ML20040F771
| ML20040F771 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 12/31/1981 |
| From: | Haroldsen R, Weber D EG&G, INC. |
| To: | |
| Shared Package | |
| ML20040F763 | List: |
| References | |
| TASK-07-03, TASK-7-3, TASK-RR 0562J, 562J, NUDOCS 8202100287 | |
| Download: ML20040F771 (17) | |
Text
'
0562J SYSTEMATIC EVALUATION PROGRAM TOPIC VII-3 ELECTRICAL, INSTRUMENTATION AhD CONTROL FEATURES OF-SYSTEMS REQUIRED FOR SAFE SHUTOOWN MILLSTONE UNIT 1 NUCLEAR POWER-PLANT Docket No. 50-245 December 1981 D. A. Weber /R. O. Haroldsen EG&G Idaho, Inc.
l l
l l
12-24-81
- hh kh l
0 P
CONTENTS
- 1. 0. I N TR O DU CT I O N.'................................................... l' 2.0 REVIEW CRITERIA.................................................
2 3.0 RELATED SAF ETY TOPI CS AND INTERFACES............................
2 4.0 REVIEW GUIDELINES...............................................
4 5.0 DIS CUSS IO N AND EVALUATIO N.......................................
5 5.1 Instrumentation...........................................
5 5.1.1 Ev a l u a ti o n........................................
6 5.2 Safe Sh u t d own Sys t ers.....................................
6
-5.2.1 Ons i te P ower Un av ai l ab le..........................
9
- 5. 2.1.1 Evaluation..............................
10 5.2.2 Off s i te P ower Un av ail ab le.........................
10 5.2.2.1 Ev a l u a t i on..............................
11 5.3 Shutdown and Cooldown Capability Outside the C on tr o l R o om..............................................
11 5.3.1 Evaluation........................................
11 5.4 R HR Sys tem Rel i ab i l i ty and In ter lo cks.....................
11 5.4.1 E v a l u a ti o n........................................
12 6.0
SUMMARY
12 7.0 SAFE SHUTDOWN EI&C FEATURES FOR CONSIDERATION BY S E P TO P I C I I I-1.................................................
13 8.0 R EF ER EN C ES......................................................
15 ii
SYSTEMATIC EVALUATION PROGRAM TOPIC VII-3 ELECTRICAL, INSTRUMENTATION AND CGNTROL FEATURES OF
^
SYSTEMS REQUIRED FOR SAFE SHUTDOWN MILLSTONE NUCLEAR STATION, UNIT 1
1.0 INTRODUCTION
This report is part of the Systematic Evaluation Program (SEP) review of Topic VII-3, " Systems Required for Safe Shutdown." The objective of this review is to determine whether the electrical, instrumentation, and control (EI&C) features of the systems required for safe shutdown, includ-ing support systems, meet current licensing criteria.
The systems required for safe shutdown have been identified by the NRC SEP. The systems were reviewed to ensure the following safety objectives are met:
(1) Assure the design adecuacy of the safe shutdown sys-tem to automatically initiate operation of appropri-ate systems,. including reactivity control systems, such that fuel design limits are not exceeded as a result of operational occurrences and postulated accidents, and to automatically initiate systems required to bring the plant to a safe shutdown (2) Assure that reautred systems, equipment, and con-trols to maintain the unit in a safe condition dur-ing hot shutdown are appropriately located outside the control room and have the capability for subse-auent cold shutdown of the reactor using suitable procedures (3) - Assure only safety grade equipment is required to bring primary coolant systems from a high pressure to low pressure cooling condition.
The scope of this review specifically includes an evaluation of the electrical, instrumentation, and control features necessary for operation of the identified safe shutdown systems.
1
The review evaluates the systems for operability with and without offsite power and the ability to operate with any single failure. The EI&C review of safe shutdown systems only includes those features not covered under other SEP Topics.
Specific items which will be covered under other SEP reports are identified in Section 4.0, Review Guidelines.
2.0 REVIEW CRITERIA Current licensing criteria for safe shutdown are contained in the fol-lowing:
(1)
IEEE Standard 279-1971, " Criteria for Protection Systens for Nuclear Power Generating Stations" (2) GDC-5, " Sharing of Structures, Systens, and Com-ponents" (3) GDC-13, " Instrumentation and Control" (4) GDC-17, " Electric Power Systems" (5) GDC-19, " Control Room" (6) GDC-26, " Reactivity Control System Redundancy and Capability"
( 7) GDC-34, " Residual Heat Removal" (8) GOC-3S, " Emergency Core Cooling" (9) GDC-44, " Cooling Water."
3.0 RELATED SAFETY TOPICS AND INTERFACES The following list of SEP topics are related to the safe shutdown topic with respect to EI&C features, but are not being specifically reviewed under this topic:
(1) SEP III-10. A, " Thermal Overload Protection for Motors of Motor-Operated Valves" (2) SEP IV-2, " Reactivity Control Systems Including Functional Design and Protection Against Single Failures" 2
I (3) SEP VI-7. A.3, "ECCS Actuation System" (4) SEP VI-7.C, Appendix K, "EI&C Re-reviews" (5) -SEP VI-10.A, " Testing of RTS and ESF Including
, Response Time Testing" (6) SEP VI-10.8, " Shared ESF, Onsite Emergency Power, and Service Systens for Multiple Unit Facilities" (7) SEP VII-1, " Reactor Trip System" (8) SEP VII-2, "ESF Control Logic and Design" (9).SEP VIII-2, "Onsite Emergency Power Systems--Diesel Generators" (10) SEP VIII-3,. " Emergency DC Power Systems" (11) SEP IX-3, " Station Service and Cooling Water Systems" (12) SEP IX-6, ~" Fire Protection."
Where safe shutdown system EI&C response is affected by the above-mentioned topics, that particular SEP review has been consulted for determination of overall safe shutdown system performance. Where the SEP topic review is not available, the effect on safe shutdown system performance is based on an assumed operating condition of the effecting sys tem. The safe shutdown review will be considered preliminary until resolution of the effecting topic is completed and found to be in l
accordance with assumptions made in this review.
l The canpletion of this review impacts upon the following SEP topics, since capabilities relating to safe shutdown are required in
- the topic:
(1) SEP VIII-1.A, " Potential Equipment Failures Associ-ated with a Degraded Grid Voltage" l
(2) SEP VIII-2, "Onsite Emergency Power Systems--Diesel Generators."
4 3
l i
I
_, v. w m -r y +,-
sc +.., -., #,,.
.m.
..**-*na r~*-
+v e 4 i
+
,e-..
,e'**e-*--
~ _
_m.
__m___=
r.-_.
-.m
=n 4.0 REVIEW GUIDELINES The capability to attain a safe shutdown has been reviewed by evaluat-ing the systems used for normal shutdown (onsite power not available) and emergency shutdown (offsite power not available).
SRP 7.4 was applied to each system to ensure the following guidelines were meet:
(1) They have the required redundancy (SRP 7)
(2) They meet the single failure criterion (RG 1.53, ICSB BTP 18)
(3) They have the required capacity and reliability to perform intended safety functions on demand (SRP 7).
Additionally, SRP 5.4 requirements contained in BTP RSB 5-1 were reviewed to determine if the systems required for residual heat removal meet the following criteria:
(1) The systems are capable of being operated from the control room with only offsite or only onsite power available (2)
The systems are capable of bringing the reactor to cold shutdown with only offsite or only onsite power available within a reasonable period, assuming the most limiting single failure (3) The RHR system has the required isolation features to prevent overpressurization when RCS pressure is above RHR design pressure (4) Protection from RHR pump overheating, cavitation, or loss of suction is provided (5)
Isolation and interlock circuitry is testable during RHR operation and is tested in preoperational and initial startup test programs.
The electrical equipment environmental qualification and physical separ-ation are being reviewed under other. topics, as is the seismic equipment qualification, and are not reviewed in this report. Section 7.0 consists of a list of safety related EI&C equipment necessary for safe shutdown to 4
~. -._
.. ~
w
- .a be used in resolving SEP Topic III-1, " Classification of Structures, Com-ponents, and Systems."
5.0 DISCUSSION AND EVALUATION 5.1 Ins trumentation The NRC SEP Review of Safe Shutdown Systems identified the instrumen-tation available-in the _ control room necessary to bring the reactor from the hot shutdown to cold shutdown condition. This review also evaluates the nuclear instrumentation, since this instrumentation must be monitored to ensure the reactor achieves and maintains shutdown conditions. Various system parameters, such as pump running or valve position indications, are not included in the list of safe shutdown instruments of the SEP Review as indication is provided by the control / operate circuitry. Availability of control / operate circuitry to run the system also means availability of the required indication. Similarly, if the control / operate circuitry is unavailable such that sys:. operation is not possible, then system indica-tion is not mandatory.
The nuclear instrumentation, providing indication of each range of pcwer level, is powered from two independent 24V DC buses, the Vital AC bus (VAC), the Instrumentation AC bus (IAC), and two independent Reactor Pro-tection AC buses. There are no single failures that would result in the loss of all power sources to the nuclear instrumentation.
The instrumentation providing indication of critical reactor parameters (level, pressure, and temperature), are powered from independent 125 VDC sources, the VAC bus, and the IAC bus. There are no single failures that would result in the loss of all po'wer sources to these instruments. The loss of the IAC bus would result in the loss of TR 103 and 104
- However, temperatures could be determined from direct reading pressure indicators, located outsice containment, with the use of appropriate tables.
Indication of Service Water, Emergency Service Water, Feedwater Coolant Injection, Core Spray, Isolation Condenser, Shutdown Cooling, and 5
_.~._z m.
m.
1_
._.n Low Pressure Coolant Injection system parameters such as flow, temperature, level, and pressure available in the control room, are powered by the IAC bus. While loss of the IAC bus would cause a loss of these indications, each of these systems (except for the Isolation Condenser System) has direct reading indicators available at local control stations.
Status of flow for some systems such as LPCI can be inferred from the pump running / valve open indicators (not powered by the AC instrument bus) and by reactor parameters of level, pressure, and temperature.
5.1.1 Evaluation. The instrumentation necessary for reaching and maintaining cold shutdown at Millstone 1 does not meet current licensing criteria since a single f ailure (loss of the IAC bus) would result in loss of indication of flow, temperature, level, and/or pressure of the *vstems required to shutdown the reactor and/or maintain the reactor in shutdown condi tion. With the exception of the Isolation Condenser System, suitable direct reading local indications are available and could be used if opera-tors were stationed at the local indicators and had adequate communications with the control room. Such action would have to be justified by the licen-see under the topic of limited operator action outside the control room.
5.2 Safe Shutdown Systems The SEP review of Safe Shutdown Systems identified the systems required for short-term cooling (immediately after reactor shutdown) and long-term cooling (when the reactor is cooled to the SDCS design temperature limit of 350 F) with only offsite and only onsite power available.
Normal short-term cooling is provided by bypassing steam to the main condenser via the turbine bypass valves. The circulating water pumps pro-
~
vide cooling to remove heat by condensing the steam. The feedwater system then returns the water to the reactor. This cooling method is available with or without offsite power. A full feedwater stri.ng can be powered by the onsite gas turbine generator, but this method of cooling, without out-side power, could be rendered inoperative by failure of the 4160 volt bus number 1 or 3.
6
r-
_.x s n-m _-
a >_-
umam.
~
Emergency or alternate short-term cooling involves operation of the Electro-Pneumatic Relief Valves (EPRV), the Feedwater Coolant Injection System (FWCIS), and the Isolation Condenser System (ICS).
Initial pressure relief is provided by the six EPRVs which operate to prevent overpressurization of the reactor by venting steam into the torus, and backs up the FWCIS to depressurize the reactor. These valves may be manually controlled from the control room but are automatically actuated upon coincident indication of low level in the reactor vessel, high pres-sure in the dryw111, and flow failure of the FWCIS.
In this case, a means of adding water to the reactor (LPCI or Core Spray) is necessary to main-tain reactor level and provide cooling. The relief valves can be supplied power from either MCC DC-1 or MCC DC-1A via a transfer switch and distribu-tion panel DC-11A-2. Failure of the transfer switch or the distribution panel / bus would result in loss of relief valve control from the control' room. In this case the valves would still operate when system pressure reaches the valve pressure relief setpoints. Each valve has its own accumulator with sufficient compressed air for several valve actuations.
In addition each valve can receive compressed air from station air compres-sors or bottles of compressed air. There are no single failures which would completely disable the pressure relief system.
The FWCI system consists of one condensate pump, one condensate booster pump, and one feedwater pump, all powered by the gas turbine generator. Two complete " strings" of pumps a're available for FWCI operation with selection of string A or 8 made from the control room. The pumps in the selected FWCI string will not s_ tar't or restart automatically upon restoratiot of AC power (as provided by the gas turbine generator) unless a low-low reactur water level signal or high drywell pressure signal (or both) exists.
In the absence of such automatic initiation, the operator will bring the FWCI sys-tem on manually as provided by procedure.
Because the gas turbine generator is not ready to load for 48 seconds after starting, the EPRV's will be required to relieve pressure until the FWCI system is operating. At that time, the injection, at rates up to 8000 gpm of cold water, will provide substantial depressurization, result-ing in the reclosure of the EPRV's.
If the FWCI system should provide such 7
4
m m.
u ma w
significant inventory that reactor vessel water level become too high (prior to depressurization and concurrent temperature decrease to SCS initiation limits), the operator can utilize the _ relief valves ~ to continue depressurization,L or can increase discharge fr'om the reactor vessel through the reactor water cleanup system.
Loss -of the GTG or loss of 4160V bus 1 or 3. can render the FWCI system unavailable. In this case short term cooling could be.provided by the
~ EPRV's and the ICS.
The ICS consists of a single steam line from the reactor which passes through the ICS condenser and discharges into the recirculation loop B.
There are two normally open motor operated valves (MOV's) in the line from the reactor, one. inside containment and one outside. The discharge line also contains two_ MOVs with the MOV outside containment normally closed and the MOV inside containment normally open. Flow through the system is initiated by opening the single closed MOV which allows the reactor to be cooled by condensing steam in the ICS condenser.-and returning the condensed steam to the reactor by natural circulation. Failure of the control power or. motive power for this MOV would disable the system, although the valve may be manually operated.
The MOVs outside containment are DC powered with battery back-up. The MOVs inside containment are AC powered and can be supplied from the diesel
' generator (DG) on loss of offsite power. Differential pressure switches, powered from independent DC buses, will close the MOVs and isolate the con-denser upon sensing a line break. The two condenser vent valves,_ the con-trol room level, pressure, and temperature indicators, and the automatic level control system for the isolation condenser are powere i from the single Instrument AC Bus (IAC).
Failure of this bus would result in loss of venting capability, level control and control room ICS parameter indica-tions. Condenser makeup can be from the Fire Water System or the Condensate System. Power supplies for these make-up sources are independent from each other and from the ICS power supplies. The ICS can be manually initiated or will automatically initiate on loss of offsite power and reactor scram.
8
n.-.
..a-
.x._ w-
' a-
- . a.1 i..
.-.L
.x Long-term cooling (below 350*F) is provided by the Shutdown Cooling System (SDCS).
It consists of a si.ngle suction line, two parallel pump and -
heat exchanger loops, and a common discharge line. There are multiple single failures which can render the SDCS inoperable, including loss of motor control center (MCC) 2A-3 which powers the normally closed inlet MOV (located inside containment), or loss of MCC 2-3 which powers the normally closed discharge MOV (located outside containment). Loss of the IAC bus will result in the loss of control room indication of loop pressure, and loop and heat exchanger temperature. Also, the inlet MOV is inside con-tainment and is therefore considered inaccessible for manual operation.
If the inlet and discharge valves can be opened, there is sufficient power sup-ply independence and redundancy in the two parallel SDCS loops and in the SOCS Heat Exchanger cooling, assuming a single power supply failure, to ensure at least partial operation of the SDCS. The SDCS is not a class 1E system but can be used to remove decay heat.
The LPCI system consists of two independent loops, each with two paral-lei pumps, which pump water from the suppression pool to the reactor via heat exchangers cooled by the Emergency Service Water System. Single fail-ures exist which can cause loss of one loop of the LPCI system, but only one loop is needed to maintain reactor level and provide cooling water. On loss of offsite power one loop is supplied by the gas turbine generator (GTG) and the other by the diesel generator (DG).
Starting of the pumps is automatic only in a LOCA situation.
All motor-operated valves in the LPCI system are outside containment and can be manually operated. Loss of the IAC bus will realt in loss of system temperature and flow indications in the control room.
5.2.1 Onsite Power Unavailable. Millstone 1 normally operates with i
all of its auxiliary loads supplied by ths main generator through the Unit Auxiliary Transformer. Loss of the main generator power during operation will result in a reactor scram and turbine trip. The buses normally powered by the generator will transfer to the Reserve Station Service Transformer which is supplied from the 345 kV switchyard. Only single failures involv-ing buses, switchgear, or other equipment downstream of the transformer feed lines to the distribution system are considered.
l
Single failures of EI&C features, such as loss of the feedwater con-trol system, exist which could disable the normal short-term cooldown methods. However, no El&C single failure rendering the normal short-term cooldown methods inoperable can also cause failure of the isolation con-(
denser, ADS, and/or FWCI system. There are multiple single failures pre-viously mentioned which can render the SDCS inoperable. However, since only one LPCI loop is needed to maintain core level and provide cooling water, there are no single failures which can disable both the SDCS and LPCI systems. Therefore, the short-term and long-term cooling capability meets the current licensing criteria with only offsite power available.
Excluding the non-class 1E methods (ICS and 50CS), the required short-term and long-term cooling is still provided.
5.2.1.1 Evaluation. The systems required for short-term and long-term cooling at Millstone 1 are capable of providing the required cooling assuming no onsite power is available and a single failure. Loss of the IAC bus will result in loss of parameter indication in the control room for these systems.
5.2.2 Offsite Power Unavailable.
During normal operation, a loss of offsite power would not automatically result in the loss of the main con-denser and a reactor trip because the plant is designed to withstand this transient while dumping steam to the condenser. However, if there were a complete loss of power to the 4 kV buses, all loads on these buses and all 480V loads supplied from 4 kV Buses 5 and 6 would be shed. On completion x
of load shedding, simultaneous automatic start signals are sent to al gas turbine generator and diesel generator. The gas turbink-Senerator si{pplies 4 kV buses 1, 3, 5 and 7 and the diesel generator supplies 4 kV bus 6.
Also, both the diesel generator and the gas turbine generator are auto-matically started on an ECCS signal.1,3 Assuming the diesel generator and the gas turbine generator are avail -
able, there are no single failures which would disable the ICS, A05, and FWCI system. Failure of the gas turbine generator would prevent initiaticn of the FWCI system. However, the ADS, in ccnjunction with. the ICS, would provide the required short-term cooling. As before, there'are no single 10 a
9
_w,
._m m.gic i.La ; ^
cea.wa.6 ^
-4'
,E
.._. w
-.2 s
s
\\
y failures which would disable both long-term cooling systens (SDCS and LPCI)
'if AC power from the diesel generstor or the gas turbine generator is
.av ail able.
- 5. '2. 2.1 Evaluation. The systens reautred for short-term and long-term cooling at Millstene 1 are capable of providing the required cooling assuming offsite power is not available' and a single failure if the t
c.
diesel generator and/or the ga,s turbine generator is available. Loss of the IAC bus will result in loss of parameter indications in the control i'
room Ter these systems.
5.3 Shutdown and Cooldown Capability Outside toe Control Room s
b
' lhe capabilitN to maintain the plant in hot shutdown from outside the g.
control room exists at Millstone 1.
Reactor parameters such as level and s
pressure can be monitored at locations outside the control room. Reactor pressure (therefore, temperature) can be determined from appropr-iate tables. Local control stations exist for the pumps and valves of the sys-tems reaufred for safe shutdown described in Section 5.2.
Additionally, many of the valves which are outside containment are also capable of being
\\
(manually operated. However, no procedures exist for taking the plant from hot to cold shutdown from outside the control room.
5.3.1 Ev aluation. Adecuate capability exists to maintain the reactor at hot shutdown from outside the control room. No procedures exist for taking the reactor from hot to cold shutdown from outside the control room.
l 3.4' RHR -System Reliability and Interlocks
[
The 5DCS at Millstone 1 is designed to withstand RCS design pressure.
Th'erefore, the isolation valve interlocks recuired by BTP RSB 5-1 are not l
applicable. The isolation valves have interlocks to prevent opening and to automatically close when RCS temperature exceeds the 350*F design tempera-ture of the SDCS.
l i
11 I
w,.
e
- ~ -
t 2
A bypass line provides a flow path from each SDCS pump discharge to its suction to provide the necessary flow to prevent pump overheating due to a discharge isolation valve being c1csed. Cavitation protecticn is pro-vided by the interlock which trips the pumps (and prevents their starting) if the suction pressure f alls below 4 psig. A temperature interlock also protects the pump from overheating by tripping the pump if the temperature 0
is greater than or equal to 350 F.
There are no requirements in the Millstone 1 Technical Specifications for testing the SDCS interlocks and isolation circuitry during SDCS opera-tion. The electrical circuitry is not designed to permit testing while the system is operating without a momentary interruption in system operation.
Although licensed prior to the issuance of RG 1.68, concerning preopera-tional and startup testing, Millstone 1 conducted such tests and has demon-strated SDCS operability on several occasions as noted by the SEP Review of Safe Shutdown Systems, Section 4.5.
5.4.1 Evaluation.
The SDCS does not meet the current licensing criteria of BTP RS8 5-1 in acccrdance with SEP Topics V-10.8, in that the SDCS is not considered to be a safety-grade system and is subject to single failure of the valves inside containment. The SDCS does meet the criteria of SEP Topic V-ll.B in that the SDCS is designed for full reactor pressure but less than full reactor temperature (for which temperature interlocks have been provided).
6.0
SUMMARY
With the exception of the FWCIS, the systems required to take the reactor from hot shutdown to cold shutdown, assuming only offsite power is available or only onsite power is available and a single failure, are cap-able of autcmatic initiation to bring the plant to a safe shutdown and are in compliance with current licensing criteria, and the safety objectives of SEP Topic VII-3.
12
- m._
m._ _m _
r_
.a.
--u.._-...__._
... 1 e
Automatic initiation of the FWCIS will only occur on low-low reactor water level signal and/or high drywell pressure signal.
In the absence of these signal (s), the FWCIS recuires manual initiation. Such manual initia-tion would be reautred in the event that the FWCIS had been transferred from its normal power source to the gas turbine generator.
r The reactor instrumentation available to control. room operators to i
reach and maintain the reactor in cold shutdown conditions meets current licensing criteria. However, the instrumentation available in the control room to monitor the shutdown systens parameters does not meet current licensing criteria as the loss of the IAC bus would result in the loss of this instrumentation.
The capability to maintain the reactor in hot shutdown from outside the control room exists and is in compliance with the safety objectives of SEP Topic VII-3.
No procedures exist to take the plant from hot to cold shutdown from outside the control room to satisfy the safety objectives of SEP Topic VII-3.
The SDCS does not satisfy the safety criteria of SEP Topic V-10.8.
However the SDCS safety criteria of SEP Topic V-ll.B for RHR System Reliability and Interlocks are satisfied.
7.0. SAFE SHUTDOWN EI&C FEATURES FOR CONSIDERATION BY SEP TOPIC III-l ELECTRICAL DISTRIBUTION (including support structure, but not individual loads )
1.
4160 volt buses 1, 3, 5, 6 and 7, 480 volt buses 2 and 2A,120 volt buses IAC and VAC, reactor protec-tion buses 1 and 1 A; including all feeders, incoming and outgoing, control circuits, indicating circuits bus work and support structures 2.
ALL DC BUSES--including 125 V, 24 V batteries, chargers, breakers, bus work, and support structures 3.
DIESEL GENERATOR--including control and indicating circuitry, and control and indication of vital OG auxiliaries such as lube oil, fuel, and cooling 4.
GAS TURBINE GENERATOR--same as above 13 L
.-n.--..
__~..u-.
~..a>
-.. x.
. - -. - = -. -
INSTRUMENTATION (including support structures) 1.
REACTOR LEVEL 2.
REACTOR PRESSURE 3.
REACTOR TEMPERATURE 4
REACTOR PRO'TECTION SYSTEM 5.
NEUTRON MONITORING (including in-core monitoring) 6.
AREA AND SYSTEM RADIATION MONITORING SYSTEMS (includes pumps, valves, control, indication, and support structures) 1.
SHUTDOWN COOLING SYSTEM 2.
REACTOR BUILDING CLOSED COOLING WATER (RBCCW) 3.
SERVICE WATER SYSTEM (SWS) 4 LOW PRESSURE COOLANT INJECTION SYSTEM (LPCI) 5.
CONTAINMENT SPRAY SYSTEM 6.
CORE SPRAY 7.
EMERGENCY SERVICE WATER SYSTEM (ESW) 8.
ELECTRO-PNEUMATIC RELIEF VALVES (AUTOMATIC PRESSURE RELIEF SYSTEM) 9.
ISOLATION CONDENSER
- 11. CONTROL R00 DRIVE SYSTEM (scram function and level control during hot standby)
- 12. VESSEL HEAD COOLING SYSTEM
- 13. REACTOR WATER CLEAN UP SYSTEM (RWCU) (core excess inventory) 14
. ~, -
. ux :.
. =.
.a...-~..
~
8.0 REFERENCES
1.
" Final Safety Analysis Report," Millstone Nuclear Power Station, Unit 1, Amendment 5, dated March 14, 1968.
2.
NNECo letter, W. G. Counsil, to Director of Nuclear Reactor Regula-tion, dated, April 6,1981.
3.
NNECo letter, W. G. Counsil, to Director of Nuclear Reactor Regula-tion, dated, April 16, 1981.
4.
Code of Federal Regulations,10 CFR 50, Appendix A, " General Design Criteria for Nuclear Power Plants."
5.
IEEE Standard 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations."
6.
MJREG 0800, Nuclear Regulatory Commission Standard Review Plan 7.4,
" Systems Required for Safe Shutdown" and 5.4.7, " Residual Heat Remov al. "
15 t
l' l'
4