RC-18-0080, Virgil C. Summer Nuclear Station, Unit 1, Updated Final Safety Analysis Report, Chapter 7.0, Instrumentation and Controls

Virgil C. Summer Nuclear Station, Unit 1, Updated Final Safety Analysis Report, Chapter 7.0, Instrumentation and Controls
ML18221A169
Person / Time
Site: Summer
Issue date: 05/31/2018
From:
South Carolina Electric & Gas Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML18221A142
References
RC-18-0080


Text

Reset May 2018

TABLE OF CONTENTS

Section Title

7.0 INSTRUMENTATION AND CONTROLS
7.1 INTRODUCTION
7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS
7.1.1.1 Safety-Related Systems
7.1.1.2 Safety-Related Display Instrumentation
7.1.1.3 Instrumentation and Control System Designers
7.1.1.4 Plant Comparison
7.1.2 IDENTIFICATION OF SAFETY CRITERIA
7.1.2.1 Design Bases
7.1.2.2 Independence of Redundant Safety-Related Systems
7.1.2.3 Physical Identification of Safety-Related Equipment
7.1.2.4 Conformance to Criteria
7.1.2.5 Conformance to Regulatory Guide 1.22
7.1.2.6 Conformance to Regulatory Guide 1.47
7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972
7.1.2.8 Conformance to Regulatory Guide 1.63
7.1.2.9 Conformance to IEEE Standard 317-1972
7.1.2.10 Conformance to IEEE Standard 336-1971
7.1.2.11 Conformance to IEEE Standard 338-1971
7.1.3 REFERENCES
7.2 REACTOR TRIP SYSTEM
7.2.1 DESCRIPTION
7.2.1.1 System Description
7.2.1.2 Design Bases Information
7.2.1.3 Final Systems Drawings
7.2.2 ANALYSES
7.2.2.1 Failure Mode and Effects Analyses
7.2.2.2 Evaluation of Design Limits
7.2.2.3 Specific Control and Protection Interactions
7.2.2.4 Additional Postulated Accidents
7.2.3 TESTS AND INSPECTIONS
7.2.4 REFERENCES
7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
7.3.1 DESCRIPTION
7.3.1.1 System Description
7.3.1.2 Design Bases Information
7.3.1.3 Final System Drawings
7.3.2 ANALYSIS
7.3.2.1 Failure Mode and Effects Analyses
7.3.2.2 Compliance With Standards and Design Criteria
7.3.2.3 Further Considerations
7.3.2.4 Summary
7.3.3 ELECTRIC HYDROGEN RECOMBINER - DESCRIPTION OF INSTRUMENTATION
7.3.3.1 Initiating Circuits
7.3.3.2 Logic
7.3.3.3 Bypasses
7.3.3.4 Interlocks
7.3.3.5 Sequence
7.3.3.6 Redundancy
7.3.3.7 Diversity
7.3.3.8 Actuated Devices
7.3.4 CROSS REFERENCES
7.3.5 REFERENCES
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.4.1 DESCRIPTION
7.4.1.1 Monitoring Indicators
7.4.1.2 Controls
7.4.1.3 Control Room Evacuation
7.4.1.4 Equipment and Systems Available for Cold Shutdown
7.4.2 ANALYSIS
7.4.2.1 Conformance to General Design Criterion 19
7.4.2.2 Conformance to IEEE Standard 279-1971
7.4.3 CROSS REFERENCES
7.5 SAFETY RELATED DISPLAY INSTRUMENTATION
7.5.1 DESCRIPTION
7.5.2 ANALYSES -- DELETED
7.5.3 DESIGN CRITERIA -- DELETED
7.5.4 ESF MONITOR LIGHTS
7.5.5 INADEQUATE CORE COOLING
7.5.6 REFERENCES
7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY
7.6.1 INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM
7.6.1.1 Description
7.6.1.2 Analysis
7.6.2 RESIDUAL HEAT REMOVAL ISOLATION VALVES
7.6.2.1 Description
7.6.2.2 Analysis
7.6.3 REFUELING INTERLOCKS
7.6.4 ACCUMULATOR MOTOR OPERATED VALVES
7.6.5 LEAKAGE DETECTION SYSTEMS
7.6.5.1 Description
7.6.5.2 Analysis
7.6.6 INTERLOCKS FOR RCS PRESSURE CONTROL DURING LOW TEMPERATURE OPERATION -- DELETED
7.6.7 SWITCHOVER FROM INJECTION TO RECIRCULATION
7.6.7.1 Description of Instrumentation Used for Switchover
7.6.7.2 Initiating Circuit
7.6.7.3 Logic
7.6.7.4 Bypass
7.6.7.5 Interlocks
7.6.7.6 Sequence
7.6.7.7 Redundancy
7.6.7.8 Diversity
7.6.7.9 Actuated Devices
7.6.7.10 Channel Bypass Indication
7.6.8 DELETED
7.6.9 DELETED
7.6.10 DELETED
7.6.11 SWITCHOVER FROM SPRAY TO RECIRCULATION
7.6.11.1 Description of Instrumentation Used for Switchover
7.6.11.2 Initiation Circuit
7.6.11.3 Logic
7.6.11.4 Bypass
7.6.11.5 Interlocks
7.6.11.6 Sequence
7.6.11.7 Redundancy
7.6.11.8 Diversity
7.6.11.9 Actuated Devices
7.6.11.10 Channel Bypass Indication
7.6.12 REFERENCES
7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
7.7.1 DESCRIPTION
7.7.1.1 Reactor Control System
7.7.1.2 Rod Control System
7.7.1.3 Plant Control Signals for Monitoring and Indicating
7.7.1.4 Plant Control System Interlocks
7.7.1.5 Pressurizer Pressure Control
7.7.1.6 Pressurizer Water Level Control
7.7.1.7 Steam Generator Water Level Control
7.7.1.8 Steam Dump Control
7.7.1.9 Incore Instrumentation
7.7.1.10 Boron Concentration Measurement System
7.7.2 ANALYSIS
7.7.2.1 Separation of Protection and Control System
7.7.2.2 Response Considerations of Reactivity
7.7.2.3 Step Load Changes Without Steam Dump
7.7.2.4 Loading and Unloading
7.7.2.5 Load Rejection Furnished by Steam Dump System
7.7.2.6 Turbine Generator Trip With Reactor Trip
7.7.3 TECHNICAL SUPPORT COMPLEX (TSC)
7.7.3.1 Description
7.7.3.2 Analysis
7.7.4 CRITICAL SYSTEMS LEAK MONITORING SYSTEM
7.7.4.1 Description
7.7.4.2 Analysis
7.7.5 RVLIS - DELETED (RN 99-115)
7.7.6 CORE SUBCOOLING MONITOR - DELETED (Amendment 1)
7.7.7 REFERENCES
7.8 ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY (AMSAC)
7.8.1 DESCRIPTION
7.8.1.1 System Description
7.8.1.2 Equipment Description
7.8.1.3 Functional Performance Requirements
7.8.1.4 AMSAC Interlocks
7.8.1.5 Steam Generator Level Sensor Arrangement
7.8.1.6 Turbine Impulse Chamber Pressure Arrangement
7.8.1.7 Trip System
7.8.1.8 Isolation Devices
7.8.1.9 AMSAC Diversity From the Reactor Protection System
7.8.1.10 Power Supply
7.8.1.11 Environmental Variations
7.8.1.12 Setpoints
7.8.2 ANALYSIS
7.8.2.1 Safety Classification/Safety-Related Interface
7.8.2.2 Redundancy
7.8.2.3 Diversity From Existing Trip System
7.8.2.4 Electrical Independence
7.8.2.5 Physical Separation From the Reactor Trip System and Engineered Safety Features Actuation System
7.8.2.6 Environmental Qualification
7.8.2.7 Seismic Qualification
7.8.2.8 Test, Maintenance, and Surveillance Quality Assurance
7.8.2.9 Power Supply
7.8.2.10 Testability at Power
7.8.2.11 Inadvertent Actuation
7.8.2.12 Maintenance Bypasses
7.8.2.13 Operating Bypasses
7.8.2.14 Indication of Bypasses
7.8.2.15 Means for Bypassing
7.8.2.16 Completion of Mitigative Actions Once Initiated
7.8.2.17 Manual Initiation
7.8.2.18 Information Readout
7.8.3 COMPLIANCE WITH STANDARDS AND DESIGN CRITERIA

LIST OF TABLES

Table Title

7.1-1 Listing of Applicable Criteria
7.1-2 Applicable Criteria
7.1-3 Conformance with Regulatory Guide 1.53 and IEEE 379-1972, for Balance of Plant Safety Related Instrumentation and Control Systems
7.2-1 List of Reactor Trips
7.2-2 Protection System Interlocks
7.2-3 Reactor Trip System Instrumentation
7.2-4 Reactor Trip Correlation
7.3-1 Instrumentation Operating Condition for Engineered Safety Features
7.3-2 Instrument Operating Conditions for Isolation Functions
7.3-3 Interlocks for Engineered Safety Features Actuation System
7.3-4 Secondary System Accidents and Required Instrumentation, Minor Secondary System Pipe Break, Major Secondary System Pipe Break
7.3-5 Primary System Accidents and Required Instrumentation Ruptures in Small Pipes, Cracks in Large Pipes, Ruptures of Large Pipes, Steam Generator Tube Rupture
7.3-6 Engineered Safety Feature Loading Sequence Control Panels, Degree of Conformance with Regulatory Guide 1.53 and IEEE 379-1972
7.3-7 Instrument and Control Data Cross References
7.4-1 Summary of Local Control Stations
7.4-2 Instrument and Control Data Cross References
7.5-1 Regulatory Guide 1.97 Variables - Deleted
7.5-2 Control Room Indicators and/or Recorders Available to the Operator to Monitor Significant Plant Parameters During Normal Operation
7.6-1 Leak Detection Methods Inside Control Room
7.7-1 Plant Control System Interlocks
7.7-2 BCMS Specs - Deleted (RN 99-085)

LIST OF FIGURES

Figure Title

7.1-1 Protection System Block Diagram
7.2-1 Functional Diagrams (15 Sheets)
7.2-2 Setpoint Reduction Function for Overtemperature ΔT Trip
7.2-3 Reactor Trip/ESF Actuation Mechanical Linkage
7.3-1 Engineered Safety Features Loading Sequence Control Panels System Functional Diagram
7.3-2 Typical Engineered Safety Features Test Circuits
7.3-3 Engineered Safety Features Test Cabinet - Index, Notes and Legend
7.4-1 Front View Arrangement Control Room Evacuation Panel XPN-7200-CE
7.4-2 Control Room Evacuation Panel XPN-7200-CE (A & B)
7.5-1 Containment Isolation Phase A and Containment Ventilation ESF Monitor Lights
7.5-2 Containment Isolation Phase B and Control Room Ventilation Isolation ESF Monitor Lights
7.5-3 Safety Injection (BOP) ESF Monitor Lights
7.5-4 Reactor Building Spray ESF Monitor Lights
7.5-5 Westinghouse Safety Injection Groups (1-3) ESF Monitor Lights
7.6-1 Logic Diagram - Residual Heat Removal System Isolation Valves XVG8701A and XVG8702B
7.6-1a Logic Diagram - Residual Heat Removal System Isolation Valves XVG8701B and XVG8702A
7.6-1b Logic Diagram - Residual Heat Removal System Isolation Valves XVG8701A, 8701B, 8702A, 8702B
7.6-2 Functional Block Diagram of Accumulator Isolation Valve
7.6-3 Deleted (Amendment 1)
7.6-3a Auxiliary Steam and Condensate Intermediate and Auxiliary Buildings Plans and Isometric Below Elevation 485'-0"
7.6-4 Auxiliary Steam Auxiliary Building Plan and Sections Below Elevation 436'-0"
7.6-5 Auxiliary Steam Intermediate and Auxiliary Building Plans Below Elevation 463'-0"
7.6-6 Chemical and Volume Control System Auxiliary Building Plan Below Elevation 436'-0" North of Reactor Building Centerline
7.6-7 Chemical and Volume Control System Auxiliary Building Plan and Sections Below Elevation 436'-0" South of Reactor Building Centerline
7.6-8 Chemical and Volume Control System Penetration Access Areas Plan and Sections Below Elevation 436'-0"
7.6-9 Safety Injection System and Reactor Building Spray System Recirculation Isolation Valves
7.6-10 Safety Injection System and Reactor Building Spray System Recirculation Isolation Valves
7.7-1 Simplified Block Diagram of Reactor Control System
7.7-2 Control Bank Rod Insertion Monitor
7.7-3 Rod Deviation Comparator
7.7-4 Block Diagram of Pressurizer Pressure Control System
7.7-5 Block Diagram of Pressurizer Level Control System
7.7-6 Block Diagram of Steam Generator Water Level Control System
7.7-7 Block Diagram of Main Feedwater Pump Speed Control System
7.7-8 Block Diagram of Steam Dump Control System
7.7-9 Basic Flux-Mapping System
7.7-10 Deleted per RN 99-085
7.7-11 Deleted per RN 99-085
7.7-12 Deleted per RN 99-085
7.7-13 Deleted per RN 99-085
7.7-14 Simplified Block Diagram Rod Control System
7.7-15 Control Bank D Partial Simplified Schematic Diagram Power Cabinets 1BD and 2BD
7.8-1 Actuation Logic System Architecture

LIST OF EFFECTIVE PAGES (LEP)

The following list delineates pages to Chapter 7 of the Virgil C. Summer Nuclear Station Final Safety Analysis Report which are current through May 2018. The latest changes to pages and figures are indicated below by Revision Number (RN) in the Amendment column along with the Revision Number and date for each page and figure included in the Final Safety Analysis Report.


Reformatted Per Amendment 00-01

7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The occurrence of a limiting fault, such as a loss of coolant accident or a steam line break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and Reactor Coolant System components, and ensure containment integrity.

In order to accomplish these design objectives the Engineered Safety Features System has proper and timely initiating signals which are to be supplied by the sensors, transmitters and logic components making up the various instrumentation channels of the Engineered Safety Features Actuation System.

7.3.1 DESCRIPTION

The Engineered Safety Features Actuation System uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (Condition III or IV faults). Once the required logic combination is completed, the system sends actuation signals to the appropriate engineered safety features components. The Engineered Safety Features Actuation System meets the requirements of Criteria 13, 20, 27, 28, and 38 of the 1971 General Design Criteria (GDC).

7.3.1.1 System Description

The Engineered Safety Features Actuation System is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Section 7.3.1.1.1 is listed below and discussed in this section and the references.

1. Process Instrumentation and Control System (Reference [1]).
2. Solid-State Logic Protection System (Reference [2]).
3. Engineered safety features test cabinet (Reference [3]).
4. Engineered safety features loading sequence control panels.
5. Manual actuation circuits.

The Engineered Safety Features Actuation System consists of 2 discrete portions of circuitry: 1) An analog portion consisting of 3 to 4 redundant channels per parameter or variable to monitor various plant parameters such as the Reactor Coolant System and steam system pressures, temperatures and flows and Reactor Building pressures; and 2) a digital portion consisting of 2 redundant logic trains which receive inputs from the analog protection channels and perform the logic needed to actuate the engineered safety features. Each digital train is capable of actuating the engineered safety features equipment required. The intent is that any single failure within the Engineered Safety Features Actuation System shall not prevent system action when required.

The redundant concept is applied to both the analog and logic portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations and analog protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23, and 24 of the 1971 GDC.

The variables are sensed by the analog circuitry as discussed in Reference [1] and in Section 7.2. The outputs from the analog channels are combined into actuation logic as shown on Figure 7.2-1, Sheets 5, 6, 7, and 8. Tables 7.3-1 and 7.3-2 give additional information pertaining to logic and function.

The interlocks associated with the Engineered Safety Features Actuation System are outlined in Table 7.3-3. These interlocks satisfy the functional requirements discussed in Section 7.1.2.
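The single-failure intent stated above can be checked by enumeration on a simplified model. The following Python code is an added example, not taken from the FSAR or from the plant's logic diagrams: it takes the 2/4 coincidence and the 2 trains from this section, assumes 2/3 for a three-channel parameter, and adds hypothetical contrast designs (1/4, 4/4, single train) to show what the chosen arrangement avoids. The failure modes and all names are assumptions of the example.

```python
"""Single-failure check for k-out-of-n coincidence logic feeding redundant trains.

Added illustration, not plant logic: the failure modes, the Design names and
the contrast designs are assumptions made for this example.
"""
from dataclasses import dataclass

HEALTHY = "healthy"
STUCK_UNTRIPPED = "stuck_untripped"   # channel never reports a trip
STUCK_TRIPPED = "stuck_tripped"       # channel always reports a trip


@dataclass(frozen=True)
class Design:
    name: str
    channels: int       # redundant analog channels for one parameter (n)
    votes_needed: int   # tripped channels required by the coincidence (k)
    trains: int         # redundant logic trains, each able to actuate alone


def channel_outputs(demand, modes):
    """Bistable output of each channel for the real plant condition `demand`."""
    outputs = []
    for mode in modes:
        if mode == STUCK_UNTRIPPED:
            outputs.append(False)
        elif mode == STUCK_TRIPPED:
            outputs.append(True)
        else:
            outputs.append(demand)
    return outputs


def actuates(design, demand, modes, train_ok):
    """True if the k/n coincidence is met and at least one train is available.

    Every train is modelled as receiving all n channels, so the vote is the
    same in each train and only train availability differs.
    """
    tripped = sum(channel_outputs(demand, modes))
    return tripped >= design.votes_needed and any(train_ok)


def single_failures(design):
    """Yield (description, channel modes, train availability), one failure each."""
    for i in range(design.channels):
        for mode in (STUCK_UNTRIPPED, STUCK_TRIPPED):
            modes = [HEALTHY] * design.channels
            modes[i] = mode
            yield f"channel {i + 1} {mode}", modes, [True] * design.trains
    for t in range(design.trains):
        ok = [True] * design.trains
        ok[t] = False
        label = f"train {chr(ord('A') + t)} unavailable"
        yield label, [HEALTHY] * design.channels, ok


def analyse(design):
    """Return (missed, spurious): single failures that block a real demand,
    and single failures that actuate with no demand present."""
    missed, spurious = [], []
    for description, modes, train_ok in single_failures(design):
        if not actuates(design, True, modes, train_ok):
            missed.append(description)
        if actuates(design, False, modes, train_ok):
            spurious.append(description)
    return missed, spurious


DESIGNS = [
    Design("2/4 coincidence, 2 trains", channels=4, votes_needed=2, trains=2),
    Design("2/3 coincidence, 2 trains (assumed)", channels=3, votes_needed=2, trains=2),
    Design("4/4, 2 trains (hypothetical contrast)", channels=4, votes_needed=4, trains=2),
    Design("1/4, 2 trains (hypothetical contrast)", channels=4, votes_needed=1, trains=2),
    Design("2/4, 1 train (hypothetical contrast)", channels=4, votes_needed=2, trains=1),
]


def report():
    """Map each design name to its (missed, spurious) single-failure lists."""
    return {d.name: analyse(d) for d in DESIGNS}


if __name__ == "__main__":
    for name, (missed, spurious) in report().items():
        print(name)
        print("  blocks a real demand:", missed or "none")
        print("  actuates without demand:", spurious or "none")
```
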

Manual actuation from the control board of both trains of containment isolation Phase A is provided by operation of either one of the redundant momentary containment isolation Phase A controls. Also on the control board is manual actuation of safety injection by one of the redundant controls and a manual activation of containment isolation Phase B by either of 2 sets of controls. Each set consists of 2 switches which also actuate reactor building spray.

Manual controls are also provided to supplement the semi-automatic switchover from the injection to the recirculation phase after a loss of coolant accident.

7.3.1.1.1 Function Initiation

The specific functions which rely on the Engineered Safety Features Actuation System for initiation are:

1. A reactor trip, provided one has not already been generated by the Reactor Trip System.
2. Cold leg injection isolation valves which are opened for injection of borated water by charging pumps into the cold legs of the Reactor Coolant System.
3. Charging pumps and associated valving which provide emergency makeup water to the cold legs of the Reactor Coolant System following a loss of coolant accident.
4. Phase A containment isolation, whose function is to prevent fission product release. (Isolation of all lines not essential to reactor protection.)
5. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled Reactor Coolant System cooldown.
6. Main feedwater line isolation to prevent or mitigate the effect of excessive cooldown.
7. Start the emergency diesels to assure backup supply of power to emergency and supporting systems components.
8. Isolate the control room intake ducts to meet control room occupancy requirements following a loss of coolant accident.
9. Reactor building spray actuation which performs the following functions:
   a. Initiates reactor building spray to reduce reactor building pressure and temperature following a loss of coolant or steam line break accident inside the Reactor Building. Iodine removal benefits are also obtained from reactor building spray following a loss of coolant accident.
   b. Initiates Phase B containment isolation which isolates the Reactor Building following a loss of reactor coolant accident, or a steam or feedwater line break within the Reactor Building to limit radioactive releases. (Phase B isolation together with Phase A isolation results in isolation of all but engineered safety features lines penetrating the Reactor Building.)
10. Initiates the engineered safety features loading sequence (ESFLS) which provides timing in order to load the buses at predetermined intervals, avoiding overload conditions on the associated bus. In addition, the engineered safety features loading sequence provides for tripping and blocking of loads. The engineered safety features loading sequence initiates the following functions:
   a. Those pumps which serve as part of the heat sink for Reactor Building cooling (i.e., service water) and associated supporting systems, such as component cooling water pumps and chilled water pumps.
   b. Motor driven emergency feedwater pumps.
   c. Residual heat removal pumps.
   d. Reactor building cooling units (recirculation fans and filtration system) which cool the Reactor Building and limit the potential for release of fission products from the Reactor Building by reducing pressure following an accident.
   e. Trip and lockout of non-engineered safety features loads.

7.3.1.1.2 Analog Circuitry

The process analog sensors and racks for the Engineered Safety Features Actuation System are covered in Reference [1]. Discussed in this report are the parameters to be measured including pressures, flows, tank and vessel water levels, and temperatures as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices and flow elements, resistance temperature detectors, as well as automatic calculations, signal conditioning and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the piping flow diagrams in Chapter 5. The secondary system sensor locations are shown on the steam system flow diagrams given in Chapter 10.

Reactor Building pressure is sensed by 4 physically separated differential pressure transmitters mounted and supported outside of the Reactor Building. These transmitters, meeting Class 1E seismic criteria regarding mounting, are connected to the Reactor Building atmosphere by a filled transmission system. The distance from penetration to transmitter is kept to a minimum, and separation is maintained. This arrangement, together with the pressure sensors external to the Reactor Building, meets the double barrier requirements of General Design Criteria-56 and Regulatory Guide 1.11.

Pumps and valves which are an integral part of, or associated with the engineered safeguards (used for injection, reactor building spray and recirculation) will have an operation/position status light.

Engineered safety features remote operated valves have position indication on the control board in 2 places to show proper positioning of the valves. Red and green indicator lights are located next to the manual control station showing open and closed positions. The engineered safety features (safety injection) positions of these valves are displayed by an energized bright light on the monitor light panels, which consist of an array of white lights which are dim when the valves are in their normal or required positions for power operations. The monitor lights for automatically actuated valves are energized when the valve is in the automatically actuated position. These monitor lights thus enable the operator to quickly assess the status of the Engineered Safety Features Systems. These indications are derived from contacts integral to the valve operators.

The circuits for the engineered safety features monitor lights and red/green lights are classified as associated circuits and have electrical and physical separation. In the cases of the accumulator isolation valves, redundancy of position indication is provided by valve stem mounted limit switches which actuate annunciators on the control board when the valves are not correctly positioned for engineered safety features actuation.

The stem mounted switches for the accumulator isolation valves are independent of the limit switches in the motor operators.

7.3.1.1.3 Digital Circuitry

The engineered safety features logic racks are discussed in detail in Reference [2]. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference [2] also covers certain aspects of online test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic as shown on Sheets 5, 6, 7, 8, and 14 of Figure 7.2-1.

To facilitate engineered safety features actuation testing, 2 test cabinets (1 per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group by group basis until actuation of all devices has been checked (see Reference [3]). Final actuation testing is discussed in detail in Section 7.3.2.

Separation and redundancy requirements are satisfied for the engineered safety features loading sequence by the provision of 2 independent engineered safety features load sequencer control panels. These physically separate control panels, located in the relay room, each consist of a logic output relay cabinet.

7.3.1.1.4 Final Actuation Circuitry

The outputs of the Solid-State Logic Protection System (the slave relays) are energized to actuate. These devices are listed as follows:

1. Safety Injection System pump and valve actuators. See Chapter 6 for flow diagrams and additional information.
2. Containment isolation (Phase A - "T" signal isolates all nonessential process lines on receipt of safety injection signal; Phase B - "P" signal isolates remaining process lines (which do not include engineered safety features lines) on receipt of 2/4 Hi-3 containment pressure signal). For further information, see Section 6.2.4.
3. Diesel start (see Chapter 8).
4. Feedwater isolation (see Chapter 10).
5. Ventilation isolation valve and damper actuators (see Chapter 6).
6. Steam line isolation valve actuators (see Chapter 10).
7. Reactor Building spray pump and valve actuators (see Chapter 6).
8. Engineered safety features loading sequence (see Section 7.3.1.1.5).

If an accident is assumed to occur coincident with a loss of offsite power, the engineered safety features loads must be sequenced onto the diesel generators to prevent overloading them. This sequence is discussed in Chapter 8. The design meets the requirements of Criterion 35 of the 1971 General Design Criteria.

7.3.1.1.5 Engineered Safety Features Loading Sequence Control Panels

The ESFLS automatically loads engineered safety features components to the ESF buses under the following conditions:

a. Loss of offsite power or degradation of voltage.
b. Safety injection.
c. Safety injection coincident with loss of offsite power or degradation of voltage.

The loss of offsite power or degradation of voltage considered here is related to the engineered safety features buses (7.2 V buses 1DA and/or 1DB). Loss of voltage is detected on either bus by 3/3 loss of voltage relays. Degraded voltage is detected on either bus by 3/3 degraded voltage relays. The safety injection signal is generated by the Solid-State Protection System. To assure component operation under the various initiating conditions, 2 initiating sequences are provided. These sequences are a "blackout sequence," which loads the components needed to shut down the plant in the event of a loss of power or degraded voltage, and a "safety injection sequence," which loads the components needed to mitigate the consequences of design bases accidents occurring coincident with a loss of offsite power or degradation of voltage.

The initiation of engineered safety features loads following safety injection with engineered safety features bus power available utilizes the same "safety injection sequence" identified above. Use of the loading sequencer during conditions when ESF bus power is available provides the following benefits:

1. Enhanced reliability due to a simplified logic for component actuation.
2. Improved online testing capability.

As discussed in Section 8.3, each 7.2 kV engineered safety features bus is fed from both the normal (offsite) and emergency (onsite) supplies and each engineered safety features bus is provided with loss of voltage and degraded voltage relays. This arrangement enables operation of the engineered safety features logic sequence independent of the source (offsite or onsite) of power.

When initiated, the sequencer provides timing to load the buses at 5 second intervals. Order of loading is determined by system requirements, design capabilities of the diesel and the type of incident or accident, as evaluated by the engineered safety features logic sequence logic circuitry (see Figure 7.3-1 and Section 8.3). In addition, the sequencer provides for tripping and blocking of loads. The engineered safety features logic sequence is located in the relay room and indication is provided on the main control board. It provides the operator with information on the progress of the loading sequence and consists of internal logic circuits and output relays (the relays are located in a cabinet in the relay room). The output of these relays actuates the required safety-related equipment.

Each engineered safety features loading sequence consists of the following components:

1. Logic circuits, located in the logic section of the control cabinet.
2. Indication, located on the monitor section of the control cabinet and on section XCP-6117 of the main control board. The indication on the main control board provides the operator with information necessary for evaluation of progress of the loading sequence.
3. Output relays, located in the relay cabinet, to provide multiple contacts for the various functions.

7.3.1.1.6 Support Systems

The following systems are required for support of the engineered safety features:

1. Service Water - Heat Removal (see Chapter 9).
2. Component Cooling Water Systems - Heat Removal (see Chapter 9).
3. Chilled Water System - Heat Removal (see Chapter 9).
4. Class 1E Electrical Power Distribution Systems (see Chapter 8).
5. Other Heating, Ventilating and Air Conditioning Systems (see Section 9.4.5).

7.3.1.2 Design Bases Information

The functional diagrams presented in Figure 7.2-1, Sheets 5, 6, 7, and 8 provide a graphic outline of the functional logic associated with requirements for the Engineered Safety Features Actuation System. Requirements for the Engineered Safety Features System are given in Chapter 6. Given below is the design bases information required in IEEE Standard 279-1971, Reference [4].

7.3.1.2.1 Generating Station Conditions

The following is a summary of those generating station conditions requiring protective action:

1. Primary System
   a. Rupture in small pipes or cracks in large pipes.
   b. Rupture of a reactor coolant pipe (loss of coolant accident).
   c. Steam generator tube rupture.
2. Secondary System
   a. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief, or safety valve.
   b. Rupture of a major steam pipe.

7.3.1.2.2 Generating Station Variables

The following list summarizes the generating station variables required to be monitored for the automatic initiation of safety injection during each accident identified in the preceding section. Post accident monitoring requirements are described in the VCSNS Environmental Qualification/Reg. Guide 1.97 Design Basis Document.

1. Primary System Accidents
   a. Pressurizer pressure.
   b. Reactor Building pressure (not required for steam generator tube rupture).
2. Secondary System Accidents
   a. Pressurizer pressure.
   b. Steam line pressures.
   c. Reactor Building pressure (steam or feedwater line break inside reactor building).
   d. Steam line differential pressure.

7.3.1.2.3 Spatially Dependent Variables

The only variable sensed by the Engineered Safety Features Actuation System which has spatial dependence is reactor coolant temperature. The effect on the measurement is negated by taking multiple samples from the reactor coolant hot leg and averaging these samples by mixing in the resistance temperature detector bypass loop.

7.3.1.2.4 Limits, Margins, and Levels

Prudent operational limits, available margins, and setpoints before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications.

7.3.1.2.5 Abnormal Events

The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:

1. Loss of coolant accident (see Sections 15.3 and 15.4).
2. Steam line breaks (see Sections 15.3 and 15.4).
3. Earthquakes (see Chapters 2 and 3).
4. Fire (see Section 9.5.1).
5. Explosion (Hydrogen buildup inside the Reactor Building) (see Section 15.4).
6. Missiles (see Section 3.5).
7. Flood (see Chapters 2 and 3).

7.3.1.2.6 Minimum Performance Requirements

Minimum performance requirements are as follows:

1. System Response Times

   The Engineered Safety Features Actuation System response time is defined as the interval required for the engineered safety features sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed setpoints. The response time includes sensor/process (analog) and logic (digital) delay plus the time delay associated with tripping open the reactor trip breakers and control and latching mechanisms. The values listed herein are maximum allowable times consistent with the safety analyses and are systematically verified during plant preoperational startup tests. These maximum delay times thus include all compensation and therefore require that any such network be aligned and operating during verification testing.

   The Engineered Safety Features Actuation System is always capable of having response time tests performed using the same methods as those tests performed during the preoperational test program or following significant component changes.

   System response times for loss of coolant protection are:

   a. Pressurizer pressure: 1.0 second
   b. Reactor building pressure: 1.5 seconds

   Maximum allowable time delays in generating the actuation signal for steam break protection are given in Table 7.3-4.

2. System Accuracies

   Accuracies required for generating the required actuation signals for loss of coolant protection are given in Table 7.3-5.

3. Ranges of sensed variables to be accommodated until conclusion of protective action is assured are given in Table 7.3-5.

7.3.1.3 Final System Drawings

The schematic diagrams for the systems discussed in this section are discussed in Section 1.7.

7.3.2 ANALYSIS

7.3.2.1 Failure Mode and Effects Analyses

Failure mode and effects analyses have been performed on Engineered Safety Features Systems (ESFS) equipment within the scope of Westinghouse. The results verify that these systems meet protection single failure criteria as required by IEEE Standard 279-1971 and the Virgil C. Summer Nuclear Station (Engineered Safety Features Systems) equipment is designed to equivalent safety design criteria. The actuation of the Virgil C. Summer Nuclear Station Engineered Safety Features Systems is functionally the same as the systems studied in these analyses.

The failure mode and effects analysis (FMEA) which was performed on engineered safety features equipment within the scope of Westinghouse was for a typical Westinghouse Engineered Safety Features Actuation System (ESFAS). (See Reference [5]). The analysis has generic application to all Westinghouse Engineered Safety Features Actuation Systems of the Virgil C. Summer Nuclear Station vintage. The conclusion is that the analysis (1) qualitatively demonstrates the reliability of the Engineered Safety Features Actuation System to perform its intended function and (2) shows that the Engineered Safety Features Actuation System does comply with the single failure criterion, because no single failure was found which could prevent the Engineered Safety Features Actuation System from generating the proper actuation signal on demand for an engineered safety feature. Random single failures are either in a safe direction or a redundant channel or train ensures the necessary actuation capability.

The basis of a failure mode and effects analysis is principally that single failures are detectable, identifiable, and random. They are not systematic (common mode). The systematic failure considerations applied to equipment hardware, as well as actuation functions, are addressed elsewhere in the final safety analysis report, such as:

1. Seismic qualification of Seismic Category 1 instrumentation and electrical equipment (Section 3.10). This conforms to Section 4.7.4.2 of IEEE 279-1971.
2. Environmental design of mechanical and electrical equipment (Section 3.11). This conforms to Section 4.7.4.2 of IEEE 279-1971.
3. The Nuclear Instrumentation System, the Solid State Protection System, and the 7300 Series Process Control System noise tests (See Section 7.2.2.2.3.7 and Reference 5 in Section 7.2.4).
4. Manual initiation of protective actions (See Section 7.3.2.2.7).

7.3.2.2 Compliance With Standards and Design Criteria

Discussion of the General Design Criteria (GDC) is provided in various sections of Chapter 7 where a particular General Design Criteria is applicable. Applicable General Design Criteria include Criteria 13, 20, 21, 22, 23, 24, 25, 27, 28, 35, 37, 38, 40, 43, and 46 of the 1971 General Design Criteria. Compliance with certain IEEE Standards is presented in Sections 7.1.2.7, 7.1.2.9, 7.1.2.10, and 7.1.2.11. The discussion given below shows that the Engineered Safety Features Actuation System complies with IEEE Standard 279-1971, Reference [4]. For the list of references to the discussions of conformance to applicable criteria, see Table 7.1-1.

Table 7.3-6 outlines the degree of conformance of the engineered safety features loading sequence control panels to Regulatory Guide 1.53 and IEEE Standard 379-1972, Reference [5].

7.3.2.2.1 Single Failure Criteria

The discussion presented in Section 7.2.2.2.3 is applicable to the Engineered Safety Features Actuation System, with the following exception.

In the engineered safety features, a loss of instrument power will call for actuation of engineered safety features equipment controlled by the specific bistable that lost power (Reactor Building spray excepted). The actuated equipment must have power to comply. The power supply for the protection systems is discussed in Section 7.6 and in Chapter 8. For Reactor Building spray, the final bistables are energized to trip to avoid spurious actuation. In addition, manual Reactor Building spray requires a simultaneous actuation of 2 manual controls. This is considered acceptable because spray actuation on Hi-3 Reactor Building pressure signal provides automatic initiation of the system via protection channels meeting the criteria in Reference [4]. Moreover, 2 sets (2 switches per set) of Reactor Building spray manual initiation switches are provided to meet the requirements of IEEE Standard 279-1971. Also it is possible for all engineered safety features equipment (valves, pumps, etc.) to be individually manually actuated from the control board. Hence, a third mode of Reactor Building spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 General Design Criteria.

7.3.2.2.2 Equipment Qualification

Equipment qualifications are discussed in Sections 3.10 and 3.11.

7.3.2.2.3 Channel Independence

The discussion presented in Section 7.2.2.2.3 is applicable. The engineered safety features slave relay outputs from the solid-state logic protection cabinets are redundant, and the actuations associated with each train are energized up to and including the final actuators by the separate a-c power supplies which power the logic trains.

7.3.2.2.4 Control and Protection System Interaction

The discussions presented in Section 7.2.2.2.3 are applicable.

7.3.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration

The discussions of system testability in Section 7.2.2.2.3 are applicable to the sensors, analog circuitry, and logic trains of the Engineered Safety Features Actuation System. The following discussions cover those areas in which the testing provisions differ from those for the Reactor Trip System.

7.3.2.2.5.1 Testing of Engineered Safety Features Actuation Systems

The Engineered Safety Features Systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event of an accident. The testing program meets the requirements of Criteria 21, 37, 40, and 43 of the 1971 General Design Criteria and requirements on testing of the Emergency Core Cooling System as stated in General Design Criteria-37 except for the operation of those components that will cause an adverse effect to the safety or operability of the plant per Regulatory Guide 1.22 as discussed in Section 7.1.2.5. The tests described in Section 7.2.2.2.3 and further discussed in Section 6.3.4 meet the actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources and the operation of associated cooling water systems. The charging pumps and residual heat removal pumps are started and operated and their performance verified in a separate test discussed in Section 6.3.4.

When the pump tests are considered in conjunction with the Emergency Core Cooling System test, the requirements of General Design Criteria-37 on testing of the Emergency Core Cooling System are met as closely as possible without causing an actual safety injection.

Testing as described in Sections 6.3.4, 7.2.2.2.3, and 7.3.2.2.5 provides complete periodic testability during reactor operation of all logic and components associated with the Emergency Core Cooling System.

This design meets the requirements of Regulatory Guide 1.22 as discussed in the above sections. The program is as follows:

1. Prior to initial plant operations, Engineered Safety Features System tests will be conducted.
2. Subsequent to initial startup, Engineered Safety Features System tests will be conducted during each regularly scheduled refueling outage.
3. During online operation of the reactor, engineered safety features analog and logic circuitry will be fully tested. In addition, essentially all of the engineered safety features final actuators will be fully tested. The remaining few final actuators whose operation is not compatible with continued online plant operation will be checked by means of continuity testing.

7.3.2.2.5.2 Performance Test Acceptability Standard for the "S" (Safety Injection Signal) and for the "P" (the Automatic Demand Signal for Reactor Building Spray Actuation) Actuation Signals Generation

During reactor operation the basis for Engineered Safety Features Actuation Systems acceptability will be the successful completion of the overlapping tests performed on the initiating system and the Engineered Safety Features Actuation System, see Figure 7.3-2. Checks of process indications verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays except for the input relays associated with the Reactor Building spray function which are tested during the solid-state logic testing. Solid-State logic testing also checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays; final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check is performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves shall have completed their travel.

The basis for acceptability for the engineered safety features interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint.

Routine periodic inspections of the ESF equipment and performance acceptability testing of the "S" (Safety Injection Signal) and of the "P" (Automatic Demand Signal for Reactor Building Spray Actuation) are consistent with inspections and tests of the NSSS Electrical Equipment Section 3.11.2.2.1 and the Technical Specifications.

7.3.2.2.5.3 Frequency of Performance of Engineered Safety Features Actuation Tests

During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed on a periodic basis. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.

7.3.2.2.5.4 Engineered Safety Features Actuation Test Description

The following sections describe the testing circuitry and procedures for the online portion of the testing program. The guidelines used in developing the circuitry and procedures are:

1. The test procedures must not involve the potential for damage to any plant equipment.
2. The test procedures must minimize the potential for accidental tripping.
3. The provisions for online testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.

7.3.2.2.5.5 Description of Initiation Circuitry

Several systems comprise the total Engineered Safety Features System, the majority of which may be initiated by different process conditions and be reset independently of each other.

The remaining functions (listed in Section 7.3.1.1.1) are initiated by a common signal (safety injection) which in turn may be generated by different process conditions.

In addition, operation of all other vital auxiliary support systems, such as Emergency Feedwater, Component Cooling Water, Service Water, and Heating, Ventilating and Air Conditioning Systems listed in Section 9.4.5, is initiated by the safety injection signal.

Each function is actuated by a logic circuit which is duplicated for each of the 2 redundant trains of engineered safety features initiation circuits.

The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the solid-state logic protection cabinets designated Train A, and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor operated valve contactors, solenoid operated valves, emergency generator starting, etc.

7.3.2.2.5.6 Analog Testing

Analog testing is identical to that used for reactor trip circuitry and is described in Section 7.2.2.2.3.

An exception to this is Reactor Building spray, which is energized to actuate 2/4 and reverts to 2/3 when 1 channel is in test.

7.3.2.2.5.7 Solid-State Logic Testing

Except for Reactor Building spray channels, solid-state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of 1 train, the other train can initiate the required engineered safety features function. For additional details, see Reference [2].
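Added example (not part of the FSAR): a small Python model of the energize-to-actuate Reactor Building spray coincidence described in Sections 7.3.2.2.1 and 7.3.2.2.5.6, showing how 2/4 becomes 2/3 with 1 channel in test and how loss of channel power affects energize-to-trip versus de-energize-to-trip bistables. The class and function names are illustrative, and the de-energize-to-trip 2/4 comparison case is a hypothetical arrangement, not plant logic.

```python
"""Illustrative model of coincidence voting with energize-to-trip and
de-energize-to-trip bistables. Channel counts follow the text (2/4, and 2/3
with one channel in test); all names and the comparison case are assumptions."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Bistable:
    energize_to_trip: bool       # True: needs power to produce a trip output
    powered: bool = True
    process_high: bool = False   # sensed variable is beyond its setpoint
    in_test: bool = False        # channel removed from service for testing

    def trip_output(self) -> bool:
        if self.energize_to_trip:
            # Without power the bistable cannot call for actuation.
            return self.powered and self.process_high
        # De-energize-to-trip: loss of power is indistinguishable from a trip.
        return (not self.powered) or self.process_high


def vote(channels, required=2):
    """Return (demand, logic), where logic is a label such as '2/4' or '2/3'.

    A channel in test is dropped from the vote, so 2/4 becomes 2/3.
    """
    voters = [c for c in channels if not c.in_test]
    demand = sum(c.trip_output() for c in voters) >= required
    return demand, f"{required}/{len(voters)}"


def power_loss_survey(energize_to_trip, n=4, required=2, in_test=0):
    """Classify the outcome for every combination of unpowered voting channels.

    Returns {lost_count: (spurious, missed)}:
      spurious = actuation demanded although no channel senses a high variable
      missed   = no actuation although every channel senses a high variable
    """
    results = {}
    for lost in range(n - in_test + 1):
        spurious = missed = False
        # Channels 0..in_test-1 are in test; power is lost only on voters.
        for dead in combinations(range(in_test, n), lost):
            def build(high):
                return [
                    Bistable(energize_to_trip,
                             powered=i not in dead,
                             process_high=high,
                             in_test=i < in_test)
                    for i in range(n)
                ]
            spurious |= vote(build(False), required)[0]
            missed |= not vote(build(True), required)[0]
        results[lost] = (spurious, missed)
    return results


if __name__ == "__main__":
    cases = (("energize-to-trip (spray)", True),
             ("de-energize-to-trip (hypothetical)", False))
    for label, ett in cases:
        for in_test in (0, 1):
            logic = vote([Bistable(ett, in_test=i < in_test) for i in range(4)])[1]
            print(f"{label}, logic {logic}")
            survey = power_loss_survey(ett, in_test=in_test)
            for lost, (spurious, missed) in survey.items():
                print(f"  {lost} unpowered: spurious={spurious} missed={missed}")
```

In this model the energize-to-trip arrangement never produces a demand from power loss alone but stops responding once fewer than 2 voting channels remain powered; the hypothetical de-energize-to-trip case shows the opposite trade.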

7.3.2.2.5.8 Actuator Testing

At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. Slave relays (K601, K602, etc.) do not operate because of reduced voltage.

The Engineered Safety Features Actuation System final actuation device or actuated equipment testing shall be performed from the engineered safety features test cabinets. These cabinets are normally located near the Solid-State Logic Protection System equipment. There is 1 test cabinet provided for each of the 2 protection Trains "A" and "B". Each cabinet contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that a safety injection signal is initiated during the test of the final device that is actuated by this test, the device will already be in its engineered safety feature position.

During this last procedure, close communication between the Control Room operator and the operator at the test panel is required. Prior to the energizing of a slave relay, the operator in the Control Room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the Control Room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps and annunciators on the control board and, using a prepared check list, records all operations. After proper operation is verified, the test switch is reset at the test panel and each device is returned to its desired mode from the control board.

By means of the procedures outlined above, all engineered safety features devices actuated by engineered safety features actuation systems initiation circuits, with the exceptions noted in Section 7.1.2.5 under a discussion of Regulatory Guide 1.22, are operated by the automatic circuitry.

7.3.2.2.5.9 Actuator Blocking and Continuity Test Circuits

Those few final actuation devices that cannot be designed to be actuated during plant operation (discussed in Section 7.1.2.5) have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing. Operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices' control are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts, the devices' control circuit cabling, control voltage and the devices' actuation relay coils, solenoids, etc. Interlocking prevents blocking the output from more than 1 output relay in a protection train at a time. Interlocking between trains is also provided to prevent continuity testing in both trains simultaneously, therefore the redundant device associated with the protection train not under test will be available in the event protection action is required. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One (1) exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those few final actuation devices associated with this slave relay will not be overridden; however, the redundant devices in the other train would be operational and would perform the required safety function. Actuation devices to be blocked are identified in Section 7.1.2.5.

The continuity test circuits for these components that cannot be actuated online are verified by proving lights on the engineered safety features test racks.

The typical schemes for blocking operation of selected engineered safety features function actuator circuits are shown in Figure 7.3-3 as details A and B. The schemes operate as explained below and are duplicated for each engineered safety features train.

Detail A shows the circuit for contact closure for protection function actuation. Under normal plant operation, and equipment not under test, the test lamps "DS *" for the various circuits will be energized. Typical circuit path will be through the normally closed test relay contact "K8 *" and through test lamp connections 1 to 3. Coils "X1" and "X2" will be capable of being energized for protection function actuation upon closure of solid-state logic output relay contacts "K *". Coil "X1" or "X2" is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts "K8 *" are opened to block energizing of coil "X1" and "X2", the white lamp is de-energized, and the slave relay "K *" may be energized to perform continuity testing. To verify operability of the blocking relay in both blocking and restoring normal service, open the blocking relay contact in series with lamp connections - the test lamp should be de-energized; close the blocking relay contact in series with the lamp connections - the test lamp should now be energized, which verifies that the circuit is now in its normal, i.e., operable condition.

Detail B shows the circuit for contact opening for protection function actuation. Under normal plant operation, and equipment not under test, the white test lamps "DS *" for the various circuits will be energized, and green test lamp "DS *" will be de-energized. Typical circuit path for white lamp "DS *" will be through the normally closed solid-state logic output relay contact "K *" and through test lamp connections 1 to 3. Coils "Y1" and "Y2" will be capable of being de-energized for protection function actuation upon opening of solid-state logic output relay contacts "K *". Coil "Y2" is typical for a solenoid valve coil, auxiliary relay, etc. When the contacts "K8 *" are closed to block de-energizing of coils "Y1" and "Y2", the green test lamp is energized, and the slave relay "K *" may be energized to verify operation (opening of its contacts). To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should now be energized also; open this blocking relay contact - the green test lamp should be de-energized, which verifies that the circuit is now in its normal, i.e., operable condition.

7.3.2.2.5.10

The testing provisions of the engineered safety features loading sequence control panels differ from the Engineered Safety Features Actuation System. Each engineered safety features loading sequence control panel is designed to combine automatic testing with manual testing. Continuous and periodic test features are provided to test for equipment faults (e.g., open circuits, short circuits, inoperative timers). All system accuracy and functional requirements are maintained when automatic testing is implemented. These features are provided in accordance with IEEE-420, Section 4.7 and the following:

1. Automatic Test

   The Automatic Test Feature has 3 operating modes: Continuous, Fast, and Slow. During these modes, the Automatic Test Feature monitors the engineered safety features loading sequence and upon occurrence of an improper response will display the step number of the failed test and energize a fault relay for remote annunciator. The Continuous mode provides on-line surveillance of the engineered safety features loading sequence operation by repeatedly cycling the Automatic Test circuits through their test states and monitoring the various system outputs for appropriate responses. Operation is checked from the logic input signals through the logic and counter stages and up to and including the relay driven outputs. The surveillance will not interfere with system requirements nor cause an undesired relay actuation during normal system operation. The Fast mode operates in the same manner as the Continuous mode except that only 1 test cycle is performed for each operator initiated test.

   The Slow mode allows manual stepping of the Automatic Test circuits through a test cycle to observe the system response via the cabinet control panel indicators. Operation is checked from the logic input signals through the logic and counter stages, the relay driver outputs, and output relays. The Slow mode actuates the output relays thereby starting or tripping plant equipment.

   Fault detection and annunciation, local and remote, are automatic in the Continuous and Fast mode while operator interpretation of the system response is required in the Slow mode. Additionally, automatic resetting of the Automatic Test circuits, in response to a True input signal, is provided in the Continuous and Fast modes. Manual reset is required in the Slow mode.

7.3-19Reformatted PerAmendment 00-012.Manual TestThe Manual Test Features provide the means to verify all engineered safetyfeatures loading sequence functions locally at the cabinet control panel. Input testswitches enable simulation of all inputs, including operation of the input buffer relays, in any combination or time sequence. Output test switches enable actuation of each step or output individually, including operating of the final associated solid state driver stage. Blocking switches, which allow active testing of Output 1 and Output 4 without effecting associated external loads, are also provided. Indicator lamps associated with each input, system, startup, each step and each output allow the operation to visually observe the results of all tests.7.3.2.2.5.11Time Required for TestingIt is estimated that analog testing can be performed at a rate of several channels perhour. Logic testing of both Trains A and B can be performed in less than 30 minutes.Testing of actuated components (including those which can only be partially tested) will be a function of control room operator availability. It is expected to require several shifts to accomplish these tests. During this procedure automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked and then only while blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes.

During this time the redundant devices in the other train would be functional.

7.3.2.2.5.12 Summary of Online Testing Capabilities

The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device, a continuity test of the individual control circuits is performed.

The procedures require testing at various locations.

1. Analog testing and verification of bistable setpoint are accomplished at process analog racks. Verification of bistable relay operation is done at the control board status lights.

2. Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic rack test panel.

3. Testing of pumps, fans and valves is done at a test panel located in the vicinity of the logic racks in combination with the control room operator.

4. Continuity testing from those circuits that cannot be operated is done at the same test panel mentioned in item 3 above.

The reactor coolant pump essential service isolation valves consist of the isolation valves on the component cooling water and the seal water return header.

The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time while the reactor coolant pump or certain of its parts were replaced. This would place a great economic burden on South Carolina Electric and Gas Company.

Reactor Building Spray System pump tests will be performed periodically. The pump tests will be performed with the isolation valves in the spray pump discharge lines at the Reactor Building blocked closed; the Sodium Hydroxide Storage Tank valves are also blocked closed.

7.3.2.2.5.13 Testing During Shutdown

Emergency Core Cooling System tests will be performed at each major fuel reloading with the Reactor Coolant System isolated from the Emergency Core Cooling System by closing the appropriate valves. A test safety injection signal will then be applied to initiate operation of active components (pumps and valves) of the Emergency Core Cooling System. This is in compliance with Criterion 37 of the 1971 General Design Criteria.

7.3.2.2.5.14 Periodic Maintenance Inspection

The maintenance procedures which follow may be accomplished in any order. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment.

Typical maintenance procedures include the following:

1. Check cleanliness of all exterior and interior surfaces.

2. Inspect for loose or broken control knobs and burned-out indicator lamps.

3. Inspect for moisture and condition of cables and wiring.

4. Visually or mechanically check connectors and terminal boards for looseness, poor connection, or corrosion.

5. Inspect the components of each assembly for signs of overheating or component deterioration.

6. Perform complete system operating check.

The balance of the requirements listed in Reference [4] (paragraphs 4.11 through 4.22) are discussed in Section 7.2.2.2.3. Paragraph 4.20 receives special attention in Section 7.5.4.

7.3.2.2.6 Manual Resets and Blocking Features

The manual reset feature associated with reactor building spray actuation is provided in the standard design of the Westinghouse Solid-State Protection System design for 2 basic purposes: First, the feature permits the operator to start an interruption procedure of automatic reactor building spray in the event of false initiation of an actuation signal.

Second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.

It is most important to note that manual control of the Spray System does not occur, once actuation has begun, by just resetting the associated logic devices alone. Components will seal in (latch) so that removal of the actuation signal, in itself, will neither cancel nor prevent completion of protective action, nor provide the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays which have "sealed in" the initial actuation signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.

The manual reset feature associated with reactor building spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.

In the event that the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in 1 train (by operating and holding the corresponding reset switch at the time the initiate signal is transmitted) the other train will automatically carry the protective action to completion.

In the event that the reset condition is imposed simultaneously in both trains at the time the initiate signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator. Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return again, automatic system actuation will repeat.

Note also that any time delays imposed on the system action are to be applied after the initiating signals are latched. Delay of actuation signals for fluid systems lineup, load sequencing, etc., does not provide the operator time to interrupt automatic completion, with manual reset alone, as would be the case if time delay were imposed prior to sealing of the initial actuation signal.

The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup. These block features meet the requirements of paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

Safety injection actuation on low pressurizer pressure may be manually blocked when the primary pressure falls below the P-11 setpoint. Safety injection and steamline isolation actuation on low steamline pressure may also be manually blocked below the P-12 setpoint (low-low Tavg). Safety injection cannot be blocked on high steam line differential pressure or high-1 containment pressure, and steam line isolation cannot be blocked on either high steam line flow coincident with low-low Tavg or high-2 containment pressure. Thus these signals would always be available to automatically terminate a steam line rupture during cooldown or startup.

Furthermore, during heatup and cooldown and while safety injection is blocked, the operator will be in full manual control of the plant. He will be cognizant of the plant operating conditions and the expected changes in these parameters. If a serious steam line break should occur during this time, it should be apparent to the operator so that he can take the necessary action to prevent any adverse consequences in a timely fashion.

The types of instrumentation available to the operator which would indicate that a steam line break has occurred consist of alarms and indicated values. Alarms could occur on high steam flow, low steam line pressure (SI actuation, Steamline Isolation), low-low steam generator level (reactor trip), low steam generator level, high steam line differential pressure (SI actuation), high source range nuclear flux (reactor trip), and containment pressure high-1 (SI actuation) and high-2 (steam line isolation).

The instrumentation which would be indicated on the control board consists of the above channels plus Tavg, pressurizer level and pressurizer pressure. Since the shutdown margin during cooldown or startup is greater than that for the case analyzed in the FSAR, there will be more time for manual action to terminate the transient.

Furthermore, the steam line pressure during cooldown and startup would be such that the consequences of the steam generator blowdown would be less severe than for the hot zero power case analyzed in the Final Safety Analysis Report.
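The manual block of low-pressurizer-pressure safety injection and its automatic removal, combined with the 2/3 coincidence given for this function in Tables 7.3-1 and 7.3-3, can be modeled as follows. This is an added Python sketch, not plant logic or code from the FSAR; the class and function names are hypothetical, the SI setpoint is a constructed value, and treating the 2,000 psig bypass limit of Table 7.3-1 as the P-11 setpoint is an assumption.

```python
"""Added illustration (not plant logic): manual block of safety injection on
low pressurizer pressure, with automatic removal of the block via P-11."""
from dataclasses import dataclass

# Footnote (1) of Table 7.3-1 gives 2,000 psig as the bypass limit; using it as
# the P-11 setpoint is an assumption. The SI setpoint is a constructed value.
P11_SETPOINT_PSIG = 2000.0
SI_LOW_PRESSURE_PSIG = 1850.0


def two_of_three(votes):
    """2/3 coincidence: true when at least two of three channels agree."""
    if len(votes) != 3:
        raise ValueError("expected exactly three channels")
    return sum(bool(v) for v in votes) >= 2


@dataclass
class LowPressureSITrain:
    """One train of low-pressurizer-pressure SI logic (hypothetical model).

    Signals that cannot be blocked (high steam line differential pressure,
    high-1 containment pressure) are outside this model.
    """
    blocked: bool = False

    def _refresh(self, pressures):
        """Evaluate P-11 and drop the block automatically when P-11 is absent."""
        p11 = two_of_three([p < P11_SETPOINT_PSIG for p in pressures])
        if not p11:
            self.blocked = False
        return p11

    def request_block(self, pressures):
        """Operator block request: latched only while P-11 is present."""
        if self._refresh(pressures):
            self.blocked = True
        return self.blocked

    def si_demand(self, pressures):
        """True when 2/3 channels are low and no valid block is in place."""
        self._refresh(pressures)
        low = two_of_three([p < SI_LOW_PRESSURE_PSIG for p in pressures])
        return low and not self.blocked


def run_scenario(steps):
    """Replay (pressures, block_pressed) steps; return (blocked, si) per step."""
    train = LowPressureSITrain()
    trace = []
    for pressures, press_block in steps:
        if press_block:
            train.request_block(pressures)
        si = train.si_demand(pressures)
        trace.append((train.blocked, si))
    return trace


# Constructed sample: cooldown with block, heatup, then a depressurization.
SCENARIO = [
    ((2235.0, 2235.0, 2235.0), True),   # at pressure: block request refused
    ((1950.0, 1960.0, 1955.0), True),   # below P-11: block accepted
    ((1700.0, 1710.0, 1705.0), False),  # below SI setpoint, but blocked
    ((2100.0, 2090.0, 2095.0), False),  # above P-11: block removed
    ((1800.0, 1790.0, 2100.0), False),  # 2/3 low, no block: SI demanded
]

if __name__ == "__main__":
    for step, (blocked, si) in zip(SCENARIO, run_scenario(SCENARIO)):
        print(step[0], "blocked" if blocked else "unblocked", "SI" if si else "-")
```

The fourth step is the paragraph 4.12 behavior: the block is dropped without operator action once pressure is back above the permissive, so the later depressurization in step five actuates safety injection.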

Therefore, either the protection system will automatically terminate the transient or the operator will determine soon after the incident begins that a break has occurred and will take the necessary action.

7.3.2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62)

There are 3 individual main steam isolation valve momentary control switches (1 per loop) mounted on the control board. Each switch, when actuated, will isolate its main steam line. In addition, an independent momentary control switch, mounted on the control board, will isolate all 3 main steam lines when actuated.

Manual initiation of semi-automatic switchover to recirculation following a loss of primary coolant accident is in compliance with paragraph 4.17 of IEEE Standard 279-1971 with the following comments:

1. The manual operations that are involved in this switchover are described in Section 6.3.

2. Once safety injection is initiated following a loss of primary coolant accident, the Reactor Building sump isolation valves in the Residual Heat Removal System pump suction lines will open automatically upon receipt of a lo-lo level signal from the refueling water storage tank level instrumentation.

3. Manual initiation of either 1 of 2 redundant safety injection actuation main control board mounted switches not only provides for actuation of the components required for reactor protection and mitigation of adverse consequences of the postulated accident prior to the recirculation mode associated with a loss of primary coolant accident, but also enables the Reactor Building sump isolation valves to automatically open when the lo-lo level setpoint on the refueling water storage tank is reached.

Manual operation of other components or manual verification of proper position as part of emergency procedures is not precluded nor otherwise in conflict with the above described compliance to paragraph 4.17 of IEEE Standard 279-1971.

No exception to the requirements of IEEE Standard 279-1971 has been taken in the manual initiation circuit of safety injection. Although paragraph 4.17 of IEEE Standard 279-1971 requires that a single failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with 1 actuation train (e.g., Train A) share portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant actuation train (e.g., Train B). A single failure in shared functions does not defeat the protective action of the safety functions. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system level action requirements of IEEE Standard 279-1971, paragraph 4.17 and consistent with the minimization of complexity.

7.3.2.3 Further Considerations

In addition to the considerations given above, a loss of instrument air or loss of component cooling water to vital equipment has been considered. Neither the loss of instrument air nor the loss of component cooling water (assuming no other accident conditions) can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either 1 of the 2 will not adversely affect the core or the Reactor Coolant System nor will it prevent an orderly shutdown if this is necessary.

Furthermore, all pneumatically operated valves and controls will assume a preferred operating position upon loss of instrument air. It is also noted that, for conservatism during the accident analyses (Chapter 15), credit is not taken for the instrument air systems nor for any control system benefit.

In its present design, Westinghouse does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of component cooling water. Normally, indication in the control room is provided whenever component cooling water is lost. The reactor coolant pumps can run about 10 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant if necessary.

In regards to the Emergency Feedwater System, there are 2 motor driven pumps and one turbine driven pump. The motor driven pumps are initiated automatically by the following signals:

1. Safety injection, through the engineered safety features load sequencer.

2. Low-low level (2/3) in any steam generator (derived from the Solid-State Protection System output cabinets).

3. Manual start.

4. Trip of all main feed pumps.

5. Undervoltage on the diesel bus.

The turbine driven pump as well as the closing of blowdown and sample valves are initiated automatically by:

1. Low-low level (2/3) in 2/3 steam generators (derived from the Solid-State Protection System output cabinets).

2. Manual start.

3. Undervoltage on both diesel buses.

To assure auto-start of the component cooling water and service water pumps on the inactive loop and to prevent diesel generator overloading on a SI/LOOP signal, the circuit breaker(s) for the out of service or spare pump/chiller for systems with swing components will be racked out.

7.3.2.4 Summary

The effectiveness of the Engineered Safety Features Actuation System is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition III and IV faults, including loss of reactor coolant and steam break accidents. The Engineered Safety Features Actuation System parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.

The Engineered Safety Features Actuation System must detect Condition III and IV faults and generate signals which actuate the engineered safety features. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapter 15.

Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features. This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.

Operating procedures require that the complete Engineered Safety Features Actuation System normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode, or bypass mode in the case of Reactor Building spray.

7.3.2.4.1 Loss of Coolant Protection

By analysis of loss of coolant accident and in system tests it has been verified that (except for very small coolant system breaks, which can be protected against by the charging pumps followed by an orderly shutdown), the effects of various loss of coolant accidents are reliably detected by the low pressurizer pressure signal.

For large coolant system breaks the passive accumulators inject first, because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active Emergency Core Cooling System phase.

High Reactor Building pressure also actuates the Emergency Core Cooling System. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is the Engineered Safety Features Actuation System detects the leakage of the coolant into the Reactor Building. The generation time of the actuation signal of about 1.5 seconds, after detection of the consequences of the accident, is adequate.

Reactor Building spray will provide additional emergency cooling of the Reactor Building and also limit fission product release upon sensing elevated Reactor Building pressure (Hi-3) to mitigate the effects of a loss of coolant accident.

The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 second; well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss of coolant.

7.3.2.4.2 Steam Line Break Protection

The Emergency Core Cooling System is also actuated in order to protect against a steam line break. Table 7.3-4 gives the time between sensing high steam line differential pressure or low steam line pressure and generation of the actuation signal.

Analysis of steam line break accidents, assuming this delay for signal generation, shows that safety injection is actuated for a steam line break in time to limit or prevent further core damage for steam break cases. There is a reactor trip and the core reactivity is further reduced by the borated water injected by the Emergency Core Cooling System.

Additional protection against the effects of steam line break is provided by feedwater isolation which occurs upon actuation of the Emergency Core Cooling System. Feedwater isolation is initiated in order to prevent excessive cooldown of the reactor vessel and thus protect the Reactor Coolant System boundary.

Additional protection against a steam line break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The time for generation of the protection system signal (about 2.0 seconds) is again short compared to the time to trip the fast acting steam line isolation valves which are designed to close in less than approximately 5 seconds.

In addition to actuation of the engineered safety features, the effect of a steam line break accident also generates a signal resulting in a reactor trip on overpower or following Emergency Core Cooling System actuation. The core reactivity is further reduced by the Emergency Core Cooling System.

The analyses in Chapter 15 of the steam line break accidents and an evaluation of the protection system instrumentation and channel design show that the Engineered Safety Features Actuation Systems are effective in preventing or mitigating the effects of a steam line break accident.

7.3.3 ELECTRIC HYDROGEN RECOMBINER - DESCRIPTION OF INSTRUMENTATION

The Electric Hydrogen Recombiner System is discussed in Section 6.2.5. Two (2) redundant recombiners, which are located inside the Reactor Building, do not require any instrumentation inside the Reactor Building for proper operation after a loss of coolant accident (LOCA). Thermocouples are provided for convenience in test and periodic checkout of the recombiner; however, they are not considered necessary to assure proper operation of the recombiner.

There are provided for each recombiner a control panel and a power supply panel which are located outside the Reactor Building, as shown on Figure 6.2.54 and Figure 6.2-58. The power supply panel contains an isolation transformer plus a controller to regulate power into the recombiners. The manually operated potentiometer for this controller is on the control panel. For equipment test and periodic checkout, a thermocouple readout instrument is also provided on the control panel for monitoring temperatures in the recombiner. To control the recombination process, the correct power input which will bring the recombiner above the threshold temperature for recombination will be set on the controller. Setting of the controller is accomplished at the local control panel and power input monitored by a wattmeter, which is also mounted on the control panel. This predetermined power setting will cover variations in Reactor Building pressure and hydrogen concentration in the post-loss of coolant accident environment. The manually operated switch for energizing a recombiner is on the control panel.

7.3.3.1 Initiating Circuits

The Hydrogen Recombiner System would be operated only during periodic testing and after a loss-of-coolant accident. Operation is initiated manually from the control station, so as to allow the heating elements within the unit to be energized. A 2 position switch is provided on the control panel for this purpose.

7.3.3.2 Logic

All operation of the electric hydrogen recombiner is by operator action; there are no automatic logic functions required. A post accident hydrogen analyzer will be used to indicate when the recombiners or the venting system should be actuated.

7.3.3.3 Bypasses

The electric hydrogen recombiners are normally not operating and are not armed for automatic actuation. Following an accident the elapsed time prior to the needed start of the equipment is in terms of hours or days. The recombiners are also operated during periodic testing. Other than these times they are in a standby mode. This standby mode is not a bypass mode, which refers to the inoperative status of systems that are normally operating.

7.3.3.4 Interlocks

There are no functional interlocks associated with the electric hydrogen recombiner.

7.3.3.5 Sequence

Each electric hydrogen recombiner is capable of being supplied from an independent onsite diesel generator. Loading on the emergency electric bus is by manual means, not by sequencers.

7.3.3.6 Redundancy

To meet the requirements for redundancy and independence, 2 electric hydrogen recombiners are provided, and each recombiner is provided with a separate power panel and control panel and each is powered from a separate Class 1E bus. The operation of a single unit is intended to provide the required hydrogen removal capability.

7.3.3.7 Diversity

Diversity between the redundant portions of the Electric Hydrogen Recombiner System is not required to protect against systematic failures, such as, multiple failures resulting from a credible single event. The design and environmental and seismic qualification of the Westinghouse electric hydrogen recombiner, as reported on in topical report WCAP-7709-L (Proprietary) with Supplements 1 to 7 and WCAP-7820 (Non-Proprietary), was found acceptable for the prototype and production models by the NRC. This acceptance was reported in NRC's letters of May 1, 1975 from D. B. Vassalo to C. Eicheldinger, Manager of W Nuclear Safety Department and of June 22, 1978 from John Stolz to T. M. Anderson regarding supplements 5, 6, and 7.

7.3.3.8 Actuated Devices

A manually operated switch on the control panel is used to initiate operation of an electric hydrogen recombiner. This switch energizes a contactor in the power supply panel which applies the 3-phase electric power source to the transformer, also in the power supply panel. Electric power input to the recombiner is controlled by a controller in the power supply panel, by means of a manually operated potentiometer and a wattmeter on the control panel. Electric power is fed to the recombiner's electric resistance heaters which are used to heat a continuous flow of Reactor Building atmosphere to the hydrogen-oxygen reaction temperature. This causes hydrogen to combine with the oxygen which is in the Reactor Building.

7.3.4 CROSS REFERENCES

Table 7.3-7 provides cross references outlining appropriate sections that supply descriptions of initiating circuitry, logic, bypasses, interlocks, sequencing, redundancy, diversity and actuated devices for ESF and ESF supporting systems.

7.3.5 REFERENCES

1. Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant using WCID 7300 Series Process Instrumentation)," WCAP-7913, 1973.

2. Katz, D. N., "Solid-State Logic Protection System Description," WCAP-7488-L (Proprietary), 1971 and WCAP-7672 (Non-Proprietary), 1971.

3. Swogger, J. W., "Testing of Engineered Safety Features Actuation System," WCAP-7705, Revision 2, 1976.

4. The Institute of Electrical and Electronics Engineers, Inc., "IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations," IEEE Standard 279-1971.

5. Eggleston, F. T., Rawlins, D. H., Petrow J. R., "Failure Mode and Effects Analysis (FMEA) of the Engineering Safeguard Features Actuation System," WCAP-8584, (Proprietary) 1976, and WCAP-8760 (Non-Proprietary), 1976.

7.3-30 Reformatted Per Amendment 99-01

TABLE 7.3-1
INSTRUMENTATION OPERATING CONDITION FOR ENGINEERED SAFETY FEATURES

| Number | Function Unit | Number of Channels | Number of Channels to Trip |
|---|---|---|---|
| 1. | Safety Injection (SIS) | | |
| a. | Manual | 2 | 1 |
| b. | Reactor building pressure (Hi-1) | 3 | 2 |
| c. | High differential pressure between steam lines | 3/steam line | 2/steam line indicating that the steam line pressure is low in comparison to the two lines |
| d. | Pressurizer low pressure (1) | 3 | 2 |
| e. | Low steam line pressure | 3 pressure signals | 2 |
| 2. | Reactor Building Spray | | |
| a. | Manual (2) | 4 | 2 |
| b. | Reactor building pressure (Hi-3) (3) | 4 | 2 |

(1) Permissible bypass if reactor coolant pressure is less than 2,000 psig.

(2) Manual actuation of reactor building spray is accomplished by actuating either of two sets (two switches per set). Both switches in a set must be actuated to obtain a manually initiated spray signal.

(3) Coincident with containment isolation Phase A.

7.3-31 AMENDMENT 97-01 AUGUST 1997

TABLE 7.3-2
INSTRUMENT OPERATING CONDITIONS FOR ISOLATION FUNCTIONS

| Number | Function Unit | Number of Channels | Number of Channels to Trip |
|---|---|---|---|
| 1. | Containment Isolation | | |
| a. | Safety Injection, Phase A | See Item No. 1 (a) through (e) of Table 7.3-1 | |
| b. | Reactor Building Pressure, Phase B | See Item No. 2 (b) of Table 7.3-1 | |
| c. | Manual, Phase A | 2 | 1 |
| | Manual, Phase B | See Item No. 2 (a) of Table 7.3-1 | |
| 2. | Steam Line Isolation | | |
| a. | High Steam Flow in 2/3 Steam Lines Coincident with Low Tavg | 2 flow signals/steam line; 3 Tavg signals | 1 flow signal/steam line in any two lines; 2 |
| b. | Low steam line pressure | See Item No. 1 (e) of Table 7.3-1 | |
| c. | Reactor Building Pressure (Hi-2) | 3 | 2 |
| d. | Manual (1) | 1/loop | 1/loop |
| 3. | Feedwater Line Isolation | | |
| a. | Safety Injection | See all signals Item No. 1 of Table 7.3-1 | |
| b. | Steam Generator High-High Level (any loop) | 3/loop | 2/loop |
| c. | Low Tavg Coincident with Reactor Trip | 3 | 2 |

(1) System level isolation also available

TABLE 7.3-3
INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

| Designation | Input | Function Performed |
|---|---|---|
| P-4 | Reactor tripped | Presence of P-4 signal actuates turbine trip |
| | | Presence of P-4 signal closes main feedwater valves on Tavg below low Tavg setpoint |
| | | Presence of P-4 signal prevents opening of main feedwater valves which were closed by safety injection or high-high steam generator water level |
| | | Presence of P-4 signal allows manual reset/block of the automatic reactuation of safety injection |
| | | Absence of P-4 signal defeats the manual reset/block preventing automatic reactuation of safety injection |
| P-11 | 2/3 pressurizer pressure below setpoint (Presence of P-11 signal permits functions shown. Absence of signal defeats functions shown) | Allows manual block of safety injection actuation on low pressurizer pressure and level signal |
| | | Blocks automatic opening of the pressurizer power relief valves |
| P-12 | 2/3 (1) Tavg below setpoint (Presence of P-12 signal performs or permits functions shown. Absence of signal defeats function shown) | Allows manual block of safety injection actuation and steam line isolation on low steam line pressure |
| | | Blocks steam dump except for cooldown valves |
| | | Allows manual bypass of steam dump block for the cooldown valves only |
| P-14 | 2/3 Steam generator water level above setpoint on any steam generator (Presence of signal performs or permits functions shown) | Closes all feedwater control valves |
| | | Trips all main feedwater pumps which closes the pump discharge valves |
| | | Actuates turbine trip |

(1) This signal in coincidence with high steam line flow actuates steam line isolation.

TABLE 7.3-4
SECONDARY SYSTEM ACCIDENTS AND REQUIRED INSTRUMENTATION, MINOR SECONDARY SYSTEM PIPE BREAK, MAJOR SECONDARY SYSTEM PIPE BREAK

| Channel | Response Time (4) | Accuracy (1) | Range |
|---|---|---|---|
| Reactor Building Pressure (2) | 1.5 sec | 1.75% of full scale | -5 to 15 psig |
| Steam Line Pressure (2) | 1.0 sec | 2.25% of span | 0 to 1300 psig |
| Steam Line Differential Pressure | 1.0 sec | 3.0% of span | 0 to 1200 psig |
| Steam Line Flow (2) | 2.0 sec | 4.5% of maximum guaranteed flow over the pressure range of 700 to 1200 psig | 0 to 120% maximum calculated flow |
| Tavg (2) | 8.5 sec (3) | 3.6°F | 530 to 630°F |
| Pressurizer Pressure | 1.0 sec | 1.75% of span | 1700 to 2500 psig |

1. See Section 7.1 for definition of ESFAS accuracy.

2. Used for closing main steam line stop valves.

3. RCS Tavg as measured at the resistance temperature detector output.

4. That time interval from when the monitored parameter exceeds its ESF setpoint at the channel sensor until the channel bistable changes state.

TABLE 7.3-5
PRIMARY SYSTEM ACCIDENTS AND REQUIRED INSTRUMENTATION
RUPTURES IN SMALL PIPES, CRACKS IN LARGE PIPES, RUPTURES OF LARGE PIPES, STEAM GENERATOR TUBE RUPTURE

| Channel | Response Time (3) | Accuracy (1) | Range |
|---|---|---|---|
| Pressurizer Pressure | 1.0 sec | 1.75% of span | 1700 to 2500 psig |
| Reactor Building Pressure (2) | 1.5 sec | 1.75% of span | -5 to 15 psig |

_______________

(1)See Section 7.1 for definition of ESFAS accuracy.

(2)Not required for steam generator tube rupture.

(3)That time interval from when the monitored parameter exceeds its ESF setpoint at the channel sensor until the channel bistable changes state.

TABLE 7.3-6
ENGINEERED SAFETY FEATURE LOADING SEQUENCE CONTROL PANELS, DEGREE OF CONFORMANCE WITH REGULATORY GUIDE 1.53 AND IEEE-379-1972 (1)

| Criteria | FSAR SECTION |
|---|---|
| Regulatory Guide 1.53 | |
| C.1, IEEE 379-1972 | See IEEE 379 comparison below |
| C.2, Continuity Checks | 7.3.2.2.5.9 |
| C.3, Interconnections | 7.1.2.1.7, 7.1.2.1.8, 7.1.2.2, 7.3.2.2, 7.3.2.2.3, 7.3.2.2.7 |
| C.4, Protection System Logic and Actuator System | 7.3.2.2.5.9, 7.3.2.3 |
| IEEE 379-1972 | |
| 3(1), Redundancy | 7.1.2.2, 7.3.1.1.3, 8.3.1.4 |
| 3(2), Detectability | 7.3.2.2.5.9 |
| 3(3), Nondetectability | None identified, NA |
| 3(4), Multiple Faults | NA, included in 7.3.2.2.5.9 |
| 3(5), Completing Protective Functions | 7.3.2.2, 7.3.2.2.3, 8.3.1.4 |
| 3(6), DBE and Single Failure | 3.10, 3.11, 7.3.1.2.5 |
| 3(7), Operational Reliability | NA, included in design concept |
| 5.1, Classification | NA, included in design concept |
| 5.2, Undetectable Failures | NA, testing features are provided to detect all failures |
| 5.3, Common Mode Failures | None identified, NA |
| 6.1, General | 7.1.2.2, 7.3.1.1, 7.3.1.1.3, 7.3.1.1.5, 7.3.2.4 |
| 6.2, Channels | NA, included in design concept |
| 6.3, Protection System Logic | NA, redundant logic is completely separate |
| 6.4, Actuator Circuit | NA to this equipment |
| 6.5, Type 2 and 3 Single Failure Analysis | 3.10, 3.11, 7.3.1.2.5, 7.3.2.3 |
| 6.6, Overall System - Failure Analysis | NA, no interconnection between control and protective systems for this equipment |

NOTE:

(1) Formal analyses have not been provided. However, FSAR Sections referenced indicate compliance with the concept outlined in the criteria.

7.3-39 Reformatted Per Amendment 00-01

TABLE 7.3-7
INSTRUMENT AND CONTROL DATA CROSS REFERENCES
Sheet 1 of 8

Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number
Engineered Safety Features System | Engineered Safety Features Actuation System (ESFAS) | 7.1.2.5, 7.1.2.6, 7.3.1.1, 7.3.2.2.3, 7.3.2.2.5.5, 7.3.2.2.6, 7.5.4; Tables 7.3-1, 7.3-3 | 7.2-1 Sh. 8, 7.3-1 thru 7.3-3, 7.5-1 thru 7.5 | B-208-066, B-208-094, B-208-103, D-2544-1013, 7244D38 (1MS 017)
 | Reactor Building Heat Removal Reactor Building Ventilation | 6.2.2.2.2.1, 6.2.2.2.2.2, 6.2.2.5.2.2, 7.1.2.6, 7.3.1.1, 7.3.1.1.6, 7.5.4, 9.2.1.5, 9.4.7.2.5; Notes 3, 6 | 6.2-49, 7.3-1 | B-208-004 Sh AH273 thru AH276, 8756D01 (1MS 221)
 | Reactor Building Spray System | 6.2.2.2.1, 6.2.2.5.1.6, 7.1.2.6, 7.3.1.1, 7.3.1.1.6, 7.5.4; Notes 3, 6 | 6.2 | B-208-005, B-208-097, 8756D01 (1MS 221)
 | Reactor Building Air Purification and Cleanup | 6.2.2.2.1, 6.2.2.5.1.6, 6.2.3, 7.3.1.1, 7.3.1.1.6, 7.5.4; Notes 3, 6 | 6.2 | B-208-005, B-208-097, 8756D01 (1MS 221)

7.3-40 Reformatted Per Amendment 00-01

TABLE 7.3-7 (Continued)

Sheet 2 of 8

Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number
Engineered Safety Features System | Containment Isolation | 6.2.4, 7.3.1.1, 7.5.4; Tables 6.2-54, 7.3-2; Notes 3, 6 | 6.2 |
 | Combustible Gas Control | 6.2.4, 6.2.5, 7.3.3; Table 6.2-54 | 6.2-54, 6.2 | B-208-054
 | Containment Leakage Testing | 6.2.6, 6.2.6.1.5; Note 7 | 6.2-59, 6.2 |
 | Safety Injection System Isolation Valves - Accumulator N2 Supply (8880) | 6.2.4, 6.3.2.2.7, 6.3.5.5, 7.1.2.5, 6.3.2.11.1, 7.3.1.1, 7.5.4; Tables 7.3-1, 7.3-2, 7.3-3, 6.2-54; Notes 2, 3, 4, 6 | 6.3-1 Sh 2 | B-208-095 Sh SI72
 | Isolation Valves - Accumulator Test (8871 & 8961) | 6.2.4, 6.3.2.2.7, 6.3.5.5, 7.1.2.5, 6.3.2.11.1, 7.3.1.1, 7.5.4; Tables 7.3-1, 7.3-2, 7.3-3, 6.2-54; Notes 2, 3, 4, 6 | 6.3-1 Sh 2 | B-208-095, Sh SI59, SI76
 | Isolation Valves - Accumulator Fill Line (8860) | 6.2.4, 6.3.2.2.7, 7.1.2.5, 6.3.2.11.1, 6.3.5.5, 7.3.1.1, 7.5.4; Tables 6.2-54, 7.3-1, 7.3-3; Notes 2, 3, 4, 6 | 6.3-1 Sh 2 | B-208-095, Sh SI58

7.3-41 Reformatted Per Amendment 00-01

TABLE 7.3-7 (Continued)

Sheet 3 of 8

Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number
Engineered Safety Features System | Sump Isolation Valves (Recirc. following SI) 8811A, B, & 8812A, B | 6.2.4, 6.3.2.2.7, 6.3.5.5, 6.3.2.11.1, 7.6.7; Tables 6.2-54, 7.3-1, 7.3-3; Note 3 | 7.6-9 | B-208-095, Sh SI-21, 22, 23, 24
 | Isolation Valves (8801A & B) | 6.2.4, 6.3.2.2.7, 6.3.5.5, 7.1.2.5, 6.3.2.11, 7.3.1.1; Tables 6.2-54, 7.3-1, 7.3-3, 6.3-7; Notes 2, 3, 5, 6 | 6.3-1 Sh 1 | B-208-095 Sh SI09, 10, 11, 12
 | Isolation Valves - Accumulator (8808A, B, C) | 6.3.2.2.7, 7.6.4, 6.3.2.11, 7.3.1.1, 6.3.2.15; Tables 7.3-1, 7.3-2, 7.3-3; Notes 2, 3, 5 | 7.6-2 | B-208-095, Sh SI-16, 17, 18
 | RHR/LO-HEAD SI Pump | 6.3.2.2.7, 6.3.2.2.4.1, 7.1.2.5, 7.3.1.1, 7.3.1.1.6, 6.3.2.11.1; Tables 7.3-1, 7.3-3, 8.3-3, 6.3-7; Notes 3, 5, 6 | 6.3-1 Sh 3, 7.3-1 | B-208-084 Sh RH-01, 02
 | CENT. CHARGING/HI HEAD SI Pump | 6.3.2.2.4.2, 6.3.2.2.7, 7.1.2.5, 7.3.1.1.5, 6.3.2.11.1, 7.3.1.1; Tables 7.3-1, 7.3-3, 8.3-3, 6.3-7; Notes 3, 5, 6 | 6.3-1 Sh 1, 7.3-1 | B-208-021 Sh CS-04, 05, 06, 07, 08

7.3-42 Reformatted Per Amendment 00-01

TABLE 7.3-7 (Continued)

Sheet 4 of 8

Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number
Engineered Safety Features System | Habitability Systems | 6.4, 6.4.1.5, 7.3.1.1, 7.3.1.1.5; Note 6 | 9.4 | B-208-04, Sh AH102 thru AH105
 | Fission Product Removal and Control Systems Reactor Building Cooling Unit HEPA Filters | 6.2.2.2.2, 6.2.2.5.2, 6.5.1.3, 6.5.1.5.1, 7.3.1.1, 7.5.4; Notes 3, 6 | 6.2 | B-208-004, Sh AH273 thru AH284
 | Control Room Emergency Filter Plenums | 6.4, 6.4.1.5, 6.5.1.3, 6.5.1.5.2, 7.3.1.1, 7.3.1.1.5, 9.4.1.2.1, 9.4.1.3; Note 6 | 9.4-1 | B-208-004, Sh AH102, AH103
 | Fuel Handling Building Charcoal Exhaust System | 6.5.1.3, 6.5.1.5.3, 7.3.1.1, 7.3.1.1.5, 9.4.3.2.1, 9.4.3.3; Notes 3, 6 | 7.3-1, 9.4 | B-208-004 Sh AH174, AH175, 8576D01 (1MS 221)
 | Emergency Feedwater System | 7.1, 7.3.1.1, 7.3.1.1.5, 7.5.4, 10.4.9.2, 10.4.9.3, 10.4.9.5; Note 6 | 7.3-1, 10.4 | B-208-032, 8576D01 (1MS 221)

7.3-43 Reformatted Per Amendment 00-01

TABLE 7.3-7 (Continued)

Sheet 5 of 8

Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number
Engineered Safety Features Supporting Systems | Component Cooling Water System | 7.1, 7.1.2.6, 7.3.1.1, 7.3.1.1.5, 7.4, 7.5.4, 9.2.2.1, 9.2.2.2, 9.2.2.3, 9.2.2.5, 11.4.2; Note 3 | 7.3-1, 9.2-4 thru 9.2 | B-208-005, B-208-011
 | Diesel Generator System | 7.3.1.1, 7.4, 8.3.1.1.2, 9.5.4.2, 9.5.4.3, 9.5.4.5, 9.5.5.3, 9.5.5.5, 9.5.6.1, 9.5.7.3, 9.5.7.5, 9.5.8.3; Notes 3, 6 | 8.2-3, 8.3-0h thru 8.3-0j, 9.5-2, 9.5-3, 9.5-4, 9.5-6, 9.5-7 | B-208-005, B-208-023
Engineered Safety Features System | Service Water System | 7.1, 7.1.2.6, 7.3.1.1, 7.3.1.1.5, 7.4, 7.5.4, 9.2.1.2, 9.2.1.3, 9.2.1.5; Note 3 | 7.3-1, 9.2-1, 9.2-2 (4 Sheets) | B-208-005, B-208-101, 8756D01 (1MS 221)
 | Chilled Water System | 7.1.2.6, 7.3.1.1, 7.3.2.2.5, 7.5.4, 9.4.7.2.4, 9.4.7.3; Note 3 | 7.3-1, 9.4-22, 9.4-23, 9.4 | B-208-005, B-208-109, 8756D01 (1MS 221)

7.3-44 Reformatted Per Amendment 00-01

TABLE 7.3-7 (Continued)

Sheet 6 of 8

Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number
Engineered Safety Features System | Heating, Ventilating and Air Conditioning Systems Auxiliary and Fuel Handling Building Ventilation Systems | 6.5.1.3, 6.5.1.5.3, 7.3.1.1, 7.3.1.1.5, 9.4.2.1, 9.4.2.2, 9.4.2.3, 9.4.3.2, 9.4.3.3; Notes 3, 6 | 7.3-1, 9.4-10, 9.4 | B-208-004 Sh AH174, AH175, B-208-108, Sh VL05 thru VL09, 8756D01 (1MS 221)
 | Control Building Ventilation Systems | 6.4, 6.4.1.5, 6.5.1.3, 6.5.1.5.2, 7.3.1.1, 7.3.1.1.5, 9.4.1.2, 9.4.1.3, 12.2.4.2.1; Note 6 | 9.4-1, 9.4-2, 9.4-3, 9.4 | B-208-004, Sh AH102 thru AH105, AH107, AH108, AH147, AH148, 8756D01 (1MS 221)
 | Diesel Generator Building Ventilation System | 7.3.1.1.5, 8.3.1.1.2.4, 9.4.7.2.1, 9.4.7.3; Notes 2, 3, 6 | 9.4 | B-208-004, Sh AH164 thru AH167

7.3-45 Reformatted Per Amendment 00-01

TABLE 7.3-7 (Continued)

Sheet 7 of 8

Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number
Engineered Safety Features System | Intermediate Building Ventilation System | 7.3.1.1, 7.3.1.1.5, 9.4.6.2, 9.4.6.3 | 9.4-15 thru 9.4 | B-208-004 Sh AH194 thru AH197, B-208-108 Sh VL18, VL19, VL22, VL24, VL26, VL27, VL30, VL31, 8756D01 (1MS 221)
 | Reactor Building Ventilation Systems | 6.2.2.2.2.1, 6.2.2.2.2.2, 6.2.2.5.2.2, 7.1.2.6, 7.3.1.1, 7.3.1.1.5, 7.5.4, 9.2.1.5, 9.4.7.2.5; Notes 3, 6 | 6.2-49, 7.3-1 | B-208-004 Sh AH273 thru AH276, 8756D01 (1MS 221)
 | Service Water Pumphouse Ventilation System | 7.3.1.1.5, 9.4.7.2.2, 9.4.7.3 | 9.4 | B-208-004 Sh AH326 thru AH331, 8756D01 (1MS 221)

7.3-46 Reformatted Per Amendment 00-01

NOTES TO TABLE 7.3-7
Sheet 8 of 8

1. FSAR figure numbers refer to figures in the FSAR; drawing numbers refer to drawings in the Wiring Schematic Package (see Section 1.7)
2. Not sequenced
3. Not diverse
4. Solenoid valve is the actuation device
5. Motor Control Center is actuation device
6. No Interlocks or Bypasses are provided which would inhibit ESF actuation.
7. The containment leakage testing system is not an Engineered Safety Features System or an essential Auxiliary Supporting System. The system includes only that equipment and instrumentation required to perform the initial and periodic containment leakage testing during plant shutdown. All penetrations through containment are capped during normal plant operation.

Figure 7.4-1, Sheet 2 - (Deleted per RN 99-074)

Figure 7.4-1, Sheet 3 - (Deleted per RN 99-074)

FIGURE 7.4-2, REV. 1 (RN 00-085): CONTROL ROOM EVACUATION PANEL (XPN-7200-CE (A&B)), SOUTH CAROLINA ELECTRIC & GAS CO., VIRGIL C. SUMMER NUCLEAR STATION

7.5-1 Reformatted Per Amendment 02-01

7.5 SAFETY RELATED DISPLAY INSTRUMENTATION

7.5.1 DESCRIPTION

Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident", provides guidance for selection of readouts to monitor plant variables and systems during and following a design basis event. For VCSNS, the post-accident monitoring instrumentation provides readouts to the operator to enable him to perform manual safety functions and to determine the effect of manual actions taken following a reactor trip due to a Condition II, III, or IV event, as defined in Chapter 15. Regulatory Guide 1.97 instrumentation includes the readouts required to maintain the plant in a hot shutdown condition or to proceed to cold shutdown within the limits of the Technical Specifications. Reactivity control after Condition II and III faults will be maintained by administrative sampling of the reactor coolant for boron to ensure that the concentration is sufficient to maintain the reactor subcritical. Additional details are provided in Reference [1].

Table 7.5-2 lists the information available to the operator in addition to Regulatory Guide 1.97 instrumentation for monitoring conditions in the reactor, the Reactor Coolant System, and in the Reactor Building and process systems throughout all normal operating conditions of the plant, including anticipated operational occurrences.

7.5.2 ANALYSES

This section deleted by Amendment No. 94-08 in October, 1994.

7.5.3 DESIGN CRITERIA

This section deleted by Amendment No. 94-08 in October, 1994.

7.5.4 ESF MONITOR LIGHTS

Certain pumps and valves, which are an integral part of or which are associated with the engineered safety features systems (used for safety injection, Reactor Building spray, and recirculation) are equipped with ESF monitor lights. These "bright/dim" lights are displayed on the main control board within easy view of the operator. When the plant is in normal full power operation, the ESF monitor lights should generally be "dim." These lights change to the "bright" condition when the component monitored changes to an off normal operating mode. In addition to the ESF monitor lights, certain valves have an annunciator which indicates a change to an off-normal operating mode and actuates an alarm.

7.5-2 Reformatted Per Amendment 02-01

The ESF monitor lights are arranged on the main control board as shown by Figures 7.5-1 through 7.5-6 to permit the operator to discover easily a component that is in an off-normal operating mode. These figures also outline the components monitored.

Elementary diagrams (GAI Dwg. B-208-066), submitted separately in the "Wiring Schematic Package" and listed in Table 1.7-1, outline the specific components included.

The ESF monitor lights provide supplemental information with regard to the status of ESF components.

7.5.5 INADEQUATE CORE COOLING

The inadequate core cooling instrumentation includes the Incore Temperature Monitoring System, the core subcooling monitors, and the Reactor Vessel Level Instrumentation System (RVLIS). These systems meet the requirements of NUREG-0737 item II.F.2 for inadequate core cooling instrumentation. They are also used to provide Post Accident Monitoring Information in compliance with Regulatory Guide 1.97, Rev. 3. See Section 7.5.1.

The Incore Temperature Monitoring system is designed to provide rapid monitoring of fuel assembly outlet temperatures and to verify that the core is being adequately cooled during and after an accident. The Incore Temperature Monitoring System consists of 51 thermocouples positioned in the reactor vessel above the core to measure reactor coolant temperature at the fuel assembly outlets. After the thermocouple leads exit the reactor vessel head the circuits are divided into two electrical trains and separately routed out of the containment, through separate thermocouple penetrations, to two separate thermocouple transmitter/isolator cabinets. Outputs from the cabinets are connected to the plant computer system and Technical Support Center computer and core subcooling monitoring system. Plant computer system displays and SPDS displays, via the Technical Support Center computer, of core exit thermocouple readings are provided in the Control Room.

The core subcooling monitoring system is designed to provide information to plant personnel concerning the status of reactor core heat removal capability. This information includes a continuous display of the saturation margin to provide an early warning that core conditions are approaching saturation.

Two separate core subcooling monitoring system microprocessors calculate the RCS saturation margin based on independent wide range RCS pressure input and RCS temperature inputs and display the results on four main control board analog indicators (two per channel). Temperature inputs are from both hot and cold leg wide range RTDs and Incore Temperature Monitoring System thermocouples (two per core quadrant). Only the two indicators utilizing incore thermocouple inputs are used for Post-Accident Regulatory Guide 1.97 monitoring functions.

7.5-3 Reformatted Per Amendment 02-01

RVLIS provides an indication of the water level in the reactor vessel when the reactor coolant pumps are not running and the relative void content of the reactor coolant when one or more of the reactor coolant pumps is running. RVLIS provides an anticipatory and unambiguous indication of an inadequate core cooling situation. The system consists of two redundant trains of instrumentation to provide three main control board indications of reactor vessel level. The indicated levels are:

1) reactor vessel upper range (water level above the penetration top of the hot leg pipe when no reactor coolant pumps are running);
2) reactor vessel full range (level from the bottom to the top of the reactor vessel when no reactor coolant pumps are operating); and
3) reactor vessel dynamic range (a measurement of the reactor core and internals pressure drop when reactor coolant pumps are operating which provides means to estimate the relative void content of the circulating fluid).

7.5.6 REFERENCES

1. Virgil C. Summer Nuclear Station, "Summary Report on Regulatory Guide 1.97, Revision 3, Post Accident Monitoring System"; Enclosure II to SCE&G letter to USNRC dated April 15, 1985, Subject: Generic Letter 82-33, "Emergency Response Capability Supplement 1 to NUREG-0737."

7.5-4 Reformatted Per Amendment 00-01

TABLE 7.5-2
CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORMAL OPERATION

Parameter | No. of Channels Available | Range | Indicated Accuracy (1) | Indicator / Recorder | Location | Notes

NUCLEAR INSTRUMENTATION
1. Source Range
a. Count rate | 2 | 1 to 10^6 counts/sec; -0.5 to 5.0 decades/min | 5.3% of the linear full scale analog voltage | Both channels indicated. Either may be selected for recording. | Control board | One 2 pen recorder is used to record any of the 8 nuclear channels (2 source range, 2 intermediate range, and 4 power range).
b. Startup rate | 2 | -0.5 to 5.0 decades/min | 7% of the linear full scale analog voltage | Both channels indicated | Control board |
2. Power Range
a. Uncalibrated ion chamber current (top and bottom uncompensated ion chambers) | 4 | 0 to 120% of full power current | 1% of full power current | All 8 current signals indicated. | NIS racks in control room |

7.5-5 Reformatted Per Amendment 00-01

TABLE 7.5-2 (Continued)

NUCLEAR INSTRUMENTATION (Continued)
2. Power Range (continued)
b. Calibrated ion chamber current (top and bottom uncompensated ion chambers) | 4 | 0 to 125% of full power current | 2% of full power current | All 8 current signals recorded (four 2 pen recorders). Recorder 1 - upper currents for two diagonally opposed detectors. Recorder 2 - upper currents for remaining detectors. Recorder 3 - lower currents for two diagonally opposed detectors. Recorder 4 - lower currents for remaining detectors. | Control board |

7.5-6 Reformatted Per Amendment 00-01

TABLE 7.5-2 (Continued)

NUCLEAR INSTRUMENTATION (Continued)
2. Power Range (continued)
c. Upper and lower ion chamber current difference | 4 | -30 to +30% | 3% of full power current | Diagonally opposed channels may be selected for recording at the same time using recorder in Item 1. | Control board |
d. Average flux of the top and bottom ion chamber | 4 | 0 to 120% of full power | 3% of full power for indication. 2% for recording | All 4 channels indicated. Any 2 of the four channels may be recorded using recorder in Item 1 above | Control board |
e. Average flux of the top and bottom ion chambers | 4 | 0 to 200% of full power | 2% of full power to 120%, 6% of full power to 200% | All 4 channels recorded | Control board |
f. Flux difference of the top and bottom ion chambers | 4 | -30 to +30% | 4% | All 4 channels indicated. | Control board |

7.5-7 Reformatted Per Amendment 00-01

TABLE 7.5-2 (Continued)

REACTOR CONTROL SYSTEM
1. T average (measured) | 1/loop | 530 to 630°F | 4% F | All channels indicated. | Control board |
2. Overpower T Setpoint | 1/loop | 0 to 150% of full power T | 4% of full power T | All channels indicated. One channel is selected for recording. | Control board |
3. Overpower T Setpoint | 1/loop | 0 to 150% of full power T | 4% of full power T | All channels indicated. One channel is selected for recording. | Control board |
4. Overtemperature T Setpoint | 1/loop | to 150% of full power T | 4% of full power T | All channels indicated. One channel is selected for recording. | Control board |
5. Primary Coolant Flow | 3/Loop | 0 to 120% of rated flow | Repeatability of 4.5% of full flow | All channels indicated. | Control board |

7.5-8 Reformatted Per Amendment 00-01

TABLE 7.5-2 (Continued)

REACTOR CONTROL SYSTEM (Continued)
1. Demanded Rod Speed | 1 | 0 to 100% of rated speed | 2% | The one channel is indicated. | Control board |
2. Median T avg | 1 | 530 to 630°F | 4°F | The one channel is recorded. | Control Board |
3. Treference | 1 | 540 to 590°F | 4°F | The one channel is recorded. | Control board |
4. Control rod Position | | | | | | If system not available, borate and sample accordingly.
a. Number of steps of demanded rod withdrawal | 1/group | 0 to 230 steps | 1 step | Each group is indicated during rod motion. | Control board | These signals are used in conjunction with the measured position signals (Item 4c) to detect deviation of any individual rod from the demanded position. A deviation will actuate an alarm and annunciator.
b. Demanded position of the part length rod bank | 1 | 0 to 230 steps | 1 step | The bank is indicated during rod motion. | Control board |

7.5-9 Reformatted Per Amendment 00-01

TABLE 7.5-2 (Continued)

REACTOR CONTROL SYSTEM (Continued)
5. Control rod Bank Demanded Position | 4 | 0 to 230 steps | 2.5% of total bank travel | All 4 control rod bank positions are recorded along with the low-low limit alarm for each bank. | Control board | 1. One channel for each control bank. 2. An alarm and annunciator is actuated when the last rod control bank to be withdrawn reaches the withdrawal limit, when any rod control bank reaches the low-low insertion limit.

FEEDWATER AND STEAM SYSTEMS
1. Programmed Steam Generator Level Signal | 1/steam generator | 0 to 100% of span | 4% | All channels indicated. | Control board |
2. Steam Flow | 2/steam generator | 0 to 120% of max. calculated flow | 5.5% | All channels indicated. The channels used for control are recorded. | Control board | Accuracy is equipment capability; however, absolute accuracy depends on applicant calibration against flow.

7.5-10 Reformatted Per Amendment 00-01

TABLE 7.5-2 (Continued)
CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT PLANT PARAMETERS DURING NORMAL OPERATION

Parameter | No. of Channels Available | Range | Indicated Accuracy (1) | Indicator / Recorder | Location | Notes

FEEDWATER AND STEAM SYSTEMS (Continued)
3. Steam Dump Modulate Signal | 1 | 0 to 85% max. calculated steam flow | 1.5% | The one channel is indicated | Control board | OPEN/SHUT indication is provided in the control room for each steam dump valve.
4. Turbine First Stage Pressure | 2 | 0 to 120% of max. calculated turbine load | 3.5% | Both channels indicated. | Control board | OPEN/SHUT indication is provided in the control room for each turbine stop valve.

COMPONENT COOLING WATER SYSTEM
1. Reactor Coolant Pump Upper and Lower Bearing Cooling Water Flow | 2 | 0 to 500 gpm | 5.0% of calibrated span | Both channels indicated. | Control board |
2. Reactor Coolant Pump Thermal Barrier Cooling Water Flow | 2 | 0 to 150 gpm | 5.0% of calibrated span | Both channels indicated. | Control board |

(1) Includes channel accuracy and environmental effects.

7.6-1 Reformatted Per Amendment 00-01

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM

7.6.1.1 Description

The following is a description of the Instrumentation and Control Power Supply System:

1. Refer to Figures 8.3-1, 8.3-2, 8.3-2aa, and 8.3-2ab for a single line diagram of the Instrumentation and Control Power Supply System.
2. There are 4 inverters and 6 distribution panels. Four (4) normally operating inverters are connected to 4 distribution panels. The remaining 2 panels are branch loads of the same channelized distribution panel.
3. The inverters provide a source of 120 volt 60 Hz power for the operation of the Nuclear Steam Supply System instrumentation. This power is derived from the 480 volt a-c, 3, 60 Hz distribution system Class 1E power supply, or the station batteries which assure continued operation of instrumentation systems in the event of loss of offsite power.
4. Each of the 4 distribution panels fed from the 4 normally operating inverters may be connected to a backup regulated source of 120 volt Class 1E a-c power. The tie is through an automatic static transfer switch or through a manual bypass switch such that the distribution panel cannot be connected to both sources simultaneously.

7.6.1.2 Analysis

There are 2 independent 480 volt a-c power sources, each serving 2 inverters. Therefore, loss of either of the two 480 volt a-c power sources affects only 2 of the 4 inverters.

There are 2 independent Class 1E batteries and battery chargers. Each battery is attached to a bus serving 2 inverters.

There is a third battery charger provided, which serves as a standby charger. This charger is provided for use during maintenance of, and backup to the normal battery chargers. The standby charger has mechanically interlocked circuit breakers on the a-c input and d-c output such that only the 2 circuit breakers associated with Channel A or the 2 circuit breakers associated with Channel B can close at one time.

Since not more than 2 inverters are connected to the same bus, a loss of a single bus can only affect 2 of the 4 inverters.

7.6-2 Reformatted Per Amendment 00-01

Since each of the 4 instrument channels is supplied power by independently connected inverters, the loss of an inverter cannot affect more than 1 of the 4 instrument channels.

Each distribution panel can receive power from the 120 volt Class 1E a-c backup regulated source through an automatic static transfer switch or through a manual bypass switch. The inverter power source and the backup source are aligned such that the distribution panels cannot be connected to both sources at the same time.

Therefore no single failure in the Instrumentation and Control Power Supply System or its associated power supplies can cause a loss of power to more than one of the redundant loads.

The inverters are designed to maintain their outputs within acceptable limits. The loss of the a-c or d-c inputs is alarmed in the Control Room, as is the loss of an inverter's output. There are no inverter breaker controls on the control board, as no manual transfers are necessary in the event of loss of the 480 volt a-c preferred power source.

The a-c and d-c inputs are diode isolated in the UPS. Physical separation and provisions to protect against fire are discussed in Chapter 8.
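The single-failure argument of Section 7.6.1.2 can be checked by enumerating failures over a model of the supply topology. The Python sketch below is an added example, not part of the FSAR; the component names and the pairing of inverters to a-c sources and d-c buses are assumptions, and the backup 120 volt source is conservatively not credited.

```python
from itertools import combinations

# Constructed topology (assumption): train A feeds INV-1/INV-2, train B feeds
# INV-3/INV-4, for both the 480 V a-c sources and the battery-backed d-c buses.
AC_SOURCES = {"AC-A": ("INV-1", "INV-2"), "AC-B": ("INV-3", "INV-4")}
DC_BUSES = {"DC-A": ("INV-1", "INV-2"), "DC-B": ("INV-3", "INV-4")}
# Each inverter supplies exactly one instrument channel (one distribution panel).
CHANNEL_OF = {"INV-1": "CH-1", "INV-2": "CH-2", "INV-3": "CH-3", "INV-4": "CH-4"}
INVERTERS = tuple(CHANNEL_OF)
COMPONENTS = tuple(AC_SOURCES) + tuple(DC_BUSES) + INVERTERS


def inputs_of(inverter):
    """Return the (a-c source, d-c bus) pair that feeds an inverter."""
    ac = next(src for src, invs in AC_SOURCES.items() if inverter in invs)
    dc = next(bus for bus, invs in DC_BUSES.items() if inverter in invs)
    return ac, dc


def inverters_affected(failed):
    """Inverters that have failed or have lost at least one of their inputs."""
    failed = set(failed)
    return {inv for inv in INVERTERS
            if inv in failed or failed & set(inputs_of(inv))}


def channels_lost(failed):
    """Instrument channels left without power for a set of failed components.

    The a-c and d-c inputs are diode isolated, so an inverter keeps its output
    as long as either input is available. The backup source is not credited.
    """
    failed = set(failed)
    lost = set()
    for inv in INVERTERS:
        ac, dc = inputs_of(inv)
        has_input = ac not in failed or dc not in failed
        if inv in failed or not has_input:
            lost.add(CHANNEL_OF[inv])
    return lost


def worst_case(n_failures):
    """Largest number of channels lost over all sets of n simultaneous failures."""
    return max(len(channels_lost(combo))
               for combo in combinations(COMPONENTS, n_failures))


def single_failure_table():
    """Map each component to (inverters affected, channels lost) when it fails alone."""
    return {c: (sorted(inverters_affected([c])), sorted(channels_lost([c])))
            for c in COMPONENTS}


if __name__ == "__main__":
    for component, (affected, lost) in single_failure_table().items():
        print(f"{component}: affects {affected}, channels lost {lost}")
    print("worst case, 1 failure:", worst_case(1), "channel(s)")
    print("worst case, 2 failures:", worst_case(2), "channel(s)")
```

Under these assumptions a lost a-c source or d-c bus touches two inverters but drops no channel, and only an inverter failure drops a channel; two channels are lost only when two components fail together.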

Based on the scope definitions presented in References [1] through [3], the criteria which are applicable to the Instrumentation and Control Power Supply System are listed in IEEE Standard 308-1971. The design is in compliance with IEEE Standard 308-1971 and Regulatory Guide 1.6. Availability of this system is continuously indicated by the operational status of the systems it serves (see Figures 8.3-1 and 8.3-2) and is verified by periodic testing performed on the served systems. The inverters have been seismically qualified as discussed in Section 3.10 and shown in Table 3.10-2.

7.6.2 RESIDUAL HEAT REMOVAL ISOLATION VALVES

7.6.2.1 Description

There are 2 motor operated gate valves in series in each of 2 inlet lines from the Reactor Coolant System to the Residual Heat Removal System. They are normally closed and are only opened for residual heat removal and Reactor Coolant System overpressure protection after system pressure is reduced below approximately 425 psig and system temperature has been reduced to approximately 350°F (see Chapter 5).

They are the same type of valve and motor operator as those used for accumulator isolation (refer to Section 7.6.4), but they differ in their controls and indications in the following respects (see Figures 7.6-1, 7.6-1a, and 7.6-1b):

1. Pressure interlocks are provided to prevent opening of the isolation valves whenever the Reactor Coolant System pressure is greater than approximately 425 psig. This interlock is derived from a Class 1E process instrumentation channel for the isolation valves closest to the Reactor Coolant System (XVG8702A and XVG8702B) and from another independent process instrumentation channel for the 2 isolation valves closest to the Residual Heat Removal System (XVG8701A and XVG8701B). Interlock diversity is provided through the use of pressure transmitters from different manufacturers employing different measurement principles for the 2 channels of process instrumentation.

7.6-3 Reformatted Per Amendment 00-01

2. In addition to the open interlock, an alarm is located in the Control Room which will alert the operator if these valves are not fully closed when the Reactor Coolant System pressure increases above the 520 psig alarm setpoint.

7.6.2.2 Analysis

Based on the scope definitions presented in References [2] and [3], these criteria do not apply to the residual heat removal isolation valve interlocks; however, in order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following comments:

1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions will be used.

a. Protection System

The 2 valves in series in each line and all components of their interlocks that prevent opening of the isolation valves whenever the Reactor Coolant System pressure is greater than 425 psig.

b. Protective Action

The maintenance of Residual Heat Removal System isolation from the Reactor Coolant System when Reactor Coolant System pressures are above the preset value.

2. IEEE Standard 279-1971, paragraph 4.10: The above mentioned pressure interlock signals and logic will be tested on line to the maximum extent possible without adversely affecting safety. This test will include the analog signal through to the train signal which activates the relays that provide the interlocks into the valve control circuit. This is done in the best interests of safety since defeat of the interlock to permit opening the valve could potentially leave only 1 remaining valve to isolate the low pressure Residual Heat Removal System from the Reactor Coolant System.

It is noted that the valve position lights operated from the motor operated valve limit switch on the operator are similar to the position lights (red for open and green for closed) for the accumulator isolation valves described in Section 7.6.4.

7.6-4 Reformatted Per Amendment 00-01

3. IEEE Standard 279-1971, paragraph 4.15: This requirement does not apply, as the setpoints are independent of mode of operation and are not changed.

Environmental qualification of the valves and wiring is discussed in Section 3.11.

7.6.3 REFUELING INTERLOCKS

Electrical interlocks (i.e., limit switches) as discussed in Section 9.1.4 are provided for minimizing the possibility of damage to the fuel during fuel handling operations.

7.6.4 ACCUMULATOR MOTOR OPERATED VALVES

The design of the interconnection of signals to open the accumulator isolation valves meets the following criteria established in previous NRC positions on this matter:

1. Automatic opening of the accumulator valves when a) the primary coolant system pressure exceeds a preselected value (specified in the Technical Specifications) or b) a safety injection signal has been initiated. Both signals shall be provided to the valves.
2. Utilization of a safety injection signal to automatically remove (override) any bypass features that are provided to allow an isolation valve to be closed for short periods of time when the Reactor Coolant System is at pressure (in accordance with the provisions of the Technical Specifications). As a result of the confirmatory "S" signal, isolation of an accumulator with the Reactor Coolant System at pressure is acceptable.

The control circuit for these valves is shown on Figure 7.6-2. The valves and control circuits are further discussed in Sections 6.3.2.15 and 6.3.5.

The Safety Injection System accumulator discharge isolation valves are motor operated normally open valves which are controlled from the main control board. These valves are interlocked such that:

1. They open automatically on receipt of an "S" signal with the main control board switch in either the "AUTO" or "CLOSE" position.
2. They open automatically whenever the Reactor Coolant System pressure is above the safety injection unblock pressure (P-11) specified in the Technical Specifications only when the main control board switch is in the "AUTO" position.
3. They cannot be closed as long as an "S" signal is present.

The main control board switches for these valves are 3 position switches which provide a "spring return to auto" from the open position and a "maintain position" from the closed position.
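The three interlock rules and the switch behaviour described above can be written as a small state function and checked exhaustively over every input combination. This is an added Python example, not the plant's control logic or part of the FSAR; the function names are hypothetical, and two behaviours the text does not state (the valve holds its position in "AUTO" below P-11, and the "OPEN" position always opens it) are assumptions.

```python
from enum import Enum
from itertools import product


class Switch(Enum):
    OPEN = "OPEN"    # momentary; spring returns to AUTO
    AUTO = "AUTO"
    CLOSE = "CLOSE"  # maintained position ("maintain closed")


def next_position(valve_open, switch, s_signal, above_p11):
    """Return True if the valve is open after the logic acts, False if closed."""
    if s_signal:
        # Rules 1 and 3: an "S" signal opens the valve and overrides CLOSE.
        return True
    if switch is Switch.OPEN:
        return True  # assumption: manual open demand always opens
    if switch is Switch.AUTO:
        # Rule 2: auto-open above P-11. Assumption: holds position below P-11.
        return True if above_p11 else valve_open
    return False  # Switch.CLOSE with no "S" signal: manual block


def all_cases():
    """Every combination of (valve_open, switch, s_signal, above_p11)."""
    return product([False, True], Switch, [False, True], [False, True])


def property_violations():
    """Input combinations that break one of the interlock rules in the text."""
    bad = []
    for was_open, sw, s, p11 in all_cases():
        now_open = next_position(was_open, sw, s, p11)
        if s and not now_open:
            bad.append(("S signal present but valve closed", was_open, sw.name, p11))
        if p11 and sw is Switch.AUTO and not now_open:
            bad.append(("above P-11 in AUTO but valve closed", was_open, sw.name, s))
    return bad


def isolated_at_pressure():
    """(switch, s_signal) combinations that leave the valve closed above P-11."""
    return {(sw.name, s)
            for was_open, sw, s, p11 in all_cases()
            if p11 and not next_position(was_open, sw, s, p11)}


if __name__ == "__main__":
    print("rule violations:", property_violations())
    print("closed above P-11 only when:", isolated_at_pressure())
    # Leak test in progress (switch held in CLOSE at pressure), then "S" arrives.
    print("S during leak test opens valve:",
          next_position(False, Switch.CLOSE, True, True))
```

The only combination that leaves an accumulator isolated at pressure is the maintained "CLOSE" position with no "S" signal present, which is the state that has to be covered by administrative control.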

The "maintain closed" position is required to provide an administratively controlled manual block of the automatic opening of the valve at pressure above the safety injection unblock pressure (P-11). The manual block or "maintain closed" position is required when performing periodic check valve leakage tests when Reactor Coolant System is at pressure. The maximum permissible time that an accumulator valve can be closed when the Reactor Coolant System is at pressure is specified in the Technical Specifications.

Administrative control is required to ensure that any accumulator valve, which has been closed at pressures above the safety injection unblock pressure, is returned to the "AUTO" position. Verification that the valve automatically returns to its normal full open position would also be required.

During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period the accumulator valve breakers should be opened or removed. Administrative control is again required to ensure that these valve breakers are closed during the prestartup procedures.

7.6.5 LEAKAGE DETECTION SYSTEMS

7.6.5.1 Description

Leakage detection is provided for the following areas and systems:

1. Reactor coolant pressure boundary (see Section 5.2.7 for a detailed description).

2. Engineered safety features systems (i.e., Reactor Building Spray, Residual Heat Removal, Safety Injection systems) in the Auxiliary Building.

3. Feedwater system (intermediate building flood protection).

7.6.5.1.1 Engineered Safety Features Systems in the Auxiliary Building

1. Level

Undetected leaks from the Engineered Safety Features Systems in the Auxiliary Building (Reactor Building Spray, Residual Heat Removal, Safety Injection) could have adverse effects upon the safety functions of these systems. For this reason, means for detecting leakage are provided.

Level switches are located in specifically provided alarm drains and in the building drain sumps. When leakage exceeds a flowrate of 25 gpm for the floor drains or 45 gpm for the sump drains, an alarm is activated in the Control Room. Upon receipt of such an alarm, the operator takes action to isolate the leak.

Figures 9.3-6 and 9.3-7 schematically depict the locations of alarm drains and building sumps.

2. Temperature

Undetected leakage from the Chemical and Volume Control System letdown lines or the Auxiliary Steam System could cause the ambient temperature in the Auxiliary Building to rise. This high temperature could possibly prohibit personnel access to the area and limit the capability of equipment to function. Pipe rupture analysis has indicated the location of the most probable break areas in the system. Temperature sensors located in these break areas actuate alarms in the Control Room. Locations of these sensors are illustrated by Figures 7.6-3a through 7.6-8.

7.6.5.1.2 Feedwater System

Safety equipment and systems in the Intermediate Building are protected from flooding due to postulated pipe break or component failure resulting in leakage from the Feedwater System.

The sump level system incorporates a level switch located in each of the 3 Intermediate Building sumps. Should a high level occur in any sump, it is annunciated in the Control Room to alert the operator to the need for investigation of the source of leakage and, if necessary, to take manual action to isolate the leak. The high-high sump level detectors are set to detect flooding which occurs at a rate which exceeds the capacity of the sump pumps. When 2 out of 3 redundant high-high sump level switches are energized, the A channel closes the feedwater pump discharge valves and the B channel trips the feedwater pumps and closes the feedwater pump suction valves. The A channel closes the feedwater isolation valves to the steam generators.

7.6.5.1.3 Leak Detection Methods Inside the Control Room

Table 7.6-1 provides a tabulation of leak detection methods inside the Control Room.

7.6.5.2 Analysis

Leak detection instrumentation is seismically qualified. These instruments are located throughout the Auxiliary Building in areas where engineered safety features equipment and piping are located. Physical separation and separate electrical power sources are used for 2 sets of redundant instruments. Calibration of the Leak Detection System instrumentation can be performed during plant operation. The instrumentation can be functionally checked by testing at any time.

7.6.6 INTERLOCKS FOR RCS PRESSURE CONTROL DURING LOW TEMPERATURE OPERATION

This Section deleted by Amendment 1 in August, 1985.

7.6.7 SWITCHOVER FROM INJECTION TO RECIRCULATION

The details of achieving cold leg recirculation following safety injection and a postulated LOCA are given in Section 6.3.2.2.7 and on Table 6.3-3.

7.6.7.1 Description of Instrumentation Used for Switchover

As noted in Table 6.3-3, protection logic is provided to automatically open the 4 Safety Injection System (SIS), Reactor Building recirculation sump isolation valves (8811A and 8812A in Train A and 8811B and 8812B in Train B) when 2 of 4 (2/4) Refueling Water Storage Tank (RWST) level transmitters sense the Lo-Lo level setpoint in conjunction with the initiation of the engineered safety features actuation signal ("S" signal). The "S" signal is initiated by the contact of a slave relay in the Solid State Protection System output cabinet that closes on Safety Injection and remains closed until manually reset from the control board. This reset switch is separate from the main safety injection reset switch which is not associated with this circuit. The purpose of the sump valve automatic open circuit reset switch is to permit the operator to remove the actuation signal in the event the corresponding sump isolation valve must be closed and retained in a closed position following a LOCA, such as for maintenance purposes.

7.6.7.2 Initiating Circuit

The 2/4 Lo-Lo RWST level is the trip signal, which in coincidence with the "S" signal, provides the initiation function which would align the 2 residual heat removal pumps to take suction from the Reactor Building sumps and deliver directly to the RCS.

7.6.7.3 Logic

The logic function derived from the RWST level sensors and the "S" signal is depicted in Figure 7.6-9.

7.6.7.4 Bypass

The manual reset logic function is shown in Figure 7.6-10 and its purpose and action are described in Section 7.6.7.1. As noted, the "S" signal is retained by sealing it in (i.e., it is latched). This signal is not removed by action of the main safety injection reset that is used by the operator per emergency procedures to block the "S" signal to certain other equipment prior to realignment for switchover to the recirculation mode following a postulated loss of coolant accident.

7.6.7.5 Interlocks

The Trip Signal logic consists of 4 Refueling Water Storage Tank water level transmitters, each of which provides a level signal to 1 of the 4 Refueling Water Storage Tank level channel bistables. The Refueling Water Storage Tank level channel bistables are:

1. Normally de-energized

2. De-energized on loss of power

3. Energized on Lo-Lo setpoint

Each level channel bistable is assigned to a separate instrumentation and control power supply. A Trip Signal is provided from both Train A and Train B Solid State Protection System cabinets to the corresponding Reactor Building recirculation sump isolation valves logic, should 2 of the 4 water level channel bistables receive an RWST level signal lower than the Lo-Lo level setpoint, following the generation of an "S" signal.

7.6.7.6 Sequence

This circuit is energized directly from the Solid State Protection System output cabinet and is not sequenced following an accident that requires its functioning.

7.6.7.7 Redundancy

The function of this semi-automatic switchover is available from both Train A and Train B down to the actuated equipment. The function including the actuated equipment is, therefore, redundant and train separation and independence are maintained from sensor to actuated equipment.

7.6.7.8 Diversity

Diversity of components and equipment between the redundant Trains is not required to protect against systematic failures, such as multiple failures resulting from a credible single event. The associated components are environmentally and seismically qualified in accordance with the procedures described in Sections 3.10 and 3.11. It is noted that there is functional diversity provided in that manual operation is available as a backup to the semi-automatic mode.

7.6.7.9 Actuated Devices

The actuated devices are the 4 motor control center starters, 1 for each of the Motor Operated Sump Valves, 8811 A&B, and 8812 A&B.
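The 2/4 coincidence, the sealed-in "S" signal and the separate reset switch described in Sections 7.6.7.1 through 7.6.7.5 can be modelled for one train as follows. This is an added illustration, not the plant's or the licensee's logic; the class and function names, the percent-level readings and the Lo-Lo setpoint value are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed placeholder: the section does not state the Lo-Lo setpoint value.
LO_LO_SETPOINT = 18.0


@dataclass
class LevelChannel:
    """One RWST level transmitter feeding one level channel bistable."""
    level: float          # sensed level in percent (constructed reading)
    powered: bool = True  # each channel has its own I&C power supply

    def bistable_energized(self) -> bool:
        # Normally de-energized, de-energized on loss of power,
        # energized only when a powered channel reads below Lo-Lo.
        return self.powered and self.level < LO_LO_SETPOINT


def coincidence_2_of_4(channels) -> bool:
    """Trip signal: at least 2 of the 4 bistables energized."""
    if len(channels) != 4:
        raise ValueError("the trip logic is defined for exactly 4 channels")
    return sum(ch.bistable_energized() for ch in channels) >= 2


class TrainSumpValveLogic:
    """Auto-open circuit for one train's sump isolation valves (hypothetical model)."""

    def __init__(self):
        self.s_latched = False

    def safety_injection(self):
        self.s_latched = True   # slave relay contact closes and is sealed in

    def main_si_reset(self):
        pass                    # main SI reset is not associated with this circuit

    def sump_valve_reset(self):
        self.s_latched = False  # dedicated reset removes the actuation signal

    def open_demand(self, channels) -> bool:
        return self.s_latched and coincidence_2_of_4(channels)


def run_scenario():
    """Walk one train through a constructed sequence and record each open demand."""
    train = TrainSumpValveLogic()
    full = [LevelChannel(95.0) for _ in range(4)]
    low = [LevelChannel(10.0), LevelChannel(12.0), LevelChannel(40.0), LevelChannel(45.0)]
    unpowered = [LevelChannel(95.0, powered=False), LevelChannel(95.0, powered=False),
                 LevelChannel(95.0), LevelChannel(95.0)]
    out = {"low_level_without_S": train.open_demand(low)}
    train.safety_injection()
    out["S_with_tank_full"] = train.open_demand(full)
    out["S_with_2_of_4_low"] = train.open_demand(low)
    train.main_si_reset()
    out["after_main_SI_reset"] = train.open_demand(low)
    out["two_channels_lose_power"] = train.open_demand(unpowered)
    train.sump_valve_reset()
    out["after_sump_valve_reset"] = train.open_demand(low)
    return out
```

Because the bistables energize to trip, loss of channel power in this model never produces a spurious open demand; the open demand also survives the main safety injection reset and clears only on the sump valve reset.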

7.6.7.10 Channel Bypass Indication

Indication is provided on the main control board to alert the operator that a Refueling Water Storage Tank water level channel is in the bypass mode and is unavailable. The indication is by status light and alarm window as shown on Figure 7.6-10.

7.6.8 Deleted

7.6.9 Deleted

7.6.10 Deleted

7.6.11 SWITCHOVER FROM SPRAY TO RECIRCULATION

The details of the Reactor Building Spray System operation following a postulated loss of coolant accident are given in Section 6.2.2.2.1.2.

7.6.11.1 Description of Instrumentation Used for Switchover

As noted in Section 6.2.2.2.1.2 logic is provided to automatically open the 4 Reactor Building Spray System, Reactor Building recirculation sump isolation valves (3004A and 3005A in Train A and 3004B and 3005B in Train B) when 2 of 4 (2/4) Refueling Water Storage Tank (RWST) level transmitters sense the Lo-Lo level setpoint in conjunction with the initiation of the engineered safety features actuation signal ("S" signal). The "S" signal is initiated by the contact of a slave relay in the Solid State Protection System output cabinet that closes on safety injection and remains closed until manually reset from the control board. This reset switch is separate from the main safety injection reset switch which is not associated with this circuit. The purpose of the sump valve automatic open circuit reset switch is to permit the operator to remove the actuation signal in the event the corresponding sump isolation valve must be closed and retained in a closed position following a loss of coolant accident, such as for maintenance purposes.

7.6.11.2 Initiation Circuit

The 2/4 Lo-Lo Refueling Water Storage Tank level is the trip signal, which in coincidence with the "S" signal, provides the initiation function which would automatically align the 2 Reactor Building spray pumps to take suction from the Reactor Building recirculation sumps and deliver directly to the Reactor Building spray nozzles.

7.6.11.3 Logic

The logic function derived from the Refueling Water Storage Tank level sensors and the "S" signal is depicted in Figures 7.6-9 and 7.6-10.

7.6.11.4 Bypass

The manual reset logic function is shown in Figure 7.6-9 and its purpose and action are described in Section 7.6.11.1. As noted, the "S" signal is retained by sealing it in (i.e., it is latched). This signal is not removed by action of the main safety injection reset that is used by the operator per emergency procedures to block the "S" signal to certain other equipment prior to realignment for switchover to the recirculation mode following a postulated loss of coolant accident.

7.6.11.5 Interlocks

The Trip Signal logic consists of 4 Refueling Water Storage Tank water level transmitters, each of which provides a level signal to 1 of the 4 Refueling Water Storage Tank level channel bistables. The Refueling Water Storage Tank level channel bistables are:

1. Normally de-energized

2. De-energized on loss of power

3. Energized on Lo-Lo setpoint

Each level channel bistable is assigned to a separate instrumentation and control power supply. A Trip Signal is provided from both Train A and Train B Solid State Protection System cabinets to the corresponding Reactor Building recirculation sump isolation valves logic, should 2 of the 4 water level channel bistables receive a Refueling Water Storage Tank level signal lower than the Lo-Lo level setpoint, following the generation of an "S" signal.

7.6.11.6 Sequence

This circuit is energized directly from the Solid State Protection System output cabinet and is not sequenced following an accident that requires its functioning.

7.6.11.7 Redundancy

The function of this switchover is available from both Train A and Train B down to the actuated equipment. The function including the actuated equipment is, therefore, redundant and train separation and independence are maintained from sensor to actuated equipment.

7.6.11.8 Diversity

Diversity of components and equipment between the redundant Trains is not required to protect against systematic failures, such as multiple failures resulting from a credible single event. The associated components are environmentally and seismically qualified in accordance with the procedures described in Sections 3.10 and 3.11. It is noted that there is functional diversity provided in that manual operation is available as a backup to the semi-automatic mode.

7.6.11.9 Actuated Devices

The actuated devices are the 4 motor control center starters, 1 for each of the Motor Operated Sump Valves, 3004 A&B and 3005 A&B.

7.6.11.10 Channel Bypass Indication

Indication is provided on the main control board to alert the operator that a Refueling Water Storage Tank water level channel is in the bypass mode and is unavailable. The indication is by status light and alarm window as shown on Figure 7.6-10.

7.6.12 REFERENCES

1. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations," IEEE Standard 308-1971.

2. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Standard 279-1971.

TABLE 7.6-1
LEAK DETECTION METHODS INSIDE CONTROL ROOM
Reformatted Per Amendment 99-01

| PARAMETER | PRIMARY DETECTION ELEMENT | CONTROL ROOM DISPLAY | TYPE OF LEAKAGE |
|---|---|---|---|
| Refueling water storage tank level | level transmitters (LT990, LT991, LT992, LT993) | indication; alarm-high level | reactor coolant leakage to ECCS |
| Accumulator level | level transmitters (LT920, LT922, LT924, LT926, LT928, LT930) | indication; alarm-high level | reactor coolant leakage to ECCS |
| Accumulator pressure | pressure transmitters (PT921, PT923, PT925, PT927, PT929, PT931) | indication; alarm-high level | reactor coolant leakage to ECCS |
| Reactor vessel flange leak-off temperature | temperature element (TE401) | indication; alarm-high temperature | leakage from reactor vessel |
| Pressurizer safety valve discharge temperature | temperature elements (TE463, TE465, TE467, TE469) | indication; alarm-high temperature | reactor coolant leakage to pressurizer relief tank |
| Pressurizer relief tank temperature | temperature element (TE471) | indication; alarm-high temperature | reactor coolant leakage to pressurizer relief tank |
| Pressurizer relief tank level | level transmitters (LT470) | indication; alarm-high level | reactor coolant leakage to pressurizer relief tank |
| Flow in pressurizer relief line | acoustic leak monitor | alarm-high flow | reactor coolant leakage to pressurizer relief tank |
| Leak detection drains | level switches | alarm-high level | nuclear valve leak-off and miscellaneous equipment leakage |
| Steam generator blowdown and sampling radiation | radiation monitor (RM-L3, RM-L10) | indication; alarm-high radiation | primary to secondary system leakage |
| Main plant vent exhaust radiation | radiation monitor (RM-A3) | indication; alarm-high radiation | primary to secondary system leakage |
| Turbine room sump radiation | radiation monitor (RM-L8) | indication; alarm-high radiation | primary to secondary system leakage |
| Component cooling water radiation | radiation monitor (RM-L2A, RM-L2B) | indication; alarm-high radiation | intersystem leakage into component cooling water system |
| Component cooling water temperature from RHR heat exchanger | temperature elements (TE7037, TW7047); temperature switches (TS038, TS7048) | indication; alarm-high temperature | residual heat removal heat exchanger leakage |
| Component cooling water temperature from reactor coolant drain tank | temperature elements (TE7118) | indication; alarm-high temperature | reactor coolant drain tank heat exchanger leakage |
| Component cooling water flow from reactor coolant drain tank | flow transmitters (FT7116) | indication | reactor coolant drain tank heat exchanger leakage |
| Component cooling water temperature from reactor coolant pump thermal barrier | temperature elements (TE7140, TE7160, TE7180) | indication; alarm-high temperature | reactor coolant pump thermal barrier leakage |
| Component cooling water flow from reactor coolant pump thermal barrier | flow transmitters (FT7138, FT7158, FT7178) | indication | reactor coolant pump thermal barrier leakage |

Figure 7.7-10, (Deleted per RN 99-085)

Figure 7.7-11, (Deleted per RN 99-085)

Figure 7.7-12, (Deleted per RN 99-085)

Figure 7.7-13, (Deleted per RN 99-085)

[Figure 7.7-14: Simplified Block Diagram, Rod Control System. South Carolina Electric & Gas Co., Virgil C. Summer Nuclear Station. Amendment 98-01, April 1998. Block labels: Reactor Control System, Pulser, Master Cycler, Slave Cycler 1 BD, Slave Cycler 2 BD, Power Cabinet 1 BD, Power Cabinet 2 BD, Lift Coil Disconnect Switches, Control Bank D Group 1, Control Bank D Group 2, Bank Selector, Bank Overlap, Multiplex Circuits, Manual Switch. Note: only cabinets 1 BD and 2 BD shown.]