

Safety related 4.16 kV switchgears 2A3 and 2B3 are protected against bus faults by differential relays which trip each respective incoming bus breaker in the unlikely event of a fault on the switchgear bus. In addition, inverse time overcurrent relays, one in each phase, provide additional protection against bus faults and backup protection to individual load feeders. Safety related 4.16 kV switchgear 2AB is similarly protected by bus differential relays and three inverse time overcurrent relays which trip the incoming breaker from bus 2A3 or 2B3, whichever is closed. All outgoing feeders from safety related 4.16 kV switchgears 2A3, 2B3 and 2AB are protected against feeder short circuit by instantaneous relays in each phase. Motor feeders are provided with relays for locked rotor protection and overload alarms. Feeders for the 4160/480V switchgear transformers are provided with relays for overload trip. Each feeder is equipped with a ground fault alarm.
8.3-14 Amendment No. 14 (12/01)

ii) Diesel Generator Protection

When offsite power is available or during normal testing operation the diesel generator is shut down and its breaker is tripped whenever diesel generator lockout occurs. In the absence of a SIAS or loss of offsite power the following conditions cause a lockout:
- 1) Low engine oil pressure
- 2) High engine water temperature
- 3) Engine overspeed
- 4) Generator differential
- 5) Generator overcurrent
- 6) Reverse power flow to generator
- 7) Loss of generator excitation
- 8) Crankcase pressure

These lockouts are alarmed locally and are annunciated in the control room as a lockout of the 2A or 2B diesel generator. Besides the above lockouts, the generator breaker is tripped and the engine is left running if a 4.16 kV bus failure occurs. Each diesel generator can be manually started or stopped both locally and from the control room.
If the diesel is started as a result of a SIAS or loss of offsite power, all but two diesel generator lockout signals are overridden. Those which remain functional are engine overspeed and generator differential. Overriding all but two of the lockout signals reduces the probability of spuriously tripping a diesel generator when it may be required to shut down the plant or mitigate the consequences of an accident. The rationale for retaining the engine overspeed and generator differential lockouts is to mitigate the probability of seriously damaging a diesel should one of these adverse conditions occur. The two trips that are not overridden are commonly used in power plant application and have histories of highly reliable operation. The reliability of the two lockouts discussed above warrants maintaining their protective capability during normal and accident conditions. This rationale is in accordance with the intent of BTP EICSB 17, "Diesel Generator Protective Trip Circuit Bypass."

Monitoring the diesel generator protective trips for a "first-out" indication, as discussed in Section C.1 b.5 of Regulatory Guide 1.108 (R1), has no safety function and only has application when the DG is under test. In the event that a DG trip occurs during a test, FP&L analyzes the cause of the trip and takes corrective action accordingly. During this time the unit is under technical specifications as required. Refer to Technical Specification 3/4.8.1. (See also Subsection 8.3.1.2.2.)

iii) Safety Related 480 Volt System Protection

Feeders to safety related 480V MCCs are protected by ac breakers, each provided with an electronic trip device having short time and long time trip elements. The feeders for MCCs 2A9 and 2B9 provide long time and instantaneous trips as the MCCs supply one motor load each.

8.3-15 Amendment No. 21 (11/12)
Feeders to 460V motors from the 480V safety related switchgears are provided with long time and instantaneous trips. Each 480V switchgear feeder is also provided with a ground fault alarm. The 480V MCC combination motor starters for motors and valve operators are provided with an instantaneous trip circuit breaker (for short circuit protection) and thermal overload devices for each phase. The overload elements are set to protect the connected motor and its connected cable. Those motor operated valves that are located in the containment contain thermal magnetic circuit breakers that provide overcurrent and short circuit protection as the overload elements have been bypassed to prevent any hindrance to the performance of the valves' function. In the case of the selective safety related valve operators, the thermal overload devices are prevented from tripping the valve operators when the appropriate Engineered Safety Features Actuation System signal is present. For a discussion of Regulatory Guide 1.106, "Thermal Overload Protection for Electrical Motors on Motor-Operated Valves," 3/77 (R1), see Subsection 8.3.1.2.2.

8.3-15a Amendment No. 21 (11/12)
Static 480V motor control center loads are fed from thermal magnetic breakers providing overcurrent and short circuit protection.

iv) Safety Related 120 Volt AC System Protection

Each outgoing feeder is provided with overcurrent and short circuit protection by a thermal magnetic breaker. Single pole breakers are used for 120V single phase circuits and double pole breakers are used on 208V single phase circuits.

Most panel buses are directly connected to the secondary terminals of a three phase 480V/208-120V transformer, the primary of which is protected by a three pole thermal magnetic breaker located in a MCC. The instantaneous trip setting of this breaker is set high enough to trip only on faults on the feeder cable or within the transformer itself, thus ensuring that faults in the branch circuits trip only the affected secondary breaker and not the transformer primary circuit breaker. Other panels are fed from these panels.
v) 120 Volt Instrument Power Supply

The 120 volt output from the safety related instrument inverters is ungrounded. The outgoing feeders are protected with current limiting fuses.

vi) Ground Fault Protection

High resistance grounding is used on the 4.16 kV and 480V systems so that ground fault currents are sufficiently low that tripping of the affected breaker is not required. Ground faults are detected and alarmed locally or in the control room. The 208V/120V systems are effectively grounded, so that ground faults are seen by the breaker as equivalent to phase-to-phase faults and tripping occurs.

8.3-16 Amendment No. 18 (01/08)

The diesel generator is high resistance grounded through a transformer and resistor connected to the generator neutral. The high resistance grounding system alarms only, thus permitting continued operation in the unlikely event of a single ground. The safety related 120V instrument power supply systems are effectively ungrounded. A ground detector is provided on the bus to alarm on occurrence of a ground anywhere on the system; two ground faults on different poles of the system are required for tripping.
l) Testing of Power Systems During Operation

For a discussion of operational testing, see the Technical Specifications.

m) Diesel Generators

i) Automatic Starting Initiating Circuits

Each diesel generator is started automatically either by the appropriate Engineered Safety Features Actuation System signal or by the undervoltage relay on the respective 4.16 kV safety related bus.

ii) Starting Mechanism and System

Each diesel engine is started by compressed air which is stored in two separate air tanks. Each tank pair has sufficient air to start each engine five times without recharging. The air starting system is described in Subsection 9.5.6.

iii) Tripping Devices

Diesel generator protection is described in Subsection 8.3.1.1.2.k, which gives the conditions under which automatic shutdown of the set occurs.

iv) Interlocks

Interlocks are provided in the closing and tripping circuits to prevent closing of the diesel generator breaker and connected safety related loads under the following conditions:

(a) If a lockout relay is tripped, the closing circuit is interrupted.
(b) If safety related bus is energized, the generator breaker is prevented from automatic closure. Automatic connection of the safety related loads with voltage on the associated safety related bus is prevented by a contact of the bus voltage sensing relays in the closing circuits of the individual breakers.

8.3-17

v) Permissives

Permissives are designed as follows:
- 1) To start the diesel generator:
(a) 125V dc control power available
(b) diesel generator lockout relay in reset position.

8.3-17a

- 2) To trip the emergency diesel generator when the unit is on auto operation:
This is covered in Subsection 8.3.1.1.2.k
- 3) To close the diesel generator air circuit breaker:
Manual with live bus (test condition)
(a) diesel generator lockout relay in reset position
(b) correct voltage and frequency on the diesel generator
(c) synchronizing switch is in ON position
- 4) Synchronism check relays:
The synchronism switch is in the "on" position and verification is made by checking the synchroscope.

vi) Load Shedding

Upon sensing of the loss of offsite sources of power to the plant Onsite Power System, the safety portion of the system is automatically electrically isolated from the non-safety portion of the system by the operation of circuit breakers on the lines between non-safety and safety related buses.

vii) Testing

Periodic testing and frequencies at which it is performed are a part of the Technical Specifications. Each diesel generator is equipped with a means for starting periodically to test for readiness, a means for synchronizing the unit onto the bus without interrupting the service, and a means for loading and for shutdown after test.

viii) Fuel Oil Storage and Transfer System

The Diesel Generator Fuel Oil Storage and Transfer System is described in Subsection 9.5.4.

ix) Diesel Generator Cooling Water System

The Diesel Generator Cooling Water System is described in Subsection 9.5.5.

x) Instrumentation and Control for Standby Power Supply

Manual and automatic control of the diesel generators is described in Subsection 8.3.1.1.1 (f). Performance of the engine, generator and auxiliaries is monitored locally and selectively at the control room. See Subsection 7.5.1 for a discussion of safety-related display instrumentation.

8.3-18 Amendment No. 13, (05/00)

xi) Basis for Diesel Generator Sizing

Table 8.3-2 lists the loads which are used in sizing the diesel generator. This table shows the nature of the various loads, each load that is connected to the safety-related bus, rating of each load in brake horsepower, the loading sequence step time and other details. The continuous rating of each diesel generator is based on the total calculated consumption of the loads, plus margin, that are powered by the system under design basis accidents or safe shutdown conditions. The diesel generator ratings are identified on Table 8.3-1.

xii) Diesel Generator Loading

Table 8.3-2 shows the automatic and manual loading sequence of the emergency power supply system. The essential loads are started automatically by their respective ESFAS signals in a predetermined step-by-step loading sequence. Equipment which may require manual startup is started after the initial automatic sequential loading. In an event of a Unit 1 Station Blackout, Unit 2 diesel generator(s) may be used to supply power to the Unit emergency buses via the station blackout tie. Plant procedures define the appropriate actions to be taken and limit the maximum loading on the diesel generator to be 3936 kW.

xiii) Preventative Maintenance

The Emergency Diesel Generators will be inspected in accordance with a Licensee-controlled maintenance program. This program will require inspections based on procedures prepared in conjunction with the manufacturer's recommendations for this class of standby service. Changes to the maintenance program will be controlled under 10 CFR 50.59.
St. Lucie Unit 2 monitors equipment and component failure on plant systems, including the diesel generators, in three ways. One method is by NRC required Licensee Event Reports (LERs). The applicant is required to list the failure; determine that this is or is not the first failure of its type; if it is not the first, how often it has previously happened; and describe in detail the action taken to ensure the problem does not recur.

Another method is via a users group that monitors problems at many plants and informs plants with similar equipment of generic problems.

The third method is via a company-wide maintenance monitoring program, referred to as the GEM's program. Reports are completed and records maintained such that generic problems can be quickly identified. This program is initiated and perpetuated by company procedures.

The Emergency Diesel Generator Reliability Program for St. Lucie Unit 2 meets the guidelines of Regulatory Guide 1.155, "Station Blackout," Position 1.2 "Reliability Program". These Regulatory Guide requirements are satisfied through plant surveillance, administrative and maintenance procedures. The Regulatory Guide requirements are:

a) Unit "average" reliability of 0.975 for a four (4) hour blackout duration, based on an offsite power design characteristic group of "p3" and an emergency AC power configuration group "A".

8.3-19 Amendment No. 21 (11/12)

b) Surveillance testing and reliability monitoring program to track EDG performance are included in plant procedures.
c) Maintenance program that assures target EDG reliability is achieved and provides the capability to perform root cause analyses.
d) System to collect the data and compare the achieved reliability level with the target value.
e) Identifies responsibilities for the program's major elements and management oversight for reviewing reliability levels and ensuring that the reliability program is functioning properly.

xiv) Training

Some operations personnel (RCOs and above) are provided with a diesel generator training program which addresses, in detail, theory, mechanical design, electrical characteristics, instrumentation, operation, load carrying and Technical Specifications. St. Lucie has maintenance personnel who have been factory trained on diesel generator maintenance. All three maintenance departments have training programs which include diesel generator information. As future needs require, maintenance personnel who supervise diesel generator maintenance are also factory trained.

n) Power Lockout to Motor Operated Valves

The only 480V motor operated valves that require power lockout are safety injection tank valves (V3614, V3624, V3634, V3644). In accordance with BTP ICSB 18 the safety injection valves (V3614, V3624, V3634, V3644) are not considered active valves and, therefore, restoring power to the valve from the control room is not required. In addition, control circuit to the valves is designed such that power to the pickup coil can be defeated and reinstated from the control room. To assure that the valves are open, the following instrumentation and controls are provided:
- 1) Valve (open/close) indicating lights. These lights are connected to the valve position limit switches and obtain their control power from the starter control transformer. The illumination of these valve indicating lights reflects the actual valve position. Also, it reminds the operator that the valve operating power has not yet been removed (i.e., the circuit breaker has not physically locked open).
- 2) When the reactor is not in shutdown mode, the valves' operating power is removed (i.e., circuit breakers locked open). The absence of the indicating lights indicates to the operator that the valve breaker is locked open. In addition, the annunciator indicates that the power is removed and control circuit is de-energized.
- 3) As a redundant measure, slidewire valve position transmitter/indicator is used to monitor valve position at all times, regardless of breaker positions.
- 4) Furthermore, an annunciation window is provided to assure "open" valve position and quickly annunciates if the valve is not fully open.

A list of the above valves and appropriate actions is found in the Technical Specifications. In addition, each safety injection tank is provided with two redundant safety grade solenoid vent valves. The addition of these valves allows depressurization of the safety injection tank from the control room, thereby eliminating the need for isolating these tanks using valves (V3614, V3624, V3634, V3644). The valves are controlled from the control room with key operated control switch.

8.3-19a Amendment No. 18 (01/08)

o) Undervoltage Protection for Class 1E Buses (Branch Technical Position PSB-1)

In accordance with PSB-1 the first level of undervoltage protection is provided to detect a loss of offsite power. Two (2) solid state undervoltage relays are provided on each of the Class 1E A and B 4.16 kV buses, and are set at no less than 3120 volts with undervoltage tripping within 1 second. The relays are connected for a coincident logic and are mounted in the Class 1E 4.16 kV switchgear. Upon detection of a loss of voltage condition, these relays automatically initiate diesel generator starting and disconnection of the offsite source on a loss of offsite power.

In accordance with PSB-1 a second level of undervoltage protection is provided for the Class 1E buses. Florida Power and Light meets the requirements of the position for St. Lucie Unit 2 by providing for each Class 1E division a 2 out of 3 coincident logic protection scheme consisting of three solid state undervoltage relays set at approximately 93 percent of 4.16 kV and provided with a 10 second time delay. The relay logic actuates control room annunciation to alert the operator to a degraded voltage condition and aligns the trip circuitry associated with the undervoltage logic such that subsequent occurrence of a safety injection actuation signal (SIAS) separates the Class 1E system from the offsite power system automatically. The 10 second time delay is based on preventing the worst case motor starting transient from causing spurious alarms in the control room. (The 4.16 kV Condensate Pump accelerates to full speed with the minimum voltage conditions expected on the main generator or switchyard in six seconds.)
An additional set of three solid state undervoltage relays is provided on each of the Class 1E A and B 4.16 kV buses. These relays are located downstream of the 480V ac power center reactors. The output of the relays provides a trip signal, in a coincident logic arrangement (2 out of 3), via an appropriately set timer. The relays will separate the Class 1E buses from the offsite source and transfer them to the emergency diesel generator in accordance with the selected time settings should the operator fail to restore system voltages. The setting of the relaying scheme at approximately 90 percent of 480V ac with a time delay of approximately 21 seconds ensures adequate protection against potential damage due to operation with inadequate supply voltage for all Class 1E equipment.

8.3-19b Amendment No. 13, (05/00)
The most limiting equipment was considered to be the 460V ac motors which are rated at 90 percent of nameplate operating voltage. Should 480V ac bus voltage decrease to 90 percent of 480V ac, voltage at the worst case motor control center will be at least 90 percent of 460V ac or 86.2 percent of 480V ac. Should the 480V ac bus voltage continue to decrease, an additional set of relays identical to the degraded voltage relays described above will shorten the time to trip. These relays are set at approximately 75% of 480 volts with a time delay of approximately 1.5 seconds.
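The relay schemes described in this subsection can be checked against a bus voltage trace with a small definite-time model. The following is an added example, not part of the FSAR or of any FP&L tool; the function names, the 0.1 s sample step, the timer reset on voltage recovery, the 2-of-2 reading of the first level "coincident logic", the latched SIAS alignment and all voltage traces are assumptions constructed for illustration, and "approximately" setpoints are taken as exact.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scheme:
    name: str
    pickup_v: float   # a relay picks up when its measured voltage is below this
    votes: int        # number of relays that must agree (coincident logic)
    delay_s: float    # definite time delay before the scheme output actuates


# Settings quoted in the text above.
LOSS_4KV = Scheme("4.16 kV loss of voltage: start EDG, drop offsite source",
                  3120.0, 2, 1.0)           # two relays, assumed 2-of-2
DEGRADED_4KV = Scheme("4.16 kV degraded voltage: alarm, align SIAS trip",
                      0.93 * 4160, 2, 10.0)  # 2 out of 3
DEGRADED_480 = Scheme("480 V degraded voltage: transfer to EDG",
                      0.90 * 480, 2, 21.0)   # 2 out of 3
LOW_480 = Scheme("480 V low voltage: transfer to EDG",
                 0.75 * 480, 2, 1.5)         # 2 out of 3


def actuation_time(scheme, samples, dt=0.1):
    """Return the time in seconds at which the scheme actuates, or None.

    samples holds one tuple of per-relay voltages per time step of length dt.
    Assumption: the timer resets whenever the coincidence is lost.
    """
    needed_steps = max(1, round(scheme.delay_s / dt))
    held_steps = 0
    for i, readings in enumerate(samples):
        picked_up = sum(1 for v in readings if v < scheme.pickup_v)
        if picked_up >= scheme.votes:
            held_steps += 1
            if held_steps >= needed_steps:
                return round((i + 1) * dt, 3)
        else:
            held_steps = 0
    return None


def separation_on_sias(alignment_time, sias_time):
    """Time at which a SIAS separates the bus from offsite power, or None.

    Models only the case the text describes: a SIAS that occurs after the
    degraded voltage logic has aligned the trip circuitry (assumed latched).
    """
    if alignment_time is None or sias_time is None:
        return None
    return sias_time if sias_time >= alignment_time else None


def segment(volts, seconds, relays, dt=0.1):
    """Constructed trace: every relay reads the same voltage for a duration."""
    return [tuple([volts] * relays)] * round(seconds / dt)


def scenarios():
    """Run the constructed traces and return the actuation time of each."""
    motor_start = (segment(4160, 2, 3) + segment(0.90 * 4160, 6, 3)
                   + segment(4160, 12, 3))           # six second dip
    sustained = segment(4160, 2, 3) + segment(0.92 * 4160, 20, 3)
    failed_relay = [(0.0, 4160.0, 4160.0)] * 300      # one relay reads zero
    collapse_480 = segment(0.70 * 480, 30, 3)
    alarm = actuation_time(DEGRADED_4KV, sustained)
    return {
        "motor_start": actuation_time(DEGRADED_4KV, motor_start),
        "sustained": alarm,
        "failed_relay": actuation_time(DEGRADED_4KV, failed_relay),
        "sias_after_alarm": separation_on_sias(alarm, 15.0),
        "low_480": actuation_time(LOW_480, collapse_480),
        "degraded_480": actuation_time(DEGRADED_480, collapse_480),
        "loss_4kv": actuation_time(LOSS_4KV, segment(0.0, 5, 2)),
    }


if __name__ == "__main__":
    for name, t in scenarios().items():
        print(f"{name:18s} -> {t}")
```

The constructed six second dip stays inside the 10 second delay, a single failed relay cannot satisfy the 2 out of 3 vote, and on a deep 480V sag the 75 percent relays act well before the 21 second timer.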
The minimum acceptable operating voltage at the 120V ac level was established by equipment ratings to be 90 percent of 120V ac. To evaluate the acceptability of the relay setting an analysis of station electric system voltages was performed under steady-state conditions with the full plant running loads and minimum design main generator voltage supplying the onsite system through the Unit Auxiliary Transformers. The results of this analysis demonstrate that voltages on Class 1E systems at the 4.16 kV level, the 480V ac level and the 120V ac level remain above the design limits of the equipment. The voltage level on the 4.16 kV buses remains above the setpoint which insures that the alarm and SIAS alignment relays described above are not actuated during this steady state operating condition. 480V ac bus voltage remains above the setpoints of the undervoltage relays, preventing spurious actuation of the protection feature during steady-state conditions.

Analysis of station electric system voltages was also performed under steady-state conditions with the full plant running load and minimum design switchyard voltage supplying the onsite system through the Startup Transformers. The results of this analysis demonstrate that, as shown in the analysis of the Unit Auxiliary Transformer, all voltages on the Class 1E systems remain above minimum acceptable design conditions. The worst case starting transient was also analyzed for the most limiting conditions (the 2A system, since this is the most heavily loaded with all normal plant running loads on the buses) when the Startup Transformer is supplying the system and offsite switchyard voltage is at the design minimum of 230 kV.

The analysis indicates that following the starting transient, voltages on all Class 1E buses remain at values above the acceptable design limits and that the voltage on the 4.16 kV buses returns to above the relay setpoint of approximately 93 percent within the time delay setting of 10 seconds. In accordance with Branch Technical Position PSB-1, relay actuation during the worst case motor starting transient does not occur. An additional analysis was performed on the onsite system to evaluate the impact of an SIAS and resultant fast dead bus transfer when the offsite source is at the minimum design voltage conditions.

8.3-19c Amendment No. 9, (10/94)
The results of this analysis demonstrate that the voltages on the 4.16 kV level, 480V ac level and 120V ac level remain within acceptable design limits following the fast dead bus transfer.

The relays and all associated equipment are Class 1E and are located in the relay panels in the Reactor Auxiliary Building. The capability exists for test and calibration during power operation. FP&L has performed a verification test of the analysis to establish adequate station electric system voltages prior to fuel loading.

The above scheme meets the requirements of Branch Technical Position PSB-1 Section B.1.6(i).

p) Station Blackout

Station blackout (i.e., total loss of ac power, offsite and onsite) was considered in the design for St. Lucie Unit 2. The current design has been analyzed for station blackout for a period of four hours without unacceptable consequences (see Section 15.10). In the unlikely event of a complete loss of ac power (onsite and offsite) for St. Lucie Unit 2 and the simultaneous loss of offsite power and one diesel generator at St. Lucie Unit 1, the remaining diesel generator in St. Lucie Unit 1 is able to operate the minimum selected loads such that both units are maintained in a safe, hot standby condition. A cable tie is provided connecting Class 1E swing switchgear 1AB and 2AB. This tie can be used only when an actual blackout condition exists (or under test conditions with one of the swing buses disconnected from the other parts of its unit's system) and will be implemented under procedural controls assuring that the diesel generator capability will not be exceeded. Upon completion of the inter-tie and manual loading, both plants remain in the safe hot standby condition until the conclusion of the event or approximately four hours.

Per the SBO analysis, the SBO cross-tie was originally intended for use for SBO events initiated with both units operating in Mode 1. Additionally, the SBO analysis did not consider the availability of offsite power to the opposite unit. If, during a blackout event, offsite power is available to Unit 1, the SBO cross-tie may be used to provide offsite power from Unit 1 to Unit 2, regardless of the initial operating Mode of either unit. Use of the cross-tie for these non-licensed blackout events is controlled via plant procedures. Further, the present St. Lucie design also does have the capability of electrically connecting the two units' 4.16 kV buses 1A2 and 2A2 (1B2 and 2B2) through 4.16 kV bus 2A4 (2B4).
8.3.1.1.3 Design Criteria for Class 1E Equipment

Design criteria are discussed below for certain Class 1E equipment:

a) Motors

Motor sizes are selected based on calculations of load, torque requirements or on the basis of equipment (pump, fan compressor, etc.) supplier recommendations.

8.3-19d Amendment No. 21 (11/12)

The 4.16 kV safety-related motors are specified to start their respective driven equipment with 75 percent of rated motor terminal voltage. The 480V safety-related motors are specified to start and accelerate their respective driven equipment with 90 percent of rated motor terminal voltage. When ESF motors are sequenced onto the diesel generator the voltage at the motor terminals must be sufficient to start and accelerate the motor and driven equipment without damage to the motor or impact to the accident analysis. Motors that are supplied for St. Lucie Unit 2 and that are rated 460 volts are designed as standard motors (90 percent start) or specially designed for 75 percent starting voltage. When the ESF motors are sequenced onto the diesel generators, three motors experience starting voltages less than their 460 volt 90 percent design. They are the Containment Fan Coolers, quantity 2, and the Shield Building Exhaust Fan.

8.3-19e Amendment No. 18 (01/08)

The voltage of the Containment Fan Cooler motor experiencing the worst starting transient is 84.4% of motor nameplate voltage at the instant that the motor is applied to the diesel generator. This voltage recovers to 94.4% of motor nameplate voltage as the result of the recovery of the diesel generator voltage brought about by the voltage regulator action. The next load block to be started by the diesel generator occurs in three seconds, subjecting these motors to a motor terminal voltage of approximately 87 percent at the instant the load block is connected, which recovers as a result of the diesel generator voltage regulator action to 91.8% motor terminal voltage. To assure that the motor has sufficient torque to accelerate the driven equipment under this type of transient, the motor manufacturer supplied speed torque curves for motor acceleration considering a constant motor terminal voltage of 80 percent, which is bounding to the starting transient described above. This curve is shown in Figure 8.3-7. From this curve net torque (motor torque minus loading torque) was determined using 12 speed intervals and the acceleration time of the motor was calculated to be 5.19 seconds. Comparing this acceleration time to the acceleration time measured in the accident analysis, i.e. 10 seconds, indicates that the motor is accelerated in sufficient time as to not impact the accident analysis.

To assure that the motors are not damaged during this starting transient, the motor acceleration time was compared to the safe stall time of the motor. From manufacturer's data applied, the safe stall time at 100 percent starting voltage is 12 seconds (hot start). The acceleration time of 5.19 seconds is less than 12 seconds and therefore motor damage will not occur. It must be noted that the safe stall time of a motor increases as a result of lower starting voltage since the inrush current is less. Therefore, comparing the acceleration time at the lower voltage (5.19 seconds) to the safe stall time at the higher voltage (12 seconds) is very conservative. Actual manufacturer's data for starting transients such as described above indicates that the safe stall time is increased to 15 seconds.

During the third diesel generator load block and the acceleration of the containment fan coolers, the Shield Building Exhaust Fan is started. The voltage at its motor terminals is approximately 87 percent of motor nameplate voltage. Since this motor is a 90 percent motor, the motor load was analyzed in a similar manner as the containment fan coolers described above utilizing the same conservative constant 80 percent motor terminal voltage. The speed torque curve, taken from manufacturer's data for the motor and load, is shown on Figure 8.3-8. The acceleration time calculated for this motor is 4.9 seconds. Again comparing this time to the time assumed in the accident analysis, 10 seconds, and comparing this time to the safe stall time typical for motors this size, 11 seconds, indicates that the reduced voltage starting of this motor and load does not impact the safety analysis or damage the motor.

8.3-19f Amendment No. 16 (02/05)
b) Motor Starting Torque

The motor starting torque is capable of starting and accelerating the connected load to normal speed within time to permit its safety function for all expected operating conditions including the design minimum terminal voltage of the diesel generator.

8.3-19g Amendment No. 20 (05/11)

c) Motor Insulation

Insulation systems are selected based on the particular ambient conditions to which the insulation is exposed. 4.16 kV safety related motors are provided with Class B or F insulation systems. 480V safety related motors are provided with Class B, F or H insulation systems.

d) Interrupting Capacity of Switchgears, Load Centers, and Motor Control Centers

The interrupting capacities of switchgear, load centers, and motor control centers are selectively designed such that 1) any bus is capable of starting the largest motor with the other equipment in operation and 2) the interrupting devices can safely interrupt any short circuit that may occur in the system.

e) Electric Circuit Protection

Refer to Subsection 8.3.1.1.2.k.

f) Grounding

Electrical equipment frames are solidly grounded to the station ground grid; an instrument ground system is also provided. For a discussion of ground fault protection, see Subsection 8.3.1.1.2.k(vi).

8.3.1.1.4 Cables and Raceways

The 5 kV and 15 kV power cables are insulated with unfilled cross linked polyethylene, wrapped with an extruded layer of semiconducting insulation shield material compatible with the insulation, and covered with a lead sheath and a heavy duty overall neoprene jacket. These cables have a 100 percent insulation level and are rated for continuous temperature operation at a conductor temperature not to exceed 90°C.

The 600 volt power cables are insulated with a high temperature Kerite insulation (HTK) and covered with black heavy duty flame resistant (FR) jacket. The 600 volt control cables are insulated with Kerite flame resistant (FR or FR-2) insulation and covered with heavy flame resistant (FR) jackets. Okonite Co. cables are also utilized, with an X-Olene FMR (flame retardant, cross-linked polyethylene) extruded insulation and Okolon (Hypalon) jackets.

600 & 300 volt instrumentation cables consist of twisted, paired, shielded and unshielded cables. Unshielded cables consist of twisted pairs with Kerite flame resistant (FR or FR-2) insulation covered with an extruded polymer layer and having an overall flame resistant (FR) jacket. Okonite cables are of the same construction as described above for the 600V control cables. Shielded cables in addition to the above have a drain wire with each pair in direct contact with aluminum mylar tape. Each shielded pair is separated by glass mylar tape. The power, control and instrumentation cables are rated for continuous operation at a conductor temperature not to exceed 90°C.

3538b 8.3-20 Amendment No. 1, (4/86)
Prefabricated 600 volt cable assemblies are used for the CEA position, CEDM power and incore monitoring instrumentation (self powered neutron detectors [SPND]). The cable configurations from the penetrations to the disconnect panels located near the refueling cavity consist of the following:

CEDM power cable assemblies are insulated with 30°C FR-EP and jacketed with the CPE material.

Incore monitoring assemblies utilize MI cable.

CEA cable assembly conductors are insulated with 200°C Kapton PYRE-ML varnish, covered with a Kapton PYRE-ML varnish jacket and an overall stainless steel armor weave to protect the jacket.

From the panels located near the refueling cavity out to the instrument connections in the reactor vessel head area all of the CEDM, CEA (RSPT) and ICI cables consist of multiconductor pre-manufactured cable assemblies. Each assembly is made up of individual conductors covered with silicone insulation rated at 125°C, an overall silicone jacket rated at 125°C, and an outer 30 AWG stainless steel armor braid. These cables are not safety related. Nonsafety related cable supplied by a respective equipment manufacturer that is not flame resistant is not routed with other qualified plant cable.

Coaxial cables are constructed with a Rockbestos Firewall III Polymer LD first insulation, radiation cross linked cellular modified polyolefin or radiation cross linked modified polyolefin second insulation, covered with a tin coated copper shield and a radiation cross linked, non-corrosive, flame retardant modified polyolefin overall jacket. These cables are rated for continuous service up to 110°C.

All cable is flame resistant and is qualified in accordance with IEEE 383 or approved equivalent per Section 9.5A, Reference 25, with these exceptions: the lighting branch circuit cable, cables supplied for use with the humidity detectors of the ILRT system, cables for the Fire Sprinkler Systems, cables for Security System, and thermocouple extension cables for the Shield Building Ventilation Fan Heater Controls. However, these cables are uniquely identified and are assigned to a dedicated raceway system. At no time are these cables permitted to be routed with the other plant cable.

In addition, portions of the self-powered neutron detector instrumentation utilized mineral insulated cable assemblies. Both the core exit thermocouples (CET) and the heated junction thermocouples (HJTC) will utilize mineral insulated cable assemblies to comprise the safety related portion of the incore monitoring instrumentation system.

Ampacities for cables are in general accordance with IPCEA 54-440-1975 and the methods presented in P-46-426. Environmental conditions under which cables must operate are given in Section 3.11.

Raceways are galvanized steel conduits, trays or wireways, or tube track for all exposed circuits within buildings. Embedded conduits are either PVC or galvanized steel. PVC coated steel conduit is utilized in exposed applications at the intake cooling water structure. Flexible metal conduit is used wherever raceway connections are made to vibrating equipment.

8.3-21 Amendment No. 20 (05/11)
Trays, with the exception of the reactor head area, are solid bottom galvanized steel ventrib trays. The reactor head area cable trays are ladder type to facilitate easy exiting of cable from the tray to the reactor head area. Raceways are supported securely at intervals governed by the span loading. 8_3-21oa
The Class 1E underground raceway system consists of Class 1E cables in directly buried ducts utilizing PVC conduit, protected by concrete slabs-and Class I fill. The Class 1E underground system is in conformance with applicable industry standards, is designed similar to St. Lucie Unit 1 and is in accordance with 10 CFR 50 General Design Criteria 1,2,3,4, 17, 18 and IEEE 308-71 Subsection 5.2.1. The specific design criteria are addressed as follows for the Class 1 E underground cable system. Seismic design of the duct runs is accomplished by using a rigid design (concrete encasement) or a flexible (unencased) design. The flexible design concept for underground electrical duct runs was decided upon in 1970. The flexible design is verified for seismic loadings utilizing concepts derived from N. M. Newmark's paper, "Earthquake Response Analysis of Reactor Structures," Nuclear Engineering and Design, Vol. 20 pp. 303-322. The design method utilizes soil strains induced by seismic waves and frictional resistance between the duct and soil to determine the shear and moment acting on a particular buried element. Relative displacement is considered by using flexible joints at the end of manholes. The results show that the calculated stresses are well below acceptable stress levels. The St. Lucie Unit 2 installation duplicates the St. Lucie Unit 1 design concept. Where seismic design is considered, the seismic effects of the soil on the ducts is a relevant consideration. Ideally, the ducts should move with the soil. This condition is approached in the St. Lucie design by utilizing a conduit system with sufficient flexibility in soil and by separation of the manhole from other structures. At St. Lucie, the soil surrounding the Class 1E duct runs is comprised entirely of Class 1 backfill for which the pertinent physical soil parameters are known and condition of isolation is documented. 
Flexibility is achieved by not encasing the duct runs in concrete; the moment of inertia and modulus of elasticity of the unencased duct bank is considerably less than that of an encased duct run. Structural separation of the duct runs from other structures is achieved by use of three inch isolation joints permitting three dimensional movement between the structures and the manholes. The unencased ducts are backfilled after the duct bank is completed. Backfilling is accomplished by a combination of hydraulically placed backfill and vibration in accordance with approved procedures. This assures that a high soil density in the duct run is achieved. Density checks of the backfill are made to determine that the 98 percent Modified Proctor Density is achieved. The results of these tests are documented and test results are retrievable.
Protection from excavation damage, normally achieved by concrete encasement, is obtained by the installation of a reinforced concrete slab over the Class 1E duct runs. These slabs are nine inches thick except under roadways where the slabs are one foot three inches thick. Non-Class 1E runs are concrete encased because there are no seismic considerations.
The Class I soil in the area of the St. Lucie Unit 1 duct banks has been chemically analyzed with the results being typical for beach sand except for a somewhat higher than normal level of calcium carbonate (sea shells). The same fill is used for St. Lucie Unit 2. Leaching of chemical compounds in the soils does not have any detrimental effect upon the cables or ducts.
Protection against a tornado missile is provided by a minimum of two feet of soil cover with a nine inch reinforced concrete slab or a minimum of one foot of soil cover with a 15 inch reinforced concrete protective slab. The inherent capability of this protection is equivalent to two feet of reinforced concrete criterion for tornado missiles. For the underground Class I raceways that go to the Main Steam Trestle Area, specific protection is accomplished by the following means:
a) For manholes located above grade, a one inch steel plate is provided.
b) For conduits, a twelve inch reinforced slab plus a one inch steel plate is provided.
The ducts are protected from the direct effects of the winds associated with the design basis natural phenomena by virtue of being below grade. All underground electrical system components are located at least seven feet above the normal groundwater level. Due to maintenance considerations, manholes are constructed to minimize the infiltration of water. A gravity or pumped drainage system is provided where necessary. During severe hurricanes, or excessive rain storms, flooding of the areas surrounding the plant island could result in backup of the storm water system which in turn could result in a wetting of underground cables; no adverse effect results from this condition.
The strength of the PVC schedule 40 ducts has been analyzed as flexible buried pipes. Analysis methods in American Water Works Association Manual M11 entitled, "Steel Pipe Design Manual," are used to determine the magnitude of loading transmitted from the surface to the buried ducts and the resulting deflection and stressing of the duct. The maximum design roadway loading is that associated with movement of the St. Lucie Unit 2 steam generator (in the order of 650 tons divided over two transporters). This results in a roadway surface loading of 5000 psf and 3000 psf at the top of the duct bank. Calculated stresses (buckling) in the ducts due to the steam generator load are 118 psi (the ducts can accommodate buckling stresses of 566 psi). The results of the analysis demonstrate that the ducts can withstand this surface loading with ample margins of safety against crushing or overstressing. The steam generator transporter is considered the design basis load.
As per Supplement No. 1 to the Safety Evaluation of St. Lucie Unit 2 (Docket No. 50-339, dated March 3, 1976), it was concluded that the Class 1E underground system provides reasonable assurance that the cables and cable/duct system withstand the specified design conditions without impairment of structural integrity.
8.3.1.2 Analysis
Class 1E electric components are designed to ensure that any of the design events listed in IEEE 308-1971 do not prevent operation of the minimum number of safety-related loads and protective devices that would be required to mitigate the consequences of an accident and/or safely shut down the reactor. The General Design Criteria are covered in Section 3.1. The following design aspects illustrate the extent of conformance with respect to Regulatory Guides, IEEE Standards, and General Design Criteria (GDC).
8.3.1.2.1 General Design Criteria
General Design Criterion 17
Redundancy of the emergency auxiliary power system is provided for the operation of redundant safety related electrical load groups. This redundancy extends from the emergency power source, through 4.16 kV buses, station service transformers, 480 volt buses, MCCs, distribution cables, 120V/208V and 120V panels, inverters, and protective devices.
Each of the redundant onsite emergency power sources and associated load groups independently provide for safe shutdown of the plant and/or mitigation of the consequences of a design basis accident.
General Design Criterion 18
Inspection and testing is carried out in three ways:
- 1) Periodic inspection and testing, during equipment shutdown, of wiring, insulation, connections, and relays to assess the continuity of the systems and the condition of components.
- 2) Periodic testing, during normal plant operation, of the operability and functional performance of onsite power supplies, circuit breakers and associated control circuits, relays and buses.
- 3) Testing during plant shutdown of the operability of the Class 1E system as a whole.
Under conditions as close to design as practical, the full operation sequence that brings the system into operation, including operation of signals of the ESF actuation system and the transfer of power between the offsite and the onsite power system, will be tested.
8.3.1.2.2 Regulatory Guide Implementation
Regulatory Guide 1.6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems." 3/71 (R0)
As stated in the Safety Evaluation Report of St. Lucie Unit 2 (Docket No. 50-389) the electrical design is in compliance with the requirements of the Regulatory Guide. The Regulatory Guide is met as follows:
a) The electrically powered safety loads, both ac and dc, are separated into redundant load groups such that the loss of any one load group does not prevent the performance of the minimum safety functions.
b) Each ac load group has a connection to the preferred (offsite) power source and a connection to a standby (onsite) power source, consistent with the design of other existing licensed nuclear plants. Each standby power source has no connection to the other redundant load group.
c) Each dc load group is energized by a separate battery and battery chargers. Each battery and battery charging system has no automatic connection to the other redundant dc load group.
d) The standby ac power source consists of two redundant diesel generator sets. For further discussion see Subsection 8.3.1.1.2.
e) No means are provided to automatically parallel the standby source associated with load group A with the standby source associated with load group B. See Subsection 8.3.1.1.2.
f) Each diesel generator set consists of two diesel engines mounted in tandem with a generator coupled directly between the engines. The equivalent reliability of the tandem diesel generators has been demonstrated on St. Lucie Unit 1. The diesel generators are subjected to a 100 start test by the manufacturer at the factory to determine their performance reliability.
Regulatory Guide 1.9, "Selection of Diesel Generator Set Capacity For Standby Power Supplies." 3/71 (R0)
As stated in the Safety Evaluation Report of St. Lucie Unit 2 (Docket No. 50-389) the electrical design is in compliance with the requirements of Regulatory Guide 1.9 (R0).
Compliance to each Regulatory Guide position is as follows:
The diesel generator sets are designed, constructed and installed in accordance with IEEE 387-1972. They are provided with surveillance systems to indicate occurrence of abnormal, pretrip or trip conditions. Periodic tests are performed on the power and control circuits and components, including protective relays, meters, and instruments to demonstrate that the emergency power supply equipment and other components that are not exercised during normal operation of the station are operable. The operational tests are performed at scheduled intervals to test the ability to start the system and run under load for a period of time long enough to establish that the system meets its performance specifications.
The intent of Regulatory Guide 1.9 (R0) is met as follows:
a) The maximum automatically started load on each diesel generator is within the continuous rating of 3685 kW. The total maximum load, including manually started loads, is within the 2000 hour rating.
b) The total predicted loads, at either hot or cold conditions (automatic and manual loads) do not exceed 90 percent of the 30 minute rating of the diesel generator set. The 90 percent of the 30 minute rating (3586 kW) is less than the 2000 hour rating (3935 kW).
c) Predicted loads of each diesel generator set are verified during preoperational testing.
d) Each diesel generator set is capable of starting, accelerating to rated speed and supplying, in required sequence, all the needed emergency shutdown loads. At no time during the loading sequence do the voltage and frequency decrease to less than 75 percent of nominal generator terminal voltage or 95 percent of nominal generator frequency, respectively. Voltage and frequency are restored to within 90 percent and 97 percent of nominal, respectively, within 40 percent of each load sequence. The speed of the diesel generator set does not exceed 111 percent of nominal speed (900 rpm) during recovery from transients caused by disconnection of the largest single load. The engine trip set point is 1035 rpm (115% nominal) to ensure that the unit does not trip on rejection of the largest single load. Each diesel generator set is capable of reaching full speed and voltage within 10 seconds after receiving a signal to start.
e) Prototype qualification test data and preoperational tests are performed to confirm the suitability of the diesel generators.
Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions." 2/72 (R0)
The extent of compliance with this regulatory guide is discussed in Subsection 7.1.2.2.
Regulatory Guide 1.29, "Seismic Design Classification," 2/76 (R2)
Qualification of seismic Category I/Class 1E electrical equipment is discussed in Section 3.10.
Regulatory Guide 1.30, "Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment." 8/72 (R0)
See subsections 8.3.1.2 and 7.1.2.2.
Regulatory Guide 1.32, "Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants." 8/72 (R0)
As stated in the Safety Evaluation Report of St. Lucie Unit 2 (Docket No. 50-389) the electrical design is in compliance with the requirements of Regulatory Guide 1.9 (R0).
The Class 1E electric systems comply with the requirements of IEEE 308-1971 as modified by Regulatory Guide 1.32 (R0) as follows:
a) Design Criteria
- 1) Conditions of operation, due to design basis events, both natural and postulated, are defined in Sections 3.10 and 3.11; Class 1E electric systems design was developed and equipment purchased such that their safety related functions can be performed, in the respective operating environment, under normal and design basis events conditions.
- 2) The quality of the Class 1E electric system output is such that all electrical loads are able to function in their intended manner, without damage or significant performance degradation.
- 3) Control and indicating devices, required to switch between the preferred and standby power supplies and to control the standby power supply system, are provided inside and outside the control room.
- 4) All Class 1E electric system components are uniquely identified.
- 5) Class 1E electric equipment is physically located in seismic Category I structures and separated from its redundant counterpart.
- 6) Equipment qualification by analysis, tests, successful use under similar conditions, or a justifiable combination of the foregoing, ensures that the performance of safety related functions under normal and design basis event conditions is demonstrated (refer to Sections 3.10 and 3.11).
- 7) Tables 8.3-6 through 8.3-10 depict the failure modes and effects analysis for the Class 1E electric systems.
b) AC Power Systems
- 1) Alternating current power systems include power supplies, a distribution system and load groups arranged to provide ac electric power to Class 1E loads. Sufficient physical separation, electrical isolation and redundancy have been provided to prevent the occurrence of common failure modes in the Class 1E systems.
- 2) The electric loads are separated into redundant groups.
- 3) The safety actions by each load group are redundant and independent of the safety actions provided by the redundant counterparts.
- 4) Each of the load groups has access to both a preferred and a standby power supply.
- 5) The preferred and the standby power supplies do not have a common failure mode between them. This is ensured by means of administrative controls that allow only one diesel generator to be tested at any time. Also, protective relaying is included to isolate the standby sources from the preferred power sources in order to preserve the availability of the standby sources.
c) Distribution System
- 1) All distribution circuitry is capable of starting and sustaining required loads under normal and design basis event conditions.
- 2) Physical isolation between redundant counterparts ensures independence.
- 3) Local and/or remote control and indicating components monitor distribution circuits at all times.
- 4) Auxiliary devices that are required to operate equipment are supplied from a related bus section to prevent loss of electric power in one load group from causing the loss of equipment in another load group.
- 5) All Class 1E electrical power circuits have provision for isolation from non-Class 1E circuits through circuit breakers and/or contactors located in Class 1E equipment.
d) Preferred Power Supply
- 1) The preferred power supply derives power from two alternative sources.
- 2) Energy in sufficient quantities is available for normal, standby, and emergency shutdown conditions of the plant.
- 3) Offsite power is available to start and sustain all required loads.
- 4) Surveillance of the availability and status of the preferred power supply is maintained to ensure readiness when required.
e) Standby Power Supply
- 1) The standby power supply consists of two diesel generators, each connected to one of the safety related 4.16 kV ac buses. Each diesel generator represents a complete, independent source of standby power.
- 2) The redundant standby power supplies provide energy for the safety related systems when the preferred power supply is not available.
- 3) Independence of the two standby power systems ensures that a failure of either standby power source does not jeopardize the capability of the remaining standby power source to start and run the required 1E loads.
- 4) Each diesel generator is available for service within the time specified upon loss of the preferred power supply.
- 5) Status indicators, in the control room and remotely located, provide monitoring and alarm for the surveillance of all vital functions for each diesel generator with respect to standby and operating modes (see Section 7.5).
- 6) Sufficient fuel is provided at the site to sustain the operation of both standby diesel generators continuously for seven days, or of one unit for 14 days (see Subsection 9.5.4).
- 7) Automatic and/or manual controls are provided for the selection, disconnection and starting of all loads supplied by the standby power sources.
- 8) Automatic devices disconnect and isolate failed equipment and indication to this effect is provided.
- 9) Test starting and loading can be accomplished during normal station operation.
Regulatory Guide 1.40, "Qualification Tests of Continuous-Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants." 3/73 (R0)
For qualification of continuous-duty motors installed inside containment, see Section 3.11.
Regulatory Guide 1.41, "Preoperational Testing of Redundant On-Site Electric Power Systems to Verify Proper Load Group Assignments," 3/73 (R0)
See Section 14.2.
Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." 5/73 (R0)
The extent of compliance with this Regulatory Guide is discussed in Subsection 7.1.2.2.
Regulatory Guide 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," 6/73 (R0)
The extent of compliance with this Regulatory Guide is discussed in Subsection 7.1.2.2.
Regulatory Guide 1.62, "Manual Initiation of Protective Actions." 10/73 (R0)
The provisions of Regulatory Guide 1.62 (R0) and IEEE 279-1971 relate mainly to the instrumentation and control systems and are discussed in Subsection 7.1.2.2. The electrical system supplying power to the Reactor Protective System is designed to ensure that failures in the supply system result in consequences no more limiting than failures in the Reactor Protective System, as follows:
a) Power supply to the protection systems is from four (one for each channel) power supply inverters as described in Subsection 8.3.1.1.1. No random single failure in any one inverter degrades the performance of the other three. With one measurement channel bypassed for testing, failure of a second channel inverter still leaves two channels functional, thus providing protection without unnecessary tripping as described in Subsection 7.2.1.
b) Any one of the four power supply units can be isolated for maintenance at the same time as the remaining protective channel equipment is being maintained.
c) A common alarm in the control room provides an annunciation when undervoltage or overvoltage conditions are detected in the inverter's dc supply and an undervoltage, overvoltage, or out of frequency condition in the output.
d) Each power supply unit is so constructed as to facilitate repair by replacement of defective components or modules, to ensure a minimum of downtime.
IEEE 279-1971 has also been used as a guide in the design of all safety related power systems. In particular, the power systems are designed to meet the single failure criterion; electrical equipment may be tested for functional integrity when the loads it supplies are tested; and all bypasses in safety related circuits (e.g., thermal overload relays in selected valve-operating motor starters) are provided with indication.
Regulatory Guide 1.63, "Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants." 10/73 (R0)
The intent of Regulatory Guide (RG) 1.63 (R0) is met as follows:
The electrical penetrations for St. Lucie Unit 2 are designed in accordance with IEEE 317-1972 and are qualified and tested in accordance with IEEE 317-1976, "IEEE Standards for Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations," as modified by the appropriate quality assurance related positions of RG 1.63, Rev 2. Conax Corporation is the supplier of all electrical penetration assemblies for St. Lucie Unit 2. The following types of electrical circuits penetrate containment:
a) Medium Voltage Power Circuits
b) Low Voltage Power Circuits
c) AC and DC Control Circuits
d) Instrumentation Circuits
All electrical penetration assemblies are designed to meet the maximum containment internal pressure of 44 psig. In addition, all electrical penetration assemblies are designed to withstand an overload pressure of 50 psig for one hour. The electrical penetration assemblies are designed to IEEE 317, 278 and 383. The Quality Assurance (QA) program is in accordance with the Engineering QA program previously approved by the NRC during the construction permit review.
480V switchgear circuits, control circuits, and instrumentation circuits are designed in compliance with position C.1 of Regulatory Guide 1.63. The specific methods utilized to meet position C.1 to RG 1.63 revision 2 (i.e., "electrical penetration assembly should be designed to withstand, without loss of mechanical integrity, the maximum short-circuit vs time conditions that could occur given single random failures of circuit overload protection devices") are different in accordance with the electrical service class (i.e., a, b, c and d above) and the function of the circuit (e.g., certain circuits shall be de-energized prior to entering the plant modes shown on Table 8.3-13).
The single failure concern of position C.1 (RG 1.63, Rev 2) may be considered credible; however, the following design, installation, and quality assurance features utilized for St. Lucie 2 provide confidence that such an event is indeed unlikely.
a) The low voltage and medium voltage power systems (i.e., nominal 480V ac, 4.16 kV ac, 6.9 kV ac) are high impedance grounded (i.e., connected to station ground through an impedance value aimed to limit line-to-ground faults to less than approximately 10-15 amperes). When an electrical short circuit fault occurs, the predominant fault mode is typically a single line to ground fault as documented in IEEE Standard 500-1977, "IEEE Guide to the Collection and Presentation of Electrical, Electronic and Sensing Component Reliability Data for Nuclear-Power Generating Stations." A high impedance grounding system limited ground fault current would not result in unacceptable degradation of the penetration assembly (e.g., the additional ground current of 10-15 amperes to the 50 amperes full load current of the 4000V CEDM cooling fan motors, has no impact on the penetration which has a 500 ampere continuous current capability). This allows continued system load operation under single line-to-ground fault which for Class 1E circuits provides a margin above the single failure criterion to promote continuity of service. The failure rates for copper conductor power cable reported in Chapter 10 of IEEE Std 500 (listing 10.1.1.1 Power) would indicate that there may be no multiphase shorts for power cables in containment over the licensed plant life.
b) The DC Power Distribution Systems are designed for ungrounded operation (i.e., without any intentional design connection to ground except through very high impedance measurement and ground indication circuitry). Consequently, a single line-to-ground fault results in virtually no ground fault current flow.
c) All cables are installed and documented against controlled installation procedures and verified by quality control procedures. Each power cable has its insulation resistance tested after installation to verify integrity.
d) Protective devices (e.g., relays, overload elements, etc.) are provided in the three phases of the three phase power system. The high impedance grounding limits the destructive short circuits to line-to-line and line-to-line-to-line faults. Consequently, a single failure of protective relaying or overload elements does not preclude tripping the circuit for a line-to-line fault. Two failures of relaying/overload elements do not preclude tripping the circuit for a line-to-line-to-line fault.
e) Stringent design provisions for in-containment equipment, as described in Chapter 3 of this SAR, minimize damage potential due to seismically induced failures, missile generation, etc.
f) The failure modes of the circuit protective devices (i.e., the failure to open the circuit under maximum overcurrent conditions) have a low failure rate as identified in IEEE Std 500.
Medium Voltage Power Circuits
There are two medium voltage power penetration classes; one class rated 5 kV and one class rated 15 kV. The method of compliance with RG 1.63 Rev 2 position C.1 is as follows for the two classes of medium voltage electrical penetration assemblies:
a) Type MVP-A
Two penetration assemblies provide power for 4000 Volt rated, 400 hp CEDM Cooling Fan Motor Drives.
- 1) Primary Protection: Overcurrent relays (device 50/51/83) are provided for all three phases of each motor feeder circuit. These relays are housed in their respective 5 kV metal clad switchgear cubicles. The control (i.e., breaker trip) voltage is 125V dc nominal from Class 1E dc buses.
- 2) Backup Protection: Fuses are provided to backup the relays in a coordinated manner as described in Subparagraph (3) below.
- 3) Fault-current-versus-time coordination:
The largest short-circuit current anticipated downstream of the penetration assembly is approximately 30,000 amperes symmetrical. Primary protection is provided by an overcurrent relay (Figure 8.3-9(a)) which has its instantaneous setting at approximately twice locked rotor current. The interrupting time of the medium voltage switchgear is approximately 5.5 cycles, which includes relay pickup time. Consequently, the primary protection will clear any fault which exceeds the instantaneous setting in approximately 5.5 cycles. Smaller fault or overload currents will result in circuit opening in accordance with the inverse time element of the primary protective relay (see Figure 8.3-9(a)).
Fuses are provided to backup the primary relays and are mounted in their own enclosure. This entire assembly is purchased as Class 1E and qualified to IEEE 323-1974 and IEEE 344-1975. Each fuse is connected in series with each pole of the three phase switchgear breaker. They are selected so that they will clear a fault or overload condition before the current capabilities of the 750 kcmil penetration feedthroughs are reached (RG 1.63). They are also coordinated to allow the existing switchgear circuit breaker sufficient time to clear a fault or overload condition before opening and will clear before any upstream breaker is affected (RG 1.75). The cable between the switchgear and the new fuse is run in its own dedicated seismically supported conduit and is thus separated from any other safety or non-safety cable. To prevent non-three phase operation of the fan motors due to individual fuse operation, a negative sequence current relaying scheme was added to the affected switchgear cubicle.
b) Type MVP-B
Four penetration assemblies are provided, designated A3, A4, A7, AB, to service 6600 volt rated, 6500 hp Reactor Coolant Pump Motor Drives.
- 1) Primary Protection: Overcurrent relays (device 50/51/83) are provided for all three phases of each motor feeder circuit. The control (i.e., breaker trip) voltage is 125V dc nominal derived from Class 1E dc buses.
- 2) Backup Protection: Overcurrent (device 50/51) and fault detection (device 50FD) relays are provided to backup the primary relays in a coordinated manner as described in Subparagraph (3) below. The control circuit for backup protection has a power source that is fused separately from the primary protection control circuits.
- 3) Fault current versus time coordination:
The largest short circuit current anticipated downstream of the penetration assembly is approximately 31,000 amperes symmetrical. Primary protection is provided by an overcurrent relay (device 50/51/83) which has its instantaneous setting at approximately 180% of locked rotor current. The interrupting time of the medium voltage switchgear is approximately 5.5 cycles, which includes relay pickup time. Consequently the primary protection clears any fault which exceeds the instantaneous setting within approximately 5.5 cycles. Smaller fault or overload currents result in circuit opening in accordance with the inverse time element of the primary protective relay (Figure 8.3-9(b)).
Backup protection is provided by a relay scheme consisting of an overcurrent relay (device 50/51), a fault detector (device 50FD) and a time delay relay (device 62). The backup protection scheme opens the backup circuit breaker for a short circuit exceeding the instantaneous setting of the overcurrent relay upon the failure of the primary protection. The time delay relay delays tripping to allow the primary protection to clear the fault. A small fault or overload current results in circuit opening in accordance with the inverse time element of the backup protective relay.
Low Voltage Power Circuits
As described in Subsection 8.3.1.1.1.c, "480 Volt System," low voltage power circuits are protected by 480 volt switchgear or 480V Motor Control Centers. The following describes the typical methods utilized.
a) 480 Volt Switchgear
The only power circuit penetrating the containment powered directly from 480 volt switchgear is the Reactor Containment Building Polar Crane. The penetration assembly provides service to the Reactor Containment Building Polar Crane utilizing 500 kcmil conductors.
As the polar crane is not required during plant operating modes, Regulato:ry Guide 1.63 Rev 2, position C.l, is met by adherence to the Technical Specification limitation on power delive~ to-the polar crane (e.g., breaker locked open). b) 460 Volt Pressurizer heater 3us Power circuits penetrating containment serve in-containment power panels which distribute power to the heater circuits which form the first level of protection for a short circuit at the heaters. The field cable is 2-4/0 AWG conductors per phase and the penetration conductor sizes are two 350 kcmil conductors per phase. In the unlikely event of a fault at or downstream of the penetration assembly, prima:ry and backup overcurrent protection is provided as illustrated in current vs time plots of Figure 8.3-9(c). T:~e 480 Volt Pressurizer Heater Bus Breaker is a thermal magnetic molded case circuit breaker. The incoming power to the Pressurizer Heater Buses is derived through a 4160/480 volt 750/1000 kVA transformer from Class lE SWitchgear as shown on Figure 8.3-9(c). The molded case circuit breaker requires no external power supply to trip the circuit on overcurrent.
- The Pressurizer Heater Buses are supplied from Class lE qualified 4.16 kV SWitchgears 2A3 and 2B3 for Pressurizer Heater, Buses 2A3 and 2B3 respectively. As indicated on Figure 8.3-9(c) the Class lE switchgear breaker backs up the 480 Volt Pressurizer Heater Bus Breaker and opens the circuit, prior to exceeding the maximum I 2 t capability of the penetration seal, under maximum fault conditions .
.c) Containment Cooling Fan Motors Four Containment Cooling Fan Motors, (125/83 hp) located in containment, are served by combination starters which provide the necessary two-speed two-winding control functions. Each starter is individually served by a* 480 volt switchgear breaker. Figure 8.3-9(d) provides the time-current pl9ts which demonstrate that the penetration integrity is protected with two independent tripping devices. Primary protection is provided by a the:rma.1 magnetic circuit breaker which is backed up by a circuit breaker. All _.protective devices are Class lE commensurate with the safety function of the Containment Cooling Fan Motors.
8.3-30e Amendment No. 11, (5/97)
d) 480V AC Motor Control Center Circuits Small 460 volt ac, rated 3 motor loads (maximum motor load being 40 hp), and 480 volt ac static or intermittent loads (e.g., power receptacles) are powered from 480 volt ac Motor Control Centers as described in Subsection 8.3.1.1.2. The circuit overload protective devices and the MCCs themselves, which supply circuits which penetrate containment are Class 1E.
- 1) Motor Circuit & Static Devices These circuits are protected with two fault current interrupting devices in series.
- 2) Normal/Emergency Service Lighting systems and other non-Class 1E 208Y/120V ac systems which derive "emergency power" from the Class 1E power distribution system for personnel safety (e.g., safe egress from containment upon loss of plant normal or preferred power) are powered from Power Panels PP 210 or 214. These panels derive their power through a Class 1E qualified dry type 45 kVA Transformer with Class 1E primary and secondary breaker protection.

A failure of either the primary or secondary breaker, device 1 and device 2, as respectively described on Figure 8.3-9(e) does not prevent the alternate circuit breaker from opening the penetration circuit without violation of containment integrity.

Control Circuits

Control circuits which penetrate containment typically utilize a #16 AWG conductor for field cable and #8 AWG penetration conductor. The control circuits are typically provided with fuse protection. Furthermore, DC Control Circuits for control valves and similar devices have several levels of circuit protection (e.g., 2-6 ampere fuses backed up by 15 ampere thermal magnetic breakers). AC control circuits (e.g., MCC control circuits) which penetrate containment utilize fuses rated six amperes or less. DC control circuits utilize two fuses (i.e., one for positive and one for negative leads) so that a single fuse failure to clear the circuit does not prevent the second fuse from clearing the circuit. Furthermore, a ground fault produces negligible currents. It is worth noting that failure of a fuse to clear a circuit when properly installed would be an incredible event (i.e., IEEE 500 does not indicate any failures other than misapplication).

8.3-30f Amendment No. 20 (05/11)

Site construction verification and/or pre-operational verification ensure the fuse, as specified, is installed. AC control circuits derived from MCC control circuits have control transformer sizes of 150 through 500 VA and maximum secondary fuse of six amperes. In the extremely unlikely event of fuse failure the impedance of the circuit elements (i.e., magnetic only circuit breaker, control transformers, and control cable) would limit the maximum fault to less than the mechanical integrity limit of the penetration assembly.

Instrument Circuits

These circuits supply signals from devices such as transmitters (e.g., pressure, flow, etc.), thermocouples, annunciators and other limited energy circuits. These instrument circuits are typically dc, low voltage circuits derived from current limited instrument power supplies. Faults on such circuits therefore are of low energy value such that penetration mechanical integrity is not jeopardized.

Regulatory Guide 1.73, "Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants." 1/74 (R0)

For qualification of electric valve operators installed inside the containment and compliance to IEEE 382, see Section 3.11.

8.3-31 Amendment No. 18 (01/08)
Regulatory Guide 1.75. "Physical Independence of Electric Systems." 1/75 (R1)

The intent of Regulatory Guide 1.75 (R1) is met as follows (See Figure 8.3-5). The Class 1E electric system complies with the requirements of IEEE 384-1974 (other IEEE Standards discussed in Section 8.3.1.2.3). The extent to which this standard has been followed is described below.

a) General Separation Criteria

Separation is provided to maintain independence of electrical circuits and equipment so that the protective functions required during any design basis event can be accomplished. The degree and method of separation varies with the potential hazards in a particular area. Equipment and circuits requiring separation are identified on drawings and identification in the field is in a distinctive manner as described in Subsection 8.3.1.3. Separation of equipment and circuits is achieved by safety class structures, distance, or barriers, or any combination thereof. Electrical equipment, circuits, and raceways are separated into three distinct categories.

- 1) Class 1E safety related: equipment, circuits, or raceways that are essential to emergency reactor shutdown, containment isolation, reactor core cooling and containment and reactor heat removal, or are otherwise essential in preventing significant release of radioactive material to the environment. Safety related equipment, circuits, and raceways are separated per the "Specific Separation Criteria" below.
- 2) Associated Circuits and Equipment: Non-Class 1E circuits or equipment that share power supplies, enclosures or raceways with Class 1E circuits or are not physically separated from Class 1E circuits or equipment by acceptable separation distance or barriers.

Associated circuits and equipment comply with one of the following:

i) They are uniquely identified as such or as Class 1E and remain with or are separated the same as those Class 1E circuits with which they are associated; the cables are subject to all requirements placed on Class 1E circuits such as cable derating, environmental qualification, flame retardance, splicing restrictions and raceway fill, unless the absence of such requirements could not significantly reduce the availability of the Class 1E circuits, or
- 8.3-32 Amendment No. 18 (01/08)
ii) They are in accordance with (i) above from Class 1E equipment to and including an isolation device. Beyond the isolation device a circuit is considered a non-Class 1E circuit provided it does not again become associated with a Class 1E system.

St. Lucie Unit 2 is designed such that those non-safety loads connected to the Class 1E buses which are not considered important for operation and plant investment will be shed from the Class 1E buses by a Safety Injection Actuation Signal (SIAS) or will be locked out of service during plant operation in accordance with the Technical Specifications. An example is the pressurizer heater bus circuit which is shed by a Safety Injection Actuation Signal (SIAS).
Those non-safety loads which are considered important for operation and plant investment remain connected to the Class 1E buses, however, they are provided with two, Class 1E, fault current interrupting devices. Preferred power supply circuits from the transmission network and the similar power supply circuits from the unit generator that become associated circuits solely by their connection to the Class 1E distribution system input terminals are exempt from the requirements of the above. Isolation devices are devices in a circuit which prevent malfunctions in one section of a circuit from causing unacceptable influences in other sections of the circuit or other circuits. Class 1E qualified circuit interrupting devices actuated by fault current are considered to be isolation devices.
- 3) Non-Class 1E Circuits and Equipment: Non-Class 1E circuits, equipment, and raceways do not perform any safety operation within the plant.
i) Non-Class 1E circuits are routed in separate raceway systems from Class 1E circuits. These raceway systems are separated from Class 1E raceway systems by the minimum separation requirements specified in b) "Specific Separation Criteria," below. Non-Class 1E circuits are separated from associated circuits by the minimum separation requirements in b) "Specific Separation Criteria" below, or the effects of lesser separation between non-Class 1E circuits and associated circuits are analyzed to demonstrate that the Class 1E circuits are not degraded below an acceptable level or,

8.3-33 Amendment No. 21 (11/12)

ii) The non-Class 1E circuits are treated as associated.

b) Specific Separation Criteria

- 1) Separation Criteria for Cables and Raceways

i) General Plant Areas: In general redundant Class 1E raceway systems are separated spatially by three feet horizontally and five feet vertically. This separation distance is based upon the following:

- Cable splices in raceways are prohibited
- Cables are flame retardant
- Power cable trays are designed to be no more than 40 percent full
- Hazards are limited to failures or faults internal to the electric equipment or cables

8.3-33a

If, in addition, high energy electric equipment such as 4.16 kV or 6.9 kV switchgear, transformers over 480V or large rotating equipment are excluded and power cables are installed in enclosed raceways or there are no power cables, the minimum separation distance is one foot horizontally and three feet vertically.
ii) Cable and Raceway Hazard Areas: Analyses of the effects of pipe whip, jet impingement, missiles, fire and flooding demonstrate that safety-related electrical circuits, raceways and equipment are not degraded beyond an acceptable level. The analyses are referenced as follows:

- Pipe Rupture (Section 3.6)
- Missiles (Section 3.5)
- Flammable Material (Subsection 9.5.1)
- Flooding (Section 2.4)

iii) Cable Spreading Area and Control Room: The cable spreading area is the space below the control room where the instrumentation and control cables converge prior to entering the control, termination, or instrumentation panels. The cable spreading area and control room do not contain high energy equipment* such as high energy switchgear, transformers over 480 volts, high energy rotating equipment, or potential sources of missiles or pipe whip, and are not used for storing flammable materials. Circuits in the cable spreading area and control room are limited to control functions, instrument functions and those power supply circuits and facilities serving the control room and instrument systems.

There are two pressurizer heater transformers each rated 750 kVA, 4.16 kV to 480V, 3 phase, dry type that are located adjacent to the Unit 2 cable spreading area. These non-safety transformers are powered from Class 1E 4.16 kV switchgear through qualified isolation devices. The 4.16 kV cable, that connects the switchgear bus with the transformer high side winding and enters through the bottom of the floor at EL. 43.00, is qualified to the requirements of IEEE 383. Sprinklers are provided above the transformers on EL. 43.00 as a result of the Appendix R review. Transformers are built in accordance with ANSI Standard C57.12.00-1973. They are designed to sustain external short circuit faults on any one set of terminals.

* High energy circuits are considered to be those with available fault currents in excess of the interrupting rating of the 480V motor control centers.

8.3-34 Amendment No. 10, (7/96)
- 0124F 8.3-34a Amendment No. 5, (4/90)
The minimum separation distance between redundant Class 1E cable trays is one foot between trays separated horizontally and three feet between trays separated vertically. This separation distance is based upon the following:

- Cable splices in raceways are prohibited.
- Cables are flame retardant.
- Hazards are limited to failures or faults internal to the electric equipment or cables.
- No high energy equipment such as high energy switchgear, transformers over 480 volts, high energy rotating equipment are located in this area.
- There are no potential sources of missiles or pipe whip.
- Refer to Subsection 9.5.1 for a discussion of combustible loads.

Where the minimum separation distance described in i, ii and iii above cannot be maintained, the redundant circuits are enclosed in raceways that qualify as barriers or the tray is coated with fire retardant spray or other barriers are provided between redundant circuits. The minimum distance between the redundant enclosed raceways and between barriers and raceways is one inch. Horizontal separation is measured from the side rail of one tray to the side rail of the adjacent tray. Vertical separation is measured from the bottom of the top tray to the top of the side rail of the bottom tray.

DC power supply feeders from redundant MA, MB, MC and MD instrument buses to the control room are installed in enclosed raceways that qualify as barriers. For identification of cable and raceways, refer to Subsection 8.3.1.3.
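The cable and raceway distances in item 1) above can be applied mechanically to an as-built survey. The following Python sketch is an added example, not part of the FSAR or any licensee tool; the record fields, status strings and sample survey rows are assumptions constructed for illustration, and it simplifies the criteria to distance and barrier checks only.

```python
from dataclasses import dataclass

IN_PER_FT = 12.0

# Minimum open-air separation in inches, taken from the criteria in the text.
GENERAL_MIN = {"horizontal": 3 * IN_PER_FT, "vertical": 5 * IN_PER_FT}
REDUCED_MIN = {"horizontal": 1 * IN_PER_FT, "vertical": 3 * IN_PER_FT}
# Minimum gap between redundant enclosed raceways or between barrier and raceway.
BARRIER_MIN = 1.0


@dataclass(frozen=True)
class RedundantPair:
    """One surveyed pair of redundant Class 1E raceways (hypothetical record)."""
    tag: str
    area: str            # "general", "hazard" or "cable_spreading"
    orientation: str     # "horizontal" or "vertical"
    distance_in: float   # measured rail-to-rail or tray-bottom to rail-top
    high_energy_excluded: bool = False  # no 4.16/6.9 kV gear, >480V xfmr, etc.
    open_power_cables: bool = True      # power cables present in open trays
    enclosed_or_barrier: bool = False   # enclosed raceway, spray or barrier


def required_separation(pair):
    """Return the required open-air distance in inches, or None if the area
    is covered by hazard analyses rather than a fixed distance."""
    if pair.orientation not in GENERAL_MIN:
        raise ValueError(f"unknown orientation: {pair.orientation!r}")
    if pair.area == "hazard":
        return None
    if pair.area == "cable_spreading":
        # Cable spreading area and control room: one foot / three feet.
        return REDUCED_MIN[pair.orientation]
    if pair.area == "general":
        # Reduced distances apply only when high energy equipment is excluded
        # and power cables are enclosed or absent.
        if pair.high_energy_excluded and not pair.open_power_cables:
            return REDUCED_MIN[pair.orientation]
        return GENERAL_MIN[pair.orientation]
    raise ValueError(f"unknown area: {pair.area!r}")


def evaluate(pair):
    """Classify one pair against the separation criteria."""
    required = required_separation(pair)
    if required is None:
        return "ANALYSIS_REQUIRED"
    if pair.distance_in >= required:
        return "OK_DISTANCE"
    # Fallback: enclosed raceways or barriers with at least one inch of gap.
    if pair.enclosed_or_barrier and pair.distance_in >= BARRIER_MIN:
        return "OK_BARRIER"
    return "VIOLATION"


def audit(pairs):
    """Evaluate every surveyed pair and return {tag: status}."""
    return {p.tag: evaluate(p) for p in pairs}


# Constructed sample survey; tags and distances are invented for the example.
SAMPLE_SURVEY = [
    RedundantPair("T-01", "general", "horizontal", 40.0),
    RedundantPair("T-02", "general", "vertical", 48.0),
    RedundantPair("T-03", "general", "vertical", 48.0,
                  high_energy_excluded=True, open_power_cables=False),
    RedundantPair("T-04", "cable_spreading", "horizontal", 6.0,
                  enclosed_or_barrier=True),
    RedundantPair("T-05", "cable_spreading", "horizontal", 0.5,
                  enclosed_or_barrier=True),
    RedundantPair("T-06", "hazard", "vertical", 72.0),
]

if __name__ == "__main__":
    for tag, status in audit(SAMPLE_SURVEY).items():
        print(tag, status)
```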
- 2) Separation Criteria for Emergency Power Supply

i) Emergency Diesel Generators: Redundant Class 1E emergency diesel generators are located in separate safety class structures and have independent air supplies.

ii) Auxiliaries and Local Controls: The auxiliaries and local controls for redundant emergency diesel generators are located in the same safety class structure as the unit they serve or are physically separated in accordance with the requirements of a) "General Separation Criteria" above.

iii) Cable and Raceway: Cable and Raceway separation is in accordance with b) "Specific Separation Criteria", item 1.

8.3-35
Separate electrical equipment rooms are provided in the Reactor Auxiliary Building for redundant 4.16 kV safety buses. The spatial separation is provided between redundant 480V switchgear. The 480 volt safety MCCs are located inside the Reactor Auxiliary Building, Fuel Handling Building and Diesel Generator Building. Spatial separation is provided between redundant MCCs.
- 3) DC System i) Batteries: Redundant Class 1E batteries are placed in separate rooms. These rooms are served by independent ventilation systems.
ii) Battery Chargers: Battery chargers for redundant Class 1E batteries are physically separated in accordance with the requirements of a) "General Separation Criteria" above.
- 4) Separation Criteria for Distribution System i) Switchgear: Redundant Class 1E distribution switchgear groups are physically separated in accordance with the requirements of a) "General Separation Criteria" above.
ii) Motor Control Centers: Redundant Class 1E motor control centers are physically separated in accordance with the requirements of a) "General Separation Criteria" above.

iii) Distribution Panels: Redundant Class 1E distribution panels are physically separated in accordance with the requirements of a) "General Separation Criteria" above.

In some cases, non-safety related equipment is fed from safety related distribution buses. In such cases, barriers are provided and cable entrances are designed such that all non-safety related cables are not routed in the same raceways as safety related cables.

The emergency diesel generator sets are located in the Diesel Generator Building with each diesel generator set and its auxiliary equipment in separate rooms. The wall separating the diesel generator sets is floodtight and fire resistant, and protects the redundant sets against internally generated missiles. Missile protection is described in Section 3.5. Figures 1.2-20 and 21, Diesel Generator Building plan and sections, show the size and location of both the intake and exhaust ports.

- 5) Separation Criteria for Containment Electrical Penetrations

Redundant Class 1E containment electrical penetrations are physically separated in accordance with the requirements of a) "General Separation Criteria" above. The minimum physical separation for redundant penetrations meets the requirements for cables and raceways given in b) "Specific Separation Criteria" item 1. Non-Class 1E circuits routed in penetrations containing Class 1E circuits are treated as associated circuits in accordance with the requirements of a) "General Separation Criteria" above.

8.3-36 Amendment No. 20 (05/11)
For cables entering the containment, there are a total of 48 electrical penetrations. The 6.9 kV and two 4.16 kV power penetrations use 18 inch sleeves. All other service penetrations use 12 inch sleeves except for two low level penetrations which utilize 18 inch sleeves. Cables terminate on the penetrations via bushing terminations, lug to lug connectors, in line splices, connectors or terminal blocks located inside a terminal box. All cables entering these terminal boxes are run in flexible conduits. The penetrations are arranged in five horizontal rows of 10 penetrations each. The spacing between penetrations is approximately 44 inches horizontally and 36 inches vertically, center to center.

In the penetration room outside the Shield Building, a vertical wall divides the penetration area into two separate compartments with 25 penetration sleeves on each side.* This wall extends from floor to ceiling and prevents damage in one compartment from affecting penetrations or cables in the other compartment. Cables serving load group A are run in one compartment and cables serving load group B are run in the other. In addition, one composite penetration for load group AB powered equipment is run in area B.

In the annulus within the Shield Building, each penetration has a protective sleeve. The sleeves are designed to allow for differential movement between the Shield Building and containment vessel and allow any leakage past the containment canister seal to vent into the annulus. The sleeves prevent damage in one penetration from affecting other penetrations. Inside the containment vessel, the cables are run into cable trays as near to the penetration as possible. The cable separation criteria described previously are applied for the cable tray runs located inside the containment.

* There are 24 penetrations and one spare nozzle on each compartment.
- 6) Separation Criteria for Class 1E Control Boards

i) All Class 1E control boards are located in seismic Category I structures.

ii) Internal Separation: The minimum separation distance between redundant Class 1E equipment and circuits internal to the control board is six inches. In the event the above separation distances are not maintained, barriers are installed between redundant Class 1E wiring.

8.3-37

iii) Internal Wiring Identification: Class 1E wire bundles or cables internal to the control boards are identified in a distinct permanent manner at a sufficient number of points to readily distinguish redundant Class 1E wiring, and non-Class 1E wiring.
- iv) Common Terminations: Where redundant Class 1E circuits are terminated at a common point locally qualified isolators are utilized to assure that the separation of either circuit is not compromised.
v) Non-Class 1E wiring: Non-Class 1E wiring not separated from Class 1E wiring by the minimum separation distance or by a barrier is treated as associated circuits. vi) Cable Entrance: Redundant Class 1E cables entering the control board enclosure meet the requirements of b) "Specific Separation Criteria", item iii.
- 7) Separation Criteria for Instrument Panels

The separation requirements of a) "General Separation Criteria" above apply to instrumentation racks. Redundant Class 1E instruments are located in separate panels or compartments of a panel. Where redundant Class 1E instruments are located in separate compartments of a panel, attention is given to routing of external cables to the instruments to assure that cable separation is retained.
- 8) Separation Criteria for Sensors and Sensor-to-Process Connections Redundant Class 1E sensors and their connection to the process system are sufficiently separated that functional capability of the protection system can be maintained despite any single design basis event or result therefrom. Consideration is given to secondary effects of design basis events such as pipe-whip, steam release, radiation, missiles, and flooding.
Large components such as the reactor vessel are considered a suitable barrier if the sensor-to-process connecting lines are brought out at widely divergent points and routed so as to keep the component between redundant lines. Redundant pressure taps located on opposite sides of a large pipe are considered to be separated by the pipe. 8.3-38 Amendment No. 20 (05/11)
- 9) Separation Criteria for Actuated Equipment

Locations of Class 1E actuated equipment, such as pump drive motors and valve operating motors are normally dictated by the locations of the driven equipment. The resultant locations of this equipment are reviewed to ensure that separation of redundant Class 1E actuated equipment is acceptable.

By implementing the above criteria, physical separation as a protection against common mode failure of emergency power to both redundant electrical load groups is achieved between the redundant emergency portions of the standby power system. Physical separation is provided between load group A and load group B and between load group AB and both load groups A and B since load group AB may at various times function as part of either load group A or B. Separate cable tray and conduit systems are provided for each of the redundant load groups.

In addition, to enhance the above separation criteria the following specific criteria are applied for cable runs:

Separate tray and conduit systems are furnished for the following classes of cable: 5kV, 600 volt power, 600 volt control and 300 volt shielded instrument cable. Different parameter signal cables are in the same wireway as long as they do not belong to separate redundant channels. The correct routing of all cabling is assured by a design and engineering review of all cable runs by following a stringent document control procedure.

Base ampacity rating of cables in trays is based on the general methods of IPCEA P-54-440 (1972 edition). Power cable trays are designed to be no more than 40 percent full.

All cables are inspected by site quality control to assure that they are not damaged in the process of cable pulling. The inspection of these cables is documented and subject to random audit by quality compliance.

Compliance to Regulatory Guide 1.75 (R1) regulatory positions are as follows:

8.3-39
Position C1: The design of the Class 1E portions of the Onsite Power System includes fault current interrupting devices which serve an isolation function. Approval of this design approach has been accepted by the NRC in the Safety Evaluation Report (Docket #50-389). Circuit interrupting devices actuated by fault current (fuses, circuit breakers) are commonly used as isolating devices. Once actuated these devices prevent the faulted circuit from influencing the unfaulted circuit in an unacceptable manner. The St. Lucie Unit 2 design will be modified such that those non-safety loads connected to the Class 1E buses which are not considered important for operation and plant investment will be shed from the Class 1E buses by a Safety Injection Signal or will be locked out of service during plant operation in accordance with the Technical Specifications. Those non-safety loads which are considered important for operation and plant investment will remain connected to the Class 1E buses, however, they will be provided with two, Class 1E, fault current interrupting devices. Since these changes will require new hardware and engineering changes which cannot be accomplished prior to fuel load these modifications will be installed on, or before, the first refueling outage.

Position C2: Interlocked armored cable is not used as a raceway system.

Position C3: The separation of circuits and equipment is achieved by seismic Category I structures, distance or barriers or any combination thereof. In general, locating redundant circuits and equipment in separate safety class structures affords a greater degree of assurance that a single event does not affect redundant systems. Therefore, this method of separation is used whenever practical and its use does not conflict with other safety objectives.

Position C4: Associated circuits comply as described in a) "General Separation Criteria" above.

Position C5: The offsite power system meets the requirements of GDC 17. See Subsection 8.3.1.2.1.

Position C6: The analyses identified in this Regulatory Guide correspond to those contained in a) "General Separation Criteria" above.

8.3-40 Amendment No. 21 (11/12)

Position C7: Non-Class 1E circuits comply as described in a) "General Separation Criteria" above.

Position C8: Cable tunnels are not utilized.

Position C9: Cable splices are avoided. However, if the need for a splice arises, it is made in:

i) FS boxes when connections are made to valve limit switches, solenoids and also at instruments

ii) Cable terminations at the electrical containment penetrations for safety related cables other than those with connectors

iii) A terminal box or a manhole/handhole.

Position C10: Cables installed in Class 1E raceways are marked in a manner of sufficient durability and at a sufficient number of points to ensure initial verification that the installation is in conformance with the separation criteria. The cable markings are applied prior to or during installation. Refer to Subsection 8.3.1.3.

Position C11: The method of identification readily distinguishes between redundant Class 1E systems, associated circuits assigned to redundant Class 1E divisions and non-Class 1E systems. Color coding is used. Refer to Subsection 8.3.1.3.

Position C12: Circuits in the control room are limited to control functions, instrument functions and those power supply circuits and facilities serving the control room and instrument systems. Redundant Class 1E standby generating units are placed in separate rooms of the Diesel Generator Building, a seismic Category I structure and have independent air supplies. Redundant Class 1E batteries are placed in separate rooms in the Reactor Auxiliary Building, a seismic Category I structure and are served by independent ventilation systems. The separation requirements of b7) "Separation Criteria for Instrument Panels" above apply to instrumentation racks. In addition, redundant Class 1E instruments are located on separate racks or compartments of a cabinet.
Where redundant Class 1E instruments are located in separate compartments of a single cabinet, attention is given to routing of external cables to instruments to assure that cable separation is retained. In locating Class 1E instrument cabinets, attention is given to the effects of all pertinent design basis events. 8.3-41 Amendment No. 21 (11/12)
Regulatory Guide 1.81, "Shared Emergency and Shutdown Electric Systems For Multi-Unit Nuclear Power Plants," 1/75 (R1)

There are no shared onsite safety related systems between St. Lucie Units 1 and 2. Therefore the regulatory positions of Regulatory Guide 1.81 (R1) do not apply.

Regulatory Guide 1.89, "Qualification of Class 1E Equipment for Nuclear Power Plants," 11/74 (R0)

For a discussion of the environmental qualification of Class 1E equipment and compliance to IEEE 323, see Section 3.11.

Regulatory Guide 1.93, "Availability of Electric Power Sources," 12/74 (R0)

The limiting conditions of operation with respect to available electric power sources presented in Regulatory Guide 1.93 (R0) are incorporated into the Technical Specifications.

Regulatory Guide 1.100, "Seismic Qualification of Electrical Equipment for Nuclear Power Plants," 3/76 (R0)

As indicated in the implementation section of Regulatory Guide 1.100 (R0) the positions of this guide are to be used to evaluate construction permit (CP) applications docketed after November 15, 1976; the St. Lucie Unit 2 CP application was docketed in September, 1973. Although Regulatory Guide 1.100 (R0) is not applicable to this operating license application, Section 3.10 presents a discussion of seismic qualification of Class 1E electrical equipment.

Regulatory Guide 1.106, "Thermal Overload Protection for Electric Motors on Motor-Operated Valves," 3/77 (R1)

As indicated in the implementation section of Regulatory Guide 1.106 (R1), the positions of this guide are to be used to evaluate current submittals for construction permits (CP); the St. Lucie Unit 2 CP was issued May, 1977. Although Regulatory Guide 1.106 (R1) is not applicable to this operating license application, the design complies with the recommendations of this Regulatory Guide as follows:

The design of control circuits for MOVs includes the use of thermal overload (TOL) relays and their associated TOL heaters. It is desirable for specific safety related MOVs to have these devices bypassed during design basis accident conditions. "Maintenance Bypass" switches are provided for these specific valves which allow the TOL relays to be in the control circuit for maintenance or testing activities. For plant operation, these switches are placed in the "Bypass position" to defeat the TOL relay function except for an annunciation function. To provide electrical penetration protection for safety related valves located inside containment with bypass switches in their control circuits, thermal magnetic feeder breakers are provided to maintain the integrity of the penetration if the valve motor continues to draw locked rotor current. The safety injection operated flow control valves thermal overloads are bypassed in both manual and automatic valve activation mode. Manual valve activation is required to adjust safety injection flow rate after the valves were opened automatically.

8.3-42 Amendment No. 21 (11/12)

Regulatory Guide 1.108, "Periodic Testing of Diesel Generators Used as Onsite Electric Power Systems at Nuclear Power Plants," 8/76 (R0)

As indicated in the implementation section of Regulatory Guide 1.108 (R0), the positions of this guide are to be used to evaluate construction permit (CP) applications docketed after April 1, 1977; the St. Lucie Unit 2 CP application was docketed in September, 1973. Although Regulatory Guide 1.108 (R0) is not applicable to this operating license application, diesel generator functional testing is presented in the Technical Specifications. Per 58 Federal Register 41813, 8/5/1993, RG 1.108 was withdrawn by the NRC.

8.3-42a Amendment No. 18 (01/08)

Regulatory Guide 1.118. "Periodic Testing of Electric Power and Protection Systems," 6/76 (R0)

As indicated in the implementation section of Regulatory Guide 1.118 (R0), the positions of this guide are to be used to evaluate submittals for construction permit (CP) applications docketed after February 15, 1977; the St. Lucie Unit 2 CP was docketed in September, 1973. Although Regulatory Guide 1.118 (R0) is not applicable to this operating license, the design and construction of the electrical distribution system does allow for a certain level of periodic testing in accordance with IEEE 338-1971. Periodic testing is infrequently required for the Class 1E electrical distribution system other than of the power supplies. The majority of equipment is continuously monitored (e.g., medium voltage switchgear voltage and current) or is tested with the process equipment (e.g., the pumps are tested by closing the switchgear to power the pump drive).
In practice, voltmeters, power available alarms, breaker position switches, etc., facilitate the ability to monitor the electrical distribution system. Due to the separation of all safety related electrical equipment into at least two redundant groups, it is possible to test the power equipment while testing the signal and control system.

The instrumentation and control to support the electrical distribution systems are discussed in Chapter 7. Diesel generator and battery functional testing is presented in the plant Technical Specifications.

Regulatory Guide 1.128. "Installation Design and Installation of Large Lead Storage Batteries for Nuclear Power Plants." 4/77 (R0)

As indicated in the implementation section of Regulatory Guide 1.128 (R0) the positions of this guide are to be used to evaluate submittals for construction permit (CP) applications docketed after December 1, 1977; the St. Lucie Unit 2 CP was docketed in September, 1973. Although Regulatory Guide 1.128 (R0) is not applicable to this operating license the intent of the Regulatory Guide is met as follows:

The installation procedures for the Class 1E batteries meet in general the requirements of IEEE 484-1975. The Class 1E batteries are installed in accordance with Construction Procedure IP-E-1 entitled, "Installation of 125V dc Station Batteries and Chargers," as well as the instructions of the battery vendor.

8.3-43 Amendment No. 18 (01/08)
Safety procedures which require the use of protective equipment are implemented. In the battery installation the batteries are mounted in accordance with the manufacturer's instructions. The location of the batteries takes into account ventilation conditions and water facilities, allotted space for maintenance conditions and lighting facilities. The batteries are protected against natural phenomena such as flooding and winds, as well as induced events such as missiles and environmental hazards. The batteries and racks meet the seismic criteria as described in Section 3.10. The batteries are separated in divided rooms as per the requirement of IEEE 384-1974.
The intent of the Regulatory Guide positions is met as follows:
- a) The percentage of hydrogen accumulation is no greater than two percent of the volume of the battery room.
- b) The battery rack is coated with an epoxy powder and plastic covers fit over the rails on which the cells are placed. Restraining channel beams and tie rods are insulated from the cells.
- c) The acceptance test is a capacity discharge test that when required is conducted in accordance with IEEE 450-1972.
- d) The references listed in Section 7 of IEEE 484-1975, with the exception of IEEE 100-1972 and IEEE 380-1972, are discussed elsewhere in Section 8.3.
- e) 1) The battery rooms are ventilated and provisions are made for adequate aisle space and for space above the cells.
- 2) Extreme ambient temperatures are prevented from occurring in the battery room.
- 3) No significant temperature differential exists between cells; localized sources of heat are avoided.
- 4) The emergency showers and sinks are separated from the batteries by an eight ft high wall.
- 5) The batteries are mounted on a battery rack.
- 6) Fire detection sensors are provided; however, hydrogen sensors are not.
- 7) See Section 9.5.1, Appendix 9.5A Section 2.4, Appendix A to BTP 9.5-1 Guidelines, Item F7.
8.3-44 Amendment No. 13, (05/00)
- 8) As per the equipment instruction manual, during unpacking the process of inspecting the battery cells and the electrolyte level is observed.
- 9) The cells are stored in an indoor area that is weatherproof, cool and dry.
- 10) Deleted.
- 11) After the initial charge has been performed, the batteries are connected to their respective chargers and thus no freshening charge is required.
- 12) No initial hydrogen survey base line data for locating hydrogen detectors are provided. However, records are kept as follows:
a) Records of protective measures
b) Total cell storage
c) Cell electrolyte level
d) Cell voltage after initial charge
e) Hydrometer readings
f) Electrolyte temperature
g) Specific gravity
Regulatory Guide 1.129, "Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Nuclear Power Plants," 4/77 (RO)
As indicated in the implementation section of Regulatory Guide 1.129 (RO), the positions of this guide are to be used to evaluate submittals for construction permit (CP) applications docketed after December 1, 1977; the St. Lucie Unit 2 CP was docketed in September, 1973. Although Regulatory Guide 1.129 (RO) is not applicable to this operating license, this Regulatory Guide used to be included in Section 14.0 of the original FSAR.
Regulatory Guide 1.131, "Qualification Tests of Electric Cables, Field Splices, and Connections for Light-Water-Cooled Nuclear Power Plants," 8/77 (RO)
As indicated in the implementation section of Regulatory Guide 1.131 (RO), the positions of this guide are to be used to evaluate construction permit applications docketed after May 1, 1979; the St. Lucie Unit 2 CP application was docketed in September, 1973. Although Regulatory Guide 1.131 (RO) is not applicable to this operating license application, Section 3.11 presents environmental qualification of Class 1E electrical equipment.
8.3.1.2.3 IEEE Standards
IEEE 387, "IEEE Standards Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations," (1972)
The diesel generator sets are designed, constructed and installed in accordance with the provisions within this standard.
8.3-45 Amendment No. 20 (05/11)
Two redundant 100 percent capacity diesel generators are provided. Each diesel generator design is such that it can be started without any ac power from the preferred power supply. The diesel engine-generator is capable of remote unattended automatic starting, reaching full speed and rated voltage in a maximum of 10 seconds after initiation of a starting signal and picking up full nameplate rated load in not more than 50 seconds after initiation of the start signal. The diesel generator can be automatically started from the normal standby condition. In addition, if the diesel generator is in the running/testing mode and an emergency start signal is initiated, the diesel will automatically transfer from the parallel mode to the isochronous mode. The diesel generator is capable of being started with an initial engine temperature equal to the continuous full load rating engine temperature. The diesel generator continuous rating exceeds the total load which the diesel must carry. Based on actual tests and a computer program/analysis simulating actual loading sequence, the diesel voltage and frequency remain within acceptable levels during load application. The diesel generators are inspected and maintained periodically using the manufacturer's recommendations. Unscheduled maintenance will be performed in accordance with need as indicated by the periodic inspection and as suggested by the manufacturer's recommendations. The diesel generators are interconnected with the rest of the system to utilize the diesel generators for the design basis events indicated in Table 8.3-2 (refer to Subsection 8.3.1.1.1 and Section 9.5 for diesel generator interfaces with the rest of the plant).
The diesel generator has been environmentally qualified in accordance with IEEE 323-1971 to the extent defined in Section 3.11.
The diesel generator was designed and built to operate at 115 percent of rated speed without overstressing any part of the engine generator. The completely assembled engine-generator unit was designed to be free of torsional vibration at any speed between 90 and 115 percent of rated speed. The diesel generator overspeed trip is set at 115 percent of rated speed. The diesel generator was tested for full load rejection without exceeding 115 percent speed. The diesel can be controlled from the control room as well as from the diesel-generator local panel.
The diesel generator has surveillance systems permitting remote and local surveillance. These include abnormal, pretrip and trip conditions. During emergency operations only a diesel generator overspeed and generator differential will cause the unit to trip.
Refer to Tables 8.3-11 and 8.3-12 for diesel generator alarms and indicators.
8.3-45a Amendment No. 21 (11/12)
8.3.1.3 Physical Identification of Safety Related Equipment
Cables, except those for lighting receptacles and small power cables, are tagged at their termination with a unique identifying number. Electrical safety related equipment (switchgear, motor control centers, junction boxes, cables, cable trays, conduits, etc.) is identified by color coded tags, paint or tape according to the following scheme:
System A (Power, Control, and Instrumentation) (SA): orange
System B (Power, Control, and Instrumentation) (SB): purple
System AB (Power, Control, and Instrumentation) (SAB): pink
Measurement Channel A (MA): red
Measurement Channel B (MB): yellow
Measurement Channel C (MC): green
Measurement Channel D (MD): blue
Associated System A (Power, Control, and Instrumentation) (ASA): orange white
Associated System B (Power, Control, and Instrumentation) (ASB): purple white
Associated System AB (Power, Control, and Instrumentation) (ASAB): pink white
Associated Measurement Channel A (AMA): red white
Associated Measurement Channel B (AMB): yellow white
Associated Measurement Channel C (AMC): green white
Associated Measurement Channel D (AMD): blue white
Non-Safety Systems: black
Color coded tray numbers are either stencilled or engraved on both sides of cable trays at 15 ft. intervals. Additional tray identifications are placed at elbows, room entrances and other areas of possible congestion. For verification during initial installation, safety-related cables are identified by color at every five ft. and safety-related conduits are identified by color at intervals of 15 ft.
8.3.1.4 Independence of Redundant Systems
The redundant systems are designed to be physically independent of each other so that failure of any part or the whole of one train, channel or division does not prevent safe shutdown of the plant.
8.3-46
The Class 1E electric systems are designed to ensure that a design basis event does not prevent operation of the minimum amount of safety related equipment required to safely shutdown the reactor and to maintain a safe shutdown condition. The Class 1E power system is designed to meet the requirements of IEEE 279-1971, IEEE 308-1971, applicable portions of 10 CFR Part 50 Appendices A and B, and Regulatory Guide 1.6 (RO). Safety related loads are separated into two completely redundant load groups. Each load group has adequate capacity to start and operate a sufficient number of safety related loads to safely shut down the plant, without exceeding fuel design limits or reactor coolant pressure boundary limits, during normal operation or a design basis event. As required by IEEE 308-1971 and General Design Criterion 17 each redundant safety related load can be powered by both onsite and offsite power supplies. Consistent with Regulatory Guide 1.6 (RO), no provision exists for automatically transferring loads between the redundant power sources. Furthermore, the redundant load groups cannot be automatically connected to each other, nor can the two emergency power sources be paralleled automatically. Separation and independence have been maintained between redundant systems, including the raceways, so that any component failure in one safety related channel does not disable the other safety related division. A discussion of the independence of redundant Class 1E electric systems including electrical and physical separation of cables, cable tray fill, cable derating, tray marking and fire protection is contained in Subsection 8.3.1.2 (the Regulatory Guide 1.75 (R1) discussion).
8.3-47 Amendment No. 18 (01/08)
8.3.2 DC POWER SYSTEM
8.3.2.1 Description
The DC Power System is shown on Figure 8.3-3. Power is provided at 125 volts dc (ungrounded) for plant control and instrumentation and for operation of dc motor operated equipment such as valve operators. Similar to the 4.16 kV and 480V ac emergency systems, the 125V dc system is arranged into two main redundant load groups, SA and SB, and a third service (swing load) group SAB. Load groups SA and SB are each capable of supplying the minimum dc power requirements to safely shutdown the plant and/or mitigate the consequences of a DBA. Load group SA is served by dc buses 2A and 2AA and load group SB by dc buses 2B and 2BB. Load group SAB is served by dc bus 2AB which is normally tied to either (but never both) dc bus 2A or 2B, corresponding to the manner in which the 4.16 kV and 480V AB buses are connected to their respective SA or SB buses. There are two breakers in series in each tie which are key interlocked to prevent the 2AB bus from being simultaneously connected to both the 2A and 2B buses. The dc loads served by each bus are given in Tables 8.3-3, 4, and 5.
Should the operator desire to change the 125V dc, 480V ac and 4160V ac AB buses from one battery source to the other, the following operator action is required (assume all AB buses are connected to their respective A bus).
Transfer of 125V dc AB bus - Four control switches with key locks are switched from the A-AB(AB-A) positions to the B-AB(AB-B) positions. The design of the key locks (key removable in breaker open position only) precludes cross connecting of power sources. Figure 8.3-6 depicts the 125V dc bus transfer circuit capability in the control room. When the transfer is complete, two misalignment alarms are annunciated indicating improper alignment of 4160 and 480 volt buses. The operator dispatches a member of the operating crew to manually open these breakers to clear the alarm. After opening locally the tie breakers from the A system, the operator will tie AB 480 and 4160 tie breakers of the B system.
8.3.2.1.1 Batteries and Battery Chargers
Each 125V dc battery is supplied from two 125V dc battery chargers connected in parallel, both of which are normally operating. Each charger system is sized to carry normal dc load and to recharge a battery from 1.75 volts per cell to full charge. The worst case loading condition on the battery chargers occurs during a post LOCA condition with loss of offsite power. Each of the two parallel 125V dc battery chargers operate separately on the SA and SB buses. A fifth 125V dc battery charger on the SAB bus provides a backup for the four operating 125V dc chargers. Each of the two 125V lead-calcium type safety related batteries consists of 60 cells and is rated 2400 ampere hours for eight hours and has a capacity of 3040 amps for one minute at 77°F. The above rating is sufficient to supply dc loads until such time as the battery chargers are loaded onto the diesel generators. (Note: The above stated ratings are original design values. For current values, refer to latest battery design margin calculation.)
8.3-48 Amendment No. 11, (5/97)
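The key interlock on the 2A-2AB and 2B-2AB ties described in Subsection 8.3.2.1 can be treated as a safety invariant and checked by enumerating every reachable state. The sketch below is an added illustration, not part of the FSAR: it assumes (the text does not say) that each of the two series breaker positions has one key shared between the A-side and B-side locks, and all names in it are hypothetical. It also shows what is lost if the "key removable in breaker open position only" property is dropped.

```python
from collections import deque

SIDES = ("A", "B")    # tie 2A-2AB and tie 2B-2AB
POSITIONS = (0, 1)    # two breakers in series in each tie
# Assumption (not stated on the page): one key per breaker position, shared by
# the A-side and B-side locks, so a key can sit in only one lock at a time.

# State = (keys, closed)
#   keys[pos]  : None (key in the operator's hand) or the side whose lock holds it
#   closed[i]  : True if breaker i is closed, with i = side_index * 2 + pos
INITIAL = ((None, None), (False, False, False, False))


def _idx(side, pos):
    return SIDES.index(side) * 2 + pos


def _put(tup, i, value):
    return tup[:i] + (value,) + tup[i + 1:]


def cross_tied(state):
    """2AB is tied to 2A and 2B at once only if all four breakers are closed."""
    return all(state[1])


def successors(state, trapped_key=True):
    """Yield (action, next_state) for every move the operator can make."""
    keys, closed = state
    for pos in POSITIONS:
        holder = keys[pos]
        if holder is None:
            for side in SIDES:
                yield (f"insert key {pos} at {side}-AB breaker {pos}",
                       (_put(keys, pos, side), closed))
            continue
        i = _idx(holder, pos)
        if not closed[i]:  # a breaker can only be closed with its key inserted
            yield (f"close {holder}-AB breaker {pos}",
                   (keys, _put(closed, i, True)))
        # Trapped key: removable in the breaker-open position only.
        if not closed[i] or not trapped_key:
            yield (f"remove key {pos} from {holder}-AB breaker {pos}",
                   (_put(keys, pos, None), closed))
    for side in SIDES:
        for pos in POSITIONS:
            i = _idx(side, pos)
            if closed[i]:
                yield (f"open {side}-AB breaker {pos}",
                       (keys, _put(closed, i, False)))


def explore(trapped_key=True):
    """Breadth-first search of all reachable states.

    Returns (states_visited, trace): trace is None if the cross-tie state is
    unreachable, otherwise the shortest action sequence that reaches it.
    """
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        if cross_tied(state):
            steps = []
            while parent[state] is not None:
                state, action = parent[state]
                steps.append(action)
            return len(parent), steps[::-1]
        for action, nxt in successors(state, trapped_key):
            if nxt not in parent:
                parent[nxt] = (state, action)
                queue.append(nxt)
    return len(parent), None


if __name__ == "__main__":
    visited, trace = explore(trapped_key=True)
    print(f"trapped key: {visited} reachable states, cross-tie reachable: {trace is not None}")
    visited, trace = explore(trapped_key=False)
    print("key removable while closed: cross-tie reached by")
    for step in trace:
        print("  ", step)
```

With the trapped-key rule every reachable state keeps at least one breaker open in one of the two ties; without it, the search returns an ordinary operating sequence that ends with both ties closed.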
The battery chargers are automatically loaded on the diesel generators approximately forty seconds after loss of offsite power, thus returning the dc system to normal. The above battery rating, when compared to the one minute loading of Table 15.10-5, is more than adequate for this design limiting case of forty second battery operation. The batteries are qualified for a period of at least twenty years. At the end of this period, these batteries will be either replaced or requalified for an extended period of time. Among the alarms and indications for the dc systems, battery breaker position alarm, battery high discharge rate alarm and battery ammeter have been provided in the Control Room.
The turbine generator dc emergency bearing oil pump motor is fed from the non-safety 2C battery and dc bus 2C. The non-safety 2C is normally supplied from a 300 ampere charger similar to the safety system chargers and, on loss of offsite power, from a 60 cell 2,340 ampere-hour eight hour discharge rate battery. The turbine generator dc emergency seal oil pump motor is fed from the non-safety 2D battery and dc bus 2D. The non-safety 2D battery bus and charger system is similar to the 2C dc system.
The ties between the safety-related 125V DC BUS 2AB and the non-safety 125V DC Buses 2C and 2D are through non-automatic circuit breakers (two per tie). Each pair of breakers is key interlocked such that the ties cannot be accidentally closed (completion of each tie requires that each of the two breakers be independently key operated).
The emergency batteries described above comply with the intent of IEEE 450-1975, "IEEE Recommended Practice for Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Generating Stations and Substations," and Regulatory Guide 1.129, "Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Nuclear Power Plants." Station battery maintenance is performed only by persons knowledgeable of batteries and the safety precautions involved. Protective equipment and fixed water facilities are provided for maintenance personnel safety. Regular inspections are performed based on schedules set in the operating and maintenance procedures. Acceptance testing of all batteries is satisfactorily completed at the manufacturers' shop. In addition, battery capacity testing is conducted as per the Technical Specifications.
Two separate dc systems are provided for the 230 kV circuit breakers, control and protective relaying. The system consists of two 125 volt batteries, three battery chargers, and two dc distribution panels.
8.3-48a Amendment No. 21 (11/12)
The two 125V lead-calcium switchyard batteries consist of 60 cells and are rated 400 ampere-hr at eight hour discharge rate. The three switchyard battery chargers are rated at 50 amp each.
8.3.2.1.2 DC SA and SB Buses and Panels
Two dc main buses 2AA and 2BB and their respective bus extensions 2A and 2B rated at 1200 amperes and one SAB bus rated at 400 amperes are provided; all five buses are rated at 20,000 amps interrupting capacity. Certain non-Class 1E loads are supplied with 125V dc power from these buses. In such cases, separation is provided as described in the discussions for R.G. 1.75 (Section 8.3.1.2.2). Each bus and each panel has a steel barrier which provides separation between safety and non-safety related circuits. Four dc panels are provided for the measurement channels 2MA, 2MB, 2MC, and 2MD. These four dc panels facilitate maintenance and/or periodic testing of each measurement channel and minimize the possibility of a spurious reactor trip.
8.3.2.1.3 System Operation
Because the dc system operates ungrounded, at least two grounds are necessary to trip a feeder circuit breaker. Ground fault annunciation provides an opportunity to correct a fault condition before a second fault occurs. One undervoltage relay is provided on each bus section to initiate an alarm if voltage on the bus drops to a preset value. A charger failure relay, provided on each charger, detects and annunciates failures in ac power input and dc power output. Cables and raceways for the dc power supply systems are as described in Subsection 8.3.1.1.4.
8.3.2.1.4 Equipment Separation and Redundancy
The 125V dc system is designed to meet the seismic Category I requirements as stated in Section 3.10. The two redundant batteries and their related accessories are separated by full height walls in the Reactor Auxiliary Building which is a seismic Category I structure. Each battery room is provided with its own eyewash and shower. The showers located in the battery rooms are designed to deter the splashing of water directly onto the battery. This is accomplished by providing walls on 3 sides of the shower. In addition the shower is provided with its own roof. The showers are provided with floor drains to carry away all the water from the shower.
8.3-49 Amendment No. 13, (05/00)
The safety-related dc loads have been grouped into two redundant load groups such that the loss of either group does not prevent the minimum safety function from being performed. Complete separation and independence are maintained between components and circuits of the two 125 V safety related dc systems, including the raceways. For the raceway separation criteria, see Subsection 8.3.1.2 (Regulatory Guide 1.75 (R1) discussion). Because of the physical and electrical separation provided for the batteries, chargers, distribution equipment and wiring for the 125V dc safety-related systems, a single failure at any point in either system does not disable both systems. Non-Class 1E loads are provided with isolation devices to protect the bus in the event of an emergency.
8.3-49a
8.3.2.1.5 Ventilation
Each 125V dc system battery equipment room is served by an exhaust fan. Supply air is effected by two redundant Electrical Equipment Room Supply Fans fed from redundant safety related motor control centers (see Subsection 9.4.3).
8.3.2.1.6 Inspection, Servicing, Testing, and Installation
The station batteries and their associated equipment are easily accessible for inspection, servicing, and testing. Servicing and testing is performed on a routine basis in accordance with the manufacturer's recommendations and the Technical Specifications. Typical inspection includes visual inspection for leaks, corrosion, or other deterioration, and checking all batteries for voltage, specific gravity, level of electrolyte, and temperature. At the time of installation, rated discharge acceptance tests are made to verify that the battery capacity meets the manufacturer's rating.
8.3.2.2 Analysis
The 125V dc electric system is Class 1E and is designed to meet the requirements of IEEE 279-1971, IEEE 308-1971, IEEE 450-1972, General Design Criteria 17 and 18, Regulatory Guides 1.6 (RO), 1.32 (RO), 1.62 (RO), 1.63 (RO), 1.75 (R1), 1.81 (R1), 1.118 (RO), 1.128 (RO), 1.129 (RO). The system also meets the requirements of the design basis accidents described and evaluated in Chapter 15.
8.3.2.2.1 General Design Criteria
General Design Criterion 17 - The two systems which supply the 125V dc power to redundant Class 1E load groups from the two separate 125V dc buses are electrically independent and physically separated from each other. Each of the two systems has adequate capacity to supply the 125V dc power for the safety related loads required for safe shutdown of the plant.
General Design Criterion 18 - The Class 1E dc system is designed to permit appropriate periodic inspection and testing.
8.3.2.2.2 Regulatory Guide Implementation
Regulatory Guide 1.6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems," 3/71 (RO)
As stated in the Safety Evaluation Report of St. Lucie Unit 2 (Docket No. 50-389) the dc onsite power system is in compliance with the requirements of Regulatory Guide 1.6 (RO).
8.3-50 Amendment No. 18 (01/08)
As described in Subsection 8.3.1.2.2 the Class 1E dc system is designed with sufficient independence to perform its safety functions assuming a single failure.
Regulatory Guide 1.32, "Criteria for Safety-Related Electric Power Systems For Nuclear Power Plants," 8/72 (RO)
As stated in the Safety Evaluation Report of St. Lucie Unit 2 (Docket No. 50-389) the dc onsite power system is in compliance with IEEE 308-1971 as modified by Regulatory Guide 1.32 (RO). The intent of RG 1.32 is met as follows:
The dc Power System meets IEEE 308-1971. The Class 1E dc system provides dc electric power to the Class 1E dc loads and for control and switching of the Class 1E systems. Physical separation, electrical isolation, and redundancy are provided to prevent the occurrence of common failure modes. The design of the Class 1E dc system includes the following features:
a) The dc system is separated into two main redundant systems.
b) The safety actions by each group of loads are independent of the safety actions provided by its redundant counterpart.
c) Each redundant dc system includes power supplies that consist of one battery and two battery chargers.
d) Redundant batteries cannot be interconnected. Alarm circuits are provided to ascertain this requirement.
e) The batteries are physically separated.
Each distribution circuit is capable of transmitting sufficient energy to start and operate the required loads in that circuit. Distribution circuits to redundant equipment are independent of each other. The dc auxiliary devices required to operate equipment of a specific ac load group are supplied from the same load group. Each battery supply is continuously available during normal operation and, following a loss of power from the ac system, to start and operate all required loads.
Instrumentation is provided to monitor the status of the battery supply as follows:
a) dc bus undervoltage alarm (control room);
b) battery current indication (local room and control room)
c) dc voltage indication (local room and control room); and
d) dc ground indication and alarm (control room)
e) battery high discharge rate alarm (control room)
8.3-51 Amendment No. 18 (01/08)
f) battery breaker in open position alarm (control room)
The batteries are maintained in a fully charged condition and have sufficient stored energy to operate all necessary circuit breakers and to provide an adequate amount of energy for all required emergency loads. The battery chargers of one redundant system are independent of the battery chargers for the other redundant system. Instrumentation is provided to monitor the status of each battery charger as follows:
a) output voltage of the charger;
b) output current of the charger;
c) charger trouble common alarm including input ac undervoltage, dc undervoltage, and loss of dc output current which is indicative of output breaker open (in control room).
Each battery charger has an input ac and output dc circuit breaker for isolation of the charger. Each battery charger power supply is designed to prevent the ac supply from becoming a load on the battery due to a power feedback as the result of the loss of ac power to the chargers. Equipment of the Class 1E dc system is protected and isolated by fuses or circuit breakers in case of short circuit or overload conditions. Indications provided to identify equipment that is made unavailable are the following:
Event | Available Indication |
---|---|
a) Battery charger ac input breaker trip | Charger trouble alarm |
b) Loss of battery charger dc output current | Charger trouble alarm |
c) Distribution circuit breaker trip | Individual equipment alarm or supervisory light (for Class 1E circuits) |
For a further discussion of Regulatory Guide 1.32 (RO) and IEEE 308-1971, see Subsection 8.3.1.2.2.
Regulatory Guide 1.62, "Manual Initiation of Protective Actions," 10/73 (RO)
For a discussion of this Regulatory Guide see Subsection 8.3.1.2.2.
Regulatory Guide 1.63, "Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants," 10/73 (RO)
For a discussion of this Regulatory Guide see Subsection 8.3.1.2.2.
Regulatory Guide 1.75, "Physical Independence of Electric Systems," 1/75 (R1)
For a discussion of this Regulatory Guide see Subsection 8.3.1.2.2.
8.3-52 Amendment No. 20 (05/11)
Regulatory Guide 1.81, "Shared Emergency and Shutdown Electric Systems for Multi-Unit Nuclear Power Plants," 1/75 (R1)
For a discussion of this Regulatory Guide, see Subsection 8.3.1.2.2.
Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems," 6/76 (RO)
For a discussion of this Regulatory Guide see Subsection 8.3.1.2.2.
Regulatory Guide 1.128, "Installation Design and Installation of Large Lead Storage Batteries for Nuclear Power Plants," 4/77 (RO)
For a discussion of this Regulatory Guide see Subsection 8.3.1.2.2.
Regulatory Guide 1.129, "Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Nuclear Power Plants," 4/77 (RO)
For a discussion of this Regulatory Guide see Subsection 8.3.1.2.2.
8.3.3 FIRE PROTECTION FOR CABLE SYSTEM
This is covered in Subsection 9.5.1.
8.3-53 Amendment No. 18 (01/08)
TABLE 8.3-1 DIESEL GENERATOR DESIGN DATA
1. Diesel Engine
Item | Design Data |
---|---|
Manufacturer | General Motors EMD |
Model and type | 645-E4 |
Total No. of Cylinders per set | 28 (One 16 cylinder engine and one 12 cylinder engine) |
Set arrangement | Two engines in tandem, with generator in the middle |
Rated Speed | 900 rpm |
Continuous (8000) hr rating at 90°F | 5375 bhp |
8000 hr/yr rating at 104°F | 5160 bhp |
30 min/yr rating at 90°F | 6095 bhp |
30 min/yr rating at 104°F | 5851 bhp |
Method of cooling | Air radiators with shaft driven fans |
Starting Time | 10 seconds maximum, including generator breaker closing time |
2. Generator
Item | Design Data |
---|---|
Manufacturer | Electric Products Div. |
Voltage, phase & frequency | 4160 V, 3 phase, 60 Hz |
kW, KVA, power factor | 3800 kW, 4750 KVA, 0.8 P.F. |
Synchronous reactance, Xd | 86.9 percent |
Transient reactance, X'd | 17.4 percent (Direct Axis) |
Subtransient reactance, X"d | 9.6 percent (Direct Axis) |
Excitation system | Solid state, forced excitation |
8.3-54 Amendment No. 5, (4/90)
TABLE 8.3-1 (Cont'd)
3. D-G Set Rating at 104 F
Rating | kW | bhp |
---|---|---|
Continuous - 8760 hrs | 3685 kW | 5136.78 bhp |
30 Minute to 7 day | 3985 kW | 5485.27 bhp |
8.3-55 Amendment No. 13, (05/00)
TABLE 8.3-2 EMERGENCY DIESEL GENERATOR LOADING SEQUENCE
Load Block | Timing* Sequence | Item No. | Equipment Description | Qty. Per DG | Rated HP (KW) | Running Load KW, LOOP | Running Load KW, LOOP/LOCA | Running Load KW, LOOP/MSLB |
---|---|---|---|---|---|---|---|---|
1 | 0 Secs | 11 | Component Cooling Water Pump | 1 | 450 | 362.9 | 362.9 | 362.9 |
1 | 0 Secs | 2 | Motor Operated Valves | Lot | 0.0 | 0 | 0 | 0 |
1 | 0 Secs | 2 | Motor Operated Valves | Lot | 13.22 | 0 | 11.9 | 0 |
1 | 0 Secs | 2 | Motor Operated Valves | Lot | 12.89 | 0 | 0 | 11.6 |
1 | 0 Secs | 3 | Emergency Lighting | Lot | (114.9) | 114.9 | 114.9 | 114.9 |
1 | 0 Secs | 4 | Power Panels | Lot | (139.4) | 139.4 | 139.4 | 139.4 |
1 | 0 Secs | 5 | RCP Oil Lift Pump | 2 | 10 | 18 | 18 | 18 |
1 | 0 Secs | 6A | Plant Vital AC UPS | 1 | (20) | 20 | 20 | 20 |
1 | 0 Secs | 6B | Security UPS | 1 | (30) | 30 | 30 | 30 |
1 | 0 Secs | 7B | Air Conditioner HVA-10A | 1 | 10 | 8.0 | 8.0 | 8.0 |
1 | 0 Secs | 7C | Hydrogen Analyzer Cub. SA | 1 | (1.6) | 1.6 | 1.6 | 1.6 |
1 | 0 Secs | 8A | EDG Turbo Lube Oil Pumps | 2 | 2 | 3.6 | 3.6 | 3.6 |
1 | 0 Secs | 8B | EDG Soak Back Lube Oil Pumps | 2 | 1 | 1.8 | 1.8 | 1.8 |
1 | 0 Secs | 8C | EDG Air Compressor Motor | 1 | 7.5 | 6.7 | 6.7 | 6.7 |
1 | 0 Secs | 32 | Charging Pump | 2 | 125 | 118.8 | 59.3 | 118.8 |
1 | 0 Secs | 33 | Boric Acid Makeup Pumps | 2 | 25 | 13 | 21.4 | 21.4 |
1 | 0 Secs | 39 | Fuel Hdlg Bldg H&V Room Fan | 1 | 3 | 2.7 | 2.7 | 2.7 |
1 | 0 Secs | 40 | DG Cooling Water Heaters | 4 | (15) | 60 | 60 | 60 |
1 | 0 Secs | 27 | CVCS Heat Tracing | Lot | (3.8) | 1.9 | 1.9 | 1.9 |
1 | 0 Secs | 41 | Transformer & Cable Losses | Lot | (22.7) | 22.7 | 22.7 | 22.7 |
1 | 0 Secs | 42 | Isolimiters | 3 | (5.3) | 5.3 | 5.3 | 5.3 |
2 | 3 Secs | 9 | LPSI Pump | 1 | 400 | 0 | 317.5 | 165 |
1 | 0 Secs | 24A | Control Room Air Conditioner Fan | 1 | 15 | 13.5 | 13.5 | 13.5 |
1 | 0 Secs | 24B | Control Room Air Conditioner Transfmr | 1 | (5) | 5 | 5 | 5 |
2 | 3 Secs | 10 | Containment Fan Coolers (Note 3) | 2 | 125/83 | 331.8 | 235.5 | 235.5 |
2 | 3 Secs | 17 | Diesel Oil Transfer Pump | 1 | 3 | 2.2 | 2.2 | 2.2 |
3 | 6 Secs | 1 | HPSI Pump | 1 | 400 | 0 | 324.3 | 324.3 |
3 | 6 Secs | 12 | Shield Building Exhaust Fan | 1 | 60 | 0 | 40.0 | 40.0 |
3 | 6 Secs | 13 | Shield Building Vent Heaters | Lot | (31.5) | 0 | 31.5 | 31.5 |
4 | 9 Secs | 14 | Intake Cooling Water Pump | 1 | 600 | 482.3 | 482.3 | 482.3 |
4 | 9 Secs | 10 | Containment Fan Coolers (Note 3) | 2 | 125/83 | 0 [331.8] | -136.4 [99.1] | -136.4 [99.1] |
*Counting from time the EDG Output Breaker closes.
Notes:
1. M = Manual Operation
2. Numbers not in brackets indicate load changes, numbers in brackets indicate running loads.
3. Due to long acceleration, initial loading is due to locked rotor current. This is reduced to running current after the acceleration period.
8.3-56 Amendment No. 21 (11/12)
TABLE 8.3-2 (Cont'd) EMERGENCY DIESEL GENERATOR LOADING SEQUENCE Load Timing* Item Equipment Per DG Rated Running Load KW Block Sequence No. Description Qty. Hp (KW) LOOP LOOP/LOCA LOOP/MSLB 5 12 Secs 15 Containment Spray Pump 1 500 0 398.9 398.9 5 12 Secs 16 Hydrazine Pump 1 3 0 2.9 2.9 5 12 Secs 10 Containment Fan Coolers (Note 3) 2 125/83 -193.8 [138] 0 [99.1] 0 [99.1] 6 18 Secs 18 Electrical Equipment Room Supply Fan 1 100 69.7 69.7 69.7 6 18 Secs 19 Reactor Cavity Supply Fan 1 20 13.7 0 0 6 18 Secs 20 Reactor Support Cooling Fan 1 40 21.8 0 0 7 21 Secs 21 Electrical Equipment Room Roof Vent Fan 1 5 4.4 4.4 4.4 7 21 Secs 22 Battery Room Ventilator 1 0.75 0.8 0.8 0.8 7 21 Secs 23 Intake Structure Exhaust Fan 1 7.5 6.5 6.5 6.5 8 24 Secs 25 Control Room Filter Fan 1 10 0 7.0 7.0 8 24 Secs 26 ECCS Area Exhaust Fan (Note 3) 1 60 0 69.3 69.3 9 27 Secs 28 Battery Chargers 2 (68) 100 100 100 10 30 Secs 29 Aux. Feedwater Pump 1 350 246.8 282.3 282.3 10 30 Secs 26 ECCS Area Exhaust Fan (Note 3) 1 60 0 -22.7 [46.6] -22.7 [46.6] 11 33 Secs 30 Reactor Aux. Building Supply Fan 1 150 106.9 106.9 106.9 12 38 Secs 31 Electrical Equipment Room Exhaust Fan 1 50 41.7 41.7 41.7 12 38 Secs 24 Control Room Air Conditioner Compressor 1 65 53 53 53 13 90 Secs 2 Motor Operated Valves Lot 0.0 0 0 0 13 90 Secs 2 Motor Operated Valves Lot 13.22 0 -11.9 0 13 90 Secs 2 Motor Operated Valves Lot 12.89 0 0 -11.6 13 90 Secs 40 DG Cooling Water Heaters 4 (15) -60 -60 -60 14 5 Mins 7A Air Conditioner 2ACC-4 1 11.85 11.7 11.7 11.7 14 5 Mins 28 Battery Chargers 2 (68) -52 [48.0] -52 [48.0] -52 [48.0] 15 30 Mins 37 Pressurizer Heaters 1 (200) 200 M 0 0 15 30 Mins 34 Instrument Air Compressor 1 60 53.9 M 0 53.9 M 15 30 Mins 38 Instr. Air Comp. Clg. Pump & Fan 1 12.5 11.2 M 0 11.2 M
- Counting from time the EOG Output Breaker closes Notes: 1. M =Manual Operation
- 2. Numbers not in brackets indicate load changes, numbers in brackets indicate running loads.
- 3. Due to long acceleration, initial loading is due to locked rotor current. This is reduced to running current after the acceleration period.
8.3-57 Amendment No. 21 (11/12)
TABLE 8.3-2 (Cont'd) EMERGENCY DIESEL GENERATOR LOADING SEQUENCE

Load Block | Timing* Sequence | Item No. | Equipment Description | Qty. Per DG | Rated Hp (KW) | Running Load KW, LOOP | Running Load KW, LOOP/LOCA | Running Load KW, LOOP/MSLB |
---|---|---|---|---|---|---|---|---|
16 | 1 Hour | 8C | EDG Air Compressor Motor | 1 | 7.5 | -6.7 | -6.7 | -6.7 |
16 | 1 Hour | 33 | Boric Acid Makeup Pumps | 2 | 25 | 0 | -21.4 M | 0 |
16 | 1 Hour | 35 | Fuel Pool Cooling Pump | 1 | 40 | 26.2 M | 0 | 26.2 M |
16 | 1 Hour | 1 | HPSI Pump | 1 | 400 | 0 | 0 | -324.3 M |
16 | 1 Hour | 9 | LPSI Pump | 1 | 400 | 0 | 0 | -165 M |
16 | 1 Hour | 15 | Containment Spray Pump | 1 | 500 | 0 | 0 | -347.1 M |
16 | 1 Hour | 37 | Pressurizer Heaters | 1 | (200) | 0 | 0 | 200 M |
17 | 73 Mins | 9 | LPSI Pump | 1 | 400 | 0 | -317.5 M | 0 |
17 | 73 Mins | 34 | Instrument Air Compressor | 1 | 60 | 0 | 53.9 M | 0 |
17 | 73 Mins | 35 | Fuel Pool Cooling Pump | 1 | 40 | 0 | 26.2 M | 0 |
17 | 73 Mins | 36 | Hydrogen Recombiner | 1 | (75) | 0 | 75 M | 0 |
17 | 73 Mins | 2 | Motor Operated Valves | Lot | 2.93 | 0 | 2.6 | 2.6 |
17 | 73 Mins | 38 | Instr. Air Comp. Clg. Pump & Fan | 1 | 12.5 | 0 | 11.2 M | 0 |
18 | 4 Hours | 5 | RCP Oil Lift Pump | 2 | 10 | -18 M | -18 M | -18 M |
18 | 4 Hours | 29 | Aux. Feedwater Pump | 1 | 350 | 0 | -282.3 M | 0 |
18 | 4 Hours | 33 | Boric Acid Makeup Pumps | 2 | 25 | -13.0 M | 0 | -21.4 M |
18 | 4 Hours | 36 | Hydrogen Recombiner | 1 | (75) | 0 | 0 | 75 M |
19 | 8 Hours | 9 | LPSI Pump | 1 | 400 | 0 | 0 | 271.4 M |
20 | 12 Hours | 9 | LPSI Pump | 1 | 400 | 271.4 M | 0 | 0 |
20 | 12 Hours | 16 | Hydrazine Pump | 1 | 3 | 0 | -2.9 M | -2.9 M |
20 | 12 Hours | 29 | Aux. Feedwater Pump | 1 | 350 | 0 | 0 | -282.3 M |
20 | 12 Hours | 32 | Charging Pumps | 2 | 125 | -55.5 [48] | 0 | -55.3 [48] |
20 | 12 Hours | 37 | Pressurizer Heaters | 1 | (200) | -200 M | 0 | -200 M |
21 | 30 Hours | 29 | Aux. Feedwater Pump | 1 | 350 | -246.8 M | 0 | 0 |
*Counting from time the EDG Output Breaker closes.
Notes: 1. M =Manual Operation
- 2. Numbers not in brackets indicate load changes, numbers in brackets indicate running loads.
- 3. Due to long acceleration, initial loading is due to locked rotor current. This is reduced to running current after the acceleration period.
8.3-57a Amendment No. 21 (11/12)
TABLE 8.3-3 BATTERY LOAD GROUP B-DC LOADS
LOAD DESCRIPTION / Ckt. NO.
Hydrogen Panel 1 Turbine Oil Hydrogen Seal Oil & Heater Drain Fire Protection 3 480V Swgr 2B2 7 480 Swgr 2B1 11 125V DC PP-219 13 480 Swgr 2B2 15 IRS Valve 2B SE-07-3B 17 Diesel Gen 2B Control Pnl 19 Diesel Gen 2B Cntl Pnl 21 Plant Aux Cntrl BD Ann-LB 23 RTGB 203, 205 27 480V Swgr 2B5 29 RTGB 206 31 125V DC Bus MB 33 Charging Line 2B1 Valve - SE-02-01 35 Isolation Cab "SB" 37 125V DC Bus "2AB" 43 DC LP228 2 Start-up Standby Transf 2B Cntl Cab 4 Main TR 2B Cntl Cab 6 Unit Aux Transf 2B Contr Cab 8 6900V Swgr 2B1 12 4160V Swgr 2B2 14 Aux Spray Valve SE-02-4 16 4160V Swgr 2B3 18 Control Transfer Pnl 2B 24 RTGB 201 10
8.3-58 Amendment No. 13, (05/00)
TABLE 8.3-3 (cont'd) BATTERY LOAD GROUP B-DC LOADS
LOAD DESCRIPTION / Ckt. NO.
Static Inverter Cab 2B 26 125V DC PP-239 28 Diesel Gen Ann Ckts 30 Control Transfer Panel 2B 32 125V DC Bus MD 34 Relief Valve V1475 36 HVCB 38 125V DC PP-255 40 Static Inverter Cab 2D 2 RTGB 205 (NB) 3 4160V Swgr 2AB 21 Isolation Cabinet "SAB" 23 HVCB 2 RTGB 205 (NA) 4 125V dc Bus 2C 10 Isolation Term Cab 3 12 Aux FW Pump 2C - MV-08-03 20 480V Swgr 2AB 22 125V dc PP240 24 125V dc Bus 2D 9 Gen Prot Relay Cab 1
For current load listings, refer to the latest design margin calculation.
8.3-59 Amendment No. 20 (05/11)
TABLE 8.3-4 BATTERY LOAD GROUP AB-DC LOADS LOAD DESCRIPTION Refer to Table 8.3-3 for listing of AB-DC loads . 8.3-60 Amendment No. 11, (5/97)
TABLE 8.3-5 BATTERY LOAD GROUP A-DC LOADS
LOAD DESCRIPTION
Instrument Bus 2A Inverter Instrument Bus 2C Inverter (Bus 2AA) 480V Swgr 2A2 & 2A5 480V Swgr 2A1 4160V Swgr 2A3 4160V Swgr 2A2 6900V Swgr 2A1 DC Bus 2AB DC Pnl 218 DC Pnl 238 DC Ltg Pnl DC Bus MA DC Bus MC Diesel Generator 2A Control Pnl Diesel Generator 2A Excitation RTGB 205 & 203 Unit Auxiliary 2A RTGB 206 Main Transf 2A Start-up Transf 2A Miscellaneous Relief Valve V1474 PCV-18-5, 6 HVCB Plant Aux. Control "Ann" Isolation Cabinet "SA" V2516 SE-02-3 V2523 SE-02-2 SE-07-3A Isolation Box B-2952 CCW Surge Tank DC-Pnl 254 RTGB-201
Note: 1) Part of the switchgear's loads include non-safety related equipment.
- 2) The loading and duty cycle of safety battery 2B is larger than battery 2A. Therefore, the Safety Related Batteries 2A & 2B sizing calculation used the 2B loads. See Table 8.3-3 for loads used for sizing.
8.3-61 Amendment No. 18 (01/08)
TABLE 8.3-6 4.16 KV SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS

FAILURE | CAUSE | CONSEQUENCES AND COMMENTS |
---|---|---|
1. 4.16 kV power to bus 2A3 or 2B3 assuming coincident loss of preferred power. | a. Failure of the associated DG (diesel generator) to start. | a. Failure of the DG to start results in the loss of one complete safety related division. The redundant DG starts and supplies the redundant safety related loads. The reliability of the DG to start has been enhanced considerably by the following design features: Starting Signal: Engineered Safety Features actuation signal or undervoltage relays on 4.16 kV bus. Starting System: Four air starting systems for each DG unit. |
 | b. Failure of the DG to develop voltage. | b. The consequences are identical to Item a. A dual static excitation system is used to improve reliability and to ensure fast voltage buildup. |
 | c. Failure of DG ACB to autoclose | c. Consequences are identical to Item a. |
 | d. Bus fault on Bus 2A3 or 2B3. | d. A bus fault prevents loading of the bus. The redundant bus provides the power to the redundant safety related loads. |
 | e. Loss of associated dc control power source. | e. DC control power to the two redundant 4.16 kV safety related systems is supplied from two redundant batteries. Loss of control power to any one system does not prevent the redundant system from performing the safety function. |
 | f. Failure of a feeder breaker to trip on feeder fault. | f. A fault on a feeder cable, if not cleared by the feeder breaker, leads to tripping of the bus. Under this condition, the redundant 4.16 kV bus supplies the redundant safety related loads. The safety related system is designed to operate without isolating any component on a single ground fault. As multiple faults are relatively few in number, reliability of complete safety functions is greatly increased. |
TABLE 8.3-6 (Cont'd)

FAILURE | CAUSE | CONSEQUENCES AND COMMENTS |
---|---|---|
2. 4.16 kV load (power center, motor, etc.) | a. Failure of power center feeder ACB to close. | Any of the events a, b or c results in a loss of the affected actuated component. The redundant load on the redundant bus performs the safety function. |
 | b. Stalled motor | |
 | c. Feeder cable fault | |
TABLE 8.3-7 480 VOLT SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS

FAILURE | CAUSE | CONSEQUENCES AND COMMENTS |
---|---|---|
1. 480V power to bus 2A2, 2B2, 2A5, 2B5 or 2AB | a. Failure of associated power center transformer. | Any of the five events a, b, c, d or e causes the loss of 480V safety related loads on one channel. The redundant 480V load center bus supplies the redundant safety related loads. |
 | b. 4.16 kV cable fault. | |
 | c. Power center bus fault. | |
 | d. Failure of any load breaker to clear a fault. | |
 | e. Loss of dc control power source. | |
2. 480V MCC feeders | a. Feeder cable fault. | Any of the events a, b, or c results in the loss of 480V power to the safety related loads connected to the affected MCC. The redundant loads connected to the redundant MCC performs the safety function. |
 | b. MCC bus fault. | |
 | c. Failure of any MCC load feeder breaker to clear a fault. | |
3. 480V loads | a. Feeder cable fault. | The result is the loss of the affected actuated component. The redundant component on the other division performs the safety function. |
 | b. Stalled motor. | |
TABLE 8.3-8 208Y/120V AC SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS

FAILURE | CAUSE | CONSEQUENCES AND COMMENTS |
---|---|---|
1. Power to bus | a. Failure of associated transformer. | a, b, c, d: Any of these events results in the loss of power to the 208 or 120V loads of one division. The unaffected bus supplies the redundant safety related loads. |
 | b. Cable fault. | |
 | c. Failure of any load breaker to clear a fault. | |
 | d. Bus fault. | |
2. Any distribution feeder | a. Cable fault. | a. This results in loss of power to the connected loads. The redundant loads on the unaffected division are adequate to insure safety. |
TABLE 8.3-9 120 V INSTRUMENT POWER SUPPLY SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS

FAILURE | CAUSE | CONSEQUENCES AND COMMENTS |
---|---|---|
1. 120 V ac power to buses 2MA, 2MB, 2MC and 2MD | a. Bus fault | a, b, c, d. The result is the loss of 120 volt uninterruptible ac power supply to one of the four channels of the protection system. As a two out of four criterion is used in all logic circuits, the remaining three channels ensure safe, but not false, shutdown. The 120 V ac system is designed as an ungrounded system. The reliability of any channel is consequently greatly enhanced. |
 | b. Cable fault | |
 | c. Failure of a distribution breaker to clear a fault | |
 | d. Failure in inverter | |
2. Any distribution feeder | a. Cable fault | a. This results in the loss of power to the connected loads. The redundant loads in the remaining three channels are adequate to ensure safety. |
3. Loss of 480 V ac power to battery charger. | a. MCC bus fault | a, b. The inverter is supplied by the battery without interruption of output power within the battery rating. |
 | b. Cable fault | |
TABLE 8.3-10 125 V DC SAFETY RELATED SYSTEM - FAILURE MODES AND EFFECTS ANALYSIS

FAILURE | CAUSE | CONSEQUENCES AND COMMENTS |
---|---|---|
1. 125 V dc power to bus 2A or 2B | a. Bus fault | a, b, c. In the event of the loss of one dc bus, the redundant bus supplies control power to the safety related load of corresponding channel. |
 | b. Battery fault | |
 | c. Failure of load breaker to clear fault. | |
2. 125 V dc power to bus 2AB | a. Bus fault | a, b. Loss of this bus causes loss of control power to the 4160V switchgear 2AB, and 480V switchgear 2AB thereby rendering loads fed from these buses inoperable. However, since these loads are third service loads designed to replace a corresponding load in the A or B division the effect of a loss of this bus is equivalent to the loss of a single train. |
 | b. Failure of load breaker to clear fault. | |
3. Battery Charger | a. Charger fault | a. If a faulted charger can be isolated from the bus, the other charger is capable of supplying the connected loads. If it can't be isolated, the 2AB charger cannot be connected to a faulted bus. The associated battery will supply the fault until conductor failure clears the fault. The redundant train then supplies the necessary loads. |
 | b. Loss of feeder to charger | b. The loss of a single charger as a result of losing its feeder cable will still leave one charger connected to the bus and it is capable of supplying the connected loads. |
 | c. Loss of MCC supplying a charger | c. If an MCC (2A5 or 2B5) is lost, both associated chargers will be lost. In this case, the 2AB charger can be aligned to the appropriate bus and its output breaker closed to fully supply the connected loads. |
4. Loss of any dc load breaker | a. Cable fault | a. A cable fault trips the feeder breaker and results in loss of power to the connected safety related loads. The redundant loads connected to the redundant dc system ensures safe shutdown. |
 | b. Distribution feeder fault not cleared by associated breaker. | b. An uncleared fault results in loss of all dc on the bus concerned. The redundant loads ensures safe shutdown as in (a). |
TABLE 8.3-11 DIESEL GENERATOR INDICATION
Control Room Local
- Diesel Generator Voltage *
- Diesel Generator Current *
- Diesel Generator Watts *
- Diesel Generator Watt-Hours
- Diesel Generator Frequency *
- Diesel Generator Reactive Power *
- Diesel Generator Field Voltage
- Diesel Generator Field Current
- Diesel Generator Elapsed Running Time
- Diesel Generator Breaker Position Lights *
- Diesel Generator Volt Regulator Position Lights * *
- Diesel "Off-Run-Ready To Start" Lights *
- Diesel Speed Check Lights
- Diesel Governor Position Lights *
- 8.3-68 Amendment No. 13, (05/00)
TABLE 8.3-12 DIESEL GENERATOR 2A(2B) ALARMS AND ANNUNCIATION
Control Room Local
- Emergency Diesel Generator Breaker Failure To Close
- Emergency Diesel Generator - One Engine Failure To Start
- Emergency Diesel Generator Lockout
- Emergency Diesel Generator Local Alarm
- Diesel Oil Storage Tank Low Level
- Diesel Oil Day Tank Low Level **1 Engine Fuel System Fault
- Engine Low Lube Oil Temperature (2A1) *1
- Engine Low Lube Oil Temperature (2A2) *1
- Engine High Crankcase Pressure Trip (2A1) *1
- Engine High Crankcase Pressure Trip (2A2) *1
- Engine High Jacket Water Temperature (2A2) *1
- Engine Low Lube Oil Pressure (2A1) *1
- Engine Low Lube Oil Pressure (2A2) *1
- Engine Low Water Pressure (2A1) *1
- Engine Low Water Pressure (2A2) *1
- Engine Low Water Level (2A1) *1
- Engine Low Water Level (2A2) *1
- Engine Low Lube Oil Sump Level (2A1) *1
- Engine Low Lube Oil Sump Level (2A2) *1
- Low Air Start Pressure *1
- Overspeed Trip *1
- Fuel Day Tanks Low-Low Level *1
- Fuel Day Tanks High-High Level *1
- Unit Trip/Lockout *1
- Start dc Failure *1
- One Engine Failure to Start *1
- Fuel Storage Tank 2A Low Level Generator Ground *1 *1
- Generator Overcurrent Trip *1
- Generator Reverse Power Trip *1
- Generator Loss of Excitation Trip *1
- Generator Differential Trip *1
- Potential Transformer Fuse Failure *1
- Lockout Relay Failure *1
Notes:
- 1. All local annunciation/alarms are annunciated in the control room as Emergency Diesel Generator Local Alarm.
8.3-69
TABLE 8.3-13 COMPONENT ISOLATION LIST - RG 1.63

COMPONENT | ISOLATION MODE* (Ascending Power Level) |
---|---|
V3614 (2A2 SIT Outlet) | Isolate prior to Mode 2 |
Space heater for V3614 | Isolate prior to Mode 4** |
V3624 (2A1 SIT Outlet) | Isolate prior to Mode 2 |
Space Heater for V3624 | Isolate prior to Mode 4** |
V3634 (2B1 SIT Outlet) | Isolate prior to Mode 2 |
Space heater for V3634 | Isolate prior to Mode 4** |
V3644 (2B2 SIT Outlet) | Isolate prior to Mode 2 |
Space heater for V3644 | Isolate prior to Mode 4** |
V3480 ("A" SDC Hot Leg Suction) | Isolate prior to Mode 2 |
Space heater for V3480 | Isolate prior to Mode 4** |
V3481 ("A" SDC Hot Leg Suction) | Isolate prior to Mode 2 |
Space heater for V3481 | Isolate prior to Mode 4** |
V3652 ("B" SDC Hot Leg Suction) | Isolate prior to Mode 2 |
Space heater for V3652 | Isolate prior to Mode 4** |
V3545: (SDC Cross-Conn) | Isolate prior to Mode 2 |
Space heater for V3545 | Isolate prior to Mode 4** |
HVE-22: (Containment Elevator Fan) | Isolate prior to Mode 4 |
Fuel Transfer Equipment | Isolate prior to Mode 4 |
Refueling Machine Junction Box | Isolate prior to Mode 4 |
V3651 "B" SDC Hot Leg Suction | Isolate prior to Mode 2 |
Space heater for V3651 | Isolate prior to Mode 4** |
Space heater for V1476 (PORV Block valve) | Isolate prior to Mode 4** |

8.3-70 Amendment No. 18 (01/08)
TABLE 8.3-13 (Cont'd) COMPONENT ISOLATION LIST - RG 1.63

COMPONENT | ISOLATION MODE |
---|---|
Space heater for V1477 (PORV Block valve) | Isolate prior to Mode 4** |
Reactor Bldg. Maint. Hatch Hoist Bkr 2-41381 | Isolate prior to Mode 4 |
Reactor Bldg. Jib Crane Recpt | Isolate prior to Mode 4 |
Pwr Recp 257, 261, 265, 271 | Isolate prior to Mode 4 |
Pwr Recp 227, 232, 258, 262, 266 | Isolate prior to Mode 4 |
Pwr Recp 259, 263, 267, 270 | Isolate prior to Mode 4 |
Pwr Recp 260, 264, 268, 269 | Isolate prior to Mode 4 |
Reactor Bldg Telescoping Crane | Isolate prior to Mode 4 |
Reactor Bldg Elevator Starter | Isolate prior to Mode 4 |
RCP Polar Crane | Isolate prior to Mode 2 |

\* Technical Specification identify power modes
\** Cables to MOV space heaters have been disconnected at their 120 VAC power panels. Cables remain in place for possible connection in the future.
8.3-71 Amendment No. 18 (01/08)
Refer to Dwg. 2998-G-272 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 MAIN ONE-LINE WIRING DIAGRAM FIGURE 8.3-1 Amendment No. 10, (7/96)
Refer to Dwg. 2998-G-272A FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 COMBINED MAIN & AUXILIARY ONE-LINE DIAGRAM FIGURE 8.3-la Amendment No. 10, (7/96)
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 AUXILIARY ONE-LINE DIAGRAM REF DWG: 2998-G-274 (REV 4) FIGURE 8.3-2
Refer to Dwg. 2998-G-274 Sh. 1 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 AUXILIARY ONE-LINE DIAGRAM SHEET 1 OF 2 FIGURE 8.3-2a Amendment No. 10, (7/96)
Refer to Dwg. 2998-G-274 SH 2 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 AUXILIARY ONE-LINE DIAGRAM SHEET 2 OF 2 FIGURE 8.3-2b Amendment No. 10, (7/96)
Refer to Dwg. 2998-G-332 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 480V MISCELLANEOUS, 125V DC AND VITAL AC ONE LINE SHEET 1 OF 2 FIGURE 8.3-3 Amendment No. 10, (7/96)
Refer to Dwg. 2998-G-332 SH 2 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 480V MISCELLANEOUS, 125V DC AND VITAL AC ONE LINE SHEET 2 OF 2 FIGURE 8.3-3a Amendment No. 10, (7/96)
[Figure: load profile plotted against TIME (seconds, minutes, hours, days) with curves for LOOP/LOCA, LOOP/MSLB and LOOP.]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 DIESEL GENERATOR LOAD PROFILE FOR SAFE SHUTDOWN, LOSS OF COOLANT ACCIDENT CONDITION, AND MAIN STEAM LINE BREAK FIGURE 8.3-4 Amendment No. 21 (11/12)
Refer to Drawing 2998-B-271 SH 5-3 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 ELECTRICAL GENERAL INSTALLATION NOTES FIGURE 8.3-5a Amendment No. 18 (01/08)
Refer to Drawing 2998-B-271 SH 5-4 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 ELECTRICAL GENERAL INSTALLATION NOTES FIGURE 8.3-5b Amendment No. 18 (01/08)
Refer to Drawing 2998-B-271 SH 5-5 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 ELECTRICAL GENERAL INSTALLATION NOTES FIGURE 8.3-5c Amendment No. 18 (01/08)
Refer to Drawing 2998-8-327 Sheet 1000 Amendment No. 18 (01/08) FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 CONTROL WIRING DIAGRAM 125V DC BUS TRANSFER CONTROL FIGURE 8.3-6
[Figure: torque and current curves plotted against SPEED IN RPM. Legible annotations: TYPE RH INSULATION; rpm = INCREMENT OF SPEED; Tr = MOTOR TORQUE LESS LOAD TORQUE.]
FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 2 CONTAINMENT FAN COOLERS TORQUE AND CURRENT VS SPEED AT 80% VOLTS FIGURE 8.3-7 AMENDMENT NO. 16 (02/05)
[Figure: curves labelled MOTOR (100% VOLT) and MOTOR (80% VOLT); horizontal axis SPEED, rpm X 10. Caption not legible in the source scan.]
[Figure: protection sketch for the CEDM FAN MOTOR penetration conductors. Legible labels: 4.16KV BUS 2A2 OR 2B2; 3-POLE FUSE, BACKUP PROTECTION; RELAY 50/51/83, PRIMARY PROTECTION; 5.5 CYCLE INST TRIP, PRIMARY PROTECTION; 750 KCMIL PEN COND; MAX SYM S.C. CURRENT; CURRENT. Caption not legible in the source scan.]
[Figure: protection sketch for the R.C.P. DRIVE penetration conductor (6600 HP, 502A FL). Legible labels: 6.9 KV BUS 2A-1 OR 2B-1; TO START-UP OR UNIT AUX TRANSF; BACKUP PROTECTION RELAY; RELAY 50/51/83, PRIMARY PROTECTION; TIME DELAY RELAY; 5.5 CYCLE INST TRIP, PRIMARY PROT.; 750 KCMIL PEN. COND. CAPABILITY; MAX SYM S.C. CURRENT; CURRENT. Caption not legible in the source scan.]
[Figure: protection sketch for the 480V pressurizer heater bus. Legible labels: CLASS 1E BUS; 4.16-0.48KV transformer; 480V PRESS HEATER BUS; MOLDED CASE BREAKER; 2-4/0 AWG FIELD CABLE; HEATER DIST. PANEL; 2-350 KCMIL PEN COND CAPABILITY; BACKUP PROTECTION; PRIMARY PROTECTION RELAY 50/51; 5.5 CYCLE MEDIUM VOLTAGE BREAKER CLEARING TIME INCLUDES RELAY OPERATION; MAXIMUM INTERRUPTING TIME; MAX SHORT CIRCUIT CURRENT. Caption not legible in the source scan.]
[Figure: protection sketch for 480V LOAD CENTERS 2A2, 2B2, 2A5, 2B5. Legible labels: RE: DWG. 2998-G-275 SHEETS 22 & 23; RE: DRWG. 2998-G-275 SHEET 42; FIELD CABLE; PEN COND 250 KCMIL OR 350 KCMIL; LONG-TIME DELAY BAND; INTERMEDIATE TRIP; MAX S.C. CURRENT. Caption not legible in the source scan.]
[Figure: protection sketch for a 480V MCC (CLASS 1E) feeding a power panel. Legible labels: RE: DWG. 2998-G-275 SHEETS 38 & 41; 480-208Y/120V TRANSF; FIELD CABLE 4/0 AWG; 250 KCMIL PEN. COND; POWER PANEL; 250 KCMIL PENETRATION CONDUCTION SEAL CAPABILITY; MAX SYMMETRICAL SHORT CKT (1035A) CURRENT. Caption not legible in the source scan.]}}